* [3.5.y.z extended stable] Linux 3.5.7.24 stable review
@ 2013-10-28 14:47 Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 01/64] ACPI / IPMI: Fix atomic context requirement of ipmi_msg_handler() Luis Henriques
` (63 more replies)
0 siblings, 64 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Luis Henriques
This is the start of the review cycle for the Linux 3.5.7.24 stable kernel.
This version contains 64 new patches, summarized below. The new patches are
posted as replies to this message and also available in this git branch:
http://kernel.ubuntu.com/git?p=ubuntu/linux.git;h=linux-3.5.y-review;a=shortlog
git://kernel.ubuntu.com/ubuntu/linux.git linux-3.5.y-review
The review period for version 3.5.7.24 will be open for the next three days.
To report a problem, please reply to the relevant follow-up patch message.
For more information about the Linux 3.5.y.z extended stable kernel version,
see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable .
-Luis
--
arch/arm/include/asm/syscall.h | 6 +
arch/arm/mm/init.c | 3 +
arch/ia64/mm/contig.c | 2 +
arch/ia64/mm/discontig.c | 2 +
arch/parisc/kernel/traps.c | 6 +-
arch/parisc/mm/init.c | 2 +
arch/powerpc/kernel/lparcfg.c | 1 +
arch/powerpc/kvm/book3s_hv_rmhandlers.S | 2 +-
arch/powerpc/lib/checksum_64.S | 54 ++++--
arch/tile/include/asm/percpu.h | 34 +++-
arch/unicore32/mm/init.c | 3 +
drivers/acpi/acpi_ipmi.c | 24 +--
drivers/char/random.c | 11 +-
drivers/connector/cn_proc.c | 16 ++
drivers/connector/connector.c | 7 +-
drivers/gpu/drm/radeon/evergreen.c | 2 +-
drivers/hwmon/applesmc.c | 13 ++
drivers/md/dm-snap-persistent.c | 18 +-
drivers/media/video/sh_vou.c | 2 +-
drivers/net/can/dev.c | 10 +-
drivers/net/can/flexcan.c | 20 +--
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 +
drivers/net/ethernet/marvell/mv643xx_eth.c | 6 +-
drivers/net/ethernet/ti/davinci_emac.c | 3 +-
drivers/net/wan/farsync.c | 1 +
drivers/net/wan/wanxl.c | 1 +
drivers/net/wireless/rt2x00/rt2800lib.c | 7 +
drivers/pci/setup-res.c | 3 +-
drivers/usb/core/quirks.c | 6 +
drivers/usb/host/xhci-hub.c | 28 ---
drivers/usb/host/xhci-pci.c | 25 +++
drivers/usb/host/xhci.c | 14 +-
drivers/usb/host/xhci.h | 2 +
drivers/usb/serial/option.c | 225 +++++++++++++++++++++++-
drivers/usb/serial/ti_usb_3410_5052.c | 1 +
drivers/usb/storage/scsiglue.c | 5 +-
drivers/usb/storage/unusual_devs.h | 7 +
drivers/watchdog/ts72xx_wdt.c | 3 +-
fs/btrfs/relocation.c | 14 +-
fs/buffer.c | 14 +-
fs/ext4/xattr.c | 2 +
fs/fuse/dir.c | 7 +-
fs/fuse/file.c | 8 +-
fs/fuse/fuse_i.h | 9 +
fs/fuse/inode.c | 4 +-
fs/nilfs2/page.c | 2 +
fs/nilfs2/segment.c | 11 +-
include/linux/mm.h | 3 +-
include/linux/random.h | 1 +
include/linux/skbuff.h | 15 ++
include/linux/timex.h | 14 ++
include/linux/usb_usual.h | 4 +-
include/net/cipso_ipv4.h | 6 +-
include/net/dst.h | 12 ++
init/main.c | 2 +
lib/show_mem.c | 3 +
mm/memcontrol.c | 2 +
mm/mmap.c | 77 +++++++-
mm/page-writeback.c | 10 +-
mm/page_alloc.c | 7 +
net/8021q/vlan_netlink.c | 2 +-
net/bridge/br_stp_if.c | 2 +-
net/compat.c | 2 +
net/ipv4/inet_hashtables.c | 2 +-
net/ipv4/ip_output.c | 2 +-
net/ipv4/route.c | 2 +-
net/ipv4/tcp_input.c | 5 +-
net/ipv4/tcp_output.c | 9 +-
net/ipv6/inet6_hashtables.c | 2 +-
net/ipv6/ip6_output.c | 2 +-
net/ipv6/route.c | 11 +-
net/l2tp/l2tp_ppp.c | 4 +
net/sctp/output.c | 3 +-
net/socket.c | 24 ++-
net/unix/af_unix.c | 10 ++
net/unix/diag.c | 1 +
sound/pci/hda/patch_realtek.c | 1 +
sound/usb/usx2y/usbusx2yaudio.c | 22 +--
sound/usb/usx2y/usx2yhwdeppcm.c | 7 +-
79 files changed, 739 insertions(+), 177 deletions(-)
AKASHI Takahiro (1):
ARM: 7851/1: check for number of arguments in syscall_get/set_arguments()
Chen Gang (1):
powerpc/pseries/lparcfg: Fix possible overflow are more than 1026
Chris Metcalf (1):
tile: use a more conservative __my_cpu_offset in CONFIG_PREEMPT
Cyril Hrubis (1):
mm/mmap: check for RLIMIT_AS before unmapping
Dan Carpenter (3):
watchdog: ts72xx_wdt: locking bug in ioctl
[media] sh_vou: almost forever loop in sh_vou_try_fmt_vid_out()
net: heap overflow in __audit_sockaddr()
Daniel Borkmann (1):
net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race
Daniel Mack (1):
ALSA: snd-usb-usx2y: remove bogus frame checks
Dave Jones (1):
ext4: fix memory leak in xattr
David Rientjes (1):
mm, show_mem: suppress page counts in non-blockable contexts
Diego Elio Pettenò (1):
USB: serial: ti_usb_3410_5052: add Abbott strip port ID to combined table as well.
Enrico Mioso (1):
usb: serial: option: blacklist Olivetti Olicard200
Eric Dumazet (5):
tcp: must unclone packets before mangling them
tcp: do not forget FIN in tcp_shifted_skb()
net: do not call sock_put() on TIMEWAIT sockets
l2tp: must disable bh before calling l2tp_xmit_skb()
bnx2x: record rx queue for LRO packets
Fan Du (1):
sctp: Use software crc32 checksum when xfrm transform will happen.
Fangxiaozhi (Franko) (1):
USB: support new huawei devices in option.c
Fengguang Wu (1):
writeback: fix negative bdi max pause
Greg Kroah-Hartman (1):
USB: serial: option: add support for Inovia SEW858 device
Hannes Frederic Sowa (1):
inet: fix possible memory corruption with UDP_CORK and UFO
Helge Deller (1):
parisc: fix interruption handler to respect pagefault_disable()
Henrik Rydberg (1):
hwmon: (applesmc) Always read until end of data
Jiri Benc (1):
ipv4: fix ineffective source address selection
Johannes Weiner (1):
fs: buffer: move allocation failure loop into the allocator
Josef Bacik (1):
Btrfs: change how we queue blocks for backref checking
Linus Torvalds (1):
mm: do not grow the stack vma just because of an overrun on preceding vma
Lv Zheng (1):
ACPI / IPMI: Fix atomic context requirement of ipmi_msg_handler()
Marc Kleine-Budde (4):
can: dev: fix nlmsg size calculation in can_get_size()
net: vlan: fix nlmsg size calculation in vlan_get_size()
can: flexcan: fix flexcan_chip_start() on imx6
can: flexcan: flexcan_chip_start: fix regression, mark one MB for TX and abort pending TX
Marcelo Ricardo Leitner (1):
ipv6: restrict neighbor entry creation to output flow
Mariusz Ceier (1):
davinci_emac.c: Fix IFF_ALLMULTI setup
Mathias Krause (3):
proc connector: fix info leaks
unix_diag: fix info leak
connector: use nlmsg_len() to check message length
Maxim Patlasov (1):
fuse: hotfix truncate_pagecache() issue
Mikulas Patocka (1):
dm snapshot: fix data corruption
Nikhil P Rao (1):
PCI: fix truncation of resource size to 32 bits
Oliver Neukum (4):
xhci: quirk for extra long delay for S4
USB: quirks.c: add one device that cannot deal with suspension
USB: quirks: add touchscreen that is dazzeled by remote wakeup
usb-storage: add quirk for mandatory READ_CAPACITY_16
Paul E. McKenney (1):
powerpc: Restore registers on error exit from csum_partial_copy_generic()
Paul Mackerras (1):
KVM: PPC: Book3S HV: Fix typo in saving DSCR
Salva Peiró (2):
farsync: fix info leak in ioctl
wanxl: fix info leak in ioctl
Sarah Sharp (1):
xhci: Don't enable/disable RWE on bus suspend/resume.
Sebastian Hesselbarth (2):
net: mv643xx_eth: update statistics timer from timer context only
net: mv643xx_eth: fix orphaned statistics timer crash
Seif Mazareeb (1):
net: fix cipso packet validation when !NETLABEL
Stanislaw Gruszka (1):
rt2800: fix wrong TX power compensation
Takashi Iwai (2):
ALSA: hda - Add fixup for ASUS N56VZ
xhci: Fix spurious wakeups after S5 on Haswell
Theodore Ts'o (2):
random: run random_int_secret_init() run after all late_initcalls
random: allow architectures to optionally define random_get_entropy()
Vlad Yasevich (3):
bridge: Correctly clamp MAX forward_delay when enabling STP
net: dst: provide accessor function to dst->xfrm
sctp: Perform software checksum if packet has to be fragmented.
Vyacheslav Dubeyko (1):
nilfs2: fix issue with race condition of competition between segments for dirty blocks
wojciech kapuscinski (1):
drm/radeon: fix hw contexts for SUMO2 asics
^ permalink raw reply [flat|nested] 71+ messages in thread
* [PATCH 3.5 01/64] ACPI / IPMI: Fix atomic context requirement of ipmi_msg_handler()
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 02/64] Btrfs: change how we queue blocks for backref checking Luis Henriques
` (62 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Lv Zheng, Rafael J. Wysocki, Jonghwan Choi, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Lv Zheng <lv.zheng@intel.com>
commit 06a8566bcf5cf7db9843a82cde7a33c7bf3947d9 upstream.
This patch fixes the issues indicated by the test results that
ipmi_msg_handler() is invoked in atomic context.
BUG: scheduling while atomic: kipmi0/18933/0x10000100
Modules linked in: ipmi_si acpi_ipmi ...
CPU: 3 PID: 18933 Comm: kipmi0 Tainted: G AW 3.10.0-rc7+ #2
Hardware name: QCI QSSC-S4R/QSSC-S4R, BIOS QSSC-S4R.QCI.01.00.0027.070120100606 07/01/2010
ffff8838245eea00 ffff88103fc63c98 ffffffff814c4a1e ffff88103fc63ca8
ffffffff814bfbab ffff88103fc63d28 ffffffff814c73e0 ffff88103933cbd4
0000000000000096 ffff88103fc63ce8 ffff88102f618000 ffff881035c01fd8
Call Trace:
<IRQ> [<ffffffff814c4a1e>] dump_stack+0x19/0x1b
[<ffffffff814bfbab>] __schedule_bug+0x46/0x54
[<ffffffff814c73e0>] __schedule+0x83/0x59c
[<ffffffff81058853>] __cond_resched+0x22/0x2d
[<ffffffff814c794b>] _cond_resched+0x14/0x1d
[<ffffffff814c6d82>] mutex_lock+0x11/0x32
[<ffffffff8101e1e9>] ? __default_send_IPI_dest_field.constprop.0+0x53/0x58
[<ffffffffa09e3f9c>] ipmi_msg_handler+0x23/0x166 [ipmi_si]
[<ffffffff812bf6e4>] deliver_response+0x55/0x5a
[<ffffffff812c0fd4>] handle_new_recv_msgs+0xb67/0xc65
[<ffffffff81007ad1>] ? read_tsc+0x9/0x19
[<ffffffff814c8620>] ? _raw_spin_lock_irq+0xa/0xc
[<ffffffffa09e1128>] ipmi_thread+0x5c/0x146 [ipmi_si]
...
Also Tony Camuso says:
We were getting occasional "Scheduling while atomic" call traces
during boot on some systems. Problem was first seen on a Cisco C210
but we were able to reproduce it on a Cisco c220m3. Setting
CONFIG_LOCKDEP and LOCKDEP_SUPPORT to 'y' exposed a lockdep around
tx_msg_lock in acpi_ipmi.c struct acpi_ipmi_device.
=================================
[ INFO: inconsistent lock state ]
2.6.32-415.el6.x86_64-debug-splck #1
---------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
ksoftirqd/3/17 [HC0[0]:SC1[1]:HE1:SE0] takes:
(&ipmi_device->tx_msg_lock){+.?...}, at: [<ffffffff81337a27>] ipmi_msg_handler+0x71/0x126
{SOFTIRQ-ON-W} state was registered at:
[<ffffffff810ba11c>] __lock_acquire+0x63c/0x1570
[<ffffffff810bb0f4>] lock_acquire+0xa4/0x120
[<ffffffff815581cc>] __mutex_lock_common+0x4c/0x400
[<ffffffff815586ea>] mutex_lock_nested+0x4a/0x60
[<ffffffff8133789d>] acpi_ipmi_space_handler+0x11b/0x234
[<ffffffff81321c62>] acpi_ev_address_space_dispatch+0x170/0x1be
The fix implemented by this change has been tested by Tony:
Tested the patch in a boot loop with lockdep debug enabled and never
saw the problem in over 400 reboots.
Reported-and-tested-by: Tony Camuso <tcamuso@redhat.com>
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Reviewed-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Jonghwan Choi <jhbird.choi@samsung.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/acpi/acpi_ipmi.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/drivers/acpi/acpi_ipmi.c b/drivers/acpi/acpi_ipmi.c
index f40acef..a6977e1 100644
--- a/drivers/acpi/acpi_ipmi.c
+++ b/drivers/acpi/acpi_ipmi.c
@@ -39,6 +39,7 @@
#include <linux/ipmi.h>
#include <linux/device.h>
#include <linux/pnp.h>
+#include <linux/spinlock.h>
MODULE_AUTHOR("Zhao Yakui");
MODULE_DESCRIPTION("ACPI IPMI Opregion driver");
@@ -57,7 +58,7 @@ struct acpi_ipmi_device {
struct list_head head;
/* the IPMI request message list */
struct list_head tx_msg_list;
- struct mutex tx_msg_lock;
+ spinlock_t tx_msg_lock;
acpi_handle handle;
struct pnp_dev *pnp_dev;
ipmi_user_t user_interface;
@@ -147,6 +148,7 @@ static void acpi_format_ipmi_msg(struct acpi_ipmi_msg *tx_msg,
struct kernel_ipmi_msg *msg;
struct acpi_ipmi_buffer *buffer;
struct acpi_ipmi_device *device;
+ unsigned long flags;
msg = &tx_msg->tx_message;
/*
@@ -177,10 +179,10 @@ static void acpi_format_ipmi_msg(struct acpi_ipmi_msg *tx_msg,
/* Get the msgid */
device = tx_msg->device;
- mutex_lock(&device->tx_msg_lock);
+ spin_lock_irqsave(&device->tx_msg_lock, flags);
device->curr_msgid++;
tx_msg->tx_msgid = device->curr_msgid;
- mutex_unlock(&device->tx_msg_lock);
+ spin_unlock_irqrestore(&device->tx_msg_lock, flags);
}
static void acpi_format_ipmi_response(struct acpi_ipmi_msg *msg,
@@ -242,6 +244,7 @@ static void ipmi_msg_handler(struct ipmi_recv_msg *msg, void *user_msg_data)
int msg_found = 0;
struct acpi_ipmi_msg *tx_msg;
struct pnp_dev *pnp_dev = ipmi_device->pnp_dev;
+ unsigned long flags;
if (msg->user != ipmi_device->user_interface) {
dev_warn(&pnp_dev->dev, "Unexpected response is returned. "
@@ -250,7 +253,7 @@ static void ipmi_msg_handler(struct ipmi_recv_msg *msg, void *user_msg_data)
ipmi_free_recv_msg(msg);
return;
}
- mutex_lock(&ipmi_device->tx_msg_lock);
+ spin_lock_irqsave(&ipmi_device->tx_msg_lock, flags);
list_for_each_entry(tx_msg, &ipmi_device->tx_msg_list, head) {
if (msg->msgid == tx_msg->tx_msgid) {
msg_found = 1;
@@ -258,7 +261,7 @@ static void ipmi_msg_handler(struct ipmi_recv_msg *msg, void *user_msg_data)
}
}
- mutex_unlock(&ipmi_device->tx_msg_lock);
+ spin_unlock_irqrestore(&ipmi_device->tx_msg_lock, flags);
if (!msg_found) {
dev_warn(&pnp_dev->dev, "Unexpected response (msg id %ld) is "
"returned.\n", msg->msgid);
@@ -378,6 +381,7 @@ acpi_ipmi_space_handler(u32 function, acpi_physical_address address,
struct acpi_ipmi_device *ipmi_device = handler_context;
int err, rem_time;
acpi_status status;
+ unsigned long flags;
/*
* IPMI opregion message.
* IPMI message is firstly written to the BMC and system software
@@ -395,9 +399,9 @@ acpi_ipmi_space_handler(u32 function, acpi_physical_address address,
return AE_NO_MEMORY;
acpi_format_ipmi_msg(tx_msg, address, value);
- mutex_lock(&ipmi_device->tx_msg_lock);
+ spin_lock_irqsave(&ipmi_device->tx_msg_lock, flags);
list_add_tail(&tx_msg->head, &ipmi_device->tx_msg_list);
- mutex_unlock(&ipmi_device->tx_msg_lock);
+ spin_unlock_irqrestore(&ipmi_device->tx_msg_lock, flags);
err = ipmi_request_settime(ipmi_device->user_interface,
&tx_msg->addr,
tx_msg->tx_msgid,
@@ -413,9 +417,9 @@ acpi_ipmi_space_handler(u32 function, acpi_physical_address address,
status = AE_OK;
end_label:
- mutex_lock(&ipmi_device->tx_msg_lock);
+ spin_lock_irqsave(&ipmi_device->tx_msg_lock, flags);
list_del(&tx_msg->head);
- mutex_unlock(&ipmi_device->tx_msg_lock);
+ spin_unlock_irqrestore(&ipmi_device->tx_msg_lock, flags);
kfree(tx_msg);
return status;
}
@@ -457,7 +461,7 @@ static void acpi_add_ipmi_device(struct acpi_ipmi_device *ipmi_device)
INIT_LIST_HEAD(&ipmi_device->head);
- mutex_init(&ipmi_device->tx_msg_lock);
+ spin_lock_init(&ipmi_device->tx_msg_lock);
INIT_LIST_HEAD(&ipmi_device->tx_msg_list);
ipmi_install_space_handler(ipmi_device);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 02/64] Btrfs: change how we queue blocks for backref checking
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 01/64] ACPI / IPMI: Fix atomic context requirement of ipmi_msg_handler() Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 03/64] watchdog: ts72xx_wdt: locking bug in ioctl Luis Henriques
` (61 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Josef Bacik, Chris Mason, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <jbacik@fusionio.com>
commit b6c60c8018c4e9beb2f83fc82c09f9d033766571 upstream.
Previously we only added blocks to the list to have their backrefs checked if
the level of the block is right above the one we are searching for. This is
because we want to make sure we don't add the entire path up to the root to the
lists to make sure we process things one at a time. This assumes that if any
blocks in the path to the root are going to be not checked (shared in other
words) then they will be in the level right above the current block on up. This
isn't quite right though since we can have blocks higher up the list that are
shared because they are attached to a reloc root. But we won't add this block
to be checked and then later on we will BUG_ON(!upper->checked). So instead
keep track of wether or not we've queued a block to be checked in this current
search, and if we haven't go ahead and queue it to be checked. This patch fixed
the panic I was seeing where we BUG_ON(!upper->checked). Thanks,
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
Signed-off-by: Chris Mason <chris.mason@fusionio.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
fs/btrfs/relocation.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
index 646ee21..92841a7 100644
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -684,6 +684,7 @@ struct backref_node *build_backref_tree(struct reloc_control *rc,
int cowonly;
int ret;
int err = 0;
+ bool need_check = true;
path1 = btrfs_alloc_path();
path2 = btrfs_alloc_path();
@@ -906,6 +907,7 @@ again:
cur->bytenr);
lower = cur;
+ need_check = true;
for (; level < BTRFS_MAX_LEVEL; level++) {
if (!path2->nodes[level]) {
BUG_ON(btrfs_root_bytenr(&root->root_item) !=
@@ -949,14 +951,12 @@ again:
/*
* add the block to pending list if we
- * need check its backrefs. only block
- * at 'cur->level + 1' is added to the
- * tail of pending list. this guarantees
- * we check backrefs from lower level
- * blocks to upper level blocks.
+ * need check its backrefs, we only do this once
+ * while walking up a tree as we will catch
+ * anything else later on.
*/
- if (!upper->checked &&
- level == cur->level + 1) {
+ if (!upper->checked && need_check) {
+ need_check = false;
list_add_tail(&edge->list[UPPER],
&list);
} else
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 03/64] watchdog: ts72xx_wdt: locking bug in ioctl
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 01/64] ACPI / IPMI: Fix atomic context requirement of ipmi_msg_handler() Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 02/64] Btrfs: change how we queue blocks for backref checking Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 04/64] random: run random_int_secret_init() run after all late_initcalls Luis Henriques
` (60 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dan Carpenter, Wim Van Sebroeck, Jonghwan Choi, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 8612ed0d97abcf1c016d34755b7cf2060de71963 upstream.
Calling the WDIOC_GETSTATUS & WDIOC_GETBOOTSTATUS and twice will cause a
interruptible deadlock.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
Cc: Jonghwan Choi <jhbird.choi@samsung.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/watchdog/ts72xx_wdt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/watchdog/ts72xx_wdt.c b/drivers/watchdog/ts72xx_wdt.c
index 8df050d..1c53745 100644
--- a/drivers/watchdog/ts72xx_wdt.c
+++ b/drivers/watchdog/ts72xx_wdt.c
@@ -310,7 +310,8 @@ static long ts72xx_wdt_ioctl(struct file *file, unsigned int cmd,
case WDIOC_GETSTATUS:
case WDIOC_GETBOOTSTATUS:
- return put_user(0, p);
+ error = put_user(0, p);
+ break;
case WDIOC_KEEPALIVE:
ts72xx_wdt_kick(wdt);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 04/64] random: run random_int_secret_init() run after all late_initcalls
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (2 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 03/64] watchdog: ts72xx_wdt: locking bug in ioctl Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 05/64] tile: use a more conservative __my_cpu_offset in CONFIG_PREEMPT Luis Henriques
` (59 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Theodore Ts'o, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit 47d06e532e95b71c0db3839ebdef3fe8812fca2c upstream.
The some platforms (e.g., ARM) initializes their clocks as
late_initcalls for some unknown reason. So make sure
random_int_secret_init() is run after all of the late_initcalls are
run.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/char/random.c | 3 +--
include/linux/random.h | 1 +
init/main.c | 2 ++
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 395d2e8..e0b3680 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1447,12 +1447,11 @@ ctl_table random_table[] = {
static u32 random_int_secret[MD5_MESSAGE_BYTES / 4] ____cacheline_aligned;
-static int __init random_int_secret_init(void)
+int random_int_secret_init(void)
{
get_random_bytes(random_int_secret, sizeof(random_int_secret));
return 0;
}
-late_initcall(random_int_secret_init);
/*
* Get a random word for internal kernel use only. Similar to urandom but
diff --git a/include/linux/random.h b/include/linux/random.h
index ac621ce..7e58ad2 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -56,6 +56,7 @@ extern void add_interrupt_randomness(int irq, int irq_flags);
extern void get_random_bytes(void *buf, int nbytes);
extern void get_random_bytes_arch(void *buf, int nbytes);
void generate_random_uuid(unsigned char uuid_out[16]);
+extern int random_int_secret_init(void);
#ifndef MODULE
extern const struct file_operations random_fops, urandom_fops;
diff --git a/init/main.c b/init/main.c
index 9a053de..0b62dae 100644
--- a/init/main.c
+++ b/init/main.c
@@ -68,6 +68,7 @@
#include <linux/shmem_fs.h>
#include <linux/slab.h>
#include <linux/perf_event.h>
+#include <linux/random.h>
#include <asm/io.h>
#include <asm/bugs.h>
@@ -779,6 +780,7 @@ static void __init do_basic_setup(void)
do_ctors();
usermodehelper_enable();
do_initcalls();
+ random_int_secret_init();
}
static void __init do_pre_smp_initcalls(void)
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 05/64] tile: use a more conservative __my_cpu_offset in CONFIG_PREEMPT
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (3 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 04/64] random: run random_int_secret_init() run after all late_initcalls Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 06/64] ALSA: snd-usb-usx2y: remove bogus frame checks Luis Henriques
` (58 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Chris Metcalf, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Metcalf <cmetcalf@tilera.com>
commit f862eefec0b68e099a9fa58d3761ffb10bad97e1 upstream.
It turns out the kernel relies on barrier() to force a reload of the
percpu offset value. Since we can't easily modify the definition of
barrier() to include "tp" as an output register, we instead provide a
definition of __my_cpu_offset as extended assembly that includes a fake
stack read to hazard against barrier(), forcing gcc to know that it
must reread "tp" and recompute anything based on "tp" after a barrier.
This fixes observed hangs in the slub allocator when we are looping
on a percpu cmpxchg_double.
A similar fix for ARMv7 was made in June in change 509eb76ebf97.
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
arch/tile/include/asm/percpu.h | 34 +++++++++++++++++++++++++++++++---
1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/arch/tile/include/asm/percpu.h b/arch/tile/include/asm/percpu.h
index 63294f5..4f7ae39 100644
--- a/arch/tile/include/asm/percpu.h
+++ b/arch/tile/include/asm/percpu.h
@@ -15,9 +15,37 @@
#ifndef _ASM_TILE_PERCPU_H
#define _ASM_TILE_PERCPU_H
-register unsigned long __my_cpu_offset __asm__("tp");
-#define __my_cpu_offset __my_cpu_offset
-#define set_my_cpu_offset(tp) (__my_cpu_offset = (tp))
+register unsigned long my_cpu_offset_reg asm("tp");
+
+#ifdef CONFIG_PREEMPT
+/*
+ * For full preemption, we can't just use the register variable
+ * directly, since we need barrier() to hazard against it, causing the
+ * compiler to reload anything computed from a previous "tp" value.
+ * But we also don't want to use volatile asm, since we'd like the
+ * compiler to be able to cache the value across multiple percpu reads.
+ * So we use a fake stack read as a hazard against barrier().
+ * The 'U' constraint is like 'm' but disallows postincrement.
+ */
+static inline unsigned long __my_cpu_offset(void)
+{
+ unsigned long tp;
+ register unsigned long *sp asm("sp");
+ asm("move %0, tp" : "=r" (tp) : "U" (*sp));
+ return tp;
+}
+#define __my_cpu_offset __my_cpu_offset()
+#else
+/*
+ * We don't need to hazard against barrier() since "tp" doesn't ever
+ * change with PREEMPT_NONE, and with PREEMPT_VOLUNTARY it only
+ * changes at function call points, at which we are already re-reading
+ * the value of "tp" due to "my_cpu_offset_reg" being a global variable.
+ */
+#define __my_cpu_offset my_cpu_offset_reg
+#endif
+
+#define set_my_cpu_offset(tp) (my_cpu_offset_reg = (tp))
#include <asm-generic/percpu.h>
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 06/64] ALSA: snd-usb-usx2y: remove bogus frame checks
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (4 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 05/64] tile: use a more conservative __my_cpu_offset in CONFIG_PREEMPT Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 07/64] ALSA: hda - Add fixup for ASUS N56VZ Luis Henriques
` (57 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: fzu, Daniel Mack, Takashi Iwai, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Mack <zonque@gmail.com>
commit a9d14bc0b188a822e42787d01e56c06fe9750162 upstream.
The frame check in i_usX2Y_urb_complete() and
i_usX2Y_usbpcm_urb_complete() is bogus and produces false positives as
described in this LAU thread:
http://linuxaudio.org/mailarchive/lau/2013/5/20/200177
This patch removes the check code entirely.
Cc: fzu@wemgehoertderstaat.de
Reported-by: Dr Nicholas J Bailey <nicholas.bailey@glasgow.ac.uk>
Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Daniel Mack <zonque@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
sound/usb/usx2y/usbusx2yaudio.c | 22 +++-------------------
sound/usb/usx2y/usx2yhwdeppcm.c | 7 +------
2 files changed, 4 insertions(+), 25 deletions(-)
diff --git a/sound/usb/usx2y/usbusx2yaudio.c b/sound/usb/usx2y/usbusx2yaudio.c
index 43d337d..bdc4ddb 100644
--- a/sound/usb/usx2y/usbusx2yaudio.c
+++ b/sound/usb/usx2y/usbusx2yaudio.c
@@ -299,19 +299,6 @@ static void usX2Y_error_urb_status(struct usX2Ydev *usX2Y,
usX2Y_clients_stop(usX2Y);
}
-static void usX2Y_error_sequence(struct usX2Ydev *usX2Y,
- struct snd_usX2Y_substream *subs, struct urb *urb)
-{
- snd_printk(KERN_ERR
-"Sequence Error!(hcd_frame=%i ep=%i%s;wait=%i,frame=%i).\n"
-"Most probably some urb of usb-frame %i is still missing.\n"
-"Cause could be too long delays in usb-hcd interrupt handling.\n",
- usb_get_current_frame_number(usX2Y->dev),
- subs->endpoint, usb_pipein(urb->pipe) ? "in" : "out",
- usX2Y->wait_iso_frame, urb->start_frame, usX2Y->wait_iso_frame);
- usX2Y_clients_stop(usX2Y);
-}
-
static void i_usX2Y_urb_complete(struct urb *urb)
{
struct snd_usX2Y_substream *subs = urb->context;
@@ -328,12 +315,9 @@ static void i_usX2Y_urb_complete(struct urb *urb)
usX2Y_error_urb_status(usX2Y, subs, urb);
return;
}
- if (likely((urb->start_frame & 0xFFFF) == (usX2Y->wait_iso_frame & 0xFFFF)))
- subs->completed_urb = urb;
- else {
- usX2Y_error_sequence(usX2Y, subs, urb);
- return;
- }
+
+ subs->completed_urb = urb;
+
{
struct snd_usX2Y_substream *capsubs = usX2Y->subs[SNDRV_PCM_STREAM_CAPTURE],
*playbacksubs = usX2Y->subs[SNDRV_PCM_STREAM_PLAYBACK];
diff --git a/sound/usb/usx2y/usx2yhwdeppcm.c b/sound/usb/usx2y/usx2yhwdeppcm.c
index 8e40b6e..1da1eca 100644
--- a/sound/usb/usx2y/usx2yhwdeppcm.c
+++ b/sound/usb/usx2y/usx2yhwdeppcm.c
@@ -244,13 +244,8 @@ static void i_usX2Y_usbpcm_urb_complete(struct urb *urb)
usX2Y_error_urb_status(usX2Y, subs, urb);
return;
}
- if (likely((urb->start_frame & 0xFFFF) == (usX2Y->wait_iso_frame & 0xFFFF)))
- subs->completed_urb = urb;
- else {
- usX2Y_error_sequence(usX2Y, subs, urb);
- return;
- }
+ subs->completed_urb = urb;
capsubs = usX2Y->subs[SNDRV_PCM_STREAM_CAPTURE];
capsubs2 = usX2Y->subs[SNDRV_PCM_STREAM_CAPTURE + 2];
playbacksubs = usX2Y->subs[SNDRV_PCM_STREAM_PLAYBACK];
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 07/64] ALSA: hda - Add fixup for ASUS N56VZ
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (5 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 06/64] ALSA: snd-usb-usx2y: remove bogus frame checks Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 08/64] hwmon: (applesmc) Always read until end of data Luis Henriques
` (56 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Takashi Iwai, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit c6cc3d58b4042f5cadae653ff8d3df26af1a0169 upstream.
ASUS N56VZ needs a fixup for the bass speaker pin, which was already
provided via model=asus-mode4.
Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=841645
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 1baf0dc..accddc0 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6728,6 +6728,7 @@ static const struct snd_pci_quirk alc662_fixup_tbl[] = {
SND_PCI_QUIRK(0x1025, 0x031c, "Gateway NV79", ALC662_FIXUP_SKU_IGNORE),
SND_PCI_QUIRK(0x1025, 0x038b, "Acer Aspire 8943G", ALC662_FIXUP_ASPIRE),
SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
+ SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_ASUS_MODE4),
SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT),
SND_PCI_QUIRK(0x105b, 0x0cd6, "Foxconn", ALC662_FIXUP_ASUS_MODE2),
SND_PCI_QUIRK(0x144d, 0xc051, "Samsung R720", ALC662_FIXUP_IDEAPAD),
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 08/64] hwmon: (applesmc) Always read until end of data
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (6 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 07/64] ALSA: hda - Add fixup for ASUS N56VZ Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 09/64] drm/radeon: fix hw contexts for SUMO2 asics Luis Henriques
` (55 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Henrik Rydberg, Guenter Roeck, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Henrik Rydberg <rydberg@euromail.se>
commit 25f2bd7f5add608c1d1405938f39c96927b275ca upstream.
The crash reported and investigated in commit 5f4513 turned out to be
caused by a change to the read interface on newer (2012) SMCs.
Tests by Chris show that simply reading the data valid line is enough
for the problem to go away. Additional tests show that the newer SMCs
no longer wait for the number of requested bytes, but start sending
data right away. Apparently the number of bytes to read is no longer
specified as before, but instead found out by reading until end of
data. Failure to read until end of data confuses the state machine,
which eventually causes the crash.
As a remedy, assuming bit0 is the read valid line, make sure there is
nothing more to read before leaving the read function.
Tested to resolve the original problem, and runtested on MBA3,1,
MBP4,1, MBP8,2, MBP10,1, MBP10,2. The patch seems to have no effect on
machines before 2012.
Tested-by: Chris Murphy <chris@cmurf.com>
Signed-off-by: Henrik Rydberg <rydberg@euromail.se>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/hwmon/applesmc.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
index 0882b25..dbaf7f4 100644
--- a/drivers/hwmon/applesmc.c
+++ b/drivers/hwmon/applesmc.c
@@ -212,6 +212,7 @@ static int send_argument(const char *key)
static int read_smc(u8 cmd, const char *key, u8 *buffer, u8 len)
{
+ u8 status, data = 0;
int i;
if (send_command(cmd) || send_argument(key)) {
@@ -219,6 +220,7 @@ static int read_smc(u8 cmd, const char *key, u8 *buffer, u8 len)
return -EIO;
}
+ /* This has no effect on newer (2012) SMCs */
outb(len, APPLESMC_DATA_PORT);
for (i = 0; i < len; i++) {
@@ -229,6 +231,17 @@ static int read_smc(u8 cmd, const char *key, u8 *buffer, u8 len)
buffer[i] = inb(APPLESMC_DATA_PORT);
}
+ /* Read the data port until bit0 is cleared */
+ for (i = 0; i < 16; i++) {
+ udelay(APPLESMC_MIN_WAIT);
+ status = inb(APPLESMC_CMD_PORT);
+ if (!(status & 0x01))
+ break;
+ data = inb(APPLESMC_DATA_PORT);
+ }
+ if (i)
+ pr_warn("flushed %d bytes, last value is: %d\n", i, data);
+
return 0;
}
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 09/64] drm/radeon: fix hw contexts for SUMO2 asics
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (7 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 08/64] hwmon: (applesmc) Always read until end of data Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 10/64] KVM: PPC: Book3S HV: Fix typo in saving DSCR Luis Henriques
` (54 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: wojciech kapuscinski, Alex Deucher, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: wojciech kapuscinski <wojtask9@wp.pl>
commit 50b8f5aec04ebec7dbdf2adb17220b9148c99e63 upstream.
They have 4 rather than 8.
Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=63599
Signed-off-by: wojciech kapuscinski <wojtask9@wp.pl>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/gpu/drm/radeon/evergreen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
index 650e2d7..9c2ae4e 100644
--- a/drivers/gpu/drm/radeon/evergreen.c
+++ b/drivers/gpu/drm/radeon/evergreen.c
@@ -1766,7 +1766,7 @@ static void evergreen_gpu_init(struct radeon_device *rdev)
rdev->config.evergreen.sx_max_export_size = 256;
rdev->config.evergreen.sx_max_export_pos_size = 64;
rdev->config.evergreen.sx_max_export_smx_size = 192;
- rdev->config.evergreen.max_hw_contexts = 8;
+ rdev->config.evergreen.max_hw_contexts = 4;
rdev->config.evergreen.sq_num_cf_insts = 2;
rdev->config.evergreen.sc_prim_fifo_size = 0x40;
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 10/64] KVM: PPC: Book3S HV: Fix typo in saving DSCR
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (8 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 09/64] drm/radeon: fix hw contexts for SUMO2 asics Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 11/64] random: allow architectures to optionally define random_get_entropy() Luis Henriques
` (53 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Paul Mackerras, Paolo Bonzini, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Mackerras <paulus@samba.org>
commit cfc860253abd73e1681696c08ea268d33285a2c4 upstream.
This fixes a typo in the code that saves the guest DSCR (Data Stream
Control Register) into the kvm_vcpu_arch struct on guest exit. The
effect of the typo was that the DSCR value was saved in the wrong place,
so changes to the DSCR by the guest didn't persist across guest exit
and entry, and some host kernel memory got corrupted.
Signed-off-by: Paul Mackerras <paulus@samba.org>
Acked-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
arch/powerpc/kvm/book3s_hv_rmhandlers.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
index a1044f4..86af817 100644
--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
@@ -963,7 +963,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_206)
BEGIN_FTR_SECTION
mfspr r8, SPRN_DSCR
ld r7, HSTATE_DSCR(r13)
- std r8, VCPU_DSCR(r7)
+ std r8, VCPU_DSCR(r9)
mtspr SPRN_DSCR, r7
END_FTR_SECTION_IFSET(CPU_FTR_ARCH_206)
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 11/64] random: allow architectures to optionally define random_get_entropy()
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (9 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 10/64] KVM: PPC: Book3S HV: Fix typo in saving DSCR Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 12/64] ext4: fix memory leak in xattr Luis Henriques
` (52 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Theodore Ts'o, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit 61875f30daf60305712e25b209ef41ced2635bad upstream.
Allow architectures which have a disabled get_cycles() function to
provide a random_get_entropy() function which provides a fine-grained,
rapidly changing counter that can be used by the /dev/random driver.
For example, an architecture might have a rapidly changing register
used to control random TLB cache eviction, or DRAM refresh that
doesn't meet the requirements of get_cycles(), but which is good
enough for the needs of the random driver.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/char/random.c | 8 ++++----
include/linux/timex.h | 14 ++++++++++++++
2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/drivers/char/random.c b/drivers/char/random.c
index e0b3680..08b4e70 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -646,7 +646,7 @@ struct timer_rand_state {
*/
void add_device_randomness(const void *buf, unsigned int size)
{
- unsigned long time = get_cycles() ^ jiffies;
+ unsigned long time = random_get_entropy() ^ jiffies;
mix_pool_bytes(&input_pool, buf, size, NULL);
mix_pool_bytes(&input_pool, &time, sizeof(time), NULL);
@@ -683,7 +683,7 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
goto out;
sample.jiffies = jiffies;
- sample.cycles = get_cycles();
+ sample.cycles = random_get_entropy();
sample.num = num;
mix_pool_bytes(&input_pool, &sample, sizeof(sample), NULL);
@@ -750,7 +750,7 @@ void add_interrupt_randomness(int irq, int irq_flags)
struct fast_pool *fast_pool = &__get_cpu_var(irq_randomness);
struct pt_regs *regs = get_irq_regs();
unsigned long now = jiffies;
- __u32 input[4], cycles = get_cycles();
+ __u32 input[4], cycles = random_get_entropy();
input[0] = cycles ^ jiffies;
input[1] = irq;
@@ -1470,7 +1470,7 @@ unsigned int get_random_int(void)
hash = get_cpu_var(get_random_int_hash);
- hash[0] += current->pid + jiffies + get_cycles();
+ hash[0] += current->pid + jiffies + random_get_entropy();
md5_transform(hash, random_int_secret);
ret = hash[0];
put_cpu_var(get_random_int_hash);
diff --git a/include/linux/timex.h b/include/linux/timex.h
index 99bc88b..a647f36 100644
--- a/include/linux/timex.h
+++ b/include/linux/timex.h
@@ -173,6 +173,20 @@ struct timex {
#include <asm/timex.h>
+#ifndef random_get_entropy
+/*
+ * The random_get_entropy() function is used by the /dev/random driver
+ * in order to extract entropy via the relative unpredictability of
+ * when an interrupt takes places versus a high speed, fine-grained
+ * timing source or cycle counter. Since it will be occurred on every
+ * single interrupt, it must have a very low cost/overhead.
+ *
+ * By default we use get_cycles() for this purpose, but individual
+ * architectures may override this in their asm/timex.h header file.
+ */
+#define random_get_entropy() get_cycles()
+#endif
+
/*
* SHIFT_PLL is used as a dampening factor to define how much we
* adjust the frequency correction for a given offset in PLL mode.
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 12/64] ext4: fix memory leak in xattr
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (10 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 11/64] random: allow architectures to optionally define random_get_entropy() Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 13/64] parisc: fix interruption handler to respect pagefault_disable() Luis Henriques
` (51 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dave Jones, Theodore Ts'o, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Jones <davej@redhat.com>
commit 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc upstream.
If we take the 2nd retry path in ext4_expand_extra_isize_ea, we
potentionally return from the function without having freed these
allocations. If we don't do the return, we over-write the previous
allocation pointers, so we leak either way.
Spotted with Coverity.
[ Fixed by tytso to set is and bs to NULL after freeing these
pointers, in case in the retry loop we later end up triggering an
error causing a jump to cleanup, at which point we could have a double
free bug. -- Ted ]
Signed-off-by: Dave Jones <davej@fedoraproject.org>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
fs/ext4/xattr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 1d261e6..e979d5d 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1328,6 +1328,8 @@ retry:
s_min_extra_isize) {
tried_min_extra_isize++;
new_extra_isize = s_min_extra_isize;
+ kfree(is); is = NULL;
+ kfree(bs); bs = NULL;
goto retry;
}
error = -1;
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 13/64] parisc: fix interruption handler to respect pagefault_disable()
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (11 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 12/64] ext4: fix memory leak in xattr Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 14/64] mm, show_mem: suppress page counts in non-blockable contexts Luis Henriques
` (50 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Helge Deller, John David Anglin, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 59b33f148cc08fb33cbe823fca1e34f7f023765e upstream.
Running an "echo t > /proc/sysrq-trigger" crashes the parisc kernel. The
problem is, that in print_worker_info() we try to read the workqueue info via
the probe_kernel_read() functions which use pagefault_disable() to avoid
crashes like this:
probe_kernel_read(&pwq, &worker->current_pwq, sizeof(pwq));
probe_kernel_read(&wq, &pwq->wq, sizeof(wq));
probe_kernel_read(name, wq->name, sizeof(name) - 1);
The problem here is, that the first probe_kernel_read(&pwq) might return zero
in pwq and as such the following probe_kernel_reads() try to access contents of
the page zero which is read protected and generate a kernel segfault.
With this patch we fix the interruption handler to call parisc_terminate()
directly only if pagefault_disable() was not called (in which case
preempt_count()==0). Otherwise we hand over to the pagefault handler which
will try to look up the faulting address in the fixup tables.
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
arch/parisc/kernel/traps.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c
index 45ba99f..71d7d72 100644
--- a/arch/parisc/kernel/traps.c
+++ b/arch/parisc/kernel/traps.c
@@ -810,14 +810,14 @@ void notrace handle_interruption(int code, struct pt_regs *regs)
else {
/*
- * The kernel should never fault on its own address space.
+ * The kernel should never fault on its own address space,
+ * unless pagefault_disable() was called before.
*/
- if (fault_space == 0)
+ if (fault_space == 0 && !in_atomic())
{
pdc_chassis_send_status(PDC_CHASSIS_DIRECT_PANIC);
parisc_terminate("Kernel Fault", regs, code, fault_address);
-
}
}
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 14/64] mm, show_mem: suppress page counts in non-blockable contexts
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (12 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 13/64] parisc: fix interruption handler to respect pagefault_disable() Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 15/64] mm/mmap: check for RLIMIT_AS before unmapping Luis Henriques
` (49 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: David Rientjes, Mel Gorman, Dave Hansen, Andrew Morton,
Linus Torvalds, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: David Rientjes <rientjes@google.com>
commit 4b59e6c4730978679b414a8da61514a2518da512 upstream.
On large systems with a lot of memory, walking all RAM to determine page
types may take a half second or even more.
In non-blockable contexts, the page allocator will emit a page allocation
failure warning unless __GFP_NOWARN is specified. In such contexts, irqs
are typically disabled and such a lengthy delay may even result in NMI
watchdog timeouts.
To fix this, suppress the page walk in such contexts when printing the
page allocation failure warning.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Mel Gorman <mgorman@suse.de>
Acked-by: Michal Hocko <mhocko@suse.cz>
Cc: Dave Hansen <dave@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
arch/arm/mm/init.c | 3 +++
arch/ia64/mm/contig.c | 2 ++
arch/ia64/mm/discontig.c | 2 ++
arch/parisc/mm/init.c | 2 ++
arch/unicore32/mm/init.c | 3 +++
include/linux/mm.h | 3 ++-
lib/show_mem.c | 3 +++
mm/page_alloc.c | 7 +++++++
8 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/arch/arm/mm/init.c b/arch/arm/mm/init.c
index f54d592..01ad1f6 100644
--- a/arch/arm/mm/init.c
+++ b/arch/arm/mm/init.c
@@ -99,6 +99,9 @@ void show_mem(unsigned int filter)
printk("Mem-info:\n");
show_free_areas(filter);
+ if (filter & SHOW_MEM_FILTER_PAGE_COUNT)
+ return;
+
for_each_bank (i, mi) {
struct membank *bank = &mi->bank[i];
unsigned int pfn1, pfn2;
diff --git a/arch/ia64/mm/contig.c b/arch/ia64/mm/contig.c
index 1516d1d..f2652fc 100644
--- a/arch/ia64/mm/contig.c
+++ b/arch/ia64/mm/contig.c
@@ -47,6 +47,8 @@ void show_mem(unsigned int filter)
printk(KERN_INFO "Mem-info:\n");
show_free_areas(filter);
printk(KERN_INFO "Node memory in pages:\n");
+ if (filter & SHOW_MEM_FILTER_PAGE_COUNT)
+ return;
for_each_online_pgdat(pgdat) {
unsigned long present;
unsigned long flags;
diff --git a/arch/ia64/mm/discontig.c b/arch/ia64/mm/discontig.c
index c641333..2230817 100644
--- a/arch/ia64/mm/discontig.c
+++ b/arch/ia64/mm/discontig.c
@@ -623,6 +623,8 @@ void show_mem(unsigned int filter)
printk(KERN_INFO "Mem-info:\n");
show_free_areas(filter);
+ if (filter & SHOW_MEM_FILTER_PAGE_COUNT)
+ return;
printk(KERN_INFO "Node memory in pages:\n");
for_each_online_pgdat(pgdat) {
unsigned long present;
diff --git a/arch/parisc/mm/init.c b/arch/parisc/mm/init.c
index 3ac462d..cf2da13 100644
--- a/arch/parisc/mm/init.c
+++ b/arch/parisc/mm/init.c
@@ -697,6 +697,8 @@ void show_mem(unsigned int filter)
printk(KERN_INFO "Mem-info:\n");
show_free_areas(filter);
+ if (filter & SHOW_MEM_FILTER_PAGE_COUNT)
+ return;
#ifndef CONFIG_DISCONTIGMEM
i = max_mapnr;
while (i-- > 0) {
diff --git a/arch/unicore32/mm/init.c b/arch/unicore32/mm/init.c
index de186bd..6444828 100644
--- a/arch/unicore32/mm/init.c
+++ b/arch/unicore32/mm/init.c
@@ -66,6 +66,9 @@ void show_mem(unsigned int filter)
printk(KERN_DEFAULT "Mem-info:\n");
show_free_areas(filter);
+ if (filter & SHOW_MEM_FILTER_PAGE_COUNT)
+ return;
+
for_each_bank(i, mi) {
struct membank *bank = &mi->bank[i];
unsigned int pfn1, pfn2;
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 920beba..53eb728 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -868,7 +868,8 @@ extern void pagefault_out_of_memory(void);
* Flags passed to show_mem() and show_free_areas() to suppress output in
* various contexts.
*/
-#define SHOW_MEM_FILTER_NODES (0x0001u) /* filter disallowed nodes */
+#define SHOW_MEM_FILTER_NODES (0x0001u) /* disallowed nodes */
+#define SHOW_MEM_FILTER_PAGE_COUNT (0x0002u) /* page type count */
extern void show_free_areas(unsigned int flags);
extern bool skip_free_areas_node(unsigned int flags, int nid);
diff --git a/lib/show_mem.c b/lib/show_mem.c
index 4407f8c..b7c7231 100644
--- a/lib/show_mem.c
+++ b/lib/show_mem.c
@@ -18,6 +18,9 @@ void show_mem(unsigned int filter)
printk("Mem-Info:\n");
show_free_areas(filter);
+ if (filter & SHOW_MEM_FILTER_PAGE_COUNT)
+ return;
+
for_each_online_pgdat(pgdat) {
unsigned long i, flags;
diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index 63e6fa4..715b395 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1929,6 +1929,13 @@ void warn_alloc_failed(gfp_t gfp_mask, int order, const char *fmt, ...)
return;
/*
+ * Walking all memory to count page types is very expensive and should
+ * be inhibited in non-blockable contexts.
+ */
+ if (!(gfp_mask & __GFP_WAIT))
+ filter |= SHOW_MEM_FILTER_PAGE_COUNT;
+
+ /*
* This documents exceptions given to allocations in certain
* contexts that are allowed to allocate outside current's set
* of allowed nodes.
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 15/64] mm/mmap: check for RLIMIT_AS before unmapping
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (13 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 14/64] mm, show_mem: suppress page counts in non-blockable contexts Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 16/64] mm: do not grow the stack vma just because of an overrun on preceding vma Luis Henriques
` (48 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Cyril Hrubis, Andrew Morton, Linus Torvalds, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Cyril Hrubis <chrubis@suse.cz>
commit e8420a8ece80b3fe810415ecf061d54ca7fab266 upstream.
Fix a corner case for MAP_FIXED when requested mapping length is larger
than rlimit for virtual memory. In such case any overlapping mappings
are unmapped before we check for the limit and return ENOMEM.
The check is moved before the loop that unmaps overlapping parts of
existing mappings. When we are about to hit the limit (currently mapped
pages + len > limit) we scan for overlapping pages and check again
accounting for them.
This fixes situation when userspace program expects that the previous
mappings are preserved after the mmap() syscall has returned with error.
(POSIX clearly states that successfull mapping shall replace any
previous mappings.)
This corner case was found and can be tested with LTP testcase:
testcases/open_posix_testsuite/conformance/interfaces/mmap/24-2.c
In this case the mmap, which is clearly over current limit, unmaps
dynamic libraries and the testcase segfaults right after returning into
userspace.
I've also looked at the second instance of the unmapping loop in the
do_brk(). The do_brk() is called from brk() syscall and from vm_brk().
The brk() syscall checks for overlapping mappings and bails out when
there are any (so it can't be triggered from the brk syscall). The
vm_brk() is called only from binmft handlers so it shouldn't be
triggered unless binmft handler created overlapping mappings.
Signed-off-by: Cyril Hrubis <chrubis@suse.cz>
Reviewed-by: Mel Gorman <mgorman@suse.de>
Reviewed-by: Wanpeng Li <liwanp@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
mm/mmap.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 46 insertions(+), 4 deletions(-)
diff --git a/mm/mmap.c b/mm/mmap.c
index f1a9a72..74e0d0d 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -6,6 +6,7 @@
* Address space accounting code <alan@lxorguk.ukuu.org.uk>
*/
+#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/backing-dev.h>
#include <linux/mm.h>
@@ -393,6 +394,34 @@ find_vma_prepare(struct mm_struct *mm, unsigned long addr,
return vma;
}
+static unsigned long count_vma_pages_range(struct mm_struct *mm,
+ unsigned long addr, unsigned long end)
+{
+ unsigned long nr_pages = 0;
+ struct vm_area_struct *vma;
+
+ /* Find first overlaping mapping */
+ vma = find_vma_intersection(mm, addr, end);
+ if (!vma)
+ return 0;
+
+ nr_pages = (min(end, vma->vm_end) -
+ max(addr, vma->vm_start)) >> PAGE_SHIFT;
+
+ /* Iterate over the rest of the overlaps */
+ for (vma = vma->vm_next; vma; vma = vma->vm_next) {
+ unsigned long overlap_len;
+
+ if (vma->vm_start > end)
+ break;
+
+ overlap_len = min(end, vma->vm_end) - vma->vm_start;
+ nr_pages += overlap_len >> PAGE_SHIFT;
+ }
+
+ return nr_pages;
+}
+
void __vma_link_rb(struct mm_struct *mm, struct vm_area_struct *vma,
struct rb_node **rb_link, struct rb_node *rb_parent)
{
@@ -1228,6 +1257,23 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
unsigned long charged = 0;
struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
+ /* Check against address space limit. */
+ if (!may_expand_vm(mm, len >> PAGE_SHIFT)) {
+ unsigned long nr_pages;
+
+ /*
+ * MAP_FIXED may remove pages of mappings that intersects with
+ * requested mapping. Account for the pages it would unmap.
+ */
+ if (!(vm_flags & MAP_FIXED))
+ return -ENOMEM;
+
+ nr_pages = count_vma_pages_range(mm, addr, addr + len);
+
+ if (!may_expand_vm(mm, (len >> PAGE_SHIFT) - nr_pages))
+ return -ENOMEM;
+ }
+
/* Clear old maps */
error = -ENOMEM;
munmap_back:
@@ -1238,10 +1284,6 @@ munmap_back:
goto munmap_back;
}
- /* Check against address space limit. */
- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
- return -ENOMEM;
-
/*
* Set 'VM_NORESERVE' if we should not account for the
* memory use of this mapping.
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 16/64] mm: do not grow the stack vma just because of an overrun on preceding vma
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (14 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 15/64] mm/mmap: check for RLIMIT_AS before unmapping Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 17/64] xhci: Don't enable/disable RWE on bus suspend/resume Luis Henriques
` (47 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Linus Torvalds, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Torvalds <torvalds@linux-foundation.org>
commit 09884964335e85e897876d17783c2ad33cf8a2e0 upstream.
The stack vma is designed to grow automatically (marked with VM_GROWSUP
or VM_GROWSDOWN depending on architecture) when an access is made beyond
the existing boundary. However, particularly if you have not limited
your stack at all ("ulimit -s unlimited"), this can cause the stack to
grow even if the access was really just one past *another* segment.
And that's wrong, especially since we first grow the segment, but then
immediately later enforce the stack guard page on the last page of the
segment. So _despite_ first growing the stack segment as a result of
the access, the kernel will then make the access cause a SIGSEGV anyway!
So do the same logic as the guard page check does, and consider an
access to within one page of the next segment to be a bad access, rather
than growing the stack to abut the next segment.
Reported-and-tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
mm/mmap.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/mm/mmap.c b/mm/mmap.c
index 74e0d0d..7e24763 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1865,9 +1865,28 @@ int expand_downwards(struct vm_area_struct *vma,
return error;
}
+/*
+ * Note how expand_stack() refuses to expand the stack all the way to
+ * abut the next virtual mapping, *unless* that mapping itself is also
+ * a stack mapping. We want to leave room for a guard page, after all
+ * (the guard page itself is not added here, that is done by the
+ * actual page faulting logic)
+ *
+ * This matches the behavior of the guard page logic (see mm/memory.c:
+ * check_stack_guard_page()), which only allows the guard page to be
+ * removed under these circumstances.
+ */
#ifdef CONFIG_STACK_GROWSUP
int expand_stack(struct vm_area_struct *vma, unsigned long address)
{
+ struct vm_area_struct *next;
+
+ address &= PAGE_MASK;
+ next = vma->vm_next;
+ if (next && next->vm_start == address + PAGE_SIZE) {
+ if (!(next->vm_flags & VM_GROWSUP))
+ return -ENOMEM;
+ }
return expand_upwards(vma, address);
}
@@ -1890,6 +1909,14 @@ find_extend_vma(struct mm_struct *mm, unsigned long addr)
#else
int expand_stack(struct vm_area_struct *vma, unsigned long address)
{
+ struct vm_area_struct *prev;
+
+ address &= PAGE_MASK;
+ prev = vma->vm_prev;
+ if (prev && prev->vm_end == address) {
+ if (!(prev->vm_flags & VM_GROWSDOWN))
+ return -ENOMEM;
+ }
return expand_downwards(vma, address);
}
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 17/64] xhci: Don't enable/disable RWE on bus suspend/resume.
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (15 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 16/64] mm: do not grow the stack vma just because of an overrun on preceding vma Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 18/64] xhci: quirk for extra long delay for S4 Luis Henriques
` (46 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Sarah Sharp, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
commit f217c980ca980e3a645b7485ea5eae9a747f4945 upstream.
The RWE bit of the USB 2.0 PORTPMSC register is supposed to enable
remote wakeup for devices in the lower power link state L1. It has
nothing to do with the device suspend remote wakeup from L2. The RWE
bit is designed to be set once (when USB 2.0 LPM is enabled for the
port) and cleared only when USB 2.0 LPM is disabled for the port.
The xHCI bus suspend method was setting the RWE bit erroneously, and the
bus resume method was clearing it. The xHCI 1.0 specification with
errata up to Aug 12, 2012 says in section 4.23.5.1.1.1 "Hardware
Controlled LPM":
"While Hardware USB2 LPM is enabled, software shall not modify the
HIRDBESL or RWE fields of the USB2 PORTPMSC register..."
If we have previously enabled USB 2.0 LPM for a device, that means when
the USB 2.0 bus is resumed, we violate the xHCI specification by
clearing RWE. It also means that after a bus resume, the host would
think remote wakeup is disabled from L1 for ports with USB 2.0 Link PM
enabled, which is not what we want.
This patch should be backported to kernels as old as 3.2, that
contain the commit 65580b4321eb36f16ae8b5987bfa1bb948fc5112 "xHCI: set
USB2 hardware LPM". That was the first kernel that supported USB 2.0
Link PM.
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/usb/host/xhci-hub.c | 28 ----------------------------
1 file changed, 28 deletions(-)
diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
index b83a7b8..1b592dc 100644
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1067,20 +1067,6 @@ int xhci_bus_suspend(struct usb_hcd *hcd)
t1 = xhci_port_state_to_neutral(t1);
if (t1 != t2)
xhci_writel(xhci, t2, port_array[port_index]);
-
- if (hcd->speed != HCD_USB3) {
- /* enable remote wake up for USB 2.0 */
- __le32 __iomem *addr;
- u32 tmp;
-
- /* Add one to the port status register address to get
- * the port power control register address.
- */
- addr = port_array[port_index] + 1;
- tmp = xhci_readl(xhci, addr);
- tmp |= PORT_RWE;
- xhci_writel(xhci, tmp, addr);
- }
}
hcd->state = HC_STATE_SUSPENDED;
bus_state->next_statechange = jiffies + msecs_to_jiffies(10);
@@ -1159,20 +1145,6 @@ int xhci_bus_resume(struct usb_hcd *hcd)
xhci_ring_device(xhci, slot_id);
} else
xhci_writel(xhci, temp, port_array[port_index]);
-
- if (hcd->speed != HCD_USB3) {
- /* disable remote wake up for USB 2.0 */
- __le32 __iomem *addr;
- u32 tmp;
-
- /* Add one to the port status register address to get
- * the port power control register address.
- */
- addr = port_array[port_index] + 1;
- tmp = xhci_readl(xhci, addr);
- tmp &= ~PORT_RWE;
- xhci_writel(xhci, tmp, addr);
- }
}
(void) xhci_readl(xhci, &xhci->op_regs->command);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 18/64] xhci: quirk for extra long delay for S4
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (16 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 17/64] xhci: Don't enable/disable RWE on bus suspend/resume Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 19/64] xhci: Fix spurious wakeups after S5 on Haswell Luis Henriques
` (45 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Oliver Neukum, Sarah Sharp, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.de>
commit 455f58925247e8a1a1941e159f3636ad6ee4c90b upstream.
It has been reported that this chipset really cannot
sleep without this extraordinary delay.
This patch should be backported, in order to ensure this host functions
under stable kernels. The last quirk for Fresco Logic hosts (commit
bba18e33f25072ebf70fd8f7f0cdbf8cdb59a746 "xhci: Extend Fresco Logic MSI
quirk.") was backported to stable kernels as old as 2.6.36.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
[ luis: backported to 3.5:
- adjusted context
- replaced usage of xhci_dbg_trace() by xhci_dbg() ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/usb/host/xhci-pci.c | 8 ++++++++
drivers/usb/host/xhci.c | 7 ++++++-
drivers/usb/host/xhci.h | 1 +
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
index 5e3ef3e..8b218a4 100644
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -67,6 +67,14 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
xhci_dbg(xhci, "QUIRK: Fresco Logic xHC needs configure"
" endpoint cmd after reset endpoint\n");
}
+ if (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK &&
+ pdev->revision == 0x4) {
+ xhci->quirks |= XHCI_SLOW_SUSPEND;
+ xhci_dbg(xhci,
+ "QUIRK: Fresco Logic xHC revision %u"
+ "must be suspended extra slowly",
+ pdev->revision);
+ }
/* Fresco Logic confirms: all revisions of this chip do not
* support MSI, even though some of them claim to in their PCI
* capabilities.
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index eb31daa..10e10a6 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -883,6 +883,7 @@ static void xhci_clear_command_ring(struct xhci_hcd *xhci)
int xhci_suspend(struct xhci_hcd *xhci)
{
int rc = 0;
+ unsigned int delay = XHCI_MAX_HALT_USEC;
struct usb_hcd *hcd = xhci_to_hcd(xhci);
u32 command;
@@ -901,8 +902,12 @@ int xhci_suspend(struct xhci_hcd *xhci)
command = xhci_readl(xhci, &xhci->op_regs->command);
command &= ~CMD_RUN;
xhci_writel(xhci, command, &xhci->op_regs->command);
+
+ /* Some chips from Fresco Logic need an extraordinary delay */
+ delay *= (xhci->quirks & XHCI_SLOW_SUSPEND) ? 10 : 1;
+
if (handshake(xhci, &xhci->op_regs->status,
- STS_HALT, STS_HALT, XHCI_MAX_HALT_USEC)) {
+ STS_HALT, STS_HALT, delay)) {
xhci_warn(xhci, "WARN: xHC CMD_RUN timeout\n");
spin_unlock_irq(&xhci->lock);
return -ETIMEDOUT;
diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
index 9a97918..b15d034 100644
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1517,6 +1517,7 @@ struct xhci_hcd {
#define XHCI_COMP_MODE_QUIRK (1 << 14)
#define XHCI_AVOID_BEI (1 << 15)
#define XHCI_PLAT (1 << 16)
+#define XHCI_SLOW_SUSPEND (1 << 17)
unsigned int num_active_eps;
unsigned int limit_active_eps;
/* There are two roothubs to keep track of bus suspend info for */
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 19/64] xhci: Fix spurious wakeups after S5 on Haswell
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (17 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 18/64] xhci: quirk for extra long delay for S4 Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 20/64] USB: support new huawei devices in option.c Luis Henriques
` (44 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Oliver Neukum, Takashi Iwai, Sarah Sharp, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 638298dc66ea36623dbc2757a24fc2c4ab41b016 upstream.
Haswell LynxPoint and LynxPoint-LP with the recent Intel BIOS show
mysterious wakeups after shutdown occasionally. After discussing with
BIOS engineers, they explained that the new BIOS expects that the
wakeup sources are cleared and set to D3 for all wakeup devices when
the system is going to sleep or power off, but the current xhci driver
doesn't do this properly (partly intentionally).
This patch introduces a new quirk, XHCI_SPURIOUS_WAKEUP, for
fixing the spurious wakeups at S5 by calling xhci_reset() in the xhci
shutdown ops as done in xhci_stop(), and setting the device to PCI D3
at shutdown and remove ops.
The PCI D3 call is based on the initial fix patch by Oliver Neukum.
[Note: Sarah changed the quirk name from XHCI_HSW_SPURIOUS_WAKEUP to
XHCI_SPURIOUS_WAKEUP, since none of the other quirks have system names
in them. Sarah also fixed a collision with a quirk submitted around the
same time, by changing the xhci->quirks bit from 17 to 18.]
This patch should be backported to kernels as old as 3.0, that
contain the commit 1c12443ab8eba71a658fae4572147e56d1f84f66 "xhci: Add
Lynx Point to list of Intel switchable hosts."
Cc: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/usb/host/xhci-pci.c | 17 +++++++++++++++++
drivers/usb/host/xhci.c | 7 +++++++
drivers/usb/host/xhci.h | 1 +
3 files changed, 25 insertions(+)
diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
index 8b218a4..085d018 100644
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -34,6 +34,9 @@
#define PCI_VENDOR_ID_ETRON 0x1b6f
#define PCI_DEVICE_ID_ASROCK_P67 0x7023
+#define PCI_DEVICE_ID_INTEL_LYNXPOINT_XHCI 0x8c31
+#define PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI 0x9c31
+
static const char hcd_name[] = "xhci_hcd";
/* called after powerup, by probe or system-pm "wakeup" */
@@ -115,6 +118,15 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
xhci->quirks |= XHCI_SPURIOUS_REBOOT;
xhci->quirks |= XHCI_AVOID_BEI;
}
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+ (pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_XHCI ||
+ pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI)) {
+ /* Workaround for occasional spurious wakeups from S5 (or
+ * any other sleep) on Haswell machines with LPT and LPT-LP
+ * with the new Intel BIOS
+ */
+ xhci->quirks |= XHCI_SPURIOUS_WAKEUP;
+ }
if (pdev->vendor == PCI_VENDOR_ID_ETRON &&
pdev->device == PCI_DEVICE_ID_ASROCK_P67) {
xhci->quirks |= XHCI_RESET_ON_RESUME;
@@ -221,6 +233,11 @@ static void xhci_pci_remove(struct pci_dev *dev)
usb_put_hcd(xhci->shared_hcd);
}
usb_hcd_pci_remove(dev);
+
+ /* Workaround for spurious wakeups at shutdown with HSW */
+ if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
+ pci_set_power_state(dev, PCI_D3hot);
+
kfree(xhci);
}
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 10e10a6..8ef76d2 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -776,12 +776,19 @@ void xhci_shutdown(struct usb_hcd *hcd)
spin_lock_irq(&xhci->lock);
xhci_halt(xhci);
+ /* Workaround for spurious wakeups at shutdown with HSW */
+ if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
+ xhci_reset(xhci);
spin_unlock_irq(&xhci->lock);
xhci_cleanup_msix(xhci);
xhci_dbg(xhci, "xhci_shutdown completed - status = %x\n",
xhci_readl(xhci, &xhci->op_regs->status));
+
+ /* Yet another workaround for spurious wakeups at shutdown with HSW */
+ if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
+ pci_set_power_state(to_pci_dev(hcd->self.controller), PCI_D3hot);
}
#ifdef CONFIG_PM
diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
index b15d034..a3d5b54 100644
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1518,6 +1518,7 @@ struct xhci_hcd {
#define XHCI_AVOID_BEI (1 << 15)
#define XHCI_PLAT (1 << 16)
#define XHCI_SLOW_SUSPEND (1 << 17)
+#define XHCI_SPURIOUS_WAKEUP (1 << 18)
unsigned int num_active_eps;
unsigned int limit_active_eps;
/* There are two roothubs to keep track of bus suspend info for */
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 20/64] USB: support new huawei devices in option.c
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (18 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 19/64] xhci: Fix spurious wakeups after S5 on Haswell Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 21/64] USB: serial: ti_usb_3410_5052: add Abbott strip port ID to combined table as well Luis Henriques
` (43 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: fangxiaozhi, Greg Kroah-Hartman, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Fangxiaozhi (Franko)" <fangxiaozhi@huawei.com>
commit d544db293a44a2a3b09feab7dbd59668b692de71 upstream.
Add new supporting declarations to option.c, to support Huawei new
devices with new bInterfaceSubClass value.
Signed-off-by: fangxiaozhi <huananhu@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/usb/serial/option.c | 216 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 216 insertions(+)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index d0c2d20..743ce6b 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -703,6 +703,222 @@ static const struct usb_device_id option_ids[] = {
{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x7A) },
{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x7B) },
{ USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x02, 0x7C) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x01) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x02) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x03) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x04) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x05) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x06) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x0A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x0B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x0D) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x0E) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x0F) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x10) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x12) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x13) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x14) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x15) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x17) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x18) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x19) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x1A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x1B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x1C) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x31) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x32) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x33) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x34) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x35) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x36) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x3A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x3B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x3D) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x3E) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x3F) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x48) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x49) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x4A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x4B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x4C) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x61) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x62) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x63) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x64) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x65) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x66) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x6A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x6B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x6D) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x6E) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x6F) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x78) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x79) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x7A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x7B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x03, 0x7C) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x01) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x02) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x03) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x04) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x05) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x06) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x0A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x0B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x0D) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x0E) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x0F) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x10) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x12) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x13) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x14) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x15) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x17) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x18) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x19) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x1A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x1B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x1C) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x31) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x32) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x33) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x34) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x35) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x36) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x3A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x3B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x3D) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x3E) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x3F) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x48) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x49) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x4A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x4B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x4C) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x61) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x62) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x63) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x64) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x65) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x66) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x6A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x6B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x6D) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x6E) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x6F) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x78) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x79) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x7A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x7B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x04, 0x7C) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x01) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x02) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x03) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x04) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x05) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x06) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x0A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x0B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x0D) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x0E) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x0F) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x10) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x12) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x13) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x14) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x15) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x17) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x18) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x19) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x1A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x1B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x1C) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x31) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x32) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x33) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x34) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x35) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x36) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x3A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x3B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x3D) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x3E) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x3F) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x48) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x49) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x4A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x4B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x4C) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x61) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x62) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x63) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x64) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x65) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x66) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x6A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x6B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x6D) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x6E) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x6F) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x78) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x79) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x7A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x7B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x05, 0x7C) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x01) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x02) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x03) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x04) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x05) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x06) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x0A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x0B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x0D) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x0E) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x0F) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x10) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x12) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x13) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x14) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x15) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x17) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x18) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x19) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x1A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x1B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x1C) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x31) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x32) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x33) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x34) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x35) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x36) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x3A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x3B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x3D) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x3E) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x3F) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x48) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x49) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x4A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x4B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x4C) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x61) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x62) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x63) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x64) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x65) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x66) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x6A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x6B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x6D) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x6E) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x6F) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x78) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x79) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x7A) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x7B) },
+ { USB_VENDOR_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0xff, 0x06, 0x7C) },
{ USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V640) },
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 21/64] USB: serial: ti_usb_3410_5052: add Abbott strip port ID to combined table as well.
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (19 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 20/64] USB: support new huawei devices in option.c Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 22/64] USB: serial: option: add support for Inovia SEW858 device Luis Henriques
` (42 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Diego Elio Pettenò, Greg Kroah-Hartman, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Diego=20Elio=20Petten=C3=B2?= <flameeyes@flameeyes.eu>
commit c9d09dc7ad106492c17c587b6eeb99fe3f43e522 upstream.
Without this change, the USB cable for Freestyle Option and compatible
glucometers will not be detected by the driver.
Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/usb/serial/ti_usb_3410_5052.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c
index ea41faa..bb1e0c5 100644
--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -209,6 +209,7 @@ static struct usb_device_id ti_id_table_combined[19+2*TI_EXTRA_VID_PID_COUNT+1]
{ USB_DEVICE(IBM_VENDOR_ID, IBM_454B_PRODUCT_ID) },
{ USB_DEVICE(IBM_VENDOR_ID, IBM_454C_PRODUCT_ID) },
{ USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_PRODUCT_ID) },
+ { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STRIP_PORT_ID) },
{ USB_DEVICE(TI_VENDOR_ID, FRI2_PRODUCT_ID) },
{ }
};
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 22/64] USB: serial: option: add support for Inovia SEW858 device
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (20 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 21/64] USB: serial: ti_usb_3410_5052: add Abbott strip port ID to combined table as well Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 23/64] ARM: 7851/1: check for number of arguments in syscall_get/set_arguments() Luis Henriques
` (41 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Greg Kroah-Hartman, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f4c19b8e165cff1a6607c21f8809441d61cab7ec upstream.
This patch adds the device id for the Inovia SEW858 device to the option driver.
Reported-by: Pavel Parkhomenko <ra85551@gmail.com>
Tested-by: Pavel Parkhomenko <ra85551@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/usb/serial/option.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 743ce6b..4460d63 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -457,6 +457,10 @@ static void option_instat_callback(struct urb *urb);
#define CHANGHONG_VENDOR_ID 0x2077
#define CHANGHONG_PRODUCT_CH690 0x7001
+/* Inovia */
+#define INOVIA_VENDOR_ID 0x20a6
+#define INOVIA_SEW858 0x1105
+
/* some devices interfaces need special handling due to a number of reasons */
enum option_blacklist_reason {
OPTION_BLACKLIST_NONE = 0,
@@ -1583,6 +1587,7 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */
+ { USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 23/64] ARM: 7851/1: check for number of arguments in syscall_get/set_arguments()
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (21 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 22/64] USB: serial: option: add support for Inovia SEW858 device Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 24/64] USB: quirks.c: add one device that cannot deal with suspension Luis Henriques
` (40 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: AKASHI Takahiro, Will Deacon, Russell King, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
commit 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a upstream.
In ftrace_syscall_enter(),
syscall_get_arguments(..., 0, n, ...)
if (i == 0) { <handle ORIG_r0> ...; n--;}
memcpy(..., n * sizeof(args[0]));
If 'number of arguments(n)' is zero and 'argument index(i)' is also zero in
syscall_get_arguments(), none of arguments should be copied by memcpy().
Otherwise 'n--' can be a big positive number and unexpected amount of data
will be copied. Tracing system calls which take no argument, say sync(void),
may hit this case and eventually make the system corrupted.
This patch fixes the issue both in syscall_get_arguments() and
syscall_set_arguments().
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
arch/arm/include/asm/syscall.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/arm/include/asm/syscall.h b/arch/arm/include/asm/syscall.h
index fce38a6..36b69df 100644
--- a/arch/arm/include/asm/syscall.h
+++ b/arch/arm/include/asm/syscall.h
@@ -51,6 +51,9 @@ static inline void syscall_get_arguments(struct task_struct *task,
unsigned int i, unsigned int n,
unsigned long *args)
{
+ if (n == 0)
+ return;
+
if (i + n > SYSCALL_MAX_ARGS) {
unsigned long *args_bad = args + SYSCALL_MAX_ARGS - i;
unsigned int n_bad = n + i - SYSCALL_MAX_ARGS;
@@ -75,6 +78,9 @@ static inline void syscall_set_arguments(struct task_struct *task,
unsigned int i, unsigned int n,
const unsigned long *args)
{
+ if (n == 0)
+ return;
+
if (i + n > SYSCALL_MAX_ARGS) {
pr_warning("%s called with max args %d, handling only %d\n",
__func__, i + n, SYSCALL_MAX_ARGS);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 24/64] USB: quirks.c: add one device that cannot deal with suspension
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (22 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 23/64] ARM: 7851/1: check for number of arguments in syscall_get/set_arguments() Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 25/64] dm snapshot: fix data corruption Luis Henriques
` (39 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Oliver Neukum, Greg Kroah-Hartman, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.de>
commit 4294bca7b423d1a5aa24307e3d112a04075e3763 upstream.
The device is not responsive when resumed, unless it is reset.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
index d67ff42..daaf9fa 100644
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -155,6 +155,9 @@ static const struct usb_device_id usb_quirk_list[] = {
/* Broadcom BCM92035DGROM BT dongle */
{ USB_DEVICE(0x0a5c, 0x2021), .driver_info = USB_QUIRK_RESET_RESUME },
+ /* MAYA44USB sound device */
+ { USB_DEVICE(0x0a92, 0x0091), .driver_info = USB_QUIRK_RESET_RESUME },
+
/* Action Semiconductor flash disk */
{ USB_DEVICE(0x10d6, 0x2200), .driver_info =
USB_QUIRK_STRING_FETCH_255 },
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 25/64] dm snapshot: fix data corruption
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (23 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 24/64] USB: quirks.c: add one device that cannot deal with suspension Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 26/64] USB: quirks: add touchscreen that is dazzeled by remote wakeup Luis Henriques
` (38 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mikulas Patocka, Mike Snitzer, Alasdair G Kergon, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit e9c6a182649f4259db704ae15a91ac820e63b0ca upstream.
This patch fixes a particular type of data corruption that has been
encountered when loading a snapshot's metadata from disk.
When we allocate a new chunk in persistent_prepare, we increment
ps->next_free and we make sure that it doesn't point to a metadata area
by further incrementing it if necessary.
When we load metadata from disk on device activation, ps->next_free is
positioned after the last used data chunk. However, if this last used
data chunk is followed by a metadata area, ps->next_free is positioned
erroneously to the metadata area. A newly-allocated chunk is placed at
the same location as the metadata area, resulting in data or metadata
corruption.
This patch changes the code so that ps->next_free skips the metadata
area when metadata are loaded in function read_exceptions.
The patch also moves a piece of code from persistent_prepare_exception
to a separate function skip_metadata to avoid code duplication.
CVE-2013-4299
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/md/dm-snap-persistent.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/drivers/md/dm-snap-persistent.c b/drivers/md/dm-snap-persistent.c
index 4caa8e6..2d2b1b7 100644
--- a/drivers/md/dm-snap-persistent.c
+++ b/drivers/md/dm-snap-persistent.c
@@ -269,6 +269,14 @@ static chunk_t area_location(struct pstore *ps, chunk_t area)
return NUM_SNAPSHOT_HDR_CHUNKS + ((ps->exceptions_per_area + 1) * area);
}
+static void skip_metadata(struct pstore *ps)
+{
+ uint32_t stride = ps->exceptions_per_area + 1;
+ chunk_t next_free = ps->next_free;
+ if (sector_div(next_free, stride) == NUM_SNAPSHOT_HDR_CHUNKS)
+ ps->next_free++;
+}
+
/*
* Read or write a metadata area. Remembering to skip the first
* chunk which holds the header.
@@ -502,6 +510,8 @@ static int read_exceptions(struct pstore *ps,
ps->current_area--;
+ skip_metadata(ps);
+
return 0;
}
@@ -616,8 +626,6 @@ static int persistent_prepare_exception(struct dm_exception_store *store,
struct dm_exception *e)
{
struct pstore *ps = get_info(store);
- uint32_t stride;
- chunk_t next_free;
sector_t size = get_dev_size(dm_snap_cow(store->snap)->bdev);
/* Is there enough room ? */
@@ -630,10 +638,8 @@ static int persistent_prepare_exception(struct dm_exception_store *store,
* Move onto the next free pending, making sure to take
* into account the location of the metadata chunks.
*/
- stride = (ps->exceptions_per_area + 1);
- next_free = ++ps->next_free;
- if (sector_div(next_free, stride) == 1)
- ps->next_free++;
+ ps->next_free++;
+ skip_metadata(ps);
atomic_inc(&ps->pending_count);
return 0;
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 26/64] USB: quirks: add touchscreen that is dazzeled by remote wakeup
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (24 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 25/64] dm snapshot: fix data corruption Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 27/64] usb: serial: option: blacklist Olivetti Olicard200 Luis Henriques
` (37 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Oliver Neukum, Greg Kroah-Hartman, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.de>
commit 614ced91fc6fbb5a1cdd12f0f1b6c9197d9f1350 upstream.
The device descriptors are messed up after remote wakeup
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
index daaf9fa..987d3ef 100644
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -122,6 +122,9 @@ static const struct usb_device_id usb_quirk_list[] = {
/* Alcor Micro Corp. Hub */
{ USB_DEVICE(0x058f, 0x9254), .driver_info = USB_QUIRK_RESET_RESUME },
+ /* MicroTouch Systems touchscreen */
+ { USB_DEVICE(0x0596, 0x051e), .driver_info = USB_QUIRK_RESET_RESUME },
+
/* appletouch */
{ USB_DEVICE(0x05ac, 0x021a), .driver_info = USB_QUIRK_RESET_RESUME },
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 27/64] usb: serial: option: blacklist Olivetti Olicard200
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (25 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 26/64] USB: quirks: add touchscreen that is dazzeled by remote wakeup Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 28/64] usb-storage: add quirk for mandatory READ_CAPACITY_16 Luis Henriques
` (36 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Enrico Mioso, Antonella Pellizzari, Greg Kroah-Hartman, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Enrico Mioso <mrkiko.rs@gmail.com>
commit fd8573f5828873343903215f203f14dc82de397c upstream.
Interface 6 of this device speaks QMI as per tests done by us.
Credits go to Antonella for providing the hardware.
Signed-off-by: Enrico Mioso <mrkiko.rs@gmail.com>
Signed-off-by: Antonella Pellizzari <anto.pellizzari83@gmail.com>
Tested-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/usb/serial/option.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 4460d63..c4b313f 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1499,7 +1499,9 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD100) },
{ USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD145) },
- { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD200) },
+ { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD200),
+ .driver_info = (kernel_ulong_t)&net_intf6_blacklist
+ },
{ USB_DEVICE(CELOT_VENDOR_ID, CELOT_PRODUCT_CT680M) }, /* CT-650 CDMA 450 1xEVDO modem */
{ USB_DEVICE_AND_INTERFACE_INFO(SAMSUNG_VENDOR_ID, SAMSUNG_PRODUCT_GT_B3730, USB_CLASS_CDC_DATA, 0x00, 0x00) }, /* Samsung GT-B3730 LTE USB modem.*/
{ USB_DEVICE(YUGA_VENDOR_ID, YUGA_PRODUCT_CEM600) },
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 28/64] usb-storage: add quirk for mandatory READ_CAPACITY_16
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (26 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 27/64] usb: serial: option: blacklist Olivetti Olicard200 Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 29/64] fs: buffer: move allocation failure loop into the allocator Luis Henriques
` (35 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Oliver Neukum, Greg Kroah-Hartman, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.de>
commit 32c37fc30c52508711ea6a108cfd5855b8a07176 upstream.
Some USB drive enclosures do not correctly report an
overflow condition if they hold a drive with a capacity
over 2TB and are confronted with a READ_CAPACITY_10.
They answer with their capacity modulo 2TB.
The generic layer cannot cope with that. It must be told
to use READ_CAPACITY_16 from the beginning.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/usb/storage/scsiglue.c | 5 ++++-
drivers/usb/storage/unusual_devs.h | 7 +++++++
include/linux/usb_usual.h | 4 +++-
3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c
index 11418da..a6e4c4a 100644
--- a/drivers/usb/storage/scsiglue.c
+++ b/drivers/usb/storage/scsiglue.c
@@ -205,8 +205,11 @@ static int slave_configure(struct scsi_device *sdev)
/*
* Many devices do not respond properly to READ_CAPACITY_16.
* Tell the SCSI layer to try READ_CAPACITY_10 first.
+ * However some USB 3.0 drive enclosures return capacity
+ * modulo 2TB. Those must use READ_CAPACITY_16
*/
- sdev->try_rc_10_first = 1;
+ if (!(us->fflags & US_FL_NEEDS_CAP16))
+ sdev->try_rc_10_first = 1;
/* assume SPC3 or latter devices support sense size > 18 */
if (sdev->scsi_level > SCSI_SPC_2)
diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
index ae14acd..7da68c4 100644
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -1905,6 +1905,13 @@ UNUSUAL_DEV( 0x1652, 0x6600, 0x0201, 0x0201,
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_IGNORE_RESIDUE ),
+/* Reported by Oliver Neukum <oneukum@suse.com> */
+UNUSUAL_DEV( 0x174c, 0x55aa, 0x0100, 0x0100,
+ "ASMedia",
+ "AS2105",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NEEDS_CAP16),
+
/* Reported by Jesse Feddema <jdfeddema@gmail.com> */
UNUSUAL_DEV( 0x177f, 0x0400, 0x0000, 0x0000,
"Yarvik",
diff --git a/include/linux/usb_usual.h b/include/linux/usb_usual.h
index 17df360..425bc8b 100644
--- a/include/linux/usb_usual.h
+++ b/include/linux/usb_usual.h
@@ -64,7 +64,9 @@
US_FLAG(NO_READ_CAPACITY_16, 0x00080000) \
/* cannot handle READ_CAPACITY_16 */ \
US_FLAG(INITIAL_READ10, 0x00100000) \
- /* Initial READ(10) (and others) must be retried */
+ /* Initial READ(10) (and others) must be retried */ \
+ US_FLAG(NEEDS_CAP16, 0x00400000)
+ /* cannot handle READ_CAPACITY_10 */
#define US_FLAG(name, value) US_FL_##name = value ,
enum { US_DO_ALL_FLAGS };
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 29/64] fs: buffer: move allocation failure loop into the allocator
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (27 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 28/64] usb-storage: add quirk for mandatory READ_CAPACITY_16 Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-31 14:00 ` Johannes Weiner
2013-10-28 14:47 ` [PATCH 3.5 30/64] writeback: fix negative bdi max pause Luis Henriques
` (34 subsequent siblings)
63 siblings, 1 reply; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Johannes Weiner, Michal Hocko, Andrew Morton, Linus Torvalds,
Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Weiner <hannes@cmpxchg.org>
commit 84235de394d9775bfaa7fa9762a59d91fef0c1fc upstream.
Buffer allocation has a very crude indefinite loop around waking the
flusher threads and performing global NOFS direct reclaim because it can
not handle allocation failures.
The most immediate problem with this is that the allocation may fail due
to a memory cgroup limit, where flushers + direct reclaim might not make
any progress towards resolving the situation at all. Because unlike the
global case, a memory cgroup may not have any cache at all, only
anonymous pages but no swap. This situation will lead to a reclaim
livelock with insane IO from waking the flushers and thrashing unrelated
filesystem cache in a tight loop.
Use __GFP_NOFAIL allocations for buffers for now. This makes sure that
any looping happens in the page allocator, which knows how to
orchestrate kswapd, direct reclaim, and the flushers sensibly. It also
allows memory cgroups to detect allocations that can't handle failure
and will allow them to ultimately bypass the limit if reclaim can not
make progress.
Reported-by: azurIt <azurit@pobox.sk>
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
fs/buffer.c | 14 ++++++++++++--
mm/memcontrol.c | 2 ++
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/fs/buffer.c b/fs/buffer.c
index 2c78739..2675e5a 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -957,9 +957,19 @@ grow_dev_page(struct block_device *bdev, sector_t block,
struct buffer_head *bh;
sector_t end_block;
int ret = 0; /* Will call free_more_memory() */
+ gfp_t gfp_mask;
- page = find_or_create_page(inode->i_mapping, index,
- (mapping_gfp_mask(inode->i_mapping) & ~__GFP_FS)|__GFP_MOVABLE);
+ gfp_mask = mapping_gfp_mask(inode->i_mapping) & ~__GFP_FS;
+ gfp_mask |= __GFP_MOVABLE;
+ /*
+ * XXX: __getblk_slow() can not really deal with failure and
+ * will endlessly loop on improvised global reclaim. Prefer
+ * looping in the allocator rather than here, at least that
+ * code knows what it's doing.
+ */
+ gfp_mask |= __GFP_NOFAIL;
+
+ page = find_or_create_page(inode->i_mapping, index, gfp_mask);
if (!page)
return ret;
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 226b63e..953bf3c 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -2405,6 +2405,8 @@ done:
return 0;
nomem:
*ptr = NULL;
+ if (gfp_mask & __GFP_NOFAIL)
+ return 0;
return -ENOMEM;
bypass:
*ptr = root_mem_cgroup;
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 30/64] writeback: fix negative bdi max pause
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (28 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 29/64] fs: buffer: move allocation failure loop into the allocator Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 31/64] powerpc/pseries/lparcfg: Fix possible overflow are more than 1026 Luis Henriques
` (33 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Fengguang Wu, Richard Weinberger, Geert Uytterhoeven,
Andrew Morton, Linus Torvalds, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Fengguang Wu <fengguang.wu@intel.com>
commit e3b6c655b91e01a1dade056cfa358581b47a5351 upstream.
Toralf runs trinity on UML/i386. After some time it hangs and the last
message line is
BUG: soft lockup - CPU#0 stuck for 22s! [trinity-child0:1521]
It's found that pages_dirtied becomes very large. More than 1000000000
pages in this case:
period = HZ * pages_dirtied / task_ratelimit;
BUG_ON(pages_dirtied > 2000000000);
BUG_ON(pages_dirtied > 1000000000); <---------
UML debug printf shows that we got negative pause here:
ick: pause : -984
ick: pages_dirtied : 0
ick: task_ratelimit: 0
pause:
+ if (pause < 0) {
+ extern int printf(char *, ...);
+ printf("ick : pause : %li\n", pause);
+ printf("ick: pages_dirtied : %lu\n", pages_dirtied);
+ printf("ick: task_ratelimit: %lu\n", task_ratelimit);
+ BUG_ON(1);
+ }
trace_balance_dirty_pages(bdi,
Since pause is bounded by [min_pause, max_pause] where min_pause is also
bounded by max_pause. It's suspected and demonstrated that the
max_pause calculation goes wrong:
ick: pause : -717
ick: min_pause : -177
ick: max_pause : -717
ick: pages_dirtied : 14
ick: task_ratelimit: 0
The problem lies in the two "long = unsigned long" assignments in
bdi_max_pause() which might go negative if the highest bit is 1, and the
min_t(long, ...) check failed to protect it falling under 0. Fix all of
them by using "unsigned long" throughout the function.
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Reported-by: Toralf Förster <toralf.foerster@gmx.de>
Tested-by: Toralf Förster <toralf.foerster@gmx.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Richard Weinberger <richard@nod.at>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
mm/page-writeback.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/mm/page-writeback.c b/mm/page-writeback.c
index e252db8..194cc02 100644
--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -1072,11 +1072,11 @@ static unsigned long dirty_poll_interval(unsigned long dirty,
return 1;
}
-static long bdi_max_pause(struct backing_dev_info *bdi,
- unsigned long bdi_dirty)
+static unsigned long bdi_max_pause(struct backing_dev_info *bdi,
+ unsigned long bdi_dirty)
{
- long bw = bdi->avg_write_bandwidth;
- long t;
+ unsigned long bw = bdi->avg_write_bandwidth;
+ unsigned long t;
/*
* Limit pause time for small memory systems. If sleeping for too long
@@ -1088,7 +1088,7 @@ static long bdi_max_pause(struct backing_dev_info *bdi,
t = bdi_dirty / (1 + bw / roundup_pow_of_two(1 + HZ / 8));
t++;
- return min_t(long, t, MAX_PAUSE);
+ return min_t(unsigned long, t, MAX_PAUSE);
}
static long bdi_min_pause(struct backing_dev_info *bdi,
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 31/64] powerpc/pseries/lparcfg: Fix possible overflow are more than 1026
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (29 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 30/64] writeback: fix negative bdi max pause Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 32/64] powerpc: Restore registers on error exit from csum_partial_copy_generic() Luis Henriques
` (32 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Chen Gang, Benjamin Herrenschmidt, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Gang <gang.chen@asianux.com>
commit 5676005acf26ab7e924a8438ea4746e47d405762 upstream.
need set '\0' for 'local_buffer'.
SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of
rtas_data_buf may truncated in memcpy.
if contents are really truncated.
the splpar_strlen is more than 1026. the next while loop checking will
not find the end of buffer. that will cause memory access violation.
Signed-off-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
arch/powerpc/kernel/lparcfg.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/powerpc/kernel/lparcfg.c b/arch/powerpc/kernel/lparcfg.c
index 7ebbae0..f62fda1 100644
--- a/arch/powerpc/kernel/lparcfg.c
+++ b/arch/powerpc/kernel/lparcfg.c
@@ -307,6 +307,7 @@ static void parse_system_parameter_string(struct seq_file *m)
__pa(rtas_data_buf),
RTAS_DATA_BUF_SIZE);
memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH);
+ local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';
spin_unlock(&rtas_data_buf_lock);
if (call_status != 0) {
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 32/64] powerpc: Restore registers on error exit from csum_partial_copy_generic()
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (30 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 31/64] powerpc/pseries/lparcfg: Fix possible overflow are more than 1026 Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 33/64] nilfs2: fix issue with race condition of competition between segments for dirty blocks Luis Henriques
` (31 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Paul E. McKenney, Anton Blanchard, Benjamin Herrenschmidt,
Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
commit 8f21bd0090052e740944f9397e2be5ac7957ded7 upstream.
The csum_partial_copy_generic() function saves the PowerPC non-volatile
r14, r15, and r16 registers for the main checksum-and-copy loop.
Unfortunately, it fails to restore them upon error exit from this loop,
which results in silent corruption of these registers in the presumably
rare event of an access exception within that loop.
This commit therefore restores these register on error exit from the loop.
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
[ luis: backported to 3.5:
- following bwh's port to 3.2 kernel, register name macros use
lower-case 'r' ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
arch/powerpc/lib/checksum_64.S | 54 +++++++++++++++++++++++++++++++-----------
1 file changed, 40 insertions(+), 14 deletions(-)
diff --git a/arch/powerpc/lib/checksum_64.S b/arch/powerpc/lib/checksum_64.S
index afa2eba..3cdbc64 100644
--- a/arch/powerpc/lib/checksum_64.S
+++ b/arch/powerpc/lib/checksum_64.S
@@ -229,19 +229,35 @@ _GLOBAL(csum_partial)
blr
- .macro source
+ .macro srcnr
100:
.section __ex_table,"a"
.align 3
- .llong 100b,.Lsrc_error
+ .llong 100b,.Lsrc_error_nr
.previous
.endm
- .macro dest
+ .macro source
+150:
+ .section __ex_table,"a"
+ .align 3
+ .llong 150b,.Lsrc_error
+ .previous
+ .endm
+
+ .macro dstnr
200:
.section __ex_table,"a"
.align 3
- .llong 200b,.Ldest_error
+ .llong 200b,.Ldest_error_nr
+ .previous
+ .endm
+
+ .macro dest
+250:
+ .section __ex_table,"a"
+ .align 3
+ .llong 250b,.Ldest_error
.previous
.endm
@@ -277,11 +293,11 @@ _GLOBAL(csum_partial_copy_generic)
mtctr r6
1:
-source; lhz r6,0(r3) /* align to doubleword */
+srcnr; lhz r6,0(r3) /* align to doubleword */
subi r5,r5,2
addi r3,r3,2
adde r0,r0,r6
-dest; sth r6,0(r4)
+dstnr; sth r6,0(r4)
addi r4,r4,2
bdnz 1b
@@ -395,10 +411,10 @@ dest; std r16,56(r4)
mtctr r6
3:
-source; ld r6,0(r3)
+srcnr; ld r6,0(r3)
addi r3,r3,8
adde r0,r0,r6
-dest; std r6,0(r4)
+dstnr; std r6,0(r4)
addi r4,r4,8
bdnz 3b
@@ -408,10 +424,10 @@ dest; std r6,0(r4)
srdi. r6,r5,2
beq .Lcopy_tail_halfword
-source; lwz r6,0(r3)
+srcnr; lwz r6,0(r3)
addi r3,r3,4
adde r0,r0,r6
-dest; stw r6,0(r4)
+dstnr; stw r6,0(r4)
addi r4,r4,4
subi r5,r5,4
@@ -419,10 +435,10 @@ dest; stw r6,0(r4)
srdi. r6,r5,1
beq .Lcopy_tail_byte
-source; lhz r6,0(r3)
+srcnr; lhz r6,0(r3)
addi r3,r3,2
adde r0,r0,r6
-dest; sth r6,0(r4)
+dstnr; sth r6,0(r4)
addi r4,r4,2
subi r5,r5,2
@@ -430,10 +446,10 @@ dest; sth r6,0(r4)
andi. r6,r5,1
beq .Lcopy_finish
-source; lbz r6,0(r3)
+srcnr; lbz r6,0(r3)
sldi r9,r6,8 /* Pad the byte out to 16 bits */
adde r0,r0,r9
-dest; stb r6,0(r4)
+dstnr; stb r6,0(r4)
.Lcopy_finish:
addze r0,r0 /* add in final carry */
@@ -443,6 +459,11 @@ dest; stb r6,0(r4)
blr
.Lsrc_error:
+ ld r14,STK_REG(r14)(r1)
+ ld r15,STK_REG(r15)(r1)
+ ld r16,STK_REG(r16)(r1)
+ addi r1,r1,STACKFRAMESIZE
+.Lsrc_error_nr:
cmpdi 0,r7,0
beqlr
li r6,-EFAULT
@@ -450,6 +471,11 @@ dest; stb r6,0(r4)
blr
.Ldest_error:
+ ld r14,STK_REG(r14)(r1)
+ ld r15,STK_REG(r15)(r1)
+ ld r16,STK_REG(r16)(r1)
+ addi r1,r1,STACKFRAMESIZE
+.Ldest_error_nr:
cmpdi 0,r8,0
beqlr
li r6,-EFAULT
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 33/64] nilfs2: fix issue with race condition of competition between segments for dirty blocks
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (31 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 32/64] powerpc: Restore registers on error exit from csum_partial_copy_generic() Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 34/64] fuse: hotfix truncate_pagecache() issue Luis Henriques
` (30 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Paul Fertser, ARAI Shun-ichi, Piotr Szymaniak,
Juan Barry Manuel Canham, Zahid Chowdhury, Elmer Zhang,
Kenneth Langga, Vyacheslav Dubeyko, Andrew Morton,
Linus Torvalds, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Vyacheslav Dubeyko <slava@dubeyko.com>
commit 7f42ec3941560f0902fe3671e36f2c20ffd3af0a upstream.
Many NILFS2 users were reported about strange file system corruption
(for example):
NILFS: bad btree node (blocknr=185027): level = 0, flags = 0x0, nchildren = 768
NILFS error (device sda4): nilfs_bmap_last_key: broken bmap (inode number=11540)
But such error messages are consequence of file system's issue that takes
place more earlier. Fortunately, Jerome Poulin <jeromepoulin@gmail.com>
and Anton Eliasson <devel@antoneliasson.se> were reported about another
issue not so recently. These reports describe the issue with segctor
thread's crash:
BUG: unable to handle kernel paging request at 0000000000004c83
IP: nilfs_end_page_io+0x12/0xd0 [nilfs2]
Call Trace:
nilfs_segctor_do_construct+0xf25/0x1b20 [nilfs2]
nilfs_segctor_construct+0x17b/0x290 [nilfs2]
nilfs_segctor_thread+0x122/0x3b0 [nilfs2]
kthread+0xc0/0xd0
ret_from_fork+0x7c/0xb0
These two issues have one reason. This reason can raise third issue
too. Third issue results in hanging of segctor thread with eating of
100% CPU.
REPRODUCING PATH:
One of the possible way or the issue reproducing was described by
Jermoe me Poulin <jeromepoulin@gmail.com>:
1. init S to get to single user mode.
2. sysrq+E to make sure only my shell is running
3. start network-manager to get my wifi connection up
4. login as root and launch "screen"
5. cd /boot/log/nilfs which is a ext3 mount point and can log when NILFS dies.
6. lscp | xz -9e > lscp.txt.xz
7. mount my snapshot using mount -o cp=3360839,ro /dev/vgUbuntu/root /mnt/nilfs
8. start a screen to dump /proc/kmsg to text file since rsyslog is killed
9. start a screen and launch strace -f -o find-cat.log -t find
/mnt/nilfs -type f -exec cat {} > /dev/null \;
10. start a screen and launch strace -f -o apt-get.log -t apt-get update
11. launch the last command again as it did not crash the first time
12. apt-get crashes
13. ps aux > ps-aux-crashed.log
13. sysrq+W
14. sysrq+E wait for everything to terminate
15. sysrq+SUSB
Simplified way of the issue reproducing is starting kernel compilation
task and "apt-get update" in parallel.
REPRODUCIBILITY:
The issue is reproduced not stable [60% - 80%]. It is very important to
have proper environment for the issue reproducing. The critical
conditions for successful reproducing:
(1) It should have big modified file by mmap() way.
(2) This file should have the count of dirty blocks are greater that
several segments in size (for example, two or three) from time to time
during processing.
(3) It should be intensive background activity of files modification
in another thread.
INVESTIGATION:
First of all, it is possible to see that the reason of crash is not valid
page address:
NILFS [nilfs_segctor_complete_write]:2100 bh->b_count 0, bh->b_blocknr 13895680, bh->b_size 13897727, bh->b_page 0000000000001a82
NILFS [nilfs_segctor_complete_write]:2101 segbuf->sb_segnum 6783
Moreover, value of b_page (0x1a82) is 6786. This value looks like segment
number. And b_blocknr with b_size values look like block numbers. So,
buffer_head's pointer points on not proper address value.
Detailed investigation of the issue is discovered such picture:
[-----------------------------SEGMENT 6783-------------------------------]
NILFS [nilfs_segctor_do_construct]:2310 nilfs_segctor_begin_construction
NILFS [nilfs_segctor_do_construct]:2321 nilfs_segctor_collect
NILFS [nilfs_segctor_do_construct]:2336 nilfs_segctor_assign
NILFS [nilfs_segctor_do_construct]:2367 nilfs_segctor_update_segusage
NILFS [nilfs_segctor_do_construct]:2371 nilfs_segctor_prepare_write
NILFS [nilfs_segctor_do_construct]:2376 nilfs_add_checksums_on_logs
NILFS [nilfs_segctor_do_construct]:2381 nilfs_segctor_write
NILFS [nilfs_segbuf_submit_bio]:464 bio->bi_sector 111149024, segbuf->sb_segnum 6783
[-----------------------------SEGMENT 6784-------------------------------]
NILFS [nilfs_segctor_do_construct]:2310 nilfs_segctor_begin_construction
NILFS [nilfs_segctor_do_construct]:2321 nilfs_segctor_collect
NILFS [nilfs_lookup_dirty_data_buffers]:782 bh->b_count 1, bh->b_page ffffea000709b000, page->index 0, i_ino 1033103, i_size 25165824
NILFS [nilfs_lookup_dirty_data_buffers]:783 bh->b_assoc_buffers.next ffff8802174a6798, bh->b_assoc_buffers.prev ffff880221cffee8
NILFS [nilfs_segctor_do_construct]:2336 nilfs_segctor_assign
NILFS [nilfs_segctor_do_construct]:2367 nilfs_segctor_update_segusage
NILFS [nilfs_segctor_do_construct]:2371 nilfs_segctor_prepare_write
NILFS [nilfs_segctor_do_construct]:2376 nilfs_add_checksums_on_logs
NILFS [nilfs_segctor_do_construct]:2381 nilfs_segctor_write
NILFS [nilfs_segbuf_submit_bh]:575 bh->b_count 1, bh->b_page ffffea000709b000, page->index 0, i_ino 1033103, i_size 25165824
NILFS [nilfs_segbuf_submit_bh]:576 segbuf->sb_segnum 6784
NILFS [nilfs_segbuf_submit_bh]:577 bh->b_assoc_buffers.next ffff880218a0d5f8, bh->b_assoc_buffers.prev ffff880218bcdf50
NILFS [nilfs_segbuf_submit_bio]:464 bio->bi_sector 111150080, segbuf->sb_segnum 6784, segbuf->sb_nbio 0
[----------] ditto
NILFS [nilfs_segbuf_submit_bio]:464 bio->bi_sector 111164416, segbuf->sb_segnum 6784, segbuf->sb_nbio 15
[-----------------------------SEGMENT 6785-------------------------------]
NILFS [nilfs_segctor_do_construct]:2310 nilfs_segctor_begin_construction
NILFS [nilfs_segctor_do_construct]:2321 nilfs_segctor_collect
NILFS [nilfs_lookup_dirty_data_buffers]:782 bh->b_count 2, bh->b_page ffffea000709b000, page->index 0, i_ino 1033103, i_size 25165824
NILFS [nilfs_lookup_dirty_data_buffers]:783 bh->b_assoc_buffers.next ffff880219277e80, bh->b_assoc_buffers.prev ffff880221cffc88
NILFS [nilfs_segctor_do_construct]:2367 nilfs_segctor_update_segusage
NILFS [nilfs_segctor_do_construct]:2371 nilfs_segctor_prepare_write
NILFS [nilfs_segctor_do_construct]:2376 nilfs_add_checksums_on_logs
NILFS [nilfs_segctor_do_construct]:2381 nilfs_segctor_write
NILFS [nilfs_segbuf_submit_bh]:575 bh->b_count 2, bh->b_page ffffea000709b000, page->index 0, i_ino 1033103, i_size 25165824
NILFS [nilfs_segbuf_submit_bh]:576 segbuf->sb_segnum 6785
NILFS [nilfs_segbuf_submit_bh]:577 bh->b_assoc_buffers.next ffff880218a0d5f8, bh->b_assoc_buffers.prev ffff880222cc7ee8
NILFS [nilfs_segbuf_submit_bio]:464 bio->bi_sector 111165440, segbuf->sb_segnum 6785, segbuf->sb_nbio 0
[----------] ditto
NILFS [nilfs_segbuf_submit_bio]:464 bio->bi_sector 111177728, segbuf->sb_segnum 6785, segbuf->sb_nbio 12
NILFS [nilfs_segctor_do_construct]:2399 nilfs_segctor_wait
NILFS [nilfs_segbuf_wait]:676 segbuf->sb_segnum 6783
NILFS [nilfs_segbuf_wait]:676 segbuf->sb_segnum 6784
NILFS [nilfs_segbuf_wait]:676 segbuf->sb_segnum 6785
NILFS [nilfs_segctor_complete_write]:2100 bh->b_count 0, bh->b_blocknr 13895680, bh->b_size 13897727, bh->b_page 0000000000001a82
BUG: unable to handle kernel paging request at 0000000000001a82
IP: [<ffffffffa024d0f2>] nilfs_end_page_io+0x12/0xd0 [nilfs2]
Usually, for every segment we collect dirty files in list. Then, dirty
blocks are gathered for every dirty file, prepared for write and
submitted by means of nilfs_segbuf_submit_bh() call. Finally, it takes
place complete write phase after calling nilfs_end_bio_write() on the
block layer. Buffers/pages are marked as not dirty on final phase and
processed files removed from the list of dirty files.
It is possible to see that we had three prepare_write and submit_bio
phases before segbuf_wait and complete_write phase. Moreover, segments
compete between each other for dirty blocks because on every iteration
of segments processing dirty buffer_heads are added in several lists of
payload_buffers:
[SEGMENT 6784]: bh->b_assoc_buffers.next ffff880218a0d5f8, bh->b_assoc_buffers.prev ffff880218bcdf50
[SEGMENT 6785]: bh->b_assoc_buffers.next ffff880218a0d5f8, bh->b_assoc_buffers.prev ffff880222cc7ee8
The next pointer is the same but prev pointer has changed. It means
that buffer_head has next pointer from one list but prev pointer from
another. Such modification can be made several times. And, finally, it
can be resulted in various issues: (1) segctor hanging, (2) segctor
crashing, (3) file system metadata corruption.
FIX:
This patch adds:
(1) setting of BH_Async_Write flag in nilfs_segctor_prepare_write()
for every proccessed dirty block;
(2) checking of BH_Async_Write flag in
nilfs_lookup_dirty_data_buffers() and
nilfs_lookup_dirty_node_buffers();
(3) clearing of BH_Async_Write flag in nilfs_segctor_complete_write(),
nilfs_abort_logs(), nilfs_forget_buffer(), nilfs_clear_dirty_page().
Reported-by: Jerome Poulin <jeromepoulin@gmail.com>
Reported-by: Anton Eliasson <devel@antoneliasson.se>
Cc: Paul Fertser <fercerpav@gmail.com>
Cc: ARAI Shun-ichi <hermes@ceres.dti.ne.jp>
Cc: Piotr Szymaniak <szarpaj@grubelek.pl>
Cc: Juan Barry Manuel Canham <Linux@riotingpacifist.net>
Cc: Zahid Chowdhury <zahid.chowdhury@starsolutions.com>
Cc: Elmer Zhang <freeboy6716@gmail.com>
Cc: Kenneth Langga <klangga@gmail.com>
Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ luis: backported to 3.5:
- nilfs_clear_dirty_page() has not been separated from
nilfs_clear_dirty_pages() ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
fs/nilfs2/page.c | 2 ++
fs/nilfs2/segment.c | 11 +++++++++--
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/fs/nilfs2/page.c b/fs/nilfs2/page.c
index 3e7b2a0..f45b83f 100644
--- a/fs/nilfs2/page.c
+++ b/fs/nilfs2/page.c
@@ -94,6 +94,7 @@ void nilfs_forget_buffer(struct buffer_head *bh)
clear_buffer_nilfs_volatile(bh);
clear_buffer_nilfs_checked(bh);
clear_buffer_nilfs_redirected(bh);
+ clear_buffer_async_write(bh);
clear_buffer_dirty(bh);
if (nilfs_page_buffers_clean(page))
__nilfs_clear_page_dirty(page);
@@ -390,6 +391,7 @@ void nilfs_clear_dirty_pages(struct address_space *mapping)
bh = head = page_buffers(page);
do {
lock_buffer(bh);
+ clear_buffer_async_write(bh);
clear_buffer_dirty(bh);
clear_buffer_nilfs_volatile(bh);
clear_buffer_nilfs_checked(bh);
diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c
index 88e11fb..8992b33 100644
--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -662,7 +662,7 @@ static size_t nilfs_lookup_dirty_data_buffers(struct inode *inode,
bh = head = page_buffers(page);
do {
- if (!buffer_dirty(bh))
+ if (!buffer_dirty(bh) || buffer_async_write(bh))
continue;
get_bh(bh);
list_add_tail(&bh->b_assoc_buffers, listp);
@@ -696,7 +696,8 @@ static void nilfs_lookup_dirty_node_buffers(struct inode *inode,
for (i = 0; i < pagevec_count(&pvec); i++) {
bh = head = page_buffers(pvec.pages[i]);
do {
- if (buffer_dirty(bh)) {
+ if (buffer_dirty(bh) &&
+ !buffer_async_write(bh)) {
get_bh(bh);
list_add_tail(&bh->b_assoc_buffers,
listp);
@@ -1576,6 +1577,7 @@ static void nilfs_segctor_prepare_write(struct nilfs_sc_info *sci)
list_for_each_entry(bh, &segbuf->sb_segsum_buffers,
b_assoc_buffers) {
+ set_buffer_async_write(bh);
if (bh->b_page != bd_page) {
if (bd_page) {
lock_page(bd_page);
@@ -1589,6 +1591,7 @@ static void nilfs_segctor_prepare_write(struct nilfs_sc_info *sci)
list_for_each_entry(bh, &segbuf->sb_payload_buffers,
b_assoc_buffers) {
+ set_buffer_async_write(bh);
if (bh == segbuf->sb_super_root) {
if (bh->b_page != bd_page) {
lock_page(bd_page);
@@ -1674,6 +1677,7 @@ static void nilfs_abort_logs(struct list_head *logs, int err)
list_for_each_entry(segbuf, logs, sb_list) {
list_for_each_entry(bh, &segbuf->sb_segsum_buffers,
b_assoc_buffers) {
+ clear_buffer_async_write(bh);
if (bh->b_page != bd_page) {
if (bd_page)
end_page_writeback(bd_page);
@@ -1683,6 +1687,7 @@ static void nilfs_abort_logs(struct list_head *logs, int err)
list_for_each_entry(bh, &segbuf->sb_payload_buffers,
b_assoc_buffers) {
+ clear_buffer_async_write(bh);
if (bh == segbuf->sb_super_root) {
if (bh->b_page != bd_page) {
end_page_writeback(bd_page);
@@ -1752,6 +1757,7 @@ static void nilfs_segctor_complete_write(struct nilfs_sc_info *sci)
b_assoc_buffers) {
set_buffer_uptodate(bh);
clear_buffer_dirty(bh);
+ clear_buffer_async_write(bh);
if (bh->b_page != bd_page) {
if (bd_page)
end_page_writeback(bd_page);
@@ -1773,6 +1779,7 @@ static void nilfs_segctor_complete_write(struct nilfs_sc_info *sci)
b_assoc_buffers) {
set_buffer_uptodate(bh);
clear_buffer_dirty(bh);
+ clear_buffer_async_write(bh);
clear_buffer_delay(bh);
clear_buffer_nilfs_volatile(bh);
clear_buffer_nilfs_redirected(bh);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 34/64] fuse: hotfix truncate_pagecache() issue
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (32 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 33/64] nilfs2: fix issue with race condition of competition between segments for dirty blocks Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 35/64] rt2800: fix wrong TX power compensation Luis Henriques
` (29 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Maxim Patlasov, Miklos Szeredi, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Patlasov <MPatlasov@parallels.com>
commit 06a7c3c2781409af95000c60a5df743fd4e2f8b4 upstream.
The way how fuse calls truncate_pagecache() from fuse_change_attributes()
is completely wrong. Because, w/o i_mutex held, we never sure whether
'oldsize' and 'attr->size' are valid by the time of execution of
truncate_pagecache(inode, oldsize, attr->size). In fact, as soon as we
released fc->lock in the middle of fuse_change_attributes(), we completely
loose control of actions which may happen with given inode until we reach
truncate_pagecache. The list of potentially dangerous actions includes
mmap-ed reads and writes, ftruncate(2) and write(2) extending file size.
The typical outcome of doing truncate_pagecache() with outdated arguments
is data corruption from user point of view. This is (in some sense)
acceptable in cases when the issue is triggered by a change of the file on
the server (i.e. externally wrt fuse operation), but it is absolutely
intolerable in scenarios when a single fuse client modifies a file without
any external intervention. A real life case I discovered by fsx-linux
looked like this:
1. Shrinking ftruncate(2) comes to fuse_do_setattr(). The latter sends
FUSE_SETATTR to the server synchronously, but before getting fc->lock ...
2. fuse_dentry_revalidate() is asynchronously called. It sends FUSE_LOOKUP
to the server synchronously, then calls fuse_change_attributes(). The
latter updates i_size, releases fc->lock, but before comparing oldsize vs
attr->size..
3. fuse_do_setattr() from the first step proceeds by acquiring fc->lock and
updating attributes and i_size, but now oldsize is equal to
outarg.attr.size because i_size has just been updated (step 2). Hence,
fuse_do_setattr() returns w/o calling truncate_pagecache().
4. As soon as ftruncate(2) completes, the user extends file size by
write(2) making a hole in the middle of file, then reads data from the hole
either by read(2) or mmap-ed read. The user expects to get zero data from
the hole, but gets stale data because truncate_pagecache() is not executed
yet.
The scenario above illustrates one side of the problem: not truncating the
page cache even though we should. Another side corresponds to truncating
page cache too late, when the state of inode changed significantly.
Theoretically, the following is possible:
1. As in the previous scenario fuse_dentry_revalidate() discovered that
i_size changed (due to our own fuse_do_setattr()) and is going to call
truncate_pagecache() for some 'new_size' it believes valid right now. But
by the time that particular truncate_pagecache() is called ...
2. fuse_do_setattr() returns (either having called truncate_pagecache() or
not -- it doesn't matter).
3. The file is extended either by write(2) or ftruncate(2) or fallocate(2).
4. mmap-ed write makes a page in the extended region dirty.
The result will be the lost of data user wrote on the fourth step.
The patch is a hotfix resolving the issue in a simplistic way: let's skip
dangerous i_size update and truncate_pagecache if an operation changing
file size is in progress. This simplistic approach looks correct for the
cases w/o external changes. And to handle them properly, more sophisticated
and intrusive techniques (e.g. NFS-like one) would be required. I'd like to
postpone it until the issue is well discussed on the mailing list(s).
Changed in v2:
- improved patch description to cover both sides of the issue.
Signed-off-by: Maxim Patlasov <mpatlasov@parallels.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
[ luis: backported to 3.5, based on bwh's backport to 3.2:
- added state field to struct fuse_inode ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
fs/fuse/dir.c | 7 ++++++-
fs/fuse/file.c | 8 +++++++-
fs/fuse/fuse_i.h | 9 +++++++++
fs/fuse/inode.c | 4 +++-
4 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index b60cc5f..ac5b0b9 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1354,6 +1354,7 @@ static int fuse_do_setattr(struct dentry *entry, struct iattr *attr,
{
struct inode *inode = entry->d_inode;
struct fuse_conn *fc = get_fuse_conn(inode);
+ struct fuse_inode *fi = get_fuse_inode(inode);
struct fuse_req *req;
struct fuse_setattr_in inarg;
struct fuse_attr_out outarg;
@@ -1384,8 +1385,10 @@ static int fuse_do_setattr(struct dentry *entry, struct iattr *attr,
if (IS_ERR(req))
return PTR_ERR(req);
- if (is_truncate)
+ if (is_truncate) {
fuse_set_nowrite(inode);
+ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
+ }
memset(&inarg, 0, sizeof(inarg));
memset(&outarg, 0, sizeof(outarg));
@@ -1447,12 +1450,14 @@ static int fuse_do_setattr(struct dentry *entry, struct iattr *attr,
invalidate_inode_pages2(inode->i_mapping);
}
+ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
return 0;
error:
if (is_truncate)
fuse_release_nowrite(inode);
+ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
return err;
}
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index e7785e4..9cc2f91 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -515,7 +515,8 @@ static void fuse_read_update_size(struct inode *inode, loff_t size,
struct fuse_inode *fi = get_fuse_inode(inode);
spin_lock(&fc->lock);
- if (attr_ver == fi->attr_version && size < inode->i_size) {
+ if (attr_ver == fi->attr_version && size < inode->i_size &&
+ !test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) {
fi->attr_version = ++fc->attr_version;
i_size_write(inode, size);
}
@@ -877,12 +878,16 @@ static ssize_t fuse_perform_write(struct file *file,
{
struct inode *inode = mapping->host;
struct fuse_conn *fc = get_fuse_conn(inode);
+ struct fuse_inode *fi = get_fuse_inode(inode);
int err = 0;
ssize_t res = 0;
if (is_bad_inode(inode))
return -EIO;
+ if (inode->i_size < pos + iov_iter_count(ii))
+ set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
+
do {
struct fuse_req *req;
ssize_t count;
@@ -917,6 +922,7 @@ static ssize_t fuse_perform_write(struct file *file,
if (res > 0)
fuse_write_update_size(inode, pos);
+ clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
fuse_invalidate_attr(inode);
return res > 0 ? res : err;
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index 771fb63..1f63d49 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -103,6 +103,15 @@ struct fuse_inode {
/** List of writepage requestst (pending or sent) */
struct list_head writepages;
+
+ /** Miscellaneous bits describing inode state */
+ unsigned long state;
+};
+
+/** FUSE inode state bits */
+enum {
+ /** An operation changing file size is in progress */
+ FUSE_I_SIZE_UNSTABLE,
};
struct fuse_conn;
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 1cd6165..bca4e62 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -92,6 +92,7 @@ static struct inode *fuse_alloc_inode(struct super_block *sb)
fi->attr_version = 0;
fi->writectr = 0;
fi->orig_ino = 0;
+ fi->state = 0;
INIT_LIST_HEAD(&fi->write_files);
INIT_LIST_HEAD(&fi->queued_writes);
INIT_LIST_HEAD(&fi->writepages);
@@ -199,7 +200,8 @@ void fuse_change_attributes(struct inode *inode, struct fuse_attr *attr,
loff_t oldsize;
spin_lock(&fc->lock);
- if (attr_version != 0 && fi->attr_version > attr_version) {
+ if ((attr_version != 0 && fi->attr_version > attr_version) ||
+ test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) {
spin_unlock(&fc->lock);
return;
}
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 35/64] rt2800: fix wrong TX power compensation
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (33 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 34/64] fuse: hotfix truncate_pagecache() issue Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 36/64] [media] sh_vou: almost forever loop in sh_vou_try_fmt_vid_out() Luis Henriques
` (28 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Stanislaw Gruszka, John W. Linville, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <sgruszka@redhat.com>
commit 6e956da2027c767859128b9bfef085cf2a8e233b upstream.
We should not do temperature compensation on devices without
EXTERNAL_TX_ALC bit set (called DynamicTxAgcControl on vendor driver).
Such devices can have totally bogus TSSI parameters on the EEPROM,
but still threaded by us as valid and result doing wrong TX power
calculations.
This fix inability to connect to AP on slightly longer distance on
some Ralink chips/devices.
Reported-and-tested-by: Fabien ADAM <id2ndr@crocobox.org>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
[ luis: backported to 3.5:
- use rt2x00_eeprom_read() instead of rt2800_eeprom_read() ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/net/wireless/rt2x00/rt2800lib.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c
index 1c60904..b81f2b6 100644
--- a/drivers/net/wireless/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/rt2x00/rt2800lib.c
@@ -2181,6 +2181,13 @@ static int rt2800_get_gain_calibration_delta(struct rt2x00_dev *rt2x00dev)
int i;
/*
+ * First check if temperature compensation is supported.
+ */
+ rt2x00_eeprom_read(rt2x00dev, EEPROM_NIC_CONF1, &eeprom);
+ if (!rt2x00_get_field16(eeprom, EEPROM_NIC_CONF1_EXTERNAL_TX_ALC))
+ return 0;
+
+ /*
* Read TSSI boundaries for temperature compensation from
* the EEPROM.
*
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 36/64] [media] sh_vou: almost forever loop in sh_vou_try_fmt_vid_out()
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (34 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 35/64] rt2800: fix wrong TX power compensation Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 37/64] tcp: must unclone packets before mangling them Luis Henriques
` (27 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dan Carpenter, Guennadi Liakhovetski, Mauro Carvalho Chehab,
Jonghwan Choi, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 47c32ec9392a1fc7dec9d7cfde084e1432fcee82 upstream.
The "i < " part of the "i < ARRAY_SIZE()" condition was missing.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
[g.liakhovetski@gmx.de: remove unrelated superfluous braces]
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Cc: Jonghwan Choi <jhbird.choi@gmail.com>
[ luis: backported to 3.5:
- file rename: drivers/media/platform/sh_vou.c ->
drivers/media/video/sh_vou.c ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/media/video/sh_vou.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/video/sh_vou.c b/drivers/media/video/sh_vou.c
index 8fd1874..1ca38b0 100644
--- a/drivers/media/video/sh_vou.c
+++ b/drivers/media/video/sh_vou.c
@@ -776,7 +776,7 @@ static int sh_vou_try_fmt_vid_out(struct file *file, void *priv,
v4l_bound_align_image(&pix->width, 0, VOU_MAX_IMAGE_WIDTH, 1,
&pix->height, 0, VOU_MAX_IMAGE_HEIGHT, 1, 0);
- for (i = 0; ARRAY_SIZE(vou_fmt); i++)
+ for (i = 0; i < ARRAY_SIZE(vou_fmt); i++)
if (vou_fmt[i].pfmt == pix->pixelformat)
return 0;
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 37/64] tcp: must unclone packets before mangling them
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (35 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 36/64] [media] sh_vou: almost forever loop in sh_vou_try_fmt_vid_out() Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 38/64] tcp: do not forget FIN in tcp_shifted_skb() Luis Henriques
` (26 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, Neal Cardwell, Yuchung Cheng, David S. Miller,
Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit c52e2421f7368fd36cbe330d2cf41b10452e39a9 upstream.
TCP stack should make sure it owns skbs before mangling them.
We had various crashes using bnx2x, and it turned out gso_size
was cleared right before bnx2x driver was populating TC descriptor
of the _previous_ packet send. TCP stack can sometime retransmit
packets that are still in Qdisc.
Of course we could make bnx2x driver more robust (using
ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack.
We have identified two points where skb_unclone() was needed.
This patch adds a WARN_ON_ONCE() to warn us if we missed another
fix of this kind.
Kudos to Neal for finding the root cause of this bug. Its visible
using small MSS.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ luis: backported to 3.5, using davem's port to 3.4:
- skb_unclone() function definition to include/linux/skbuff.h ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
include/linux/skbuff.h | 10 ++++++++++
net/ipv4/tcp_output.c | 9 ++++++---
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index e1c1e64..0ec4788 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -774,6 +774,16 @@ static inline int skb_cloned(const struct sk_buff *skb)
(atomic_read(&skb_shinfo(skb)->dataref) & SKB_DATAREF_MASK) != 1;
}
+static inline int skb_unclone(struct sk_buff *skb, gfp_t pri)
+{
+ might_sleep_if(pri & __GFP_WAIT);
+
+ if (skb_cloned(skb))
+ return pskb_expand_head(skb, 0, 0, pri);
+
+ return 0;
+}
+
/**
* skb_header_cloned - is the header a clone
* @skb: buffer to check
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 4a1e840..d06b130 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -934,6 +934,9 @@ static void tcp_queue_skb(struct sock *sk, struct sk_buff *skb)
static void tcp_set_skb_tso_segs(const struct sock *sk, struct sk_buff *skb,
unsigned int mss_now)
{
+ /* Make sure we own this skb before messing gso_size/gso_segs */
+ WARN_ON_ONCE(skb_cloned(skb));
+
if (skb->len <= mss_now || !sk_can_gso(sk) ||
skb->ip_summed == CHECKSUM_NONE) {
/* Avoid the costly divide in the normal
@@ -1015,9 +1018,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
if (nsize < 0)
nsize = 0;
- if (skb_cloned(skb) &&
- skb_is_nonlinear(skb) &&
- pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
+ if (skb_unclone(skb, GFP_ATOMIC))
return -ENOMEM;
/* Get a new skb... force flag on. */
@@ -2150,6 +2151,8 @@ int tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
int oldpcount = tcp_skb_pcount(skb);
if (unlikely(oldpcount > 1)) {
+ if (skb_unclone(skb, GFP_ATOMIC))
+ return -ENOMEM;
tcp_init_tso_segs(sk, skb, cur_mss);
tcp_adjust_pcount(sk, skb, oldpcount - tcp_skb_pcount(skb));
}
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 38/64] tcp: do not forget FIN in tcp_shifted_skb()
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (36 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 37/64] tcp: must unclone packets before mangling them Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 39/64] net: do not call sock_put() on TIMEWAIT sockets Luis Henriques
` (25 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, Yuchung Cheng, Ilpo Järvinen, David S. Miller,
Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 5e8a402f831dbe7ee831340a91439e46f0d38acd upstream.
Yuchung found following problem :
There are bugs in the SACK processing code, merging part in
tcp_shift_skb_data(), that incorrectly resets or ignores the sacked
skbs FIN flag. When a receiver first SACK the FIN sequence, and later
throw away ofo queue (e.g., sack-reneging), the sender will stop
retransmitting the FIN flag, and hangs forever.
Following packetdrill test can be used to reproduce the bug.
$ cat sack-merge-bug.pkt
`sysctl -q net.ipv4.tcp_fack=0`
// Establish a connection and send 10 MSS.
0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+.000 bind(3, ..., ...) = 0
+.000 listen(3, 1) = 0
+.050 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 7>
+.000 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 6>
+.001 < . 1:1(0) ack 1 win 1024
+.000 accept(3, ..., ...) = 4
+.100 write(4, ..., 12000) = 12000
+.000 shutdown(4, SHUT_WR) = 0
+.000 > . 1:10001(10000) ack 1
+.050 < . 1:1(0) ack 2001 win 257
+.000 > FP. 10001:12001(2000) ack 1
+.050 < . 1:1(0) ack 2001 win 257 <sack 10001:11001,nop,nop>
+.050 < . 1:1(0) ack 2001 win 257 <sack 10001:12002,nop,nop>
// SACK reneg
+.050 < . 1:1(0) ack 12001 win 257
+0 %{ print "unacked: ",tcpi_unacked }%
+5 %{ print "" }%
First, a typo inverted left/right of one OR operation, then
code forgot to advance end_seq if the merged skb carried FIN.
Bug was added in 2.6.29 by commit 832d11c5cd076ab
("tcp: Try to restore large SKBs while SACK processing")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Acked-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
net/ipv4/tcp_input.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 3d5ffe0..a6acd36 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1475,7 +1475,10 @@ static bool tcp_shifted_skb(struct sock *sk, struct sk_buff *skb,
tp->lost_cnt_hint -= tcp_skb_pcount(prev);
}
- TCP_SKB_CB(skb)->tcp_flags |= TCP_SKB_CB(prev)->tcp_flags;
+ TCP_SKB_CB(prev)->tcp_flags |= TCP_SKB_CB(skb)->tcp_flags;
+ if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
+ TCP_SKB_CB(prev)->end_seq++;
+
if (skb == tcp_highest_sack(sk))
tcp_advance_highest_sack(sk, skb);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 39/64] net: do not call sock_put() on TIMEWAIT sockets
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (37 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 38/64] tcp: do not forget FIN in tcp_shifted_skb() Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 40/64] net: mv643xx_eth: update statistics timer from timer context only Luis Henriques
` (24 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 80ad1d61e72d626e30ebe8529a0455e660ca4693 upstream.
commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU /
hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets.
We should instead use inet_twsk_put()
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
net/ipv4/inet_hashtables.c | 2 +-
net/ipv6/inet6_hashtables.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 7880af9..ffd0f56 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -268,7 +268,7 @@ begintw:
}
if (unlikely(!INET_TW_MATCH(sk, net, hash, acookie,
saddr, daddr, ports, dif))) {
- sock_put(sk);
+ inet_twsk_put(inet_twsk(sk));
goto begintw;
}
goto out;
diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
index 73f1a00..e38290b 100644
--- a/net/ipv6/inet6_hashtables.c
+++ b/net/ipv6/inet6_hashtables.c
@@ -110,7 +110,7 @@ begintw:
goto out;
}
if (!INET6_TW_MATCH(sk, net, hash, saddr, daddr, ports, dif)) {
- sock_put(sk);
+ inet_twsk_put(inet_twsk(sk));
goto begintw;
}
goto out;
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 40/64] net: mv643xx_eth: update statistics timer from timer context only
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (38 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 39/64] net: do not call sock_put() on TIMEWAIT sockets Luis Henriques
@ 2013-10-28 14:47 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 41/64] net: mv643xx_eth: fix orphaned statistics timer crash Luis Henriques
` (23 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:47 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Sebastian Hesselbarth, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
commit 041b4ddb84989f06ff1df0ca869b950f1ee3cb1c upstream.
Each port driver installs a periodic timer to update port statistics
by calling mib_counters_update. As mib_counters_update is also called
from non-timer context, we should not reschedule the timer there but
rather move it to timer-only context.
Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/net/ethernet/marvell/mv643xx_eth.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c
index 7197e0f..ae50dd6 100644
--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
+++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
@@ -1273,15 +1273,13 @@ static void mib_counters_update(struct mv643xx_eth_private *mp)
p->rx_discard += rdlp(mp, RX_DISCARD_FRAME_CNT);
p->rx_overrun += rdlp(mp, RX_OVERRUN_FRAME_CNT);
spin_unlock_bh(&mp->mib_counters_lock);
-
- mod_timer(&mp->mib_counters_timer, jiffies + 30 * HZ);
}
static void mib_counters_timer_wrapper(unsigned long _mp)
{
struct mv643xx_eth_private *mp = (void *)_mp;
-
mib_counters_update(mp);
+ mod_timer(&mp->mib_counters_timer, jiffies + 30 * HZ);
}
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 41/64] net: mv643xx_eth: fix orphaned statistics timer crash
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (39 preceding siblings ...)
2013-10-28 14:47 ` [PATCH 3.5 40/64] net: mv643xx_eth: update statistics timer from timer context only Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 42/64] net: heap overflow in __audit_sockaddr() Luis Henriques
` (22 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Sebastian Hesselbarth, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
commit f564412c935111c583b787bcc18157377b208e2e upstream.
The periodic statistics timer gets started at port _probe() time, but
is stopped on _stop() only. In a modular environment, this can cause
the timer to access already deallocated memory, if the module is unloaded
without starting the eth device. To fix this, we add the timer right
before the port is started, instead of at _probe() time.
Signed-off-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Acked-by: Jason Cooper <jason@lakedaemon.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/net/ethernet/marvell/mv643xx_eth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c
index ae50dd6..02b03b5 100644
--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
+++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
@@ -2366,6 +2366,7 @@ static int mv643xx_eth_open(struct net_device *dev)
mp->int_mask |= INT_TX_END_0 << i;
}
+ add_timer(&mp->mib_counters_timer);
port_start(mp);
wrlp(mp, INT_MASK_EXT, INT_EXT_LINK_PHY | INT_EXT_TX);
@@ -2913,7 +2914,6 @@ static int mv643xx_eth_probe(struct platform_device *pdev)
mp->mib_counters_timer.data = (unsigned long)mp;
mp->mib_counters_timer.function = mib_counters_timer_wrapper;
mp->mib_counters_timer.expires = jiffies + 30 * HZ;
- add_timer(&mp->mib_counters_timer);
spin_lock_init(&mp->mib_counters_lock);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 42/64] net: heap overflow in __audit_sockaddr()
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (40 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 41/64] net: mv643xx_eth: fix orphaned statistics timer crash Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 43/64] proc connector: fix info leaks Luis Henriques
` (21 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dan Carpenter, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 1661bf364ae9c506bc8795fef70d1532931be1e8 upstream.
We need to cap ->msg_namelen or it leads to a buffer overflow when we
to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to
exploit this bug.
The call tree is:
___sys_recvmsg()
move_addr_to_user()
audit_sockaddr()
__audit_sockaddr()
Reported-by: Jüri Aedla <juri.aedla@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
net/compat.c | 2 ++
net/socket.c | 24 ++++++++++++++++++++----
2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/net/compat.c b/net/compat.c
index 9c816e8..707f5ba 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -71,6 +71,8 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg)
__get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
__get_user(kmsg->msg_flags, &umsg->msg_flags))
return -EFAULT;
+ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+ return -EINVAL;
kmsg->msg_name = compat_ptr(tmp1);
kmsg->msg_iov = compat_ptr(tmp2);
kmsg->msg_control = compat_ptr(tmp3);
diff --git a/net/socket.c b/net/socket.c
index cd51a03..c9b6b90 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1898,6 +1898,16 @@ struct used_address {
unsigned int name_len;
};
+static int copy_msghdr_from_user(struct msghdr *kmsg,
+ struct msghdr __user *umsg)
+{
+ if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
+ return -EFAULT;
+ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+ return -EINVAL;
+ return 0;
+}
+
static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
struct msghdr *msg_sys, unsigned int flags,
struct used_address *used_address)
@@ -1916,8 +1926,11 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
if (MSG_CMSG_COMPAT & flags) {
if (get_compat_msghdr(msg_sys, msg_compat))
return -EFAULT;
- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
- return -EFAULT;
+ } else {
+ err = copy_msghdr_from_user(msg_sys, msg);
+ if (err)
+ return err;
+ }
if (msg_sys->msg_iovlen > UIO_FASTIOV) {
err = -EMSGSIZE;
@@ -2125,8 +2138,11 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
if (MSG_CMSG_COMPAT & flags) {
if (get_compat_msghdr(msg_sys, msg_compat))
return -EFAULT;
- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
- return -EFAULT;
+ } else {
+ err = copy_msghdr_from_user(msg_sys, msg);
+ if (err)
+ return err;
+ }
if (msg_sys->msg_iovlen > UIO_FASTIOV) {
err = -EMSGSIZE;
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 43/64] proc connector: fix info leaks
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (41 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 42/64] net: heap overflow in __audit_sockaddr() Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 44/64] ipv4: fix ineffective source address selection Luis Henriques
` (20 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mathias Krause, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@googlemail.com>
commit e727ca82e0e9616ab4844301e6bae60ca7327682 upstream.
Initialize event_data for all possible message types to prevent leaking
kernel stack contents to userland (up to 20 bytes). Also set the flags
member of the connector message to 0 to prevent leaking two more stack
bytes this way.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ luis: backported to 3.5, using davem's port to 3.4:
- adjusted context
- dropped changes to proc_coredump_connector() ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/connector/cn_proc.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
index 9d90e8c..7ab4b1d 100644
--- a/drivers/connector/cn_proc.c
+++ b/drivers/connector/cn_proc.c
@@ -64,6 +64,7 @@ void proc_fork_connector(struct task_struct *task)
msg = (struct cn_msg*)buffer;
ev = (struct proc_event*)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
get_seq(&msg->seq, &ev->cpu);
ktime_get_ts(&ts); /* get high res monotonic timestamp */
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
@@ -79,6 +80,7 @@ void proc_fork_connector(struct task_struct *task)
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
msg->ack = 0; /* not used */
msg->len = sizeof(*ev);
+ msg->flags = 0; /* not used */
/* If cn_netlink_send() failed, the data is not sent */
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
}
@@ -95,6 +97,7 @@ void proc_exec_connector(struct task_struct *task)
msg = (struct cn_msg*)buffer;
ev = (struct proc_event*)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
get_seq(&msg->seq, &ev->cpu);
ktime_get_ts(&ts); /* get high res monotonic timestamp */
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
@@ -105,6 +108,7 @@ void proc_exec_connector(struct task_struct *task)
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
msg->ack = 0; /* not used */
msg->len = sizeof(*ev);
+ msg->flags = 0; /* not used */
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
}
@@ -121,6 +125,7 @@ void proc_id_connector(struct task_struct *task, int which_id)
msg = (struct cn_msg*)buffer;
ev = (struct proc_event*)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
ev->what = which_id;
ev->event_data.id.process_pid = task->pid;
ev->event_data.id.process_tgid = task->tgid;
@@ -144,6 +149,7 @@ void proc_id_connector(struct task_struct *task, int which_id)
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
msg->ack = 0; /* not used */
msg->len = sizeof(*ev);
+ msg->flags = 0; /* not used */
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
}
@@ -159,6 +165,7 @@ void proc_sid_connector(struct task_struct *task)
msg = (struct cn_msg *)buffer;
ev = (struct proc_event *)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
get_seq(&msg->seq, &ev->cpu);
ktime_get_ts(&ts); /* get high res monotonic timestamp */
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
@@ -169,6 +176,7 @@ void proc_sid_connector(struct task_struct *task)
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
msg->ack = 0; /* not used */
msg->len = sizeof(*ev);
+ msg->flags = 0; /* not used */
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
}
@@ -184,6 +192,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id)
msg = (struct cn_msg *)buffer;
ev = (struct proc_event *)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
get_seq(&msg->seq, &ev->cpu);
ktime_get_ts(&ts); /* get high res monotonic timestamp */
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
@@ -202,6 +211,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id)
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
msg->ack = 0; /* not used */
msg->len = sizeof(*ev);
+ msg->flags = 0; /* not used */
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
}
@@ -217,6 +227,7 @@ void proc_comm_connector(struct task_struct *task)
msg = (struct cn_msg *)buffer;
ev = (struct proc_event *)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
get_seq(&msg->seq, &ev->cpu);
ktime_get_ts(&ts); /* get high res monotonic timestamp */
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
@@ -228,6 +239,7 @@ void proc_comm_connector(struct task_struct *task)
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
msg->ack = 0; /* not used */
msg->len = sizeof(*ev);
+ msg->flags = 0; /* not used */
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
}
@@ -243,6 +255,7 @@ void proc_exit_connector(struct task_struct *task)
msg = (struct cn_msg*)buffer;
ev = (struct proc_event*)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
get_seq(&msg->seq, &ev->cpu);
ktime_get_ts(&ts); /* get high res monotonic timestamp */
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
@@ -255,6 +268,7 @@ void proc_exit_connector(struct task_struct *task)
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
msg->ack = 0; /* not used */
msg->len = sizeof(*ev);
+ msg->flags = 0; /* not used */
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
}
@@ -278,6 +292,7 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack)
msg = (struct cn_msg*)buffer;
ev = (struct proc_event*)msg->data;
+ memset(&ev->event_data, 0, sizeof(ev->event_data));
msg->seq = rcvd_seq;
ktime_get_ts(&ts); /* get high res monotonic timestamp */
put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns);
@@ -287,6 +302,7 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack)
memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id));
msg->ack = rcvd_ack + 1;
msg->len = sizeof(*ev);
+ msg->flags = 0; /* not used */
cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL);
}
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 44/64] ipv4: fix ineffective source address selection
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (42 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 43/64] proc connector: fix info leaks Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 45/64] can: dev: fix nlmsg size calculation in can_get_size() Luis Henriques
` (19 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jiri Benc, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Benc <jbenc@redhat.com>
commit 0a7e22609067ff524fc7bbd45c6951dd08561667 upstream.
When sending out multicast messages, the source address in inet->mc_addr is
ignored and rewritten by an autoselected one. This is caused by a typo in
commit 813b3b5db831 ("ipv4: Use caller's on-stack flowi as-is in output
route lookups").
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
net/ipv4/route.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 98b30d0..8707417 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2707,7 +2707,7 @@ static struct rtable *ip_route_output_slow(struct net *net, struct flowi4 *fl4)
RT_SCOPE_LINK);
goto make_route;
}
- if (fl4->saddr) {
+ if (!fl4->saddr) {
if (ipv4_is_multicast(fl4->daddr))
fl4->saddr = inet_select_addr(dev_out, 0,
fl4->flowi4_scope);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 45/64] can: dev: fix nlmsg size calculation in can_get_size()
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (43 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 44/64] ipv4: fix ineffective source address selection Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 46/64] ipv6: restrict neighbor entry creation to output flow Luis Henriques
` (18 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Marc Kleine-Budde, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit fe119a05f8ca481623a8d02efcc984332e612528 upstream.
This patch fixes the calculation of the nlmsg size, by adding the missing
nla_total_size().
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/net/can/dev.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
index 4972609..ffda218 100644
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -665,14 +665,14 @@ static size_t can_get_size(const struct net_device *dev)
size_t size;
size = nla_total_size(sizeof(u32)); /* IFLA_CAN_STATE */
- size += sizeof(struct can_ctrlmode); /* IFLA_CAN_CTRLMODE */
+ size += nla_total_size(sizeof(struct can_ctrlmode)); /* IFLA_CAN_CTRLMODE */
size += nla_total_size(sizeof(u32)); /* IFLA_CAN_RESTART_MS */
- size += sizeof(struct can_bittiming); /* IFLA_CAN_BITTIMING */
- size += sizeof(struct can_clock); /* IFLA_CAN_CLOCK */
+ size += nla_total_size(sizeof(struct can_bittiming)); /* IFLA_CAN_BITTIMING */
+ size += nla_total_size(sizeof(struct can_clock)); /* IFLA_CAN_CLOCK */
if (priv->do_get_berr_counter) /* IFLA_CAN_BERR_COUNTER */
- size += sizeof(struct can_berr_counter);
+ size += nla_total_size(sizeof(struct can_berr_counter));
if (priv->bittiming_const) /* IFLA_CAN_BITTIMING_CONST */
- size += sizeof(struct can_bittiming_const);
+ size += nla_total_size(sizeof(struct can_bittiming_const));
return size;
}
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 46/64] ipv6: restrict neighbor entry creation to output flow
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (44 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 45/64] can: dev: fix nlmsg size calculation in can_get_size() Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 47/64] bridge: Correctly clamp MAX forward_delay when enabling STP Luis Henriques
` (17 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Marcelo Ricardo Leitner, Jiri Pirko, Hannes Frederic Sowa,
Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcelo Ricardo Leitner <mleitner@redhat.com>
This patch is based on 3.2.y branch, the one used by reporter. Please let me
know if it should be different. Thanks.
The patch which introduced the regression was applied on stables:
3.0.64 3.4.31 3.7.8 3.2.39
The patch which introduced the regression was for stable trees only.
---8<---
Commit 0d6a77079c475033cb622c07c5a880b392ef664e "ipv6: do not create
neighbor entries for local delivery" introduced a regression on
which routes to local delivery would not work anymore. Like this:
$ ip -6 route add local 2001::/64 dev lo
$ ping6 -c1 2001::9
PING 2001::9(2001::9) 56 data bytes
ping: sendmsg: Invalid argument
As this is a local delivery, that commit would not allow the creation of a
neighbor entry and thus the packet cannot be sent.
But as TPROXY scenario actually needs to avoid the neighbor entry creation only
for input flow, this patch now limits previous patch to input flow, keeping
output as before that patch.
Reported-by: Debabrata Banerjee <dbavatar@gmail.com>
Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
CC: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
net/ipv6/route.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 8253206..9659bd9 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -818,7 +818,7 @@ static struct rt6_info *rt6_alloc_clone(struct rt6_info *ort,
}
static struct rt6_info *ip6_pol_route(struct net *net, struct fib6_table *table, int oif,
- struct flowi6 *fl6, int flags)
+ struct flowi6 *fl6, int flags, bool input)
{
struct fib6_node *fn;
struct rt6_info *rt, *nrt;
@@ -826,8 +826,11 @@ static struct rt6_info *ip6_pol_route(struct net *net, struct fib6_table *table,
int attempts = 3;
int err;
int reachable = net->ipv6.devconf_all->forwarding ? 0 : RT6_LOOKUP_F_REACHABLE;
+ int local = RTF_NONEXTHOP;
strict |= flags & RT6_LOOKUP_F_IFACE;
+ if (input)
+ local |= RTF_LOCAL;
relookup:
read_lock_bh(&table->tb6_lock);
@@ -847,7 +850,7 @@ restart:
read_unlock_bh(&table->tb6_lock);
if (!dst_get_neighbour_noref_raw(&rt->dst) &&
- !(rt->rt6i_flags & (RTF_NONEXTHOP | RTF_LOCAL)))
+ !(rt->rt6i_flags & local))
nrt = rt6_alloc_cow(rt, &fl6->daddr, &fl6->saddr);
else if (!(rt->dst.flags & DST_HOST))
nrt = rt6_alloc_clone(rt, &fl6->daddr);
@@ -891,7 +894,7 @@ out2:
static struct rt6_info *ip6_pol_route_input(struct net *net, struct fib6_table *table,
struct flowi6 *fl6, int flags)
{
- return ip6_pol_route(net, table, fl6->flowi6_iif, fl6, flags);
+ return ip6_pol_route(net, table, fl6->flowi6_iif, fl6, flags, true);
}
static struct dst_entry *ip6_route_input_lookup(struct net *net,
@@ -924,7 +927,7 @@ void ip6_route_input(struct sk_buff *skb)
static struct rt6_info *ip6_pol_route_output(struct net *net, struct fib6_table *table,
struct flowi6 *fl6, int flags)
{
- return ip6_pol_route(net, table, fl6->flowi6_oif, fl6, flags);
+ return ip6_pol_route(net, table, fl6->flowi6_oif, fl6, flags, false);
}
struct dst_entry * ip6_route_output(struct net *net, const struct sock *sk,
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 47/64] bridge: Correctly clamp MAX forward_delay when enabling STP
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (45 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 46/64] ipv6: restrict neighbor entry creation to output flow Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 48/64] net: vlan: fix nlmsg size calculation in vlan_get_size() Luis Henriques
` (16 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Herbert Xu, Stephen Hemminger, Vlad Yasevich, David S. Miller,
Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Vlad Yasevich <vyasevic@redhat.com>
commit 4b6c7879d84ad06a2ac5b964808ed599187a188d upstream.
Commit be4f154d5ef0ca147ab6bcd38857a774133f5450
bridge: Clamp forward_delay when enabling STP
had a typo when attempting to clamp maximum forward delay.
It is possible to set bridge_forward_delay to be higher then
permitted maximum when STP is off. When turning STP on, the
higher then allowed delay has to be clamed down to max value.
CC: Herbert Xu <herbert@gondor.apana.org.au>
CC: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Reviewed-by: Veaceslav Falico <vfalico@redhat.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
net/bridge/br_stp_if.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index 7ba2ed5..5bb38cd 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -134,7 +134,7 @@ static void br_stp_start(struct net_bridge *br)
if (br->bridge_forward_delay < BR_MIN_FORWARD_DELAY)
__br_set_forward_delay(br, BR_MIN_FORWARD_DELAY);
- else if (br->bridge_forward_delay < BR_MAX_FORWARD_DELAY)
+ else if (br->bridge_forward_delay > BR_MAX_FORWARD_DELAY)
__br_set_forward_delay(br, BR_MAX_FORWARD_DELAY);
if (r == 0) {
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 48/64] net: vlan: fix nlmsg size calculation in vlan_get_size()
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (46 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 47/64] bridge: Correctly clamp MAX forward_delay when enabling STP Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 49/64] l2tp: must disable bh before calling l2tp_xmit_skb() Luis Henriques
` (15 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Patrick McHardy, Marc Kleine-Budde, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit c33a39c575068c2ea9bffb22fd6de2df19c74b89 upstream.
This patch fixes the calculation of the nlmsg size, by adding the missing
nla_total_size().
Cc: Patrick McHardy <kaber@trash.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
net/8021q/vlan_netlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c
index 708c80e..ebde030 100644
--- a/net/8021q/vlan_netlink.c
+++ b/net/8021q/vlan_netlink.c
@@ -152,7 +152,7 @@ static size_t vlan_get_size(const struct net_device *dev)
struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
return nla_total_size(2) + /* IFLA_VLAN_ID */
- sizeof(struct ifla_vlan_flags) + /* IFLA_VLAN_FLAGS */
+ nla_total_size(sizeof(struct ifla_vlan_flags)) + /* IFLA_VLAN_FLAGS */
vlan_qos_map_size(vlan->nr_ingress_mappings) +
vlan_qos_map_size(vlan->nr_egress_mappings);
}
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 49/64] l2tp: must disable bh before calling l2tp_xmit_skb()
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (47 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 48/64] net: vlan: fix nlmsg size calculation in vlan_get_size() Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 50/64] farsync: fix info leak in ioctl Luis Henriques
` (14 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, James Chapman, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 455cc32bf128e114455d11ad919321ab89a2c312 upstream.
François Cachereul made a very nice bug report and suspected
the bh_lock_sock() / bh_unlok_sock() pair used in l2tp_xmit_skb() from
process context was not good.
This problem was added by commit 6af88da14ee284aaad6e4326da09a89191ab6165
("l2tp: Fix locking in l2tp_core.c").
l2tp_eth_dev_xmit() runs from BH context, so we must disable BH
from other l2tp_xmit_skb() users.
[ 452.060011] BUG: soft lockup - CPU#1 stuck for 23s! [accel-pppd:6662]
[ 452.061757] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppoe pppox
ppp_generic slhc ipv6 ext3 mbcache jbd virtio_balloon xfs exportfs dm_mod
virtio_blk ata_generic virtio_net floppy ata_piix libata virtio_pci virtio_ring virtio [last unloaded: scsi_wait_scan]
[ 452.064012] CPU 1
[ 452.080015] BUG: soft lockup - CPU#2 stuck for 23s! [accel-pppd:6643]
[ 452.080015] CPU 2
[ 452.080015]
[ 452.080015] Pid: 6643, comm: accel-pppd Not tainted 3.2.46.mini #1 Bochs Bochs
[ 452.080015] RIP: 0010:[<ffffffff81059f6c>] [<ffffffff81059f6c>] do_raw_spin_lock+0x17/0x1f
[ 452.080015] RSP: 0018:ffff88007125fc18 EFLAGS: 00000293
[ 452.080015] RAX: 000000000000aba9 RBX: ffffffff811d0703 RCX: 0000000000000000
[ 452.080015] RDX: 00000000000000ab RSI: ffff8800711f6896 RDI: ffff8800745c8110
[ 452.080015] RBP: ffff88007125fc18 R08: 0000000000000020 R09: 0000000000000000
[ 452.080015] R10: 0000000000000000 R11: 0000000000000280 R12: 0000000000000286
[ 452.080015] R13: 0000000000000020 R14: 0000000000000240 R15: 0000000000000000
[ 452.080015] FS: 00007fdc0cc24700(0000) GS:ffff8800b6f00000(0000) knlGS:0000000000000000
[ 452.080015] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 452.080015] CR2: 00007fdb054899b8 CR3: 0000000074404000 CR4: 00000000000006a0
[ 452.080015] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 452.080015] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 452.080015] Process accel-pppd (pid: 6643, threadinfo ffff88007125e000, task ffff8800b27e6dd0)
[ 452.080015] Stack:
[ 452.080015] ffff88007125fc28 ffffffff81256559 ffff88007125fc98 ffffffffa01b2bd1
[ 452.080015] ffff88007125fc58 000000000000000c 00000000029490d0 0000009c71dbe25e
[ 452.080015] 000000000000005c 000000080000000e 0000000000000000 ffff880071170600
[ 452.080015] Call Trace:
[ 452.080015] [<ffffffff81256559>] _raw_spin_lock+0xe/0x10
[ 452.080015] [<ffffffffa01b2bd1>] l2tp_xmit_skb+0x189/0x4ac [l2tp_core]
[ 452.080015] [<ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp]
[ 452.080015] [<ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24
[ 452.080015] [<ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6
[ 452.080015] [<ffffffff81254e88>] ? __schedule+0x5c1/0x616
[ 452.080015] [<ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c
[ 452.080015] [<ffffffff810bbd21>] ? fget_light+0x75/0x89
[ 452.080015] [<ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56
[ 452.080015] [<ffffffff811c9b34>] sys_sendto+0x10c/0x13b
[ 452.080015] [<ffffffff8125cac2>] system_call_fastpath+0x16/0x1b
[ 452.080015] Code: 81 48 89 e5 72 0c 31 c0 48 81 ff 45 66 25 81 0f 92 c0 5d c3 55 b8 00 01 00 00 48 89 e5 f0 66 0f c1 07 0f b6 d4 38 d0 74 06 f3 90 <8a> 07 eb f6 5d c3 90 90 55 48 89 e5 9c 58 0f 1f 44 00 00 5d c3
[ 452.080015] Call Trace:
[ 452.080015] [<ffffffff81256559>] _raw_spin_lock+0xe/0x10
[ 452.080015] [<ffffffffa01b2bd1>] l2tp_xmit_skb+0x189/0x4ac [l2tp_core]
[ 452.080015] [<ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp]
[ 452.080015] [<ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24
[ 452.080015] [<ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6
[ 452.080015] [<ffffffff81254e88>] ? __schedule+0x5c1/0x616
[ 452.080015] [<ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c
[ 452.080015] [<ffffffff810bbd21>] ? fget_light+0x75/0x89
[ 452.080015] [<ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56
[ 452.080015] [<ffffffff811c9b34>] sys_sendto+0x10c/0x13b
[ 452.080015] [<ffffffff8125cac2>] system_call_fastpath+0x16/0x1b
[ 452.064012]
[ 452.064012] Pid: 6662, comm: accel-pppd Not tainted 3.2.46.mini #1 Bochs Bochs
[ 452.064012] RIP: 0010:[<ffffffff81059f6e>] [<ffffffff81059f6e>] do_raw_spin_lock+0x19/0x1f
[ 452.064012] RSP: 0018:ffff8800b6e83ba0 EFLAGS: 00000297
[ 452.064012] RAX: 000000000000aaa9 RBX: ffff8800b6e83b40 RCX: 0000000000000002
[ 452.064012] RDX: 00000000000000aa RSI: 000000000000000a RDI: ffff8800745c8110
[ 452.064012] RBP: ffff8800b6e83ba0 R08: 000000000000c802 R09: 000000000000001c
[ 452.064012] R10: ffff880071096c4e R11: 0000000000000006 R12: ffff8800b6e83b18
[ 452.064012] R13: ffffffff8125d51e R14: ffff8800b6e83ba0 R15: ffff880072a589c0
[ 452.064012] FS: 00007fdc0b81e700(0000) GS:ffff8800b6e80000(0000) knlGS:0000000000000000
[ 452.064012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 452.064012] CR2: 0000000000625208 CR3: 0000000074404000 CR4: 00000000000006a0
[ 452.064012] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 452.064012] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 452.064012] Process accel-pppd (pid: 6662, threadinfo ffff88007129a000, task ffff8800744f7410)
[ 452.064012] Stack:
[ 452.064012] ffff8800b6e83bb0 ffffffff81256559 ffff8800b6e83bc0 ffffffff8121c64a
[ 452.064012] ffff8800b6e83bf0 ffffffff8121ec7a ffff880072a589c0 ffff880071096c62
[ 452.064012] 0000000000000011 ffffffff81430024 ffff8800b6e83c80 ffffffff8121f276
[ 452.064012] Call Trace:
[ 452.064012] <IRQ>
[ 452.064012] [<ffffffff81256559>] _raw_spin_lock+0xe/0x10
[ 452.064012] [<ffffffff8121c64a>] spin_lock+0x9/0xb
[ 452.064012] [<ffffffff8121ec7a>] udp_queue_rcv_skb+0x186/0x269
[ 452.064012] [<ffffffff8121f276>] __udp4_lib_rcv+0x297/0x4ae
[ 452.064012] [<ffffffff8121c178>] ? raw_rcv+0xe9/0xf0
[ 452.064012] [<ffffffff8121f4a7>] udp_rcv+0x1a/0x1c
[ 452.064012] [<ffffffff811fe385>] ip_local_deliver_finish+0x12b/0x1a5
[ 452.064012] [<ffffffff811fe54e>] ip_local_deliver+0x53/0x84
[ 452.064012] [<ffffffff811fe1d0>] ip_rcv_finish+0x2bc/0x2f3
[ 452.064012] [<ffffffff811fe78f>] ip_rcv+0x210/0x269
[ 452.064012] [<ffffffff8101911e>] ? kvm_clock_get_cycles+0x9/0xb
[ 452.064012] [<ffffffff811d88cd>] __netif_receive_skb+0x3a5/0x3f7
[ 452.064012] [<ffffffff811d8eba>] netif_receive_skb+0x57/0x5e
[ 452.064012] [<ffffffff811cf30f>] ? __netdev_alloc_skb+0x1f/0x3b
[ 452.064012] [<ffffffffa0049126>] virtnet_poll+0x4ba/0x5a4 [virtio_net]
[ 452.064012] [<ffffffff811d9417>] net_rx_action+0x73/0x184
[ 452.064012] [<ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core]
[ 452.064012] [<ffffffff810343b9>] __do_softirq+0xc3/0x1a8
[ 452.064012] [<ffffffff81013b56>] ? ack_APIC_irq+0x10/0x12
[ 452.064012] [<ffffffff81256559>] ? _raw_spin_lock+0xe/0x10
[ 452.064012] [<ffffffff8125e0ac>] call_softirq+0x1c/0x26
[ 452.064012] [<ffffffff81003587>] do_softirq+0x45/0x82
[ 452.064012] [<ffffffff81034667>] irq_exit+0x42/0x9c
[ 452.064012] [<ffffffff8125e146>] do_IRQ+0x8e/0xa5
[ 452.064012] [<ffffffff8125676e>] common_interrupt+0x6e/0x6e
[ 452.064012] <EOI>
[ 452.064012] [<ffffffff810b82a1>] ? kfree+0x8a/0xa3
[ 452.064012] [<ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core]
[ 452.064012] [<ffffffffa01b2c25>] ? l2tp_xmit_skb+0x1dd/0x4ac [l2tp_core]
[ 452.064012] [<ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp]
[ 452.064012] [<ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24
[ 452.064012] [<ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6
[ 452.064012] [<ffffffff81254e88>] ? __schedule+0x5c1/0x616
[ 452.064012] [<ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c
[ 452.064012] [<ffffffff810bbd21>] ? fget_light+0x75/0x89
[ 452.064012] [<ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56
[ 452.064012] [<ffffffff811c9b34>] sys_sendto+0x10c/0x13b
[ 452.064012] [<ffffffff8125cac2>] system_call_fastpath+0x16/0x1b
[ 452.064012] Code: 89 e5 72 0c 31 c0 48 81 ff 45 66 25 81 0f 92 c0 5d c3 55 b8 00 01 00 00 48 89 e5 f0 66 0f c1 07 0f b6 d4 38 d0 74 06 f3 90 8a 07 <eb> f6 5d c3 90 90 55 48 89 e5 9c 58 0f 1f 44 00 00 5d c3 55 48
[ 452.064012] Call Trace:
[ 452.064012] <IRQ> [<ffffffff81256559>] _raw_spin_lock+0xe/0x10
[ 452.064012] [<ffffffff8121c64a>] spin_lock+0x9/0xb
[ 452.064012] [<ffffffff8121ec7a>] udp_queue_rcv_skb+0x186/0x269
[ 452.064012] [<ffffffff8121f276>] __udp4_lib_rcv+0x297/0x4ae
[ 452.064012] [<ffffffff8121c178>] ? raw_rcv+0xe9/0xf0
[ 452.064012] [<ffffffff8121f4a7>] udp_rcv+0x1a/0x1c
[ 452.064012] [<ffffffff811fe385>] ip_local_deliver_finish+0x12b/0x1a5
[ 452.064012] [<ffffffff811fe54e>] ip_local_deliver+0x53/0x84
[ 452.064012] [<ffffffff811fe1d0>] ip_rcv_finish+0x2bc/0x2f3
[ 452.064012] [<ffffffff811fe78f>] ip_rcv+0x210/0x269
[ 452.064012] [<ffffffff8101911e>] ? kvm_clock_get_cycles+0x9/0xb
[ 452.064012] [<ffffffff811d88cd>] __netif_receive_skb+0x3a5/0x3f7
[ 452.064012] [<ffffffff811d8eba>] netif_receive_skb+0x57/0x5e
[ 452.064012] [<ffffffff811cf30f>] ? __netdev_alloc_skb+0x1f/0x3b
[ 452.064012] [<ffffffffa0049126>] virtnet_poll+0x4ba/0x5a4 [virtio_net]
[ 452.064012] [<ffffffff811d9417>] net_rx_action+0x73/0x184
[ 452.064012] [<ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core]
[ 452.064012] [<ffffffff810343b9>] __do_softirq+0xc3/0x1a8
[ 452.064012] [<ffffffff81013b56>] ? ack_APIC_irq+0x10/0x12
[ 452.064012] [<ffffffff81256559>] ? _raw_spin_lock+0xe/0x10
[ 452.064012] [<ffffffff8125e0ac>] call_softirq+0x1c/0x26
[ 452.064012] [<ffffffff81003587>] do_softirq+0x45/0x82
[ 452.064012] [<ffffffff81034667>] irq_exit+0x42/0x9c
[ 452.064012] [<ffffffff8125e146>] do_IRQ+0x8e/0xa5
[ 452.064012] [<ffffffff8125676e>] common_interrupt+0x6e/0x6e
[ 452.064012] <EOI> [<ffffffff810b82a1>] ? kfree+0x8a/0xa3
[ 452.064012] [<ffffffffa01b2cc2>] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core]
[ 452.064012] [<ffffffffa01b2c25>] ? l2tp_xmit_skb+0x1dd/0x4ac [l2tp_core]
[ 452.064012] [<ffffffffa01c2d36>] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp]
[ 452.064012] [<ffffffff811c7872>] __sock_sendmsg_nosec+0x22/0x24
[ 452.064012] [<ffffffff811c83bd>] sock_sendmsg+0xa1/0xb6
[ 452.064012] [<ffffffff81254e88>] ? __schedule+0x5c1/0x616
[ 452.064012] [<ffffffff8103c7c6>] ? __dequeue_signal+0xb7/0x10c
[ 452.064012] [<ffffffff810bbd21>] ? fget_light+0x75/0x89
[ 452.064012] [<ffffffff811c8444>] ? sockfd_lookup_light+0x20/0x56
[ 452.064012] [<ffffffff811c9b34>] sys_sendto+0x10c/0x13b
[ 452.064012] [<ffffffff8125cac2>] system_call_fastpath+0x16/0x1b
Reported-by: François Cachereul <f.cachereul@alphalink.fr>
Tested-by: François Cachereul <f.cachereul@alphalink.fr>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
net/l2tp/l2tp_ppp.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 286fec4..624cf33 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -352,7 +352,9 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh
goto error_put_sess_tun;
}
+ local_bh_disable();
l2tp_xmit_skb(session, skb, session->hdr_len);
+ local_bh_enable();
sock_put(ps->tunnel_sock);
sock_put(sk);
@@ -427,7 +429,9 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
skb->data[0] = ppph[0];
skb->data[1] = ppph[1];
+ local_bh_disable();
l2tp_xmit_skb(session, skb, session->hdr_len);
+ local_bh_enable();
sock_put(sk_tun);
sock_put(sk);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 50/64] farsync: fix info leak in ioctl
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (48 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 49/64] l2tp: must disable bh before calling l2tp_xmit_skb() Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 51/64] unix_diag: fix info leak Luis Henriques
` (13 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Dan Carpenter, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speiro@ai2.upv.es>
commit 96b340406724d87e4621284ebac5e059d67b2194 upstream.
The fst_get_iface() code fails to initialize the two padding bytes of
struct sync_serial_settings after the ->loopback member. Add an explicit
memset(0) before filling the structure to avoid the info leak.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/net/wan/farsync.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c
index 1a62318..3710427 100644
--- a/drivers/net/wan/farsync.c
+++ b/drivers/net/wan/farsync.c
@@ -1972,6 +1972,7 @@ fst_get_iface(struct fst_card_info *card, struct fst_port_info *port,
}
i = port->index;
+ memset(&sync, 0, sizeof(sync));
sync.clock_rate = FST_RDL(card, portConfig[i].lineSpeed);
/* Lucky card and linux use same encoding here */
sync.clock_type = FST_RDB(card, portConfig[i].internalClock) ==
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 51/64] unix_diag: fix info leak
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (49 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 50/64] farsync: fix info leak in ioctl Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 52/64] connector: use nlmsg_len() to check message length Luis Henriques
` (12 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mathias Krause, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@googlemail.com>
commit 6865d1e834be84ddd5808d93d5035b492346c64a upstream.
When filling the netlink message we miss to wipe the pad field,
therefore leak one byte of heap memory to userland. Fix this by
setting pad to 0.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
net/unix/diag.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/unix/diag.c b/net/unix/diag.c
index 47d3002..1b4d8fc 100644
--- a/net/unix/diag.c
+++ b/net/unix/diag.c
@@ -134,6 +134,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r
rep->udiag_family = AF_UNIX;
rep->udiag_type = sk->sk_type;
rep->udiag_state = sk->sk_state;
+ rep->pad = 0;
rep->udiag_ino = sk_ino;
sock_diag_save_cookie(sk, rep->udiag_cookie);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 52/64] connector: use nlmsg_len() to check message length
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (50 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 51/64] unix_diag: fix info leak Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 53/64] bnx2x: record rx queue for LRO packets Luis Henriques
` (11 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mathias Krause, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Krause <minipli@googlemail.com>
commit 162b2bedc084d2d908a04c93383ba02348b648b0 upstream.
The current code tests the length of the whole netlink message to be
at least as long to fit a cn_msg. This is wrong as nlmsg_len includes
the length of the netlink message header. Use nlmsg_len() instead to
fix this "off-by-NLMSG_HDRLEN" size check.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/connector/connector.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
index dde6a0f..ea6efe8 100644
--- a/drivers/connector/connector.c
+++ b/drivers/connector/connector.c
@@ -157,17 +157,18 @@ static int cn_call_callback(struct sk_buff *skb)
static void cn_rx_skb(struct sk_buff *__skb)
{
struct nlmsghdr *nlh;
- int err;
struct sk_buff *skb;
+ int len, err;
skb = skb_get(__skb);
if (skb->len >= NLMSG_SPACE(0)) {
nlh = nlmsg_hdr(skb);
+ len = nlmsg_len(nlh);
- if (nlh->nlmsg_len < sizeof(struct cn_msg) ||
+ if (len < (int)sizeof(struct cn_msg) ||
skb->len < nlh->nlmsg_len ||
- nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) {
+ len > CONNECTOR_MAX_MSG_SIZE) {
kfree_skb(skb);
return;
}
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 53/64] bnx2x: record rx queue for LRO packets
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (51 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 52/64] connector: use nlmsg_len() to check message length Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 54/64] net: dst: provide accessor function to dst->xfrm Luis Henriques
` (10 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Eric Dumazet, Willem de Bruijn, Eilon Greenstein,
David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 60e66fee56b2256dcb1dc2ea1b2ddcb6e273857d upstream.
RPS support is kind of broken on bnx2x, because only non LRO packets
get proper rx queue information. This triggers reorders, as it seems
bnx2x like to generate a non LRO packet for segment including TCP PUSH
flag : (this might be pure coincidence, but all the reorders I've
seen involve segments with a PUSH)
11:13:34.335847 IP A > B: . 415808:447136(31328) ack 1 win 457 <nop,nop,timestamp 3789336 3985797>
11:13:34.335992 IP A > B: . 447136:448560(1424) ack 1 win 457 <nop,nop,timestamp 3789336 3985797>
11:13:34.336391 IP A > B: . 448560:479888(31328) ack 1 win 457 <nop,nop,timestamp 3789337 3985797>
11:13:34.336425 IP A > B: P 511216:512640(1424) ack 1 win 457 <nop,nop,timestamp 3789337 3985798>
11:13:34.336423 IP A > B: . 479888:511216(31328) ack 1 win 457 <nop,nop,timestamp 3789337 3985798>
11:13:34.336924 IP A > B: . 512640:543968(31328) ack 1 win 457 <nop,nop,timestamp 3789337 3985798>
11:13:34.336963 IP A > B: . 543968:575296(31328) ack 1 win 457 <nop,nop,timestamp 3789337 3985798>
We must call skb_record_rx_queue() to properly give to RPS (and more
generally for TX queue selection on forward path) the receive queue
information.
Similar fix is needed for skb_mark_napi_id(), but will be handled
in a separate patch to ease stable backports.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Cc: Eilon Greenstein <eilong@broadcom.com>
Acked-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ luis: backported to 3.5, using davem's port to 3.4:
- adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
index 2364f66..27c2843 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
@@ -566,6 +566,7 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
skb, cqe, cqe_idx)) {
if (tpa_info->parsing_flags & PARSING_FLAGS_VLAN)
__vlan_hwaccel_put_tag(skb, tpa_info->vlan_tag);
+ skb_record_rx_queue(skb, fp->rx_queue);
napi_gro_receive(&fp->napi, skb);
} else {
DP(NETIF_MSG_RX_STATUS,
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 54/64] net: dst: provide accessor function to dst->xfrm
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (52 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 53/64] bnx2x: record rx queue for LRO packets Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 55/64] sctp: Use software crc32 checksum when xfrm transform will happen Luis Henriques
` (9 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Vlad Yasevich, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Vlad Yasevich <vyasevich@gmail.com>
commit e87b3998d795123b4139bc3f25490dd236f68212 upstream.
dst->xfrm is conditionally defined. Provide accessor funtion that
is always available.
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
include/net/dst.h | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/include/net/dst.h b/include/net/dst.h
index 8197ead..1efe71a 100644
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -464,10 +464,22 @@ static inline struct dst_entry *xfrm_lookup(struct net *net,
{
return dst_orig;
}
+
+static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst)
+{
+ return NULL;
+}
+
#else
extern struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
const struct flowi *fl, struct sock *sk,
int flags);
+
+/* skb attached with this dst needs transformation if dst->xfrm is valid */
+static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst)
+{
+ return dst->xfrm;
+}
#endif
#endif /* _NET_DST_H */
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 55/64] sctp: Use software crc32 checksum when xfrm transform will happen.
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (53 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 54/64] net: dst: provide accessor function to dst->xfrm Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 56/64] sctp: Perform software checksum if packet has to be fragmented Luis Henriques
` (8 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Neil Horman, Steffen Klassert, Fan Du, Vlad Yasevich,
David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Fan Du <fan.du@windriver.com>
commit 27127a82561a2a3ed955ce207048e1b066a80a2a upstream.
igb/ixgbe have hardware sctp checksum support, when this feature is enabled
and also IPsec is armed to protect sctp traffic, ugly things happened as
xfrm_output checks CHECKSUM_PARTIAL to do checksum operation(sum every thing
up and pack the 16bits result in the checksum field). The result is fail
establishment of sctp communication.
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Fan Du <fan.du@windriver.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
net/sctp/output.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/sctp/output.c b/net/sctp/output.c
index 83dddb9..a80b310 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -523,7 +523,8 @@ int sctp_packet_transmit(struct sctp_packet *packet)
* by CRC32-C as described in <draft-ietf-tsvwg-sctpcsum-02.txt>.
*/
if (!sctp_checksum_disable) {
- if (!(dst->dev->features & NETIF_F_SCTP_CSUM)) {
+ if (!(dst->dev->features & NETIF_F_SCTP_CSUM) ||
+ (dst_xfrm(dst) != NULL)) {
__u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len);
/* 3) Put the resultant value into the checksum field in the
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 56/64] sctp: Perform software checksum if packet has to be fragmented.
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (54 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 55/64] sctp: Use software crc32 checksum when xfrm transform will happen Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 57/64] wanxl: fix info leak in ioctl Luis Henriques
` (7 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Fan Du, Vlad Yasevich, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Vlad Yasevich <vyasevich@gmail.com>
commit d2dbbba77e95dff4b4f901fee236fef6d9552072 upstream.
IP/IPv6 fragmentation knows how to compute only TCP/UDP checksum.
This causes problems if SCTP packets has to be fragmented and
ipsummed has been set to PARTIAL due to checksum offload support.
This condition can happen when retransmitting after MTU discover,
or when INIT or other control chunks are larger then MTU.
Check for the rare fragmentation condition in SCTP and use software
checksum calculation in this case.
CC: Fan Du <fan.du@windriver.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
net/sctp/output.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/output.c b/net/sctp/output.c
index a80b310..a1e2a9b 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -524,7 +524,7 @@ int sctp_packet_transmit(struct sctp_packet *packet)
*/
if (!sctp_checksum_disable) {
if (!(dst->dev->features & NETIF_F_SCTP_CSUM) ||
- (dst_xfrm(dst) != NULL)) {
+ (dst_xfrm(dst) != NULL) || packet->ipfragok) {
__u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len);
/* 3) Put the resultant value into the checksum field in the
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 57/64] wanxl: fix info leak in ioctl
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (55 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 56/64] sctp: Perform software checksum if packet has to be fragmented Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 58/64] net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race Luis Henriques
` (6 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Salva Peiró, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speiro@ai2.upv.es>
commit 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1 upstream.
The wanxl_ioctl() code fails to initialize the two padding bytes of
struct sync_serial_settings after the ->loopback member. Add an explicit
memset(0) before filling the structure to avoid the info leak.
Signed-off-by: Salva Peiró <speiro@ai2.upv.es>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/net/wan/wanxl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wan/wanxl.c b/drivers/net/wan/wanxl.c
index feb7541..ccd496b 100644
--- a/drivers/net/wan/wanxl.c
+++ b/drivers/net/wan/wanxl.c
@@ -355,6 +355,7 @@ static int wanxl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
ifr->ifr_settings.size = size; /* data size wanted */
return -ENOBUFS;
}
+ memset(&line, 0, sizeof(line));
line.clock_type = get_status(port)->clocking;
line.clock_rate = 0;
line.loopback = 0;
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 58/64] net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (56 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 57/64] wanxl: fix info leak in ioctl Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 59/64] net: fix cipso packet validation when !NETLABEL Luis Henriques
` (5 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Daniel Borkmann, Eric Dumazet, Eric W. Biederman,
David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <dborkman@redhat.com>
commit 90c6bd34f884cd9cee21f1d152baf6c18bcac949 upstream.
In the case of credentials passing in unix stream sockets (dgram
sockets seem not affected), we get a rather sparse race after
commit 16e5726 ("af_unix: dont send SCM_CREDENTIALS by default").
We have a stream server on receiver side that requests credential
passing from senders (e.g. nc -U). Since we need to set SO_PASSCRED
on each spawned/accepted socket on server side to 1 first (as it's
not inherited), it can happen that in the time between accept() and
setsockopt() we get interrupted, the sender is being scheduled and
continues with passing data to our receiver. At that time SO_PASSCRED
is neither set on sender nor receiver side, hence in cmsg's
SCM_CREDENTIALS we get eventually pid:0, uid:65534, gid:65534
(== overflow{u,g}id) instead of what we actually would like to see.
On the sender side, here nc -U, the tests in maybe_add_creds()
invoked through unix_stream_sendmsg() would fail, as at that exact
time, as mentioned, the sender has neither SO_PASSCRED on his side
nor sees it on the server side, and we have a valid 'other' socket
in place. Thus, sender believes it would just look like a normal
connection, not needing/requesting SO_PASSCRED at that time.
As reverting 16e5726 would not be an option due to the significant
performance regression reported when having creds always passed,
one way/trade-off to prevent that would be to set SO_PASSCRED on
the listener socket and allow inheriting these flags to the spawned
socket on server side in accept(). It seems also logical to do so
if we'd tell the listener socket to pass those flags onwards, and
would fix the race.
Before, strace:
recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"blub\n", 4096}],
msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET,
cmsg_type=SCM_CREDENTIALS{pid=0, uid=65534, gid=65534}},
msg_flags=0}, 0) = 5
After, strace:
recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"blub\n", 4096}],
msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET,
cmsg_type=SCM_CREDENTIALS{pid=11580, uid=1000, gid=1000}},
msg_flags=0}, 0) = 5
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
net/unix/af_unix.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index ce7db4b..2e67391 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1248,6 +1248,15 @@ static int unix_socketpair(struct socket *socka, struct socket *sockb)
return 0;
}
+static void unix_sock_inherit_flags(const struct socket *old,
+ struct socket *new)
+{
+ if (test_bit(SOCK_PASSCRED, &old->flags))
+ set_bit(SOCK_PASSCRED, &new->flags);
+ if (test_bit(SOCK_PASSSEC, &old->flags))
+ set_bit(SOCK_PASSSEC, &new->flags);
+}
+
static int unix_accept(struct socket *sock, struct socket *newsock, int flags)
{
struct sock *sk = sock->sk;
@@ -1282,6 +1291,7 @@ static int unix_accept(struct socket *sock, struct socket *newsock, int flags)
/* attach accepted sock to socket */
unix_state_lock(tsk);
newsock->state = SS_CONNECTED;
+ unix_sock_inherit_flags(sock, newsock);
sock_graft(tsk, newsock);
unix_state_unlock(tsk);
return 0;
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 59/64] net: fix cipso packet validation when !NETLABEL
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (57 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 58/64] net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 60/64] inet: fix possible memory corruption with UDP_CORK and UFO Luis Henriques
` (4 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Seif Mazareeb, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Seif Mazareeb <seif@marvell.com>
commit f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b upstream.
When CONFIG_NETLABEL is disabled, the cipso_v4_validate() function could loop
forever in the main loop if opt[opt_iter +1] == 0, this will causing a kernel
crash in an SMP system, since the CPU executing this function will
stall /not respond to IPIs.
This problem can be reproduced by running the IP Stack Integrity Checker
(http://isic.sourceforge.net) using the following command on a Linux machine
connected to DUT:
"icmpsic -s rand -d <DUT IP address> -r 123456"
wait (1-2 min)
Signed-off-by: Seif Mazareeb <seif@marvell.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
include/net/cipso_ipv4.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h
index a7a683e..a8c2ef6 100644
--- a/include/net/cipso_ipv4.h
+++ b/include/net/cipso_ipv4.h
@@ -290,6 +290,7 @@ static inline int cipso_v4_validate(const struct sk_buff *skb,
unsigned char err_offset = 0;
u8 opt_len = opt[1];
u8 opt_iter;
+ u8 tag_len;
if (opt_len < 8) {
err_offset = 1;
@@ -302,11 +303,12 @@ static inline int cipso_v4_validate(const struct sk_buff *skb,
}
for (opt_iter = 6; opt_iter < opt_len;) {
- if (opt[opt_iter + 1] > (opt_len - opt_iter)) {
+ tag_len = opt[opt_iter + 1];
+ if ((tag_len == 0) || (opt[opt_iter + 1] > (opt_len - opt_iter))) {
err_offset = opt_iter + 1;
goto out;
}
- opt_iter += opt[opt_iter + 1];
+ opt_iter += tag_len;
}
out:
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 60/64] inet: fix possible memory corruption with UDP_CORK and UFO
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (58 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 59/64] net: fix cipso packet validation when !NETLABEL Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 61/64] davinci_emac.c: Fix IFF_ALLMULTI setup Luis Henriques
` (3 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Jiri Pirko, Eric Dumazet, David Miller, Hannes Frederic Sowa,
Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
[ This is a simplified -stable version of a set of upstream commits. ]
This is a replacement patch only for stable which does fix the problems
handled by the following two commits in -net:
"ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9)
"ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b)
Three frames are written on a corked udp socket for which the output
netdevice has UFO enabled. If the first and third frame are smaller than
the mtu and the second one is bigger, we enqueue the second frame with
skb_append_datato_frags without initializing the gso fields. This leads
to the third frame appended regulary and thus constructing an invalid skb.
This fixes the problem by always using skb_append_datato_frags as soon
as the first frag got enqueued to the skb without marking the packet
as SKB_GSO_UDP.
The problem with only two frames for ipv6 was fixed by "ipv6: udp
packets following an UFO enqueued packet need also be handled by UFO"
(2811ebac2521ceac84f2bdae402455baa6a7fb47).
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
include/linux/skbuff.h | 5 +++++
net/ipv4/ip_output.c | 2 +-
net/ipv6/ip6_output.c | 2 +-
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 0ec4788..160f3ea 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -1226,6 +1226,11 @@ static inline int skb_pagelen(const struct sk_buff *skb)
return len + skb_headlen(skb);
}
+static inline bool skb_has_frags(const struct sk_buff *skb)
+{
+ return skb_shinfo(skb)->nr_frags;
+}
+
/**
* __skb_fill_page_desc - initialise a paged fragment in an skb
* @skb: buffer containing fragment to be initialised
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 7ee32c6..ed8270f 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -846,7 +846,7 @@ static int __ip_append_data(struct sock *sk,
csummode = CHECKSUM_PARTIAL;
cork->length += length;
- if (((length > mtu) || (skb && skb_is_gso(skb))) &&
+ if (((length > mtu) || (skb && skb_has_frags(skb))) &&
(sk->sk_protocol == IPPROTO_UDP) &&
(rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) {
err = ip_ufo_append_data(sk, queue, getfrag, from, length,
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index d00f1ad..01cf1cd 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1351,7 +1351,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
skb = skb_peek_tail(&sk->sk_write_queue);
cork->length += length;
if (((length > mtu) ||
- (skb && skb_is_gso(skb))) &&
+ (skb && skb_has_frags(skb))) &&
(sk->sk_protocol == IPPROTO_UDP) &&
(rt->dst.dev->features & NETIF_F_UFO)) {
err = ip6_ufo_append_data(sk, getfrag, from, length,
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 61/64] davinci_emac.c: Fix IFF_ALLMULTI setup
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (59 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 60/64] inet: fix possible memory corruption with UDP_CORK and UFO Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 62/64] can: flexcan: fix flexcan_chip_start() on imx6 Luis Henriques
` (2 subsequent siblings)
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Mariusz Ceier, David S. Miller, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Mariusz Ceier <mceier+kernel@gmail.com>
commit d69e0f7ea95fef8059251325a79c004bac01f018 upstream.
When IFF_ALLMULTI flag is set on interface and IFF_PROMISC isn't,
emac_dev_mcast_set should only enable RX of multicasts and reset
MACHASH registers.
It does this, but afterwards it either sets up multicast MACs
filtering or disables RX of multicasts and resets MACHASH registers
again, rendering IFF_ALLMULTI flag useless.
This patch fixes emac_dev_mcast_set, so that multicast MACs filtering and
disabling of RX of multicasts are skipped when IFF_ALLMULTI flag is set.
Tested with kernel 2.6.37.
Signed-off-by: Mariusz Ceier <mceier+kernel@gmail.com>
Acked-by: Mugunthan V N <mugunthanvnm@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/net/ethernet/ti/davinci_emac.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c
index 762464e..e6911ee 100644
--- a/drivers/net/ethernet/ti/davinci_emac.c
+++ b/drivers/net/ethernet/ti/davinci_emac.c
@@ -876,8 +876,7 @@ static void emac_dev_mcast_set(struct net_device *ndev)
netdev_mc_count(ndev) > EMAC_DEF_MAX_MULTICAST_ADDRESSES) {
mbp_enable = (mbp_enable | EMAC_MBP_RXMCAST);
emac_add_mcast(priv, EMAC_ALL_MULTI_SET, NULL);
- }
- if (!netdev_mc_empty(ndev)) {
+ } else if (!netdev_mc_empty(ndev)) {
struct netdev_hw_addr *ha;
mbp_enable = (mbp_enable | EMAC_MBP_RXMCAST);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 62/64] can: flexcan: fix flexcan_chip_start() on imx6
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (60 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 61/64] davinci_emac.c: Fix IFF_ALLMULTI setup Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 63/64] can: flexcan: flexcan_chip_start: fix regression, mark one MB for TX and abort pending TX Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 64/64] PCI: fix truncation of resource size to 32 bits Luis Henriques
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team; +Cc: Marc Kleine-Budde, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit 0d1862ea1a5bb876cf05555a7307080cb75bf379 upstream.
In the flexcan_chip_start() function first the flexcan core is going through
the soft reset sequence, then the RX FIFO is enabled.
With the hardware is put into FIFO mode, message buffers 1...7 are reserved by
the FIFO engine. The remaining message buffers are in reset default values.
This patch removes the bogus initialization of the message buffers, as it
causes an imprecise external abort on imx6.
Reported-by: Lothar Waßmann <LW@KARO-electronics.de>
Tested-by: Lothar Waßmann <LW@KARO-electronics.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/net/can/flexcan.c | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
index 81d4741..6a51f5c 100644
--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -668,7 +668,6 @@ static int flexcan_chip_start(struct net_device *dev)
{
struct flexcan_priv *priv = netdev_priv(dev);
struct flexcan_regs __iomem *regs = priv->base;
- unsigned int i;
int err;
u32 reg_mcr, reg_ctrl;
@@ -734,17 +733,6 @@ static int flexcan_chip_start(struct net_device *dev)
netdev_dbg(dev, "%s: writing ctrl=0x%08x", __func__, reg_ctrl);
flexcan_write(reg_ctrl, ®s->ctrl);
- for (i = 0; i < ARRAY_SIZE(regs->cantxfg); i++) {
- flexcan_write(0, ®s->cantxfg[i].can_ctrl);
- flexcan_write(0, ®s->cantxfg[i].can_id);
- flexcan_write(0, ®s->cantxfg[i].data[0]);
- flexcan_write(0, ®s->cantxfg[i].data[1]);
-
- /* put MB into rx queue */
- flexcan_write(FLEXCAN_MB_CNT_CODE(0x4),
- ®s->cantxfg[i].can_ctrl);
- }
-
/* acceptance mask/acceptance code (accept everything) */
flexcan_write(0x0, ®s->rxgmask);
flexcan_write(0x0, ®s->rx14mask);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 63/64] can: flexcan: flexcan_chip_start: fix regression, mark one MB for TX and abort pending TX
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (61 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 62/64] can: flexcan: fix flexcan_chip_start() on imx6 Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 64/64] PCI: fix truncation of resource size to 32 bits Luis Henriques
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Lothar Waßmann, Marc Kleine-Budde, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit d5a7b406c529e4595ce03dc8f6dcf7fa36f106fa upstream.
In patch
0d1862e can: flexcan: fix flexcan_chip_start() on imx6
the loop in flexcan_chip_start() that iterates over all mailboxes after the
soft reset of the CAN core was removed. This loop put all mailboxes (even the
ones marked as reserved 1...7) into EMPTY/INACTIVE mode. On mailboxes 8...63,
this aborts any pending TX messages.
After a cold boot there is random garbage in the mailboxes, which leads to
spontaneous transmit of CAN frames during first activation. Further if the
interface was disabled with a pending message (usually due to an error
condition on the CAN bus), this message is retransmitted after enabling the
interface again.
This patch fixes the regression by:
1) Limiting the maximum number of used mailboxes to 8, 0...7 are used by the RX
FIFO, 8 is used by TX.
2) Marking the TX mailbox as EMPTY/INACTIVE, so that any pending TX of that
mailbox is aborted.
Cc: Lothar Waßmann <LW@KARO-electronics.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/net/can/flexcan.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
index 6a51f5c..2bf507b 100644
--- a/drivers/net/can/flexcan.c
+++ b/drivers/net/can/flexcan.c
@@ -61,7 +61,7 @@
#define FLEXCAN_MCR_BCC BIT(16)
#define FLEXCAN_MCR_LPRIO_EN BIT(13)
#define FLEXCAN_MCR_AEN BIT(12)
-#define FLEXCAN_MCR_MAXMB(x) ((x) & 0xf)
+#define FLEXCAN_MCR_MAXMB(x) ((x) & 0x1f)
#define FLEXCAN_MCR_IDAM_A (0 << 8)
#define FLEXCAN_MCR_IDAM_B (1 << 8)
#define FLEXCAN_MCR_IDAM_C (2 << 8)
@@ -701,9 +701,11 @@ static int flexcan_chip_start(struct net_device *dev)
*
*/
reg_mcr = flexcan_read(®s->mcr);
+ reg_mcr &= ~FLEXCAN_MCR_MAXMB(0xff);
reg_mcr |= FLEXCAN_MCR_FRZ | FLEXCAN_MCR_FEN | FLEXCAN_MCR_HALT |
FLEXCAN_MCR_SUPV | FLEXCAN_MCR_WRN_EN |
- FLEXCAN_MCR_IDAM_C | FLEXCAN_MCR_SRX_DIS;
+ FLEXCAN_MCR_IDAM_C | FLEXCAN_MCR_SRX_DIS |
+ FLEXCAN_MCR_MAXMB(FLEXCAN_TX_BUF_ID);
netdev_dbg(dev, "%s: writing mcr=0x%08x", __func__, reg_mcr);
flexcan_write(reg_mcr, ®s->mcr);
@@ -733,6 +735,10 @@ static int flexcan_chip_start(struct net_device *dev)
netdev_dbg(dev, "%s: writing ctrl=0x%08x", __func__, reg_ctrl);
flexcan_write(reg_ctrl, ®s->ctrl);
+ /* Abort any pending TX, mark Mailbox as INACTIVE */
+ flexcan_write(FLEXCAN_MB_CNT_CODE(0x4),
+ ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl);
+
/* acceptance mask/acceptance code (accept everything) */
flexcan_write(0x0, ®s->rxgmask);
flexcan_write(0x0, ®s->rx14mask);
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* [PATCH 3.5 64/64] PCI: fix truncation of resource size to 32 bits
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
` (62 preceding siblings ...)
2013-10-28 14:48 ` [PATCH 3.5 63/64] can: flexcan: flexcan_chip_start: fix regression, mark one MB for TX and abort pending TX Luis Henriques
@ 2013-10-28 14:48 ` Luis Henriques
63 siblings, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-28 14:48 UTC (permalink / raw)
To: linux-kernel, stable, kernel-team
Cc: Nikhil P Rao, Bjorn Helgaas, Jiri Slaby, Luis Henriques
3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikhil P Rao <nikhil.rao@intel.com>
commit d6776e6d5c2f8db0252f447b09736075e1bbe387 upstream.
_pci_assign_resource() took an int "size" argument, which meant that
sizes larger than 4GB were truncated. Change type to resource_size_t.
[bhelgaas: changelog]
Signed-off-by: Nikhil P Rao <nikhil.rao@intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
drivers/pci/setup-res.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/pci/setup-res.c b/drivers/pci/setup-res.c
index eea85da..be76eba 100644
--- a/drivers/pci/setup-res.c
+++ b/drivers/pci/setup-res.c
@@ -206,7 +206,8 @@ static int pci_revert_fw_address(struct resource *res, struct pci_dev *dev,
return ret;
}
-static int _pci_assign_resource(struct pci_dev *dev, int resno, int size, resource_size_t min_align)
+static int _pci_assign_resource(struct pci_dev *dev, int resno,
+ resource_size_t size, resource_size_t min_align)
{
struct resource *res = dev->resource + resno;
struct pci_bus *bus;
--
1.8.3.2
^ permalink raw reply related [flat|nested] 71+ messages in thread
* Re: [PATCH 3.5 29/64] fs: buffer: move allocation failure loop into the allocator
2013-10-28 14:47 ` [PATCH 3.5 29/64] fs: buffer: move allocation failure loop into the allocator Luis Henriques
@ 2013-10-31 14:00 ` Johannes Weiner
2013-10-31 14:25 ` Luis Henriques
2013-10-31 14:48 ` Jan Kara
0 siblings, 2 replies; 71+ messages in thread
From: Johannes Weiner @ 2013-10-31 14:00 UTC (permalink / raw)
To: Luis Henriques
Cc: linux-kernel, stable, kernel-team, Michal Hocko, Andrew Morton,
Linus Torvalds
This is part of a bigger series and was tagged for stable as a
reminder only. Please don't apply for now.
On Mon, Oct 28, 2013 at 02:47:48PM +0000, Luis Henriques wrote:
> 3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Johannes Weiner <hannes@cmpxchg.org>
>
> commit 84235de394d9775bfaa7fa9762a59d91fef0c1fc upstream.
>
> Buffer allocation has a very crude indefinite loop around waking the
> flusher threads and performing global NOFS direct reclaim because it can
> not handle allocation failures.
>
> The most immediate problem with this is that the allocation may fail due
> to a memory cgroup limit, where flushers + direct reclaim might not make
> any progress towards resolving the situation at all. Because unlike the
> global case, a memory cgroup may not have any cache at all, only
> anonymous pages but no swap. This situation will lead to a reclaim
> livelock with insane IO from waking the flushers and thrashing unrelated
> filesystem cache in a tight loop.
>
> Use __GFP_NOFAIL allocations for buffers for now. This makes sure that
> any looping happens in the page allocator, which knows how to
> orchestrate kswapd, direct reclaim, and the flushers sensibly. It also
> allows memory cgroups to detect allocations that can't handle failure
> and will allow them to ultimately bypass the limit if reclaim can not
> make progress.
>
> Reported-by: azurIt <azurit@pobox.sk>
> Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
> Cc: Michal Hocko <mhocko@suse.cz>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
> fs/buffer.c | 14 ++++++++++++--
> mm/memcontrol.c | 2 ++
> 2 files changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/fs/buffer.c b/fs/buffer.c
> index 2c78739..2675e5a 100644
> --- a/fs/buffer.c
> +++ b/fs/buffer.c
> @@ -957,9 +957,19 @@ grow_dev_page(struct block_device *bdev, sector_t block,
> struct buffer_head *bh;
> sector_t end_block;
> int ret = 0; /* Will call free_more_memory() */
> + gfp_t gfp_mask;
>
> - page = find_or_create_page(inode->i_mapping, index,
> - (mapping_gfp_mask(inode->i_mapping) & ~__GFP_FS)|__GFP_MOVABLE);
> + gfp_mask = mapping_gfp_mask(inode->i_mapping) & ~__GFP_FS;
> + gfp_mask |= __GFP_MOVABLE;
> + /*
> + * XXX: __getblk_slow() can not really deal with failure and
> + * will endlessly loop on improvised global reclaim. Prefer
> + * looping in the allocator rather than here, at least that
> + * code knows what it's doing.
> + */
> + gfp_mask |= __GFP_NOFAIL;
> +
> + page = find_or_create_page(inode->i_mapping, index, gfp_mask);
> if (!page)
> return ret;
>
> diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> index 226b63e..953bf3c 100644
> --- a/mm/memcontrol.c
> +++ b/mm/memcontrol.c
> @@ -2405,6 +2405,8 @@ done:
> return 0;
> nomem:
> *ptr = NULL;
> + if (gfp_mask & __GFP_NOFAIL)
> + return 0;
> return -ENOMEM;
> bypass:
> *ptr = root_mem_cgroup;
> --
> 1.8.3.2
>
^ permalink raw reply [flat|nested] 71+ messages in thread
* Re: [PATCH 3.5 29/64] fs: buffer: move allocation failure loop into the allocator
2013-10-31 14:00 ` Johannes Weiner
@ 2013-10-31 14:25 ` Luis Henriques
2013-10-31 14:48 ` Jan Kara
1 sibling, 0 replies; 71+ messages in thread
From: Luis Henriques @ 2013-10-31 14:25 UTC (permalink / raw)
To: Johannes Weiner
Cc: linux-kernel, stable, kernel-team, Michal Hocko, Andrew Morton,
Linus Torvalds
On Thu, Oct 31, 2013 at 10:00:08AM -0400, Johannes Weiner wrote:
> This is part of a bigger series and was tagged for stable as a
> reminder only. Please don't apply for now.
Grrr... I need to start cleaning my email inbox before doing a
release. I just saw the discussion in stable@.
I'll do an emergency release reverting this patch. Thanks for
catching this.
Cheers,
--
Luis
>
> On Mon, Oct 28, 2013 at 02:47:48PM +0000, Luis Henriques wrote:
> > 3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Johannes Weiner <hannes@cmpxchg.org>
> >
> > commit 84235de394d9775bfaa7fa9762a59d91fef0c1fc upstream.
> >
> > Buffer allocation has a very crude indefinite loop around waking the
> > flusher threads and performing global NOFS direct reclaim because it can
> > not handle allocation failures.
> >
> > The most immediate problem with this is that the allocation may fail due
> > to a memory cgroup limit, where flushers + direct reclaim might not make
> > any progress towards resolving the situation at all. Because unlike the
> > global case, a memory cgroup may not have any cache at all, only
> > anonymous pages but no swap. This situation will lead to a reclaim
> > livelock with insane IO from waking the flushers and thrashing unrelated
> > filesystem cache in a tight loop.
> >
> > Use __GFP_NOFAIL allocations for buffers for now. This makes sure that
> > any looping happens in the page allocator, which knows how to
> > orchestrate kswapd, direct reclaim, and the flushers sensibly. It also
> > allows memory cgroups to detect allocations that can't handle failure
> > and will allow them to ultimately bypass the limit if reclaim can not
> > make progress.
> >
> > Reported-by: azurIt <azurit@pobox.sk>
> > Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
> > Cc: Michal Hocko <mhocko@suse.cz>
> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> > Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> > ---
> > fs/buffer.c | 14 ++++++++++++--
> > mm/memcontrol.c | 2 ++
> > 2 files changed, 14 insertions(+), 2 deletions(-)
> >
> > diff --git a/fs/buffer.c b/fs/buffer.c
> > index 2c78739..2675e5a 100644
> > --- a/fs/buffer.c
> > +++ b/fs/buffer.c
> > @@ -957,9 +957,19 @@ grow_dev_page(struct block_device *bdev, sector_t block,
> > struct buffer_head *bh;
> > sector_t end_block;
> > int ret = 0; /* Will call free_more_memory() */
> > + gfp_t gfp_mask;
> >
> > - page = find_or_create_page(inode->i_mapping, index,
> > - (mapping_gfp_mask(inode->i_mapping) & ~__GFP_FS)|__GFP_MOVABLE);
> > + gfp_mask = mapping_gfp_mask(inode->i_mapping) & ~__GFP_FS;
> > + gfp_mask |= __GFP_MOVABLE;
> > + /*
> > + * XXX: __getblk_slow() can not really deal with failure and
> > + * will endlessly loop on improvised global reclaim. Prefer
> > + * looping in the allocator rather than here, at least that
> > + * code knows what it's doing.
> > + */
> > + gfp_mask |= __GFP_NOFAIL;
> > +
> > + page = find_or_create_page(inode->i_mapping, index, gfp_mask);
> > if (!page)
> > return ret;
> >
> > diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> > index 226b63e..953bf3c 100644
> > --- a/mm/memcontrol.c
> > +++ b/mm/memcontrol.c
> > @@ -2405,6 +2405,8 @@ done:
> > return 0;
> > nomem:
> > *ptr = NULL;
> > + if (gfp_mask & __GFP_NOFAIL)
> > + return 0;
> > return -ENOMEM;
> > bypass:
> > *ptr = root_mem_cgroup;
> > --
> > 1.8.3.2
> >
> --
> To unsubscribe from this list: send the line "unsubscribe stable" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 71+ messages in thread
* Re: [PATCH 3.5 29/64] fs: buffer: move allocation failure loop into the allocator
2013-10-31 14:00 ` Johannes Weiner
2013-10-31 14:25 ` Luis Henriques
@ 2013-10-31 14:48 ` Jan Kara
2013-10-31 16:03 ` Johannes Weiner
2013-10-31 16:03 ` Andrew Morton
1 sibling, 2 replies; 71+ messages in thread
From: Jan Kara @ 2013-10-31 14:48 UTC (permalink / raw)
To: Johannes Weiner
Cc: Luis Henriques, linux-kernel, kernel-team, Michal Hocko, Andrew Morton
On Thu 31-10-13 10:00:08, Johannes Weiner wrote:
> On Mon, Oct 28, 2013 at 02:47:48PM +0000, Luis Henriques wrote:
> > 3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Johannes Weiner <hannes@cmpxchg.org>
> >
> > commit 84235de394d9775bfaa7fa9762a59d91fef0c1fc upstream.
> >
> > Buffer allocation has a very crude indefinite loop around waking the
> > flusher threads and performing global NOFS direct reclaim because it can
> > not handle allocation failures.
> >
> > The most immediate problem with this is that the allocation may fail due
> > to a memory cgroup limit, where flushers + direct reclaim might not make
> > any progress towards resolving the situation at all. Because unlike the
> > global case, a memory cgroup may not have any cache at all, only
> > anonymous pages but no swap. This situation will lead to a reclaim
> > livelock with insane IO from waking the flushers and thrashing unrelated
> > filesystem cache in a tight loop.
> >
> > Use __GFP_NOFAIL allocations for buffers for now. This makes sure that
> > any looping happens in the page allocator, which knows how to
> > orchestrate kswapd, direct reclaim, and the flushers sensibly. It also
> > allows memory cgroups to detect allocations that can't handle failure
> > and will allow them to ultimately bypass the limit if reclaim can not
> > make progress.
So I was under the impression that __GFP_NOFAIL is going away, doesn't
it? At least about an year ago there was some effort to remove its users so
we ended up creating loops like the above one (and similar ones for
jbd/jbd2) in cases where handling the failure wasn't easily possible. And now
it seems we are going in the opposite direction... At least we have a
steady flow of patches guaranteed :)
Honza
> >
> > Reported-by: azurIt <azurit@pobox.sk>
> > Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
> > Cc: Michal Hocko <mhocko@suse.cz>
> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> > Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> > ---
> > fs/buffer.c | 14 ++++++++++++--
> > mm/memcontrol.c | 2 ++
> > 2 files changed, 14 insertions(+), 2 deletions(-)
> >
> > diff --git a/fs/buffer.c b/fs/buffer.c
> > index 2c78739..2675e5a 100644
> > --- a/fs/buffer.c
> > +++ b/fs/buffer.c
> > @@ -957,9 +957,19 @@ grow_dev_page(struct block_device *bdev, sector_t block,
> > struct buffer_head *bh;
> > sector_t end_block;
> > int ret = 0; /* Will call free_more_memory() */
> > + gfp_t gfp_mask;
> >
> > - page = find_or_create_page(inode->i_mapping, index,
> > - (mapping_gfp_mask(inode->i_mapping) & ~__GFP_FS)|__GFP_MOVABLE);
> > + gfp_mask = mapping_gfp_mask(inode->i_mapping) & ~__GFP_FS;
> > + gfp_mask |= __GFP_MOVABLE;
> > + /*
> > + * XXX: __getblk_slow() can not really deal with failure and
> > + * will endlessly loop on improvised global reclaim. Prefer
> > + * looping in the allocator rather than here, at least that
> > + * code knows what it's doing.
> > + */
> > + gfp_mask |= __GFP_NOFAIL;
> > +
> > + page = find_or_create_page(inode->i_mapping, index, gfp_mask);
> > if (!page)
> > return ret;
> >
> > diff --git a/mm/memcontrol.c b/mm/memcontrol.c
> > index 226b63e..953bf3c 100644
> > --- a/mm/memcontrol.c
> > +++ b/mm/memcontrol.c
> > @@ -2405,6 +2405,8 @@ done:
> > return 0;
> > nomem:
> > *ptr = NULL;
> > + if (gfp_mask & __GFP_NOFAIL)
> > + return 0;
> > return -ENOMEM;
> > bypass:
> > *ptr = root_mem_cgroup;
> > --
> > 1.8.3.2
> >
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
--
Jan Kara <jack@suse.cz>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 71+ messages in thread
* Re: [PATCH 3.5 29/64] fs: buffer: move allocation failure loop into the allocator
2013-10-31 14:48 ` Jan Kara
@ 2013-10-31 16:03 ` Johannes Weiner
2013-10-31 16:03 ` Andrew Morton
1 sibling, 0 replies; 71+ messages in thread
From: Johannes Weiner @ 2013-10-31 16:03 UTC (permalink / raw)
To: Jan Kara
Cc: Luis Henriques, linux-kernel, kernel-team, Michal Hocko, Andrew Morton
On Thu, Oct 31, 2013 at 03:48:48PM +0100, Jan Kara wrote:
> On Thu 31-10-13 10:00:08, Johannes Weiner wrote:
> > On Mon, Oct 28, 2013 at 02:47:48PM +0000, Luis Henriques wrote:
> > > 3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
> > >
> > > ------------------
> > >
> > > From: Johannes Weiner <hannes@cmpxchg.org>
> > >
> > > commit 84235de394d9775bfaa7fa9762a59d91fef0c1fc upstream.
> > >
> > > Buffer allocation has a very crude indefinite loop around waking the
> > > flusher threads and performing global NOFS direct reclaim because it can
> > > not handle allocation failures.
> > >
> > > The most immediate problem with this is that the allocation may fail due
> > > to a memory cgroup limit, where flushers + direct reclaim might not make
> > > any progress towards resolving the situation at all. Because unlike the
> > > global case, a memory cgroup may not have any cache at all, only
> > > anonymous pages but no swap. This situation will lead to a reclaim
> > > livelock with insane IO from waking the flushers and thrashing unrelated
> > > filesystem cache in a tight loop.
> > >
> > > Use __GFP_NOFAIL allocations for buffers for now. This makes sure that
> > > any looping happens in the page allocator, which knows how to
> > > orchestrate kswapd, direct reclaim, and the flushers sensibly. It also
> > > allows memory cgroups to detect allocations that can't handle failure
> > > and will allow them to ultimately bypass the limit if reclaim can not
> > > make progress.
> So I was under the impression that __GFP_NOFAIL is going away, doesn't
> it? At least about an year ago there was some effort to remove its users so
> we ended up creating loops like the above one (and similar ones for
> jbd/jbd2) in cases where handling the failure wasn't easily possible. And now
> it seems we are going in the opposite direction... At least we have a
> steady flow of patches guaranteed :)
Lol.
I would assume that people had a problem with allocations that can not
fail, rather than __GFP_NOFAIL. As long as we do have callsites that
can't deal with failure, I'd much prefer __GFP_NOFAIL over open-coded
looping. The page allocator is much better equipped to make forward
progress and the problematic sites are immediately apparent/greppable.
In order of preference, this is how allocation sites should deal with
errors:
1. Gracefully abort current operation and move on
2. Stab eyes with fork
3. Use __GFP_NOFAIL
... but never loop around the allocation, please.
^ permalink raw reply [flat|nested] 71+ messages in thread
* Re: [PATCH 3.5 29/64] fs: buffer: move allocation failure loop into the allocator
2013-10-31 14:48 ` Jan Kara
2013-10-31 16:03 ` Johannes Weiner
@ 2013-10-31 16:03 ` Andrew Morton
2013-10-31 19:35 ` Jan Kara
1 sibling, 1 reply; 71+ messages in thread
From: Andrew Morton @ 2013-10-31 16:03 UTC (permalink / raw)
To: Jan Kara
Cc: Johannes Weiner, Luis Henriques, linux-kernel, kernel-team, Michal Hocko
On Thu, 31 Oct 2013 15:48:48 +0100 Jan Kara <jack@suse.cz> wrote:
> On Thu 31-10-13 10:00:08, Johannes Weiner wrote:
> > On Mon, Oct 28, 2013 at 02:47:48PM +0000, Luis Henriques wrote:
> > > 3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
> > >
> > > ------------------
> > >
> > > From: Johannes Weiner <hannes@cmpxchg.org>
> > >
> > > commit 84235de394d9775bfaa7fa9762a59d91fef0c1fc upstream.
> > >
> > > Buffer allocation has a very crude indefinite loop around waking the
> > > flusher threads and performing global NOFS direct reclaim because it can
> > > not handle allocation failures.
> > >
> > > The most immediate problem with this is that the allocation may fail due
> > > to a memory cgroup limit, where flushers + direct reclaim might not make
> > > any progress towards resolving the situation at all. Because unlike the
> > > global case, a memory cgroup may not have any cache at all, only
> > > anonymous pages but no swap. This situation will lead to a reclaim
> > > livelock with insane IO from waking the flushers and thrashing unrelated
> > > filesystem cache in a tight loop.
> > >
> > > Use __GFP_NOFAIL allocations for buffers for now. This makes sure that
> > > any looping happens in the page allocator, which knows how to
> > > orchestrate kswapd, direct reclaim, and the flushers sensibly. It also
> > > allows memory cgroups to detect allocations that can't handle failure
> > > and will allow them to ultimately bypass the limit if reclaim can not
> > > make progress.
> So I was under the impression that __GFP_NOFAIL is going away, doesn't
> it? At least about an year ago there was some effort to remove its users so
> we ended up creating loops like the above one (and similar ones for
> jbd/jbd2) in cases where handling the failure wasn't easily possible. And now
> it seems we are going in the opposite direction... At least we have a
> steady flow of patches guaranteed :)
Argh. The whole point behind __GFP_NOFAIL was to centralise the
open-coded infinite-retry loops into the MM core. So they can be
easily located and fixed up.
Yes, __GFP_NOFAIL *should* go away, once all those infinite-retry loops
are fixed to handle allocation failures. But it sounds like this
"effort" was just undoing
: commit f3615244f15c8bee5783fcf032717ffdfd56e219
: Author: akpm <akpm>
: AuthorDate: Sun Apr 20 21:28:12 2003 +0000
: Commit: akpm <akpm>
: CommitDate: Sun Apr 20 21:28:12 2003 +0000
:
: [PATCH] implement __GFP_REPEAT, __GFP_NOFAIL, __GFP_NORETRY
and thereby hiding the bad code from grep again :(
^ permalink raw reply [flat|nested] 71+ messages in thread
* Re: [PATCH 3.5 29/64] fs: buffer: move allocation failure loop into the allocator
2013-10-31 16:03 ` Andrew Morton
@ 2013-10-31 19:35 ` Jan Kara
0 siblings, 0 replies; 71+ messages in thread
From: Jan Kara @ 2013-10-31 19:35 UTC (permalink / raw)
To: Andrew Morton
Cc: Jan Kara, Johannes Weiner, Luis Henriques, linux-kernel,
kernel-team, Michal Hocko
On Thu 31-10-13 09:03:53, Andrew Morton wrote:
> On Thu, 31 Oct 2013 15:48:48 +0100 Jan Kara <jack@suse.cz> wrote:
>
> > On Thu 31-10-13 10:00:08, Johannes Weiner wrote:
> > > On Mon, Oct 28, 2013 at 02:47:48PM +0000, Luis Henriques wrote:
> > > > 3.5.7.24 -stable review patch. If anyone has any objections, please let me know.
> > > >
> > > > ------------------
> > > >
> > > > From: Johannes Weiner <hannes@cmpxchg.org>
> > > >
> > > > commit 84235de394d9775bfaa7fa9762a59d91fef0c1fc upstream.
> > > >
> > > > Buffer allocation has a very crude indefinite loop around waking the
> > > > flusher threads and performing global NOFS direct reclaim because it can
> > > > not handle allocation failures.
> > > >
> > > > The most immediate problem with this is that the allocation may fail due
> > > > to a memory cgroup limit, where flushers + direct reclaim might not make
> > > > any progress towards resolving the situation at all. Because unlike the
> > > > global case, a memory cgroup may not have any cache at all, only
> > > > anonymous pages but no swap. This situation will lead to a reclaim
> > > > livelock with insane IO from waking the flushers and thrashing unrelated
> > > > filesystem cache in a tight loop.
> > > >
> > > > Use __GFP_NOFAIL allocations for buffers for now. This makes sure that
> > > > any looping happens in the page allocator, which knows how to
> > > > orchestrate kswapd, direct reclaim, and the flushers sensibly. It also
> > > > allows memory cgroups to detect allocations that can't handle failure
> > > > and will allow them to ultimately bypass the limit if reclaim can not
> > > > make progress.
> > So I was under the impression that __GFP_NOFAIL is going away, doesn't
> > it? At least about an year ago there was some effort to remove its users so
> > we ended up creating loops like the above one (and similar ones for
> > jbd/jbd2) in cases where handling the failure wasn't easily possible. And now
> > it seems we are going in the opposite direction... At least we have a
> > steady flow of patches guaranteed :)
>
> Argh. The whole point behind __GFP_NOFAIL was to centralise the
> open-coded infinite-retry loops into the MM core. So they can be
> easily located and fixed up.
>
> Yes, __GFP_NOFAIL *should* go away, once all those infinite-retry loops
> are fixed to handle allocation failures. But it sounds like this
> "effort" was just undoing
>
> : commit f3615244f15c8bee5783fcf032717ffdfd56e219
> : Author: akpm <akpm>
> : AuthorDate: Sun Apr 20 21:28:12 2003 +0000
> : Commit: akpm <akpm>
> : CommitDate: Sun Apr 20 21:28:12 2003 +0000
> :
> : [PATCH] implement __GFP_REPEAT, __GFP_NOFAIL, __GFP_NORETRY
>
> and thereby hiding the bad code from grep again :(
So I also looked into history trying to find out why we opencoded the
allocation loops. It seems originally the patch set described and
referenced in http://lwn.net/Articles/401915/ from David Rientjes in 2010
triggered the discussion. You actually opposed to that series so I didn't
merge the jbd patch. But jbd2 change got merged by Ted. Then an year later
I've noticed jbd2 is avoiding __GFP_NOFAIL and forgot you were opposing
that change and copied the change over to jbd. So I'll back out the jbd
change. I'll also look into removing the retry loop from jbd2 (there the
change actually made some sense because in some cases we can deal with
allocation failure).
Honza
--
Jan Kara <jack@suse.cz>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 71+ messages in thread
end of thread, other threads:[~2013-10-31 19:35 UTC | newest]
Thread overview: 71+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-10-28 14:47 [3.5.y.z extended stable] Linux 3.5.7.24 stable review Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 01/64] ACPI / IPMI: Fix atomic context requirement of ipmi_msg_handler() Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 02/64] Btrfs: change how we queue blocks for backref checking Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 03/64] watchdog: ts72xx_wdt: locking bug in ioctl Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 04/64] random: run random_int_secret_init() run after all late_initcalls Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 05/64] tile: use a more conservative __my_cpu_offset in CONFIG_PREEMPT Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 06/64] ALSA: snd-usb-usx2y: remove bogus frame checks Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 07/64] ALSA: hda - Add fixup for ASUS N56VZ Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 08/64] hwmon: (applesmc) Always read until end of data Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 09/64] drm/radeon: fix hw contexts for SUMO2 asics Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 10/64] KVM: PPC: Book3S HV: Fix typo in saving DSCR Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 11/64] random: allow architectures to optionally define random_get_entropy() Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 12/64] ext4: fix memory leak in xattr Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 13/64] parisc: fix interruption handler to respect pagefault_disable() Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 14/64] mm, show_mem: suppress page counts in non-blockable contexts Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 15/64] mm/mmap: check for RLIMIT_AS before unmapping Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 16/64] mm: do not grow the stack vma just because of an overrun on preceding vma Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 17/64] xhci: Don't enable/disable RWE on bus suspend/resume Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 18/64] xhci: quirk for extra long delay for S4 Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 19/64] xhci: Fix spurious wakeups after S5 on Haswell Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 20/64] USB: support new huawei devices in option.c Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 21/64] USB: serial: ti_usb_3410_5052: add Abbott strip port ID to combined table as well Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 22/64] USB: serial: option: add support for Inovia SEW858 device Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 23/64] ARM: 7851/1: check for number of arguments in syscall_get/set_arguments() Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 24/64] USB: quirks.c: add one device that cannot deal with suspension Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 25/64] dm snapshot: fix data corruption Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 26/64] USB: quirks: add touchscreen that is dazzeled by remote wakeup Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 27/64] usb: serial: option: blacklist Olivetti Olicard200 Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 28/64] usb-storage: add quirk for mandatory READ_CAPACITY_16 Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 29/64] fs: buffer: move allocation failure loop into the allocator Luis Henriques
2013-10-31 14:00 ` Johannes Weiner
2013-10-31 14:25 ` Luis Henriques
2013-10-31 14:48 ` Jan Kara
2013-10-31 16:03 ` Johannes Weiner
2013-10-31 16:03 ` Andrew Morton
2013-10-31 19:35 ` Jan Kara
2013-10-28 14:47 ` [PATCH 3.5 30/64] writeback: fix negative bdi max pause Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 31/64] powerpc/pseries/lparcfg: Fix possible overflow are more than 1026 Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 32/64] powerpc: Restore registers on error exit from csum_partial_copy_generic() Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 33/64] nilfs2: fix issue with race condition of competition between segments for dirty blocks Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 34/64] fuse: hotfix truncate_pagecache() issue Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 35/64] rt2800: fix wrong TX power compensation Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 36/64] [media] sh_vou: almost forever loop in sh_vou_try_fmt_vid_out() Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 37/64] tcp: must unclone packets before mangling them Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 38/64] tcp: do not forget FIN in tcp_shifted_skb() Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 39/64] net: do not call sock_put() on TIMEWAIT sockets Luis Henriques
2013-10-28 14:47 ` [PATCH 3.5 40/64] net: mv643xx_eth: update statistics timer from timer context only Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 41/64] net: mv643xx_eth: fix orphaned statistics timer crash Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 42/64] net: heap overflow in __audit_sockaddr() Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 43/64] proc connector: fix info leaks Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 44/64] ipv4: fix ineffective source address selection Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 45/64] can: dev: fix nlmsg size calculation in can_get_size() Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 46/64] ipv6: restrict neighbor entry creation to output flow Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 47/64] bridge: Correctly clamp MAX forward_delay when enabling STP Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 48/64] net: vlan: fix nlmsg size calculation in vlan_get_size() Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 49/64] l2tp: must disable bh before calling l2tp_xmit_skb() Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 50/64] farsync: fix info leak in ioctl Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 51/64] unix_diag: fix info leak Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 52/64] connector: use nlmsg_len() to check message length Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 53/64] bnx2x: record rx queue for LRO packets Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 54/64] net: dst: provide accessor function to dst->xfrm Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 55/64] sctp: Use software crc32 checksum when xfrm transform will happen Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 56/64] sctp: Perform software checksum if packet has to be fragmented Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 57/64] wanxl: fix info leak in ioctl Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 58/64] net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 59/64] net: fix cipso packet validation when !NETLABEL Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 60/64] inet: fix possible memory corruption with UDP_CORK and UFO Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 61/64] davinci_emac.c: Fix IFF_ALLMULTI setup Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 62/64] can: flexcan: fix flexcan_chip_start() on imx6 Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 63/64] can: flexcan: flexcan_chip_start: fix regression, mark one MB for TX and abort pending TX Luis Henriques
2013-10-28 14:48 ` [PATCH 3.5 64/64] PCI: fix truncation of resource size to 32 bits Luis Henriques
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).