commit 555a5d61f1623a0fa7aa012be0c4b24873c17991 Author: Greg Kroah-Hartman Date: Thu Mar 28 12:06:45 2013 -0700 Linux 3.0.71 commit f2c1a6c85f3cf6be6cf0ddf38fc8a0a5b05498fb Author: Ben Hutchings Date: Thu Nov 29 09:12:37 2012 +0100 asus-laptop: Do not call HWRS on init commit cb7da022450cdaaebd33078b6b32fb7dd2aaf6db upstream. Since commit 8871e99f89b7 ('asus-laptop: HRWS/HWRS typo'), module initialisation is very slow on the Asus UL30A. The HWRS method takes about 12 seconds to run, and subsequent initialisation also seems to be delayed. Since we don't really need the result, don't bother calling it on init. Those who are curious can still get the result through the 'infos' device attribute. Update the comment about HWRS in show_infos(). Reported-by: ryan References: http://bugs.debian.org/692436 Signed-off-by: Ben Hutchings Signed-off-by: Corentin Chary Signed-off-by: Matthew Garrett Signed-off-by: Greg Kroah-Hartman commit 9fbbadf339d8d97a2aa16c25346278ef64cbcfc1 Author: Felix Fietkau Date: Tue Feb 26 16:09:55 2013 +0100 rt2x00: error in configurations with mesh support disabled commit 6ef9e2f6d12ce9e2120916804d2ddd46b954a70b upstream. If CONFIG_MAC80211_MESH is not set, cfg80211 will now allow advertising interface combinations with NL80211_IFTYPE_MESH_POINT present. Add appropriate ifdefs to avoid running into errors. [Backported for 3.8-stable. Removed code of simultaneous AP and mesh mode added in 4a5fc6d 3.9-rc1.] Signed-off-by: Felix Fietkau Acked-by: Gertjan van Wingerde Signed-off-by: John W. Linville Signed-off-by: Lingzhu Xiang Reviewed-by: CAI Qian Signed-off-by: Greg Kroah-Hartman commit ea8d2d19ad17ceafc883b86e448a405cf7808927 Author: Kees Cook Date: Mon Dec 17 16:03:20 2012 -0800 exec: use -ELOOP for max recursion depth commit d740269867021faf4ce38a449353d2b986c34a67 upstream. To avoid an explosion of request_module calls on a chain of abusive scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon as maximum recursion depth is hit, the error will fail all the way back up the chain, aborting immediately. This also has the side-effect of stopping the user's shell from attempting to reexecute the top-level file as a shell script. As seen in the dash source: if (cmd != path_bshell && errno == ENOEXEC) { *argv-- = cmd; *argv = cmd = path_bshell; goto repeat; } The above logic was designed for running scripts automatically that lacked the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC, things continue to behave as the shell expects. Additionally, when tracking recursion, the binfmt handlers should not be involved. The recursion being tracked is the depth of calls through search_binary_handler(), so that function should be exclusively responsible for tracking the depth. Signed-off-by: Kees Cook Cc: halfdog Cc: P J P Cc: Alexander Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 7396043fa475256bb61f1c9f901cfd3ed550a3cd Author: Lekensteyn Date: Tue Jun 26 00:36:24 2012 +0200 i915: initialize CADL in opregion commit d627b62ff8d4d36761adbcd90ff143d79c94ab22 upstream. This is rather a hack to fix brightness hotkeys on a Clevo laptop. CADL is not used anywhere in the driver code at the moment, but it could be used in BIOS as is the case with the Clevo laptop. The Clevo B7130 requires the CADL field to contain at least the ID of the LCD device. If this field is empty, the ACPI methods that are called on pressing brightness / display switching hotkeys will not trigger a notification. As a result, it appears as no hotkey has been pressed. Reference: https://bugs.freedesktop.org/show_bug.cgi?id=45452 Tested-by: Peter Wu Signed-off-by: Peter Wu Acked-by: Jesse Barnes Signed-off-by: Daniel Vetter Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit cb536e41582fc565991c09ad63d4ae623870f1b0 Author: Mathias Krause Date: Thu Jul 12 08:46:55 2012 +0200 udf: avoid info leak on export commit 0143fc5e9f6f5aad4764801015bc8d4b4a278200 upstream. For type 0x51 the udf.parent_partref member in struct fid gets copied uninitialized to userland. Fix this by initializing it to 0. Signed-off-by: Mathias Krause Signed-off-by: Jan Kara Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 89e2149fdbd22db4c354df58f2939b8878e6f10d Author: Mathias Krause Date: Thu Jul 12 08:46:54 2012 +0200 isofs: avoid info leak on export commit fe685aabf7c8c9f138e5ea900954d295bf229175 upstream. For type 1 the parent_offset member in struct isofs_fid gets copied uninitialized to userland. Fix this by initializing it to 0. Signed-off-by: Mathias Krause Signed-off-by: Jan Kara Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit c18508394610b47964ef6c2d4d71b85873ce10fe Author: Mathieu Desnoyers Date: Mon Feb 25 10:20:36 2013 -0500 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys commit 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 upstream. Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to compat_process_vm_rw() shows that the compatibility code requires an explicit "access_ok()" check before calling compat_rw_copy_check_uvector(). The same difference seems to appear when we compare fs/read_write.c:do_readv_writev() to fs/compat.c:compat_do_readv_writev(). This subtle difference between the compat and non-compat requirements should probably be debated, as it seems to be error-prone. In fact, there are two others sites that use this function in the Linux kernel, and they both seem to get it wrong: Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() also ends up calling compat_rw_copy_check_uvector() through aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to be missing. Same situation for security/keys/compat.c:compat_keyctl_instantiate_key_iov(). I propose that we add the access_ok() check directly into compat_rw_copy_check_uvector(), so callers don't have to worry about it, and it therefore makes the compat call code similar to its non-compat counterpart. Place the access_ok() check in the same location where copy_from_user() can trigger a -EFAULT error in the non-compat code, so the ABI behaviors are alike on both compat and non-compat. While we are here, fix compat_do_readv_writev() so it checks for compat_rw_copy_check_uvector() negative return values. And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error handling. Acked-by: Linus Torvalds Acked-by: Al Viro Signed-off-by: Mathieu Desnoyers Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8fc39830ce6dc2a93f29872afce83b180a6d3deb Author: Alan Cox Date: Fri Sep 28 12:20:02 2012 +0100 key: Fix resource leak commit a84a921978b7d56e0e4b87ffaca6367429b4d8ff upstream. On an error iov may still have been reallocated and need freeing Signed-off-by: Alan Cox Signed-off-by: David Howells Signed-off-by: Greg Kroah-Hartman commit d79c29b44524bd1ea8c4ab71a13f33fced3bb17a Author: Johan Hovold Date: Tue Mar 19 09:21:08 2013 +0100 USB: io_ti: fix get_icount for two port adapters commit 5492bf3d5655b4954164f69c02955a7fca267611 upstream. Add missing get_icount field to two-port driver. The two-port driver was not updated when switching to the new icount interface in commit 0bca1b913aff ("tty: Convert the USB drivers to the new icount interface"). Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 2f4e0bbf44d7469d6de03155cdf25e3928a93707 Author: Johan Hovold Date: Tue Mar 19 09:21:07 2013 +0100 USB: garmin_gps: fix memory leak on disconnect commit 618aa1068df29c37a58045fe940f9106664153fd upstream. Remove bogus disconnect test introduced by 95bef012e ("USB: more serial drivers writing after disconnect") which prevented queued data from being freed on disconnect. The possible IO it was supposed to prevent is long gone. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 400ac274e9c84f439a2e419bcb392aefbd9f4a3e Author: Jan Kara Date: Tue Feb 5 13:59:56 2013 +0100 udf: Fix bitmap overflow on large filesystems with small block size commit 89b1f39eb4189de745fae554b0d614d87c8d5c63 upstream. For large UDF filesystems with 512-byte blocks the number of necessary bitmap blocks is larger than 2^16 so s_nr_groups in udf_bitmap overflows (the number will overflow for filesystems larger than 128 GB with 512-byte blocks). That results in ENOSPC errors despite the filesystem has plenty of free space. Fix the problem by changing s_nr_groups' type to 'int'. That is enough even for filesystems 2^32 blocks (UDF maximum) and 512-byte blocksize. Reported-and-tested-by: v10lator@myway.de Signed-off-by: Jan Kara Cc: Jim Trigg Signed-off-by: Greg Kroah-Hartman commit 28a4b1b70dd44e8e4ab9df6e84e776911902313e Author: Johan Hovold Date: Tue Mar 19 09:21:09 2013 +0100 USB: serial: fix interface refcounting commit d7971051e4df825e0bc11b995e87bfe86355b8e5 upstream. Make sure the interface is not released before our serial device. Note that drivers are still not allowed to access the interface in any way that may interfere with another driver that may have gotten bound to the same interface after disconnect returns. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 1f9e70fa1d260bb1ed217bd636cad0c1d0a29f24 Author: Dmitry Torokhov Date: Mon Feb 25 10:56:01 2013 -0800 USB: xhci - fix bit definitions for IMAN register commit f8264340e694604863255cc0276491d17c402390 upstream. According to XHCI specification (5.5.2.1) the IP is bit 0 and IE is bit 1 of IMAN register. Previously their definitions were reversed. Even though there are no ill effects being observed from the swapped definitions (because IMAN_IP is RW1C and in legacy PCI case we come in with it already set to 1 so it was clearing itself even though we were setting IMAN_IE instead of IMAN_IP), we should still correct the values. This patch should be backported to kernels as old as 2.6.36, that contain the commit 4e833c0b87a30798e67f06120cecebef6ee9644c "xhci: don't re-enable IE constantly". Signed-off-by: Dmitry Torokhov Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 84bde6521f50d67ecdb52777da3901430470bd5d Author: CQ Tang Date: Mon Mar 18 11:02:21 2013 -0400 x86-64: Fix the failure case in copy_user_handle_tail() commit 66db3feb486c01349f767b98ebb10b0c3d2d021b upstream. The increment of "to" in copy_user_handle_tail() will have incremented before a failure has been noted. This causes us to skip a byte in the failure case. Only do the increment when assured there is no failure. Signed-off-by: CQ Tang Link: http://lkml.kernel.org/r/20130318150221.8439.993.stgit@phlsvslse11.ph.intel.com Signed-off-by: Mike Marciniszyn Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 611f2aaf1f4de0ab50d0a3dabfb1759d13f65cf9 Author: Mark Rutland Date: Thu Mar 7 15:09:24 2013 +0000 clockevents: Don't allow dummy broadcast timers commit a7dc19b8652c862d5b7c4d2339bd3c428bd29c4a upstream. Currently tick_check_broadcast_device doesn't reject clock_event_devices with CLOCK_EVT_FEAT_DUMMY, and may select them in preference to real hardware if they have a higher rating value. In this situation, the dummy timer is responsible for broadcasting to itself, and the core clockevents code may attempt to call non-existent callbacks for programming the dummy, eventually leading to a panic. This patch makes tick_check_broadcast_device always reject dummy timers, preventing this problem. Signed-off-by: Mark Rutland Cc: linux-arm-kernel@lists.infradead.org Cc: Jon Medhurst (Tixy) Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 52bc8dc1e1023ad0a91b3c80d048688d4167b7e5 Author: Mike Marciniszyn Date: Tue Feb 26 15:46:27 2013 +0000 IPoIB: Fix send lockup due to missed TX completion commit 1ee9e2aa7b31427303466776f455d43e5e3c9275 upstream. Commit f0dc117abdfa ("IPoIB: Fix TX queue lockup with mixed UD/CM traffic") attempts to solve an issue where unprocessed UD send completions can deadlock the netdev. The patch doesn't fully resolve the issue because if more than half the tx_outstanding's were UD and all of the destinations are RC reachable, arming the CQ doesn't solve the issue. This patch uses the IB_CQ_REPORT_MISSED_EVENTS on the ib_req_notify_cq(). If the rc is above 0, the UD send cq completion callback is called directly to re-arm the send completion timer. This issue is seen in very large parallel filesystem deployments and the patch has been shown to correct the issue. Reviewed-by: Dean Luick Signed-off-by: Mike Marciniszyn Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit b5b9400569dec274ff74b3182e1f86c1e5b50ce4 Author: Dmitry Artamonow Date: Sat Mar 9 20:30:58 2013 +0400 usb-storage: add unusual_devs entry for Samsung YP-Z3 mp3 player commit 29f86e66428ee083aec106cca1748dc63d98ce23 upstream. Device stucks on filesystem writes, unless following quirk is passed: echo 04e8:5136:m > /sys/module/usb_storage/parameters/quirks Add corresponding entry to unusual_devs.h Signed-off-by: Dmitry Artamonow Signed-off-by: Greg Kroah-Hartman commit 84bd1744acdd6e3cef26df9de51c834b8aa48b9a Author: Zheng Liu Date: Sun Mar 10 21:20:23 2013 -0400 ext4: fix the wrong number of the allocated blocks in ext4_split_extent() commit 3a2256702e47f68f921dfad41b1764d05c572329 upstream. This commit fixes a wrong return value of the number of the allocated blocks in ext4_split_extent. When the length of blocks we want to allocate is greater than the length of the current extent, we return a wrong number. Let's see what happens in the following case when we call ext4_split_extent(). map: [48, 72] ex: [32, 64, u] 'ex' will be split into two parts: ex1: [32, 47, u] ex2: [48, 64, w] 'map->m_len' is returned from this function, and the value is 24. But the real length is 16. So it should be fixed. Meanwhile in this commit we use right length of the allocated blocks when get_reserved_cluster_alloc in ext4_ext_handle_uninitialized_extents is called. Signed-off-by: Zheng Liu Signed-off-by: "Theodore Ts'o" Cc: Dmitry Monakhov Signed-off-by: Greg Kroah-Hartman commit 554d123e99dbb1d2192501c8d295e556d777388e Author: Jeff Layton Date: Mon Mar 11 09:52:19 2013 -0400 cifs: ignore everything in SPNEGO blob after mechTypes commit f853c616883a8de966873a1dab283f1369e275a1 upstream. We've had several reports of people attempting to mount Windows 8 shares and getting failures with a return code of -EINVAL. The default sec= mode changed recently to sec=ntlmssp. With that, we expect and parse a SPNEGO blob from the server in the NEGOTIATE reply. The current decode_negTokenInit function first parses all of the mechTypes and then tries to parse the rest of the negTokenInit reply. The parser however currently expects a mechListMIC or nothing to follow the mechTypes, but Windows 8 puts a mechToken field there instead to carry some info for the new NegoEx stuff. In practice, we don't do anything with the fields after the mechTypes anyway so I don't see any real benefit in continuing to parse them. This patch just has the kernel ignore the fields after the mechTypes. We'll probably need to reinstate some of this if we ever want to support NegoEx. Reported-by: Jason Burgess Reported-by: Yan Li Signed-off-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 3993d37e21053878739ad1baa264617aa115f4af Author: Wanpeng Li Date: Fri Mar 22 15:04:40 2013 -0700 mm/hugetlb: fix total hugetlbfs pages count when using memory overcommit accouting commit d00285884c0892bb1310df96bce6056e9ce9b9d9 upstream. hugetlb_total_pages is used for overcommit calculations but the current implementation considers only the default hugetlb page size (which is either the first defined hugepage size or the one specified by default_hugepagesz kernel boot parameter). If the system is configured for more than one hugepage size, which is possible since commit a137e1cc6d6e ("hugetlbfs: per mount huge page sizes") then the overcommit estimation done by __vm_enough_memory() (resp. shown by meminfo_proc_show) is not precise - there is an impression of more available/allowed memory. This can lead to an unexpected ENOMEM/EFAULT resp. SIGSEGV when memory is accounted. Testcase: boot: hugepagesz=1G hugepages=1 the default overcommit ratio is 50 before patch: egrep 'CommitLimit' /proc/meminfo CommitLimit: 55434168 kB after patch: egrep 'CommitLimit' /proc/meminfo CommitLimit: 54909880 kB [akpm@linux-foundation.org: coding-style tweak] Signed-off-by: Wanpeng Li Acked-by: Michal Hocko Cc: "Aneesh Kumar K.V" Cc: Hillf Danton Cc: KAMEZAWA Hiroyuki Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b599876605b32b7b692b095df613af8d27240a1f Author: Torsten Duwe Date: Sat Mar 23 15:38:22 2013 +0100 KMS: fix EDID detailed timing vsync parsing commit 16dad1d743d31a104a849c8944e6b9eb479f6cd7 upstream. EDID spreads some values across multiple bytes; bit-fiddling is needed to retrieve these. The current code to parse "detailed timings" has a cut&paste error that results in a vsync offset of at most 15 lines instead of 63. See http://en.wikipedia.org/wiki/EDID and in the "EDID Detailed Timing Descriptor" see bytes 10+11 show why that needs to be a left shift. Signed-off-by: Torsten Duwe Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 28513ead437be0ab26124c430411c1358b69e71d Author: Kees Cook Date: Mon Mar 11 17:31:45 2013 -0700 drm/i915: bounds check execbuffer relocation count commit 3118a4f652c7b12c752f3222af0447008f9b2368 upstream. It is possible to wrap the counter used to allocate the buffer for relocation copies. This could lead to heap writing overflows. CVE-2013-0913 v3: collapse test, improve comment v2: move check into validate_exec_list Signed-off-by: Kees Cook Reported-by: Pinkie Pie Reviewed-by: Chris Wilson Signed-off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit 23e90aa103cabff3b5d48faad3e8deefa43e38b6 Author: Bing Zhao Date: Thu Mar 7 20:00:16 2013 -0800 mwifiex: fix potential out-of-boundary access to ibss rate table commit 5f0fabf84d7b52f979dcbafa3d3c530c60d9a92c upstream. smatch found this error: CHECK drivers/net/wireless/mwifiex/join.c drivers/net/wireless/mwifiex/join.c:1121 mwifiex_cmd_802_11_ad_hoc_join() error: testing array offset 'i' after use. Signed-off-by: Bing Zhao Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 7bdb127976b88b761bdd0b2a2756b35681655ce1 Author: Steven Rostedt (Red Hat) Date: Wed Mar 13 11:15:19 2013 -0400 tracing: Fix free of probe entry by calling call_rcu_sched() commit 740466bc89ad8bd5afcc8de220f715f62b21e365 upstream. Because function tracing is very invasive, and can even trace calls to rcu_read_lock(), RCU access in function tracing is done with preempt_disable_notrace(). This requires a synchronize_sched() for updates and not a synchronize_rcu(). Function probes (traceon, traceoff, etc) must be freed after a synchronize_sched() after its entry has been removed from the hash. But call_rcu() is used. Fix this by using call_rcu_sched(). Also fix the usage to use hlist_del_rcu() instead of hlist_del(). Signed-off-by: Steven Rostedt Cc: Paul McKenney Signed-off-by: Greg Kroah-Hartman commit cdeff82601556a61c22f6e27dfeefb9af823485a Author: Steven Rostedt (Red Hat) Date: Tue Mar 12 11:32:32 2013 -0400 tracing: Fix race in snapshot swapping commit 2721e72dd10f71a3ba90f59781becf02638aa0d9 upstream. Although the swap is wrapped with a spin_lock, the assignment of the temp buffer used to swap is not within that lock. It needs to be moved into that lock, otherwise two swaps happening on two different CPUs, can end up using the wrong temp buffer to assign in the swap. Luckily, all current callers of the swap function appear to have their own locks. But in case something is added that allows two different callers to call the swap, then there's a chance that this race can trigger and corrupt the buffers. New code is coming soon that will allow for this race to trigger. I've Cc'd stable, so this bug will not show up if someone backports one of the changes that can trigger this bug. Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 7ace9c4c6c590531e0cf4a61925ec2dd5947f81c Author: Kees Cook Date: Mon Mar 11 12:25:19 2013 -0700 drm/i915: restrict kernel address leak in debugfs commit 2563a4524febe8f4a98e717e02436d1aaf672aa2 upstream. Masks kernel address info-leak in object dumps with the %pK suffix, so they cannot be used to target kernel memory corruption attacks if the kptr_restrict sysctl is set. Signed-off-by: Kees Cook Signed-off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit 48a6edd00c703041a0bdfd756aa155b88b69c2b3 Author: Daniel Mack Date: Tue Mar 19 21:09:25 2013 +0100 ALSA: snd-usb: mixer: ignore -EINVAL in snd_usb_mixer_controls() commit 83ea5d18d74f032a760fecde78c0210f66f7f70c upstream. Creation of individual mixer controls may fail, but that shouldn't cause the entire mixer creation to fail. Even worse, if the mixer creation fails, that will error out the entire device probing. All the functions called by parse_audio_unit() should return -EINVAL if they find descriptors that are unsupported or believed to be malformed, so we can safely handle this error code as a non-fatal condition in snd_usb_mixer_controls(). That fixes a long standing bug which is commonly worked around by adding quirks which make the driver ignore entire interfaces. Some of them might now be unnecessary. Signed-off-by: Daniel Mack Reported-and-tested-by: Rodolfo Thomazelli Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8eb3446cae04c4d100818003dac2d4546e3f0704 Author: Daniel Mack Date: Tue Mar 19 21:09:24 2013 +0100 ALSA: snd-usb: mixer: propagate errors up the call chain commit 4d7b86c98e445b075c2c4c3757eb6d3d6efbe72e upstream. In check_input_term() and parse_audio_feature_unit(), propagate the error value that has been returned by a failing function instead of -EINVAL. That helps cleaning up the error pathes in the mixer. Signed-off-by: Daniel Mack Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 90c925a0edaec90fe169ab62dffa570de362d5b1 Author: Takashi Iwai Date: Wed Mar 20 15:42:00 2013 +0100 ALSA: hda - Fix typo in checking IEC958 emphasis bit commit a686fd141e20244ad75f80ad54706da07d7bb90a upstream. There is a typo in convert_to_spdif_status() about checking the emphasis IEC958 status bit. It should check the given value instead of the resultant value. Reported-by: Martin Weishart Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 9bb104c28a389c39812b15b39672aa87b91bcd79 Author: Ben Hutchings Date: Wed Feb 27 16:50:38 2013 +0000 sfc: Only use TX push if a single descriptor is to be written [ Upstream commit fae8563b25f73dc584a07bcda7a82750ff4f7672 ] Using TX push when notifying the NIC of multiple new descriptors in the ring will very occasionally cause the TX DMA engine to re-use an old descriptor. This can result in a duplicated or partly duplicated packet (new headers with old data), or an IOMMU page fault. This does not happen when the pushed descriptor is the only one written. TX push also provides little latency benefit when a packet requires more than one descriptor. Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit ad0c4a9fa31036fefb30385edfbd1feb8971de97 Author: Ben Hutchings Date: Tue Mar 5 01:03:47 2013 +0000 sfc: Disable soft interrupt handling during efx_device_detach_sync() [ Upstream commit 35205b211c8d17a8a0b5e8926cb7c73e9a7ef1ad ] efx_device_detach_sync() locks all TX queues before marking the device detached and thus disabling further TX scheduling. But it can still be interrupted by TX completions which then result in TX scheduling in soft interrupt context. This will deadlock when it tries to acquire a TX queue lock that efx_device_detach_sync() already acquired. To avoid deadlock, we must use netif_tx_{,un}lock_bh(). Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit c62fe657e9c08b273aac0c3a0556ccdce9ede49a Author: Ben Hutchings Date: Mon Jan 28 19:01:06 2013 +0000 sfc: Detach net device when stopping queues for reconfiguration [ Upstream commit 29c69a4882641285a854d6d03ca5adbba68c0034 ] We must only ever stop TX queues when they are full or the net device is not 'ready' so far as the net core, and specifically the watchdog, is concerned. Otherwise, the watchdog may fire *immediately* if no packets have been added to the queue in the last 5 seconds. The device is ready if all the following are true: (a) It has a qdisc (b) It is marked present (c) It is running (d) The link is reported up (a) and (c) are normally true, and must not be changed by a driver. (d) is under our control, but fake link changes may disturb userland. This leaves (b). We already mark the device absent during reset and self-test, but we need to do the same during MTU changes and ring reallocation. We don't need to do this when the device is brought down because then (c) is already false. Signed-off-by: Ben Hutchings [bwh: Backported to 3.0: adjust context] Signed-off-by: Greg Kroah-Hartman commit 67d8c1035e0c960a3d41abe532ea868bb3985f22 Author: Ben Hutchings Date: Thu Jan 10 23:51:54 2013 +0000 sfc: Fix efx_rx_buf_offset() in the presence of swiotlb [ Upstream commits 06e63c57acbb1df7c35ebe846ae416a8b88dfafa, b590ace09d51cd39744e0f7662c5e4a0d1b5d952 and c73e787a8db9117d59b5180baf83203a42ecadca ] We assume that the mapping between DMA and virtual addresses is done on whole pages, so we can find the page offset of an RX buffer using the lower bits of the DMA address. However, swiotlb maps in units of 2K, breaking this assumption. Add an explicit page_offset field to struct efx_rx_buffer. Signed-off-by: Ben Hutchings [bwh: Backported to 3.0: adjust context] Signed-off-by: Greg Kroah-Hartman commit bbd3cfb8cbb326f32f1daec0ea6ffbf855a7ecc8 Author: Ben Hutchings Date: Thu Dec 20 18:48:20 2012 +0000 sfc: Properly sync RX DMA buffer when it is not the last in the page [ Upstream commit 3a68f19d7afb80f548d016effbc6ed52643a8085 ] We may currently allocate two RX DMA buffers to a page, and only unmap the page when the second is completed. We do not sync the first RX buffer to be completed; this can result in packet loss or corruption if the last RX buffer completed in a NAPI poll is the first in a page and is not DMA-coherent. (In the middle of a NAPI poll, we will handle the following RX completion and unmap the page *before* looking at the content of the first buffer.) Signed-off-by: Ben Hutchings [bwh: Backported to 3.0: adjust context] Signed-off-by: Greg Kroah-Hartman commit 16cec22e5099020edb0ba8b6ae8f1b011e2ec4d5 Author: Ben Hutchings Date: Sat Dec 1 02:21:17 2012 +0000 sfc: Fix timekeeping in efx_mcdi_poll() [ Upstream commit ebf98e797b4e26ad52ace1511a0b503ee60a6cd4 ] efx_mcdi_poll() uses get_seconds() to read the current time and to implement a polling timeout. The use of this function was chosen partly because it could easily be replaced in a co-sim environment with a macro that read the simulated time. Unfortunately the real get_seconds() returns the system time (real time) which is subject to adjustment by e.g. ntpd. If the system time is adjusted forward during a polled MCDI operation, the effective timeout can be shorter than the intended 10 seconds, resulting in a spurious failure. It is also possible for a backward adjustment to delay detection of a areal failure. Use jiffies instead, and change MCDI_RPC_TIMEOUT to be denominated in jiffies. Also correct rounding of the timeout: check time > finish (or rather time_after(time, finish)) and not time >= finish. Signed-off-by: Ben Hutchings [bwh: Backported to 3.0: adjust context] Signed-off-by: Greg Kroah-Hartman commit 376ed848f420a921325e9dc144c9cc7fa3829a38 Author: Daniel Pieczko Date: Wed Oct 17 13:21:23 2012 +0100 sfc: lock TX queues when calling netif_device_detach() [ Upstream commit c2f3b8e3a44b6fe9e36704e30157ebe1a88c08b1 ] The assertion of netif_device_present() at the top of efx_hard_start_xmit() may fail if we don't do this. Signed-off-by: Ben Hutchings [bwh: Backported to 3.0: adjust context] Signed-off-by: Greg Kroah-Hartman commit 442933f2b6a4c0e1d4a3b216c55c720a01c032be Author: Ben Hutchings Date: Mon May 23 12:18:45 2011 +0100 sfc: Fix two causes of flush failure [ Upstream commits a606f4325dca6950996abbae452d33f2af095f39, d5e8cc6c946e0857826dcfbb3585068858445bfe, 525d9e824018cd7cc8d8d44832ddcd363abfe6e1 ] The TX DMA engine issues upstream read requests when there is room in the TX FIFO for the completion. However, the fetches for the rest of the packet might be delayed by any back pressure. Since a flush must wait for an EOP, the entire flush may be delayed by back pressure. Mitigate this by disabling flow control before the flushes are started. Since PF and VF flushes run in parallel introduce fc_disable, a reference count of the number of flushes outstanding. The same principle could be applied to Falcon, but that would bring with it its own testing. We sometimes hit a "failed to flush" timeout on some TX queues, but the flushes have completed and the flush completion events seem to go missing. In this case, we can check the TX_DESC_PTR_TBL register and drain the queues if the flushes had finished. Signed-off-by: Ben Hutchings [bwh: Backported to 3.0: - Call efx_nic_type::finish_flush() on both success and failure paths - Check the TX_DESC_PTR_TBL registers in the polling loop - Declare efx_mcdi_set_mac() extern] Signed-off-by: Greg Kroah-Hartman commit 886033e132d6d83d6e7738e3edcd1598a7b66cf0 Author: Ben Hutchings Date: Fri Sep 7 00:58:10 2012 +0100 sfc: Convert firmware subtypes to native byte order in efx_mcdi_get_board_cfg() [ Upstream commit bfeed902946a31692e7a24ed355b6d13ac37d014 ] On big-endian systems the MTD partition names currently have mangled subtype numbers and are not recognised by the firmware update tool (sfupdate). Signed-off-by: Ben Hutchings [bwh: Backported to 3.0: use old macros for length of firmware subtype array] Signed-off-by: Greg Kroah-Hartman commit c7c9da144089da9241afd57398144ba4860e91bd Author: Stuart Hodgson Date: Fri Mar 30 13:04:51 2012 +0100 sfc: Do not attempt to flush queues if DMA is disabled [ Upstream commit 3dca9d2dc285faf1910d405b65df845cab061356 ] efx_nic_fatal_interrupt() disables DMA before scheduling a reset. After this, we need not and *cannot* flush queues. Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit dc3780422853539f985271c59e686e4e53ac0eb2 Author: Steve Hodgson Date: Wed Jun 22 12:11:33 2011 +0100 sfc: Fix Siena mac statistics on big endian platforms [ Upstream commit a659b2a94d87add999229ecd9f2f56817d5d737b ] [bwh: Use __force in the one place it's needed] Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit de279fd887d1237ec1cd330e1a3c02807eb9ba56 Author: Ben Hutchings Date: Fri Jun 24 20:26:44 2011 +0100 sfc: Fix loop condition for efx_filter_search() when !for_insert [ Upstream commit 4017dbdc14af1903dc9fcba4d08b89c02325069d ] efx_filter_remove_filter() fails to remove inserted filters in some cases. For example: 1. Two filters A and B have specifications that result in an initial hash collision. 2. A is inserted first, followed by B. 3. An attempt to remove B first succeeds, but if A is removed first a subsequent attempt to remove B fails. When searching for an existing filter (!for_insert), efx_filter_search() must always continue to the maximum search depth for the given type rather than stopping at the first unused entry. Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 7b7a1b8b3bd1742ca5ab259e741da0070e936db0 Author: Hannes Frederic Sowa Date: Fri Mar 15 11:32:30 2013 +0000 inet: limit length of fragment queue hash table bucket lists [ Upstream commit 5a3da1fe9561828d0ca7eca664b16ec2b9bf0055 ] This patch introduces a constant limit of the fragment queue hash table bucket list lengths. Currently the limit 128 is choosen somewhat arbitrary and just ensures that we can fill up the fragment cache with empty packets up to the default ip_frag_high_thresh limits. It should just protect from list iteration eating considerable amounts of cpu. If we reach the maximum length in one hash bucket a warning is printed. This is implemented on the caller side of inet_frag_find to distinguish between the different users of inet_fragment.c. I dropped the out of memory warning in the ipv4 fragment lookup path, because we already get a warning by the slab allocator. Cc: Eric Dumazet Cc: Jesper Dangaard Brouer Signed-off-by: Hannes Frederic Sowa Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 110789df9f88361dcf6b5dad53a38ea2f88cad77 Author: Vlad Yasevich Date: Wed Mar 13 04:18:58 2013 +0000 rtnetlink: Mask the rta_type when range checking [ Upstream commit a5b8db91442fce9c9713fcd656c3698f1adde1d6 ] Range/validity checks on rta_type in rtnetlink_rcv_msg() do not account for flags that may be set. This causes the function to return -EINVAL when flags are set on the type (for example NLA_F_NESTED). Signed-off-by: Vlad Yasevich Acked-by: Thomas Graf Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1b92d599fe0f704d9981063d39339fea1f9bd092 Author: Denis V. Lunev Date: Wed Mar 13 00:24:15 2013 +0000 ipv4: fix definition of FIB_TABLE_HASHSZ [ Upstream commit 5b9e12dbf92b441b37136ea71dac59f05f2673a9 ] a long time ago by the commit commit 93456b6d7753def8760b423ac6b986eb9d5a4a95 Author: Denis V. Lunev Date: Thu Jan 10 03:23:38 2008 -0800 [IPV4]: Unify access to the routing tables. the defenition of FIB_HASH_TABLE size has obtained wrong dependency: it should depend upon CONFIG_IP_MULTIPLE_TABLES (as was in the original code) but it was depended from CONFIG_IP_ROUTE_MULTIPATH This patch returns the situation to the original state. The problem was spotted by Tingwei Liu. Signed-off-by: Denis V. Lunev CC: Tingwei Liu CC: Alexey Kuznetsov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3aa308171cf985939fb03b0416962c5d470cd911 Author: Xufeng Zhang Date: Thu Mar 7 21:39:37 2013 +0000 sctp: don't break the loop while meeting the active_path so as to find the matched transport [ Upstream commit 2317f449af30073cfa6ec8352e4a65a89e357bdd ] sctp_assoc_lookup_tsn() function searchs which transport a certain TSN was sent on, if not found in the active_path transport, then go search all the other transports in the peer's transport_addr_list, however, we should continue to the next entry rather than break the loop when meet the active_path transport. Signed-off-by: Xufeng Zhang Acked-by: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0f4bab2da773a765a4025189bb6fb2ffacccf91a Author: Veaceslav Falico Date: Mon Mar 11 00:21:48 2013 +0000 netconsole: don't call __netpoll_cleanup() while atomic [ Upstream commit 3f315bef23075ea8a98a6fe4221a83b83456d970 ] __netpoll_cleanup() is called in netconsole_netdev_event() while holding a spinlock. Release/acquire the spinlock before/after it and restart the loop. Also, disable the netconsole completely, because we won't have chance after the restart of the loop, and might end up in a situation where nt->enabled == 1 and nt->np.dev == NULL. Signed-off-by: Veaceslav Falico Acked-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c8b46f44552cbf67460fba1c13edcba3339b1c76 Author: David Ward Date: Mon Mar 11 10:43:39 2013 +0000 net/ipv4: Ensure that location of timestamp option is stored [ Upstream commit 4660c7f498c07c43173142ea95145e9dac5a6d14 ] This is needed in order to detect if the timestamp option appears more than once in a packet, to remove the option if the packet is fragmented, etc. My previous change neglected to store the option location when the router addresses were prespecified and Pointer > Length. But now the option location is also stored when Flag is an unrecognized value, to ensure these option handling behaviors are still performed. Signed-off-by: David Ward Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit bf40057118cc5392a0fe4bd77b1f65dd49bcc8d2 Author: Tkhai Kirill Date: Sat Feb 23 23:01:15 2013 +0000 sunsu: Fix panic in case of nonexistent port at "console=ttySY" cmdline option [ Upstream commit cb29529ea0030e60ef1bbbf8399a43d397a51526 ] If a machine has X (X < 4) sunsu ports and cmdline option "console=ttySY" is passed, where X < Y <= 4, than the following panic happens: Unable to handle kernel NULL pointer dereference TPC: RPC: I7: Call Trace: [0000000000453a38] register_console+0x378/0x3e0 [0000000000576fa0] uart_add_one_port+0x2e0/0x340 [000000000057af40] su_probe+0x160/0x2e0 [00000000005b8a4c] platform_drv_probe+0xc/0x20 [00000000005b6c2c] driver_probe_device+0x12c/0x220 [00000000005b6da8] __driver_attach+0x88/0xa0 [00000000005b4df4] bus_for_each_dev+0x54/0xa0 [00000000005b5a54] bus_add_driver+0x154/0x260 [00000000005b7190] driver_register+0x50/0x180 [00000000006d250c] sunsu_init+0x18c/0x1e0 [00000000006c2668] do_one_initcall+0xe8/0x160 [00000000006c282c] kernel_init_freeable+0x12c/0x1e0 [0000000000603764] kernel_init+0x4/0x100 [0000000000405f64] ret_from_syscall+0x1c/0x2c [0000000000000000] (null) 1)Fix the panic; 2)Increment registered port number every successful probe. Signed-off-by: Kirill Tkhai CC: David Miller Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 28de3b32ee0a6785e17dd8db5e37c5ccc19a3b79 Author: Greg Kroah-Hartman Date: Wed Mar 20 14:16:12 2013 -0700 Revert "USB: EHCI: don't check DMA values in QH overlays" This reverts commit 0319f9909ce68a7516dfc8d53400e07168d281a8, which is commit feca7746d5d9e84b105a613b7f3b6ad00d327372 upstream. It shouldn't have gone into this stable release. Cc: Alan Stern Cc: Joseph Salisbury Cc: Stephen Thirlwall Signed-off-by: Greg Kroah-Hartman