1. 21 Jan, 2015 23 commits
  2. 20 Jan, 2015 6 commits
    • Linus Torvalds's avatar
      Merge branch 'for-3.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · b97f880c
      Linus Torvalds authored
      Pull libata fixes from Tejun Heo:
      
       - Bartlomiej will be co-maintaining PATA portion of libata.  git
         workflow will stay the same.
      
       - sata_sil24 wasn't happy with tag ordered submission.  An option to
         restore the old tag allocation behavior is implemented for sil24.
      
       - a very old race condition in PIO host state machine which can trigger
         BUG fixed.
      
       - other driver-specific changes
      
      * 'for-3.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
        libata: prevent HSM state change race between ISR and PIO
        libata: allow sata_sil24 to opt-out of tag ordered submission
        ata: pata_at91: depend on !ARCH_MULTIPLATFORM
        ahci: Remove Device ID for Intel Sunrise Point PCH
        ahci: Use dev_info() to inform about the lack of Device Sleep support
        libata: Whitelist SSDs that are known to properly return zeroes after TRIM
        sata_dwc_460ex: fix resource leak on error path
        ata: add MAINTAINERS entry for libata PATA drivers
        libata: clean up MAINTAINERS entries
        libata: export ata_get_cmd_descript()
        ahci_xgene: Fix the DMA state machine lockup for the ATA_CMD_PACKET PIO mode command.
        ahci_xgene: Fix the endianess issue in APM X-Gene SoC AHCI SATA controller driver.
      b97f880c
    • Linus Torvalds's avatar
      Merge branch 'for-3.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq · d4b2d006
      Linus Torvalds authored
      Pull workqueue fix from Tejun Heo:
       "The xfs folks have been running into weird and very rare lockups for
        some time now.  I didn't think this could have been from workqueue
        side because no one else was reporting it.  This time, Eric had a
        kdump which we looked into and it turned out this actually was a
        workqueue bug and the bug has been there since the beginning of
        concurrency managed workqueue.
      
        A worker pool ensures forward progress of the workqueues associated
        with it by always having at least one worker reserved from executing
        work items.  When the pool is under contention, the idle one tries to
        create more workers for the pool and if that doesn't succeed quickly
        enough, it calls the rescuers to the pool.
      
        This logic had a subtle race condition in an early exit path.  When a
        worker invokes this manager function, the function may return %false
        indicating that the caller may proceed to executing work items either
        because another worker is already performing the role or conditions
        have changed and the pool is no longer under contention.
      
        The latter part depended on the assumption that whether more workers
        are necessary or not remains stable while the pool is locked; however,
        pool->nr_running (concurrency count) may change asynchronously and it
        getting bumped from zero asynchronously could send off the last idle
        worker to execute work items.
      
        The race window is fairly narrow, and, even when it gets triggered,
        the pool deadlocks iff if all work items get blocked on pending work
        items of the pool, which is highly unlikely but can be triggered by
        xfs.
      
        The patch removes the race window by removing the early exit path,
        which doesn't server any purpose anymore anyway"
      
      * 'for-3.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
        workqueue: fix subtle pool management issue which can stall whole worker_pool
      d4b2d006
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v3.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 06efe0e5
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "Here is a (hopefully final) slew of pin control fixes for the v3.19
        series.  The deadlock fix is kind of serious and tagged for stable,
        the rest is business as usual.
      
         - Fix two deadlocks around the pin control mutexes, a long-standing
           issue that manifest itself in plug/unplug of pin controllers.
           (Tagged for stable.)
      
         - Handle an error path with zero functions in the Qualcomm pin
           controller.
      
         - Drop a bogus second GPIO chip added in the Lantiq driver.
      
         - Fix sudden IRQ loss on Rockchip pin controllers.
      
         - Register the GIT tree in MAINTAINERS"
      
      * tag 'pinctrl-v3.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: MAINTAINERS: add git tree reference
        pinctrl: qcom: Don't iterate past end of function array
        pinctrl: lantiq: remove bogus of_gpio_chip_add
        pinctrl: Fix two deadlocks
        pinctrl: rockchip: Avoid losing interrupts when supporting both edges
      06efe0e5
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · eef8f4c2
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Socket addresses returned in the error queue need to be fully
          initialized before being passed on to userspace, fix from Willem de
          Bruijn.
      
       2) Interrupt handling fixes to davinci_emac driver from Tony Lindgren.
      
       3) Fix races between receive packet steering and cpu hotplug, from Eric
          Dumazet.
      
       4) Allowing netlink sockets to subscribe to unknown multicast groups
          leads to crashes, don't allow it.  From Johannes Berg.
      
       5) One to many socket races in SCTP fixed by Daniel Borkmann.
      
       6) Put in a guard against the mis-use of ipv6 atomic fragments, from
          Hagen Paul Pfeifer.
      
       7) Fix promisc mode and ethtool crashes in sh_eth driver, from Ben
          Hutchings.
      
       8) NULL deref and double kfree fix in sxgbe driver from Girish K.S and
          Byungho An.
      
       9) cfg80211 deadlock fix from Arik Nemtsov.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (36 commits)
        s2io: use snprintf() as a safety feature
        r8152: remove sram_read
        r8152: remove generic_ocp_read before writing
        bgmac: activate irqs only if there is nothing to poll
        bgmac: register napi before the device
        sh_eth: Fix ethtool operation crash when net device is down
        sh_eth: Fix promiscuous mode on chips without TSU
        ipv6: stop sending PTB packets for MTU < 1280
        net: sctp: fix race for one-to-many sockets in sendmsg's auto associate
        genetlink: synchronize socket closing and family removal
        genetlink: disallow subscribing to unknown mcast groups
        genetlink: document parallel_ops
        net: rps: fix cpu unplug
        net: davinci_emac: Add support for emac on dm816x
        net: davinci_emac: Fix ioremap for devices with MDIO within the EMAC address space
        net: davinci_emac: Fix incomplete code for getting the phy from device tree
        net: davinci_emac: Free clock after checking the frequency
        net: davinci_emac: Fix runtime pm calls for davinci_emac
        net: davinci_emac: Fix hangs with interrupts
        ip: zero sockaddr returned on error queue
        ...
      eef8f4c2
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 22628890
      Linus Torvalds authored
      Pull crypto fix from Herbert Xu:
       "This fixes a regression that arose from the change to add a crypto
        prefix to module names which was done to prevent the loading of
        arbitrary modules through the Crypto API.
      
        In particular, a number of modules were missing the crypto prefix
        which meant that they could no longer be autoloaded"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: add missing crypto module aliases
      22628890
    • Dan Carpenter's avatar
      s2io: use snprintf() as a safety feature · a8c1d28a
      Dan Carpenter authored
      "sp->desc[i]" has 25 characters.  "dev->name" has 15 characters.  If we
      used all 15 characters then the sprintf() would overflow.
      
      I changed the "sprintf(sp->name, "%s Neterion %s"" to snprintf(), as
      well, even though it can't overflow just to be consistent.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a8c1d28a
  3. 19 Jan, 2015 11 commits
    • David S. Miller's avatar
      Merge branch 'r8152' · ef5a1ba1
      David S. Miller authored
      Hayes Wang says:
      
      ====================
      r8152: couldn't read OCP_SRAM_DATA
      
      Read OCP_SRAM_DATA would read additional bytes and may let
      the hw abnormal.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ef5a1ba1
    • hayeswang's avatar
      r8152: remove sram_read · b4d99def
      hayeswang authored
      Read OCP register 0xa43a~0xa43b would clear some flags which the hw
      would use, and it may let the device lost. However, the unit of
      reading is 4 bytes. That is, it would read 0xa438~0xa43b when calling
      sram_read() to read OCP_SRAM_DATA.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b4d99def
    • hayeswang's avatar
      r8152: remove generic_ocp_read before writing · 8cb3db24
      hayeswang authored
      For ocp_write_word() and ocp_write_byte(), there is a generic_ocp_read()
      which is used to read the whole 4 byte data, keep the unchanged bytes,
      and modify the expected bytes. However, the "byen" could be used to
      determine which bytes of the 4 bytes to write, so the action could be
      removed.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8cb3db24
    • David S. Miller's avatar
      Merge branch 'bgmac' · e60bf806
      David S. Miller authored
      Hauke Mehrtens says:
      
      ====================
      bgmac: some fixes to napi usage
      
      I compared the napi documentation with the bgmac driver and found some
      problems in that driver. These two patches should fix the problems.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e60bf806
    • Hauke Mehrtens's avatar
      bgmac: activate irqs only if there is nothing to poll · 43f159c6
      Hauke Mehrtens authored
      IRQs should only get activated when there is nothing to poll in the
      queue any more and to after every poll.
      Signed-off-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      43f159c6
    • Hauke Mehrtens's avatar
      bgmac: register napi before the device · 6216642f
      Hauke Mehrtens authored
      napi should get registered before the netdev and not after.
      Signed-off-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6216642f
    • David S. Miller's avatar
      Merge branch 'sh_eth' · 852c5d9c
      David S. Miller authored
      Ben Hutchings says:
      
      ====================
      sh_eth fixes
      
      I'm currently looking at Ethernet support on the R-Car H2 chip,
      reviewing and testing the sh_eth driver.  Here are fixes for two fairly
      obvious bugs in the driver; I will probably have some more later.
      
      These are not tested on any of the other supported chips.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      852c5d9c
    • Ben Hutchings's avatar
      sh_eth: Fix ethtool operation crash when net device is down · 4f9dce23
      Ben Hutchings authored
      The driver connects and disconnects the PHY device whenever the
      net device is brought up and down.  The ethtool get_settings,
      set_settings and nway_reset operations will dereference a null
      or dangling pointer if called while it is down.
      
      I think it would be preferable to keep the PHY connected, but there
      may be good reasons not to.
      
      As an immediate fix for this bug:
      - Set the phydev pointer to NULL after disconnecting the PHY
      - Change those three operations to return -ENODEV while the PHY is
        not connected
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4f9dce23
    • Ben Hutchings's avatar
      sh_eth: Fix promiscuous mode on chips without TSU · b37feed7
      Ben Hutchings authored
      Currently net_device_ops::set_rx_mode is only implemented for
      chips with a TSU (multiple address table).  However we do need
      to turn the PRM (promiscuous) flag on and off for other chips.
      
      - Remove the unlikely() from the TSU functions that we may safely
        call for chips without a TSU
      - Make setting of the MCT flag conditional on the tsu capability flag
      - Rename sh_eth_set_multicast_list() to sh_eth_set_rx_mode() and plumb
        it into both net_device_ops structures
      - Remove the previously-unreachable branch in sh_eth_rx_mode() that
        would otherwise reset the flags to defaults for non-TSU chips
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b37feed7
    • Hagen Paul Pfeifer's avatar
      ipv6: stop sending PTB packets for MTU < 1280 · 9d289715
      Hagen Paul Pfeifer authored
      Reduce the attack vector and stop generating IPv6 Fragment Header for
      paths with an MTU smaller than the minimum required IPv6 MTU
      size (1280 byte) - called atomic fragments.
      
      See IETF I-D "Deprecating the Generation of IPv6 Atomic Fragments" [1]
      for more information and how this "feature" can be misused.
      
      [1] https://tools.ietf.org/html/draft-ietf-6man-deprecate-atomfrag-generation-00Signed-off-by: default avatarFernando Gont <fgont@si6networks.com>
      Signed-off-by: default avatarHagen Paul Pfeifer <hagen@jauu.net>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9d289715
    • David Jeffery's avatar
      libata: prevent HSM state change race between ISR and PIO · ce751452
      David Jeffery authored
      It is possible for ata_sff_flush_pio_task() to set ap->hsm_task_state to
      HSM_ST_IDLE in between the time __ata_sff_port_intr() checks for HSM_ST_IDLE
      and before it calls ata_sff_hsm_move() causing ata_sff_hsm_move() to BUG().
      
      This problem is hard to reproduce making this patch hard to verify, but this
      fix will prevent the race.
      
      I have not been able to reproduce the problem, but here is a crash dump from
      a 2.6.32 kernel.
      
      On examining the ata port's state, its hsm_task_state field has a value of HSM_ST_IDLE:
      
      crash> struct ata_port.hsm_task_state ffff881c1121c000
        hsm_task_state = 0
      
      Normally, this should not be possible as ata_sff_hsm_move() was called from ata_sff_host_intr(),
      which checks hsm_task_state and won't call ata_sff_hsm_move() if it has a HSM_ST_IDLE value.
      
      PID: 11053  TASK: ffff8816e846cae0  CPU: 0   COMMAND: "sshd"
       #0 [ffff88008ba03960] machine_kexec at ffffffff81038f3b
       #1 [ffff88008ba039c0] crash_kexec at ffffffff810c5d92
       #2 [ffff88008ba03a90] oops_end at ffffffff8152b510
       #3 [ffff88008ba03ac0] die at ffffffff81010e0b
       #4 [ffff88008ba03af0] do_trap at ffffffff8152ad74
       #5 [ffff88008ba03b50] do_invalid_op at ffffffff8100cf95
       #6 [ffff88008ba03bf0] invalid_op at ffffffff8100bf9b
          [exception RIP: ata_sff_hsm_move+317]
          RIP: ffffffff813a77ad  RSP: ffff88008ba03ca0  RFLAGS: 00010097
          RAX: 0000000000000000  RBX: ffff881c1121dc60  RCX: 0000000000000000
          RDX: ffff881c1121dd10  RSI: ffff881c1121dc60  RDI: ffff881c1121c000
          RBP: ffff88008ba03d00   R8: 0000000000000000   R9: 000000000000002e
          R10: 000000000001003f  R11: 000000000000009b  R12: ffff881c1121c000
          R13: 0000000000000000  R14: 0000000000000050  R15: ffff881c1121dd78
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
       #7 [ffff88008ba03d08] ata_sff_host_intr at ffffffff813a7fbd
       #8 [ffff88008ba03d38] ata_sff_interrupt at ffffffff813a821e
       #9 [ffff88008ba03d78] handle_IRQ_event at ffffffff810e6ec0
      --- <IRQ stack> ---
          [exception RIP: pipe_poll+48]
          RIP: ffffffff81192780  RSP: ffff880f26d459b8  RFLAGS: 00000246
          RAX: 0000000000000000  RBX: ffff880f26d459c8  RCX: 0000000000000000
          RDX: 0000000000000001  RSI: 0000000000000000  RDI: ffff881a0539fa80
          RBP: ffffffff8100bb8e   R8: ffff8803b23324a0   R9: 0000000000000000
          R10: ffff880f26d45dd0  R11: 0000000000000008  R12: ffffffff8109b646
          R13: ffff880f26d45948  R14: 0000000000000246  R15: 0000000000000246
          ORIG_RAX: ffffffffffffff10  CS: 0010  SS: 0018
          RIP: 00007f26017435c3  RSP: 00007fffe020c420  RFLAGS: 00000206
          RAX: 0000000000000017  RBX: ffffffff8100b072  RCX: 00007fffe020c45c
          RDX: 00007f2604a3f120  RSI: 00007f2604a3f140  RDI: 000000000000000d
          RBP: 0000000000000000   R8: 00007fffe020e570   R9: 0101010101010101
          R10: 0000000000000000  R11: 0000000000000246  R12: 00007fffe020e5f0
          R13: 00007fffe020e5f4  R14: 00007f26045f373c  R15: 00007fffe020e5e0
          ORIG_RAX: 0000000000000017  CS: 0033  SS: 002b
      
      Somewhere between the ata_sff_hsm_move() check and the ata_sff_host_intr() check, the value changed.
      On examining the other cpus to see what else was running, another cpu was running the error handler
      routines:
      
      PID: 326    TASK: ffff881c11014aa0  CPU: 1   COMMAND: "scsi_eh_1"
       #0 [ffff88008ba27e90] crash_nmi_callback at ffffffff8102fee6
       #1 [ffff88008ba27ea0] notifier_call_chain at ffffffff8152d515
       #2 [ffff88008ba27ee0] atomic_notifier_call_chain at ffffffff8152d57a
       #3 [ffff88008ba27ef0] notify_die at ffffffff810a154e
       #4 [ffff88008ba27f20] do_nmi at ffffffff8152b1db
       #5 [ffff88008ba27f50] nmi at ffffffff8152aaa0
          [exception RIP: _spin_lock_irqsave+47]
          RIP: ffffffff8152a1ff  RSP: ffff881c11a73aa0  RFLAGS: 00000006
          RAX: 0000000000000001  RBX: ffff881c1121deb8  RCX: 0000000000000000
          RDX: 0000000000000246  RSI: 0000000000000020  RDI: ffff881c122612d8
          RBP: ffff881c11a73aa0   R8: ffff881c17083800   R9: 0000000000000000
          R10: 0000000000000000  R11: 0000000000000000  R12: ffff881c1121c000
          R13: 000000000000001f  R14: ffff881c1121dd50  R15: ffff881c1121dc60
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0000
      --- <NMI exception stack> ---
       #6 [ffff881c11a73aa0] _spin_lock_irqsave at ffffffff8152a1ff
       #7 [ffff881c11a73aa8] ata_exec_internal_sg at ffffffff81396fb5
       #8 [ffff881c11a73b58] ata_exec_internal at ffffffff81397109
       #9 [ffff881c11a73bd8] atapi_eh_request_sense at ffffffff813a34eb
      
      Before it tried to acquire a spinlock, ata_exec_internal_sg() called ata_sff_flush_pio_task().
      This function will set ap->hsm_task_state to HSM_ST_IDLE, and has no locking around setting this
      value. ata_sff_flush_pio_task() can then race with the interrupt handler and potentially set
      HSM_ST_IDLE at a fatal moment, which will trigger a kernel BUG.
      
      v2: Fixup comment in ata_sff_flush_pio_task()
      
      tj: Further updated comment.  Use ap->lock instead of shost lock and
          use the [un]lock_irq variant instead of the irqsave/restore one.
      Signed-off-by: default avatarDavid Milburn <dmilburn@redhat.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Cc: stable@vger.kernel.org
      ce751452