1. 03 Jan, 2014 3 commits
    • Daniel Borkmann's avatar
      net: llc: fix use after free in llc_ui_recvmsg · 4d231b76
      Daniel Borkmann authored
      While commit 30a584d9 fixes datagram interface in LLC, a use
      after free bug has been introduced for SOCK_STREAM sockets that do
      not make use of MSG_PEEK.
      
      The flow is as follow ...
      
        if (!(flags & MSG_PEEK)) {
          ...
          sk_eat_skb(sk, skb, false);
          ...
        }
        ...
        if (used + offset < skb->len)
          continue;
      
      ... where sk_eat_skb() calls __kfree_skb(). Therefore, cache
      original length and work on skb_len to check partial reads.
      
      Fixes: 30a584d9 ("[LLX]: SOCK_DGRAM interface fixes")
      Signed-off-by: default avatarDaniel Borkmann <dborkman@redhat.com>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4d231b76
    • Jason Wang's avatar
      virtio-net: fix refill races during restore · 6cd4ce00
      Jason Wang authored
      During restoring, try_fill_recv() was called with neither napi lock nor napi
      disabled. This can lead two try_fill_recv() was called in the same time. Fix
      this by refilling before trying to enable napi.
      
      Fixes 0741bcb5
      (virtio: net: Add freeze, restore handlers to support S4).
      
      Cc: Amit Shah <amit.shah@redhat.com>
      Cc: Rusty Russell <rusty@rustcorp.com.au>
      Cc: Michael S. Tsirkin <mst@redhat.com>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6cd4ce00
    • Wei-Chun Chao's avatar
      ipv4: fix tunneled VM traffic over hw VXLAN/GRE GSO NIC · 7a7ffbab
      Wei-Chun Chao authored
      VM to VM GSO traffic is broken if it goes through VXLAN or GRE
      tunnel and the physical NIC on the host supports hardware VXLAN/GRE
      GSO offload (e.g. bnx2x and next-gen mlx4).
      
      Two issues -
      (VXLAN) VM traffic has SKB_GSO_DODGY and SKB_GSO_UDP_TUNNEL with
      SKB_GSO_TCP/UDP set depending on the inner protocol. GSO header
      integrity check fails in udp4_ufo_fragment if inner protocol is
      TCP. Also gso_segs is calculated incorrectly using skb->len that
      includes tunnel header. Fix: robust check should only be applied
      to the inner packet.
      
      (VXLAN & GRE) Once GSO header integrity check passes, NULL segs
      is returned and the original skb is sent to hardware. However the
      tunnel header is already pulled. Fix: tunnel header needs to be
      restored so that hardware can perform GSO properly on the original
      packet.
      Signed-off-by: default avatarWei-Chun Chao <weichunc@plumgrid.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7a7ffbab
  2. 02 Jan, 2014 10 commits
  3. 31 Dec, 2013 2 commits
    • Octavian Purdila's avatar
      usbnet: mcs7830: rework link state detection · 8d88bbff
      Octavian Purdila authored
      Even with the quirks in commit dabdaf0c (mcs7830: Fix link state
      detection) there are still spurious link-down events for some chips
      where the false link-down events count go over a few hundreds.
      
      This patch takes a more conservative approach and only looks at
      link-down events where the link-down state is not combined with other
      states (e.g. half/full speed, pending frames in SRAM or TX status
      information valid). In all other cases we assume the link is up.
      
      Tested on MCS7830CV-DA (USB ID 9710:7830).
      
      Cc: Ondrej Zary <linux@rainbow-software.org>
      Cc: Michael Leun <lkml20120218@newton.leun.net>
      Cc: Ming Lei <ming.lei@canonical.com>
      Signed-off-by: default avatarOctavian Purdila <octavian.purdila@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8d88bbff
    • David S. Miller's avatar
      vlan: Fix header ops passthru when doing TX VLAN offload. · 2205369a
      David S. Miller authored
      When the vlan code detects that the real device can do TX VLAN offloads
      in hardware, it tries to arrange for the real device's header_ops to
      be invoked directly.
      
      But it does so illegally, by simply hooking the real device's
      header_ops up to the VLAN device.
      
      This doesn't work because we will end up invoking a set of header_ops
      routines which expect a device type which matches the real device, but
      will see a VLAN device instead.
      
      Fix this by providing a pass-thru set of header_ops which will arrange
      to pass the proper real device instead.
      
      To facilitate this add a dev_rebuild_header().  There are
      implementations which provide a ->cache and ->create but not a
      ->rebuild (f.e. PLIP).  So we need a helper function just like
      dev_hard_header() to avoid crashes.
      
      Use this helper in the one existing place where the
      header_ops->rebuild was being invoked, the neighbour code.
      
      With lots of help from Florian Westphal.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2205369a
  4. 30 Dec, 2013 23 commits
    • Linus Torvalds's avatar
      Merge tag 'dt-fixes-for-3.13' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · 71ce176e
      Linus Torvalds authored
      Pull devicetree fixes from Rob Herring:
       - Fix 2 regressions found on PPC
       - Allow NULL ptr in unflatten_and_copy_device_tree
       - Update my email address
      
      * tag 'dt-fixes-for-3.13' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        MAINTAINERS: Update Rob Herring's email address
        of/irq: Fix device_node refcount in of_irq_parse_raw()
        of/Kconfig: Spelling s/one/once/
        Revert "of/address: Handle #address-cells > 2 specially"
        of: Fix NULL dereference in unflatten_and_copy()
      71ce176e
    • Linus Torvalds's avatar
      Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc · 6e4c6196
      Linus Torvalds authored
      Pull powerpc fixes from Ben Herrenschmidt:
       "A bit more endian problems found during testing of 3.13 and a few
        other simple fixes and regressions fixes"
      
      * 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc:
        powerpc: Fix alignment of secondary cpu spin vars
        powerpc: Align p_end
        powernv/eeh: Add buffer for P7IOC hub error data
        powernv/eeh: Fix possible buffer overrun in ioda_eeh_phb_diag()
        powerpc: Make 64-bit non-VMX __copy_tofrom_user bi-endian
        powerpc: Make unaligned accesses endian-safe for powerpc
        powerpc: Fix bad stack check in exception entry
        powerpc/512x: dts: disable MPC5125 usb module
        powerpc/512x: dts: remove misplaced IRQ spec from 'soc' node (5125)
      6e4c6196
    • Rob Herring's avatar
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 67e0c1b0
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "Some holiday bug fixes for 3.13...  There is still one bug I'd like to
        get fixed before 3.13-final.
      
        The vlan code erroneously assignes the header ops of the underlying
        real device to the VLAN device above it when the real device can
        hardware offload VLAN handling.  That's completely bogus because
        header ops are tied to the device type, so they only expect to see a
        'dev' argument compatible with their ops.
      
        The fix is the have the VLAN code use a special set of header ops that
        does the pass-thru correctly, by calling the underlying real device's
        header ops but _also_ passing in the real device instead of the VLAN
        device.
      
        That fix is currently waiting some testing.
      
        Anyways, of note here:
      
         1) Fix bitmap edge case in radiotap, from Johannes Berg.
      
         2) Fix oops on driver unload in rtlwifi, from Larry Finger.
      
         3) Bonding doesn't do locking correctly during speed/duplex/link
            changes, from Ding Tianhong.
      
         4) Fix header parsing in GRE code, this bug has been around for a few
            releases.  From Timo Teräs.
      
         5) SIT tunnel driver MTU check needs to take GSO into account, from
            Eric Dumazet.
      
         6) Minor info leak in inet_diag, from Daniel Borkmann.
      
         7) Info leak in YAM hamradio driver, from Salva Peiró.
      
         8) Fix route expiration state handling in ipv6 routing code, from Li
            RongQing.
      
         9) DCCP probe module does not check request_module()'s return value,
            from Wang Weidong.
      
        10) cpsw driver passes NULL device names to request_irq(), from
            Mugunthan V N.
      
        11) Prevent a NULL splat in RDS binding code, from Sasha Levin.
      
        12) Fix 4G overflow test in tg3 driver, from Nithin Sujir.
      
        13) Cure use after free in arc_emac and fec driver's software
            timestamp handling, from Eric Dumazet.
      
        14) SIT driver can fail to release the route when
            iptunnel_handle_offloads() throws an error.  From Li RongQing.
      
        15) Several batman-adv fixes from Simon Wunderlich and Antonio
            Quartulli.
      
        16) Fix deadlock during TIPC socket release, from Ying Xue.
      
        17) Fix regression in ROSE protocol recvmsg() msg_name handling, from
            Florian Westphal.
      
        18) stmmac PTP support releases wrong spinlock, from Vince Bridgers"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (73 commits)
        stmmac: Fix incorrect spinlock release and PTP cap detection.
        phy: IRQ cannot be shared
        net: rose: restore old recvmsg behavior
        xen-netback: fix guest-receive-side array sizes
        fec: Do not assume that PHY reset is active low
        tipc: fix deadlock during socket release
        netfilter: nf_tables: fix wrong datatype in nft_validate_data_load()
        batman-adv: fix vlan header access
        batman-adv: clean nf state when removing protocol header
        batman-adv: fix alignment for batadv_tvlv_tt_change
        batman-adv: fix size of batadv_bla_claim_dst
        batman-adv: fix size of batadv_icmp_header
        batman-adv: fix header alignment by unrolling batadv_header
        batman-adv: fix alignment for batadv_coded_packet
        netfilter: nf_tables: fix oops when updating table with user chains
        netfilter: nf_tables: fix dumping with large number of sets
        ipv6: release dst properly in ipip6_tunnel_xmit
        netxen: Correct off-by-one errors in bounds checks
        net: Add some clarification to skb_tx_timestamp() comment.
        arc_emac: fix potential use after free
        ...
      67e0c1b0
    • Rob Herring's avatar
      MAINTAINERS: Update Rob Herring's email address · 5d3ad8a6
      Rob Herring authored
      My Calxeda email address is going away.
      Signed-off-by: default avatarRob Herring <rob.herring@calxeda.com>
      Signed-off-by: default avatarRob Herring <robh@kernel.org>
      5d3ad8a6
    • Cédric Le Goater's avatar
      of/irq: Fix device_node refcount in of_irq_parse_raw() · 2f53a713
      Cédric Le Goater authored
      Commit 23616132, "of/irq: Refactor interrupt-map parsing" changed
      the refcount on the device_node causing an error in of_node_put():
      
      ERROR: Bad of_node_put() on /pci@800000020000000
      CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.13.0-rc3-dirty #2
      Call Trace:
      [c00000003e403500] [c0000000000144fc] .show_stack+0x7c/0x1f0 (unreliable)
      [c00000003e4035d0] [c00000000070f250] .dump_stack+0x88/0xb4
      [c00000003e403650] [c0000000005e8768] .of_node_release+0xd8/0xf0
      [c00000003e4036e0] [c0000000005eeafc] .of_irq_parse_one+0x10c/0x280
      [c00000003e4037a0] [c0000000005efd4c] .of_irq_parse_pci+0x3c/0x1d0
      [c00000003e403840] [c000000000038240] .pcibios_setup_device+0xa0/0x2e0
      [c00000003e403910] [c0000000000398f0] .pcibios_setup_bus_devices+0x60/0xd0
      [c00000003e403990] [c00000000003b3a4] .__of_scan_bus+0x1a4/0x2b0
      [c00000003e403a80] [c00000000003a62c] .pcibios_scan_phb+0x30c/0x410
      [c00000003e403b60] [c0000000009fe430] .pcibios_init+0x7c/0xd4
      
      This patch adjusts the refcount in the walk of the interrupt tree.
      When a match is found, there is no need to increase the refcount
      on 'out_irq->np' as 'newpar' is already holding a ref. The refcount
      balance between 'ipar' and 'newpar' is maintained in the skiplevel:
      goto label.
      
      This patch also removes the usage of the device_node variable 'old'
      which seems useless after the latest changes.
      Signed-off-by: default avatarCédric Le Goater <clg@fr.ibm.com>
      Signed-off-by: default avatarRob Herring <robh@kernel.org>
      2f53a713
    • Geert Uytterhoeven's avatar
      5d927086
    • Rob Herring's avatar
      Revert "of/address: Handle #address-cells > 2 specially" · 13fcca8f
      Rob Herring authored
      This reverts commit e38c0a1f.
      
      Nikita Yushchenko reports:
      While trying to make freescale p2020ds and  mpc8572ds boards working
      with mainline kernel, I faced that commit e38c0a1f (Handle
      
      Both these boards have uli1575 chip.
      Corresponding part in device tree is something like
      
                      uli1575@0 {
                              reg = <0x0 0x0 0x0 0x0 0x0>;
                              #size-cells = <2>;
                              #address-cells = <3>;
                              ranges = <0x2000000 0x0 0x80000000
                                        0x2000000 0x0 0x80000000
                                        0x0 0x20000000
      
                                        0x1000000 0x0 0x0
                                        0x1000000 0x0 0x0
                                        0x0 0x10000>;
                              isa@1e {
      ...
      
      I.e. it has #address-cells = <3>
      
      With commit e38c0a1f reverted, devices under uli1575 are registered
      correctly, e.g. for rtc
      
      OF: ** translation for device /pcie@ffe09000/pcie@0/uli1575@0/isa@1e/rtc@70 **
      OF: bus is isa (na=2, ns=1) on /pcie@ffe09000/pcie@0/uli1575@0/isa@1e
      OF: translating address: 00000001 00000070
      OF: parent bus is default (na=3, ns=2) on /pcie@ffe09000/pcie@0/uli1575@0
      OF: walking ranges...
      OF: ISA map, cp=0, s=1000, da=70
      OF: parent translation for: 01000000 00000000 00000000
      OF: with offset: 70
      OF: one level translation: 00000000 00000000 00000070
      OF: parent bus is pci (na=3, ns=2) on /pcie@ffe09000/pcie@0
      OF: walking ranges...
      OF: default map, cp=a0000000, s=20000000, da=70
      OF: default map, cp=0, s=10000, da=70
      OF: parent translation for: 01000000 00000000 00000000
      OF: with offset: 70
      OF: one level translation: 01000000 00000000 00000070
      OF: parent bus is pci (na=3, ns=2) on /pcie@ffe09000
      OF: walking ranges...
      OF: PCI map, cp=0, s=10000, da=70
      OF: parent translation for: 01000000 00000000 00000000
      OF: with offset: 70
      OF: one level translation: 01000000 00000000 00000070
      OF: parent bus is default (na=2, ns=2) on /
      OF: walking ranges...
      OF: PCI map, cp=0, s=10000, da=70
      OF: parent translation for: 00000000 ffc10000
      OF: with offset: 70
      OF: one level translation: 00000000 ffc10070
      OF: reached root node
      
      With commit e38c0a1f in place, address translation fails:
      
      OF: ** translation for device /pcie@ffe09000/pcie@0/uli1575@0/isa@1e/rtc@70 **
      OF: bus is isa (na=2, ns=1) on /pcie@ffe09000/pcie@0/uli1575@0/isa@1e
      OF: translating address: 00000001 00000070
      OF: parent bus is default (na=3, ns=2) on /pcie@ffe09000/pcie@0/uli1575@0
      OF: walking ranges...
      OF: ISA map, cp=0, s=1000, da=70
      OF: parent translation for: 01000000 00000000 00000000
      OF: with offset: 70
      OF: one level translation: 00000000 00000000 00000070
      OF: parent bus is pci (na=3, ns=2) on /pcie@ffe09000/pcie@0
      OF: walking ranges...
      OF: default map, cp=a0000000, s=20000000, da=70
      OF: default map, cp=0, s=10000, da=70
      OF: not found !
      
      Thierry Reding confirmed this commit was not needed after all:
      "We ended up merging a different address representation for Tegra PCIe
      and I've confirmed that reverting this commit doesn't cause any obvious
      regressions. I think all other drivers in drivers/pci/host ended up
      copying what we did on Tegra, so I wouldn't expect any other breakage
      either."
      
      There doesn't appear to be a simple way to support both behaviours, so
      reverting this as nothing should be depending on the new behaviour.
      
      Cc: stable@vger.kernel.org # v3.7+
      Signed-off-by: default avatarRob Herring <robh@kernel.org>
      13fcca8f
    • Benjamin Herrenschmidt's avatar
      Merge remote-tracking branch 'agust/merge' into merge · f991db1c
      Benjamin Herrenschmidt authored
      Anatolij writes:
      
      Please pull two DTS fixes for MPC5125 tower board. Without
      them the v3.13-rcX kernels do not boot.
      f991db1c
    • Vince Bridgers's avatar
      stmmac: Fix incorrect spinlock release and PTP cap detection. · 7cd01399
      Vince Bridgers authored
      This patch corrects a problem in stmmac_ptp.c, functions
      stmmac_adjust_time and stmmac_adjust_freq where the incorrect spinlocks
      were released. This patch also addresses a problem in stmmac_main,
      function stmmac_init_ptp where the capability detection for
      advanced timestamping was masked by message masking.
      
      This patch was touch tested using linuxptp, and runs without the previously
      observed instabilities. More extensive testing is ongoing.
      
      Vince
      Signed-off-by: default avatarVince Bridgers <vbridgers2013@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7cd01399
    • Sergei Shtylyov's avatar
      phy: IRQ cannot be shared · 33c133cc
      Sergei Shtylyov authored
      With the way PHY IRQ handler is implemented (all real handling being pushed to
      the workqueue and returning IRQ_HANDLED all the time PHY is active), we cannot
      really claim that PHY IRQ can be shared when calling request_irq().
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      33c133cc
    • Florian Westphal's avatar
      net: rose: restore old recvmsg behavior · f81152e3
      Florian Westphal authored
      recvmsg handler in net/rose/af_rose.c performs size-check ->msg_namelen.
      
      After commit f3d33426
      (net: rework recvmsg handler msg_name and msg_namelen logic), we now
      always take the else branch due to namelen being initialized to 0.
      
      Digging in netdev-vger-cvs git repo shows that msg_namelen was
      initialized with a fixed-size since at least 1995, so the else branch
      was never taken.
      
      Compile tested only.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f81152e3
    • Paul Durrant's avatar
      xen-netback: fix guest-receive-side array sizes · ac3d5ac2
      Paul Durrant authored
      The sizes chosen for the metadata and grant_copy_op arrays on the guest
      receive size are wrong;
      
      - The meta array is needlessly twice the ring size, when we only ever
        consume a single array element per RX ring slot
      - The grant_copy_op array is way too small. It's sized based on a bogus
        assumption: that at most two copy ops will be used per ring slot. This
        may have been true at some point in the past but it's clear from looking
        at start_new_rx_buffer() that a new ring slot is only consumed if a frag
        would overflow the current slot (plus some other conditions) so the actual
        limit is MAX_SKB_FRAGS grant_copy_ops per ring slot.
      
      This patch fixes those two sizing issues and, because grant_copy_ops grows
      so much, it pulls it out into a separate chunk of vmalloc()ed memory.
      Signed-off-by: default avatarPaul Durrant <paul.durrant@citrix.com>
      Acked-by: default avatarWei Liu <wei.liu2@citrix.com>
      Cc: Ian Campbell <ian.campbell@citrix.com>
      Cc: David Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ac3d5ac2
    • Fabio Estevam's avatar
      fec: Do not assume that PHY reset is active low · 7a399e3a
      Fabio Estevam authored
      We should not assume that the PHY reset is always active low.
      
      Retrieve this information from the device tree instead, so that the PHY reset
      can work on both cases.
      Reported-by: default avatarPhilipp Zabel <p.zabel@pengutronix.de>
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@freescale.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7a399e3a
    • Ying Xue's avatar
      tipc: fix deadlock during socket release · 84602761
      Ying Xue authored
      A deadlock might occur if name table is withdrawn in socket release
      routine, and while packets are still being received from bearer.
      
             CPU0                       CPU1
      T0:   recv_msg()               release()
      T1:   tipc_recv_msg()          tipc_withdraw()
      T2:   [grab node lock]         [grab port lock]
      T3:   tipc_link_wakeup_ports() tipc_nametbl_withdraw()
      T4:   [grab port lock]*        named_cluster_distribute()
      T5:   wakeupdispatch()         tipc_link_send()
      T6:                            [grab node lock]*
      
      The opposite order of holding port lock and node lock on above two
      different paths may result in a deadlock. If socket lock instead of
      port lock is used to protect port instance in tipc_withdraw(), the
      reverse order of holding port lock and node lock will be eliminated,
      as a result, the deadlock is killed as well.
      Reported-by: default avatarLars Everbrand <lars.everbrand@ericsson.com>
      Reviewed-by: default avatarErik Hugne <erik.hugne@ericsson.com>
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      84602761
    • Olof Johansson's avatar
      powerpc: Fix alignment of secondary cpu spin vars · 7d4151b5
      Olof Johansson authored
      Commit 5c0484e2 ('powerpc: Endian safe trampoline') resulted in
      losing proper alignment of the spinlock variables used when booting
      secondary CPUs, causing some quite odd issues with failing to boot on
      PA Semi-based systems.
      
      This showed itself on ppc64_defconfig, but not on pasemi_defconfig,
      so it had gone unnoticed when I initially tested the LE patch set.
      
      Fix is to add explicit alignment instead of relying on good luck. :)
      
      [ It appears that there is a different issue with PA Semi systems
        however this fix is definitely correct so applying anyway -- BenH
      ]
      
      Fixes: 5c0484e2 ('powerpc: Endian safe trampoline')
      Reported-by: default avatarChristian Zigotzky <chzigotzky@xenosoft.de>
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=67811Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      7d4151b5
    • Anton Blanchard's avatar
      powerpc: Align p_end · 286e4f90
      Anton Blanchard authored
      p_end is an 8 byte value embedded in the text section. This means it
      is only 4 byte aligned when it should be 8 byte aligned. Fix this
      by adding an explicit alignment.
      
      This fixes an issue where POWER7 little endian builds with
      CONFIG_RELOCATABLE=y fail to boot.
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      286e4f90
    • Brian W Hart's avatar
      powernv/eeh: Add buffer for P7IOC hub error data · ca1de5de
      Brian W Hart authored
      Prevent ioda_eeh_hub_diag() from clobbering itself when called by supplying
      a per-PHB buffer for P7IOC hub diagnostic data.  Take care to inform OPAL of
      the correct size for the buffer.
      
      [Small style change to the use of sizeof -- BenH]
      Signed-off-by: default avatarBrian W Hart <hartb@linux.vnet.ibm.com>
      Acked-by: default avatarGavin Shan <shangw@linux.vnet.ibm.com>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      ca1de5de
    • Brian W Hart's avatar
      powernv/eeh: Fix possible buffer overrun in ioda_eeh_phb_diag() · 20acebdf
      Brian W Hart authored
      PHB diagnostic buffer may be smaller than PAGE_SIZE, especially when
      PAGE_SIZE > 4KB.
      Signed-off-by: default avatarBrian W Hart <hartb@linux.vnet.ibm.com>
      Acked-by: default avatarGavin Shan <shangw@linux.vnet.ibm.com>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      20acebdf
    • Paul E. McKenney's avatar
      powerpc: Make 64-bit non-VMX __copy_tofrom_user bi-endian · 20151169
      Paul E. McKenney authored
      The powerpc 64-bit __copy_tofrom_user() function uses shifts to handle
      unaligned invocations.  However, these shifts were designed for
      big-endian systems: On little-endian systems, they must shift in the
      opposite direction.
      
      This commit relies on the C preprocessor to insert the correct shifts
      into the assembly code.
      
      [ This is a rare but nasty LE issue. Most of the time we use the POWER7
      optimised __copy_tofrom_user_power7 loop, but when it hits an exception
      we fall back to the base __copy_tofrom_user loop. - Anton ]
      Signed-off-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      20151169
    • Rajesh B Prathipati's avatar
      powerpc: Make unaligned accesses endian-safe for powerpc · e8a00ad5
      Rajesh B Prathipati authored
      The generic put_unaligned/get_unaligned macros were made endian-safe by
      calling the appropriate endian dependent macros based on the endian type
      of the powerpc processor.
      Signed-off-by: default avatarRajesh B Prathipati <rprathip@linux.vnet.ibm.com>
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      e8a00ad5
    • Michael Neuling's avatar
      powerpc: Fix bad stack check in exception entry · 90ff5d68
      Michael Neuling authored
      In EXCEPTION_PROLOG_COMMON() we check to see if the stack pointer (r1)
      is valid when coming from the kernel.  If it's not valid, we die but
      with a nice oops message.
      
      Currently we allocate a stack frame (subtract INT_FRAME_SIZE) before we
      check to see if the stack pointer is negative.  Unfortunately, this
      won't detect a bad stack where r1 is less than INT_FRAME_SIZE.
      
      This patch fixes the check to compare the modified r1 with
      -INT_FRAME_SIZE.  With this, bad kernel stack pointers (including NULL
      pointers) are correctly detected again.
      
      Kudos to Paulus for finding this.
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      cc: stable@vger.kernel.org
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      90ff5d68
    • Linus Torvalds's avatar
      Linux 3.13-rc6 · 802eee95
      Linus Torvalds authored
      802eee95
  5. 29 Dec, 2013 2 commits