From f24a071320975b836574d9fc18b15b8294fce3a4 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 14 Apr 2014 15:11:16 -0400 Subject: [PATCH] Linux v3.14.1 --- 3.14.1-rc1.patch | 1982 ---------------------------------------------- kernel.spec | 9 +- sources | 1 + 3 files changed, 5 insertions(+), 1987 deletions(-) delete mode 100644 3.14.1-rc1.patch diff --git a/3.14.1-rc1.patch b/3.14.1-rc1.patch deleted file mode 100644 index 402957492..000000000 --- a/3.14.1-rc1.patch +++ /dev/null @@ -1,1982 +0,0 @@ -From tiwai@suse.de Tue Apr 8 14:31:41 2014 -From: Takashi Iwai -Date: Tue, 8 Apr 2014 18:49:00 +0200 -Subject: Revert "ALSA: hda - Increment default stream numbers for AMD HDMI controllers" -To: stable@vger.kernel.org -Cc: Anssi Hannula , Christian Güdel -Message-ID: <1396975740-22160-1-git-send-email-tiwai@suse.de> - -From: Takashi Iwai - -This reverts commit 7546abfb8e1f9933b549f05898377e9444ee4cb2. - -The commit [7546abfb: ALSA: hda - Increment default stream numbers for -AMD HDMI controllers] introduced a regression where the AMD HDMI -playback streams don't work properly. As the simplest fix, this patch -reverts that commit. - -The upstream code has been changed largely and already contains -another fix (by changing the stream assignment order), this revert -should be applied only to 3.14 kernel where the regression was -introduced. - -Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=77002 -Reported-by: Christian Güdel -Reported-by: Anssi Hannula -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman ---- - -Greg, there is no upstream commit id due to the reason describe in the -above. It's a simple revert, so please take as is. - -thanks, - -Takashi - - sound/pci/hda/hda_intel.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/sound/pci/hda/hda_intel.c -+++ b/sound/pci/hda/hda_intel.c -@@ -297,9 +297,9 @@ enum { SDI0, SDI1, SDI2, SDI3, SDO0, SDO - #define ULI_NUM_CAPTURE 5 - #define ULI_NUM_PLAYBACK 6 - --/* ATI HDMI may have up to 8 playbacks and 0 capture */ -+/* ATI HDMI has 1 playback and 0 capture */ - #define ATIHDMI_NUM_CAPTURE 0 --#define ATIHDMI_NUM_PLAYBACK 8 -+#define ATIHDMI_NUM_PLAYBACK 1 - - /* TERA has 4 playback and 3 capture */ - #define TERA_NUM_CAPTURE 3 -From f64410ec665479d7b4b77b7519e814253ed0f686 Mon Sep 17 00:00:00 2001 -From: Paul Moore -Date: Wed, 19 Mar 2014 16:46:18 -0400 -Subject: selinux: correctly label /proc inodes in use before the policy is loaded - -From: Paul Moore - -commit f64410ec665479d7b4b77b7519e814253ed0f686 upstream. - -This patch is based on an earlier patch by Eric Paris, he describes -the problem below: - - "If an inode is accessed before policy load it will get placed on a - list of inodes to be initialized after policy load. After policy - load we call inode_doinit() which calls inode_doinit_with_dentry() - on all inodes accessed before policy load. In the case of inodes - in procfs that means we'll end up at the bottom where it does: - - /* Default to the fs superblock SID. */ - isec->sid = sbsec->sid; - - if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { - if (opt_dentry) { - isec->sclass = inode_mode_to_security_class(...) - rc = selinux_proc_get_sid(opt_dentry, - isec->sclass, - &sid); - if (rc) - goto out_unlock; - isec->sid = sid; - } - } - - Since opt_dentry is null, we'll never call selinux_proc_get_sid() - and will leave the inode labeled with the label on the superblock. - I believe a fix would be to mimic the behavior of xattrs. Look - for an alias of the inode. If it can't be found, just leave the - inode uninitialized (and pick it up later) if it can be found, we - should be able to call selinux_proc_get_sid() ..." - -On a system exhibiting this problem, you will notice a lot of files in -/proc with the generic "proc_t" type (at least the ones that were -accessed early in the boot), for example: - - # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }' - system_u:object_r:proc_t:s0 /proc/sys/kernel/shmmax - -However, with this patch in place we see the expected result: - - # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }' - system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/shmmax - -Cc: Eric Paris -Signed-off-by: Paul Moore -Acked-by: Eric Paris -Signed-off-by: Greg Kroah-Hartman - ---- - security/selinux/hooks.c | 36 +++++++++++++++++++++++++++--------- - 1 file changed, 27 insertions(+), 9 deletions(-) - ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -1418,15 +1418,33 @@ static int inode_doinit_with_dentry(stru - isec->sid = sbsec->sid; - - if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) { -- if (opt_dentry) { -- isec->sclass = inode_mode_to_security_class(inode->i_mode); -- rc = selinux_proc_get_sid(opt_dentry, -- isec->sclass, -- &sid); -- if (rc) -- goto out_unlock; -- isec->sid = sid; -- } -+ /* We must have a dentry to determine the label on -+ * procfs inodes */ -+ if (opt_dentry) -+ /* Called from d_instantiate or -+ * d_splice_alias. */ -+ dentry = dget(opt_dentry); -+ else -+ /* Called from selinux_complete_init, try to -+ * find a dentry. */ -+ dentry = d_find_alias(inode); -+ /* -+ * This can be hit on boot when a file is accessed -+ * before the policy is loaded. When we load policy we -+ * may find inodes that have no dentry on the -+ * sbsec->isec_head list. No reason to complain as -+ * these will get fixed up the next time we go through -+ * inode_doinit() with a dentry, before these inodes -+ * could be used again by userspace. -+ */ -+ if (!dentry) -+ goto out_unlock; -+ isec->sclass = inode_mode_to_security_class(inode->i_mode); -+ rc = selinux_proc_get_sid(dentry, isec->sclass, &sid); -+ dput(dentry); -+ if (rc) -+ goto out_unlock; -+ isec->sid = sid; - } - break; - } -From 42a5477251f0e0f33ad5f6a95c48d685ec03191e Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Sat, 18 Jan 2014 12:48:16 +0100 -Subject: x86, pageattr: Export page unmapping interface - -From: Borislav Petkov - -commit 42a5477251f0e0f33ad5f6a95c48d685ec03191e upstream. - -We will use it in efi so expose it. - -Signed-off-by: Borislav Petkov -Tested-by: Toshi Kani -Signed-off-by: Matt Fleming -Signed-off-by: Greg Kroah-Hartman - ---- - arch/x86/include/asm/pgtable_types.h | 2 + - arch/x86/mm/pageattr.c | 44 ++++++++++++++++++++++++----------- - 2 files changed, 33 insertions(+), 13 deletions(-) - ---- a/arch/x86/include/asm/pgtable_types.h -+++ b/arch/x86/include/asm/pgtable_types.h -@@ -385,6 +385,8 @@ extern pte_t *lookup_address(unsigned lo - extern phys_addr_t slow_virt_to_phys(void *__address); - extern int kernel_map_pages_in_pgd(pgd_t *pgd, u64 pfn, unsigned long address, - unsigned numpages, unsigned long page_flags); -+void kernel_unmap_pages_in_pgd(pgd_t *root, unsigned long address, -+ unsigned numpages); - #endif /* !__ASSEMBLY__ */ - - #endif /* _ASM_X86_PGTABLE_DEFS_H */ ---- a/arch/x86/mm/pageattr.c -+++ b/arch/x86/mm/pageattr.c -@@ -692,6 +692,18 @@ static bool try_to_free_pmd_page(pmd_t * - return true; - } - -+static bool try_to_free_pud_page(pud_t *pud) -+{ -+ int i; -+ -+ for (i = 0; i < PTRS_PER_PUD; i++) -+ if (!pud_none(pud[i])) -+ return false; -+ -+ free_page((unsigned long)pud); -+ return true; -+} -+ - static bool unmap_pte_range(pmd_t *pmd, unsigned long start, unsigned long end) - { - pte_t *pte = pte_offset_kernel(pmd, start); -@@ -805,6 +817,16 @@ static void unmap_pud_range(pgd_t *pgd, - */ - } - -+static void unmap_pgd_range(pgd_t *root, unsigned long addr, unsigned long end) -+{ -+ pgd_t *pgd_entry = root + pgd_index(addr); -+ -+ unmap_pud_range(pgd_entry, addr, end); -+ -+ if (try_to_free_pud_page((pud_t *)pgd_page_vaddr(*pgd_entry))) -+ pgd_clear(pgd_entry); -+} -+ - static int alloc_pte_page(pmd_t *pmd) - { - pte_t *pte = (pte_t *)get_zeroed_page(GFP_KERNEL | __GFP_NOTRACK); -@@ -999,9 +1021,8 @@ static int populate_pud(struct cpa_data - static int populate_pgd(struct cpa_data *cpa, unsigned long addr) - { - pgprot_t pgprot = __pgprot(_KERNPG_TABLE); -- bool allocd_pgd = false; -- pgd_t *pgd_entry; - pud_t *pud = NULL; /* shut up gcc */ -+ pgd_t *pgd_entry; - int ret; - - pgd_entry = cpa->pgd + pgd_index(addr); -@@ -1015,7 +1036,6 @@ static int populate_pgd(struct cpa_data - return -1; - - set_pgd(pgd_entry, __pgd(__pa(pud) | _KERNPG_TABLE)); -- allocd_pgd = true; - } - - pgprot_val(pgprot) &= ~pgprot_val(cpa->mask_clr); -@@ -1023,19 +1043,11 @@ static int populate_pgd(struct cpa_data - - ret = populate_pud(cpa, addr, pgd_entry, pgprot); - if (ret < 0) { -- unmap_pud_range(pgd_entry, addr, -+ unmap_pgd_range(cpa->pgd, addr, - addr + (cpa->numpages << PAGE_SHIFT)); -- -- if (allocd_pgd) { -- /* -- * If I allocated this PUD page, I can just as well -- * free it in this error path. -- */ -- pgd_clear(pgd_entry); -- free_page((unsigned long)pud); -- } - return ret; - } -+ - cpa->numpages = ret; - return 0; - } -@@ -1861,6 +1873,12 @@ out: - return retval; - } - -+void kernel_unmap_pages_in_pgd(pgd_t *root, unsigned long address, -+ unsigned numpages) -+{ -+ unmap_pgd_range(root, address, address + (numpages << PAGE_SHIFT)); -+} -+ - /* - * The testcases use internal knowledge of the implementation that shouldn't - * be exposed to the rest of the kernel. Include these directly here. -From b7b898ae0c0a82489511a1ce1b35f26215e6beb5 Mon Sep 17 00:00:00 2001 -From: Borislav Petkov -Date: Sat, 18 Jan 2014 12:48:17 +0100 -Subject: x86/efi: Make efi virtual runtime map passing more robust - -From: Borislav Petkov - -commit b7b898ae0c0a82489511a1ce1b35f26215e6beb5 upstream. - -Currently, running SetVirtualAddressMap() and passing the physical -address of the virtual map array was working only by a lucky coincidence -because the memory was present in the EFI page table too. Until Toshi -went and booted this on a big HP box - the krealloc() manner of resizing -the memmap we're doing did allocate from such physical addresses which -were not mapped anymore and boom: - -http://lkml.kernel.org/r/1386806463.1791.295.camel@misato.fc.hp.com - -One way to take care of that issue is to reimplement the krealloc thing -but with pages. We start with contiguous pages of order 1, i.e. 2 pages, -and when we deplete that memory (shouldn't happen all that often but you -know firmware) we realloc the next power-of-two pages. - -Having the pages, it is much more handy and easy to map them into the -EFI page table with the already existing mapping code which we're using -for building the virtual mappings. - -Thanks to Toshi Kani and Matt for the great debugging help. - -Reported-by: Toshi Kani -Signed-off-by: Borislav Petkov -Tested-by: Toshi Kani -Signed-off-by: Matt Fleming -Signed-off-by: Borislav Petkov -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/include/asm/efi.h | 3 - - arch/x86/platform/efi/efi.c | 99 ++++++++++++++++++++++++++++++++--------- - arch/x86/platform/efi/efi_32.c | 7 ++ - arch/x86/platform/efi/efi_64.c | 32 ++++++++++++- - 4 files changed, 115 insertions(+), 26 deletions(-) - ---- a/arch/x86/include/asm/efi.h -+++ b/arch/x86/include/asm/efi.h -@@ -130,7 +130,8 @@ extern void efi_memory_uc(u64 addr, unsi - extern void __init efi_map_region(efi_memory_desc_t *md); - extern void __init efi_map_region_fixed(efi_memory_desc_t *md); - extern void efi_sync_low_kernel_mappings(void); --extern void efi_setup_page_tables(void); -+extern int efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages); -+extern void efi_cleanup_page_tables(unsigned long pa_memmap, unsigned num_pages); - extern void __init old_map_region(efi_memory_desc_t *md); - extern void __init runtime_code_page_mkexec(void); - extern void __init efi_runtime_mkexec(void); ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -939,14 +939,36 @@ static void __init efi_map_regions_fixed - - } - -+static void *realloc_pages(void *old_memmap, int old_shift) -+{ -+ void *ret; -+ -+ ret = (void *)__get_free_pages(GFP_KERNEL, old_shift + 1); -+ if (!ret) -+ goto out; -+ -+ /* -+ * A first-time allocation doesn't have anything to copy. -+ */ -+ if (!old_memmap) -+ return ret; -+ -+ memcpy(ret, old_memmap, PAGE_SIZE << old_shift); -+ -+out: -+ free_pages((unsigned long)old_memmap, old_shift); -+ return ret; -+} -+ - /* -- * Map efi memory ranges for runtime serivce and update new_memmap with virtual -- * addresses. -+ * Map the efi memory ranges of the runtime services and update new_mmap with -+ * virtual addresses. - */ --static void * __init efi_map_regions(int *count) -+static void * __init efi_map_regions(int *count, int *pg_shift) - { -+ void *p, *new_memmap = NULL; -+ unsigned long left = 0; - efi_memory_desc_t *md; -- void *p, *tmp, *new_memmap = NULL; - - for (p = memmap.map; p < memmap.map_end; p += memmap.desc_size) { - md = p; -@@ -961,20 +983,23 @@ static void * __init efi_map_regions(int - efi_map_region(md); - get_systab_virt_addr(md); - -- tmp = krealloc(new_memmap, (*count + 1) * memmap.desc_size, -- GFP_KERNEL); -- if (!tmp) -- goto out; -- new_memmap = tmp; -+ if (left < memmap.desc_size) { -+ new_memmap = realloc_pages(new_memmap, *pg_shift); -+ if (!new_memmap) -+ return NULL; -+ -+ left += PAGE_SIZE << *pg_shift; -+ (*pg_shift)++; -+ } -+ - memcpy(new_memmap + (*count * memmap.desc_size), md, - memmap.desc_size); -+ -+ left -= memmap.desc_size; - (*count)++; - } - - return new_memmap; --out: -- kfree(new_memmap); -- return NULL; - } - - /* -@@ -1000,9 +1025,9 @@ out: - */ - void __init efi_enter_virtual_mode(void) - { -- efi_status_t status; -+ int err, count = 0, pg_shift = 0; - void *new_memmap = NULL; -- int err, count = 0; -+ efi_status_t status; - - efi.systab = NULL; - -@@ -1019,20 +1044,24 @@ void __init efi_enter_virtual_mode(void) - efi_map_regions_fixed(); - } else { - efi_merge_regions(); -- new_memmap = efi_map_regions(&count); -+ new_memmap = efi_map_regions(&count, &pg_shift); - if (!new_memmap) { - pr_err("Error reallocating memory, EFI runtime non-functional!\n"); - return; - } -- } - -- err = save_runtime_map(); -- if (err) -- pr_err("Error saving runtime map, efi runtime on kexec non-functional!!\n"); -+ err = save_runtime_map(); -+ if (err) -+ pr_err("Error saving runtime map, efi runtime on kexec non-functional!!\n"); -+ } - - BUG_ON(!efi.systab); - -- efi_setup_page_tables(); -+ if (!efi_setup) { -+ if (efi_setup_page_tables(__pa(new_memmap), 1 << pg_shift)) -+ return; -+ } -+ - efi_sync_low_kernel_mappings(); - - if (!efi_setup) { -@@ -1072,7 +1101,35 @@ void __init efi_enter_virtual_mode(void) - - efi_runtime_mkexec(); - -- kfree(new_memmap); -+ -+ /* -+ * We mapped the descriptor array into the EFI pagetable above but we're -+ * not unmapping it here. Here's why: -+ * -+ * We're copying select PGDs from the kernel page table to the EFI page -+ * table and when we do so and make changes to those PGDs like unmapping -+ * stuff from them, those changes appear in the kernel page table and we -+ * go boom. -+ * -+ * From setup_real_mode(): -+ * -+ * ... -+ * trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd; -+ * -+ * In this particular case, our allocation is in PGD 0 of the EFI page -+ * table but we've copied that PGD from PGD[272] of the EFI page table: -+ * -+ * pgd_index(__PAGE_OFFSET = 0xffff880000000000) = 272 -+ * -+ * where the direct memory mapping in kernel space is. -+ * -+ * new_memmap's VA comes from that direct mapping and thus clearing it, -+ * it would get cleared in the kernel page table too. -+ * -+ * efi_cleanup_page_tables(__pa(new_memmap), 1 << pg_shift); -+ */ -+ if (!efi_setup) -+ free_pages((unsigned long)new_memmap, pg_shift); - - /* clean DUMMY object */ - efi.set_variable(efi_dummy_name, &EFI_DUMMY_GUID, ---- a/arch/x86/platform/efi/efi_32.c -+++ b/arch/x86/platform/efi/efi_32.c -@@ -40,7 +40,12 @@ - static unsigned long efi_rt_eflags; - - void efi_sync_low_kernel_mappings(void) {} --void efi_setup_page_tables(void) {} -+void __init efi_dump_pagetable(void) {} -+int efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) -+{ -+ return 0; -+} -+void efi_cleanup_page_tables(unsigned long pa_memmap, unsigned num_pages) {} - - void __init efi_map_region(efi_memory_desc_t *md) - { ---- a/arch/x86/platform/efi/efi_64.c -+++ b/arch/x86/platform/efi/efi_64.c -@@ -137,12 +137,38 @@ void efi_sync_low_kernel_mappings(void) - sizeof(pgd_t) * num_pgds); - } - --void efi_setup_page_tables(void) -+int efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) - { -+ pgd_t *pgd; -+ -+ if (efi_enabled(EFI_OLD_MEMMAP)) -+ return 0; -+ - efi_scratch.efi_pgt = (pgd_t *)(unsigned long)real_mode_header->trampoline_pgd; -+ pgd = __va(efi_scratch.efi_pgt); -+ -+ /* -+ * It can happen that the physical address of new_memmap lands in memory -+ * which is not mapped in the EFI page table. Therefore we need to go -+ * and ident-map those pages containing the map before calling -+ * phys_efi_set_virtual_address_map(). -+ */ -+ if (kernel_map_pages_in_pgd(pgd, pa_memmap, pa_memmap, num_pages, _PAGE_NX)) { -+ pr_err("Error ident-mapping new memmap (0x%lx)!\n", pa_memmap); -+ return 1; -+ } -+ -+ efi_scratch.use_pgd = true; -+ -+ -+ return 0; -+} -+ -+void efi_cleanup_page_tables(unsigned long pa_memmap, unsigned num_pages) -+{ -+ pgd_t *pgd = (pgd_t *)__va(real_mode_header->trampoline_pgd); - -- if (!efi_enabled(EFI_OLD_MEMMAP)) -- efi_scratch.use_pgd = true; -+ kernel_unmap_pages_in_pgd(pgd, pa_memmap, num_pages); - } - - static void __init __map_region(efi_memory_desc_t *md, u64 va) -From 69cd9eba38867a493a043bb13eb9b33cad5f1a9a Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Tue, 8 Apr 2014 15:30:07 -0700 -Subject: futex: avoid race between requeue and wake - -From: Linus Torvalds - -commit 69cd9eba38867a493a043bb13eb9b33cad5f1a9a upstream. - -Jan Stancek reported: - "pthread_cond_broadcast/4-1.c testcase from openposix testsuite (LTP) - occasionally fails, because some threads fail to wake up. - - Testcase creates 5 threads, which are all waiting on same condition. - Main thread then calls pthread_cond_broadcast() without holding mutex, - which calls: - - futex(uaddr1, FUTEX_CMP_REQUEUE_PRIVATE, 1, 2147483647, uaddr2, ..) - - This immediately wakes up single thread A, which unlocks mutex and - tries to wake up another thread: - - futex(uaddr2, FUTEX_WAKE_PRIVATE, 1) - - If thread A manages to call futex_wake() before any waiters are - requeued for uaddr2, no other thread is woken up" - -The ordering constraints for the hash bucket waiter counting are that -the waiter counts have to be incremented _before_ getting the spinlock -(because the spinlock acts as part of the memory barrier), but the -"requeue" operation didn't honor those rules, and nobody had even -thought about that case. - -This fairly simple patch just increments the waiter count for the target -hash bucket (hb2) when requeing a futex before taking the locks. It -then decrements them again after releasing the lock - the code that -actually moves the futex(es) between hash buckets will do the additional -required waiter count housekeeping. - -Reported-and-tested-by: Jan Stancek -Acked-by: Davidlohr Bueso -Cc: Peter Zijlstra -Cc: Thomas Gleixner -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - ---- - kernel/futex.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -1450,6 +1450,7 @@ retry: - hb2 = hash_futex(&key2); - - retry_private: -+ hb_waiters_inc(hb2); - double_lock_hb(hb1, hb2); - - if (likely(cmpval != NULL)) { -@@ -1459,6 +1460,7 @@ retry_private: - - if (unlikely(ret)) { - double_unlock_hb(hb1, hb2); -+ hb_waiters_dec(hb2); - - ret = get_user(curval, uaddr1); - if (ret) -@@ -1508,6 +1510,7 @@ retry_private: - break; - case -EFAULT: - double_unlock_hb(hb1, hb2); -+ hb_waiters_dec(hb2); - put_futex_key(&key2); - put_futex_key(&key1); - ret = fault_in_user_writeable(uaddr2); -@@ -1517,6 +1520,7 @@ retry_private: - case -EAGAIN: - /* The owner was exiting, try again. */ - double_unlock_hb(hb1, hb2); -+ hb_waiters_dec(hb2); - put_futex_key(&key2); - put_futex_key(&key1); - cond_resched(); -@@ -1592,6 +1596,7 @@ retry_private: - - out_unlock: - double_unlock_hb(hb1, hb2); -+ hb_waiters_dec(hb2); - - /* - * drop_futex_key_refs() must be called outside the spinlocks. During -From foo@baz Thu Apr 10 20:31:46 PDT 2014 -From: Paul Durrant -Date: Fri, 28 Mar 2014 11:39:05 +0000 -Subject: xen-netback: remove pointless clause from if statement - -From: Paul Durrant - -[ Upstream commit 0576eddf24df716d8570ef8ca11452a9f98eaab2 ] - -This patch removes a test in start_new_rx_buffer() that checks whether -a copy operation is less than MAX_BUFFER_OFFSET in length, since -MAX_BUFFER_OFFSET is defined to be PAGE_SIZE and the only caller of -start_new_rx_buffer() already limits copy operations to PAGE_SIZE or less. - -Signed-off-by: Paul Durrant -Cc: Ian Campbell -Cc: Wei Liu -Cc: Sander Eikelenboom -Reported-By: Sander Eikelenboom -Tested-By: Sander Eikelenboom -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/xen-netback/netback.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/drivers/net/xen-netback/netback.c -+++ b/drivers/net/xen-netback/netback.c -@@ -192,8 +192,8 @@ static bool start_new_rx_buffer(int offs - * into multiple copies tend to give large frags their - * own buffers as before. - */ -- if ((offset + size > MAX_BUFFER_OFFSET) && -- (size <= MAX_BUFFER_OFFSET) && offset && !head) -+ BUG_ON(size > MAX_BUFFER_OFFSET); -+ if ((offset + size > MAX_BUFFER_OFFSET) && offset && !head) - return true; - - return false; -From foo@baz Thu Apr 10 20:31:46 PDT 2014 -From: Paul Durrant -Date: Fri, 28 Mar 2014 11:39:06 +0000 -Subject: xen-netback: worse-case estimate in xenvif_rx_action is underestimating - -From: Paul Durrant - -[ Upstream commit a02eb4732cf975d7fc71b6d1a71c058c9988b949 ] - -The worse-case estimate for skb ring slot usage in xenvif_rx_action() -fails to take fragment page_offset into account. The page_offset does, -however, affect the number of times the fragmentation code calls -start_new_rx_buffer() (i.e. consume another slot) and the worse-case -should assume that will always return true. This patch adds the page_offset -into the DIV_ROUND_UP for each frag. - -Unfortunately some frontends aggressively limit the number of requests -they post into the shared ring so to avoid an estimate that is 'too' -pessimal it is capped at MAX_SKB_FRAGS. - -Signed-off-by: Paul Durrant -Cc: Ian Campbell -Cc: Wei Liu -Cc: Sander Eikelenboom -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/xen-netback/netback.c | 21 ++++++++++++++++++++- - 1 file changed, 20 insertions(+), 1 deletion(-) - ---- a/drivers/net/xen-netback/netback.c -+++ b/drivers/net/xen-netback/netback.c -@@ -493,9 +493,28 @@ static void xenvif_rx_action(struct xenv - PAGE_SIZE); - for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) { - unsigned int size; -+ unsigned int offset; -+ - size = skb_frag_size(&skb_shinfo(skb)->frags[i]); -- max_slots_needed += DIV_ROUND_UP(size, PAGE_SIZE); -+ offset = skb_shinfo(skb)->frags[i].page_offset; -+ -+ /* For a worse-case estimate we need to factor in -+ * the fragment page offset as this will affect the -+ * number of times xenvif_gop_frag_copy() will -+ * call start_new_rx_buffer(). -+ */ -+ max_slots_needed += DIV_ROUND_UP(offset + size, -+ PAGE_SIZE); - } -+ -+ /* To avoid the estimate becoming too pessimal for some -+ * frontends that limit posted rx requests, cap the estimate -+ * at MAX_SKB_FRAGS. -+ */ -+ if (max_slots_needed > MAX_SKB_FRAGS) -+ max_slots_needed = MAX_SKB_FRAGS; -+ -+ /* We may need one more slot for GSO metadata */ - if (skb_is_gso(skb) && - (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4 || - skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6)) -From foo@baz Thu Apr 10 20:31:46 PDT 2014 -From: Paul Durrant -Date: Fri, 28 Mar 2014 11:39:07 +0000 -Subject: xen-netback: BUG_ON in xenvif_rx_action() not catching overflow - -From: Paul Durrant - -[ Upstream commit 1425c7a4e8d3d2eebf308bcbdc3fa3c1247686b4 ] - -The BUG_ON to catch ring overflow in xenvif_rx_action() makes the assumption -that meta_slots_used == ring slots used. This is not necessarily the case -for GSO packets, because the non-prefix GSO protocol consumes one more ring -slot than meta-slot for the 'extra_info'. This patch changes the test to -actually check ring slots. - -Signed-off-by: Paul Durrant -Cc: Ian Campbell -Cc: Wei Liu -Cc: Sander Eikelenboom -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/xen-netback/netback.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - ---- a/drivers/net/xen-netback/netback.c -+++ b/drivers/net/xen-netback/netback.c -@@ -482,6 +482,8 @@ static void xenvif_rx_action(struct xenv - - while ((skb = skb_dequeue(&vif->rx_queue)) != NULL) { - RING_IDX max_slots_needed; -+ RING_IDX old_req_cons; -+ RING_IDX ring_slots_used; - int i; - - /* We need a cheap worse case estimate for the number of -@@ -530,8 +532,12 @@ static void xenvif_rx_action(struct xenv - vif->rx_last_skb_slots = 0; - - sco = (struct skb_cb_overlay *)skb->cb; -+ -+ old_req_cons = vif->rx.req_cons; - sco->meta_slots_used = xenvif_gop_skb(skb, &npo); -- BUG_ON(sco->meta_slots_used > max_slots_needed); -+ ring_slots_used = vif->rx.req_cons - old_req_cons; -+ -+ BUG_ON(ring_slots_used > max_slots_needed); - - __skb_queue_tail(&rxq, skb); - } -From foo@baz Thu Apr 10 20:31:46 PDT 2014 -From: Hannes Frederic Sowa -Date: Mon, 31 Mar 2014 20:14:10 +0200 -Subject: ipv6: some ipv6 statistic counters failed to disable bh - -From: Hannes Frederic Sowa - -[ Upstream commit 43a43b6040165f7b40b5b489fe61a4cb7f8c4980 ] - -After commit c15b1ccadb323ea ("ipv6: move DAD and addrconf_verify -processing to workqueue") some counters are now updated in process context -and thus need to disable bh before doing so, otherwise deadlocks can -happen on 32-bit archs. Fabio Estevam noticed this while while mounting -a NFS volume on an ARM board. - -As a compensation for missing this I looked after the other *_STATS_BH -and found three other calls which need updating: - -1) icmp6_send: ip6_fragment -> icmpv6_send -> icmp6_send (error handling) -2) ip6_push_pending_frames: rawv6_sendmsg -> rawv6_push_pending_frames -> ... - (only in case of icmp protocol with raw sockets in error handling) -3) ping6_v6_sendmsg (error handling) - -Fixes: c15b1ccadb323ea ("ipv6: move DAD and addrconf_verify processing to workqueue") -Reported-by: Fabio Estevam -Tested-by: Fabio Estevam -Cc: Eric Dumazet -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/ipv6/icmp.c | 2 +- - net/ipv6/ip6_output.c | 4 ++-- - net/ipv6/mcast.c | 11 ++++++----- - net/ipv6/ping.c | 4 ++-- - 4 files changed, 11 insertions(+), 10 deletions(-) - ---- a/net/ipv6/icmp.c -+++ b/net/ipv6/icmp.c -@@ -520,7 +520,7 @@ static void icmp6_send(struct sk_buff *s - np->tclass, NULL, &fl6, (struct rt6_info *)dst, - MSG_DONTWAIT, np->dontfrag); - if (err) { -- ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTERRORS); -+ ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTERRORS); - ip6_flush_pending_frames(sk); - } else { - err = icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr, ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -1566,8 +1566,8 @@ int ip6_push_pending_frames(struct sock - if (proto == IPPROTO_ICMPV6) { - struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb)); - -- ICMP6MSGOUT_INC_STATS_BH(net, idev, icmp6_hdr(skb)->icmp6_type); -- ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTMSGS); -+ ICMP6MSGOUT_INC_STATS(net, idev, icmp6_hdr(skb)->icmp6_type); -+ ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS); - } - - err = ip6_local_out(skb); ---- a/net/ipv6/mcast.c -+++ b/net/ipv6/mcast.c -@@ -1620,11 +1620,12 @@ static void mld_sendpack(struct sk_buff - dst_output); - out: - if (!err) { -- ICMP6MSGOUT_INC_STATS_BH(net, idev, ICMPV6_MLD2_REPORT); -- ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTMSGS); -- IP6_UPD_PO_STATS_BH(net, idev, IPSTATS_MIB_OUTMCAST, payload_len); -- } else -- IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_OUTDISCARDS); -+ ICMP6MSGOUT_INC_STATS(net, idev, ICMPV6_MLD2_REPORT); -+ ICMP6_INC_STATS(net, idev, ICMP6_MIB_OUTMSGS); -+ IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUTMCAST, payload_len); -+ } else { -+ IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTDISCARDS); -+ } - - rcu_read_unlock(); - return; ---- a/net/ipv6/ping.c -+++ b/net/ipv6/ping.c -@@ -182,8 +182,8 @@ int ping_v6_sendmsg(struct kiocb *iocb, - MSG_DONTWAIT, np->dontfrag); - - if (err) { -- ICMP6_INC_STATS_BH(sock_net(sk), rt->rt6i_idev, -- ICMP6_MIB_OUTERRORS); -+ ICMP6_INC_STATS(sock_net(sk), rt->rt6i_idev, -+ ICMP6_MIB_OUTERRORS); - ip6_flush_pending_frames(sk); - } else { - err = icmpv6_push_pending_frames(sk, &fl6, -From foo@baz Thu Apr 10 20:31:46 PDT 2014 -From: Pablo Neira -Date: Tue, 1 Apr 2014 19:38:44 +0200 -Subject: netlink: don't compare the nul-termination in nla_strcmp - -From: Pablo Neira - -[ Upstream commit 8b7b932434f5eee495b91a2804f5b64ebb2bc835 ] - -nla_strcmp compares the string length plus one, so it's implicitly -including the nul-termination in the comparison. - - int nla_strcmp(const struct nlattr *nla, const char *str) - { - int len = strlen(str) + 1; - ... - d = memcmp(nla_data(nla), str, len); - -However, if NLA_STRING is used, userspace can send us a string without -the nul-termination. This is a problem since the string -comparison will not match as the last byte may be not the -nul-termination. - -Fix this by skipping the comparison of the nul-termination if the -attribute data is nul-terminated. Suggested by Thomas Graf. - -Cc: Florian Westphal -Cc: Thomas Graf -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - lib/nlattr.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - ---- a/lib/nlattr.c -+++ b/lib/nlattr.c -@@ -303,9 +303,15 @@ int nla_memcmp(const struct nlattr *nla, - */ - int nla_strcmp(const struct nlattr *nla, const char *str) - { -- int len = strlen(str) + 1; -- int d = nla_len(nla) - len; -+ int len = strlen(str); -+ char *buf = nla_data(nla); -+ int attrlen = nla_len(nla); -+ int d; - -+ if (attrlen > 0 && buf[attrlen - 1] == '\0') -+ attrlen--; -+ -+ d = attrlen - len; - if (d == 0) - d = memcmp(nla_data(nla), str, len); - -From foo@baz Thu Apr 10 20:31:46 PDT 2014 -From: Wei Liu -Date: Tue, 1 Apr 2014 12:46:12 +0100 -Subject: xen-netback: disable rogue vif in kthread context -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Wei Liu - -[ Upstream commit e9d8b2c2968499c1f96563e6522c56958d5a1d0d ] - -When netback discovers frontend is sending malformed packet it will -disables the interface which serves that frontend. - -However disabling a network interface involving taking a mutex which -cannot be done in softirq context, so we need to defer this process to -kthread context. - -This patch does the following: -1. introduce a flag to indicate the interface is disabled. -2. check that flag in TX path, don't do any work if it's true. -3. check that flag in RX path, turn off that interface if it's true. - -The reason to disable it in RX path is because RX uses kthread. After -this change the behavior of netback is still consistent -- it won't do -any TX work for a rogue frontend, and the interface will be eventually -turned off. - -Also change a "continue" to "break" after xenvif_fatal_tx_err, as it -doesn't make sense to continue processing packets if frontend is rogue. - -This is a fix for XSA-90. - -Reported-by: Török Edwin -Signed-off-by: Wei Liu -Cc: Ian Campbell -Reviewed-by: David Vrabel -Acked-by: Ian Campbell -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/xen-netback/common.h | 5 +++++ - drivers/net/xen-netback/interface.c | 11 +++++++++++ - drivers/net/xen-netback/netback.c | 16 ++++++++++++++-- - 3 files changed, 30 insertions(+), 2 deletions(-) - ---- a/drivers/net/xen-netback/common.h -+++ b/drivers/net/xen-netback/common.h -@@ -113,6 +113,11 @@ struct xenvif { - domid_t domid; - unsigned int handle; - -+ /* Is this interface disabled? True when backend discovers -+ * frontend is rogue. -+ */ -+ bool disabled; -+ - /* Use NAPI for guest TX */ - struct napi_struct napi; - /* When feature-split-event-channels = 0, tx_irq = rx_irq. */ ---- a/drivers/net/xen-netback/interface.c -+++ b/drivers/net/xen-netback/interface.c -@@ -62,6 +62,15 @@ static int xenvif_poll(struct napi_struc - struct xenvif *vif = container_of(napi, struct xenvif, napi); - int work_done; - -+ /* This vif is rogue, we pretend we've there is nothing to do -+ * for this vif to deschedule it from NAPI. But this interface -+ * will be turned off in thread context later. -+ */ -+ if (unlikely(vif->disabled)) { -+ napi_complete(napi); -+ return 0; -+ } -+ - work_done = xenvif_tx_action(vif, budget); - - if (work_done < budget) { -@@ -321,6 +330,8 @@ struct xenvif *xenvif_alloc(struct devic - vif->ip_csum = 1; - vif->dev = dev; - -+ vif->disabled = false; -+ - vif->credit_bytes = vif->remaining_credit = ~0UL; - vif->credit_usec = 0UL; - init_timer(&vif->credit_timeout); ---- a/drivers/net/xen-netback/netback.c -+++ b/drivers/net/xen-netback/netback.c -@@ -680,7 +680,8 @@ static void xenvif_tx_err(struct xenvif - static void xenvif_fatal_tx_err(struct xenvif *vif) - { - netdev_err(vif->dev, "fatal error; disabling device\n"); -- xenvif_carrier_off(vif); -+ vif->disabled = true; -+ xenvif_kick_thread(vif); - } - - static int xenvif_count_requests(struct xenvif *vif, -@@ -1151,7 +1152,7 @@ static unsigned xenvif_tx_build_gops(str - vif->tx.sring->req_prod, vif->tx.req_cons, - XEN_NETIF_TX_RING_SIZE); - xenvif_fatal_tx_err(vif); -- continue; -+ break; - } - - work_to_do = RING_HAS_UNCONSUMED_REQUESTS(&vif->tx); -@@ -1573,7 +1574,18 @@ int xenvif_kthread(void *data) - while (!kthread_should_stop()) { - wait_event_interruptible(vif->wq, - rx_work_todo(vif) || -+ vif->disabled || - kthread_should_stop()); -+ -+ /* This frontend is found to be rogue, disable it in -+ * kthread context. Currently this is only set when -+ * netback finds out frontend sends malformed packet, -+ * but we cannot disable the interface in softirq -+ * context so we defer it here. -+ */ -+ if (unlikely(vif->disabled && netif_carrier_ok(vif->dev))) -+ xenvif_carrier_off(vif); -+ - if (kthread_should_stop()) - break; - -From foo@baz Thu Apr 10 20:31:46 PDT 2014 -From: Daniel Pieczko -Date: Tue, 1 Apr 2014 13:10:34 +0100 -Subject: Call efx_set_channels() before efx->type->dimension_resources() - -From: Daniel Pieczko - -[ Upstream commit 52ad762b85ed7947ec9eff6b036eb985352f6874 ] - -When using the "separate_tx_channels=1" module parameter, the TX queues are -initially numbered starting from the first TX-only channel number (after all the -RX-only channels). efx_set_channels() renumbers the queues so that they are -indexed from zero. - -On EF10, the TX queues need to be relabelled in this way before calling the -dimension_resources NIC type operation, otherwise the TX queue PIO buffers can be -linked to the wrong VIs when using "separate_tx_channels=1". - -Added comments to explain UC/WC mappings for PIO buffers - -Signed-off-by: Shradha Shah -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/sfc/ef10.c | 7 +++++++ - drivers/net/ethernet/sfc/efx.c | 3 ++- - 2 files changed, 9 insertions(+), 1 deletion(-) - ---- a/drivers/net/ethernet/sfc/ef10.c -+++ b/drivers/net/ethernet/sfc/ef10.c -@@ -565,10 +565,17 @@ static int efx_ef10_dimension_resources( - * several of each (in fact that's the only option if host - * page size is >4K). So we may allocate some extra VIs just - * for writing PIO buffers through. -+ * -+ * The UC mapping contains (min_vis - 1) complete VIs and the -+ * first half of the next VI. Then the WC mapping begins with -+ * the second half of this last VI. - */ - uc_mem_map_size = PAGE_ALIGN((min_vis - 1) * EFX_VI_PAGE_SIZE + - ER_DZ_TX_PIOBUF); - if (nic_data->n_piobufs) { -+ /* pio_write_vi_base rounds down to give the number of complete -+ * VIs inside the UC mapping. -+ */ - pio_write_vi_base = uc_mem_map_size / EFX_VI_PAGE_SIZE; - wc_mem_map_size = (PAGE_ALIGN((pio_write_vi_base + - nic_data->n_piobufs) * ---- a/drivers/net/ethernet/sfc/efx.c -+++ b/drivers/net/ethernet/sfc/efx.c -@@ -1603,6 +1603,8 @@ static int efx_probe_nic(struct efx_nic - if (rc) - goto fail1; - -+ efx_set_channels(efx); -+ - rc = efx->type->dimension_resources(efx); - if (rc) - goto fail2; -@@ -1613,7 +1615,6 @@ static int efx_probe_nic(struct efx_nic - efx->rx_indir_table[i] = - ethtool_rxfh_indir_default(i, efx->rss_spread); - -- efx_set_channels(efx); - netif_set_real_num_tx_queues(efx->net_dev, efx->n_tx_channels); - netif_set_real_num_rx_queues(efx->net_dev, efx->n_rx_channels); - -From foo@baz Thu Apr 10 20:31:46 PDT 2014 -From: Mike Rapoport -Date: Tue, 1 Apr 2014 09:23:01 +0300 -Subject: net: vxlan: fix crash when interface is created with no group - -From: Mike Rapoport - -[ Upstream commit 5933a7bbb5de66482ea8aa874a7ebaf8e67603c4 ] - -If the vxlan interface is created without explicit group definition, -there are corner cases which may cause kernel panic. - -For instance, in the following scenario: - -node A: -$ ip link add dev vxlan42 address 2c:c2:60:00:10:20 type vxlan id 42 -$ ip addr add dev vxlan42 10.0.0.1/24 -$ ip link set up dev vxlan42 -$ arp -i vxlan42 -s 10.0.0.2 2c:c2:60:00:01:02 -$ bridge fdb add dev vxlan42 to 2c:c2:60:00:01:02 dst -$ ping 10.0.0.2 - -node B: -$ ip link add dev vxlan42 address 2c:c2:60:00:01:02 type vxlan id 42 -$ ip addr add dev vxlan42 10.0.0.2/24 -$ ip link set up dev vxlan42 -$ arp -i vxlan42 -s 10.0.0.1 2c:c2:60:00:10:20 - -node B crashes: - - vxlan42: 2c:c2:60:00:10:20 migrated from 4011:eca4:c0a8:6466:c0a8:6415:8e09:2118 to (invalid address) - vxlan42: 2c:c2:60:00:10:20 migrated from 4011:eca4:c0a8:6466:c0a8:6415:8e09:2118 to (invalid address) - BUG: unable to handle kernel NULL pointer dereference at 0000000000000046 - IP: [] ip6_route_output+0x58/0x82 - PGD 7bd89067 PUD 7bd4e067 PMD 0 - Oops: 0000 [#1] SMP - Modules linked in: - CPU: 1 PID: 0 Comm: swapper/1 Not tainted 3.14.0-rc8-hvx-xen-00019-g97a5221-dirty #154 - Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 - task: ffff88007c774f50 ti: ffff88007c79c000 task.ti: ffff88007c79c000 - RIP: 0010:[] [] ip6_route_output+0x58/0x82 - RSP: 0018:ffff88007fd03668 EFLAGS: 00010282 - RAX: 0000000000000000 RBX: ffffffff8186a000 RCX: 0000000000000040 - RDX: 0000000000000000 RSI: ffff88007b0e4a80 RDI: ffff88007fd03754 - RBP: ffff88007fd03688 R08: ffff88007b0e4a80 R09: 0000000000000000 - R10: 0200000a0100000a R11: 0001002200000000 R12: ffff88007fd03740 - R13: ffff88007b0e4a80 R14: ffff88007b0e4a80 R15: ffff88007bba0c50 - FS: 0000000000000000(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b - CR2: 0000000000000046 CR3: 000000007bb60000 CR4: 00000000000006e0 - Stack: - 0000000000000000 ffff88007fd037a0 ffffffff8186a000 ffff88007fd03740 - ffff88007fd036c8 ffffffff814320bb 0000000000006e49 ffff88007b8b7360 - ffff88007bdbf200 ffff88007bcbc000 ffff88007b8b7000 ffff88007b8b7360 - Call Trace: - - [] ip6_dst_lookup_tail+0x2d/0xa4 - [] ip6_dst_lookup+0x10/0x12 - [] vxlan_xmit_one+0x32a/0x68c - [] ? _raw_spin_unlock_irqrestore+0x12/0x14 - [] ? lock_timer_base.isra.23+0x26/0x4b - [] vxlan_xmit+0x66a/0x6a8 - [] ? ipt_do_table+0x35f/0x37e - [] ? selinux_ip_postroute+0x41/0x26e - [] dev_hard_start_xmit+0x2ce/0x3ce - [] __dev_queue_xmit+0x2d0/0x392 - [] ? eth_header+0x28/0xb5 - [] dev_queue_xmit+0xb/0xd - [] neigh_resolve_output+0x134/0x152 - [] ip_finish_output2+0x236/0x299 - [] ip_finish_output+0x98/0x9d - [] ip_output+0x62/0x67 - [] dst_output+0xf/0x11 - [] ip_local_out+0x1b/0x1f - [] ip_send_skb+0x11/0x37 - [] ip_push_pending_frames+0x2f/0x33 - [] icmp_push_reply+0x106/0x115 - [] icmp_reply+0x142/0x164 - [] icmp_echo.part.16+0x46/0x48 - [] ? nf_iterate+0x43/0x80 - [] ? xfrm4_policy_check.constprop.11+0x52/0x52 - [] icmp_echo+0x25/0x27 - [] icmp_rcv+0x1d2/0x20a - [] ? xfrm4_policy_check.constprop.11+0x52/0x52 - [] ip_local_deliver_finish+0xd6/0x14f - [] ? xfrm4_policy_check.constprop.11+0x52/0x52 - [] NF_HOOK.constprop.10+0x4c/0x53 - [] ip_local_deliver+0x4a/0x4f - [] ip_rcv_finish+0x253/0x26a - [] ? inet_add_protocol+0x3e/0x3e - [] NF_HOOK.constprop.10+0x4c/0x53 - [] ip_rcv+0x2a6/0x2ec - [] __netif_receive_skb_core+0x43e/0x478 - [] ? virtqueue_poll+0x16/0x27 - [] __netif_receive_skb+0x55/0x5a - [] process_backlog+0x76/0x12f - [] net_rx_action+0xa2/0x1ab - [] __do_softirq+0xca/0x1d1 - [] irq_exit+0x3e/0x85 - [] do_IRQ+0xa9/0xc4 - [] common_interrupt+0x6d/0x6d - - [] ? native_safe_halt+0x6/0x8 - [] default_idle+0x9/0xd - [] arch_cpu_idle+0x13/0x1c - [] cpu_startup_entry+0xbc/0x137 - [] start_secondary+0x1a0/0x1a5 - Code: 24 14 e8 f1 e5 01 00 31 d2 a8 32 0f 95 c2 49 8b 44 24 2c 49 0b 44 24 24 74 05 83 ca 04 eb 1c 4d 85 ed 74 17 49 8b 85 a8 02 00 00 <66> 8b 40 46 66 c1 e8 07 83 e0 07 c1 e0 03 09 c2 4c 89 e6 48 89 - RIP [] ip6_route_output+0x58/0x82 - RSP - CR2: 0000000000000046 - ---[ end trace 4612329caab37efd ]--- - -When vxlan interface is created without explicit group definition, the -default_dst protocol family is initialiazed to AF_UNSPEC and the driver -assumes IPv4 configuration. On the other side, the default_dst protocol -family is used to differentiate between IPv4 and IPv6 cases and, since, -AF_UNSPEC != AF_INET, the processing takes the IPv6 path. - -Making the IPv4 assumption explicit by settting default_dst protocol -family to AF_INET4 and preventing mixing of IPv4 and IPv6 addresses in -snooped fdb entries fixes the corner case crashes. - -Signed-off-by: Mike Rapoport -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/vxlan.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - ---- a/drivers/net/vxlan.c -+++ b/drivers/net/vxlan.c -@@ -871,6 +871,9 @@ static int vxlan_fdb_add(struct ndmsg *n - if (err) - return err; - -+ if (vxlan->default_dst.remote_ip.sa.sa_family != ip.sa.sa_family) -+ return -EAFNOSUPPORT; -+ - spin_lock_bh(&vxlan->hash_lock); - err = vxlan_fdb_create(vxlan, addr, &ip, ndm->ndm_state, flags, - port, vni, ifindex, ndm->ndm_flags); -@@ -2612,9 +2615,10 @@ static int vxlan_newlink(struct net *net - vni = nla_get_u32(data[IFLA_VXLAN_ID]); - dst->remote_vni = vni; - -+ /* Unless IPv6 is explicitly requested, assume IPv4 */ -+ dst->remote_ip.sa.sa_family = AF_INET; - if (data[IFLA_VXLAN_GROUP]) { - dst->remote_ip.sin.sin_addr.s_addr = nla_get_be32(data[IFLA_VXLAN_GROUP]); -- dst->remote_ip.sa.sa_family = AF_INET; - } else if (data[IFLA_VXLAN_GROUP6]) { - if (!IS_ENABLED(CONFIG_IPV6)) - return -EPFNOSUPPORT; -From foo@baz Thu Apr 10 20:31:46 PDT 2014 -From: YOSHIFUJI Hideaki -Date: Wed, 2 Apr 2014 12:48:42 +0900 -Subject: isdnloop: Validate NUL-terminated strings from user. - -From: YOSHIFUJI Hideaki - -[ Upstream commit 77bc6bed7121936bb2e019a8c336075f4c8eef62 ] - -Return -EINVAL unless all of user-given strings are correctly -NUL-terminated. - -Signed-off-by: YOSHIFUJI Hideaki -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - drivers/isdn/isdnloop/isdnloop.c | 6 ++++++ - 1 file changed, 6 insertions(+) - ---- a/drivers/isdn/isdnloop/isdnloop.c -+++ b/drivers/isdn/isdnloop/isdnloop.c -@@ -1070,6 +1070,12 @@ isdnloop_start(isdnloop_card *card, isdn - return -EBUSY; - if (copy_from_user((char *) &sdef, (char *) sdefp, sizeof(sdef))) - return -EFAULT; -+ -+ for (i = 0; i < 3; i++) { -+ if (!memchr(sdef.num[i], 0, sizeof(sdef.num[i]))) -+ return -EINVAL; -+ } -+ - spin_lock_irqsave(&card->isdnloop_lock, flags); - switch (sdef.ptype) { - case ISDN_PTYPE_EURO: -From foo@baz Thu Apr 10 20:31:46 PDT 2014 -From: Dan Carpenter -Date: Tue, 8 Apr 2014 12:23:09 +0300 -Subject: isdnloop: several buffer overflows - -From: Dan Carpenter - -[ Upstream commit 7563487cbf865284dcd35e9ef5a95380da046737 ] - -There are three buffer overflows addressed in this patch. - -1) In isdnloop_fake_err() we add an 'E' to a 60 character string and -then copy it into a 60 character buffer. I have made the destination -buffer 64 characters and I'm changed the sprintf() to a snprintf(). - -2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60 -character buffer so we have 54 characters. The ->eazlist[] is 11 -characters long. I have modified the code to return if the source -buffer is too long. - -3) In isdnloop_command() the cbuf[] array was 60 characters long but the -max length of the string then can be up to 79 characters. I made the -cbuf array 80 characters long and changed the sprintf() to snprintf(). -I also removed the temporary "dial" buffer and changed it to use "p" -directly. - -Unfortunately, we pass the "cbuf" string from isdnloop_command() to -isdnloop_writecmd() which truncates anything over 60 characters to make -it fit in card->omsg[]. (It can accept values up to 255 characters so -long as there is a '\n' character every 60 characters). For now I have -just fixed the memory corruption bug and left the other problems in this -driver alone. - -Signed-off-by: Dan Carpenter -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - drivers/isdn/isdnloop/isdnloop.c | 17 +++++++++-------- - 1 file changed, 9 insertions(+), 8 deletions(-) - ---- a/drivers/isdn/isdnloop/isdnloop.c -+++ b/drivers/isdn/isdnloop/isdnloop.c -@@ -518,9 +518,9 @@ static isdnloop_stat isdnloop_cmd_table[ - static void - isdnloop_fake_err(isdnloop_card *card) - { -- char buf[60]; -+ char buf[64]; - -- sprintf(buf, "E%s", card->omsg); -+ snprintf(buf, sizeof(buf), "E%s", card->omsg); - isdnloop_fake(card, buf, -1); - isdnloop_fake(card, "NAK", -1); - } -@@ -903,6 +903,8 @@ isdnloop_parse_cmd(isdnloop_card *card) - case 7: - /* 0x;EAZ */ - p += 3; -+ if (strlen(p) >= sizeof(card->eazlist[0])) -+ break; - strcpy(card->eazlist[ch - 1], p); - break; - case 8: -@@ -1133,7 +1135,7 @@ isdnloop_command(isdn_ctrl *c, isdnloop_ - { - ulong a; - int i; -- char cbuf[60]; -+ char cbuf[80]; - isdn_ctrl cmd; - isdnloop_cdef cdef; - -@@ -1198,7 +1200,6 @@ isdnloop_command(isdn_ctrl *c, isdnloop_ - break; - if ((c->arg & 255) < ISDNLOOP_BCH) { - char *p; -- char dial[50]; - char dcode[4]; - - a = c->arg; -@@ -1210,10 +1211,10 @@ isdnloop_command(isdn_ctrl *c, isdnloop_ - } else - /* Normal Dial */ - strcpy(dcode, "CAL"); -- strcpy(dial, p); -- sprintf(cbuf, "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1), -- dcode, dial, c->parm.setup.si1, -- c->parm.setup.si2, c->parm.setup.eazmsn); -+ snprintf(cbuf, sizeof(cbuf), -+ "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1), -+ dcode, p, c->parm.setup.si1, -+ c->parm.setup.si2, c->parm.setup.eazmsn); - i = isdnloop_writecmd(cbuf, strlen(cbuf), 0, card); - } - break; -From foo@baz Thu Apr 10 20:31:46 PDT 2014 -From: Sasha Levin -Date: Sat, 29 Mar 2014 20:39:35 -0400 -Subject: rds: prevent dereference of a NULL device in rds_iw_laddr_check - -From: Sasha Levin - -[ Upstream commit bf39b4247b8799935ea91d90db250ab608a58e50 ] - -Binding might result in a NULL device which is later dereferenced -without checking. - -Signed-off-by: Sasha Levin -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - net/rds/iw.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/net/rds/iw.c -+++ b/net/rds/iw.c -@@ -239,7 +239,8 @@ static int rds_iw_laddr_check(__be32 add - ret = rdma_bind_addr(cm_id, (struct sockaddr *)&sin); - /* due to this, we will claim to support IB devices unless we - check node_type. */ -- if (ret || cm_id->device->node_type != RDMA_NODE_RNIC) -+ if (ret || !cm_id->device || -+ cm_id->device->node_type != RDMA_NODE_RNIC) - ret = -EADDRNOTAVAIL; - - rdsdebug("addr %pI4 ret %d node type %d\n", -From foo@baz Thu Apr 10 20:31:47 PDT 2014 -From: Gilles Chanteperdrix -Date: Sun, 6 Apr 2014 20:37:44 +0200 -Subject: net/at91_ether: avoid NULL pointer dereference - -From: Gilles Chanteperdrix - -[ Upstream commit c293fb785bdda64d88f197e6758a3c16ae83e569 ] - -The at91_ether driver calls macb_mii_init passing a 'struct macb' -structure whose tx_clk member is initialized to 0. However, -macb_handle_link_change() expects tx_clk to be the result of -a call to clk_get, and so IS_ERR(tx_clk) to be true if the clock -is invalid. This causes an oops when booting Linux 3.14 on the -csb637 board. The following changes avoids this. - -Signed-off-by: Gilles Chanteperdrix -Acked-by: Nicolas Ferre -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/ethernet/cadence/at91_ether.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/net/ethernet/cadence/at91_ether.c -+++ b/drivers/net/ethernet/cadence/at91_ether.c -@@ -342,6 +342,9 @@ static int __init at91ether_probe(struct - } - clk_enable(lp->pclk); - -+ lp->hclk = ERR_PTR(-ENOENT); -+ lp->tx_clk = ERR_PTR(-ENOENT); -+ - /* Install the interrupt handler */ - dev->irq = platform_get_irq(pdev, 0); - res = devm_request_irq(&pdev->dev, dev->irq, at91ether_interrupt, 0, dev->name, dev); -From 8930b05090acd321b1fc7c642528c697cb105c42 Mon Sep 17 00:00:00 2001 -From: Eyal Shapira -Date: Sun, 16 Mar 2014 05:23:21 +0200 -Subject: iwlwifi: mvm: rs: fix search cycle rules - -From: Eyal Shapira - -commit 8930b05090acd321b1fc7c642528c697cb105c42 upstream. - -We should explore all possible columns when searching to be -as resilient as possible to changing conditions. This fixes -for example a scenario where even after a sudden creation of -rssi difference between the 2 antennas we would keep doing MIMO -at a low rate instead of switching to SISO at a higher rate using -the better antenna which was the optimal configuration. - -Signed-off-by: Eyal Shapira -Signed-off-by: Emmanuel Grumbach -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/net/wireless/iwlwifi/mvm/rs.c | 36 +++++++++++++++++----------------- - 1 file changed, 18 insertions(+), 18 deletions(-) - ---- a/drivers/net/wireless/iwlwifi/mvm/rs.c -+++ b/drivers/net/wireless/iwlwifi/mvm/rs.c -@@ -211,9 +211,9 @@ static const struct rs_tx_column rs_tx_c - .next_columns = { - RS_COLUMN_LEGACY_ANT_B, - RS_COLUMN_SISO_ANT_A, -+ RS_COLUMN_SISO_ANT_B, - RS_COLUMN_MIMO2, -- RS_COLUMN_INVALID, -- RS_COLUMN_INVALID, -+ RS_COLUMN_MIMO2_SGI, - }, - }, - [RS_COLUMN_LEGACY_ANT_B] = { -@@ -221,10 +221,10 @@ static const struct rs_tx_column rs_tx_c - .ant = ANT_B, - .next_columns = { - RS_COLUMN_LEGACY_ANT_A, -+ RS_COLUMN_SISO_ANT_A, - RS_COLUMN_SISO_ANT_B, - RS_COLUMN_MIMO2, -- RS_COLUMN_INVALID, -- RS_COLUMN_INVALID, -+ RS_COLUMN_MIMO2_SGI, - }, - }, - [RS_COLUMN_SISO_ANT_A] = { -@@ -234,8 +234,8 @@ static const struct rs_tx_column rs_tx_c - RS_COLUMN_SISO_ANT_B, - RS_COLUMN_MIMO2, - RS_COLUMN_SISO_ANT_A_SGI, -- RS_COLUMN_INVALID, -- RS_COLUMN_INVALID, -+ RS_COLUMN_SISO_ANT_B_SGI, -+ RS_COLUMN_MIMO2_SGI, - }, - .checks = { - rs_siso_allow, -@@ -248,8 +248,8 @@ static const struct rs_tx_column rs_tx_c - RS_COLUMN_SISO_ANT_A, - RS_COLUMN_MIMO2, - RS_COLUMN_SISO_ANT_B_SGI, -- RS_COLUMN_INVALID, -- RS_COLUMN_INVALID, -+ RS_COLUMN_SISO_ANT_A_SGI, -+ RS_COLUMN_MIMO2_SGI, - }, - .checks = { - rs_siso_allow, -@@ -263,8 +263,8 @@ static const struct rs_tx_column rs_tx_c - RS_COLUMN_SISO_ANT_B_SGI, - RS_COLUMN_MIMO2_SGI, - RS_COLUMN_SISO_ANT_A, -- RS_COLUMN_INVALID, -- RS_COLUMN_INVALID, -+ RS_COLUMN_SISO_ANT_B, -+ RS_COLUMN_MIMO2, - }, - .checks = { - rs_siso_allow, -@@ -279,8 +279,8 @@ static const struct rs_tx_column rs_tx_c - RS_COLUMN_SISO_ANT_A_SGI, - RS_COLUMN_MIMO2_SGI, - RS_COLUMN_SISO_ANT_B, -- RS_COLUMN_INVALID, -- RS_COLUMN_INVALID, -+ RS_COLUMN_SISO_ANT_A, -+ RS_COLUMN_MIMO2, - }, - .checks = { - rs_siso_allow, -@@ -292,10 +292,10 @@ static const struct rs_tx_column rs_tx_c - .ant = ANT_AB, - .next_columns = { - RS_COLUMN_SISO_ANT_A, -+ RS_COLUMN_SISO_ANT_B, -+ RS_COLUMN_SISO_ANT_A_SGI, -+ RS_COLUMN_SISO_ANT_B_SGI, - RS_COLUMN_MIMO2_SGI, -- RS_COLUMN_INVALID, -- RS_COLUMN_INVALID, -- RS_COLUMN_INVALID, - }, - .checks = { - rs_mimo_allow, -@@ -307,10 +307,10 @@ static const struct rs_tx_column rs_tx_c - .sgi = true, - .next_columns = { - RS_COLUMN_SISO_ANT_A_SGI, -+ RS_COLUMN_SISO_ANT_B_SGI, -+ RS_COLUMN_SISO_ANT_A, -+ RS_COLUMN_SISO_ANT_B, - RS_COLUMN_MIMO2, -- RS_COLUMN_INVALID, -- RS_COLUMN_INVALID, -- RS_COLUMN_INVALID, - }, - .checks = { - rs_mimo_allow, -From 6eda477b3c54b8236868c8784e5e042ff14244f0 Mon Sep 17 00:00:00 2001 -From: Mischa Jonker -Date: Thu, 16 May 2013 19:36:08 +0200 -Subject: ARC: [nsimosci] Change .dts to use generic 8250 UART - -From: Mischa Jonker - -commit 6eda477b3c54b8236868c8784e5e042ff14244f0 upstream. - -The Synopsys APB DW UART has a couple of special features that are not -in the System C model. In 3.8, the 8250_dw driver didn't really use these -features, but from 3.9 onwards, the 8250_dw driver has become incompatible -with our model. - -Signed-off-by: Mischa Jonker -Signed-off-by: Vineet Gupta -Cc: Francois Bedard -Signed-off-by: Greg Kroah-Hartman - ---- - arch/arc/boot/dts/nsimosci.dts | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - ---- a/arch/arc/boot/dts/nsimosci.dts -+++ b/arch/arc/boot/dts/nsimosci.dts -@@ -11,7 +11,7 @@ - - / { - compatible = "snps,nsimosci"; -- clock-frequency = <80000000>; /* 80 MHZ */ -+ clock-frequency = <20000000>; /* 20 MHZ */ - #address-cells = <1>; - #size-cells = <1>; - interrupt-parent = <&intc>; -@@ -44,15 +44,14 @@ - }; - - uart0: serial@c0000000 { -- compatible = "snps,dw-apb-uart"; -+ compatible = "ns8250"; - reg = <0xc0000000 0x2000>; - interrupts = <11>; -- #clock-frequency = <80000000>; - clock-frequency = <3686400>; - baud = <115200>; - reg-shift = <2>; - reg-io-width = <4>; -- status = "okay"; -+ no-loopback-test = <1>; - }; - - pgu0: pgu@c9000000 { -From 61fb4bfc010b0d2940f7fd87acbce6a0f03217cb Mon Sep 17 00:00:00 2001 -From: Vineet Gupta -Date: Sat, 5 Apr 2014 15:30:22 +0530 -Subject: ARC: [nsimosci] Unbork console - -From: Vineet Gupta - -commit 61fb4bfc010b0d2940f7fd87acbce6a0f03217cb upstream. - -Despite the switch to right UART driver (prev patch), serial console -still doesn't work due to missing CONFIG_SERIAL_OF_PLATFORM - -Also fix the default cmdline in DT to not refer to out-of-tree -ARC framebuffer driver for console. - -Signed-off-by: Vineet Gupta -Cc: Francois Bedard -Signed-off-by: Greg Kroah-Hartman - ---- - arch/arc/boot/dts/nsimosci.dts | 5 ++++- - arch/arc/configs/nsimosci_defconfig | 1 + - 2 files changed, 5 insertions(+), 1 deletion(-) - ---- a/arch/arc/boot/dts/nsimosci.dts -+++ b/arch/arc/boot/dts/nsimosci.dts -@@ -17,7 +17,10 @@ - interrupt-parent = <&intc>; - - chosen { -- bootargs = "console=tty0 consoleblank=0"; -+ /* this is for console on PGU */ -+ /* bootargs = "console=tty0 consoleblank=0"; */ -+ /* this is for console on serial */ -+ bootargs = "earlycon=uart8250,mmio32,0xc0000000,115200n8 console=ttyS0,115200n8 consoleblank=0 debug"; - }; - - aliases { ---- a/arch/arc/configs/nsimosci_defconfig -+++ b/arch/arc/configs/nsimosci_defconfig -@@ -54,6 +54,7 @@ CONFIG_SERIO_ARC_PS2=y - CONFIG_SERIAL_8250=y - CONFIG_SERIAL_8250_CONSOLE=y - CONFIG_SERIAL_8250_DW=y -+CONFIG_SERIAL_OF_PLATFORM=y - CONFIG_SERIAL_ARC=y - CONFIG_SERIAL_ARC_CONSOLE=y - # CONFIG_HW_RANDOM is not set -From 03b8c7b623c80af264c4c8d6111e5c6289933666 Mon Sep 17 00:00:00 2001 -From: Heiko Carstens -Date: Sun, 2 Mar 2014 13:09:47 +0100 -Subject: futex: Allow architectures to skip futex_atomic_cmpxchg_inatomic() test - -From: Heiko Carstens - -commit 03b8c7b623c80af264c4c8d6111e5c6289933666 upstream. - -If an architecture has futex_atomic_cmpxchg_inatomic() implemented and there -is no runtime check necessary, allow to skip the test within futex_init(). - -This allows to get rid of some code which would always give the same result, -and also allows the compiler to optimize a couple of if statements away. - -Signed-off-by: Heiko Carstens -Cc: Finn Thain -Cc: Geert Uytterhoeven -Link: http://lkml.kernel.org/r/20140302120947.GA3641@osiris -Signed-off-by: Thomas Gleixner -Signed-off-by: Greg Kroah-Hartman - ---- - arch/s390/Kconfig | 1 + - include/linux/futex.h | 4 ++++ - init/Kconfig | 7 +++++++ - kernel/futex.c | 37 ++++++++++++++++++++++++------------- - 4 files changed, 36 insertions(+), 13 deletions(-) - ---- a/arch/s390/Kconfig -+++ b/arch/s390/Kconfig -@@ -117,6 +117,7 @@ config S390 - select HAVE_FUNCTION_GRAPH_TRACER - select HAVE_FUNCTION_TRACER - select HAVE_FUNCTION_TRACE_MCOUNT_TEST -+ select HAVE_FUTEX_CMPXCHG if FUTEX - select HAVE_KERNEL_BZIP2 - select HAVE_KERNEL_GZIP - select HAVE_KERNEL_LZ4 ---- a/include/linux/futex.h -+++ b/include/linux/futex.h -@@ -55,7 +55,11 @@ union futex_key { - #ifdef CONFIG_FUTEX - extern void exit_robust_list(struct task_struct *curr); - extern void exit_pi_state_list(struct task_struct *curr); -+#ifdef CONFIG_HAVE_FUTEX_CMPXCHG -+#define futex_cmpxchg_enabled 1 -+#else - extern int futex_cmpxchg_enabled; -+#endif - #else - static inline void exit_robust_list(struct task_struct *curr) - { ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1387,6 +1387,13 @@ config FUTEX - support for "fast userspace mutexes". The resulting kernel may not - run glibc-based applications correctly. - -+config HAVE_FUTEX_CMPXCHG -+ bool -+ help -+ Architectures should select this if futex_atomic_cmpxchg_inatomic() -+ is implemented and always working. This removes a couple of runtime -+ checks. -+ - config EPOLL - bool "Enable eventpoll support" if EXPERT - default y ---- a/kernel/futex.c -+++ b/kernel/futex.c -@@ -157,7 +157,9 @@ - * enqueue. - */ - -+#ifndef CONFIG_HAVE_FUTEX_CMPXCHG - int __read_mostly futex_cmpxchg_enabled; -+#endif - - /* - * Futex flags used to encode options to functions and preserve them across -@@ -2880,9 +2882,28 @@ SYSCALL_DEFINE6(futex, u32 __user *, uad - return do_futex(uaddr, op, val, tp, uaddr2, val2, val3); - } - --static int __init futex_init(void) -+static void __init futex_detect_cmpxchg(void) - { -+#ifndef CONFIG_HAVE_FUTEX_CMPXCHG - u32 curval; -+ -+ /* -+ * This will fail and we want it. Some arch implementations do -+ * runtime detection of the futex_atomic_cmpxchg_inatomic() -+ * functionality. We want to know that before we call in any -+ * of the complex code paths. Also we want to prevent -+ * registration of robust lists in that case. NULL is -+ * guaranteed to fault and we get -EFAULT on functional -+ * implementation, the non-functional ones will return -+ * -ENOSYS. -+ */ -+ if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT) -+ futex_cmpxchg_enabled = 1; -+#endif -+} -+ -+static int __init futex_init(void) -+{ - unsigned int futex_shift; - unsigned long i; - -@@ -2898,18 +2919,8 @@ static int __init futex_init(void) - &futex_shift, NULL, - futex_hashsize, futex_hashsize); - futex_hashsize = 1UL << futex_shift; -- /* -- * This will fail and we want it. Some arch implementations do -- * runtime detection of the futex_atomic_cmpxchg_inatomic() -- * functionality. We want to know that before we call in any -- * of the complex code paths. Also we want to prevent -- * registration of robust lists in that case. NULL is -- * guaranteed to fault and we get -EFAULT on functional -- * implementation, the non-functional ones will return -- * -ENOSYS. -- */ -- if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT) -- futex_cmpxchg_enabled = 1; -+ -+ futex_detect_cmpxchg(); - - for (i = 0; i < futex_hashsize; i++) { - atomic_set(&futex_queues[i].waiters, 0); -From e571c58f313d35c56e0018470e3375ddd1fd320e Mon Sep 17 00:00:00 2001 -From: Finn Thain -Date: Thu, 6 Mar 2014 10:29:27 +1100 -Subject: m68k: Skip futex_atomic_cmpxchg_inatomic() test - -From: Finn Thain - -commit e571c58f313d35c56e0018470e3375ddd1fd320e upstream. - -Skip the futex_atomic_cmpxchg_inatomic() test in futex_init(). It causes a -fatal exception on 68030 (and presumably 68020 also). - -Signed-off-by: Finn Thain -Acked-by: Geert Uytterhoeven -Link: http://lkml.kernel.org/r/alpine.LNX.2.00.1403061006440.5525@nippy.intranet -Signed-off-by: Thomas Gleixner -Signed-off-by: Greg Kroah-Hartman - ---- - arch/m68k/Kconfig | 1 + - 1 file changed, 1 insertion(+) - ---- a/arch/m68k/Kconfig -+++ b/arch/m68k/Kconfig -@@ -17,6 +17,7 @@ config M68K - select FPU if MMU - select ARCH_WANT_IPC_PARSE_VERSION - select ARCH_USES_GETTIMEOFFSET if MMU && !COLDFIRE -+ select HAVE_FUTEX_CMPXCHG if MMU && FUTEX - select HAVE_MOD_ARCH_SPECIFIC - select MODULES_USE_ELF_REL - select MODULES_USE_ELF_RELA -From 8ceee72808d1ae3fb191284afc2257a2be964725 Mon Sep 17 00:00:00 2001 -From: Ard Biesheuvel -Date: Thu, 27 Mar 2014 18:14:40 +0100 -Subject: crypto: ghash-clmulni-intel - use C implementation for setkey() - -From: Ard Biesheuvel - -commit 8ceee72808d1ae3fb191284afc2257a2be964725 upstream. - -The GHASH setkey() function uses SSE registers but fails to call -kernel_fpu_begin()/kernel_fpu_end(). Instead of adding these calls, and -then having to deal with the restriction that they cannot be called from -interrupt context, move the setkey() implementation to the C domain. - -Note that setkey() does not use any particular SSE features and is not -expected to become a performance bottleneck. - -Signed-off-by: Ard Biesheuvel -Acked-by: H. Peter Anvin -Fixes: 0e1227d356e9b (crypto: ghash - Add PCLMULQDQ accelerated implementation) -Signed-off-by: Herbert Xu -Signed-off-by: Greg Kroah-Hartman - ---- - arch/x86/crypto/ghash-clmulni-intel_asm.S | 29 ----------------------------- - arch/x86/crypto/ghash-clmulni-intel_glue.c | 14 +++++++++++--- - 2 files changed, 11 insertions(+), 32 deletions(-) - ---- a/arch/x86/crypto/ghash-clmulni-intel_asm.S -+++ b/arch/x86/crypto/ghash-clmulni-intel_asm.S -@@ -24,10 +24,6 @@ - .align 16 - .Lbswap_mask: - .octa 0x000102030405060708090a0b0c0d0e0f --.Lpoly: -- .octa 0xc2000000000000000000000000000001 --.Ltwo_one: -- .octa 0x00000001000000000000000000000001 - - #define DATA %xmm0 - #define SHASH %xmm1 -@@ -134,28 +130,3 @@ ENTRY(clmul_ghash_update) - .Lupdate_just_ret: - ret - ENDPROC(clmul_ghash_update) -- --/* -- * void clmul_ghash_setkey(be128 *shash, const u8 *key); -- * -- * Calculate hash_key << 1 mod poly -- */ --ENTRY(clmul_ghash_setkey) -- movaps .Lbswap_mask, BSWAP -- movups (%rsi), %xmm0 -- PSHUFB_XMM BSWAP %xmm0 -- movaps %xmm0, %xmm1 -- psllq $1, %xmm0 -- psrlq $63, %xmm1 -- movaps %xmm1, %xmm2 -- pslldq $8, %xmm1 -- psrldq $8, %xmm2 -- por %xmm1, %xmm0 -- # reduction -- pshufd $0b00100100, %xmm2, %xmm1 -- pcmpeqd .Ltwo_one, %xmm1 -- pand .Lpoly, %xmm1 -- pxor %xmm1, %xmm0 -- movups %xmm0, (%rdi) -- ret --ENDPROC(clmul_ghash_setkey) ---- a/arch/x86/crypto/ghash-clmulni-intel_glue.c -+++ b/arch/x86/crypto/ghash-clmulni-intel_glue.c -@@ -30,8 +30,6 @@ void clmul_ghash_mul(char *dst, const be - void clmul_ghash_update(char *dst, const char *src, unsigned int srclen, - const be128 *shash); - --void clmul_ghash_setkey(be128 *shash, const u8 *key); -- - struct ghash_async_ctx { - struct cryptd_ahash *cryptd_tfm; - }; -@@ -58,13 +56,23 @@ static int ghash_setkey(struct crypto_sh - const u8 *key, unsigned int keylen) - { - struct ghash_ctx *ctx = crypto_shash_ctx(tfm); -+ be128 *x = (be128 *)key; -+ u64 a, b; - - if (keylen != GHASH_BLOCK_SIZE) { - crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); - return -EINVAL; - } - -- clmul_ghash_setkey(&ctx->shash, key); -+ /* perform multiplication by 'x' in GF(2^128) */ -+ a = be64_to_cpu(x->a); -+ b = be64_to_cpu(x->b); -+ -+ ctx->shash.a = (__be64)((b << 1) | (a >> 63)); -+ ctx->shash.b = (__be64)((a << 1) | (b >> 63)); -+ -+ if (a >> 63) -+ ctx->shash.b ^= cpu_to_be64(0xc2); - - return 0; - } diff --git a/kernel.spec b/kernel.spec index efc7566f8..cf519aa49 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 0 +%define stable_update 1 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -653,8 +653,6 @@ Patch1826: drm-i915-hush-check-crtc-state.patch # NFSv4 # patches headed upstream -Patch12015: 3.14.1-rc1.patch - Patch12016: disable-i8042-check-on-apple-mac.patch Patch14000: hibernate-freeze-filesystems.patch @@ -1357,8 +1355,6 @@ ApplyPatch drm-i915-hush-check-crtc-state.patch # Radeon DRM # Patches headed upstream -ApplyPatch 3.14.1-rc1.patch - ApplyPatch disable-i8042-check-on-apple-mac.patch # FIXME: REBASE @@ -2215,6 +2211,9 @@ fi # ||----w | # || || %changelog +* Mon Apr 14 2014 Josh Boyer +- Linux v3.14.1 + * Mon Apr 14 2014 Hans de Goede - Add min/max quirks for various new Thinkpad touchpads (rhbz 1085582 1085697) diff --git a/sources b/sources index 3d6940b42..924114b90 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz d36baf2d62de5aa61f10a976d00d2d2a perf-man-3.14.tar.gz +2526eb95793ecc1c22d7e1428ef23cdc patch-3.14.1.xz