Commit Graph

361879 Commits

Author SHA1 Message Date
Al Viro
ba5bb14733 pipe: take allocation and freeing of pipe_inode_info out of ->i_mutex
* new field - pipe->files; number of struct file over that pipe (all
  sharing the same inode, of course); protected by inode->i_lock.
* pipe_release() decrements pipe->files, clears inode->i_pipe when
  if the counter has reached 0 (all under ->i_lock) and, in that case,
  frees pipe after having done pipe_unlock()
* fifo_open() starts with grabbing ->i_lock, and either bumps pipe->files
  if ->i_pipe was non-NULL or allocates a new pipe (dropping and regaining
  ->i_lock) and rechecks ->i_pipe; if it's still NULL, inserts new pipe
  there, otherwise bumps ->i_pipe->files and frees the one we'd allocated.
  At that point we know that ->i_pipe is non-NULL and won't go away, so
  we can do pipe_lock() on it and proceed as we used to.  If we end up
  failing, decrement pipe->files and if it reaches 0 clear ->i_pipe and
  free the sucker after pipe_unlock().

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:59 -04:00
Al Viro
18c03cfd40 pipe: preparation to new locking rules
* use the fact that file_inode(file)->i_pipe doesn't change
  while the file is opened - no locks needed to access that.
* switch to pipe_lock/pipe_unlock where it's easy to do

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:59 -04:00
Al Viro
fc7478a2bf pipe: switch wait_for_partner() and wake_up_partner() to pipe_inode_info
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:59 -04:00
Al Viro
599a0ac14e pipe: fold file_operations instances in one
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:58 -04:00
Al Viro
f776c73888 fold fifo.c into pipe.c
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:58 -04:00
Al Viro
2dd8c9ad37 lift sb_start_write out of ->splice_write()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:57 -04:00
Al Viro
17338fccb2 lift sb_start_write into default_file_splice_write()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:57 -04:00
Al Viro
03d95eb2f2 lift sb_start_write() out of ->write()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:56 -04:00
Al Viro
72ec35163f switch compat readv/writev variants to COMPAT_SYSCALL_DEFINE
... and take to fs/read_write.c

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:56 -04:00
Al Viro
bdaec334bb f2fs: use mnt_want_write_file() in ioctl
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:56 -04:00
Al Viro
8d71db4f08 lift sb_start_write/sb_end_write out of ->aio_write()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:55 -04:00
Al Viro
5f2e354f52 hpfs: move setting hpfs-private i_dirty to ->write_end()
... so that writev(2) doesn't miss it.  Get rid of hpfs_file_write().

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:55 -04:00
Al Viro
d5daaaff24 reiserfs: don't wank with EFBIG before calling do_sync_write()
look for file_capable() in there...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:54 -04:00
Al Viro
97216be09e fold release_mounts() into namespace_unlock()
... and provide namespace_lock() as a trivial wrapper;
switch to those two consistently.

Result is patterned after rtnl_lock/rtnl_unlock pair.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:54 -04:00
Al Viro
328e6d9014 switch unlock_mount() to namespace_unlock(), convert all umount_tree() callers
which allows to kill the last argument of umount_tree() and make release_mounts()
static.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:53 -04:00
Al Viro
3ab6abee59 more conversions to namespace_unlock()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:53 -04:00
Al Viro
b54b9be782 get rid of the second argument of shrink_submounts()
... it's always &unmounted.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:53 -04:00
Al Viro
e3197d83d6 saner umount_tree()/release_mounts(), part 1
global list of release_mounts() fodder, protected by namespace_sem;
eventually, all umount_tree() callers will use it as kill list.
Helper picking the contents of that list, releasing namespace_sem
and doing release_mounts() on what it got.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:52 -04:00
Al Viro
84d17192d2 get rid of full-hash scan on detaching vfsmounts
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:12:52 -04:00
Andrey Vagin
e9c5d8a562 mnt: release locks on error path in do_loopback
do_loopback calls lock_mount(path) and forget to unlock_mount
if clone_mnt or copy_mnt fails.

[   77.661566] ================================================
[   77.662939] [ BUG: lock held when returning to user space! ]
[   77.664104] 3.9.0-rc5+ #17 Not tainted
[   77.664982] ------------------------------------------------
[   77.666488] mount/514 is leaving the kernel with locks still held!
[   77.668027] 2 locks held by mount/514:
[   77.668817]  #0:  (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [<ffffffff811cca22>] lock_mount+0x32/0xe0
[   77.671755]  #1:  (&namespace_sem){+++++.}, at: [<ffffffff811cca3a>] lock_mount+0x4a/0xe0

Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:09:50 -04:00
Al Viro
ccf932042f palinfo fixes
* check for proc_mkdir() failures
	* fix buffer overrun - sizeof(format string) is *not* enough to
hold sprintf() result.
	* use proc_remove_subtree(); life's much easier with it

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:09:44 -04:00
Al Viro
8ce584c741 procfs: add proc_remove_subtree()
just what it sounds like; do that only to procfs subtrees you've
created - doing that to something shared with another driver is
not only antisocial, but might cause interesting races with
proc_create() and its ilk.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:09:17 -04:00
Al Viro
52f21999c7 ecryptfs: close rmmod race
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-04-09 14:08:16 -04:00
Linus Torvalds
de55eb1d60 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull vfs fixes from Al Viro:
 "stable fodder; assorted deadlock fixes"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  vt: synchronize_rcu() under spinlock is not nice...
  Nest rename_lock inside vfsmount_lock
  Don't bother with redoing rw_verify_area() from default_file_splice_from()
2013-03-26 17:42:55 -07:00
Al Viro
e8cd81693b vt: synchronize_rcu() under spinlock is not nice...
vcs_poll_data_free() calls unregister_vt_notifier(), which calls
atomic_notifier_chain_unregister(), which calls synchronize_rcu().
Do it *after* we'd dropped ->f_lock.

Cc: stable@vger.kernel.org (all kernels since 2.6.37)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-03-26 20:30:17 -04:00
Al Viro
7ea600b531 Nest rename_lock inside vfsmount_lock
... lest we get livelocks between path_is_under() and d_path() and friends.

The thing is, wrt fairness lglocks are more similar to rwsems than to rwlocks;
it is possible to have thread B spin on attempt to take lock shared while thread
A is already holding it shared, if B is on lower-numbered CPU than A and there's
a thread C spinning on attempt to take the same lock exclusive.

As the result, we need consistent ordering between vfsmount_lock (lglock) and
rename_lock (seq_lock), even though everything that takes both is going to take
vfsmount_lock only shared.

Spotted-by: Brad Spengler <spender@grsecurity.net>
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-03-26 18:25:57 -04:00
Linus Torvalds
b175293ccc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) Always increment IPV4 ID field in encapsulated GSO packets, even
    when DF is set.  Regression fix from Pravin B Shelar.

 2) Fix per-net subsystem initialization in netfilter conntrack,
    otherwise we may access dynamically allocated memory before it is
    actually allocated.  From Gao Feng.

 3) Fix DMA buffer lengths in iwl3945 driver, from Stanislaw Gruszka.

 4) Fix race between submission of sync vs async commands in mwifiex
    driver, from Amitkumar Karwar.

 5) Add missing cancel of command timer in mwifiex driver, from Bing
    Zhao.

 6) Missing SKB free in rtlwifi USB driver, from Jussi Kivilinna.

 7) Thermal layer tries to use a genetlink multicast string that is
    longer than the 16 character limit.  Fix it and add a BUG check to
    prevent this kind of thing from happening in the future.

 From Masatake YAMATO.

 8) Fix many bugs in the handling of the teardown of L2TP connections,
    UDP encapsulation instances, and sockets.  From Tom Parkin.

 9) Missing socket release in IRDA, from Kees Cook.

10) Fix fec driver modular build, from Fabio Estevam.

11) Erroneous use of kfree() instead of free_netdev() in lantiq_etop,
    from Wei Yongjun.

12) Fix bugs in handling of queue numbers and steering rules in mlx4
    driver, from Moshe Lazer, Hadar Hen Zion, and Or Gerlitz.

13) Some FOO_DIAG_MAX constants were defined off by one, fix from Andrey
    Vagin.

14) TCP segmentation deferral is unintentionally done too strongly,
    breaking ACK clocking.  Fix from Eric Dumazet.

15) net_enable_timestamp() can legitimately be invoked from software
    interrupts, and in a way that is safe, so remove the WARN_ON().
    Also from Eric Dumazet.

16) Fix use after free in VLANs, from Cong Wang.

17) Fix TCP slow start retransmit storms after SACK reneging, from
    Yuchung Cheng.

18) Unix socket release should mark a socket dead before NULL'ing out
    sock->sk, otherwise we can race.  Fix from Paul Moore.

19) IPV6 addrconf code can try to free static memory, from Hong Zhiguo.

20) Fix register mis-programming, NULL pointer derefs, and wrong PHC
    clock frequency in IGB driver.  From Lior LevyAlex Williamson, Jiri
    Benc, and Jeff Kirsher.

21) skb->ip_summed logic in pch_gbe driver is reversed, breaking packet
    forwarding.  Fix from Veaceslav Falico.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (65 commits)
  ipv4: Fix ip-header identification for gso packets.
  bonding: remove already created master sysfs link on failure
  af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
  pch_gbe: fix ip_summed checksum reporting on rx
  igb: fix PHC stopping on max freq
  igb: make sensor info static
  igb: SR-IOV init reordering
  igb: Fix null pointer dereference
  igb: fix i350 anti spoofing config
  ixgbevf: don't release the soft entries
  ipv6: fix bad free of addrconf_init_net
  unix: fix a race condition in unix_release()
  tcp: undo spurious timeout after SACK reneging
  bnx2x: fix assignment of signed expression to unsigned variable
  bridge: fix crash when set mac address of br interface
  8021q: fix a potential use-after-free
  net: remove a WARN_ON() in net_enable_timestamp()
  tcp: preserve ACK clocking in TSO
  net: fix *_DIAG_MAX constants
  net/mlx4_core: Disallow releasing VF QPs which have steering rules
  ...
2013-03-26 14:24:29 -07:00
Linus Torvalds
5d538483ea NFS client bugfixes for Linux 3.9
- Fix an NFSv4 idmapper regression
 - Fix an Oops in the pNFS blocks client
 - Fix up various issues with pNFS layoutcommit
 - Ensure correct read ordering of variables in rpc_wake_up_task_queue_locked
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.13 (GNU/Linux)
 
 iQIcBAABAgAGBQJRUedyAAoJEGcL54qWCgDyar0P/2pTT/yxX8ejTu5DmY7e4PYJ
 jhPG2AEqY/yMLn9GvB375VIs1L8tuY50+3NFhWZFjyNbEU3GV+5Y+kPpBtAgYiSI
 VyIXiJ/xMtXdYJMYuE/nh5jbcqJsHwGjpcIaSd5BuWzQUaoUYvLulxWd4QN8mmaT
 5SuzmgV+7WIqV6RjlaYF82srcOKAjwemcrfRkCNzzJr6aT39gH2YdYFbDaTr7qhU
 fw0x3QlI7887vSNQcfaGbC1+jr6oe8wRCneOR0tceU/8bcj6zlUDk5HxqSOc28mA
 jUQieoVRggcM4s5DFpNcuwW6qCPZOmzv/OFD6oqnhyyonPOrue+7zaoujZmGNmjx
 dT2V/jQehanYD25WpDO8OyFXUeYE4x9bgHKsszhBTwr4x5D8ceEJ1sugcOPiTTxu
 tflbbuWbt+BguvXp4p8QayUj0V2cplM/nOovWyUG+BH46sz3Dtv46NOgJeO2a29g
 T6jayxmKCxvtPKtG0j34BzLngiKabZTSEhFms6Qarp9lwWvHWrR9KWGuDBNvy1Ts
 GMBN8P6Ib40yVi6Pwlj5Jpy6yLKVklHtJQpactr63AZmYrF4bBBSom+MWAh3X1iO
 QtF0x9Z1bBkXY2Q/u+3vWMxQtEPeW+pSiloj8aiceFAt33zKM+1bLofDhEw0s2fI
 wJEHYsGyGtDQINgP0v1e
 =OPbZ
 -----END PGP SIGNATURE-----

Merge tag 'nfs-for-3.9-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs

Pull NFS client bugfixes from Trond Myklebust:
 - Fix an NFSv4 idmapper regression
 - Fix an Oops in the pNFS blocks client
 - Fix up various issues with pNFS layoutcommit
 - Ensure correct read ordering of variables in
   rpc_wake_up_task_queue_locked

* tag 'nfs-for-3.9-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
  SUNRPC: Add barriers to ensure read ordering in rpc_wake_up_task_queue_locked
  NFSv4.1: Add a helper pnfs_commit_and_return_layout
  NFSv4.1: Always clear the NFS_INO_LAYOUTCOMMIT in layoutreturn
  NFSv4.1: Fix a race in pNFS layoutcommit
  pnfs-block: removing DM device maybe cause oops when call dev_remove
  NFSv4: Fix the string length returned by the idmapper
2013-03-26 14:23:45 -07:00
Pravin B Shelar
330305cc4a ipv4: Fix ip-header identification for gso packets.
ip-header id needs to be incremented even if IP_DF flag is set.
This behaviour was changed in commit 490ab08127
(IP_GRE: Fix IP-Identification).

Following patch fixes it so that identification is always
incremented.

Reported-by: Cong Wang <amwang@redhat.com>
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-26 13:50:05 -04:00
Veaceslav Falico
9fe16b78ee bonding: remove already created master sysfs link on failure
If slave sysfs symlink failes to be created - we end up without removing
the master sysfs symlink. Remove it in case of failure.

Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-26 13:00:02 -04:00
dingtianhong
14134f6584 af_unix: dont send SCM_CREDENTIAL when dest socket is NULL
SCM_SCREDENTIALS should apply to write() syscalls only either source or destination
socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong,
and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom).

Origionally-authored-by: Karel Srot <ksrot@redhat.com>
Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-26 12:33:55 -04:00
David S. Miller
465c0a1659 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net
Jeff Kirsher says:

====================
This series contains updates to ixgbevf and igb.

The ixgbevf calls to pci_disable_msix() and to free the msix_entries
memory should not occur if device open fails.  Instead they should be
called during device driver removal to balance with the call to
pci_enable_msix() and the call to allocate msix_entries memory
during the device probe and driver load.

The remaining 4 of 5 igb patches are simple 1-3 line patches to fix
several issues such as possible null pointer dereference, PHC stopping
on max frequency, make sensor info static and SR-IOV initialization
reordering.

The remaining igb patch to fix anti-spoofing config fixes a problem
in i350 where anti spoofing configuration was written into a wrong
register.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-26 12:21:31 -04:00
Veaceslav Falico
76a0e68129 pch_gbe: fix ip_summed checksum reporting on rx
skb->ip_summed should be CHECKSUM_UNNECESSARY when the driver reports that
checksums were correct and CHECKSUM_NONE in any other case. They're
currently placed vice versa, which breaks the forwarding scenario. Fix it
by placing them as described above.

Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-26 12:20:29 -04:00
Jiri Benc
75517d9211 igb: fix PHC stopping on max freq
For 82576 MAC type, max_adj is reported as 1000000000 ppb. However, if
this value is passed to igb_ptp_adjfreq_82576, incvalue overflows out of
INCVALUE_82576_MASK, resulting in setting of zero TIMINCA.incvalue, stopping
the PHC (instead of going at twice the nominal speed).

Fix the advertised max_adj value to the largest value hardware can handle.
As there is no min_adj value available (-max_adj is used instead), this will
also prevent stopping the clock intentionally. It's probably not a big deal,
other igb MAC types don't support stopping the clock, either.

Signed-off-by: Jiri Benc <jbenc@redhat.com>
Acked-by: Matthew Vick <matthew.vick@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-03-26 03:21:34 -07:00
Stephen Hemminger
05ec29e8fa igb: make sensor info static
Trivial sparse warning.

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-03-26 03:14:48 -07:00
Alex Williamson
d5e51a10d2 igb: SR-IOV init reordering
igb is ineffective at setting a lower total VFs because:

int pci_sriov_set_totalvfs(struct pci_dev *dev, u16 numvfs)
{
        ...
        /* Shouldn't change if VFs already enabled */
        if (dev->sriov->ctrl & PCI_SRIOV_CTRL_VFE)
                return -EBUSY;

Swap init ordering.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Acked-by: Greg Rose <gregory.v.rose@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-03-26 03:07:27 -07:00
Alex Williamson
d0f63acc2f igb: Fix null pointer dereference
The max_vfs= option has always been self limiting to the number of VFs
supported by the device.  fa44f2f1 added SR-IOV configuration via
sysfs, but in the process broke this self correction factor.  The
failing path is:

igb_probe
  igb_sw_init
    if (max_vfs > 7) {
        adapter->vfs_allocated_count = 7;
    ...
    igb_probe_vfs
    igb_enable_sriov(, max_vfs)
      if (num_vfs > 7) {
        err = -EPERM;
        ...

This leaves vfs_allocated_count = 7 and vf_data = NULL, so we bomb out
when igb_probe finally calls igb_reset.  It seems like a really bad
idea, and somewhat pointless, to set vfs_allocated_count separate from
vf_data, but limiting max_vfs is enough to avoid the null pointer.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Acked-by: Greg Rose <gregory.v.rose@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-03-26 03:00:32 -07:00
Lior Levy
22c12752d1 igb: fix i350 anti spoofing config
Fix a problem in i350 where anti spoofing configuration was written into a
wrong register.

Signed-off-by: Lior Levy <lior.levy@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-03-26 02:47:50 -07:00
xunleer
a1f6c6b147 ixgbevf: don't release the soft entries
When the ixgbevf driver is opened the request to allocate MSIX irq
vectors may fail.  In that case the driver will call ixgbevf_down()
which will call ixgbevf_irq_disable() to clear the HW interrupt
registers and calls synchronize_irq() using the msix_entries pointer in
the adapter structure.  However, when the function to request the MSIX
irq vectors failed it had already freed the msix_entries which causes
an OOPs from using the NULL pointer in synchronize_irq().

The calls to pci_disable_msix() and to free the msix_entries memory
should not occur if device open fails.  Instead they should be called
during device driver removal to balance with the call to
pci_enable_msix() and the call to allocate msix_entries memory
during the device probe and driver load.

Signed-off-by: Li Xun <xunleer.li@huawei.com>
Signed-off-by: Greg Rose <gregory.v.rose@intel.com>
Tested-by: Sibai Li <sibai.li@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2013-03-26 02:31:48 -07:00
Linus Torvalds
a12183c627 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull timer fix from Thomas Gleixner:
 "A single bugfix which prevents that a non functional timer device is
  selected to provide the fallback device, which is supposed to serve
  timer interrupts on behalf of non functional devices ..."

* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  clockevents: Don't allow dummy broadcast timers
2013-03-25 18:03:34 -07:00
Hong Zhiguo
a79ca223e0 ipv6: fix bad free of addrconf_init_net
Signed-off-by: Hong Zhiguo <honkiko@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-25 13:55:38 -04:00
Paul Moore
ded34e0fe8 unix: fix a race condition in unix_release()
As reported by Jan, and others over the past few years, there is a
race condition caused by unix_release setting the sock->sk pointer
to NULL before properly marking the socket as dead/orphaned.  This
can cause a problem with the LSM hook security_unix_may_send() if
there is another socket attempting to write to this partially
released socket in between when sock->sk is set to NULL and it is
marked as dead/orphaned.  This patch fixes this by only setting
sock->sk to NULL after the socket has been marked as dead; I also
take the opportunity to make unix_release_sock() a void function
as it only ever returned 0/success.

Dave, I think this one should go on the -stable pile.

Special thanks to Jan for coming up with a reproducer for this
problem.

Reported-by: Jan Stancek <jan.stancek@gmail.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-25 13:11:48 -04:00
Linus Torvalds
53b6809248 Small batch of InfiniBand/RDMA fixes for 3.9:
- Fix for TX lockup in IPoIB
  - QLogic -> Intel update for qib driver
  - Small static checker fix for qib
  - Fix error path return value in cxgb4
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABCAAGBQJRUH4BAAoJEENa44ZhAt0hP7gP/1SAVyeL8H/QNG6FDki7WUJC
 qoW4bnezuNb35/H9NSPUQ/XA0QY2XKdJamkSnDJgE5WVjWZS80hKUBcdUi3S2GBl
 Zbbs7H0Z2c/fiDvULrxRwqkZ/MlW4a6NnyKRHfSswKY+bAi+uybGoYGKmczXV4gC
 LlscYagb4WYVTNVlD5JG9sxo5ChueAx51IbzuOWq/94iyKtocFB87ZyK2FhbQaua
 n6af7lijAcTk02ad4JY2+ZZOOjGgOxP5+iigExzkXuS28dgNvNtN8FrrzLbiDHHy
 aZ7miLSdPawO790nvXzn1NGL/nZiUmRI46d7qv6K/X38IX7GUFtMNEDUFCCZknwg
 4VtNXzFExQy4YLCMpZ6di6rxMNVQ/EGj7QLN8jfD/pBEfiH/BMISdITL2KbgzcUv
 5TUQGeQFzzyY+2HwUCqb0RCskbhsIUwLDpEnhnyHI2sZKbdRrpI07ZpL3iAhTcqK
 5RDyXHNaVudVaKzaxq96vuw2OhH5fvACp3SdpaoCgZ54XuqoDoVW2q54vlj7anQI
 E0/f+EDyBf8Nu5YydQri76HE+BqG+PzCqU5Rq9866itLEG2DMsmAj9KJJUcDTiCn
 ANUIHoOpriGBAm1NP5tau/C0isvTw+lD/pBh26sdum1FwhoeqVf55PMvhxMG4Q/N
 aC3g+RMj3BPkdhewWpY+
 =SOee
 -----END PGP SIGNATURE-----

Merge tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband

Pull infiniband/rdma fixes from Roland Dreier:
 "Small batch of InfiniBand/RDMA fixes for 3.9:

   - Fix for TX lockup in IPoIB
   - QLogic -> Intel update for qib driver
   - Small static checker fix for qib
   - Fix error path return value in cxgb4"

* tag 'rdma-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/roland/infiniband:
  IB/qib: change QLogic to Intel
  IB/ipath: Silence a static checker warning
  IPoIB: Fix send lockup due to missed TX completion
  RDMA/cxgb4: Fix error return code in create_qp()
2013-03-25 09:44:40 -07:00
Linus Torvalds
fb9bb1829d arm-soc: bug fixes for 3.9-rc4
Four patches for arm-soc this week:
 
 - Kevin Hilman is no longer reachable under his previous email address.
   He submitted the patch earlier, but nobody felt responsible to pick
   it up.
 
 - One Tegra fix for an incorect register address in device tree.
 
 - IMX multiplatform support exposes a configuration option that
   leads to unbootable kernels on all other machines and that needs
   to depend on that platform.
 
 - A nontrivial bug fix for the setup of the mxs video output.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIVAwUAUVBQf2CrR//JCVInAQJwyRAA0qzt+jbn+ezvLpeWvrgdEVLikiAieVyt
 HmSex/pEWh2ytIkrX2maHv5Oov9QmX7v4ZEU2WtdvMv5YERsT7/y1hjHaZTLcdmH
 11ogfVwTRbrNVWOb41ofdd3rUVgZfgzCGQ0rfEua3wLRK6AetZJxkqsuGXRaqjdm
 BBbmgKAmLsLeM3/aBzeuFint1+EDY74WBMxgqkwUretefKFMxzcBaqhoR+FNDIdV
 YaYbOocq45LsOa44gxlF6pmJkZsOsB2pqAjoANm5KtZlphTEpDD1C/wXvBaVAOBh
 8mCuk2mHEyZsyLrufh/ZywaPcDaUMDwpO1zidATwaRCf6qWOr3jtWiCtQo4FeNYS
 o+kkYtELyAEvwDQuljghviq0p+z2vpnk52sYdXkYW8Pgz5TqhK+Gu2ywaeiqeT2B
 cbLGG32lVgJnmWOOXI7Z6MjekgKx5arx7z6Br+1pTT/fE44DgE+CtabEsCdcpFWG
 ftC7FdxZabDUhfynSaO43tgKhdVv2XpVobG3iW2RYJOWm2dJSxulZg9+jypdxITm
 VX3kPar+mjvwyf3svsGIc65SVaayR6pfiLzV8qBtR3trFRbIlrI7vo21d2tFtuS8
 PfAR+9VHkeOdjVKDbu1sl7YycWz03xq4cM9XPFhvrobeFXb5OFwDwLWn4DZR5ZWY
 iJSMJkaBSww=
 =F6UW
 -----END PGP SIGNATURE-----

Merge tag 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

Pull ARM SoC bug fixes from Arnd Bergmann:
 "Four patches for arm-soc this week:

   - Kevin Hilman is no longer reachable under his previous email
     address.  He submitted the patch earlier, but nobody felt
     responsible to pick it up.

   - One Tegra fix for an incorect register address in device tree.

   - IMX multiplatform support exposes a configuration option that leads
     to unbootable kernels on all other machines and that needs to
     depend on that platform.

   - A nontrivial bug fix for the setup of the mxs video output."

* tag 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  MAINTAINERS: update email address for Kevin Hilman
  ARM: tegra: fix register address of slink controller
  ARM: imx: add dependency check for DEBUG_IMX_UART_PORT
  ARM: video: mxs: Fix mxsfb misconfiguring VDCTRL0
2013-03-25 09:26:10 -07:00
Linus Torvalds
844fdd9ac1 Merge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux
Pull nfsd bugfixes from J Bruce Fields:
 "Fixes for a couple mistakes in the new DRC code.  And thanks to Kent
  Overstreet for noticing we've been sync'ing the wrong range on stable
  writes since 3.8."

* 'for-3.9' of git://linux-nfs.org/~bfields/linux:
  nfsd: fix bad offset use
  nfsd: fix startup order in nfsd_reply_cache_init
  nfsd: only unhash DRC entries that are in the hashtable
2013-03-25 09:25:12 -07:00
Trond Myklebust
1166fde6a9 SUNRPC: Add barriers to ensure read ordering in rpc_wake_up_task_queue_locked
We need to be careful when testing task->tk_waitqueue in
rpc_wake_up_task_queue_locked, because it can be changed while we
are holding the queue->lock.
By adding appropriate memory barriers, we can ensure that it is safe to
test task->tk_waitqueue for equality if the RPC_TASK_QUEUED bit is set.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: stable@vger.kernel.org
2013-03-25 11:23:40 -04:00
Linus Torvalds
c4052ba9da Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
 "Exynos and Intel fixes.

  The intel fixes are fairly straightforward, mostly reverts due to bugs
  found.  The exynos one is a big larger since they found some issues
  with the G2D engine and iommu interaction, and needed to verify the
  operations a lot better than they were previously, otherwise a user
  app can just crash the kernel with an iommu fault."

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  Revert "drm/i915: write backlight harder"
  drm/i915: don't disable the power well yet
  Revert "drm/i915: set TRANSCODER_EDP even earlier"
  drm/exynos: Check g2d cmd list for g2d restrictions
  drm/exynos: Add a new function to get gem buffer size
  drm/exynos: Deal with g2d buffer info more efficiently
  drm/exynos: Clean up some G2D codes for readability
  drm/exynos: Fix G2D core malfunctioning issue
  drm/exynos: clear node object type at gem unmap
  drm/exynos: Fix error routine to getting dma addr.
  drm/exynos: Replaced kzalloc & memcpy with kmemdup
  drm/exynos: fimd: calculate the correct address offset
  drm/exynos: Make mixer_check_timing static
  drm/exynos: modify the compatible string for exynos fimd
2013-03-25 02:57:32 -07:00
Dave Airlie
7ac8833f59 Merge branch 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel into HEAD
Daniel writes:
"Just three revert/disable by default patches, one of them cc: stable
(since the offending commit was cc: stable, too)."

* 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel:
  Revert "drm/i915: write backlight harder"
  drm/i915: don't disable the power well yet
  Revert "drm/i915: set TRANSCODER_EDP even earlier"
2013-03-25 12:20:00 +10:00
Dave Airlie
ac165b006b Merge branch 'exynos-drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into HEAD
Inki writes:
Includes bug fixes and code cleanups.
And it considers some restrictions to G2D hardware.
With this, the malfunction and page fault issues to g2d driver
would be fixed.

* 'exynos-drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos:
  drm/exynos: Check g2d cmd list for g2d restrictions
  drm/exynos: Add a new function to get gem buffer size
  drm/exynos: Deal with g2d buffer info more efficiently
  drm/exynos: Clean up some G2D codes for readability
  drm/exynos: Fix G2D core malfunctioning issue
  drm/exynos: clear node object type at gem unmap
  drm/exynos: Fix error routine to getting dma addr.
  drm/exynos: Replaced kzalloc & memcpy with kmemdup
  drm/exynos: fimd: calculate the correct address offset
  drm/exynos: Make mixer_check_timing static
  drm/exynos: modify the compatible string for exynos fimd
2013-03-25 12:19:10 +10:00
Yuchung Cheng
7ebe183c6d tcp: undo spurious timeout after SACK reneging
On SACK reneging the sender immediately retransmits and forces a
timeout but disables Eifel (undo). If the (buggy) receiver does not
drop any packet this can trigger a false slow-start retransmit storm
driven by the ACKs of the original packets. This can be detected with
undo and TCP timestamps.

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-24 17:27:28 -04:00