commit 39ca4845f17da44fa893786b4765d2de0062846b
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue Dec 16 09:39:45 2014 -0800
Linux 3.18.1
commit 72e9a6c522e850b73e2ca6a299f93bd458ff7376
Author: Takashi Iwai <tiwai@suse.de>
Date: Sat Dec 6 18:02:55 2014 +0100
ALSA: usb-audio: Don't resubmit pending URBs at MIDI error recovery
commit 66139a48cee1530c91f37c145384b4ee7043f0b7 upstream.
In snd_usbmidi_error_timer(), the driver tries to resubmit MIDI input
URBs to reactivate the MIDI stream, but this causes the error when
some of URBs are still pending like:
WARNING: CPU: 0 PID: 0 at ../drivers/usb/core/urb.c:339 usb_submit_urb+0x5f/0x70()
URB ef705c40 submitted while active
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.16.6-2-desktop #1
Hardware name: FOXCONN TPS01/TPS01, BIOS 080015 03/23/2010
c0984bfa f4009ed4 c078deaf f4009ee4 c024c884 c09a135c f4009f00 00000000
c0984bfa 00000153 c061ac4f c061ac4f 00000009 00000001 ef705c40 e854d1c0
f4009eec c024c8d3 00000009 f4009ee4 c09a135c f4009f00 f4009f04 c061ac4f
Call Trace:
[<c0205df6>] try_stack_unwind+0x156/0x170
[<c020482a>] dump_trace+0x5a/0x1b0
[<c0205e56>] show_trace_log_lvl+0x46/0x50
[<c02049d1>] show_stack_log_lvl+0x51/0xe0
[<c0205eb7>] show_stack+0x27/0x50
[<c078deaf>] dump_stack+0x45/0x65
[<c024c884>] warn_slowpath_common+0x84/0xa0
[<c024c8d3>] warn_slowpath_fmt+0x33/0x40
[<c061ac4f>] usb_submit_urb+0x5f/0x70
[<f7974104>] snd_usbmidi_submit_urb+0x14/0x60 [snd_usbmidi_lib]
[<f797483a>] snd_usbmidi_error_timer+0x6a/0xa0 [snd_usbmidi_lib]
[<c02570c0>] call_timer_fn+0x30/0x130
[<c0257442>] run_timer_softirq+0x1c2/0x260
[<c0251493>] __do_softirq+0xc3/0x270
[<c0204732>] do_softirq_own_stack+0x22/0x30
[<c025186d>] irq_exit+0x8d/0xa0
[<c0795228>] smp_apic_timer_interrupt+0x38/0x50
[<c0794a3c>] apic_timer_interrupt+0x34/0x3c
[<c0673d9e>] cpuidle_enter_state+0x3e/0xd0
[<c028bb8d>] cpu_idle_loop+0x29d/0x3e0
[<c028bd23>] cpu_startup_entry+0x53/0x60
[<c0bfac1e>] start_kernel+0x415/0x41a
For avoiding these errors, check the pending URBs and skip
resubmitting such ones.
Reported-and-tested-by: Stefan Seyfried <stefan.seyfried@googlemail.com>
Acked-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bf5f983f3b6a32a9b47f3e272b640a98ea6b2798
Author: Takashi Iwai <tiwai@suse.de>
Date: Thu Nov 13 07:11:38 2014 +0100
ALSA: hda - Fix built-in mic at resume on Lenovo Ideapad S210
commit fedb2245cbb8d823e449ebdd48ba9bb35c071ce0 upstream.
The built-in mic boost volume gets almost muted after suspend/resume
on Lenovo Ideapad S210.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88121
Reported-and-tested-by: Roman Kagan <rkagan@mail.ru>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a12df5927467db1b5a071513966241bfbc3e7144
Author: Takashi Iwai <tiwai@suse.de>
Date: Tue Dec 9 19:58:53 2014 +0100
ALSA: hda - Add EAPD fixup for ASUS Z99He laptop
commit f62f5eff3d40a56ad1cf0d81a6cac8dd8743e8a1 upstream.
The same fixup to enable EAPD is needed for ASUS Z99He with AD1986A
codec like another ASUS machine.
Reported-and-tested-by: Dmitry V. Zimin <pfzim@mail.ru>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6c1fbfffec95fa42b134c45fe2b5afbd37ff623c
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Oct 26 19:31:10 2014 -0400
deal with deadlock in d_walk()
commit ca5358ef75fc69fee5322a38a340f5739d997c10 upstream.
... by not hitting rename_retry for reasons other than rename having
happened. In other words, do _not_ restart when finding that
between unlocking the child and locking the parent the former got
into __dentry_kill(). Skip the killed siblings instead...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 679829c2e50332832c2e85b12ec851a423ad9892
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Sun Oct 26 19:19:16 2014 -0400
move d_rcu from overlapping d_child to overlapping d_alias
commit 946e51f2bf37f1656916eb75bd0742ba33983c28 upstream.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3fd3a624339756dd3872fb2cf828a0030b72eae5
Author: Larry Finger <Larry.Finger@lwfinger.net>
Date: Fri Nov 28 10:41:16 2014 -0600
rtlwifi: rtl8192ce: Fix missing interrupt ready flag
commit 87141db0848aa20c43d453f5545efc8f390d4372 upstream.
Proper operation with the rewritten PCI mini driver requires that a flag be set
when interrupts are enabled. This flag was missed. This patch is one of three needed to
fix the kernel regression reported at https://bugzilla.kernel.org/show_bug.cgi?id=88951.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-by: Catalin Iacob <iacobcatalin@gmail.com>
Tested-by: Catalin Iacob <iacobcatalin@gmail.com>
Cc: Catalin Iacob <iacobcatalin@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9cd1d3eb2653603b924d33129469697d4a55d179
Author: Larry Finger <Larry.Finger@lwfinger.net>
Date: Fri Nov 28 10:41:15 2014 -0600
rtlwifi: rtl8192ce: Fix kernel crashes due to missing callback entry
commit f892914c03131a445b926b82815b03162c19288e upstream.
In the major update of the rtlwifi-family of drivers, one of the callback entries
was missed, which leads to memory corruption. Unfortunately, this corruption
never caused a kernel oops, but showed up in other parts of the system.
This patch is one of three needed to fix the kernel regression reported at
https://bugzilla.kernel.org/show_bug.cgi?id=88951.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-by: Catalin Iacob <iacobcatalin@gmail.com>
Tested-by: Catalin Iacob <iacobcatalin@gmail.com>
Cc: Catalin Iacob <iacobcatalin@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9297b375ecef1103bf8c1f4ce157b24cf2df013a
Author: Larry Finger <Larry.Finger@lwfinger.net>
Date: Fri Nov 28 10:41:14 2014 -0600
rtlwifi: rtl8192ce: Fix editing error that causes silent memory corruption
commit 99a82f734aa6c6d397e029e6dfa933f04e0fa8c8 upstream.
In the major update of the rtlwifi-family of drivers, there was an editing
mistake. Unfortunately, this particular error leads to memory corruption that
silently leads to failure of the system. This patch is one of three needed to
fix the kernel regression reported at https://bugzilla.kernel.org/show_bug.cgi?id=88951.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-by: Catalin Iacob <iacobcatalin@gmail.com>
Tested-by: Catalin Iacob <iacobcatalin@gmail.com>
Cc: Catalin Iacob <iacobcatalin@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4b1c83d8c3dd4e11da7e1f4fc8c5cd513b77a0fe
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Wed Dec 10 16:33:10 2014 +0100
netlink: use jhash as hashfn for rhashtable
[ Upstream commit 7f19fc5e0b617593dcda0d9956adc78b559ef1f5 ]
For netlink, we shouldn't be using arch_fast_hash() as a hashing
discipline, but rather jhash() instead.
Since netlink sockets can be opened by any user, a local attacker
would be able to easily create collisions with the DPDK-derived
arch_fast_hash(), which trades off performance for security by
using crc32 CPU instructions on x86_64.
While it might have a legimite use case in other places, it should
be avoided in netlink context, though. As rhashtable's API is very
flexible, we could later on still decide on other hashing disciplines,
if legitimate.
Reference: http://thread.gmane.org/gmane.linux.kernel/1844123
Fixes: e341694e3eb5 ("netlink: Convert netlink_lookup() to use RCU protected hash table")
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Thomas Graf <tgraf@suug.ch>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 01da9f8b6b2ccc4f24aea3d4c46af1a3efbd0241
Author: Valdis.Kletnieks@vt.edu <Valdis.Kletnieks@vt.edu>
Date: Tue Dec 9 16:15:50 2014 -0500
net: fix suspicious rcu_dereference_check in net/sched/sch_fq_codel.c
[ Upstream commit 69204cf7eb9c5a72067ce6922d4699378251d053 ]
commit 46e5da40ae (net: qdisc: use rcu prefix and silence
sparse warnings) triggers a spurious warning:
net/sched/sch_fq_codel.c:97 suspicious rcu_dereference_check() usage!
The code should be using the _bh variant of rcu_dereference.
Signed-off-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 21ac2deb8e75eef817b0a3feeb6a0cef4745eba3
Author: David Vrabel <david.vrabel@citrix.com>
Date: Tue Dec 9 18:43:28 2014 +0000
xen-netfront: use correct linear area after linearizing an skb
[ Upstream commit 11d3d2a16cc1f05c6ece69a4392e99efb85666a6 ]
Commit 97a6d1bb2b658ac85ed88205ccd1ab809899884d (xen-netfront: Fix
handling packets on compound pages with skb_linearize) attempted to
fix a problem where an skb that would have required too many slots
would be dropped causing TCP connections to stall.
However, it filled in the first slot using the original buffer and not
the new one and would use the wrong offset and grant access to the
wrong page.
Netback would notice the malformed request and stop all traffic on the
VIF, reporting:
vif vif-3-0 vif3.0: txreq.offset: 85e, size: 4002, end: 6144
vif vif-3-0 vif3.0: fatal error; disabling device
Reported-by: Anthony Wright <anthony@overnetdata.com>
Tested-by: Anthony Wright <anthony@overnetdata.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7efe8f1bb70588036edacab8b6c7f899092781f2
Author: Eric Dumazet <edumazet@google.com>
Date: Tue Dec 9 09:56:08 2014 -0800
tcp: fix more NULL deref after prequeue changes
[ Upstream commit 0f85feae6b710ced3abad5b2b47d31dfcb956b62 ]
When I cooked commit c3658e8d0f1 ("tcp: fix possible NULL dereference in
tcp_vX_send_reset()") I missed other spots we could deref a NULL
skb_dst(skb)
Again, if a socket is provided, we do not need skb_dst() to get a
pointer to network namespace : sock_net(sk) is good enough.
Reported-by: Dann Frazier <dann.frazier@canonical.com>
Bisected-by: Dann Frazier <dann.frazier@canonical.com>
Tested-by: Dann Frazier <dann.frazier@canonical.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: ca777eff51f7 ("tcp: remove dst refcount false sharing for prequeue mode")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ab12ec41d8d8fe5bb286daee450f64cf845c4a09
Author: Daniel Borkmann <dborkman@redhat.com>
Date: Wed Dec 3 12:13:58 2014 +0100
net: sctp: use MAX_HEADER for headroom reserve in output path
[ Upstream commit 9772b54c55266ce80c639a80aa68eeb908f8ecf5 ]
To accomodate for enough headroom for tunnels, use MAX_HEADER instead
of LL_MAX_HEADER. Robert reported that he has hit after roughly 40hrs
of trinity an skb_under_panic() via SCTP output path (see reference).
I couldn't reproduce it from here, but not using MAX_HEADER as elsewhere
in other protocols might be one possible cause for this.
In any case, it looks like accounting on chunks themself seems to look
good as the skb already passed the SCTP output path and did not hit
any skb_over_panic(). Given tunneling was enabled in his .config, the
headroom would have been expanded by MAX_HEADER in this case.
Reported-by: Robert Święcki <robert@swiecki.net>
Reference: https://lkml.org/lkml/2014/12/1/507
Fixes: 594ccc14dfe4d ("[SCTP] Replace incorrect use of dev_alloc_skb with alloc_skb in sctp_packet_transmit().")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e7b7e0c27cbd34f01c8a9493cd1aa509707610e3
Author: Eric Dumazet <edumazet@google.com>
Date: Tue Dec 2 04:30:59 2014 -0800
net: mvneta: fix race condition in mvneta_tx()
[ Upstream commit 5f478b41033606d325e420df693162e2524c2b94 ]
mvneta_tx() dereferences skb to get skb->len too late,
as hardware might have completed the transmit and TX completion
could have freed the skb from another cpu.
Fixes: 71f6d1b31fb1 ("net: mvneta: replace Tx timer with a real interrupt")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9823d713bf257e2e0dc5b6ea64f270d33e1212ee
Author: willy tarreau <w@1wt.eu>
Date: Tue Dec 2 08:13:04 2014 +0100
net: mvneta: fix Tx interrupt delay
[ Upstream commit aebea2ba0f7495e1a1c9ea5e753d146cb2f6b845 ]
The mvneta driver sets the amount of Tx coalesce packets to 16 by
default. Normally that does not cause any trouble since the driver
uses a much larger Tx ring size (532 packets). But some sockets
might run with very small buffers, much smaller than the equivalent
of 16 packets. This is what ping is doing for example, by setting
SNDBUF to 324 bytes rounded up to 2kB by the kernel.
The problem is that there is no documented method to force a specific
packet to emit an interrupt (eg: the last of the ring) nor is it
possible to make the NIC emit an interrupt after a given delay.
In this case, it causes trouble, because when ping sends packets over
its raw socket, the few first packets leave the system, and the first
15 packets will be emitted without an IRQ being generated, so without
the skbs being freed. And since the socket's buffer is small, there's
no way to reach that amount of packets, and the ping ends up with
"send: no buffer available" after sending 6 packets. Running with 3
instances of ping in parallel is enough to hide the problem, because
with 6 packets per instance, that's 18 packets total, which is enough
to grant a Tx interrupt before all are sent.
The original driver in the LSP kernel worked around this design flaw
by using a software timer to clean up the Tx descriptors. This timer
was slow and caused terrible network performance on some Tx-bound
workloads (such as routing) but was enough to make tools like ping
work correctly.
Instead here, we simply set the packet counts before interrupt to 1.
This ensures that each packet sent will produce an interrupt. NAPI
takes care of coalescing interrupts since the interrupt is disabled
once generated.
No measurable performance impact nor CPU usage were observed on small
nor large packets, including when saturating the link on Tx, and this
fixes tools like ping which rely on too small a send buffer. If one
wants to increase this value for certain workloads where it is safe
to do so, "ethtool -C $dev tx-frames" will override this default
setting.
This fix needs to be applied to stable kernels starting with 3.10.
Tested-By: Maggie Mae Roxas <maggie.mae.roxas@gmail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6c2f1fef82dd0803cf51ac23d15f97ddce662c13
Author: Denis Kirjanov <kda@linux-powerpc.org>
Date: Mon Dec 1 12:57:02 2014 +0300
mips: bpf: Fix broken BPF_MOD
[ Upstream commit 2e46477a12f6fd273e31a220b155d66e8352198c ]
Remove optimize_div() from BPF_MOD | BPF_K case
since we don't know the dividend and fix the
emit_mod() by reading the mod operation result from HI register
Signed-off-by: Denis Kirjanov <kda@linux-powerpc.org>
Reviewed-by: Markos Chandras <markos.chandras@imgtec.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3e496d49f336db94714d16b36ae2a5377819d203
Author: Pravin B Shelar <pshelar@nicira.com>
Date: Sun Nov 30 23:04:17 2014 -0800
openvswitch: Fix flow mask validation.
[ Upstream commit f2a01517f2a1040a0b156f171a7cefd748f2fd03 ]
Following patch fixes typo in the flow validation. This prevented
installation of ARP and IPv6 flows.
Fixes: 19e7a3df72 ("openvswitch: Fix NDP flow mask validation")
Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Reviewed-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 435dcf66f0136e58e786ee81d69faecbb445b4d6
Author: Tom Herbert <therbert@google.com>
Date: Sat Nov 29 09:59:45 2014 -0800
gre: Set inner mac header in gro complete
[ Upstream commit 6fb2a756739aa507c1fd5b8126f0bfc2f070dc46 ]
Set the inner mac header to point to the GRE payload when
doing GRO. This is needed if we proceed to send the packet
through GRE GSO which now uses the inner mac header instead
of inner network header to determine the length of encapsulation
headers.
Fixes: 14051f0452a2 ("gre: Use inner mac length when computing tunnel length")
Reported-by: Wolfgang Walter <linux@stwm.de>
Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8407165b426600915d1409479be237b70a10a759
Author: Marcelo Leitner <mleitner@redhat.com>
Date: Thu Dec 11 10:02:22 2014 -0200
Fix race condition between vxlan_sock_add and vxlan_sock_release
[ Upstream commit 00c83b01d58068dfeb2e1351cca6fccf2a83fa8f ]
Currently, when trying to reuse a socket, vxlan_sock_add will grab
vn->sock_lock, locate a reusable socket, inc refcount and release
vn->sock_lock.
But vxlan_sock_release() will first decrement refcount, and then grab
that lock. refcnt operations are atomic but as currently we have
deferred works which hold vs->refcnt each, this might happen, leading to
a use after free (specially after vxlan_igmp_leave):
CPU 1 CPU 2
deferred work vxlan_sock_add
... ...
spin_lock(&vn->sock_lock)
vs = vxlan_find_sock();
vxlan_sock_release
dec vs->refcnt, reaches 0
spin_lock(&vn->sock_lock)
vxlan_sock_hold(vs), refcnt=1
spin_unlock(&vn->sock_lock)
hlist_del_rcu(&vs->hlist);
vxlan_notify_del_rx_port(vs)
spin_unlock(&vn->sock_lock)
So when we look for a reusable socket, we check if it wasn't freed
already before reusing it.
Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Fixes: 7c47cedf43a8b3 ("vxlan: move IGMP join/leave to work queue")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>