* sanity checks belong before risky operation, not after it
* don't quit as soon as we'd found an entry
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
new helper: dir_relax(inode). Call when you are in location that will
_not_ be invalidated by directory modifications (block boundary, in case
of ext*). Returns whether the directory has survived (dropping i_mutex
allows rmdir to kill the sucker; if it returns false to us, ->iterate()
is obviously done)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
New method - ->iterate(file, ctx). That's the replacement for ->readdir();
it takes callback from ctx->actor, uses ctx->pos instead of file->f_pos and
calls dir_emit(ctx, ...) instead of filldir(data, ...). It does *not*
update file->f_pos (or look at it, for that matter); iterate_dir() does the
update.
Note that dir_emit() takes the offset from ctx->pos (and eventually
filldir_t will lose that argument).
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
iterate_dir(): new helper, replacing vfs_readdir().
struct dir_context: contains the readdir callback (and will get more stuff
in it), embedded into whatever data that callback wants to deal with;
eventually, we'll be passing it to ->readdir() replacement instead of
(data,filldir) pair.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
in the middle of 'ubifs_readdir()'.
This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses
it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage,
but this may corrupt memory and lead to all kinds of problems like crashes an
security holes.
This patch fixes the problem by using the 'file->f_version' field, which
'->llseek()' always unconditionally sets to zero. We set it to 1 in
'ubifs_readdir()' and whenever we detect that it became 0, we know there was a
seek and it is time to clear the state saved in 'file->private_data'.
I tested this patch by writing a user-space program which runds readdir and
seek in parallell. I could easily crash the kernel without these patches, but
could not crash it with these patches.
Cc: stable@vger.kernel.org
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no
mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are
in the middle of 'ubifs_readdir()'.
First of all, this means that 'file->private_data' can be freed while
'ubifs_readdir()' uses it. But this particular patch does not fix the problem.
This patch is only a preparation, and the fix will follow next.
In this patch we make 'ubifs_readdir()' stop using 'file->f_pos' directly,
because 'file->f_pos' can be changed by '->llseek()' at any point. This may
lead 'ubifs_readdir()' to returning inconsistent data: directory entry names
may correspond to incorrect file positions.
So here we introduce a local variable 'pos', read 'file->f_pose' once at very
the beginning, and then stick to 'pos'. The result of this is that when
'ubifs_dir_llseek()' changes 'file->f_pos' while we are in the middle of
'ubifs_readdir()', the latter "wins".
Cc: stable@vger.kernel.org
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This fixes the problem that "init=" options may not be passed to kernel
correctly.
parse_mem_cmdline() of mn10300 arch gets rid of "mem=" string from
redboot_command_line. Then init_setup() parses the "init=" options from
static_command_line, which is a copy of redboot_command_line, and keeps
the pointer to the init options in execute_command variable.
Since the commit 026cee0 upstream (params: <level>_initcall-like kernel
parameters), static_command_line becomes overwritten by saved_command_line at
do_initcall_level(). Notice that saved_command_line is a command line
which includes "mem=" string.
As a result, execute_command may point to weird string by the length of
"mem=" parameter.
I noticed this problem when using the command line like this:
mem=128M console=ttyS0,115200 init=/bin/sh
Here is the processing flow of command line parameters.
start_kernel()
setup_arch(&command_line)
parse_mem_cmdline(cmdline_p)
* strcpy(boot_command_line, redboot_command_line);
* Remove "mem=xxx" from redboot_command_line.
* *cmdline_p = redboot_command_line;
setup_command_line(command_line) <-- command_line is redboot_command_line
* strcpy(saved_command_line, boot_command_line)
* strcpy(static_command_line, command_line)
parse_early_param()
strlcpy(tmp_cmdline, boot_command_line, COMMAND_LINE_SIZE);
parse_early_options(tmp_cmdline);
parse_args("early options", cmdline, NULL, 0, 0, 0, do_early_param);
parse_args("Booting ..", static_command_line, ...);
init_setup() <-- save the pointer in execute_command
rest_init()
kernel_thread(kernel_init, NULL, CLONE_FS | CLONE_SIGHAND);
At this point, execute_command points to "/bin/sh" string.
kernel_init()
kernel_init_freeable()
do_basic_setup()
do_initcalls()
do_initcall_level()
(*) strcpy(static_command_line, saved_command_line);
Here, execute_command gets to point to "200" string !!
Signed-off-by: David Howells <dhowells@redhat.com>
This fixes the following compile error:
CC block/scsi_ioctl.o
block/scsi_ioctl.c: In function 'sg_scsi_ioctl':
block/scsi_ioctl.c:449: error: invalid initializer
Signed-off-by: David Howells <dhowells@redhat.com>
commit f8f7d63fd9 ("powerpc/eeh: Trace eeh
device from I/O cache") broke EEH on pseries for devices that were
present during boot and have not been hotplugged/DLPARed.
eeh_check_failure will get the eeh_dev from the cache, and will get
NULL. eeh_addr_cache_build adds the addresses to the cache, but eeh_dev
for the giving pci_device is not set yet. Just reordering the call to
eeh_addr_cache_insert_dev works fine. The ordering is similar to the one
in eeh_add_device_late.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Acked-by: Gavin Shan <shangw@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Per Stephen Boyd's coverletter:
Resending to collect higher level maintainer acks per Olof's request.
The plan is to push this patchset through MSM to the arm-soc tree.
This patchset moves the existing MSM clock code and affected drivers
to the common clock framework. A prerequisite of moving to the common
clock framework is to use clk_prepare() and clk_enable() so the first
few patches migrate drivers to that call (clk_prepare() is a no-op on
MSM right now). It also removes some custom clock APIs that MSM
provides and finally moves the proc_comm clock code to the common
struct clk.
This patch series will be used as the foundation of the MSM 8660/8960
clock code that I plan to send out after this series.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQIcBAABAgAGBQJRyK/7AAoJEOa6n1xeVN+Cu1UQALf7pzve7+JMbpHp9HtQPTCk
GxGBBZ5ay0yWYYSSDRNqMbxNAHxhTuz26AW1CSSAHNpxotMB9t1y4AGkbSqxl3H8
gZZ+9PwSBGN6kABSjfrae1kPxnU6Mg/9J56E5iXFLst0qIvgDejUGG8BXLHDuzjM
weQZJf6p6t9SZIHc/80RUsiVmRkqKM9Mp6NvyO4irQOKwfvQ76mjWNqiUrQS7wwA
+glbwR3PMg31bvUXOcWuoBp3zbZYvN65bUSwZMIagynqYqU8g+bwDA2NQKjFzoXM
ActLyurznSytcER+/+3JbRh32kMI1Bh/jnH2VbqS4TNQbtIuJd6VjYP4kE4HsRsZ
MkK2pEUS4GuMEdLqeJW3d5ch+u45CQVdtDLuSUH0e9j3RqQNHmZWIvp3IhXouKG+
HMeeo2RQfdn3Y7A+TJ18llVUW/2BTBKjnr1MvR+9JoZmMpkV0tnVnD19MQcKvEXK
dM7Qp7apAS5KpXPTsWvRXwT4uFHoGiRpyluI2UrqEjOVhYQW4DBzfJ/GQDJ80Wd8
HFH0ZPjvi2W3jLeFqOwGYzbcMgyGe4pvkkUm1yj/EV3j5GyFSCPxOhqn4t/fJegk
Vg2AMDeSf+cb504pr8AkfYF0Z0RqGBTgyKOwslgGwaRCppOHW7DZL0R6M3/5a48H
9C4z3RJ4UcTt1a93ZaV3
=0OVE
-----END PGP SIGNATURE-----
Merge tag 'msm-clock-for-3.11b' of git://git.kernel.org/pub/scm/linux/kernel/git/davidb/linux-msm into next/late
From David Brown:
MSM clock updates for 3.11.
Per Stephen Boyd's coverletter:
Resending to collect higher level maintainer acks per Olof's request.
The plan is to push this patchset through MSM to the arm-soc tree.
This patchset moves the existing MSM clock code and affected drivers
to the common clock framework. A prerequisite of moving to the common
clock framework is to use clk_prepare() and clk_enable() so the first
few patches migrate drivers to that call (clk_prepare() is a no-op on
MSM right now). It also removes some custom clock APIs that MSM
provides and finally moves the proc_comm clock code to the common
struct clk.
This patch series will be used as the foundation of the MSM 8660/8960
clock code that I plan to send out after this series.
* tag 'msm-clock-for-3.11b' of git://git.kernel.org/pub/scm/linux/kernel/git/davidb/linux-msm:
ARM: msm: Migrate to common clock framework
ARM: msm: Make proc_comm clock control into a platform driver
ARM: msm: Prepare clk_get() users in mach-msm for clock-pcom driver
ARM: msm: Remove clock-7x30.h include file
ARM: msm: Remove custom clk_set_{max,min}_rate() API
ARM: msm: Remove custom clk_set_flags() API
msm: iommu: Use clk_set_rate() instead of clk_set_min_rate()
msm: iommu: Convert to clk_prepare/unprepare
msm_sdcc: Convert to clk_prepare/unprepare
usb: otg: msm: Convert to clk_prepare/unprepare
msm_serial: Use devm_clk_get() and properly return errors
msm_serial: Convert to clk_prepare/unprepare
Acked-by: Chris Ball <cjb@laptop.org> # for msm_sdcc.c
Signed-off-by: Olof Johansson <olof@lixom.net>
If a GFS2 file system is mounted with quotas and a file is grown
in such a way that its free blocks for the allocation are represented
in a secondary bitmap, GFS2 ran out of blocks in the transaction.
That resulted in "fatal: assertion "tr->tr_num_buf <= tr->tr_blocks".
This patch reserves extra blocks for the quota change so the
transaction has enough space.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
This patch set updates da850 DTS files to enable use of
C pre-processor. Also updates pinctrl-single DT data
to go with changes done in that module to enable a
single register to service configuration of multiple
pins.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAABAgAGBQJRyzY7AAoJEGFBu2jqvgRNsZsP/05zTYOFWNm0EbchMh1HgFkw
2oXJG+i8SoC/lm9cW8Lad1fRHANMs2fYdKScH0t838wCH1ldfovFWTSHym9U5tp+
bh8rPV8On9dhPsTcXCNzgt4CE4BJ2FTHUfgdQITifyu84hDYmC67XFF+MdfHo8sU
J+HoVg3595Uv0m62UfPvzPUfEG/ckeigB2M8OeN3T8hVFccNp5KB1/od5AtB1qgk
6OAsahD02S1oTaAOLMdkYV/7M665r351PC+MjMJWuV0ee55lVViqBG+jMn0O+Hx5
IxkcDFLrp+V7Z9WXqH/NC9A9hJmx1n9nrRRUydbDmWeHkQOKUN5r8VAA7q5O/QSy
VCEhxvEnJd1oNZqpfxLTZLX71OqjC1bMNKX5x+nVwLA7EKJ4r0ZA9vzGeS+D6Ca3
ds+fP/k8NrP+xt1vecR4kCwOCg7eLYC+9LQHtLiTe55BkD54IUx58JqKZ1DiePK8
4uPGoBGvgNBk2ZF9EvrlloNrxeSsgbk2n3EkgVv9NYJ1V1e/T8bUSrBk7MGCgJmv
HQwlCPgU4qbw6KqszTEv3b3gSOx8XfR89g8w6GM50XuIonknx6QybCOhxhnYfKei
Rk9C5BKcW5IUd9PowwiNV5NMga4Yaw1nZHb1SIKrRfi4McSa47aq9reo0IX+lCyd
yz3MtBHOrkshgscnFgMz
=RU+m
-----END PGP SIGNATURE-----
Merge tag 'davinci-for-v3.11/dt' of git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci into next/late
From Sekhar Nori:
Device Tree updates for DaVinci
This patch set updates da850 DTS files to enable use of
C pre-processor. Also updates pinctrl-single DT data
to go with changes done in that module to enable a
single register to service configuration of multiple
pins.
* tag 'davinci-for-v3.11/dt' of git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci:
ARM: davinci: da850: adopt to pinctrl-single change for configuring multiple pins
ARM: davinci: da850: Use #include for all device trees
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
- external irq on non-DT boards
- cpuidle code in some circumstances
- PMC code in relation with PLLB/PLL_UTMI/USB:
mainly for SAMA5D3 and AT91SAM9N12
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAABAgAGBQJRyuyOAAoJEAf03oE53VmQDOgIALT6Ql8reZiaLcB9cuhpPVy1
vJAx8jxmJy0V1eXiD/Gl00261vb2tw7YJK9gt3zfLP0upqsYWrV5sV7f8UhR73RQ
rrJSfWfLkPFPBORYyKiHw9kWQUMBczybz9hhv3HbbxdVHmpD7LnaPRWXat71u1u/
Uh8UpF5d2s3lAE1BBqTr9Ec6n3r7vKqI/0MO2pWnyf11nfNZMI705zG9ehrQZHZx
v8hovwjWuQ/o06GD45xMJuunEp6IVHl01A2ZRcppuvQD4CtNBXo3AnlNLQ6TK7iz
9qOVhAiD8/1Td3CXSOOMiInCDBIVOXI/bbkKrAFJcTgGdL1jkAKEN3A1xUxXYVQ=
=28Xo
-----END PGP SIGNATURE-----
Merge tag 'at91-fixes' of git://github.com/at91linux/linux-at91 into next/fixes-non-critical
From Nicolas Ferre:
Several fixes for:
- external irq on non-DT boards
- cpuidle code in some circumstances
- PMC code in relation with PLLB/PLL_UTMI/USB:
mainly for SAMA5D3 and AT91SAM9N12
* tag 'at91-fixes' of git://github.com/at91linux/linux-at91:
ARM: at91/PMC: use at91_usb_rate() for UTMI PLL
ARM: at91/PMC: fix at91sam9n12 USB FS init
ARM: at91/PMC: at91sam9n12 family has a PLLB
ARM: at91/PMC: sama5d3 family doesn't have a PLLB
ARM: at91: cpuidle: Fix target_residency
ARM: at91: fix at91_extern_irq usage for non-dt boards
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
This makes the l2x0 initialization fail gracefully on non-ux500
systems.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Sending the right snapshot context with each write is required for
snapshots to work. Due to the ordering of calls, the snapshot context
is never set for any requests. This causes writes to the current
version of the image to be reflected in all snapshots, which are
supposed to be read-only.
This happens because rbd_osd_req_format_write() sets the snapshot
context based on obj_request->img_request. At this point, however,
obj_request->img_request has not been set yet, to the snapshot context
is set to NULL. Fix this by moving rbd_img_obj_request_add(), which
sets obj_request->img_request, before the osd request formatting
calls.
This resolves:
http://tracker.ceph.com/issues/5465
Reported-by: Karol Jurak <karol.jurak@gmail.com>
Signed-off-by: Josh Durgin <josh.durgin@inktank.com>
Reviewed-by: Sage Weil <sage@inktank.com>
Reviewed-by: Alex Elder <elder@linaro.org>
HSCIF support by Ulrich Hecht.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAABAgAGBQJRyqpMAAoJENfPZGlqN0++KbMP/3XPeCGPyiAvoEYFT68CTUE3
vtyVU5APL7rJ7eCkuxXvBriJ8GRcL95NUwK7kss3kPDpSTkNf4UmVCgrs1mj2gjl
8PxjxGzyeryDl/cILx1EOJYkmhm6TUjbeFrd2uFOxntbhItnCrEAHDwx7AxQhI79
Enz3L0moU1v8rq/MBiyGKh1wD2UFgyzcqbxhsdxhDurgbhElfnccWxjK9DVXxCAP
c9Lyc0GIC5CniI+LITgcbay93/2//5/ytSQTc3gDfbNkVk/8sa4HWyV4XLDNNCAz
EclVD9fLBXHITVtid6c/Nxqnn+6W31LKKsR52XDYs8anT61YxoO6QHzEiXPpzEvF
3NbR9Vv3EpgIe6NXn0JB5GwOvggJxWHNg9/8LspyZujtzS99fLe00L0ICEftfsVp
62wUnvC/477DuXr5e/o8YrSvWxnKq51tqoFthWUEn6FkjoUYC8eNuCAnvKrODf4i
y5FokvDepmhElLFOFWuCDahPeSy512WKtsGNLKzulwLF0zEmpkAitw6gtE044fsk
FLtaA8SpmdgbH0NiLW0jFuNR4w36vPZ2g7mCqWGlkAxMC9jlitfWDvSG+KssqEL6
ObgR3GyuYrHqVgB7vqGztqvZWekBSsQXdk5Y80mN15M+3qO5KwYjKo89U8lWMS4W
zMq5g9o/qW7C9NnHCPA2
=bnU/
-----END PGP SIGNATURE-----
Merge tag 'renesas-sh-sci-for-v3.11' of git://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas into next/late
Renesas sh-sci updates for v3.11
HSCIF support by Ulrich Hecht.
* tag 'renesas-sh-sci-for-v3.11' of git://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas:
serial: sh-sci: Initialise variables before access in sci_set_termios()
ARM: shmobile: r8a7790: don't use external clock for SCIFs
ARM: shmobile: r8a7790: HSCIF support
serial: sh-sci: HSCIF support
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Instead of relying on the hard-coded mem/premem bases for
the PCI side, read in these from the device tree in the
DT probe path. Hard-code the old values on the non-DT probe
path. Introduce some static locals to hold these addresses
instead of the earlier static #defines.
Reported-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
This alters the local side address of the iospace to zero,
non prefetchable memory local side address to 0x00000000 and
prefetchable memory local side address to 0x10000000,
so as to match the values actually poked in by the driver.
Reported-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
related to VLAN tagging FCoE frames.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABAgAGBQJRyfSGAAoJEEajxTw9cn4HezEP/3wE3j+Ra+3OcH5hQhFdViLZ
MWzxZ+p3R115OlkPMl2RAcvNfkaBywsfGoBIN2zJWCmlfYwFgHp6XXiLE3NBbRxb
BZDNoiUO2Gr5fkWdS+IopAhyQaM1uaJFmDgoRATCe8+0m7i8yD7VI6lnKtnJ12RR
dJUZbRChvzvWfNFNHx4fi+8qPupBj9ahHqtisbbyoP34ZuljTPzlcUrl5AldkHL1
RsklezD9ENwSCDlP0OAoTXLf6RYfVhaNvUVWOFrCg+VXI+LFEi+Nl0WX271axH3T
r7LqaDfX9TVRHZ1o37HwsZ/ic1eLQDaRIR1lmAB6ksF+WIohIcCic6SsNbmIux4D
3TybtbTrqT9/3EOg4YQxwnx8ppaHXdWDCk6BAfg7pJsLmFAr+DwVfHifEypqYExU
T+QPScCXqqXHp/ziAdVSx2ft8Pzm8BWzWEaNm0IN74nbjd+GpBbQ8Lq3yaoSOlij
PxxSDzrSmFr7EImcwrqcaxru86rKTgvufjeakxTQ73GJKvYcXrGsnvT5K7iPlt06
IZjIHpfa6U+OFL5Ah8k2QvQ7xcl7AzgmFIORMxXCtYmdweu/6Ite+3NffgcrapZo
0sFHxE7vCrMk20Us05SSpOzML3TMYBptmU5MsnbhLl+gcMmSVLZA8lq2QUDTfSQO
/ARHI2Gm7EYDjDU21mZk
=Sbz8
-----END PGP SIGNATURE-----
Merge tag 'fcoe1' into fixes
This patch fixes a critical bug that was introduced in 3.9
related to VLAN tagging FCoE frames.
Pull networking fixes from David Miller:
1) Found via trinity:
If you connect up an ipv6 socket to an ipv4 mapped address then an
ipv6 one, sendmsg() can croak because ip6_sk_dst_check() assumes the
route cached in the socket is an ipv6 one. In this case there is an
ipv4 route attached, so it gets stomped on.
Reported by Dave Jones and Hannes Frederic Sowa, fixed by Eric
Dumazet.
2) AF_KEY notifications leak some kernel memory to userspace, fix from
Mathias Krause.
3) DLCI calls __dev_get_by_name() without proper locking, and dlci_del
doesn't validate that the device being deleted is actually a DLCI
one. Fixes from Li Zefan.
4) Length check on bluetooth l2cap information responses is wrong, each
response type has a different lenth, so we should make sure it's in
a given range rather than enforce one single valid length. From
Jaganath Kanakkassery.
5) Receive FIFO overflow is really easy to trigger in stress scenerios
in the sh_eth driver, but the event isn't being handled properly at
all. Specifically, the mask of error interrupts doesn't include the
event so we never clear it, resulting in the driver becomming wedged
processing an interrupt that never gets cleared.
Fix from Sergei Shtylyov.
6) qlcnic sleeps while holding a spinlock, use mdelay() instead of
msleep(). From Shahed Shaikh.
7) Missing curly braces causes SIP netfilter NAT module to always drop
packets. Fix from Balazs Peter Odor.
8) ipt_ULOG in netfilter passes the wrong value to timer setup, causing
the timer to dereference crap when it fires. Fix from Gao Feng.
9) Missing RCU protection around txq->axq_acq traversal in
ath_txq_schedule(). Fix from Felix Fietkau.
10) Idle state transition test in ath9k_htc_config() is reversed, fix
from Sujith Manoharan.
11) IPV6 forwarding handles unicast Router Alert packets incorrectly.
It tests the wrong option state. Previously opt->ra being non-zero
indicated a router alert marking in the SKB, but now it's indicated
by a bit in opt->flags. Fix from YOSHIFUJI Hideaki.
12) SKB leak in GRE tunnel GSO handling, from Eric Dumazet.
13) get_user_pages_fast() error handling in TUN and MACVTAP use the same
local variable for the base index and the loop iterator for page
traversal, oops! Fix from Michael S Tsirkin.
14) ipv6_get_lladdr() can fail, and we must therefore check it's return
value in inet6_set_iftoken(). For from Hannes Frederic Sowa.
15) If you change an interface name and meanwhile can sneak in something
that looks up the name (like SO_BINDTODEVICE or SIOCGIFNAME) we can
deadlock with CONFIG_PREEMPT=n. Fix this by providing a helper
function that properly uses raw_seqcount_begin(). From Nicolas
Schichan.
16) Chain noise calibration test is inverted in iwlwifi, fix from
Nikolay Martynov.
17) Properly set TX iwlwifi descriptor flags for back requests. Fix
from Emmanuel Grumbach.
18) We can't assume skb_transport_header() is set in xt_TCPOPTSTRAP
module, fix from Pablo Neira Ayuso.
19) Some crummy APs don't provide the proper High Throughput info in
association response frames. Add a workaround by assume we'll use
whatever is in the beacon/probe. Fix from Johannes Berg.
20) mac80211 call to rate_idx_match_mask() swaps two arguments (mask and
channel width). Fix from Simon Wunderlich.
21) xt_TCPMSS (like xt_TCPOPTSTRAP) must not try to handle fragmented
frames. Fix from Phil Oester.
22) Fix rate control regression causing iwlwifi/iwlegacy chips to use
1Mbit/s on pre-11n networks. From Moshe Benji and Stanslaw Gruszka.
23) Disable brcmsmac power-save functions, they cause regressions. From
Arend van Spriel.
24) Enforce a sane minimum MTU in l2cap_build_cmd() otherwise we can
easily crash. Fix from Anderson Lizardo.
25) If a learning packet arrives during vxlan_stop() we crash, easily
fixed by checking netif_running(). From Stephen Hemminger.
26) Static vxlan FDB entries should not be migrated, also from Stephen.
27) skb_clone() failures not handled in vxlan_xmit(), oops. Also from
Stephen.
28) Add minimal driver for AR816x/AR817x ethernet chips, from Johannes
Berg.
29) Fix regression in userspace VLAN acceleration control, added by the
802.1ad support changes. Fix from Fernando Luis Vazquez Cao.
30) Interval selection for MLD queries in the bridging code was
reversed. Fix from Linus Lüssing.
31) ipv6's ndisc_send_redirect() erroneously writes to the packet we
received not the packet we are building to send out. Fix from
Matthias Schiffer.
32) Don't free netdev before unregistering it, in usb_8dev can driver.
From Marc Kleine-Budde.
33) Fix nl80211 attribute buffer races, from Johannes Berg.
34) Although netlink_diag.h is under uapi/ it isn't present in Kbuild.
From Stephen Hemminger.
35) Wrong address and family passed to MD5 key lookups in TCP, from
Aydin Arik.
36) phy_type attribute created by SFC driver should not be writable.
From Ben Hutchings.
37) Receive/Transmit queue allocations in pxa168_eth and mv643xx_eth
should use kzalloc(). Otherwise if setup fails half-way, we'll
dereference garbage when trying to teardown the rings. From Lubomir
Rintel.
38) Fix double-allocation of dst (resulting in unfreeable net device) in
ipv6's init_loopback(). From Gao Feng.
39) Fix fragmentation handling SKB leak in netfilter conntrack, we were
freeing the wrong skb pointer. From Phil Oester.
40) Don't report "-1" (SPEED_UNKNOWN) in bond_miimon_commit(), from
Nikolay Aleksandrov.
41) davinci_cpdma doesn't check for DMA mapping errors, letting the
device scribble to random addresses. From Sebastian Siewior.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (69 commits)
dlci: validate the net device in dlci_del()
dlci: acquire rtnl_lock before calling __dev_get_by_name()
af_key: fix info leaks in notify messages
ipv6: ip6_sk_dst_check() must not assume ipv6 dst
net: fix kernel deadlock with interface rename and netdev name retrieval.
net/tg3: Avoid delay during MMIO access
ipv6: check return value of ipv6_get_lladdr
macvtap: fix recovery from gup errors
tun: fix recovery from gup errors
gre: fix a possible skb leak
ipv6: Process unicast packet with Router Alert by checking flag in skb.
ath9k_htc: Handle IDLE state transition properly
ath9k: fix an RCU issue in calling ieee80211_get_tx_rates
netfilter: ipt_ULOG: fix incorrect setting of ulog timer
netfilter: ctnetlink: send event when conntrack label was modified
netfilter: nf_nat_sip: fix mangling
qlcnic: Do not sleep while holding spinlock
drivers: net: cpsw: fix compilation error with cpsw driver
tcp: doc : fix the syncookies default value
sh_eth: fix misreporting of transmit abort
...
Pull i915 drm fixes from Dave Airlie:
"These should be the last two fixes for i915, one is for a fence leak
killing X on some older GPUs, and one is a late regression partial
revert for an swiotlb/xen/i915 interaction, Konrad has promised to
figure out the proper answer, and this patch is the best thing to do
at this stage to avoid regressing"
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
drm/i915: make compact dma scatter lists creation work with SWIOTLB backend.
drm/i915: Restore fences after resume and GPU resets
Al Viro