commit 9f381a61f58bb6487c93ce2233bb9992f8ea9211 Merge: 21a43e3 9bbc052 Author: Linus Torvalds Date: Tue May 10 17:39:01 2011 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (27 commits) slcan: fix ldisc->open retval net/usb: mark LG VL600 LTE modem ethernet interface as WWAN xfrm: Don't allow esn with disabled anti replay detection xfrm: Assign the inner mode output function to the dst entry net: dev_close() should check IFF_UP vlan: fix GVRP at dismantle time netfilter: revert a2361c8735e07322023aedc36e4938b35af31eb0 netfilter: IPv6: fix DSCP mangle code netfilter: IPv6: initialize TOS field in REJECT target module IPVS: init and cleanup restructuring IPVS: Change of socket usage to enable name space exit. netfilter: ebtables: only call xt_compat_add_offset once per rule netfilter: fix ebtables compat support netfilter: ctnetlink: fix timestamp support for new conntracks pch_gbe: support ML7223 IOH PCH_GbE : Fixed the issue of checksum judgment PCH_GbE : Fixed the issue of collision detection NET: slip, fix ldisc->open retval be2net: Fixed bugs related to PVID. ehea: fix wrongly reported speed and port ... commit 21a43e397e7f66d3be44e09b54045f1a67838cc0 Author: David Rientjes Date: Tue May 10 17:08:54 2011 -0700 slub: Revert "[PARISC] slub: fix panic with DISCONTIGMEM" This reverts commit 4a5fa3590f09, which did not allow SLUB to be used on architectures that use DISCONTIGMEM without compiling NUMA support without CONFIG_BROKEN also set. The slub panic that it was intended to prevent is addressed by d9b41e0b54fd ("[PARISC] set memory ranges in N_NORMAL_MEMORY when onlined") on parisc so there is no further slub issues with such a configuration. The reverts allows SLUB now to be used on such architectures since there haven't been any reports of additional errors. Cc: James Bottomley Signed-off-by: David Rientjes Signed-off-by: Linus Torvalds commit 9bbc052d5e63512b0ce4e201ea97e12fba9fda82 Merge: 0d4420a 93bbce1 Author: David S. Miller Date: Tue May 10 15:04:35 2011 -0700 Merge branch 'pablo/nf-2.6-updates' of git://1984.lsi.us.es/net-2.6 commit 0d4420a90b51abdea71585f571bad6d789ff8eb7 Author: Oliver Hartkopp Date: Tue May 10 13:12:30 2011 -0700 slcan: fix ldisc->open retval TTY layer expects 0 if the ldisc->open operation succeeded. Reported-by: Matvejchikov Ilya Signed-off-by: Oliver Hartkopp Signed-off-by: David S. Miller commit aae1e743fee2b5523fb31ee050295f062cb26a31 Author: Dan Williams Date: Mon May 9 07:43:20 2011 +0000 net/usb: mark LG VL600 LTE modem ethernet interface as WWAN Like other mobile broadband device ethernet interfaces, mark the LG VL600 with the 'wwan' devtype so userspace knows it needs additional configuration via the AT port before the interface can be used. Signed-off-by: Dan Williams Signed-off-by: David S. Miller commit 6fa5ddcc675b937f94d05628e8997c07a80c6cb9 Author: Steffen Klassert Date: Mon May 9 19:43:05 2011 +0000 xfrm: Don't allow esn with disabled anti replay detection Unlike the standard case, disabled anti replay detection needs some nontrivial extra treatment on ESN. RFC 4303 states: Note: If a receiver chooses to not enable anti-replay for an SA, then the receiver SHOULD NOT negotiate ESN in an SA management protocol. Use of ESN creates a need for the receiver to manage the anti-replay window (in order to determine the correct value for the high-order bits of the ESN, which are employed in the ICV computation), which is generally contrary to the notion of disabling anti-replay for an SA. So return an error if an ESN state with disabled anti replay detection is inserted for now and add the extra treatment later if we need it. Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller commit 43a4dea4c9d44baae38ddc14b9b6d86fde4c8b88 Author: Steffen Klassert Date: Mon May 9 19:36:38 2011 +0000 xfrm: Assign the inner mode output function to the dst entry As it is, we assign the outer modes output function to the dst entry when we create the xfrm bundle. This leads to two problems on interfamily scenarios. We might insert ipv4 packets into ip6_fragment when called from xfrm6_output. The system crashes if we try to fragment an ipv4 packet with ip6_fragment. This issue was introduced with git commit ad0081e4 (ipv6: Fragment locally generated tunnel-mode IPSec6 packets as needed). The second issue is, that we might insert ipv4 packets in netfilter6 and vice versa on interfamily scenarios. With this patch we assign the inner mode output function to the dst entry when we create the xfrm bundle. So xfrm4_output/xfrm6_output from the inner mode is used and the right fragmentation and netfilter functions are called. We switch then to outer mode with the output_finish functions. Signed-off-by: Steffen Klassert Signed-off-by: David S. Miller commit e14a599335427f81bbb0008963e59aa9c6449dce Author: Eric Dumazet Date: Tue May 10 12:26:06 2011 -0700 net: dev_close() should check IFF_UP Commit 443457242beb (factorize sync-rcu call in unregister_netdevice_many) mistakenly removed one test from dev_close() Following actions trigger a BUG : modprobe bonding modprobe dummy ifconfig bond0 up ifenslave bond0 dummy0 rmmod dummy dev_close() must not close a non IFF_UP device. With help from Frank Blaschka and Einar EL Lueck Reported-by: Frank Blaschka Reported-by: Einar EL Lueck Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller commit 55aee10dec477254241e4f72968f92e0543b33ad Author: Eric Dumazet Date: Tue May 10 12:22:54 2011 -0700 vlan: fix GVRP at dismantle time ip link add link eth2 eth2.103 type vlan id 103 gvrp on loose_binding on ip link set eth2.103 up rmmod tg3 # driver providing eth2 BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] garp_request_leave+0x3e/0xc0 [garp] PGD 11d251067 PUD 11b9e0067 PMD 0 Oops: 0000 [#1] SMP last sysfs file: /sys/devices/virtual/net/eth2.104/ifindex CPU 0 Modules linked in: tg3(-) 8021q garp nfsd lockd auth_rpcgss sunrpc libphy sg [last unloaded: x_tables] Pid: 11494, comm: rmmod Tainted: G W 2.6.39-rc6-00261-gfd71257-dirty #580 HP ProLiant BL460c G6 RIP: 0010:[] [] garp_request_leave+0x3e/0xc0 [garp] RSP: 0018:ffff88007a19bae8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88011b5e2000 RCX: 0000000000000002 RDX: 0000000000000000 RSI: 0000000000000175 RDI: ffffffffa0030d5b RBP: ffff88007a19bb18 R08: 0000000000000001 R09: ffff88011bd64a00 R10: ffff88011d34ec00 R11: 0000000000000000 R12: 0000000000000002 R13: ffff88007a19bc48 R14: ffff88007a19bb88 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff88011fc00000(0063) knlGS:00000000f77d76c0 CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b CR2: 0000000000000000 CR3: 000000011a675000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process rmmod (pid: 11494, threadinfo ffff88007a19a000, task ffff8800798595c0) Stack: ffff88007a19bb36 ffff88011c84b800 ffff88011b5e2000 ffff88007a19bc48 ffff88007a19bb88 0000000000000006 ffff88007a19bb38 ffffffffa003a5f6 ffff88007a19bb38 670088007a19bba8 ffff88007a19bb58 ffffffffa00397e7 Call Trace: [] vlan_gvrp_request_leave+0x46/0x50 [8021q] [] vlan_dev_stop+0xb7/0xc0 [8021q] [] __dev_close_many+0x87/0xe0 [] dev_close_many+0x87/0x110 [] rollback_registered_many+0xa0/0x240 [] unregister_netdevice_many+0x19/0x60 [] vlan_device_event+0x53b/0x550 [8021q] [] ? ip6mr_device_event+0xa8/0xd0 [] notifier_call_chain+0x53/0x80 [] __raw_notifier_call_chain+0x9/0x10 [] raw_notifier_call_chain+0x11/0x20 [] call_netdevice_notifiers+0x32/0x60 [] rollback_registered_many+0x10f/0x240 [] rollback_registered+0x2f/0x40 [] unregister_netdevice_queue+0x58/0x90 [] unregister_netdev+0x1b/0x30 [] tg3_remove_one+0x6f/0x10b [tg3] We should call vlan_gvrp_request_leave() from unregister_vlan_dev(), not from vlan_dev_stop(), because vlan_gvrp_uninit_applicant() is called right after unregister_netdevice_queue(). In batch mode, unregister_netdevice_queue() doesn’t immediately call vlan_dev_stop(). Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller commit 54b333529df25b21da462c7dcc16c7dc779d9f26 Merge: 675badf 780914c Author: Linus Torvalds Date: Tue May 10 12:00:53 2011 -0700 Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/upstream-linus * 'upstream' of git://git.linux-mips.org/pub/scm/upstream-linus: (28 commits) MIPS: Alchemy: fix xxs1500 build error MIPS: Invalidate old TLB mappings when updating huge page PTEs. MIPS: Hibernation: Fixes for PAGE_SIZE >= 64kb MIPS: JZ4740: Set one-shot feature flag for the clockevent MIPS: JZ4740: Export symbols to the watchdog driver module MIPS: JZ4740: Fix GCC 4.6.0 build error. MIPS: Audit: Fix success success argument pass to audit_syscall_exit MIPS: Fix calc_vmlinuz_load_addr build warnings. MIPS: Alchemy: Fix GCC 4.6.0 build error. MIPS: Document former use of timerfd(2) syscall number. MIPS: IP27: Fix GCC 4.6.0 build error. MIPS: IP27: Fix GCC 4.6.0 build error. MIPS: bcm63xx: Fix header_crc comment in bcm963xx_tag.h MIPS: Octeon: Guard the Kconfig body with CPU_CAVIUM_OCTEON MIPS: Octeon: Cleanup Kconfig IRQ_CPU* symbols. MIPS: Rename .data..mostly and properly handle it in linker script MIPS: MSP: Fix build error MIPS: MSP71xx: Fix typo in msp_per_irq_controller MIPS: Loongson: Fix GCC 2.6.0 build error. MIPS: Jazz: Fix GCC 4.6.0 build error ... commit 675badfc48079e94adc55d6bb3557ea6e67bd831 Merge: c269a1b 7ac9565 Author: Linus Torvalds Date: Tue May 10 11:56:35 2011 -0700 Merge branch 'for-linus' of git://oss.sgi.com/xfs/xfs * 'for-linus' of git://oss.sgi.com/xfs/xfs: xfs: fix race condition in AIL push trigger xfs: make AIL target updates and compares 32bit safe. xfs: always push the AIL to the target xfs: exit AIL push work correctly when AIL is empty xfs: ensure reclaim cursor is reset correctly at end of AG commit 780914c3cf691a75a0b7fe89f4466eeff8058165 Author: Manuel Lauss Date: Sat May 7 13:55:19 2011 +0200 MIPS: Alchemy: fix xxs1500 build error This fixes: alchemy/xxs1500/init.c: In function 'prom_init': alchemy/xxs1500/init.c:57:17: error: ignoring return value of 'kstrtoul', declared with attribute warn_unused_result Signed-off-by: Manuel Lauss Cc: Linux-MIPS Patchwork: https://patchwork.linux-mips.org/patch/2340/ Signed-off-by: Ralf Baechle commit 310f1303390758ee7688e350e117a7b50ba5fa05 Author: David Daney Date: Wed Apr 27 16:39:28 2011 -0700 MIPS: Invalidate old TLB mappings when updating huge page PTEs. Without this, stale Icache or TLB entries may be used. Signed-off-by: David Daney To: linux-mips@linux-mips.org https://patchwork.linux-mips.org/patch/2318/ Signed-off-by: Ralf Baechle commit f850548ef88e5ff9e40bae9e1a7140bef0653e6b Author: Wu Zhangjin Date: Sun Apr 24 05:56:59 2011 +0800 MIPS: Hibernation: Fixes for PAGE_SIZE >= 64kb PAGE_SIZE >= 64kb (1 << 16) is too big to be the immediate of the addiu/daddiu instruction, so, use addu/daddu instruction instead. The following compiling error is fixed: AS arch/mips/power/hibernate.o arch/mips/power/hibernate.S: Assembler messages: arch/mips/power/hibernate.S:38: Error: expression out of range make[2]: *** [arch/mips/power/hibernate.o] Error 1 make[1]: *** [arch/mips/power] Error 2 Reported-by: Roman Mamedov Signed-off-by: Wu Zhangjin To: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/2313/ Signed-off-by: Ralf Baechle commit 1e2bbde4afd97b8d6a3f1f6c7bf3b6a9d226ba2e Author: Lars-Peter Clausen Date: Thu Mar 31 20:52:20 2011 +0200 MIPS: JZ4740: Set one-shot feature flag for the clockevent The code for supporting one-shot mode for the clockevent is already there, only the feature flag was not set. Setting the one-shot flag allows the kernel to run in tickless mode. Signed-off-by: Lars-Peter Clausen Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/2261/ Signed-off-by: Ralf Baechle commit aa7ce1c3038814801c5d7712f7403b15fea5d77d Author: Ralf Baechle Date: Mon Apr 18 11:19:32 2011 +0100 MIPS: JZ4740: Export symbols to the watchdog driver module MODPOST 356 modules ERROR: "jz4740_timer_disable_watchdog" [drivers/watchdog/jz4740_wdt.ko] undefine d! ERROR: "jz4740_timer_enable_watchdog" [drivers/watchdog/jz4740_wdt.ko] undefined ! make[1]: *** [__modpost] Error 1 Signed-off-by: Ralf Baechle commit f1b6a5054c5c5c1770863b781de9b721fc99c3e3 Author: Ralf Baechle Date: Mon Apr 18 11:16:42 2011 +0100 MIPS: JZ4740: Fix GCC 4.6.0 build error. CC arch/mips/jz4740/dma.o arch/mips/jz4740/dma.c: In function 'jz4740_dma_chan_irq': arch/mips/jz4740/dma.c:245:11: error: variable 'status' set but not used [-Werro r=unused-but-set-variable] Signed-off-by: Ralf Baechle commit b20bff02b21ac7b725fd09590d5724d306552529 Author: Ralf Baechle Date: Wed Apr 13 23:51:23 2011 +0200 MIPS: Audit: Fix success success argument pass to audit_syscall_exit Signed-off-by: Ralf Baechle commit 893d20fbae483913250a5d8bd9b4ce861a3adf2a Author: Ralf Baechle Date: Wed Apr 13 21:49:54 2011 +0200 MIPS: Fix calc_vmlinuz_load_addr build warnings. HOSTCC arch/mips/boot/compressed/calc_vmlinuz_load_addr arch/mips/boot/compressed/calc_vmlinuz_load_addr.c: In function 'main': arch/mips/boot/compressed/calc_vmlinuz_load_addr.c:35:2: warning: format '%llx' expects type 'long long unsigned int *', but argument 3 has type 'uint64_t *' arch/mips/boot/compressed/calc_vmlinuz_load_addr.c:54:2: warning: format '%llx' expects type 'long long unsigned int', but argument 2 has type 'uint64_t' Signed-off-by: Ralf Baechle commit 403fbdff96057ad312b672408ec676782a802b74 Author: Ralf Baechle Date: Wed Apr 13 21:15:09 2011 +0200 MIPS: Alchemy: Fix GCC 4.6.0 build error. CC arch/mips/alchemy/devboards/db1x00/board_setup.o arch/mips/alchemy/devboards/db1x00/board_setup.c: In function 'board_setup': arch/mips/alchemy/devboards/db1x00/board_setup.c:130:6: error: variable 'pin_func' set but not used [-Werror=unused-but-set-variable] Signed-off-by: Ralf Baechle commit 8bdd51429da5aec173ab6f0e431b13ee6782a888 Author: Ralf Baechle Date: Wed Apr 13 20:50:46 2011 +0200 MIPS: Document former use of timerfd(2) syscall number. Signed-off-by: Ralf Baechle commit e12f47ef1680d8bd6449a8e4e98165d2590617eb Author: Ralf Baechle Date: Mon Apr 11 11:48:31 2011 +0200 MIPS: IP27: Fix GCC 4.6.0 build error. CC arch/mips/sgi-ip27/ip27-hubio.o arch/mips/sgi-ip27/ip27-hubio.c: In function 'hub_pio_map': arch/mips/sgi-ip27/ip27-hubio.c:32:20: error: variable 'junk' set but not used [-Werror=unused-but-set-variable] cc1: all warnings being treated as errors Signed-off-by: Ralf Baechle commit a6ab5ca39404e04d46b1bae133cd059d84926a2d Author: Ralf Baechle Date: Mon Apr 11 11:37:15 2011 +0200 MIPS: IP27: Fix GCC 4.6.0 build error. CC arch/mips/sgi-ip27/ip27-hubio.o arch/mips/sgi-ip27/ip27-hubio.c: In function 'hub_pio_map': arch/mips/sgi-ip27/ip27-hubio.c:32:20: error: variable 'junk' set but not used [-Werror=unused-but-set-variable] cc1: all warnings being treated as errors Signed-off-by: Ralf Baechle commit 7da34c1dac0db934913d0e81d2fd548e4973a326 Author: Jonas Gorski Date: Fri Apr 8 14:32:15 2011 +0200 MIPS: bcm63xx: Fix header_crc comment in bcm963xx_tag.h The CRC32 actually includes the tag_version. Signed-off-by: Jonas Gorski Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/2275/ Signed-off-by: Ralf Baechle commit 23a271ecdf463e5b0198f78b0a0d5763598972b1 Author: David Daney Date: Thu Feb 17 18:23:32 2011 -0800 MIPS: Octeon: Guard the Kconfig body with CPU_CAVIUM_OCTEON Instead of making each Octeon specific option depend on CPU_CAVIUM_OCTEON, gate the body of the entire file with CPU_CAVIUM_OCTEON. With this change, CAVIUM_OCTEON_SPECIFIC_OPTIONS becomes useless, so get rid of it as well. Signed-off-by: David Daney To: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/2091/ Signed-off-by: Ralf Baechle commit e3fb3f27a7600982478e1ec415bf265c744d2ae4 Author: David Daney Date: Thu Feb 17 14:04:33 2011 -0800 MIPS: Octeon: Cleanup Kconfig IRQ_CPU* symbols. Octeon doesn't use IRQ_CPU, so don't select it. IRQ_CPU_OCTEON is a completely unused symbol, remove it completely. Signed-off-by: David Daney To: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/2086/ Signed-off-by: Ralf Baechle commit f8bec75acdadd3a6597fe0acb5c3161b71cc2ea0 Author: Catalin Marinas Date: Tue Mar 29 11:40:06 2011 +0100 MIPS: Rename .data..mostly and properly handle it in linker script Signed-off-by: Ralf Baechle commit 866d7f5622cf5830b085a4471e67d4ed9106cb2e Author: Ralf Baechle Date: Tue Mar 29 16:09:25 2011 +0200 MIPS: MSP: Fix build error Reported and original patch by Yoichi Yuasa . Signed-off-by: Ralf Baechle commit 088a42acc4f0e28fc6d8b823cafb03a00ff61aec Author: Yoichi Yuasa Date: Tue Mar 29 15:53:56 2011 +0900 MIPS: MSP71xx: Fix typo in msp_per_irq_controller CC arch/mips/pmc-sierra/msp71xx/msp_irq_per.o arch/mips/pmc-sierra/msp71xx/msp_irq_per.c:101:2: error: expected identifier before '.' token make[2]: *** [arch/mips/pmc-sierra/msp71xx/msp_irq_per.o] Error 1 Signed-off-by: Yoichi Yuasa Patchwork: https://patchwork.linux-mips.org/patch/2246/ Cc: linux-mips Signed-off-by: Ralf Baechle commit c87444af6fc853dd5571a830efff7e07c46a544e Author: Ralf Baechle Date: Tue Mar 29 12:32:55 2011 +0200 MIPS: Loongson: Fix GCC 2.6.0 build error. CC arch/mips/loongson/common/env.o arch/mips/loongson/common/env.c: In function 'prom_init_env': arch/mips/loongson/common/env.c:50:12: error: variable 'ret' set but not used [-Werror=unused-but-set-variable] arch/mips/loongson/common/env.c:51:12: error: variable 'ret' set but not used [-Werror=unused-but-set-variable] arch/mips/loongson/common/env.c:52:12: error: variable 'ret' set but not used [-Werror=unused-but-set-variable] arch/mips/loongson/common/env.c:53:12: error: variable 'ret' set but not used [-Werror=unused-but-set-variable] cc1: all warnings being treated as errors Signed-off-by: Ralf Baechle commit 84d3b0dbac103fc1b3aff1e71cb723b5456a849c Author: Ralf Baechle Date: Tue Mar 29 12:09:51 2011 +0200 MIPS: Jazz: Fix GCC 4.6.0 build error CC arch/mips/jazz/jazzdma.o arch/mips/jazz/jazzdma.c: In function 'vdma_remap': arch/mips/jazz/jazzdma.c:214:20: error: variable 'npages' set but not used [-Werror=unused-but-set-variable] cc1: all warnings being treated as errors Signed-off-by: Ralf Baechle commit 11b9d0eca559d087f3d49282033f2865cceacedd Author: Ralf Baechle Date: Tue Mar 29 11:57:11 2011 +0200 MIPS: SNI: Fix GCC 4.6.0 build error CC arch/mips/sni/time.o arch/mips/sni/time.c: In function 'dosample': arch/mips/sni/time.c:98:19: error: variable 'lsb' set but not used [-Werror=unused-but-set-variable] cc1: all warnings being treated as errors Signed-off-by: Ralf Baechle commit 6be63bbbdab66b9185dc6f67c8b1bacb6f37f946 Author: Ralf Baechle Date: Tue Mar 29 11:48:22 2011 +0200 MIPS: Malta: Fix GCC 4.6.0 build error CC arch/mips/mti-malta/malta-int.o arch/mips/mti-malta/malta-int.c: In function 'mips_pcibios_iack': arch/mips/mti-malta/malta-int.c:59:6: error: variable 'dummy' set but not used [-Werror=unused-but-set-variable] cc1: all warnings being treated as errors Signed-off-by: Ralf Baechle commit af3a1f6f4813907e143f87030cde67a9971db533 Author: Ralf Baechle Date: Tue Mar 29 11:43:19 2011 +0200 MIPS: Malta: Fix GCC 4.6.0 build error CC arch/mips/mti-malta/malta-init.o arch/mips/mti-malta/malta-init.c: In function 'prom_init': arch/mips/mti-malta/malta-init.c:196:6: error: variable 'result' set but not used [-Werror=unused-but-set-variable] cc1: all warnings being treated as errors Signed-off-by: Ralf Baechle commit 3be1afc8f64742552325d9f03c2b96339e822f9e Author: Ralf Baechle Date: Tue Mar 29 11:06:49 2011 +0200 MIPS: IP22: Fix GCC 4.6.0 build error CC arch/mips/sgi-ip22/ip22-platform.o arch/mips/sgi-ip22/ip22-platform.c: In function 'sgiseeq_devinit': arch/mips/sgi-ip22/ip22-platform.c:135:15: error: variable 'tmp' set but not used [-Werror=unused-but-set-variable] cc1: all warnings being treated as errors While at it rename the variable to pbdma for readability; there is a local variable tmp of different type being used in two nested blocks. Signed-off-by: Ralf Baechle commit 6fd78fc1fa3ed1e70501c978c2d0bef94320252f Author: Ralf Baechle Date: Tue Mar 29 11:00:44 2011 +0200 MIPS: IP22: Fix GCC 4.6.0 build error CC arch/mips/sgi-ip22/ip22-time.o arch/mips/sgi-ip22/ip22-time.c: In function 'dosample': arch/mips/sgi-ip22/ip22-time.c:35:10: error: variable 'lsb' set but not used [-Werror=unused-but-set-variable] cc1: all warnings being treated as errors Signed-off-by: Ralf Baechle commit 4a9040f451c32cd62971ecda1cb5bc4aed444c78 Author: Ralf Baechle Date: Tue Mar 29 10:54:54 2011 +0200 MIPS: tlbex: Fix GCC 4.6.0 build error CC arch/mips/mm/tlbex.o arch/mips/mm/tlbex.c: In function 'build_r4000_tlb_refill_handler': arch/mips/mm/tlbex.c:1155:22: error: variable 'vmalloc_mode' set but not used [-Werror=unused-but-set-variable] arch/mips/mm/tlbex.c:1154:28: error: variable 'htlb_info' set but not used [-Werror=unused-but-set-variable] cc1: all warnings being treated as errors Signed-off-by: Ralf Baechle commit 71271aab8cbdeb9612761db3230fe8dadb9a01c3 Author: Ralf Baechle Date: Tue Mar 29 10:50:38 2011 +0200 MIPS: c-r4k: Fix GCC 4.6.0 build error CC arch/mips/mm/c-r4k.o arch/mips/mm/c-r4k.c: In function 'probe_scache': arch/mips/mm/c-r4k.c:1078:6: error: variable 'tmp' set but not used [-Werror=unused-but-set-variable] cc1: all warnings being treated as errors Older GCC versions didn't warn about the unused variable tmp because it was getting initialized. Signed-off-by: Ralf Baechle commit c54794d19e61472156e37263c074225574c80df1 Author: David Daney Date: Tue Dec 28 13:21:37 2010 -0800 MIPS: Mask jump target in ftrace_dyn_arch_init_insns(). The current code is abusing the uasm interface by passing jump target addresses with high bits set. Mask the addresses to avoid annoying messages at boot time. Signed-off-by: David Daney Cc: Steven Rostedt Cc: Wu Zhangjin Patchwork: https://patchwork.linux-mips.org/patch/1922/ Signed-off-by: Ralf Baechle commit c269a1b2f482b8ad923b0601bb584f6389df5c4c Merge: 622b9f1 349dbc3 Author: Linus Torvalds Date: Tue May 10 09:41:03 2011 -0700 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ryusuke/nilfs2 * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/ryusuke/nilfs2: nilfs2: fix infinite loop in nilfs_palloc_freev function commit 622b9f152447c0fae9662446c948c8ae8f136e1c Merge: 693d92a 3cd7967 Author: Linus Torvalds Date: Tue May 10 09:39:11 2011 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs: net/9p: Handle get_user_pages_fast return properly commit 349dbc3669d043e656f3ed48c7bfe073ca1c6326 Author: Ryusuke Konishi Date: Tue May 10 20:59:34 2011 +0900 nilfs2: fix infinite loop in nilfs_palloc_freev function After having applied commit 9954e7af14868b8b ("nilfs2: add free entries count only if clear bit operation succeeded"), a free routine of nilfs came to fall into an infinite loop, outputting the same message endlessly: nilfs_palloc_freev: entry number 29497 already freed nilfs_palloc_freev: entry number 29497 already freed nilfs_palloc_freev: entry number 29497 already freed nilfs_palloc_freev: entry number 29497 already freed nilfs_palloc_freev: entry number 29497 already freed ... That patch broke the routine so that a loop counter is never updated in an abnormal state. This fixes the regression. Signed-off-by: Ryusuke Konishi commit 93bbce1ad0cd788190dd7d6c17d289f771fe3d0d Author: Pablo Neira Ayuso Date: Tue May 10 12:13:36 2011 +0200 netfilter: revert a2361c8735e07322023aedc36e4938b35af31eb0 This patch reverts a2361c8735e07322023aedc36e4938b35af31eb0: "[PATCH] netfilter: xt_conntrack: warn about use in raw table" Florian Wesphal says: "... when the packet was sent from the local machine the skb already has ->nfct attached, and -m conntrack seems to do the right thing." Acked-by: Jan Engelhardt Reported-by: Florian Wesphal Signed-off-by: Pablo Neira Ayuso commit 1ed2f73d90fb49bcf5704aee7e9084adb882bfc5 Author: Fernando Luis Vazquez Cao Date: Tue May 10 10:00:21 2011 +0200 netfilter: IPv6: fix DSCP mangle code The mask indicates the bits one wants to zero out, so it needs to be inverted before applying to the original TOS field. Signed-off-by: Fernando Luis Vazquez Cao Signed-off-by: Pablo Neira Ayuso commit 4319cc0cf5bb894b7368008cdf6dd20eb8868018 Author: Fernando Luis Vazquez Cao Date: Tue May 10 09:55:44 2011 +0200 netfilter: IPv6: initialize TOS field in REJECT target module The IPv6 header is not zeroed out in alloc_skb so we must initialize it properly unless we want to see IPv6 packets with random TOS fields floating around. The current implementation resets the flow label but this could be changed if deemed necessary. We stumbled upon this issue when trying to apply a mangle rule to the RST packet generated by the REJECT target module. Signed-off-by: Fernando Luis Vazquez Cao Signed-off-by: Pablo Neira Ayuso commit 7a4f0761fce32ff4918a7c23b08db564ad33092d Author: Hans Schillstrom Date: Tue May 3 22:09:31 2011 +0200 IPVS: init and cleanup restructuring DESCRIPTION This patch tries to restore the initial init and cleanup sequences that was before namspace patch. Netns also requires action when net devices unregister which has never been implemented. I.e this patch also covers when a device moves into a network namespace, and has to be released. IMPLEMENTATION The number of calls to register_pernet_device have been reduced to one for the ip_vs.ko Schedulers still have their own calls. This patch adds a function __ip_vs_service_cleanup() and an enable flag for the netfilter hooks. The nf hooks will be enabled when the first service is loaded and never disabled again, except when a namespace exit starts. Signed-off-by: Hans Schillstrom Acked-by: Julian Anastasov [horms@verge.net.au: minor edit to changelog] Signed-off-by: Simon Horman commit 1ae132b0347907ac95b8bc9dba37934f59d2a508 Author: Hans Schillstrom Date: Tue May 3 22:09:30 2011 +0200 IPVS: Change of socket usage to enable name space exit. If the sync daemons run in a name space while it crashes or get killed, there is no way to stop them except for a reboot. When all patches are there, ip_vs_core will handle register_pernet_(), i.e. ip_vs_sync_init() and ip_vs_sync_cleanup() will be removed. Kernel threads should not increment the use count of a socket. By calling sk_change_net() after creating a socket this is avoided. sock_release cant be used intead sk_release_kernel() should be used. Thanks Eric W Biederman for your advices. Signed-off-by: Hans Schillstrom [horms@verge.net.au: minor edit to changelog] Signed-off-by: Simon Horman commit 103a9778e07bcc0cd34b5c35a87281454eec719e Author: Florian Westphal Date: Thu Apr 21 10:58:25 2011 +0200 netfilter: ebtables: only call xt_compat_add_offset once per rule The optimizations in commit 255d0dc34068a976 (netfilter: x_table: speedup compat operations) assume that xt_compat_add_offset is called once per rule. ebtables however called it for each match/target found in a rule. The match/watcher/target parser already returns the needed delta, so it is sufficient to move the xt_compat_add_offset call to a more reasonable location. While at it, also get rid of the unused COMPAT iterator macros. Signed-off-by: Florian Westphal Signed-off-by: Patrick McHardy commit 5a6351eecf8c87afed9c883bb6341d09406d74ba Author: Eric Dumazet Date: Thu Apr 21 10:57:21 2011 +0200 netfilter: fix ebtables compat support commit 255d0dc34068a976 (netfilter: x_table: speedup compat operations) made ebtables not working anymore. 1) xt_compat_calc_jump() is not an exact match lookup 2) compat_table_info() has a typo in xt_compat_init_offsets() call 3) compat_do_replace() misses a xt_compat_init_offsets() call Reported-by: dann frazier Signed-off-by: Eric Dumazet Signed-off-by: Patrick McHardy commit 315c34dae0069d0c67abd714bb846cd466289c7f Author: Pablo Neira Ayuso Date: Thu Apr 21 10:55:07 2011 +0200 netfilter: ctnetlink: fix timestamp support for new conntracks This patch fixes the missing initialization of the start time if the timestamp support is enabled. libnetfilter_conntrack/utils# conntrack -E & libnetfilter_conntrack/utils# ./conntrack_create tcp 6 109 ESTABLISHED src=1.1.1.1 dst=2.2.2.2 sport=1025 dport=21 packets=0 bytes=0 [UNREPLIED] src=2.2.2.2 dst=1.1.1.1 sport=21 dport=1025 packets=0 bytes=0 mark=0 delta-time=1303296401 use=2 Signed-off-by: Pablo Neira Ayuso Signed-off-by: Patrick McHardy commit 3cd7967825a2b3926dc96ae566d986c4420919f7 Author: M. Mohan Kumar Date: Fri Apr 15 13:59:33 2011 +0530 net/9p: Handle get_user_pages_fast return properly Use proper data type to handle get_user_pages_fast error condition. Also do not treat EFAULT error as fatal. Signed-off-by: M. Mohan Kumar Signed-off-by: Venkateswararao Jujjuri Signed-off-by: Eric Van Hensbergen commit 7ac956576d0ce8f97450a39c2f304db8eea01647 Author: Dave Chinner Date: Fri May 6 02:54:08 2011 +0000 xfs: fix race condition in AIL push trigger The recent conversion of the xfsaild functionality to a work queue introduced a hard-to-hit log space grant hang. One is caused by a race condition in determining whether there is a psh in progress or not. The XFS_AIL_PUSHING_BIT is used to determine whether a push is currently in progress. When the AIL push work completes, it checked whether the target changed and cleared the PUSHING bit to allow a new push to be requeued. The race condition is as follows: Thread 1 push work smp_wmb() smp_rmb() check ailp->xa_target unchanged update ailp->xa_target test/set PUSHING bit does not queue clear PUSHING bit does not requeue Now that the push target is updated, new attempts to push the AIL will not trigger as the push target will be the same, and hence despite trying to push the AIL we won't ever wake it again. The fix is to ensure that the AIL push work clears the PUSHING bit before it checks if the target is unchanged. As a result, both push triggers operate on the same test/set bit criteria, so even if we race in the push work and miss the target update, the thread requesting the push will still set the PUSHING bit and queue the push work to occur. For safety sake, the same queue check is done if the push work detects the target change, though only one of the two will will queue new work due to the use of test_and_set_bit() checks. Signed-off-by: Dave Chinner Reviewed-by: Christoph Hellwig Reviewed-by: Alex Elder (cherry picked from commit e4d3c4a43b595d5124ae824d300626e6489ae857) commit fe0da767311933d1c1907cb8d326beea7a3cbd9c Author: Dave Chinner Date: Fri May 6 02:54:07 2011 +0000 xfs: make AIL target updates and compares 32bit safe. The recent conversion of the xfsaild functionality to a work queue introduced a hard-to-hit log space grant hang. One of the problems noticed was that updates of the push target are not 32 bit safe as the target is a 64 bit value. We cannot copy a 64 bit LSN without the possibility of corrupting the result when racing with another updating thread. We have function to do this update safely without needing to care about 32/64 bit issues - xfs_trans_ail_copy_lsn() - so use that when updating the AIL push target. Also move the reading of the target in the push work inside the AIL lock, and use XFS_LSN_CMP() for the unlocked comparison during work termination to close read holes as well. Signed-off-by: Dave Chinner Reviewed-by: Christoph Hellwig Reviewed-by: Alex Elder (cherry picked from commit fd5670f22fce247754243cf2ed41941e5762d990) commit 50e86686dfb287d720af8b0f977202d205c04215 Author: Dave Chinner Date: Fri May 6 02:54:06 2011 +0000 xfs: always push the AIL to the target The recent conversion of the xfsaild functionality to a work queue introduced a hard-to-hit log space grant hang. One of the problems discovered is a target mismatch between the item pushing loop and the target itself. The push trigger checks for the target increasing (i.e. new target > current) while the push loop only pushes items that have a LSN < current. As a result, we can get the situation where the push target is X, the items at the tail of the AIL have LSN X and they don't get pushed. The push work then completes thinking it is done, and cannot be restarted until the push target increases to >= X + 1. If the push target then never increases (because the tail is not moving), then we never run the push work again and we stall. Fix it by making sure log items with a LSN that matches the target exactly are pushed during the loop. Signed-off-by: Dave Chinner Reviewed-by: Christoph Hellwig Reviewed-by: Alex Elder (cherry picked from commit cb64026b6e8af50db598ec7c3f59d504259b00bb) commit 9e7004e741de0b2daabbbadafbaf11ff1a94e00c Author: Dave Chinner Date: Fri May 6 02:54:05 2011 +0000 xfs: exit AIL push work correctly when AIL is empty The recent conversion of the xfsaild functionality to a work queue introduced a hard-to-hit log space grant hang. The main cause is a regression where a work exit path fails to clear the PUSHING state and recheck the target correctly. Make both exit paths do the same PUSHING bit clearing and target checking when the "no more work to be done" condition is hit. Signed-off-by: Dave Chinner Reviewed-by: Christoph Hellwig Reviewed-by: Alex Elder (cherry picked from commit ea35a20021f8497390d05b93271b4d675516c654) commit 228d62dd3f74734b9801c789b5addc57fdfc208f Author: Dave Chinner Date: Fri May 6 02:54:04 2011 +0000 xfs: ensure reclaim cursor is reset correctly at end of AG On a 32 bit highmem PowerPC machine, the XFS inode cache was growing without bound and exhausting low memory causing the OOM killer to be triggered. After some effort, the problem was reproduced on a 32 bit x86 highmem machine. The problem is that the per-ag inode reclaim index cursor was not getting reset to the start of the AG if the radix tree tag lookup found no more reclaimable inodes. Hence every further reclaim attempt started at the same index beyond where any reclaimable inodes lay, and no further background reclaim ever occurred from the AG. Without background inode reclaim the VM driven cache shrinker simply cannot keep up with cache growth, and OOM is the result. While the change that exposed the problem was the conversion of the inode reclaim to use work queues for background reclaim, it was not the cause of the bug. The bug was introduced when the cursor code was added, just waiting for some weird configuration to strike.... Signed-off-by: Dave Chinner Tested-By: Christian Kujau Reviewed-by: Christoph Hellwig Reviewed-by: Alex Elder (cherry picked from commit b223221956675ce8a7b436d198ced974bb388571) commit b0e6baf5619a6fa3eaf43b55fdb4daa362c3c916 Author: Tomoya Date: Mon May 9 01:19:37 2011 +0000 pch_gbe: support ML7223 IOH Support new device OKI SEMICONDUCTOR ML7223 IOH(Input/Output Hub). The ML7223 IOH is for MP(Media Phone) use. The ML7223 is companion chip for Intel Atom E6xx series. The ML7223 is completely compatible for Intel EG20T PCH. Signed-off-by: Tomoya MORINAGA Signed-off-by: David S. Miller commit 5d05a04d283061b586e8dc819cfa6f4b8cfd5948 Author: Toshiharu Okada Date: Fri May 6 02:53:56 2011 +0000 PCH_GbE : Fixed the issue of checksum judgment The checksum judgment was mistaken. Judgment result 0:Correct 1:Wrong This patch fixes the issue. Signed-off-by: Toshiharu Okada Signed-off-by: David S. Miller commit ce3dad0f74e6b240f0b1dedbd8ea268a3f298d82 Author: Toshiharu Okada Date: Fri May 6 02:53:51 2011 +0000 PCH_GbE : Fixed the issue of collision detection The collision detection setting was invalid. When collision occurred, because data was not resent, there was an issue to which a transmitting throughput falls. This patch enables the collision detection. Signed-off-by: Toshiharu Okada Signed-off-by: David S. Miller commit 057bef938896e6266ae24ec4266d24792d27c29a Author: Matvejchikov Ilya Date: Fri May 6 06:23:09 2011 +0000 NET: slip, fix ldisc->open retval TTY layer expects 0 if the ldisc->open operation succeeded. Signed-off-by : Matvejchikov Ilya Acked-by: Oliver Hartkopp Acked-by: Alan Cox Signed-off-by: David S. Miller commit 6709d9521df05c105343473ab8b147e2ef1e13d8 Author: Somnath Kotur Date: Wed May 4 22:40:46 2011 +0000 be2net: Fixed bugs related to PVID. Fixed bug to make sure 'pvid' retrieval will work on big endian hosts. Fixed incorrect comparison between the Rx Completion's 16-bit VLAN TCI and the PVID. Now comparing only the relevant 12 bits corresponding to the VID. Renamed 'vid' field under Rx Completion to 'vlan_tag' to reflect accurate description. Signed-off-by: Somnath Kotur Signed-off-by: David S. Miller commit dcbe14b91a920657ff3a9ba0efb7c5b5562f956a Author: Kleber Sacilotto de Souza Date: Wed May 4 13:05:11 2011 +0000 ehea: fix wrongly reported speed and port Currently EHEA reports to ethtool as supporting 10M, 100M, 1G and 10G and connected to FIBRE independent of the hardware configuration. However, when connected to FIBRE the only supported speed is 10G full-duplex, and the other speeds and modes are only supported when connected to twisted pair. Signed-off-by: Kleber Sacilotto de Souza Acked-by: Breno Leitao Signed-off-by: David S. Miller commit b9f47a3aaeabdce3b42829bbb27765fa340f76ba Author: stephen hemminger Date: Wed May 4 10:04:56 2011 +0000 tcp_cubic: limit delayed_ack ratio to prevent divide error TCP Cubic keeps a metric that estimates the amount of delayed acknowledgements to use in adjusting the window. If an abnormally large number of packets are acknowledged at once, then the update could wrap and reach zero. This kind of ACK could only happen when there was a large window and huge number of ACK's were lost. This patch limits the value of delayed ack ratio. The choice of 32 is just a conservative value since normally it should be range of 1 to 4 packets. Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller commit 9c412942a0bb19ba18f7bd939d42eff1e132a901 Author: Ben Hutchings Date: Tue May 3 07:49:25 2011 +0000 ipheth: Properly distinguish length and alignment in URBs and skbs The USB protocol this driver implements appears to require 2 bytes of padding in front of each received packet. This used to be equal to the value of NET_IP_ALIGN on x86, so the driver abused that constant and mostly worked, but this is no longer the case. The driver also mixed up the URB and packet lengths, resulting in 2 bytes of junk at the end of the skb. Introduce a private constant for the 2 bytes of padding; fix this confusion and check for the under-length case. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller commit e328d410826d52e9ee348aff9064c4a207f2adb1 Author: Roland Dreier Date: Fri May 6 08:32:53 2011 +0000 vmxnet3: Consistently disable irqs when taking adapter->cmd_lock Using the vmxnet3 driver produces a lockdep warning because vmxnet3_set_mc(), which is called with mc->mca_lock held, takes adapter->cmd_lock. However, there are a couple of places where adapter->cmd_lock is taken with softirqs enabled, lockdep warns that a softirq that tries to take mc->mca_lock could happen while adapter->cmd_lock is held, leading to an AB-BA deadlock. I'm not sure if this is a real potential deadlock or not, but the simplest and best fix seems to be simply to make sure we take cmd_lock with spin_lock_irqsave() everywhere -- the places with plain spin_lock just look like oversights. The full enormous lockdep warning is: ========================================================= [ INFO: possible irq lock inversion dependency detected ] 2.6.39-rc6+ #1 --------------------------------------------------------- ifconfig/567 just changed the state of lock: (&(&mc->mca_lock)->rlock){+.-...}, at: [] mld_ifc_timer_expire+0xff/0x280 but this lock took another, SOFTIRQ-unsafe lock in the past: (&(&adapter->cmd_lock)->rlock){+.+...} and interrupts could create inverse lock ordering between them. other info that might help us debug this: 4 locks held by ifconfig/567: #0: (rtnl_mutex){+.+.+.}, at: [] rtnl_lock+0x17/0x20 #1: ((inetaddr_chain).rwsem){.+.+.+}, at: [] __blocking_notifier_call_chain+0x5f/0xb0 #2: (&idev->mc_ifc_timer){+.-...}, at: [] run_timer_softirq+0xeb/0x3f0 #3: (&ndev->lock){++.-..}, at: [] mld_ifc_timer_expire+0x32/0x280 the shortest dependencies between 2nd lock and 1st lock: -> (&(&adapter->cmd_lock)->rlock){+.+...} ops: 11 { HARDIRQ-ON-W at: [] __lock_acquire+0x7f6/0x1e10 [] lock_acquire+0x9d/0x130 [] _raw_spin_lock+0x36/0x70 [] vmxnet3_alloc_intr_resources+0x22/0x230 [vmxnet3] [] vmxnet3_probe_device+0x5f6/0x15c5 [vmxnet3] [] local_pci_probe+0x5f/0xd0 [] pci_device_probe+0x119/0x120 [] driver_probe_device+0x96/0x1c0 [] __driver_attach+0xab/0xb0 [] bus_for_each_dev+0x5e/0x90 [] driver_attach+0x1e/0x20 [] bus_add_driver+0xc8/0x290 [] driver_register+0x76/0x140 [] __pci_register_driver+0x66/0xe0 [] serio_raw_poll+0x3a/0x60 [serio_raw] [] do_one_initcall+0x45/0x190 [] sys_init_module+0xfb/0x250 [] system_call_fastpath+0x16/0x1b SOFTIRQ-ON-W at: [] __lock_acquire+0x827/0x1e10 [] lock_acquire+0x9d/0x130 [] _raw_spin_lock+0x36/0x70 [] vmxnet3_alloc_intr_resources+0x22/0x230 [vmxnet3] [] vmxnet3_probe_device+0x5f6/0x15c5 [vmxnet3] [] local_pci_probe+0x5f/0xd0 [] pci_device_probe+0x119/0x120 [] driver_probe_device+0x96/0x1c0 [] __driver_attach+0xab/0xb0 [] bus_for_each_dev+0x5e/0x90 [] driver_attach+0x1e/0x20 [] bus_add_driver+0xc8/0x290 [] driver_register+0x76/0x140 [] __pci_register_driver+0x66/0xe0 [] serio_raw_poll+0x3a/0x60 [serio_raw] [] do_one_initcall+0x45/0x190 [] sys_init_module+0xfb/0x250 [] system_call_fastpath+0x16/0x1b INITIAL USE at: [] __lock_acquire+0x459/0x1e10 [] lock_acquire+0x9d/0x130 [] _raw_spin_lock+0x36/0x70 [] vmxnet3_alloc_intr_resources+0x22/0x230 [vmxnet3] [] vmxnet3_probe_device+0x5f6/0x15c5 [vmxnet3] [] local_pci_probe+0x5f/0xd0 [] pci_device_probe+0x119/0x120 [] driver_probe_device+0x96/0x1c0 [] __driver_attach+0xab/0xb0 [] bus_for_each_dev+0x5e/0x90 [] driver_attach+0x1e/0x20 [] bus_add_driver+0xc8/0x290 [] driver_register+0x76/0x140 [] __pci_register_driver+0x66/0xe0 [] serio_raw_poll+0x3a/0x60 [serio_raw] [] do_one_initcall+0x45/0x190 [] sys_init_module+0xfb/0x250 [] system_call_fastpath+0x16/0x1b } ... key at: [] __key.42516+0x0/0xffffffffffffda70 [vmxnet3] ... acquired at: [] lock_acquire+0x9d/0x130 [] _raw_spin_lock_irqsave+0x55/0xa0 [] vmxnet3_set_mc+0x97/0x1a0 [vmxnet3] [] __dev_set_rx_mode+0x40/0xb0 [] dev_set_rx_mode+0x30/0x50 [] __dev_open+0xc7/0x100 [] __dev_change_flags+0xa1/0x180 [] dev_change_flags+0x28/0x70 [] devinet_ioctl+0x730/0x800 [] inet_ioctl+0x88/0xa0 [] sock_do_ioctl+0x30/0x70 [] sock_ioctl+0x79/0x2f0 [] do_vfs_ioctl+0x98/0x570 [] sys_ioctl+0x91/0xa0 [] system_call_fastpath+0x16/0x1b -> (_xmit_ETHER){+.....} ops: 6 { HARDIRQ-ON-W at: [] __lock_acquire+0x7f6/0x1e10 [] lock_acquire+0x9d/0x130 [] _raw_spin_lock_bh+0x3b/0x70 [] __dev_mc_add+0x38/0x90 [] dev_mc_add+0x10/0x20 [] igmp6_group_added+0x10e/0x1b0 [] ipv6_dev_mc_inc+0x2cd/0x430 [] ipv6_add_dev+0x357/0x450 [] addrconf_notify+0x2f7/0xb10 [] notifier_call_chain+0x8c/0xc0 [] raw_notifier_call_chain+0x16/0x20 [] call_netdevice_notifiers+0x37/0x70 [] register_netdevice+0x244/0x2d0 [] register_netdev+0x3f/0x60 [] vmxnet3_probe_device+0x760/0x15c5 [vmxnet3] [] local_pci_probe+0x5f/0xd0 [] pci_device_probe+0x119/0x120 [] driver_probe_device+0x96/0x1c0 [] __driver_attach+0xab/0xb0 [] bus_for_each_dev+0x5e/0x90 [] driver_attach+0x1e/0x20 [] bus_add_driver+0xc8/0x290 [] driver_register+0x76/0x140 [] __pci_register_driver+0x66/0xe0 [] serio_raw_poll+0x3a/0x60 [serio_raw] [] do_one_initcall+0x45/0x190 [] sys_init_module+0xfb/0x250 [] system_call_fastpath+0x16/0x1b INITIAL USE at: [] __lock_acquire+0x459/0x1e10 [] lock_acquire+0x9d/0x130 [] _raw_spin_lock_bh+0x3b/0x70 [] __dev_mc_add+0x38/0x90 [] dev_mc_add+0x10/0x20 [] igmp6_group_added+0x10e/0x1b0 [] ipv6_dev_mc_inc+0x2cd/0x430 [] ipv6_add_dev+0x357/0x450 [] addrconf_notify+0x2f7/0xb10 [] notifier_call_chain+0x8c/0xc0 [] raw_notifier_call_chain+0x16/0x20 [] call_netdevice_notifiers+0x37/0x70 [] register_netdevice+0x244/0x2d0 [] register_netdev+0x3f/0x60 [] vmxnet3_probe_device+0x760/0x15c5 [vmxnet3] [] local_pci_probe+0x5f/0xd0 [] pci_device_probe+0x119/0x120 [] driver_probe_device+0x96/0x1c0 [] __driver_attach+0xab/0xb0 [] bus_for_each_dev+0x5e/0x90 [] driver_attach+0x1e/0x20 [] bus_add_driver+0xc8/0x290 [] driver_register+0x76/0x140 [] __pci_register_driver+0x66/0xe0 [] serio_raw_poll+0x3a/0x60 [serio_raw] [] do_one_initcall+0x45/0x190 [] sys_init_module+0xfb/0x250 [] system_call_fastpath+0x16/0x1b } ... key at: [] netdev_addr_lock_key+0x8/0x1e0 ... acquired at: [] lock_acquire+0x9d/0x130 [] _raw_spin_lock_bh+0x3b/0x70 [] __dev_mc_add+0x38/0x90 [] dev_mc_add+0x10/0x20 [] igmp6_group_added+0x10e/0x1b0 [] ipv6_dev_mc_inc+0x2cd/0x430 [] ipv6_add_dev+0x357/0x450 [] addrconf_notify+0x2f7/0xb10 [] notifier_call_chain+0x8c/0xc0 [] raw_notifier_call_chain+0x16/0x20 [] call_netdevice_notifiers+0x37/0x70 [] register_netdevice+0x244/0x2d0 [] register_netdev+0x3f/0x60 [] vmxnet3_probe_device+0x760/0x15c5 [vmxnet3] [] local_pci_probe+0x5f/0xd0 [] pci_device_probe+0x119/0x120 [] driver_probe_device+0x96/0x1c0 [] __driver_attach+0xab/0xb0 [] bus_for_each_dev+0x5e/0x90 [] driver_attach+0x1e/0x20 [] bus_add_driver+0xc8/0x290 [] driver_register+0x76/0x140 [] __pci_register_driver+0x66/0xe0 [] serio_raw_poll+0x3a/0x60 [serio_raw] [] do_one_initcall+0x45/0x190 [] sys_init_module+0xfb/0x250 [] system_call_fastpath+0x16/0x1b -> (&(&mc->mca_lock)->rlock){+.-...} ops: 6 { HARDIRQ-ON-W at: [] __lock_acquire+0x7f6/0x1e10 [] lock_acquire+0x9d/0x130 [] _raw_spin_lock_bh+0x3b/0x70 [] igmp6_group_added+0x45/0x1b0 [] ipv6_dev_mc_inc+0x2cd/0x430 [] ipv6_add_dev+0x357/0x450 [] addrconf_init+0x4e/0x183 [] inet6_init+0x191/0x2a6 [] do_one_initcall+0x45/0x190 [] kernel_init+0xe3/0x168 [] kernel_thread_helper+0x4/0x10 IN-SOFTIRQ-W at: [] __lock_acquire+0x7ce/0x1e10 [] lock_acquire+0x9d/0x130 [] _raw_spin_lock_bh+0x3b/0x70 [] mld_ifc_timer_expire+0xff/0x280 [] run_timer_softirq+0x179/0x3f0 [] __do_softirq+0xc0/0x210 [] call_softirq+0x1c/0x30 [] do_softirq+0xad/0xe0 [] irq_exit+0x9e/0xb0 [] smp_apic_timer_interrupt+0x70/0x9b [] apic_timer_interrupt+0x13/0x20 [] rt_do_flush+0x87/0x2a0 [] rt_cache_flush+0x46/0x60 [] fib_disable_ip+0x40/0x60 [] fib_inetaddr_event+0xd7/0xe0 [] notifier_call_chain+0x8c/0xc0 [] __blocking_notifier_call_chain+0x78/0xb0 [] blocking_notifier_call_chain+0x16/0x20 [] __inet_del_ifa+0xf1/0x2e0 [] inet_del_ifa+0x13/0x20 [] devinet_ioctl+0x501/0x800 [] inet_ioctl+0x88/0xa0 [] sock_do_ioctl+0x30/0x70 [] sock_ioctl+0x79/0x2f0 [] do_vfs_ioctl+0x98/0x570 [] sys_ioctl+0x91/0xa0 [] system_call_fastpath+0x16/0x1b INITIAL USE at: [] __lock_acquire+0x459/0x1e10 [] lock_acquire+0x9d/0x130 [] _raw_spin_lock_bh+0x3b/0x70 [] igmp6_group_added+0x45/0x1b0 [] ipv6_dev_mc_inc+0x2cd/0x430 [] ipv6_add_dev+0x357/0x450 [] addrconf_init+0x4e/0x183 [] inet6_init+0x191/0x2a6 [] do_one_initcall+0x45/0x190 [] kernel_init+0xe3/0x168 [] kernel_thread_helper+0x4/0x10 } ... key at: [] __key.40877+0x0/0x8 ... acquired at: [] check_usage_forwards+0x9c/0x110 [] mark_lock+0x19c/0x400 [] __lock_acquire+0x7ce/0x1e10 [] lock_acquire+0x9d/0x130 [] _raw_spin_lock_bh+0x3b/0x70 [] mld_ifc_timer_expire+0xff/0x280 [] run_timer_softirq+0x179/0x3f0 [] __do_softirq+0xc0/0x210 [] call_softirq+0x1c/0x30 [] do_softirq+0xad/0xe0 [] irq_exit+0x9e/0xb0 [] smp_apic_timer_interrupt+0x70/0x9b [] apic_timer_interrupt+0x13/0x20 [] rt_do_flush+0x87/0x2a0 [] rt_cache_flush+0x46/0x60 [] fib_disable_ip+0x40/0x60 [] fib_inetaddr_event+0xd7/0xe0 [] notifier_call_chain+0x8c/0xc0 [] __blocking_notifier_call_chain+0x78/0xb0 [] blocking_notifier_call_chain+0x16/0x20 [] __inet_del_ifa+0xf1/0x2e0 [] inet_del_ifa+0x13/0x20 [] devinet_ioctl+0x501/0x800 [] inet_ioctl+0x88/0xa0 [] sock_do_ioctl+0x30/0x70 [] sock_ioctl+0x79/0x2f0 [] do_vfs_ioctl+0x98/0x570 [] sys_ioctl+0x91/0xa0 [] system_call_fastpath+0x16/0x1b stack backtrace: Pid: 567, comm: ifconfig Not tainted 2.6.39-rc6+ #1 Call Trace: [] print_irq_inversion_bug+0x146/0x170 [] ? print_irq_inversion_bug+0x170/0x170 [] check_usage_forwards+0x9c/0x110 [] mark_lock+0x19c/0x400 [] __lock_acquire+0x7ce/0x1e10 [] ? mark_lock+0x1f3/0x400 [] ? __lock_acquire+0xf07/0x1e10 [] ? native_sched_clock+0x15/0x70 [] lock_acquire+0x9d/0x130 [] ? mld_ifc_timer_expire+0xff/0x280 [] ? lock_release_holdtime+0x3d/0x1a0 [] _raw_spin_lock_bh+0x3b/0x70 [] ? mld_ifc_timer_expire+0xff/0x280 [] ? _raw_spin_unlock+0x2b/0x40 [] mld_ifc_timer_expire+0xff/0x280 [] run_timer_softirq+0x179/0x3f0 [] ? run_timer_softirq+0xeb/0x3f0 [] ? sched_clock+0x9/0x10 [] ? mld_gq_timer_expire+0x30/0x30 [] __do_softirq+0xc0/0x210 [] ? tick_program_event+0x1f/0x30 [] call_softirq+0x1c/0x30 [] do_softirq+0xad/0xe0 [] irq_exit+0x9e/0xb0 [] smp_apic_timer_interrupt+0x70/0x9b [] apic_timer_interrupt+0x13/0x20 [] ? retint_restore_args+0x13/0x13 [] ? lock_is_held+0x17/0xd0 [] rt_do_flush+0x87/0x2a0 [] rt_cache_flush+0x46/0x60 [] fib_disable_ip+0x40/0x60 [] fib_inetaddr_event+0xd7/0xe0 [] notifier_call_chain+0x8c/0xc0 [] __blocking_notifier_call_chain+0x78/0xb0 [] blocking_notifier_call_chain+0x16/0x20 [] __inet_del_ifa+0xf1/0x2e0 [] inet_del_ifa+0x13/0x20 [] devinet_ioctl+0x501/0x800 [] ? local_clock+0x6f/0x80 [] ? do_page_fault+0x268/0x560 [] inet_ioctl+0x88/0xa0 [] sock_do_ioctl+0x30/0x70 [] sock_ioctl+0x79/0x2f0 [] ? __call_rcu+0xa7/0x190 [] do_vfs_ioctl+0x98/0x570 [] ? fget_light+0x33e/0x430 [] ? retint_swapgs+0x13/0x1b [] sys_ioctl+0x91/0xa0 [] system_call_fastpath+0x16/0x1b Signed-off-by: Roland Dreier Signed-off-by: Shreyas N Bhatewara Signed-off-by: Scott J. Goldman Signed-off-by: David S. Miller commit a294865978b701e4d0d90135672749531b9a900d Author: Dan Rosenberg Date: Fri May 6 03:27:18 2011 +0000 dccp: handle invalid feature options length A length of zero (after subtracting two for the type and len fields) for the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to the subtraction. The subsequent code may read past the end of the options value buffer when parsing. I'm unsure of what the consequences of this might be, but it's probably not good. Signed-off-by: Dan Rosenberg Cc: stable@kernel.org Acked-by: Gerrit Renker Signed-off-by: David S. Miller commit 87e9af6cc67d842cd92b52b81f3f14e665e7ab05 Author: Kurt Van Dijck Date: Mon May 2 04:50:48 2011 +0000 can: fix SJA1000 dlc for RTR packets RTR frames do have a valid data length code on CAN. The driver for SJA1000 did not handle that situation properly. Signed-off-by: Kurt Van Dijck Acked-by: Marc Kleine-Budde Signed-off-by: David S. Miller commit 75bd0cbdc21d80859c80bdd5dd00125c1a3ccbca Author: Ming Lei Date: Thu Apr 28 22:37:09 2011 +0000 usbnet: runtime pm: fix out of memory This patch makes use of the EVENT_DEV_OPEN flag introduced recently to fix one out of memory issue, which can be reproduced on omap3/4 based pandaboard/beagle XM easily with steps below: - enable runtime pm echo auto > /sys/devices/platform/usbhs-omap.0/ehci-omap.0/usb1/1-1/1-1.1/power/control - ifconfig eth0 up - then out of memroy happened, see [1] for kernel message. Follows my analysis: - 'ifconfig eth0 up' brings eth0 out of suspend, and usbnet_resume is called to schedule dev->bh, then rx urbs are submited to prepare for recieving data; - some usbnet devices will produce garbage rx packets flood if info->reset is not called in usbnet_open. - so there is no enough chances for usbnet_bh to handle and release recieved skb buffers since many rx interrupts consumes cpu, so out of memory for atomic allocation in rx_submit happened. This patch fixes the issue by simply not allowing schedule of usbnet_bh until device is opened. [1], dmesg [ 234.712005] smsc95xx 1-1.1:1.0: rpm_resume flags 0x4 [ 234.712066] usb 1-1.1: rpm_resume flags 0x0 [ 234.712066] usb 1-1: rpm_resume flags 0x0 [ 234.712097] usb usb1: rpm_resume flags 0x0 [ 234.712127] usb usb1: usb auto-resume [ 234.712158] ehci-omap ehci-omap.0: resume root hub [ 234.754028] hub 1-0:1.0: hub_resume [ 234.754821] hub 1-0:1.0: port 1: status 0507 change 0000 [ 234.756011] hub 1-0:1.0: state 7 ports 3 chg 0000 evt 0000 [ 234.756042] hub 1-0:1.0: rpm_resume flags 0x4 [ 234.756072] usb usb1: rpm_resume flags 0x0 [ 234.756164] usb usb1: rpm_resume returns 1 [ 234.756195] hub 1-0:1.0: rpm_resume returns 0 [ 234.756195] hub 1-0:1.0: rpm_suspend flags 0x4 [ 234.756225] hub 1-0:1.0: rpm_suspend returns 0 [ 234.756256] usb usb1: rpm_resume returns 0 [ 234.757141] usb 1-1: usb auto-resume [ 234.793151] ehci-omap ehci-omap.0: GetStatus port:1 status 001005 0 ACK POWER sig=se0 PE CONNECT [ 234.816558] usb 1-1: finish resume [ 234.817871] hub 1-1:1.0: hub_resume [ 234.818420] hub 1-1:1.0: port 1: status 0507 change 0000 [ 234.820495] ehci-omap ehci-omap.0: reused qh eec50220 schedule [ 234.820495] usb 1-1: link qh256-0001/eec50220 start 1 [1/0 us] [ 234.820587] usb 1-1: rpm_resume returns 0 [ 234.820800] hub 1-1:1.0: state 7 ports 5 chg 0000 evt 0000 [ 234.820800] hub 1-1:1.0: rpm_resume flags 0x4 [ 234.820831] hub 1-1:1.0: rpm_resume returns 0 [ 234.820861] hub 1-1:1.0: rpm_suspend flags 0x4 [ 234.820861] hub 1-1:1.0: rpm_suspend returns 0 [ 234.821777] usb 1-1.1: usb auto-resume [ 234.868591] hub 1-1:1.0: state 7 ports 5 chg 0000 evt 0002 [ 234.868591] hub 1-1:1.0: rpm_resume flags 0x4 [ 234.868621] hub 1-1:1.0: rpm_resume returns 0 [ 234.868652] hub 1-1:1.0: rpm_suspend flags 0x4 [ 234.868652] hub 1-1:1.0: rpm_suspend returns 0 [ 234.879486] usb 1-1.1: finish resume [ 234.880279] usb 1-1.1: rpm_resume returns 0 [ 234.880310] smsc95xx 1-1.1:1.0: rpm_resume returns 0 [ 238.880187] ksoftirqd/0: page allocation failure. order:0, mode:0x20 [ 238.880218] Backtrace: [ 238.880249] [] (dump_backtrace+0x0/0xf8) from [] (dump_stack+0x18/0x1c) [ 238.880249] r6:00000000 r5:00000000 r4:00000020 r3:00000002 [ 238.880310] [] (dump_stack+0x0/0x1c) from [] (__alloc_pages_nodemask+0x620/0x724) [ 238.880340] [] (__alloc_pages_nodemask+0x0/0x724) from [] (kmem_getpages.clone.34+0x34/0xc8) [ 238.880371] [] (kmem_getpages.clone.34+0x0/0xc8) from [] (cache_grow.clone.42+0x84/0x154) [ 238.880371] r6:ef871aa4 r5:ef871a80 r4:ef81fd40 r3:00000020 [ 238.880401] [] (cache_grow.clone.42+0x0/0x154) from [] (cache_alloc_refill+0x19c/0x1f0) [ 238.880432] [] (cache_alloc_refill+0x0/0x1f0) from [] (kmem_cache_alloc+0x90/0x190) [ 238.880462] [] (kmem_cache_alloc+0x0/0x190) from [] (__alloc_skb+0x34/0xe8) [ 238.880493] [] (__alloc_skb+0x0/0xe8) from [] (rx_submit+0x2c/0x1d4 [usbnet]) [ 238.880523] [] (rx_submit+0x0/0x1d4 [usbnet]) from [] (rx_complete+0x19c/0x1b0 [usbnet]) [ 238.880737] [] (rx_complete+0x0/0x1b0 [usbnet]) from [] (usb_hcd_giveback_urb+0xa8/0xf4 [usbcore]) [ 238.880737] r8:eeeced34 r7:eeecec00 r6:eeecec00 r5:00000000 r4:eec2dd20 [ 238.880767] r3:bf050b9c [ 238.880859] [] (usb_hcd_giveback_urb+0x0/0xf4 [usbcore]) from [] (ehci_urb_done+0xb0/0xbc [ehci_hcd]) [ 238.880859] r6:00000000 r5:eec2dd20 r4:eeeced44 r3:eec2dd34 [ 238.880920] [] (ehci_urb_done+0x0/0xbc [ehci_hcd]) from [] (qh_completions+0x308/0x3bc [ehci_hcd]) [ 238.880920] r7:00000000 r6:eeda21a0 r5:ffdfe3c0 r4:eeda21ac [ 238.880981] [] (qh_completions+0x0/0x3bc [ehci_hcd]) from [] (scan_async+0xb0/0x16c [ehci_hcd]) [ 238.881011] [] (scan_async+0x0/0x16c [ehci_hcd]) from [] (ehci_work+0x38/0x90 [ehci_hcd]) [ 238.881042] [] (ehci_work+0x0/0x90 [ehci_hcd]) from [] (ehci_irq+0x300/0x34c [ehci_hcd]) [ 238.881072] r4:eeeced34 r3:00000001 [ 238.881134] [] (ehci_irq+0x0/0x34c [ehci_hcd]) from [] (usb_hcd_irq+0x40/0xac [usbcore]) [ 238.881195] [] (usb_hcd_irq+0x0/0xac [usbcore]) from [] (handle_irq_event_percpu+0xb8/0x240) [ 238.881225] r6:eec504e0 r5:0000006d r4:eec504e0 r3:bf0067e8 [ 238.881256] [] (handle_irq_event_percpu+0x0/0x240) from [] (handle_irq_event+0x44/0x64) [ 238.881256] [] (handle_irq_event+0x0/0x64) from [] (handle_level_irq+0xe0/0x114) [ 238.881286] r6:0000006d r5:c080c14c r4:c080c100 r3:00020000 [ 238.881317] [] (handle_level_irq+0x0/0x114) from [] (asm_do_IRQ+0x90/0xd0) [ 238.881317] r5:00000000 r4:0000006d [ 238.881347] [] (asm_do_IRQ+0x0/0xd0) from [] (__irq_svc+0x50/0x134) [ 238.881378] Exception stack(0xef837e20 to 0xef837e68) [ 238.881378] 7e20: 00000001 00185610 016cc000 c00490c0 eb380000 ef800540 00000020 00004ae0 [ 238.881408] 7e40: 00000020 bf0509f4 60000013 ef837e9c ef837e40 ef837e68 c0226f0c c0298ca0 [ 238.881408] 7e60: 20000013 ffffffff [ 238.881408] r5:fa240100 r4:ffffffff [ 238.881439] [] (__kmalloc_track_caller+0x0/0x1d0) from [] (__alloc_skb+0x58/0xe8) [ 238.881469] [] (__alloc_skb+0x0/0xe8) from [] (rx_submit+0x2c/0x1d4 [usbnet]) [ 238.881500] [] (rx_submit+0x0/0x1d4 [usbnet]) from [] (usbnet_bh+0x1b4/0x250 [usbnet]) [ 238.881530] [] (usbnet_bh+0x0/0x250 [usbnet]) from [] (tasklet_action+0xb0/0x1f8) [ 238.881530] r6:00000000 r5:ef9757f0 r4:ef9757ec r3:bf051224 [ 238.881561] [] (tasklet_action+0x0/0x1f8) from [] (__do_softirq+0x140/0x290) [ 238.881561] r8:00000006 r7:00000101 r6:00000000 r5:c0806098 r4:00000001 [ 238.881591] r3:c01f907c [ 238.881622] [] (__do_softirq+0x0/0x290) from [] (run_ksoftirqd+0xd0/0x1f4) [ 238.881622] [] (run_ksoftirqd+0x0/0x1f4) from [] (kthread+0x90/0x98) [ 238.881652] r7:00000013 r6:c01f98fc r5:00000000 r4:ef831efc [ 238.881683] [] (kthread+0x0/0x98) from [] (do_exit+0x0/0x374) [ 238.881713] r6:c01f62f4 r5:c0211320 r4:ef831efc [ 238.881713] Mem-info: [ 238.881744] Normal per-cpu: [ 238.881744] CPU 0: hi: 186, btch: 31 usd: 38 [ 238.881744] CPU 1: hi: 186, btch: 31 usd: 169 [ 238.881774] HighMem per-cpu: [ 238.881774] CPU 0: hi: 90, btch: 15 usd: 66 [ 238.881774] CPU 1: hi: 90, btch: 15 usd: 86 [ 238.881805] active_anon:544 inactive_anon:71 isolated_anon:0 [ 238.881805] active_file:926 inactive_file:2538 isolated_file:0 [ 238.881805] unevictable:0 dirty:10 writeback:0 unstable:0 [ 238.881805] free:57782 slab_reclaimable:864 slab_unreclaimable:186898 [ 238.881805] mapped:632 shmem:144 pagetables:50 bounce:0 [ 238.881835] Normal free:1328kB min:3532kB low:4412kB high:5296kB active_anon:0kB inactive_anon:0kB active_file:880kB inactive_file:848kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:780288kB mlocked:0kB dirty:36kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:3456kB slab_unreclaimable:747592kB kernel_stack:392kB pagetables:200kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no [ 238.881866] lowmem_reserve[]: 0 1904 1904 [ 238.881896] HighMem free:229800kB min:236kB low:508kB high:784kB active_anon:2176kB inactive_anon:284kB active_file:2824kB inactive_file:9304kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:243712kB mlocked:0kB dirty:4kB writeback:0kB mapped:2528kB shmem:576kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB unstable:0kB bounce:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no [ 238.881927] lowmem_reserve[]: 0 0 0 [ 238.881958] Normal: 0*4kB 4*8kB 6*16kB 0*32kB 1*64kB 1*128kB 0*256kB 2*512kB 0*1024kB 0*2048kB 0*4096kB = 1344kB [ 238.882019] HighMem: 6*4kB 2*8kB 4*16kB 4*32kB 1*64kB 1*128kB 0*256kB 2*512kB 3*1024kB 0*2048kB 55*4096kB = 229800kB [ 238.882080] 3610 total pagecache pages [ 238.882080] 0 pages in swap cache [ 238.882080] Swap cache stats: add 0, delete 0, find 0/0 [ 238.882110] Free swap = 0kB [ 238.882110] Total swap = 0kB [ 238.933776] 262144 pages of RAM [ 238.933776] 58240 free pages [ 238.933776] 10503 reserved pages [ 238.933776] 187773 slab pages [ 238.933807] 2475 pages shared [ 238.933807] 0 pages swap cached Signed-off-by: Ming Lei Acked-by: Oliver Neukum Signed-off-by: David S. Miller commit 64f3b9e203bd06855072e295557dca1485a2ecba Author: Eric Dumazet Date: Wed May 4 10:02:26 2011 +0000 net: ip_expire() must revalidate route Commit 4a94445c9a5c (net: Use ip_route_input_noref() in input path) added a bug in IP defragmentation handling, in case timeout is fired. When a frame is defragmented, we use last skb dst field when building final skb. Its dst is valid, since we are in rcu read section. But if a timeout occurs, we take first queued fragment to build one ICMP TIME EXCEEDED message. Problem is all queued skb have weak dst pointers, since we escaped RCU critical section after their queueing. icmp_send() might dereference a now freed (and possibly reused) part of memory. Calling skb_dst_drop() and ip_route_input_noref() to revalidate route is the only possible choice. Reported-by: Denys Fedoryshchenko Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller