commit 97f15f187a315f6a563dd5724c0cc8cde9044963
Author: Greg Kroah-Hartman
Date:   Wed Jan 15 15:31:56 2014 -0800

    Linux 3.12.8

commit a6b79813f2005fa5e6e4de8f80b130c26502c781
Author: Paul Turner
Date:   Wed Oct 16 11:16:27 2013 -0700

    sched: Guarantee new group-entities always have weight

    commit 0ac9b1c21874d2490331233b3242085f8151e166 upstream.

    Currently, group entity load-weights are initialized to zero. This
    admits some races with respect to the first time they are re-weighted
    in early use. ( Let g[x] denote the se for "g" on cpu "x". )

    Suppose that we have root->a and that a enters a throttled state,
    immediately followed by a[0]->t1 (the only task running on cpu[0])
    blocking:

      put_prev_task(group_cfs_rq(a[0]), t1)
      put_prev_entity(..., t1)
      check_cfs_rq_runtime(group_cfs_rq(a[0]))
      throttle_cfs_rq(group_cfs_rq(a[0]))

    Then, before unthrottling occurs, let a[0]->b[0]->t2 wake for the
    first time:

      enqueue_task_fair(rq[0], t2)
      enqueue_entity(group_cfs_rq(b[0]), t2)
      enqueue_entity_load_avg(group_cfs_rq(b[0]), t2)
      account_entity_enqueue(group_cfs_ra(b[0]), t2)
      update_cfs_shares(group_cfs_rq(b[0]))
      < skipped because b is part of a throttled hierarchy >
      enqueue_entity(group_cfs_rq(a[0]), b[0])
      ...

    We now have b[0] enqueued, yet group_cfs_rq(a[0])->load.weight == 0
    which violates invariants in several code-paths. Eliminate the
    possibility of this by initializing group entity weight.

    Signed-off-by: Paul Turner
    Signed-off-by: Peter Zijlstra
    Link: http://lkml.kernel.org/r/20131016181627.22647.47543.stgit@sword-of-the-dawn.mtv.corp.google.com
    Signed-off-by: Ingo Molnar
    Cc: Chris J Arges
    Signed-off-by: Greg Kroah-Hartman

commit 4748ed5584fd8538b0e04baf9090f25c369291dc
Author: Ben Segall
Date:   Wed Oct 16 11:16:22 2013 -0700

    sched: Fix hrtimer_cancel()/rq->lock deadlock

    commit 927b54fccbf04207ec92f669dce6806848cbec7d upstream.

    __start_cfs_bandwidth calls hrtimer_cancel while holding rq->lock,
    waiting for the hrtimer to finish.
    However, if sched_cfs_period_timer runs for another loop iteration,
    the hrtimer can attempt to take rq->lock, resulting in deadlock.

    Fix this by ensuring that cfs_b->timer_active is cleared only if the
    _latest_ call to do_sched_cfs_period_timer is returning as idle. Then
    __start_cfs_bandwidth can just call hrtimer_try_to_cancel and wait for
    that to succeed or timer_active == 1.

    Signed-off-by: Ben Segall
    Signed-off-by: Peter Zijlstra
    Cc: pjt@google.com
    Link: http://lkml.kernel.org/r/20131016181622.22647.16643.stgit@sword-of-the-dawn.mtv.corp.google.com
    Signed-off-by: Ingo Molnar
    Cc: Chris J Arges
    Signed-off-by: Greg Kroah-Hartman

commit d29d8f559aaca198b72e4c5898b42be7d3c9467f
Author: Ben Segall
Date:   Wed Oct 16 11:16:17 2013 -0700

    sched: Fix cfs_bandwidth misuse of hrtimer_expires_remaining

    commit db06e78cc13d70f10877e0557becc88ab3ad2be8 upstream.

    hrtimer_expires_remaining does not take internal hrtimer locks and
    thus must be guarded against concurrent __hrtimer_start_range_ns (but
    returning HRTIMER_RESTART is safe). Use cfs_b->lock to make it safe.

    Signed-off-by: Ben Segall
    Signed-off-by: Peter Zijlstra
    Cc: pjt@google.com
    Link: http://lkml.kernel.org/r/20131016181617.22647.73829.stgit@sword-of-the-dawn.mtv.corp.google.com
    Signed-off-by: Ingo Molnar
    Cc: Chris J Arges
    Signed-off-by: Greg Kroah-Hartman

commit e99a2cb2dcbe92b33be7ab60035da0e5b94cfcae
Author: Ben Segall
Date:   Wed Oct 16 11:16:12 2013 -0700

    sched: Fix race on toggling cfs_bandwidth_used

    commit 1ee14e6c8cddeeb8a490d7b54cd9016e4bb900b4 upstream.

    When we transition cfs_bandwidth_used to false, any currently
    throttled groups will incorrectly return false from cfs_rq_throttled.
    While tg_set_cfs_bandwidth will unthrottle them eventually, currently
    running code (including at least dequeue_task_fair and
    distribute_cfs_runtime) will cause errors.

    Fix this by turning off cfs_bandwidth_used only after unthrottling all
    cfs_rqs.

    Tested: toggle bandwidth back and forth on a loaded cgroup.
    Caused crashes in minutes without the patch, hasn't crashed with it.

    Signed-off-by: Ben Segall
    Signed-off-by: Peter Zijlstra
    Cc: pjt@google.com
    Link: http://lkml.kernel.org/r/20131016181611.22647.80365.stgit@sword-of-the-dawn.mtv.corp.google.com
    Signed-off-by: Ingo Molnar
    Cc: Chris J Arges
    Signed-off-by: Greg Kroah-Hartman

commit 807a0c12941850ddaff2ed62ba26a748e542c599
Author: Linus Torvalds
Date:   Sat Jan 11 19:15:52 2014 -0800

    x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround

    commit 26bef1318adc1b3a530ecc807ef99346db2aa8b0 upstream.

    Before we do an EMMS in the AMD FXSAVE information leak workaround we
    need to clear any pending exceptions, otherwise we trap with a
    floating-point exception inside this code.

    Reported-by: halfdog
    Tested-by: Borislav Petkov
    Link: http://lkml.kernel.org/r/CA%2B55aFxQnY_PCG_n4=0w-VG=YLXL-yr7oMxyy0WU2gCBAf3ydg@mail.gmail.com
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit 6aeebffeb297e84f5b73bb87deacd9571a84da16
Author: Daniel Borkmann
Date:   Tue Dec 31 16:28:39 2013 +0100

    netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper

    commit 2690d97ade05c5325cbf7c72b94b90d265659886 upstream.

    Commit 5901b6be885e attempted to introduce IPv6 support into IRC NAT
    helper. By doing so, the following code seemed to be removed by
    accident:

      ip = ntohl(exp->master->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip);
      sprintf(buffer, "%u %u", ip, port);
      pr_debug("nf_nat_irc: inserting '%s' == %pI4, port %u\n", buffer, &ip, port);

    This leads to the fact that buffer[] was left uninitialized and
    contained some stack value. When we call nf_nat_mangle_tcp_packet(),
    we call strlen(buffer) on exactly this uninitialized buffer. If we are
    unlucky and the skb has enough tailroom, we overwrite resp. leak
    contents with values that sit on our stack into the packet and send
    that out to the receiver.
    Since the rather informal DCC spec [1] does not seem to specify IPv6
    support right now, we log such occurrences so that admins can act
    accordingly, and drop the packet. I've looked into XChat source, and
    IPv6 is not supported there: addresses are in u32 and print via %u
    format string.

    Therefore, restore old behaviour as in IPv4, use snprintf(). The IRC
    helper does not support IPv6 by now. By this, we can safely use
    strlen(buffer) in nf_nat_mangle_tcp_packet() and prevent a buffer
    overflow. Also simplify some code as we now have ct variable anyway.

      [1] http://www.irchelp.org/irchelp/rfc/ctcpspec.html

    Fixes: 5901b6be885e ("netfilter: nf_nat: support IPv6 in IRC NAT helper")
    Signed-off-by: Daniel Borkmann
    Cc: Harald Welte
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Greg Kroah-Hartman

commit f1b9e32a923e2d6991e8a5f21cb8a390b158ddbb
Author: Phil Oester
Date:   Sat Nov 16 20:37:46 2013 -0800

    netfilter: fix wrong byte order in nf_ct_seqadj_set internal information

    commit 23dfe136e2bf8d9ea1095704c535368a9bc721da upstream.

    In commit 41d73ec053d2, sequence number adjustments were moved to a
    separate file. Unfortunately, the sequence numbers that are stored in
    the nf_ct_seqadj structure are expressed in host byte order. The
    necessary ntohl call was removed when the call to adjust_tcp_sequence
    was collapsed into nf_ct_seqadj_set. This broke the FTP NAT helper.
    Fix it by adding back the byte order conversions.

    Reported-by: Dawid Stawiarski
    Signed-off-by: Phil Oester
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Greg Kroah-Hartman

commit 040b47c80e0d3bca9db9353fe44ca044c273624a
Author: Bernd Schubert
Date:   Mon Sep 23 14:47:32 2013 +0200

    SCSI: sd: Reduce buffer size for vpd request

    commit af73623f5f10eb3832c87a169b28f7df040a875b upstream.

    Somehow older areca firmware versions have issues with
    scsi_get_vpd_page() and a large buffer, the firmware seems to crash
    and the scsi error-handler will start endless recovery retries.
    Limiting the buf-size to 64-bytes fixes this issue with older firmware
    versions (<1.49 for my controller).

    Fixes a regression with areca controllers and older firmware versions
    introduced by commit: 66c28f97120e8a621afd5aa7a31c4b85c547d33d

    Reported-by: Nix
    Tested-by: Nix
    Signed-off-by: Bernd Schubert
    Acked-by: Martin K. Petersen
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 625b7e66c2d3c55e00962425a79321a8c257192a
Author: Dirk Brandewie
Date:   Mon Jan 6 10:59:16 2014 -0800

    intel_pstate: Add X86_FEATURE_APERFMPERF to cpu match parameters.

    commit 6cbd7ee10e2842a3d1f9b60abede1c8f3d1f1130 upstream.

    KVM environments do not support APERF/MPERF MSRs. intel_pstate cannot
    operate without these registers.

    The previous validity checks in intel_pstate_msrs_not_valid() are
    insufficient in nested KVMs.

    References: https://bugzilla.redhat.com/show_bug.cgi?id=1046317
    Signed-off-by: Dirk Brandewie
    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit f72f1552aa9e773308cfae4fcc5f04a5d6d3461b
Author: Felix Fietkau
Date:   Mon Dec 16 21:39:50 2013 +0100

    mac80211: move "bufferable MMPDU" check to fix AP mode scan

    commit 277d916fc2e959c3f106904116bb4f7b1148d47a upstream.

    The check needs to apply to both multicast and unicast packets,
    otherwise probe requests on AP mode scans are sent through the
    multicast buffer queue, which adds long delays (often longer than the
    scanning interval).

    Signed-off-by: Felix Fietkau
    Signed-off-by: Johannes Berg
    Signed-off-by: Greg Kroah-Hartman

commit 31fc4791005d54ac887ea2253c002644f7671cf1
Author: Lan Tianyu
Date:   Mon Jan 6 22:50:37 2014 +0800

    ACPI / Battery: Add a _BIX quirk for NEC LZ750/LS

    commit a90b40385735af0d3031f98e97b439e8944a31b3 upstream.

    The AML method _BIX of NEC LZ750/LS returns a broken package which
    skips the first member "Revision" (ACPI 5.0, Table 10-234).

    Add a quirk for this machine to skip member "Revision" during parsing
    the package returned by _BIX.

    Reference: https://bugzilla.kernel.org/show_bug.cgi?id=67351
    Reported-and-tested-by: Francisco Castro
    Signed-off-by: Lan Tianyu
    Reviewed-by: Dmitry Torokhov
    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit aa38bff2f25bf64257d5ac56db96569d245fd8b7
Author: Jiang Liu
Date:   Thu Dec 19 20:38:15 2013 +0800

    ACPI / TPM: fix memory leak when walking ACPI namespace

    commit df45c712d1f4ef37714245fb75de726f4ca2bf8d upstream.

    In function ppi_callback(), memory allocated by acpi_get_name() will
    get leaked when current device isn't the desired TPM device, so fix
    the memory leak.

    Signed-off-by: Jiang Liu
    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit a0f7028b1c093b02d2a482e6da536ef7e2d24f50
Author: Thomas Gleixner
Date:   Mon Dec 2 12:20:36 2013 +0100

    mfd: rtsx_pcr: Disable interrupts before cancelling delayed works

    commit 73beb63d290f961c299526852884846b0d868840 upstream.

    This fixes a kernel panic when resuming from suspend to RAM. Without
    this fix an interrupt hits after the delayed work is canceled and thus
    requeues it.

    So we end up freeing an armed timer.

    Signed-off-by: Thomas Gleixner
    Signed-off-by: Samuel Ortiz
    Signed-off-by: Greg Kroah-Hartman

commit ac4de081312a65427e847157f46ea35cab2d7b82
Author: Milo Kim
Date:   Mon Dec 2 17:21:44 2013 -0800

    leds: lp5521/5523: Remove duplicate mutex

    commit e70988d1aaf73221355e06125c9937bd4b27761c upstream.

    It can be a problem when a pattern is loaded via the firmware
    interface. LP55xx common driver has already locked the mutex in
    'lp55xx_firmware_loaded()'. So it should be deleted.

    On the other hand, locks are required in store_engine_load() on
    updating program memory.

    Reported-by: Pali Rohár
    Reported-by: Pavel Machek
    Signed-off-by: Milo Kim
    Signed-off-by: Bryan Wu
    Signed-off-by: Greg Kroah-Hartman

commit 778b3b76c34292c7d27aa0faad5c9026a2cacf43
Author: Andrew Bresticker
Date:   Fri Nov 8 15:44:07 2013 +0530

    clk: exynos5250: fix sysmmu_mfc{l,r} gate clocks

    commit 97c3557c3e0413efb1f021f582d1459760e22727 upstream.

    The gate clocks for the MFC sysmmus appear to be flipped, i.e.
    GATE_IP_MFC[2] gates sysmmu_mfcl and GATE_IP_MFC[1] gates sysmmu_mfcr.
    Fix this so that the MFC will start up.

    Signed-off-by: Andrew Bresticker
    Signed-off-by: Sachin Kamat
    Acked-by: Mike Turquette
    Signed-off-by: Tomasz Figa
    Signed-off-by: Greg Kroah-Hartman

commit 801e517cf190f19c5cb2e62605d92524a9396be8
Author: Abhilash Kesavan
Date:   Wed Dec 11 17:27:05 2013 +0530

    clk: samsung: exynos5250: Add CLK_IGNORE_UNUSED flag for the sysreg clock

    commit 2feed5aecf5f367b92bd6b6e92afe9e3de466907 upstream.

    The sysreg (system register) generates control signals for various
    blocks like disp1blk, i2c, mipi, usb etc. However, it gets disabled as
    an unused clock at boot-up. This can lead to failures in operation of
    above blocks, because they can not be configured properly if this
    clock is disabled.

    Signed-off-by: Abhilash Kesavan
    Acked-by: Mike Turquette
    [t.figa: Updated patch description.]
    Signed-off-by: Tomasz Figa
    Signed-off-by: Greg Kroah-Hartman

commit f19053a2ddf64b1b98157e2d78c14b0cf5fb95c6
Author: Abhilash Kesavan
Date:   Thu Dec 12 08:32:01 2013 +0530

    clk: samsung: exynos5250: Add MDMA0 clocks

    commit 8fb9aeb7a71ef4f3e0613d459a2e1366a7a90469 upstream.

    Adds gate clock for MDMA0 on Exynos5250 SoC. This is needed to ensure
    that the clock is enabled when MDMA0 is used on systems on which
    firmware gates the clock by default.

    Signed-off-by: Abhilash Kesavan
    Acked-by: Mike Turquette
    [t.figa: Updated patch description.]
    Signed-off-by: Tomasz Figa
    Signed-off-by: Greg Kroah-Hartman

commit c1adda6a9b2afa13e0e26a966ca355c69192dbc9
Author: Abhilash Kesavan
Date:   Thu Dec 12 08:32:00 2013 +0530

    clk: samsung: exynos5250: Fix ACP gate register offset

    commit 3bf34666a0cce5234ac677ed2fbe5cea82c71329 upstream.

    The CLK_GATE_IP_ACP register offset is incorrectly listed making
    definition of g2d clock incorrect, which may lead to system failures
    when trying to use G2D on systems on which firmware gates this clock
    by default. Fix this and the register ordering as well.

    Signed-off-by: Abhilash Kesavan
    Acked-by: Mike Turquette
    [t.figa: Updated patch description.]
    Signed-off-by: Tomasz Figa
    Signed-off-by: Greg Kroah-Hartman

commit dda034c3ba2094dc414112706e1e3f353225ca07
Author: Seung-Woo Kim
Date:   Fri Nov 22 14:21:08 2013 +0900

    clk: samsung: exynos4: Correct SRC_MFC register

    commit 5fdd1b56be51b1ec4dbde5b213d649ac717442da upstream.

    The SRC_MFC register offset was incorrect, which could have caused
    wrong calculation of rate of sclk_mfc clock, that could in turn lead
    to incorrect operation of MFC. This patch corrects it.

    Signed-off-by: Seung-Woo Kim
    Acked-by: Mike Turquette
    [t.figa: Updated patch description]
    Signed-off-by: Tomasz Figa
    Signed-off-by: Greg Kroah-Hartman

commit ba8ccb9b88d9b8e6170fd4f7eb3b906531f05f87
Author: James Hogan
Date:   Mon Dec 16 10:41:38 2013 +0000

    clk: clk-divider: fix divisor > 255 bug

    commit 778037e1ccb75609846deca9e419449c1dc137fa upstream.

    Commit 6d9252bd9a4bb (clk: Add support for power of two type dividers)
    merged in v3.6 added the _get_val function to convert a divisor value
    to a register field value depending on the flags. However it used the
    type u8 for the div field, causing divisors larger than 255 to be
    masked and the resultant clock rate to be too high.

    E.g. in my case an 11bit divider was supposed to divide 24.576 MHz
    down to 32.768KHz. The divisor was correctly calculated as 750
    (0x2ee). This was masked to 238 (0xee) resulting in a frequency of
    103.26KHz.

    Signed-off-by: James Hogan
    Cc: Rajendra Nayak
    Cc: linux-arm-kernel@lists.infradead.org
    Signed-off-by: Mike Turquette
    Signed-off-by: Greg Kroah-Hartman

commit 53ed44f31153aa4d3aa5a670bec33571f403607f
Author: Simon Guinot
Date:   Mon Dec 23 13:24:35 2013 +0100

    ahci: add PCI ID for Marvell 88SE9170 SATA controller

    commit e098f5cbe9d410e7878b50f524dce36cc83ec40e upstream.

    This patch adds support for the PCI ID provided by the Marvell
    88SE9170 SATA controller.

    Signed-off-by: Simon Guinot
    Signed-off-by: Tejun Heo
    Signed-off-by: Greg Kroah-Hartman

commit f61151979964da8f08e28c099b85ecb0018be6ef
Author: John David Anglin
Date:   Sun Jan 5 21:25:00 2014 -0500

    parisc: Ensure full cache coherency for kmap/kunmap

    commit f8dae00684d678afa13041ef170cecfd1297ed40 upstream.

    Helge Deller noted a few weeks ago problems with the AIO support on
    parisc. This change is the result of numerous iterations on how best
    to deal with this problem.

    The solution adopted here is to provide full cache coherency in a
    uniform manner on all parisc systems. This involves calling
    flush_dcache_page() on kmap operations and flush_kernel_dcache_page()
    on kunmap operations. As a result, the copy_user_page() and
    clear_user_page() functions can be removed and the overall code is
    simpler.

    The change ensures that both userspace and kernel aliases to a mapped
    page are invalidated and flushed. This is necessary for the correct
    operation of PA8800 and PA8900 based systems which do not support
    inequivalent aliases.

    With this change, I have observed no cache related issues on c8000 and
    rp3440. It is now possible for example to do kernel builds with "-j64"
    on four way systems.

    On systems using XFS file systems, the patch recently posted by
    Mikulas Patocka to "fix crash using XFS on loopback" is needed to
    avoid a hang caused by an uninitialized lock passed to
    flush_dcache_page() in the page struct.

    Signed-off-by: John David Anglin
    Signed-off-by: Helge Deller
    Signed-off-by: Greg Kroah-Hartman

commit d03e8c891f82b28706ce3b419dbdd7e4894d1b63
Author: Ilia Mirkin
Date:   Sun Jan 5 20:07:02 2014 -0500

    drm/nouveau/bios: make jump conditional

    commit 6d60792ec059d9f2139828f9f017679abb81aa73 upstream.

    This fixes a hang in VBIOS scripts of the form "condition; jump". The
    jump used to always be executed, while now it will only be executed if
    the condition is true.

    See https://bugs.freedesktop.org/show_bug.cgi?id=72943

    Reported-by: Darcy Brás da Silva
    Signed-off-by: Ilia Mirkin
    Signed-off-by: Greg Kroah-Hartman

commit ea6616b5bd2b3fc18071b91b9d89e75a2bc26b89
Author: Laurent Pinchart
Date:   Mon Dec 16 19:16:09 2013 +0100

    ARM: shmobile: mackerel: Fix coherent DMA mask

    commit b6328a6b7ba57fc84c38248f6f0e387e1170f1a8 upstream.

    Commit 4dcfa60071b3d23f0181f27d8519f12e37cefbb9 ("ARM: DMA-API: better
    handing of DMA masks for coherent allocations") added an additional
    check to the coherent DMA mask that results in an error when the mask
    is larger than what dma_addr_t can address.

    Set the LCDC coherent DMA mask to DMA_BIT_MASK(32) instead of ~0 to
    fix the problem.

    Signed-off-by: Laurent Pinchart
    Signed-off-by: Simon Horman
    Signed-off-by: Greg Kroah-Hartman

commit 1cd20d2d05cb47557ce001f2f3f3ae2d06fdd1ab
Author: Laurent Pinchart
Date:   Mon Dec 16 19:16:07 2013 +0100

    ARM: shmobile: armadillo: Fix coherent DMA mask

    commit dcd740b645003b866d7eb30d13d34d0729cce9db upstream.

    Commit 4dcfa60071b3d23f0181f27d8519f12e37cefbb9 ("ARM: DMA-API: better
    handing of DMA masks for coherent allocations") added an additional
    check to the coherent DMA mask that results in an error when the mask
    is larger than what dma_addr_t can address.

    Set the LCDC coherent DMA mask to DMA_BIT_MASK(32) instead of ~0 to
    fix the problem.

    Signed-off-by: Laurent Pinchart
    Signed-off-by: Simon Horman
    Signed-off-by: Greg Kroah-Hartman

commit ecfe0d23f7b70fd4b00ce646d1da7c1185c545ba
Author: Laurent Pinchart
Date:   Mon Dec 16 19:16:08 2013 +0100

    ARM: shmobile: kzm9g: Fix coherent DMA mask

    commit 4f387323853c495ac589210832fad4503f75a0e7 upstream.

    Commit 4dcfa60071b3d23f0181f27d8519f12e37cefbb9 ("ARM: DMA-API: better
    handing of DMA masks for coherent allocations") added an additional
    check to the coherent DMA mask that results in an error when the mask
    is larger than what dma_addr_t can address.

    Set the LCDC coherent DMA mask to DMA_BIT_MASK(32) instead of ~0 to
    fix the problem.

    Signed-off-by: Laurent Pinchart
    Signed-off-by: Simon Horman
    Signed-off-by: Greg Kroah-Hartman

commit f6c31fff9ad9bd0326dc5e8a59c132e642d0fe94
Author: Abhilash Kesavan
Date:   Thu Dec 12 08:32:02 2013 +0530

    ARM: dts: exynos5250: Fix MDMA0 clock number

    commit 8777539479abd7b3efeb691685415dc2b057d0e0 upstream.

    Due to incorrect clock specified in MDMA0 node, using MDMA0 controller
    could cause system failures, due to wrong clock being controlled. This
    patch fixes this by specifying correct clock.

    Signed-off-by: Abhilash Kesavan
    Acked-by: Mike Turquette
    [t.figa: Corrected commit message and description.]
    Signed-off-by: Tomasz Figa
    Signed-off-by: Greg Kroah-Hartman

commit 8c3d0f1f021aca05e1ba4ff47c7231c2d7ef95fe
Author: Steven Capper
Date:   Mon Dec 16 17:25:52 2013 +0100

    ARM: 7923/1: mm: fix dcache flush logic for compound high pages

    commit 2a7cfcbc0553365d75716f69ee7b704cac7c9248 upstream.

    When given a compound high page, __flush_dcache_page will only flush
    the first page of the compound page repeatedly rather than the entire
    set of constituent pages.

    This error was introduced by:
      0b19f93 ARM: mm: Add support for flushing HugeTLB pages.

    This patch corrects the logic such that all constituent pages are now
    flushed.

    Signed-off-by: Steve Capper
    Acked-by: Will Deacon
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit 26009d653408c3dd058c3b64fd01e2020cc052f2
Author: Russell King
Date:   Fri Jan 3 15:01:39 2014 +0000

    ARM: fix "bad mode in ... handler" message for undefined instructions

    commit 29c350bf28da333e41e30497b649fe335712a2ab upstream.

    The array was missing the final entry for the undefined instruction
    exception handler; this commit adds it.

    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit 32956a0646e1f63e03d2dbf35370772934d5654f
Author: Russell King
Date:   Sun Dec 29 12:39:50 2013 +0000

    ARM: fix footbridge clockevent device

    commit 4ff859fe1dc0da0f87bbdfff78f527898878fa4a upstream.

    The clockevents code was being told that the footbridge clock event
    device ticks at 16x the rate which it actually does. This leads to
    timekeeping problems since it allows the clocksource to wrap before
    the kernel notices. Fix this by using the correct clock.

    Fixes: 4e8d76373c9fd ("ARM: footbridge: convert to clockevents/clocksource")
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit 702a3e12068917c504f0f6e4b86d87ca553f5566
Author: Robert Stonehouse
Date:   Wed Oct 9 11:52:48 2013 +0100

    sfc: Poll for MCDI completion once before timeout occurs

    [ Upstream commit 6b294b8efedaa7cf7507154148e2c79766ad6f96 ]

    There is an as-yet unexplained bug that sometimes prevents (or delays)
    the driver seeing the completion event for a completed MCDI request on
    the SFC9120. The requested configuration change will have happened but
    the driver assumes it to have failed, and this can result in further
    failures. We can mitigate this by polling for completion after
    unsuccessfully waiting for an event.

    Fixes: 8127d661e77f ('sfc: Add support for Solarflare SFC9100 family')
    Signed-off-by: Ben Hutchings
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d8203f8f29bae8d1beffa6faf0db4b1350177af2
Author: Robert Stonehouse
Date:   Wed Oct 9 11:52:43 2013 +0100

    sfc: Refactor efx_mcdi_poll() by introducing efx_mcdi_poll_once()

    [ Upstream commit 5731d7b35e5b87157a9b9973cc2eff70c50aec58 ]

    Signed-off-by: Ben Hutchings
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 9586c55a3b581ce95ddb7eaf4dd36c201a41f18c
Author: Andrew Rybchenko
Date:   Sat Nov 16 11:02:27 2013 +0400

    sfc: RX buffer allocation takes prefix size into account in IP header alignment

    [ Upstream commit 2ec030144f648a6dd208f95f55ece212f1b72771 ]

    rx_prefix_size is 4-bytes aligned on Falcon/Siena (16 bytes), but it
    is equal to 14 on EF10. So, it should be taken into account if arch
    requires IP header to be 4-bytes aligned (via NET_IP_ALIGN).

    Fixes: 8127d661e77f ('sfc: Add support for Solarflare SFC9100 family')
    Signed-off-by: Ben Hutchings
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 04b27016f879f062f30efd7361f22d650ede269d
Author: Ben Hutchings
Date:   Thu Dec 5 17:24:06 2013 +0000

    sfc: Maintain current frequency adjustment when applying a time offset

    [ Upstream commit cd6fe65e923175e4f2e9fb585b1d78c6bf580fc6 ]

    There is a single MCDI PTP operation for setting the frequency
    adjustment and applying a time offset to the hardware clock. When
    applying a time offset we should not change the frequency adjustment.

    These two operations can now be requested separately but this requires
    a flash firmware update. Keep using the single operation, but remember
    and repeat the previous frequency adjustment.

    Fixes: 7c236c43b838 ('sfc: Add support for IEEE-1588 PTP')
    Signed-off-by: Ben Hutchings
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit ff525bdf014c3dcc0656b297f4371c1f5a23739b
Author: Alexandre Rames
Date:   Fri Nov 8 10:20:31 2013 +0000

    sfc: Stop/re-start PTP when stopping/starting the datapath.

    [ Upstream commit 2ea4dc28a5bcec408e01a8772763871638a5ec79 ]

    This disables PTP when we bring the interface down to avoid getting
    unmatched RX timestamp events, and tries to re-enable it when bringing
    the interface up.

    [bwh: Make efx_ptp_stop() safe on Falcon. Introduce
     efx_ptp_{start,stop}_datapath() functions; we'll expand them later.]

    Fixes: 7c236c43b838 ('sfc: Add support for IEEE-1588 PTP')
    Signed-off-by: Ben Hutchings
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 128b47699811a959de54740c8264296c7138cc98
Author: Ben Hutchings
Date:   Fri Dec 6 22:10:46 2013 +0000

    sfc: Rate-limit log message for PTP packets without a matching timestamp event

    [ Upstream commit 35f9a7a380728a94d417e5824a866f969423ac83 ]

    In case of a flood of PTP packets, the timestamp peripheral and MC
    firmware on the SFN[56]322F boards may not be able to provide
    timestamp events for all packets. Don't complain too much about this.

    Fixes: 7c236c43b838 ('sfc: Add support for IEEE-1588 PTP')
    Signed-off-by: Ben Hutchings
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 29c195da19690acbf2c1631bad23a52d72075e83
Author: Laurence Evans
Date:   Mon Jan 28 14:51:17 2013 +0000

    sfc: PTP: Moderate log message on event queue overflow

    [ Upstream commit f32116003c39f3a6815215a7512e1ea8d1e4bbc7 ]

    Limit syslog flood if a PTP packet storm occurs.

    Fixes: 7c236c43b838 ('sfc: Add support for IEEE-1588 PTP')
    Signed-off-by: Ben Hutchings
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit ec7757d70d2ef17b40e088d2865138f8908df0bd
Author: Ben Hutchings
Date:   Fri Dec 6 19:26:40 2013 +0000

    sfc: Add length checks to efx_xmit_with_hwtstamp() and efx_ptp_is_ptp_tx()

    [ Upstream commit e5a498e943fbc497f236ab8cf31366c75f337ce6 ]

    efx_ptp_is_ptp_tx() must be robust against skbs from raw sockets that
    have invalid IPv4 and UDP headers.
    Add checks that:
    - the transport header has been found
    - there is enough space between network and transport header offset
      for an IPv4 header
    - there is enough space after the transport header offset for a UDP
      header

    Fixes: 7c236c43b838 ('sfc: Add support for IEEE-1588 PTP')
    Signed-off-by: Ben Hutchings
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit db88653cea5f67c9175a5948305dafbe731f0606
Author: Curt Brune
Date:   Mon Jan 6 11:00:32 2014 -0800

    bridge: use spin_lock_bh() in br_multicast_set_hash_max

    [ Upstream commit fe0d692bbc645786bce1a98439e548ae619269f5 ]

    br_multicast_set_hash_max() is called from process context in
    net/bridge/br_sysfs_br.c by the sysfs store_hash_max() function.

    br_multicast_set_hash_max() calls spin_lock(&br->multicast_lock),
    which can deadlock the CPU if a softirq that also tries to take the
    same lock interrupts br_multicast_set_hash_max() while the lock is
    held. This can happen quite easily when any of the bridge multicast
    timers expire, which try to take the same lock.

    The fix here is to use spin_lock_bh(), preventing other softirqs from
    executing on this CPU.

    Steps to reproduce:

    1. Create a bridge with several interfaces (I used 4).
    2. Set the "multicast query interval" to a low number, like 2.
    3. Enable the bridge as a multicast querier.
    4. Repeatedly set the bridge hash_max parameter via sysfs.

     # brctl addbr br0
     # brctl addif br0 eth1 eth2 eth3 eth4
     # brctl setmcqi br0 2
     # brctl setmcquerier br0 1

     # while true ; do echo 4096 > /sys/class/net/br0/bridge/hash_max; done

    Signed-off-by: Curt Brune
    Signed-off-by: Scott Feldman
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 56399d8b44beae5b80e1eda0350ab6af72baf4d0
Author: David S. Miller
Date:   Thu Jan 2 19:50:52 2014 -0500

    netpoll: Fix missing TXQ unlock and and OOPS.

    [ Upstream commit aca5f58f9ba803ec8c2e6bcf890db17589e8dfcc ]

    The VLAN tag handling code in netpoll_send_skb_on_dev() has two
    problems.

    1) It exits without unlocking the TXQ.
    2) It then tries to queue a NULL skb to npinfo->txq.

    Reported-by: Ahmed Tamrawi
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit f680803b3bd132c43ca72fd02b4096309b603af4
Author: Daniel Borkmann
Date:   Mon Dec 30 23:40:50 2013 +0100

    net: llc: fix use after free in llc_ui_recvmsg

    [ Upstream commit 4d231b76eef6c4a6bd9c96769e191517765942cb ]

    While commit 30a584d944fb fixes datagram interface in LLC, a use after
    free bug has been introduced for SOCK_STREAM sockets that do not make
    use of MSG_PEEK.

    The flow is as follows ...

      if (!(flags & MSG_PEEK)) {
        ...
        sk_eat_skb(sk, skb, false);
        ...
      }
      ...
      if (used + offset < skb->len)
        continue;

    ... where sk_eat_skb() calls __kfree_skb(). Therefore, cache original
    length and work on skb_len to check partial reads.

    Fixes: 30a584d944fb ("[LLX]: SOCK_DGRAM interface fixes")
    Signed-off-by: Daniel Borkmann
    Cc: Stephen Hemminger
    Cc: Arnaldo Carvalho de Melo
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 4e18f0b53730ef56fa16e271d4971611f6a95ed9
Author: Jason Wang
Date:   Mon Dec 30 11:34:40 2013 +0800

    virtio-net: fix refill races during restore

    [ Upstream commit 6cd4ce0099da7702f885b6fa9ebb49e3831d90b4 ]

    During restoring, try_fill_recv() was called with neither napi lock
    nor napi disabled. This can lead to two try_fill_recv() being called
    at the same time. Fix this by refilling before trying to enable napi.

    Fixes 0741bcb5584f9e2390ae6261573c4de8314999f2
    (virtio: net: Add freeze, restore handlers to support S4).

    Cc: Amit Shah
    Cc: Rusty Russell
    Cc: Michael S. Tsirkin
    Cc: Eric Dumazet
    Signed-off-by: Jason Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b21d217ce4403082908511d0296ee854f30a8014
Author: Wei-Chun Chao
Date:   Thu Dec 26 13:10:22 2013 -0800

    ipv4: fix tunneled VM traffic over hw VXLAN/GRE GSO NIC

    [ Upstream commit 7a7ffbabf99445704be01bff5d7e360da908cf8e ]

    VM to VM GSO traffic is broken if it goes through VXLAN or GRE tunnel
    and the physical NIC on the host supports hardware VXLAN/GRE GSO
    offload (e.g. bnx2x and next-gen mlx4).

    Two issues -
    (VXLAN) VM traffic has SKB_GSO_DODGY and SKB_GSO_UDP_TUNNEL with
    SKB_GSO_TCP/UDP set depending on the inner protocol. GSO header
    integrity check fails in udp4_ufo_fragment if inner protocol is TCP.
    Also gso_segs is calculated incorrectly using skb->len that includes
    tunnel header. Fix: robust check should only be applied to the inner
    packet.

    (VXLAN & GRE) Once GSO header integrity check passes, NULL segs is
    returned and the original skb is sent to hardware. However the tunnel
    header is already pulled. Fix: tunnel header needs to be restored so
    that hardware can perform GSO properly on the original packet.

    Signed-off-by: Wei-Chun Chao
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit effb6d243d4da7ab063e6c0668a4f6e23cb5adb9
Author: Michael S. Tsirkin
Date:   Thu Dec 26 15:32:55 2013 +0200

    virtio_net: don't leak memory or block when too many frags

    We leak an skb when there are too many frags, we also stop processing
    the packet in the middle, the result is almost sure to be loss of
    networking.

    Reported-by: Michael Dalton
    Acked-by: Michael Dalton
    Signed-off-by: Michael S. Tsirkin
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit aa016e2d4009621c8d48fecb20ef46a005c75aa8
Author: Michael S. Tsirkin
Date:   Thu Dec 26 15:32:51 2013 +0200

    virtio-net: make all RX paths handle errors consistently

    receive mergeable now handles errors internally. Do same for big and
    small packet paths, otherwise the logic is too hard to follow.

    Cc: Jason Wang
    Cc: David S. Miller
    Acked-by: Michael Dalton
    Signed-off-by: Michael S. Tsirkin
    (cherry picked from commit f121159d72091f25afb22007c833e60a6845e912)
    Acked-by: Jason Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 20d93869b19d03748b3f86d169ad830e2fbb7923
Author: Michael S. Tsirkin
Date:   Thu Dec 26 15:32:47 2013 +0200

    virtio_net: fix error handling for mergeable buffers

    Eric Dumazet noticed that if we encounter an error when processing a
    mergeable buffer, we don't dequeue all of the buffers from this
    packet, the result is almost sure to be loss of networking.

    Fix this issue.

    Cc: Rusty Russell
    Cc: Michael Dalton
    Acked-by: Michael Dalton
    Cc: Eric Dumazet
    Cc: Jason Wang
    Cc: David S. Miller
    Signed-off-by: Michael S. Tsirkin
    (cherry picked from commit 8fc3b9e9a229778e5af3aa453c44f1a3857ba769)
    Acked-by: Jason Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit fd661199d7b4c16806f5bb1fcd76798559ba950e
Author: David S. Miller
Date:   Tue Dec 31 16:23:35 2013 -0500

    vlan: Fix header ops passthru when doing TX VLAN offload.

    [ Upstream commit 2205369a314e12fcec4781cc73ac9c08fc2b47de ]

    When the vlan code detects that the real device can do TX VLAN
    offloads in hardware, it tries to arrange for the real device's
    header_ops to be invoked directly.

    But it does so illegally, by simply hooking the real device's
    header_ops up to the VLAN device.

    This doesn't work because we will end up invoking a set of header_ops
    routines which expect a device type which matches the real device, but
    will see a VLAN device instead.

    Fix this by providing a pass-thru set of header_ops which will arrange
    to pass the proper real device instead.

    To facilitate this add a dev_rebuild_header(). There are
    implementations which provide a ->cache and ->create but not a
    ->rebuild (f.e. PLIP). So we need a helper function just like
    dev_hard_header() to avoid crashes.

    Use this helper in the one existing place where the
    header_ops->rebuild was being invoked, the neighbour code.
With lots of help from Florian Westphal. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e0345d19b788c17020d8f28b54898ed6d62defc8 Author: Florian Westphal Date: Mon Dec 23 00:32:31 2013 +0100 net: rose: restore old recvmsg behavior [ Upstream commit f81152e35001e91997ec74a7b4e040e6ab0acccf ] recvmsg handler in net/rose/af_rose.c performs size-check ->msg_namelen. After commit f3d3342602f8bcbf37d7c46641cb9bca7618eb1c (net: rework recvmsg handler msg_name and msg_namelen logic), we now always take the else branch due to namelen being initialized to 0. Digging in netdev-vger-cvs git repo shows that msg_namelen was initialized with a fixed-size since at least 1995, so the else branch was never taken. Compile tested only. Signed-off-by: Florian Westphal Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e05c2d9cd720263a89de93a02cae69b73af5eb57 Author: Eric Dumazet Date: Thu Dec 19 18:10:40 2013 -0800 arc_emac: fix potential use after free [ Upstream commit 37ec274e9713eafc2ba6c4471420f06cb8f68ecf ] Signed-off-by: Eric Dumazet skb_tx_timestamp(skb) should be called _before_ TX completion has a chance to trigger, otherwise it is too late and we access freed memory. Fixes: e4f2379db6c6 ("ethernet/arc/arc_emac - Add new driver") From: Eric Dumazet Cc: Alexey Brodkin Cc: Richard Cochran Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit aca33677723eb132dd91a30c4f8ac15f01be27c8 Author: Sasha Levin Date: Wed Dec 18 23:49:42 2013 -0500 rds: prevent dereference of a NULL device [ Upstream commit c2349758acf1874e4c2b93fe41d072336f1a31d0 ] Binding might result in a NULL device, which is dereferenced causing this BUG: [ 1317.260548] BUG: unable to handle kernel NULL pointer dereference at 000000000000097 4 [ 1317.261847] IP: [] rds_ib_laddr_check+0x82/0x110 [ 1317.263315] PGD 418bcb067 PUD 3ceb21067 PMD 0 [ 1317.263502] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC [ 1317.264179] Dumping ftrace buffer: [ 1317.264774] (ftrace buffer empty) [ 1317.265220] Modules linked in: [ 1317.265824] CPU: 4 PID: 836 Comm: trinity-child46 Tainted: G W 3.13.0-rc4- next-20131218-sasha-00013-g2cebb9b-dirty #4159 [ 1317.267415] task: ffff8803ddf33000 ti: ffff8803cd31a000 task.ti: ffff8803cd31a000 [ 1317.268399] RIP: 0010:[] [] rds_ib_laddr_check+ 0x82/0x110 [ 1317.269670] RSP: 0000:ffff8803cd31bdf8 EFLAGS: 00010246 [ 1317.270230] RAX: 0000000000000000 RBX: ffff88020b0dd388 RCX: 0000000000000000 [ 1317.270230] RDX: ffffffff8439822e RSI: 00000000000c000a RDI: 0000000000000286 [ 1317.270230] RBP: ffff8803cd31be38 R08: 0000000000000000 R09: 0000000000000000 [ 1317.270230] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 [ 1317.270230] R13: 0000000054086700 R14: 0000000000a25de0 R15: 0000000000000031 [ 1317.270230] FS: 00007ff40251d700(0000) GS:ffff88022e200000(0000) knlGS:000000000000 0000 [ 1317.270230] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 1317.270230] CR2: 0000000000000974 CR3: 00000003cd478000 CR4: 00000000000006e0 [ 1317.270230] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1317.270230] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000090602 [ 1317.270230] Stack: [ 1317.270230] 0000000054086700 5408670000a25de0 5408670000000002 0000000000000000 [ 1317.270230] ffffffff84223542 00000000ea54c767 0000000000000000 
ffffffff86d26160 [ 1317.270230] ffff8803cd31be68 ffffffff84223556 ffff8803cd31beb8 ffff8800c6765280 [ 1317.270230] Call Trace: [ 1317.270230] [] ? rds_trans_get_preferred+0x42/0xa0 [ 1317.270230] [] rds_trans_get_preferred+0x56/0xa0 [ 1317.270230] [] rds_bind+0x73/0xf0 [ 1317.270230] [] SYSC_bind+0x92/0xf0 [ 1317.270230] [] ? context_tracking_user_exit+0xb8/0x1d0 [ 1317.270230] [] ? trace_hardirqs_on+0xd/0x10 [ 1317.270230] [] ? syscall_trace_enter+0x32/0x290 [ 1317.270230] [] SyS_bind+0xe/0x10 [ 1317.270230] [] tracesys+0xdd/0xe2 [ 1317.270230] Code: 00 8b 45 cc 48 8d 75 d0 48 c7 45 d8 00 00 00 00 66 c7 45 d0 02 00 89 45 d4 48 89 df e8 78 49 76 ff 41 89 c4 85 c0 75 0c 48 8b 03 <80> b8 74 09 00 00 01 7 4 06 41 bc 9d ff ff ff f6 05 2a b6 c2 02 [ 1317.270230] RIP [] rds_ib_laddr_check+0x82/0x110 [ 1317.270230] RSP [ 1317.270230] CR2: 0000000000000974 Signed-off-by: Sasha Levin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 79aefe144fae5436b148e4715acec146bbbc4a3e Author: Li RongQing Date: Thu Dec 19 12:40:26 2013 +0800 ipv6: always set the new created dst's from in ip6_rt_copy [ Upstream commit 24f5b855e17df7e355eacd6c4a12cc4d6a6c9ff0 ] ip6_rt_copy only sets dst.from if ort has flag RTF_ADDRCONF and RTF_DEFAULT. but the prefix routes which did get installed by hand locally can have an expiration, and no any flag combination which can ensure a potential from does never expire, so we should always set the new created dst's from. This also fixes the new created dst is always expired since the ort, which is created by RA, maybe has RTF_EXPIRES and RTF_ADDRCONF, but no RTF_DEFAULT. Suggested-by: Hannes Frederic Sowa CC: Gao feng Signed-off-by: Li RongQing Acked-by: Hannes Frederic Sowa Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit 9f15fcefe54697c97e417cc3df14c84ef294fe99 Author: Eric Dumazet Date: Thu Dec 19 10:53:02 2013 -0800 net: fec: fix potential use after free [ Upstream commit 7a2a84518cfb263d2c4171b3d63671f88316adb2 ] skb_tx_timestamp(skb) should be called _before_ TX completion has a chance to trigger, otherwise it is too late and we access freed memory. Signed-off-by: Eric Dumazet Fixes: de5fb0a05348 ("net: fec: put tx to napi poll function to fix dead lock") Cc: Frank Li Cc: Richard Cochran Acked-by: Richard Cochran Acked-by: Frank Li Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e7834c71c2cacc621ddc64bd71f83ef2054f6539 Author: Salva Peiró Date: Tue Dec 17 10:06:30 2013 +0100 hamradio/yam: fix info leak in ioctl [ Upstream commit 8e3fbf870481eb53b2d3a322d1fc395ad8b367ed ] The yam_ioctl() code fails to initialise the cmd field of the struct yamdrv_ioctl_cfg. Add an explicit memset(0) before filling the structure to avoid the 4-byte info leak. Signed-off-by: Salva Peiró Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9ba6ad65b70f30b116660d6d74304d424248ff29 Author: Wenliang Fan Date: Tue Dec 17 11:25:28 2013 +0800 drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl() [ Upstream commit e9db5c21d3646a6454fcd04938dd215ac3ab620a ] The local variable 'bi' comes from userspace. If userspace passed a large number to 'bi.data.calibrate', there would be an integer overflow in the following line: s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; Signed-off-by: Wenliang Fan Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit fbe0048b51d62f0c44e6e2b7267c29b66ba59912 Author: Daniel Borkmann Date: Tue Dec 17 00:38:39 2013 +0100 net: inet_diag: zero out uninitialized idiag_{src,dst} fields [ Upstream commit b1aac815c0891fe4a55a6b0b715910142227700f ] Jakub reported while working with nlmon netlink sniffer that parts of the inet_diag_sockid are not initialized when r->idiag_family != AF_INET6. That is, fields of r->id.idiag_src[1 ... 3], r->id.idiag_dst[1 ... 3]. In fact, it seems that we can leak 6 * sizeof(u32) byte of kernel [slab] memory through this. At least, in udp_dump_one(), we allocate a skb in ... rep = nlmsg_new(sizeof(struct inet_diag_msg) + ..., GFP_KERNEL); ... and then pass that to inet_sk_diag_fill() that puts the whole struct inet_diag_msg into the skb, where we only fill out r->id.idiag_src[0], r->id.idiag_dst[0] and leave the rest untouched: r->id.idiag_src[0] = inet->inet_rcv_saddr; r->id.idiag_dst[0] = inet->inet_daddr; struct inet_diag_msg embeds struct inet_diag_sockid that is correctly / fully filled out in IPv6 case, but for IPv4 not. So just zero them out by using plain memset (for this little amount of bytes it's probably not worth the extra check for idiag_family == AF_INET). Similarly, fix also other places where we fill that out. Reported-by: Jakub Zawadzki Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d6e4f9236bf279e92be402319d57060303d32cfa Author: Timo Teräs Date: Mon Dec 16 11:02:09 2013 +0200 ip_gre: fix msg_name parsing for recvfrom/recvmsg [ Upstream commit 0e3da5bb8da45890b1dc413404e0f978ab71173e ] ipgre_header_parse() needs to parse the tunnel's ip header and it uses mac_header to locate the iphdr. This got broken when gre tunneling was refactored as mac_header is no longer updated to point to iphdr. Introduce skb_pop_mac_header() helper to do the mac_header assignment and use it in ipgre_rcv() to fix msg_name parsing. 
Bug introduced in commit c54419321455 (GRE: Refactor GRE tunneling code.) Cc: Pravin B Shelar Signed-off-by: Timo Teräs Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3620cedf7a554744184afe5022fc9096f0977f31 Author: Sasha Levin Date: Fri Dec 13 10:54:22 2013 -0500 net: unix: allow bind to fail on mutex lock [ Upstream commit 37ab4fa7844a044dc21fde45e2a0fc2f3c3b6490 ] This is similar to the set_peek_off patch where calling bind while the socket is stuck in unix_dgram_recvmsg() will block and cause a hung task spew after a while. This is also the last place that did a straightforward mutex_lock(), so there shouldn't be any more of these patches. Signed-off-by: Sasha Levin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3e6d67b46951976b726c1fe8d54b495ffae7e23d Author: Hannes Frederic Sowa Date: Fri Dec 13 15:12:27 2013 +0100 ipv6: fix illegal mac_header comparison on 32bit Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit eec17b9bc0d444c4ed57646bf160129d36f1ca3f Author: Jason Wang Date: Fri Dec 13 17:21:27 2013 +0800 netvsc: don't flush peers notifying work during setting mtu [ Upstream commit 50dc875f2e6e2e04aed3b3033eb0ac99192d6d02 ] There's a possible deadlock if we flush the peers notifying work during setting mtu: [ 22.991149] ====================================================== [ 22.991173] [ INFO: possible circular locking dependency detected ] [ 22.991198] 3.10.0-54.0.1.el7.x86_64.debug #1 Not tainted [ 22.991219] ------------------------------------------------------- [ 22.991243] ip/974 is trying to acquire lock: [ 22.991261] ((&(&net_device_ctx->dwork)->work)){+.+.+.}, at: [] flush_work+0x5/0x2e0 [ 22.991307] but task is already holding lock: [ 22.991330] (rtnl_mutex){+.+.+.}, at: [] rtnetlink_rcv+0x1b/0x40 [ 22.991367] which lock already depends on the new lock. 
[ 22.991398] the existing dependency chain (in reverse order) is: [ 22.991426] -> #1 (rtnl_mutex){+.+.+.}: [ 22.991449] [] __lock_acquire+0xb19/0x1260 [ 22.991477] [] lock_acquire+0xa2/0x1f0 [ 22.991501] [] mutex_lock_nested+0x89/0x4f0 [ 22.991529] [] rtnl_lock+0x17/0x20 [ 22.991552] [] netdev_notify_peers+0x12/0x30 [ 22.991579] [] netvsc_send_garp+0x22/0x30 [hv_netvsc] [ 22.991610] [] process_one_work+0x211/0x6e0 [ 22.991637] [] worker_thread+0x11b/0x3a0 [ 22.991663] [] kthread+0xed/0x100 [ 22.991686] [] ret_from_fork+0x7c/0xb0 [ 22.991715] -> #0 ((&(&net_device_ctx->dwork)->work)){+.+.+.}: [ 22.991715] [] check_prevs_add+0x967/0x970 [ 22.991715] [] __lock_acquire+0xb19/0x1260 [ 22.991715] [] lock_acquire+0xa2/0x1f0 [ 22.991715] [] flush_work+0x4e/0x2e0 [ 22.991715] [] __cancel_work_timer+0x95/0x130 [ 22.991715] [] cancel_delayed_work_sync+0x13/0x20 [ 22.991715] [] netvsc_change_mtu+0x84/0x200 [hv_netvsc] [ 22.991715] [] dev_set_mtu+0x34/0x80 [ 22.991715] [] do_setlink+0x23a/0xa00 [ 22.991715] [] rtnl_newlink+0x394/0x5e0 [ 22.991715] [] rtnetlink_rcv_msg+0x9c/0x260 [ 22.991715] [] netlink_rcv_skb+0xa9/0xc0 [ 22.991715] [] rtnetlink_rcv+0x2a/0x40 [ 22.991715] [] netlink_unicast+0xdd/0x190 [ 22.991715] [] netlink_sendmsg+0x337/0x750 [ 22.991715] [] sock_sendmsg+0x99/0xd0 [ 22.991715] [] ___sys_sendmsg+0x39e/0x3b0 [ 22.991715] [] __sys_sendmsg+0x42/0x80 [ 22.991715] [] SyS_sendmsg+0x12/0x20 [ 22.991715] [] system_call_fastpath+0x16/0x1b This is because we hold the rtnl_lock() before ndo_change_mtu() and try to flush the work in netvsc_change_mtu(), in the mean time, netdev_notify_peers() may be called from worker and also trying to hold the rtnl_lock. This will lead the flush won't succeed forever. Solve this by not canceling and flushing the work, this is safe because the transmission done by NETDEV_NOTIFY_PEERS was synchronized with the netif_tx_disable() called by netvsc_change_mtu(). Reported-by: Yaju Cao Tested-by: Yaju Cao Cc: K. Y. 
Srinivasan Cc: Haiyang Zhang Signed-off-by: Jason Wang Acked-by: Haiyang Zhang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1fec18456257ee2dc307659cb75039f4b84d6966 Author: Nat Gurumoorthy Date: Mon Dec 9 10:43:21 2013 -0800 tg3: Initialize REG_BASE_ADDR at PCI config offset 120 to 0 [ Upstream commit 388d3335575f4c056dcf7138a30f1454e2145cd8 ] The new tg3 driver leaves REG_BASE_ADDR (PCI config offset 120) uninitialized. From power on reset this register may have garbage in it. The Register Base Address register defines the device local address of a register. The data pointed to by this location is read or written using the Register Data register (PCI config offset 128). When REG_BASE_ADDR has garbage any read or write of Register Data Register (PCI 128) will cause the PCI bus to lock up. The TCO watchdog will fire and bring down the system. Signed-off-by: Nat Gurumoorthy Acked-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ce5bc6c999a45748b0e530769cd4623276984a86 Author: Fan Du Date: Mon Dec 9 10:33:53 2013 +0800 vxlan: release rt when found circular route [ Upstream commit fffc15a5012e9052d3b236efc56840841a125416 ] Otherwise causing dst memory leakage. Have Checked all other type tunnel device transmit implementation, no such things happens anymore. Signed-off-by: Fan Du Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a84305bbc625fac01f8700c26d25c99f4d846c56 Author: Sasha Levin Date: Sat Dec 7 17:26:27 2013 -0500 net: unix: allow set_peek_off to fail [ Upstream commit 12663bfc97c8b3fdb292428105dd92d563164050 ] unix_dgram_recvmsg() will hold the readlock of the socket until recv is complete. In the same time, we may try to setsockopt(SO_PEEK_OFF) which will hang until unix_dgram_recvmsg() will complete (which can take a while) without allowing us to break out of it, triggering a hung task spew. 
Instead, allow set_peek_off to fail, this way userspace will not hang. Signed-off-by: Sasha Levin Acked-by: Pavel Emelyanov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e7556142c6db8a3a748d597a917e84a525c1b15e Author: Stefan Tomanek Date: Tue Dec 10 23:21:25 2013 +0100 inet: fix NULL pointer Oops in fib(6)_rule_suppress [ Upstream commit 673498b8ed4c4d4b7221c5309d891c5eac2b7528 ] This change ensures that the routing entry investigated by the suppress function actually does point to a device struct before following that pointer, fixing a possible kernel oops situation when verifying the interface group associated with a routing table entry. According to Daniel Golle, this Oops can be triggered by a user process trying to establish an outgoing IPv6 connection while having no real IPv6 connectivity set up (only autoassigned link-local addresses). Fixes: 6ef94cfafba15 ("fib_rules: add route suppression based on ifgroup") Reported-by: Daniel Golle Tested-by: Daniel Golle Signed-off-by: Stefan Tomanek Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 77b0b11532bec875ef6126fe6f7ae07d2f007094 Author: Changli Gao Date: Sun Dec 8 09:36:56 2013 -0500 net: drop_monitor: fix the value of maxattr [ Upstream commit d323e92cc3f4edd943610557c9ea1bb4bb5056e8 ] maxattr in genl_family should be used to save the max attribute type, but not the max command type. Drop monitor doesn't support any attributes, so we should leave it as zero. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 776924a3bc18207a6c2d739ebaf91f001638709e Author: Hannes Frederic Sowa Date: Sat Dec 7 03:33:45 2013 +0100 ipv6: don't count addrconf generated routes against gc limit [ Upstream commit a3300ef4bbb1f1e33ff0400e1e6cf7733d988f4f ] Brett Ciphery reported that new ipv6 addresses failed to get installed because the addrconf generated dsts were counted against the dst gc limit.
We don't need to count those routes like we currently don't count administratively added routes. Because the max_addresses check enforces a limit on unbounded address generation first in case someone plays with router advertisements, we are still safe here. Reported-by: Brett Ciphery Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7c4445d70c6a0e6356741e50ff65e700ca28f551 Author: Daniel Borkmann Date: Fri Dec 6 11:36:15 2013 +0100 packet: fix send path when running with proto == 0 [ Upstream commit 66e56cd46b93ef407c60adcac62cf33b06119d50 ] Commit e40526cb20b5 introduced a cached dev pointer, that gets hooked into register_prot_hook(), __unregister_prot_hook() to update the device used for the send path. We need to fix this up, as otherwise this will not work with sockets created with protocol = 0, plus with sll_protocol = 0 passed via sockaddr_ll when doing the bind. So instead, assign the pointer directly. The compiler can inline these helper functions automagically. While at it, also assume the cached dev fast-path as likely(), and document this variant of socket creation as it seems it is not widely used (seems not even the author of TX_RING was aware of that in his reference example [1]). Tested with reproducer from e40526cb20b5. [1] http://wiki.ipxwarzone.com/index.php5?title=Linux_packet_mmap#Example Fixes: e40526cb20b5 ("packet: fix use after free race in send path when dev is released") Signed-off-by: Daniel Borkmann Tested-by: Salam Noureddine Tested-by: Jesper Dangaard Brouer Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 61d338f1a9bed6386f0c1e012bd5c521cc4d90a3 Author: Jiri Pirko Date: Thu Dec 5 16:27:37 2013 +0100 br: fix use of ->rx_handler_data in code executed on non-rx_handler path [ Upstream commit 859828c0ea476b42f3a93d69d117aaba90994b6f ] br_stp_rcv() is reached by non-rx_handler path.
That means there is no guarantee that dev is bridge port and therefore simple NULL check of ->rx_handler_data is not enough. There is need to check if dev is really bridge port and since only rcu read lock is held here, do it by checking ->rx_handler pointer. Note that synchronize_net() in netdev_rx_handler_unregister() ensures this approach as valid. Introduced originally by: commit f350a0a87374418635689471606454abc7beaa3a "bridge: use rx_handler_data pointer to store net_bridge_port pointer" Fixed but not in the best way by: commit b5ed54e94d324f17c97852296d61a143f01b227a "bridge: fix RCU races with bridge port" Reintroduced by: commit 716ec052d2280d511e10e90ad54a86f5b5d4dcc2 "bridge: fix NULL pointer deref of br_port_get_rcu" Please apply to stable trees as well. Thanks. RH bugzilla reference: https://bugzilla.redhat.com/show_bug.cgi?id=1025770 Reported-by: Laine Stump Debugged-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin Signed-off-by: Jiri Pirko Acked-by: Michael S. Tsirkin Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 455dcf9880ec3edf5b19070f23d6b1ebac2f09eb Author: Andrey Vagin Date: Thu Dec 5 18:36:21 2013 +0400 virtio: delete napi structures from netdev before releasing memory [ Upstream commit d4fb84eefe5164f6a6ea51d0a9e26280c661a0dd ] free_netdev calls netif_napi_del too, but it's too late, because napi structures are placed on vi->rq. netif_napi_add() is called from virtnet_alloc_queues. 
general protection fault: 0000 [#1] SMP Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: ip6table_filter ip6_tables iptable_filter ip_tables virtio_balloon pcspkr virtio_net(-) i2c_pii CPU: 1 PID: 347 Comm: rmmod Not tainted 3.13.0-rc2+ #171 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 task: ffff8800b779c420 ti: ffff8800379e0000 task.ti: ffff8800379e0000 RIP: 0010:[] [] __list_del_entry+0x29/0xd0 RSP: 0018:ffff8800379e1dd0 EFLAGS: 00010a83 RAX: 6b6b6b6b6b6b6b6b RBX: ffff8800379c2fd0 RCX: dead000000200200 RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000001 RDI: ffff8800379c2fd0 RBP: ffff8800379e1dd0 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff8800379c2f90 R13: ffff880037839160 R14: 0000000000000000 R15: 00000000013352f0 FS: 00007f1400e34740(0000) GS:ffff8800bfb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 00007f464124c763 CR3: 00000000b68cf000 CR4: 00000000000006e0 Stack: ffff8800379e1df0 ffffffff8155beab 6b6b6b6b6b6b6b2b ffff8800378391c0 ffff8800379e1e18 ffffffff8156499b ffff880037839be0 ffff880037839d20 ffff88003779d3f0 ffff8800379e1e38 ffffffffa003477c ffff88003779d388 Call Trace: [] netif_napi_del+0x1b/0x80 [] free_netdev+0x8b/0x110 [] virtnet_remove+0x7c/0x90 [virtio_net] [] virtio_dev_remove+0x23/0x80 [] __device_release_driver+0x7f/0xf0 [] driver_detach+0xc0/0xd0 [] bus_remove_driver+0x58/0xd0 [] driver_unregister+0x2c/0x50 [] unregister_virtio_driver+0xe/0x10 [] virtio_net_driver_exit+0x10/0x6ce [virtio_net] [] SyS_delete_module+0x172/0x220 [] ? trace_hardirqs_on+0xd/0x10 [] ? __audit_syscall_entry+0x9c/0xf0 [] system_call_fastpath+0x16/0x1b Code: 00 00 55 48 8b 17 48 b9 00 01 10 00 00 00 ad de 48 8b 47 08 48 89 e5 48 39 ca 74 29 48 b9 00 02 20 00 00 00 RIP [] __list_del_entry+0x29/0xd0 RSP ---[ end trace d5931cd3f87c9763 ]--- Fixes: 986a4f4d452d (virtio_net: multiqueue support) Cc: Rusty Russell Cc: "Michael S. 
Tsirkin" Signed-off-by: Andrey Vagin Acked-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ade6583466937b71a88eca5e72254af712b6dd07 Author: Jason Wang Date: Wed Dec 11 13:08:34 2013 +0800 macvtap: signal truncated packets [ Upstream commit ce232ce01d61b184202bb185103d119820e1260c ] macvtap_put_user() never returns a value greater than iov length, this in fact bypasses the truncated checking in macvtap_recvmsg(). Fix this by always returning the size of packet plus the possible vlan header to let the truncated checking work. Cc: Vlad Yasevich Cc: Zhi Yong Wu Cc: Michael S. Tsirkin Signed-off-by: Jason Wang Acked-by: Vlad Yasevich Acked-by: Michael S. Tsirkin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0f1d447d2b8d8fd2eac2dd2af4c56906056d4816 Author: Vlad Yasevich Date: Tue Nov 26 12:37:12 2013 -0500 macvtap: Do not double-count received packets [ Upstream commit 006da7b07bc4d3a7ffabad17cf639eec6849c9dc ] Currently macvlan will count received packets after calling each vlans receive handler. Macvtap attempts to count the packet yet again when the user reads the packet from the tap socket. This code doesn't do this consistently either. Remove the counting from macvtap and let only macvlan count received packets. Signed-off-by: Vlad Yasevich Acked-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d61523f614056d4e7fa35853f0eae919103861a0 Author: Jason Wang Date: Wed Dec 11 13:08:33 2013 +0800 tun: unbreak truncated packet signalling [ Upstream commit e6fd07c899cd719bb5517bc7f32ce03a62220351 ] Commit 6680ec68eff47d36f67b4351bc9836fd6cba9532 (tuntap: hardware vlan tx support) breaks the truncated packet signal by never returning a length greater than iov length in tun_put_user(). This patch fixes this by always returning the length of packet plus possible vlan header.
Caller can detect the truncated packet by comparing the return value and the size of io length. Cc: Zhi Yong Wu Cc: Michael S. Tsirkin Signed-off-by: Vlad Yasevich Signed-off-by: Jason Wang Acked-by: Michael S. Tsirkin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5b30f621635598a94259e0d2553920b331e6d465 Author: Zhi Yong Wu Date: Fri Dec 6 14:16:51 2013 +0800 tun: update file current position [ Upstream commit d0b7da8afa079ffe018ab3e92879b7138977fc8f ] Signed-off-by: Zhi Yong Wu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 454a47b8595f558f91f7d294c7634e1d63ace4a3 Author: Zhi Yong Wu Date: Fri Dec 6 14:16:50 2013 +0800 macvtap: update file current position [ Upstream commit e6ebc7f16ca1434a334647aa56399c546be4e64b ] Signed-off-by: Zhi Yong Wu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2a1ac25294b5a8df0bd570a9e9917ad000451c42 Author: Hannes Frederic Sowa Date: Thu Dec 5 23:29:19 2013 +0100 net: clear local_df when passing skb between namespaces [ Upstream commit 239c78db9c41a8f524cce60507440d72229d73bc ] We must clear local_df when passing the skb between namespaces as the packet is not local to the new namespace any more and thus may not get fragmented by local rules. Fred Templin noticed that other namespaces do fragment IPv6 packets while forwarding. Instead they should have sent back a PTB. The same problem should be present when forwarding DF-IPv4 packets between namespaces. Reported-by: Templin, Fred L Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S.
Miller Signed-off-by: Greg Kroah-Hartman commit 0a743164c25fc0c5c4ba0f581ab9d4e5dd9772f8 Author: Venkat Venkatsubra Date: Mon Dec 2 15:41:39 2013 -0800 rds: prevent BUG_ON triggered on congestion update to loopback [ Upstream commit 18fc25c94eadc52a42c025125af24657a93638c0 ] After congestion update on a local connection, when rds_ib_xmit returns less bytes than that are there in the message, rds_send_xmit calls back rds_ib_xmit with an offset that causes BUG_ON(off & RDS_FRAG_SIZE) to trigger. For a 4Kb PAGE_SIZE rds_ib_xmit returns min(8240,4096)=4096 when actually the message contains 8240 bytes. rds_send_xmit thinks there is more to send and calls rds_ib_xmit again with a data offset "off" of 4096-48(rds header) =4048 bytes thus hitting the BUG_ON(off & RDS_FRAG_SIZE) [RDS_FRAG_SIZE=4k]. The commit 6094628bfd94323fc1cea05ec2c6affd98c18f7f "rds: prevent BUG_ON triggering on congestion map updates" introduced this regression. That change was addressing the triggering of a different BUG_ON in rds_send_xmit() on PowerPC architecture with 64Kbytes PAGE_SIZE: BUG_ON(ret != 0 && conn->c_xmit_sg == rm->data.op_nents); This was the sequence it was going through: (rds_ib_xmit) /* Do not send cong updates to IB loopback */ if (conn->c_loopback && rm->m_inc.i_hdr.h_flags & RDS_FLAG_CONG_BITMAP) { rds_cong_map_updated(conn->c_fcong, ~(u64) 0); return sizeof(struct rds_header) + RDS_CONG_MAP_BYTES; } rds_ib_xmit returns 8240 rds_send_xmit: c_xmit_data_off = 0 + 8240 - 48 (rds header accounted only the first time) = 8192 c_xmit_data_off < 65536 (sg->length), so calls rds_ib_xmit again rds_ib_xmit returns 8240 rds_send_xmit: c_xmit_data_off = 8192 + 8240 = 16432, calls rds_ib_xmit again and so on (c_xmit_data_off 24672,32912,41152,49392,57632) rds_ib_xmit returns 8240 On this iteration this sequence causes the BUG_ON in rds_send_xmit: while (ret) { tmp = min_t(int, ret, sg->length - conn->c_xmit_data_off); [tmp = 65536 - 57632 = 7904] conn->c_xmit_data_off += tmp; 
[c_xmit_data_off = 57632 + 7904 = 65536] ret -= tmp; [ret = 8240 - 7904 = 336] if (conn->c_xmit_data_off == sg->length) { conn->c_xmit_data_off = 0; sg++; conn->c_xmit_sg++; BUG_ON(ret != 0 && conn->c_xmit_sg == rm->data.op_nents); [c_xmit_sg = 1, rm->data.op_nents = 1] What the current fix does: Since the congestion update over loopback is not actually transmitted as a message, all that rds_ib_xmit needs to do is let the caller think the full message has been transmitted and not return partial bytes. It will return 8240 (RDS_CONG_MAP_BYTES+48) when PAGE_SIZE is 4Kb. And 64Kb+48 when page size is 64Kb. Reported-by: Josh Hunt Tested-by: Honggang Li Acked-by: Bang Nguyen Signed-off-by: Venkat Venkatsubra Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d74826e419ab9d4eda753398e372fbce770e69b0 Author: Eric Dumazet Date: Mon Dec 2 08:51:13 2013 -0800 net: do not pretend FRAGLIST support [ Upstream commit 28e24c62ab3062e965ef1b3bcc244d50aee7fa85 ] Few network drivers really supports frag_list : virtual drivers. Some drivers wrongly advertise NETIF_F_FRAGLIST feature. If skb with a frag_list is given to them, packet on the wire will be corrupt. Remove this flag, as core networking stack will make sure to provide packets that can be sent without corruption. Signed-off-by: Eric Dumazet Cc: Thadeu Lima de Souza Cascardo Cc: Anirudha Sarangi Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a9adc58f81ec36a9c4df6a6aec3493949df526f3 Author: Kamala R Date: Mon Dec 2 19:55:21 2013 +0530 IPv6: Fixed support for blackhole and prohibit routes [ Upstream commit 7150aede5dd241539686e17d9592f5ebd28a2cda ] The behaviour of blackhole and prohibit routes has been corrected by setting the input and output pointers of the dst variable appropriately. For blackhole routes, they are set to dst_discard and to ip6_pkt_discard and ip6_pkt_discard_out respectively for prohibit routes. 
ipv6: ip6_pkt_prohibit(_out) should not depend on CONFIG_IPV6_MULTIPLE_TABLES We need ip6_pkt_prohibit(_out) available without CONFIG_IPV6_MULTIPLE_TABLES Signed-off-by: Kamala R Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman
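The info leak described in the inet_diag commit above (and, in the same form, in the hamradio/yam ioctl commit) can be reproduced in userspace. This is an added example, not kernel code: `struct sockid` is a simplified stand-in for struct inet_diag_sockid, the 0xAA fill is a constructed stand-in for recycled slab contents, and all field values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for old slab contents */

/* Simplified stand-in for struct inet_diag_sockid; not the kernel header. */
struct sockid {
    uint16_t sport;
    uint16_t dport;
    uint32_t src[4];    /* IPv6 fills all four words, IPv4 only src[0] */
    uint32_t dst[4];    /* IPv6 fills all four words, IPv4 only dst[0] */
    uint32_t ifindex;
    uint32_t cookie[2];
};

/* Fill the reply for an IPv4 socket. zero_first selects the fixed behaviour
 * (memset of both address arrays before the per-family assignment). */
static void fill_ipv4(struct sockid *id, int zero_first)
{
    if (zero_first) {
        memset(id->src, 0, sizeof(id->src));
        memset(id->dst, 0, sizeof(id->dst));
    }
    /* Constructed sample values; none of their bytes equals STALE. */
    id->sport = 0x3039;
    id->dport = 0x0050;
    id->src[0] = 0xC0000201u;   /* 192.0.2.1 */
    id->dst[0] = 0xC6336402u;   /* 198.51.100.2 */
    id->ifindex = 2;
    id->cookie[0] = 0x11111111u;
    id->cookie[1] = 0x22222222u;
}

/* Build one reply in dirty memory and count the stale bytes that would be
 * copied out to the reader along with the legitimate fields. */
static size_t leaked_bytes(int zero_first)
{
    unsigned char *msg = malloc(sizeof(struct sockid));
    size_t i, n = 0;

    if (!msg)
        return (size_t)-1;
    memset(msg, STALE, sizeof(struct sockid)); /* allocator returns used memory */
    fill_ipv4((struct sockid *)msg, zero_first);
    for (i = 0; i < sizeof(struct sockid); i++)
        if (msg[i] == STALE)
            n++;
    free(msg);
    return n;
}

int main(void)
{
    printf("without memset: %zu stale bytes in reply\n", leaked_bytes(0));
    printf("with memset:    %zu stale bytes in reply\n", leaked_bytes(1));
    return 0;
}
```

The unfixed count equals the 6 * sizeof(u32) stated in the commit message: words 1 to 3 of each address array.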
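The overflow in the hdlcdrv_ioctl() commit above, shown with the expression quoted there next to a bounds-checked form. This is an added example, not the driver's code: the 32-bit int types, the bitrate of 9600 and the choice of -EINVAL are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Result of "calibrate * bitrate / 16" when the product is kept in 32 bits.
 * The product is computed in 64 bits and truncated so that the demonstration
 * itself contains no signed overflow; the narrowing cast wraps on the usual
 * two's-complement compilers (gcc, clang). */
static int32_t calibrate_unchecked(int32_t calibrate, int32_t bitrate)
{
    int64_t wide = (int64_t)calibrate * bitrate;
    int32_t wrapped = (int32_t)(uint32_t)wide; /* low 32 bits only */

    return wrapped / 16;
}

/* Validate the user-supplied value before multiplying: the product fits in
 * an int32_t exactly when calibrate <= INT32_MAX / bitrate. */
static int calibrate_checked(int32_t calibrate, int32_t bitrate, int32_t *out)
{
    if (calibrate < 0 || bitrate <= 0)
        return -EINVAL;
    if (calibrate > INT32_MAX / bitrate)
        return -EINVAL;
    *out = calibrate * bitrate / 16;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one in range, two whose product exceeds 32 bits. */
    const int32_t samples[] = { 10, 300000, 500000 };
    const int32_t bitrate = 9600;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int32_t safe = 0;
        int rc = calibrate_checked(samples[i], bitrate, &safe);

        printf("calibrate=%d unchecked=%d checked rc=%d value=%d\n",
               samples[i], calibrate_unchecked(samples[i], bitrate), rc, safe);
    }
    return 0;
}
```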
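The offset arithmetic walked through in the rds congestion-update commit above, carried out by a small userspace model. This is an added example, not kernel code: it is a simplified model of the accounting loop quoted in the commit message, and the function name, parameters and log array are hypothetical.

```c
#include <stdio.h>

#define RDS_HEADER_BYTES 48   /* rds header size used in the commit message */
#define MAX_CALLS        16   /* capacity of the offset log */

/* Model of the rds_send_xmit accounting loop quoted in the commit message.
 *   sg_len:   length of each scatterlist entry (PAGE_SIZE)
 *   nents:    number of entries in the message (op_nents)
 *   xmit_ret: byte count rds_ib_xmit reports for a loopback congestion update
 *   off_log:  optional; receives c_xmit_data_off after each completed call
 * Returns the 1-based rds_ib_xmit call on which the BUG_ON condition becomes
 * true, 0 if the message completes cleanly, -1 on invalid input. */
static int first_bug_call(int sg_len, int nents, int xmit_ret, int *off_log)
{
    int data_off = 0, xmit_sg = 0, hdr_accounted = 0, call = 0;

    if (sg_len <= 0 || nents <= 0 || xmit_ret <= RDS_HEADER_BYTES)
        return -1;

    while (xmit_sg < nents) {
        int ret = xmit_ret;

        if (++call > MAX_CALLS)
            return -1;
        if (!hdr_accounted) {          /* header is subtracted only once */
            ret -= RDS_HEADER_BYTES;
            hdr_accounted = 1;
        }
        while (ret) {
            int room = sg_len - data_off;
            int tmp = ret < room ? ret : room;

            data_off += tmp;
            ret -= tmp;
            if (data_off == sg_len) {
                data_off = 0;
                xmit_sg++;
                /* BUG_ON(ret != 0 && conn->c_xmit_sg == rm->data.op_nents) */
                if (ret != 0 && xmit_sg == nents)
                    return call;
            }
        }
        if (off_log)
            off_log[call - 1] = data_off;
    }
    return 0;
}

int main(void)
{
    int log[MAX_CALLS] = { 0 };
    int i, bug;

    /* 64K pages, one sg entry, rds_ib_xmit reporting 8240 bytes per call. */
    bug = first_bug_call(65536, 1, 8240, log);
    for (i = 0; i < bug - 1; i++)
        printf("call %d: c_xmit_data_off = %d\n", i + 1, log[i]);
    printf("BUG_ON condition on call %d\n", bug);

    /* Reporting the full message (64K + header) completes in one call. */
    printf("full length: %d\n", first_bug_call(65536, 1, 65536 + 48, NULL));
    return 0;
}
```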