9 years agorecordmcount: Fix handling of elf64 big-endian objects.
David Daney [Tue, 20 Dec 2011 01:42:42 +0000 (17:42 -0800)]
recordmcount: Fix handling of elf64 big-endian objects.

commit 2e885057b7f75035f0b85e02f737891482815a81 upstream.

In ELF64, the sh_flags field is 64-bits wide.  recordmcount was
erroneously treating it as a 32-bit wide field.  For little endian
objects this works because the flags of interest (SHF_EXECINSTR)
reside in the lower 32 bits of the word, and you get the same result
with either a 32-bit or 64-bit read.  Big endian objects on the
other hand do not work at all with this error.

The fix:  Correctly treat sh_flags as 64-bits wide in elf64 objects.

The symptom I observed was that my
__start_mcount_loc..__stop_mcount_loc was empty even though ftrace
function tracing was enabled.

Signed-off-by: David Daney <>
Signed-off-by: Steven Rostedt <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agox86, UV: Update Boot messages for SGI UV2 platform
Jack Steiner [Fri, 6 Jan 2012 19:19:00 +0000 (13:19 -0600)]
x86, UV: Update Boot messages for SGI UV2 platform

commit da517a08ac5913cd80ce3507cddd00f2a091b13c upstream.

SGI UV systems print a message during boot:

UV: Found <num> blades

Due to packaging changes, the blade count is not accurate for
on the next generation of the platform. This patch corrects the

Signed-off-by: Jack Steiner <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agofsnotify: don't BUG in fsnotify_destroy_mark()
Miklos Szeredi [Thu, 12 Jan 2012 16:59:46 +0000 (17:59 +0100)]
fsnotify: don't BUG in fsnotify_destroy_mark()

commit fed474857efbed79cd390d0aee224231ca718f63 upstream.

Removing the parent of a watched file results in "kernel BUG at

To reproduce

  add "-w /tmp/audit/dir/watched_file" to audit.rules
  rm -rf /tmp/audit/dir

This is caused by fsnotify_destroy_mark() being called without an
extra reference taken by the caller.

Reported by Francesco Cosoleto here:

Fix by removing the BUG_ON and adding a comment about not accessing mark after
the iput.

Signed-off-by: Miklos Szeredi <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agonfsd: Fix oops when parsing a 0 length export
Sasha Levin [Fri, 18 Nov 2011 10:14:49 +0000 (12:14 +0200)]
nfsd: Fix oops when parsing a 0 length export

commit b2ea70afade7080360ac55c4e64ff7a5fafdb67b upstream.

expkey_parse() oopses when handling a 0 length export. This is easily
triggerable from usermode by writing 0 bytes into
'/proc/[proc id]/net/rpc/nfsd.fh/channel'.

Below is the log:

[ 1402.286893] BUG: unable to handle kernel paging request at ffff880077c49fff
[ 1402.287632] IP: [<ffffffff812b4b99>] expkey_parse+0x28/0x2e1
[ 1402.287632] PGD 2206063 PUD 1fdfd067 PMD 1ffbc067 PTE 8000000077c49160
[ 1402.287632] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 1402.287632] CPU 1
[ 1402.287632] Pid: 20198, comm: trinity Not tainted 3.2.0-rc2-sasha-00058-gc65cd37 #6
[ 1402.287632] RIP: 0010:[<ffffffff812b4b99>]  [<ffffffff812b4b99>] expkey_parse+0x28/0x2e1
[ 1402.287632] RSP: 0018:ffff880077f0fd68  EFLAGS: 00010292
[ 1402.287632] RAX: ffff880077c49fff RBX: 00000000ffffffea RCX: 0000000001043400
[ 1402.287632] RDX: 0000000000000000 RSI: ffff880077c4a000 RDI: ffffffff82283de0
[ 1402.287632] RBP: ffff880077f0fe18 R08: 0000000000000001 R09: ffff880000000000
[ 1402.287632] R10: 0000000000000000 R11: 0000000000000001 R12: ffff880077c4a000
[ 1402.287632] R13: ffffffff82283de0 R14: 0000000001043400 R15: ffffffff82283de0
[ 1402.287632] FS:  00007f25fec3f700(0000) GS:ffff88007d400000(0000) knlGS:0000000000000000
[ 1402.287632] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1402.287632] CR2: ffff880077c49fff CR3: 0000000077e1d000 CR4: 00000000000406e0
[ 1402.287632] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1402.287632] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 1402.287632] Process trinity (pid: 20198, threadinfo ffff880077f0e000, task ffff880077db17b0)
[ 1402.287632] Stack:
[ 1402.287632]  ffff880077db17b0 ffff880077c4a000 ffff880077f0fdb8 ffffffff810b411e
[ 1402.287632]  ffff880000000000 ffff880077db17b0 ffff880077c4a000 ffffffff82283de0
[ 1402.287632]  0000000001043400 ffffffff82283de0 ffff880077f0fde8 ffffffff81111f63
[ 1402.287632] Call Trace:
[ 1402.287632]  [<ffffffff810b411e>] ? lock_release+0x1af/0x1bc
[ 1402.287632]  [<ffffffff81111f63>] ? might_fault+0x97/0x9e
[ 1402.287632]  [<ffffffff81111f1a>] ? might_fault+0x4e/0x9e
[ 1402.287632]  [<ffffffff81a8bcf2>] cache_do_downcall+0x3e/0x4f
[ 1402.287632]  [<ffffffff81a8c950>] cache_write.clone.16+0xbb/0x130
[ 1402.287632]  [<ffffffff81a8c9df>] ? cache_write_pipefs+0x1a/0x1a
[ 1402.287632]  [<ffffffff81a8c9f8>] cache_write_procfs+0x19/0x1b
[ 1402.287632]  [<ffffffff8118dc54>] proc_reg_write+0x8e/0xad
[ 1402.287632]  [<ffffffff8113fe81>] vfs_write+0xaa/0xfd
[ 1402.287632]  [<ffffffff8114142d>] ? fget_light+0x35/0x9e
[ 1402.287632]  [<ffffffff8113ff8b>] sys_write+0x48/0x6f
[ 1402.287632]  [<ffffffff81bbdb92>] system_call_fastpath+0x16/0x1b
[ 1402.287632] Code: c0 c9 c3 55 48 63 d2 48 89 e5 48 8d 44 32 ff 41 57 41 56 41 55 41 54 53 bb ea ff ff ff 48 81 ec 88 00 00 00 48 89 b5 58 ff ff ff
[ 1402.287632]  38 0a 0f 85 89 02 00 00 c6 00 00 48 8b 3d 44 4a e5 01 48 85
[ 1402.287632] RIP  [<ffffffff812b4b99>] expkey_parse+0x28/0x2e1
[ 1402.287632]  RSP <ffff880077f0fd68>
[ 1402.287632] CR2: ffff880077c49fff
[ 1402.287632] ---[ end trace 368ef53ff773a5e3 ]---

Cc: "J. Bruce Fields" <>
Cc: Neil Brown <>
Signed-off-by: Sasha Levin <>
Signed-off-by: J. Bruce Fields <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agonfsd4: fix lockowner matching
J. Bruce Fields [Mon, 7 Nov 2011 21:37:57 +0000 (16:37 -0500)]
nfsd4: fix lockowner matching

commit b93d87c19821ba7d3ee11557403d782e541071ad upstream.

Lockowners are looked up by file as well as by owner, but we were
forgetting to do a comparison on the file.  This could cause an
incorrect result from lockt.

(Note looking up the inode from the lockowner is pretty awkward here.
The data structures need fixing.)

Signed-off-by: J. Bruce Fields <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agosvcrpc: avoid memory-corruption on pool shutdown
J. Bruce Fields [Tue, 29 Nov 2011 22:00:26 +0000 (17:00 -0500)]
svcrpc: avoid memory-corruption on pool shutdown

commit b4f36f88b3ee7cf26bf0be84e6c7fc15f84dcb71 upstream.

Socket callbacks use svc_xprt_enqueue() to add an xprt to a
pool->sp_sockets list.  In normal operation a server thread will later
come along and take the xprt off that list.  On shutdown, after all the
threads have exited, we instead manually walk the sv_tempsocks and
sv_permsocks lists to find all the xprt's and delete them.

So the sp_sockets lists don't really matter any more.  As a result,
we've mostly just ignored them and hoped they would go away.

Which has gotten us into trouble; witness for example ebc63e531cc6
"svcrpc: fix list-corrupting race on nfsd shutdown", the result of Ben
Greear noticing that a still-running svc_xprt_enqueue() could re-add an
xprt to an sp_sockets list just before it was deleted.  The fix was to
remove it from the list at the end of svc_delete_xprt().  But that only
made corruption less likely--I can see nothing that prevents a
svc_xprt_enqueue() from adding another xprt to the list at the same
moment that we're removing this xprt from the list.  In fact, despite
the earlier xpo_detach(), I don't even see what guarantees that
svc_xprt_enqueue() couldn't still be running on this xprt.

So, instead, note that svc_xprt_enqueue() essentially does:
lock sp_lock
if XPT_BUSY unset
add to sp_sockets
unlock sp_lock

So, if we do:

set XPT_BUSY on every xprt.
Empty every sp_sockets list, under the sp_socks locks.

Then we're left knowing that the sp_sockets lists are all empty and will
stay that way, since any svc_xprt_enqueue() will check XPT_BUSY under
the sp_lock and see it set.

And *then* we can continue deleting the xprt's.

(Thanks to Jeff Layton for being correctly suspicious of this code....)

Cc: Ben Greear <>
Cc: Jeff Layton <>
Signed-off-by: J. Bruce Fields <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agosvcrpc: destroy server sockets all at once
J. Bruce Fields [Tue, 29 Nov 2011 16:35:35 +0000 (11:35 -0500)]
svcrpc: destroy server sockets all at once

commit 2fefb8a09e7ed251ae8996e0c69066e74c5aa560 upstream.

There's no reason I can see that we need to call sv_shutdown between
closing the two lists of sockets.

Signed-off-by: J. Bruce Fields <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agosvcrpc: fix double-free on shutdown of nfsd after changing pool mode
J. Bruce Fields [Fri, 23 Dec 2011 01:22:49 +0000 (18:22 -0700)]
svcrpc: fix double-free on shutdown of nfsd after changing pool mode

commit 61c8504c428edcebf23b97775a129c5b393a302b upstream.

The pool_to and to_pool fields of the global svc_pool_map are freed on
shutdown, but are initialized in nfsd startup only in the

They *are* initialized to zero on kernel startup.  So as long as you use
only SVC_POOL_GLOBAL (the default), this will never be a problem.

You're also OK if you only ever use SVC_POOL_PERCPU or SVC_POOL_PERNODE.

However, the following sequence events leads to a double-free:

2. start nfsd: both fields are initialized.
3. shutdown nfsd: both fields are freed.
5. start nfsd: the fields are left untouched.
6. shutdown nfsd: now we try to free them again.

Step 4 is actually unnecessary, since (for some bizarre reason), nfsd
automatically resets the pool mode to SVC_POOL_GLOBAL on shutdown.

Signed-off-by: J. Bruce Fields <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agokconfig/ Fix parsing Makefile with variables
Steven Rostedt [Fri, 13 Jan 2012 22:53:40 +0000 (17:53 -0500)]
kconfig/ Fix parsing Makefile with variables

commit 364212fddaaa60c5a64f67a0f5624ad996ecc8a0 upstream.

Thomas Lange reported that when he did a 'make localmodconfig', his
config was missing the brcmsmac driver, even though he had the module

Looking into this, I found the file:
had the following in the Makefile:

MODULEPFX := brcmsmac


The way works, is parsing all the
 obj-$(CONFIG_FOO) += foo.o
lines to find that CONFIG_FOO belongs to the module foo.ko.

But in this case, the brcmsmac.o was not used, but a variable in its place.

By changing to remember defined variables in Makefiles
and substituting them when they are used in the obj-X lines, allows
Thomas (and others) to have their brcmsmac module stay configured
when it is loaded and running "make localmodconfig".

Reported-by: Thomas Lange <>
Tested-by: Thomas Lange <>
Cc: Arend van Spriel <>
Signed-off-by: Steven Rostedt <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agokconfig/ Simplify backslash line concatination
Steven Rostedt [Fri, 13 Jan 2012 22:50:39 +0000 (17:50 -0500)]
kconfig/ Simplify backslash line concatination

commit d060d963e88f3e990cec2fe5214de49de9a49eca upstream.

Simplify the way lines ending with backslashes (continuation) in Makefiles
is parsed. This is needed to implement a necessary fix.

Tested-by: Thomas Lange <>
Signed-off-by: Steven Rostedt <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoftrace: Fix unregister ftrace_ops accounting
Jiri Olsa [Mon, 5 Dec 2011 17:22:48 +0000 (18:22 +0100)]
ftrace: Fix unregister ftrace_ops accounting

commit 30fb6aa74011dcf595f306ca2727254d708b786e upstream.

Multiple users of the function tracer can register their functions
with the ftrace_ops structure. The accounting within ftrace will
update the counter on each function record that is being traced.
When the ftrace_ops filtering adds or removes functions, the
function records will be updated accordingly if the ftrace_ops is
still registered.

When a ftrace_ops is removed, the counter of the function records,
that the ftrace_ops traces, are decremented. When they reach zero
the functions that they represent are modified to stop calling the
mcount code.

When changes are made, the code is updated via stop_machine() with
a command passed to the function to tell it what to do. There is an
ENABLE and DISABLE command that tells the called function to enable
or disable the functions. But the ENABLE is really a misnomer as it
should just update the records, as records that have been enabled
and now have a count of zero should be disabled.

The DISABLE command is used to disable all functions regardless of
their counter values. This is the big off switch and is not the
complement of the ENABLE command.

To make matters worse, when a ftrace_ops is unregistered and there
is another ftrace_ops registered, neither the DISABLE nor the
ENABLE command are set when calling into the stop_machine() function
and the records will not be updated to match their counter. A command
is passed to that function that will update the mcount code to call
the registered callback directly if it is the only one left. This
means that the ftrace_ops that is still registered will have its callback
called by all functions that have been set for it as well as the ftrace_ops
that was just unregistered.

Here's a way to trigger this bug. Compile the kernel with


This will force the function profiler to use the function tracer instead
of the function graph tracer.

  # cd /sys/kernel/debug/tracing
  # echo schedule > set_ftrace_filter
  # echo function > current_tracer
  # cat set_ftrace_filter
  # cat trace
 # tracer: nop
 # entries-in-buffer/entries-written: 692/68108025   #P:4
 #                              _-----=> irqs-off
 #                             / _----=> need-resched
 #                            | / _---=> hardirq/softirq
 #                            || / _--=> preempt-depth
 #                            ||| /     delay
 #           TASK-PID   CPU#  ||||    TIMESTAMP  FUNCTION
 #              | |       |   ||||       |         |
      kworker/0:2-909   [000] ....   531.235574: schedule <-worker_thread
           <idle>-0     [001] .N..   531.235575: schedule <-cpu_idle
      kworker/0:2-909   [000] ....   531.235597: schedule <-worker_thread
             sshd-2563  [001] ....   531.235647: schedule <-schedule_hrtimeout_range_clock

  # echo 1 > function_profile_enabled
  # echo 0 > function_porfile_enabled
  # cat set_ftrace_filter
  # cat trace
 # tracer: function
 # entries-in-buffer/entries-written: 159701/118821262   #P:4
 #                              _-----=> irqs-off
 #                             / _----=> need-resched
 #                            | / _---=> hardirq/softirq
 #                            || / _--=> preempt-depth
 #                            ||| /     delay
 #           TASK-PID   CPU#  ||||    TIMESTAMP  FUNCTION
 #              | |       |   ||||       |         |
           <idle>-0     [002] ...1   604.870655: local_touch_nmi <-cpu_idle
           <idle>-0     [002] d..1   604.870655: enter_idle <-cpu_idle
           <idle>-0     [002] d..1   604.870656: atomic_notifier_call_chain <-enter_idle
           <idle>-0     [002] d..1   604.870656: __atomic_notifier_call_chain <-atomic_notifier_call_chain

The same problem could have happened with the trace_probe_ops,
but they are modified with the set_frace_filter file which does the
update at closure of the file.

The simple solution is to change ENABLE to UPDATE and call it every
time an ftrace_ops is unregistered.

Signed-off-by: Jiri Olsa <>
Signed-off-by: Steven Rostedt <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoUnused iocbs in a batch should not be accounted as active.
Gleb Natapov [Sun, 8 Jan 2012 15:07:28 +0000 (17:07 +0200)]
Unused iocbs in a batch should not be accounted as active.

commit 69e4747ee9727d660b88d7e1efe0f4afcb35db1b upstream.

Since commit 080d676de095 ("aio: allocate kiocbs in batches") iocbs are
allocated in a batch during processing of first iocbs.  All iocbs in a
batch are automatically added to ctx->active_reqs list and accounted in

If one (not the last one) of iocbs submitted by an user fails, further
iocbs are not processed, but they are still present in ctx->active_reqs
and accounted in ctx->reqs_active.  This causes process to stuck in a D
state in wait_for_all_aios() on exit since ctx->reqs_active will never
go down to zero.  Furthermore since kiocb_batch_free() frees iocb
without removing it from active_reqs list the list become corrupted
which may cause oops.

Fix this by removing iocb from ctx->active_reqs and updating
ctx->reqs_active in kiocb_batch_free().

Signed-off-by: Gleb Natapov <>
Reviewed-by: Jeff Moyer <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoV4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
Dan Carpenter [Thu, 5 Jan 2012 05:27:57 +0000 (02:27 -0300)]
V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()

commit 6c06108be53ca5e94d8b0e93883d534dd9079646 upstream.

If ctrls->count is too high the multiplication could overflow and
array_size would be lower than expected.  Mauro and Hans Verkuil
suggested that we cap it at 1024.  That comes from the maximum
number of controls with lots of room for expantion.

$ grep V4L2_CID include/linux/videodev2.h | wc -l

Signed-off-by: Dan Carpenter <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agommc: sd: Fix SDR12 timing regression
Alexander Elbs [Wed, 4 Jan 2012 04:26:53 +0000 (23:26 -0500)]
mmc: sd: Fix SDR12 timing regression

commit dd8df17fe83483d7ea06ff229895e35a42071599 upstream.

This patch fixes a failure to recognize SD cards reported on a Dell
Vostro with O2 Micro SD card reader.  Patch 49c468f ("mmc: sd: add
support for uhs bus speed mode selection") caused the problem, by
setting the SDHCI_CTRL_HISPD flag even for legacy timings.

Signed-off-by: Alexander Elbs <>
Acked-by: Philip Rakity <>
Acked-by: Arindam Nath <>
Signed-off-by: Chris Ball <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agommc: sdhci: Fix tuning timer incorrect setting when suspending host
Aaron Lu [Wed, 28 Dec 2011 03:11:12 +0000 (11:11 +0800)]
mmc: sdhci: Fix tuning timer incorrect setting when suspending host

commit c6ced0db08010ed75df221a2946c5228454b38d5 upstream.

When suspending host, the tuning timer shoule be deactivated.
And the HOST_NEEDS_TUNING flag should be set after tuning timer is

Signed-off-by: Philip Rakity <>
Signed-off-by: Aaron Lu <>
Acked-by: Adrian Hunter <>
Signed-off-by: Chris Ball <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agommc: core: Fix voltage select in DDR mode
Girish K S [Thu, 15 Dec 2011 11:57:42 +0000 (17:27 +0530)]
mmc: core: Fix voltage select in DDR mode

commit 913047e9e5787a90696533a9f109552b7694ecc9 upstream.

This patch fixes the wrong comparison before setting the interface
voltage in DDR mode.

The assignment to the variable ddr before comaprison is either
ddr = MMC_1_2V_DDR_MODE; or ddr == MMC_1_8V_DDR_MODE. But the comparison
is done with the extended csd value if ddr == EXT_CSD_CARD_TYPE_DDR_1_2V.

Signed-off-by: Girish K S <>
Acked-by: Subhash Jadavani <>
Acked-by: Philip Rakity <>
Signed-off-by: Chris Ball <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoi2c: Fix error value returned by several bus drivers
Jean Delvare [Thu, 12 Jan 2012 19:32:03 +0000 (20:32 +0100)]
i2c: Fix error value returned by several bus drivers

commit 7c1f59c9d5caf3a84f35549b5d58f3c055a68da5 upstream.

When adding checks for ACPI resource conflicts to many bus drivers,
not enough attention was paid to the error paths, and for several
drivers this causes 0 to be returned on error in some cases. Fix this
by properly returning a non-zero value on every error.

Signed-off-by: Jean Delvare <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoUBIFS: make debugging messages light again
Artem Bityutskiy [Wed, 11 Jan 2012 13:13:27 +0000 (15:13 +0200)]
UBIFS: make debugging messages light again

commit 1f5d78dc4823a85f112aaa2d0f17624f8c2a6c52 upstream.

We switch to dynamic debugging in commit
56e46742e846e4de167dde0e1e1071ace1c882a5 but did not take into account that
now we do not control anymore whether a specific message is enabled or not.
So now we lock the "dbg_lock" and release it in every debugging macro, which
make them not so light-weight.

This commit removes the "dbg_lock" protection from the debugging macros to
fix the issue.

The downside is that now our DBGKEY() stuff is broken, but this is not
critical at all and will be fixed later.

Signed-off-by: Artem Bityutskiy <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoUBIFS: fix debugging messages
Artem Bityutskiy [Tue, 10 Jan 2012 17:32:30 +0000 (19:32 +0200)]
UBIFS: fix debugging messages

commit d34315da9146253351146140ea4b277193ee5e5f upstream.

Patch 56e46742e846e4de167dde0e1e1071ace1c882a5 broke UBIFS debugging messages:
before that commit when UBIFS debugging was enabled, users saw few useful
debugging messages after mount. However, that patch turned 'dbg_msg()' into
'pr_debug()', so to enable the debugging messages users have to enable them
first via /sys/kernel/debug/dynamic_debug/control, which is very impractical.

This commit makes 'dbg_msg()' to use 'printk()' instead of 'pr_debug()', just
as it was before the breakage.

Signed-off-by: Artem Bityutskiy <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoUBI: make vid_hdr non-static
Richard Weinberger [Thu, 22 Dec 2011 15:12:57 +0000 (16:12 +0100)]
UBI: make vid_hdr non-static

commit 6bdccffe8c4268d02f71873102131fb6ed37ed9a upstream.

Remove 'static' modifier from the 'vid_hdr' local variable. I do not know
how it slipped in, but this is a bug and will break UBI if someone attaches
2 UBI volumes at the same time.

Artem: amended teh commit message, added -stable.

Signed-off-by: Richard Weinberger <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoUBI: fix debugging messages
Artem Bityutskiy [Tue, 10 Jan 2012 17:32:30 +0000 (19:32 +0200)]
UBI: fix debugging messages

commit 72f0d453d81d35087b1d3ad7c8285628c2be6e1d upstream.

Patch ab50ff684707031ed4bad2fdd313208ae392e5bb broke UBI debugging messages:
before that commit when UBI debugging was enabled, users saw few useful
debugging messages after attaching an MTD device. However, that patch turned
'dbg_msg()' into 'pr_debug()', so to enable the debugging messages users have
to enable them first via /sys/kernel/debug/dynamic_debug/control, which is
very impractical.

This commit makes 'dbg_msg()' to use 'printk()' instead of 'pr_debug()', just
as it was before the breakage.

Signed-off-by: Artem Bityutskiy <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoUBI: fix nameless volumes handling
Richard Weinberger [Fri, 13 Jan 2012 14:07:40 +0000 (15:07 +0100)]
UBI: fix nameless volumes handling

commit 4a59c797a18917a5cf3ff7ade296b46134d91e6a upstream.

Currently it's possible to create a volume without a name. E.g:
ubimkvol -n 32 -s 2MiB -t static /dev/ubi0 -N ""

After that vtbl_check() will always fail because it does not permit
empty strings.

Signed-off-by: Richard Weinberger <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agox86: Fix mmap random address range
Ludwig Nussel [Tue, 15 Nov 2011 22:46:46 +0000 (14:46 -0800)]
x86: Fix mmap random address range

commit 9af0c7a6fa860698d080481f24a342ba74b68982 upstream.

On x86_32 casting the unsigned int result of get_random_int() to
long may result in a negative value.  On x86_32 the range of
mmap_rnd() therefore was -255 to 255.  The 32bit mode on x86_64
used 0 to 255 as intended.

The bug was introduced by 675a081 ("x86: unify mmap_{32|64}.c")
in January 2008.

Signed-off-by: Ludwig Nussel <>
Cc: Linus Torvalds <>
Cc: "H. Peter Anvin" <>
Cc: Harvey Harrison <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agomemcg: add mem_cgroup_replace_page_cache() to fix LRU issue
KAMEZAWA Hiroyuki [Fri, 13 Jan 2012 01:17:44 +0000 (17:17 -0800)]
memcg: add mem_cgroup_replace_page_cache() to fix LRU issue

commit ab936cbcd02072a34b60d268f94440fd5cf1970b upstream.

Commit ef6a3c6311 ("mm: add replace_page_cache_page() function") added a
function replace_page_cache_page().  This function replaces a page in the
radix-tree with a new page.  WHen doing this, memory cgroup needs to fix
up the accounting information.  memcg need to check PCG_USED bit etc.

In some(many?) cases, 'newpage' is on LRU before calling
replace_page_cache().  So, memcg's LRU accounting information should be
fixed, too.

This patch adds mem_cgroup_replace_page_cache() and removes the old hooks.
 In that function, old pages will be unaccounted without touching
res_counter and new page will be accounted to the memcg (of old page).
WHen overwriting pc->mem_cgroup of newpage, take zone->lru_lock and avoid
races with LRU handling.

  replace_page_cache_page() is called by FUSE code in its splice() handling.
  Here, 'newpage' is replacing oldpage but this newpage is not a newly allocated
  page and may be on LRU. LRU mis-accounting will be critical for memory cgroup
  because rmdir() checks the whole LRU is empty and there is no account leak.
  If a page is on the other LRU than it should be, rmdir() will fail.

This bug was added in March 2011, but no bug report yet.  I guess there
are not many people who use memcg and FUSE at the same time with upstream

The result of this bug is that admin cannot destroy a memcg because of
account leak.  So, no panic, no deadlock.  And, even if an active cgroup
exist, umount can succseed.  So no problem at shutdown.

Signed-off-by: KAMEZAWA Hiroyuki <>
Acked-by: Johannes Weiner <>
Acked-by: Michal Hocko <>
Cc: Miklos Szeredi <>
Cc: Hugh Dickins <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoath9k: Fix regression in channelwidth switch at the same channel
Rajkumar Manoharan [Mon, 9 Jan 2012 10:07:53 +0000 (15:37 +0530)]
ath9k: Fix regression in channelwidth switch at the same channel

commit 1a19f77f3642b8194ad9cf55548cc5d92e841766 upstream.

The commit "ath9k: Fix invalid noisefloor reading due to channel update"
preserves the current channel noisefloor readings before updating
channel type at the same channel index. It is also updating the curchan
pointer. As survey updation is also referring curchan pointer to fetch
the appropriate index, which might leads to invalid memory access. This
patch partially reverts the change and stores the noise floor history
buffer before updating channel type w/o updating curchan.

Cc: Gary Morain <>
Cc: Paul Stewart <>
Reported-by: Mohammed Shafi Shajakhan <>
Signed-off-by: Rajkumar Manoharan <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agomac80211: fix rx->key NULL pointer dereference in promiscuous mode
Stanislaw Gruszka [Wed, 11 Jan 2012 08:26:54 +0000 (09:26 +0100)]
mac80211: fix rx->key NULL pointer dereference in promiscuous mode

commit 1140afa862842ac3e56678693050760edc4ecde9 upstream.


commit 816c04fe7ef01dd9649f5ccfe796474db8708be5
Author: Christian Lamparter <>
Date:   Sat Apr 30 15:24:30 2011 +0200

    mac80211: consolidate MIC failure report handling

is possible to that we dereference rx->key == NULL when driver set
promiscuous mode. This happen with rt73usb and rt61pci at least.

Before the commit we always check rx->key against NULL, so I assume
fix should be done in mac80211 (also mic_fail path has similar check).


Reported-by: Stuart D Gathman <>
Reported-by: Kai Wohlfahrt <>
Signed-off-by: Stanislaw Gruszka <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agortl8192se: Fix BUG caused by failure to check skb allocation
Larry Finger [Thu, 5 Jan 2012 02:50:47 +0000 (20:50 -0600)]
rtl8192se: Fix BUG caused by failure to check skb allocation

commit d90db4b12bc1b9b8a787ef28550fdb767ee25a49 upstream.

When downloading firmware into the device, the driver fails to check the
return when allocating an skb. When the allocation fails, a BUG can be
generated, as seen in

Signed-off-by: Larry Finger <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoinclude/linux/crash_dump.h needs elf.h
Fabio Estevam [Fri, 13 Jan 2012 01:20:20 +0000 (17:20 -0800)]
include/linux/crash_dump.h needs elf.h

commit 1f536b9e9f85456df93614b3c2f6a1a2b7d7cb9b upstream.

Building an ARM target we get the following warnings:

  CC      arch/arm/kernel/setup.o
  In file included from arch/arm/kernel/setup.c:39:
  arch/arm/include/asm/elf.h:102:1: warning: "vmcore_elf64_check_arch" redefined
  In file included from arch/arm/kernel/setup.c:24:
  include/linux/crash_dump.h:30:1: warning: this is the location of the previous definition

Quoting Russell King:

"linux/crash_dump.h makes no attempt to include asm/elf.h, but it depends
on stuff in asm/elf.h to determine how stuff inside this file is defined
at parse time.

So, if asm/elf.h is included after linux/crash_dump.h or not at all, you
get a different result from the situation where asm/elf.h is included

So add elf.h header to crash_dump.h to avoid this problem.

The original discussion about this can be found at:

Signed-off-by: Fabio Estevam <>
Cc: Russell King <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoasix: fix setting custom MAC address on Asix 88772 devices
Jussi Kivilinna [Tue, 10 Jan 2012 06:40:17 +0000 (06:40 +0000)]
asix: fix setting custom MAC address on Asix 88772 devices

commit 8ef66bdc4bda6aac2dae73b84d79dc8c2db33637 upstream.

In kernel v3.2 initialization sequence for Asix 88772 devices was changed so
that hardware is reseted on every time interface is brought up (ifconfig up),
instead just at USB probe time. This causes problem with setting custom MAC
address to device as ax88772_reset causes reload of MAC address from EEPROM.

This patch fixes the issue by rewriting MAC address at end of ax88772_reset.

Signed-off-by: Jussi Kivilinna <>
Acked-by: Grant Grundler <>
Cc: Allan Chou <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoasix: fix setting custom MAC address on Asix 88178 devices
Jussi Kivilinna [Tue, 10 Jan 2012 06:40:23 +0000 (06:40 +0000)]
asix: fix setting custom MAC address on Asix 88178 devices

commit 71bc5d94061516c4e70303570128797bcf768b10 upstream.

In kernel v3.2 initialization sequence for Asix 88178 devices was changed so
that hardware is reseted on every time interface is brought up (ifconfig up),
instead just at USB probe time. This causes problem with setting custom MAC
address to device as ax88178_reset causes reload of MAC address from EEPROM.

This patch fixes the issue by rewriting MAC address at end of ax88178_reset.

Signed-off-by: Jussi Kivilinna <>
Acked-by: Grant Grundler <>
Cc: Allan Chou <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoPNP: work around Dell 1536/1546 BIOS MMCONFIG bug that breaks USB
Bjorn Helgaas [Thu, 5 Jan 2012 21:27:24 +0000 (14:27 -0700)]
PNP: work around Dell 1536/1546 BIOS MMCONFIG bug that breaks USB

commit eb31aae8cb5eb54e234ed2d857ddac868195d911 upstream.

Some Dell BIOSes have MCFG tables that don't report the entire
MMCONFIG area claimed by the chipset.  If we move PCI devices into
that claimed-but-unreported area, they don't work.

This quirk reads the AMD MMCONFIG MSRs and adds PNP0C01 resources as
needed to cover the entire area.

Example problem scenario:

  BIOS-e820: 00000000cfec5400 - 00000000d4000000 (reserved)
  Fam 10h mmconf [d0000000dfffffff]
  PCI: MMCONFIG for domain 0000 [bus 00-3f] at [mem 0xd0000000-0xd3ffffff] (base 0xd0000000)
  pnp 00:0c: [mem 0xd0000000-0xd3ffffff]
  pci 0000:00:12.0: reg 10: [mem 0xffb00000-0xffb00fff]
  pci 0000:00:12.0: no compatible bridge window for [mem 0xffb00000-0xffb00fff]
  pci 0000:00:12.0: BAR 0: assigned [mem 0xd4000000-0xd40000ff]

Reported-by: Lisa Salimbas <>
Reported-by: <>
Tested-by: dann frazier <>
Signed-off-by: Bjorn Helgaas <>
Signed-off-by: Jesse Barnes <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoslub: fix a possible memleak in __slab_alloc()
Eric Dumazet [Tue, 13 Dec 2011 03:57:06 +0000 (04:57 +0100)]
slub: fix a possible memleak in __slab_alloc()

commit 73736e0387ba0e6d2b703407b4d26168d31516a7 upstream.

Zhihua Che reported a possible memleak in slub allocator on

It is possible current thread migrates right before disabling irqs in
__slab_alloc(). We must check again c->freelist, and perform a normal
allocation instead of scratching c->freelist.

Many thanks to Zhihua Che for spotting this bug, introduced in 2.6.39

V2: Its also possible an IRQ freed one (or several) object(s) and
populated c->freelist, so its not a CONFIG_PREEMPT only problem.

Reported-by: Zhihua Che <>
Signed-off-by: Eric Dumazet <>
Acked-by: Christoph Lameter <>
Signed-off-by: Pekka Enberg <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoima: fix invalid memory reference
Roberto Sassu [Mon, 19 Dec 2011 14:57:28 +0000 (15:57 +0100)]
ima: fix invalid memory reference

commit 7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da upstream.

Don't free a valid measurement entry on TPM PCR extend failure.

Signed-off-by: Roberto Sassu <>
Signed-off-by: Mimi Zohar <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoima: free duplicate measurement memory
Roberto Sassu [Mon, 19 Dec 2011 14:57:27 +0000 (15:57 +0100)]
ima: free duplicate measurement memory

commit 45fae7493970d7c45626ccd96d4a74f5f1eea5a9 upstream.

Info about new measurements are cached in the iint for performance.  When
the inode is flushed from cache, the associated iint is flushed as well.
Subsequent access to the inode will cause the inode to be re-measured and
will attempt to add a duplicate entry to the measurement list.

This patch frees the duplicate measurement memory, fixing a memory leak.

Signed-off-by: Roberto Sassu <>
Signed-off-by: Mimi Zohar <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agomd/raid1: perform bad-block tests for WriteMostly devices too.
NeilBrown [Sun, 8 Jan 2012 14:41:51 +0000 (01:41 +1100)]
md/raid1: perform bad-block tests for WriteMostly devices too.

commit 307729c8bc5b5a41361af8af95906eee7552acb1 upstream.

We normally try to avoid reading from write-mostly devices, but when
we do we really have to check for bad blocks and be sure not to
try reading them.

With the current code, best_good_sectors might not get set and that
causes zero-length read requests to be send down which is very

This bug was introduced in commit d2eb35acfdccbe2 and so the patch
is suitable for 3.1.x and 3.2.x

Reported-and-tested-by: Michał Mirosław <>
Reported-and-tested-by: Art -kwaak- van Breemen <>
Signed-off-by: NeilBrown <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoxen/xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX.
Ian Campbell [Wed, 4 Jan 2012 09:34:49 +0000 (09:34 +0000)]
xen/xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX.

commit 9e7860cee18241633eddb36a4c34c7b61d8cecbc upstream.

Haogang Chen found out that:

 There is a potential integer overflow in process_msg() that could result
 in cross-domain attack.

  body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);

 When a malicious guest passes 0xffffffff in msg->hdr.len, the subsequent
 call to xb_read() would write to a zero-length buffer.

 The other end of this connection is always the xenstore backend daemon
 so there is no guest (malicious or otherwise) which can do this. The
 xenstore daemon is a trusted component in the system.

 However this seem like a reasonable robustness improvement so we should
 have it.

And Ian when read the API docs found that:
        The payload length (len field of the header) is limited to 4096
        (XENSTORE_PAYLOAD_MAX) in both directions.  If a client exceeds the
        limit, its xenstored connection will be immediately killed by
        xenstored, which is usually catastrophic from the client's point of
        view.  Clients (particularly domains, which cannot just reconnect)
        should avoid this.

so this patch checks against that instead.

This also avoids a potential integer overflow pointed out by Haogang Chen.

Signed-off-by: Ian Campbell <>
Cc: Haogang Chen <>
Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoSCSI: mpt2sas : Fix for memory allocation error for large host credits [Thu, 1 Dec 2011 02:23:08 +0000 (07:53 +0530)]
SCSI: mpt2sas : Fix for memory allocation error for large host credits

commit aff132d95ffe14eca96cab90597cdd010b457af7 upstream.

The amount of memory required for tracking chain buffers is rather
large, and when the host credit count is big, memory allocation
failure occurs inside __get_free_pages.

The fix is to limit the number of chains to 100,000.  In addition,
the number of host credits is limited to 30,000 IOs. However this
limitation can be overridden this using the command line option
max_queue_depth.  The algorithm for calculating the
reply_post_queue_depth is changed so that it is equal to
(reply_free_queue_depth + 16), previously it was (reply_free_queue_depth * 2).

Signed-off-by: Nagalakshmi Nandigama <>
Signed-off-by: James Bottomley <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoSCSI: mpt2sas: Release spinlock for the raid device list before blocking it [Thu, 1 Dec 2011 02:22:56 +0000 (07:52 +0530)]
SCSI: mpt2sas: Release spinlock for the raid device list before blocking it

commit 30c43282f3d347f47f9e05199d2b14f56f3f2837 upstream.

Added code to release the spinlock that is used to protect the
raid device list before calling a function that can block. The
blocking was causing a reschedule, and subsequently it is tried
to acquire the same lock, resulting in a panic (NMI Watchdog
detecting a CPU lockup).

Signed-off-by: Nagalakshmi Nandigama <>
Signed-off-by: James Bottomley <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agox86/PCI: build amd_bus.o only when CONFIG_AMD_NB=y
Bjorn Helgaas [Thu, 12 Jan 2012 15:01:40 +0000 (08:01 -0700)]
x86/PCI: build amd_bus.o only when CONFIG_AMD_NB=y

commit 5cf9a4e69c1ff0ccdd1d2b7404f95c0531355274 upstream.

We only need amd_bus.o for AMD systems with PCI.  arch/x86/pci/Makefile
already depends on CONFIG_PCI=y, so this patch just adds the dependency

Cc: Yinghai Lu <>
Signed-off-by: Bjorn Helgaas <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agox86/PCI: amd: factor out MMCONFIG discovery
Bjorn Helgaas [Thu, 5 Jan 2012 21:27:19 +0000 (14:27 -0700)]
x86/PCI: amd: factor out MMCONFIG discovery

commit 24d25dbfa63c376323096660bfa9ad45a08870ce upstream.

This factors out the AMD native MMCONFIG discovery so we can use it
outside amd_bus.c.

amd_bus.c reads AMD MSRs so it can remove the MMCONFIG area from the
PCI resources.  We may also need the MMCONFIG information to work
around BIOS defects in the ACPI MCFG table.

Cc: Borislav Petkov <>
Cc: Yinghai Lu <>
Signed-off-by: Bjorn Helgaas <>
Signed-off-by: Jesse Barnes <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agox86/PCI: Ignore CPU non-addressable _CRS reserved memory resources
Gary Hade [Mon, 14 Nov 2011 23:42:16 +0000 (15:42 -0800)]
x86/PCI: Ignore CPU non-addressable _CRS reserved memory resources

commit ae5cd86455381282ece162966183d3f208c6fad7 upstream.

This assures that a _CRS reserved host bridge window or window region is
not used if it is not addressable by the CPU.  The new code either trims
the window to exclude the non-addressable portion or totally ignores the
window if the entire window is non-addressable.

The current code has been shown to be problematic with 32-bit non-PAE
kernels on systems where _CRS reserves resources above 4GB.

Signed-off-by: Gary Hade <>
Reviewed-by: Bjorn Helgaas <>
Cc: Thomas Renninger <>
Signed-off-by: Jesse Barnes <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoPCI: msi: Disable msi interrupts when we initialize a pci device
Eric W. Biederman [Mon, 17 Oct 2011 18:46:06 +0000 (11:46 -0700)]
PCI: msi: Disable msi interrupts when we initialize a pci device

commit a776c491ca5e38c26d9f66923ff574d041e747f4 upstream.

I traced a nasty kexec on panic boot failure to the fact that we had
screaming msi interrupts and we were not disabling the msi messages at
kernel startup.  The booting kernel had not enabled those interupts so
was not prepared to handle them.

I can see no reason why we would ever want to leave the msi interrupts
enabled at boot if something else has enabled those interrupts.  The pci
spec specifies that msi interrupts should be off by default.  Drivers
are expected to enable the msi interrupts if they want to use them.  Our
interrupt handling code reprograms the interrupt handlers at boot and
will not be be able to do anything useful with an unexpected interrupt.

This patch applies cleanly all of the way back to 2.6.32 where I noticed
the problem.

Signed-off-by: Eric W. Biederman <>
Signed-off-by: Jesse Barnes <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoPCI: Fix PCI_EXP_TYPE_RC_EC value
Alex Williamson [Wed, 16 Nov 2011 16:24:16 +0000 (09:24 -0700)]

commit 1830ea91c20b06608f7cdb2455ce05ba834b3214 upstream.

Spec shows this as 1010b = 0xa

Signed-off-by: Alex Williamson <>
Signed-off-by: Jesse Barnes <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoUBI: fix use-after-free on error path
Artem Bityutskiy [Thu, 5 Jan 2012 08:47:18 +0000 (10:47 +0200)]
UBI: fix use-after-free on error path

commit e57e0d8e818512047fe379157c3f77f1b9fabffb upstream.

When we fail to erase a PEB, we free the corresponding erase entry object,
but then re-schedule this object if the error code was something like -EAGAIN.
Obviously, it is a bug to use the object after we have freed it.

Reported-by: Emese Revfy <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoUBI: fix missing scrub when there is a bit-flip
Bhavesh Parekh [Wed, 30 Nov 2011 12:13:42 +0000 (17:43 +0530)]
UBI: fix missing scrub when there is a bit-flip

commit e801e128b2200c40a0ec236cf2330b2586b6e05a upstream.

Under some cases, when scrubbing the PEB if we did not get the lock on
the PEB it fails to scrub. Add that PEB again to the scrub list

Artem: minor amendments.

Signed-off-by: Bhavesh Parekh <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoHID: wiimote: Select INPUT_FF_MEMLESS
David Herrmann [Wed, 7 Dec 2011 20:33:59 +0000 (21:33 +0100)]
HID: wiimote: Select INPUT_FF_MEMLESS

commit ef6f41157f3864d9bf42671b2ed66062dcafb72e upstream.

We depend on memless force-feedback support, therefore correctly select the
related config options.

Reported-by: Randy Dunlap <>
Signed-off-by: David Herrmann <>
Signed-off-by: Jiri Kosina <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoHID: bump maximum global item tag report size to 96 bytes
Chase Douglas [Mon, 7 Nov 2011 19:08:05 +0000 (11:08 -0800)]
HID: bump maximum global item tag report size to 96 bytes

commit e46e927b9b7e8d95526e69322855243882b7e1a3 upstream.

This allows the latest N-Trig devices to function properly.

Signed-off-by: Chase Douglas <>
Signed-off-by: Jiri Kosina <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agonfs: fix regression in handling of context= option in NFSv4
Jeff Layton [Tue, 20 Dec 2011 11:57:45 +0000 (06:57 -0500)]
nfs: fix regression in handling of context= option in NFSv4

commit 8a0d551a59ac92d8ff048d6cb29d3a02073e81e8 upstream.

Setting the security context of a NFSv4 mount via the context= mount
option is currently broken. The NFSv4 codepath allocates a parsed
options struct, and then parses the mount options to fill it. It
eventually calls nfs4_remote_mount which calls security_init_mnt_opts.
That clobbers the lsm_opts struct that was populated earlier. This bug
also looks like it causes a small memory leak on each v4 mount where
context= is used.

Fix this by moving the initialization of the lsm_opts into
nfs_alloc_parsed_mount_data. Also, add a destructor for
nfs_parsed_mount_data to make it easier to free all of the allocations
hanging off of it, and to ensure that the security_free_mnt_opts is
called whenever security_init_mnt_opts is.

I believe this regression was introduced quite some time ago, probably
by commit c02d7adf.

Signed-off-by: Jeff Layton <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoNFSv4: include bitmap in nfsv4 get acl data
Andy Adamson [Wed, 7 Dec 2011 16:55:27 +0000 (11:55 -0500)]
NFSv4: include bitmap in nfsv4 get acl data

commit bf118a342f10dafe44b14451a1392c3254629a1f upstream.

The NFSv4 bitmap size is unbounded: a server can return an arbitrary
sized bitmap in an FATTR4_WORD0_ACL request.  Replace using the
nfs4_fattr_bitmap_maxsz as a guess to the maximum bitmask returned by a server
with the inclusion of the bitmap (xdr length plus bitmasks) and the acl data
xdr length to the (cached) acl page data.

This is a general solution to commit e5012d1f "NFSv4.1: update
nfs4_fattr_bitmap_maxsz" and fixes hitting a BUG_ON in xdr_shrink_bufhead
when getting ACLs.

Fix a bug in decode_getacl that returned -EINVAL on ACLs > page when getxattr
was called with a NULL buffer, preventing ACL > PAGE_SIZE from being retrieved.

Signed-off-by: Andy Adamson <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoNFS - fix recent breakage to NFS error handling.
NeilBrown [Wed, 16 Nov 2011 00:46:31 +0000 (11:46 +1100)]
NFS - fix recent breakage to NFS error handling.

commit 2edb6bc3852c681c0d948245bd55108dc6407604 upstream.

From c6d615d2b97fe305cbf123a8751ced859dca1d5e Mon Sep 17 00:00:00 2001
From: NeilBrown <>
Date: Wed, 16 Nov 2011 09:39:05 +1100
Subject: NFS - fix recent breakage to NFS error handling.

commit 02c24a82187d5a628c68edfe71ae60dc135cd178 made a small and
presumably unintended change to write error handling in NFS.

Previously an error from filemap_write_and_wait_range would only be of
interest if nfs_file_fsync did not return an error.  After this commit,
an error from filemap_write_and_wait_range would mean that (the rest of)
nfs_file_fsync would not even be called.

This means that:
 1/ you are more likely to see EIO than e.g. EDQUOT or ENOSPC.
 2/ NFS_CONTEXT_ERROR_WRITE remains set for longer so more writes are

This patch restores previous behaviour.

Cc: Josef Bacik <>
Cc: Jan Kara <>
Cc: Al Viro <>
Signed-off-by: NeilBrown <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoNFSv4.1: fix backchannel slotid off-by-one bug
Andy Adamson [Wed, 9 Nov 2011 18:58:20 +0000 (13:58 -0500)]
NFSv4.1: fix backchannel slotid off-by-one bug

commit 61f2e5106582d02f30b6807e3f9c07463c572ccb upstream.

Signed-off-by: Andy Adamson <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoNFS: Retry mounting NFSROOT
Chuck Lever [Mon, 5 Dec 2011 20:40:30 +0000 (15:40 -0500)]
NFS: Retry mounting NFSROOT

commit 43717c7daebf10b43f12e68512484b3095bb1ba5 upstream.

Lukas Razik <> reports that on his SPARC system,
booting with an NFS root file system stopped working after commit
56463e50 "NFS: Use super.c for NFSROOT mount option parsing."

We found that the network switch to which Lukas' client was attached
was delaying access to the LAN after the client's NIC driver reported
that its link was up.  The delay was longer than the timeouts used in
the NFS client during mounting.

NFSROOT worked for Lukas before commit 56463e50 because in those
kernels, the client's first operation was an rpcbind request to
determine which port the NFS server was listening on.  When that
request failed after a long timeout, the client simply selected the
default NFS port (2049).  By that time the switch was allowing access
to the LAN, and the mount succeeded.

Neither of these client behaviors is desirable, so reverting 56463e50
is really not a choice.  Instead, introduce a mechanism that retries
the NFSROOT mount request several times.  This is the same tactic that
normal user space NFS mounts employ to overcome server and network

Signed-off-by: Lukas Razik <>
[ cel: match kernel coding style, add proper patch description ]
[ cel: add exponential back-off ]
Signed-off-by: Chuck Lever <>
Tested-by: Lukas Razik <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agopnfs-obj: Must return layout on IO error
Boaz Harrosh [Fri, 6 Jan 2012 07:31:20 +0000 (09:31 +0200)]
pnfs-obj: Must return layout on IO error

commit fe0fe83585f88346557868a803a479dfaaa0688a upstream.

As mandated by the standard. In case of an IO error, a pNFS
objects layout driver must return it's layout. This is because
all device errors are reported to the server as part of the
layout return buffer.

This is implemented the same way PNFS_LAYOUTRET_ON_SETATTR
is done, through a bit flag on the pnfs_layoutdriver_type->flags
member. The flag is set by the layout driver that wants a
layout_return preformed at pnfs_ld_{write,read}_done in case
of an error.
(Though I have not defined a wrapper like pnfs_ld_layoutret_on_setattr
 because this code is never called outside of pnfs.c and pnfs IO

Without this patch 3.[0-2] Kernels leak memory and have an annoying
WARN_ON after every IO error utilizing the pnfs-obj driver.

Signed-off-by: Boaz Harrosh <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agopnfs-obj: pNFS errors are communicated on iodata->pnfs_error
Boaz Harrosh [Fri, 6 Jan 2012 07:28:12 +0000 (09:28 +0200)]
pnfs-obj: pNFS errors are communicated on iodata->pnfs_error

commit 5c0b4129c07b902b27d3f3ebc087757f534a3abd upstream.

Some time along the way pNFS IO errors were switched to
communicate with a special iodata->pnfs_error member instead
of the regular RPC members. But objlayout was not switched

Fix that!
Without this fix any IO error is hanged, because IO is not
switched to MDS and pages are never cleared or read.

[Applies to 3.2.0. Same bug different patch for 3.1/0 Kernels]
Signed-off-by: Boaz Harrosh <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoradeon: Fix disabling PCI bus mastering on big endian hosts.
Michel Dänzer [Thu, 5 Jan 2012 17:42:17 +0000 (18:42 +0100)]
radeon: Fix disabling PCI bus mastering on big endian hosts.

commit 3df96909b75835d487a9178761622b0cbd7310d4 upstream.

It would previously write basically random bits to PCI configuration space...
Not very surprising that the GPU tended to stop responding completely. The
resulting MCE even froze the whole machine sometimes.

Now resetting the GPU after a lockup has at least a fighting chance of

Signed-off-by: Michel Dänzer <>
Reviewed-by: Alex Deucher <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agodrm/radeon/kms: disable writeback on pre-R300 asics
Alex Deucher [Tue, 3 Jan 2012 14:48:38 +0000 (09:48 -0500)]
drm/radeon/kms: disable writeback on pre-R300 asics

commit 28eebb703e28bc455ba704adb1026f76649b768c upstream.

We often end up missing fences on older asics with
writeback enabled which leads to delays in the userspace
accel code, so just disable it by default on those asics.

Reported-by: Helge Deller <>
Reported-by: Dave Airlie <>
Signed-off-by: Alex Deucher <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agodrm/radeon/kms: workaround invalid AVI infoframe checksum issue
Rafał Miłecki [Fri, 23 Dec 2011 19:32:18 +0000 (20:32 +0100)]
drm/radeon/kms: workaround invalid AVI infoframe checksum issue

commit 92db7f6c860b8190571a9dc1fcbc16d003422fe8 upstream.

This change was verified to fix both issues with no video I've
investigated. I've also checked checksum calculation with fglrx on:
RV620, HD54xx, HD5450, HD6310, HD6320.

Signed-off-by: Rafał Miłecki <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoALSA: hda - Fix the lost power-setup of seconary pins after PM resume
Takashi Iwai [Wed, 11 Jan 2012 11:34:11 +0000 (12:34 +0100)]
ALSA: hda - Fix the lost power-setup of seconary pins after PM resume

commit f2cbba7602383cd9cdd21f0a5d0b8bd1aad47b33 upstream.

When multiple headphone or other detectable output pins are present,
the power-map has to be updated after resume appropriately, but the
current driver doesn't check all pins but only the first pin (since
it's enough to check it for the mute-behavior).  This resulted in the
silent output from the secondary outputs after PM resume.

This patch fixes the problem by checking all pins at (re-)init time.


Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoALSA: hda - Fix the detection of "Loopback Mixing" control for VIA codecs
Takashi Iwai [Tue, 10 Jan 2012 14:16:02 +0000 (15:16 +0100)]
ALSA: hda - Fix the detection of "Loopback Mixing" control for VIA codecs

commit 4808d12d1dddb046ec86425e5f6766f02e950292 upstream.

Currently the driver checks only the out_mix_path[] for the primary
output route for judging whether to create the loopback-mixing control
or not.  But, there are cases where aamix-routing is available only on
headphone or speaker paths but not on the primary output path.  So, the
driver ignores such cases inappropriately.

This patch fixes the check of the loopback-mixing control by testing
all mix-routing paths.

Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoALSA: hda - Return the error from get_wcaps_type() for invalid NIDs
Takashi Iwai [Tue, 10 Jan 2012 11:41:22 +0000 (12:41 +0100)]
ALSA: hda - Return the error from get_wcaps_type() for invalid NIDs

commit 3a90274de3548ebb2aabfbf488cea8e275a73dc6 upstream.

When an invalid NID is given, get_wcaps() returns zero as the error,
but get_wcaps_type() takes it as the normal value and returns a bogus
AC_WID_AUD_OUT value.  This confuses the parser.

With this patch, get_wcaps_type() returns -1 when value 0 is given,
i.e. an invalid NID is passed to get_wcaps().


Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoALSA: hda - Use auto-parser for HP laptops with cx20459 codec
Takashi Iwai [Tue, 10 Jan 2012 07:59:56 +0000 (08:59 +0100)]
ALSA: hda - Use auto-parser for HP laptops with cx20459 codec

commit de4da59e480cdf1075b33dbaf8078fc87bc52241 upstream.

These laptops can work well with the auto-parser and their BIOS setups,
and in addition, the auto-parser fixes the problem with S3/S4 where
the unsol event handling is killed after resume due to fallback to the
single-cmd mode.


Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoALSA: usb-audio - Avoid flood of frame-active debug messages
Takashi Iwai [Mon, 9 Jan 2012 10:37:20 +0000 (11:37 +0100)]
ALSA: usb-audio - Avoid flood of frame-active debug messages

commit 80c8a2a372599e604b04a9c568952fe39cd1851d upstream.

With some buggy devices, the usb-audio driver may give "frame xxx active"
kernel messages too often.  Better to keep it as debug-only using
snd_printdd(), and also add the rate-limit for avoiding floods.


Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoALSA: ice1724 - Check for ac97 to avoid kernel oops
Pavel Hofman [Thu, 5 Jan 2012 22:05:18 +0000 (23:05 +0100)]
ALSA: ice1724 - Check for ac97 to avoid kernel oops

commit e7848163aa2a649d9065f230fadff80dc3519775 upstream.

Cards with identical PCI ids but no AC97 config in EEPROM do not have
the ac97 field initialized. We must check for this case to avoid kernel oops.

Signed-off-by: Pavel Hofman <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoALSA: HDA: Fix automute for Cirrus Logic 421x
David Henningsson [Mon, 2 Jan 2012 11:40:16 +0000 (12:40 +0100)]
ALSA: HDA: Fix automute for Cirrus Logic 421x

commit 78e2a928e377d5124932d4399c6c581908b027a0 upstream.

There was a bug in the automute logic causing speakers not to
mute when headphones were plugged in.

Tested-by: Hsin-Yi Chen <>
Signed-off-by: David Henningsson <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoALSA: HDA: Fix master control for Cirrus Logic 421X
David Henningsson [Mon, 2 Jan 2012 11:40:15 +0000 (12:40 +0100)]
ALSA: HDA: Fix master control for Cirrus Logic 421X

commit 40d03e63e91af8ddccdfd5a536cc2a6e51433e1d upstream.

The control name "HP/Speakers" is non-standard, and since there is
only one DAC on this chip there is no need for a virtual master

Signed-off-by: David Henningsson <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoALSA: snd-usb-us122l: Delete calls to preempt_disable
Karsten Wiese [Fri, 30 Dec 2011 00:42:01 +0000 (01:42 +0100)]
ALSA: snd-usb-us122l: Delete calls to preempt_disable

commit d0f3a2eb9062560bebca8b923424f3ca02a331ba upstream.

They are not needed here.

Signed-off-by: Karsten Wiese <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoext4: fix undefined behavior in ext4_fill_flex_info()
Xi Wang [Tue, 10 Jan 2012 16:51:10 +0000 (11:51 -0500)]
ext4: fix undefined behavior in ext4_fill_flex_info()

commit d50f2ab6f050311dbf7b8f5501b25f0bf64a439b upstream.

Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
zero when trying to mount a corrupted file system") fixes CVE-2009-4307
by performing a sanity check on s_log_groups_per_flex, since it can be
set to a bogus value by an attacker.

sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
groups_per_flex = 1 << sbi->s_log_groups_per_flex;

if (groups_per_flex < 2) { ... }

This patch fixes two potential issues in the previous commit.

1) The sanity check might only work on architectures like PowerPC.
On x86, 5 bits are used for the shifting amount.  That means, given a
large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
is essentially 1 << 4 = 16, rather than 0.  This will bypass the check,
leaving s_log_groups_per_flex and groups_per_flex inconsistent.

2) The sanity check relies on undefined behavior, i.e., oversized shift.
A standard-confirming C compiler could rewrite the check in unexpected
ways.  Consider the following equivalent form, assuming groups_per_flex
is unsigned for simplicity.

groups_per_flex = 1 << sbi->s_log_groups_per_flex;
if (groups_per_flex == 0 || groups_per_flex == 1) {

We compile the code snippet using Clang 3.0 and GCC 4.6.  Clang will
completely optimize away the check groups_per_flex == 0, leaving the
patched code as vulnerable as the original.  GCC keeps the check, but
there is no guarantee that future versions will do the same.

Signed-off-by: Xi Wang <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoext4: add missing ext4_resize_end on error paths
Djalal Harouni [Wed, 4 Jan 2012 22:09:52 +0000 (17:09 -0500)]
ext4: add missing ext4_resize_end on error paths

commit 014a1770371a028d22f364718c805f4216911ecd upstream.

Online resize ioctls 'EXT4_IOC_GROUP_EXTEND' and 'EXT4_IOC_GROUP_ADD'
call ext4_resize_begin() to check permissions and to set the
EXT4_RESIZING bit lock, they do their work and they must finish with
ext4_resize_end() which calls clear_bit_unlock() to unlock and to
avoid -EBUSY errors for the next resize operations.

This patch adds the missing ext4_resize_end() calls on error paths.

Patch tested.

Signed-off-by: Djalal Harouni <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agodrivers/rtc/interface.c: fix alarm rollover when day or month is out-of-range
Ben Hutchings [Tue, 10 Jan 2012 23:11:02 +0000 (15:11 -0800)]
drivers/rtc/interface.c: fix alarm rollover when day or month is out-of-range

commit e74a8f2edb92cb690b467cea0ab652c509e9f624 upstream.

Commit f44f7f96a20a ("RTC: Initialize kernel state from RTC") introduced a
potential infinite loop.  If an alarm time contains a wildcard month and
an invalid day (> 31), or a wildcard year and an invalid month (>= 12),
the loop searching for the next matching date will never terminate.  Treat
the invalid values as wildcards.

Fixes <>, <>

Reported-by: leo weppelman <>
Reported-by: "P. van Gaans" <>
Signed-off-by: Ben Hutchings <>
Signed-off-by: Jonathan Nieder <>
Cc: Mark Brown <>
Cc: Marcelo Roberto Jimenez <>
Cc: Thomas Gleixner <>
Cc: John Stultz <>
Acked-by: Alessandro Zummo <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agomtd: tests: stresstest: bail out if device has not enough eraseblocks
Wolfram Sang [Tue, 29 Nov 2011 14:34:08 +0000 (15:34 +0100)]
mtd: tests: stresstest: bail out if device has not enough eraseblocks

commit 2f4478ccff7df845dc9c0f8996a96373122c4417 upstream.

stresstest needs at least two eraseblocks. Bail out gracefully if that
condition is not met. Fixes the following 'division by zero' OOPS:

[  619.100000] mtd_stresstest: MTD device size 131072, eraseblock size 131072, page size 2048, count of eraseblocks 1, pages per eraseblock 64, OOB size 64
[  619.120000] mtd_stresstest: scanning for bad eraseblocks
[  619.120000] mtd_stresstest: scanned 1 eraseblocks, 0 are bad
[  619.130000] mtd_stresstest: doing operations
[  619.130000] mtd_stresstest: 0 operations done
[  619.140000] Division by zero in kernel.

caused by

        /* Read or write up 2 eraseblocks at a time - hence 'ebcnt - 1' */
        eb %= (ebcnt - 1);

Signed-off-by: Wolfram Sang <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: David Woodhouse <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agomtd: mtd_blkdevs: don't increase 'open' count on error path
Brian Norris [Mon, 7 Nov 2011 23:51:05 +0000 (15:51 -0800)]
mtd: mtd_blkdevs: don't increase 'open' count on error path

commit 342ff28f5a2e5aa3236617bd2bddf6c749677ef2 upstream.

Some error paths in mtd_blkdevs were fixed in the following commit:

    commit 94735ec4044a6d318b83ad3c5794e931ed168d10
    mtd: mtd_blkdevs: fix error path in blktrans_open

But on these error paths, the block device's `dev->open' count is
already incremented before we check for errors. This meant that, while
the error path was handled correctly on the first time through
blktrans_open(), the device is erroneously considered already open on
the second time through.

This problem can be seen, for instance, when a UBI volume is
simultaneously mounted as a UBIFS partition and read through its
corresponding gluebi mtdblockX device. This results in blktrans_open()
passing its error checks (with `dev->open > 0') without actually having
a handle on the device. Here's a summarized log of the actions and
results with nandsim:

    # modprobe nandsim
    # modprobe mtdblock
    # modprobe gluebi
    # modprobe ubifs
    # ubiattach /dev/ubi_ctrl -m 0
    # ubimkvol /dev/ubi0 -N test -s 16MiB
    # mount -t ubifs ubi0:test /mnt
    # ls /dev/mtdblock*
    /dev/mtdblock0  /dev/mtdblock1
    # cat /dev/mtdblock1 > /dev/null
    cat: can't open '/dev/mtdblock4': Device or resource busy
    # cat /dev/mtdblock1 > /dev/null

    CPU 0 Unable to handle kernel paging request at virtual address
    fffffff0, epc == 8031536c, ra == 8031f280
    Call Trace:
    [<8031536c>] ubi_leb_read+0x14/0x164
    [<8031f280>] gluebi_read+0xf0/0x148
    [<802edba8>] mtdblock_readsect+0x64/0x198
    [<802ecfe4>] mtd_blktrans_thread+0x330/0x3f4
    [<8005be98>] kthread+0x88/0x90
    [<8000bc04>] kernel_thread_helper+0x10/0x18

Signed-off-by: Brian Norris <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: David Woodhouse <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agomtd: mtdoops: skip reading initially bad blocks
Roman Tereshonkov [Fri, 2 Dec 2011 13:07:17 +0000 (15:07 +0200)]
mtd: mtdoops: skip reading initially bad blocks

commit 3538c56329936c78f7d356889908790006d0124c upstream.

Use block_isbad to check and skip the bad blocks reading.
This will allow to get rid of the read errors if bad blocks
are present initially.

Signed-off-by: Roman Tereshonkov <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: David Woodhouse <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agomtdoops: fix the oops_page_used array size
Roman Tereshonkov [Tue, 29 Nov 2011 10:49:18 +0000 (12:49 +0200)]
mtdoops: fix the oops_page_used array size

commit 556f063580db2953a7e53cd46b47724246320f60 upstream.

The array of unsigned long pointed by oops_page_used is allocated
by vmalloc which requires the size to be in bytes.

BITS_PER_LONG is equal to 32.
If we want to allocate memory for 32 pages with one bit per page then
32 / BITS_PER_LONG  is equal to 1 byte that is 8 bits.
To fix it we need to multiply the result by sizeof(unsigned long) equal to 4.

Signed-off-by: Roman Tereshonkov <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: David Woodhouse <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoLinux 3.2.1 v3.2.1
Greg Kroah-Hartman [Thu, 12 Jan 2012 19:42:45 +0000 (11:42 -0800)]
Linux 3.2.1

9 years agoxfs: fix acl count validation in xfs_acl_from_disk()
Xi Wang [Mon, 12 Dec 2011 21:55:52 +0000 (21:55 +0000)]
xfs: fix acl count validation in xfs_acl_from_disk()

commit 093019cf1b18dd31b2c3b77acce4e000e2cbc9ce upstream.

Commit fa8b18ed didn't prevent the integer overflow and possible
memory corruption.  "count" can go negative and bypass the check.

Signed-off-by: Xi Wang <>
Reviewed-by: Christoph Hellwig <>
Signed-off-by: Ben Myers <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agousb: cdc-acm: Fix acm_tty_hangup() vs. acm_tty_close() race
Thilo-Alexander Ginkel [Sat, 17 Dec 2011 09:55:10 +0000 (10:55 +0100)]
usb: cdc-acm: Fix acm_tty_hangup() vs. acm_tty_close() race

[Not upstream as it was fixed differently for 3.3 with a much more
"intrusive" rework of the driver - gregkh]

There is a race condition involving acm_tty_hangup() and acm_tty_close()
where hangup() would attempt to access tty->driver_data without proper
locking and NULL checking after close() has potentially already set it
to NULL.  One possibility to (sporadically) trigger this behavior is to
perform a suspend/resume cycle with a running WWAN data connection.

This patch addresses the issue by introducing a NULL check for
tty->driver_data in acm_tty_hangup() protected by open_mutex and exiting
gracefully when hangup() is invoked on a device that has already been

Signed-off-by: Thilo-Alexander Ginkel <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agobonding: fix error handling if slave is busy (v2)
stephen hemminger [Sat, 31 Dec 2011 13:26:46 +0000 (13:26 +0000)]
bonding: fix error handling if slave is busy (v2)

commit f7d9821a6a9c83450ac35e76d3709e32fd38b76f upstream.

If slave device already has a receive handler registered, then the
error unwind of bonding device enslave function is broken.

The following will leave a pointer to freed memory in the slave
device list, causing a later kernel panic.
# modprobe dummy
# ip li add dummy0-1 link dummy0 type macvlan
# modprobe bonding
# echo +dummy0 >/sys/class/net/bond0/bonding/slaves

The fix is to detach the slave (which removes it from the list)
in the unwind path.

Signed-off-by: Stephen Hemminger <>
Reviewed-by: Nicolas de Pesloüan <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoasix: fix infinite loop in rx_fixup()
Aurelien Jacobs [Sat, 7 Jan 2012 20:15:16 +0000 (12:15 -0800)]
asix: fix infinite loop in rx_fixup()

commit 6c15d74defd38e7e7f8805392578b7a1d508097e upstream.

At this point if skb->len happens to be 2, the subsequant skb_pull(skb, 4)
call won't work and the skb->len won't be decreased and won't ever reach 0,
resulting in an infinite loop.

With an ASIX 88772 under heavy load, without this patch, rx_fixup() reaches
an infinite loop in less than a minute. With this patch applied,
no infinite loop even after hours of heavy load.

Signed-off-by: Aurelien Jacobs <>
Cc: Jussi Kivilinna <>
Signed-off-by: David S. Miller <>
9 years agoigmp: Avoid zero delay when receiving odd mixture of IGMP queries
Ben Hutchings [Mon, 9 Jan 2012 22:06:46 +0000 (14:06 -0800)]
igmp: Avoid zero delay when receiving odd mixture of IGMP queries

commit a8c1f65c79cbbb2f7da782d4c9d15639a9b94b27 upstream.

Commit 5b7c84066733c5dfb0e4016d939757b38de189e4 ('ipv4: correct IGMP
behavior on v3 query during v2-compatibility mode') added yet another
case for query parsing, which can result in max_delay = 0.  Substitute
a value of 1, as in the usual v3 case.

Reported-by: Simon McVittie <>
Signed-off-by: Ben Hutchings <>
Signed-off-by: David S. Miller <>
9 years agousb: ch9: fix up MaxStreams helper
Felipe Balbi [Mon, 2 Jan 2012 11:35:41 +0000 (13:35 +0200)]
usb: ch9: fix up MaxStreams helper

commit 18b7ede5f7ee2092aedcb578d3ac30bd5d4fc23c upstream.

[ removed the dwc3 portion of the patch as it didn't apply to
older kernels - gregkh]

According to USB 3.0 Specification Table 9-22, if
bmAttributes [4:0] are set to zero, it means "no
streams supported", but the way this helper was
defined on Linux, we will *always* have one stream
which might cause several problems.

For example on DWC3, we would tell the controller
endpoint has streams enabled and yet start transfers
with Stream ID set to 0, which would goof up the host

While doing that, convert the macro to an inline
function due to the different checks we now need.

Signed-off-by: Felipe Balbi <>
Signed-off-by: Sarah Sharp <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoxhci: Properly handle COMP_2ND_BW_ERR
Hans de Goede [Wed, 4 Jan 2012 22:29:18 +0000 (23:29 +0100)]
xhci: Properly handle COMP_2ND_BW_ERR

commit 71d85724bdd947a3b42a88d08af79f290a1a767b upstream.

I encountered a result of COMP_2ND_BW_ERR while improving how the pwc
webcam driver handles not having the full usb1 bandwidth available to

I created the following test setup, a NEC xhci controller with a
single TT USB 2 hub plugged into it, with a usb keyboard and a pwc webcam
plugged into the usb2 hub. This caused the following to show up in dmesg
when trying to stream from the pwc camera at its highest alt setting:

xhci_hcd 0000:01:00.0: ERROR: unexpected command completion code 0x23.
usb 6-2.1: Not enough bandwidth for altsetting 9

And usb_set_interface returned -EINVAL, which caused my pwc code to not
do the right thing as it expected -ENOSPC.

This patch makes the xhci driver properly handle COMP_2ND_BW_ERR and makes
usb_set_interface return -ENOSPC as expected.

This should be backported to stable kernels as old as 2.6.32.

Signed-off-by: Hans de Goede <>
Signed-off-by: Sarah Sharp <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agousb: fix number of mapped SG DMA entries
Clemens Ladisch [Sat, 3 Dec 2011 22:41:31 +0000 (23:41 +0100)]
usb: fix number of mapped SG DMA entries

commit bc677d5b64644c399cd3db6a905453e611f402ab upstream.

Add a new field num_mapped_sgs to struct urb so that we have a place to
store the number of mapped entries and can also retain the original
value of entries in num_sgs.  Previously, usb_hcd_map_urb_for_dma()
would overwrite this with the number of mapped entries, which would
break dma_unmap_sg() because it requires the original number of entries.

This fixes warnings like the following when using USB storage devices:
 ------------[ cut here ]------------
 WARNING: at lib/dma-debug.c:902 check_unmap+0x4e4/0x695()
 ehci_hcd 0000:00:12.2: DMA-API: device driver frees DMA sg list with different entry count [map count=4] [unmap count=1]
 Modules linked in: ohci_hcd ehci_hcd
 Pid: 0, comm: kworker/0:1 Not tainted 3.2.0-rc2+ #319
 Call Trace:
  <IRQ>  [<ffffffff81036d3b>] warn_slowpath_common+0x80/0x98
  [<ffffffff81036de7>] warn_slowpath_fmt+0x41/0x43
  [<ffffffff811fa5ae>] check_unmap+0x4e4/0x695
  [<ffffffff8105e92c>] ? trace_hardirqs_off+0xd/0xf
  [<ffffffff8147208b>] ? _raw_spin_unlock_irqrestore+0x33/0x50
  [<ffffffff811fa84a>] debug_dma_unmap_sg+0xeb/0x117
  [<ffffffff8137b02f>] usb_hcd_unmap_urb_for_dma+0x71/0x188
  [<ffffffff8137b166>] unmap_urb_for_dma+0x20/0x22
  [<ffffffff8137b1c5>] usb_hcd_giveback_urb+0x5d/0xc0
  [<ffffffffa0000d02>] ehci_urb_done+0xf7/0x10c [ehci_hcd]
  [<ffffffffa0001140>] qh_completions+0x429/0x4bd [ehci_hcd]
  [<ffffffffa000340a>] ehci_work+0x95/0x9c0 [ehci_hcd]
 ---[ end trace f29ac88a5a48c580 ]---
 Mapped at:
  [<ffffffff811faac4>] debug_dma_map_sg+0x45/0x139
  [<ffffffff8137bc0b>] usb_hcd_map_urb_for_dma+0x22e/0x478
  [<ffffffff8137c494>] usb_hcd_submit_urb+0x63f/0x6fa
  [<ffffffff8137d01c>] usb_submit_urb+0x2c7/0x2de
  [<ffffffff8137dcd4>] usb_sg_wait+0x55/0x161

Signed-off-by: Clemens Ladisch <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoUSB: Add USB-ID for Multiplex RC serial adapter to cp210x.c
Malte Schröder [Thu, 5 Jan 2012 19:34:40 +0000 (20:34 +0100)]
USB: Add USB-ID for Multiplex RC serial adapter to cp210x.c

commit 08e87d0d773dc9ca5faf4c3306e238ed0ea129b0 upstream.

Hi, below patch adds the USB-ID of the serial adapters sold by
Multiplex RC (

Signed-off-by: Malte Schröder <>
Cc: stable <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agousb: option: add ZD Incorporated HSPA modem
Janne Snabb [Wed, 28 Dec 2011 19:36:00 +0000 (19:36 +0000)]
usb: option: add ZD Incorporated HSPA modem

commit 3c8c9316710b83e906e425024153bf0929887b59 upstream.

Add support for Chinese Noname HSPA USB modem which is apparently
manufactured by a company called ZD Incorporated (based on texts in the
Windows drivers).

This product is available at least from Dealextreme (SKU 80032) and
possibly in India with name Olive V-MW250. It is based on Qualcomm
MSM6280 chip.

I needed to also add "options usb-storage quirks=0685:7000:i" in modprobe
configuration because udevd or the kernel keeps poking the embedded
fake-cd-rom which fails and causes the device to reset. There might be
a better way to accomplish the same. usb_modeswitch is not needed with
this device.

Signed-off-by: Janne Snabb <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoUSB: omninet: fix write_room
Johan Hovold [Sun, 6 Nov 2011 18:06:21 +0000 (19:06 +0100)]
USB: omninet: fix write_room

commit 694c6301e515bad574af74b6552134c4d9dcb334 upstream.

Fix regression introduced by commit 507ca9bc047666 ([PATCH] USB: add
ability for usb-serial drivers to determine if their write urb is
currently being used.) which inverted the logic in write_room so that it
returns zero when the write urb is actually free.

Signed-off-by: Johan Hovold <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agousb: musb: fix pm_runtime mismatch
Felipe Contreras [Mon, 19 Dec 2011 20:01:54 +0000 (22:01 +0200)]
usb: musb: fix pm_runtime mismatch

commit 772aed45b604c5ff171f0f12c12392d868333f79 upstream.

In musb_init_controller() there's a pm_runtime_put(), but there's no
pm_runtime_get(), which creates a mismatch that causes the driver to
sleep when it shouldn't.

This was introduced in 7acc619[1], but it wasn't triggered in my setup
until 18a2689[2] was merged to Linus' branch at point df0914[3]. IOW;
when PM is working as it was supposed to.

However, it seems most of the time this is used in a way that keeps the
counter above 0, so nobody noticed. Also, it seems to depend on the
configuration used in versions before 3.1, but not later (or in it).

I found the problem by loading isp1704_charger before any usb gadgets:

All versions after 2.6.39 are affected.

[1] usb: musb: Idle path retention and offmode support for OMAP3
[2] OMAP2+: musb: hwmod adaptation for musb registration
[3] Merge branch 'omap-for-linus' of git://

Cc: Hema HK <>
Signed-off-by: Felipe Contreras <>
Signed-off-by: Felipe Balbi <>
9 years agoUSB: add quirk for another camera
Oliver Neukum [Tue, 3 Jan 2012 08:58:54 +0000 (09:58 +0100)]
USB: add quirk for another camera

commit 35284b3d2f68a8a3703745e629999469f78386b5 upstream.

The Guillemot Webcam Hercules Dualpix Exchange camera
has been reported with a second ID.

Signed-off-by: Oliver Neukum <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoUSB: pxa168: Fix compilation error
Tanmay Upadhyay [Thu, 8 Dec 2011 04:33:49 +0000 (10:03 +0530)]
USB: pxa168: Fix compilation error

commit 35657c4d72925936c7219cc5caac118ca632acc2 upstream.

After commit c430131a02d677aa708f56342c1565edfdacb3c0 (Support
controllers with big endian capability regs), HC_LENGTH takes
two arguments. This patch fixes following compilation error:

In file included from drivers/usb/host/ehci-hcd.c:1323:
drivers/usb/host/ehci-pxa168.c:302:54: error: macro "HC_LENGTH" requires 2 arguments, but only 1 given
In file included from drivers/usb/host/ehci-hcd.c:1323:
drivers/usb/host/ehci-pxa168.c: In function 'ehci_pxa168_drv_probe':
drivers/usb/host/ehci-pxa168.c:302: error: 'HC_LENGTH' undeclared (first use in this function)
drivers/usb/host/ehci-pxa168.c:302: error: (Each undeclared identifier is reported only once
drivers/usb/host/ehci-pxa168.c:302: error: for each function it appears in.)

Signed-off-by: Tanmay Upadhyay <>
Acked-by: Alan Stern <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agousb: usb-storage doesn't support dynamic id currently, the patch disables the feature...
Huajun Li [Wed, 4 Jan 2012 11:25:33 +0000 (19:25 +0800)]
usb: usb-storage doesn't support dynamic id currently, the patch disables the feature to fix an oops

commit 1a3a026ba1b6bbfe0b7f79ab38cf991d691e7c9a upstream.

Echo vendor and product number of a non usb-storage device to
usb-storage driver's new_id, then plug in the device to host and you
will find following oops msg, the root cause is usb_stor_probe1()
refers invalid id entry if giving a dynamic id, so just disable the

[ 3105.018012] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
[ 3105.018062] CPU 0
[ 3105.018075] Modules linked in: usb_storage usb_libusual bluetooth
dm_crypt binfmt_misc snd_hda_codec_analog snd_hda_intel snd_hda_codec
snd_hwdep hp_wmi ppdev sparse_keymap snd_pcm snd_seq_midi snd_rawmidi
snd_seq_midi_event snd_seq snd_timer snd_seq_device psmouse snd
serio_raw tpm_infineon soundcore i915 snd_page_alloc tpm_tis
parport_pc tpm tpm_bios drm_kms_helper drm i2c_algo_bit video lp
parport usbhid hid sg sr_mod sd_mod ehci_hcd uhci_hcd usbcore e1000e
usb_common floppy
[ 3105.018408]
[ 3105.018419] Pid: 189, comm: khubd Tainted: G          I  3.2.0-rc7+
#29 Hewlett-Packard HP Compaq dc7800p Convertible Minitower/0AACh
[ 3105.018481] RIP: 0010:[<ffffffffa045830d>]  [<ffffffffa045830d>]
usb_stor_probe1+0x2fd/0xc20 [usb_storage]
[ 3105.018536] RSP: 0018:ffff880056a3d830  EFLAGS: 00010286
[ 3105.018562] RAX: ffff880065f4e648 RBX: ffff88006bb28000 RCX: 0000000000000000
[ 3105.018597] RDX: ffff88006f23c7b0 RSI: 0000000000000001 RDI: 0000000000000206
[ 3105.018632] RBP: ffff880056a3d900 R08: 0000000000000000 R09: ffff880067365000
[ 3105.018665] R10: 00000000000002ac R11: 0000000000000010 R12: ffff6000b41a7340
[ 3105.018698] R13: ffff880065f4ef60 R14: ffff88006bb28b88 R15: ffff88006f23d270
[ 3105.018733] FS:  0000000000000000(0000) GS:ffff88007a200000(0000)
[ 3105.018773] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 3105.018801] CR2: 00007fc99c8c4650 CR3: 0000000001e05000 CR4: 00000000000006f0
[ 3105.018835] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3105.018870] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 3105.018906] Process khubd (pid: 189, threadinfo ffff880056a3c000,
task ffff88005677a400)
[ 3105.018945] Stack:
[ 3105.018959]  0000000000000000 0000000000000000 ffff880056a3d8d0
[ 3105.019011]  0000000000000000 ffff880056a3d918 ffff880000000000
[ 3105.019058]  ffff880056a3d8d0 0000000000000012 ffff880056a3d8d0
[ 3105.019105] Call Trace:
[ 3105.019128]  [<ffffffffa0458cd4>] storage_probe+0xa4/0xe0 [usb_storage]
[ 3105.019173]  [<ffffffffa0097822>] usb_probe_interface+0x172/0x330 [usbcore]
[ 3105.019211]  [<ffffffff815fda67>] driver_probe_device+0x257/0x3b0
[ 3105.019243]  [<ffffffff815fdd43>] __device_attach+0x73/0x90
[ 3105.019272]  [<ffffffff815fdcd0>] ? __driver_attach+0x110/0x110
[ 3105.019303]  [<ffffffff815fb93c>] bus_for_each_drv+0x9c/0xf0
[ 3105.019334]  [<ffffffff815fd6c7>] device_attach+0xf7/0x120
[ 3105.019364]  [<ffffffff815fc905>] bus_probe_device+0x45/0x80
[ 3105.019396]  [<ffffffff815f98a6>] device_add+0x876/0x990
[ 3105.019434]  [<ffffffffa0094e42>] usb_set_configuration+0x822/0x9e0 [usbcore]
[ 3105.019479]  [<ffffffffa00a3492>] generic_probe+0x62/0xf0 [usbcore]
[ 3105.019518]  [<ffffffffa0097a46>] usb_probe_device+0x66/0xb0 [usbcore]
[ 3105.019555]  [<ffffffff815fda67>] driver_probe_device+0x257/0x3b0
[ 3105.019589]  [<ffffffff815fdd43>] __device_attach+0x73/0x90
[ 3105.019617]  [<ffffffff815fdcd0>] ? __driver_attach+0x110/0x110
[ 3105.019648]  [<ffffffff815fb93c>] bus_for_each_drv+0x9c/0xf0
[ 3105.019680]  [<ffffffff815fd6c7>] device_attach+0xf7/0x120
[ 3105.019709]  [<ffffffff815fc905>] bus_probe_device+0x45/0x80
[ 3105.021040] usb usb6: usb auto-resume
[ 3105.021045] usb usb6: wakeup_rh
[ 3105.024849]  [<ffffffff815f98a6>] device_add+0x876/0x990
[ 3105.025086]  [<ffffffffa0088987>] usb_new_device+0x1e7/0x2b0 [usbcore]
[ 3105.025086]  [<ffffffffa008a4d7>] hub_thread+0xb27/0x1ec0 [usbcore]
[ 3105.025086]  [<ffffffff810d5200>] ? wake_up_bit+0x50/0x50
[ 3105.025086]  [<ffffffffa00899b0>] ? usb_remote_wakeup+0xa0/0xa0 [usbcore]
[ 3105.025086]  [<ffffffff810d49b8>] kthread+0xd8/0xf0
[ 3105.025086]  [<ffffffff81939884>] kernel_thread_helper+0x4/0x10
[ 3105.025086]  [<ffffffff8192a8c0>] ? _raw_spin_unlock_irq+0x50/0x80
[ 3105.025086]  [<ffffffff8192b1b4>] ? retint_restore_args+0x13/0x13
[ 3105.025086]  [<ffffffff810d48e0>] ? __init_kthread_worker+0x80/0x80
[ 3105.025086]  [<ffffffff81939880>] ? gs_change+0x13/0x13
[ 3105.025086] Code: 00 48 83 05 cd ad 00 00 01 48 83 05 cd ad 00 00
01 4c 8b ab 30 0c 00 00 48 8b 50 08 48 83 c0 30 48 89 45 a0 4c 89 a3
40 0c 00 00 <41> 0f b6 44 24 10 48 89 55 a8 3c ff 0f 84 b8 04 00 00 48
83 05
[ 3105.025086] RIP  [<ffffffffa045830d>] usb_stor_probe1+0x2fd/0xc20
[ 3105.025086]  RSP <ffff880056a3d830>
[ 3105.060037] hub 6-0:1.0: hub_resume
[ 3105.062616] usb usb5: usb auto-resume
[ 3105.064317] ehci_hcd 0000:00:1d.7: resume root hub
[ 3105.094809] ---[ end trace a7919e7f17c0a727 ]---
[ 3105.130069] hub 5-0:1.0: hub_resume
[ 3105.132131] usb usb4: usb auto-resume
[ 3105.132136] usb usb4: wakeup_rh
[ 3105.180059] hub 4-0:1.0: hub_resume
[ 3106.290052] usb usb6: suspend_rh (auto-stop)
[ 3106.290077] usb usb4: suspend_rh (auto-stop)

Signed-off-by: Huajun Li <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoUSB: isight: fix kernel bug when loading firmware
Greg Kroah-Hartman [Mon, 5 Dec 2011 22:02:59 +0000 (14:02 -0800)]
USB: isight: fix kernel bug when loading firmware

commit 59bf5cf94f0fa3b08fb1258b52649077b7d0914d upstream.

We were sending data on the stack when uploading firmware, which causes
some machines fits, and is not allowed.  Fix this by using the buffer we
already had around for this very purpose.

Reported-by: Wouter M. Koolen <>
Tested-by: Wouter M. Koolen <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agodrivers/usb/class/cdc-acm.c: clear dangling pointer
Julia Lawall [Fri, 23 Dec 2011 13:02:55 +0000 (14:02 +0100)]
drivers/usb/class/cdc-acm.c: clear dangling pointer

commit e7c8e8605d0bafc705ff27f9da98a1668427cc0f upstream.

On some failures, the country_code field of an acm structure is freed
without freeing the acm structure itself.  Elsewhere, operations including
memcpy and kfree are performed on the country_code field.  The patch sets
the country_code field to NULL when it is freed, and likewise sets the
country_code_size field to 0.

Signed-off-by: Julia Lawall <>
Acked-by: Oliver Neukum <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoudf: Fix deadlock when converting file from in-ICB one to normal one
Jan Kara [Sat, 10 Dec 2011 01:30:48 +0000 (02:30 +0100)]
udf: Fix deadlock when converting file from in-ICB one to normal one

commit d2eb8c359309ec45d6bf5b147303ab8e13be86ea upstream.

During BKL removal in 2.6.38, conversion of files from in-ICB format to normal
format got broken. We call ->writepage with i_data_sem held but udf_get_block()
also acquires i_data_sem thus creating A-A deadlock.

We fix the problem by dropping i_data_sem before calling ->writepage() which is
safe since i_mutex still protects us against any changes in the file. Also fix
pagelock - i_data_sem lock inversion in udf_expand_file_adinicb() by dropping
i_data_sem before calling find_or_create_page().

Reported-by: Matthias Matiak <>
Tested-by: Matthias Matiak <>
Reviewed-by: Namjae Jeon <>
Signed-off-by: Jan Kara <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agocgroup: fix to allow mounting a hierarchy by name
Li Zefan [Tue, 27 Dec 2011 06:25:55 +0000 (14:25 +0800)]
cgroup: fix to allow mounting a hierarchy by name

commit 0d19ea866562e46989412a0676412fa0983c9ce7 upstream.

If we mount a hierarchy with a specified name, the name is unique,
and we can use it to mount the hierarchy without specifying its
set of subsystem names. This feature is documented is
Documentation/cgroups/cgroups.txt section 2.3

Here's an example:

# mount -t cgroup -o cpuset,name=myhier xxx /cgroup1
# mount -t cgroup -o name=myhier xxx /cgroup2

But it was broken by commit 32a8cf235e2f192eb002755076994525cdbaa35a
(cgroup: make the mount options parsing more accurate)

This fixes the regression.

Signed-off-by: Li Zefan <>
Signed-off-by: Tejun Heo <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoatmel_serial: fix spinlock lockup in RS485 code
Claudio Scordino [Fri, 16 Dec 2011 14:08:49 +0000 (15:08 +0100)]
atmel_serial: fix spinlock lockup in RS485 code

commit dbf1115d3f8c7052788aa4e6e46abd27f3b3eeba upstream.

Patch to fix a spinlock lockup in the driver that sometimes happens when the
tasklet starts.

Signed-off-by: Claudio Scordino <>
Signed-off-by: Dave Bender <>
Tested-by: Dave Bender <>
Acked-by: Nicolas Ferre <>
Acked-by: Alan Cox <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agousbfs: Fix oops related to user namespace conversion.
Sarah Sharp [Fri, 16 Dec 2011 19:26:30 +0000 (11:26 -0800)]
usbfs: Fix oops related to user namespace conversion.

commit 1b41c8321e495337e877ca02d0b9680bc4112eff upstream.

When running the Point Grey "flycap" program for their USB 3.0 camera
(which was running as a USB 2.0 device for some reason), I trigger this
oops whenever I try to open a video stream:

Dec 15 16:48:34 puck kernel: [ 1798.715559] BUG: unable to handle kernel NULL pointer dereference at           (null)
Dec 15 16:48:34 puck kernel: [ 1798.719153] IP: [<ffffffff8147841e>] free_async+0x1e/0x70
Dec 15 16:48:34 puck kernel: [ 1798.720991] PGD 6f833067 PUD 6fc56067 PMD 0
Dec 15 16:48:34 puck kernel: [ 1798.722815] Oops: 0002 [#1] SMP
Dec 15 16:48:34 puck kernel: [ 1798.724627] CPU 0
Dec 15 16:48:34 puck kernel: [ 1798.724636] Modules linked in: ecryptfs encrypted_keys sha1_generic trusted binfmt_misc sha256_generic aesni_intel cryptd aes_x86_64 aes_generic parport_pc dm_crypt ppdev joydev snd_hda_codec_hdmi snd_hda_codec_conexant arc4 iwlwifi snd_hda_intel snd_hda_codec snd_hwdep snd_pcm thinkpad_acpi mac80211 snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer btusb uvcvideo snd_seq_device bluetooth videodev psmouse snd v4l2_compat_ioctl32 serio_raw tpm_tis cfg80211 tpm tpm_bios nvram soundcore snd_page_alloc lp parport i915 xhci_hcd ahci libahci drm_kms_helper drm sdhci_pci sdhci e1000e i2c_algo_bit video
Dec 15 16:48:34 puck kernel: [ 1798.734212]
Dec 15 16:48:34 puck kernel: [ 1798.736162] Pid: 2713, comm: FlyCap2 Not tainted 3.2.0-rc5+ #28 LENOVO 4286CTO/4286CTO
Dec 15 16:48:34 puck kernel: [ 1798.738148] RIP: 0010:[<ffffffff8147841e>]  [<ffffffff8147841e>] free_async+0x1e/0x70
Dec 15 16:48:34 puck kernel: [ 1798.740134] RSP: 0018:ffff88005715fd78  EFLAGS: 00010296
Dec 15 16:48:34 puck kernel: [ 1798.742118] RAX: 00000000fffffff4 RBX: ffff88006fe8f900 RCX: 0000000000004118
Dec 15 16:48:34 puck kernel: [ 1798.744116] RDX: 0000000001000000 RSI: 0000000000016390 RDI: 0000000000000000
Dec 15 16:48:34 puck kernel: [ 1798.746087] RBP: ffff88005715fd88 R08: 0000000000000000 R09: ffffffff8146f22e
Dec 15 16:48:34 puck kernel: [ 1798.748018] R10: ffff88006e520ac0 R11: 0000000000000001 R12: ffff88005715fe28
Dec 15 16:48:34 puck kernel: [ 1798.749916] R13: ffff88005d31df00 R14: ffff88006fe8f900 R15: 00007f688c995cb8
Dec 15 16:48:34 puck kernel: [ 1798.751785] FS:  00007f68a366da40(0000) GS:ffff880100200000(0000) knlGS:0000000000000000
Dec 15 16:48:34 puck kernel: [ 1798.753659] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Dec 15 16:48:34 puck kernel: [ 1798.755509] CR2: 0000000000000000 CR3: 00000000706bb000 CR4: 00000000000406f0
Dec 15 16:48:34 puck kernel: [ 1798.757334] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Dec 15 16:48:34 puck kernel: [ 1798.759124] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Dec 15 16:48:34 puck kernel: [ 1798.760871] Process FlyCap2 (pid: 2713, threadinfo ffff88005715e000, task ffff88006c675b80)
Dec 15 16:48:34 puck kernel: [ 1798.762605] Stack:
Dec 15 16:48:34 puck kernel: [ 1798.764297]  ffff88005715fe28 0000000000000000 ffff88005715fe08 ffffffff81479058
Dec 15 16:48:34 puck kernel: [ 1798.766020]  0000000000000000 ffffea0000004000 ffff880000004118 0000000000000000
Dec 15 16:48:34 puck kernel: [ 1798.767750]  ffff880000000001 ffff88006e520ac0 fffffff46fd81180 0000000000000000
Dec 15 16:48:34 puck kernel: [ 1798.769472] Call Trace:
Dec 15 16:48:34 puck kernel: [ 1798.771147]  [<ffffffff81479058>] proc_do_submiturb+0x778/0xa00
Dec 15 16:48:34 puck kernel: [ 1798.772798]  [<ffffffff8147a5fd>] usbdev_do_ioctl+0x24d/0x1200
Dec 15 16:48:34 puck kernel: [ 1798.774410]  [<ffffffff8147b5de>] usbdev_ioctl+0xe/0x20
Dec 15 16:48:34 puck kernel: [ 1798.775975]  [<ffffffff81189259>] do_vfs_ioctl+0x99/0x600
Dec 15 16:48:34 puck kernel: [ 1798.777534]  [<ffffffff81189851>] sys_ioctl+0x91/0xa0
Dec 15 16:48:34 puck kernel: [ 1798.779088]  [<ffffffff816247c2>] system_call_fastpath+0x16/0x1b
ec 15 16:48:34 puck kernel: [ 1798.780634] Code: 51 ff ff ff e9 29 ff ff ff 0f 1f 40 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 48 89 fb 48 8b 7f 18 e8 a6 ea c0 ff 4
8 8b 7b 20 <f0> ff 0f 0f 94 c0 84 c0 74 05 e8 d3 99 c1 ff 48 8b 43 40 48 8b
Dec 15 16:48:34 puck kernel: [ 1798.783970] RIP  [<ffffffff8147841e>] free_async+0x1e/0x70
Dec 15 16:48:34 puck kernel: [ 1798.785630]  RSP <ffff88005715fd78>
Dec 15 16:48:34 puck kernel: [ 1798.787274] CR2: 0000000000000000
Dec 15 16:48:34 puck kernel: [ 1798.794728] ---[ end trace 52894d3355f88d19 ]--- says the oops is in put_cred:

 ffffffff81478401:      48 89 e5                mov    %rsp,%rbp
 ffffffff81478404:      53                      push   %rbx
 ffffffff81478405:      48 83 ec 08             sub    $0x8,%rsp
 ffffffff81478409:      e8 f2 c0 1a 00          callq  ffffffff81624500 <mcount>
 ffffffff8147840e:      48 89 fb                mov    %rdi,%rbx   |  %ebx => ffff88006fe8f900
 ffffffff81478411:      48 8b 7f 18             mov    0x18(%rdi),%rdi
 ffffffff81478415:      e8 a6 ea c0 ff          callq  ffffffff81086ec0 <put_pid>
 ffffffff8147841a:      48 8b 7b 20             mov    0x20(%rbx),%rdi |  %edi => 0  %ebx = ffff88006fe8f900
 static inline int atomic_dec_and_test(atomic_t *v)
        unsigned char c;

        asm volatile(LOCK_PREFIX "decl %0; sete %1"
*ffffffff8147841e:      f0 ff 0f                lock decl (%rdi)   |  %edi = 0 <--- faulting instruction
 ffffffff81478421:      0f 94 c0                sete   %al
 static inline void put_cred(const struct cred *_cred)
        struct cred *cred = (struct cred *) _cred;

        if (atomic_dec_and_test(&(cred)->usage))
 ffffffff81478424:      84 c0                   test   %al,%al
 ffffffff81478426:      74 05                   je     ffffffff8147842d <free_async+0x2d>
 ffffffff81478428:      e8 d3 99 c1 ff          callq  ffffffff81091e00 <__put_cred>
 ffffffff8147842d:      48 8b 43 40             mov    0x40(%rbx),%rax
 ffffffff81478431:      48 8b 78 68             mov    0x68(%rax),%rdi
 ffffffff81478435:      e8 a6 e1 ce ff          callq  ffffffff811665e0 <kfree>
 ffffffff8147843a:      48 8b 43 40             mov    0x40(%rbx),%rax
 ffffffff8147843e:      48 8b b8 90 00 00 00    mov    0x90(%rax),%rdi
 ffffffff81478445:      e8 96 e1 ce ff          callq  ffffffff811665e0 <kfree>
 ffffffff8147844a:      48 8b 7b 40             mov    0x40(%rbx),%rdi
 ffffffff8147844e:      e8 0d 6b ff ff          callq  ffffffff8146ef60 <usb_free_urb>

This bug seems to have been introduced by commit
d178bc3a708f39cbfefc3fab37032d3f2511b4ec "user namespace: usb: make usb
urbs user namespace aware (v2)"

I'm not sure if this is right fix, but it does stop the oops.

Unfortunately, the Point Grey software still refuses to work, but it's a
closed source app, so I can't fix it.

Signed-off-by: Sarah Sharp <>
Acked-by: Serge Hallyn <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoUSB: update documentation for usbmon
Alan Stern [Wed, 4 Jan 2012 21:36:35 +0000 (16:36 -0500)]
USB: update documentation for usbmon

commit d8cae98cddd286e38db1724dda1b0e7b467f9237 upstream.

The documentation for usbmon is out of date; the usbfs "devices" file
now exists in /sys/kernel/debug/usb rather than /proc/bus/usb.  This
patch (as1505) updates the documentation accordingly, and also
mentions that the necessary information can be found by running lsusb.

Signed-off-by: Alan Stern <>
CC: Pete Zaitcev <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoDrivers:hv: Fix a bug in vmbus_driver_unregister()
K. Y. Srinivasan [Tue, 27 Dec 2011 21:49:37 +0000 (13:49 -0800)]
Drivers:hv: Fix a bug in vmbus_driver_unregister()

commit 8f257a142fc3868d69de3f996b95d7bdbc509560 upstream.

The function vmbus_exists() was introduced recently to deal with cases where
the vmbus driver failed to initialize and yet other Hyper-V drivers attempted
to register with the vmbus bus driver. This patch introduced a bug where
vmbus_driver_unregister() would fail to unregister the driver. This patch
fixes the problem.

Signed-off-by: K. Y. Srinivasan <>
Signed-off-by: Fuzhou Chen <>
Cc: Sasha Levin <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agodrivers: hv: Don't OOPS when you cannot init vmbus
K. Y. Srinivasan [Thu, 1 Dec 2011 17:59:34 +0000 (09:59 -0800)]
drivers: hv: Don't OOPS when you cannot init vmbus

commit cf6a2eacbcb2593b5b91d0817915c4f0464bb534 upstream.

The hv vmbus driver was causing an OOPS since it was trying to register drivers
on top of the bus even if initialization of the bus has failed for some
reason (such as the odd chance someone would run a hv enabled kernel in a
non-hv environment).

Signed-off-by: Sasha Levin <>
Signed-off-by: K. Y. Srinivasan <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoext3: Don't warn from writepage when readonly inode is spotted after error
Jan Kara [Thu, 22 Dec 2011 15:49:05 +0000 (16:49 +0100)]
ext3: Don't warn from writepage when readonly inode is spotted after error

commit 33c104d415e92a51aaf638dc3d93920cfa601e5c upstream.

WARN_ON_ONCE(IS_RDONLY(inode)) tends to trip when filesystem hits error and is
remounted read-only. This unnecessarily scares users (well, they should be
scared because of filesystem error, but the stack trace distracts them from the
right source of their fear ;-). We could as well just remove the WARN_ON but
it's not hard to fix it to not trip on filesystem with errors and not use more
cycles in the common case so that's what we do.

Signed-off-by: Jan Kara <>
Signed-off-by: Greg Kroah-Hartman <>
9 years agoreiserfs: Force inode evictions before umount to avoid crash
Jeff Mahoney [Wed, 21 Dec 2011 20:18:43 +0000 (21:18 +0100)]
reiserfs: Force inode evictions before umount to avoid crash

commit a9e36da655e54545c3289b2a0700b5c443de0edd upstream.

This patch fixes a crash in reiserfs_delete_xattrs during umount.

When shrink_dcache_for_umount clears the dcache from
generic_shutdown_super, delayed evictions are forced to disk. If an
evicted inode has extended attributes associated with it, it will
need to walk the xattr tree to locate and remove them.

But since shrink_dcache_for_umount will BUG if it encounters active
dentries, the xattr tree must be released before it's called or it will
crash during every umount.

This patch forces the evictions to occur before generic_shutdown_super
by calling shrink_dcache_sb first. The additional evictions caused
by the removal of each associated xattr file and dir will be automatically
handled as they're added to the LRU list.

Signed-off-by: Jeff Mahoney <>
Signed-off-by: Jan Kara <>
Signed-off-by: Greg Kroah-Hartman <>