8 years agoLinux 3.2.37 v3.2.37
Ben Hutchings [Wed, 16 Jan 2013 01:13:30 +0000 (01:13 +0000)]
Linux 3.2.37

8 years agoaoe: do not call bdi_init after blk_alloc_queue
Ed Cashin [Sat, 12 Jan 2013 11:43:35 +0000 (06:43 -0500)]
aoe: do not call bdi_init after blk_alloc_queue

commit 0a41409c518083133e79015092585d68915865be upstream.

blk_alloc_queue has already done a bdi_init, so do not bdi_init
again in aoeblk_gdalloc.  The extra call causes list corruption
in the per-CPU backing dev info stats lists.

Affected users see console WARNINGs about list_del corruption on
percpu_counter_destroy when doing "rmmod aoe" or "aoeflush -a"
when AoE targets have been detected and initialized by the

The patch below applies to v3.6.11, with its v47 aoe driver.  It
is expected to apply to all currently maintained stable kernels
except 3.7.y.  A related but different fix has been posted for


  RedHat bugzilla ticket with original report

  LKML discussion of bug and fix

Reported-by: Josh Boyer <>
Signed-off-by: Ed Cashin <>
Signed-off-by: Ben Hutchings <>
8 years agoACPI : do not use Lid and Sleep button for S5 wakeup
Zhang Rui [Tue, 4 Dec 2012 22:23:16 +0000 (23:23 +0100)]
ACPI : do not use Lid and Sleep button for S5 wakeup

commit b7e383046c2c7c13ad928cd7407eafff758ddd4b upstream.

When system enters power off, the _PSW of Lid device is enabled.
But this may cause the system to reboot instead of power off.

A proper way to fix this is to always disable lid wakeup capability for S5.

Signed-off-by: Zhang Rui <>
Signed-off-by: Rafael J. Wysocki <>
Signed-off-by: Ben Hutchings <>
8 years agoRDMA/nes: Fix for terminate timer crash
Tatyana Nikolova [Thu, 6 Dec 2012 19:58:27 +0000 (19:58 +0000)]
RDMA/nes: Fix for terminate timer crash

commit 7bfcfa51c35cdd2d37e0d70fc11790642dd11fb3 upstream.

The terminate timer needs to be initialized just once.

Signed-off-by: Tatyana Nikolova <>
Signed-off-by: Roland Dreier <>
Signed-off-by: Ben Hutchings <>
8 years agoRDMA/nes: Fix for crash when registering zero length MR for CQ
Tatyana Nikolova [Thu, 6 Dec 2012 20:05:02 +0000 (20:05 +0000)]
RDMA/nes: Fix for crash when registering zero length MR for CQ

commit 7d9c199a55200c9b9fcad08e150470d02fb385be upstream.

Signed-off-by: Tatyana Nikolova <>
Signed-off-by: Roland Dreier <>
Signed-off-by: Ben Hutchings <>
8 years agomvsas: Fix oops when ata commond timeout.
Jianpeng Ma [Sat, 4 Aug 2012 02:34:14 +0000 (10:34 +0800)]
mvsas: Fix oops when ata commond timeout.

commit 95ab000388974d8ffef8257306b4be6e8778b768 upstream.

Kernel message follows:

[  511.712011] sd 11:0:0:0: [sdf] command ffff8800a4e81400 timed out
[  511.712022] sas: Enter sas_scsi_recover_host busy: 1 failed: 1
[  511.712024] sas: trying to find task 0xffff8800a4d24c80
[  511.712026] sas: sas_scsi_find_task: aborting task 0xffff8800a4d24c80
[  511.712029] drivers/scsi/mvsas/mv_sas.c 1631:mvs_abort_task()
mvi=ffff8800b5300000 task=ffff8800a4d24c80 slot=ffff8800b5325038
[  511.712035] BUG: unable to handle kernel NULL pointer dereference at
[  511.712040] IP: [<ffffffff815f8c0c>] _raw_spin_lock_irqsave+0xc/0x30
[  511.712047] PGD 0
[  511.712049] Oops: 0002 [#1] SMP
[  511.712052] Modules linked in: mvsas libsas scsi_transport_sas
raid456 async_pq async_xor xor async_memcpy async_raid6_recov raid6_pq
async_tx [last unloaded: mvsas]
[  511.712062] CPU 3
[  511.712066] Pid: 7322, comm: scsi_eh_11 Not tainted 3.5.0+ #106 To Be
Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M.
[  511.712068] RIP: 0010:[<ffffffff815f8c0c>]  [<ffffffff815f8c0c>]
[  511.712073] RSP: 0018:ffff880098d3bcb0  EFLAGS: 00010086
[  511.712074] RAX: 0000000000000286 RBX: 0000000000000058 RCX:
[  511.712076] RDX: 0000000000000100 RSI: 0000000000000046 RDI:
[  511.712078] RBP: ffff880098d3bcb0 R08: 000000000000000a R09:
[  511.712080] R10: 00000000000004e8 R11: 00000000000004e7 R12:
[  511.712082] R13: 0000000000000050 R14: ffff8800b5325038 R15:
[  511.712084] FS:  0000000000000000(0000) GS:ffff8800bdb80000(0000)
[  511.712086] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  511.712088] CR2: 0000000000000058 CR3: 00000000a4ce6000 CR4:
[  511.712090] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
[  511.712091] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
[  511.712093] Process scsi_eh_11 (pid: 7322, threadinfo
ffff880098d3a000, task ffff8800a61dde40)
[  511.712095] Stack:
[  511.712096]  ffff880098d3bce0 ffffffff81060683 ffff880000000000
[  511.712099]  ffff8800a4d24c80 ffff8800b5300000 ffff880098d3bcf0
[  511.712102]  ffff880098d3bd50 ffffffffa0079bb5 ffff880000000000
[  511.712106] Call Trace:
[  511.712110]  [<ffffffff81060683>] complete+0x23/0x60
[  511.712115]  [<ffffffffa0076a88>] mvs_tmf_timedout+0x18/0x20 [mvsas]
[  511.712119]  [<ffffffffa0079bb5>] mvs_slot_complete+0x765/0x7d0
[  511.712125]  [<ffffffffa005a17d>] sas_scsi_recover_host+0x55d/0xdb0
[  511.712128]  [<ffffffff8106d600>] ? idle_balance+0xe0/0x130
[  511.712133]  [<ffffffff813b150c>] scsi_error_handler+0xcc/0x470
[  511.712136]  [<ffffffff815f7ad0>] ? __schedule+0x370/0x730
[  511.712139]  [<ffffffff8105f728>] ? __wake_up_common+0x58/0x90
[  511.712142]  [<ffffffff813b1440>] ? scsi_eh_get_sense+0x110/0x110
[  511.712146]  [<ffffffff810571be>] kthread+0x8e/0xa0
[  511.712150]  [<ffffffff816015f4>] kernel_thread_helper+0x4/0x10
[  511.712153]  [<ffffffff81057130>] ? flush_kthread_work+0x120/0x120
[  511.712156]  [<ffffffff816015f0>] ? gs_change+0xb/0xb
[  511.712157] Code: 8a 00 01 00 00 89 d0 f0 66 0f b1 0f 66 39 d0 0f 94
c0 0f b6 c0 5d c3 0f 1f 84 00 00 00 00 00 55 48 89 e5 9c 58 fa ba 00 01
00 00 <f0> 66 0f c1 17 0f b6 ce 38 d1 74 11 0f 1f 84 00 00 00 00 00 f3
[  511.712191] RIP  [<ffffffff815f8c0c>] _raw_spin_lock_irqsave+0xc/0x30
[  511.712194]  RSP <ffff880098d3bcb0>
[  511.712196] CR2: 0000000000000058
[  511.712198] ---[ end trace a781c7b1e65db92c ]---

Signed-off-by: Jianpeng Ma <>
Signed-off-by: James Bottomley <>
Signed-off-by: Ben Hutchings <>
8 years agotcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation
Eric Dumazet [Sun, 21 Oct 2012 19:57:11 +0000 (19:57 +0000)]
tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation

[ Upstream commit 354e4aa391ed50a4d827ff6fc11e0667d0859b25 ]

RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation]

  All TCP stacks MAY implement the following mitigation.  TCP stacks
  that implement this mitigation MUST add an additional input check to
  any incoming segment.  The ACK value is considered acceptable only if
  it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
  SND.NXT).  All incoming segments whose ACK value doesn't satisfy the
  above condition MUST be discarded and an ACK sent back.

Move tcp_send_challenge_ack() before tcp_ack() to avoid a forward

Signed-off-by: Eric Dumazet <>
Cc: Neal Cardwell <>
Cc: Yuchung Cheng <>
Cc: Jerry Chu <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agotcp: tcp_replace_ts_recent() should not be called from tcp_validate_incoming()
Eric Dumazet [Tue, 13 Nov 2012 05:37:18 +0000 (05:37 +0000)]
tcp: tcp_replace_ts_recent() should not be called from tcp_validate_incoming()

[ Upstream commit bd090dfc634ddd711a5fbd0cadc6e0ab4977bcaf ]

We added support for RFC 5961 in latest kernels but TCP fails
to perform exhaustive check of ACK sequence.

We can update our view of peer tsval from a frame that is
later discarded by tcp_ack()

This makes timestamps enabled sessions vulnerable to injection of
a high tsval : peers start an ACK storm, since the victim
sends a dupack each time it receives an ACK from the other peer.

As tcp_validate_incoming() is called before tcp_ack(), we should
not peform tcp_replace_ts_recent() from it, and let callers do it
at the right time.

Signed-off-by: Eric Dumazet <>
Cc: Neal Cardwell <>
Cc: Yuchung Cheng <>
Cc: Nandita Dukkipati <>
Cc: H.K. Jerry Chu <>
Cc: Romain Francoise <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agotcp: refine SYN handling in tcp_validate_incoming
Eric Dumazet [Tue, 17 Jul 2012 12:29:30 +0000 (12:29 +0000)]
tcp: refine SYN handling in tcp_validate_incoming

[ Upstream commit e371589917011efe6ff8c7dfb4e9e81934ac5855 ]

Followup of commit 0c24604b68fc (tcp: implement RFC 5961 4.2)

As reported by Vijay Subramanian, we should send a challenge ACK
instead of a dup ack if a SYN flag is set on a packet received out of

This permits the ratelimiting to work as intended, and to increase
correct SNMP counters.

Suggested-by: Vijay Subramanian <>
Signed-off-by: Eric Dumazet <>
Acked-by: Vijay Subramanian <>
Cc: Kiran Kumar Kella <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agotcp: implement RFC 5961 4.2
Eric Dumazet [Tue, 17 Jul 2012 01:41:30 +0000 (01:41 +0000)]
tcp: implement RFC 5961 4.2

[ Upstream commit 0c24604b68fc7810d429d6c3657b6f148270e528 ]

Implement the RFC 5691 mitigation against Blind
Reset attack using SYN bit.

Section 4.2 of RFC 5961 advises to send a Challenge ACK and drop
incoming packet, instead of resetting the session.

Add a new SNMP counter to count number of challenge acks sent
in response to SYN packets.
(netstat -s | grep TCPSYNChallenge)

Remove obsolete TCPAbortOnSyn, since we no longer abort a TCP session
because of a SYN flag.

Signed-off-by: Eric Dumazet <>
Cc: Kiran Kumar Kella <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agotcp: implement RFC 5961 3.2
Eric Dumazet [Tue, 17 Jul 2012 08:13:05 +0000 (10:13 +0200)]
tcp: implement RFC 5961 3.2

[ Upstream commit 282f23c6ee343126156dd41218b22ece96d747e3 ]

Implement the RFC 5691 mitigation against Blind
Reset attack using RST bit.

Idea is to validate incoming RST sequence,
to match RCV.NXT value, instead of previouly accepted

If sequence is in window but not an exact match, send
a "challenge ACK", so that the other part can resend an
RST with the appropriate sequence.

Add a new sysctl, tcp_challenge_ack_limit, to limit
number of challenge ACK sent per second.

Add a new SNMP counter to count number of challenge acks sent.
(netstat -s | grep TCPChallengeACK)

Signed-off-by: Eric Dumazet <>
Cc: Kiran Kumar Kella <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agonet: sched: integer overflow fix
Stefan Hasko [Fri, 21 Dec 2012 15:04:59 +0000 (15:04 +0000)]
net: sched: integer overflow fix

[ Upstream commit d2fe85da52e89b8012ffad010ef352a964725d5f ]

Fixed integer overflow in function htb_dequeue

Signed-off-by: Stefan Hasko <>
Acked-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agoinet: Fix kmemleak in tcp_v4/6_syn_recv_sock and dccp_v4/6_request_recv_sock
Christoph Paasch [Fri, 14 Dec 2012 04:07:58 +0000 (04:07 +0000)]
inet: Fix kmemleak in tcp_v4/6_syn_recv_sock and dccp_v4/6_request_recv_sock

[ Upstream commit e337e24d6624e74a558aa69071e112a65f7b5758 ]

If in either of the above functions inet_csk_route_child_sock() or
__inet_inherit_port() fails, the newsk will not be freed:

unreferenced object 0xffff88022e8a92c0 (size 1592):
  comm "softirq", pid 0, jiffies 4294946244 (age 726.160s)
  hex dump (first 32 bytes):
    0a 01 01 01 0a 01 01 02 00 00 00 00 a7 cc 16 00  ................
    02 00 03 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
    [<ffffffff8153d190>] kmemleak_alloc+0x21/0x3e
    [<ffffffff810ab3e7>] kmem_cache_alloc+0xb5/0xc5
    [<ffffffff8149b65b>] sk_prot_alloc.isra.53+0x2b/0xcd
    [<ffffffff8149b784>] sk_clone_lock+0x16/0x21e
    [<ffffffff814d711a>] inet_csk_clone_lock+0x10/0x7b
    [<ffffffff814ebbc3>] tcp_create_openreq_child+0x21/0x481
    [<ffffffff814e8fa5>] tcp_v4_syn_recv_sock+0x3a/0x23b
    [<ffffffff814ec5ba>] tcp_check_req+0x29f/0x416
    [<ffffffff814e8e10>] tcp_v4_do_rcv+0x161/0x2bc
    [<ffffffff814eb917>] tcp_v4_rcv+0x6c9/0x701
    [<ffffffff814cea9f>] ip_local_deliver_finish+0x70/0xc4
    [<ffffffff814cec20>] ip_local_deliver+0x4e/0x7f
    [<ffffffff814ce9f8>] ip_rcv_finish+0x1fc/0x233
    [<ffffffff814cee68>] ip_rcv+0x217/0x267
    [<ffffffff814a7bbe>] __netif_receive_skb+0x49e/0x553
    [<ffffffff814a7cc3>] netif_receive_skb+0x50/0x82

This happens, because sk_clone_lock initializes sk_refcnt to 2, and thus
a single sock_put() is not enough to free the memory. Additionally, things
like xfrm, memcg, cookie_values,... may have been initialized.
We have to free them properly.

This is fixed by forcing a call to tcp_done(), ending up in
inet_csk_destroy_sock, doing the final sock_put(). tcp_done() is necessary,
because it ends up doing all the cleanup on xfrm, memcg, cookie_values,

Before calling tcp_done, we have to set the socket to SOCK_DEAD, to
force it entering inet_csk_destroy_sock. To avoid the warning in
inet_csk_destroy_sock, inet_num has to be set to 0.
As inet_csk_destroy_sock does a dec on orphan_count, we first have to
increase it.

Calling tcp_done() allows us to remove the calls to
tcp_clear_xmit_timer() and tcp_cleanup_congestion_control().

A similar approach is taken for dccp by calling dccp_done().

This is in the kernel since 093d282321 (tproxy: fix hash locking issue
when using port redirection in __inet_inherit_port()), thus since
version >= 2.6.37.

Signed-off-by: Christoph Paasch <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agosparc: huge_ptep_set_* functions need to call set_huge_pte_at()
Dave Kleikamp [Mon, 17 Dec 2012 17:52:47 +0000 (11:52 -0600)]
sparc: huge_ptep_set_* functions need to call set_huge_pte_at()

[ Upstream commit 6cb9c3697585c47977c42c5cc1b9fc49247ac530 ]

Modifying the huge pte's requires that all the underlying pte's be

Version 2: added missing flush_tlb_page()

Signed-off-by: Dave Kleikamp <>
Cc: "David S. Miller" <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agoftrace: Do not function trace inlined functions
Steven Rostedt [Mon, 12 Dec 2011 20:22:41 +0000 (15:22 -0500)]
ftrace: Do not function trace inlined functions

commit 45959ee7aa645815a5ce303a0ea1e48a21e67c6a upstream.

When gcc inlines a function, it does not mark it with the mcount
prologue, which in turn means that inlined functions are not traced
by the function tracer. But if CONFIG_OPTIMIZE_INLINING is set, then
gcc is allowed not to inline a function that is marked inline.

Depending on the options and the compiler, a function may or may
not be traced by the function tracer, depending on whether gcc
decides to inline a function or not. This has caused several
problems in the pass becaues gcc is not always consistent with
what it decides to inline between different gcc versions.

Some places should not be traced (like paravirt native_* functions)
and these are mostly marked as inline. When gcc decides not to
inline the function, and if that function should not be traced, then
the ftrace function tracer will suddenly break when it use to work
fine. This becomes even harder to debug when different versions of
gcc will not inline that function, making the same kernel and config
work for some gcc versions and not work for others.

By making all functions marked inline to not be traced will remove
the ambiguity that gcc adds when it comes to tracing functions marked
inline. All gcc versions will be consistent with what functions are
traced and having volatile working code will be removed.

Note, only the inline macro when CONFIG_OPTIMIZE_INLINING is set needs
to have notrace added, as the attribute __always_inline will force
the function to be inlined and then not traced.

Signed-off-by: Steven Rostedt <>
Signed-off-by: Ben Hutchings <>
8 years agoRevert: "rt2x00: Don't let mac80211 send a BAR when an AMPDU subframe fails"
Stanislaw Gruszka [Mon, 3 Dec 2012 11:59:04 +0000 (12:59 +0100)]
Revert: "rt2x00: Don't let mac80211 send a BAR when an AMPDU subframe fails"

commit ab9d6e4ffe192427ce9e93d4f927b0faaa8a941e upstream.

This revert:

commit be03d4a45c09ee5100d3aaaedd087f19bc20d01f
Author: Andreas Hartmann <>
Date:   Tue Apr 17 00:25:28 2012 +0200

    rt2x00: Don't let mac80211 send a BAR when an AMPDU subframe fails

To fix problem workaround by above commit use
IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL flag (see change log for
"mac80211: introduce IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL" patch).

Bisected-by: Francisco Pina Martins <>
Signed-off-by: Stanislaw Gruszka <>
Signed-off-by: Johannes Berg <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
8 years agomac80211: introduce IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL
Stanislaw Gruszka [Mon, 3 Dec 2012 11:56:33 +0000 (12:56 +0100)]
mac80211: introduce IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL

commit 5b632fe85ec82e5c43740b52e74c66df50a37db3 upstream.

Commit f0425beda4d404a6e751439b562100b902ba9c98 "mac80211: retry sending
failed BAR frames later instead of tearing down aggr" caused regression
on rt2x00 hardware (connection hangs). This regression was fixed by
commit be03d4a45c09ee5100d3aaaedd087f19bc20d01 "rt2x00: Don't let
mac80211 send a BAR when an AMPDU subframe fails". But the latter
commit caused yet another problem reported in

After long discussion in this thread:
and testing various alternative solutions, which failed on one or other
setup, we have no other good fix for the issues like just revert both
mentioned earlier commits.

To do not affect other hardware which benefit from commit
f0425beda4d404a6e751439b562100b902ba9c98, instead of reverting it,
introduce flag that when used will restore mac80211 behaviour before
the commit.

Signed-off-by: Stanislaw Gruszka <>
[replaced link with that has message-id]
Signed-off-by: Johannes Berg <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
8 years agort2x00: Don't let mac80211 send a BAR when an AMPDU subframe fails
Andreas Hartmann [Mon, 16 Apr 2012 22:25:28 +0000 (00:25 +0200)]
rt2x00: Don't let mac80211 send a BAR when an AMPDU subframe fails

commit be03d4a45c09ee5100d3aaaedd087f19bc20d01f upstream.

There are connection stalls or very poor throughputs with rt2800
hardware using 802.11n in AP mode since patch "mac80211: retry sending
failed BAR frames later instead of tearing down aggr"[1][2].

Since rt2800 hardware is not able to correctly report the tx status of
BAR frames, this patch removes as workaround the existing error handling
on AP side, which lets mac80211 send a BAR when an AMPDU subframe fails.

As a result, most wifi clients (aside from Intel STAs on Windows)
instead will timeout now the reorder buffer and request the lost frame

The correct solution would be, to tear down BA session on AP side.

This patch was born on the basis of "[RFT] rt2x00: Tear down BA
session on QoS frame failure"[3].

Thanks to Helmut Schaa for his support!


Signed-off-by: Andreas Hartmann <>
Acked-by: Helmut Schaa <>
Signed-off-by: John W. Linville <>
Signed-off-by: Ben Hutchings <>
8 years agoepoll: prevent missed events on EPOLL_CTL_MOD
Eric Wong [Tue, 1 Jan 2013 21:20:27 +0000 (21:20 +0000)]
epoll: prevent missed events on EPOLL_CTL_MOD

commit 128dd1759d96ad36c379240f8b9463e8acfd37a1 upstream.

EPOLL_CTL_MOD sets the interest mask before calling f_op->poll() to
ensure events are not missed.  Since the modifications to the interest
mask are not protected by the same lock as ep_poll_callback, we need to
ensure the change is visible to other CPUs calling ep_poll_callback.

We also need to ensure f_op->poll() has an up-to-date view of past
events which occured before we modified the interest mask.  So this
barrier also pairs with the barrier in wq_has_sleeper().

This should guarantee either ep_poll_callback or f_op->poll() (or both)
will notice the readiness of a recently-ready/modified item.

This issue was encountered by Andreas Voellmy and Junchang(Jason) Wang in:

Signed-off-by: Eric Wong <>
Cc: Hans Verkuil <>
Cc: Jiri Olsa <>
Cc: Jonathan Corbet <>
Cc: Al Viro <>
Cc: Davide Libenzi <>
Cc: Hans de Goede <>
Cc: Mauro Carvalho Chehab <>
Cc: David Miller <>
Cc: Eric Dumazet <>
Cc: Andrew Morton <>
Cc: Andreas Voellmy <>
Tested-by: "Junchang(Jason) Wang" <>
Signed-off-by: Linus Torvalds <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
8 years agoudf: don't increment lenExtents while writing to a hole
Namjae Jeon [Tue, 9 Oct 2012 15:09:12 +0000 (00:09 +0900)]
udf: don't increment lenExtents while writing to a hole

commit fb719c59bdb4fca86ee1fd1f42ab3735ca12b6b2 upstream.

Incrementing lenExtents even while writing to a hole is bad
for performance as calls to udf_discard_prealloc and
udf_truncate_tail_extent would not return from start if
isize != lenExtents

Signed-off-by: Namjae Jeon <>
Signed-off-by: Ashish Sangwan <>
Signed-off-by: Jan Kara <>
Signed-off-by: Ben Hutchings <>
8 years agodrivers/rtc/rtc-vt8500.c: fix handling of data passed in struct rtc_time
Tony Prisk [Fri, 4 Jan 2013 23:35:48 +0000 (15:35 -0800)]
drivers/rtc/rtc-vt8500.c: fix handling of data passed in struct rtc_time

commit 2f90b68309683f2c5765a1b04ca23d71e51f1494 upstream.

tm_mon is 0..11, whereas vt8500 expects 1..12 for the month field,
causing invalid date errors for January, and causing the day field to
roll over incorrectly.

The century flag is only handled in vt8500_rtc_read_time, but not set in
vt8500_rtc_set_time.  This patch corrects the behaviour of the century

Signed-off-by: Edgar Toernig <>
Signed-off-by: Tony Prisk <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
8 years agodrivers/rtc/rtc-vt8500.c: correct handling of CR_24H bitfield
Tony Prisk [Fri, 4 Jan 2013 23:35:47 +0000 (15:35 -0800)]
drivers/rtc/rtc-vt8500.c: correct handling of CR_24H bitfield

commit 532db570e5181abc8f4f7bfa6c77c69ec2240198 upstream.

Control register bitfield for 12H/24H mode is handled incorrectly.
Setting CR_24H actually enables 12H mode.  This patch renames the define
and changes the initialization code to correctly set 24H mode.

Signed-off-by: Tony Prisk <>
Cc: Edgar Toernig <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
8 years agomm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT
Michal Hocko [Fri, 4 Jan 2013 23:35:12 +0000 (15:35 -0800)]
mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT

commit 53a59fc67f97374758e63a9c785891ec62324c81 upstream.

Since commit e303297e6c3a ("mm: extended batches for generic
mmu_gather") we are batching pages to be freed until either
tlb_next_batch cannot allocate a new batch or we are done.

This works just fine most of the time but we can get in troubles with
on large machines where too aggressive batching might lead to soft
lockups during process exit path (exit_mmap) because there are no
scheduling points down the free_pages_and_swap_cache path and so the
freeing can take long enough to trigger the soft lockup.

The lockup is harmless except when the system is setup to panic on
softlockup which is not that unusual.

The simplest way to work around this issue is to limit the maximum
number of batches in a single mmu_gather.  10k of collected pages should
be safe to prevent from soft lockups (we would have 2ms for one) even if
they are all freed without an explicit scheduling point.

This patch doesn't add any new explicit scheduling points because it
relies on zap_pmd_range during page tables zapping which calls
cond_resched per PMD.

The following lockup has been reported for 3.0 kernel with a huge
process (in order of hundreds gigs but I do know any more details).

  BUG: soft lockup - CPU#56 stuck for 22s! [kernel:31053]
  Modules linked in: af_packet nfs lockd fscache auth_rpcgss nfs_acl sunrpc mptctl mptbase autofs4 binfmt_misc dm_round_robin dm_multipath bonding cpufreq_conservative cpufreq_userspace cpufreq_powersave pcc_cpufreq mperf microcode fuse loop osst sg sd_mod crc_t10dif st qla2xxx scsi_transport_fc scsi_tgt netxen_nic i7core_edac iTCO_wdt joydev e1000e serio_raw pcspkr edac_core iTCO_vendor_support acpi_power_meter rtc_cmos hpwdt hpilo button container usbhid hid dm_mirror dm_region_hash dm_log linear uhci_hcd ehci_hcd usbcore usb_common scsi_dh_emc scsi_dh_alua scsi_dh_hp_sw scsi_dh_rdac scsi_dh dm_snapshot pcnet32 mii edd dm_mod raid1 ext3 mbcache jbd fan thermal processor thermal_sys hwmon cciss scsi_mod
  Supported: Yes
  CPU 56
  Pid: 31053, comm: kernel Not tainted 3.0.31-0.9-default #1 HP ProLiant DL580 G7
  RIP: 0010:  _raw_spin_unlock_irqrestore+0x8/0x10
  RSP: 0018:ffff883ec1037af0  EFLAGS: 00000206
  RAX: 0000000000000e00 RBX: ffffea01a0817e28 RCX: ffff88803ffd9e80
  RDX: 0000000000000200 RSI: 0000000000000206 RDI: 0000000000000206
  RBP: 0000000000000002 R08: 0000000000000001 R09: ffff887ec724a400
  R10: 0000000000000000 R11: dead000000200200 R12: ffffffff8144c26e
  R13: 0000000000000030 R14: 0000000000000297 R15: 000000000000000e
  FS:  00007ed834282700(0000) GS:ffff88c03f200000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
  CR2: 000000000068b240 CR3: 0000003ec13c5000 CR4: 00000000000006e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  Process kernel (pid: 31053, threadinfo ffff883ec1036000, task ffff883ebd5d4100)
  Call Trace:
  DWARF2 unwinder stuck at int_signal+0x12/0x17

Signed-off-by: Michal Hocko <>
Cc: Mel Gorman <>
Cc: Rik van Riel <>
Cc: Peter Zijlstra <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
8 years agoACPI / scan: Do not use dummy HID for system bus ACPI nodes
Rafael J. Wysocki [Fri, 4 Jan 2013 22:00:54 +0000 (23:00 +0100)]
ACPI / scan: Do not use dummy HID for system bus ACPI nodes

commit 4f5f64cf0cc916220aaa055992e31195470cfe37 upstream.

At one point acpi_device_set_id() checks if acpi_device_hid(device)
returns NULL, but that never happens, so system bus devices with an
empty list of PNP IDs are given the dummy HID ("device") instead of
the "system bus HID" ("LNXSYBUS").  Fix the code to use the right

Signed-off-by: Rafael J. Wysocki <>
Signed-off-by: Ben Hutchings <>
8 years agoSUNRPC: Ensure that we free the rpc_task after cleanups are done
Trond Myklebust [Fri, 4 Jan 2013 17:23:21 +0000 (12:23 -0500)]
SUNRPC: Ensure that we free the rpc_task after cleanups are done

commit c6567ed1402c55e19b012e66a8398baec2a726f3 upstream.

This patch ensures that we free the rpc_task after the cleanup callbacks
are done in order to avoid a deadlock problem that can be triggered if
the callback needs to wait for another workqueue item to complete.

Signed-off-by: Trond Myklebust <>
Cc: Weston Andros Adamson <>
Cc: Tejun Heo <>
Cc: Bruce Fields <>
Signed-off-by: Ben Hutchings <>
8 years agonfs: fix null checking in nfs_get_option_str()
Xi Wang [Fri, 4 Jan 2013 08:22:57 +0000 (03:22 -0500)]
nfs: fix null checking in nfs_get_option_str()

commit e25fbe380c4e3c09afa98bcdcd9d3921443adab8 upstream.

The following null pointer check is broken.

*option = match_strdup(args);
return !option;

The pointer `option' must be non-null, and thus `!option' is always false.
Use `!*option' instead.

The bug was introduced in commit c5cb09b6f8 ("Cleanup: Factor out some
cut-and-paste code.").

Signed-off-by: Xi Wang <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Ben Hutchings <>
8 years agovideo: mxsfb: fix crash when unblanking the display
Lothar Waßmann [Thu, 22 Nov 2012 12:49:14 +0000 (13:49 +0100)]
video: mxsfb: fix crash when unblanking the display

commit 6c1ecba8d84841277d68140ef485335d5be28485 upstream.

The VDCTRL4 register does not provide the MXS SET/CLR/TOGGLE feature.
The write in mxsfb_disable_controller() sets the data_cnt for the LCD
DMA to 0 which obviously means the max. count for the LCD DMA and
leads to overwriting arbitrary memory when the display is unblanked.

Signed-off-by: Lothar Waßmann <>
Acked-by: Juergen Beisert <>
Tested-by: Lauri Hintsala <>
Signed-off-by: Shawn Guo <>
Signed-off-by: Ben Hutchings <>
8 years agodrm/nouveau: fix init with agpgart-uninorth
Aaro Koskinen [Mon, 31 Dec 2012 01:34:59 +0000 (03:34 +0200)]
drm/nouveau: fix init with agpgart-uninorth

commit eda85d6ad490923152544fba0473798b6cc0edf6 upstream.

Check that the AGP aperture can be mapped. This follows a similar change
done for Radeon (commit 365048ff, drm/radeon: AGP memory is only I/O if
the aperture can be mapped by the CPU.).

The patch fixes the following error seen on G5 iMac:

nouveau E[     DRM] failed to create kernel channel, -12

Reviewed-by: Michel Dänzer <>
Signed-off-by: Aaro Koskinen <>
Signed-off-by: Dave Airlie <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
8 years agodrm/radeon: Properly handle DDC probe for DP bridges
Niels Ole Salscheider [Thu, 3 Jan 2013 18:09:28 +0000 (19:09 +0100)]
drm/radeon: Properly handle DDC probe for DP bridges

commit 0a9069d34918659bc8a89e21e69e60b2b83291a3 upstream.

DDC information can be accessed using AUX CH

Fixes failure to probe monitors on some systems with
DP bridge chips.

agd5f: minor fixes

Signed-off-by: Niels Ole Salscheider <>
Signed-off-by: Alex Deucher <>
Signed-off-by: Ben Hutchings <>
8 years agodrm/radeon: add connector table for Mac G4 Silver
Alex Deucher [Thu, 20 Dec 2012 21:35:47 +0000 (16:35 -0500)]
drm/radeon: add connector table for Mac G4 Silver

commit cafa59b9011a7790be4ddd5979419259844a165d upstream.

Apple cards do not provide data tables in the vbios
so we have to hard code the connector parameters
in the driver.

Reported-by: Albrecht Dreß <>
Signed-off-by: Alex Deucher <>
Signed-off-by: Ben Hutchings <>
8 years agodrm/radeon: add connector table for SAM440ep embedded board
Alex Deucher [Wed, 2 May 2012 16:10:21 +0000 (12:10 -0400)]
drm/radeon: add connector table for SAM440ep embedded board

commit 6a556039e7823d27a0a7f7724d4d455053ea9253 upstream.

RV250 found on ppc embedded boards.

Cc: Hans Verkuil <>
Signed-off-by: Alex Deucher <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Ben Hutchings <>
8 years agopowerpc: Add missing NULL terminator to avoid boot panic on PPC40x
Gabor Juhos [Thu, 20 Dec 2012 03:44:28 +0000 (03:44 +0000)]
powerpc: Add missing NULL terminator to avoid boot panic on PPC40x

commit e6449c9b2d90c1bd9a5985bf05ddebfd1631cd6b upstream.

The missing NULL terminator can cause a panic on
PPC405 boards during boot:

  Linux/PowerPC load: console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs,jffs2 noinitrd init=/etc/preinit
  Finalizing device tree... flat tree at 0x6a5160
  bootconsole [udbg0] enabled
  Page fault in user mode with in_atomic() = 1 mm = (null)
  NIP = c0275f50  MSR = fffffffe
  Oops: Weird page fault, sig: 11 [#1]
  PowerPC 40x Platform
  Modules linked in:
  NIP: c0275f50 LR: c0275f60 CTR: c0280000
  REGS: c0275eb0 TRAP: 636f7265   Not tainted  (3.7.1)
  MSR: fffffffe <VEC,VSX,EE,PR,FP,ME,SE,BE,IR,DR,PMM,RI> CR: c06a6190  XER: 00000001
  TASK = c02662a8[0] 'swapper' THREAD: c0274000
  GPR00: c0275ec0 c000c658 c027c4bf 00000000 c0275ee0 c000a0ec c020a1a8 c020a1f0
  GPR08: c020f631 c020f404 c025f078 c025f080 c0275f10
   Call Trace:
   ---[ end trace 31fd0ba7d8756001 ]---

  Kernel panic - not syncing: Attempted to kill the idle task!

The panic happens since commit 9597abe00c1bab2aedce6b49866bf6d1e81c9eed
(sections: fix section conflicts in arch/powerpc), however the root
cause of this is that the NULL terminator were not added in commit
a4f740cf33f7f6c164bbde3c0cdbcc77b0c4997c (of/flattree: Add of_flat_dt_match()
helper function).

Cc: Grant Likely <>
Signed-off-by: Gabor Juhos <>
Signed-off-by: Benjamin Herrenschmidt <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
8 years agopowerpc/vdso: Remove redundant locking in update_vsyscall_tz()
Shan Hai [Thu, 8 Nov 2012 15:57:49 +0000 (15:57 +0000)]
powerpc/vdso: Remove redundant locking in update_vsyscall_tz()

commit ce73ec6db47af84d1466402781ae0872a9e7873c upstream.

The locking in update_vsyscall_tz() is not only unnecessary because the vdso
code copies the data unproteced in __kernel_gettimeofday() but also
introduces a hard to reproduce race condition between update_vsyscall()
and update_vsyscall_tz(), which causes user space process to loop
forever in vdso code.

The following patch removes the locking from update_vsyscall_tz().

Locking is not only unnecessary because the vdso code copies the data
unprotected in __kernel_gettimeofday() but also erroneous because updating
the tb_update_count is not atomic and introduces a hard to reproduce race
condition between update_vsyscall() and update_vsyscall_tz(), which further
causes user space process to loop forever in vdso code.

The below scenario describes the race condition,
x==0 Boot CPU other CPU
proc_P: x==0
    timer interrupt
x==1     x++;sync settimeofday
x==2 x++;sync
x==3     sync;x++
proc_P: x==3 (loops until x becomes even)

Because the ++ operator would be implemented as three instructions and not
atomic on powerpc.

A similar change was made for x86 in commit 6c260d58634
("x86: vdso: Remove bogus locking in update_vsyscall_tz")

Signed-off-by: Shan Hai <>
Signed-off-by: Benjamin Herrenschmidt <>
Signed-off-by: Ben Hutchings <>
8 years agop54usb: add USBIDs for two more p54usb devices
Christian Lamparter [Thu, 27 Dec 2012 14:18:20 +0000 (15:18 +0100)]
p54usb: add USBIDs for two more p54usb devices

commit 4010fe21a315b4223c25376714c6a2b61b722e5c upstream.

This patch adds USBIDs for:
- DrayTek Vigor 530
- Zoom 4410a

It also adds a note about Gemtek WUBI-100GW
and SparkLAN WL-682 USBID conflict [WUBI-100GW
is a ISL3886+NET2280 (LM86 firmare) solution,
whereas WL-682 is a ISL3887 (LM87 firmware)]

Source: <>

Signed-off-by: Christian Lamparter <>
Signed-off-by: John W. Linville <>
Signed-off-by: Ben Hutchings <>
8 years agoath9k_hw: Fix RX gain initvals for AR9485
Sujith Manoharan [Wed, 26 Dec 2012 06:57:39 +0000 (12:27 +0530)]
ath9k_hw: Fix RX gain initvals for AR9485

commit a796a1dd5da9645ad77aa687d1a890ecd63ab5a6 upstream.

Populate iniModesRxGain with the correct initvals
array for AR9485 v1.1

Signed-off-by: Sujith Manoharan <>
Signed-off-by: John W. Linville <>
[bwh: Backported to 3.2:
 - Adjust context
 - INIT_INI_ARRAY takes additional size and columns arguments]
Signed-off-by: Ben Hutchings <>
8 years agop54usb: add USB ID for T-Com Sinus 154 data II
Tomasz Guszkowski [Sat, 22 Dec 2012 17:30:01 +0000 (18:30 +0100)]
p54usb: add USB ID for T-Com Sinus 154 data II

commit 3194b7fcdf6caea338b5d2c72d76fed80437649c upstream.

Added USB ID for T-Com Sinus 154 data II.

Signed-off-by: Tomasz Guszkowski <>
Acked-by: Christian Lamparter <>
Signed-off-by: John W. Linville <>
Signed-off-by: Ben Hutchings <>
8 years agotmpfs mempolicy: fix /proc/mounts corrupting memory
Hugh Dickins [Wed, 2 Jan 2013 10:01:33 +0000 (02:01 -0800)]
tmpfs mempolicy: fix /proc/mounts corrupting memory

commit f2a07f40dbc603c15f8b06e6ec7f768af67b424f upstream.

Recently I suggested using "mount -o remount,mpol=local /tmp" in NUMA
mempolicy testing.  Very nasty.  Reading /proc/mounts, /proc/pid/mounts
or /proc/pid/mountinfo may then corrupt one bit of kernel memory, often
in a page table (causing "Bad swap" or "Bad page map" warning or "Bad
pagetable" oops), sometimes in a vm_area_struct or rbnode or somewhere
worse.  "mpol=prefer" and "mpol=prefer:Node" are equally toxic.

Recent NUMA enhancements are not to blame: this dates back to 2.6.35,
when commit e17f74af351c "mempolicy: don't call mpol_set_nodemask() when
no_context" skipped mpol_parse_str()'s call to mpol_set_nodemask(),
which used to initialize v.preferred_node, or set MPOL_F_LOCAL in flags.
With slab poisoning, you can then rely on mpol_to_str() to set the bit
for node 0x6b6b, probably in the next page above the caller's stack.

mpol_parse_str() is only called from shmem_parse_options(): no_context
is always true, so call it unused for now, and remove !no_context code.
Set v.nodes or v.preferred_node or MPOL_F_LOCAL as mpol_to_str() might
expect.  Then mpol_to_str() can ignore its no_context argument also,
the mpol being appropriately initialized whether contextualized or not.
Rename its no_context unused too, and let subsequent patch remove them
(that's not needed for stable backporting, which would involve rejects).

I don't understand why MPOL_LOCAL is described as a pseudo-policy:
it's a reasonable policy which suffers from a confusing implementation
in terms of MPOL_PREFERRED with MPOL_F_LOCAL.  I believe this would be
much more robust if MPOL_LOCAL were recognized in switch statements
throughout, MPOL_F_LOCAL deleted, and MPOL_PREFERRED use the (possibly
empty) nodes mask like everyone else, instead of its preferred_node
variant (I presume an optimization from the days before MPOL_LOCAL).
But that would take me too long to get right and fully tested.

Signed-off-by: Hugh Dickins <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
8 years agocifs: adjust sequence number downward after signing NT_CANCEL request
Jeff Layton [Thu, 27 Dec 2012 13:05:03 +0000 (08:05 -0500)]
cifs: adjust sequence number downward after signing NT_CANCEL request

commit 31efee60f489c759c341454d755a9fd13de8c03d upstream.

When a call goes out, the signing code adjusts the sequence number
upward by two to account for the request and the response. An NT_CANCEL
however doesn't get a response of its own, it just hurries the server
along to get it to respond to the original request more quickly.
Therefore, we must adjust the sequence number back down by one after
signing a NT_CANCEL request.

Reported-by: Tim Perry <>
Signed-off-by: Jeff Layton <>
Signed-off-by: Steve French <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
8 years agomm: Fix PageHead when !CONFIG_PAGEFLAGS_EXTENDED
Christoffer Dall [Fri, 21 Dec 2012 18:03:50 +0000 (13:03 -0500)]

commit ad4b3fb7ff9940bcdb1e4cd62bd189d10fa636ba upstream.

Unfortunately with !CONFIG_PAGEFLAGS_EXTENDED, (!PageHead) is false, and
(PageHead) is true, for tail pages.  If this is indeed the intended
behavior, which I doubt because it breaks cache cleaning on some ARM
systems, then the nomenclature is highly problematic.

This patch makes sure PageHead is only true for head pages and PageTail
is only true for tail pages, and neither is true for non-compound pages.

[ This buglet seems ancient - seems to have been introduced back in Apr
  2008 in commit 6a1e7f777f61: "pageflags: convert to the use of new
  macros".  And the reason nobody noticed is because the PageHead()
  tests are almost all about just sanity-checking, and only used on
  pages that are actual page heads.  The fact that the old code returned
  true for tail pages too was thus not really noticeable.   - Linus ]

Signed-off-by: Christoffer Dall <>
Acked-by: Andrea Arcangeli <>
Cc: Andrew Morton <>
Cc: Will Deacon <>
Cc: Steve Capper <>
Cc: Christoph Lameter <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
8 years agoPCI: Reduce Ricoh 0xe822 SD card reader base clock frequency to 50MHz
Andy Lutomirski [Sat, 1 Dec 2012 20:37:20 +0000 (12:37 -0800)]
PCI: Reduce Ricoh 0xe822 SD card reader base clock frequency to 50MHz

commit 812089e01b9f65f90fc8fc670d8cce72a0e01fbb upstream.

Otherwise it fails like this on cards like the Transcend 16GB SDHC card:

    mmc0: new SDHC card at address b368
    mmcblk0: mmc0:b368 SDC   15.0 GiB
    mmcblk0: error -110 sending status command, retrying
    mmcblk0: error -84 transferring data, sector 0, nr 8, cmd response 0x900, card status 0xb0

Tested on my Lenovo x200 laptop.

[bhelgaas: changelog]
Signed-off-by: Andy Lutomirski <>
Signed-off-by: Bjorn Helgaas <>
Acked-by: Chris Ball <>
CC: Manoj Iyer <>
Signed-off-by: Ben Hutchings <>
8 years agoext4: do not try to write superblock on ro remount w/o journal
Michael Tokarev [Tue, 25 Dec 2012 19:08:16 +0000 (14:08 -0500)]
ext4: do not try to write superblock on ro remount w/o journal

commit d096ad0f79a782935d2e06ae8fb235e8c5397775 upstream.

When a journal-less ext4 filesystem is mounted on a read-only block
device (blockdev --setro will do), each remount (for other, unrelated,
flags, like suid=>nosuid etc) results in a series of scary messages
from kernel telling about I/O errors on the device.

This is becauese of the following code ext4_remount():

       if (sbi->s_journal == NULL)
                ext4_commit_super(sb, 1);

at the end of remount procedure, which forces writing (flushing) of
a superblock regardless whenever it is dirty or not, if the filesystem
is readonly or not, and whenever the device itself is readonly or not.

We only need call ext4_commit_super when the file system had been
previously mounted read/write.

Thanks to Eric Sandeen for help in diagnosing this issue.

Signed-off-By: Michael Tokarev <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Ben Hutchings <>
8 years agohwmon: (lm73} Detect and report i2c bus errors
Chris Verges [Fri, 21 Dec 2012 09:58:34 +0000 (01:58 -0800)]
hwmon: (lm73} Detect and report i2c bus errors

commit 0602934f302e016e2ea5dc6951681bfac77455ef upstream.

If an LM73 device does not exist on an I2C bus, attempts to communicate
with the device result in an error code returned from the i2c read/write
functions.  The current lm73 driver casts that return value from a s32
type to a s16 type, then converts it to a temperature in celsius.
Because negative temperatures are valid, it is difficult to distinguish
between an error code printed to the response buffer and a negative
temperature recorded by the sensor.

The solution is to evaluate the return value from the i2c functions
before performing any temperature calculations.  If the i2c function did
not succeed, the error code should be passed back through the virtual
file system layer instead of being printed into the response buffer.


   $ cat /sys/class/hwmon/hwmon0/device/temp1_input


   $ cat /sys/class/hwmon/hwmon0/device/temp1_input
   cat: read error: No such device or address

Signed-off-by: Chris Verges <>
Signed-off-by: Guenter Roeck <>
Signed-off-by: Ben Hutchings <>
8 years agojbd2: fix assertion failure in jbd2_journal_flush()
Jan Kara [Fri, 21 Dec 2012 05:15:51 +0000 (00:15 -0500)]
jbd2: fix assertion failure in jbd2_journal_flush()

commit d7961c7fa4d2e3c3f12be67e21ba8799b5a7238a upstream.

The following race is possible between start_this_handle() and someone
calling jbd2_journal_flush().

Process A                              Process B
  if (journal->j_barrier_count) # false
  if (!journal->j_running_transaction) { #true
                                         if (journal->j_running_transaction) {
                                           # false
                                         ... wait for committing trans ...
    if (!journal->j_running_transaction) { # true
      jbd2_get_transaction(journal, new_transaction);
    goto repeat; # eventually blocks on j_barrier_count > 0
                                           # fails

We fix the race by rechecking j_barrier_count after reacquiring j_state_lock
in exclusive mode.

Signed-off-by: Jan Kara <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Ben Hutchings <>
8 years agoext4: check dioread_nolock on remount
Jan Kara [Thu, 20 Dec 2012 05:07:18 +0000 (00:07 -0500)]
ext4: check dioread_nolock on remount

commit 261cb20cb2f0737a247aaf08dff7eb065e3e5b66 upstream.

Currently we allow enabling dioread_nolock mount option on remount for
filesystems where blocksize < PAGE_CACHE_SIZE.  This isn't really
supported so fix the bug by moving the check for blocksize !=
PAGE_CACHE_SIZE into parse_options(). Change the original PAGE_SIZE to
PAGE_CACHE_SIZE along the way because that's what we are really
interested in.

Signed-off-by: Jan Kara <>
Signed-off-by: "Theodore Ts'o" <>
Reviewed-by: Eric Sandeen <>
Signed-off-by: Ben Hutchings <>
8 years agoi915: ensure that VGA plane is disabled
Krzysztof Mazur [Wed, 19 Dec 2012 10:03:41 +0000 (11:03 +0100)]
i915: ensure that VGA plane is disabled

commit 0fde901f1ddd2ce0e380a6444f1fb7ca555859e9 upstream.

Some broken systems (like HP nc6120) in some cases, usually after LID
close/open, enable VGA plane, making display unusable (black screen on LVDS,
some strange mode on VGA output). We used to disable VGA plane only once at
startup. Now we also check, if VGA plane is still disabled while changing
mode, and fix that if something changed it.

Signed-off-by: Krzysztof Mazur <>
Signed-off-by: Daniel Vetter <>
[bwh: Backported to 3.2: intel_modeset_setup_hw_state() does not
 exist, so call i915_redisable_vga() directly from intel_lid_notify()]
Signed-off-by: Ben Hutchings <>
8 years agoext4: fix extent tree corruption caused by hole punch
Forrest Liu [Mon, 17 Dec 2012 14:55:39 +0000 (09:55 -0500)]
ext4: fix extent tree corruption caused by hole punch

commit c36575e663e302dbaa4d16b9c72d2c9a913a9aef upstream.

When depth of extent tree is greater than 1, logical start value of
interior node is not correctly updated in ext4_ext_rm_idx.

Signed-off-by: Forrest Liu <>
Signed-off-by: "Theodore Ts'o" <>
Reviewed-by: Ashish Sangwan <>
Signed-off-by: Ben Hutchings <>
8 years agoLinux 3.2.36 v3.2.36
Ben Hutchings [Thu, 3 Jan 2013 03:34:00 +0000 (03:34 +0000)]
Linux 3.2.36

8 years agoramoops: fix use of rounddown_pow_of_two()
Marco Stornelli [Fri, 13 Jan 2012 01:20:58 +0000 (17:20 -0800)]
ramoops: fix use of rounddown_pow_of_two()

commit fdb5950754eb3dedb9fea7c8828d3e51d9dbc3f7 upstream.

The return value of rounddown_pow_of_two wasn't evaluated, so the
operation was a no-op.

Signed-off-by: Marco Stornelli <>
Reported-by: Andrew Morton <>
Reviewed-by: WANG Cong <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
8 years agostaging: vt6656: 64bit fixes: vCommandTimerWait change calculation of timer.
Malcolm Priestley [Sun, 11 Nov 2012 16:07:57 +0000 (16:07 +0000)]
staging: vt6656: 64bit fixes: vCommandTimerWait change calculation of timer.

commit 70e227790d4ee4590023d8041a3485f8053593fc upstream.

The timer appears to run too fast/race on 64 bit systems.

Using msecs_to_jiffies seems to cause a deadlock on 64 bit.

A calculation of (MSecond * HZ) / 1000 appears to run satisfactory.

Change BSSIDInfoCount to u32.

After this patch the driver can be successfully connect on little endian 64/32 bit systems.

Signed-off-by: Malcolm Priestley <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
8 years agostaging: vt6656: 64bit fixes: key.c/h change unsigned long to u32
Malcolm Priestley [Sun, 11 Nov 2012 15:49:59 +0000 (15:49 +0000)]
staging: vt6656: 64bit fixes: key.c/h change unsigned long to u32

commit c0d05b305b00c698b0a8c1b3d46c9380bce9db45 upstream.

Fixes long issues.

Signed-off-by: Malcolm Priestley <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
8 years agostaging: vt6656: 64 bit fixes: fix long warning messages.
Malcolm Priestley [Sun, 11 Nov 2012 15:45:52 +0000 (15:45 +0000)]
staging: vt6656: 64 bit fixes: fix long warning messages.

commit b4dc03af5513774277c9c36b12a25cd3f25f4404 upstream.

Fixes long warning messages from patch
[PATCH 08/14] staging: vt6656: 64 bit fixes : correct all type sizes

Signed-off-by: Malcolm Priestley <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
8 years agostaging: vt6656: 64 bit fixes : correct all type sizes
Malcolm Priestley [Sun, 11 Nov 2012 15:41:25 +0000 (15:41 +0000)]
staging: vt6656: 64 bit fixes : correct all type sizes

commit 7730492855a2f9c828599bcd8d62760f96d319e4 upstream.

After this patch all BYTE/WORD/DWORD types can be replaced with the appropriate u sizes.

Signed-off-by: Malcolm Priestley <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
8 years agostaging: vt6656: 64 bit fixes: use u32 for QWORD definition.
Malcolm Priestley [Sun, 11 Nov 2012 15:32:05 +0000 (15:32 +0000)]
staging: vt6656: 64 bit fixes: use u32 for QWORD definition.

commit a552397d5e4ef0cc0bd3e9595d6acc9a3b381171 upstream.

Size of long issues replace with u32.

Signed-off-by: Malcolm Priestley <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
8 years agostaging: vt6656: [BUG] out of bound array reference in RFbSetPower.
Malcolm Priestley [Sun, 7 Oct 2012 07:27:00 +0000 (08:27 +0100)]
staging: vt6656: [BUG] out of bound array reference in RFbSetPower.

commit ab1dd9963137a1e122004d5378a581bf16ae9bc8 upstream.

Calling RFbSetPower with uCH zero value will cause out of bound array reference.

This causes 64 bit kernels to oops on boot.

Note: Driver does not function on 64 bit kernels and should be
blacklisted on them.

Signed-off-by: Malcolm Priestley <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
8 years agoudf: fix memory leak while allocating blocks during write
Namjae Jeon [Tue, 9 Oct 2012 15:08:56 +0000 (00:08 +0900)]
udf: fix memory leak while allocating blocks during write

commit 2fb7d99d0de3fd8ae869f35ab682581d8455887a upstream.

Need to brelse the buffer_head stored in cur_epos and next_epos.

Signed-off-by: Namjae Jeon <>
Signed-off-by: Ashish Sangwan <>
Signed-off-by: Jan Kara <>
Signed-off-by: Ben Hutchings <>
8 years agothp, memcg: split hugepage for memcg oom on cow
David Rientjes [Tue, 29 May 2012 22:06:23 +0000 (15:06 -0700)]
thp, memcg: split hugepage for memcg oom on cow

commit 1f1d06c34f7675026326cd9f39ff91e4555cf355 upstream.

On COW, a new hugepage is allocated and charged to the memcg.  If the
system is oom or the charge to the memcg fails, however, the fault
handler will return VM_FAULT_OOM which results in an oom kill.

Instead, it's possible to fallback to splitting the hugepage so that the
COW results only in an order-0 page being allocated and charged to the
memcg which has a higher liklihood to succeed.  This is expensive
because the hugepage must be split in the page fault handler, but it is
much better than unnecessarily oom killing a process.

Signed-off-by: David Rientjes <>
Cc: Andrea Arcangeli <>
Cc: Johannes Weiner <>
Acked-by: KAMEZAWA Hiroyuki <>
Cc: Michal Hocko <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
8 years agoRevert "mm: vmscan: fix endless loop in kswapd balancing"
Ben Hutchings [Thu, 27 Dec 2012 18:39:54 +0000 (19:39 +0100)]
Revert "mm: vmscan: fix endless loop in kswapd balancing"

This reverts commit 39d18dc4b8b0c000fa681cbae10ac3f8a132814b which
was commit 60cefed485a02bd99b6299dad70666fe49245da7 upstream.

This was not needed and is not suitable for 3.2.y.

Reported-by: Johannes Weiner <>
Signed-off-by: Ben Hutchings <>
8 years agohpsa: gen8plus Smart Array IDs
Mike Miller [Thu, 20 Sep 2012 21:05:18 +0000 (16:05 -0500)]
hpsa: gen8plus Smart Array IDs

commit fe0c9610bb68dd0aad1017456f5e3c31264d70c2 upstream.

Signed-off-by: James Bottomley <>
Signed-off-by: Ben Hutchings <>
8 years agoi82975x_edac: Fix dimm label initialization
Mauro Carvalho Chehab [Tue, 16 Oct 2012 00:48:48 +0000 (21:48 -0300)]
i82975x_edac: Fix dimm label initialization

commit 479696840239e0cc43efb3c917bdcad2174d2215 upstream.

The driver has only 4 hardcoded labels, but allows much more memory.
Fix it by removing the hardcoded logic, using snprintf() instead.

[   19.833972] general protection fault: 0000 [#1] SMP
[   19.837733] Modules linked in: i82975x_edac(+) edac_core firewire_ohci firewire_core crc_itu_t nouveau mxm_wmi wmi video i2c_algo_bit drm_kms_helper ttm drm i2c_core
[   19.837733] CPU 0
[   19.837733] Pid: 390, comm: udevd Not tainted 3.6.1-1.fc17.x86_64.debug #1 Dell Inc.                 Precision WorkStation 390    /0MY510
[   19.837733] RIP: 0010:[<ffffffff813463a8>]  [<ffffffff813463a8>] strncpy+0x18/0x30
[   19.837733] RSP: 0018:ffff880078535b68  EFLAGS: 00010202
[   19.837733] RAX: ffff880069fa9708 RBX: ffff880078588000 RCX: ffff880069fa9708
[   19.837733] RDX: 000000000000001f RSI: 5f706f5f63616465 RDI: ffff880069fa9708
[   19.837733] RBP: ffff880078535b68 R08: ffff880069fa9727 R09: 000000000000fffe
[   19.837733] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000003
[   19.837733] R13: 0000000000000000 R14: ffff880069fa9290 R15: ffff880079624a80
[   19.837733] FS:  00007f3de01ee840(0000) GS:ffff88007c400000(0000) knlGS:0000000000000000
[   19.837733] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   19.837733] CR2: 00007f3de00b9000 CR3: 0000000078dbc000 CR4: 00000000000007f0
[   19.837733] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   19.837733] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   19.837733] Process udevd (pid: 390, threadinfo ffff880078534000, task ffff880079642450)
[   19.837733] Stack:
[   19.837733]  ffff880078535c18 ffffffffa017c6b8 00040000816d627f ffff880079624a88
[   19.837733]  ffffc90004cd6000 ffff880079624520 ffff88007ac21148 0000000000000000
[   19.837733]  0000000000000000 0004000000000000 feda000078535bc8 ffffffff810d696d
[   19.837733] Call Trace:
[   19.837733]  [<ffffffffa017c6b8>] i82975x_init_one+0x2e6/0x3e6 [i82975x_edac]

Fix bug reported at:
And, very likely:

Cc: Alan Cox <>
Signed-off-by: Mauro Carvalho Chehab <>
[bwh: Backported to 3.2:
 - Adjust context
 - Use csrow->channels[chan].label not csrow->channels[chan]->dimm->label]
Signed-off-by: Ben Hutchings <>
8 years agotelephony: ijx: buffer overflow in ixj_write_cid()
Dan Carpenter [Mon, 3 Dec 2012 19:05:12 +0000 (22:05 +0300)]
telephony: ijx: buffer overflow in ixj_write_cid()

[Not needed in 3.8 or newer as this driver is removed there. - gregkh]

We get this from user space and nothing has been done to ensure that
these strings are NUL terminated.

Reported-by: Chen Gang <>
Signed-off-by: Dan Carpenter <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
8 years agoMISC: hpilo, remove pci_disable_device
Jiri Slaby [Thu, 13 Sep 2012 14:06:48 +0000 (16:06 +0200)]
MISC: hpilo, remove pci_disable_device

commit bcdee04ea7ae0406ae69094f6df1aacb66a69a0b upstream.

pci_disable_device(pdev) used to be in pci remove function. But this
PCI device has two functions with interrupt lines connected to a
single pin. The other one is a USB host controller. So when we disable
the PIN there e.g. by rmmod hpilo, the controller stops working. It is
because the interrupt link is disabled in ACPI since it is not
refcounted yet. See acpi_pci_link_free_irq called from

It is not the best solution whatsoever, but as a workaround until the
ACPI irq link refcounting is sorted out this should fix the reported


Signed-off-by: Jiri Slaby <>
Cc: Grant Grundler <>
Cc: Nobin Mathew <>
Cc: Robert Hancock <>
Cc: Arnd Bergmann <>
Cc: David Altobelli <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
8 years agoiwlwifi: handle DMA mapping failures
Johannes Berg [Sun, 4 Nov 2012 08:29:17 +0000 (09:29 +0100)]
iwlwifi: handle DMA mapping failures

commit 7c34158231b2eda8dcbd297be2bb1559e69cb433 upstream.

The RX replenish code doesn't handle DMA mapping failures,
which will cause issues if there actually is a failure. This
was reported by Shuah Khan who found a DMA mapping framework
warning ("device driver failed to check map error").

Reported-by: Shuah Khan <>
Reviewed-by: Emmanuel Grumbach <>
Signed-off-by: Johannes Berg <>
[bwh: Backported to 3.2:
 - Adjust filename, context, indentation
 - Use bus(trans) instead of trans where necessary
 - Use hw_params(trans).rx_page_order instead of trans_pcie->rx_page_order]
Signed-off-by: Ben Hutchings <>
8 years agousb/ipheth: Add iPhone 5 support
Jay Purohit [Sun, 14 Oct 2012 07:07:21 +0000 (07:07 +0000)]
usb/ipheth: Add iPhone 5 support

[ Upstream commit af1b85e49089f945deb46258b0fc4bc9910afb22 ]

I noticed that the iPhone ethernet driver did not support
iPhone 5. I quickly added support to it in my kernel, here's
a patch.

Signed-off-by: Jay Purohit <>
Acked-by: Valdis Kletnieks <>
Signed-off-by: Jan Ceuleers <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agoipv4: ip_check_defrag must not modify skb before unsharing
Johannes Berg [Sun, 9 Dec 2012 23:41:06 +0000 (23:41 +0000)]
ipv4: ip_check_defrag must not modify skb before unsharing

[ Upstream commit 1bf3751ec90cc3174e01f0d701e8449ce163d113 ]

ip_check_defrag() might be called from af_packet within the
RX path where shared SKBs are used, so it must not modify
the input SKB before it has unshared it for defragmentation.
Use skb_copy_bits() to get the IP header and only pull in
everything later.

The same is true for the other caller in macvlan as it is
called from dev->rx_handler which can also get a shared SKB.

Reported-by: Eric Leblond <>
Signed-off-by: Johannes Berg <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agoirda: sir_dev: Fix copy/paste typo
Alexander Shiyan [Tue, 20 Nov 2012 09:59:11 +0000 (09:59 +0000)]
irda: sir_dev: Fix copy/paste typo

[ Upstream commit 2355a62bcbdcc4b567425bab036bfab6ade87eed ]

Signed-off-by: Alexander Shiyan <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agone2000: add the right platform device
Alan Cox [Tue, 20 Nov 2012 06:31:57 +0000 (06:31 +0000)]
ne2000: add the right platform device

[ Upstream commit da9da01d9199b5bb15289d0859053c9aa3a34ac0 ]

Without this udev doesn't have a way to key the ne device to the platform

Signed-off-by: Alan Cox <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agosctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall
Tommi Rantala [Thu, 22 Nov 2012 03:23:16 +0000 (03:23 +0000)]
sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall

[ Upstream commit 6e51fe7572590d8d86e93b547fab6693d305fd0d ]

Consider the following program, that sets the second argument to the
sendto() syscall incorrectly:

 #include <string.h>
 #include <arpa/inet.h>
 #include <sys/socket.h>

 int main(void)
         int fd;
         struct sockaddr_in sa;

         fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
         if (fd < 0)
                 return 1;

         memset(&sa, 0, sizeof(sa));
         sa.sin_family = AF_INET;
         sa.sin_addr.s_addr = inet_addr("");
         sa.sin_port = htons(11111);

         sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));

         return 0;

We get -ENOMEM:

 $ strace -e sendto ./demo
 sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("")}, 16) = -1 ENOMEM (Cannot allocate memory)

Propagate the error code from sctp_user_addto_chunk(), so that we will
tell user space what actually went wrong:

 $ strace -e sendto ./demo
 sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("")}, 16) = -1 EFAULT (Bad address)

Noticed while running Trinity (the syscall fuzzer).

Signed-off-by: Tommi Rantala <>
Acked-by: Vlad Yasevich <>
Acked-by: Neil Horman <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agosctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails
Tommi Rantala [Tue, 27 Nov 2012 04:01:46 +0000 (04:01 +0000)]
sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails

[ Upstream commit be364c8c0f17a3dd42707b5a090b318028538eb9 ]

Trinity (the syscall fuzzer) discovered a memory leak in SCTP,
reproducible e.g. with the sendto() syscall by passing invalid
user space pointer in the second argument:

 #include <string.h>
 #include <arpa/inet.h>
 #include <sys/socket.h>

 int main(void)
         int fd;
         struct sockaddr_in sa;

         fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
         if (fd < 0)
                 return 1;

         memset(&sa, 0, sizeof(sa));
         sa.sin_family = AF_INET;
         sa.sin_addr.s_addr = inet_addr("");
         sa.sin_port = htons(11111);

         sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));

         return 0;

As far as I can tell, the leak has been around since ~2003.

Signed-off-by: Tommi Rantala <>
Acked-by: Vlad Yasevich <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agobonding: fix race condition in bonding_store_slaves_active [Thu, 29 Nov 2012 01:37:59 +0000 (01:37 +0000)]
bonding: fix race condition in bonding_store_slaves_active

[ Upstream commit e196c0e579902f42cf72414461fb034e5a1ffbf7 ]

Race between bonding_store_slaves_active() and slave manipulation
 functions. The bond_for_each_slave use in bonding_store_slaves_active()
 is not protected by any synchronization mechanism.
 NULL pointer dereference is easy to reach.
 Fixed by acquiring the bond->lock for the slave walk.

 v2: Make description text < 75 columns

Signed-off-by: Nikolay Aleksandrov <>
Signed-off-by: Jay Vosburgh <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agobonding: Bonding driver does not consider the gso_max_size/gso_max_segs setting of...
Sarveshwar Bandi [Wed, 21 Nov 2012 04:35:03 +0000 (04:35 +0000)]
bonding: Bonding driver does not consider the gso_max_size/gso_max_segs setting of slave devices.

[ Upstream commit 0e376bd0b791ac6ac6bdb051492df0769c840848 ]

Patch sets the lowest gso_max_size and gso_max_segs values of the slave devices during enslave and detach.

Signed-off-by: Sarveshwar Bandi <>
Acked-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agoUSB: cdc-wdm: fix regression on buffer deallocation
Herton Ronaldo Krzesinski [Fri, 14 Dec 2012 12:38:02 +0000 (10:38 -0200)]
USB: cdc-wdm: fix regression on buffer deallocation

[ no commit upstream, since usb_alloc_coherent usage was removed from
  the driver before this was fixed ]

Commit cafbe85 ("USB: cdc-wdm: better allocate a buffer that is at least
as big as we tell the USB core") introduced a regression: it changed
the size used in usb_alloc_coherent, but failed to do the same for the
usb_free_coherent calls.

It also was marked for stable and got backported to older kernels. But
in the upstream kernel, the usage of usb_alloc_coherent was right after
removed from the driver, so upstream doesn't have this problem, while
the stable kernels still have, and thus need this fix.

Signed-off-by: Herton Ronaldo Krzesinski <>
Signed-off-by: Ben Hutchings <>
8 years agodrm/i915: do not default to 18 bpp for eDP if missing from VBT
Jani Nikula [Mon, 12 Nov 2012 12:33:45 +0000 (14:33 +0200)]
drm/i915: do not default to 18 bpp for eDP if missing from VBT

commit 9a30a61f3516871c5c638fd7c025fbaa11ddf7fe upstream.

commit 500a8cc466a24e2fbc4c86ef9c6467ae2ffdeb0c
Author: Zhenyu Wang <>
Date:   Wed Jan 13 11:19:52 2010 +0800

    drm/i915: parse eDP panel color depth from VBT block

originally introduced parsing bpp for eDP from VBT, with a default of 18
bpp if the eDP BIOS data block is not present. Turns out that default seems
to break the Macbook Pro with retina display, as noted in

commit 4344b813f105a19f793f1fd93ad775b784648b95
Author: Daniel Vetter <>
Date:   Fri Aug 10 11:10:20 2012 +0200

    drm/i915: ignore eDP bpc settings from vbt

Since we can't ignore bpc settings from VBT completely after all, get rid
of the default. Do not clamp eDP to 18 bpp by default if the eDP BDB is
missing from VBT.

Signed-off-by: Jani Nikula <>
Tested-by: Henrik Rydberg <>
[danvet: paste in the updated commit message from irc.]
Signed-off-by: Daniel Vetter <>
Signed-off-by: Ben Hutchings <>
8 years agodrm/i915: do not ignore eDP bpc settings from vbt
Jani Nikula [Mon, 12 Nov 2012 12:33:44 +0000 (14:33 +0200)]
drm/i915: do not ignore eDP bpc settings from vbt

commit 2f4f649a69a9eb51f6e98130e19dd90a260a4145 upstream.

There are laptops out there that need the eDP bpc from VBT. This is
effectively a revert of

commit 4344b813f105a19f793f1fd93ad775b784648b95
Author: Daniel Vetter <>
Date:   Fri Aug 10 11:10:20 2012 +0200

    drm/i915: ignore eDP bpc settings from vbt

but putting the VBT check after the EDID check to see them both in dmesg if
this clamps more than the EDID. We have enough history with bpc clamping to
warrant the extra debug info.

Signed-off-by: Jani Nikula <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Ben Hutchings <>
8 years agodm ioctl: prevent unsafe change to dm_ioctl data_size
Alasdair G Kergon [Fri, 21 Dec 2012 20:23:30 +0000 (20:23 +0000)]
dm ioctl: prevent unsafe change to dm_ioctl data_size

commit e910d7ebecd1aac43125944a8641b6cb1a0dfabe upstream.

Abort dm ioctl processing if userspace changes the data_size parameter
after we validated it but before we finished copying the data buffer
from userspace.

The dm ioctl parameters are processed in the following sequence:
 1. ctl_ioctl() calls copy_params();
 2. copy_params() makes a first copy of the fixed-sized portion of the
    userspace parameters into the local variable "tmp";
 3. copy_params() then validates tmp.data_size and allocates a new
    structure big enough to hold the complete data and copies the whole
    userspace buffer there;
 4. ctl_ioctl() reads userspace data the second time and copies the whole
    buffer into the pointer "param";
 5. ctl_ioctl() reads param->data_size without any validation and stores it
    in the variable "input_param_size";
 6. "input_param_size" is further used as the authoritative size of the
    kernel buffer.

The problem is that userspace code could change the contents of user
memory between steps 2 and 4.  In particular, the data_size parameter
can be changed to an invalid value after the kernel has validated it.
This lets userspace force the kernel to access invalid kernel memory.

The fix is to ensure that the size has not changed at step 4.

This patch shouldn't have a security impact because CAP_SYS_ADMIN is
required to run this code, but it should be fixed anyway.

Reported-by: Mikulas Patocka <>
Signed-off-by: Alasdair G Kergon <>
Signed-off-by: Ben Hutchings <>
8 years agodm persistent data: rename node to btree_node
Mikulas Patocka [Fri, 21 Dec 2012 20:23:30 +0000 (20:23 +0000)]
dm persistent data: rename node to btree_node

commit 550929faf89e2e2cdb3e9945ea87d383989274cf upstream.

This patch fixes a compilation failure on sparc32 by renaming struct node.

struct node is already defined in include/linux/node.h. On sparc32, it
happens to be included through other dependencies and persistent-data
doesn't compile because of conflicting declarations.

Signed-off-by: Mikulas Patocka <>
Signed-off-by: Alasdair G Kergon <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
8 years agoSGI-XP: handle non-fatal traps
Robin Holt [Thu, 20 Dec 2012 23:05:50 +0000 (15:05 -0800)]
SGI-XP: handle non-fatal traps

commit 891348ca0f66206f1dc0e30d63757e3df1ae2d15 upstream.

We found a user code which was raising a divide-by-zero trap.  That trap
would lead to XPC connections between system-partitions being torn down
due to the die_chain notifier callouts it received.

This also revealed a different issue where multiple callers into
xpc_die_deactivate() would all attempt to do the disconnect in parallel
which would sometimes lock up but often overwhelm the console on very
large machines as each would print at least one line of output at the
end of the deactivate.

I reviewed all the users of the die_chain notifier and changed the code
to ignore the notifier callouts for reasons which will not actually lead
to a system to continue on to call die().

[ fix ia64]
Signed-off-by: Robin Holt <>
Cc: Thomas Gleixner <>
Cc: Ingo Molnar <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
8 years agoexec: do not leave bprm->interp on stack
Kees Cook [Thu, 20 Dec 2012 23:05:16 +0000 (15:05 -0800)]
exec: do not leave bprm->interp on stack

commit b66c5984017533316fd1951770302649baf1aa33 upstream.

If a series of scripts are executed, each triggering module loading via
unprintable bytes in the script header, kernel stack contents can leak
into the command line.

Normally execution of binfmt_script and binfmt_misc happens recursively.
However, when modules are enabled, and unprintable bytes exist in the
bprm->buf, execution will restart after attempting to load matching
binfmt modules.  Unfortunately, the logic in binfmt_script and
binfmt_misc does not expect to get restarted.  They leave bprm->interp
pointing to their local stack.  This means on restart bprm->interp is
left pointing into unused stack memory which can then be copied into the
userspace argv areas.

After additional study, it seems that both recursion and restart remains
the desirable way to handle exec with scripts, misc, and modules.  As
such, we need to protect the changes to interp.

This changes the logic to require allocation for any changes to the
bprm->interp.  To avoid adding a new kmalloc to every exec, the default
value is left as-is.  Only when passing through binfmt_script or
binfmt_misc does an allocation take place.

For a proof of concept, see from:

Signed-off-by: Kees Cook <>
Cc: halfdog <>
Cc: P J P <>
Cc: Alexander Viro <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
8 years agovfs: d_obtain_alias() needs to use "/" as default name.
NeilBrown [Fri, 9 Nov 2012 00:09:37 +0000 (16:09 -0800)]
vfs: d_obtain_alias() needs to use "/" as default name.

commit b911a6bdeef5848c468597d040e3407e0aee04ce upstream.

NFS appears to use d_obtain_alias() to create the root dentry rather than
d_make_root.  This can cause 'prepend_path()' to complain that the root
has a weird name if an NFS filesystem is lazily unmounted.  e.g.  if
"/mnt" is an NFS mount then

 { cd /mnt; umount -l /mnt ; ls -l /proc/self/cwd; }

will cause a WARN message like
   WARNING: at /home/git/linux/fs/dcache.c:2624 prepend_path+0x1d7/0x1e0()
   Root dentry has weird name <>

to appear in kernel logs.

So change d_obtain_alias() to use "/" rather than "" as the anonymous

Signed-off-by: NeilBrown <>
Cc: Trond Myklebust <>
Cc: Al Viro <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Al Viro <>
[bwh: Backported to 3.2: use named initialisers instead of QSTR_INIT()]
Signed-off-by: Ben Hutchings <>
8 years agointel-iommu: Free old page tables before creating superpage
Woodhouse, David [Wed, 19 Dec 2012 13:25:35 +0000 (13:25 +0000)]
intel-iommu: Free old page tables before creating superpage

commit 6491d4d02893d9787ba67279595990217177b351 upstream.

The dma_pte_free_pagetable() function will only free a page table page
if it is asked to free the *entire* 2MiB range that it covers. So if a
page table page was used for one or more small mappings, it's likely to
end up still present in the page tables... but with no valid PTEs.

This was fine when we'd only be repopulating it with 4KiB PTEs anyway
but the same virtual address range can end up being reused for a
*large-page* mapping. And in that case were were trying to insert the
large page into the second-level page table, and getting a complaint
from the sanity check in __domain_mapping() because there was already a
corresponding entry. This was *relatively* harmless; it led to a memory
leak of the old page table page, but no other ill-effects.

Fix it by calling dma_pte_clear_range (hopefully redundant) and
dma_pte_free_pagetable() before setting up the new large page.

Signed-off-by: David Woodhouse <>
Tested-by: Ravi Murty <>
Tested-by: Sudeep Dutt <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
8 years agoARM: missing ->mmap_sem around find_vma() in swp_emulate.c
Al Viro [Sun, 16 Dec 2012 00:25:57 +0000 (00:25 +0000)]
ARM: missing ->mmap_sem around find_vma() in swp_emulate.c

commit 7bf9b7bef881aac820bf1f2e9951a17b09bd7e04 upstream.

find_vma() is *not* safe when somebody else is removing vmas.  Not just
the return value might get bogus just as you are getting it (this instance
doesn't try to dereference the resulting vma), the search itself can get
buggered in rather spectacular ways.  IOW, ->mmap_sem really, really is
not optional here.

Signed-off-by: Al Viro <>
Signed-off-by: Russell King <>
Signed-off-by: Ben Hutchings <>
8 years agoCRIS: fix I/O macros
Corey Minyard [Tue, 18 Dec 2012 22:21:19 +0000 (14:21 -0800)]
CRIS: fix I/O macros

commit c24bf9b4cc6a0f330ea355d73bfdf1dae7e63a05 upstream.

The inb/outb macros for CRIS are broken from a number of points of view,
missing () around parameters and they have an unprotected if statement
in them.  This was breaking the compile of IPMI on CRIS and thus I was
being annoyed by build regressions, so I fixed them.

Plus I don't think they would have worked at all, since the data values
were missing "&" and the outsl had a "3" instead of a "4" for the size.
From what I can tell, this stuff is not used at all, so this can't be
any more broken than it was before, anyway.

Signed-off-by: Corey Minyard <>
Cc: Jesper Nilsson <>
Cc: Mikael Starvik <>
Acked-by: Geert Uytterhoeven <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
8 years agonfsd4: fix oops on unusual readlike compound
J. Bruce Fields [Tue, 4 Dec 2012 23:25:10 +0000 (18:25 -0500)]
nfsd4: fix oops on unusual readlike compound

commit d5f50b0c290431c65377c4afa1c764e2c3fe5305 upstream.

If the argument and reply together exceed the maximum payload size, then
a reply with a read-like operation can overlow the rq_pages array.

Signed-off-by: J. Bruce Fields <>
Signed-off-by: Ben Hutchings <>
8 years agoproc: pid/status: show all supplementary groups
Artem Bityutskiy [Tue, 18 Dec 2012 00:03:17 +0000 (16:03 -0800)]
proc: pid/status: show all supplementary groups

commit 8d238027b87e654be552eabdf492042a34c5c300 upstream.

We display a list of supplementary group for each process in
/proc/<pid>/status.  However, we show only the first 32 groups, not all of

Although this is rare, but sometimes processes do have more than 32
supplementary groups, and this kernel limitation breaks user-space apps
that rely on the group list in /proc/<pid>/status.

Number 32 comes from the internal NGROUPS_SMALL macro which defines the
length for the internal kernel "small" groups buffer.  There is no
apparent reason to limit to this value.

This patch removes the 32 groups printing limit.

The Linux kernel limits the amount of supplementary groups by NGROUPS_MAX,
which is currently set to 65536.  And this is the maximum count of groups
we may possibly print.

Signed-off-by: Artem Bityutskiy <>
Acked-by: Serge E. Hallyn <>
Acked-by: Kees Cook <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
8 years agoALSA: hda - Fix the wrong pincaps set in ALC861VD dallas/hp fixup
Takashi Iwai [Mon, 17 Dec 2012 19:06:49 +0000 (20:06 +0100)]
ALSA: hda - Fix the wrong pincaps set in ALC861VD dallas/hp fixup

commit b78562b10fa66175e30b76073e32a0ad8d92aa83 upstream.

The workaround to force VREF50 for dallas/hp model with ALC861VD
was introduced in commit 8fdcb6fe4204bdb4c6991652717ab5063751414e,
but it contained wrong pincap override bits.

This patch fixes to exclude VREF80 pincap bit correctly.

Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
8 years agoInput: walkera0701 - fix crash on startup
Peter Popovec [Sat, 15 Dec 2012 06:57:25 +0000 (22:57 -0800)]
Input: walkera0701 - fix crash on startup

commit a455e2985f57e2a71566bb8850094af38b2c932d upstream.

The driver's timer must be set up before enabling IRQ handler, otherwise
bad things may happen.

Reported-and-tested-by: Fengguang Wu <>
Signed-off-by: Peter Popovec <>
Signed-off-by: Dmitry Torokhov <>
Signed-off-by: Ben Hutchings <>
8 years agoi2400m: add Intel 6150 device IDs
Dan Williams [Fri, 14 Dec 2012 13:10:50 +0000 (13:10 +0000)]
i2400m: add Intel 6150 device IDs

commit 999a7c5776a0ed2133645fa7e008bec05bda9254 upstream.

Add device IDs for WiMAX function of Intel 6150 cards.

Signed-off-by: Dan Williams <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agofix Null pointer dereference on disk error
Xiaotian Feng [Thu, 13 Dec 2012 08:12:18 +0000 (16:12 +0800)]
fix Null pointer dereference on disk error

commit 26cd4d65deba587f3cf2329b6869ce02bcbe68ec upstream.

Following oops were observed when disk error happened:

[ 4272.896937] sd 0:0:0:0: [sda] Unhandled error code
[ 4272.896939] sd 0:0:0:0: [sda] Result: hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK
[ 4272.896942] sd 0:0:0:0: [sda] CDB: Read(10): 28 00 00 5a de a7 00 00 08 00
[ 4272.896951] end_request: I/O error, dev sda, sector 5955239
[ 4291.574947] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 4291.658305] IP: [] ahci_activity_show+0x1/0x40
[ 4291.730090] PGD 76dbbc067 PUD 6c4fba067 PMD 0
[ 4291.783408] Oops: 0000 [#1] SMP
[ 4291.822100] last sysfs file: /sys/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/sw_activity
[ 4291.934235] CPU 9
[ 4291.958301] Pid: 27942, comm: hwinfo ......

ata_scsi_find_dev could return NULL, so ata_scsi_activity_{show,store} should check if atadev is NULL.

Signed-off-by: Xiaotian Feng <>
Cc: James Bottomley <>
Signed-off-by: Jeff Garzik <>
Signed-off-by: Ben Hutchings <>
8 years agoALSA: hda - Always turn on pins for HDMI/DP
Takashi Iwai [Fri, 14 Dec 2012 09:22:35 +0000 (10:22 +0100)]
ALSA: hda - Always turn on pins for HDMI/DP

commit 6169b673618bf0b2518ce413b54925782a603f06 upstream.

We've seen the broken HDMI *video* output on some machines with GM965,
and the debugging session pointed that the culprit is the disabled
audio output pins.  Toggling these pins dynamically on demand caused
flickering of HDMI TV.

This patch changes the behavior to keep the pin ON constantly.


Signed-off-by: Takashi Iwai <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
8 years agoMIPS: Fix poweroff failure when HOTPLUG_CPU configured.
Huacai Chen [Mon, 13 Aug 2012 12:52:24 +0000 (20:52 +0800)]
MIPS: Fix poweroff failure when HOTPLUG_CPU configured.

commit 8add1ecb81f541ef2fcb0b85a5470ad9ecfb4a84 upstream.

When poweroff machine, kernel_power_off() call disable_nonboot_cpus().
And if we have HOTPLUG_CPU configured, disable_nonboot_cpus() is not an
empty function but attempt to actually disable the nonboot cpus. Since
system state is SYSTEM_POWER_OFF, play_dead() won't be called and thus
disable_nonboot_cpus() hangs. Therefore, we make this patch to avoid
poweroff failure.

Signed-off-by: Huacai Chen <>
Signed-off-by: Hongliang Tao <>
Signed-off-by: Hua Yan <>
Cc: Yong Zhang <>
Cc: Fuxin Zhang <>
Cc: Zhangjin Wu <>
Signed-off-by: Ralf Baechle <>
Signed-off-by: Ben Hutchings <>
8 years agoALSA: hda - Fix pin configuration of HP Pavilion dv7
Takashi Iwai [Thu, 13 Dec 2012 13:33:42 +0000 (14:33 +0100)]
ALSA: hda - Fix pin configuration of HP Pavilion dv7

commit 8ae5865ec77c22462c736846a0679947a6953548 upstream.

Fix the quirk entry for HP Pavilion dv7 in order to make the bass
speaker working.

Reported-and-tested-by: Tomas Pospisek <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
8 years agomtd: nand: gpmi: reset BCH earlier, too, to avoid NAND startup problems
Wolfram Sang [Wed, 5 Dec 2012 20:46:02 +0000 (21:46 +0100)]
mtd: nand: gpmi: reset BCH earlier, too, to avoid NAND startup problems

commit 6f2a6a52560ad8d85710aabd92b7a3239b3a6b07 upstream.

It could happen (1 out of 100 times) that NAND did not start up
correctly after warm rebooting, so the kernel could not find the UBI or
DMA timed out due to a stalled BCH. When resetting BCH together with
GPMI, the issue could not be observed anymore (after 10000+ reboots). We
probably need the consistent state already before sending any command to
NAND, even when no ECC is needed. I chose to keep the extra reset for
BCH when changing the flash layout to be on the safe side.

Signed-off-by: Wolfram Sang <>
Acked-by: Huang Shijie <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: Ben Hutchings <>
8 years agotarget/tcm_fc: fix the lockdep warning due to inconsistent lock state
Yi Zou [Tue, 11 Dec 2012 01:04:00 +0000 (17:04 -0800)]
target/tcm_fc: fix the lockdep warning due to inconsistent lock state

commit 9f4ad44b264f8bb61ffdd607148215566568430d upstream.

The lockdep warning below is in theory correct but it will be in really weird
rare situation that ends up that deadlock since the tcm fc session is hashed
based the rport id. Nonetheless, the complaining below is about rcu callback
that does the transport_deregister_session() is happening in softirq, where
transport_register_session() that happens earlier is not. This triggers the
lockdep warning below. So, just fix this to make lockdep happy by disabling
the soft irq before calling transport_register_session() in ft_prli.

BTW, this was found in FCoE VN2VN over two VMs, couple of create and destroy
would get this triggered.

v1: was enforcing register to be in softirq context which was not righ. See,

v2: following comments from Roland&Nick (thanks), it seems we don't have to
do transport_deregister_session() in rcu callback, so move it into ft_sess_free()
but still do kfree() of the corresponding ft_sess struct in rcu callback to
make sure the ft_sess is not freed till the rcu callback.

[ 1328.370592] scsi2 : FCoE Driver
[ 1328.383429] fcoe: No FDMI support.
[ 1328.384509] host2: libfc: Link up on port (000000)
[ 1328.934229] host2: Assigned Port ID 00a292
[ 1357.232132] host2: rport 00a393: Remove port
[ 1357.232568] host2: rport 00a393: Port sending LOGO from Ready state
[ 1357.233692] host2: rport 00a393: Delete port
[ 1357.234472] host2: rport 00a393: work event 3
[ 1357.234969] host2: rport 00a393: callback ev 3
[ 1357.235979] host2: rport 00a393: Received a LOGO response closed
[ 1357.236706] host2: rport 00a393: work delete
[ 1357.237481]
[ 1357.237631] =================================
[ 1357.238064] [ INFO: inconsistent lock state ]
[ 1357.238450] 3.7.0-rc7-yikvm+ #3 Tainted: G           O
[ 1357.238450] ---------------------------------
[ 1357.238450] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
[ 1357.238450] ksoftirqd/0/3 [HC0[0]:SC1[1]:HE0:SE0] takes:
[ 1357.238450]  (&(&se_tpg->session_lock)->rlock){+.?...}, at: [<ffffffffa01eacd4>] transport_deregister_session+0x41/0x148 [target_core_mod]
[ 1357.238450] {SOFTIRQ-ON-W} state was registered at:
[ 1357.238450]   [<ffffffff810834f5>] mark_held_locks+0x6d/0x95
[ 1357.238450]   [<ffffffff8108364a>] trace_hardirqs_on_caller+0x12d/0x197
[ 1357.238450]   [<ffffffff810836c1>] trace_hardirqs_on+0xd/0xf
[ 1357.238450]   [<ffffffff8149caba>] _raw_spin_unlock_irq+0x2d/0x45
[ 1357.238450]   [<ffffffffa01e8d10>] __transport_register_session+0xb8/0x122 [target_core_mod]
[ 1357.238450]   [<ffffffffa01e8dbe>] transport_register_session+0x44/0x5a [target_core_mod]
[ 1357.238450]   [<ffffffffa018e32c>] ft_prli+0x1e3/0x275 [tcm_fc]
[ 1357.238450]   [<ffffffffa0160e8d>] fc_rport_recv_req+0x95e/0xdc5 [libfc]
[ 1357.238450]   [<ffffffffa015be88>] fc_lport_recv_els_req+0xc4/0xd5 [libfc]
[ 1357.238450]   [<ffffffffa015c778>] fc_lport_recv_req+0x12f/0x18f [libfc]
[ 1357.238450]   [<ffffffffa015a6d7>] fc_exch_recv+0x8ba/0x981 [libfc]
[ 1357.238450]   [<ffffffffa0176d7a>] fcoe_percpu_receive_thread+0x47a/0x4e2 [fcoe]
[ 1357.238450]   [<ffffffff810549f1>] kthread+0xb1/0xb9
[ 1357.238450]   [<ffffffff814a40ec>] ret_from_fork+0x7c/0xb0
[ 1357.238450] irq event stamp: 275411
[ 1357.238450] hardirqs last  enabled at (275410): [<ffffffff810bb6a0>] rcu_process_callbacks+0x229/0x42a
[ 1357.238450] hardirqs last disabled at (275411): [<ffffffff8149c2f7>] _raw_spin_lock_irqsave+0x22/0x8e
[ 1357.238450] softirqs last  enabled at (275394): [<ffffffff8103d669>] __do_softirq+0x246/0x26f
[ 1357.238450] softirqs last disabled at (275399): [<ffffffff8103d6bb>] run_ksoftirqd+0x29/0x62
[ 1357.238450]
[ 1357.238450] other info that might help us debug this:
[ 1357.238450]  Possible unsafe locking scenario:
[ 1357.238450]
[ 1357.238450]        CPU0
[ 1357.238450]        ----
[ 1357.238450]   lock(&(&se_tpg->session_lock)->rlock);
[ 1357.238450]   <Interrupt>
[ 1357.238450]     lock(&(&se_tpg->session_lock)->rlock);
[ 1357.238450]
[ 1357.238450]  *** DEADLOCK ***
[ 1357.238450]
[ 1357.238450] no locks held by ksoftirqd/0/3.
[ 1357.238450]
[ 1357.238450] stack backtrace:
[ 1357.238450] Pid: 3, comm: ksoftirqd/0 Tainted: G           O 3.7.0-rc7-yikvm+ #3
[ 1357.238450] Call Trace:
[ 1357.238450]  [<ffffffff8149399a>] print_usage_bug+0x1f5/0x206
[ 1357.238450]  [<ffffffff8100da59>] ? save_stack_trace+0x2c/0x49
[ 1357.238450]  [<ffffffff81082aae>] ? print_irq_inversion_bug.part.14+0x1ae/0x1ae
[ 1357.238450]  [<ffffffff81083336>] mark_lock+0x106/0x258
[ 1357.238450]  [<ffffffff81084e34>] __lock_acquire+0x2e7/0xe53
[ 1357.238450]  [<ffffffff8102903d>] ? pvclock_clocksource_read+0x48/0xb4
[ 1357.238450]  [<ffffffff810ba6a3>] ? rcu_process_gp_end+0xc0/0xc9
[ 1357.238450]  [<ffffffffa01eacd4>] ? transport_deregister_session+0x41/0x148 [target_core_mod]
[ 1357.238450]  [<ffffffff81085ef1>] lock_acquire+0x119/0x143
[ 1357.238450]  [<ffffffffa01eacd4>] ? transport_deregister_session+0x41/0x148 [target_core_mod]
[ 1357.238450]  [<ffffffff8149c329>] _raw_spin_lock_irqsave+0x54/0x8e
[ 1357.238450]  [<ffffffffa01eacd4>] ? transport_deregister_session+0x41/0x148 [target_core_mod]
[ 1357.238450]  [<ffffffffa01eacd4>] transport_deregister_session+0x41/0x148 [target_core_mod]
[ 1357.238450]  [<ffffffff810bb6a0>] ? rcu_process_callbacks+0x229/0x42a
[ 1357.238450]  [<ffffffffa018ddc5>] ft_sess_rcu_free+0x17/0x24 [tcm_fc]
[ 1357.238450]  [<ffffffffa018ddae>] ? ft_sess_free+0x1b/0x1b [tcm_fc]
[ 1357.238450]  [<ffffffff810bb6d7>] rcu_process_callbacks+0x260/0x42a
[ 1357.238450]  [<ffffffff8103d55d>] __do_softirq+0x13a/0x26f
[ 1357.238450]  [<ffffffff8149b34e>] ? __schedule+0x65f/0x68e
[ 1357.238450]  [<ffffffff8103d6bb>] run_ksoftirqd+0x29/0x62
[ 1357.238450]  [<ffffffff8105c83c>] smpboot_thread_fn+0x1a5/0x1aa
[ 1357.238450]  [<ffffffff8105c697>] ? smpboot_unregister_percpu_thread+0x47/0x47
[ 1357.238450]  [<ffffffff810549f1>] kthread+0xb1/0xb9
[ 1357.238450]  [<ffffffff8149b49d>] ? wait_for_common+0xbb/0x10a
[ 1357.238450]  [<ffffffff81054940>] ? __init_kthread_worker+0x59/0x59
[ 1357.238450]  [<ffffffff814a40ec>] ret_from_fork+0x7c/0xb0
[ 1357.238450]  [<ffffffff81054940>] ? __init_kthread_worker+0x59/0x59
[ 1417.440099]  rport-2:0-0: blocked FC remote port time out: removing rport

Signed-off-by: Yi Zou <>
Cc: Open-FCoE <>
Cc: Nicholas A. Bellinger <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Ben Hutchings <>
8 years agoNFS: avoid NULL dereference in nfs_destroy_server
NeilBrown [Thu, 13 Dec 2012 04:14:36 +0000 (15:14 +1100)]
NFS: avoid NULL dereference in nfs_destroy_server

commit f259613a1e4b44a0cf85a5dafd931be96ee7c9e5 upstream.

In rare circumstances, nfs_clone_server() of a v2 or v3 server can get
an error between setting server->destory (to nfs_destroy_server), and
calling nfs_start_lockd (which will set server->nlm_host).

If this happens, nfs_clone_server will call nfs_free_server which
will call nfs_destroy_server and thence nlmclnt_done(NULL).  This
causes the NULL to be dereferenced.

So add a guard to only call nlmclnt_done() if ->nlm_host is not NULL.

The other guards there are irrelevant as nlm_host can only be non-NULL
if one of these flags are set - so remove those tests.  (Thanks to Trond
for this suggestion).

This is suitable for any stable kernel since 2.6.25.

Signed-off-by: NeilBrown <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Ben Hutchings <>
8 years agodrm/radeon: fix amd afusion gpu setup aka sumo v2
Jerome Glisse [Tue, 11 Dec 2012 16:56:52 +0000 (11:56 -0500)]
drm/radeon: fix amd afusion gpu setup aka sumo v2

commit bd25f0783dc3fb72e1e2779c2b99b2d34b67fa8a upstream.

Set the proper number of tile pipe that should be a multiple of
pipe depending on the number of se engine.


v2: Don't change sumo2

Signed-off-by: Jerome Glisse <>
Reviewed-by: Alex Deucher <>
[bwh: Backported to 3.2: don't define/use *_GB_ADDR_CONFIG_GOLDEN]
Signed-off-by: Ben Hutchings <>
8 years agoALSA: hda - Add stereo-dmic fixup for Acer Aspire One 522
Takashi Iwai [Wed, 12 Dec 2012 11:10:01 +0000 (12:10 +0100)]
ALSA: hda - Add stereo-dmic fixup for Acer Aspire One 522

commit 63a077e27648b4043b1ca1b4e29f0c42d99616b6 upstream.

Acer Aspire One 522 has the infamous digital mic unit that needs the
phase inversion fixup for stereo.


Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
8 years agosolos-pci: fix double-free of TX skb in DMA mode
David Woodhouse [Tue, 11 Dec 2012 14:57:14 +0000 (14:57 +0000)]
solos-pci: fix double-free of TX skb in DMA mode

commit cae49ede00ec3d0cda290b03fee55b72b49efc11 upstream.

We weren't clearing card->tx_skb[port] when processing the TX done interrupt.
If there wasn't another skb ready to transmit immediately, this led to a
double-free because we'd free it *again* next time we did have a packet to

Signed-off-by: David Woodhouse <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
8 years agox86, 8042: Enable A20 using KBC to fix S3 resume on some MSI laptops
Ondrej Zary [Tue, 11 Dec 2012 21:18:05 +0000 (22:18 +0100)]
x86, 8042: Enable A20 using KBC to fix S3 resume on some MSI laptops

commit ad68652412276f68ad4fe3e1ecf5ee6880876783 upstream.

Some MSI laptop BIOSes are broken - INT 15h code uses port 92h to enable A20
line but resume code assumes that KBC was used.
The laptop will not resume from S3 otherwise but powers off after a while
and then powers on again stuck with a blank screen.

Fix it by enabling A20 using KBC in i8042_platform_init for x86.


Signed-off-by: Ondrej Zary <>
Cc: Dmitry Torokhov <>
Cc: Alan Cox <>
Cc: Rafael J. Wysocki <>
Signed-off-by: H. Peter Anvin <>
Signed-off-by: Ben Hutchings <>
8 years agomm: dmapool: use provided gfp flags for all dma_alloc_coherent() calls
Marek Szyprowski [Wed, 7 Nov 2012 14:37:07 +0000 (15:37 +0100)]
mm: dmapool: use provided gfp flags for all dma_alloc_coherent() calls

commit 387870f2d6d679746020fa8e25ef786ff338dc98 upstream.

dmapool always calls dma_alloc_coherent() with GFP_ATOMIC flag,
regardless the flags provided by the caller. This causes excessive
pruning of emergency memory pools without any good reason. Additionaly,
on ARM architecture any driver which is using dmapools will sooner or
later  trigger the following error:
"ERROR: 256 KiB atomic DMA coherent pool is too small!
Please increase it with coherent_pool= kernel parameter!".
Increasing the coherent pool size usually doesn't help much and only
delays such error, because all GFP_ATOMIC DMA allocations are always
served from the special, very limited memory pool.

This patch changes the dmapool code to correctly use gfp flags provided
by the dmapool caller.

Reported-by: Soeren Moch <>
Reported-by: Thomas Petazzoni <>
Signed-off-by: Marek Szyprowski <>
Tested-by: Andrew Lunn <>
Tested-by: Soeren Moch <>
Signed-off-by: Ben Hutchings <>
8 years agoiwlwifi: don't handle masked interrupt
Emmanuel Grumbach [Wed, 28 Nov 2012 08:51:34 +0000 (10:51 +0200)]
iwlwifi: don't handle masked interrupt

commit 25a172655f837bdb032e451f95441bb4acec51bb upstream.

This can lead to a panic if the driver isn't ready to
handle them. Since our interrupt line is shared, we can get
an interrupt at any time (and CONFIG_DEBUG_SHIRQ checks
that even when the interrupt is being freed).

If the op_mode has gone away, we musn't call it. To avoid
this the transport disables the interrupts when the hw is
stopped and the op_mode is leaving.
If there is an event that would cause an interrupt the INTA
register is updated regardless of the enablement of the
interrupts: even if the interrupts are disabled, the INTA
will be changed, but the device won't issue an interrupt.
But the ISR can be called at any time, so we ought ignore
the value in the INTA otherwise we can call the op_mode
after it was freed.

I found this bug when the op_mode_start failed, and called
iwl_trans_stop_hw(trans, true). Then I played with the
RFKILL button, and removed the module.
While removing the module, the IRQ is freed, and the ISR is
called (CONFIG_DEBUG_SHIRQ enabled). Panic.

Signed-off-by: Emmanuel Grumbach <>
Reviewed-by: Gregory Greenman <>
Signed-off-by: Johannes Berg <>
[bwh: Backported to 3.2:
 - Adjust context
 - Pass bus(trans), not trans, to iwl_{read,write}32()]
Signed-off-by: Ben Hutchings <>
8 years agonfsd: avoid permission checks on EXCLUSIVE_CREATE replay
Neil Brown [Fri, 7 Dec 2012 20:40:55 +0000 (15:40 -0500)]
nfsd: avoid permission checks on EXCLUSIVE_CREATE replay

commit 7007c90fb9fef593b4aeaeee57e6a6754276c97c upstream.

With NFSv4, if we create a file then open it we explicit avoid checking
the permissions on the file during the open because the fact that we
created it ensures we should be allow to open it (the create and the
open should appear to be a single operation).

However if the reply to an EXCLUSIVE create gets lots and the client
resends the create, the current code will perform the permission check -
because it doesn't realise that it did the open already..

This patch should fix this.

Note that I haven't actually seen this cause a problem.  I was just
looking at the code trying to figure out a different EXCLUSIVE open
related issue, and this looked wrong.

(Fix confirmed with pynfs 4.0 test OPEN4--bfields)

Signed-off-by: NeilBrown <>
[bfields: use OWNER_OVERRIDE and update for 4.1]
Signed-off-by: J. Bruce Fields <>
[bwh: Backported to 3.2:
 - Adjust context
 - Use current_fh as file handle in do_open_lookup()]
Signed-off-by: Ben Hutchings <>