10 years agoUSB: serial: fix console error reporting
Johan Hovold [Fri, 10 Feb 2012 12:20:49 +0000 (13:20 +0100)]
USB: serial: fix console error reporting

commit 548dd4b6da8a8e428453d55f7fa7b8a46498d147 upstream.

Do not report errors in write path if port is used as a console as this
may trigger the same error (and error report) resulting in a loop.

Reported-by: Stephen Hemminger <>
Signed-off-by: Johan Hovold <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoTTY: Wrong unicode value copied in con_set_unimap()
Liz Clark [Thu, 15 Mar 2012 17:33:29 +0000 (10:33 -0700)]
TTY: Wrong unicode value copied in con_set_unimap()

commit 4a4c61b7ce26bfc9d49ea4bd121d52114bad9f99 upstream.

Bugzilla 40012: PIO_UNIMAP bug: error updating Unicode-to-font map

The unicode font map for the virtual console is a 32x32x64 table which
allocates rows dynamically as entries are added.  The unicode value
increases sequentially and should count all entries even in empty
rows.  The defect is when copying the unicode font map in con_set_unimap(),
the unicode value is not incremented properly.  The wrong unicode value
is entered in the new font map.

Signed-off-by: Liz Clark <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agotty: moxa: fix bit test in moxa_start()
Dan Carpenter [Wed, 7 Mar 2012 10:05:00 +0000 (13:05 +0300)]
tty: moxa: fix bit test in moxa_start()

commit 58112dfbfe02d803566a2c6c8bd97b5fa3c62cdc upstream.

This is supposed to be doing a shift before the comparison instead of
just doing a bitwise AND directly.  The current code means the start()
just returns without doing anything.

Signed-off-by: Dan Carpenter <>
Acked-by: Jiri Slaby <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agosysfs: Fix memory leak in sysfs_sd_setsecdata().
Masami Ichikawa [Mon, 20 Feb 2012 22:43:50 +0000 (07:43 +0900)]
sysfs: Fix memory leak in sysfs_sd_setsecdata().

commit 93518dd2ebafcc761a8637b2877008cfd748c202 upstream.

This patch fixies follwing two memory leak patterns that reported by kmemleak.
sysfs_sd_setsecdata() is called during sys_lsetxattr() operation.
It checks sd->s_iattr is NULL or not. Then if it is NULL, it calls
sysfs_init_inode_attrs() to allocate memory.
That code is this.

iattrs = sd->s_iattr;
if (!iattrs)
                iattrs = sysfs_init_inode_attrs(sd);

The iattrs recieves sysfs_init_inode_attrs()'s result,  but sd->s_iattr
doesn't know the address. so it needs to set correct address to
sd->s_iattr to free memory in other function.

unreferenced object 0xffff880250b73e60 (size 32):
  comm "systemd", pid 1, jiffies 4294683888 (age 94.553s)
  hex dump (first 32 bytes):
    73 79 73 74 65 6d 5f 75 3a 6f 62 6a 65 63 74 5f  system_u:object_
    72 3a 73 79 73 66 73 5f 74 3a 73 30 00 00 00 00  r:sysfs_t:s0....
    [<ffffffff814cb1d0>] kmemleak_alloc+0x73/0x98
    [<ffffffff811270ab>] __kmalloc+0x100/0x12c
    [<ffffffff8120775a>] context_struct_to_string+0x106/0x210
    [<ffffffff81207cc1>] security_sid_to_context_core+0x10b/0x129
    [<ffffffff812090ef>] security_sid_to_context+0x10/0x12
    [<ffffffff811fb0da>] selinux_inode_getsecurity+0x7d/0xa8
    [<ffffffff811fb127>] selinux_inode_getsecctx+0x22/0x2e
    [<ffffffff811f4d62>] security_inode_getsecctx+0x16/0x18
    [<ffffffff81191dad>] sysfs_setxattr+0x96/0x117
    [<ffffffff811542f0>] __vfs_setxattr_noperm+0x73/0xd9
    [<ffffffff811543d9>] vfs_setxattr+0x83/0xa1
    [<ffffffff811544c6>] setxattr+0xcf/0x101
    [<ffffffff81154745>] sys_lsetxattr+0x6a/0x8f
    [<ffffffff814efda9>] system_call_fastpath+0x16/0x1b
    [<ffffffffffffffff>] 0xffffffffffffffff
unreferenced object 0xffff88024163c5a0 (size 96):
  comm "systemd", pid 1, jiffies 4294683888 (age 94.553s)
  hex dump (first 32 bytes):
    00 00 00 00 ed 41 00 00 00 00 00 00 00 00 00 00  .....A..........
    00 00 00 00 00 00 00 00 0c 64 42 4f 00 00 00 00  .........dBO....
    [<ffffffff814cb1d0>] kmemleak_alloc+0x73/0x98
    [<ffffffff81127402>] kmem_cache_alloc_trace+0xc4/0xee
    [<ffffffff81191cbe>] sysfs_init_inode_attrs+0x2a/0x83
    [<ffffffff81191dd6>] sysfs_setxattr+0xbf/0x117
    [<ffffffff811542f0>] __vfs_setxattr_noperm+0x73/0xd9
    [<ffffffff811543d9>] vfs_setxattr+0x83/0xa1
    [<ffffffff811544c6>] setxattr+0xcf/0x101
    [<ffffffff81154745>] sys_lsetxattr+0x6a/0x8f
    [<ffffffff814efda9>] system_call_fastpath+0x16/0x1b
    [<ffffffffffffffff>] 0xffffffffffffffff

Signed-off-by: Masami Ichikawa <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agofutex: Cover all PI opcodes with cmpxchg enabled check
Thomas Gleixner [Wed, 15 Feb 2012 11:08:34 +0000 (12:08 +0100)]
futex: Cover all PI opcodes with cmpxchg enabled check

commit 59263b513c11398cd66a52d4c5b2b118ce1e0359 upstream.

Some of the newer futex PI opcodes do not check the cmpxchg enabled
variable and call unconditionally into the handling functions. Cover
all PI opcodes in a separate check.

Signed-off-by: Thomas Gleixner <>
Cc: Peter Zijlstra <>
Cc: Darren Hart <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoUSB: gadget: Make g_hid device class conform to spec.
Orjan Friberg [Wed, 7 Mar 2012 16:16:14 +0000 (17:16 +0100)]
USB: gadget: Make g_hid device class conform to spec.

commit 33d2832ab0149a26418d360af3c444969a63fb28 upstream.

HID devices should specify this in their interface descriptors, not in the
device descriptor. This fixes a "missing hardware id" bug under Windows 7 with
a VIA VL800 (3.0) controller.

Signed-off-by: Orjan Friberg <>
Cc: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agousb: gadgetfs: return number of bytes on ep0 read request
Thomas Faber [Fri, 2 Mar 2012 08:41:50 +0000 (09:41 +0100)]
usb: gadgetfs: return number of bytes on ep0 read request

commit 85b4b3c8c189e0159101f7628a71411af072ff69 upstream.

A read from GadgetFS endpoint 0 during the data stage of a control
request would always return 0 on success (as returned by
wait_event_interruptible) despite having written data into the user
This patch makes it correctly set the return value to the number of
bytes read.

Signed-off-by: Thomas Faber <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agousb: renesas_usbhs: bugfix: add .release function to gpriv->
Kuninori Morimoto [Tue, 21 Feb 2012 01:35:50 +0000 (17:35 -0800)]
usb: renesas_usbhs: bugfix: add .release function to gpriv->

commit 3b2a2e47174cd978258bbb0fdf2e2b1b5ec2144c upstream.

This patch fixup below warning on device_unregister()

renesas_usbhs renesas_usbhs.1: host probed
renesas_usbhs renesas_usbhs.1: gadget probed
renesas_usbhs renesas_usbhs.1: irq request err
------------[ cut here ]------------
WARNING: at ${LINUX}/drivers/base/core.c:1)
Device 'gadget' does not have a release() function, it is broken and must be fi.
Modules linked in:
[<c000e25c>] (unwind_backtrace+0x0/0xe4) from [<c0016960>] (warn_slowpath_commo)
[<c0016960>] (warn_slowpath_common+0x4c/0x64) from [<c00169f8>] (warn_slowpath_)
[<c00169f8>] (warn_slowpath_fmt+0x2c/0x3c) from [<c0185b80>] (device_release+0x)
[<c0185b80>] (device_release+0x70/0x84) from [<c013e300>] (kobject_cleanup+0x58)
[<c013e300>] (kobject_cleanup+0x58/0x6c) from [<c01cba14>] (usbhs_mod_gadget_re)
[<c01cba14>] (usbhs_mod_gadget_remove+0x3c/0x6c) from [<c01c8384>] (usbhs_mod_p)
[<c01c8384>] (usbhs_mod_probe+0x68/0x80) from [<c01c7f84>] (usbhs_probe+0x1cc/0)

Signed-off-by: Kuninori Morimoto <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agousb: musb: Reselect index reg in interrupt context
Supriya Karanth [Fri, 17 Feb 2012 09:24:52 +0000 (14:54 +0530)]
usb: musb: Reselect index reg in interrupt context

commit 39287076e46d2c19aaceaa6f0a44168ae4d257ec upstream.

musb INDEX register is getting modified/corrupted during temporary
un-locking in a SMP system. Set this register with proper value
after re-acquiring the lock

CPU1 is handling a data transfer completion interrupt received for
CPU2 is handling a CLASS2 thread which is queuing data to musb for

Below is the error sequence:

         CPU1                   |             CPU2
Data transfer completion inter- |
rupt recieved.                  |
musb INDEX reg set to CLASS1 EP |
musb LOCK is acquired.          |
                                | CLASS2 thread queues data.
                                | CLASS2 thread tries to acquire musb
                                | LOCK but lock is already taken by
                                | CLASS1, so CLASS2 thread is
                                | spinning.
From Interrupt Context musb     |
giveback function is called     |
The giveback function releases  | CLASS2 thread now acquires LOCK
LOCK                            |
ClASS1 Request's completion cal-| ClASS2 schedules the data transfer and
lback is called                 | sets the MUSB INDEX to Class2 EP number
Interrupt handler for CLASS1 EP |
tries to acquire LOCK and is    |
spinning                        |
Interrupt for Class1 EP acquires| Class2 completes the scheduling etc and
the MUSB LOCK                   | releases the musb LOCK
Interrupt for Class1 EP schedul-|
es the next data transfer       |
but musb INDEX register is still|
set to CLASS2 EP                |

Since the MUSB INDEX register is set to a different endpoint, we
read and modify the wrong registers. Hence data transfer will not
happen properly. This results in unpredictable behavior

So, the MUSB INDEX register is set to proper value again when
interrupt re-acquires the lock

Signed-off-by: Supriya Karanth <>
Signed-off-by: Praveena Nadahally <>
Reviewed-by: srinidhi kasagar <>
Signed-off-by: Felipe Balbi <>
10 years agousb: dwc3: use proper function for setting endpoint name
Anton Tikhomirov [Thu, 23 Feb 2012 06:38:46 +0000 (15:38 +0900)]
usb: dwc3: use proper function for setting endpoint name

commit 27a78d6a283d6782438f72306746afe4bf44c215 upstream.

It's wrong to use the size of array as an argument for strncat.
Memory corruption is possible. strlcat is exactly what we need here.

Signed-off-by: Anton Tikhomirov <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agousb: dwc3: fix bogus test in dwc3_gadget_start_isoc
Paul Zimmerman [Fri, 17 Feb 2012 22:10:16 +0000 (14:10 -0800)]
usb: dwc3: fix bogus test in dwc3_gadget_start_isoc

commit 9bafa56c7cee5c6fa68de5924220abb220c7e229 upstream.

Zero is a valid value for a microframe number. So remove the bogus
test for non-zero in dwc3_gadget_start_isoc().

Signed-off-by: Paul Zimmerman <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agostaging: r8712u: Fix regression in signal level after commit c6dc001
Larry Finger [Mon, 27 Feb 2012 04:08:36 +0000 (22:08 -0600)]
staging: r8712u: Fix regression in signal level after commit c6dc001

commit da3e6ec2f443ac00aa623c5921e3521f5f38efe4 upstream.

In commit c6dc001 "staging: r8712u: Merging Realtek's latest (v2.6.6).
Various fixes", the returned qual.qual member of the iw_statistics
struct was changed. For strong signals, this change made no difference;
however for medium and weak signals it results in a low signal that
shows considerable fluctuation, When using wicd for a medium-strength
AP, the value reported in the status line is reduced from 100% to 60% by
this bug.

This problem is reported in

Reported-and-tested-by: Robert Crawford <>
Signed-off-by: Larry Finger <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agostaging: r8712u: Fix regression introduced by commit a5ee652
Larry Finger [Sun, 26 Feb 2012 00:10:20 +0000 (18:10 -0600)]
staging: r8712u: Fix regression introduced by commit a5ee652

commit 9f4bc8cf3fe750ed093856a5f5d41c11cc12ad22 upstream.

In commit a5ee652 "staging: r8712u: Interface-state not fully tracked",
the private boolean "bup" was set false when the interface was brought down,
as that seemed appropriate. This change has not caused any problems when
using NetworkManager or manual control of the device; however, when wicd
control is used, there is a locking problem in wpa_supplicant, as shown in

This fix reverts the only code change in commit a5ee652. My
analysis is that "bup" is badly named. In its present form, it
seems to indicate the up/down state of the device, but its usage
is more consistent with an initialized/uninitialized state. That
problem will be addressed in a later patch.

Note: Commit 8c213fa, which introdued asynchronous firmware loading
for this driver, exposed this bug to a greater extent. That bug
is addressed in the next patch in this series.

This bug is also responsible for the bug in and this bug is
also part of the problems discussed at

Tested-by: Alberto Lago Ballesteros <>
Tested-by: Adrian <>
Signed-off-by: Larry Finger <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agostaging: r8712u: Add missing initialization and remove configuration parameter CONFIG...
Larry Finger [Thu, 9 Feb 2012 22:37:17 +0000 (16:37 -0600)]
staging: r8712u: Add missing initialization and remove configuration parameter CONFIG_R8712_AP

commit 073863432f7eaa23c7c09733414d4be2eabf5eef upstream.

When this driver was upgraded to the vendor 20100831 version in
commit 93c55dda092c7 et al,, one listhead initialization was missed.
This broke complete operation of the driver whenever AP mode was
enabled. This fixes

The configuration parameter R8712_AP is misleading as the driver cannot
function as an AP without a heavily hacked version of hostapd. Thus, it
makes sense to remove the parameter; however the code and data configured
for the option is left in.

Signed-off-by: Larry Finger <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agopowerpc/usb: fix bug of kernel hang when initializing usb
Shengzhou Liu [Thu, 16 Feb 2012 10:02:20 +0000 (18:02 +0800)]
powerpc/usb: fix bug of kernel hang when initializing usb

commit 28c56ea1431421dec51b7b229369e991481453df upstream.

If USB UTMI PHY is not enable, writing to portsc register will lead to
kernel hang during boot up.

Signed-off-by: Shengzhou Liu <>
Reported-by: Benjamin Herrenschmidt <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoUSB: ftdi_sio: new PID: LUMEL PD12
Michał Wróbel [Thu, 15 Mar 2012 16:24:04 +0000 (17:24 +0100)]
USB: ftdi_sio: new PID: LUMEL PD12

commit 57e596f3af88ef52dea9640ed5e34ecd38893a02 upstream.

Signed-off-by: Michał Wróbel <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoUSB: ftdi_sio: add support for FT-X series devices
Jim Paris [Wed, 14 Mar 2012 21:54:25 +0000 (17:54 -0400)]
USB: ftdi_sio: add support for FT-X series devices

commit dc0827c128c0ee5a58b822b99d662b59f4b8e970 upstream.

Add PID 0x6015, corresponding to the new series of FT-X chips
(FT220XD, FT201X, FT220X, FT221X, FT230X, FT231X, FT240X).  They all
appear as serial devices, and seem indistinguishable except for the
default product string stored in their EEPROM.  The baudrate
generation matches FT232RL devices.

Tested with a FT201X and FT230X at various baudrates (100 - 3000000).

Sample dmesg:
    ftdi_sio: v1.6.0:USB FTDI Serial Converters Driver
    usb 2-1: new full-speed USB device number 6 using ohci_hcd
    usb 2-1: New USB device found, idVendor=0403, idProduct=6015
    usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
    usb 2-1: Product: FT230X USB Half UART
    usb 2-1: Manufacturer: FTDI
    usb 2-1: SerialNumber: DC001WI6
    ftdi_sio 2-1:1.0: FTDI USB Serial Device converter detected
    drivers/usb/serial/ftdi_sio.c: ftdi_sio_port_probe
    drivers/usb/serial/ftdi_sio.c: ftdi_determine_type: bcdDevice = 0x1000, bNumInterfaces = 1
    usb 2-1: Detected FT-X
    usb 2-1: Number of endpoints 2
    usb 2-1: Endpoint 1 MaxPacketSize 64
    usb 2-1: Endpoint 2 MaxPacketSize 64
    usb 2-1: Setting MaxPacketSize 64
    drivers/usb/serial/ftdi_sio.c: read_latency_timer
    drivers/usb/serial/ftdi_sio.c: write_latency_timer: setting latency timer = 1
    drivers/usb/serial/ftdi_sio.c: create_sysfs_attrs
    drivers/usb/serial/ftdi_sio.c: sysfs attributes for FT-X
    usb 2-1: FTDI USB Serial Device converter now attached to ttyUSB0

Signed-off-by: Jim Paris <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoUSB: ftdi_sio: new PID: Distortec JTAG-lock-pick
Michał Wróbel [Fri, 9 Mar 2012 13:40:18 +0000 (14:40 +0100)]
USB: ftdi_sio: new PID: Distortec JTAG-lock-pick

commit 47594d5528f28a4c025c2955c68104c75815637c upstream.

Signed-off-by: Michał Wróbel <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoUSB: Microchip VID mislabeled as Hornby VID in ftdi_sio.
Bruno Thomsen [Sun, 4 Mar 2012 14:19:14 +0000 (15:19 +0100)]
USB: Microchip VID mislabeled as Hornby VID in ftdi_sio.

commit c1cee1d84001815a1b4321c49b995254c0df3100 upstream.

Microchip VID (0x04d8) was mislabeled as Hornby VID according to USB-IDs.

A Full Speed USB Demo Board PID (0x000a) was mislabeled as
Hornby Elite (an Digital Command Controller Console for model railways).

Most likely the Hornby based their design on
PIC18F87J50 Full Speed USB Demo Board.

Signed-off-by: Bruno Thomsen <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoUSB: ftdi_sio: add support for BeagleBone rev A5+
Peter Korsgaard [Wed, 29 Feb 2012 09:05:37 +0000 (10:05 +0100)]
USB: ftdi_sio: add support for BeagleBone rev A5+

commit 444aa7fa9bd752d19ce472d3e02558b987c3cc67 upstream.

BeagleBone changed to the default FTDI 0403:6010 id in rev A5 to make life
easier for Windows users, so we need a similar workaround as the Calao
board to support it.

Signed-off-by: Peter Korsgaard <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoUSB: ftdi_sio: fix problem when the manufacture is a NULL string
Greg Kroah-Hartman [Tue, 28 Feb 2012 17:20:09 +0000 (09:20 -0800)]
USB: ftdi_sio: fix problem when the manufacture is a NULL string

commit 656d2b3964a9d0f9864d472f8dfa2dd7dd42e6c0 upstream.

On some misconfigured ftdi_sio devices, if the manufacturer string is
NULL, the kernel will oops when the device is plugged in.  This patch
fixes the problem.

Reported-by: Wojciech M Zabolotny <>
Tested-by: Wojciech M Zabolotny <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agostaging: zcache: avoid AB-BA deadlock condition
Andrea Righi [Mon, 20 Feb 2012 12:11:49 +0000 (13:11 +0100)]
staging: zcache: avoid AB-BA deadlock condition

commit cfbc6a92212e74b07aa76c9e2f20c542e36077fb upstream.

Commit 9256a47 fixed a deadlock condition, being sure that the buddy
list spinlock is always taken before the page spinlock.

However in zbud_free_and_delist() locking order is the opposite
(page lock -> list lock).

Possible unsafe locking scenario (reported by lockdep):

        CPU0                    CPU1
        ----                    ----

Fix by grabbing the locks in opposite order in zbud_free_and_delist().

Signed-off-by: Andrea Righi <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoUSB: option: add ZTE MF820D
Bjørn Mork [Fri, 16 Mar 2012 14:41:26 +0000 (15:41 +0100)]
USB: option: add ZTE MF820D

commit 5889d3d4209c1050b4a3c96c41faf6c0976a4acf upstream.

This device presents a total of 5 interfaces with ff/ff/ff
class/subclass/protocol. The last one of these is verified
to be a QMI/wwan combined interface which should be handled
by the qmi_wwan driver, so we blacklist it here.

Signed-off-by: Bjørn Mork <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoUSB: option: make interface blacklist work again
Bjørn Mork [Fri, 16 Mar 2012 11:56:44 +0000 (12:56 +0100)]
USB: option: make interface blacklist work again

commit 963940cf472d76eca2d36296e461202cc6997352 upstream.

commit 0d905fd "USB: option: convert Huawei K3765, K4505, K4605
reservered interface to blacklist" accidentally ANDed two
blacklist tests by leaving out a return.  This was not noticed
because the two consecutive bracketless if statements made it
syntactically correct.

Signed-off-by: Bjørn Mork <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoUSB: option driver: adding support for Telit CC864-SINGLE, CC864-DUAL and DE910-DUAL...
Daniele Palmas [Wed, 29 Feb 2012 14:32:05 +0000 (15:32 +0100)]
USB: option driver: adding support for Telit CC864-SINGLE, CC864-DUAL and DE910-DUAL modems

commit 7204cf584836c24b4b06e4ad4a8e6bb8ea84908e upstream.

Adding PID for Telit CC864-SINGLE, CC864-DUAL and DE910-DUAL

Signed-off-by: Daniele Palmas <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoUSB: option: Add MediaTek MT6276M modem&app interfaces
Meng Zhang [Mon, 27 Feb 2012 07:24:19 +0000 (08:24 +0100)]
USB: option: Add MediaTek MT6276M modem&app interfaces

commit 0d8520a1d7f43328bc7085d4244d93c595064157 upstream.

Add MEDIATEK products to Option driver

Signed-off-by: Meng Zhang <>
Signed-off-by: Matthias Urlichs <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoLinux 3.2.13 v3.2.13
Greg Kroah-Hartman [Fri, 23 Mar 2012 20:54:45 +0000 (13:54 -0700)]
Linux 3.2.13

10 years agopowerpc/pmac: Fix SMP kernels on pre-core99 UP machines
Benjamin Herrenschmidt [Fri, 9 Dec 2011 04:06:18 +0000 (15:06 +1100)]
powerpc/pmac: Fix SMP kernels on pre-core99 UP machines

commit 78c5c68a4cf4329d17abfa469345ddf323d4fd62 upstream.

The code for "powersurge" SMP would kick in and cause a crash
at boot due to the lack of a NULL test.

Signed-off-by: Benjamin Herrenschmidt <>
Signed-off-by: Jeremy Kerr <>
Reported-by: Adam Conrad <>
Tested-by: Adam Conrad <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoiwl3945: fix possible il->txq NULL pointer dereference in delayed works
Stanislaw Gruszka [Thu, 8 Mar 2012 12:16:01 +0000 (13:16 +0100)]
iwl3945: fix possible il->txq NULL pointer dereference in delayed works

commit 210787e82a0ac1ffb5d7be1c796f0c51050849ad upstream.

On il3945_down procedure we free tx queue data and nullify il->txq
pointer. After that we drop mutex and then cancel delayed works. There
is possibility, that after drooping mutex and before the cancel, some
delayed work will start and crash while trying to send commands to
the device. For example, here is reported crash in

Patch fix problem by adding il->txq check on works that send commands,
hence utilize tx queue.

Reported-by: Clemens Eisserer <>
Signed-off-by: Stanislaw Gruszka <>
Signed-off-by: John W. Linville <>
10 years agoipv6: Don't dev_hold(dev) in ip6_mc_find_dev_rcu.
RongQing.Li [Thu, 15 Mar 2012 22:54:14 +0000 (22:54 +0000)]
ipv6: Don't dev_hold(dev) in ip6_mc_find_dev_rcu.

[ Upstream commit c577923756b7fe9071f28a76b66b83b306d1d001 ]

ip6_mc_find_dev_rcu() is called with rcu_read_lock(), so don't
need to dev_hold().
With dev_hold(), not corresponding dev_put(), will lead to leak.

[ bug introduced in 96b52e61be1 (ipv6: mcast: RCU conversions) ]

Signed-off-by: RongQing.Li <>
Acked-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agotcp: fix syncookie regression
Eric Dumazet [Sat, 10 Mar 2012 09:20:21 +0000 (09:20 +0000)]
tcp: fix syncookie regression

[ Upstream commit dfd25ffffc132c00070eed64200e8950da5d7e9d ]

commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit())
added a serious regression on synflood handling.

Simon Kirby discovered a successful connection was delayed by 20 seconds
before being responsive.

In my tests, I discovered that xmit frames were lost, and needed ~4
retransmits and a socket dst rebuild before being really sent.

In case of syncookie initiated connection, we use a different path to
initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared.

As ip_queue_xmit() now depends on inet flow being setup, fix this by
copying the temp flowi4 we use in cookie_v4_check().

Reported-by: Simon Kirby <>
Bisected-by: Simon Kirby <>
Signed-off-by: Eric Dumazet <>
Tested-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoperf tools: Use scnprintf where applicable
Arnaldo Carvalho de Melo [Wed, 14 Mar 2012 15:29:29 +0000 (12:29 -0300)]
perf tools: Use scnprintf where applicable

commit e7f01d1e3d8d501deb8abeaa269d5d48a703b8b0 upstream.

Several places were expecting that the value returned was the number of
characters printed, not what would be printed if there was space.

Fix it by using the scnprintf and vscnprintf variants we inherited from
the kernel sources.

Some corner cases where the number of printed characters were not
accounted were fixed too.

Reported-by: Anton Blanchard <>
Cc: Anton Blanchard <>
Cc: Eric B Munson <>
Cc: David Ahern <>
Cc: Frederic Weisbecker <>
Cc: Mike Galbraith <>
Cc: Paul Mackerras <>
Cc: Peter Zijlstra <>
Cc: Stephane Eranian <>
Cc: Yanmin Zhang <>
Signed-off-by: Arnaldo Carvalho de Melo <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoperf tools: Incorrect use of snprintf results in SEGV
Anton Blanchard [Wed, 7 Mar 2012 00:42:49 +0000 (11:42 +1100)]
perf tools: Incorrect use of snprintf results in SEGV

commit b832796caa1fda8516464a003c8c7cc547bc20c2 upstream.

I have a workload where perf top scribbles over the stack and we SEGV.
What makes it interesting is that an snprintf is causing this.

The workload is a c++ gem that has method names over 3000 characters
long, but snprintf is designed to avoid overrunning buffers. So what
went wrong?

The problem is we assume snprintf returns the number of characters

    ret += repsep_snprintf(bf + ret, size - ret, "[%c] ", self->level);
    ret += repsep_snprintf(bf + ret, size - ret, "%s", self->ms.sym->name);

Unfortunately this is not how snprintf works. snprintf returns the
number of characters that would have been written if there was enough
space. In the above case, if the first snprintf returns a value larger
than size, we pass a negative size into the second snprintf and happily
scribble over the stack. If you have 3000 character c++ methods thats a
lot of stack to trample.

This patch fixes repsep_snprintf by clamping the value at size - 1 which
is the maximum snprintf can write before adding the NULL terminator.

I get the sinking feeling that there are a lot of other uses of snprintf
that have this same bug, we should audit them all.

Cc: David Ahern <>
Cc: Eric B Munson <>
Cc: Frederic Weisbecker <>
Cc: Ingo Molnar <>
Cc: Paul Mackerras <>
Cc: Peter Zijlstra <>
Cc: Yanmin Zhang <>
Signed-off-by: Anton Blanchard <>
Signed-off-by: Arnaldo Carvalho de Melo <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoafs: Remote abort can cause BUG in rxrpc code
Anton Blanchard [Fri, 16 Mar 2012 10:28:19 +0000 (10:28 +0000)]
afs: Remote abort can cause BUG in rxrpc code

commit c0173863528a8c9212c53e080d63a1aaae5ef4f4 upstream.

When writing files to afs I sometimes hit a BUG:

kernel BUG at fs/afs/rxrpc.c:179!

With a backtrace of:


The cause is:


Looking at a tcpdump of the session the abort happens because we
are exceeding our disk quota:

rx abort fs reply store-data error diskquota exceeded (32)

So the abort error is valid. We hit the BUG because we haven't
freed all the resources for the call.

By freeing any skbs in call->rx_queue before calling afs_free_call
we avoid hitting leaking memory and avoid hitting the BUG.

Signed-off-by: Anton Blanchard <>
Signed-off-by: David Howells <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoafs: Read of file returns EBADMSG
Anton Blanchard [Fri, 16 Mar 2012 10:28:07 +0000 (10:28 +0000)]
afs: Read of file returns EBADMSG

commit 2c724fb92732c0b2a5629eb8af74e82eb62ac947 upstream.

A read of a large file on an afs mount failed:

# cat junk.file > /dev/null
cat: junk.file: Bad message

Looking at the trace, call->offset wrapped since it is only an
unsigned short. In afs_extract_data:

        _enter("{%u},{%zu},%d,,%zu", call->offset, len, last, count);

        if (call->offset < count) {
                if (last) {
                        _leave(" = -EBADMSG [%d < %zu]", call->offset, count);
                        return -EBADMSG;

Which matches the trace:

[cat   ] ==> afs_extract_data({65132},{524},1,,65536)
[cat   ] <== afs_extract_data() = -EBADMSG [0 < 65536]

call->offset went from 65132 to 0. Fix this by making call->offset an
unsigned int.

Signed-off-by: Anton Blanchard <>
Signed-off-by: David Howells <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agonilfs2: fix NULL pointer dereference in nilfs_load_super_block()
Ryusuke Konishi [Sat, 17 Mar 2012 00:08:39 +0000 (17:08 -0700)]
nilfs2: fix NULL pointer dereference in nilfs_load_super_block()

commit d7178c79d9b7c5518f9943188091a75fc6ce0675 upstream.

According to the report from Slicky Devil, nilfs caused kernel oops at
nilfs_load_super_block function during mount after he shrank the
partition without resizing the filesystem:

 BUG: unable to handle kernel NULL pointer dereference at 00000048
 IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
 *pde = 00000000
 Oops: 0000 [#1] PREEMPT SMP
 Call Trace:
  [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
  [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
  [<c0226636>] mount_fs+0x36/0x180
  [<c023d961>] vfs_kern_mount+0x51/0xa0
  [<c023ddae>] do_kern_mount+0x3e/0xe0
  [<c023f189>] do_mount+0x169/0x700
  [<c023fa9b>] sys_mount+0x6b/0xa0
  [<c04abd1f>] sysenter_do_call+0x12/0x28
 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
 EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
 CR2: 0000000000000048

This turned out due to a defect in an error path which runs if the
calculated location of the secondary super block was invalid.

This patch fixes it and eliminates the reported oops.

Reported-by: Slicky Devil <>
Signed-off-by: Ryusuke Konishi <>
Tested-by: Slicky Devil <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoLinux 3.2.12 v3.2.12
Greg Kroah-Hartman [Mon, 19 Mar 2012 16:03:17 +0000 (09:03 -0700)]
Linux 3.2.12

10 years agohwmon: (zl6100) Enable interval between chip accesses for all chips
Guenter Roeck [Tue, 13 Mar 2012 16:05:14 +0000 (09:05 -0700)]
hwmon: (zl6100) Enable interval between chip accesses for all chips

commit fecfb64422d91a9621a3f96ab75c3a5f13e80b58 upstream.

Intersil reports that all chips supported by the zl6100 driver require
an interval between chip accesses, even ZL2004 and ZL6105 which were thought
to be safe.

Reported-by: Vivek Gani <>
Signed-off-by: Guenter Roeck <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agotarget: Fix compatible reservation handling (CRH=1) with legacy RESERVE/RELEASE
Nicholas Bellinger [Wed, 14 Mar 2012 04:29:06 +0000 (21:29 -0700)]
target: Fix compatible reservation handling (CRH=1) with legacy RESERVE/RELEASE

commit 087a03b3ea1c8d6e2d5743a8d1c6d571058caa04 upstream.

This patch addresses a bug with target_check_scsi2_reservation_conflict()
return checking in target_scsi2_reservation_[reserve,release]() that was
preventing CRH=1 operation from silently succeeding in the two special
cases defined by SPC-3, and not failing with reservation conflict status
when dealing with legacy RESERVE/RELEASE + active SPC-3 PR logic.

Also explictly set cmd->scsi_status = SAM_STAT_RESERVATION_CONFLICT during
the early non reservation holder failure from pr_ops->t10_seq_non_holder()
check in transport_generic_cmd_sequencer() for fabrics that already expect
it to be set.

This bug was originally introduced in mainline commit:

commit eacac00ce5bfde8086cd0615fb53c986f7f970fe
Author: Christoph Hellwig <>
Date:   Thu Nov 3 17:50:40 2011 -0400

    target: split core_scsi2_emulate_crh

Reported-by: Martin Svec <>
Cc: Martin Svec <>
Cc: Christoph Hellwig <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoiscsi-target: Fix reservation conflict -EBUSY response handling bug
Nicholas Bellinger [Wed, 14 Mar 2012 01:20:11 +0000 (18:20 -0700)]
iscsi-target: Fix reservation conflict -EBUSY response handling bug

commit 00fdc6bbef77844ce397a7de7acfaf25e8e2e4eb upstream.

This patch addresses a iscsi-target specific bug related to reservation conflict
handling in iscsit_handle_scsi_cmd() that has been causing reservation conflicts
to complete and not fail as expected due to incorrect errno checking.  The problem
occured with the change to return -EBUSY from transport_generic_cmd_sequencer() ->
transport_generic_allocate_tasks() failures, that broke iscsit_handle_scsi_cmd()
checking for -EINVAL in order to invoke a non GOOD status response.

This was manifesting itself as data corruption with legacy SPC-2 reservations,
but also effects iscsi-target LUNs with SPC-3 persistent reservations.

This bug was originally introduced in lio-core commit:

commit 03e98c9eb916f3f0868c1dc344dde2a60287ff72
Author: Nicholas Bellinger <>
Date:   Fri Nov 4 02:36:16 2011 -0700

    target: Address legacy PYX_TRANSPORT_* return code breakage

Reported-by: Martin Svec <>
Cc: Martin Svec <>
Cc: Christoph Hellwig <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoi2c-algo-bit: Fix spurious SCL timeouts under heavy load
Ville Syrjala [Thu, 15 Mar 2012 17:11:05 +0000 (18:11 +0100)]
i2c-algo-bit: Fix spurious SCL timeouts under heavy load

commit 8ee161ce5e0cfc689eb677f227a6248191165fac upstream.

When the system is under heavy load, there can be a significant delay
between the getscl() and time_after() calls inside sclhi(). That delay
may cause the time_after() check to trigger after SCL has gone high,
causing sclhi() to return -ETIMEDOUT.

To fix the problem, double check that SCL is still low after the
timeout has been reached, before deciding to return -ETIMEDOUT.

Signed-off-by: Ville Syrjala <>
Signed-off-by: Jean Delvare <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agorapidio/tsi721: fix bug in register offset definitions
Alexandre Bounine [Thu, 15 Mar 2012 22:17:09 +0000 (15:17 -0700)]
rapidio/tsi721: fix bug in register offset definitions

commit 9bbad7da76b3dd578fb55c862624366a8c9ccd22 upstream.

Fix indexed register offset definitions that use decimal (wrong) instead
of hexadecimal (correct) notation for indexing multipliers.

Incorrect definitions do not affect Tsi721 driver in its current default
configuration because it uses only IDB queue 0.  Loss of inbound
doorbell functionality should be observed if queue other than 0 is used.

Signed-off-by: Alexandre Bounine <>
Cc: Matt Porter <>
Cc: Chul Kim <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agohwmon: (w83627ehf) Fix temp2 source for W83627UHG
Jean Delvare [Tue, 13 Mar 2012 08:03:27 +0000 (04:03 -0400)]
hwmon: (w83627ehf) Fix temp2 source for W83627UHG

commit aacb6b0052692c72fe0cb94c6b547202def6ef46 upstream.

Properly set the source of temp2 for the W83627UHG. Also fix a
comment right before that, and document the W83627UHG as reporting up
to 3 temperatures.

Signed-off-by: Jean Delvare <>
Cc: Guenter Roeck <>
Signed-off-by: Guenter Roeck <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agohwmon: (w83627ehf) Fix memory leak in probe function
Guenter Roeck [Mon, 12 Mar 2012 15:33:10 +0000 (08:33 -0700)]
hwmon: (w83627ehf) Fix memory leak in probe function

commit 32260d94408c553dca4ce54104edf79941a27536 upstream.

The driver probe function leaked memory if creating the cpu0_vid attribute file
failed. Fix by converting the driver to use devm_kzalloc.

Signed-off-by: Guenter Roeck <>
Acked-by: Jean Delvare <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agohwmon: (w83627ehf) Fix writing into fan_stop_time for NCT6775F/NCT6776F
Guenter Roeck [Mon, 12 Mar 2012 15:21:16 +0000 (08:21 -0700)]
hwmon: (w83627ehf) Fix writing into fan_stop_time for NCT6775F/NCT6776F

commit 33fa9b620409edfc71aa6cf01a51f990fbe46ab8 upstream.

NCT6775F and NCT6776F have their own set of registers for FAN_STOP_TIME. The
correct registers were used to read FAN_STOP_TIME, but writes used the wrong
registers. Fix it.

Signed-off-by: Guenter Roeck <>
Acked-by: Jean Delvare <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agosparc32: Add -Av8 to assembler command line.
David S. Miller [Wed, 14 Mar 2012 01:19:51 +0000 (18:19 -0700)]
sparc32: Add -Av8 to assembler command line.

commit e0adb9902fb338a9fe634c3c2a3e474075c733ba upstream.

Newer version of binutils are more strict about specifying the
correct options to enable certain classes of instructions.

The sparc32 build is done for v7 in order to support sun4c systems
which lack hardware integer multiply and divide instructions.

So we have to pass -Av8 when building the assembler routines that
use these instructions and get patched into the kernel when we find
out that we have a v8 capable cpu.

Reported-by: Paul Gortmaker <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoBlock: use a freezable workqueue for disk-event polling
Alan Stern [Fri, 2 Mar 2012 09:51:00 +0000 (10:51 +0100)]
Block: use a freezable workqueue for disk-event polling

commit 62d3c5439c534b0e6c653fc63e6d8c67be3a57b1 upstream.

This patch (as1519) fixes a bug in the block layer's disk-events
polling.  The polling is done by a work routine queued on the
system_nrt_wq workqueue.  Since that workqueue isn't freezable, the
polling continues even in the middle of a system sleep transition.

Obviously, polling a suspended drive for media changes and such isn't
a good thing to do; in the case of USB mass-storage devices it can
lead to real problems requiring device resets and even re-enumeration.

The patch fixes things by creating a new system-wide, non-reentrant,
freezable workqueue and using it for disk-events polling.

Signed-off-by: Alan Stern <>
Acked-by: Tejun Heo <>
Acked-by: Rafael J. Wysocki <>
Signed-off-by: Jens Axboe <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoblock: fix __blkdev_get and add_disk race condition
Stanislaw Gruszka [Fri, 2 Mar 2012 09:43:28 +0000 (10:43 +0100)]
block: fix __blkdev_get and add_disk race condition

commit 9f53d2fe815b4011ff930a7b6db98385d45faa68 upstream.

The following situation might occur:

__blkdev_get: add_disk:


disk->ev == NULL


disk->ev != NULL

Then we unblock events, when they are suppose to be blocked. This can
trigger events related block/genhd.c warnings, but also can crash in
sd_check_events() or other places.

I'm able to reproduce crashes with the following scripts (with
connected usb dongle as sdb disk).


function stop_me()
for i in `jobs -p` ; do kill $i 2> /dev/null ; done


for ((i = 0; i < 10; i++)) ; do
while true; do fdisk -l $DEV  2>&1 > /dev/null ; done &

while true ; do
echo 1 > $ENABLE
sleep 1
echo 0 > $ENABLE

I use the script to verify patch fixing oops in sd_revalidate_disk
Without Jun'ichi Nomura patch titled "Fix NULL pointer dereference in
sd_revalidate_disk" or this one, script easily crash kernel within
a few seconds. With both patches applied I do not observe crash.
Unfortunately after some time (dozen of minutes), script will hung in:

[ 1563.906432]  [<c08354f5>] schedule_timeout_uninterruptible+0x15/0x20
[ 1563.906437]  [<c04532d5>] msleep+0x15/0x20
[ 1563.906443]  [<c05d60b2>] blk_drain_queue+0x32/0xd0
[ 1563.906447]  [<c05d6e00>] blk_cleanup_queue+0xd0/0x170
[ 1563.906454]  [<c06d278f>] scsi_free_queue+0x3f/0x60
[ 1563.906459]  [<c06d7e6e>] __scsi_remove_device+0x6e/0xb0
[ 1563.906463]  [<c06d4aff>] scsi_forget_host+0x4f/0x60
[ 1563.906468]  [<c06cd84a>] scsi_remove_host+0x5a/0xf0
[ 1563.906482]  [<f7f030fb>] quiesce_and_remove_host+0x5b/0xa0 [usb_storage]
[ 1563.906490]  [<f7f03203>] usb_stor_disconnect+0x13/0x20 [usb_storage]

Anyway I think this patch is some step forward.

As drawback, I do not teardown on sysfs file create error, because I do
not know how to nullify disk->ev (since it can be used). However add_disk
error handling practically does not exist too, and things will work
without this sysfs file, except events will not be exported to user

Signed-off-by: Stanislaw Gruszka <>
Acked-by: Tejun Heo <>
Signed-off-by: Jens Axboe <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoblock, sx8: fix pointer math issue getting fw version
Dan Carpenter [Sat, 3 Mar 2012 11:09:17 +0000 (12:09 +0100)]
block, sx8: fix pointer math issue getting fw version

commit ea5f4db8ece896c2ab9eafa0924148a2596c52e4 upstream.

"mem" is type u8.  We need parenthesis here or it screws up the pointer
math probably leading to an oops.

Signed-off-by: Dan Carpenter <>
Acked-by: Jeff Garzik <>
Signed-off-by: Jens Axboe <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoblock: Fix NULL pointer dereference in sd_revalidate_disk
Jun'ichi Nomura [Fri, 2 Mar 2012 09:38:33 +0000 (10:38 +0100)]
block: Fix NULL pointer dereference in sd_revalidate_disk

commit fe316bf2d5847bc5dd975668671a7b1067603bc7 upstream.

Since 2.6.39 (1196f8b), when a driver returns -ENOMEDIUM for open(),
__blkdev_get() calls rescan_partitions() to remove
in-kernel partition structures and raise KOBJ_CHANGE uevent.

However it ends up calling driver's revalidate_disk without open
and could cause oops.

In the case of SCSI:

  process A                  process B
        returns -ENOMEDIUM
                               <scsi_device torn down>
Oopses are reported here:

This patch separates the partition invalidation from rescan_partitions()
and use it for -ENOMEDIUM case.

Reported-by: Huajun Li <>
Signed-off-by: Jun'ichi Nomura <>
Acked-by: Tejun Heo <>
Signed-off-by: Jens Axboe <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoregulator: Fix setting selector in tps6524x set_voltage function
Axel Lin [Thu, 8 Mar 2012 02:02:17 +0000 (10:02 +0800)]
regulator: Fix setting selector in tps6524x set_voltage function

commit f03570cf1709397ebe656608266b44ec772960c2 upstream.

Don't assign the voltage to selector.

Signed-off-by: Axel Lin <>
Signed-off-by: Mark Brown <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agousb: asix: Patch for Sitecom LN-031
Joerg Neikes [Thu, 8 Mar 2012 22:44:03 +0000 (22:44 +0000)]
usb: asix: Patch for Sitecom LN-031

commit 4e50391968849860dff1aacde358b4eb14aa5127 upstream.

This patch adds support for the Sitecom LN-031 USB adapter with a AX88178 chip.

Added USB id to find correct driver for AX88178 1000 Ethernet adapter.

Signed-off-by: Joerg Neikes <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoIPv6: Fix not join all-router mcast group when forwarding set.
Li Wei [Mon, 5 Mar 2012 14:45:17 +0000 (14:45 +0000)]
IPv6: Fix not join all-router mcast group when forwarding set.

[ Upstream commit d6ddef9e641d1229d4ec841dc75ae703171c3e92 ]

When forwarding was set and a new net device is register,
we need add this device to the all-router mcast group.

Signed-off-by: Li Wei <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agotcp: fix tcp_shift_skb_data() to not shift SACKed data below snd_una
Neal Cardwell [Mon, 5 Mar 2012 19:35:04 +0000 (19:35 +0000)]
tcp: fix tcp_shift_skb_data() to not shift SACKed data below snd_una

[ Upstream commit 4648dc97af9d496218a05353b0e442b3dfa6aaab ]

This commit fixes tcp_shift_skb_data() so that it does not shift
SACKed data below snd_una.

This fixes an issue whose symptoms exactly match reports showing
tp->sacked_out going negative since 3.3.0-rc4 (see "WARNING: at
net/ipv4/tcp_input.c:3418" thread on netdev).

Since 2008 (832d11c5cd076abc0aa1eaf7be96c81d1a59ce41)
tcp_shift_skb_data() had been shifting SACKed ranges that were below
snd_una. It checked that the *end* of the skb it was about to shift
from was above snd_una, but did not check that the end of the actual
shifted range was above snd_una; this commit adds that check.

Shifting SACKed ranges below snd_una is problematic because for such
ranges tcp_sacktag_one() short-circuits: it does not declare anything
as SACKed and does not increase sacked_out.

Before the fixes in commits cc9a672ee522d4805495b98680f4a3db5d0a0af9
and daef52bab1fd26e24e8e9578f8fb33ba1d0cb412, shifting SACKed ranges
below snd_una happened to work because tcp_shifted_skb() was always
(incorrectly) passing in to tcp_sacktag_one() an skb whose end_seq
tcp_shift_skb_data() had already guaranteed was beyond snd_una. Hence
tcp_sacktag_one() never short-circuited and always increased
tp->sacked_out in this case.

After those two fixes, my testing has verified that shifting SACKed
ranges below snd_una could cause tp->sacked_out to go negative with
the following sequence of events:

(1) tcp_shift_skb_data() sees an skb whose end_seq is beyond snd_una,
    then shifts a prefix of that skb that is below snd_una

(2) tcp_shifted_skb() increments the packet count of the
    already-SACKed prev sk_buff

(3) tcp_sacktag_one() sees the end of the new SACKed range is below
    snd_una, so it short-circuits and doesn't increase tp->sacked_out

(5) tcp_clean_rtx_queue() sees the SACKed skb has been ACKed,
    decrements tp->sacked_out by this "inflated" pcount that was
    missing a matching increase in tp->sacked_out, and hence
    tp->sacked_out underflows to a u32 like 0xFFFFFFFF, which casted
    to s32 is negative.

(6) this leads to the warnings seen in the recent "WARNING: at
    net/ipv4/tcp_input.c:3418" thread on the netdev list; e.g.:
    tcp_input.c:3418  WARN_ON((int)tp->sacked_out < 0);

More generally, I think this bug can be tickled in some cases where
two or more ACKs from the receiver are lost and then a DSACK arrives
that is immediately above an existing SACKed skb in the write queue.

This fix changes tcp_shift_skb_data() to abort this sequence at step
(1) in the scenario above by noticing that the bytes are below snd_una
and not shifting them.

Signed-off-by: Neal Cardwell <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agobridge: check return value of ipv6_dev_get_saddr()
Ulrich Weber [Mon, 5 Mar 2012 04:52:44 +0000 (04:52 +0000)]
bridge: check return value of ipv6_dev_get_saddr()

[ Upstream commit d1d81d4c3dd886d5fa25a2c4fa1e39cb89613712 ]

otherwise source IPv6 address of ICMPV6_MGM_QUERY packet
might be random junk if IPv6 is disabled on interface or
link-local address is not yet ready (DAD).

Signed-off-by: Ulrich Weber <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agotcp: don't fragment SACKed skbs in tcp_mark_head_lost()
Neal Cardwell [Fri, 2 Mar 2012 21:36:51 +0000 (21:36 +0000)]
tcp: don't fragment SACKed skbs in tcp_mark_head_lost()

[ Upstream commit c0638c247f559e1a16ee79e54df14bca2cb679ea ]

In tcp_mark_head_lost() we should not attempt to fragment a SACKed skb
to mark the first portion as lost. This is for two primary reasons:

(1) tcp_shifted_skb() coalesces adjacent regions of SACKed skbs. When
doing this, it preserves the sum of their packet counts in order to
reflect the real-world dynamics on the wire. But given that skbs can
have remainders that do not align to MSS boundaries, this packet count
preservation means that for SACKed skbs there is not necessarily a
direct linear relationship between tcp_skb_pcount(skb) and
skb->len. Thus tcp_mark_head_lost()'s previous attempts to fragment
off and mark as lost a prefix of length (packets - oldcnt)*mss from
SACKed skbs were leading to occasional failures of the WARN_ON(len >
skb->len) in tcp_fragment() (which used to be a BUG_ON(); see the
recent "crash in tcp_fragment" thread on netdev).

(2) there is no real point in fragmenting off part of a SACKed skb and
calling tcp_skb_mark_lost() on it, since tcp_skb_mark_lost() is a NOP
for SACKed skbs.

Signed-off-by: Neal Cardwell <>
Acked-by: Ilpo Järvinen <>
Acked-by: Yuchung Cheng <>
Acked-by: Nandita Dukkipati <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agor8169: corrupted IP fragments fix for large mtu.
françois romieu [Fri, 2 Mar 2012 04:43:14 +0000 (04:43 +0000)]
r8169: corrupted IP fragments fix for large mtu.

[ Upstream commit 9c5028e9da1255dd2b99762d8627b88b29f68cce ]

Noticed with the 8168d (-vb-gr, aka RTL_GIGA_MAC_VER_26).

ConfigX registers should only be written while the Config9346 lock
is held.

Signed-off-by: Francois Romieu <>
Reported-by: Nick Bowler <>
Cc: Hayes Wang <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agopacketengines: fix config default
stephen hemminger [Fri, 2 Mar 2012 13:38:56 +0000 (13:38 +0000)]
packetengines: fix config default

[ Upstream commit 3f2010b2ad3d66d5291497c9b274315e7b807ecd ]

As part of the big network driver reorg, each vendor directory defaults to
yes, so that older config's can migrate correctly. Looks like this one
got missed.

Signed-off-by: Stephen Hemminger <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agovmxnet3: Fix transport header size
Shreyas Bhatewara [Tue, 28 Feb 2012 22:17:38 +0000 (22:17 +0000)]
vmxnet3: Fix transport header size

[ Upstream commit efead8710aad9e384730ecf25eae0287878840d7 ]

Fix transport header size

Fix the transpoert header size for UDP packets.

Signed-off-by: Shreyas N Bhatewara <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agotcp: fix false reordering signal in tcp_shifted_skb
Neal Cardwell [Sun, 26 Feb 2012 10:06:19 +0000 (10:06 +0000)]
tcp: fix false reordering signal in tcp_shifted_skb

[ Upstream commit 4c90d3b30334833450ccbb02f452d4972a3c3c3f ]

When tcp_shifted_skb() shifts bytes from the skb that is currently
pointed to by 'highest_sack' then the increment of
TCP_SKB_CB(skb)->seq implicitly advances tcp_highest_sack_seq(). This
implicit advancement, combined with the recent fix to pass the correct
SACKed range into tcp_sacktag_one(), caused tcp_sacktag_one() to think
that the newly SACKed range was before the tcp_highest_sack_seq(),
leading to a call to tcp_update_reordering() with a degree of
reordering matching the size of the newly SACKed range (typically just
1 packet, which is a NOP, but potentially larger).

This commit fixes this by simply calling tcp_sacktag_one() before the
TCP_SKB_CB(skb)->seq advancement that can advance our notion of the
highest SACKed sequence.

Correspondingly, we can simplify the code a little now that
tcp_shifted_skb() should update the lost_cnt_hint in all cases where
skb == tp->lost_skb_hint.

Signed-off-by: Neal Cardwell <>
Acked-by: Yuchung Cheng <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agosfc: Fix assignment of ip_summed for pre-allocated skbs
Ben Hutchings [Fri, 24 Feb 2012 15:12:34 +0000 (15:12 +0000)]
sfc: Fix assignment of ip_summed for pre-allocated skbs

[ Upstream commit ff3bc1e7527504a93710535611b2f812f3bb89bf ]

When pre-allocating skbs for received packets, we set ip_summed =
CHECKSUM_UNNCESSARY.  We used to change it back to CHECKSUM_NONE when
the received packet had an incorrect checksum or unhandled protocol.

Commit bc8acf2c8c3e43fcc192762a9f964b3e9a17748b ('drivers/net: avoid
some skb->ip_summed initializations') mistakenly replaced the latter
assignment with a DEBUG-only assertion that ip_summed ==
CHECKSUM_NONE.  This assertion is always false, but it seems no-one
has exercised this code path in a DEBUG build.

Fix this by moving our assignment of CHECKSUM_UNNECESSARY into

Signed-off-by: Ben Hutchings <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoppp: fix 'ppp_mp_reconstruct bad seq' errors
Ben McKeegan [Fri, 24 Feb 2012 06:33:56 +0000 (06:33 +0000)]
ppp: fix 'ppp_mp_reconstruct bad seq' errors

[ Upstream commit 8a49ad6e89feb5015e77ce6efeb2678947117e20 ]

This patch fixes a (mostly cosmetic) bug introduced by the patch
'ppp: Use SKB queue abstraction interfaces in fragment processing'
found here:

The above patch rewrote and moved the code responsible for cleaning
up discarded fragments but the new code does not catch every case
where this is necessary.  This results in some discarded fragments
remaining in the queue, and triggering a 'bad seq' error on the
subsequent call to ppp_mp_reconstruct.  Fragments are discarded
whenever other fragments of the same frame have been lost.
This can generate a lot of unwanted and misleading log messages.

This patch also adds additional detail to the debug logging to
make it clearer which fragments were lost and which other fragments
were discarded as a result of losses. (Run pppd with 'kdebug 1'
option to enable debug logging.)

Signed-off-by: Ben McKeegan <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoipsec: be careful of non existing mac headers
Eric Dumazet [Thu, 23 Feb 2012 10:55:02 +0000 (10:55 +0000)]
ipsec: be careful of non existing mac headers

[ Upstream commit 03606895cd98c0a628b17324fd7b5ff15db7e3cd ]

Niccolo Belli reported ipsec crashes in case we handle a frame without
mac header (atm in his case)

Before copying mac header, better make sure it is present.

Bugzilla reference:

Reported-by: Niccolò Belli <>
Tested-by: Niccolò Belli <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoneighbour: Fixed race condition at tbl->nht
Michel Machado [Tue, 21 Feb 2012 11:04:13 +0000 (11:04 +0000)]
neighbour: Fixed race condition at tbl->nht

[ Upstream commit 84338a6c9dbb6ff3de4749864020f8f25d86fc81 ]

When the fixed race condition happens:

1. While function neigh_periodic_work scans the neighbor hash table
pointed by field tbl->nht, it unlocks and locks tbl->lock between
buckets in order to call cond_resched.

2. Assume that function neigh_periodic_work calls cond_resched, that is,
the lock tbl->lock is available, and function neigh_hash_grow runs.

3. Once function neigh_hash_grow finishes, and RCU calls
neigh_hash_free_rcu, the original struct neigh_hash_table that function
neigh_periodic_work was using doesn't exist anymore.

4. Once back at neigh_periodic_work, whenever the old struct
neigh_hash_table is accessed, things can go badly.

Signed-off-by: Michel Machado <>
CC: "David S. Miller" <>
CC: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoatl1c: dont use highprio tx queue
Eric Dumazet [Wed, 15 Feb 2012 20:43:11 +0000 (20:43 +0000)]
atl1c: dont use highprio tx queue

[ Upstream commit 11aad99af6ef629ff3b05d1c9f0936589b204316 ]

This driver attempts to use two TX rings but lacks proper support :

1) IRQ handler only takes care of TX completion on first TX ring
2) the stop/start logic uses the legacy functions (for non multiqueue

This means all packets witk skb mark set to 1 are sent through high
queue but are never cleaned and queue eventualy fills and block the
device, triggering the infamous "NETDEV WATCHDOG" message.

Lets use a single TX ring to fix the problem, this driver is not a real
multiqueue one yet.

Minimal fix for stable kernels.

Reported-by: Thomas Meyer <>
Tested-by: Thomas Meyer <>
Signed-off-by: Eric Dumazet <>
Cc: Jay Cliburn <>
Cc: Chris Snook <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoacer-wmi: No wifi rfkill on Lenovo machines
Ike Panhc [Fri, 3 Feb 2012 08:46:39 +0000 (16:46 +0800)]
acer-wmi: No wifi rfkill on Lenovo machines

commit 461e74377cfcfc2c0d6bbdfa8fc5fbc21b052c2a upstream.

We have several reports which says acer-wmi is loaded on ideapads
and register rfkill for wifi which can not be unblocked.

Since ideapad-laptop also register rfkill for wifi and it works
reliably, it will be fine acer-wmi is not going to register rfkill
for wifi once VPC2004 is found.

Also put IBM0068/LEN0068 in the list. Though thinkpad_acpi has no
wifi rfkill capability, there are reports which says acer-wmi also
block wireless on Thinkpad E520/E420.

Signed-off-by: Ike Panhc <>
Signed-off-by: Matthew Garrett <>
Cc: Jonathan Nieder <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agovfs: fix double put after complete_walk()
Miklos Szeredi [Tue, 6 Mar 2012 12:56:33 +0000 (13:56 +0100)]
vfs: fix double put after complete_walk()

commit 097b180ca09b581ef0dc24fbcfc1b227de3875df upstream.

complete_walk() already puts nd->path, no need to do it again at cleanup time.

This would result in Oopses if triggered, apparently the codepath is not too
well exercised.

Signed-off-by: Miklos Szeredi <>
Signed-off-by: Al Viro <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agovfs: fix return value from do_last()
Miklos Szeredi [Tue, 6 Mar 2012 12:56:34 +0000 (13:56 +0100)]
vfs: fix return value from do_last()

commit 7f6c7e62fcc123e6bd9206da99a2163fe3facc31 upstream.

complete_walk() returns either ECHILD or ESTALE.  do_last() turns this into
ECHILD unconditionally.  If not in RCU mode, this error will reach userspace
which is complete nonsense.

Signed-off-by: Miklos Szeredi <>
Signed-off-by: Al Viro <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoCIFS: Do not kmalloc under the flocks spinlock
Pavel Shilovsky [Mon, 5 Mar 2012 06:39:20 +0000 (09:39 +0300)]
CIFS: Do not kmalloc under the flocks spinlock

commit d5751469f210d2149cc2159ffff66cbeef6da3f2 upstream.

Reorganize the code to make the memory already allocated before
spinlock'ed loop.

Reviewed-by: Jeff Layton <>
Signed-off-by: Pavel Shilovsky <>
Signed-off-by: Steve French <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoperf/x86: Fix local vs remote memory events for NHM/WSM
Peter Zijlstra [Mon, 5 Mar 2012 22:59:25 +0000 (23:59 +0100)]
perf/x86: Fix local vs remote memory events for NHM/WSM

commit 87e24f4b67e68d9fd8df16e0bf9c66d1ad2a2533 upstream.

Verified using the below proglet.. before:

[root@westmere ~]# perf stat -e node-stores -e node-store-misses ./numa 0
remote write

 Performance counter stats for './numa 0':

         2,101,554 node-stores
         2,096,931 node-store-misses

       5.021546079 seconds time elapsed

[root@westmere ~]# perf stat -e node-stores -e node-store-misses ./numa 1
local write

 Performance counter stats for './numa 1':

           501,137 node-stores
               199 node-store-misses

       5.124451068 seconds time elapsed


[root@westmere ~]# perf stat -e node-stores -e node-store-misses ./numa 0
remote write

 Performance counter stats for './numa 0':

         2,107,516 node-stores
         2,097,187 node-store-misses

       5.012755149 seconds time elapsed

[root@westmere ~]# perf stat -e node-stores -e node-store-misses ./numa 1
local write

 Performance counter stats for './numa 1':

         2,063,355 node-stores
               165 node-store-misses

       5.082091494 seconds time elapsed

#define _GNU_SOURCE

#include <sched.h>
#include <stdio.h>
#include <errno.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <dirent.h>
#include <signal.h>
#include <unistd.h>
#include <numaif.h>
#include <stdlib.h>

#define SIZE (32*1024*1024)

volatile int done;

void sig_done(int sig)
done = 1;

int main(int argc, char **argv)
cpu_set_t *mask, *mask2;
size_t size;
int i, err, t;
int nrcpus = 1024;
char *mem;
unsigned long nodemask = 0x01; /* node 0 */
DIR *node;
struct dirent *de;
int read = 0;
int local = 0;

if (argc < 2) {
printf("usage: %s [0-3]\n", argv[0]);
printf("  bit0 - local/remote\n");
printf("  bit1 - read/write\n");

switch (atoi(argv[1])) {
case 0:
printf("remote write\n");
case 1:
printf("local write\n");
local = 1;
case 2:
printf("remote read\n");
read = 1;
case 3:
printf("local read\n");
local = 1;
read = 1;

mask = CPU_ALLOC(nrcpus);
size = CPU_ALLOC_SIZE(nrcpus);
CPU_ZERO_S(size, mask);

node = opendir("/sys/devices/system/node/node0/");
if (!node)
while ((de = readdir(node))) {
int cpu;

if (sscanf(de->d_name, "cpu%d", &cpu) == 1)
CPU_SET_S(cpu, size, mask);

mask2 = CPU_ALLOC(nrcpus);
CPU_ZERO_S(size, mask2);
for (i = 0; i < size; i++)
CPU_SET_S(i, size, mask2);
CPU_XOR_S(size, mask2, mask2, mask); // invert

if (!local)
mask = mask2;

err = sched_setaffinity(0, size, mask);
if (err)

err = mbind(mem, SIZE, MPOL_BIND, &nodemask, 8*sizeof(nodemask), MPOL_MF_MOVE);
if (err)

signal(SIGALRM, sig_done);

if (!read) {
while (!done) {
for (i = 0; i < SIZE; i++)
mem[i] = 0x01;
} else {
while (!done) {
for (i = 0; i < SIZE; i++)
t += *(volatile char *)(mem + i);

return 0;

Signed-off-by: Peter Zijlstra <>
Cc: Stephane Eranian <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agort2x00: fix random stalls
Stanislaw Gruszka [Fri, 9 Mar 2012 11:39:54 +0000 (12:39 +0100)]
rt2x00: fix random stalls

commit 3780d038fdf4b5ef26ead10b0604ab1f46dd9510 upstream.

Is possible that we stop queue and then do not wake up it again,
especially when packets are transmitted fast. That can be easily
reproduced with modified tx queue entry_num to some small value e.g. 16.

If mac80211 already hold local->queue_stop_reason_lock, then we can wait
on that lock in both rt2x00queue_pause_queue() and
rt2x00queue_unpause_queue(). After drooping ->queue_stop_reason_lock
is possible that __ieee80211_wake_queue() will be performed before
__ieee80211_stop_queue(), hence we stop queue and newer wake up it

Another race condition is possible when between rt2x00queue_threshold()
check and rt2x00queue_pause_queue() we will process all pending tx
buffers on different cpu. This might happen if for example interrupt
will be triggered on cpu performing rt2x00mac_tx().

To prevent race conditions serialize pause/unpause by queue->tx_lock.

Signed-off-by: Stanislaw Gruszka <>
Acked-by: Gertjan van Wingerde <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoomap3isp: ccdc: Fix crash in HS/VS interrupt handler
Laurent Pinchart [Fri, 11 Nov 2011 14:22:20 +0000 (11:22 -0300)]
omap3isp: ccdc: Fix crash in HS/VS interrupt handler

commit bd0f2e6da7ea9e225cb2dbd3229e25584b0e9538 upstream.

The HS/VS interrupt handler needs to access the pipeline object. It
erronously tries to get it from the CCDC output video node, which isn't
necessarily included in the pipeline. This leads to a NULL pointer

Fix the bug by getting the pipeline object from the CCDC subdev entity.

Reported-by: Gary Thomas <>
Signed-off-by: Laurent Pinchart <>
Acked-by: Sakari Ailus <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoPCI: ignore pre-1.1 ASPM quirking when ASPM is disabled
Matthew Garrett [Tue, 6 Mar 2012 18:41:49 +0000 (13:41 -0500)]
PCI: ignore pre-1.1 ASPM quirking when ASPM is disabled

commit 4949be16822e92a18ea0cc1616319926628092ee upstream.

Right now we won't touch ASPM state if ASPM is disabled, except in the case
where we find a device that appears to be too old to reliably support ASPM.
Right now we'll clear it in that case, which is almost certainly the wrong
thing to do. The easiest way around this is just to disable the blacklisting
when ASPM is disabled.

Signed-off-by: Matthew Garrett <>
Signed-off-by: Jesse Barnes <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agox86: Derandom delay_tsc for 64 bit
Thomas Gleixner [Fri, 9 Mar 2012 19:55:10 +0000 (20:55 +0100)]
x86: Derandom delay_tsc for 64 bit

commit a7f4255f906f60f72e00aad2fb000939449ff32e upstream.

Commit f0fbf0abc093 ("x86: integrate delay functions") converted
delay_tsc() into a random delay generator for 64 bit.  The reason is
that it merged the mostly identical versions of delay_32.c and
delay_64.c.  Though the subtle difference of the result was:

 static void delay_tsc(unsigned long loops)
- unsigned bclock, now;
+ unsigned long bclock, now;

Now the function uses rdtscl() which returns the lower 32bit of the
TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
bit this fails when the lower 32bit are close to wrap around when
bclock is read, because the following check

       if ((now - bclock) >= loops)

evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
because the unsigned long (now - bclock) of these values results in
0xffffffff00000001 which is definitely larger than the loops
value. That explains Tvortkos observation:

"Because I am seeing udelay(500) (_occasionally_) being short, and
 that by delaying for some duration between 0us (yep) and 491us."

Make those variables explicitely u32 again, so this works for both 32
and 64 bit.

Reported-by: Tvrtko Ursulin <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoaio: fix the "too late munmap()" race
Al Viro [Thu, 8 Mar 2012 17:51:19 +0000 (17:51 +0000)]
aio: fix the "too late munmap()" race

commit c7b285550544c22bc005ec20978472c9ac7138c6 upstream.

Current code has put_ioctx() called asynchronously from aio_fput_routine();
that's done *after* we have killed the request that used to pin ioctx,
so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
from progressing.  As the result, we can end up with async call of
put_ioctx() being the last one and possibly happening during exit_mmap()
or elf_core_dump(), neither of which expects stray munmap() being done
to them...

We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
with that, but that's all we care about - neither io_destroy() nor
exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
does really_put_req(), so the ioctx teardown won't be done until then
and we don't care about the contents of ioctx past that point.

Since actual freeing of these suckers is RCU-delayed, we don't need to
bump ioctx refcount when request goes into list for async removal.
All we need is rcu_read_lock held just over the ->ctx_lock-protected
area in aio_fput_routine().

Signed-off-by: Al Viro <>
Reviewed-by: Jeff Moyer <>
Acked-by: Benjamin LaHaise <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoaio: fix io_setup/io_destroy race
Al Viro [Wed, 7 Mar 2012 05:16:35 +0000 (05:16 +0000)]
aio: fix io_setup/io_destroy race

commit 86b62a2cb4fc09037bbce2959d2992962396fd7f upstream.

Have ioctx_alloc() return an extra reference, so that caller would drop it
on success and not bother with re-grabbing it on failure exit.  The current
code is obviously broken - io_destroy() from another thread that managed
to guess the address io_setup() would've returned would free ioctx right
under us; gets especially interesting if aio_context_t * we pass to
io_setup() points to PROT_READ mapping, so put_user() fails and we end
up doing io_destroy() on kioctx another thread has just got freed...

Signed-off-by: Al Viro <>
Acked-by: Benjamin LaHaise <>
Reviewed-by: Jeff Moyer <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoALSA: hda/realtek - Apply the coef-setup only to ALC269VB
Kailang Yang [Wed, 7 Mar 2012 07:25:20 +0000 (08:25 +0100)]
ALSA: hda/realtek - Apply the coef-setup only to ALC269VB

commit 526af6eb4dc71302f59806e2ccac7793963a7fe0 upstream.

The coef setup in alc269_fill_coef() was designed only for ALC269VB
model, and this has some bad effects for other ALC269 variants, such
as turning off the external mic input.  Apply it only to ALC269VB.

Signed-off-by: Kailang Yang <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoASoC: neo1973: fix neo1973 wm8753 initialization
Denis 'GNUtoo' Carikli [Sun, 26 Feb 2012 18:21:54 +0000 (19:21 +0100)]
ASoC: neo1973: fix neo1973 wm8753 initialization

commit b2ccf065f7b23147ed135a41b01d05a332ca6b7e upstream.

The neo1973 driver had wrong codec name which prevented the "sound card"
from appearing.

Signed-off-by: Denis 'GNUtoo' Carikli <>
Signed-off-by: Mark Brown <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoLinux 3.2.11 v3.2.11
Greg Kroah-Hartman [Tue, 13 Mar 2012 17:05:09 +0000 (10:05 -0700)]
Linux 3.2.11

10 years agoRevert "mfd: Test for jack detection when deciding if wm8994 should suspend"
Greg Kroah-Hartman [Tue, 13 Mar 2012 16:36:07 +0000 (09:36 -0700)]
Revert "mfd: Test for jack detection when deciding if wm8994 should suspend"

This reverts commit 315e73b400c9a287a53efb5f857d308589674ac5 as it
breaks the 3.2-stable build.

Reported-by: Ben Guthro <>
Cc: Mark Brown <>
Cc: Samuel Ortiz <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agoLinux 3.2.10 v3.2.10
Greg Kroah-Hartman [Mon, 12 Mar 2012 20:22:49 +0000 (13:22 -0700)]
Linux 3.2.10

10 years agoARM: OMAP: fix iommu, not mailbox
Ohad Ben-Cohen [Sun, 4 Mar 2012 10:01:11 +0000 (12:01 +0200)]
ARM: OMAP: fix iommu, not mailbox

commit 134d12fae0bb8f3d60dc7440a9e1950bb5427167 upstream.

For some weird (freudian?) reason, commit 435792d "ARM: OMAP: make
iommu subsys_initcall to fix builtin omap3isp" unintentionally changed
the mailbox's initcall instead of the iommu's.

Fix that.

Reported-by: Fernando Guzman Lugo <>
Signed-off-by: Ohad Ben-Cohen <>
Cc: Laurent Pinchart <>
Cc: Joerg Roedel <>
Cc: Tony Lindgren <>
Signed-off-by: Joerg Roedel <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agospi-topcliff-pch: rename pch_spi_pcidev to pch_spi_pcidev_driver
Danny Kukawka [Thu, 2 Feb 2012 13:20:30 +0000 (14:20 +0100)]
spi-topcliff-pch: rename pch_spi_pcidev to pch_spi_pcidev_driver

commit c88db233251b026fda775428f0250c760553e216 upstream.

Rename static struct pci_driver pch_spi_pcidev to
pch_spi_pcidev_driver to get rid of warnings from modpost checks.

Signed-off-by: Danny Kukawka <>
Signed-off-by: Grant Likely <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agomfd: Fix cs5535 section mismatch
Christian Gmeiner [Tue, 13 Dec 2011 20:30:04 +0000 (21:30 +0100)]
mfd: Fix cs5535 section mismatch

commit 97e43c983c721a47546e6db3b7711dcd912a6481 upstream.

Silence following warnings:
WARNING: drivers/mfd/cs5535-mfd.o(.data+0x20): Section mismatch in
reference from the variable cs5535_mfd_drv to the function
The variable cs5535_mfd_drv references
the function __devinit cs5535_mfd_probe()
If the reference is valid then annotate the
variable with __init* or __refdata (see linux/init.h) or name the variable:
*driver, *_template, *_timer, *_sht, *_ops, *_probe, *_probe_one, *_console

WARNING: drivers/mfd/cs5535-mfd.o(.data+0x28): Section mismatch in
reference from the variable cs5535_mfd_drv to the function
The variable cs5535_mfd_drv references
the function __devexit cs5535_mfd_remove()
If the reference is valid then annotate the
variable with __exit* (see linux/init.h) or name the variable:
*driver, *_template, *_timer, *_sht, *_ops, *_probe, *_probe_one, *_console

Rename the variable from *_drv to *_driver so
modpost ignore the OK references to __devinit/__devexit

Signed-off-by: Christian Gmeiner <>
Acked-by: Andres Salomon <>
Signed-off-by: Samuel Ortiz <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agocs5535-mfgpt: don't call __init function from __devinit
Danny Kukawka [Thu, 2 Feb 2012 13:20:29 +0000 (14:20 +0100)]
cs5535-mfgpt: don't call __init function from __devinit

commit 474de3bbadd9cb75ffc32cc759c40d868343d46c upstream.

Fix scan_timers() to be __devinit and not __init since
the function get called from cs5535_mfgpt_probe which is

Signed-off-by: Danny Kukawka <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agodm raid: fix flush support
Jonathan E Brassow [Wed, 7 Mar 2012 19:09:48 +0000 (19:09 +0000)]
dm raid: fix flush support

commit 0ca93de9b789e0eb05e103f0c04de72df13da73a upstream.

Fix dm-raid flush support.

Both md and dm have support for flush, but the dm-raid target
forgot to set the flag to indicate that flushes should be
passed on.  (Important for data integrity e.g. with writeback cache

Signed-off-by: Jonathan Brassow <>
Acked-by: Mike Snitzer <>
Signed-off-by: Alasdair G Kergon <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agodm raid: set MD_CHANGE_DEVS when rebuilding
Jonathan E Brassow [Wed, 7 Mar 2012 19:09:47 +0000 (19:09 +0000)]
dm raid: set MD_CHANGE_DEVS when rebuilding

commit 3aa3b2b2b1edb813dc5342d0108befc39541542d upstream.

The 'rebuild' parameter is used to rebuild individual devices in an
array (e.g. resynchronize a RAID1 device or recalculate a parity device
in higher RAID).  The MD_CHANGE_DEVS flag must be set when this
parameter is given in order to write out the superblocks and make the
change take immediate effect.  The code that handles new devices in
super_load already sets MD_CHANGE_DEVS and 'FirstUse'.  (The 'FirstUse'
flag was being set as a special case for rebuilds in

Add a condition for rebuilds in super_load to take care of both flags
without the special case in 'super_init_validation'.

Signed-off-by: Jonathan Brassow <>
Signed-off-by: Alasdair G Kergon <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agodm thin metadata: decrement counter after removing mapped block
Joe Thornber [Wed, 7 Mar 2012 19:09:44 +0000 (19:09 +0000)]
dm thin metadata: decrement counter after removing mapped block

commit af63bcb817cf708f53bcae6edc2e3fb7dd7d8051 upstream.

Correct the number of mapped sectors shown on a thin device's
status line by decrementing td->mapped_blocks in __remove() each time
a block is removed.

Signed-off-by: Joe Thornber <>
Acked-by: Mike Snitzer <>
Signed-off-by: Alasdair G Kergon <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agodm thin metadata: unlock superblock in init_pmd error path
Joe Thornber [Wed, 7 Mar 2012 19:09:43 +0000 (19:09 +0000)]
dm thin metadata: unlock superblock in init_pmd error path

commit 4469a5f387fdde956894137751a41473618a4a52 upstream.

If dm_sm_disk_create() fails the superblock must be unlocked.

Signed-off-by: Joe Thornber <>
Acked-by: Mike Snitzer <>
Signed-off-by: Alasdair G Kergon <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agodm thin metadata: remove incorrect close_device on creation error paths
Mike Snitzer [Wed, 7 Mar 2012 19:09:41 +0000 (19:09 +0000)]
dm thin metadata: remove incorrect close_device on creation error paths

commit 1f3db25d8be4ac50b897b39609802183ea68a514 upstream.

The __open_device() error paths in __create_thin() and __create_snap()
incorrectly call __close_device() even if td was not initialized by
__open_device().  Remove this.

Also document __open_device() return values, remove a redundant
td->changed = 1 in __create_thin(), and insert an additional
safeguard against creating an already-existing device.

Signed-off-by: Mike Snitzer <>
Signed-off-by: Alasdair G Kergon <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agodm flakey: fix crash on read when corrupt_bio_byte not set
Mike Snitzer [Wed, 7 Mar 2012 19:09:39 +0000 (19:09 +0000)]
dm flakey: fix crash on read when corrupt_bio_byte not set

commit 1212268fd9816e3b8801e57b896fceaec71969ad upstream.

The following BUG is hit on the first read that is submitted to a dm
flakey test device while the device is "down" if the corrupt_bio_byte
feature wasn't requested when the device's table was loaded.

Example DM table that will hit this BUG:
0 2097152 flakey 8:0 2048 0 30

This bug was introduced by commit a3998799fb4df0b0af8271a7d50c4269032397aa
(dm flakey: add corrupt_bio_byte feature) in v3.1-rc1.

BUG: unable to handle kernel paging request at ffff8801cfce3fff
IP: [<ffffffffa008c233>] corrupt_bio_data+0x6e/0xae [dm_flakey]
PGD 1606063 PUD 0
Oops: 0002 [#1] SMP
Call Trace:
 [<ffffffffa008c2b5>] flakey_end_io+0x42/0x48 [dm_flakey]
 [<ffffffffa00dca98>] clone_endio+0x54/0xb6 [dm_mod]
 [<ffffffff81130587>] bio_endio+0x2d/0x2f
 [<ffffffff811c819a>] req_bio_endio+0x96/0x9f
 [<ffffffff811c94b9>] blk_update_request+0x1dc/0x3a9
 [<ffffffff812f5ee2>] ? rcu_read_unlock+0x21/0x23
 [<ffffffff811c96a6>] blk_update_bidi_request+0x20/0x6e
 [<ffffffff811c9713>] blk_end_bidi_request+0x1f/0x5d
 [<ffffffff811c978d>] blk_end_request+0x10/0x12
 [<ffffffff8128f450>] scsi_io_completion+0x1e5/0x4b1
 [<ffffffff812882a9>] scsi_finish_command+0xec/0xf5
 [<ffffffff8128f830>] scsi_softirq_done+0xff/0x108
 [<ffffffff811ce284>] blk_done_softirq+0x84/0x98
 [<ffffffff81048d19>] __do_softirq+0xe3/0x1d5
 [<ffffffff8138f83f>] ? _raw_spin_lock+0x62/0x69
 [<ffffffff810997cf>] ? handle_irq_event+0x4c/0x61
 [<ffffffff8139833c>] call_softirq+0x1c/0x30
 [<ffffffff81003b37>] do_softirq+0x4b/0xa3
 [<ffffffff81048a39>] irq_exit+0x53/0xca
 [<ffffffff81398acd>] do_IRQ+0x9d/0xb4
 [<ffffffff81390333>] common_interrupt+0x73/0x73

Signed-off-by: Mike Snitzer <>
Signed-off-by: Alasdair G Kergon <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agodm io: fix discard support
Milan Broz [Wed, 7 Mar 2012 19:09:37 +0000 (19:09 +0000)]
dm io: fix discard support

commit 0c535e0d6f463365c29623350dbd91642363c39b upstream.

This patch fixes a crash by recognising discards in dm_io.

Currently dm_mirror can send REQ_DISCARD bios if running over a
discard-enabled device and without support in dm_io the system
crashes badly.

BUG: unable to handle kernel paging request at 00800000
IP:  __bio_add_page.part.17+0xf5/0x1e0
 dispatch_io+0x1cf/0x240 [dm_mod]
 ? km_get_page+0x50/0x50 [dm_mod]
 ? vm_next_page+0x20/0x20 [dm_mod]
 ? mirror_flush+0x130/0x130 [dm_mirror]
 dm_io+0xdc/0x2b0 [dm_mod]

Introduced in 2.6.38-rc1 by commit 5fc2ffeabb9ee0fc0e71ff16b49f34f0ed3d05b4
(dm raid1: support discard).

Signed-off-by: Milan Broz <>
Acked-by: Mike Snitzer <>
Signed-off-by: Alasdair G Kergon <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agodm ioctl: do not leak argv if target message only contains whitespace
Jesper Juhl [Wed, 7 Mar 2012 19:09:34 +0000 (19:09 +0000)]
dm ioctl: do not leak argv if target message only contains whitespace

commit 902c6a96a7cb9c50d2a8aed1788efad0a5d8f04c upstream.

If 'argc' is zero we jump to the 'out:' label, but this leaks the
(unused) memory that 'dm_split_args()' allocated for 'argv' if the
string being split consisted entirely of whitespace.  Jump to the
'out_argv:' label instead to free up that memory.

Signed-off-by: Jesper Juhl <>
Signed-off-by: Alasdair G Kergon <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agox86/amd: iommu_set_device_table() must not be __init
Jan Beulich [Thu, 8 Mar 2012 08:58:13 +0000 (08:58 +0000)]
x86/amd: iommu_set_device_table() must not be __init

commit 6b7f000eb6a0b81d7a809833edb7a457eedf8512 upstream.

This function is called from enable_iommus(), which in turn is used
from amd_iommu_resume().

Signed-off-by: Jan Beulich <>
Signed-off-by: Joerg Roedel <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agonet/usbnet: avoid recursive locking in usbnet_stop()
Sebastian Siewior [Wed, 7 Mar 2012 10:19:28 +0000 (10:19 +0000)]
net/usbnet: avoid recursive locking in usbnet_stop()

commit 4231d47e6fe69f061f96c98c30eaf9fb4c14b96d upstream.

|kernel BUG at kernel/rtmutex.c:724!
|[<c029599c>] (rt_spin_lock_slowlock+0x108/0x2bc) from [<c01c2330>] (defer_bh+0x1c/0xb4)
|[<c01c2330>] (defer_bh+0x1c/0xb4) from [<c01c3afc>] (rx_complete+0x14c/0x194)
|[<c01c3afc>] (rx_complete+0x14c/0x194) from [<c01cac88>] (usb_hcd_giveback_urb+0xa0/0xf0)
|[<c01cac88>] (usb_hcd_giveback_urb+0xa0/0xf0) from [<c01e1ff4>] (musb_giveback+0x34/0x40)
|[<c01e1ff4>] (musb_giveback+0x34/0x40) from [<c01e2b1c>] (musb_advance_schedule+0xb4/0x1c0)
|[<c01e2b1c>] (musb_advance_schedule+0xb4/0x1c0) from [<c01e2ca8>] (musb_cleanup_urb.isra.9+0x80/0x8c)
|[<c01e2ca8>] (musb_cleanup_urb.isra.9+0x80/0x8c) from [<c01e2ed0>] (musb_urb_dequeue+0xec/0x108)
|[<c01e2ed0>] (musb_urb_dequeue+0xec/0x108) from [<c01cbb90>] (unlink1+0xbc/0xcc)
|[<c01cbb90>] (unlink1+0xbc/0xcc) from [<c01cc2ec>] (usb_hcd_unlink_urb+0x54/0xa8)
|[<c01cc2ec>] (usb_hcd_unlink_urb+0x54/0xa8) from [<c01c2a84>] (unlink_urbs.isra.17+0x2c/0x58)
|[<c01c2a84>] (unlink_urbs.isra.17+0x2c/0x58) from [<c01c2b44>] (usbnet_terminate_urbs+0x94/0x10c)
|[<c01c2b44>] (usbnet_terminate_urbs+0x94/0x10c) from [<c01c2d68>] (usbnet_stop+0x100/0x15c)
|[<c01c2d68>] (usbnet_stop+0x100/0x15c) from [<c020f718>] (__dev_close_many+0x94/0xc8)

defer_bh() takes the lock which is hold during unlink_urbs(). The safe
walk suggest that the skb will be removed from the list and this is done
by defer_bh() so it seems to be okay to drop the lock here.

Reported-by: Aníbal Almeida Pinto <>
Signed-off-by: Sebastian Andrzej Siewior <>
Acked-by: Oliver Neukum <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agodrm/radeon/kms: set SX_MISC in the r6xx blit code (v2)
Marek Olšák [Wed, 7 Mar 2012 22:33:00 +0000 (23:33 +0100)]
drm/radeon/kms: set SX_MISC in the r6xx blit code (v2)

commit cf00790dea6f210ddd01a6656da58c7c9a4ea0e4 upstream.

Mesa may set it to 1, causing all primitives to be killed.

v2: also update the r7xx code

Signed-off-by: Marek Olšák <>
Reviewed-by: Alex Deucher <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agocarl9170: fix frame delivery if sta is in powersave mode
Christian Lamparter [Sat, 25 Feb 2012 20:36:36 +0000 (21:36 +0100)]
carl9170: fix frame delivery if sta is in powersave mode

commit 9926a67557532acb6cddb1c1add02952175b5c72 upstream.

Nicolas Cavallari discovered that carl9170 has some
serious problems delivering data to sleeping stations.

It turns out that the driver was not honoring two
important flags (IEEE80211_TX_CTL_POLL_RESPONSE and
IEEE80211_TX_CTL_CLEAR_PS_FILT) which are set on
frames that should be sent although the receiving
station is still in powersave mode.

Reported-by: Nicolas Cavallari <>
Signed-off-by: Christian Lamparter <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agocarl9170: Fix memory accounting when sta is in power-save mode.
Nicolas Cavallari [Thu, 23 Feb 2012 15:53:34 +0000 (16:53 +0100)]
carl9170: Fix memory accounting when sta is in power-save mode.

commit 992d52529d7840236d3059b51c15d5eb9e81a869 upstream.

On Access Point mode, when transmitting a packet, if the destination
station is in powersave mode, we abort transmitting the packet to the
device queue, but we do not reclaim the allocated memory.  Given enough
packets, we can go in a state where there is no packet on the device
queue, but we think the device has no memory left, so no packet gets
transmitted, connections breaks and the AP stops working.

This undo the allocation done in the TX path when the station is in
power-save mode.

Signed-off-by: Nicolas Cavallari <>
Acked-by: Christian Lamparter <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agohwmon: (zl6100) Maintain delay parameter in driver instance data
Guenter Roeck [Wed, 7 Mar 2012 11:58:55 +0000 (03:58 -0800)]
hwmon: (zl6100) Maintain delay parameter in driver instance data

commit 7ad6307ad6968ce25cecf209d4822d4c722be030 upstream.

A global delay parameter has the side effect of being overwritten with 0 if a
single ZL2004 or ZL6105 is instantiated. If other chips supported by the same
driver are in the system, this will result in access errors for those chips.

To solve the problem, keep a per-instance copy of the delay parameter, and do
not change the original parameter.

Signed-off-by: Guenter Roeck <>
Acked-by: Jean Delvare <>
Signed-off-by: Greg Kroah-Hartman <>
10 years agohwmon: (jc42) Add support for AT30TS00, TS3000GB2, TSE2002GB2, and MCP9804
Guenter Roeck [Mon, 5 Mar 2012 19:13:52 +0000 (11:13 -0800)]
hwmon: (jc42) Add support for AT30TS00, TS3000GB2, TSE2002GB2, and MCP9804

commit 1bd612a25855f4cc9345052b53d7da697dba6358 upstream.

Also update IDT datasheet locations.

Signed-off-by: Guenter Roeck <>
Acked-by: Jean Delvare <>
Signed-off-by: Greg Kroah-Hartman <>