Trond Myklebust [Mon, 7 Jan 2013 19:30:46 +0000 (14:30 -0500)]
SUNRPC: Ensure we release the socket write lock if the rpc_task exits early
commit
87ed50036b866db2ec2ba16b2a7aec4a2b0b7c39 upstream.
If the rpc_task exits while holding the socket write lock before it has
allocated an rpc slot, then the usual mechanism for releasing the write
lock in xprt_release() is defeated.
The problem occurs if the call to xprt_lock_write() initially fails, so
that the rpc_task is put on the xprt->sending wait queue. If the task
exits after being assigned the lock by __xprt_lock_write_func, but
before it has retried the call to xprt_lock_and_alloc_slot(), then
it calls xprt_release() while holding the write lock, but will
immediately exit due to the test for task->tk_rqstp != NULL.
Reported-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Mike Dunn [Mon, 7 Jan 2013 21:55:13 +0000 (13:55 -0800)]
ALSA: pxa27x: fix ac97 warm reset
commit
3b4bc7bccc7857274705b05cf81a0c72cfd0b0dd upstream.
This patch fixes some code that implements a work-around to a hardware bug in
the ac97 controller on the pxa27x. A bug in the controller's warm reset
functionality requires that the mfp used by the controller as the AC97_nRESET
line be temporarily reconfigured as a generic output gpio (AF0) and manually
held high for the duration of the warm reset cycle. This is what was done in
the original code, but it was broken long ago by commit
fb1bf8cd
([ARM] pxa: introduce processor specific pxa27x_assert_ac97reset())
which changed the mfp to a GPIO input instead of a high output.
The fix requires the ac97 controller to obtain the gpio via gpio_request_one(),
with arguments that configure the gpio as an output initially driven high.
Tested on a palm treo 680 machine. Reportedly, this broken code only prevents a
warm reset on hardware that lacks a pull-up on the line, which appears to be the
case for me.
Signed-off-by: Mike Dunn <mikedunn@newsguy.com>
Signed-off-by: Igor Grinberg <grinberg@compulab.co.il>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Mike Dunn [Mon, 7 Jan 2013 21:55:12 +0000 (13:55 -0800)]
ALSA: pxa27x: fix ac97 cold reset
commit
41b645c8624df6ace020a8863ad1449d69140f7d upstream.
Cold reset on the pxa27x currently fails and
pxa2xx_ac97_try_cold_reset: cold reset timeout (GSR=0x44)
appears in the kernel log. Through trial-and-error (the pxa270 developer's
manual is mostly incoherent on the topic of ac97 reset), I got cold reset to
complete by setting the WARM_RST bit in the GCR register (and later noticed that
pxa3xx does this for cold reset as well). Also, a timeout loop is needed to
wait for the reset to complete.
Tested on a palm treo 680 machine.
Signed-off-by: Mike Dunn <mikedunn@newsguy.com>
Acked-by: Igor Grinberg <grinberg@compulab.co.il>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Axel Lin [Fri, 28 Dec 2012 09:09:03 +0000 (17:09 +0800)]
regulator: max8997: Use uV in voltage_map_desc
commit
bc3b7756b5ff66828acf7bc24f148d28b8d61108 upstream.
Current code does integer division (min_vol = min_uV / 1000) before pass
min_vol to max8997_get_voltage_proper_val().
So it is possible min_vol is truncated to a smaller value.
For example, if the request min_uV is 800900 for ldo.
min_vol = 800900 / 1000 = 800 (mV)
Then max8997_get_voltage_proper_val returns 800 mV for this case which is lower
than the requested voltage.
Use uV rather than mV in voltage_map_desc to prevent truncation by integer
division.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
[bwh: Backported to 3.2:
- Adjust context
- voltage_map_desc also has an n_bits field]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ian Abbott [Fri, 4 Jan 2013 11:33:21 +0000 (11:33 +0000)]
staging: comedi: comedi_test: fix race when cancelling command
commit
c0729eeefdcd76db338f635162bf0739fd2c5f6f upstream.
Éric Piel reported a kernel oops in the "comedi_test" module. It was a
NULL pointer dereference within `waveform_ai_interrupt()` (actually a
timer function) that sometimes occurred when a running asynchronous
command is cancelled (either by the `COMEDI_CANCEL` ioctl or by closing
the device file).
This seems to be a race between the caller of `waveform_ai_cancel()`
which on return from that function goes and tears down the running
command, and the timer function which uses the command. In particular,
`async->cmd.chanlist` gets freed (and the pointer set to NULL) by
`do_become_nonbusy()` in "comedi_fops.c" but a previously scheduled
`waveform_ai_interrupt()` timer function will dereference that pointer
regardless, leading to the oops.
Fix it by replacing the `del_timer()` call in `waveform_ai_cancel()`
with `del_timer_sync()`.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Reported-by: Éric Piel <piel@delmic.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Éric Piel [Wed, 19 Dec 2012 12:03:13 +0000 (13:03 +0100)]
staging: comedi: fix minimum AO period for NI 625x and NI 628x
commit
34b55d8c48f4f76044d8f4d6ec3dc786cf210312 upstream.
The minimum period was set to 357 ns, while the divider for these boards is 50
ns. This prevented to output at maximum speed as ni_ao_cmdtest() would return
357 but would not accept it.
Not sure why it was set to 357 ns (this was done before the git history,
which starts 5 years ago). My guess is that it comes from reading the
specification stating a 2.8 MHz rate (~ 357 ns). The latest
specification states a 2.86 MHz rate (~ 350 ns), which makes a lot
more sense.
Tested on a pci-6251.
Signed-off-by: Éric Piel <piel@delmic.com>
Acked-By: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.2: drop hunk for a board that's not listed]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Samuel Thibault [Mon, 7 Jan 2013 21:03:51 +0000 (22:03 +0100)]
staging: speakup: avoid out-of-range access in synth_add()
commit
6102c48bd421074a33e102f2ebda3724e8d275f9 upstream.
Check that array index is in-bounds before accessing the synths[] array.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Cc: Nickolai Zeldovich <nickolai@csail.mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Nickolai Zeldovich [Sat, 5 Jan 2013 19:17:45 +0000 (14:17 -0500)]
staging: speakup: avoid out-of-range access in synth_init()
commit
ae428655b826f2755a8101b27beda42a275ef8ad upstream.
Check that array index is in-bounds before accessing the synths[] array.
Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu>
Cc: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Larry Finger [Sat, 29 Dec 2012 17:36:53 +0000 (11:36 -0600)]
staging: r8712u: Add new device ID
commit
da849a92d3bafaf24d770e971c2c9e5c3f60b5d1 upstream.
The ISY IWL 1000 USB WLAN stick with USB ID 050d:11f1 is a clone of
the Belkin F7D1101 V1 device.
Reported-by: Thomas Hartmann <hartmann@ict.tuwien.ac.at>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Thomas Hartmann <hartmann@ict.tuwien.ac.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Chris Wilson [Wed, 2 Jan 2013 10:31:22 +0000 (10:31 +0000)]
drm/i915; Only increment the user-pin-count after successfully pinning the bo
commit
93be8788e648817d62fda33e2998eb6ca6ebf3a3 upstream.
As along the error path we do not correct the user pin-count for the
failure, we may end up with userspace believing that it has a pinned
object at offset 0 (when interrupted by a signal for example).
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Shuah Khan [Thu, 25 Oct 2012 16:22:32 +0000 (10:22 -0600)]
ioat: Fix DMA memory sync direction correct flag
commit
ac4989874af56435c308bdde9ad9c837a26f8b23 upstream.
ioat does DMA memory sync with DMA_TO_DEVICE direction on a buffer allocated
for DMA_FROM_DEVICE dma, resulting in the following warning from dma debug.
Fixed the dma_sync_single_for_device() call to use the correct direction.
[ 226.288947] WARNING: at lib/dma-debug.c:990 check_sync+0x132/0x550()
[ 226.288948] Hardware name: ProLiant DL380p Gen8
[ 226.288951] ioatdma 0000:00:04.0: DMA-API: device driver syncs DMA memory with different direction [device address=0x00000000ffff7000] [size=4096 bytes] [mapped with DMA_FROM_DEVICE] [synced with DMA_TO_DEVICE]
[ 226.288953] Modules linked in: iTCO_wdt(+) sb_edac(+) ioatdma(+) microcode serio_raw pcspkr edac_core hpwdt(+) iTCO_vendor_support hpilo(+) dca acpi_power_meter ata_generic pata_acpi sd_mod crc_t10dif ata_piix libata hpsa tg3 netxen_nic(+) sunrpc dm_mirror dm_region_hash dm_log dm_mod
[ 226.288967] Pid: 1055, comm: work_for_cpu Tainted: G W 3.3.0-0.20.el7.x86_64 #1
[ 226.288968] Call Trace:
[ 226.288974] [<
ffffffff810644cf>] warn_slowpath_common+0x7f/0xc0
[ 226.288977] [<
ffffffff810645c6>] warn_slowpath_fmt+0x46/0x50
[ 226.288980] [<
ffffffff81345502>] check_sync+0x132/0x550
[ 226.288983] [<
ffffffff81345c9f>] debug_dma_sync_single_for_device+0x3f/0x50
[ 226.288988] [<
ffffffff81661002>] ? wait_for_common+0x72/0x180
[ 226.288995] [<
ffffffffa019590f>] ioat_xor_val_self_test+0x3e5/0x832 [ioatdma]
[ 226.288999] [<
ffffffff811a5739>] ? kfree+0x259/0x270
[ 226.289004] [<
ffffffffa0195d77>] ioat3_dma_self_test+0x1b/0x20 [ioatdma]
[ 226.289008] [<
ffffffffa01952c3>] ioat_probe+0x2f8/0x348 [ioatdma]
[ 226.289011] [<
ffffffffa0195f51>] ioat3_dma_probe+0x1d5/0x2aa [ioatdma]
[ 226.289016] [<
ffffffffa0194d12>] ioat_pci_probe+0x139/0x17c [ioatdma]
[ 226.289020] [<
ffffffff81354b8c>] local_pci_probe+0x5c/0xd0
[ 226.289023] [<
ffffffff81083e50>] ? destroy_work_on_stack+0x20/0x20
[ 226.289025] [<
ffffffff81083e68>] do_work_for_cpu+0x18/0x30
[ 226.289029] [<
ffffffff8108d997>] kthread+0xb7/0xc0
[ 226.289033] [<
ffffffff8166cef4>] kernel_thread_helper+0x4/0x10
[ 226.289036] [<
ffffffff81662d20>] ? _raw_spin_unlock_irq+0x30/0x50
[ 226.289038] [<
ffffffff81663234>] ? retint_restore_args+0x13/0x13
[ 226.289041] [<
ffffffff8108d8e0>] ? kthread_worker_fn+0x1a0/0x1a0
[ 226.289044] [<
ffffffff8166cef0>] ? gs_change+0x13/0x13
[ 226.289045] ---[ end trace
e1618afc7a606089 ]---
[ 226.289047] Mapped at:
[ 226.289048] [<
ffffffff81345307>] debug_dma_map_page+0x87/0x150
[ 226.289050] [<
ffffffffa019653c>] dma_map_page.constprop.18+0x70/0xb34 [ioatdma]
[ 226.289054] [<
ffffffffa0195702>] ioat_xor_val_self_test+0x1d8/0x832 [ioatdma]
[ 226.289058] [<
ffffffffa0195d77>] ioat3_dma_self_test+0x1b/0x20 [ioatdma]
[ 226.289061] [<
ffffffffa01952c3>] ioat_probe+0x2f8/0x348 [ioatdma]
Signed-off-by: Shuah Khan <shuah.khan@hp.com>
Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Mark Brown [Fri, 4 Jan 2013 21:18:12 +0000 (21:18 +0000)]
ASoC: wm2000: Fix sense of speech clarity enable
commit
267f8fa2e1eef0612b2007e1f1846bcbc35cc1fa upstream.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Bing Zhao [Thu, 3 Jan 2013 00:07:35 +0000 (16:07 -0800)]
mwifiex: check wait_event_interruptible return value
commit
9c969d8ccb1e17bd20742f4ac9f00c1a64487234 upstream.
wait_event_interruptible function returns -ERESTARTSYS if it's
interrupted by a signal. Driver should check the return value
and handle this case properly.
In mwifiex_wait_queue_complete() routine, as we are now checking
wait_event_interruptible return value, the condition check is not
required. Also, we have removed mwifiex_cancel_pending_ioctl()
call to avoid a chance of sending second command to FW by other path
as soon as we clear current command node. FW can not handle two
commands simultaneously.
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Amitkumar Karwar [Thu, 2 Feb 2012 04:41:43 +0000 (20:41 -0800)]
mwifiex: handle association failure case correctly
commit
b7097eb75fa11c302dcdec83f1dbfa874e0af0d1 upstream.
Currently even if association is failed "iw link" shows some
information about connected BSS and "Tx timeout" error is seen in
dmesg log.
This patch fixes below issues in the code to handle assoc failure
case correctly.
1) "status" variable in mwifiex_wait_queue_complete() is not
correctly updated. Hence driver doesn't inform cfg80211 stack
about association failure.
2) During association network queues are stopped but carrier is
not cleared, which gives Tx timeout error in failure case
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Mark Brown [Fri, 4 Jan 2013 21:06:08 +0000 (21:06 +0000)]
ASoC: wm5100: Remove DSP B and left justified formats
commit
5f960294e2031d12f10c8488c3446fecbf59628d upstream.
These are not supported
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Sarah Sharp [Tue, 27 Nov 2012 20:30:23 +0000 (12:30 -0800)]
xhci: Avoid "dead ports", add roothub port polling.
commit
c52804a472649b2e5005342308739434cbd51119 upstream.
The USB core hub thread (khubd) is designed with external USB hubs in
mind. It expects that if a port status change bit is set, the hub will
continue to send a notification through the hub status data transfer.
Basically, it expects hub notifications to be level-triggered.
The xHCI host controller is designed to be edge-triggered on the logical
'OR' of all the port status change bits. When all port status change
bits are clear, and a new change bit is set, the xHC will generate a
Port Status Change Event. If another change bit is set in the same port
status register before the first bit is cleared, it will not send
another event.
This means that the hub code may lose port status changes because of
race conditions between clearing change bits. The user sees this as a
"dead port" that doesn't react to device connects.
The fix is to turn on port polling whenever a new change bit is set.
Once the USB core issues a hub status request that shows that no change
bits are set in any USB ports, turn off port polling.
We can't allow the USB core to poll the roothub for port events during
host suspend because if the PCI host is in D3cold, the port registers
will be all f's. Instead, stop the port polling timer, and
unconditionally restart it when the host resumes. If there are no port
change bits set after the resume, the first call to hub_status_data will
disable polling.
This patch should be backported to stable kernels with the first xHCI
support, 2.6.31 and newer, that include the commit
0f2a79300a1471cf92ab43af165ea13555c8b0a5 "USB: xhci: Root hub support."
There will be merge conflicts because the check for HC_STATE_SUSPENDED
was moved into xhci_suspend in 3.8.
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Sarah Sharp [Thu, 15 Nov 2012 01:58:04 +0000 (17:58 -0800)]
USB: Handle warm reset failure on empty port.
commit
65bdac5effd15d6af619b3b7218627ef4d84ed6a upstream.
An empty port can transition to either Inactive or Compliance Mode if a
newly connected USB 3.0 device fails to link train. In that case, we
issue a warm reset. Some devices, such as John's Roseweil eusb3
enclosure, slip back into Compliance Mode after the warm reset.
The current warm reset code does not check for device connect status on
warm reset completion, and it incorrectly reports the warm reset
succeeded. This causes the USB core to attempt to send a Set Address
control transfer to a port in Compliance Mode, which will always fail.
Make hub_port_wait_reset check the current connect status and link state
after the warm reset completes. Return a failure status if the device
is disconnected or the link state is Compliance Mode or SS.Inactive.
Make hub_events disable the port if warm reset fails. This will disable
the port, and then bring it back into the RxDetect state. Make the USB
core ignore the connect change until the device reconnects.
Note that this patch does NOT handle connected devices slipping into the
Inactive state very well. This is a concern, because devices can go
into the Inactive state on U1/U2 exit failure. However, the fix for
that case is too large for stable, so it will be submitted in a separate
patch.
This patch should be backported to kernels as old as 3.2, contain the
commit ID
75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine warm
reset logic"
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: John Covici <covici@ccs.covici.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Sarah Sharp [Thu, 15 Nov 2012 22:58:04 +0000 (14:58 -0800)]
USB: Ignore port state until reset completes.
commit
4f43447e62b37ee19c82a13f72f35b1ca60a74d3 upstream.
The port reset code bails out early if the current connect status is
cleared (device disconnected). If we're issuing a hot reset, it may
also look at the link state before the reset is finished.
Section 10.14.2.6 of the USB 3.0 spec says that when a port enters the
Error state or Resetting state, the port connection bit retains the
value from the previous state. Therefore we can't trust it until the
reset finishes. Also, the xHCI spec section 4.19.1.2.5 says software
shall ignore the link state while the port is resetting, as it can be in
an unknown state.
The port state during reset is also unknown for USB 2.0 hubs. The hub
sends a reset signal by driving the bus into an SE0 state. This
overwhelms the "connect" signal from the device, so the port can't tell
whether anything is connected or not.
Fix the port reset code to ignore the port link state and current
connect bit until the reset finishes, and USB_PORT_STAT_RESET is
cleared.
Remove the check for USB_PORT_STAT_C_BH_RESET in the warm reset case,
because it's redundant. When the warm reset finishes, the port reset
bit will be cleared at the same time USB_PORT_STAT_C_BH_RESET is set.
Remove the now-redundant check for a cleared USB_PORT_STAT_RESET bit
in the code to deal with the finished reset.
This patch should be backported to all stable kernels.
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Sarah Sharp [Thu, 15 Nov 2012 01:16:52 +0000 (17:16 -0800)]
USB: Increase reset timeout.
commit
77c7f072c87fa951e9a74805febf26466f31170c upstream.
John's NEC 0.96 xHCI host controller needs a longer timeout for a warm
reset to complete. The logs show it takes 650ms to complete the warm
reset, so extend the hub reset timeout to 800ms to be on the safe side.
This commit should be backported to kernels as old as 3.2, that contain
the commit
75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine
warm reset logic".
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: John Covici <covici@ccs.covici.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Sarah Sharp [Thu, 15 Nov 2012 00:42:32 +0000 (16:42 -0800)]
USB: Allow USB 3.0 ports to be disabled.
commit
41e7e056cdc662f704fa9262e5c6e213b4ab45dd upstream.
If hot and warm reset fails, or a port remains in the Compliance Mode,
the USB core needs to be able to disable a USB 3.0 port. Unlike USB 2.0
ports, once the port is placed into the Disabled link state, it will not
report any new device connects. To get device connect notifications, we
need to put the link into the Disabled state, and then the RxDetect
state.
The xHCI driver needs to atomically clear all change bits on USB 3.0
port disable, so that we get Port Status Change Events for future port
changes. We could technically do this in the USB core instead of in the
xHCI roothub code, since the port state machine can't advance out of the
disabled state until we set the link state to RxDetect. However,
external USB 3.0 hubs don't need this code. They are level-triggered,
not edge-triggered like xHCI, so they will continue to send interrupt
events when any change bit is set. Therefore it doesn't make sense to
put this code in the USB core.
This patch is part of a series to fix several reports of infinite loops
on device enumeration failure. This includes John, when he boots with
a USB 3.0 device (Roseweil eusb3 enclosure) attached to his NEC 0.96
host controller. The fix requires warm reset support, so it does not
make sense to backport this patch to stable kernels without warm reset
support.
This patch should be backported to kernels as old as 3.2, contain the
commit ID
75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine warm
reset logic"
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: John Covici <covici@ccs.covici.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Sarah Sharp [Thu, 15 Nov 2012 00:10:49 +0000 (16:10 -0800)]
USB: Ignore xHCI Reset Device status.
commit
8b8132bc3d1cc3d4c0687e4d638a482fa920d98a upstream.
When the USB core finishes reseting a USB device, the xHCI driver sends
a Reset Device command to the host. The xHC then updates its internal
representation of the USB device to the 'Default' device state. If the
device was already in the Default state, the xHC will complete the
command with an error status.
If a device needs to be reset several times during enumeration, the
second reset will always fail because of the xHCI Reset Device command.
This can cause issues during enumeration.
For example, usb_reset_and_verify_device calls into hub_port_init in a
loop. Say that on the first call into hub_port_init, the device is
successfully reset, but doesn't respond to several set address control
transfers. Then the port will be disabled, but the udev will remain in
tact. usb_reset_and_verify_device will call into hub_port_init again.
On the second call into hub_port_init, the device will be reset, and the
xHCI driver will issue a Reset Device command. This command will fail
(because the device is already in the Default state), and
usb_reset_and_verify_device will fail. The port will be disabled, and
the device won't be able to enumerate.
Fix this by ignoring the return value of the HCD reset_device callback.
This commit should be backported to kernels as old as 3.2, that contain
the commit
75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine
warm reset logic".
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Sarah Sharp [Wed, 14 Nov 2012 23:58:52 +0000 (15:58 -0800)]
USB: Handle auto-transition from hot to warm reset.
commit
1c7439c61fa6516419c32a9824976334ea969d47 upstream.
USB 3.0 hubs and roothubs will automatically transition a failed hot
reset to a warm (BH) reset. In that case, the warm reset change bit
will be set, and the link state change bit may also be set. Change
hub_port_finish_reset to unconditionally clear those change bits for USB
3.0 hubs. If these bits are not cleared, we may lose port change events
from the roothub.
This commit should be backported to kernels as old as 3.2, that contain
the commit
75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine
warm reset logic".
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Sarah Sharp [Mon, 17 Dec 2012 22:12:35 +0000 (14:12 -0800)]
xhci: Handle HS bulk/ctrl endpoints that don't NAK.
commit
55c1945edaac94c5338a3647bc2e85ff75d9cf36 upstream.
A high speed control or bulk endpoint may have bInterval set to zero,
which means it does not NAK. If bInterval is non-zero, it means the
endpoint NAKs at a rate of 2^(bInterval - 1).
The xHCI code to compute the NAK interval does not handle the special
case of zero properly. The current code unconditionally subtracts one
from bInterval and uses it as an exponent. This causes a very large
bInterval to be used, and warning messages like these will be printed:
usb 1-1: ep 0x1 - rounding interval to 32768 microframes, ep desc says 0 microframes
This may cause the xHCI host hardware to reject the Configure Endpoint
command, which means the HS device will be unusable under xHCI ports.
This patch should be backported to kernels as old as 2.6.31, that contain
commit
dfa49c4ad120a784ef1ff0717168aa79f55a483a "USB: xhci - fix math in
xhci_get_endpoint_interval()".
Reported-by: Vincent Pelletier <plr.vincent@gmail.com>
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Johannes Berg [Thu, 13 Dec 2012 22:08:52 +0000 (23:08 +0100)]
mac80211: use del_timer_sync for final sta cleanup timer deletion
commit
a56f992cdabc63f56b4b142885deebebf936ff76 upstream.
This is a very old bug, but there's nothing that prevents the
timer from running while the module is being removed when we
only do del_timer() instead of del_timer_sync().
The timer should normally not be running at this point, but
it's not clearly impossible (or we could just remove this.)
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Alexander Graf [Wed, 2 Jan 2013 05:07:17 +0000 (15:37 +1030)]
virtio-blk: Don't free ida when disk is in use
commit
f4953fe6c4aeada2d5cafd78aa97587a46d2d8f9 upstream.
When a file system is mounted on a virtio-blk disk, we then remove it
and then reattach it, the reattached disk gets the same disk name and
ids as the hot removed one.
This leads to very nasty effects - mostly rendering the newly attached
device completely unusable.
Trying what happens when I do the same thing with a USB device, I saw
that the sd node simply doesn't get free'd when a device gets forcefully
removed.
Imitate the same behavior for vd devices. This way broken vd devices
simply are never free'd and newly attached ones keep working just fine.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Sergei Shtylyov [Wed, 14 Nov 2012 15:49:50 +0000 (18:49 +0300)]
usb: musb: core: print new line in the driver banner again
commit
2ac788f705e5118dd45204e7a5bc8d5bb6873835 upstream.
Commit
5c8a86e10a7c164f44537fabdc169fd8b4e7a440 (usb: musb: drop unneeded
musb_debug trickery) erroneously removed '\n' from the driver's banner.
Concatenate all the banner substrings while adding it back...
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Sebastian Andrzej Siewior [Tue, 20 Nov 2012 12:23:15 +0000 (13:23 +0100)]
usb: gadget: dummy: fix enumeration with g_multi
commit
1d16638e3b9cc195bac18a8fcbca748f33c1bc24 upstream.
If we do have endpoints named like "ep-a" then bEndpointAddress is
counted internally by the gadget framework.
If we do have endpoints named like "ep-1" then bEndpointAddress is
assigned from the digit after "ep-".
If we do have both, then it is likely that after we used up the
"generic" endpoints we will use the digits and thus assign one
bEndpointAddress to multiple endpoints.
This theory can be proofed by using the completely enabled g_multi.
Without this patch, the mass storage won't enumerate and times out
because it shares endpoints with RNDIS.
This patch also adds fills up the endpoints list so we have in total
endpoints 1 to 15 in + out available while some of them are restricted
to certain types like BULK or ISO. Without this change the nokia gadget
won't load because the system does not provide enough (BULK) endpoints
but it did before ep-a - ep-f were removed.
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ben Hutchings [Wed, 16 Jan 2013 01:13:30 +0000 (01:13 +0000)]
Linux 3.2.37
Ed Cashin [Sat, 12 Jan 2013 11:43:35 +0000 (06:43 -0500)]
aoe: do not call bdi_init after blk_alloc_queue
commit
0a41409c518083133e79015092585d68915865be upstream.
blk_alloc_queue has already done a bdi_init, so do not bdi_init
again in aoeblk_gdalloc. The extra call causes list corruption
in the per-CPU backing dev info stats lists.
Affected users see console WARNINGs about list_del corruption on
percpu_counter_destroy when doing "rmmod aoe" or "aoeflush -a"
when AoE targets have been detected and initialized by the
system.
The patch below applies to v3.6.11, with its v47 aoe driver. It
is expected to apply to all currently maintained stable kernels
except 3.7.y. A related but different fix has been posted for
3.7.y.
References:
RedHat bugzilla ticket with original report
https://bugzilla.redhat.com/show_bug.cgi?id=853064
LKML discussion of bug and fix
http://thread.gmane.org/gmane.linux.kernel/1416336/focus=1416497
Reported-by: Josh Boyer <jwboyer@redhat.com>
Signed-off-by: Ed Cashin <ecashin@coraid.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Zhang Rui [Tue, 4 Dec 2012 22:23:16 +0000 (23:23 +0100)]
ACPI : do not use Lid and Sleep button for S5 wakeup
commit
b7e383046c2c7c13ad928cd7407eafff758ddd4b upstream.
When system enters power off, the _PSW of Lid device is enabled.
But this may cause the system to reboot instead of power off.
A proper way to fix this is to always disable lid wakeup capability for S5.
References: https://bugzilla.kernel.org/show_bug.cgi?id=35262
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Tatyana Nikolova [Thu, 6 Dec 2012 19:58:27 +0000 (19:58 +0000)]
RDMA/nes: Fix for terminate timer crash
commit
7bfcfa51c35cdd2d37e0d70fc11790642dd11fb3 upstream.
The terminate timer needs to be initialized just once.
Signed-off-by: Tatyana Nikolova <Tatyana.E.Nikolova@intel.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Tatyana Nikolova [Thu, 6 Dec 2012 20:05:02 +0000 (20:05 +0000)]
RDMA/nes: Fix for crash when registering zero length MR for CQ
commit
7d9c199a55200c9b9fcad08e150470d02fb385be upstream.
Signed-off-by: Tatyana Nikolova <Tatyana.E.Nikolova@intel.com>
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Jianpeng Ma [Sat, 4 Aug 2012 02:34:14 +0000 (10:34 +0800)]
mvsas: Fix oops when ata commond timeout.
commit
95ab000388974d8ffef8257306b4be6e8778b768 upstream.
Kernel message follows:
[ 511.712011] sd 11:0:0:0: [sdf] command
ffff8800a4e81400 timed out
[ 511.712022] sas: Enter sas_scsi_recover_host busy: 1 failed: 1
[ 511.712024] sas: trying to find task 0xffff8800a4d24c80
[ 511.712026] sas: sas_scsi_find_task: aborting task 0xffff8800a4d24c80
[ 511.712029] drivers/scsi/mvsas/mv_sas.c 1631:mvs_abort_task()
mvi=
ffff8800b5300000 task=
ffff8800a4d24c80 slot=
ffff8800b5325038
slot_idx=x0
[ 511.712035] BUG: unable to handle kernel NULL pointer dereference at
0000000000000058
[ 511.712040] IP: [<
ffffffff815f8c0c>] _raw_spin_lock_irqsave+0xc/0x30
[ 511.712047] PGD 0
[ 511.712049] Oops: 0002 [#1] SMP
[ 511.712052] Modules linked in: mvsas libsas scsi_transport_sas
raid456 async_pq async_xor xor async_memcpy async_raid6_recov raid6_pq
async_tx [last unloaded: mvsas]
[ 511.712062] CPU 3
[ 511.712066] Pid: 7322, comm: scsi_eh_11 Not tainted 3.5.0+ #106 To Be
Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M.
[ 511.712068] RIP: 0010:[<
ffffffff815f8c0c>] [<
ffffffff815f8c0c>]
_raw_spin_lock_irqsave+0xc/0x30
[ 511.712073] RSP: 0018:
ffff880098d3bcb0 EFLAGS:
00010086
[ 511.712074] RAX:
0000000000000286 RBX:
0000000000000058 RCX:
00000000000000c3
[ 511.712076] RDX:
0000000000000100 RSI:
0000000000000046 RDI:
0000000000000058
[ 511.712078] RBP:
ffff880098d3bcb0 R08:
000000000000000a R09:
0000000000000000
[ 511.712080] R10:
00000000000004e8 R11:
00000000000004e7 R12:
ffff8800a4d24c80
[ 511.712082] R13:
0000000000000050 R14:
ffff8800b5325038 R15:
ffff8800a4eafe00
[ 511.712084] FS:
0000000000000000(0000) GS:
ffff8800bdb80000(0000)
knlGS:
0000000000000000
[ 511.712086] CS: 0010 DS: 0000 ES: 0000 CR0:
000000008005003b
[ 511.712088] CR2:
0000000000000058 CR3:
00000000a4ce6000 CR4:
00000000000407e0
[ 511.712090] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 511.712091] DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
[ 511.712093] Process scsi_eh_11 (pid: 7322, threadinfo
ffff880098d3a000, task
ffff8800a61dde40)
[ 511.712095] Stack:
[ 511.712096]
ffff880098d3bce0 ffffffff81060683 ffff880000000000
0000000000000000
[ 511.712099]
ffff8800a4d24c80 ffff8800b5300000 ffff880098d3bcf0
ffffffffa0076a88
[ 511.712102]
ffff880098d3bd50 ffffffffa0079bb5 ffff880000000000
ffff880000000018
[ 511.712106] Call Trace:
[ 511.712110] [<
ffffffff81060683>] complete+0x23/0x60
[ 511.712115] [<
ffffffffa0076a88>] mvs_tmf_timedout+0x18/0x20 [mvsas]
[ 511.712119] [<
ffffffffa0079bb5>] mvs_slot_complete+0x765/0x7d0
[mvsas]
[ 511.712125] [<
ffffffffa005a17d>] sas_scsi_recover_host+0x55d/0xdb0
[libsas]
[ 511.712128] [<
ffffffff8106d600>] ? idle_balance+0xe0/0x130
[ 511.712133] [<
ffffffff813b150c>] scsi_error_handler+0xcc/0x470
[ 511.712136] [<
ffffffff815f7ad0>] ? __schedule+0x370/0x730
[ 511.712139] [<
ffffffff8105f728>] ? __wake_up_common+0x58/0x90
[ 511.712142] [<
ffffffff813b1440>] ? scsi_eh_get_sense+0x110/0x110
[ 511.712146] [<
ffffffff810571be>] kthread+0x8e/0xa0
[ 511.712150] [<
ffffffff816015f4>] kernel_thread_helper+0x4/0x10
[ 511.712153] [<
ffffffff81057130>] ? flush_kthread_work+0x120/0x120
[ 511.712156] [<
ffffffff816015f0>] ? gs_change+0xb/0xb
[ 511.712157] Code: 8a 00 01 00 00 89 d0 f0 66 0f b1 0f 66 39 d0 0f 94
c0 0f b6 c0 5d c3 0f 1f 84 00 00 00 00 00 55 48 89 e5 9c 58 fa ba 00 01
00 00 <f0> 66 0f c1 17 0f b6 ce 38 d1 74 11 0f 1f 84 00 00 00 00 00 f3
[ 511.712191] RIP [<
ffffffff815f8c0c>] _raw_spin_lock_irqsave+0xc/0x30
[ 511.712194] RSP <
ffff880098d3bcb0>
[ 511.712196] CR2:
0000000000000058
[ 511.712198] ---[ end trace
a781c7b1e65db92c ]---
Signed-off-by: Jianpeng Ma <majianpeng@gmail.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Eric Dumazet [Sun, 21 Oct 2012 19:57:11 +0000 (19:57 +0000)]
tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation
[ Upstream commit
354e4aa391ed50a4d827ff6fc11e0667d0859b25 ]
RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation]
All TCP stacks MAY implement the following mitigation. TCP stacks
that implement this mitigation MUST add an additional input check to
any incoming segment. The ACK value is considered acceptable only if
it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
SND.NXT). All incoming segments whose ACK value doesn't satisfy the
above condition MUST be discarded and an ACK sent back.
Move tcp_send_challenge_ack() before tcp_ack() to avoid a forward
declaration.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Jerry Chu <hkchu@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Eric Dumazet [Tue, 13 Nov 2012 05:37:18 +0000 (05:37 +0000)]
tcp: tcp_replace_ts_recent() should not be called from tcp_validate_incoming()
[ Upstream commit
bd090dfc634ddd711a5fbd0cadc6e0ab4977bcaf ]
We added support for RFC 5961 in latest kernels but TCP fails
to perform exhaustive check of ACK sequence.
We can update our view of peer tsval from a frame that is
later discarded by tcp_ack()
This makes timestamps enabled sessions vulnerable to injection of
a high tsval : peers start an ACK storm, since the victim
sends a dupack each time it receives an ACK from the other peer.
As tcp_validate_incoming() is called before tcp_ack(), we should
not peform tcp_replace_ts_recent() from it, and let callers do it
at the right time.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Nandita Dukkipati <nanditad@google.com>
Cc: H.K. Jerry Chu <hkchu@google.com>
Cc: Romain Francoise <romain@orebokech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Eric Dumazet [Tue, 17 Jul 2012 12:29:30 +0000 (12:29 +0000)]
tcp: refine SYN handling in tcp_validate_incoming
[ Upstream commit
e371589917011efe6ff8c7dfb4e9e81934ac5855 ]
Followup of commit
0c24604b68fc (tcp: implement RFC 5961 4.2)
As reported by Vijay Subramanian, we should send a challenge ACK
instead of a dup ack if a SYN flag is set on a packet received out of
window.
This permits the ratelimiting to work as intended, and to increase
correct SNMP counters.
Suggested-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Cc: Kiran Kumar Kella <kkiran@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Eric Dumazet [Tue, 17 Jul 2012 01:41:30 +0000 (01:41 +0000)]
tcp: implement RFC 5961 4.2
[ Upstream commit
0c24604b68fc7810d429d6c3657b6f148270e528 ]
Implement the RFC 5691 mitigation against Blind
Reset attack using SYN bit.
Section 4.2 of RFC 5961 advises to send a Challenge ACK and drop
incoming packet, instead of resetting the session.
Add a new SNMP counter to count number of challenge acks sent
in response to SYN packets.
(netstat -s | grep TCPSYNChallenge)
Remove obsolete TCPAbortOnSyn, since we no longer abort a TCP session
because of a SYN flag.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kiran Kumar Kella <kkiran@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Eric Dumazet [Tue, 17 Jul 2012 08:13:05 +0000 (10:13 +0200)]
tcp: implement RFC 5961 3.2
[ Upstream commit
282f23c6ee343126156dd41218b22ece96d747e3 ]
Implement the RFC 5691 mitigation against Blind
Reset attack using RST bit.
Idea is to validate incoming RST sequence,
to match RCV.NXT value, instead of previouly accepted
window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)
If sequence is in window but not an exact match, send
a "challenge ACK", so that the other part can resend an
RST with the appropriate sequence.
Add a new sysctl, tcp_challenge_ack_limit, to limit
number of challenge ACK sent per second.
Add a new SNMP counter to count number of challenge acks sent.
(netstat -s | grep TCPChallengeACK)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kiran Kumar Kella <kkiran@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Stefan Hasko [Fri, 21 Dec 2012 15:04:59 +0000 (15:04 +0000)]
net: sched: integer overflow fix
[ Upstream commit
d2fe85da52e89b8012ffad010ef352a964725d5f ]
Fixed integer overflow in function htb_dequeue
Signed-off-by: Stefan Hasko <hasko.stevo@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Christoph Paasch [Fri, 14 Dec 2012 04:07:58 +0000 (04:07 +0000)]
inet: Fix kmemleak in tcp_v4/6_syn_recv_sock and dccp_v4/6_request_recv_sock
[ Upstream commit
e337e24d6624e74a558aa69071e112a65f7b5758 ]
If in either of the above functions inet_csk_route_child_sock() or
__inet_inherit_port() fails, the newsk will not be freed:
unreferenced object 0xffff88022e8a92c0 (size 1592):
comm "softirq", pid 0, jiffies
4294946244 (age 726.160s)
hex dump (first 32 bytes):
0a 01 01 01 0a 01 01 02 00 00 00 00 a7 cc 16 00 ................
02 00 03 01 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<
ffffffff8153d190>] kmemleak_alloc+0x21/0x3e
[<
ffffffff810ab3e7>] kmem_cache_alloc+0xb5/0xc5
[<
ffffffff8149b65b>] sk_prot_alloc.isra.53+0x2b/0xcd
[<
ffffffff8149b784>] sk_clone_lock+0x16/0x21e
[<
ffffffff814d711a>] inet_csk_clone_lock+0x10/0x7b
[<
ffffffff814ebbc3>] tcp_create_openreq_child+0x21/0x481
[<
ffffffff814e8fa5>] tcp_v4_syn_recv_sock+0x3a/0x23b
[<
ffffffff814ec5ba>] tcp_check_req+0x29f/0x416
[<
ffffffff814e8e10>] tcp_v4_do_rcv+0x161/0x2bc
[<
ffffffff814eb917>] tcp_v4_rcv+0x6c9/0x701
[<
ffffffff814cea9f>] ip_local_deliver_finish+0x70/0xc4
[<
ffffffff814cec20>] ip_local_deliver+0x4e/0x7f
[<
ffffffff814ce9f8>] ip_rcv_finish+0x1fc/0x233
[<
ffffffff814cee68>] ip_rcv+0x217/0x267
[<
ffffffff814a7bbe>] __netif_receive_skb+0x49e/0x553
[<
ffffffff814a7cc3>] netif_receive_skb+0x50/0x82
This happens, because sk_clone_lock initializes sk_refcnt to 2, and thus
a single sock_put() is not enough to free the memory. Additionally, things
like xfrm, memcg, cookie_values,... may have been initialized.
We have to free them properly.
This is fixed by forcing a call to tcp_done(), ending up in
inet_csk_destroy_sock, doing the final sock_put(). tcp_done() is necessary,
because it ends up doing all the cleanup on xfrm, memcg, cookie_values,
xfrm,...
Before calling tcp_done, we have to set the socket to SOCK_DEAD, to
force it entering inet_csk_destroy_sock. To avoid the warning in
inet_csk_destroy_sock, inet_num has to be set to 0.
As inet_csk_destroy_sock does a dec on orphan_count, we first have to
increase it.
Calling tcp_done() allows us to remove the calls to
tcp_clear_xmit_timer() and tcp_cleanup_congestion_control().
A similar approach is taken for dccp by calling dccp_done().
This is in the kernel since
093d282321 (tproxy: fix hash locking issue
when using port redirection in __inet_inherit_port()), thus since
version >= 2.6.37.
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Dave Kleikamp [Mon, 17 Dec 2012 17:52:47 +0000 (11:52 -0600)]
sparc: huge_ptep_set_* functions need to call set_huge_pte_at()
[ Upstream commit
6cb9c3697585c47977c42c5cc1b9fc49247ac530 ]
Modifying the huge pte's requires that all the underlying pte's be
modified.
Version 2: added missing flush_tlb_page()
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: sparclinux@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Steven Rostedt [Mon, 12 Dec 2011 20:22:41 +0000 (15:22 -0500)]
ftrace: Do not function trace inlined functions
commit
45959ee7aa645815a5ce303a0ea1e48a21e67c6a upstream.
When gcc inlines a function, it does not mark it with the mcount
prologue, which in turn means that inlined functions are not traced
by the function tracer. But if CONFIG_OPTIMIZE_INLINING is set, then
gcc is allowed not to inline a function that is marked inline.
Depending on the options and the compiler, a function may or may
not be traced by the function tracer, depending on whether gcc
decides to inline a function or not. This has caused several
problems in the pass becaues gcc is not always consistent with
what it decides to inline between different gcc versions.
Some places should not be traced (like paravirt native_* functions)
and these are mostly marked as inline. When gcc decides not to
inline the function, and if that function should not be traced, then
the ftrace function tracer will suddenly break when it use to work
fine. This becomes even harder to debug when different versions of
gcc will not inline that function, making the same kernel and config
work for some gcc versions and not work for others.
By making all functions marked inline to not be traced will remove
the ambiguity that gcc adds when it comes to tracing functions marked
inline. All gcc versions will be consistent with what functions are
traced and having volatile working code will be removed.
Note, only the inline macro when CONFIG_OPTIMIZE_INLINING is set needs
to have notrace added, as the attribute __always_inline will force
the function to be inlined and then not traced.
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Stanislaw Gruszka [Mon, 3 Dec 2012 11:59:04 +0000 (12:59 +0100)]
Revert: "rt2x00: Don't let mac80211 send a BAR when an AMPDU subframe fails"
commit
ab9d6e4ffe192427ce9e93d4f927b0faaa8a941e upstream.
This revert:
commit
be03d4a45c09ee5100d3aaaedd087f19bc20d01f
Author: Andreas Hartmann <andihartmann@01019freenet.de>
Date: Tue Apr 17 00:25:28 2012 +0200
rt2x00: Don't let mac80211 send a BAR when an AMPDU subframe fails
To fix problem workaround by above commit use
IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL flag (see change log for
"mac80211: introduce IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL" patch).
Resolve: https://bugzilla.kernel.org/show_bug.cgi?id=42828
Bisected-by: Francisco Pina Martins <f.pinamartins@gmail.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Stanislaw Gruszka [Mon, 3 Dec 2012 11:56:33 +0000 (12:56 +0100)]
mac80211: introduce IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL
commit
5b632fe85ec82e5c43740b52e74c66df50a37db3 upstream.
Commit
f0425beda4d404a6e751439b562100b902ba9c98 "mac80211: retry sending
failed BAR frames later instead of tearing down aggr" caused regression
on rt2x00 hardware (connection hangs). This regression was fixed by
commit
be03d4a45c09ee5100d3aaaedd087f19bc20d01 "rt2x00: Don't let
mac80211 send a BAR when an AMPDU subframe fails". But the latter
commit caused yet another problem reported in
https://bugzilla.kernel.org/show_bug.cgi?id=42828#c22
After long discussion in this thread:
http://mid.gmane.org/
20121018075615.GA18212@redhat.com
and testing various alternative solutions, which failed on one or other
setup, we have no other good fix for the issues like just revert both
mentioned earlier commits.
To do not affect other hardware which benefit from commit
f0425beda4d404a6e751439b562100b902ba9c98, instead of reverting it,
introduce flag that when used will restore mac80211 behaviour before
the commit.
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
[replaced link with mid.gmane.org that has message-id]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Andreas Hartmann [Mon, 16 Apr 2012 22:25:28 +0000 (00:25 +0200)]
rt2x00: Don't let mac80211 send a BAR when an AMPDU subframe fails
commit
be03d4a45c09ee5100d3aaaedd087f19bc20d01f upstream.
There are connection stalls or very poor throughputs with rt2800
hardware using 802.11n in AP mode since patch "mac80211: retry sending
failed BAR frames later instead of tearing down aggr"[1][2].
Since rt2800 hardware is not able to correctly report the tx status of
BAR frames, this patch removes as workaround the existing error handling
on AP side, which lets mac80211 send a BAR when an AMPDU subframe fails.
As a result, most wifi clients (aside from Intel STAs on Windows)
instead will timeout now the reorder buffer and request the lost frame
again.
The correct solution would be, to tear down BA session on AP side.
This patch was born on the basis of "[RFT] rt2x00: Tear down BA
session on QoS frame failure"[3].
Thanks to Helmut Schaa for his support!
[1] http://thread.gmane.org/gmane.linux.kernel.wireless.general/83297/focus=83304
[2] http://git.kernel.org/?p=linux/kernel/git/linville/wireless-testing.git;a=commit;h=
f0425beda4d404a6e751439b562100b902ba9c98
[3] http://thread.gmane.org/gmane.linux.drivers.rt2x00.user/569
Signed-off-by: Andreas Hartmann <andihartmann@01019freenet.de>
Acked-by: Helmut Schaa <helmut.schaa@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Eric Wong [Tue, 1 Jan 2013 21:20:27 +0000 (21:20 +0000)]
epoll: prevent missed events on EPOLL_CTL_MOD
commit
128dd1759d96ad36c379240f8b9463e8acfd37a1 upstream.
EPOLL_CTL_MOD sets the interest mask before calling f_op->poll() to
ensure events are not missed. Since the modifications to the interest
mask are not protected by the same lock as ep_poll_callback, we need to
ensure the change is visible to other CPUs calling ep_poll_callback.
We also need to ensure f_op->poll() has an up-to-date view of past
events which occured before we modified the interest mask. So this
barrier also pairs with the barrier in wq_has_sleeper().
This should guarantee either ep_poll_callback or f_op->poll() (or both)
will notice the readiness of a recently-ready/modified item.
This issue was encountered by Andreas Voellmy and Junchang(Jason) Wang in:
http://thread.gmane.org/gmane.linux.kernel/1408782/
Signed-off-by: Eric Wong <normalperson@yhbt.net>
Cc: Hans Verkuil <hans.verkuil@cisco.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Davide Libenzi <davidel@xmailserver.org>
Cc: Hans de Goede <hdegoede@redhat.com>
Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
Cc: David Miller <davem@davemloft.net>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andreas Voellmy <andreas.voellmy@yale.edu>
Tested-by: "Junchang(Jason) Wang" <junchang.wang@yale.edu>
Cc: netdev@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Namjae Jeon [Tue, 9 Oct 2012 15:09:12 +0000 (00:09 +0900)]
udf: don't increment lenExtents while writing to a hole
commit
fb719c59bdb4fca86ee1fd1f42ab3735ca12b6b2 upstream.
Incrementing lenExtents even while writing to a hole is bad
for performance as calls to udf_discard_prealloc and
udf_truncate_tail_extent would not return from start if
isize != lenExtents
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Ashish Sangwan <a.sangwan@samsung.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Tony Prisk [Fri, 4 Jan 2013 23:35:48 +0000 (15:35 -0800)]
drivers/rtc/rtc-vt8500.c: fix handling of data passed in struct rtc_time
commit
2f90b68309683f2c5765a1b04ca23d71e51f1494 upstream.
tm_mon is 0..11, whereas vt8500 expects 1..12 for the month field,
causing invalid date errors for January, and causing the day field to
roll over incorrectly.
The century flag is only handled in vt8500_rtc_read_time, but not set in
vt8500_rtc_set_time. This patch corrects the behaviour of the century
flag.
Signed-off-by: Edgar Toernig <froese@gmx.de>
Signed-off-by: Tony Prisk <linux@prisktech.co.nz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Tony Prisk [Fri, 4 Jan 2013 23:35:47 +0000 (15:35 -0800)]
drivers/rtc/rtc-vt8500.c: correct handling of CR_24H bitfield
commit
532db570e5181abc8f4f7bfa6c77c69ec2240198 upstream.
Control register bitfield for 12H/24H mode is handled incorrectly.
Setting CR_24H actually enables 12H mode. This patch renames the define
and changes the initialization code to correctly set 24H mode.
Signed-off-by: Tony Prisk <linux@prisktech.co.nz>
Cc: Edgar Toernig <froese@gmx.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Michal Hocko [Fri, 4 Jan 2013 23:35:12 +0000 (15:35 -0800)]
mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT
commit
53a59fc67f97374758e63a9c785891ec62324c81 upstream.
Since commit
e303297e6c3a ("mm: extended batches for generic
mmu_gather") we are batching pages to be freed until either
tlb_next_batch cannot allocate a new batch or we are done.
This works just fine most of the time but we can get in troubles with
non-preemptible kernel (CONFIG_PREEMPT_NONE or CONFIG_PREEMPT_VOLUNTARY)
on large machines where too aggressive batching might lead to soft
lockups during process exit path (exit_mmap) because there are no
scheduling points down the free_pages_and_swap_cache path and so the
freeing can take long enough to trigger the soft lockup.
The lockup is harmless except when the system is setup to panic on
softlockup which is not that unusual.
The simplest way to work around this issue is to limit the maximum
number of batches in a single mmu_gather. 10k of collected pages should
be safe to prevent from soft lockups (we would have 2ms for one) even if
they are all freed without an explicit scheduling point.
This patch doesn't add any new explicit scheduling points because it
relies on zap_pmd_range during page tables zapping which calls
cond_resched per PMD.
The following lockup has been reported for 3.0 kernel with a huge
process (in order of hundreds gigs but I do know any more details).
BUG: soft lockup - CPU#56 stuck for 22s! [kernel:31053]
Modules linked in: af_packet nfs lockd fscache auth_rpcgss nfs_acl sunrpc mptctl mptbase autofs4 binfmt_misc dm_round_robin dm_multipath bonding cpufreq_conservative cpufreq_userspace cpufreq_powersave pcc_cpufreq mperf microcode fuse loop osst sg sd_mod crc_t10dif st qla2xxx scsi_transport_fc scsi_tgt netxen_nic i7core_edac iTCO_wdt joydev e1000e serio_raw pcspkr edac_core iTCO_vendor_support acpi_power_meter rtc_cmos hpwdt hpilo button container usbhid hid dm_mirror dm_region_hash dm_log linear uhci_hcd ehci_hcd usbcore usb_common scsi_dh_emc scsi_dh_alua scsi_dh_hp_sw scsi_dh_rdac scsi_dh dm_snapshot pcnet32 mii edd dm_mod raid1 ext3 mbcache jbd fan thermal processor thermal_sys hwmon cciss scsi_mod
Supported: Yes
CPU 56
Pid: 31053, comm: kernel Not tainted 3.0.31-0.9-default #1 HP ProLiant DL580 G7
RIP: 0010: _raw_spin_unlock_irqrestore+0x8/0x10
RSP: 0018:
ffff883ec1037af0 EFLAGS:
00000206
RAX:
0000000000000e00 RBX:
ffffea01a0817e28 RCX:
ffff88803ffd9e80
RDX:
0000000000000200 RSI:
0000000000000206 RDI:
0000000000000206
RBP:
0000000000000002 R08:
0000000000000001 R09:
ffff887ec724a400
R10:
0000000000000000 R11:
dead000000200200 R12:
ffffffff8144c26e
R13:
0000000000000030 R14:
0000000000000297 R15:
000000000000000e
FS:
00007ed834282700(0000) GS:
ffff88c03f200000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
000000008005003b
CR2:
000000000068b240 CR3:
0000003ec13c5000 CR4:
00000000000006e0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
Process kernel (pid: 31053, threadinfo
ffff883ec1036000, task
ffff883ebd5d4100)
Call Trace:
release_pages+0xc5/0x260
free_pages_and_swap_cache+0x9d/0xc0
tlb_flush_mmu+0x5c/0x80
tlb_finish_mmu+0xe/0x50
exit_mmap+0xbd/0x120
mmput+0x49/0x120
exit_mm+0x122/0x160
do_exit+0x17a/0x430
do_group_exit+0x3d/0xb0
get_signal_to_deliver+0x247/0x480
do_signal+0x71/0x1b0
do_notify_resume+0x98/0xb0
int_signal+0x12/0x17
DWARF2 unwinder stuck at int_signal+0x12/0x17
Signed-off-by: Michal Hocko <mhocko@suse.cz>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Rik van Riel <riel@redhat.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Rafael J. Wysocki [Fri, 4 Jan 2013 22:00:54 +0000 (23:00 +0100)]
ACPI / scan: Do not use dummy HID for system bus ACPI nodes
commit
4f5f64cf0cc916220aaa055992e31195470cfe37 upstream.
At one point acpi_device_set_id() checks if acpi_device_hid(device)
returns NULL, but that never happens, so system bus devices with an
empty list of PNP IDs are given the dummy HID ("device") instead of
the "system bus HID" ("LNXSYBUS"). Fix the code to use the right
check.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Trond Myklebust [Fri, 4 Jan 2013 17:23:21 +0000 (12:23 -0500)]
SUNRPC: Ensure that we free the rpc_task after cleanups are done
commit
c6567ed1402c55e19b012e66a8398baec2a726f3 upstream.
This patch ensures that we free the rpc_task after the cleanup callbacks
are done in order to avoid a deadlock problem that can be triggered if
the callback needs to wait for another workqueue item to complete.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Weston Andros Adamson <dros@netapp.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Bruce Fields <bfields@fieldses.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Xi Wang [Fri, 4 Jan 2013 08:22:57 +0000 (03:22 -0500)]
nfs: fix null checking in nfs_get_option_str()
commit
e25fbe380c4e3c09afa98bcdcd9d3921443adab8 upstream.
The following null pointer check is broken.
*option = match_strdup(args);
return !option;
The pointer `option' must be non-null, and thus `!option' is always false.
Use `!*option' instead.
The bug was introduced in commit
c5cb09b6f8 ("Cleanup: Factor out some
cut-and-paste code.").
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Lothar Waßmann [Thu, 22 Nov 2012 12:49:14 +0000 (13:49 +0100)]
video: mxsfb: fix crash when unblanking the display
commit
6c1ecba8d84841277d68140ef485335d5be28485 upstream.
The VDCTRL4 register does not provide the MXS SET/CLR/TOGGLE feature.
The write in mxsfb_disable_controller() sets the data_cnt for the LCD
DMA to 0 which obviously means the max. count for the LCD DMA and
leads to overwriting arbitrary memory when the display is unblanked.
Signed-off-by: Lothar Waßmann <LW@KARO-electronics.de>
Acked-by: Juergen Beisert <jbe@pengutronix.de>
Tested-by: Lauri Hintsala <lauri.hintsala@bluegiga.net>
Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Aaro Koskinen [Mon, 31 Dec 2012 01:34:59 +0000 (03:34 +0200)]
drm/nouveau: fix init with agpgart-uninorth
commit
eda85d6ad490923152544fba0473798b6cc0edf6 upstream.
Check that the AGP aperture can be mapped. This follows a similar change
done for Radeon (commit
365048ff, drm/radeon: AGP memory is only I/O if
the aperture can be mapped by the CPU.).
The patch fixes the following error seen on G5 iMac:
nouveau E[ DRM] failed to create kernel channel, -12
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=58806
Reviewed-by: Michel Dänzer <michel@daenzer.net>
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Dave Airlie <airlied@redhat.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Niels Ole Salscheider [Thu, 3 Jan 2013 18:09:28 +0000 (19:09 +0100)]
drm/radeon: Properly handle DDC probe for DP bridges
commit
0a9069d34918659bc8a89e21e69e60b2b83291a3 upstream.
DDC information can be accessed using AUX CH
Fixes failure to probe monitors on some systems with
DP bridge chips.
agd5f: minor fixes
Signed-off-by: Niels Ole Salscheider <niels_ole@salscheider-online.de>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Alex Deucher [Thu, 20 Dec 2012 21:35:47 +0000 (16:35 -0500)]
drm/radeon: add connector table for Mac G4 Silver
commit
cafa59b9011a7790be4ddd5979419259844a165d upstream.
Apple cards do not provide data tables in the vbios
so we have to hard code the connector parameters
in the driver.
Reported-by: Albrecht Dreß <albrecht.dress@arcor.de>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Alex Deucher [Wed, 2 May 2012 16:10:21 +0000 (12:10 -0400)]
drm/radeon: add connector table for SAM440ep embedded board
commit
6a556039e7823d27a0a7f7724d4d455053ea9253 upstream.
RV250 found on ppc embedded boards.
Cc: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gabor Juhos [Thu, 20 Dec 2012 03:44:28 +0000 (03:44 +0000)]
powerpc: Add missing NULL terminator to avoid boot panic on PPC40x
commit
e6449c9b2d90c1bd9a5985bf05ddebfd1631cd6b upstream.
The missing NULL terminator can cause a panic on
PPC405 boards during boot:
Linux/PowerPC load: console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs,jffs2 noinitrd init=/etc/preinit
Finalizing device tree... flat tree at 0x6a5160
bootconsole [udbg0] enabled
Page fault in user mode with in_atomic() = 1 mm = (null)
NIP =
c0275f50 MSR =
fffffffe
Oops: Weird page fault, sig: 11 [#1]
PowerPC 40x Platform
Modules linked in:
NIP:
c0275f50 LR:
c0275f60 CTR:
c0280000
REGS:
c0275eb0 TRAP:
636f7265 Not tainted (3.7.1)
MSR:
fffffffe <VEC,VSX,EE,PR,FP,ME,SE,BE,IR,DR,PMM,RI> CR:
c06a6190 XER:
00000001
TASK =
c02662a8[0] 'swapper' THREAD:
c0274000
GPR00:
c0275ec0 c000c658 c027c4bf 00000000 c0275ee0 c000a0ec c020a1a8 c020a1f0
GPR08:
c020f631 c020f404 c025f078 c025f080 c0275f10
Call Trace:
---[ end trace
31fd0ba7d8756001 ]---
Kernel panic - not syncing: Attempted to kill the idle task!
The panic happens since commit
9597abe00c1bab2aedce6b49866bf6d1e81c9eed
(sections: fix section conflicts in arch/powerpc), however the root
cause of this is that the NULL terminator were not added in commit
a4f740cf33f7f6c164bbde3c0cdbcc77b0c4997c (of/flattree: Add of_flat_dt_match()
helper function).
Cc: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Shan Hai [Thu, 8 Nov 2012 15:57:49 +0000 (15:57 +0000)]
powerpc/vdso: Remove redundant locking in update_vsyscall_tz()
commit
ce73ec6db47af84d1466402781ae0872a9e7873c upstream.
The locking in update_vsyscall_tz() is not only unnecessary because the vdso
code copies the data unproteced in __kernel_gettimeofday() but also
introduces a hard to reproduce race condition between update_vsyscall()
and update_vsyscall_tz(), which causes user space process to loop
forever in vdso code.
The following patch removes the locking from update_vsyscall_tz().
Locking is not only unnecessary because the vdso code copies the data
unprotected in __kernel_gettimeofday() but also erroneous because updating
the tb_update_count is not atomic and introduces a hard to reproduce race
condition between update_vsyscall() and update_vsyscall_tz(), which further
causes user space process to loop forever in vdso code.
The below scenario describes the race condition,
x==0 Boot CPU other CPU
proc_P: x==0
timer interrupt
update_vsyscall
x==1 x++;sync settimeofday
update_vsyscall_tz
x==2 x++;sync
x==3 sync;x++
sync;x++
proc_P: x==3 (loops until x becomes even)
Because the ++ operator would be implemented as three instructions and not
atomic on powerpc.
A similar change was made for x86 in commit
6c260d58634
("x86: vdso: Remove bogus locking in update_vsyscall_tz")
Signed-off-by: Shan Hai <shan.hai@windriver.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Christian Lamparter [Thu, 27 Dec 2012 14:18:20 +0000 (15:18 +0100)]
p54usb: add USBIDs for two more p54usb devices
commit
4010fe21a315b4223c25376714c6a2b61b722e5c upstream.
This patch adds USBIDs for:
- DrayTek Vigor 530
- Zoom 4410a
It also adds a note about Gemtek WUBI-100GW
and SparkLAN WL-682 USBID conflict [WUBI-100GW
is a ISL3886+NET2280 (LM86 firmare) solution,
whereas WL-682 is a ISL3887 (LM87 firmware)]
device.
Source: <http://www.wikidevi.com/wiki/Intersil/p54/usb/windows>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Sujith Manoharan [Wed, 26 Dec 2012 06:57:39 +0000 (12:27 +0530)]
ath9k_hw: Fix RX gain initvals for AR9485
commit
a796a1dd5da9645ad77aa687d1a890ecd63ab5a6 upstream.
Populate iniModesRxGain with the correct initvals
array for AR9485 v1.1
Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
[bwh: Backported to 3.2:
- Adjust context
- INIT_INI_ARRAY takes additional size and columns arguments]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Tomasz Guszkowski [Sat, 22 Dec 2012 17:30:01 +0000 (18:30 +0100)]
p54usb: add USB ID for T-Com Sinus 154 data II
commit
3194b7fcdf6caea338b5d2c72d76fed80437649c upstream.
Added USB ID for T-Com Sinus 154 data II.
Signed-off-by: Tomasz Guszkowski <tsg@o2.pl>
Acked-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Hugh Dickins [Wed, 2 Jan 2013 10:01:33 +0000 (02:01 -0800)]
tmpfs mempolicy: fix /proc/mounts corrupting memory
commit
f2a07f40dbc603c15f8b06e6ec7f768af67b424f upstream.
Recently I suggested using "mount -o remount,mpol=local /tmp" in NUMA
mempolicy testing. Very nasty. Reading /proc/mounts, /proc/pid/mounts
or /proc/pid/mountinfo may then corrupt one bit of kernel memory, often
in a page table (causing "Bad swap" or "Bad page map" warning or "Bad
pagetable" oops), sometimes in a vm_area_struct or rbnode or somewhere
worse. "mpol=prefer" and "mpol=prefer:Node" are equally toxic.
Recent NUMA enhancements are not to blame: this dates back to 2.6.35,
when commit
e17f74af351c "mempolicy: don't call mpol_set_nodemask() when
no_context" skipped mpol_parse_str()'s call to mpol_set_nodemask(),
which used to initialize v.preferred_node, or set MPOL_F_LOCAL in flags.
With slab poisoning, you can then rely on mpol_to_str() to set the bit
for node 0x6b6b, probably in the next page above the caller's stack.
mpol_parse_str() is only called from shmem_parse_options(): no_context
is always true, so call it unused for now, and remove !no_context code.
Set v.nodes or v.preferred_node or MPOL_F_LOCAL as mpol_to_str() might
expect. Then mpol_to_str() can ignore its no_context argument also,
the mpol being appropriately initialized whether contextualized or not.
Rename its no_context unused too, and let subsequent patch remove them
(that's not needed for stable backporting, which would involve rejects).
I don't understand why MPOL_LOCAL is described as a pseudo-policy:
it's a reasonable policy which suffers from a confusing implementation
in terms of MPOL_PREFERRED with MPOL_F_LOCAL. I believe this would be
much more robust if MPOL_LOCAL were recognized in switch statements
throughout, MPOL_F_LOCAL deleted, and MPOL_PREFERRED use the (possibly
empty) nodes mask like everyone else, instead of its preferred_node
variant (I presume an optimization from the days before MPOL_LOCAL).
But that would take me too long to get right and fully tested.
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Jeff Layton [Thu, 27 Dec 2012 13:05:03 +0000 (08:05 -0500)]
cifs: adjust sequence number downward after signing NT_CANCEL request
commit
31efee60f489c759c341454d755a9fd13de8c03d upstream.
When a call goes out, the signing code adjusts the sequence number
upward by two to account for the request and the response. An NT_CANCEL
however doesn't get a response of its own, it just hurries the server
along to get it to respond to the original request more quickly.
Therefore, we must adjust the sequence number back down by one after
signing a NT_CANCEL request.
Reported-by: Tim Perry <tdparmor-sambabugs@yahoo.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Christoffer Dall [Fri, 21 Dec 2012 18:03:50 +0000 (13:03 -0500)]
mm: Fix PageHead when !CONFIG_PAGEFLAGS_EXTENDED
commit
ad4b3fb7ff9940bcdb1e4cd62bd189d10fa636ba upstream.
Unfortunately with !CONFIG_PAGEFLAGS_EXTENDED, (!PageHead) is false, and
(PageHead) is true, for tail pages. If this is indeed the intended
behavior, which I doubt because it breaks cache cleaning on some ARM
systems, then the nomenclature is highly problematic.
This patch makes sure PageHead is only true for head pages and PageTail
is only true for tail pages, and neither is true for non-compound pages.
[ This buglet seems ancient - seems to have been introduced back in Apr
2008 in commit
6a1e7f777f61: "pageflags: convert to the use of new
macros". And the reason nobody noticed is because the PageHead()
tests are almost all about just sanity-checking, and only used on
pages that are actual page heads. The fact that the old code returned
true for tail pages too was thus not really noticeable. - Linus ]
Signed-off-by: Christoffer Dall <cdall@cs.columbia.edu>
Acked-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Will Deacon <Will.Deacon@arm.com>
Cc: Steve Capper <Steve.Capper@arm.com>
Cc: Christoph Lameter <cl@linux.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Andy Lutomirski [Sat, 1 Dec 2012 20:37:20 +0000 (12:37 -0800)]
PCI: Reduce Ricoh 0xe822 SD card reader base clock frequency to 50MHz
commit
812089e01b9f65f90fc8fc670d8cce72a0e01fbb upstream.
Otherwise it fails like this on cards like the Transcend 16GB SDHC card:
mmc0: new SDHC card at address b368
mmcblk0: mmc0:b368 SDC 15.0 GiB
mmcblk0: error -110 sending status command, retrying
mmcblk0: error -84 transferring data, sector 0, nr 8, cmd response 0x900, card status 0xb0
Tested on my Lenovo x200 laptop.
[bhelgaas: changelog]
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Chris Ball <cjb@laptop.org>
CC: Manoj Iyer <manoj.iyer@canonical.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Michael Tokarev [Tue, 25 Dec 2012 19:08:16 +0000 (14:08 -0500)]
ext4: do not try to write superblock on ro remount w/o journal
commit
d096ad0f79a782935d2e06ae8fb235e8c5397775 upstream.
When a journal-less ext4 filesystem is mounted on a read-only block
device (blockdev --setro will do), each remount (for other, unrelated,
flags, like suid=>nosuid etc) results in a series of scary messages
from kernel telling about I/O errors on the device.
This is becauese of the following code ext4_remount():
if (sbi->s_journal == NULL)
ext4_commit_super(sb, 1);
at the end of remount procedure, which forces writing (flushing) of
a superblock regardless whenever it is dirty or not, if the filesystem
is readonly or not, and whenever the device itself is readonly or not.
We only need call ext4_commit_super when the file system had been
previously mounted read/write.
Thanks to Eric Sandeen for help in diagnosing this issue.
Signed-off-By: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Chris Verges [Fri, 21 Dec 2012 09:58:34 +0000 (01:58 -0800)]
hwmon: (lm73} Detect and report i2c bus errors
commit
0602934f302e016e2ea5dc6951681bfac77455ef upstream.
If an LM73 device does not exist on an I2C bus, attempts to communicate
with the device result in an error code returned from the i2c read/write
functions. The current lm73 driver casts that return value from a s32
type to a s16 type, then converts it to a temperature in celsius.
Because negative temperatures are valid, it is difficult to distinguish
between an error code printed to the response buffer and a negative
temperature recorded by the sensor.
The solution is to evaluate the return value from the i2c functions
before performing any temperature calculations. If the i2c function did
not succeed, the error code should be passed back through the virtual
file system layer instead of being printed into the response buffer.
Before:
$ cat /sys/class/hwmon/hwmon0/device/temp1_input
-46
After:
$ cat /sys/class/hwmon/hwmon0/device/temp1_input
cat: read error: No such device or address
Signed-off-by: Chris Verges <kg4ysn@gmail.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Jan Kara [Fri, 21 Dec 2012 05:15:51 +0000 (00:15 -0500)]
jbd2: fix assertion failure in jbd2_journal_flush()
commit
d7961c7fa4d2e3c3f12be67e21ba8799b5a7238a upstream.
The following race is possible between start_this_handle() and someone
calling jbd2_journal_flush().
Process A Process B
start_this_handle().
if (journal->j_barrier_count) # false
if (!journal->j_running_transaction) { #true
read_unlock(&journal->j_state_lock);
jbd2_journal_lock_updates()
jbd2_journal_flush()
write_lock(&journal->j_state_lock);
if (journal->j_running_transaction) {
# false
... wait for committing trans ...
write_unlock(&journal->j_state_lock);
...
write_lock(&journal->j_state_lock);
if (!journal->j_running_transaction) { # true
jbd2_get_transaction(journal, new_transaction);
write_unlock(&journal->j_state_lock);
goto repeat; # eventually blocks on j_barrier_count > 0
...
J_ASSERT(!journal->j_running_transaction);
# fails
We fix the race by rechecking j_barrier_count after reacquiring j_state_lock
in exclusive mode.
Reported-by: yjwsignal@empal.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Jan Kara [Thu, 20 Dec 2012 05:07:18 +0000 (00:07 -0500)]
ext4: check dioread_nolock on remount
commit
261cb20cb2f0737a247aaf08dff7eb065e3e5b66 upstream.
Currently we allow enabling dioread_nolock mount option on remount for
filesystems where blocksize < PAGE_CACHE_SIZE. This isn't really
supported so fix the bug by moving the check for blocksize !=
PAGE_CACHE_SIZE into parse_options(). Change the original PAGE_SIZE to
PAGE_CACHE_SIZE along the way because that's what we are really
interested in.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Krzysztof Mazur [Wed, 19 Dec 2012 10:03:41 +0000 (11:03 +0100)]
i915: ensure that VGA plane is disabled
commit
0fde901f1ddd2ce0e380a6444f1fb7ca555859e9 upstream.
Some broken systems (like HP nc6120) in some cases, usually after LID
close/open, enable VGA plane, making display unusable (black screen on LVDS,
some strange mode on VGA output). We used to disable VGA plane only once at
startup. Now we also check, if VGA plane is still disabled while changing
mode, and fix that if something changed it.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=57434
Signed-off-by: Krzysztof Mazur <krzysiek@podlesie.net>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
[bwh: Backported to 3.2: intel_modeset_setup_hw_state() does not
exist, so call i915_redisable_vga() directly from intel_lid_notify()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Forrest Liu [Mon, 17 Dec 2012 14:55:39 +0000 (09:55 -0500)]
ext4: fix extent tree corruption caused by hole punch
commit
c36575e663e302dbaa4d16b9c72d2c9a913a9aef upstream.
When depth of extent tree is greater than 1, logical start value of
interior node is not correctly updated in ext4_ext_rm_idx.
Signed-off-by: Forrest Liu <forrestl@synology.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Reviewed-by: Ashish Sangwan <ashishsangwan2@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ben Hutchings [Thu, 3 Jan 2013 03:34:00 +0000 (03:34 +0000)]
Linux 3.2.36
Marco Stornelli [Fri, 13 Jan 2012 01:20:58 +0000 (17:20 -0800)]
ramoops: fix use of rounddown_pow_of_two()
commit
fdb5950754eb3dedb9fea7c8828d3e51d9dbc3f7 upstream.
The return value of rounddown_pow_of_two wasn't evaluated, so the
operation was a no-op.
Signed-off-by: Marco Stornelli <marco.stornelli@gmail.com>
Reported-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: WANG Cong <xiyou.wangcong@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Malcolm Priestley [Sun, 11 Nov 2012 16:07:57 +0000 (16:07 +0000)]
staging: vt6656: 64bit fixes: vCommandTimerWait change calculation of timer.
commit
70e227790d4ee4590023d8041a3485f8053593fc upstream.
The timer appears to run too fast/race on 64 bit systems.
Using msecs_to_jiffies seems to cause a deadlock on 64 bit.
A calculation of (MSecond * HZ) / 1000 appears to run satisfactory.
Change BSSIDInfoCount to u32.
After this patch the driver can be successfully connect on little endian 64/32 bit systems.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Malcolm Priestley [Sun, 11 Nov 2012 15:49:59 +0000 (15:49 +0000)]
staging: vt6656: 64bit fixes: key.c/h change unsigned long to u32
commit
c0d05b305b00c698b0a8c1b3d46c9380bce9db45 upstream.
Fixes long issues.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Malcolm Priestley [Sun, 11 Nov 2012 15:45:52 +0000 (15:45 +0000)]
staging: vt6656: 64 bit fixes: fix long warning messages.
commit
b4dc03af5513774277c9c36b12a25cd3f25f4404 upstream.
Fixes long warning messages from patch
[PATCH 08/14] staging: vt6656: 64 bit fixes : correct all type sizes
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Malcolm Priestley [Sun, 11 Nov 2012 15:41:25 +0000 (15:41 +0000)]
staging: vt6656: 64 bit fixes : correct all type sizes
commit
7730492855a2f9c828599bcd8d62760f96d319e4 upstream.
After this patch all BYTE/WORD/DWORD types can be replaced with the appropriate u sizes.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Malcolm Priestley [Sun, 11 Nov 2012 15:32:05 +0000 (15:32 +0000)]
staging: vt6656: 64 bit fixes: use u32 for QWORD definition.
commit
a552397d5e4ef0cc0bd3e9595d6acc9a3b381171 upstream.
Size of long issues replace with u32.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Malcolm Priestley [Sun, 7 Oct 2012 07:27:00 +0000 (08:27 +0100)]
staging: vt6656: [BUG] out of bound array reference in RFbSetPower.
commit
ab1dd9963137a1e122004d5378a581bf16ae9bc8 upstream.
Calling RFbSetPower with uCH zero value will cause out of bound array reference.
This causes 64 bit kernels to oops on boot.
Note: Driver does not function on 64 bit kernels and should be
blacklisted on them.
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Namjae Jeon [Tue, 9 Oct 2012 15:08:56 +0000 (00:08 +0900)]
udf: fix memory leak while allocating blocks during write
commit
2fb7d99d0de3fd8ae869f35ab682581d8455887a upstream.
Need to brelse the buffer_head stored in cur_epos and next_epos.
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Ashish Sangwan <a.sangwan@samsung.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
David Rientjes [Tue, 29 May 2012 22:06:23 +0000 (15:06 -0700)]
thp, memcg: split hugepage for memcg oom on cow
commit
1f1d06c34f7675026326cd9f39ff91e4555cf355 upstream.
On COW, a new hugepage is allocated and charged to the memcg. If the
system is oom or the charge to the memcg fails, however, the fault
handler will return VM_FAULT_OOM which results in an oom kill.
Instead, it's possible to fallback to splitting the hugepage so that the
COW results only in an order-0 page being allocated and charged to the
memcg which has a higher liklihood to succeed. This is expensive
because the hugepage must be split in the page fault handler, but it is
much better than unnecessarily oom killing a process.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Johannes Weiner <jweiner@redhat.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Ben Hutchings [Thu, 27 Dec 2012 18:39:54 +0000 (19:39 +0100)]
Revert "mm: vmscan: fix endless loop in kswapd balancing"
This reverts commit
39d18dc4b8b0c000fa681cbae10ac3f8a132814b which
was commit
60cefed485a02bd99b6299dad70666fe49245da7 upstream.
This was not needed and is not suitable for 3.2.y.
Reported-by: Johannes Weiner <hannes@cmpxchg.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Mike Miller [Thu, 20 Sep 2012 21:05:18 +0000 (16:05 -0500)]
hpsa: gen8plus Smart Array IDs
commit
fe0c9610bb68dd0aad1017456f5e3c31264d70c2 upstream.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Mauro Carvalho Chehab [Tue, 16 Oct 2012 00:48:48 +0000 (21:48 -0300)]
i82975x_edac: Fix dimm label initialization
commit
479696840239e0cc43efb3c917bdcad2174d2215 upstream.
The driver has only 4 hardcoded labels, but allows much more memory.
Fix it by removing the hardcoded logic, using snprintf() instead.
[ 19.833972] general protection fault: 0000 [#1] SMP
[ 19.837733] Modules linked in: i82975x_edac(+) edac_core firewire_ohci firewire_core crc_itu_t nouveau mxm_wmi wmi video i2c_algo_bit drm_kms_helper ttm drm i2c_core
[ 19.837733] CPU 0
[ 19.837733] Pid: 390, comm: udevd Not tainted 3.6.1-1.fc17.x86_64.debug #1 Dell Inc. Precision WorkStation 390 /0MY510
[ 19.837733] RIP: 0010:[<
ffffffff813463a8>] [<
ffffffff813463a8>] strncpy+0x18/0x30
[ 19.837733] RSP: 0018:
ffff880078535b68 EFLAGS:
00010202
[ 19.837733] RAX:
ffff880069fa9708 RBX:
ffff880078588000 RCX:
ffff880069fa9708
[ 19.837733] RDX:
000000000000001f RSI:
5f706f5f63616465 RDI:
ffff880069fa9708
[ 19.837733] RBP:
ffff880078535b68 R08:
ffff880069fa9727 R09:
000000000000fffe
[ 19.837733] R10:
0000000000000000 R11:
0000000000000000 R12:
0000000000000003
[ 19.837733] R13:
0000000000000000 R14:
ffff880069fa9290 R15:
ffff880079624a80
[ 19.837733] FS:
00007f3de01ee840(0000) GS:
ffff88007c400000(0000) knlGS:
0000000000000000
[ 19.837733] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 19.837733] CR2:
00007f3de00b9000 CR3:
0000000078dbc000 CR4:
00000000000007f0
[ 19.837733] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 19.837733] DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
[ 19.837733] Process udevd (pid: 390, threadinfo
ffff880078534000, task
ffff880079642450)
[ 19.837733] Stack:
[ 19.837733]
ffff880078535c18 ffffffffa017c6b8 00040000816d627f ffff880079624a88
[ 19.837733]
ffffc90004cd6000 ffff880079624520 ffff88007ac21148 0000000000000000
[ 19.837733]
0000000000000000 0004000000000000 feda000078535bc8 ffffffff810d696d
[ 19.837733] Call Trace:
[ 19.837733] [<
ffffffffa017c6b8>] i82975x_init_one+0x2e6/0x3e6 [i82975x_edac]
...
Fix bug reported at:
https://bugzilla.redhat.com/show_bug.cgi?id=848149
And, very likely:
https://bbs.archlinux.org/viewtopic.php?id=148033
https://bugzilla.kernel.org/show_bug.cgi?id=47171
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
[bwh: Backported to 3.2:
- Adjust context
- Use csrow->channels[chan].label not csrow->channels[chan]->dimm->label]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Dan Carpenter [Mon, 3 Dec 2012 19:05:12 +0000 (22:05 +0300)]
telephony: ijx: buffer overflow in ixj_write_cid()
[Not needed in 3.8 or newer as this driver is removed there. - gregkh]
We get this from user space and nothing has been done to ensure that
these strings are NUL terminated.
Reported-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Jiri Slaby [Thu, 13 Sep 2012 14:06:48 +0000 (16:06 +0200)]
MISC: hpilo, remove pci_disable_device
commit
bcdee04ea7ae0406ae69094f6df1aacb66a69a0b upstream.
pci_disable_device(pdev) used to be in pci remove function. But this
PCI device has two functions with interrupt lines connected to a
single pin. The other one is a USB host controller. So when we disable
the PIN there e.g. by rmmod hpilo, the controller stops working. It is
because the interrupt link is disabled in ACPI since it is not
refcounted yet. See acpi_pci_link_free_irq called from
acpi_pci_irq_disable.
It is not the best solution whatsoever, but as a workaround until the
ACPI irq link refcounting is sorted out this should fix the reported
errors.
References: https://lkml.org/lkml/2008/11/4/535
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Grant Grundler <grundler@parisc-linux.org>
Cc: Nobin Mathew <nobin.mathew@gmail.com>
Cc: Robert Hancock <hancockr@shaw.ca>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: David Altobelli <david.altobelli@hp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Johannes Berg [Sun, 4 Nov 2012 08:29:17 +0000 (09:29 +0100)]
iwlwifi: handle DMA mapping failures
commit
7c34158231b2eda8dcbd297be2bb1559e69cb433 upstream.
The RX replenish code doesn't handle DMA mapping failures,
which will cause issues if there actually is a failure. This
was reported by Shuah Khan who found a DMA mapping framework
warning ("device driver failed to check map error").
Reported-by: Shuah Khan <shuah.khan@hp.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[bwh: Backported to 3.2:
- Adjust filename, context, indentation
- Use bus(trans) instead of trans where necessary
- Use hw_params(trans).rx_page_order instead of trans_pcie->rx_page_order]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Jay Purohit [Sun, 14 Oct 2012 07:07:21 +0000 (07:07 +0000)]
usb/ipheth: Add iPhone 5 support
[ Upstream commit
af1b85e49089f945deb46258b0fc4bc9910afb22 ]
I noticed that the iPhone ethernet driver did not support
iPhone 5. I quickly added support to it in my kernel, here's
a patch.
Signed-off-by: Jay Purohit <jspurohit@velocitylimitless.com>
Acked-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
Signed-off-by: Jan Ceuleers <jan.ceuleers@computer.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Johannes Berg [Sun, 9 Dec 2012 23:41:06 +0000 (23:41 +0000)]
ipv4: ip_check_defrag must not modify skb before unsharing
[ Upstream commit
1bf3751ec90cc3174e01f0d701e8449ce163d113 ]
ip_check_defrag() might be called from af_packet within the
RX path where shared SKBs are used, so it must not modify
the input SKB before it has unshared it for defragmentation.
Use skb_copy_bits() to get the IP header and only pull in
everything later.
The same is true for the other caller in macvlan as it is
called from dev->rx_handler which can also get a shared SKB.
Reported-by: Eric Leblond <eric@regit.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Alexander Shiyan [Tue, 20 Nov 2012 09:59:11 +0000 (09:59 +0000)]
irda: sir_dev: Fix copy/paste typo
[ Upstream commit
2355a62bcbdcc4b567425bab036bfab6ade87eed ]
Signed-off-by: Alexander Shiyan <shc_work@mail.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Alan Cox [Tue, 20 Nov 2012 06:31:57 +0000 (06:31 +0000)]
ne2000: add the right platform device
[ Upstream commit
da9da01d9199b5bb15289d0859053c9aa3a34ac0 ]
Without this udev doesn't have a way to key the ne device to the platform
device.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Tommi Rantala [Thu, 22 Nov 2012 03:23:16 +0000 (03:23 +0000)]
sctp: fix -ENOMEM result with invalid user space pointer in sendto() syscall
[ Upstream commit
6e51fe7572590d8d86e93b547fab6693d305fd0d ]
Consider the following program, that sets the second argument to the
sendto() syscall incorrectly:
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
int main(void)
{
int fd;
struct sockaddr_in sa;
fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
if (fd < 0)
return 1;
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr("127.0.0.1");
sa.sin_port = htons(11111);
sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));
return 0;
}
We get -ENOMEM:
$ strace -e sendto ./demo
sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ENOMEM (Cannot allocate memory)
Propagate the error code from sctp_user_addto_chunk(), so that we will
tell user space what actually went wrong:
$ strace -e sendto ./demo
sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EFAULT (Bad address)
Noticed while running Trinity (the syscall fuzzer).
Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Tommi Rantala [Tue, 27 Nov 2012 04:01:46 +0000 (04:01 +0000)]
sctp: fix memory leak in sctp_datamsg_from_user() when copy from user space fails
[ Upstream commit
be364c8c0f17a3dd42707b5a090b318028538eb9 ]
Trinity (the syscall fuzzer) discovered a memory leak in SCTP,
reproducible e.g. with the sendto() syscall by passing invalid
user space pointer in the second argument:
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
int main(void)
{
int fd;
struct sockaddr_in sa;
fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
if (fd < 0)
return 1;
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr("127.0.0.1");
sa.sin_port = htons(11111);
sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));
return 0;
}
As far as I can tell, the leak has been around since ~2003.
Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
nikolay@redhat.com [Thu, 29 Nov 2012 01:37:59 +0000 (01:37 +0000)]
bonding: fix race condition in bonding_store_slaves_active
[ Upstream commit
e196c0e579902f42cf72414461fb034e5a1ffbf7 ]
Race between bonding_store_slaves_active() and slave manipulation
functions. The bond_for_each_slave use in bonding_store_slaves_active()
is not protected by any synchronization mechanism.
NULL pointer dereference is easy to reach.
Fixed by acquiring the bond->lock for the slave walk.
v2: Make description text < 75 columns
Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Sarveshwar Bandi [Wed, 21 Nov 2012 04:35:03 +0000 (04:35 +0000)]
bonding: Bonding driver does not consider the gso_max_size/gso_max_segs setting of slave devices.
[ Upstream commit
0e376bd0b791ac6ac6bdb051492df0769c840848 ]
Patch sets the lowest gso_max_size and gso_max_segs values of the slave devices during enslave and detach.
Signed-off-by: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Herton Ronaldo Krzesinski [Fri, 14 Dec 2012 12:38:02 +0000 (10:38 -0200)]
USB: cdc-wdm: fix regression on buffer deallocation
[ no commit upstream, since usb_alloc_coherent usage was removed from
the driver before this was fixed ]
Commit cafbe85 ("USB: cdc-wdm: better allocate a buffer that is at least
as big as we tell the USB core") introduced a regression: it changed
the size used in usb_alloc_coherent, but failed to do the same for the
usb_free_coherent calls.
It also was marked for stable and got backported to older kernels. But
in the upstream kernel, the usage of usb_alloc_coherent was right after
removed from the driver, so upstream doesn't have this problem, while
the stable kernels still have, and thus need this fix.
BugLink: https://bugs.launchpad.net/bugs/1074157
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Jani Nikula [Mon, 12 Nov 2012 12:33:45 +0000 (14:33 +0200)]
drm/i915: do not default to 18 bpp for eDP if missing from VBT
commit
9a30a61f3516871c5c638fd7c025fbaa11ddf7fe upstream.
commit
500a8cc466a24e2fbc4c86ef9c6467ae2ffdeb0c
Author: Zhenyu Wang <zhenyuw@linux.intel.com>
Date: Wed Jan 13 11:19:52 2010 +0800
drm/i915: parse eDP panel color depth from VBT block
originally introduced parsing bpp for eDP from VBT, with a default of 18
bpp if the eDP BIOS data block is not present. Turns out that default seems
to break the Macbook Pro with retina display, as noted in
commit
4344b813f105a19f793f1fd93ad775b784648b95
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Fri Aug 10 11:10:20 2012 +0200
drm/i915: ignore eDP bpc settings from vbt
Since we can't ignore bpc settings from VBT completely after all, get rid
of the default. Do not clamp eDP to 18 bpp by default if the eDP BDB is
missing from VBT.
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Tested-by: Henrik Rydberg <rydberg@euromail.se>
[danvet: paste in the updated commit message from irc.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Jani Nikula [Mon, 12 Nov 2012 12:33:44 +0000 (14:33 +0200)]
drm/i915: do not ignore eDP bpc settings from vbt
commit
2f4f649a69a9eb51f6e98130e19dd90a260a4145 upstream.
There are laptops out there that need the eDP bpc from VBT. This is
effectively a revert of
commit
4344b813f105a19f793f1fd93ad775b784648b95
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Fri Aug 10 11:10:20 2012 +0200
drm/i915: ignore eDP bpc settings from vbt
but putting the VBT check after the EDID check to see them both in dmesg if
this clamps more than the EDID. We have enough history with bpc clamping to
warrant the extra debug info.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=47641
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=56401
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
git.openpandora.org / pandora-kernel.git / log