10 years ago gpio: mpc8xxx: Prevent NULL pointer deref in demux handler
Thomas Gleixner [Thu, 3 May 2012 10:22:06 +0000 (12:22 +0200)]
gpio: mpc8xxx: Prevent NULL pointer deref in demux handler

commit d6de85e85edcc38c9edcde45a0a568818fcddc13 upstream.

commit cfadd838 (powerpc/8xxx: Fix interrupt handling in MPC8xxx GPIO
driver) added an unconditional call of chip->irq_eoi() to the demux

This leads to a NULL pointer dereference on MPC512x platforms which use
this driver as well.

Make it conditional.

Reported-by: Thomas Wucher <>
Signed-off-by: Thomas Gleixner <>
Cc: Felix Radensky <>
Cc: Kumar Gala <>
Cc: Grant Likely <>
Signed-off-by: Grant Likely <>
Signed-off-by: Ben Hutchings <>
10 years ago b43legacy: Fix error due to MMIO access with SSB unpowered
Larry Finger [Sun, 6 May 2012 21:01:05 +0000 (16:01 -0500)]
b43legacy: Fix error due to MMIO access with SSB unpowered

commit 8f4b20388fa77226a3605627a33a23f90d559e50 upstream.

There is a dummy read of a PCI MMIO register that occurs before the SSB bus
has been powered, which is an error. This bug has not been seen earlier,
but was apparently exposed when udev was updated to version 182.

Signed-off-by: Larry Finger <>
Signed-off-by: John W. Linville <>
Signed-off-by: Ben Hutchings <>
10 years ago drm/i915: Avoid a double-read of PCH_IIR during interrupt handling
Chris Wilson [Wed, 9 May 2012 20:45:43 +0000 (21:45 +0100)]
drm/i915: Avoid a double-read of PCH_IIR during interrupt handling

commit 9adab8b5a7fde248504f484e197589f3e3c922e2 upstream.

Currently the code re-reads PCH_IIR during the hotplug interrupt
processing. Not only is this a wasted read, but introduces a potential
for handling a spurious interrupt as we then may not clear all the
interrupts processed (since the re-read IIR may contain more interrupts
asserted than we clear using the result of the original read).

Signed-off-by: Chris Wilson <>
Cc: Jesse Barnes <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Ben Hutchings <>
10 years ago uvcvideo: Fix ENUMINPUT handling
Laurent Pinchart [Wed, 21 Mar 2012 12:50:36 +0000 (09:50 -0300)]
uvcvideo: Fix ENUMINPUT handling

commit 31c5f0c5e25ed71eeced170f113bb590f2f1f6f3 upstream.

Properly validate the user-supplied index against the number of inputs.
The code used the pin local variable instead of the index by mistake.

Reported-by: Jozef Vesely <>
Signed-off-by: Laurent Pinchart <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Ben Hutchings <>
10 years ago smsusb: add autodetection support for USB ID 2040:c0a0
Michael Krufky [Thu, 22 Mar 2012 16:55:05 +0000 (13:55 -0300)]
smsusb: add autodetection support for USB ID 2040:c0a0

commit 4d1b58b84472d1d300a66e1c5fd765b21e74ba15 upstream.

Signed-off-by: Michael Krufky <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Ben Hutchings <>
10 years ago mmc: sdio: avoid spurious calls to interrupt handlers
Nicolas Pitre [Mon, 16 Apr 2012 23:16:54 +0000 (19:16 -0400)]
mmc: sdio: avoid spurious calls to interrupt handlers

commit bbbc4c4d8c5face097d695f9bf3a39647ba6b7e7 upstream.

Commit 06e8935feb ("optimized SDIO IRQ handling for single irq")
introduced some spurious calls to SDIO function interrupt handlers,
such as when the SDIO IRQ thread is started, or the safety check
performed upon a system resume.  Let's add a flag to perform the
optimization only when a real interrupt is signaled by the host
driver and we know there is no point confirming it.

Reported-by: Sujit Reddy Thumma <>
Signed-off-by: Nicolas Pitre <>
Signed-off-by: Chris Ball <>
Signed-off-by: Ben Hutchings <>
10 years ago drm/i915: [GEN7] Use HW scheduler for fixed function shaders
Ben Widawsky [Sun, 15 Apr 2012 01:41:32 +0000 (18:41 -0700)]
drm/i915: [GEN7] Use HW scheduler for fixed function shaders

commit a1e969e0332de7a430e62822cee8f2ec8d83cd7c upstream.

This originally started as a patch from Bernard as a way of simply
setting the VS scheduler. After submitting the RFC patch, we decided to
also modify the DS scheduler. To be most explicit, I've made the patch
explicitly set all scheduler modes, and included the defines for other
modes (in case someone feels frisky later).

The rest of the story gets a bit weird. The first version of the patch
showed an almost unbelievable performance improvement. Since rebasing my
branch it appears the performance improvement has gone, unfortunately.
But setting these bits seems to be the right thing to do given that the
docs describe corruption that can occur with the default settings.

In summary, I am seeing no more perf improvements (or regressions) in my
limited testing, but we believe this should be set to prevent rendering
corruption, therefore cc stable.

v1: Clear bit 4 also (Ken + Eugeni)
Do a full clear + set of the bits we want (Me).

Cc: Bernard Kilarski <>
Reviewed-by (RFC): Kenneth Graunke <>
Signed-off-by: Ben Widawsky <>
Reviewed-by: Eugeni Dodonov <>
Reviewed-by: Kenneth Graunke <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Ben Hutchings <>
10 years ago i2c-eg20t: change timeout value 50msec to 1000msec
Tomoya MORINAGA [Mon, 26 Mar 2012 05:55:25 +0000 (14:55 +0900)]
i2c-eg20t: change timeout value 50msec to 1000msec

commit 8a52f9f347da721b199b7f9dcc0168bbe7d0baae upstream.

Currently, while i2c works alone, the wait-event timeout does not occur.
However, as CPU load increases, the timeout occurs frequently.
So, I modified it as in this patch.
With this modification, I've never seen the timeout event in high
load tests.

Signed-off-by: Tomoya MORINAGA <>
Signed-off-by: Wolfram Sang <>
Signed-off-by: Ben Hutchings <>
10 years ago OMAPDSS: VENC: fix NULL pointer dereference in DSS2 VENC sysfs debug attr on OMAP4
Danny Kukawka [Tue, 24 Jan 2012 15:44:42 +0000 (16:44 +0100)]
OMAPDSS: VENC: fix NULL pointer dereference in DSS2 VENC sysfs debug attr on OMAP4

commit cc1d3e032df53d83d0ca4d537d8eb67eb5b3e808 upstream.

Commit ba02fa37de80bea10d706f39f076dd848348320a disabled the
venc driver registration on OMAP4. Since the driver never gets
probed/initialised you get a dereferenced NULL pointer if you
try to get info from /sys/kernel/debug/omapdss/venc

Return info message about disabled venc if venc_dump_regs() gets called.

Signed-off-by: Danny Kukawka <>
Signed-off-by: Tomi Valkeinen <>
Signed-off-by: Ben Hutchings <>
10 years ago dl2k: Clean up rio_ioctl
Jeff Mahoney [Wed, 25 Apr 2012 14:32:09 +0000 (14:32 +0000)]
dl2k: Clean up rio_ioctl

commit 1bb57e940e1958e40d51f2078f50c3a96a9b2d75 upstream.

The dl2k driver's rio_ioctl call has a few issues:
- No permissions checking
- Has a few ioctls that may have been used for debugging at one point
  but have no place in the kernel proper.

This patch removes all but the MII ioctls, renumbers them to use the
standard ones, and adds the proper permission check for SIOCSMIIREG.

We can also get rid of the dl2k-specific struct mii_data in favor of
the generic struct mii_ioctl_data.

Since we have the phyid on hand, we can add the SIOCGMIIPHY ioctl too.

Most of the MII code for the driver could probably be converted to use
the generic MII library but I don't have a device to test the results.

Reported-by: Stephan Mueller <>
Signed-off-by: Jeff Mahoney <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
10 years ago cifs: fix revalidation test in cifs_llseek()
Dan Carpenter [Mon, 30 Apr 2012 14:36:21 +0000 (17:36 +0300)]
cifs: fix revalidation test in cifs_llseek()

commit 48a5730e5b71201e226ff06e245bf308feba5f10 upstream.

This test is always true so it means we revalidate the length every
time, which generates more network traffic.  When it is SEEK_SET or
SEEK_CUR, then we don't need to revalidate.

Signed-off-by: Dan Carpenter <>
Reviewed-by: Jeff Layton <>
Signed-off-by: Steve French <>
Signed-off-by: Ben Hutchings <>
10 years ago wake up s_wait_unfrozen when ->freeze_fs fails
Kazuya Mio [Thu, 1 Dec 2011 07:51:07 +0000 (16:51 +0900)]
wake up s_wait_unfrozen when ->freeze_fs fails

commit e1616300a20c80396109c1cf013ba9a36055a3da upstream.

dd slept infinitely when fsfreeze failed because of EIO.
To fix this problem, if ->freeze_fs fails, freeze_super() wakes up
the tasks waiting for the filesystem to become unfrozen.

When s_frozen isn't SB_UNFROZEN in __generic_file_aio_write(),
the function sleeps until FITHAW ioctl wakes up s_wait_unfrozen.

However, if ->freeze_fs fails, s_frozen is set to SB_UNFROZEN and then
freeze_super() returns an error number. In this case, FITHAW ioctl returns
EINVAL because s_frozen is already SB_UNFROZEN. There is no way to wake up
s_wait_unfrozen, so __generic_file_aio_write() sleeps infinitely.

Signed-off-by: Kazuya Mio <>
Signed-off-by: Al Viro <>
Signed-off-by: Ben Hutchings <>
10 years ago hpsa: Add IRQF_SHARED back in for the non-MSI(X) interrupt handler
Stephen M. Cameron [Mon, 28 Nov 2011 16:15:20 +0000 (10:15 -0600)]
hpsa: Add IRQF_SHARED back in for the non-MSI(X) interrupt handler

commit 45bcf018d1a4779d592764ef57517c92589d55d7 upstream.

IRQF_SHARED is required for older controllers that don't support MSI(X)
and which may end up sharing an interrupt.  All the controllers hpsa
normally supports have MSI(X) capability, but older controllers may be
encountered via the hpsa_allow_any=1 module parameter.

Also remove deprecated IRQF_DISABLED.

Signed-off-by: Stephen M. Cameron <>
Signed-off-by: James Bottomley <>
Signed-off-by: Ben Hutchings <>
10 years ago ACPI / PM: Add Sony Vaio VPCCW29FX to nonvs blacklist.
Lan Tianyu [Sat, 21 Jan 2012 01:23:56 +0000 (09:23 +0800)]
ACPI / PM: Add Sony Vaio VPCCW29FX to nonvs blacklist.

commit 93f770846e8dedc5d9117bd4ad9d7efd18420627 upstream.

Sony Vaio VPCCW29FX does not resume correctly without
acpi_sleep=nonvs, so add it to the ACPI sleep blacklist.

Signed-off-by: Lan Tianyu <>
Signed-off-by: Len Brown <>
Signed-off-by: Ben Hutchings <>
10 years ago ext4: fix error handling on inode bitmap corruption
Jan Kara [Sun, 18 Dec 2011 22:37:02 +0000 (17:37 -0500)]
ext4: fix error handling on inode bitmap corruption

commit acd6ad83517639e8f09a8c5525b1dccd81cd2a10 upstream.

When insert_inode_locked() fails in ext4_new_inode() it most likely means inode
bitmap got corrupted and we allocated again inode which is already in use. Also
doing unlock_new_inode() during error recovery is wrong since the inode does
not have I_NEW set. Fix the problem by jumping to fail: (instead of fail_drop:)
which declares filesystem error and does not call unlock_new_inode().

Signed-off-by: Jan Kara <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Ben Hutchings <>
10 years ago ext3: Fix error handling on inode bitmap corruption
Jan Kara [Thu, 8 Dec 2011 20:13:46 +0000 (21:13 +0100)]
ext3: Fix error handling on inode bitmap corruption

commit 1415dd8705394399d59a3df1ab48d149e1e41e77 upstream.

When insert_inode_locked() fails in ext3_new_inode() it most likely
means inode bitmap got corrupted and we allocated again inode which
is already in use. Also doing unlock_new_inode() during error recovery
is wrong since inode does not have I_NEW set. Fix the problem by jumping
to fail: (instead of fail_drop:) which declares filesystem error and
does not call unlock_new_inode().

Reviewed-by: Eric Sandeen <>
Signed-off-by: Jan Kara <>
Signed-off-by: Ben Hutchings <>
10 years ago compat: Fix RT signal mask corruption via sigprocmask
Jan Kiszka [Thu, 10 May 2012 13:04:36 +0000 (10:04 -0300)]
compat: Fix RT signal mask corruption via sigprocmask

commit b7dafa0ef3145c31d7753be0a08b3cbda51f0209 upstream.

compat_sys_sigprocmask reads a smaller signal mask from userspace than
sigprocmask accepts for setting.  So the high word of blocked.sig[0]
will be cleared, releasing any potentially blocked RT signal.

This was discovered via userspace code that relies on get/setcontext.
glibc's i386 versions of those functions use sigprocmask instead of
rt_sigprocmask to save/restore signal mask and caused RT signal
unblocking this way.

As suggested by Linus, this replaces the sys_sigprocmask based compat
version with one that open-codes the required logic, including the merge
of the existing blocked set with the new one provided on SIG_SETMASK.

Signed-off-by: Jan Kiszka <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
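
The mask handling described in the commit above, as an added user-space model (not the kernel's code and not part of the commit). It assumes a single 64-bit word standing in for blocked.sig[0] and a 32-bit mask from the compat caller; every function name and the MODEL_* constants are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: one 64-bit word stands in for blocked.sig[0]. */
typedef uint64_t sigword_t;
/* The legacy (non-RT) call only carries a 32-bit mask from a 32-bit task. */
typedef uint32_t compat_old_sigset_t;

/* Hypothetical stand-ins for the three "how" values. */
enum { MODEL_SIG_BLOCK, MODEL_SIG_UNBLOCK, MODEL_SIG_SETMASK };

#define LOW_WORD 0xffffffffULL

/* Signal n is tracked in bit n-1, so signals above 32 live in the high word. */
static sigword_t sigbit(int signo)
{
    return (sigword_t)1 << (signo - 1);
}

/* Behaviour the commit describes as broken: on SIG_SETMASK the zero-extended
 * 32-bit mask replaces the whole word, so the high word is cleared. */
static sigword_t setmask_zero_extend(sigword_t blocked, compat_old_sigset_t newmask)
{
    (void)blocked;
    return (sigword_t)newmask;
}

/* Behaviour the commit describes as the fix: only the low word belongs to the
 * caller; SIG_SETMASK merges it with the existing high word. */
static sigword_t compat_sigprocmask_model(sigword_t blocked, int how,
                                          compat_old_sigset_t newmask)
{
    switch (how) {
    case MODEL_SIG_BLOCK:
        return blocked | (sigword_t)newmask;
    case MODEL_SIG_UNBLOCK:
        return blocked & ~(sigword_t)newmask;
    case MODEL_SIG_SETMASK:
        return (blocked & ~LOW_WORD) | (sigword_t)newmask;
    default:
        return blocked;
    }
}

/* get/setcontext-style round trip: save the low 32 bits, then restore them
 * with SIG_SETMASK. use_fix selects which of the two behaviours is applied. */
static sigword_t save_and_restore(sigword_t blocked, int use_fix)
{
    compat_old_sigset_t saved = (compat_old_sigset_t)(blocked & LOW_WORD);

    if (use_fix)
        return compat_sigprocmask_model(blocked, MODEL_SIG_SETMASK, saved);
    return setmask_zero_extend(blocked, saved);
}

static int is_blocked(sigword_t blocked, int signo)
{
    return (blocked & sigbit(signo)) != 0;
}

int main(void)
{
    /* Constructed input: signal 10 (low word) and signal 34 (high word) blocked. */
    sigword_t blocked = sigbit(10) | sigbit(34);
    sigword_t broken = save_and_restore(blocked, 0);
    sigword_t fixed = save_and_restore(blocked, 1);

    printf("before : %#018llx\n", (unsigned long long)blocked);
    printf("broken : %#018llx (signal 34 blocked: %d)\n",
           (unsigned long long)broken, is_blocked(broken, 34));
    printf("fixed  : %#018llx (signal 34 blocked: %d)\n",
           (unsigned long long)fixed, is_blocked(fixed, 34));
    return 0;
}
```
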
10 years ago memcg: free spare array to avoid memory leak
Sha Zhengju [Thu, 10 May 2012 20:01:45 +0000 (13:01 -0700)]
memcg: free spare array to avoid memory leak

commit 8c7577637ca31385e92769a77e2ab5b428e8b99c upstream.

When the last event is unregistered, there is no need to keep the spare
array anymore.  So free it to avoid memory leak.

Signed-off-by: Sha Zhengju <>
Acked-by: KAMEZAWA Hiroyuki <>
Reviewed-by: Kirill A. Shutemov <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
10 years ago init: don't try mounting device as nfs root unless type fully matches
Sasha Levin [Sat, 5 May 2012 15:06:35 +0000 (17:06 +0200)]
init: don't try mounting device as nfs root unless type fully matches

commit 377485f6244af255b04d662cf19cddbbc4ae4310 upstream.

Currently, we'll try mounting any device whose major device number is
UNNAMED_MAJOR as NFS root.  This would happen for non-NFS devices as
well (such as 9p devices) but it wouldn't cause any issues since
mounting the device as NFS would fail quickly and the code proceeded to
doing the proper mount:

       [  101.522716] VFS: Unable to mount root fs via NFS, trying floppy.
       [  101.534499] VFS: Mounted root (9p filesystem) on device 0:18.

Commit 6829a048102a ("NFS: Retry mounting NFSROOT") introduced retries
when mounting NFS root, which means that now we don't immediately fail
and instead it takes an additional 90+ seconds until we stop retrying,
which has revealed the issue this patch fixes.

This meant that it would take an additional 90 seconds to boot when
we're not using a device type which gets detected in order before NFS.

This patch modifies the NFS type check to require device type to be
'Root_NFS' instead of requiring the device to have an UNNAMED_MAJOR
major.  This makes boot process cleaner since we now won't go through
the NFS mounting code at all when the device isn't an NFS root

Signed-off-by: Sasha Levin <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
10 years ago sony-laptop: Enable keyboard backlight by default
Josh Boyer [Wed, 2 Nov 2011 18:32:00 +0000 (14:32 -0400)]
sony-laptop: Enable keyboard backlight by default

commit 6fe6ae56a7cebaebc2e6daa11c423e4692f9b592 upstream.

When the keyboard backlight support was originally added, the commit said
to default it to on with a 10 second timeout.  That actually wasn't the
case, as the default value is commented out for the kbd_backlight parameter.
Because it is a static variable, it gets set to 0 by default without some
other form of initialization.

However, it seems the function to set the value wasn't actually called
immediately, so whatever state the keyboard was in initially would remain.
Then commit df410d522410e67660 was introduced during the 2.6.39 timeframe to
immediately set whatever value was present (as well as attempt to
restore/reset the state on module removal or resume).  That seems to have
now forced the light off immediately when the module is loaded unless
the option kbd_backlight=1 is specified.

Let's enable it by default again (for the first time).  This should solve

Signed-off-by: Josh Boyer <>
Acked-by: Mattia Dongili <>
Signed-off-by: Matthew Garrett <>
Signed-off-by: Ben Hutchings <>
10 years ago ARM: 7409/1: Do not call flush_cache_user_range with mmap_sem held
Dima Zavin [Mon, 30 Apr 2012 09:26:14 +0000 (10:26 +0100)]
ARM: 7409/1: Do not call flush_cache_user_range with mmap_sem held

commit 435a7ef52db7d86e67a009b36cac1457f8972391 upstream.

We can't be holding the mmap_sem while calling flush_cache_user_range
because the flush can fault. If we fault on a user address, the
page fault handler will try to take mmap_sem again. Since both places
acquire the read lock, most of the time it succeeds. However, if another
thread tries to acquire the write lock on the mmap_sem (e.g. mmap) in
between the call to flush_cache_user_range and the fault, the down_read
in do_page_fault will deadlock.

[will: removed drop of vma parameter as already queued by rmk (7365/1)]

Acked-by: Catalin Marinas <>
Signed-off-by: Dima Zavin <>
Signed-off-by: John Stultz <>
Signed-off-by: Will Deacon <>
Signed-off-by: Russell King <>
Signed-off-by: Ben Hutchings <>
10 years ago ARM: 7365/1: drop unused parameter from flush_cache_user_range
Dima Zavin [Thu, 29 Mar 2012 19:44:06 +0000 (20:44 +0100)]
ARM: 7365/1: drop unused parameter from flush_cache_user_range

commit 4542b6a0fa6b48d9ae6b41c1efeb618b7a221b2a upstream.

vma isn't used and flush_cache_user_range isn't a standard macro that
is used on several archs with the same prototype. In fact only unicore32
has a macro with the same name (with an identical implementation and no
in-tree users).

This is a part of a patch proposed by Dima Zavin (with Message-id: that didn't get

Cc: Dima Zavin <>
Acked-by: Catalin Marinas <>
Signed-off-by: Uwe Kleine-König <>
Signed-off-by: Russell King <>
Signed-off-by: Ben Hutchings <>
10 years ago ahci: Detect Marvell 88SE9172 SATA controller
Matt Johnson [Fri, 27 Apr 2012 06:42:30 +0000 (01:42 -0500)]
ahci: Detect Marvell 88SE9172 SATA controller

commit 642d89252201c4155fc3946bf9cdea409e5d263e upstream.

The Marvell 88SE9172 SATA controller (PCI ID 1b4b 917a) already worked
once it was detected, but was missing an ahci_pci_tbl entry.

Boot tested on a Gigabyte Z68X-UD3H-B3 motherboard.

Signed-off-by: Matt Johnson <>
Signed-off-by: Jeff Garzik <>
Signed-off-by: Ben Hutchings <>
10 years ago Input: wacom - relax Bamboo stylus ID check
Chris Bagwell [Thu, 27 Oct 2011 05:28:34 +0000 (22:28 -0700)]
Input: wacom - relax Bamboo stylus ID check

commit c5981411f60c31f0dff6f0f98d2d3711384badaf upstream.

Bit 0x02 always means tip versus eraser. Bit 0x01 is something related
to version of stylus and different values are starting to be used.

Relaxing proximity check is required to be used with 3rd generation
Bamboo Pen and Touch tablets.

Signed-off-by: Chris Bagwell <>
Acked-by: Ping Cheng <>
Signed-off-by: Dmitry Torokhov <>
Signed-off-by: Ben Hutchings <>
10 years ago swap: don't do discard if no discard option added
Shaohua Li [Wed, 21 Mar 2012 23:34:17 +0000 (16:34 -0700)]
swap: don't do discard if no discard option added

commit 052b1987faca3606109d88d96bce124851f7c4c2 upstream.

When swapon() was not passed the SWAP_FLAG_DISCARD option, sys_swapon()
will still perform a discard operation.  This can cause problems if
discard is slow or buggy.

Reverse the order of the check so that a discard operation is performed
only if the sys_swapon() caller is attempting to enable discard.

Signed-off-by: Shaohua Li <>
Reported-by: Holger Kiehl <>
Tested-by: Holger Kiehl <>
Cc: Hugh Dickins <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
10 years ago um: Fix __swp_type()
Richard Weinberger [Sat, 14 Apr 2012 15:46:01 +0000 (17:46 +0200)]
um: Fix __swp_type()

commit 2b76ebaa728f8a3967c52aa189261c72fe56a6f1 upstream.

The current __swp_type() function uses a too small bitshift.
Using more than one swap file causes bad pages because
the type bits clash with other page flags.

Analyzed-by: Hugh Dickins <>
Signed-off-by: Richard Weinberger <>
Signed-off-by: Ben Hutchings <>
10 years ago um: Implement a custom pte_same() function
Richard Weinberger [Sat, 14 Apr 2012 15:29:30 +0000 (17:29 +0200)]
um: Implement a custom pte_same() function

commit f15b9000eb1d09bbaa4b0a6b2089d7e1f64e84b3 upstream.

UML uses the _PAGE_NEWPAGE flag to mark pages which are not yet
installed on the host side using mmap().
pte_same() has to ignore this flag, otherwise unuse_pte_range()
is unable to unuse the page because two identical
page table entries with different _PAGE_NEWPAGE flags would not
match and swapoff() would never return.

Analyzed-by: Hugh Dickins <>
Signed-off-by: Richard Weinberger <>
Signed-off-by: Ben Hutchings <>
10 years ago md: using GFP_NOIO to allocate bio for flush request
Shaohua Li [Sun, 20 May 2012 23:26:59 +0000 (09:26 +1000)]
md: using GFP_NOIO to allocate bio for flush request

commit b5e1b8cee7ad58a15d2fa79bcd7946acb592602d upstream.

A flush request is usually issued in transaction commit code path, so
using GFP_KERNEL to allocate memory for flush request bio falls into
the classic deadlock issue.

This is suitable for any -stable kernel to which it applies as it
avoids a possible deadlock.

Signed-off-by: Shaohua Li <>
Signed-off-by: NeilBrown <>
Signed-off-by: Ben Hutchings <>
10 years ago USB: Remove races in devio.c
Huajun Li [Fri, 18 May 2012 12:12:51 +0000 (20:12 +0800)]
USB: Remove races in devio.c

commit 4e09dcf20f7b5358615514c2ec8584b248ab8874 upstream.

There exist races in devio.c, below is one case,
and there are similar races in destroy_async()
and proc_unlinkurb().  Remove these races.

 cancel_bulk_urbs()        async_completed()
-------------------                -----------------------



                           Lead to free_async() be triggered,
                           then urb and 'as' will be freed.

 ===> refer to the freed 'as'

Signed-off-by: Huajun Li <>
Cc: Alan Stern <>
Cc: Oncaphillis <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago xhci: Reset reserved command ring TRBs on cleanup.
Sarah Sharp [Tue, 8 May 2012 14:09:26 +0000 (07:09 -0700)]
xhci: Reset reserved command ring TRBs on cleanup.

commit 33b2831ac870d50cc8e01c317b07fb1e69c13fe1 upstream.

When the xHCI driver needs to clean up memory (perhaps due to a failed
register restore on resume from S3 or resume from S4), it needs to reset
the number of reserved TRBs on the command ring to zero.  Otherwise,
several resume cycles (about 30) with a UAS device attached will
continually increment the number of reserved TRBs, until all command
submissions fail because there isn't enough room on the command ring.

This patch should be backported to kernels as old as 2.6.32,
that contain the commit 913a8a344ffcaf0b4a586d6662a2c66a7106557d
"USB: xhci: Change how xHCI commands are handled."

Signed-off-by: Sarah Sharp <>
Signed-off-by: Ben Hutchings <>
10 years ago USB: fix resource leak in xhci power loss path
Oliver Neukum [Thu, 10 May 2012 08:19:21 +0000 (10:19 +0200)]
USB: fix resource leak in xhci power loss path

commit f8a9e72d125f4e00ec529ba67b674321a1f3bf31 upstream.

Some more data structures must be freed and counters
reset if an XHCI controller has lost power. The failure
to do so renders some chips inoperative after a certain number
of S4 cycles.

This patch should be backported to kernels as old as 3.2,
that contain the commits c29eea621900f18287d50519f72cb9113746d75a
"xhci: Implement HS/FS/LS bandwidth checking." and
commit 839c817ce67178ca3c7c7ad534c571bba1e69ebe
"xhci: Implement HS/FS/LS bandwidth checking."

Signed-off-by: Oliver Neukum <>
Signed-off-by: Sarah Sharp <>
Signed-off-by: Ben Hutchings <>
10 years ago perf/x86: Update event scheduling constraints for AMD family 15h models
Robert Richter [Fri, 18 May 2012 10:40:42 +0000 (12:40 +0200)]
perf/x86: Update event scheduling constraints for AMD family 15h models

commit 5bcdf5e4fee3c45e1281c25e4941f2163cb28c65 upstream.

This update is for newer family 15h cpu models from 0x02 to 0x1f.

Signed-off-by: Robert Richter <>
Acked-by: Peter Zijlstra <>
Cc: Stephane Eranian <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Ben Hutchings <>
10 years ago usbcore: enable USB2 LPM if port suspend fails
Andiry Xu [Fri, 4 May 2012 16:50:10 +0000 (00:50 +0800)]
usbcore: enable USB2 LPM if port suspend fails

commit c3e751e4f4754793bb52bd5ae30e9cc027edbb12 upstream.

USB2 LPM is disabled when device begins to suspend and enabled after device
is resumed. That's because USB spec does not define the transition from
U1/U2 state to U3 state.

If usb_port_suspend() fails, usb_port_resume() is never called, and USB2 LPM
is disabled in this situation. Enable USB2 LPM if port suspend fails.

This patch should be backported to kernels as old as 3.2, that contain
the commit 65580b4321eb36f16ae8b5987bfa1bb948fc5112 "xHCI: set USB2
hardware LPM".

Signed-off-by: Andiry Xu <>
Signed-off-by: Sarah Sharp <>
Signed-off-by: Ben Hutchings <>
10 years ago xhci: Add new short TX quirk for Fresco Logic host.
Sarah Sharp [Tue, 8 May 2012 16:22:49 +0000 (09:22 -0700)]
xhci: Add new short TX quirk for Fresco Logic host.

commit 1530bbc6272d9da1e39ef8e06190d42c13a02733 upstream.

Sergio reported that when he recorded audio from a USB headset mic
plugged into the USB 3.0 port on his ASUS N53SV-DH72, the audio sounded
"robotic".  When plugged into the USB 2.0 port under EHCI on the same
laptop, the audio sounded fine.  The device is:

Bus 002 Device 004: ID 046d:0a0c Logitech, Inc. Clear Chat Comfort USB Headset

The problem was tracked down to the Fresco Logic xHCI host controller
not correctly reporting short transfers on isochronous IN endpoints.
The driver would submit a 96 byte transfer, the device would only send
88 or 90 bytes, and the xHCI host would report the transfer had a
"successful" completion code, with an untransferred buffer length of 8
or 6 bytes.

The successful completion code and non-zero untransferred length is a
contradiction.  The xHCI host is supposed to only mark a transfer as
successful if all the bytes are transferred.  Otherwise, the transfer
should be marked with a short packet completion code.  Without the EHCI
bus trace, we wouldn't know whether the xHCI driver should trust the
completion code or the untransferred length.  With it, we know to trust
the untransferred length.

Add a new xHCI quirk for the Fresco Logic host controller.  If a
transfer is reported as successful, but the untransferred length is
non-zero, print a warning.  For the Fresco Logic host, change the
completion code to COMP_SHORT_TX and process the transfer like a short

This should be backported to stable kernels that contain the commit
f5182b4155b9d686c5540a6822486400e34ddd98 "xhci: Disable MSI for some
Fresco Logic hosts."  That commit was marked for stable kernels as old
as 2.6.36.

Signed-off-by: Sarah Sharp <>
Reported-by: Sergio Correia <>
Tested-by: Sergio Correia <>
Signed-off-by: Sarah Sharp <>
Signed-off-by: Ben Hutchings <>
10 years ago workqueue: skip nr_running sanity check in worker_enter_idle() if trustee is active
Tejun Heo [Mon, 14 May 2012 22:04:50 +0000 (15:04 -0700)]
workqueue: skip nr_running sanity check in worker_enter_idle() if trustee is active

commit 544ecf310f0e7f51fa057ac2a295fc1b3b35a9d3 upstream.

worker_enter_idle() has WARN_ON_ONCE() which triggers if nr_running
isn't zero when every worker is idle.  This can trigger spuriously
while a cpu is going down due to the way trustee sets %WORKER_ROGUE
and zaps nr_running.

It first sets %WORKER_ROGUE on all workers without updating
nr_running, releases gcwq->lock, schedules, regrabs gcwq->lock and
then zaps nr_running.  If the last running worker enters idle
in between, it would see stale nr_running which hasn't been zapped yet
and trigger the WARN_ON_ONCE().

Fix it by performing the sanity check iff the trustee is idle.

Signed-off-by: Tejun Heo <>
Reported-by: "Paul E. McKenney" <>
Signed-off-by: Ben Hutchings <>
10 years ago tty: Allow uart_register/unregister/register
Alan Cox [Mon, 14 May 2012 13:51:22 +0000 (14:51 +0100)]
tty: Allow uart_register/unregister/register

commit 1e66cded334e6cea596c72f6f650eec351b1e959 upstream.

This is legitimate but because we don't clear the drv->state pointer in the
unregister code causes a bogus BUG().

Signed-off-by: Alan Cox <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago USB: cdc-wdm: cannot use dev_printk when device is gone
Bjørn Mork [Wed, 9 May 2012 11:53:22 +0000 (13:53 +0200)]
USB: cdc-wdm: cannot use dev_printk when device is gone

commit 6b0b79d38806481c1c8fffa7c5842f3c83679a42 upstream.

We cannot dereference a removed USB interface for
dev_printk. Use pr_debug instead where necessary.

Flush errors are expected if device is unplugged and are
therefore best ignored at this point.

Move the kill_urbs() call in wdm_release with dev_dbg()
for the non disconnect, as we know it has already been
called if WDM_DISCONNECTING is set.  This does not
actually fix anything, but keeps the code more consistent.

Cc: Oliver Neukum <>
Signed-off-by: Bjørn Mork <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
10 years ago USB: cdc-wdm: add debug messages on cleanup
Bjørn Mork [Mon, 30 Apr 2012 07:26:11 +0000 (09:26 +0200)]
USB: cdc-wdm: add debug messages on cleanup

commit 880bca3a2a6f159d7453e0cbcbfe2f1d8204d907 upstream.

Device state cleanup is done in either wdm_disconnect or
wdm_release depending on the order they are called. Adding
a couple of debug messages to document the program flow.

Signed-off-by: Bjørn Mork <>
Acked-by: Oliver Neukum <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
10 years ago USB: cdc-wdm: poll must return POLLHUP if device is gone
Bjørn Mork [Wed, 9 May 2012 11:53:21 +0000 (13:53 +0200)]
USB: cdc-wdm: poll must return POLLHUP if device is gone

commit 616b6937e348ef2b4c6ea5fef2cd3c441145efb0 upstream.

Else the poll will be restarted indefinitely in a tight loop,
preventing final device cleanup.

Cc: Oliver Neukum <>
Signed-off-by: Bjørn Mork <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago USB: serial: ti_usb_3410_5052: Add support for the FRI2 serial console
Darren Hart [Fri, 11 May 2012 20:56:57 +0000 (13:56 -0700)]
USB: serial: ti_usb_3410_5052: Add support for the FRI2 serial console

commit 975dc33b82cb887d75a29b1e3835c8eb063a8e99 upstream.

The Kontron M2M development board, also known as the Fish River Island II,
has an optional daughter card providing access to the PCH_UART (EG20T) via
a ti_usb_3410_5052 uart to usb chip.

Signed-off-by: Darren Hart <>
CC: Al Borchers <>
CC: Peter Berger <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago HID: logitech: read all 32 bits of report type bitfield
Jonathan Nieder [Fri, 11 May 2012 14:17:16 +0000 (16:17 +0200)]
HID: logitech: read all 32 bits of report type bitfield

commit 44d27f7dfedd9aadc082cda31462f6600f56e4ec upstream.

On big-endian systems (e.g., Apple PowerBook), trying to use a
logitech wireless mouse with the Logitech Unifying Receiver does not
work with v3.2 and later kernels.  The device doesn't show up in
/dev/input.  Older kernels work fine.

That is because the new hid-logitech-dj driver claims the device.  The
device arrival notification appears:

20 00 41 02 00 00 00 00 00 00 00 00 00 00 00

and we read the report_types bitfield (02 00 00 00) to find out what
kind of device it is.  Unfortunately the driver only reads the first 8
bits and treats that value as a 32-bit little-endian number, so on a
powerpc the report type seems to be 0x02000000 and is not recognized.

Even on little-endian machines, connecting a media center remote
control (report type 00 01 00 00) with this driver loaded would
presumably fail for the same reason.

Fix both problems by using get_unaligned_le32() to read all four
bytes, which is a little clearer anyway.  After this change, the
wireless mouse works on Hugo's PowerBook again.

Based on a patch by Nestor Lopez Casado.

Reported-by: Hugo Osvaldo Barrera <>
Inspired-by: Nestor Lopez Casado <>
Signed-off-by: Jonathan Nieder <>
Signed-off-by: Nestor Lopez Casado <>
Signed-off-by: Jiri Kosina <>
Signed-off-by: Ben Hutchings <>
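
The report_types read described in the commit above, as an added user-space model (not the driver's code and not part of the commit). The first buffer is the notification quoted in the message; the second buffer, the offset of the bitfield within the notification, the host-endianness switch and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Device arrival notification as quoted in the commit message (15 bytes). */
static const uint8_t arrival_mouse[15] = {
    0x20, 0x00, 0x41, 0x02, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Constructed: same frame with the media center remote's report type
 * (00 01 00 00) placed in the bitfield. */
static const uint8_t arrival_remote[15] = {
    0x20, 0x00, 0x41, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Assumption: where "02 00 00 00" sits in the quoted sample. */
#define REPORT_TYPES_OFFSET 3

static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}

/* Model of a little-endian-to-CPU conversion for either host byte order:
 * a no-op on little-endian hosts, a byte swap on big-endian ones. */
static uint32_t model_le32_to_cpu(uint32_t v, int host_big_endian)
{
    return host_big_endian ? bswap32(v) : v;
}

/* Behaviour the commit describes as broken: only the first byte is read and
 * that value is then treated as a 32-bit little-endian number. */
static uint32_t report_types_first_byte(const uint8_t *msg, int host_big_endian)
{
    uint32_t v = msg[REPORT_TYPES_OFFSET];

    return model_le32_to_cpu(v, host_big_endian);
}

/* Portable byte-wise read; the result is the same on any host, which is the
 * property the commit gets from get_unaligned_le32(). */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Reads all four bytes of the bitfield; returns -1 if the buffer is too
 * short to contain it, otherwise the 32-bit value. */
static long long report_types_all_bytes(const uint8_t *msg, size_t len)
{
    if (len < REPORT_TYPES_OFFSET + 4)
        return -1;
    return (long long)read_le32(msg + REPORT_TYPES_OFFSET);
}

int main(void)
{
    printf("mouse,  first byte, big-endian host   : %#010x\n",
           (unsigned)report_types_first_byte(arrival_mouse, 1));
    printf("remote, first byte, little-endian host: %#010x\n",
           (unsigned)report_types_first_byte(arrival_remote, 0));
    printf("mouse,  all bytes                     : %#010llx\n",
           (unsigned long long)report_types_all_bytes(arrival_mouse, sizeof(arrival_mouse)));
    printf("remote, all bytes                     : %#010llx\n",
           (unsigned long long)report_types_all_bytes(arrival_remote, sizeof(arrival_remote)));
    return 0;
}
```
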
10 years ago USB: ohci-at91: add a reset function to fix race condition
Nicolas Ferre [Wed, 9 May 2012 08:48:54 +0000 (10:48 +0200)]
USB: ohci-at91: add a reset function to fix race condition

commit 07e4e556eff4938eb2edf2591de3aa7d7fb82b52 upstream.

A possible race condition appears because we are not initializing
the ohci->regs before calling usb_hcd_request_irqs().
We move the call to ohci_init() in hcd->driver->reset() instead of
hcd->driver->start() to fix this.
This was experienced when we share the same IRQ line between OHCI and EHCI

Signed-off-by: Nicolas Ferre <>
Tested-by: Christian Eggers <>
Acked-by: Alan Stern <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago usb-storage: unusual_devs entry for Yarvik PMP400 MP4 player
Alan Stern [Tue, 8 May 2012 19:15:25 +0000 (15:15 -0400)]
usb-storage: unusual_devs entry for Yarvik PMP400 MP4 player

commit df767b71e5816692134d59c0c17e0f77cd73333d upstream.

This patch (as1553) adds an unusual_dev entry for the Yarvik PMP400
MP4 music player.

Signed-off-by: Alan Stern <>
Reported-by: Jesse Feddema <>
Tested-by: Jesse Feddema <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago HID: wiimote: Fix IR data parser
David Herrmann [Tue, 8 May 2012 14:52:31 +0000 (16:52 +0200)]
HID: wiimote: Fix IR data parser

commit 74b89e8a3625c17c7452532dfb997ac4f1a38751 upstream.

We incorrectly parse incoming IR data. The extra byte contains the upper
bits and not the lower bits of the x/y coordinates. User-space expects
absolute position data from us so this patch does not break existing
applications. On the contrary, it extends the virtual view and fixes
garbage reports for margin areas of the virtual screen.

Reported-by: Peter Bukovsky <>
Signed-off-by: David Herrmann <>
Signed-off-by: Jiri Kosina <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
10 years ago USB: ffs-test: fix length argument of out function call
Matthias Fend [Mon, 7 May 2012 12:37:30 +0000 (14:37 +0200)]
USB: ffs-test: fix length argument of out function call

commit eb9c5836384cd2a276254df6254ed71117983626 upstream.

The out functions should only handle actual available data instead of the complete buffer.
Otherwise for example the ep0_consume function will report ghost events since it tries to decode
the complete buffer - which may contain partly invalid data.

Signed-off-by: Matthias Fend <>
Acked-by: Michal Nazarewicz <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago USB: ftdi-sio: add support for Physik Instrumente E-861
Éric Piel [Mon, 7 May 2012 10:37:54 +0000 (12:37 +0200)]
USB: ftdi-sio: add support for Physik Instrumente E-861

commit b69cc672052540e8efb1368420f10d7d4d8b8a3d upstream.

This adds VID/PID for the PI E-861. Without it, I had to do:
modprobe -q ftdi-sio product=0x1008 vendor=0x1a72

Signed-off-by: Éric Piel <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago Add missing call to uart_update_timeout()
Lothar Waßmann [Thu, 3 May 2012 09:37:12 +0000 (11:37 +0200)]
Add missing call to uart_update_timeout()

commit 8b979f7c6bf13a57e7b6002f1175312a44773960 upstream.

This patch fixes a problem reported here:

Signed-off-by: Lothar Waßmann <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago usb: gadget: fsl_udc_core: dTD's next dtd pointer need to be updated once written
Peter Chen [Sun, 1 Apr 2012 07:17:16 +0000 (15:17 +0800)]
usb: gadget: fsl_udc_core: dTD's next dtd pointer need to be updated once written

commit 4d0947dec4db1224354e2f6f00ae22ce38e62a43 upstream.

dTD's next dtd pointer needs to be updated once the CPU writes it, or this
request may not be handled by the controller, and then the host will get NAK
from the device forever.

This problem occurs when a request is being handled and we need to add
a new request to the dTD list. If this new request is added before the current
one is finished, the new request is intended to be added as the next dtd pointer
at the current dTD, but without wmb(), the dTD's next dtd pointer may not be
updated when the controller reads it. In that case, the controller will
still see the Terminate Bit as 1 at the dTD's next dtd pointer, which means
there is no next request, so this new request is missed by the controller.

Signed-off-by: Peter Chen <>
Acked-by: Li Yang <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Ben Hutchings <>
10 years ago xhci: Add Lynx Point to list of Intel switchable hosts.
Sarah Sharp [Thu, 9 Feb 2012 23:55:13 +0000 (15:55 -0800)]
xhci: Add Lynx Point to list of Intel switchable hosts.

commit 1c12443ab8eba71a658fae4572147e56d1f84f66 upstream.

The upcoming Intel Lynx Point chipset includes an xHCI host controller
that can have ports switched from the EHCI host controller, just like
the Intel Panther Point xHCI host.  This time, ports from both EHCI
hosts can be switched to the xHCI host controller.  The PCI config
registers to do the port switching are in the exact same place in the
xHCI PCI configuration registers, with the same semantics.

Hooray for shipping patches for next-gen hardware before the current gen
hardware is even available for purchase!

This patch should be backported to stable kernels as old as 3.0,
that contain commit 69e848c2090aebba5698a1620604c7dccb448684
"Intel xhci: Support EHCI/xHCI port switching."

Signed-off-by: Sarah Sharp <>
Signed-off-by: Ben Hutchings <>
10 years ago xhci: Avoid dead ports when CONFIG_USB_XHCI_HCD=n
Sarah Sharp [Mon, 16 Apr 2012 17:56:47 +0000 (10:56 -0700)]
xhci: Avoid dead ports when CONFIG_USB_XHCI_HCD=n

commit 51c9e6c7732b67769c0a514d31f505e49fa82dd4 upstream.

If the user chooses to say "no" to CONFIG_USB_XHCI_HCD on a system
with an Intel Panther Point chipset, the PCI quirks code or the EHCI
driver will switch the ports over to the xHCI host, but the xHCI driver
will never load.  The ports will be powered off and seem "dead" to the

Fix this by only switching the ports over if CONFIG_USB_XHCI_HCD is
either compiled in, or compiled as a module.

This patch should be backported to stable kernels as old as 3.0,
that contain commit 69e848c2090aebba5698a1620604c7dccb448684
"Intel xhci: Support EHCI/xHCI port switching."

Signed-off-by: Sarah Sharp <>
Reported-by: Eric Anholt <>
Reported-by: David Bein <>
Signed-off-by: Ben Hutchings <>
10 years ago usb-xhci: Handle COMP_TX_ERR for isoc tds
Hans de Goede [Mon, 23 Apr 2012 13:06:09 +0000 (15:06 +0200)]
usb-xhci: Handle COMP_TX_ERR for isoc tds

commit 9c745995ae5c4ff787f34a359de908facc11ee00 upstream.

While testing unplugging an UVC HD webcam with usb-redirection (so through
usbdevfs), my userspace usb-redir code was getting a value of -1 in
iso_frame_desc[n].status, which according to Documentation/usb/error-codes.txt
is not a valid value.

The source of this -1 is the default case in xhci-ring.c:process_isoc_td()
adding a kprintf there showed the value of trb_comp_code to be COMP_TX_ERR
in this case, so this patch adds handling for that completion code to

This was observed and tested with the following xhci controller:
1033:0194 NEC Corporation uPD720200 USB 3.0 Host Controller (rev 04)

Note: I also wonder if setting frame->status to -1 (-EPERM) is the best we can
do, but since I cannot come up with anything better I've left that as is.

This patch should be backported to kernels as old as 2.6.36, which contain the
commit 04e51901dd44f40a5a385ced897f6bca87d5f40a "USB: xHCI: Isochronous
transfer implementation".

Signed-off-by: Hans de Goede <>
Signed-off-by: Sarah Sharp <>
Signed-off-by: Ben Hutchings <>
10 years ago 8250.c: less than 2400 baud fix.
Christian Melki [Mon, 30 Apr 2012 09:21:26 +0000 (11:21 +0200)]
8250.c: less than 2400 baud fix.

commit f9a9111b540fd67db5dab332f4b83d86c90e27b1 upstream.

We noticed that we were losing data at speed less than 2400 baud.
It turned out our (TI16750 compatible) uart with 64 byte outgoing fifo
was truncated to 16 byte (bit 5 sets fifo len) when modifying the fcr
The input code still fills the buffer with 64 bytes if I remember
correctly and thus data is lost.
Our fix was to remove wiping of the fcr content and just add the
TRIGGER_1 which we want for latency.
I can't see why this would not work on less than 2400 always, for all
uarts ...
Otherwise one would have to make sure the filling of the fifo re-checks
the current state of available fifo size (urrk).

Signed-off-by: Christian Melki <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: adjust filename; replace *port with up->port]
Signed-off-by: Ben Hutchings <>
10 years ago usb: usbtest: two super speed fixes for usbtest
Paul Zimmerman [Mon, 16 Apr 2012 21:19:07 +0000 (14:19 -0700)]
usb: usbtest: two super speed fixes for usbtest

commit 6a23ccd216b6a8ba2c67a9f9d8969b4431ad2920 upstream.

bMaxPacketSize0 field for super speed is a power of 2, not a count.
The size itself is always 512.

Max packet size for a super speed bulk endpoint is 1024, so
allocate the urb size in halt_simple() accordingly.

Signed-off-by: Paul Zimmerman <>
Acked-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago usb: add USB_QUIRK_RESET_RESUME for M-Audio 88es
Steffen Müller [Mon, 30 Apr 2012 11:05:34 +0000 (13:05 +0200)]
usb: add USB_QUIRK_RESET_RESUME for M-Audio 88es

commit 166cb70e97bd83d7ae9bbec6ae59a178fd9bb823 upstream.

Tested-by: Steffen Müller <>
Signed-off-by: Steffen Müller <>
Signed-off-by: Stefan Seyfried <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago 8250_pci: fix pch uart matching
Arnaud Patard [Wed, 25 Apr 2012 10:17:24 +0000 (12:17 +0200)]
8250_pci: fix pch uart matching

commit aaa10eb1d0034eccc096f583fe308f0921617598 upstream.

The rules used to make 8250_pci "ignore" the PCH uarts are lacking pci subids
entries, preventing it from matching and thus breaking serial port support for
these systems.

This has been tested on a nanoETXexpress-TT, which has a specific uart clock.

Tested-by: Erwan Velu <>
Signed-off-by: Arnaud Patard <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings <>
10 years ago USB: cdc-wdm: fix memory leak
Oliver Neukum [Fri, 27 Apr 2012 12:36:37 +0000 (14:36 +0200)]
USB: cdc-wdm: fix memory leak

commit 2f338c8a1904e2e7aa5a8bd12fb0cf2422d17da4 upstream.

cleanup() is not called if the last close() comes after
disconnect(). That leads to a memory leak. Rectified
by checking for an earlier disconnect() in release()

Signed-off-by: Oliver Neukum <>
Signed-off-by: Greg Kroah-Hartman <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
10 years ago USB: cdc-wdm: sanitize error returns
Oliver Neukum [Fri, 27 Apr 2012 12:23:54 +0000 (14:23 +0200)]
USB: cdc-wdm: sanitize error returns

commit 24a85bae5da2b43fed423859c09c5a81ab359473 upstream.

wdm_flush() returns unsanitized USB error codes.
They must be cleaned up before being handed to user space

Signed-off-by: Oliver Neukum <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago USB: move usb_translate_errors to linux/usb.h
Johan Hovold [Thu, 10 Nov 2011 13:58:26 +0000 (14:58 +0100)]
USB: move usb_translate_errors to linux/usb.h

commit 2c4d6bf295ae10ffcd84f0df6cb642598eb66603 upstream.

Move usb_translate_errors from usb core to linux/usb.h as it is meant to
be accessed from drivers.

Signed-off-by: Johan Hovold <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago drivers/staging/comedi/comedi_fops.c: add missing vfree
Julia Lawall [Sun, 22 Apr 2012 11:37:09 +0000 (13:37 +0200)]
drivers/staging/comedi/comedi_fops.c: add missing vfree

commit abae41e6438b798e046d721b6ccdd55b4a398170 upstream.

aux_free is freed on all other exits from the function.  By removing the
return, we can benefit from the vfree already at the end of the function.

Signed-off-by: Julia Lawall <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago docs: update HOWTO for 2.6.x -> 3.x versioning
Kees Cook [Thu, 19 Apr 2012 06:16:45 +0000 (23:16 -0700)]
docs: update HOWTO for 2.6.x -> 3.x versioning

commit 591bfc6bf9e5e25e464fd4c87d64afd5135667c4 upstream.

The HOWTO document needed updating for the new kernel versioning. The
git URI for -next was updated as well.

Signed-off-by: Kees Cook <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago vfs: make AIO use the proper rw_verify_area() area helpers
Linus Torvalds [Mon, 21 May 2012 23:06:20 +0000 (16:06 -0700)]
vfs: make AIO use the proper rw_verify_area() area helpers

commit a70b52ec1aaeaf60f4739edb1b422827cb6f3893 upstream.

We had for some reason overlooked the AIO interface, and it didn't use
the proper rw_verify_area() helper function that checks (for example)
mandatory locking on the file, and that the size of the access doesn't
cause us to overflow the provided offset limits etc.

Instead, AIO did just the security_file_permission() thing (that
rw_verify_area() also does) directly.

This fixes it to do all the proper helper functions, which not only
means that now mandatory file locking works with AIO too, we can
actually remove lines of code.

Reported-by: Manish Honap <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
10 years ago Fix blocking allocations called very early during bootup
Linus Torvalds [Mon, 21 May 2012 19:52:42 +0000 (12:52 -0700)]
Fix blocking allocations called very early during bootup

commit 31a67102f4762df5544bc2dfb34a931233d2a5b2 upstream.

During early boot, when the scheduler hasn't really been fully set up,
we really can't do blocking allocations because with certain (dubious)
configurations the "might_resched()" calls can actually result in
scheduling events.

We could just make such users always use GFP_ATOMIC, but quite often the
code that does the allocation isn't really aware of the fact that the
scheduler isn't up yet, and forcing that kind of random knowledge on the
initialization code is just annoying and not good for anybody.

And we actually have the 'gfp_allowed_mask' exactly for this reason:
it's just that the kernel init sequence happens to set it to allow
blocking allocations much too early.

So move the 'gfp_allowed_mask' initialization from 'start_kernel()'
(which is some of the earliest init code, and runs with preemption
disabled for good reasons) into 'kernel_init()'.  kernel_init() is run
in the newly created thread that will become the 'init' process, as
opposed to the early startup code that runs within the context of what
will be the first idle thread.

So by the time we reach 'kernel_init()', we know that the scheduler must
be at least limping along, because we've already scheduled from the idle
thread into the init thread.

Reported-by: Steven Rostedt <>
Cc: David Rientjes <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
10 years ago isci: fix oem parameter validation on single controller skus
Dan Williams [Mon, 30 Apr 2012 18:57:44 +0000 (11:57 -0700)]
isci: fix oem parameter validation on single controller skus

commit fc25f79af321c01a739150ba2c09435cf977a63d upstream.

OEM parameters [1] are parsed from the platform option-rom / efi
driver.  By default the driver was validating the parameters for the
dual-controller case, but in single-controller case only the first set
of parameters may be valid.

Limit the validation to the number of actual controllers detected
otherwise the driver may fail to parse the valid parameters leading to
driver-load or runtime failures.

[1] the platform specific set of phy address, configuration, and analog
    tuning values

[stable v3.0+]
Reported-by: Dave Jiang <>
Tested-by: Dave Jiang <>
Signed-off-by: Dan Williams <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
10 years ago s390/pfault: fix task state race
Heiko Carstens [Wed, 9 May 2012 07:37:30 +0000 (09:37 +0200)]
s390/pfault: fix task state race

commit d5e50a51ccbda36b379aba9d1131a852eb908dda upstream.

When setting the current task state to TASK_UNINTERRUPTIBLE this can
race with a different cpu. The other cpu could set the task state after
it inspected it (while it was still TASK_RUNNING) to TASK_RUNNING which
would change the state from TASK_UNINTERRUPTIBLE to TASK_RUNNING again.

This race was always present in the pfault interrupt code but didn't
cause anything harmful before commit f2db2e6c "[S390] pfault: cpu hotplug
vs missing completion interrupts" which relied on the fact that after
setting the task state to TASK_UNINTERRUPTIBLE the task would really
Since this is not necessarily the case the result may be a list corruption
of the pfault_list or, as observed, a use-after-free bug while trying to
access the task_struct of a task which terminated itself already.

To fix this, we need to get a reference of the affected task when receiving
the initial pfault interrupt and add special handling if we receive yet
another initial pfault interrupt when the task is already enqueued in the
pfault list.

Signed-off-by: Heiko Carstens <>
Reviewed-by: Martin Schwidefsky <>
Signed-off-by: Martin Schwidefsky <>
Signed-off-by: Ben Hutchings <>
10 years ago RDMA/cxgb4: Drop peer_abort when no endpoint found
Steve Wise [Mon, 30 Apr 2012 20:31:29 +0000 (15:31 -0500)]
RDMA/cxgb4: Drop peer_abort when no endpoint found

commit 14b9222808bb8bfefc71f72bc0dbdcf3b2f0140f upstream.

Log a warning and drop the abort message.  Otherwise we will do a
bogus wake_up() and crash.

Signed-off-by: Steve Wise <>
Signed-off-by: Roland Dreier <>
Signed-off-by: Ben Hutchings <>
10 years ago RDMA/cxgb4: Always wake up waiters in c4iw_peer_abort_intr()
Steve Wise [Fri, 27 Apr 2012 14:59:16 +0000 (09:59 -0500)]
RDMA/cxgb4: Always wake up waiters in c4iw_peer_abort_intr()

commit 0f1dcfae6bc5563424346ad3a03282b8235a4c33 upstream.

This fixes a race where an ingress abort fails to wake up the thread
blocked in rdma_init() causing the app to hang.

Signed-off-by: Steve Wise <>
Signed-off-by: Roland Dreier <>
Signed-off-by: Ben Hutchings <>
10 years ago iommu: Fix off by one in dmar_get_fault_reason()
Dan Carpenter [Sun, 13 May 2012 17:09:38 +0000 (20:09 +0300)]
iommu: Fix off by one in dmar_get_fault_reason()

commit fefe1ed1398b81e3fadc92d11d91162d343c8836 upstream.

fault_reason - 0x20 == ARRAY_SIZE(irq_remap_fault_reasons) is
one past the end of the array.

Signed-off-by: Dan Carpenter <>
Cc: Joerg Roedel <>
Cc: Youquan Song <>
Cc: walter harms <>
Cc: Suresh Siddha <>
Signed-off-by: Ingo Molnar <>
[bwh: Backported to 3.2: s/irq_remap_fault_reasons/intr_remap_fault_reasons/]
Signed-off-by: Ben Hutchings <>
10 years ago regulator: core: Release regulator-regulator supplies on error
Mark Brown [Sun, 13 May 2012 17:35:56 +0000 (18:35 +0100)]
regulator: core: Release regulator-regulator supplies on error

commit e81dba85c6388dfabcb76cbc2b8bd02836a53ae5 upstream.

If we fail while registering a regulator make sure we release the supply
for the regulator if there is one.

Signed-off-by: Mark Brown <>
Acked-by: Liam Girdwood <>
Signed-off-by: Ben Hutchings <>
10 years ago IB/core: Fix mismatch between locked and pinned pages
Yishai Hadas [Thu, 10 May 2012 20:28:05 +0000 (23:28 +0300)]
IB/core: Fix mismatch between locked and pinned pages

commit c4870eb874ac16dccef40e1bc7a002c7e9156adc upstream.

Commit bc3e53f682d9 ("mm: distinguish between mlocked and pinned
pages") introduced a separate counter for pinned pages and used it in
the IB stack.  However, in ib_umem_get() the pinned counter is
incremented, but ib_umem_release() wrongly decrements the locked
counter.  Fix this.

Signed-off-by: Yishai Hadas <>
Reviewed-by: Christoph Lameter <>
Signed-off-by: Roland Dreier <>
Signed-off-by: Ben Hutchings <>
10 years ago KEYS: Use the compat keyctl() syscall wrapper on Sparc64 for Sparc32 compat
David Howells [Fri, 11 May 2012 09:56:56 +0000 (10:56 +0100)]
KEYS: Use the compat keyctl() syscall wrapper on Sparc64 for Sparc32 compat

commit 45de6767dc51358a188f75dc4ad9dfddb7fb9480 upstream.

Use the 32-bit compat keyctl() syscall wrapper on Sparc64 for Sparc32 binary

Without this, keyctl(KEYCTL_INSTANTIATE_IOV) is liable to malfunction as it
uses an iovec array read from userspace - though the kernel should survive this
as it checks pointers and sizes anyway.

I think all the other keyctl() functions should just work, provided (a) the top
32-bits of each 64-bit argument register are cleared prior to invoking the
syscall routine, and the 32-bit address space is right at the 0-end of the
64-bit address space.  Most of the arguments are 32-bit anyway, and so for
those clearing is not required.

Signed-off-by: David Howells <
cc: "David S. Miller" <>
Signed-off-by: Ben Hutchings <>
10 years ago isdn/gigaset: improve error handling querying firmware version
Tilman Schmidt [Wed, 25 Apr 2012 13:02:20 +0000 (13:02 +0000)]
isdn/gigaset: improve error handling querying firmware version

commit e055d03dc088a990fe5ea24a2d64033a168da23c upstream.

An out-of-place "OK" response to the "AT+GMR" (get firmware version)
command turns out to be, more often than not, a delayed response to
a previous command rather than an actual error, so continue waiting
for the version number in that case.

Signed-off-by: Tilman Schmidt <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust indentation]
Signed-off-by: Ben Hutchings <>
10 years ago isdn/gigaset: fix CAPI disconnect B3 handling
Tilman Schmidt [Wed, 25 Apr 2012 13:02:20 +0000 (13:02 +0000)]
isdn/gigaset: fix CAPI disconnect B3 handling

commit 62a1cfe052346b96a552b6a9178d412c709711bb upstream.

If DISCONNECT_B3_IND was synthesized because of a DISCONNECT_REQ
with existing logical connections, the connection state wasn't
updated accordingly. Also the emitted DISCONNECT_B3_IND message
wasn't included in the debug log as requested.
This patch fixes both of these issues.

Signed-off-by: Tilman Schmidt <>
Signed-off-by: David S. Miller <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
10 years ago isdn/gigaset: ratelimit CAPI message dumps
Tilman Schmidt [Wed, 25 Apr 2012 13:02:19 +0000 (13:02 +0000)]
isdn/gigaset: ratelimit CAPI message dumps

commit 8e618aad5348b6e6c5a90e8d97ea643197963b20 upstream.

Introduce a global ratelimit for CAPI message dumps to protect
against possible log flood.
Drop the ratelimit for ignored messages which is now covered by the
global one.

Signed-off-by: Tilman Schmidt <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
10 years ago mpt2sas: Fix for panic happening because of improper memory allocation
[Tue, 20 Mar 2012 06:40:01 +0000 (12:10 +0530)]
mpt2sas: Fix for panic happening because of improper memory allocation

commit e42fafc25fa86c61824e8d4c5e7582316415d24f upstream.

The ioc->pfacts member in the IOC structure is getting set to zero
following a call to _base_get_ioc_facts due to the memset in that routine.
So if the ioc->pfacts was read after a host reset, there would be a NULL
pointer dereference. The routine _base_get_ioc_facts is called from context
of host reset.  The problem in _base_get_ioc_facts  is the size of
Mpi2IOCFactsReply is 64, whereas the sizeof "struct mpt2sas_facts" is 60,
so there is a four byte overflow resulting from the memset.

Also, there is memset in _base_get_port_facts using the incorrect structure,
it should be "struct mpt2sas_port_facts" instead of Mpi2PortFactsReply.

Signed-off-by: Nagalakshmi Nandigama <>
Signed-off-by: James Bottomley <>
Signed-off-by: Ben Hutchings <>
10 years ago cfg80211: warn if db.txt is empty with CONFIG_CFG80211_INTERNAL_REGDB
Luis R. Rodriguez [Fri, 23 Mar 2012 14:23:31 +0000 (07:23 -0700)]
cfg80211: warn if db.txt is empty with CONFIG_CFG80211_INTERNAL_REGDB

commit 80007efeff0568375b08faf93c7aad65602cb97e upstream.

It has happened twice now where elaborate troubleshooting has
undergone on systems where CONFIG_CFG80211_INTERNAL_REGDB [0]
has been set but yet net/wireless/db.txt was not updated.

Despite the documentation on this it seems system integrators could
use some more help with this, so throw out a kernel warning at boot time
when their database is empty.

This does mean that the error-prone system integrator won't likely
realize the issue until they boot the machine but -- it does not seem
to make sense to enable a build bug breaking random build testing.


Cc: Stephen Rothwell <>
Cc: Youngsin Lee <>
Cc: Raja Mani <>
Cc: Senthil Kumar Balasubramanian <>
Cc: Vipin Mehta <>
Signed-off-by: Luis R. Rodriguez <>
Signed-off-by: John W. Linville <>
Signed-off-by: Ben Hutchings <>
10 years ago SELinux: if sel_make_bools errors don't leave inconsistent state
Eric Paris [Wed, 4 Apr 2012 17:47:11 +0000 (13:47 -0400)]
SELinux: if sel_make_bools errors don't leave inconsistent state

commit 154c50ca4eb9ae472f50b6a481213e21ead4457d upstream.

We reset the bool names and values array to NULL, but do not reset the
number of entries in these arrays to 0.  If we error out and then get back
into this function we will walk these NULL pointers based on the belief
that they are non-zero length.

Signed-off-by: Eric Paris <>
Signed-off-by: Ben Hutchings <>
10 years ago hpsa: Fix problem with MSA2xxx devices
Stephen M. Cameron [Thu, 19 Jan 2012 20:01:04 +0000 (14:01 -0600)]
hpsa: Fix problem with MSA2xxx devices

commit 9bc3711cbb67ac620bf09b4a147cbab45b2c36c0 upstream.

Upgraded firmware on Smart Array P7xx (and some others) made them show up as
SCSI revision 5 devices and this caused the driver to fail to map MSA2xxx
logical drives to the correct bus/target/lun.  A symptom of this would be that
the target ID of the logical drives as presented by the external storage array
is ignored, and all such logical drives are assigned to target zero,
differentiated only by LUN.  Some multipath software reportedly does not deal
well with this behavior, failing to recognize different paths to the same
device as such.

Signed-off-by: Stephen M. Cameron <>
Signed-off-by: Scott Teel <>
Signed-off-by: James Bottomley <>
Signed-off-by: Ben Hutchings <>
10 years ago mtd: sm_ftl: fix typo in major number.
Maxim Levitsky [Sat, 17 Mar 2012 18:16:53 +0000 (20:16 +0200)]
mtd: sm_ftl: fix typo in major number.

commit 452380efbd72d8d41f53ea64c8a6ea1fedc4394d upstream.

major == 0 allocates dynamic major, not major == -1

Signed-off-by: Maxim Levitsky <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: David Woodhouse <>
Signed-off-by: Ben Hutchings <>
10 years ago tilegx: enable SYSCALL_WRAPPERS support
Chris Metcalf [Fri, 18 May 2012 17:33:24 +0000 (13:33 -0400)]
tilegx: enable SYSCALL_WRAPPERS support

commit e6d9668e119af44ae5bcd5f1197174531458afe3 upstream.

Some discussion with the glibc mailing lists revealed that this was
necessary for 64-bit platforms with MIPS-like sign-extension rules
for 32-bit values.  The original symptom was that passing (uid_t)-1 to
setreuid() was failing in programs linked -pthread because of the "setxid"
mechanism for passing setxid-type function arguments to the syscall code.
SYSCALL_WRAPPERS handles ensuring that all syscall arguments end up with
proper sign-extension and is thus the appropriate fix for this problem.

On other platforms (s390, powerpc, sparc64, and mips) this was fixed
in  The general issue is tracked as CVE-2009-0029.

Signed-off-by: Chris Metcalf <>
Signed-off-by: Ben Hutchings <>
10 years ago arch/tile/Kconfig: remove pointless "!M386" test.
Chris Metcalf [Tue, 27 Mar 2012 17:47:57 +0000 (13:47 -0400)]
arch/tile/Kconfig: remove pointless "!M386" test.

commit 8d6951439ef524683057251f1231df232046b6b6 upstream.

Looks like a cut and paste bug from the x86 version.

Signed-off-by: Chris Metcalf <>
Signed-off-by: Ben Hutchings <>
10 years ago fix panic on prefetch(NULL) on PA7300LC
James Bottomley [Wed, 16 May 2012 10:10:27 +0000 (11:10 +0100)]
fix panic on prefetch(NULL) on PA7300LC

commit b3cb8674811d1851bbf1486a73d62b90c119b994 upstream.

Due to an errata, the PA7300LC generates a TLB miss interruption even on the
prefetch instruction.  This means that prefetch(NULL), which is supposed to be
a nop on linux actually generates a NULL deref fault.  Fix this by testing the
address of prefetch against NULL before doing the prefetch.

Signed-off-by: James Bottomley <>
Signed-off-by: Ben Hutchings <>
10 years ago fix crash in flush_icache_page_asm on PA1.1
John David Anglin [Wed, 16 May 2012 09:14:52 +0000 (10:14 +0100)]
fix crash in flush_icache_page_asm on PA1.1

commit 207f583d7179f707f402c36a7bda5ca1fd03ad5b upstream.

As pointed out by several people, PA1.1 only has a type 26 instruction
meaning that the space register must be explicitly encoded.  Not giving an
explicit space means that the compiler uses the type 24 version which is PA2.0
only resulting in an illegal instruction crash.

This regression was caused by

    commit f311847c2fcebd81912e2f0caf8a461dec28db41
    Author: James Bottomley <>
    Date:   Wed Dec 22 10:22:11 2010 -0600

        parisc: flush pages through tmpalias space

Reported-by: Helge Deller <>
Signed-off-by: John David Anglin <>
Signed-off-by: James Bottomley <>
Signed-off-by: Ben Hutchings <>
10 years ago fix PA1.1 oops on boot
James Bottomley [Tue, 15 May 2012 10:04:19 +0000 (11:04 +0100)]
fix PA1.1 oops on boot

commit 5e185581d7c46ddd33cd9c01106d1fc86efb9376 upstream.

All PA1.1 systems have been oopsing on boot since

commit f311847c2fcebd81912e2f0caf8a461dec28db41
Author: James Bottomley <>
Date:   Wed Dec 22 10:22:11 2010 -0600

    parisc: flush pages through tmpalias space

because a PA2.0 instruction was accidentally introduced into the PA1.1 TLB
insertion interruption path when it was consolidated with the do_alias macro.
Fix the do_alias macro only to use PA2.0 instructions if compiled for 64 bit.
Signed-off-by: James Bottomley <>
Signed-off-by: Ben Hutchings <>
10 years ago block: fix buffer overflow when printing partition UUIDs
Tejun Heo [Tue, 15 May 2012 06:22:04 +0000 (08:22 +0200)]
block: fix buffer overflow when printing partition UUIDs

commit 05c69d298c96703741cac9a5cbbf6c53bd55a6e2 upstream.

6d1d8050b4bc8 "block, partition: add partition_meta_info to hd_struct"
added part_unpack_uuid() which assumes that the passed in buffer has
enough space for sprintfing "%pU" - 37 characters including '\0'.

Unfortunately, b5af921ec0233 "init: add support for root devices
specified by partition UUID" supplied 33 bytes buffer to the function
leading to the following panic with stackprotector enabled.

  Kernel panic - not syncing: stack-protector: Kernel stack corrupted in: ffffffff81b14c7e

  [<ffffffff815e226b>] panic+0xba/0x1c6
  [<ffffffff81b14c7e>] ? printk_all_partitions+0x259/0x26xb
  [<ffffffff810566bb>] __stack_chk_fail+0x1b/0x20
  [<ffffffff81b15c7e>] printk_all_paritions+0x259/0x26xb
  [<ffffffff81aedfe0>] mount_block_root+0x1bc/0x27f
  [<ffffffff81aee0fa>] mount_root+0x57/0x5b
  [<ffffffff81aee23b>] prepare_namespace+0x13d/0x176
  [<ffffffff8107eec0>] ? release_tgcred.isra.4+0x330/0x30
  [<ffffffff81aedd60>] kernel_init+0x155/0x15a
  [<ffffffff81087b97>] ? schedule_tail+0x27/0xb0
  [<ffffffff815f4d24>] kernel_thread_helper+0x5/0x10
  [<ffffffff81aedc0b>] ? start_kernel+0x3c5/0x3c5
  [<ffffffff815f4d20>] ? gs_change+0x13/0x13

Increase the buffer size, remove the dangerous part_unpack_uuid() and
use snprintf() directly from printk_all_partitions().

Signed-off-by: Tejun Heo <>
Reported-by: Szymon Gruszczynski <>
Cc: Will Drewry <>
Signed-off-by: Jens Axboe <>
Signed-off-by: Ben Hutchings <>
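
The size mismatch described above (37 characters needed, 33 bytes supplied), as an added userspace example rather than the kernel code. The plain `snprintf()` format stands in for `"%pU"`, and the UUID bytes and guard pattern are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UUID_STRING_SIZE 37   /* 32 hex digits + 4 hyphens + '\0' */

/* Constructed sample UUID bytes. */
static const uint8_t sample_uuid[16] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
};

/*
 * A 33-byte buffer like the one in the bug, followed by a guard pattern
 * that plays the role of the stack protector canary.
 */
static struct {
    char text[33];
    unsigned char guard[4];
} small_slot = { "", { 0xde, 0xad, 0xbe, 0xef } };

static char full_text[UUID_STRING_SIZE];

/*
 * Bounded formatting: snprintf() never writes more than `size` bytes and
 * returns the length the full text needs, so truncation is detectable.
 * Returns 0 when the whole UUID fitted, -1 when it was cut short.
 */
static int format_uuid(char *buf, size_t size, const uint8_t *u)
{
    int need = snprintf(buf, size,
        "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-"
        "%02x%02x%02x%02x%02x%02x",
        u[0], u[1], u[2], u[3], u[4], u[5], u[6], u[7],
        u[8], u[9], u[10], u[11], u[12], u[13], u[14], u[15]);

    if (need < 0 || (size_t)need >= size)
        return -1;
    return 0;
}

/* 1 while the bytes after the short buffer are untouched. */
static int guard_intact(void)
{
    static const unsigned char expect[4] = { 0xde, 0xad, 0xbe, 0xef };
    return memcmp(small_slot.guard, expect, sizeof expect) == 0;
}

int main(void)
{
    int rc = format_uuid(full_text, sizeof full_text, sample_uuid);
    printf("37-byte buffer: rc=%d \"%s\"\n", rc, full_text);

    rc = format_uuid(small_slot.text, sizeof small_slot.text, sample_uuid);
    printf("33-byte buffer: rc=%d \"%s\" guard %s\n", rc, small_slot.text,
           guard_intact() ? "intact" : "clobbered");
    return 0;
}
```
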
10 years ago bio allocation failure due to bio_get_nr_vecs()
Bernd Schubert [Fri, 11 May 2012 14:36:44 +0000 (16:36 +0200)]
bio allocation failure due to bio_get_nr_vecs()

commit f908ee9463b09ddd05e1c1a0111132212dc05fac upstream.

The number of bio_get_nr_vecs() is passed down via bio_alloc() to
bvec_alloc_bs(), which fails the bio allocation if
nr_iovecs > BIO_MAX_PAGES. For the underlying caller this causes an
unexpected bio allocation failure.
Limiting to queue_max_segments() is not sufficient, as max_segments
also might be very large.

bvec_alloc_bs(gfp_mask, nr_iovecs, ) => NULL when nr_iovecs  > BIO_MAX_PAGES
bio_alloc_bioset(gfp_mask, nr_iovecs, ...)
bio_alloc(GFP_NOIO, nvecs)

Signed-off-by: Bernd Schubert <>
Signed-off-by: Jens Axboe <>
Signed-off-by: Ben Hutchings <>
10 years ago bio: don't overflow in bio_get_nr_vecs()
Kent Overstreet [Wed, 8 Feb 2012 21:07:18 +0000 (22:07 +0100)]
bio: don't overflow in bio_get_nr_vecs()

commit 5abebfdd02450fa1349daacf242e70b3736581e3 upstream.

There were two places bio_get_nr_vecs() could overflow:

First, it did a left shift to convert from sectors to bytes immediately
before dividing by PAGE_SIZE.  If PAGE_SIZE ever was less than 512 a great
many things would break, so dividing by PAGE_SIZE >> 9 is safe and will
generate smaller code too.

The nastier overflow was in the DIV_ROUND_UP() (that's what the code was
effectively doing, anyways).  If n + d overflowed, the whole thing would
return 0 which breaks things rather effectively.

bio_get_nr_vecs() doesn't claim to give an exact value anyways, so the
DIV_ROUND_UP() is silly; we could do a straight divide except if a
device's queue_max_sectors was less than PAGE_SIZE we'd return 0.  So we
just add 1; this should always be safe - things will break badly if
bio_get_nr_vecs() returns > BIO_MAX_PAGES (bio_alloc() will suddenly start
failing) but it's queue_max_segments that must guard against this, if
queue_max_sectors is preventing this from happening, things are going to
explode on architectures with different PAGE_SIZE.

Signed-off-by: Kent Overstreet <>
Cc: Tejun Heo <>
Acked-by: Valdis Kletnieks <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Jens Axboe <>
Signed-off-by: Ben Hutchings <>
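
The two wraparounds described in this commit message, modelled in user-space C as an added example (not the kernel's code and not the patch itself). The function names, the 4096-byte page size and the sample queue limits are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this model; not taken from the page. */
#define MODEL_PAGE_SIZE  4096u
#define MODEL_PAGE_SHIFT 12u

static uint32_t min_u32(uint32_t a, uint32_t b) { return a < b ? a : b; }

/* Pattern the message warns about: shift sectors to bytes, then round
 * up to pages. Both the shift and the "+ d - 1" of the round-up can
 * wrap in 32-bit arithmetic, and the result collapses to 0. */
uint32_t nr_vecs_shift_roundup(uint32_t max_sectors, uint32_t max_segments)
{
    uint32_t bytes = max_sectors << 9;                          /* may wrap */
    uint32_t pages = (bytes + MODEL_PAGE_SIZE - 1u) >> MODEL_PAGE_SHIFT; /* may wrap */
    return min_u32(pages, max_segments);
}

/* Approach the message describes: divide by PAGE_SIZE >> 9 (sectors per
 * page) and add 1. No intermediate value exceeds max_sectors, and a
 * limit smaller than one page still yields 1 instead of 0. */
uint32_t nr_vecs_divide_plus_one(uint32_t max_sectors, uint32_t max_segments)
{
    uint32_t pages = max_sectors / (MODEL_PAGE_SIZE >> 9) + 1u;
    return min_u32(pages, max_segments);
}

int main(void)
{
    /* Constructed sample limits: ordinary, sub-page, and two that wrap. */
    const uint32_t sectors[] = { 256u, 4u, 0x00800000u, UINT32_MAX };
    const uint32_t max_segments = 128u;   /* constructed */

    for (size_t i = 0; i < sizeof(sectors) / sizeof(sectors[0]); i++)
        printf("max_sectors=%10u  shift+roundup=%3u  divide+1=%3u\n",
               sectors[i],
               nr_vecs_shift_roundup(sectors[i], max_segments),
               nr_vecs_divide_plus_one(sectors[i], max_segments));
    return 0;
}
```
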
10 years ago KVM: s390: Sanitize fpc registers for KVM_SET_FPU
Christian Borntraeger [Mon, 6 Feb 2012 09:59:02 +0000 (10:59 +0100)]
KVM: s390: Sanitize fpc registers for KVM_SET_FPU

(cherry picked from commit 851755871c1f3184f4124c466e85881f17fa3226)

commit 7eef87dc99e419b1cc051e4417c37e4744d7b661 (KVM: s390: fix
register setting) added a load of the floating point control register
to the KVM_SET_FPU path. Let's make sure that the fpc is valid.

Signed-off-by: Christian Borntraeger <>
Signed-off-by: Marcelo Tosatti <>
Signed-off-by: Avi Kivity <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago KVM: s390: do store status after handling STOP_ON_STOP bit
Jens Freimann [Mon, 6 Feb 2012 09:59:03 +0000 (10:59 +0100)]
KVM: s390: do store status after handling STOP_ON_STOP bit

(cherry picked from commit 9e0d5473e2f0ba2d2fe9dab9408edef3060b710e)

In handle_stop() handle the stop bit before doing the store status as
described for "Stop and Store Status" in the Principles of Operation.
We have to give up the local_int.lock before calling kvm store status
since it calls gmap_fault() which might sleep. Since local_int.lock
only protects local_int.* and not guest memory we can give up the lock.

Signed-off-by: Jens Freimann <>
Signed-off-by: Christian Borntraeger <>
Signed-off-by: Marcelo Tosatti <>
Signed-off-by: Avi Kivity <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago KVM: VMX: vmx_set_cr0 expects kvm->srcu locked
Marcelo Tosatti [Tue, 27 Mar 2012 22:47:26 +0000 (19:47 -0300)]
KVM: VMX: vmx_set_cr0 expects kvm->srcu locked

(cherry picked from commit 7a4f5ad051e02139a9f1c0f7f4b1acb88915852b)

vmx_set_cr0 is called from vcpu run context, therefore it expects
kvm->srcu to be held (for setting up the real-mode TSS).

Signed-off-by: Marcelo Tosatti <>
Signed-off-by: Avi Kivity <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago KVM: nVMX: Fix erroneous exception bitmap check
Nadav Har'El [Tue, 6 Mar 2012 14:39:22 +0000 (16:39 +0200)]
KVM: nVMX: Fix erroneous exception bitmap check

(cherry picked from commit 9587190107d0c0cbaccbf7bf6b0245d29095a9ae)

The code which checks whether to inject a pagefault to L1 or L2 (in
nested VMX) was wrong, incorrect in how it checked the PF_VECTOR bit.
Thanks to Dan Carpenter for spotting this.

Signed-off-by: Nadav Har'El <>
Reported-by: Dan Carpenter <>
Signed-off-by: Avi Kivity <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago KVM: lock slots_lock around device assignment
Alex Williamson [Wed, 18 Apr 2012 03:46:44 +0000 (21:46 -0600)]
KVM: lock slots_lock around device assignment

(cherry picked from commit 21a1416a1c945c5aeaeaf791b63c64926018eb77)

As pointed out by Jason Baron, when assigning a device to a guest
we first set the iommu domain pointer, which enables mapping
and unmapping of memory slots to the iommu.  This leaves a window
where this path is enabled, but we haven't synchronized the iommu
mappings to the existing memory slots.  Thus a slot being removed
at that point could send us down unexpected code paths removing
non-existent pinnings and iommu mappings.  Take the slots_lock
around creating the iommu domain and initial mappings as well as
around iommu teardown to avoid this race.

Signed-off-by: Alex Williamson <>
Signed-off-by: Marcelo Tosatti <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago KVM: Ensure all vcpus are consistent with in-kernel irqchip settings
Avi Kivity [Mon, 5 Mar 2012 12:23:29 +0000 (14:23 +0200)]
KVM: Ensure all vcpus are consistent with in-kernel irqchip settings

(cherry picked from commit 3e515705a1f46beb1c942bb8043c16f8ac7b1e9e)

If some vcpus are created before KVM_CREATE_IRQCHIP, then
irqchip_in_kernel() and vcpu->arch.apic will be inconsistent, leading
to potential NULL pointer dereferences.

Fix by:
- ensuring that no vcpus are installed when KVM_CREATE_IRQCHIP is called
- ensuring that a vcpu has an apic if it is installed after KVM_CREATE_IRQCHIP

This is somewhat long winded because vcpu->arch.apic is created without
kvm->lock held.

Based on earlier patch by Michael Ellerman.

Signed-off-by: Michael Ellerman <>
Signed-off-by: Avi Kivity <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
10 years ago KVM: mmu_notifier: Flush TLBs before releasing mmu_lock
Takuya Yoshikawa [Fri, 10 Feb 2012 06:28:31 +0000 (15:28 +0900)]
KVM: mmu_notifier: Flush TLBs before releasing mmu_lock

(cherry picked from commit 565f3be2174611f364405bbea2d86e153c2e7e78)

Other threads may process the same page in that small window and skip
TLB flush and then return before these functions do flush.

Signed-off-by: Takuya Yoshikawa <>
Signed-off-by: Marcelo Tosatti <>
Signed-off-by: Avi Kivity <>
Signed-off-by: Ben Hutchings <>
10 years ago Linux 3.2.18 v3.2.18
Ben Hutchings [Sun, 20 May 2012 21:56:54 +0000 (22:56 +0100)]
Linux 3.2.18

10 years ago pktgen: fix module unload for good
Eric Dumazet [Thu, 17 May 2012 23:52:26 +0000 (23:52 +0000)]
pktgen: fix module unload for good

commit d4b1133558e0d417342d5d2c49e4c35b428ff20d upstream.

commit c57b5468406 (pktgen: fix crash at module unload) did a very poor
job with list primitives.

1) list_splice() arguments were in the wrong order

2) list_splice(list, head) has undefined behavior if head is not

3) We should use the list_splice_init() variant to clear pktgen_threads

Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
10 years ago pktgen: fix crash at module unload
Eric Dumazet [Wed, 9 May 2012 13:29:51 +0000 (13:29 +0000)]
pktgen: fix crash at module unload

commit c57b54684060c8aced64a5b78ff69ff289af97b9 upstream.

commit 7d3d43dab4e9 (net: In unregister_netdevice_notifier unregister
the netdevices.) makes pktgen crash at module unload.

[  296.820578] BUG: spinlock bad magic on CPU#6, rmmod/3267
[  296.820719]  lock: ffff880310c38000, .magic: ffff8803, .owner: <none>/-1, .owner_cpu: -1
[  296.820943] Pid: 3267, comm: rmmod Not tainted 3.4.0-rc5+ #254
[  296.821079] Call Trace:
[  296.821211]  [<ffffffff8168a715>] spin_dump+0x8a/0x8f
[  296.821345]  [<ffffffff8168a73b>] spin_bug+0x21/0x26
[  296.821507]  [<ffffffff812b4741>] do_raw_spin_lock+0x131/0x140
[  296.821648]  [<ffffffff8169188e>] _raw_spin_lock+0x1e/0x20
[  296.821786]  [<ffffffffa00cc0fd>] __pktgen_NN_threads+0x4d/0x140 [pktgen]
[  296.821928]  [<ffffffffa00ccf8d>] pktgen_device_event+0x10d/0x1e0 [pktgen]
[  296.822073]  [<ffffffff8154ed4f>] unregister_netdevice_notifier+0x7f/0x100
[  296.822216]  [<ffffffffa00d2a0b>] pg_cleanup+0x48/0x73 [pktgen]
[  296.822357]  [<ffffffff8109528e>] sys_delete_module+0x17e/0x2a0
[  296.822502]  [<ffffffff81699652>] system_call_fastpath+0x16/0x1b

Hold the pktgen_thread_lock while splicing pktgen_threads, and test
pktgen_exiting in pktgen_device_event() to make unload faster.

Signed-off-by: Eric Dumazet <>
Cc: Eric W. Biederman <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
10 years ago stmmac: Fix compilation error in mmc_core.c
Stefan Roese [Tue, 10 Jan 2012 01:47:40 +0000 (01:47 +0000)]
stmmac: Fix compilation error in mmc_core.c

commit 1dd8117e3320fb42ec40ef2ace982871572d34ed upstream.

Fix this error:

  CC      drivers/net/ethernet/stmicro/stmmac/mmc_core.o
drivers/net/ethernet/stmicro/stmmac/mmc_core.c: In function 'dwmac_mmc_ctrl':
drivers/net/ethernet/stmicro/stmmac/mmc_core.c:143:2: error: implicit
  declaration of function 'pr_debug' [-Werror=implicit-function-declaration]

Signed-off-by: Stefan Roese <>
Cc: Giuseppe Cavallaro <>
Acked-by: Giuseppe Cavallaro <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
10 years ago mtd: map.h: fix arm cross-build failure
Artem Bityutskiy [Fri, 30 Dec 2011 16:28:01 +0000 (18:28 +0200)]
mtd: map.h: fix arm cross-build failure

commit 4a42243886b87cd28a39b192161767c2af851a55 upstream.

This patch fixes the following build failure:
In file included from include/linux/mtd/qinfo.h:4:0,
                 from include/linux/mtd/pfow.h:7,
                 from drivers/mtd/lpddr/lpddr_cmds.c:27:
include/linux/mtd/map.h: In function 'inline_map_read':
include/linux/mtd/map.h:409:3: error: implicit declaration of function 'BUILD_BUG_ON' [-Werror=implicit-function-declaration]

Signed-off-by: Artem Bityutskiy <>
Signed-off-by: David Woodhouse <>
Signed-off-by: Ben Hutchings <>
10 years ago e1000: Prevent reset task killing itself.
Tushar Dave [Thu, 17 May 2012 01:04:50 +0000 (01:04 +0000)]
e1000: Prevent reset task killing itself.

commit 8ce6909f77ba1b7bcdea65cc2388fd1742b6d669 upstream.

Killing reset task while adapter is resetting causes deadlock.
Only kill reset task if adapter is not resetting.
Ref bug #43132 on

Signed-off-by: Tushar Dave <>
Tested-by: Aaron Brown <>
Signed-off-by: Jeff Kirsher <>
Signed-off-by: David S. Miller <>
Signed-off-by: Ben Hutchings <>
10 years ago tcp: do_tcp_sendpages() must try to push data out on oom conditions
Willy Tarreau [Thu, 17 May 2012 11:14:14 +0000 (11:14 +0000)]
tcp: do_tcp_sendpages() must try to push data out on oom conditions

commit bad115cfe5b509043b684d3a007ab54b80090aa1 upstream.

Since recent changes on TCP splicing (starting with commits 2f533844
"tcp: allow splice() to build full TSO packets" and 35f9c09f "tcp:
tcp_sendpages() should call tcp_push() once"), I started seeing
massive stalls when forwarding traffic between two sockets using
splice() when pipe buffers were larger than socket buffers.

Latest changes (net: netdev_alloc_skb() use build_skb()) made the
problem even more apparent.

The reason seems to be that if do_tcp_sendpages() fails on out of memory
condition without being able to send at least one byte, tcp_push() is not
called and the buffers cannot be flushed.

After applying the attached patch, I cannot reproduce the stalls at all
and the data rate is perfectly stable and steady under any condition
which previously caused the problem to be permanent.

The issue seems to have been there since before the kernel migrated to
git, which makes me think that the stalls I occasionally experienced
with tux during stress-tests years ago were probably related to the
same issue.

This issue was first encountered on 3.0.31 and 3.2.17, so please backport
to -stable.

Signed-off-by: Willy Tarreau <>
Acked-by: Eric Dumazet <>
Signed-off-by: Ben Hutchings <>