commit 52e218bb34aba009c1c6ae1c8fa4cb6f95c1d1f0 Author: Jiri Slaby Date: Tue May 13 11:23:52 2014 +0200 Linux 3.12.20 commit b4dac01c9c5a10d3cf4c30cea8af87f449632c03 Author: Gerd Hoffmann Date: Mon Apr 14 11:34:48 2014 +0200 drm: cirrus: add power management support commit 2f1e800799bf478494cec3573cd63eb34ca89c9d upstream. cirrus kms driver lacks power management support, thus the vga display doesn't work any more after S3 resume. Fix this by adding suspend and resume functions. Also make the mode_set function unblank the screen. Signed-off-by: Gerd Hoffmann Signed-off-by: Dave Airlie Signed-off-by: Jiri Slaby commit 93cfde3b20bb58d4a11fd8a90ed488c0ff49783b Author: Hans de Goede Date: Wed Apr 23 13:02:35 2014 -0700 Input: synaptics - add min/max quirk for ThinkPad Edge E431 commit 27a38856a948c3e8de30dc71647ff9e1778c99fc upstream. Signed-off-by: Hans de Goede Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit 7419385d73a109c83db0a0a36fec6485addd2f7b Author: Hans de Goede Date: Sat Apr 19 22:31:18 2014 -0700 Input: synaptics - add min/max quirk for ThinkPad T431s, L440, L540, S1 Yoga and X1 commit 46a2986ebbe18757c2d8c352f8fb6e0f4f0754e3 upstream. We expect that all the Haswell series will need such quirks, sigh. The T431s seems to be T430 hardware in a T440s case, using the T440s touchpad, with the same min/max issue. The X1 Carbon 3rd generation name says 2nd while it is a 3rd generation. The X1 and T431s share a PnPID with the T540p, but the reported ranges are closer to those of the T440s. HdG: Squashed 5 quirk patches into one. T431s + L440 + L540 are written by me, S1 Yoga and X1 are written by Benjamin Tissoires. Hdg: Standardized S1 Yoga and X1 values, Yoga uses the same touchpad as the X240, X1 uses the same touchpad as the T440. Signed-off-by: Benjamin Tissoires Signed-off-by: Hans de Goede Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Slaby commit 440fc6193a5ee6004c816da57530982232285f57 Author: Russell King Date: Tue Mar 4 16:25:51 2014 -0500 mmc: sdhci-bcm-kona: fix build errors when built-in commit 4025ce24f326830135341814307c072f6c2a7738 upstream. `sdhci_bcm_kona_remove' referenced in section `.data' of drivers/built-in.o: defined in discarded section `.exit.text' of drivers/built-in.o Fixes: 058feb53666f ("mmc: sdhci-bcm-kona: make linker-section warning go away") Signed-off-by: Russell King Tested-by: Markus Mayer Acked-by: Matt Porter Signed-off-by: Chris Ball Signed-off-by: Jiri Slaby commit 743660fdf68a4462c81b1de3b728c7d6f2c19d0b Author: Jens Axboe Date: Tue Apr 8 16:04:12 2014 -0700 lib/percpu_counter.c: fix bad percpu counter state during suspend commit e39435ce68bb4685288f78b1a7e24311f7ef939f upstream. I got a bug report yesterday from Laszlo Ersek in which he states that his kvm instance fails to suspend. Laszlo bisected it down to this commit 1cf7e9c68fe8 ("virtio_blk: blk-mq support") where virtio-blk is converted to use the blk-mq infrastructure. After digging a bit, it became clear that the issue was with the queue drain. blk-mq tracks queue usage in a percpu counter, which is incremented on request alloc and decremented when the request is freed. The initial hunt was for an inconsistency in blk-mq, but everything seemed fine. In fact, the counter only returned crazy values when suspend was in progress. When a CPU is unplugged, the percpu counters merges that CPU state with the general state. blk-mq takes care to register a hotcpu notifier with the appropriate priority, so we know it runs after the percpu counter notifier. However, the percpu counter notifier only merges the state when the CPU is fully gone. This leaves a state transition where the CPU going away is no longer in the online mask, yet it still holds private values. This means that in this state, percpu_counter_sum() returns invalid results, and the suspend then hangs waiting for abs(dead-cpu-value) requests to complete which of course will never happen. Fix this by clearing the state earlier, so we never have a case where the CPU isn't in online mask but still holds private state. This bug has been there since forever, I guess we don't have a lot of users where percpu counters needs to be reliable during the suspend cycle. Signed-off-by: Jens Axboe Reported-by: Laszlo Ersek Tested-by: Laszlo Ersek Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 22fa1a91c20d09a0a2053d4930cb7ccbf1b8df8e Author: Jeff Layton Date: Tue Mar 25 11:55:26 2014 -0700 lockd: ensure we tear down any live sockets when socket creation fails during lockd_up commit 679b033df48422191c4cac52b610d9980e019f9b upstream. We had a Fedora ABRT report with a stack trace like this: kernel BUG at net/sunrpc/svc.c:550! invalid opcode: 0000 [#1] SMP [...] CPU: 2 PID: 913 Comm: rpc.nfsd Not tainted 3.13.6-200.fc20.x86_64 #1 Hardware name: Hewlett-Packard HP ProBook 4740s/1846, BIOS 68IRR Ver. F.40 01/29/2013 task: ffff880146b00000 ti: ffff88003f9b8000 task.ti: ffff88003f9b8000 RIP: 0010:[] [] svc_destroy+0x128/0x130 [sunrpc] RSP: 0018:ffff88003f9b9de0 EFLAGS: 00010206 RAX: ffff88003f829628 RBX: ffff88003f829600 RCX: 00000000000041ee RDX: 0000000000000000 RSI: 0000000000000286 RDI: 0000000000000286 RBP: ffff88003f9b9de8 R08: 0000000000017360 R09: ffff88014fa97360 R10: ffffffff8114ce57 R11: ffffea00051c9c00 R12: ffff88003f829600 R13: 00000000ffffff9e R14: ffffffff81cc7cc0 R15: 0000000000000000 FS: 00007f4fde284840(0000) GS:ffff88014fa80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4fdf5192f8 CR3: 00000000a569a000 CR4: 00000000001407e0 Stack: ffff88003f792300 ffff88003f9b9e18 ffffffffa02de02a 0000000000000000 ffffffff81cc7cc0 ffff88003f9cb000 0000000000000008 ffff88003f9b9e60 ffffffffa033bb35 ffffffff8131c86c ffff88003f9cb000 ffff8800a5715008 Call Trace: [] lockd_up+0xaa/0x330 [lockd] [] nfsd_svc+0x1b5/0x2f0 [nfsd] [] ? simple_strtoull+0x2c/0x50 [] ? write_pool_threads+0x280/0x280 [nfsd] [] write_threads+0x8b/0xf0 [nfsd] [] ? __get_free_pages+0x14/0x50 [] ? get_zeroed_page+0x16/0x20 [] ? simple_transaction_get+0xb1/0xd0 [] nfsctl_transaction_write+0x48/0x80 [nfsd] [] vfs_write+0xb4/0x1f0 [] ? putname+0x29/0x40 [] SyS_write+0x49/0xa0 [] ? __audit_syscall_exit+0x1f6/0x2a0 [] system_call_fastpath+0x16/0x1b Code: 31 c0 e8 82 db 37 e1 e9 2a ff ff ff 48 8b 07 8b 57 14 48 c7 c7 d5 c6 31 a0 48 8b 70 20 31 c0 e8 65 db 37 e1 e9 f4 fe ff ff 0f 0b <0f> 0b 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 RIP [] svc_destroy+0x128/0x130 [sunrpc] RSP Evidently, we created some lockd sockets and then failed to create others. make_socks then returned an error and we tried to tear down the svc, but svc->sv_permsocks was not empty so we ended up tripping over the BUG() in svc_destroy(). Fix this by ensuring that we tear down any live sockets we created when socket creation is going to return an error. Fixes: 786185b5f8abefa (SUNRPC: move per-net operations from...) Reported-by: Raphos Signed-off-by: Jeff Layton Reviewed-by: Stanislav Kinsbursky Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit b74183e7eca36537c32645cae85924d6e1479db5 Author: Benjamin LaHaise Date: Fri Mar 28 10:14:45 2014 -0400 aio: v4 ensure access to ctx->ring_pages is correctly serialised for migration commit fa8a53c39f3fdde98c9eace6a9b412143f0f6ed6 upstream. As reported by Tang Chen, Gu Zheng and Yasuaki Isimatsu, the following issues exist in the aio ring page migration support. As a result, for example, we have the following problem: thread 1 | thread 2 | aio_migratepage() | |-> take ctx->completion_lock | |-> migrate_page_copy(new, old) | | *NOW*, ctx->ring_pages[idx] == old | | | *NOW*, ctx->ring_pages[idx] == old | aio_read_events_ring() | |-> ring = kmap_atomic(ctx->ring_pages[0]) | |-> ring->head = head; *HERE, write to the old ring page* | |-> kunmap_atomic(ring); | |-> ctx->ring_pages[idx] = new | | *BUT NOW*, the content of | | ring_pages[idx] is old. | |-> release ctx->completion_lock | As above, the new ring page will not be updated. Fix this issue, as well as prevent races in aio_ring_setup() by holding the ring_lock mutex during kioctx setup and page migration. This avoids the overhead of taking another spinlock in aio_read_events_ring() as Tang's and Gu's original fix did, pushing the overhead into the migration code. Note that to handle the nesting of ring_lock inside of mmap_sem, the migratepage operation uses mutex_trylock(). Page migration is not a 100% critical operation in this case, so the ocassional failure can be tolerated. This issue was reported by Sasha Levin. Based on feedback from Linus, avoid the extra taking of ctx->completion_lock. Instead, make page migration fully serialised by mapping->private_lock, and have aio_free_ring() simply disconnect the kioctx from the mapping by calling put_aio_ring_file() before touching ctx->ring_pages[]. This simplifies the error handling logic in aio_migratepage(), and should improve robustness. v4: always do mutex_unlock() in cases when kioctx setup fails. Reported-by: Yasuaki Ishimatsu Reported-by: Sasha Levin Signed-off-by: Benjamin LaHaise Cc: Tang Chen Cc: Gu Zheng Signed-off-by: Jiri Slaby commit 4d22eb083cf667129e9158b407dda5588c89c64a Author: Sekhar Nori Date: Wed Mar 19 11:25:50 2014 +0530 dma: edma: fix incorrect SG list handling commit 5fc68a6cad658e45dca3e0a6607df3a8e5df4ef9 upstream. The code to handle any length SG lists calls edma_resume() even before edma_start() is called. This is incorrect because edma_resume() enables edma events on the channel after which CPU (in edma_start) cannot clear posted events by writing to ECR (per the EDMA user's guide). Because of this EDMA transfers fail to start if due to some reason there is a pending EDMA event registered even before EDMA transfers are started. This can happen if an EDMA event is a byproduct of device initialization. Fix this by calling edma_resume() only if it is not the first batch of MAX_NR_SG elements. Without this patch, MMC/SD fails to function on DA850 EVM with DMA. The behaviour is triggered by specific IP and this can explain why the issue was not reported before (example with MMC/SD on AM335x). Tested on DA850 EVM and AM335x EVM-SK using MMC/SD card. Cc: Joel Fernandes Acked-by: Joel Fernandes Tested-by: Jon Ringle Tested-by: Alexander Holler Reported-by: Jon Ringle Signed-off-by: Sekhar Nori Signed-off-by: Vinod Koul Signed-off-by: Jiri Slaby commit 170012684d66273720f9a8a2f815e65d376da3e1 Author: Mike Snitzer Date: Fri Mar 28 02:15:02 2014 -0400 dm thin: fix dangling bio in process_deferred_bios error path commit fe76cd88e654124d1431bb662a0fc6e99ca811a5 upstream. If unable to ensure_next_mapping() we must add the current bio, which was removed from the @bios list via bio_list_pop, back to the deferred_bios list before all the remaining @bios. Signed-off-by: Mike Snitzer Acked-by: Joe Thornber Signed-off-by: Jiri Slaby commit 8038ee15c63c16a64c7ee412bc7dc442ee962f6c Author: Joe Thornber Date: Thu Mar 27 14:13:23 2014 +0000 dm: take care to copy the space map roots before locking the superblock commit 5a32083d03fb543f63489b2946c4948398579ba0 upstream. In theory copying the space map root can fail, but in practice it never does because we're careful to check what size buffer is needed. But make certain we're able to copy the space map roots before locking the superblock. Signed-off-by: Joe Thornber Signed-off-by: Mike Snitzer Signed-off-by: Jiri Slaby commit 44c13517c67e063f89a1118c3ebdc6ab040b9cb6 Author: Joe Thornber Date: Thu Mar 27 14:13:20 2014 +0000 dm transaction manager: fix corruption due to non-atomic transaction commit commit a9d45396f5956d0b615c7ae3b936afd888351a47 upstream. The persistent-data library used by dm-thin, dm-cache, etc is transactional. If anything goes wrong, such as an io error when writing new metadata or a power failure, then we roll back to the last transaction. Atomicity when committing a transaction is achieved by: a) Never overwriting data from the previous transaction. b) Writing the superblock last, after all other metadata has hit the disk. This commit and the following commit ("dm: take care to copy the space map roots before locking the superblock") fix a bug associated with (b). When committing it was possible for the superblock to still be written in spite of an io error occurring during the preceeding metadata flush. With these commits we're careful not to take the write lock out on the superblock until after the metadata flush has completed. Change the transaction manager's semantics for dm_tm_commit() to assume all data has been flushed _before_ the single superblock that is passed in. As a prerequisite, split the block manager's block unlocking and flushing by simplifying dm_bm_flush_and_unlock() to dm_bm_flush(). Now the unlocking must be done separately. This issue was discovered by forcing io errors at the crucial time using dm-flakey. Signed-off-by: Joe Thornber Signed-off-by: Mike Snitzer Signed-off-by: Jiri Slaby commit 34b397a66d3ea373cee3b82981903d45840ae404 Author: Mike Snitzer Date: Thu Mar 20 10:11:15 2014 -0400 dm cache: prevent corruption caused by discard_block_size > cache_block_size commit d132cc6d9e92424bb9d4fd35f5bd0e55d583f4be upstream. If the discard block size is larger than the cache block size we will not properly quiesce IO to a region that is about to be discarded. This results in a race between a cache migration where no copy is needed, and a write to an adjacent cache block that's within the same large discard block. Workaround this by limiting the discard_block_size to cache_block_size. Also limit the max_discard_sectors to cache_block_size. A more comprehensive fix that introduces range locking support in the bio_prison and proper quiescing of a discard range that spans multiple cache blocks is already in development. Reported-by: Morgan Mears Signed-off-by: Mike Snitzer Acked-by: Joe Thornber Acked-by: Heinz Mauelshagen Signed-off-by: Jiri Slaby commit 397367d8d48e07f38d44961c21e85f4e0b5f3f04 Author: Giacomo Comes Date: Thu Apr 3 14:13:55 2014 -0400 Skip intel_crt_init for Dell XPS 8700 commit 10b6ee4a87811a110cb01eaca01eb04da6801baf upstream. The Dell XPS 8700 has a onboard Display port and HDMI port and no VGA port. The call intel_crt_init freeze the machine, so skip such call. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=73559 Signed-off-by: Giacomo Comes Signed-off-by: Daniel Vetter Signed-off-by: Jiri Slaby commit 16a7c07c715dc5d8b764b2c3cae3b43117c01de3 Author: Dan Carpenter Date: Thu Dec 5 17:53:50 2013 +0300 mtd: sm_ftl: heap corruption in sm_create_sysfs_attributes() commit b4c233057771581698a13694ab6f33b48ce837dc upstream. We always put a NUL terminator one space past the end of the "vendor" buffer. Walter Harms also pointed out that this should just use kstrndup(). Fixes: 7d17c02a01a1 ('mtd: Add new SmartMedia/xD FTL') Signed-off-by: Dan Carpenter Signed-off-by: Brian Norris Signed-off-by: Jiri Slaby commit a46c32362ed74b19462c553604726e271c89b01f Author: Dan Carpenter Date: Mon Feb 17 23:03:08 2014 +0300 mtd: nuc900_nand: NULL dereference in nuc900_nand_enable() commit c69dbbf3335a21aae74376d7e5db50a486d52439 upstream. Instead of writing to "nand->reg + REG_FMICSR" we write to "REG_FMICSR" which is NULL and not a valid register. Fixes: 8bff82cbc308 ('mtd: add nand support for w90p910 (v2)') Signed-off-by: Dan Carpenter Signed-off-by: Brian Norris Signed-off-by: Jiri Slaby commit bf1490bcaaef902ab5fa9451f6087873c0568655 Author: Herve Codina Date: Mon Mar 3 12:15:29 2014 +0100 mtd: atmel_nand: Disable subpage NAND write when using Atmel PMECC commit 90445ff6241e2a13445310803e2efa606c61f276 upstream. Crash detected on sam5d35 and its pmecc nand ecc controller. The problem was a call to chip->ecc.hwctl from nand_write_subpage_hwecc (nand_base.c) when we write a sub page. chip->ecc.hwctl function is not set when we are using PMECC controller. As a workaround, set NAND_NO_SUBPAGE_WRITE for PMECC controller in order to disable sub page access in nand_write_page. Signed-off-by: Herve Codina Acked-by: Josh Wu Signed-off-by: Brian Norris Signed-off-by: Jiri Slaby commit 80ad3f6cf355495c4c431f18013108e09e071ec2 Author: Mikulas Patocka Date: Thu Jan 23 14:43:10 2014 -0500 tgafb: fix data copying commit 6b0df6827bb6fcacb158dff29ad0a62d6418b534 upstream. The functions for data copying copyarea_foreward_8bpp and copyarea_backward_8bpp are buggy, they produce screen corruption. This patch fixes the functions and moves the logic to one function "copyarea_8bpp". For simplicity, the function only handles copying that is aligned on 8 pixes. If we copy an unaligned area, generic function cfb_copyarea is used. Signed-off-by: Mikulas Patocka Signed-off-by: Tomi Valkeinen Signed-off-by: Jiri Slaby commit ee651d1c1656778b9c69ea9689e7ca36f01aa507 Author: Marek Vasut Date: Mon Mar 24 03:38:10 2014 +0100 gpio: mxs: Allow for recursive enable_irq_wake() call commit a585f87c863e4e1d496459d382b802bf5ebe3717 upstream. The scenario here is that someone calls enable_irq_wake() from somewhere in the code. This will result in the lockdep producing a backtrace as can be seen below. In my case, this problem is triggered when using the wl1271 (TI WlCore) driver found in drivers/net/wireless/ti/ . The problem cause is rather obvious from the backtrace, but let's outline the dependency. enable_irq_wake() grabs the IRQ buslock in irq_set_irq_wake(), which in turns calls mxs_gpio_set_wake_irq() . But mxs_gpio_set_wake_irq() calls enable_irq_wake() again on the one-level-higher IRQ , thus it tries to grab the IRQ buslock again in irq_set_irq_wake() . Because the spinlock in irq_set_irq_wake()->irq_get_desc_buslock()->__irq_get_desc_lock() is not marked as recursive, lockdep will spew the stuff below. We know we can safely re-enter the lock, so use IRQ_GC_INIT_NESTED_LOCK to fix the spew. ============================================= [ INFO: possible recursive locking detected ] 3.10.33-00012-gf06b763-dirty #61 Not tainted --------------------------------------------- kworker/0:1/18 is trying to acquire lock: (&irq_desc_lock_class){-.-...}, at: [] __irq_get_desc_lock+0x48/0x88 but task is already holding lock: (&irq_desc_lock_class){-.-...}, at: [] __irq_get_desc_lock+0x48/0x88 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&irq_desc_lock_class); lock(&irq_desc_lock_class); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by kworker/0:1/18: #0: (events){.+.+.+}, at: [] process_one_work+0x134/0x4a4 #1: ((&fw_work->work)){+.+.+.}, at: [] process_one_work+0x134/0x4a4 #2: (&irq_desc_lock_class){-.-...}, at: [] __irq_get_desc_lock+0x48/0x88 stack backtrace: CPU: 0 PID: 18 Comm: kworker/0:1 Not tainted 3.10.33-00012-gf06b763-dirty #61 Workqueue: events request_firmware_work_func [] (unwind_backtrace+0x0/0xf0) from [] (show_stack+0x10/0x14) [] (show_stack+0x10/0x14) from [] (__lock_acquire+0x140c/0x1a64) [] (__lock_acquire+0x140c/0x1a64) from [] (lock_acquire+0x9c/0x104) [] (lock_acquire+0x9c/0x104) from [] (_raw_spin_lock_irqsave+0x44/0x58) [] (_raw_spin_lock_irqsave+0x44/0x58) from [] (__irq_get_desc_lock+0x48/0x88) [] (__irq_get_desc_lock+0x48/0x88) from [] (irq_set_irq_wake+0x20/0xf4) [] (irq_set_irq_wake+0x20/0xf4) from [] (mxs_gpio_set_wake_irq+0x1c/0x24) [] (mxs_gpio_set_wake_irq+0x1c/0x24) from [] (set_irq_wake_real+0x30/0x44) [] (set_irq_wake_real+0x30/0x44) from [] (irq_set_irq_wake+0x8c/0xf4) [] (irq_set_irq_wake+0x8c/0xf4) from [] (wlcore_nvs_cb+0x10c/0x97c) [] (wlcore_nvs_cb+0x10c/0x97c) from [] (request_firmware_work_func+0x38/0x58) [] (request_firmware_work_func+0x38/0x58) from [] (process_one_work+0x1c0/0x4a4) [] (process_one_work+0x1c0/0x4a4) from [] (worker_thread+0x138/0x394) [] (worker_thread+0x138/0x394) from [] (kthread+0xa4/0xb0) [] (kthread+0xa4/0xb0) from [] (ret_from_fork+0x14/0x34) wlcore: loaded Signed-off-by: Marek Vasut Acked-by: Shawn Guo Signed-off-by: Linus Walleij Signed-off-by: Jiri Slaby commit afc3700892415b2d0fc89597b82cdcdd9b68aa48 Author: Colin Ian King Date: Mon Apr 21 17:38:44 2014 +0100 rtlwifi: rtl8188ee: initialize packet_beacon commit 328e203fc35f0b4f6df1c4943f74cf553bcc04f8 upstream. static code analysis from cppcheck reports: [drivers/net/wireless/rtlwifi/rtl8188ee/trx.c:322]: (error) Uninitialized variable: packet_beacon packet_beacon is not initialized and hence packet_beacon contains garbage from the stack, so set it to false. Signed-off-by: Colin Ian King Acked-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Jiri Slaby commit 5fd5486f7d6a3811373f9c744ed1d1a4a3d331e0 Author: Larry Finger Date: Tue Mar 4 16:53:51 2014 -0600 rtlwifi: rtl8192se: Fix too long disable of IRQs commit 2610decdd0b3808ba20471a999835cfee5275f98 upstream. In commit f78bccd79ba3cd9d9664981b501d57bdb81ab8a4 entitled "rtlwifi: rtl8192ce: Fix too long disable of IRQs", Olivier Langlois fixed a problem caused by an extra long disabling of interrupts. This patch makes the same fix for rtl8192se. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Jiri Slaby commit 0ebb4b2ad6e961028bd7a748bec16b5d8aef58c2 Author: Larry Finger Date: Tue Mar 4 16:53:50 2014 -0600 rtlwifi: rtl8192cu: Fix too long disable of IRQs commit a53268be0cb9763f11da4f6fe3fb924cbe3a7d4a upstream. In commit f78bccd79ba3cd9d9664981b501d57bdb81ab8a4 entitled "rtlwifi: rtl8192ce: Fix too long disable of IRQs", Olivier Langlois fixed a problem caused by an extra long disabling of interrupts. This patch makes the same fix for rtl8192cu. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Jiri Slaby commit 0539978136e47a09a731e3dfadc8e6b8011d4af2 Author: Larry Finger Date: Tue Mar 4 16:53:52 2014 -0600 rtlwifi: rtl8188ee: Fix too long disable of IRQs commit 6b6392715856d563719991e9ce95e773491a8983 upstream. In commit f78bccd79ba3cd9d9664981b501d57bdb81ab8a4 entitled "rtlwifi: rtl8192ce: Fix too long disable of IRQs", Olivier Langlois fixed a problem caused by an extra long disabling of interrupts. This patch makes the same fix for rtl8188ee. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Jiri Slaby commit 9b4df6c5873a00f116a4cfd263b32a0d0c36db41 Author: Larry Finger Date: Tue Mar 4 16:53:53 2014 -0600 rtlwifi: rtl8723ae: Fix too long disable of IRQs commit bfc1010c418a22cbebd8b1bd1e75dad6a527a609 upstream. In commit f78bccd79ba3cd9d9664981b501d57bdb81ab8a4 entitled "rtlwifi: rtl8192ce: Fix too long disable of IRQs", Olivier Langlois fixed a problem caused by an extra long disabling of interrupts. This patch makes the same fix for rtl8723ae. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Jiri Slaby commit 362fbee83ae5f1e5ca8c3797ff24dc05a4d0e6d3 Author: Jeff Layton Date: Tue Apr 15 08:44:12 2014 -0400 locks: allow __break_lease to sleep even when break_time is 0 commit 4991a628a789dc5954e98e79476d9808812292ec upstream. A fl->fl_break_time of 0 has a special meaning to the lease break code that basically means "never break the lease". knfsd uses this to ensure that leases don't disappear out from under it. Unfortunately, the code in __break_lease can end up passing this value to wait_event_interruptible as a timeout, which prevents it from going to sleep at all. This causes __break_lease to spin in a tight loop and causes soft lockups. Fix this by ensuring that we pass a minimum value of 1 as a timeout instead. Cc: J. Bruce Fields Reported-by: Terry Barnaby Signed-off-by: Jeff Layton Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit 271c57edfaa6b564032024711fdbc6608ea83129 Author: Felix Fietkau Date: Sun Mar 9 11:02:54 2014 +0100 ath9k: fix ready time of the multicast buffer queue commit 3b3e0efb5c72c4fc940af50b33626b8a78a907dc upstream. qi->tqi_readyTime is written directly to registers that expect microseconds as unit instead of TU. When setting the CABQ ready time, cur_conf->beacon_interval is in TU, so convert it to microseconds before passing it to ath9k_hw. This should hopefully fix some Tx DMA issues with buffered multicast frames in AP mode. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: Jiri Slaby commit 1c0bbecc26637b7cdd4f7aad19b9141a6524678e Author: Felix Fietkau Date: Thu Apr 10 15:06:48 2014 +0200 mac80211: exclude AP_VLAN interfaces from tx power calculation commit 764152ff66f4a8be1f9d7981e542ffdaa5bd7aff upstream. Their power value is initialized to zero. This patch fixes an issue where the configured power drops to the minimum value when AP_VLAN interfaces are created/removed. Signed-off-by: Felix Fietkau Signed-off-by: Johannes Berg Signed-off-by: Jiri Slaby commit d89a88ef727f6048ea145129da830f88896fea9f Author: Johannes Berg Date: Thu Mar 27 15:39:20 2014 +0100 mac80211: fix software remain-on-channel implementation commit 115b943a6ea12656088fa1ff6634c0d30815e55b upstream. Jouni reported that when doing off-channel transmissions mixed with on-channel transmissions, the on-channel ones ended up on the off-channel in some cases. The reason for that is that during the refactoring of the off- channel code, I lost the part that stopped all activity and as a consequence the on-channel frames (including data frames) were no longer queued but would be transmitted on the temporary channel. Fix this by simply restoring the lost activity stop call. Fixes: 2eb278e083549 ("mac80211: unify SW/offload remain-on-channel") Reported-by: Jouni Malinen Signed-off-by: Johannes Berg Signed-off-by: Jiri Slaby commit db6ffa5384e83dd4b8a3c0e8a0f7979d8730ca77 Author: Johannes Berg Date: Wed Mar 19 09:55:55 2014 +0100 mac80211: fix suspend vs. authentication race commit 1a1cb744de160ee70086a77afff605bbc275d291 upstream. Since Stanislaw's patch removing the quiescing code, mac80211 had a race regarding suspend vs. authentication: as cfg80211 doesn't track authentication attempts, it can't abort them. Therefore the attempts may be kept running while suspending, which can lead to all kinds of issues, in at least some cases causing an error in iwlmvm firmware. Fix this by aborting the authentication attempt when suspending. Fixes: 12e7f517029d ("mac80211: cleanup generic suspend/resume procedures") Signed-off-by: Johannes Berg Signed-off-by: Jiri Slaby commit 4fa516c800c27a7b3a26817e033eff674a016f54 Author: Michael Braun Date: Thu Mar 6 15:08:43 2014 +0100 mac80211: fix WPA with VLAN on AP side with ps-sta again commit 112c44b2df0984121a52fbda89425843b8e1a457 upstream. commit de74a1d9032f4d37ea453ad2a647e1aff4cd2591 "mac80211: fix WPA with VLAN on AP side with ps-sta" fixed an issue where queued multicast packets would be sent out encrypted with the key of an other bss. commit "7cbf9d017dbb5e3276de7d527925d42d4c11e732" "mac80211: fix oops on mesh PS broadcast forwarding" essentially reverted it, because vif.type cannot be AP_VLAN due to the check to vif.type in ieee80211_get_buffered_bc before. As the later commit intended to fix the MESH case, fix it by checking for IFTYPE_AP instead of IFTYPE_AP_VLAN. Fixes: 7cbf9d017dbb ("mac80211: fix oops on mesh PS broadcast forwarding") Signed-off-by: Michael Braun Signed-off-by: Johannes Berg Signed-off-by: Jiri Slaby commit 243677b1125ce3f460e45d887127072c6d323579 Author: Johannes Berg Date: Tue Mar 4 11:43:28 2014 +0100 mac80211: fix potential use-after-free commit d2722f8b87fb172ff2f31d3a2816b31d58678d40 upstream. The bss struct might be freed in ieee80211_rx_bss_put(), so we shouldn't use it afterwards. Fixes: 817cee7675237 ("mac80211: track AP's beacon rate and give it to the driver") Signed-off-by: Johannes Berg Signed-off-by: Jiri Slaby commit 02f079bf44c85322a0383d6e0e10fe5752f61595 Author: Emmanuel Grumbach Date: Mon Mar 10 15:22:03 2014 +0200 iwlwifi: dvm: take mutex when sending SYNC BT config command commit 82e5a649453a3cf23516277abb84273768a1592b upstream. There is a flow in which we send the host command in SYNC mode, but we don't take priv->mutex. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1046495 Reviewed-by: Johannes Berg Signed-off-by: Emmanuel Grumbach Signed-off-by: Jiri Slaby commit 1b18c1cf7f64cfa8a7c5cdfc3f364b4280b15660 Author: Martin K. Petersen Date: Tue Apr 1 20:42:37 2014 -0400 libata: Update queued trim blacklist for M5x0 drives commit d121f7d0cbb875abce249dbf7eb191f9bafe80b7 upstream. Crucial/Micron M500 drives properly support queued DSM TRIM starting with firmware MU05. Update the blacklist so we only disable queued trim for older firmware releases. Early M550 series drives suffer from the same issue as M500. A bugfix firmware is in the pipeline but not ready yet. Until then, blacklist queued trim for M550. Signed-off-by: Martin K. Petersen Cc: Chris Samuel Cc: Marc MERLIN Signed-off-by: Tejun Heo Signed-off-by: Jiri Slaby commit 7adc63f52f7d6ab93e7c53c2a34bcb690cc560e5 Author: Alexander Gordeev Date: Thu Apr 17 18:06:15 2014 +0200 ahci: Do not receive interrupts sent by dummy ports commit 2cf532f5e67c0cfe38c8c100e49280cdadacd2be upstream. In multiple MSI mode all AHCI ports (including dummy) get assigned separate MSI vectors and (as result of execution pci_enable_msi_exact() function) separate IRQ numbers, (mapped to the MSI vectors). Therefore, although interrupts from dummy ports are not desired they are still enabled. We do not request IRQs for dummy ports, but that only means we do not assign AHCI-specific ISRs to corresponding IRQ numbers. As result, dummy port interrupts still could come and traverse all the way from the PCI device to the kernel, causing unnecessary overhead. This update disables IRQs for dummy ports and prevents the described issue. Signed-off-by: Alexander Gordeev Signed-off-by: Tejun Heo Tested-by: David Milburn Cc: linux-ide@vger.kernel.org Fixes: 5ca72c4f7c41 ("AHCI: Support multiple MSIs") Signed-off-by: Jiri Slaby commit d168685b0bb01219443ceeb47d786a30693553a1 Author: Dan Williams Date: Thu Apr 17 11:48:21 2014 -0700 libata/ahci: accommodate tag ordered controllers commit 8a4aeec8d2d6a3edeffbdfae451cdf05cbf0fefd upstream. The AHCI spec allows implementations to issue commands in tag order rather than FIFO order: 5.3.2.12 P:SelectCmd HBA sets pSlotLoc = (pSlotLoc + 1) mod (CAP.NCS + 1) or HBA selects the command to issue that has had the PxCI bit set to '1' longer than any other command pending to be issued. The result is that commands posted sequentially (time-wise) may play out of sequence when issued by hardware. This behavior has likely been hidden by drives that arrange for commands to complete in issue order. However, it appears recent drives (two from different vendors that we have found so far) inflict out-of-order completions as a matter of course. So, we need to take care to maintain ordered submission, otherwise we risk triggering a drive to fall out of sequential-io automation and back to random-io processing, which incurs large latency and degrades throughput. This issue was found in simple benchmarks where QD=2 seq-write performance was 30-50% *greater* than QD=32 seq-write performance. Tagging for -stable and making the change globally since it has a low risk-to-reward ratio. Also, word is that recent versions of an unnamed OS also does it this way now. So, drives in the field are already experienced with this tag ordering scheme. Cc: Dave Jiang Cc: Ed Ciechanowski Reviewed-by: Matthew Wilcox Signed-off-by: Dan Williams Signed-off-by: Tejun Heo Signed-off-by: Jiri Slaby commit f7f31e5ef6d277ed917369f4e246088699b60470 Author: David Milburn Date: Wed Apr 16 11:43:46 2014 -0500 ahci: do not request irq for dummy port commit 9ae794ac5e407d3bc3fec785db481d5a2c0fa275 upstream. System may crash in ahci_hw_interrupt() or ahci_thread_fn() when accessing the interrupt status in a port's private_data if the port is actually a DUMMY port. 00:1f.2 SATA controller: Intel Corporation 82801JI (ICH10 Family) SATA AHCI Controller [ 9.352080] ahci 0000:00:1f.2: AHCI 0001.0200 32 slots 6 ports 3 Gbps 0x1 impl SATA mode [ 9.352084] ahci 0000:00:1f.2: flags: 64bit ncq sntf pm led clo pio slum part ccc [ 9.368155] Console: switching to colour frame buffer device 128x48 [ 9.439759] mgag200 0000:11:00.0: fb0: mgadrmfb frame buffer device [ 9.446765] mgag200 0000:11:00.0: registered panic notifier [ 9.470166] scsi1 : ahci [ 9.479166] scsi2 : ahci [ 9.488172] scsi3 : ahci [ 9.497174] scsi4 : ahci [ 9.506175] scsi5 : ahci [ 9.515174] scsi6 : ahci [ 9.518181] ata1: SATA max UDMA/133 abar m2048@0x95c00000 port 0x95c00100 irq 91 [ 9.526448] ata2: DUMMY [ 9.529182] ata3: DUMMY [ 9.531916] ata4: DUMMY [ 9.534650] ata5: DUMMY [ 9.537382] ata6: DUMMY [ 9.576196] [drm] Initialized mgag200 1.0.0 20110418 for 0000:11:00.0 on minor 0 [ 9.845257] ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300) [ 9.865161] ata1.00: ATAPI: Optiarc DVD RW AD-7580S, FX04, max UDMA/100 [ 9.891407] ata1.00: configured for UDMA/100 [ 9.900525] scsi 1:0:0:0: CD-ROM Optiarc DVD RW AD-7580S FX04 PQ: 0 ANSI: 5 [ 10.247399] iTCO_vendor_support: vendor-support=0 [ 10.261572] iTCO_wdt: Intel TCO WatchDog Timer Driver v1.11 [ 10.269764] iTCO_wdt: unable to reset NO_REBOOT flag, device disabled by hardware/BIOS [ 10.301932] sd 0:2:0:0: [sda] 570310656 512-byte logical blocks: (291 GB/271 GiB) [ 10.317085] sd 0:2:0:0: [sda] Write Protect is off [ 10.328326] sd 0:2:0:0: [sda] Write cache: disabled, read cache: disabled, supports DPO and FUA [ 10.375452] BUG: unable to handle kernel NULL pointer dereference at 000000000000003c [ 10.384217] IP: [] ahci_hw_interrupt+0x100/0x130 [libahci] [ 10.392101] PGD 0 [ 10.394353] Oops: 0000 [#1] SMP [ 10.397978] Modules linked in: sr_mod(+) cdrom sd_mod iTCO_wdt crc_t10dif iTCO_vendor_support crct10dif_common ahci libahci libata lpc_ich mfd_core mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ttm drm i2c_core megaraid_sas dm_mirror dm_region_hash dm_log dm_mod [ 10.426499] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.15.0-rc1 #1 [ 10.433495] Hardware name: QCI QSSC-S4R/QSSC-S4R, BIOS QSSC-S4R.QCI.01.00.S013.032920111005 03/29/2011 [ 10.443886] task: ffffffff81906460 ti: ffffffff818f0000 task.ti: ffffffff818f0000 [ 10.452239] RIP: 0010:[] [] ahci_hw_interrupt+0x100/0x130 [libahci] [ 10.462838] RSP: 0018:ffff880033c03d98 EFLAGS: 00010046 [ 10.468767] RAX: 0000000000a400a4 RBX: ffff880029a6bc18 RCX: 00000000fffffffa [ 10.476731] RDX: 00000000000000a4 RSI: ffff880029bb0000 RDI: ffff880029a6bc18 [ 10.484696] RBP: ffff880033c03dc8 R08: 0000000000000000 R09: ffff88002f800490 [ 10.492661] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000000 [ 10.500625] R13: ffff880029a6bd98 R14: 0000000000000000 R15: ffffc90000194000 [ 10.508590] FS: 0000000000000000(0000) GS:ffff880033c00000(0000) knlGS:0000000000000000 [ 10.517623] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 10.524035] CR2: 000000000000003c CR3: 00000000328ff000 CR4: 00000000000007b0 [ 10.531999] Stack: [ 10.534241] 0000000000000017 ffff880031ba7d00 000000000000005c ffff880031ba7d00 [ 10.542535] 0000000000000000 000000000000005c ffff880033c03e10 ffffffff810c2a1e [ 10.550827] ffff880031ae2900 000000008108fb4f ffff880031ae2900 ffff880031ae2984 [ 10.559121] Call Trace: [ 10.561849] [ 10.563994] [] handle_irq_event_percpu+0x3e/0x1a0 [ 10.571309] [] handle_irq_event+0x3d/0x60 [ 10.577631] [] try_one_irq.isra.6+0x8d/0xf0 [ 10.584142] [] note_interrupt+0x173/0x1f0 [ 10.590460] [] handle_irq_event_percpu+0xae/0x1a0 [ 10.597554] [] handle_irq_event+0x3d/0x60 [ 10.603872] [] handle_edge_irq+0x77/0x130 [ 10.610199] [] handle_irq+0xbf/0x150 [ 10.616040] [] ? vtime_account_idle+0xe/0x50 [ 10.622654] [] ? atomic_notifier_call_chain+0x1a/0x20 [ 10.630140] [] do_IRQ+0x4f/0xf0 [ 10.635490] [] common_interrupt+0x6d/0x6d [ 10.641805] [ 10.643950] [] ? cpuidle_enter_state+0x4f/0xc0 [ 10.650972] [] ? cpuidle_enter_state+0x48/0xc0 [ 10.657775] [] cpuidle_enter+0x17/0x20 [ 10.663807] [] cpu_startup_entry+0x2c0/0x3d0 [ 10.670423] [] rest_init+0x77/0x80 [ 10.676065] [] start_kernel+0x40f/0x41a [ 10.682190] [] ? repair_env_string+0x5c/0x5c [ 10.688799] [] ? early_idt_handlers+0x120/0x120 [ 10.695699] [] x86_64_start_reservations+0x2a/0x2c [ 10.702889] [] x86_64_start_kernel+0x143/0x152 [ 10.709689] Code: a0 fc ff 85 c0 8b 4d d4 74 c3 48 8b 7b 08 89 ca 48 c7 c6 60 66 13 a0 31 c0 e8 9d 70 28 e1 8b 4d d4 eb aa 0f 1f 84 00 00 00 00 00 <45> 8b 64 24 3c 48 89 df e8 23 47 4c e1 41 83 fc 01 19 c0 48 83 [ 10.731470] RIP [] ahci_hw_interrupt+0x100/0x130 [libahci] [ 10.739441] RSP [ 10.743333] CR2: 000000000000003c [ 10.747032] ---[ end trace b6e82636970e2690 ]--- [ 10.760190] Kernel panic - not syncing: Fatal exception in interrupt [ 10.767291] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff) Cc: Alexander Gordeev Cc: Tejun Heo Signed-of-by: David Milburn Fixes: 5ca72c4f7c41 ("AHCI: Support multiple MSIs") commit 45a963317dffc7c8a0ada4ae9fd19806591ae665 Author: Thomas Petazzoni Date: Sun Apr 13 11:15:33 2014 +0200 Revert "net: mvneta: fix usage as a module on RGMII configurations" commit cc6ca3023f2c2bbcd062e9d4cf6afc2ba2821ada upstream. This reverts commit e3a8786c10e75903f1269474e21fe8cb49c3a670. While this commit allows to use the mvneta driver as a module on some configurations, it breaks other configurations even if mvneta is used built-in. This breakage is due to the fact that on some RGMII platforms, the PCS bit has to be set, and on some other platforms, it has to be cleared. At the moment, we lack informations to know exactly the significance of this bit (the datasheet only says "enables PCS"), and so we can't produce a patch that will work on all platforms at this point. And since this change is breaking the network completely for many users, it's much better to revert it for now. We'll come back later with a proper fix that takes into account all platforms. Basically: * Armada XP GP is configured as RGMII-ID, and needs the PCS bit to be set. * Armada 370 Mirabox is configured as RGMII-ID, and needs the PCS bit to be cleared. And at the moment, we don't know how to make the distinction between those two cases. One hint is that the Armada XP GP appears in fact to be using a QSGMII connection with the PHY (Quad-SGMII), but configuring it as SGMII doesn't work, while RGMII-ID works. This needs more investigation, but in the mean time, let's unbreak the network for all those users. Signed-off-by: Thomas Petazzoni Reported-by: Arnaud Ebalard Reported-by: Alexander Reuter Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=73401 Signed-off-by: David S. Miller Signed-off-by: Jiri Slaby commit 1347f082c79dc1d939212e1ff868a5787b867ced Author: Rafał Miłecki Date: Sat Apr 5 18:08:25 2014 +0200 b43: Fix machine check error due to improper access of B43_MMIO_PSM_PHY_HDR commit 12cd43c6ed6da7bf7c5afbd74da6959cda6d056b upstream. Register B43_MMIO_PSM_PHY_HDR is 16 bit one, so accessing it with 32b functions isn't safe. On my machine it causes delayed (!) CPU exception: Disabling lock debugging due to kernel taint mce: [Hardware Error]: CPU 0: Machine Check Exception: 4 Bank 4: b200000000070f0f mce: [Hardware Error]: TSC 164083803dc mce: [Hardware Error]: PROCESSOR 2:20fc2 TIME 1396650505 SOCKET 0 APIC 0 microcode 0 mce: [Hardware Error]: Run the above through 'mcelog --ascii' mce: [Hardware Error]: Machine check: Processor context corrupt Kernel panic - not syncing: Fatal machine check on current CPU Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff) Signed-off-by: Rafał Miłecki Acked-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Jiri Slaby commit cff94c1492a2da35f8b2ab9b06c772a66277b027 Author: Mikulas Patocka Date: Thu Jan 23 14:41:59 2014 -0500 mach64: fix cursor when character width is not a multiple of 8 pixels commit 43751a1b8ee2e70ce392bf31ef3133da324e68b3 upstream. This patch fixes the hardware cursor on mach64 when font width is not a multiple of 8 pixels. If you load such a font, the cursor is expanded to the next 8-byte boundary and a part of the next character after the cursor is not visible. For example, when you load a font with 12-pixel width, the cursor width is 16 pixels and when the cursor is displayed, 4 pixels of the next character are not visible. The reason is this: atyfb_cursor is called with proper parameters to load an image that is 12-pixel wide. However, the number is aligned on the next 8-pixel boundary on the line "unsigned int width = (cursor->image.width + 7) >> 3;" and the whole function acts as it is was loading a 16-pixel image. This patch fixes it so that the value written to the framebuffer is padded with 0xaaaa (the transparent pattern) when the image size it not a multiple of 8 pixels. The transparent pattern causes that the cursor will not interfere with the next character. Signed-off-by: Mikulas Patocka Signed-off-by: Tomi Valkeinen Signed-off-by: Jiri Slaby commit 7aee7576532436a37bfad1a0ee973ccb40ebb023 Author: Mikulas Patocka Date: Thu Jan 23 14:41:09 2014 -0500 mach64: use unaligned access commit c29dd8696dc5dbd50b3ac441b8a26751277ba520 upstream. This patch fixes mach64 to use unaligned access to the font bitmap. This fixes unaligned access warning on sparc64 when 14x8 font is loaded. On x86(64), unaligned access is handled in hardware, so both functions le32_to_cpup and get_unaligned_le32 perform the same operation. On RISC machines, unaligned access is not handled in hardware, so we better use get_unaligned_le32 to avoid the unaligned trap and warning. Signed-off-by: Mikulas Patocka Signed-off-by: Tomi Valkeinen Signed-off-by: Jiri Slaby commit ee8ba7249c9faf721e0452839083feeb715969d4 Author: Mikulas Patocka Date: Thu Jan 23 14:39:04 2014 -0500 matroxfb: restore the registers M_ACCESS and M_PITCH commit a772d4736641ec1b421ad965e13457c17379fc86 upstream. When X11 is running and the user switches back to console, the card modifies the content of registers M_MACCESS and M_PITCH in periodic intervals. This patch fixes it by restoring the content of these registers before issuing any accelerator command. Signed-off-by: Mikulas Patocka Signed-off-by: Tomi Valkeinen Signed-off-by: Jiri Slaby commit d0579cf395bff32fbf409fc3d297f2b34f27c8fb Author: Mikulas Patocka Date: Thu Jan 23 14:39:29 2014 -0500 framebuffer: fix cfb_copyarea commit 00a9d699bc85052d2d3ed56251cd928024ce06a3 upstream. The function cfb_copyarea is buggy when the copy operation is not aligned on long boundary (4 bytes on 32-bit machines, 8 bytes on 64-bit machines). How to reproduce: - use x86-64 machine - use a framebuffer driver without acceleration (for example uvesafb) - set the framebuffer to 8-bit depth (for example fbset -a 1024x768-60 -depth 8) - load a font with character width that is not a multiple of 8 pixels note: the console-tools package cannot load a font that has width different from 8 pixels. You need to install the packages "kbd" and "console-terminus" and use the program "setfont" to set font width (for example: setfont Uni2-Terminus20x10) - move some text left and right on the bash command line and you get a screen corruption To expose more bugs, put this line to the end of uvesafb_init_info: info->flags |= FBINFO_HWACCEL_COPYAREA | FBINFO_READS_FAST; - Now framebuffer console will use cfb_copyarea for console scrolling. You get a screen corruption when console is scrolled. This patch is a rewrite of cfb_copyarea. It fixes the bugs, with this patch, console scrolling in 8-bit depth with a font width that is not a multiple of 8 pixels works fine. The cfb_copyarea code was very buggy and it looks like it was written and never tried with non-8-pixel font. Signed-off-by: Mikulas Patocka Signed-off-by: Tomi Valkeinen Signed-off-by: Jiri Slaby commit ca29d240d7acea0750155dce06778fb1dfd5721d Author: Vineet Gupta Date: Wed Apr 30 15:26:45 2014 +0530 ARC: !PREEMPT: Ensure Return to kernel mode is IRQ safe commit 8aa9e85adac609588eeec356e5a85059b3b819ba upstream. There was a very small race window where resume to kernel mode from a Exception Path (or pure kernel mode which is true for most of ARC exceptions anyways), was not disabling interrupts in restore_regs, clobbering the exception regs Anton found the culprit call flow (after many sleepless nights) | 1. we got a Trap from user land | 2. started to service it. | 3. While doing some stuff on user-land memory (I think it is padzero()), | we got a DataTlbMiss | 4. On return from it we are taking "resume_kernel_mode" path | 5. NEED_RESHED is not set, so we go to "return from exception" path in | restore regs. | 6. there seems to be IRQ happening Signed-off-by: Vineet Gupta Cc: Anton Kolesov Cc: Francois Bedard Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 796f316e0d820502514189f6fda5defee3d640fd Author: Richard Weinberger Date: Sun Feb 9 19:48:05 2014 +0100 ARC: Remove ARC_HAS_COH_RTSC commit d345ea2892ae7a2b70f84cf881c20731e43e4993 upstream. The symbol is an orphan, get rid of it. Fixes: 7d0857a54aed ("ARC: [SMP] Disallow RTSC") Signed-off-by: Richard Weinberger Acked-by: Paul Bolle Signed-off-by: Vineet Gupta Signed-off-by: Jiri Slaby commit 79c3ca4f9f207a9947387778df5c3227bd41926c Author: Jarkko Nikula Date: Tue Apr 15 16:58:09 2014 +0300 ASoC: dapm: Fix widget double free with auto-disable DAPM kcontrol commit 2697e4fb9209dfe1d1b24c92d254158f63d4bc8e upstream. Commit 9e1fda4ae158 ("ASoC: dapm: Implement mixer input auto-disable") is trying to free the widget it allocated by snd_soc_dapm_new_control() call in dapm_kcontrol_data_alloc() by adding kfree(data->widget) to dapm_kcontrol_free(). This is causing a widget double free with auto-disabled DAPM kcontrols in sound card unregistration because widgets are already freed before dapm_kcontrol_free() is called. Reason for that is all widgets are added into dapm->card->widgets list in snd_soc_dapm_new_control() and freed in dapm_free_widgets() during execution of snd_soc_dapm_free(). Now snd_soc_dapm_free() calls for different DAPM contexts happens before snd_card_free() call from where the call chain to dapm_kcontrol_free() begins: soc_cleanup_card_resources() soc_remove_dai_links() soc_remove_link_dais() snd_soc_dapm_free(&cpu_dai->dapm) soc_remove_link_components() soc_remove_platform() snd_soc_dapm_free(&platform->dapm) soc_remove_codec() snd_soc_dapm_free(&codec->dapm) snd_soc_dapm_free(&card->dapm) snd_card_free() snd_card_do_free() snd_device_free_all() snd_device_free() snd_ctl_dev_free() snd_ctl_remove() snd_ctl_free_one() dapm_kcontrol_free() This wasn't making harm with ordinary DAPM kcontrols since data->widget is NULL for them. Fixes: 9e1fda4ae158 (ASoC: dapm: Implement mixer input auto-disable) Signed-off-by: Jarkko Nikula Acked-by: Lars-Peter Clausen Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit 96ac4631911c6b2334b502385d6e92ff1cc319ee Author: Martin Schwidefsky Date: Fri Apr 25 10:53:44 2014 +0200 s390/bpf,jit: initialize A register if 1st insn is BPF_S_LDX_B_MSH commit 6e0de817594c61f3b392a9245deeb09609ec707d upstream. The A register needs to be initialized to zero in the prolog if the first instruction of the BPF program is BPF_S_LDX_B_MSH to prevent leaking the content of %r5 to user space. Signed-off-by: Martin Schwidefsky Signed-off-by: Jiri Slaby commit 1671b4e1a3b308a3bdc8b3cc4b0d9f1abbed1c47 Author: Sebastian Ott Date: Tue Apr 15 20:08:01 2014 +0200 s390/chsc: fix SEI usage on old FW levels commit 06cd7a874ec6e09d151aeb1fa8600e14f1ff89f6 upstream. Using a notification type mask for the store event information chsc is unsupported on some firmware levels. Retry SEI with that mask set to zero (which is the old way of requesting only channel subsystem related events). Reported-and-tested-by: Stefan Haberland Reviewed-by: Peter Oberparleiter Signed-off-by: Sebastian Ott Signed-off-by: Martin Schwidefsky Signed-off-by: Jiri Slaby commit 32dbc1ebd07747b36f66ccd06a3b0bc54a2c2b17 Author: Michael Neuling Date: Fri Apr 4 20:19:48 2014 +1100 powerpc/tm: Disable IRQ in tm_recheckpoint commit e6b8fd028b584ffca7a7255b8971f254932c9fce upstream. We can't take an IRQ when we're about to do a trechkpt as our GPR state is set to user GPR values. We've hit this when running some IBM Java stress tests in the lab resulting in the following dump: cpu 0x3f: Vector: 700 (Program Check) at [c000000007eb3d40] pc: c000000000050074: restore_gprs+0xc0/0x148 lr: 00000000b52a8184 sp: ac57d360 msr: 8000000100201030 current = 0xc00000002c500000 paca = 0xc000000007dbfc00 softe: 0 irq_happened: 0x00 pid = 34535, comm = Pooled Thread # R00 = 00000000b52a8184 R16 = 00000000b3e48fda R01 = 00000000ac57d360 R17 = 00000000ade79bd8 R02 = 00000000ac586930 R18 = 000000000fac9bcc R03 = 00000000ade60000 R19 = 00000000ac57f930 R04 = 00000000f6624918 R20 = 00000000ade79be8 R05 = 00000000f663f238 R21 = 00000000ac218a54 R06 = 0000000000000002 R22 = 000000000f956280 R07 = 0000000000000008 R23 = 000000000000007e R08 = 000000000000000a R24 = 000000000000000c R09 = 00000000b6e69160 R25 = 00000000b424cf00 R10 = 0000000000000181 R26 = 00000000f66256d4 R11 = 000000000f365ec0 R27 = 00000000b6fdcdd0 R12 = 00000000f66400f0 R28 = 0000000000000001 R13 = 00000000ada71900 R29 = 00000000ade5a300 R14 = 00000000ac2185a8 R30 = 00000000f663f238 R15 = 0000000000000004 R31 = 00000000f6624918 pc = c000000000050074 restore_gprs+0xc0/0x148 cfar= c00000000004fe28 dont_restore_vec+0x1c/0x1a4 lr = 00000000b52a8184 msr = 8000000100201030 cr = 24804888 ctr = 0000000000000000 xer = 0000000000000000 trap = 700 This moves tm_recheckpoint to a C function and moves the tm_restore_sprs into that function. It then adds IRQ disabling over the trechkpt critical section. It also sets the TEXASR FS in the signals code to ensure this is never set now that we explictly write the TM sprs in tm_recheckpoint. Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Jiri Slaby commit 9913ed945cfdb90e18130f5a10a47ac7310c7ffd Author: Anton Blanchard Date: Thu Mar 6 16:10:11 2014 +1100 powerpc/compat: 32-bit little endian machine name is ppcle, not ppc commit 422b9b9684db3c511e65c91842275c43f5910ae9 upstream. I noticed this when testing setarch. No, we don't magically support a big endian userspace on a little endian kernel. Signed-off-by: Anton Blanchard Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Jiri Slaby commit e2b70781505e2fe15540a49f10053b229efc3fbe Author: Tyler Stachecki Date: Fri Apr 25 16:41:04 2014 -0400 mpt2sas: Don't disable device twice at suspend. commit af61e27c3f77c7623b5335590ae24b6a5c323e22 upstream. On suspend, _scsih_suspend calls mpt2sas_base_free_resources, which in turn calls pci_disable_device if the device is enabled prior to suspending. However, _scsih_suspend also calls pci_disable_device itself. Thus, in the event that the device is enabled prior to suspending, pci_disable_device will be called twice. This patch removes the duplicate call to pci_disable_device in _scsi_suspend as it is both unnecessary and results in a kernel oops. Signed-off-by: Tyler Stachecki Signed-off-by: James Bottomley Signed-off-by: Jiri Slaby commit 7b600e97f9d61a4745f2d8cc05b2e2c1e6c9b2a8 Author: Fam Zheng Date: Mon Apr 14 10:16:09 2014 +0800 virtio-scsi: Skip setting affinity on uninitialized vq commit 0c8482ac92db5ac15792caf23b7f7df9e4f48ae1 upstream. virtscsi_init calls virtscsi_remove_vqs on err, even before initializing the vqs. The latter calls virtscsi_set_affinity, so let's check the pointer there before setting affinity on it. This fixes a panic when setting device's num_queues=2 on RHEL 6.5: qemu-system-x86_64 ... \ -device virtio-scsi-pci,id=scsi0,addr=0x13,...,num_queues=2 \ -drive file=/stor/vm/dummy.raw,id=drive-scsi-disk,... \ -device scsi-hd,drive=drive-scsi-disk,... [ 0.354734] scsi0 : Virtio SCSI HBA [ 0.379504] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 [ 0.380141] IP: [] __virtscsi_set_affinity+0x4f/0x120 [ 0.380141] PGD 0 [ 0.380141] Oops: 0000 [#1] SMP [ 0.380141] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.14.0+ #5 [ 0.380141] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2007 [ 0.380141] task: ffff88003c9f0000 ti: ffff88003c9f8000 task.ti: ffff88003c9f8000 [ 0.380141] RIP: 0010:[] [] __virtscsi_set_affinity+0x4f/0x120 [ 0.380141] RSP: 0000:ffff88003c9f9c08 EFLAGS: 00010256 [ 0.380141] RAX: 0000000000000000 RBX: ffff88003c3a9d40 RCX: 0000000000001070 [ 0.380141] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000 [ 0.380141] RBP: ffff88003c9f9c28 R08: 00000000000136c0 R09: ffff88003c801c00 [ 0.380141] R10: ffffffff81475229 R11: 0000000000000008 R12: 0000000000000000 [ 0.380141] R13: ffffffff81cc7ca8 R14: ffff88003cac3d40 R15: ffff88003cac37a0 [ 0.380141] FS: 0000000000000000(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000 [ 0.380141] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 0.380141] CR2: 0000000000000020 CR3: 0000000001c0e000 CR4: 00000000000006f0 [ 0.380141] Stack: [ 0.380141] ffff88003c3a9d40 0000000000000000 ffff88003cac3d80 ffff88003cac3d40 [ 0.380141] ffff88003c9f9c48 ffffffff814742e8 ffff88003c26d000 ffff88003c26d000 [ 0.380141] ffff88003c9f9c68 ffffffff81474321 ffff88003c26d000 ffff88003c3a9d40 [ 0.380141] Call Trace: [ 0.380141] [] virtscsi_set_affinity+0x28/0x40 [ 0.380141] [] virtscsi_remove_vqs+0x21/0x50 [ 0.380141] [] virtscsi_init+0x91/0x240 [ 0.380141] [] ? vp_get+0x50/0x70 [ 0.380141] [] virtscsi_probe+0xf4/0x280 [ 0.380141] [] virtio_dev_probe+0xe5/0x140 [ 0.380141] [] driver_probe_device+0x89/0x230 [ 0.380141] [] __driver_attach+0x9b/0xa0 [ 0.380141] [] ? driver_probe_device+0x230/0x230 [ 0.380141] [] ? driver_probe_device+0x230/0x230 [ 0.380141] [] bus_for_each_dev+0x8c/0xb0 [ 0.380141] [] driver_attach+0x19/0x20 [ 0.380141] [] bus_add_driver+0x198/0x220 [ 0.380141] [] driver_register+0x5f/0xf0 [ 0.380141] [] ? spi_transport_init+0x79/0x79 [ 0.380141] [] register_virtio_driver+0x1b/0x30 [ 0.380141] [] init+0x88/0xd6 [ 0.380141] [] ? scsi_init_procfs+0x5b/0x5b [ 0.380141] [] do_one_initcall+0x7f/0x10a [ 0.380141] [] kernel_init_freeable+0x14a/0x1de [ 0.380141] [] ? kernel_init_freeable+0x1de/0x1de [ 0.380141] [] ? rest_init+0x80/0x80 [ 0.380141] [] kernel_init+0x9/0xf0 [ 0.380141] [] ret_from_fork+0x7c/0xb0 [ 0.380141] [] ? rest_init+0x80/0x80 [ 0.380141] RIP [] __virtscsi_set_affinity+0x4f/0x120 [ 0.380141] RSP [ 0.380141] CR2: 0000000000000020 [ 0.380141] ---[ end trace 8074b70c3d5e1d73 ]--- [ 0.475018] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 [ 0.475018] [ 0.475068] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff) [ 0.475068] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 [jejb: checkpatch fixes] Signed-off-by: Fam Zheng Acked-by: Paolo Bonzini Signed-off-by: James Bottomley Signed-off-by: Jiri Slaby commit 3a9d307d66512bbe69edc5ee626b1959ed00245c Author: Huacai Chen Date: Sat Mar 22 17:21:44 2014 +0800 MIPS: Hibernate: Flush TLB entries in swsusp_arch_resume() commit c14af233fbe279d0e561ecf84f1208b1bae087ef upstream. The original MIPS hibernate code flushes cache and TLB entries in swsusp_arch_resume(). But they are removed in Commit 44eeab67416711 (MIPS: Hibernation: Remove SMP TLB and cacheflushing code.). A cross- CPU flush is surely unnecessary because all but the local CPU have already been disabled. But a local flush (at least the TLB flush) is needed. When we do hibernation on Loongson-3 with an E1000E NIC, it is very easy to produce a kernel panic (kernel page fault, or unaligned access). The root cause is E1000E driver use vzalloc_node() to allocate pages, the stale TLB entries of the booting kernel will be misused by the resumed target kernel. Signed-off-by: Huacai Chen Cc: John Crispin Cc: Steven J. Hill Cc: Aurelien Jarno Cc: linux-mips@linux-mips.org Cc: Fuxin Zhang Cc: Zhangjin Wu Patchwork: https://patchwork.linux-mips.org/patch/6643/ Signed-off-by: Ralf Baechle Signed-off-by: Jiri Slaby commit 33e4c53a65bf1d560ba978c1b8e392be209526fb Author: James Hogan Date: Fri Mar 14 13:06:07 2014 +0000 MIPS: KVM: Pass reserved instruction exceptions to guest commit 15505679362270d02c449626385cb74af8905514 upstream. Previously a reserved instruction exception while in guest code would cause a KVM internal error if kvm_mips_handle_ri() didn't recognise the instruction (including a RDHWR from an unrecognised hardware register). However the guest OS should really have the opportunity to catch the exception so that it can take the appropriate actions such as sending a SIGILL to the guest user process or emulating the instruction itself. Therefore in these cases emulate a guest RI exception and only return EMULATE_FAIL if that fails, being careful to revert the PC first in case the exception occurred in a branch delay slot in which case the PC will already point to the branch target. Also turn the printk messages relating to these cases into kvm_debug messages so that they aren't usually visible. This allows crashme to run in the guest without killing the entire VM. Signed-off-by: James Hogan Cc: Ralf Baechle Cc: Gleb Natapov Cc: Paolo Bonzini Cc: Sanjay Lal Cc: linux-mips@linux-mips.org Cc: kvm@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Jiri Slaby commit 723334b96cb8d500bc7d23ff3bd97f1abb8a48ae Author: Mark Salter Date: Fri Mar 28 14:25:19 2014 +0000 arm: KVM: fix possible misalignment of PGDs and bounce page commit 5d4e08c45a6cf8f1ab3c7fa375007635ac569165 upstream. The kvm/mmu code shared by arm and arm64 uses kalloc() to allocate a bounce page (if hypervisor init code crosses page boundary) and hypervisor PGDs. The problem is that kalloc() does not guarantee the proper alignment. In the case of the bounce page, the page sized buffer allocated may also cross a page boundary negating the purpose and leading to a hang during kvm initialization. Likewise the PGDs allocated may not meet the minimum alignment requirements of the underlying MMU. This patch uses __get_free_page() to guarantee the worst case alignment needs of the bounce page and PGDs on both arm and arm64. Signed-off-by: Mark Salter Acked-by: Marc Zyngier Signed-off-by: Christoffer Dall Signed-off-by: Jiri Slaby commit dfcb8cde86ee85d38caaa3140e1b66cf99ca1df8 Author: Haibin Wang Date: Thu Apr 10 13:14:32 2014 +0100 KVM: ARM: vgic: Fix sgi dispatch problem commit 91021a6c8ffdc55804dab5acdfc7de4f278b9ac3 upstream. When dispatch SGI(mode == 0), that is the vcpu of VM should send sgi to the cpu which the target_cpus list. So, there must add the "break" to branch of case 0. Signed-off-by: Haibin Wang Acked-by: Marc Zyngier Signed-off-by: Christoffer Dall Signed-off-by: Jiri Slaby commit 3d43edf5868f260dbfd1353bf243a78f030a08b0 Author: Matthew Daley Date: Mon Apr 28 19:05:21 2014 +1200 floppy: don't write kernel-only members to FDRAWCMD ioctl output commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream. Do not leak kernel-only floppy_raw_cmd structure members to userspace. This includes the linked-list pointer and the pointer to the allocated DMA space. Signed-off-by: Matthew Daley Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 36cdf95db237630373162e20142df4d11efdd543 Author: Matthew Daley Date: Mon Apr 28 19:05:20 2014 +1200 floppy: ignore kernel-only members in FDRAWCMD ioctl input commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream. Always clear out these floppy_raw_cmd struct members after copying the entire structure from userspace so that the in-kernel version is always valid and never left in an interdeterminate state. Signed-off-by: Matthew Daley Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 61461fa9182895c6396ee9704d80fe8ff9d1135d Author: Peter Hurley Date: Sat May 3 14:04:59 2014 +0200 n_tty: Fix n_tty_write crash when echoing in raw mode commit 4291086b1f081b869c6d79e5b7441633dc3ace00 upstream. The tty atomic_write_lock does not provide an exclusion guarantee for the tty driver if the termios settings are LECHO & !OPOST. And since it is unexpected and not allowed to call TTY buffer helpers like tty_insert_flip_string concurrently, this may lead to crashes when concurrect writers call pty_write. In that case the following two writers: * the ECHOing from a workqueue and * pty_write from the process race and can overflow the corresponding TTY buffer like follows. If we look into tty_insert_flip_string_fixed_flag, there is: int space = __tty_buffer_request_room(port, goal, flags); struct tty_buffer *tb = port->buf.tail; ... memcpy(char_buf_ptr(tb, tb->used), chars, space); ... tb->used += space; so the race of the two can result in something like this: A B __tty_buffer_request_room __tty_buffer_request_room memcpy(buf(tb->used), ...) tb->used += space; memcpy(buf(tb->used), ...) ->BOOM B's memcpy is past the tty_buffer due to the previous A's tb->used increment. Since the N_TTY line discipline input processing can output concurrently with a tty write, obtain the N_TTY ldisc output_lock to serialize echo output with normal tty writes. This ensures the tty buffer helper tty_insert_flip_string is not called concurrently and everything is fine. Note that this is nicely reproducible by an ordinary user using forkpty and some setup around that (raw termios + ECHO). And it is present in kernels at least after commit d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to use the normal buffering logic) in 2.6.31-rc3. js: add more info to the commit log js: switch to bool js: lock unconditionally js: lock only the tty->ops->write call References: CVE-2014-0196 Reported-and-tested-by: Jiri Slaby Signed-off-by: Peter Hurley Signed-off-by: Jiri Slaby Cc: Linus Torvalds Cc: Alan Cox Signed-off-by: Jiri Slaby commit 88d123f170079dd0f4d1a7b57091c12fcf102cd4 Author: Peter Hurley Date: Fri May 2 10:56:12 2014 -0400 tty: Fix lockless tty buffer race commit 62a0d8d7c2b29f92850e4ee3c38e5dfd936e92b2 upstream. Commit 6a20dbd6caa2358716136144bf524331d70b1e03, "tty: Fix race condition between __tty_buffer_request_room and flush_to_ldisc" correctly identifies an unsafe race condition between __tty_buffer_request_room() and flush_to_ldisc(), where the consumer flush_to_ldisc() prematurely advances the head before consuming the last of the data committed. For example: CPU 0 | CPU 1 __tty_buffer_request_room | flush_to_ldisc ... | ... | count = head->commit - head->read n = tty_buffer_alloc() | b->commit = b->used | b->next = n | | if (!count) /* T */ | if (head->next == NULL) /* F */ | buf->head = head->next In this case, buf->head has been advanced but head->commit may have been updated with a new value. Instead of reintroducing an unnecessary lock, fix the race locklessly. Read the commit-next pair in the reverse order of writing, which guarantees the commit value read is the latest value written if the head is advancing. Reported-by: Manfred Schlaegl Signed-off-by: Peter Hurley Signed-off-by: Jiri Slaby commit 04d5d946a27db8ba6ae793f3ab93fc8fb384cf1b Author: Michael Welling Date: Fri Apr 25 19:27:48 2014 -0500 tty: serial: 8250_core.c Bug fix for Exar chips. commit b790f210fe8423eff881b2a8a93ba5dbc45534d0 upstream. The sleep function was updated to put the serial port to sleep only when necessary. This appears to resolve the errant behavior of the driver as described in Kernel Bug 61961 – "My Exar Corp. XR17C/D152 Dual PCI UART modem does not work with 3.8.0". Signed-off-by: Michael Welling Signed-off-by: Jiri Slaby commit 50e2278a26074005b9a0fadc3343630126e0bd6a Author: Tomoki Sekiyama Date: Fri May 2 18:58:24 2014 -0400 drivers/tty/hvc: don't free hvc_console_setup after init commit 501fed45b7e8836ee9373f4d31e2d85e3db6103a upstream. When 'console=hvc0' is specified to the kernel parameter in x86 KVM guest, hvc console is setup within a kthread. However, that will cause SEGV and the boot will fail when the driver is builtin to the kernel, because currently hvc_console_setup() is annotated with '__init'. This patch removes '__init' to boot the guest successfully with 'console=hvc0'. Signed-off-by: Tomoki Sekiyama Signed-off-by: Jiri Slaby commit 4dba1cd1be6626cb073c7522c5501b3187c6e8ba Author: Leigh Brown Date: Wed Apr 16 12:26:35 2014 +0100 ARM: dts: am335x: update USB DT references commit a2f8d6b303213a98436455aece7e14cdd1240629 upstream. In "ARM: dts: am33xx: correcting dt node unit address for usb", the usb_ctrl_mod and cppi41dma nodes were updated with the correct register addresses. However, the dts files that reference these nodes were not updated, and those devices are no longer being enabled. This patch corrects the references for the affected dts files. Signed-off-by: Leigh Brown Signed-off-by: Tony Lindgren Cc: Johan Hovold Signed-off-by: Jiri Slaby commit 623e9d09ed6db5bd706942931121a61e38b685ad Author: Aaron Sanders Date: Mon Mar 31 15:54:21 2014 +0200 USB: pl2303: add ids for Hewlett-Packard HP POS pole displays commit b16c02fbfb963fa2941b7517ebf1f8a21946775e upstream. Add device ids to pl2303 for the Hewlett-Packard HP POS pole displays: LD960: 03f0:0B39 LCM220: 03f0:3139 LCM960: 03f0:3239 [ Johan: fix indentation and sort PIDs numerically ] Signed-off-by: Aaron Sanders Signed-off-by: Johan Hovold Signed-off-by: Jiri Slaby commit 29b56e8cf0da4e00cd7eda99ca352c67ae394d4d Author: Julius Werner Date: Fri Apr 25 19:20:13 2014 +0300 usb: xhci: Prefer endpoint context dequeue pointer over stopped_trb commit 1f81b6d22a5980955b01e08cf27fb745dc9b686f upstream. We have observed a rare cycle state desync bug after Set TR Dequeue Pointer commands on Intel LynxPoint xHCs (resulting in an endpoint that doesn't fetch new TRBs and thus an unresponsive USB device). It always triggers when a previous Set TR Dequeue Pointer command has set the pointer to the final Link TRB of a segment, and then another URB gets enqueued and cancelled again before it can be completed. Further investigation showed that the xHC had returned the Link TRB in the TRB Pointer field of the Transfer Event (CC == Stopped -- Length Invalid), but when xhci_find_new_dequeue_state() later accesses the Endpoint Context's TR Dequeue Pointer field it is set to the first TRB of the next segment. The driver expects those two values to be the same in this situation, and uses the cycle state of the latter together with the address of the former. This should be fine according to the XHCI specification, since the endpoint ring should be stopped when returning the Transfer Event and thus should not advance over the Link TRB before it gets restarted. However, real-world XHCI implementations apparently don't really care that much about these details, so the driver should follow a more defensive approach to try to work around HC spec violations. This patch removes the stopped_trb variable that had been used to store the TRB Pointer from the last Transfer Event of a stopped TRB. Instead, xhci_find_new_dequeue_state() now relies only on the Endpoint Context, requiring a small amount of additional processing to find the virtual address corresponding to the TR Dequeue Pointer. Some other parts of the function were slightly rearranged to better fit into this model. This patch should be backported to kernels as old as 2.6.31 that contain the commit ae636747146ea97efa18e04576acd3416e2514f5 "USB: xhci: URB cancellation support." Signed-off-by: Julius Werner Signed-off-by: Mathias Nyman Signed-off-by: Jiri Slaby commit ecb80519f763ad6d60fbdc143941e1afac4de3f6 Author: Theodore Ts'o Date: Sat Apr 12 12:45:25 2014 -0400 ext4: use i_size_read in ext4_unaligned_aio() commit 6e6358fc3c3c862bfe9a5bc029d3f8ce43dc9765 upstream. We haven't taken i_mutex yet, so we need to use i_size_read(). Signed-off-by: "Theodore Ts'o" Signed-off-by: Jiri Slaby commit afeeb0349158c4f63285dd148eee0348581d723a Author: Theodore Ts'o Date: Fri Apr 11 10:35:17 2014 -0400 ext4: move ext4_update_i_disksize() into mpage_map_and_submit_extent() commit 622cad1325e404598fe3b148c3fa640dbaabc235 upstream. The function ext4_update_i_disksize() is used in only one place, in the function mpage_map_and_submit_extent(). Move its code to simplify the code paths, and also move the call to ext4_mark_inode_dirty() into the i_data_sem's critical region, to be consistent with all of the other places where we update i_disksize. That way, we also keep the raw_inode's i_disksize protected, to avoid the following race: CPU #1 CPU #2 down_write(&i_data_sem) Modify i_disk_size up_write(&i_data_sem) down_write(&i_data_sem) Modify i_disk_size Copy i_disk_size to on-disk inode up_write(&i_data_sem) Copy i_disk_size to on-disk inode Signed-off-by: "Theodore Ts'o" Reviewed-by: Jan Kara Signed-off-by: Jiri Slaby commit 44b9a5adc9a831167548d5a725bf3e60b80c4207 Author: Jan Kara Date: Mon Apr 7 10:54:21 2014 -0400 ext4: fix jbd2 warning under heavy xattr load commit ec4cb1aa2b7bae18dd8164f2e9c7c51abcf61280 upstream. When heavily exercising xattr code the assertion that jbd2_journal_dirty_metadata() shouldn't return error was triggered: WARNING: at /srv/autobuild-ceph/gitbuilder.git/build/fs/jbd2/transaction.c:1237 jbd2_journal_dirty_metadata+0x1ba/0x260() CPU: 0 PID: 8877 Comm: ceph-osd Tainted: G W 3.10.0-ceph-00049-g68d04c9 #1 Hardware name: Dell Inc. PowerEdge R410/01V648, BIOS 1.6.3 02/07/2011 ffffffff81a1d3c8 ffff880214469928 ffffffff816311b0 ffff880214469968 ffffffff8103fae0 ffff880214469958 ffff880170a9dc30 ffff8802240fbe80 0000000000000000 ffff88020b366000 ffff8802256e7510 ffff880214469978 Call Trace: [] dump_stack+0x19/0x1b [] warn_slowpath_common+0x70/0xa0 [] warn_slowpath_null+0x1a/0x20 [] jbd2_journal_dirty_metadata+0x1ba/0x260 [] __ext4_handle_dirty_metadata+0xa3/0x140 [] ext4_xattr_release_block+0x103/0x1f0 [] ext4_xattr_block_set+0x1e0/0x910 [] ext4_xattr_set_handle+0x38b/0x4a0 [] ? trace_hardirqs_on+0xd/0x10 [] ext4_xattr_set+0xc2/0x140 [] ext4_xattr_user_set+0x47/0x50 [] generic_setxattr+0x6e/0x90 [] __vfs_setxattr_noperm+0x7b/0x1c0 [] vfs_setxattr+0xc4/0xd0 [] setxattr+0x13e/0x1e0 [] ? __sb_start_write+0xe7/0x1b0 [] ? mnt_want_write_file+0x28/0x60 [] ? fget_light+0x3c/0x130 [] ? mnt_want_write_file+0x28/0x60 [] ? __mnt_want_write+0x58/0x70 [] SyS_fsetxattr+0xbe/0x100 [] system_call_fastpath+0x16/0x1b The reason for the warning is that buffer_head passed into jbd2_journal_dirty_metadata() didn't have journal_head attached. This is caused by the following race of two ext4_xattr_release_block() calls: CPU1 CPU2 ext4_xattr_release_block() ext4_xattr_release_block() lock_buffer(bh); /* False */ if (BHDR(bh)->h_refcount == cpu_to_le32(1)) } else { le32_add_cpu(&BHDR(bh)->h_refcount, -1); unlock_buffer(bh); lock_buffer(bh); /* True */ if (BHDR(bh)->h_refcount == cpu_to_le32(1)) get_bh(bh); ext4_free_blocks() ... jbd2_journal_forget() jbd2_journal_unfile_buffer() -> JH is gone error = ext4_handle_dirty_xattr_block(handle, inode, bh); -> triggers the warning We fix the problem by moving ext4_handle_dirty_xattr_block() under the buffer lock. Sadly this cannot be done in nojournal mode as that function can call sync_dirty_buffer() which would deadlock. Luckily in nojournal mode the race is harmless (we only dirty already freed buffer) and thus for nojournal mode we leave the dirtying outside of the buffer lock. Reported-by: Sage Weil Signed-off-by: Jan Kara Signed-off-by: "Theodore Ts'o" Signed-off-by: Jiri Slaby commit 92235297c05f23dca7c0483ec726acb9e853dcfe Author: Matthew Wilcox Date: Mon Apr 7 10:54:20 2014 -0400 ext4: note the error in ext4_end_bio() commit 9503c67c93ed0b95ba62d12d1fd09da6245dbdd6 upstream. ext4_end_bio() currently throws away the error that it receives. Chances are this is part of a spate of errors, one of which will end up getting the error returned to userspace somehow, but we shouldn't take that risk. Also print out the errno to aid in debug. Signed-off-by: Matthew Wilcox Signed-off-by: "Theodore Ts'o" Reviewed-by: Jan Kara Signed-off-by: Jiri Slaby commit be687f34c36e75b383a2c7df1087afee2b257167 Author: Kazuya Mio Date: Mon Apr 7 10:53:28 2014 -0400 ext4: FIBMAP ioctl causes BUG_ON due to handle EXT_MAX_BLOCKS commit 4adb6ab3e0fa71363a5ef229544b2d17de6600d7 upstream. When we try to get 2^32-1 block of the file which has the extent (ee_block=2^32-2, ee_len=1) with FIBMAP ioctl, it causes BUG_ON in ext4_ext_put_gap_in_cache(). To avoid the problem, ext4_map_blocks() needs to check the file logical block number. ext4_ext_put_gap_in_cache() called via ext4_map_blocks() cannot handle 2^32-1 because the maximum file logical block number is 2^32-2. Note that ext4_ind_map_blocks() returns -EIO when the block number is invalid. So ext4_map_blocks() should also return the same errno. Signed-off-by: Kazuya Mio Signed-off-by: "Theodore Ts'o" Signed-off-by: Jiri Slaby commit eb41a94f97f00a895dbc1130d064954b54718373 Author: Krzysztof Kozlowski Date: Fri Mar 21 13:18:17 2014 +0100 clk: s2mps11: Fix possible NULL pointer dereference commit 238e14055da87d0d012257788e39fe0df3a82226 upstream. If parent device does not have of_node set the s2mps11_clk_parse_dt() returned NULL. This NULL was later passed to of_clk_add_provider() which dereferenced it in pr_debug() call. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Mike Turquette Signed-off-by: Jiri Slaby commit 6c2d09eef51c2a403ff782c0171f6d127ffd5fc8 Author: Tetsuo Handa Date: Thu Apr 3 14:47:07 2014 -0700 ocfs2: fix panic on kfree(xattr->name) commit f81c20158f8d5f7938d5eb86ecc42ecc09273ce6 upstream. Commit 9548906b2bb7 ('xattr: Constify ->name member of "struct xattr"') missed that ocfs2 is calling kfree(xattr->name). As a result, kernel panic occurs upon calling kfree(xattr->name) because xattr->name refers static constant names. This patch removes kfree(xattr->name) from ocfs2_mknod() and ocfs2_symlink(). Signed-off-by: Tetsuo Handa Reported-by: Tariq Saeed Tested-by: Tariq Saeed Reviewed-by: Srinivas Eeda Cc: Joel Becker Cc: Mark Fasheh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 26961cab7dbc04080aabf9597c918f1c1c0596f2 Author: alex chen Date: Thu Apr 3 14:47:05 2014 -0700 ocfs2: do not put bh when buffer_uptodate failed commit f7cf4f5bfe073ad792ab49c04f247626b3e38db6 upstream. Do not put bh when buffer_uptodate failed in ocfs2_write_block and ocfs2_write_super_or_backup, because it will put bh in b_end_io. Otherwise it will hit a warning "VFS: brelse: Trying to free free buffer". Signed-off-by: Alex Chen Reviewed-by: Joseph Qi Reviewed-by: Srinivas Eeda Cc: Mark Fasheh Acked-by: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit a409d7471adbde22354da4ab80ce4aa976ff64be Author: Junxiao Bi Date: Thu Apr 3 14:46:51 2014 -0700 ocfs2: dlm: fix recovery hung commit ded2cf71419b9353060e633b59e446c42a6a2a09 upstream. There is a race window in dlm_do_recovery() between dlm_remaster_locks() and dlm_reset_recovery() when the recovery master nearly finish the recovery process for a dead node. After the master sends FINALIZE_RECO message in dlm_remaster_locks(), another node may become the recovery master for another dead node, and then send the BEGIN_RECO message to all the nodes included the old master, in the handler of this message dlm_begin_reco_handler() of old master, dlm->reco.dead_node and dlm->reco.new_master will be set to the second dead node and the new master, then in dlm_reset_recovery(), these two variables will be reset to default value. This will cause new recovery master can not finish the recovery process and hung, at last the whole cluster will hung for recovery. old recovery master: new recovery master: dlm_remaster_locks() become recovery master for another dead node. dlm_send_begin_reco_message() dlm_begin_reco_handler() { if (dlm->reco.state & DLM_RECO_STATE_FINALIZE) { return -EAGAIN; } dlm_set_reco_master(dlm, br->node_idx); dlm_set_reco_dead_node(dlm, br->dead_node); } dlm_reset_recovery() { dlm_set_reco_dead_node(dlm, O2NM_INVALID_NODE_NUM); dlm_set_reco_master(dlm, O2NM_INVALID_NODE_NUM); } will hang in dlm_remaster_locks() for request dlm locks info Before send FINALIZE_RECO message, recovery master should set DLM_RECO_STATE_FINALIZE for itself and clear it after the recovery done, this can break the race windows as the BEGIN_RECO messages will not be handled before DLM_RECO_STATE_FINALIZE flag is cleared. A similar race may happen between new recovery master and normal node which is in dlm_finalize_reco_handler(), also fix it. Signed-off-by: Junxiao Bi Reviewed-by: Srinivas Eeda Reviewed-by: Wengang Wang Cc: Joel Becker Cc: Mark Fasheh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 7cb96132df495ee5544c5bbe7b259870371c6e83 Author: Junxiao Bi Date: Thu Apr 3 14:46:49 2014 -0700 ocfs2: dlm: fix lock migration crash commit 34aa8dac482f1358d59110d5e3a12f4351f6acaa upstream. This issue was introduced by commit 800deef3f6f8 ("ocfs2: use list_for_each_entry where benefical") in 2007 where it replaced list_for_each with list_for_each_entry. The variable "lock" will point to invalid data if "tmpq" list is empty and a panic will be triggered due to this. Sunil advised reverting it back, but the old version was also not right. At the end of the outer for loop, that list_for_each_entry will also set "lock" to an invalid data, then in the next loop, if the "tmpq" list is empty, "lock" will be an stale invalid data and cause the panic. So reverting the list_for_each back and reset "lock" to NULL to fix this issue. Another concern is that this seemes can not happen because the "tmpq" list should not be empty. Let me describe how. old lock resource owner(node 1): migratation target(node 2): image there's lockres with a EX lock from node 2 in granted list, a NR lock from node x with convert_type EX in converting list. dlm_empty_lockres() { dlm_pick_migration_target() { pick node 2 as target as its lock is the first one in granted list. } dlm_migrate_lockres() { dlm_mark_lockres_migrating() { res->state |= DLM_LOCK_RES_BLOCK_DIRTY; wait_event(dlm->ast_wq, !dlm_lockres_is_dirty(dlm, res)); //after the above code, we can not dirty lockres any more, // so dlm_thread shuffle list will not run downconvert lock from EX to NR upconvert lock from NR to EX <<< migration may schedule out here, then <<< node 2 send down convert request to convert type from EX to <<< NR, then send up convert request to convert type from NR to <<< EX, at this time, lockres granted list is empty, and two locks <<< in the converting list, node x up convert lock followed by <<< node 2 up convert lock. // will set lockres RES_MIGRATING flag, the following // lock/unlock can not run dlm_lockres_release_ast(dlm, res); } dlm_send_one_lockres() dlm_process_recovery_data() for (i=0; inum_locks; i++) if (ml->node == dlm->node_num) for (j = DLM_GRANTED_LIST; j <= DLM_BLOCKED_LIST; j++) { list_for_each_entry(lock, tmpq, list) if (lock) break; <<< lock is invalid as grant list is empty. } if (lock->ml.node != ml->node) BUG() >>> crash here } I see the above locks status from a vmcore of our internal bug. Signed-off-by: Junxiao Bi Reviewed-by: Wengang Wang Cc: Sunil Mushran Reviewed-by: Srinivas Eeda Cc: Joel Becker Cc: Mark Fasheh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 998d9d2a12a3079dae6777286dcf548ed96afe80 Author: Serge Hallyn Date: Thu Apr 3 14:48:33 2014 -0700 xattr: guard against simultaneous glibc header inclusion commit ea1a8217b06b41b31a2b60b0b83f75c77ef9c873 upstream. If the glibc xattr.h header is included after the uapi header, compilation fails due to an enum re-using a #define from the uapi header. Protect against this by guarding the define and enum inclusions against each other. (See https://lists.debian.org/debian-glibc/2014/03/msg00029.html and https://sourceware.org/glibc/wiki/Synchronizing_Headers for more information.) Signed-off-by: Serge Hallyn Cc: Andrew Morton Cc: Allan McRae Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 765e8dadb8d3be09c0c880daf7f01fc7c131f6f6 Author: Mizuma, Masayoshi Date: Mon Apr 7 15:37:54 2014 -0700 mm: hugetlb: fix softlockup when a large number of hugepages are freed. commit 55f67141a8927b2be3e51840da37b8a2320143ed upstream. When I decrease the value of nr_hugepage in procfs a lot, softlockup happens. It is because there is no chance of context switch during this process. On the other hand, when I allocate a large number of hugepages, there is some chance of context switch. Hence softlockup doesn't happen during this process. So it's necessary to add the context switch in the freeing process as same as allocating process to avoid softlockup. When I freed 12 TB hugapages with kernel-2.6.32-358.el6, the freeing process occupied a CPU over 150 seconds and following softlockup message appeared twice or more. $ echo 6000000 > /proc/sys/vm/nr_hugepages $ cat /proc/sys/vm/nr_hugepages 6000000 $ grep ^Huge /proc/meminfo HugePages_Total: 6000000 HugePages_Free: 6000000 HugePages_Rsvd: 0 HugePages_Surp: 0 Hugepagesize: 2048 kB $ echo 0 > /proc/sys/vm/nr_hugepages BUG: soft lockup - CPU#16 stuck for 67s! [sh:12883] ... Pid: 12883, comm: sh Not tainted 2.6.32-358.el6.x86_64 #1 Call Trace: free_pool_huge_page+0xb8/0xd0 set_max_huge_pages+0x128/0x190 hugetlb_sysctl_handler_common+0x113/0x140 hugetlb_sysctl_handler+0x1e/0x20 proc_sys_call_handler+0x97/0xd0 proc_sys_write+0x14/0x20 vfs_write+0xb8/0x1a0 sys_write+0x51/0x90 __audit_syscall_exit+0x265/0x290 system_call_fastpath+0x16/0x1b I have not confirmed this problem with upstream kernels because I am not able to prepare the machine equipped with 12TB memory now. However I confirmed that the amount of decreasing hugepages was directly proportional to the amount of required time. I measured required times on a smaller machine. It showed 130-145 hugepages decreased in a millisecond. Amount of decreasing Required time Decreasing rate hugepages (msec) (pages/msec) ------------------------------------------------------------ 10,000 pages == 20GB 70 - 74 135-142 30,000 pages == 60GB 208 - 229 131-144 It means decrement of 6TB hugepages will trigger softlockup with the default threshold 20sec, in this decreasing rate. Signed-off-by: Masayoshi Mizuma Cc: Joonsoo Kim Cc: Michal Hocko Cc: Wanpeng Li Cc: Aneesh Kumar Cc: KOSAKI Motohiro Cc: Naoya Horiguchi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 400fc13141fe947c38e8485ee9d37066d4533363 Author: Vlastimil Babka Date: Mon Apr 7 15:37:50 2014 -0700 mm: try_to_unmap_cluster() should lock_page() before mlocking commit 57e68e9cd65b4b8eb4045a1e0d0746458502554c upstream. A BUG_ON(!PageLocked) was triggered in mlock_vma_page() by Sasha Levin fuzzing with trinity. The call site try_to_unmap_cluster() does not lock the pages other than its check_page parameter (which is already locked). The BUG_ON in mlock_vma_page() is not documented and its purpose is somewhat unclear, but apparently it serializes against page migration, which could otherwise fail to transfer the PG_mlocked flag. This would not be fatal, as the page would be eventually encountered again, but NR_MLOCK accounting would become distorted nevertheless. This patch adds a comment to the BUG_ON in mlock_vma_page() and munlock_vma_page() to that effect. The call site try_to_unmap_cluster() is fixed so that for page != check_page, trylock_page() is attempted (to avoid possible deadlocks as we already have check_page locked) and mlock_vma_page() is performed only upon success. If the page lock cannot be obtained, the page is left without PG_mlocked, which is again not a problem in the whole unevictable memory design. Signed-off-by: Vlastimil Babka Signed-off-by: Bob Liu Reported-by: Sasha Levin Cc: Wanpeng Li Cc: Michel Lespinasse Cc: KOSAKI Motohiro Acked-by: Rik van Riel Cc: David Rientjes Cc: Mel Gorman Cc: Hugh Dickins Cc: Joonsoo Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 78a20804b83f9888401158fc9e22d4224b86b66d Author: Johannes Weiner Date: Mon Apr 7 15:37:48 2014 -0700 mm: page_alloc: spill to remote nodes before waking kswapd commit 3a025760fc158b3726eac89ee95d7f29599e9dfa upstream. On NUMA systems, a node may start thrashing cache or even swap anonymous pages while there are still free pages on remote nodes. This is a result of commits 81c0a2bb515f ("mm: page_alloc: fair zone allocator policy") and fff4068cba48 ("mm: page_alloc: revert NUMA aspect of fair allocation policy"). Before those changes, the allocator would first try all allowed zones, including those on remote nodes, before waking any kswapds. But now, the allocator fastpath doubles as the fairness pass, which in turn can only consider the local node to prevent remote spilling based on exhausted fairness batches alone. Remote nodes are only considered in the slowpath, after the kswapds are woken up. But if remote nodes still have free memory, kswapd should not be woken to rebalance the local node or it may thrash cash or swap prematurely. Fix this by adding one more unfair pass over the zonelist that is allowed to spill to remote nodes after the local fairness pass fails but before entering the slowpath and waking the kswapds. This also gets rid of the GFP_THISNODE exemption from the fairness protocol because the unfair pass is no longer tied to kswapd, which GFP_THISNODE is not allowed to wake up. However, because remote spills can be more frequent now - we prefer them over local kswapd reclaim - the allocation batches on remote nodes could underflow more heavily. When resetting the batches, use atomic_long_read() directly instead of zone_page_state() to calculate the delta as the latter filters negative counter values. Signed-off-by: Johannes Weiner Acked-by: Rik van Riel Acked-by: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 3937fa5f06d7a2b60545bf52b7b7379a970a6a8a Author: Matt Fleming Date: Thu Apr 3 14:46:20 2014 -0700 sh: fix format string bug in stack tracer commit a0c32761e73c9999cbf592b702f284221fea8040 upstream. Kees reported the following error: arch/sh/kernel/dumpstack.c: In function 'print_trace_address': arch/sh/kernel/dumpstack.c:118:2: error: format not a string literal and no format arguments [-Werror=format-security] Use the "%s" format so that it's impossible to interpret 'data' as a format string. Signed-off-by: Matt Fleming Reported-by: Kees Cook Acked-by: Kees Cook Cc: Paul Mundt Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby commit 1fd646cfcd588ca085885963681add522ee90131 Author: Felipe Franciosi Date: Thu Mar 13 14:34:21 2014 +0000 mtip32xx: Unmap the DMA segments before completing the IO request commit 368c89d7ac70f937c93cd6f3b65bcfdfb3ba794f upstream. If the buffers are unmapped after completing a request, then stale data might be in the request. Signed-off-by: Felipe Franciosi Signed-off-by: Jens Axboe Signed-off-by: Jiri Slaby commit df50e30db5a55dd3be295f272051424b6c76179d Author: Felipe Franciosi Date: Thu Mar 13 14:34:20 2014 +0000 mtip32xx: Set queue bounce limit commit 1044b1bb9278f2e656a1a7b63dc24a59506540aa upstream. We need to set the queue bounce limit during the device initialization to prevent excessive bouncing on 32 bit architectures. Signed-off-by: Felipe Franciosi Signed-off-by: Jens Axboe Signed-off-by: Jiri Slaby commit c1ad06e8bf308f609edbb1bbec60d0ee926009bb Author: Alan Stern Date: Wed Mar 12 11:30:38 2014 -0400 USB: unbind all interfaces before rebinding any commit 6aec044cc2f5670cf3b143c151c8be846499bd15 upstream. When a driver doesn't have pre_reset, post_reset, or reset_resume methods, the USB core unbinds that driver when its device undergoes a reset or a reset-resume, and then rebinds it afterward. The existing straightforward implementation can lead to problems, because each interface gets unbound and rebound before the next interface is handled. If a driver claims additional interfaces, the claim may fail because the old binding instance may still own the additional interface when the new instance tries to claim it. This patch fixes the problem by first unbinding all the interfaces that are marked (i.e., their needs_binding flag is set) and then rebinding all of them. The patch also makes the helper functions in driver.c a little more uniform and adjusts some out-of-date comments. Signed-off-by: Alan Stern Reported-and-tested-by: "Poulain, Loic" Signed-off-by: Jiri Slaby commit 2c66d33ded4e9431e36789c26e3b3ff114072f3a Author: Michal Simek Date: Tue Mar 11 13:23:14 2014 +0100 usb: phy: Add ulpi IDs for SMSC USB3320 and TI TUSB1210 commit ead5178bf442dbae4008ee54bf4f66a1f6a317c9 upstream. Add new ulpi IDs which are available on Xilinx Zynq boards. Signed-off-by: Michal Simek Signed-off-by: Jiri Slaby commit 5f87532efdfd864ca7d5449d4afbdf0e1a55311f Author: Paul Gortmaker Date: Tue Jan 14 16:03:37 2014 -0500 hvc: ensure hvc_init is only ever called once in hvc_console.c commit f76a1cbed18c86e2d192455f0daebb48458965f3 upstream. Commit 3e6c6f630a5282df8f3393a59f10eb9c56536d23 ("Delay creation of khcvd thread") moved the call of hvc_init from being a device_initcall into hvc_alloc, and used a non-null hvc_driver as indication of whether hvc_init had already been called. The problem with this is that hvc_driver is only assigned a value at the bottom of hvc_init, and so there is a window where multiple hvc_alloc calls can be in progress at the same time and hence try and call hvc_init multiple times. Previously the use of device_init guaranteed that hvc_init was only called once. This manifests itself as sporadic instances of two hvc_init calls racing each other, and with the loser of the race getting -EBUSY from tty_register_driver() and hence that virtual console fails: Couldn't register hvc console driver virtio-ports vport0p1: error -16 allocating hvc for port Here we add an atomic_t to guarantee we'll never run hvc_init twice. Cc: Rusty Russell Cc: Greg Kroah-Hartman Fixes: 3e6c6f630a52 ("Delay creation of khcvd thread") Reported-by: Jim Somerville Tested-by: Jim Somerville Signed-off-by: Paul Gortmaker Signed-off-by: Jiri Slaby commit 8f5c4d9bd07b4e74f19b4c6c55dc827df0a312cb Author: Felipe Balbi Date: Tue Feb 25 10:58:43 2014 -0600 usb: musb: avoid NULL pointer dereference commit eee3f15d5f1f4f0c283dd4db67dc1b874a2852d1 upstream. instead of relying on the otg pointer, which can be NULL in certain cases, we can use the gadget and host pointers we already hold inside struct musb. Tested-by: Tony Lindgren Signed-off-by: Felipe Balbi Signed-off-by: Jiri Slaby commit ea9e6d067e8a33d3b636d0765c660a758936fb22 Author: Felipe Balbi Date: Tue Mar 4 09:23:50 2014 -0600 usb: dwc3: fix randconfig build errors commit 610183051d8f9421f138c4203ca894387f9f8839 upstream. commit 388e5c5 (usb: dwc3: remove dwc3 dependency on host AND gadget.) created the possibility for host-only and peripheral-only dwc3 builds but left a possible randconfig build error when host-only builds are selected. Reported-by: Jim Davis Signed-off-by: Felipe Balbi Signed-off-by: Jiri Slaby commit 0254035661acec79a6491f12c2243b1bbbca7d92 Author: Huang Rui Date: Tue Jan 7 17:45:50 2014 +0800 usb: dwc3: fix wrong bit mask in dwc3_event_devt commit 06f9b6e59661cee510b04513b13ea7927727d758 upstream. Around DWC USB3 2.30a release another bit has been added to the Device-Specific Event (DEVT) Event Information (EvtInfo) bitfield. Because of that, what used to be 8 bits long, has become 9 bits long. Per dwc3 2.30a+ spec in the Device-Specific Event (DEVT), the field of Event Information Bits(EvtInfo) uses [24:16] bits, and it has 9 bits not 8 bits. And the following reserved field uses [31:25] bits not [31:24] bits, and it has 7 bits. So in dwc3_event_devt, the bit mask should be: event_info [24:16] 9 bits reserved31_25 [31:25] 7 bits This patch makes sure that newer core releases will work fine with Linux and that we will decode the event information properly on new core releases. [ balbi@ti.com : improve commit log a bit ] Signed-off-by: Huang Rui Signed-off-by: Felipe Balbi Signed-off-by: Jiri Slaby commit d1788487fb651ce3953a9940a0b2fa07efcf66d2 Author: Wolfram Sang Date: Sat Feb 1 15:26:00 2014 -0300 media: media: gspca: sn9c20x: add ID for Genius Look 1320 V2 commit 61f0319193c44adbbada920162d880b1fdb3aeb3 upstream. Signed-off-by: Wolfram Sang Signed-off-by: Hans de Goede Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit fb7e51092b6fb05429667ecdf41e2d0b61c14229 Author: Florian Vaussard Date: Fri Jan 17 16:37:38 2014 -0300 media: omap3isp: preview: Fix the crop margins commit 8b57b9669aa884ac75b8d09c251d6b1755533c15 upstream. Commit 3fdfedaaa "[media] omap3isp: preview: Lower the crop margins" accidentally changed the previewer's cropping, causing the previewer to miss four pixels on each line, thus corrupting the final image. Restored the removed setting. Signed-off-by: Florian Vaussard Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit ea40cecb77fd49ed40e4dcce2d8cdc33d9e9c070 Author: Hans Verkuil Date: Fri Mar 7 07:28:39 2014 -0300 media: saa7134: fix WARN_ON during resume commit 30d652823de5fd7907d40e969a2d8e23938d8d03 upstream. Do not attempt to reload the tuner modules when resuming after a suspend. This triggers a WARN_ON in kernel/kmod.c:148 __request_module. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=69581. This has always been wrong, but it was never noticed until the WARN_ON was added in 3.9. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit e998c7851818fc39d4ea5102df1e855c6911edc3 Author: Antti Palosaari Date: Tue Mar 11 06:53:16 2014 -0300 media: em28xx: fix PCTV 290e LNA oops commit 3ec40dcfb413214b2874aec858870502b61c2202 upstream. Pointer to device state has been moved to different location during some change. PCTV 290e LNA function still uses old pointer, carried over FE priv, and it crash. Reported-by: Janne Kujanpää Signed-off-by: Antti Palosaari Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit 020b13283bb1e003c91ac946addf24659c96bb64 Author: Malcolm Priestley Date: Tue Feb 25 23:05:39 2014 -0300 media: m88rs2000: add caps FE_CAN_INVERSION_AUTO commit 3c8023a782964c72574ad8268ba0ea4e2d9772fc upstream. The m88rs2000 frontend is always auto inversion. Signed-off-by: Malcolm Priestley Signed-off-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit d5c3bcdc3a38877de77bb4dad71b332b998acef4 Author: Malcolm Priestley Date: Tue Feb 25 23:11:34 2014 -0300 media: m88rs2000: prevent frontend crash on continuous transponder scans commit 8272d0a0c0d374a01721e579df6e8add5577132b upstream. Add m88rs2000_get_tune_settings, min delay of 2000 ms on symbol rate more than 3000000 and delay of 3000ms less than this. Adding min delay prevents crashing the frontend on continuous transponder scans. Other dvb_frontend_tune_settings remain as default. This makes very little time difference to good channel scans, but slows down the set frontend where lock can never be achieved i.e. DVB-S2. Signed-off-by: Malcolm Priestley Signed-off-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit 35bb23eeef29efce643e4e339f779f6fd1dbf53f Author: Hans Verkuil Date: Thu Mar 6 07:24:21 2014 -0300 media: v4l2-compat-ioctl32: fix wrong VIDIOC_SUBDEV_G/S_EDID32 support commit bc826d6e39fe5f09cbadf8723e9183e6331b586f upstream. The wrong ioctl numbers were used due to a copy-and-paste error. Signed-off-by: Hans Verkuil Acked-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit 01c5d718a5cd2d0063a1518d873223d7530cd1df Author: Hans Verkuil Date: Tue Mar 4 04:51:50 2014 -0300 media: v4l2-dv-timings: add module name, description, license commit c4885ada88e4331f8ac56d14296d0058359db2d7 upstream. I completely forgot to add them when I made this module. Loading this module without it will taint the kernel, which is not intended. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit 0c4d94bba0bd58d12e2a635f3332d075479e1484 Author: Antoine Ténart Date: Fri Mar 7 17:20:54 2014 +0100 video: atmel_lcdfb: ensure the hardware is initialized with the correct mode commit 7d3477d801808a5037a511cf5a5aae5718e7ecce upstream. If no driver takeover the atmel_lcdfb, the lcd won't be in a working state since atmel_lcdfb_set_par() will never be called. Enabling a driver which does, like fbcon, will call the function and put atmel_lcdfb in a working state. Fixes: b985172b328a (video: atmel_lcdfb: add device tree suport) Signed-off-by: Antoine Ténart Reported-by: Alexandre Belloni Acked-by: Alexandre Belloni Acked-by: Nicolas Ferre Signed-off-by: Tomi Valkeinen Signed-off-by: Jiri Slaby commit 1ad6545a687c9bbf42ff10b391d6c2e0e08f5660 Author: Hans Verkuil Date: Thu Feb 27 06:04:57 2014 -0300 media: videodev2.h: add parenthesis around macro arguments commit aee786acfc0a12bcd37a1c60f3198fb25cf7181a upstream. bt->width should be (bt)->width, and same for the other fields. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit 755dd380360171068c6181f51b0d6fb614763380 Author: Oleksij Rempel Date: Sun Feb 16 06:59:32 2014 -0300 media: uvcvideo: Do not use usb_set_interface on bulk EP commit b1e43f232698274871e1358c276d7b0242a7d607 upstream. The UVC specification uses alternate setting selection to notify devices of stream start/stop. This breaks when using bulk-based devices, as the video streaming interface has a single alternate setting in that case, making video stream start and video stream stop events to appear identical to the device. Bulk-based devices are thus not well supported by UVC. The webcam built in the Asus Zenbook UX302LA ignores the set interface request and will keep the video stream enabled when the driver tries to stop it. If USB autosuspend is enabled the device will then be suspended and will crash, requiring a cold reboot. USB trace capture showed that Windows sends a CLEAR_FEATURE(HALT) request to the bulk endpoint when stopping the stream instead of selecting alternate setting 0. The camera then behaves correctly, and thus seems to require that behaviour. Replace selection of alternate setting 0 with clearing of the endpoint halt feature at video stream stop for bulk-based devices. Let's refrain from blaming Microsoft this time, as it's not clear whether this Windows-specific but USB-compliant behaviour was specifically developed to handle bulkd-based UVC devices, or if the camera just took advantage of it. Signed-off-by: Oleksij Rempel Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jiri Slaby commit 0cb7ed574a6111675fc616edbed1b9e3d4c6d48d Author: David Cohen Date: Fri Apr 25 19:20:16 2014 +0300 usb/xhci: fix compilation warning when !CONFIG_PCI && !CONFIG_PM commit 01bb59ebffdec314da8da66266edf29529372f9b upstream. When CONFIG_PCI and CONFIG_PM are not selected, xhci.c gets this warning: drivers/usb/host/xhci.c:409:13: warning: ‘xhci_msix_sync_irqs’ defined but not used [-Wunused-function] Instead of creating nested #ifdefs, this patch fixes it by defining the xHCI PCI stubs as inline. This warning has been in since 3.2 kernel and was caused by commit 421aa841a134f6a743111cf44d0c6d3b45e3cf8c "usb/xhci: hide MSI code behind PCI bars", but wasn't noticed until 3.13 when a configuration with these options was tried Signed-off-by: David Cohen Signed-off-by: Mathias Nyman Signed-off-by: Jiri Slaby commit ed6e3e1b433b74a67478e749b94e08bde40c4279 Author: Denis Turischev Date: Fri Apr 25 19:20:14 2014 +0300 xhci: Switch Intel Lynx Point ports to EHCI on shutdown. commit c09ec25d3684cad74d851c0f028a495999591279 upstream. The same issue like with Panther Point chipsets. If the USB ports are switched to xHCI on shutdown, the xHCI host will send a spurious interrupt, which will wake the system. Some BIOS have work around for this, but not all. One example is Compulab's mini-desktop, the Intense-PC2. The bug can be avoided if the USB ports are switched back to EHCI on shutdown. This patch should be backported to stable kernels as old as 3.12, that contain the commit 638298dc66ea36623dbc2757a24fc2c4ab41b016 "xhci: Fix spurious wakeups after S5 on Haswell" Signed-off-by: Denis Turischev Signed-off-by: Mathias Nyman Signed-off-by: Jiri Slaby commit 5c412cc900b94dfa0a5700ed622693c0a6b8e378 Author: Mathias Nyman Date: Mon Mar 3 19:30:17 2014 +0200 xhci: Prevent runtime pm from autosuspending during initialization commit bcffae7708eb8352f44dc510b326541fe43a02a4 upstream. xHCI driver has its own pci probe function that will call usb_hcd_pci_probe to register its usb-2 bus, and then continue to manually register the usb-3 bus. usb_hcd_pci_probe does a pm_runtime_put_noidle at the end and might thus trigger a runtime suspend before the usb-3 bus is ready. Prevent the runtime suspend by increasing the usage count in the beginning of xhci_pci_probe, and decrease it once the usb-3 bus is ready. xhci-platform driver is not using usb_hcd_pci_probe to set up busses and should not need to have it's usage count increased during probe. Signed-off-by: Mathias Nyman Acked-by: Dan Williams Acked-by: Alan Stern Signed-off-by: Sarah Sharp Signed-off-by: Jiri Slaby commit 5d58fb61997104f460311f652704566a5bae42fd Author: Roger Quadros Date: Wed Mar 26 18:46:38 2014 +0200 usb: gadget: zero: Fix SuperSpeed enumeration for alternate setting 1 commit 9c1b70361e0b38e4acb8e62b54da66538cb77ff2 upstream. It was impossible to enumerate on a SuperSpeed (XHCI) host with alternate setting = 1 due to the wrongly set 'bMaxBurst' field in the SuperSpeed Endpoint Companion descriptor. Testcase: modprobe -r usbtest; modprobe usbtest alt=1 modprobe g_zero plug device to SuperSpeed port on the host. Without this patch the host always complains like so "usb 12-2: Not enough bandwidth for new device state. usb 12-2: Not enough bandwidth for altsetting 1" Bug was introduced by commit cf9a08ae in v3.9 Fixes: cf9a08ae5aec (usb: gadget: convert source sink and loopback to new function interface) Reviewed-by: Felipe Balbi Acked-by: Sebastian Andrzej Siewior Signed-off-by: Roger Quadros Signed-off-by: Felipe Balbi Signed-off-by: Jiri Slaby commit 4d08e69c8b1c40705b2631a4d1c89b3534e3087e Author: Gregory CLEMENT Date: Mon Mar 3 17:48:34 2014 +0100 usb: gadget: atmel_usba: fix crashed during stopping when DEBUG is enabled commit d8eb6c653ef6b323d630de3c5685478469e248bc upstream. commit 511f3c5 (usb: gadget: udc-core: fix a regression during gadget driver unbinding) introduced a crash when DEBUG is enabled. The debug trace in the atmel_usba_stop function made the assumption that the driver pointer passed in parameter was not NULL, but since the commit above, such assumption was no longer always true. This commit now uses the driver pointer stored in udc which fixes this issue. [ balbi@ti.com : improved commit log a bit ] Acked-by: Alexandre Belloni Signed-off-by: Gregory CLEMENT Signed-off-by: Felipe Balbi Signed-off-by: Jiri Slaby commit 34c35bea71a94296342957750b8703cd80811ee9 Author: Kees Cook Date: Tue Mar 11 13:26:16 2014 -0700 usb: gadget: tcm_usb_gadget: stop format strings commit aba37fd975f0dd58e025c99c2a79b61b20190831 upstream. This makes sure that the name coming out of configfs cannot be used accidentally as a format string. Signed-off-by: Kees Cook Signed-off-by: Jiri Slaby commit 8e7f2dc649bb6bb379ce8428c1bcfede59adc41c Author: Jeff Mahoney Date: Wed Apr 2 14:40:26 2014 -0400 reiserfs: fix race in readdir commit 01d8885785a60ae8f4c37b0ed75bdc96d0fc6a44 upstream. jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) The -ENOENT is due to readdir calling dir_emit on the same entry twice. If the dir_emit callback sleeps and the tree is changed underneath us, we won't be able to trust deh_offset(deh) anymore. We need to save next_pos before we might sleep so we can find the next entry. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara Signed-off-by: Jiri Slaby commit 065487a10a22a960bc4e41facb011d10692ef470 Author: Matt Fleming Date: Tue Apr 8 13:14:00 2014 +0100 x86/efi: Correct EFI boot stub use of code32_start commit 7e8213c1f3acc064aef37813a39f13cbfe7c3ce7 upstream. code32_start should point at the start of the protected mode code, and *not* at the beginning of the bzImage. This is much easier to do in assembly so document that callers of make_boot_params() need to fill out code32_start. The fallout from this bug is that we would end up relocating the image but copying the image at some offset, resulting in what appeared to be memory corruption. Reported-by: Thomas Bächler Signed-off-by: Matt Fleming Signed-off-by: Jiri Slaby commit 56999c6bd5ef1ac5f639c7a69e2a9bc6328f6e36 Author: Andy Grover Date: Fri Apr 4 16:44:37 2014 -0700 target/tcm_fc: Fix use-after-free of ft_tpg commit 2c42be2dd4f6586728dba5c4e197afd5cfaded78 upstream. ft_del_tpg checks tpg->tport is set before unlinking the tpg from the tport when the tpg is being removed. Set this pointer in ft_tport_create, or the unlinking won't happen in ft_del_tpg and tport->tpg will reference a deleted object. This patch sets tpg->tport in ft_tport_create, because that's what ft_del_tpg checks, and is the only way to get back to the tport to clear tport->tpg. The bug was occuring when: - lport created, tport (our per-lport, per-provider context) is allocated. tport->tpg = NULL - tpg created - a PRLI is received. ft_tport_create is called, tpg is found and tport->tpg is set - tpg removed. ft_tpg is freed in ft_del_tpg. Since tpg->tport was not set, tport->tpg is not cleared and points at freed memory - Future calls to ft_tport_create return tport via first conditional, instead of searching for new tpg by calling ft_lport_find_tpg. tport->tpg is still invalid, and will access freed memory. see https://bugzilla.redhat.com/show_bug.cgi?id=1071340 Signed-off-by: Andy Grover Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit 871fc0589b36e928e0ae2f3681f54fe78ce0c175 Author: Martin Svec Date: Tue Apr 1 16:03:02 2014 +0200 Target/sbc: Initialize COMPARE_AND_WRITE write_sg scatterlist commit a1e1774c6dfa3a524dd8df51ca95185fe5ef3247 upstream. When compiled with CONFIG_DEBUG_SG set, uninitialized SGL leads to BUG() in compare_and_write_callback(). Signed-off-by: Martin Svec Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit 4c5756030c09b5641701716b326cc25122e16a2e Author: Nicholas Bellinger Date: Wed Feb 19 23:32:14 2014 +0000 iscsi-target: Fix ERL=2 ASYNC_EVENT connection pointer bug commit d444edc679e7713412f243b792b1f964e5cff1e1 upstream. This patch fixes a long-standing bug in iscsit_build_conn_drop_async_message() where during ERL=2 connection recovery, a bogus conn_p pointer could end up being used to send the ISCSI_OP_ASYNC_EVENT + DROPPING_CONNECTION notifying the initiator that cmd->logout_cid has failed. The bug was manifesting itself as an OOPs in iscsit_allocate_cmd() with a bogus conn_p pointer in iscsit_build_conn_drop_async_message(). Reported-by: Arshad Hussain Reported-by: santosh kulkarni Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit abab64323b3a12430a55238bc3cd953b5bb016c8 Author: Dan Carpenter Date: Tue Feb 11 19:06:33 2014 +0300 SCSI: arcmsr: upper 32 of dma address lost commit e2c70425f05219b142b3a8a9489a622c736db39d upstream. The original code always set the upper 32 bits to zero because it was doing a shift of the wrong variable. Fixes: 1a4f550a09f8 ('[SCSI] arcmsr: 1.20.00.15: add SATA RAID plus other fixes') Signed-off-by: Dan Carpenter Signed-off-by: James Bottomley Signed-off-by: Jiri Slaby commit f00a58f0dc09358e7af7f050825bf575a094fee3 Author: Dan Carpenter Date: Tue Jan 21 10:00:10 2014 +0300 SCSI: qla2xxx: fix error handling of qla2x00_mem_alloc() commit b2a72ec32d0f499aaadf41264232517a12326df0 upstream. qla2x00_mem_alloc() returns 1 on success and -ENOMEM on failure. On the one hand the caller assumes non-zero is success but on the other hand the caller also assumes that it returns an error code. I've fixed it to return zero on success and a negative error code on failure. This matches the documentation as well. [jejb: checkpatch fix] Fixes: e315cd28b9ef ('[SCSI] qla2xxx: Code changes for qla data structure refactoring') Signed-off-by: Dan Carpenter Acked-by: Saurav Kashyap Signed-off-by: James Bottomley Signed-off-by: Jiri Slaby commit 7efadd64325e55b75967a6e2b6a714f14fdce795 Author: Mike Marciniszyn Date: Mon Apr 7 13:58:35 2014 -0400 ib_srpt: Use correct ib_sg_dma primitives commit b076808051f2c80d38e03fb2f1294f525c7a446d upstream. The code was incorrectly using sg_dma_address() and sg_dma_len() instead of ib_sg_dma_address() and ib_sg_dma_len(). This prevents srpt from functioning with the Intel HCA and indeed will corrupt memory badly. Cc: Bart Van Assche Reviewed-by: Dennis Dalessandro Tested-by: Vinod Kumar Signed-off-by: Mike Marciniszyn Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit 01f0e0febe2071ef80fc1a41f9f5c440774dedee Author: Yann Droneaud Date: Mon Mar 10 23:06:28 2014 +0100 IB/qib: add missing braces in do_qib_user_sdma_queue_create() commit 37a967651caf99dd267017023737bd442f5acb3d upstream. Commit c804f07248895ff9c moved qib_assign_ctxt() to do_qib_user_sdma_queue_create() but dropped the braces around the statements. This was spotted by coccicheck (coccinelle/spatch): $ make C=2 CHECK=scripts/coccicheck drivers/infiniband/hw/qib/ CHECK drivers/infiniband/hw/qib/qib_file_ops.c drivers/infiniband/hw/qib/qib_file_ops.c:1583:2-23: code aligned with following code on line 1587 This patch adds braces back. Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com Cc: Mike Marciniszyn Cc: infinipath@intel.com Cc: Julia Lawall Cc: cocci@systeme.lip6.fr Signed-off-by: Yann Droneaud Tested-by: Mike Marciniszyn Acked-by: Mike Marciniszyn Signed-off-by: Roland Dreier Signed-off-by: Jiri Slaby commit a67a38bf33f4ad75abda8177ed84ab2dcddab7fe Author: Mike Marciniszyn Date: Fri Mar 7 08:32:31 2014 -0500 IB/qib: Fix debugfs ordering issue with multiple HCAs commit f8b6c47a44c063062317646683a73371c24c69ee upstream. The debugfs init code was incorrectly called before the idr mechanism is used to get the unit number, so the dd->unit hasn't been initialized. This caused the unit relative directory creation to fail after the first. This patch moves the init for the debugfs stuff until after all of the failures and after the unit number has been determined. A bug in unwind code in qib_alloc_devdata() is also fixed. Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Roland Dreier Signed-off-by: Jiri Slaby commit 30a61a69050f9c4550a0802f15fc41b452f431b2 Author: Yann Droneaud Date: Mon Mar 10 23:06:25 2014 +0100 IB/ehca: Returns an error on ib_copy_to_udata() failure commit 5bdb0f02add5994b0bc17494f4726925ca5d6ba1 upstream. In case of error when writing to userspace, function ehca_create_cq() does not set an error code before following its error path. This patch sets the error code to -EFAULT when ib_copy_to_udata() fails. This was caught when using spatch (aka. coccinelle) to rewrite call to ib_copy_{from,to}_udata(). Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com Signed-off-by: Yann Droneaud Signed-off-by: Roland Dreier Signed-off-by: Jiri Slaby commit f34458c12dd60d9c817e3a41c1984eb54e2ec17a Author: Yann Droneaud Date: Mon Mar 10 23:06:26 2014 +0100 IB/mthca: Return an error on ib_copy_to_udata() failure commit 08e74c4b00c30c232d535ff368554959403d0432 upstream. In case of error when writing to userspace, the function mthca_create_cq() does not set an error code before following its error path. This patch sets the error code to -EFAULT when ib_copy_to_udata() fails. This was caught when using spatch (aka. coccinelle) to rewrite call to ib_copy_{from,to}_udata(). Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com Signed-off-by: Yann Droneaud Signed-off-by: Roland Dreier Signed-off-by: Jiri Slaby commit f6a6a04cde84e4345f4118583aadfc2d7eb320ea Author: Yann Droneaud Date: Mon Mar 10 23:06:27 2014 +0100 IB/nes: Return an error on ib_copy_from_udata() failure instead of NULL commit 9d194d1025f463392feafa26ff8c2d8247f71be1 upstream. In case of error while accessing to userspace memory, function nes_create_qp() returns NULL instead of an error code wrapped through ERR_PTR(). But NULL is not expected by ib_uverbs_create_qp(), as it check for error with IS_ERR(). As page 0 is likely not mapped, it is going to trigger an Oops when the kernel will try to dereference NULL pointer to access to struct ib_qp's fields. In some rare cases, page 0 could be mapped by userspace, which could turn this bug to a vulnerability that could be exploited: the function pointers in struct ib_device will be under userspace total control. This was caught when using spatch (aka. coccinelle) to rewrite calls to ib_copy_{from,to}_udata(). Link: https://www.gitorious.org/opteya/ib-hw-nes-create-qp-null Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com Signed-off-by: Yann Droneaud Signed-off-by: Roland Dreier Signed-off-by: Jiri Slaby commit 452e5d491ce7cd59fdf791f25a259406770a3b21 Author: Dennis Dalessandro Date: Thu Feb 20 11:02:53 2014 -0500 IB/ipath: Fix potential buffer overrun in sending diag packet routine commit a2cb0eb8a64adb29a99fd864013de957028f36ae upstream. Guard against a potential buffer overrun. The size to read from the user is passed in, and due to the padding that needs to be taken into account, as well as the place holder for the ICRC it is possible to overflow the 32bit value which would cause more data to be copied from user space than is allocated in the buffer. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Reviewed-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Roland Dreier Signed-off-by: Jiri Slaby commit 422f1918b143e806b0dea07ce731b37fd4465a72 Author: Jeff Layton Date: Tue Apr 15 08:51:48 2014 -0400 nfsd: set timeparms.to_maxval in setup_callback_client commit 3758cf7e14b753838fe754ede3862af10b35fdac upstream. ...otherwise the logic in the timeout handling doesn't work correctly. Spotted-by: Trond Myklebust Signed-off-by: Jeff Layton Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit f652838d1af0ff5c3fc201c0d5ecf376f352a8a7 Author: Kinglong Mee Date: Wed Mar 26 22:09:30 2014 +0800 NFSD: Traverse unconfirmed client through hash-table commit 2b9056359889c78ea5decb5b654a512c2e8a945c upstream. When stopping nfsd, I got BUG messages, and soft lockup messages, The problem is cuased by double rb_erase() in nfs4_state_destroy_net() and destroy_client(). This patch just let nfsd traversing unconfirmed client through hash-table instead of rbtree. [ 2325.021995] BUG: unable to handle kernel NULL pointer dereference at (null) [ 2325.022809] IP: [] rb_erase+0x14c/0x390 [ 2325.022982] PGD 7a91b067 PUD 7a33d067 PMD 0 [ 2325.022982] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC [ 2325.022982] Modules linked in: nfsd(OF) cfg80211 rfkill bridge stp llc snd_intel8x0 snd_ac97_codec ac97_bus auth_rpcgss nfs_acl serio_raw e1000 i2c_piix4 ppdev snd_pcm snd_timer lockd pcspkr joydev parport_pc snd parport i2c_core soundcore microcode sunrpc ata_generic pata_acpi [last unloaded: nfsd] [ 2325.022982] CPU: 1 PID: 2123 Comm: nfsd Tainted: GF O 3.14.0-rc8+ #2 [ 2325.022982] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [ 2325.022982] task: ffff88007b384800 ti: ffff8800797f6000 task.ti: ffff8800797f6000 [ 2325.022982] RIP: 0010:[] [] rb_erase+0x14c/0x390 [ 2325.022982] RSP: 0018:ffff8800797f7d98 EFLAGS: 00010246 [ 2325.022982] RAX: ffff880079c1f010 RBX: ffff880079f4c828 RCX: 0000000000000000 [ 2325.022982] RDX: 0000000000000000 RSI: ffff880079bcb070 RDI: ffff880079f4c810 [ 2325.022982] RBP: ffff8800797f7d98 R08: 0000000000000000 R09: ffff88007964fc70 [ 2325.022982] R10: 0000000000000000 R11: 0000000000000400 R12: ffff880079f4c800 [ 2325.022982] R13: ffff880079bcb000 R14: ffff8800797f7da8 R15: ffff880079f4c860 [ 2325.022982] FS: 0000000000000000(0000) GS:ffff88007f900000(0000) knlGS:0000000000000000 [ 2325.022982] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 2325.022982] CR2: 0000000000000000 CR3: 000000007a3ef000 CR4: 00000000000006e0 [ 2325.022982] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 2325.022982] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 2325.022982] Stack: [ 2325.022982] ffff8800797f7de0 ffffffffa0191c6e ffff8800797f7da8 ffff8800797f7da8 [ 2325.022982] ffff880079f4c810 ffff880079bcb000 ffffffff81cc26c0 ffff880079c1f010 [ 2325.022982] ffff880079bcb070 ffff8800797f7e28 ffffffffa01977f2 ffff8800797f7df0 [ 2325.022982] Call Trace: [ 2325.022982] [] destroy_client+0x32e/0x3b0 [nfsd] [ 2325.022982] [] nfs4_state_shutdown_net+0x1a2/0x220 [nfsd] [ 2325.022982] [] nfsd_shutdown_net+0x38/0x70 [nfsd] [ 2325.022982] [] nfsd_last_thread+0x4e/0x80 [nfsd] [ 2325.022982] [] svc_shutdown_net+0x2b/0x30 [sunrpc] [ 2325.022982] [] nfsd_destroy+0x5b/0x80 [nfsd] [ 2325.022982] [] nfsd+0x103/0x130 [nfsd] [ 2325.022982] [] ? nfsd_destroy+0x80/0x80 [nfsd] [ 2325.022982] [] kthread+0xd2/0xf0 [ 2325.022982] [] ? insert_kthread_work+0x40/0x40 [ 2325.022982] [] ret_from_fork+0x7c/0xb0 [ 2325.022982] [] ? insert_kthread_work+0x40/0x40 [ 2325.022982] Code: 48 83 e1 fc 48 89 10 0f 84 02 01 00 00 48 3b 41 10 0f 84 08 01 00 00 48 89 51 08 48 89 fa e9 74 ff ff ff 0f 1f 40 00 48 8b 50 10 02 01 0f 84 93 00 00 00 48 8b 7a 10 48 85 ff 74 05 f6 07 01 [ 2325.022982] RIP [] rb_erase+0x14c/0x390 [ 2325.022982] RSP [ 2325.022982] CR2: 0000000000000000 [ 2325.022982] ---[ end trace 28c27ed011655e57 ]--- [ 228.064071] BUG: soft lockup - CPU#0 stuck for 22s! [nfsd:558] [ 228.064428] Modules linked in: ip6t_rpfilter ip6t_REJECT cfg80211 xt_conntrack rfkill ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw nfsd(OF) auth_rpcgss nfs_acl lockd snd_intel8x0 snd_ac97_codec ac97_bus joydev snd_pcm snd_timer e1000 sunrpc snd ppdev parport_pc serio_raw pcspkr i2c_piix4 microcode parport soundcore i2c_core ata_generic pata_acpi [ 228.064539] CPU: 0 PID: 558 Comm: nfsd Tainted: GF O 3.14.0-rc8+ #2 [ 228.064539] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [ 228.064539] task: ffff880076adec00 ti: ffff880074616000 task.ti: ffff880074616000 [ 228.064539] RIP: 0010:[] [] rb_next+0x27/0x50 [ 228.064539] RSP: 0018:ffff880074617de0 EFLAGS: 00000282 [ 228.064539] RAX: ffff880074478010 RBX: ffff88007446f860 RCX: 0000000000000014 [ 228.064539] RDX: ffff880074478010 RSI: 0000000000000000 RDI: ffff880074478010 [ 228.064539] RBP: ffff880074617de0 R08: 0000000000000000 R09: 0000000000000012 [ 228.064539] R10: 0000000000000001 R11: ffffffffffffffec R12: ffffea0001d11a00 [ 228.064539] R13: ffff88007f401400 R14: ffff88007446f800 R15: ffff880074617d50 [ 228.064539] FS: 0000000000000000(0000) GS:ffff88007f800000(0000) knlGS:0000000000000000 [ 228.064539] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 228.064539] CR2: 00007fe9ac6ec000 CR3: 000000007a5d6000 CR4: 00000000000006f0 [ 228.064539] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 228.064539] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 228.064539] Stack: [ 228.064539] ffff880074617e28 ffffffffa01ab7db ffff880074617df0 ffff880074617df0 [ 228.064539] ffff880079273000 ffffffff81cc26c0 ffffffff81cc26c0 0000000000000000 [ 228.064539] 0000000000000000 ffff880074617e48 ffffffffa01840b8 ffffffff81cc26c0 [ 228.064539] Call Trace: [ 228.064539] [] nfs4_state_shutdown_net+0x18b/0x220 [nfsd] [ 228.064539] [] nfsd_shutdown_net+0x38/0x70 [nfsd] [ 228.064539] [] nfsd_last_thread+0x4e/0x80 [nfsd] [ 228.064539] [] svc_shutdown_net+0x2b/0x30 [sunrpc] [ 228.064539] [] nfsd_destroy+0x5b/0x80 [nfsd] [ 228.064539] [] nfsd+0x103/0x130 [nfsd] [ 228.064539] [] ? nfsd_destroy+0x80/0x80 [nfsd] [ 228.064539] [] kthread+0xd2/0xf0 [ 228.064539] [] ? insert_kthread_work+0x40/0x40 [ 228.064539] [] ret_from_fork+0x7c/0xb0 [ 228.064539] [] ? insert_kthread_work+0x40/0x40 [ 228.064539] Code: 1f 44 00 00 55 48 8b 17 48 89 e5 48 39 d7 74 3b 48 8b 47 08 48 85 c0 75 0e eb 25 66 0f 1f 84 00 00 00 00 00 48 89 d0 48 8b 50 10 <48> 85 d2 75 f4 5d c3 66 90 48 3b 78 08 75 f6 48 8b 10 48 89 c7 Fixes: ac55fdc408039 (nfsd: move the confirmed and unconfirmed hlists...) Signed-off-by: Kinglong Mee Reviewed-by: Jeff Layton Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit 7b41297323051537cedc012deb6256b8f1390f23 Author: J. Bruce Fields Date: Mon Mar 10 14:17:55 2014 -0400 nfsd4: fix setclientid encode size commit 480efaee085235bb848f1063f959bf144103c342 upstream. Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit 3324f3094e69688fe73c23433a8151d0128df6fa Author: Stanislav Kinsbursky Date: Wed Feb 26 16:50:01 2014 +0300 nfsd: check passed socket's net matches NFSd superblock's one commit 3064639423c48d6e0eb9ecc27c512a58e38c6c57 upstream. There could be a case, when NFSd file system is mounted in network, different to socket's one, like below: "ip netns exec" creates new network and mount namespace, which duplicates NFSd mount point, created in init_net context. And thus NFS server stop in nested network context leads to RPCBIND client destruction in init_net. Then, on NFSd start in nested network context, rpc.nfsd process creates socket in nested net and passes it into "write_ports", which leads to RPCBIND sockets creation in init_net context because of the same reason (NFSd monut point was created in init_net context). An attempt to register passed socket in nested net leads to panic, because no RPCBIND client present in nexted network namespace. This patch add check that passed socket's net matches NFSd superblock's one. And returns -EINVAL error to user psace otherwise. v2: Put socket on exit. Reported-by: Weng Meiling Signed-off-by: Stanislav Kinsbursky Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit af6d685c6749c78d10dd63317c81f581958e64ad Author: J. Bruce Fields Date: Mon Feb 24 14:59:47 2014 -0500 nfsd: notify_change needs elevated write count commit 9f67f189939eccaa54f3d2c9cf10788abaf2d584 upstream. Looks like this bug has been here since these write counts were introduced, not sure why it was just noticed now. Thanks also to Jan Kara for pointing out the problem. Reported-by: Matthew Rahtz Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit 7adedd285503e0a25f933b9d83e659f40404fb9b Author: J. Bruce Fields Date: Mon Feb 3 16:38:47 2014 -0500 nfsd4: leave reply buffer space for failed setattr commit 04819bf6449094e62cebaf5199d85d68d711e667 upstream. This fixes an ommission from 18032ca062e621e15683cb61c066ef3dc5414a7b "NFSD: Server implementation of MAC Labeling", which increased the size of the setattr error reply without increasing COMPOUND_ERR_SLACK_SPACE. Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit 63d04d03d4975516ad0eb354ce11348bba34430c Author: J. Bruce Fields Date: Mon Feb 3 16:31:42 2014 -0500 nfsd4: fix test_stateid error reply encoding commit a11fcce1544df08c723d950ff0edef3adac40405 upstream. If the entire operation fails then there's nothing to encode. Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit 0500e9a3b487fd8de16315a687a58c179b1354e7 Author: J. Bruce Fields Date: Tue Jan 28 16:05:15 2014 -0500 nfsd4: buffer-length check for SUPPATTR_EXCLCREAT commit de3997a7eeb9ea286b15879fdf8a95aae065b4f7 upstream. This was an omission from 8c18f2052e756e7d5dea712fc6e7ed70c00e8a39 "nfsd41: SUPPATTR_EXCLCREAT attribute". Cc: Benny Halevy Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit 0ca6add471b10cc5a3570fe1c5c8093032a5b88b Author: J. Bruce Fields Date: Tue Jan 28 16:01:04 2014 -0500 nfsd4: session needs room for following op to error out commit 4c69d5855a16f7378648c5733632628fa10431db upstream. Signed-off-by: J. Bruce Fields Signed-off-by: Jiri Slaby commit ca2ad538ba4734fbc3d6a03caedc68113ff0a3e9 Author: Trond Myklebust Date: Wed Mar 26 13:24:37 2014 -0700 NFSv4: Fix a use-after-free problem in open() commit e911b8158ee1def8153849b1641b736026b036e0 upstream. If we interrupt the nfs4_wait_for_completion_rpc_task() call in nfs4_run_open_task(), then we don't prevent the RPC call from completing. So freeing up the opendata->f_attr.mdsthreshold in the error path in _nfs4_do_open() leads to a use-after-free when the XDR decoder tries to decode the mdsthreshold information from the server. Fixes: 82be417aa37c0 (NFSv4.1 cache mdsthreshold values on OPEN) Tested-by: Steve Dickson Signed-off-by: Trond Myklebust Signed-off-by: Jiri Slaby commit ef878b6e73ac392e6bad83713bfd1361c79bdbaf Author: Alec Berg Date: Wed Mar 19 18:50:00 2014 +0000 iio: querying buffer scan_mask should return 0/1 commit 2076a20fc1a06f7b0333c62a2bb4eeeac7ed1bcb upstream. Ensure that querying the IIO buffer scan_mask returns a value of 0 or 1. Currently querying the scan mask has the value returned by test_bit(), which returns either true or false. For some architectures test_bit() may return -1 for true, which will appear to return an error when returning from iio_scan_mask_query(). Additionally, it's important for the sysfs interface to consistently return the same thing when querying the scan_mask. Signed-off-by: Alec Berg Signed-off-by: Jonathan Cameron Signed-off-by: Jiri Slaby commit 209e85195caf1854052f49073cda50a7c1a4cbc8 Author: Alan Stern Date: Mon Apr 14 13:48:47 2014 -0400 USB: fix crash during hotplug of PCI USB controller card commit a2ff864b53eac9a0e9b05bfe9d1781ccd6c2af71 upstream. The code in hcd-pci.c that matches up EHCI controllers with their companion UHCI or OHCI controllers assumes that the private drvdata fields don't get set too early. However, it turns out that this field gets set by usb_create_hcd(), before hcd-pci expects it, and this can result in a crash when two controllers are probed in parallel (as can happen when a new controller card is hotplugged). The companions_rwsem lock was supposed to prevent this sort of thing, but usb_create_hcd() is called outside the scope of the rwsem. A simple solution is to check that the root-hub pointer has been initialized as well as the drvdata field. This doesn't happen until usb_add_hcd() is called; that call and the check are both protected by the rwsem. This patch should be applied to stable kernels from 3.10 onward. Signed-off-by: Alan Stern Reported-by: Stefani Seibold Tested-by: Stefani Seibold Signed-off-by: Jiri Slaby commit b68d30bd4169785e983bb40327f5816eeba1afec Author: Jean-Jacques Hiblot Date: Fri Feb 14 11:46:15 2014 -0700 PCI: mvebu: Fix potential issue in range parsing commit 4f4bde1df33bde076f53325bdf2c6430cf85e1bb upstream. The second parameter of of_read_number() is not the index, but a size. As it happens, in this case it may work just fine because of the conversion to u32 and the favorable endianness on this architecture. Fixes: 11be65472a427 ("PCI: mvebu: Adapt to the new device tree layout") Tested-by: Thomas Petazzoni Signed-off-by: Jean-Jacques Hiblot Signed-off-by: Bjorn Helgaas Acked-by: Thomas Petazzoni Acked-by: Jason Cooper Signed-off-by: Jiri Slaby commit 2f500c80e7ed7691aaa08c0b8904188f2dc16676 Author: Charles Keepax Date: Tue Mar 18 10:49:17 2014 +0000 regulator: arizona-ldo1: Correct default regulator init_data commit a35ff2861690eaf9dbb38fa744a8a9e6f4ebfd61 upstream. Both 5102 and 8997 have the regulator capable of supplying 1.8V, and the voltage step from the 5110 regulator is different from what is specified in the default description. This patch updates the default regulator description to match 5110 and selects the 1.8V capable description for 8997. Signed-off-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit 21ab0ac5ef79656fabf9cd36b1312e49fa6bf1ab Author: H. Peter Anvin Date: Sun Mar 16 15:31:54 2014 -0700 x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels commit b3b42ac2cbae1f3cecbb6229964a4d48af31d382 upstream. The IRET instruction, when returning to a 16-bit segment, only restores the bottom 16 bits of the user space stack pointer. We have a software workaround for that ("espfix") for the 32-bit kernel, but it relies on a nonzero stack segment base which is not available in 32-bit mode. Since 16-bit support is somewhat crippled anyway on a 64-bit kernel (no V86 mode), and most (if not quite all) 64-bit processors support virtualization for the users who really need it, simply reject attempts at creating a 16-bit segment when running on top of a 64-bit kernel. Cc: Linus Torvalds Signed-off-by: H. Peter Anvin Link: http://lkml.kernel.org/n/tip-kicdm89kzw9lldryb1br9od0@git.kernel.org Signed-off-by: Jiri Slaby commit 7d983dca8a416017d7df075c123af9168fbb503c Author: Petr Mladek Date: Mon Feb 24 17:12:20 2014 +0100 ftrace/x86: One more missing sync after fixup of function modification failure commit 12729f14d8357fb845d75155228b21e76360272d upstream. If a failure occurs while modifying ftrace function, it bails out and will remove the tracepoints to be back to what the code originally was. There is missing the final sync run across the CPUs after the fix up is done and before the ftrace int3 handler flag is reset. Here's the description of the problem: CPU0 CPU1 ---- ---- remove_breakpoint(); modifying_ftrace_code = 0; [still sees breakpoint] [sees modifying_ftrace_code as zero] [no breakpoint handler] [goto failed case] [trap exception - kernel breakpoint, no handler] BUG() Link: http://lkml.kernel.org/r/1393258342-29978-2-git-send-email-pmladek@suse.cz Fixes: 8a4d0a687a5 "ftrace: Use breakpoint method to update ftrace caller" Acked-by: Frederic Weisbecker Acked-by: H. Peter Anvin Signed-off-by: Petr Mladek Signed-off-by: Steven Rostedt Signed-off-by: Jiri Slaby commit 5ecf6d0b7f0a212a884a76ea89c5c4a049845d76 Author: Larry Finger Date: Wed Apr 9 11:12:58 2014 -0500 staging: r8188eu: Calling rtw_get_stainfo() with a NULL sta_addr will return NULL commit 9452bf560273e4de2395ffdd79024debfb0c1290 upstream. This makes the follow-on check for psta != NULL pointless and makes the whole exercise rather pointless. This is another case of why blindly zero-initializing variables when they are declared is bad. Reported-by: Jes Sorensen Signed-off-by: Larry Finger Signed-off-by: Jiri Slaby commit 8ed38426cc92fa6b7af07a9b0498ccba9a51b9ec Author: H Hartley Sweeten Date: Fri Mar 28 09:20:58 2014 -0700 staging: comedi: usbdux: bug fix for accessing 'ao_chanlist' in private data commit 2704f807f9498054b8153002bafa3e818079e9a5 upstream. In usbdux_ao_cmd(), the channels for the command are transfered from the cmd->chanlist and stored in the private data 'ao_chanlist'. The channel numbers are bit-shifted when stored so that they become the "command" that is transfered to the device. The channel to command conversion results in the 'ao_chanlist' having these values for the channels: channel 0 -> ao_chanlist = 0x00 channel 1 -> ao_chanlist = 0x40 channel 2 -> ao_chanlist = 0x80 channel 3 -> ao_chanlist = 0xc0 The problem is, the usbduxsub_ao_isoc_irq() function uses the 'chan' value from 'ao_chanlist' to access the 'ao_readback' array in the private data. So instead of accessing the array as 0, 1, 2, 3, it accesses it as 0x00, 0x40, 0x80, 0xc0. Fix this by storing the raw channel number in 'ao_chanlist' and doing the bit-shift when creating the command. Fixes: a998a3db530bff80 "staging: comedi: usbdux: cleanup the private data 'outBuffer'" Signed-off-by: H Hartley Sweeten Reviewed-by: Ian Abbott Acked-by: Bernd Porr Signed-off-by: Jiri Slaby commit 2e034c423269d4dfd85b795f941f06fd71aff5d0 Author: Larry Finger Date: Wed Apr 16 14:49:33 2014 -0500 staging: r8712u: Fix case where ethtype was never obtained and always be checked against 0 commit f764cd68d9036498f08fe8834deb6a367b5c2542 upstream. Zero-initializing ether_type masked that the ether type would never be obtained for 8021x packets and the comparison against eapol_type would always fail. Reported-by: Jes Sorensen Signed-off-by: Larry Finger Signed-off-by: Jiri Slaby commit ee45c6d29dffcab62d0b13c7818f7e0caff7561b Author: Himangi Saraogi Date: Wed Mar 5 04:59:57 2014 +0530 staging:serqt_usb2: Fix sparse warning restricted __le16 degrades to integer commit abe5d64d1a74195a44cd14624f8178b9f48b7cc7 upstream. This patch fixes the following sparse warning : drivers/staging/serqt_usb2/serqt_usb2.c:727:40: warning: restricted __le16 degrades to integer Signed-off-by: Himangi Saraogi Signed-off-by: Jiri Slaby commit 0c1da5ec1f6da71ba027f47b00e56adf33f81d68 Author: David Fries Date: Wed Jan 15 22:29:12 2014 -0600 w1: fix w1_send_slave dropping a slave id commit 6b355b33a64fd6d8ead2b838ec16fb9b551f71e8 upstream. Previous logic, if (avail > 8) { store slave; return; } send data; clear; The logic error is, if there isn't space send the buffer and clear, but the slave wasn't added to the now empty buffer loosing that slave id. It also should have been "if (avail >= 8)" because when it is 8, there is space. Instead, if there isn't space send and clear the buffer, then there is always space for the slave id. Signed-off-by: David Fries Acked-by: Evgeniy Polyakov Signed-off-by: Jiri Slaby commit fb7f82565eb51c39faf55ef6f057eb66eb49dfa0 Author: Guenter Roeck Date: Thu Mar 20 08:12:28 2014 -0700 mfd: kempld-core: Fix potential hang-up during boot commit 204747c970c0d568721c76ab8a57dde0e5dcf0d5 upstream. On PXT and COMe-cPC2 boards it is observed that the hardware mutex is acquired but not being released during initialization. This can result in a hang-up during boot if the driver is built into the kernel. Releasing the mutex twice if it was acquired fixes the problem. Subsequent request/release cycles work as expected, so the fix is only needed during initialization. Reviewed-by: Michael Brunner Tested-by: Michael Brunner Signed-off-by: Guenter Roeck Signed-off-by: Lee Jones Signed-off-by: Jiri Slaby commit d5688296e2f56884e43f7cee7c7b8d686e892f81 Author: Krzysztof Kozlowski Date: Wed Mar 12 16:50:44 2014 +0100 mfd: tps65910: Fix possible invalid pointer dereference on regmap_add_irq_chip fail commit 483e2dfdbc94751430e41db9973985f5b054d322 upstream. Fixes: 4aab3fadad32 ("mfd: tps65910: Move interrupt implementation code to mfd file") tps65910_irq_init() sets 'tps65910->chip_irq' before calling regmap_add_irq_chip(). If the regmap_add_irq_chip() call fails in memory allocation of regmap_irq_chip_data members then: 1. The 'tps65910->chip_irq' will still hold some value 2. 'tps65910->irq_data' will be pointing to already freed memory (because regmap_add_irq_chip() will free it on error) This results in invalid memory access during driver remove because the tps65910_irq_exit() tests whether 'tps65910->chip_irq' is not zero. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Jiri Slaby commit 9c2e8dca71c77b59d2602edb4a5b9b9c7a8caf6e Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:34 2014 +0100 mfd: max8997: Fix possible NULL pointer dereference on i2c_new_dummy error commit 97dc4ed3fa377ec91bb60ba98b70d645c2099384 upstream. During probe the driver allocates dummy I2C devices for RTC, haptic and MUIC with i2c_new_dummy() but it does not check the return value of this calls. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by i2c_unregister_device(). If i2c_new_dummy() fails for RTC, haptic or MUIC devices, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Jiri Slaby commit 01caac6e253850adec3e59058eccd4770770b675 Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:35 2014 +0100 mfd: max8998: Fix possible NULL pointer dereference on i2c_new_dummy error commit ed26f87b9f71693a1d1ee85f5e6209601505080f upstream. During probe the driver allocates dummy I2C device for RTC with i2c_new_dummy() but it does not check the return value of this call. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by i2c_unregister_device(). If i2c_new_dummy() fails for RTC device, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Jiri Slaby commit 720ec8d39b6e04e3ed30ba86d395dd093e0931ee Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:33 2014 +0100 mfd: max8925: Fix possible NULL pointer dereference on i2c_new_dummy error commit 96cf3dedc491d2f1f66cc26217f2b06b0c7b6797 upstream. During probe the driver allocates dummy I2C devices for RTC and ADC with i2c_new_dummy() but it does not check the return value of this calls. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by i2c_unregister_device(). If i2c_new_dummy() fails for RTC or ADC devices, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Jiri Slaby commit bc70894e384972fc807917559b86e956f2704247 Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:32 2014 +0100 mfd: max77693: Fix possible NULL pointer dereference on i2c_new_dummy error commit ad09dd6a1f5d6244bd89314015af506ba7f9810a upstream. During probe the driver allocates dummy I2C devices for MUIC and haptic with i2c_new_dummy() but it does not check the return value of this calls. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by devm_regmap_init_i2c() and i2c_unregister_device(). If i2c_new_dummy() fails for MUIC or haptic devices, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Jiri Slaby commit 5dbe75cb800aeaea00b17646b4a643f317e483b1 Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:31 2014 +0100 mfd: max77686: Fix possible NULL pointer dereference on i2c_new_dummy error commit b9e183a1d495cd65412abe0f9df19b151716bfe7 upstream. During probe the driver allocates dummy I2C device for RTC with i2c_new_dummy() but it does not check the return value of this call. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by i2c_unregister_device(). If i2c_new_dummy() fails for RTC device, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Jiri Slaby commit 598c8e6310d0eacc1cb44dd144536981a33bf234 Author: Krzysztof Kozlowski Date: Wed Feb 12 11:10:56 2014 +0100 mfd: 88pm800: Fix I2C device resource leak if probe fails commit 141050cf3d84fc303df58796d68dc1376b0e8f67 upstream. During probe the driver allocates two dummy I2C devices for subchips in function pm800_pages_init(). Additionally this function allocates regmaps for these subchips. If any of these steps fail then these dummy I2C devices are not freed and resources leak. On pm800_pages_init() fail the driver must call pm800_pages_exit() to unregister dummy I2C devices. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Jiri Slaby commit eda6a2312bdf4d4a7f7f4fbe60641aca1313c5b8 Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:30 2014 +0100 mfd: 88pm860x: Fix I2C device resource leak on regmap init fail commit a7ab1c8b261305af583ce26bb4a14f555fdaa73e upstream. During probe the driver allocates dummy I2C device for companion chip and then allocates a regmap for it. If regmap_init_i2c() fails then the I2C driver (allocated with i2c_new_dummy()) is not freed and this resource leaks. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Jiri Slaby commit 1a842865236d89ce387f185a31f474cf508d4f70 Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:29 2014 +0100 mfd: 88pm860x: Fix possible NULL pointer dereference on i2c_new_dummy error commit 159ce52a6b777fc82fa0b51c7440e25f9e4c6feb upstream. During probe the driver allocates dummy I2C device for companion chip with i2c_new_dummy() but it does not check the return value of this call. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by regmap_init_i2c(). If i2c_new_dummy() fails for companion device, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Jiri Slaby commit e1cfcc1b5dbafcde81abfe096c0f11226e8597d8 Author: Krzysztof Kozlowski Date: Tue Feb 11 10:12:25 2014 +0100 mfd: sec-core: Fix possible NULL pointer dereference when i2c_new_dummy error commit 65aba1e04916d72b30c028730a1e31860c225412 upstream. During probe the sec-core driver allocates dummy I2C device for RTC with i2c_new_dummy() but return value is not checked. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by devm_regmap_init_i2c() or i2c_unregister_device(). If i2c_new_dummy() fails for RTC device, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Jiri Slaby commit db4ea191a27b31e913d1321038905aa535ed9cf2 Author: Alexander Usyskin Date: Tue Apr 1 23:50:41 2014 +0300 mei: ignore client writing state during cb completion commit 34ec43661fe8f1977dd0f05353302ae2ed10aabb upstream. Ignore client writing state during cb completion to fix a memory leak. When moving cbs to the completion list we should not look at writing_state as this state can be already overwritten by next write, the fact that a cb is on the write waiting list means that it was already written to the HW and we can safely complete it. Same pays for wait in poll handler, we do not have to check the state wake is done after completion list processing. Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Signed-off-by: Jiri Slaby commit 9024178c0449f35dc82e50c22e3cd54830a425aa Author: Tomas Winkler Date: Tue Mar 25 21:25:18 2014 +0200 mei: me: do not load the driver if the FW doesn't support MEI interface commit 5e6533a6f52f1a8283b2f818f5828be99a417dd6 upstream. NM and SPS FW types that may run on ME device on server platforms do not have valid MEI/HECI interface and driver should not be bound to it as this might lead to system hung. In practice not all BIOSes effectively hide such devices from the OS and in some cases it is not possible. We determine FW type by examining Host FW status registers in order to unbind the driver. In this patch we are adding check for ME on Cougar Point, Lynx Point Devices Signed-off-by: Tomas Winkler Tested-by: Nikola Ciprich Signed-off-by: Jiri Slaby commit 70b37529182d7ad5e532a2a7326b419278067e79 Author: Tomas Winkler Date: Mon Mar 10 15:10:40 2014 +0200 mei: fix memory leak of pending write cb objects commit cc99ecfdac01215594c73907726b12f251c21e20 upstream. Write callbacks are released on the write completed path but when file handler is closed before the writes are completed those are left dangling on write and write_waiting queues. We add mei_io_list_free function to perform this task Also move static functions to client.c form client.h Signed-off-by: Tomas Winkler Signed-off-by: Alexander Usyskin Signed-off-by: Jiri Slaby commit 07888057250b55d641a31a0baecc78b5d5b61102 Author: Christian Borntraeger Date: Thu Mar 6 16:01:38 2014 +0100 KVM: s390: Optimize ucontrol path commit 2955c83f72801245afd0fe5c560cc75b82bea9aa upstream. Since commit 7c470539c95630c1f2a10f109e96f249730b75eb (s390/kvm: avoid automatic sie reentry) we will run through the C code of KVM on host interrupts instead of just reentering the guest. This will result in additional ucontrol exits (at least HZ per second). Let handle a 0 intercept in the kernel and dont return to userspace, even if in ucontrol mode. Signed-off-by: Christian Borntraeger Reviewed-by: Cornelia Huck Signed-off-by: Jiri Slaby commit afff7621bd106a71610f6c390b26c5ae21e2e2c6 Author: Sebastian Ott Date: Mon Jan 27 13:26:10 2014 +0100 s390/cio: fix driver callback initialization for ccw consoles commit 2253e8d79237c69086ded391e6767afe16972527 upstream. ccw consoles are in use before they can be properly registered with the driver core. For devices which are in use by a device driver we rely on the ccw_device's pointer to the driver callbacks to be valid. For ccw consoles this pointer is NULL until they are registered later during boot and we dereferenced this pointer. This worked by chance on 64 bit builds (cdev->drv was NULL but the optional callback cdev->drv->path_event was also NULL by coincidence) and was unnoticed until we received reports about boot failures on 31 bit systems. Fix it by initializing the driver pointer for ccw consoles. Reported-by: Mike Frysinger Reported-by: Heiko Carstens Reviewed-by: Peter Oberparleiter Signed-off-by: Sebastian Ott Signed-off-by: Martin Schwidefsky Signed-off-by: Jiri Slaby commit e3f6483f71315d42e8b168226cf6a5757e9c7c0f Author: Uwe Kleine-König Date: Tue Mar 25 15:51:50 2014 +0100 spi: efm32: use $vendor,$device scheme for compatible string commit 12f6dd860cf8bf036c0bec38c00a53da71bcd43a upstream. Wolfram Sang pointed out that "efm32,$device" is non-standard. So use the common scheme and prefix device with "efm32-". The old compatible string is left in place until arch/arm/boot/dts/efm32* is fixed. Signed-off-by: Uwe Kleine-König Acked-by: Wolfram Sang Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit 44c2e5161bd66b69d52dc25791dcf4c1a75576b9 Author: Lv Zheng Date: Wed Feb 26 10:29:40 2014 +0800 ACPICA: Restore code that repairs NULL package elements in return values. commit 61db45ca21630f5ab7f678d54c5d969c21647854 upstream. The original code was lost accidently, it was not generated along with the following commit of mechanism improvements and thus not get merged: Commit: d5a36100f62fa6db5541344e08b361b34e9114c5 Subject: ACPICA: Add mechanism for early object repairs on a per-name basis Adds the framework to allow object repairs very early in the return object analysis. Enables repairs like string->unicode, etc. This patch restores the implementation of the NULL element repair code for ACPI_RTYPE_NONE. In the original design, ACPI_RTYPE_NONE is defined to collect simple NULL object repairs. Lv Zheng. Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=67901 Signed-off-by: Lv Zheng Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Jiri Slaby commit 193d2f98c5cdfd87a0e5181b78e50c99df079c72 Author: Kailang Yang Date: Wed Apr 16 15:53:12 2014 +0800 ALSA: hda/realtek - Add headset Mic support for Dell machine commit 8dc9abb93dde94e7f2bc719032fe16f5713df05c upstream. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 2742de729fa6ea599ededc548492f14c4d0d87fd Author: Kailang Yang Date: Mon Apr 14 15:09:44 2014 +0800 ALSA: hda/realtek - Add support of ALC288 codec commit 7c66593286bcd153e4868383e675673a27071bd5 upstream. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 5460d06ca8c08ace11691e36cd1f75cd549dbc93 Author: Takashi Iwai Date: Thu Apr 3 11:51:21 2014 +0200 ALSA: hda - Fix silent speaker output due to mute LED fixup commit 415d555e6b398b00fc1733f0113065a54df9106a upstream. The recent fixups for HP laptops to support the mute LED made the speaker output silent on some machines. It turned out that they use the NID 0x18 for the speaker while it's also used for controlling the LED via VREF bits although the current driver code blindly assumes that such a node is a mic pin (where 0x18 is usually so). This patch fixes the problem by only changing the VREF bits and keeping the other pin ctl bits. Reported-and-tested-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit b927ac20ff03eb054ff1ba94885e95db60b0d55d Author: Takashi Iwai Date: Tue Apr 8 16:58:34 2014 +0200 ALSA: ice1712: Fix boundary checks in PCM pointer ops commit 4f8e940095536bc002a81666a4107a581c84e9b9 upstream. PCM pointer callbacks in ice1712 driver check the buffer size boundary wrongly between bytes and frames. This leads to PCM core warnings like: snd_pcm_update_hw_ptr0: 105 callbacks suppressed ALSA pcm_lib.c:352 BUG: pcmC3D0c:0, pos = 5461, buffer size = 5461, period size = 2730 This patch fixes these checks to be placed after the proper unit conversions. Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit f0be691a55d62e35dbad5a728a0127039abedcec Author: W. Trevor King Date: Sat Mar 29 17:47:24 2014 -0700 ALSA: hda - Enable beep for ASUS 1015E commit a4b7f21d7b42b33609df3f86992a8deff80abfaf upstream. The `lspci -nnvv` output contains (wrapped for line length): 00:1b.0 Audio device [0403]: Intel Corporation 7 Series/C210 Series Chipset Family High Definition Audio Controller [8086:1e20] (rev 04) Subsystem: ASUSTeK Computer Inc. Device [1043:115d] Signed-off-by: W. Trevor King Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit dad9ad4c5abeb681a9752f41838436c02ec1643a Author: Thomas Petazzoni Date: Wed Mar 26 00:33:58 2014 +0100 ARM: mvebu: ensure the mdio node has a clock reference on Armada 370/XP commit a6e03dd451c724f785277d8ecca5d1a0b886d892 upstream. The mvmdio driver accesses some register of the Ethernet unit. It therefore takes a reference and enables a clock. However, on Armada 370/XP, no clock specification was given in the Device Tree, which leads the mvmdio driver to fail when being used as a module and loaded before the mvneta driver: it tries to access a register from a hardware unit that isn't clocked. Signed-off-by: Thomas Petazzoni Link: https://lkml.kernel.org/r/1395790439-21332-2-git-send-email-thomas.petazzoni@free-electrons.com Acked-by: Andrew Lunn Acked-by: Gregory CLEMENT Signed-off-by: Jason Cooper Signed-off-by: Jiri Slaby commit 2e61ebe88c51ebfb8283798218fa62b263abb6af Author: Liu Hua Date: Fri Apr 18 07:45:36 2014 +0100 ARM: 8030/1: ARM : kdump : add arch_crash_save_vmcoreinfo commit 56b700fd6f1e49149880fb1b6ffee0dca5be45fb upstream. For vmcore generated by LPAE enabled kernel, user space utility such as crash needs additional infomation to parse. So this patch add arch_crash_save_vmcoreinfo as what PAE enabled i386 linux does. Reviewed-by: Will Deacon Signed-off-by: Liu Hua Signed-off-by: Russell King Signed-off-by: Jiri Slaby commit b988548f6a507b2240b27aeb61685336d43acb4b Author: Xiangyu Lu Date: Tue Apr 15 09:38:17 2014 +0100 ARM: 8027/1: fix do_div() bug in big-endian systems commit 80bb3ef109ff40a7593d9481c17de9bbc4d7c0e2 upstream. In big-endian systems, "%1" get the most significant part of the value, cause the instruction to get the wrong result. When viewing ftrace record in big-endian ARM systems, we found that the timestamp errors: swapper-0 [001] 1325.970000: 0:120:R ==> [001] 16:120:R events/1 events/1-16 [001] 1325.970000: 16:120:S ==> [001] 0:120:R swapper swapper-0 [000] 1325.1000000: 0:120:R + [000] 15:120:R events/0 swapper-0 [000] 1325.1000000: 0:120:R ==> [000] 15:120:R events/0 swapper-0 [000] 1326.030000: 0:120:R + [000] 1150:120:R sshd swapper-0 [000] 1326.030000: 0:120:R ==> [000] 1150:120:R sshd When viewed ftrace records, it will call the do_div(n, base) function, which achieved arch/arm/include/asm/div64.h in. When n = 10000000, base = 1000000, in do_div(n, base) will execute "umull %Q0, %R0, %1, %Q2". Reviewed-by: Dave Martin Reviewed-by: Nicolas Pitre Signed-off-by: Alex Wu Signed-off-by: Xiangyu Lu Signed-off-by: Russell King Signed-off-by: Jiri Slaby commit e3a299d078e3513ac1fba83a14105ebc40074734 Author: Christopher Covington Date: Wed Mar 19 18:12:25 2014 +0100 ARM: 8007/1: Remove extraneous kcmp syscall ignore commit 95c52fe063351192e0f4ffb70ef9bac1aa26f5a4 upstream. The kcmp system call was ported to ARM in commit 3f7d1fe108dbaefd0c57a41753fc2c90b395f458 "ARM: 7665/1: Wire up kcmp syscall". Fixes: 3f7d1fe108db ("ARM: 7665/1: Wire up kcmp syscall") Signed-off-by: Christopher Covington Signed-off-by: Russell King Signed-off-by: Jiri Slaby commit b8ce76f9e2d00ed6036c927c9943cb22c58c3550 Author: Andrew Lunn Date: Sat Feb 22 20:14:54 2014 +0100 ARM: Fix default CPU selection for ARCH_MULTI_V5 commit 12567bbdee7ea553237085a2bbc0ffa5240f5248 upstream. CPU_ARM926T should be selected if no other CPU is. Put the ! in the right place so this works. Signed-off-by: Andrew Lunn Acked-by: Arnd Bergmann Tested-by: Jason Gunthorpe Fixes: 24e860fbfdb1c ("ARM: multiplatform: always pick one CPU type") Signed-off-by: Jason Cooper Signed-off-by: Jiri Slaby commit 6f386df0c1baef73df821631e8d122032b940dd2 Author: Will Deacon Date: Fri Feb 7 19:12:27 2014 +0100 ARM: 7954/1: mm: remove remaining domain support from ARMv6 commit b6ccb9803e90c16b212cf4ed62913a7591e79a39 upstream. CPU_32v6 currently selects CPU_USE_DOMAINS if CPU_V6 and MMU. This is because ARM 1136 r0pX CPUs lack the v6k extensions, and therefore do not have hardware thread registers. The lack of these registers requires the kernel to update the vectors page at each context switch in order to write a new TLS pointer. This write must be done via the userspace mapping, since aliasing caches can lead to expensive flushing when using kmap. Finally, this requires the vectors page to be mapped r/w for kernel and r/o for user, which has implications for things like put_user which must trigger CoW appropriately when targetting user pages. The upshot of all this is that a v6/v7 kernel makes use of domains to segregate kernel and user memory accesses. This has the nasty side-effect of making device mappings executable, which has been observed to cause subtle bugs on recent cores (e.g. Cortex-A15 performing a speculative instruction fetch from the GIC and acking an interrupt in the process). This patch solves this problem by removing the remaining domain support from ARMv6. A new memory type is added specifically for the vectors page which allows that page (and only that page) to be mapped as user r/o, kernel r/w. All other user r/o pages are mapped also as kernel r/o. Patch co-developed with Russell King. Signed-off-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Jiri Slaby commit c7c39f7d9fc8add03e03480e7954f43670cb0f4e Author: Tomasz Figa Date: Fri Feb 14 07:43:54 2014 +0900 ARM: dts: Keep G3D regulator always on for exynos5250-arndale commit bfeda827278f09f4db35877e5f1ca9c149ca2890 upstream. Apparently, if G3D regulator is powered off, the SoC cannot enter low power modes and just hangs. This patch fixes this by keeping the regulator always on when the system is running, as suggested by Exynos 4 User's Manual in case of Exynos4210/4x12 SoCs (Exynos5250 UM does not have such note, but observed behavior seems to confirm that it is true for this SoC as well). This fixes an issue preventing Arndale board from entering sleep mode observed since commit 346f372f7b72a0 clk: exynos5250: Add CLK_IGNORE_UNUSED flag for pmu clock that landed in kernel 3.10, which has fixed the clock driver to make the SoC actually try to enter the sleep mode. Signed-off-by: Tomasz Figa Acked-by: Kyungmin Park Tested-by: Tushar Behera Signed-off-by: Kukjin Kim Signed-off-by: Jiri Slaby commit 1328f07fedaad59bc6812cb6c5492c48bc0991b6 Author: Mugunthan V N Date: Thu Mar 6 18:01:34 2014 +0530 ARM: dts: am33xx: correcting dt node unit address for usb commit 8abcdd680d543fb582371e146e62ba9f2af8a816 upstream. DT node's unit address should be its own register offset address to make it a unique across the system. This patch corrects the incorrect USB entries with correct register offset for unit address. Acked-by: Sebastian Andrzej Siewior Acked-by: Felipe Balbi Signed-off-by: Mugunthan V N Signed-off-by: Tony Lindgren Signed-off-by: Jiri Slaby commit 064dd736a45825e693253794e76c5ee6da686432 Author: Roger Quadros Date: Thu Apr 10 10:18:17 2014 +0300 ARM: OMAP3: hwmod data: Correct clock domains for USB modules commit c6c56697ae4bf1226263c19e8353343d7083f40e upstream. OMAP3 doesn't contain "l3_init_clkdm" clock domain. Use the proper clock domains for USB Host and USB TLL modules. Gets rid of the following warnings during boot omap_hwmod: usb_host_hs: could not associate to clkdm l3_init_clkdm omap_hwmod: usb_tll_hs: could not associate to clkdm l3_init_clkdm Reported-by: Nishanth Menon Cc: Paul Walmsley Signed-off-by: Roger Quadros Fixes: de231388cb80a8ef3e779bbfa0564ba0157b7377 ("ARM: OMAP: USB: EHCI and OHCI hwmod structures for OMAP3") Cc: Keshava Munegowda Cc: Partha Basak Signed-off-by: Paul Walmsley Signed-off-by: Jiri Slaby commit 738fd1242045c7feb1bf2df9979326e1c22614ee Author: Nishanth Menon Date: Wed Mar 12 16:43:20 2014 -0500 ARM: OMAP4: Fix definition of IS_PM44XX_ERRATUM commit 07484ca33ef83900f5cfbde075c1a19e5a237aa1 upstream. Just like IS_PM34XX_ERRATUM, IS_PM44XX_ERRATUM is valid only if CONFIG_PM is enabled, else, disabling CONFIG_PM results in build failure complaining about the following: arch/arm/mach-omap2/built-in.o: In function `omap4_boot_secondary': :(.text+0x8a70): undefined reference to `pm44xx_errata' Fixes: c962184 (ARM: OMAP4: PM: add errata support) Reported-by: Tony Lindgren Signed-off-by: Nishanth Menon Acked-by: Santosh Shilimkar Acked-by: Kevin Hilman Signed-off-by: Tony Lindgren Signed-off-by: Jiri Slaby commit 9430eeea04a92849bf543161db5179f7b66cda03 Author: Stefan Sørensen Date: Thu Mar 6 16:27:15 2014 +0100 ARM: OMAP2+: INTC: Acknowledge stuck active interrupts commit 698b48532539484b012fb7c4176b959d32a17d00 upstream. When an interrupt has become active on the INTC it will stay active until it is acked, even if masked or de-asserted. The INTC_PENDING_IRQn registers are however updated and since these are used by omap_intc_handle_irq to determine which interrupt to handle, it will never see the active interrupt. This will result in a storm of useless interrupts that is only stopped when another higher priority interrupt is asserted. Fix by sending the INTC an acknowledge if we find no interrupts to handle. Signed-off-by: Stefan Sørensen Signed-off-by: Tony Lindgren Signed-off-by: Jiri Slaby commit d99e424a4052d55ff492bcb19730420e96863d4c Author: Brian Austin Date: Tue Mar 18 13:56:21 2014 -0500 ASoC: cs42l73: Fix mask bits for SOC_VALUE_ENUM_SINGLE commit 1555b652970e541fa1cb80c61ffc696bbfb92bb7 upstream. The mask bits values were wrong for the SOC_VALUE_ENUM_SINGLE for the mono mix controls. Reported-by: Takashi Iwai Signed-off-by: Brian Austin Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit 5cfa0556c0e01c7ece64f08a5dc9865e4d60adaf Author: Brian Austin Date: Tue Mar 18 14:01:47 2014 -0500 ASoC: cs42l52: Fix mask bits for SOC_VALUE_ENUM_SINGLE commit d31a33dd7792c7d6c11fda226a3b9e4fb7f86f95 upstream. The mask bits values were wrong for the SOC_VALUE_ENUM_SINGLE for the PCM/ADC Swap controls Reported-by: Takashi Iwai Signed-off-by: Brian Austin Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit 0f08d367c2f0a03ef9e48c46fb6ed9df0b153e1e Author: Brian Austin Date: Wed Mar 19 10:40:02 2014 -0500 ASoC: cs42l51: Fix SOC_DOUBLE_R_SX_TLV shift values for ADC, PCM, and Analog kcontrols commit 7272e051157ccd5871b5d939548d0ba5a94a2965 upstream. The shift values for the ADC,PCM, and Analog kcontrols were wrong causing wrong values for the SOC_DOUBLE_R_SX_TLV macros Fixed the TLV for aout_tlv to show -102dB correctly Fixes: 1d99f2436d (ASoC: core: Rework SOC_DOUBLE_R_SX_TLV add SOC_SINGLE_SX_TLV) Reported-by: Thomas Petazzoni Signed-off-by: Brian Austin Signed-off-by: Mark Brown Signed-off-by: Jiri Slaby commit a7407e23995647e2ada050a2913b4e954cb0a373 Author: Catalin Marinas Date: Wed Mar 12 16:07:06 2014 +0000 arm64: Make DMA coherent and strongly ordered mappings not executable commit de2db7432917a82b62d55bb59635586eeca6d1bd upstream. pgprot_{dmacoherent,writecombine,noncached} don't need to generate executable mappings with side-effects like __sync_icache_dcache() being called when the mapping is in user space. Signed-off-by: Catalin Marinas Reported-by: Bharat Bhushan Tested-by: Laura Abbott Tested-by: Bharat Bhushan Signed-off-by: Jiri Slaby commit 66fe137aac722bff2ff2cb6798f2bee912276037 Author: Catalin Marinas Date: Wed Mar 12 16:28:09 2014 +0000 arm64: Do not synchronise I and D caches for special ptes commit 71fdb6bf61bf0692f004f9daf5650392c0cfe300 upstream. Special pte mappings are not intended to be executable and do not even have an associated struct page. This patch ensures that we do not call __sync_icache_dcache() on such ptes. Signed-off-by: Catalin Marinas Reported-by: Steve Capper Tested-by: Laura Abbott Tested-by: Bharat Bhushan Signed-off-by: Jiri Slaby commit daab4b1e4dfa0c580f1fcd7a69d65e83b7f54f2c Author: K. Y. Srinivasan Date: Tue May 6 15:14:42 2014 -0700 Drivers: hv: vmbus: Negotiate version 3.0 when running on ws2012r2 hosts commit 03367ef5ea811475187a0732aada068919e14d61 upstream. Only ws2012r2 hosts support the ability to reconnect to the host on VMBUS. This functionality is needed by kexec in Linux. To use this functionality we need to negotiate version 3.0 of the VMBUS protocol. This patch has been backported to apply against the 3.12 stable tree. Signed-off-by: K. Y. Srinivasan Cc: [3.9+] Signed-off-by: Jiri Slaby commit 4b6ea659ce4e37ffab2f6f4aac9582d3af5ec857 Author: K. Y. Srinivasan Date: Wed Jan 15 17:12:58 2014 -0800 Drivers: hv: vmbus: Specify the target CPU that should receive notification commit e28bab4828354583bb66ac09021ca69b341a7db4 upstream. During the initial VMBUS connect phase, starting with WS2012 R2, we should specify the VPCU in the guest that should receive the notification. Fix this issue. This fix is required to properly connect to the host in the kexeced kernel. Signed-off-by: K. Y. Srinivasan Cc: [3.9+] Signed-off-by: Greg Kroah-Hartman Signed-off-by: Jiri Slaby commit 1c5c8cebd7ab71c77debc63e74ec51fa3c63f9be Author: Nicholas Bellinger Date: Tue May 6 17:32:53 2014 +0000 iser-target: Add missing se_cmd put for WRITE_PENDING in tx_comp_err commit 03e7848a64ed535a30f5d7fc6dede2d5a6a2534b upstream. This patch fixes a bug where outstanding RDMA_READs with WRITE_PENDING status require an extra target_put_sess_cmd() in isert_put_cmd() code when called from isert_cq_tx_comp_err() + isert_cq_drain_comp_llist() context during session shutdown. The extra kref PUT is required so that transport_generic_free_cmd() invokes the last target_put_sess_cmd() -> target_release_cmd_kref(), which will complete(&se_cmd->cmd_wait_comp) the outstanding se_cmd descriptor with WRITE_PENDING status, and awake the completion in target_wait_for_sess_cmds() to invoke TFO->release_cmd(). The bug was manifesting itself in target_wait_for_sess_cmds() where a se_cmd descriptor with WRITE_PENDING status would end up sleeping indefinately. (Fix up v3.12.y context changes - nab) Acked-by: Sagi Grimberg Cc: Or Gerlitz Cc: #3.10+ Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit ce2a2e7f7a4d8cfbe16bc248b325fccc983d752d Author: Nicholas Bellinger Date: Tue May 6 17:32:52 2014 +0000 iser-target: Match FRMR descriptors to available session tags commit f46d6a8a01d6bbd83a97140f30a72a89b038807b upstream. This patch changes isert_conn_create_fastreg_pool() to follow logic in iscsi_target_locate_portal() for determining how many FRMR descriptors to allocate based upon the number of possible per-session command slots that are available. This addresses an OOPs in isert_reg_rdma() where due to the use of ISCSI_DEF_XMIT_CMDS_MAX could end up returning a bogus fast_reg_descriptor when the number of active tags exceeded the original hardcoded max. Note this also includes moving isert_conn_create_fastreg_pool() from isert_connect_request() to isert_put_login_tx() before posting the final Login Response PDU in order to determine the se_nacl->queue_depth (eg: number of tags) per session the target will be enforcing. v2 changes: - Move isert_conn->conn_fr_pool list_head init into isert_conn_request() v3 changes: - Drop unnecessary list_empty() check in isert_reg_rdma() (Sagi) (Fix up v3.12.y context changes - nab) Cc: Sagi Grimberg Cc: Or Gerlitz Cc: #3.12+ Signed-off-by: Nicholas Bellinger Signed-off-by: Jiri Slaby commit 5c9b463ca49ed99558585628a608b0914179eee9 Author: Hui Wang Date: Tue Jan 14 14:07:36 2014 +0800 ALSA: hda - automute via amp instead of pinctl on some AIO models commit 493a52a9b6645f61954580c7d4bd52fa62110934 upstream. On some AIO (All In One) models with the codec alc668 (Vendor ID: 0x10ec0668) on it, when we plug a headphone into the jack, the system will switch the output to headphone and set the speaker to automute as well as change the speaker Pin-ctls from 0x40 to 0x00, this will bring loud noise to the headphone. I tried to disable the corresponding EAPD, but it did not help to eliminate the noise. According to Takashi's suggestion, we use amp operation to replace the pinctl modification for the automute, this really eliminate the noise. BugLink: https://bugs.launchpad.net/bugs/1268468 Cc: David Henningsson Cc: stable@vger.kernel.org Signed-off-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby commit 7aa1bde8f6143b2db33e6567a8c3a4debaa246f4 Author: Bart Van Assche Date: Wed Oct 16 14:20:25 2013 +0200 dlm: Avoid that dlm_release_lockspace() incorrectly returns -EBUSY commit a97f4a66d8ee4faf0f31cc4ad3f4aa0baef23fc7 upstream. When dlm_release_lockspace(ls, 1) is invoked on a busy system immediately after the last dlm_unlock() AST has finished it can occur that lkb_idr_is_local() is invoked for the unlocked LKB since removal from ls_lkbidr only occurs after the AST has returned. If that happens dlm_release_lockspace(ls, 1) will return -EBUSY instead of releasing the lockspace. Fix this race condition by changing lkb_idr_is_local() such that it only returns true for LKB's that have not yet been unlocked. Signed-off-by: Bart Van Assche Signed-off-by: David Teigland Signed-off-by: Jiri Slaby