commit 3729ed7c6aa8c5b9eee8f832e4a246b8fa1d56b5 Author: Greg Kroah-Hartman Date: Wed Nov 13 12:05:59 2013 +0900 Linux 3.10.19 commit cfa234b144de51eb96e877ee0bee47a3420e8bed Author: Jon Mason Date: Tue Jul 30 15:58:49 2013 -0700 NTB: Correct debugfs to work with more than 1 NTB Device commit 1517a3f21a1dd321f16bcf44204bddff9d21abd0 upstream. Debugfs was setup in NTB to only have a single debugfs directory. This resulted in the leaking of debugfs directories and files when multiple NTB devices were present, due to each device stomping on the variables containing the previous device's values (thus preventing them from being freed on cleanup). Correct this by creating a secondary directory of the PCI BDF for each device present, and nesting the previously existing information in those directories. Signed-off-by: Jon Mason Signed-off-by: Greg Kroah-Hartman commit 8293fc2416f0eb13ff81501b31f0206c5331b9cb Author: Jon Mason Date: Fri May 31 14:05:53 2013 -0700 NTB: Correct USD/DSD Identification commit b6750cfe0710a14fd147ba27fddbecae8ba88c77 upstream. Due to ambiguous documentation, the USD/DSD identification is backward when compared to the setting in BIOS. Correct the bits to match the BIOS setting. Signed-off-by: Jon Mason Signed-off-by: Greg Kroah-Hartman commit 576db18cb68483e6e54f18dfda4b9c24f7e07dfe Author: Jon Mason Date: Mon Jul 15 15:26:14 2013 -0700 NTB: Correct Number of Scratch Pad Registers commit 87034511519815259e37336f52edf06d114d43b6 upstream. The NTB Xeon hardware has 16 scratch pad registers and 16 back-to-back scratch pad registers. Correct the #define to represent this and update the variable names to reflect their usage. Signed-off-by: Jon Mason Signed-off-by: Greg Kroah-Hartman commit 21720562911f038d7406654e7ea0c171cfac47b8 Author: Jon Mason Date: Mon Jul 15 13:23:47 2013 -0700 NTB: Add Error Handling in ntb_device_setup commit 3b12a0d15bd1559e72ad21d9d807fd2a6706f0ab upstream. If an error is encountered in ntb_device_setup, it is possible that the spci_cmd isn't populated. Writes to the offset can result in a NULL pointer dereference. This issue is easily encountered by running in NTB-RP mode, as it currently is not supported and will generate an error. To get around this issue, return if an error is encountered prior to attempting to write to the spci_cmd offset. Signed-off-by: Jon Mason Signed-off-by: Greg Kroah-Hartman commit dad483b78d280665a110591fd418535e0f9791dc Author: Gu Zheng Date: Fri Oct 25 18:15:06 2013 +0800 seq_file: always update file->f_pos in seq_lseek() commit 05e16745c0c471bba313961b605b6da3b21a853d upstream. This issue was first pointed out by Jiaxing Wang several months ago, but no further comments: https://lkml.org/lkml/2013/6/29/41 As we know pread() does not change f_pos, so after pread(), file->f_pos and m->read_pos become different. And seq_lseek() does not update file->f_pos if offset equals to m->read_pos, so after pread() and seq_lseek()(lseek to m->read_pos), then a subsequent read may read from a wrong position, the following program produces the problem: char str1[32] = { 0 }; char str2[32] = { 0 }; int poffset = 10; int count = 20; /*open any seq file*/ int fd = open("/proc/modules", O_RDONLY); pread(fd, str1, count, poffset); printf("pread:%s\n", str1); /*seek to where m->read_pos is*/ lseek(fd, poffset+count, SEEK_SET); /*supposed to read from poffset+count, but this read from position 0*/ read(fd, str2, count); printf("read:%s\n", str2); out put: pread: ck_netbios_ns 12665 read: nf_conntrack_netbios /proc/modules: nf_conntrack_netbios_ns 12665 0 - Live 0xffffffffa038b000 nf_conntrack_broadcast 12589 1 nf_conntrack_netbios_ns, Live 0xffffffffa0386000 So we always update file->f_pos to offset in seq_lseek() to fix this issue. Signed-off-by: Jiaxing Wang Signed-off-by: Gu Zheng Signed-off-by: Al Viro Cc: Jonghwan Choi Signed-off-by: Greg Kroah-Hartman commit 2233b4db914786e69960d717a3019c87ba3bb5a5 Author: Alex Deucher Date: Thu Oct 10 16:45:27 2013 -0400 drm/radeon/atom: workaround vbios bug in transmitter table on rs780 commit c23632d4e57c0dd20bf50eca08fa0eb8ad3ff680 upstream. Some rs780 asics seem to be affected as well. See: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=91f3a6aaf280294b07c05dfe606e6c27b7ba3c72 Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=60791 Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 9c1aab0da00ed04f096fabc4136241cb45f92cc1 Author: Chris Wilson Date: Wed Oct 16 09:49:02 2013 +0100 drm: Pad drm_mode_get_connector to 64-bit boundary commit bc5bd37ce48c66e9192ad2e7231e9678880f6f8e upstream. Pavel Roskin reported that DRM_IOCTL_MODE_GETCONNECTOR was overwritting the 4 bytes beyond the end of its structure with a 32-bit userspace running on a 64-bit kernel. This is due to the padding gcc inserts as the drm_mode_get_connector struct includes a u64 and its size is not a natural multiple of u64s. 64-bit kernel: sizeof(drm_mode_get_connector)=80, alignof=8 sizeof(drm_mode_get_encoder)=20, alignof=4 sizeof(drm_mode_modeinfo)=68, alignof=4 32-bit userspace: sizeof(drm_mode_get_connector)=76, alignof=4 sizeof(drm_mode_get_encoder)=20, alignof=4 sizeof(drm_mode_modeinfo)=68, alignof=4 Fortuituously we can insert explicit padding to the tail of our structures without breaking ABI. Reported-by: Pavel Roskin Signed-off-by: Chris Wilson Cc: Dave Airlie Cc: dri-devel@lists.freedesktop.org Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 45da934f7431181cd1ccc33b4d138dc41c2cd1ba Author: Chris Wilson Date: Wed Oct 16 11:22:44 2013 +0100 drm: Prevent overwriting from userspace underallocating core ioctl structs commit b062672e305ce071f21eb9e18b102c2a430e0999 upstream. Apply the protections from commit 1b2f1489633888d4a06028315dc19d65768a1c05 Author: Dave Airlie Date: Sat Aug 14 20:20:34 2010 +1000 drm: block userspace under allocating buffer and having drivers overwrite it (v2) to the core ioctl structs as well, for we found one instance where there is a 32-/64-bit size mismatch and were guilty of writing beyond the end of the user's buffer. Signed-off-by: Chris Wilson Cc: Dave Airlie Reviewed-by: Ville Syrjälä Cc: dri-devel@lists.freedesktop.org Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 09c2c79ce6e82b226262e667971db7f4a666e430 Author: Thomas Hellstrom Date: Wed Oct 9 01:42:51 2013 -0700 drm/vmwgfx: Don't kill clients on VT switch commit c4249855ac5b2a383704d31e040d3831d6a25c6f upstream. DRI clients that tried to grab the TTM lock when the master (X server) was switched away during a VT switch were sent the SIGTERM signal by the kernel. Fix this so that they are only sent that signal when the master has exited. Signed-off-by: Thomas Hellstrom Reviewed-by: Jakob Bornecrantz Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 0d6d09974ba93877afa53f5ce5ce89f20b3dfe20 Author: Thomas Hellstrom Date: Wed Oct 9 01:42:50 2013 -0700 drm/vmwgfx: Don't put resources with invalid id's on lru list commit 26682480c202e7360cbcdc3bc9e962bf749c6b8d upstream. The evict code may try to swap them out causing a BUG in the destroy function. Signed-off-by: Thomas Hellstrom Reviewed-by: Jakob Bornecrantz Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 7bff7accd427da171501b558457ef8fa81ee2767 Author: Zhang Yanfei Date: Mon Jul 8 16:00:19 2013 -0700 mm/vmalloc.c: fix an overflow bug in alloc_vmap_area() commit bcb615a81b1765864c71c50afb56631e7a1e5283 upstream. When searching a vmap area in the vmalloc space, we use (addr + size - 1) to check if the value is less than addr, which is an overflow. But we assign (addr + size) to vmap_area->va_end. So if we come across the below case: (addr + size - 1) : not overflow (addr + size) : overflow we will assign an overflow value (e.g 0) to vmap_area->va_end, And this will trigger BUG in __insert_vmap_area, causing system panic. So using (addr + size) to check the overflow should be the correct behaviour, not (addr + size - 1). Signed-off-by: Zhang Yanfei Reported-by: Ghennadi Procopciuc Tested-by: Daniel Baluta Cc: David Rientjes Cc: Minchan Kim Cc: KOSAKI Motohiro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Anatoly Muliarski Signed-off-by: Greg Kroah-Hartman commit 18b683a2334848c003fe89e3002244ca298544f4 Author: Chen LinX Date: Wed Oct 30 13:56:18 2013 -0700 mm/pagewalk.c: fix walk_page_range() access of wrong PTEs commit 3017f079efd6af199b0852b5c425364513db460e upstream. When walk_page_range walk a memory map's page tables, it'll skip VM_PFNMAP area, then variable 'next' will to assign to vma->vm_end, it maybe larger than 'end'. In next loop, 'addr' will be larger than 'next'. Then in /proc/XXXX/pagemap file reading procedure, the 'addr' will growing forever in pagemap_pte_range, pte_to_pagemap_entry will access the wrong pte. BUG: Bad page map in process procrank pte:8437526f pmd:785de067 addr:9108d000 vm_flags:00200073 anon_vma:f0d99020 mapping: (null) index:9108d CPU: 1 PID: 4974 Comm: procrank Tainted: G B W O 3.10.1+ #1 Call Trace: dump_stack+0x16/0x18 print_bad_pte+0x114/0x1b0 vm_normal_page+0x56/0x60 pagemap_pte_range+0x17a/0x1d0 walk_page_range+0x19e/0x2c0 pagemap_read+0x16e/0x200 vfs_read+0x84/0x150 SyS_read+0x4a/0x80 syscall_call+0x7/0xb Signed-off-by: Liu ShuoX Signed-off-by: Chen LinX Acked-by: Kirill A. Shutemov Reviewed-by: Naoya Horiguchi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e86100b54cd487c13956f09f2c38955f1a1a0909 Author: Mel Gorman Date: Mon Oct 7 11:28:47 2013 +0100 mm: Account for a THP NUMA hinting update as one PTE update commit 0255d491848032f6c601b6410c3b8ebded3a37b1 upstream. A THP PMD update is accounted for as 512 pages updated in vmstat. This is large difference when estimating the cost of automatic NUMA balancing and can be misleading when comparing results that had collapsed versus split THP. This patch addresses the accounting issue. Signed-off-by: Mel Gorman Reviewed-by: Rik van Riel Cc: Andrea Arcangeli Cc: Johannes Weiner Cc: Srikar Dronamraju Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/1381141781-10992-10-git-send-email-mgorman@suse.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit a490bb33b51d0fc625c87ed5fff1edfd3a2afeb0 Author: Mel Gorman Date: Mon Oct 7 11:28:46 2013 +0100 mm: Close races between THP migration and PMD numa clearing commit 3f926ab945b60a5824369d21add7710622a2eac0 upstream. THP migration uses the page lock to guard against parallel allocations but there are cases like this still open Task A Task B --------------------- --------------------- do_huge_pmd_numa_page do_huge_pmd_numa_page lock_page mpol_misplaced == -1 unlock_page goto clear_pmdnuma lock_page mpol_misplaced == 2 migrate_misplaced_transhuge pmd = pmd_mknonnuma set_pmd_at During hours of testing, one crashed with weird errors and while I have no direct evidence, I suspect something like the race above happened. This patch extends the page lock to being held until the pmd_numa is cleared to prevent migration starting in parallel while the pmd_numa is being cleared. It also flushes the old pmd entry and orders pagetable insertion before rmap insertion. Signed-off-by: Mel Gorman Reviewed-by: Rik van Riel Cc: Andrea Arcangeli Cc: Johannes Weiner Cc: Srikar Dronamraju Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/1381141781-10992-9-git-send-email-mgorman@suse.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 174dfa40d63b2250e299d5376937d200e4662b7c Author: Mel Gorman Date: Mon Oct 7 11:28:45 2013 +0100 mm: numa: Sanitize task_numa_fault() callsites commit c61109e34f60f6e85bb43c5a1cd51c0e3db40847 upstream. There are three callers of task_numa_fault(): - do_huge_pmd_numa_page(): Accounts against the current node, not the node where the page resides, unless we migrated, in which case it accounts against the node we migrated to. - do_numa_page(): Accounts against the current node, not the node where the page resides, unless we migrated, in which case it accounts against the node we migrated to. - do_pmd_numa_page(): Accounts not at all when the page isn't migrated, otherwise accounts against the node we migrated towards. This seems wrong to me; all three sites should have the same sementaics, furthermore we should accounts against where the page really is, we already know where the task is. So modify all three sites to always account; we did after all receive the fault; and always account to where the page is after migration, regardless of success. They all still differ on when they clear the PTE/PMD; ideally that would get sorted too. Signed-off-by: Mel Gorman Reviewed-by: Rik van Riel Cc: Andrea Arcangeli Cc: Johannes Weiner Cc: Srikar Dronamraju Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/1381141781-10992-8-git-send-email-mgorman@suse.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 299723f2297726ca4c0a9d8ef3548ece5466431d Author: Mel Gorman Date: Mon Oct 7 11:28:44 2013 +0100 mm: Prevent parallel splits during THP migration commit 587fe586f44a48f9691001ba6c45b86c8e4ba21f upstream. THP migrations are serialised by the page lock but on its own that does not prevent THP splits. If the page is split during THP migration then the pmd_same checks will prevent page table corruption but the unlock page and other fix-ups potentially will cause corruption. This patch takes the anon_vma lock to prevent parallel splits during migration. Signed-off-by: Mel Gorman Reviewed-by: Rik van Riel Cc: Andrea Arcangeli Cc: Johannes Weiner Cc: Srikar Dronamraju Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/1381141781-10992-7-git-send-email-mgorman@suse.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 2e39395e03fe936171a8b45894cbf75ccfae0375 Author: Mel Gorman Date: Mon Oct 7 11:28:43 2013 +0100 mm: Wait for THP migrations to complete during NUMA hinting faults commit 42836f5f8baa33085f547098b74aa98991ee9216 upstream. The locking for migrating THP is unusual. While normal page migration prevents parallel accesses using a migration PTE, THP migration relies on a combination of the page_table_lock, the page lock and the existance of the NUMA hinting PTE to guarantee safety but there is a bug in the scheme. If a THP page is currently being migrated and another thread traps a fault on the same page it checks if the page is misplaced. If it is not, then pmd_numa is cleared. The problem is that it checks if the page is misplaced without holding the page lock meaning that the racing thread can be migrating the THP when the second thread clears the NUMA bit and faults a stale page. This patch checks if the page is potentially being migrated and stalls using the lock_page if it is potentially being migrated before checking if the page is misplaced or not. Signed-off-by: Mel Gorman Reviewed-by: Rik van Riel Cc: Andrea Arcangeli Cc: Johannes Weiner Cc: Srikar Dronamraju Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/1381141781-10992-6-git-send-email-mgorman@suse.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 699ba929e88a0c2b172e7beebf10fd37ef120142 Author: Mel Gorman Date: Mon Oct 7 11:28:42 2013 +0100 mm: numa: Do not account for a hinting fault if we raced commit 1dd49bfa3465756b3ce72214b58a33e4afb67aa3 upstream. If another task handled a hinting fault in parallel then do not double account for it. Signed-off-by: Mel Gorman Reviewed-by: Rik van Riel Cc: Andrea Arcangeli Cc: Johannes Weiner Cc: Srikar Dronamraju Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/1381141781-10992-5-git-send-email-mgorman@suse.de Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 165b4f8bf37ba929924e9099bd9a1ee5031cf4e7 Author: Jonathan Austin Date: Tue Jul 23 16:42:18 2013 +0100 clk: fixup argument order when setting VCO parameters commit 2f9f64bc5aa31836810cd25301aa4772ad73ebab upstream. The order of arguments in the call to vco_set() for the ICST clocks appears to have been switched in error, which results in the VCO not being initialised correctly. This in turn stops the integrated LCD on things like Integrator/CP from working correctly. This patch fixes the order and restores the expected functionality. Reviewed-by: Linus Walleij Signed-off-by: Jonathan Austin Signed-off-by: Mike Turquette Signed-off-by: Greg Kroah-Hartman commit a33ed3974e7b75af36553589e7810da9d8b22382 Author: Dan Carpenter Date: Tue Oct 29 22:11:06 2013 +0300 aacraid: missing capable() check in compat ioctl commit f856567b930dfcdbc3323261bf77240ccdde01f5 upstream. In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the check as well. Signed-off-by: Dan Carpenter Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e14594cd658f655ae3384fcc3ec8c345b36cd4d0 Author: Ming Lei Date: Thu Oct 31 16:34:17 2013 -0700 lib/scatterlist.c: don't flush_kernel_dcache_page on slab page commit 3d77b50c5874b7e923be946ba793644f82336b75 upstream. Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper functions") introduces two sg buffer copy helpers, and calls flush_kernel_dcache_page() on pages in SG list after these pages are written to. Unfortunately, the commit may introduce a potential bug: - Before sending some SCSI commands, kmalloc() buffer may be passed to block layper, so flush_kernel_dcache_page() can see a slab page finally - According to cachetlb.txt, flush_kernel_dcache_page() is only called on "a user page", which surely can't be a slab page. - ARCH's implementation of flush_kernel_dcache_page() may use page mapping information to do optimization so page_mapping() will see the slab page, then VM_BUG_ON() is triggered. Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled, and this patch fixes the bug by adding test of '!PageSlab(miter->page)' before calling flush_kernel_dcache_page(). Signed-off-by: Ming Lei Reported-by: Aaro Koskinen Tested-by: Simon Baatz Cc: Russell King - ARM Linux Cc: Will Deacon Cc: Aaro Koskinen Acked-by: Catalin Marinas Cc: FUJITA Tomonori Cc: Tejun Heo Cc: "James E.J. Bottomley" Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c79c7ad9d1398787f907f85afc44cf7d6623027d Author: Linus Torvalds Date: Tue Oct 29 10:21:34 2013 -0700 Fix a few incorrectly checked [io_]remap_pfn_range() calls commit 7314e613d5ff9f0934f7a0f74ed7973b903315d1 upstream. Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that really should use the vm_iomap_memory() helper. This trivially converts two of them to the helper, and comments about why the third one really needs to continue to use remap_pfn_range(), and adds the missing size check. Reported-by: Nico Golde Signed-off-by: Linus Torvalds commit f1e65e494c7914220ac6d87caa126114f46ac462 Author: Al Viro Date: Sat May 11 12:37:38 2013 -0400 au1200fb: io_remap_pfn_range() sets VM_IO commit 1fca06fafb235a88c4fa91294aa1726c0e22855b upstream. ... and single return is quite sufficient to get out of function, TYVM Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit a4c8ae2e72bdb85f6dfdfad82bec0df1e2749ac5 Author: Al Viro Date: Sat May 11 12:38:38 2013 -0400 au1100fb: VM_IO is set by io_remap_pfn_range() commit c607f450f6e49f5794f27617bedc638b51044d2e upstream. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 5fa25ee0bde3ad47e99e9877313a36a9ace95b72 Author: Uwe Kleine-König Date: Wed Aug 7 13:02:53 2013 +0200 uio: provide vm access to UIO_MEM_PHYS maps commit 7294151d0592e0ff48c61fca9fd7c93d613134da upstream. This makes it possible to let gdb access mappings of the process that is being debugged. uio_mmap_logical was moved and uio_vm_ops renamed to group related code and differentiate to new stuff. Signed-off-by: Uwe Kleine-König Signed-off-by: Greg Kroah-Hartman commit f80d1c35d87072b46bf47f323f8051c4a5073fb4 Author: Uwe Kleine-König Date: Wed Aug 7 13:02:52 2013 +0200 mm: make generic_access_phys available for modules commit 5a73633ef01cd8772defa6a3c34a588376a1df4c upstream. In the next commit this function will be used in the uio subsystem Signed-off-by: Uwe Kleine-König Signed-off-by: Greg Kroah-Hartman commit 54a702cb065e49976f61d2130c16f585bfba6c44 Author: Baruch Siach Date: Tue Oct 15 02:22:43 2013 +0400 xtensa: don't use alternate signal stack on threads commit cba9a90053e3b7973eff4f1946f33032e98eeed5 upstream. According to create_thread(3): "The new thread does not inherit the creating thread's alternate signal stack". Since commit f9a3879a (Fix sigaltstack corruption among cloned threads), current->sas_ss_size is set to 0 for cloned processes sharing VM with their parent. Don't use the (nonexistent) alternate signal stack in this case. This has been broken since commit 29c4dfd9 ([XTENSA] Remove non-rt signal handling). Fixes the SA_ONSTACK part of the nptl/tst-cancel20 test from uClibc. Signed-off-by: Baruch Siach Signed-off-by: Max Filippov Signed-off-by: Chris Zankel Signed-off-by: Greg Kroah-Hartman commit 079584656265347f310c75fac6f863a6280a17e4 Author: Dan Carpenter Date: Tue Oct 29 22:06:04 2013 +0300 uml: check length in exitcode_proc_write() commit 201f99f170df14ba52ea4c52847779042b7a623b upstream. We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e668dd8e47c2bc39c7bc31529dbe21c6169290bf Author: Dan Carpenter Date: Tue Oct 29 23:00:15 2013 +0300 staging: wlags49_h2: buffer overflow setting station name commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream. We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated. You need CAP_NET_ADMIN to trigger these so it's not the end of the world. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2958a1199ee79b5ad4cb80a4bf8da95ac602d796 Author: Dan Carpenter Date: Tue Oct 29 23:01:43 2013 +0300 Staging: sb105x: info leak in mp_get_count() commit a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 upstream. The icount.reserved[] array isn't initialized so it leaks stack information to userspace. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 421a5dcd03c36833cfe3923b6943e999c3770973 Author: Dan Carpenter Date: Tue Oct 29 23:01:11 2013 +0300 Staging: bcm: info leak in ioctl commit 8d1e72250c847fa96498ec029891de4dc638a5ba upstream. The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel information to user space. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a2f8eb6acf8b40793f3b798b0a63800f38707444 Author: Dan Carpenter Date: Tue Oct 29 22:07:47 2013 +0300 staging: ozwpan: prevent overflow in oz_cdev_write() commit c2c65cd2e14ada6de44cb527e7f1990bede24e15 upstream. We need to check "count" so we don't overflow the ei->data buffer. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2ca317899d45d60805b0b5dc9b6f879a8f93f7c6 Author: Takashi Iwai Date: Mon Oct 28 14:21:49 2013 +0100 ASoC: dapm: Fix source list debugfs outputs commit ff18620c2157671a8ee21ebb8e6a3520ea209b1f upstream. ... due to a copy & paste error. Spotted by coverity CID 710923. Signed-off-by: Takashi Iwai Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 0492665d67bb7bdff10f3027a26b9c145fe73ddb Author: Takashi Iwai Date: Wed Oct 30 08:35:02 2013 +0100 ASoC: wm_hubs: Add missing break in hp_supply_event() commit 268ff14525edba31da29a12a9dd693cdd6a7872e upstream. Spotted by coverity CID 115170. Signed-off-by: Takashi Iwai Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 58dc7706bb9becb535e8861c7b8f33d604381710 Author: Russell King Date: Thu Oct 31 15:01:37 2013 +0000 ALSA: fix oops in snd_pcm_info() caused by ASoC DPCM commit a4461f41b94cb52e0141af717dcf4ef6558c8e2e upstream. Unable to handle kernel NULL pointer dereference at virtual address 00000008 pgd = d5300000 [00000008] *pgd=0d265831, *pte=00000000, *ppte=00000000 Internal error: Oops: 17 [#1] PREEMPT ARM CPU: 0 PID: 2295 Comm: vlc Not tainted 3.11.0+ #755 task: dee74800 ti: e213c000 task.ti: e213c000 PC is at snd_pcm_info+0xc8/0xd8 LR is at 0x30232065 pc : [] lr : [<30232065>] psr: a0070013 sp : e213dea8 ip : d81cb0d0 fp : c05f7678 r10: c05f7770 r9 : fffffdfd r8 : 00000000 r7 : d8a968a8 r6 : d8a96800 r5 : d8a96200 r4 : d81cb000 r3 : 00000000 r2 : d81cb000 r1 : 00000001 r0 : d8a96200 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 15300019 DAC: 00000015 Process vlc (pid: 2295, stack limit = 0xe213c248) [] (snd_pcm_info) from [] (snd_pcm_info_user+0x34/0x9c) [] (snd_pcm_info_user) from [] (snd_pcm_control_ioctl+0x274/0x280) [] (snd_pcm_control_ioctl) from [] (snd_ctl_ioctl+0xc0/0x55c) [] (snd_ctl_ioctl) from [] (do_vfs_ioctl+0x80/0x31c) [] (do_vfs_ioctl) from [] (SyS_ioctl+0x3c/0x60) [] (SyS_ioctl) from [] (ret_fast_syscall+0x0/0x48) Code: e1a00005 e59530dc e3a01001 e1a02004 (e5933008) ---[ end trace cb3d9bdb8dfefb3c ]--- This is provoked when the ASoC front end is open along with its backend, (which causes the backend to have a runtime assigned to it) and then the SNDRV_CTL_IOCTL_PCM_INFO is requested for the (visible) backend device. Resolve this by ensuring that ASoC internal backend devices are not visible to userspace, just as the commentry for snd_pcm_new_internal() says it should be. Signed-off-by: Russell King Acked-by: Mark Brown Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f08830dbf7af3b9c551d3112425a2d1b3c2757df Author: Takashi Iwai Date: Wed Oct 30 12:29:40 2013 +0100 ALSA: hda - Add a fixup for ASUS N76VZ commit 6fc16e58adf50c0f1e4478538983fb5ff6f453d4 upstream. ASUS N76VZ needs the same fixup as N56VZ for supporting the boost speaker. Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=846529 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit c9e32ffdbe042276914daac9cdc737b8896eace6 Author: Takashi Iwai Date: Thu Oct 24 01:20:24 2013 +0200 ALSA: hda - Fix unbalanced runtime PM refcount after S3/S4 commit e6bbe666673ab044a3d39ddb74e4d9a401cf1d6f upstream. When a machine goes to S3/S4 after power-save is enabled, the runtime PM refcount might be incorrectly decreased because the power-down triggered soon after resume assumes that the controller was already powered up, and issues the pm_notify down. This patch fixes the incorrect pm_notify call simply by checking the current value properly. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8fde18bd74c8f30094bc47edf2c9ed19478661de Author: Takashi Iwai Date: Fri Oct 25 23:43:10 2013 +0200 ALSA: hda - Add missing initial vmaster hook at build_controls callback commit b63eae0a6c84839275a4638a7baa391be965cd0e upstream. The generic parser has a support of vmaster hook, but this is initialized only in the init callback with the check of the presence of the corresponding kctl. However, since kctl is NULL at the very first init callback that is called before build_controls callback, the vmaster hook sync is skipped there. Eventually this leads to the uninitialized state depending on the hook implementation. This patch adds a simple workaround, just calling the sync function explicitly at build_controls callback. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 40a894023d9a4c58379eb4f2ac12e40a2fe014d3 Author: Vineet Gupta Date: Sat Nov 2 17:47:49 2013 +0530 ARC: Incorrect mm reference used in vmalloc fault handler commit 9c41f4eeb9d51f3ece20428d35a3ea32cf3b5622 upstream. A vmalloc fault needs to sync up PGD/PTE entry from init_mm to current task's "active_mm". ARC vmalloc fault handler however was using mm. A vmalloc fault for non user task context (actually pre-userland, from init thread's open for /dev/console) caused the handler to deref NULL mm (for mm->pgd) The reasons it worked so far is amazing: 1. By default (!SMP), vmalloc fault handler uses a cached value of PGD. In SMP that MMU register is repurposed hence need for mm pointer deref. 2. In pre-3.12 SMP kernel, the problem triggering vmalloc didn't exist in pre-userland code path - it was introduced with commit 20bafb3d23d108bc "n_tty: Move buffers into n_tty_data" Signed-off-by: Vineet Gupta Cc: Gilad Ben-Yossef Cc: Noam Camus Cc: Peter Hurley Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 27b840ea211f8a36fadabaa07ef94fb1b45730c3 Author: Ming Lei Date: Sat Nov 2 09:11:33 2013 +1030 scripts/kallsyms: filter symbols not in kernel address space commit f6537f2f0eba4eba3354e48dbe3047db6d8b6254 upstream. This patch uses CONFIG_PAGE_OFFSET to filter symbols which are not in kernel address space because these symbols are generally for generating code purpose and can't be run at kernel mode, so we needn't keep them in /proc/kallsyms. For example, on ARM there are some symbols which may be linked in relocatable code section, then perf can't parse symbols any more from /proc/kallsyms, this patch fixes the problem (introduced b9b32bf70f2fb710b07c94e13afbc729afe221da) Cc: Russell King Cc: linux-arm-kernel@lists.infradead.org Cc: Michal Marek Signed-off-by: Ming Lei Signed-off-by: Rusty Russell Signed-off-by: Greg Kroah-Hartman commit daa73ffb82d3e6135de12ca879c373bbd5a9f41b Author: Helge Deller Date: Sat Oct 26 23:19:25 2013 +0200 parisc: Do not crash 64bit SMP kernels on machines with >= 4GB RAM commit 54e181e073fc1415e41917d725ebdbd7de956455 upstream. Since the beginning of the parisc-linux port, sometimes 64bit SMP kernels were not able to bring up other CPUs than the monarch CPU and instead crashed the kernel. The reason was unclear, esp. since it involved various machines (e.g. J5600, J6750 and SuperDome). Testing showed, that those crashes didn't happened when less than 4GB were installed, or if a 32bit Linux kernel was booted. In the end, the fix for those SMP problems is trivial: During the early phase of the initialization of the CPUs, including the monarch CPU, the PDC_PSW firmware function to enable WIDE (=64bit) mode is called. It's documented that this firmware function may clobber various registers, and one one of those possibly clobbered registers is %cr30 which holds the task thread info pointer. Now, if %cr30 would always have been clobbered, then this bug would have been detected much earlier. But lots of testing finally showed, that - at least for %cr30 - on some machines only the upper 32bits of the 64bit register suddenly turned zero after the firmware call. So, after finding the root cause, the explanation for the various crashes became clear: - On 32bit SMP Linux kernels all upper 32bit were zero, so we didn't faced this problem. - Monarch CPUs in 64bit mode always booted sucessfully, because the inital task thread info pointer was below 4GB. - Secondary CPUs booted sucessfully on machines with less than 4GB RAM because the upper 32bit were zero anyay. - Secondary CPus failed to boot if we had more than 4GB RAM and the task thread info pointer was located above the 4GB boundary. Finally, the patch to fix this problem is trivial by saving the %cr30 register before the firmware call and restoring it afterwards. Signed-off-by: Helge Deller Signed-off-by: John David Anglin Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit b5b02b140665d016236918cb88b88f6249050605 Author: Thomas Gleixner Date: Tue Sep 24 21:50:23 2013 +0200 clockevents: Sanitize ticks to nsec conversion commit 97b9410643475d6557d2517c2aff9fd2221141a9 upstream. Marc Kleine-Budde pointed out, that commit 77cc982 "clocksource: use clockevents_config_and_register() where possible" caused a regression for some of the converted subarchs. The reason is, that the clockevents core code converts the minimal hardware tick delta to a nanosecond value for core internal usage. This conversion is affected by integer math rounding loss, so the backwards conversion to hardware ticks will likely result in a value which is less than the configured hardware limitation. The affected subarchs used their own workaround (SIGH!) which got lost in the conversion. The solution for the issue at hand is simple: adding evt->mult - 1 to the shifted value before the integer divison in the core conversion function takes care of it. But this only works for the case where for the scaled math mult/shift pair "mult <= 1 << shift" is true. For the case where "mult > 1 << shift" we can apply the rounding add only for the minimum delta value to make sure that the backward conversion is not less than the given hardware limit. For the upper bound we need to omit the rounding add, because the backwards conversion is always larger than the original latch value. That would violate the upper bound of the hardware device. Though looking closer at the details of that function reveals another bogosity: The upper bounds check is broken as well. Checking for a resulting "clc" value greater than KTIME_MAX after the conversion is pointless. The conversion does: u64 clc = (latch << evt->shift) / evt->mult; So there is no sanity check for (latch << evt->shift) exceeding the 64bit boundary. The latch argument is "unsigned long", so on a 64bit arch the handed in argument could easily lead to an unnoticed shift overflow. With the above rounding fix applied the calculation before the divison is: u64 clc = (latch << evt->shift) + evt->mult - 1; So we need to make sure, that neither the shift nor the rounding add is overflowing the u64 boundary. [ukl: move assignment to rnd after eventually changing mult, fix build issue and correct comment with the right math] Signed-off-by: Thomas Gleixner Cc: Russell King - ARM Linux Cc: Marc Kleine-Budde Cc: nicolas.ferre@atmel.com Cc: Marc Pignat Cc: john.stultz@linaro.org Cc: kernel@pengutronix.de Cc: Ronald Wahl Cc: LAK Cc: Ludovic Desroches Link: http://lkml.kernel.org/r/1380052223-24139-1-git-send-email-u.kleine-koenig@pengutronix.de Signed-off-by: Uwe Kleine-König Signed-off-by: Greg Kroah-Hartman commit 722b78bc8a42b6910c291266e87abe2e63dc750f Author: Nicholas Bellinger Date: Fri Oct 25 10:44:15 2013 -0700 vhost/scsi: Fix incorrect usage of get_user_pages_fast write parameter commit 60a01f558af9c48b0bb31f303c479e32721add3f upstream. This patch addresses a long-standing bug where the get_user_pages_fast() write parameter used for setting the underlying page table entry permission bits was incorrectly set to write=1 for data_direction=DMA_TO_DEVICE, and passed into get_user_pages_fast() via vhost_scsi_map_iov_to_sgl(). However, this parameter is intended to signal WRITEs to pinned userspace PTEs for the virtio-scsi DMA_FROM_DEVICE -> READ payload case, and *not* for the virtio-scsi DMA_TO_DEVICE -> WRITE payload case. This bug would manifest itself as random process segmentation faults on KVM host after repeated vhost starts + stops and/or with lots of vhost endpoints + LUNs. Cc: Stefan Hajnoczi Cc: Michael S. Tsirkin Cc: Asias He Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit f21abb623ac78e2e9248057282d0de4e9b82e616 Author: Wei Yongjun Date: Fri Oct 25 21:53:33 2013 +0800 target/pscsi: fix return value check commit 58932e96e438cd78f75e765d7b87ef39d3533d15 upstream. In case of error, the function scsi_host_lookup() returns NULL pointer not ERR_PTR(). The IS_ERR() test in the return value check should be replaced with NULL test. Signed-off-by: Wei Yongjun Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit ed840bec21c6f2f99ca34e974a5905e4f2116c1b Author: Lukasz Dorau Date: Thu Oct 24 12:55:17 2013 +1100 md: Fix skipping recovery for read-only arrays. commit 61e4947c99c4494336254ec540c50186d186150b upstream. Since: commit 7ceb17e87bde79d285a8b988cfed9eaeebe60b86 md: Allow devices to be re-added to a read-only array. spares are activated on a read-only array. In case of raid1 and raid10 personalities it causes that not-in-sync devices are marked in-sync without checking if recovery has been finished. If a read-only array is degraded and one of its devices is not in-sync (because the array has been only partially recovered) recovery will be skipped. This patch adds checking if recovery has been finished before marking a device in-sync for raid1 and raid10 personalities. In case of raid5 personality such condition is already present (at raid5.c:6029). Bug was introduced in 3.10 and causes data corruption. Signed-off-by: Pawel Baldysiak Signed-off-by: Lukasz Dorau Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 0465496671f4769e0f4f00481ce5bc5598c5caa2 Author: Bian Yu Date: Sat Oct 12 01:10:03 2013 -0400 md: avoid deadlock when md_set_badblocks. commit 905b0297a9533d7a6ee00a01a990456636877dd6 upstream. When operate harddisk and hit errors, md_set_badblocks is called after scsi_restart_operations which already disabled the irq. but md_set_badblocks will call write_sequnlock_irq and enable irq. so softirq can preempt the current thread and that may cause a deadlock. I think this situation should use write_sequnlock_irqsave/irqrestore instead. I met the situation and the call trace is below: [ 638.919974] BUG: spinlock recursion on CPU#0, scsi_eh_13/1010 [ 638.921923] lock: 0xffff8800d4d51fc8, .magic: dead4ead, .owner: scsi_eh_13/1010, .owner_cpu: 0 [ 638.923890] CPU: 0 PID: 1010 Comm: scsi_eh_13 Not tainted 3.12.0-rc5+ #37 [ 638.925844] Hardware name: To be filled by O.E.M. To be filled by O.E.M./MAHOBAY, BIOS 4.6.5 03/05/2013 [ 638.927816] ffff880037ad4640 ffff880118c03d50 ffffffff8172ff85 0000000000000007 [ 638.929829] ffff8800d4d51fc8 ffff880118c03d70 ffffffff81730030 ffff8800d4d51fc8 [ 638.931848] ffffffff81a72eb0 ffff880118c03d90 ffffffff81730056 ffff8800d4d51fc8 [ 638.933884] Call Trace: [ 638.935867] [] dump_stack+0x55/0x76 [ 638.937878] [] spin_dump+0x8a/0x8f [ 638.939861] [] spin_bug+0x21/0x26 [ 638.941836] [] do_raw_spin_lock+0xa4/0xc0 [ 638.943801] [] _raw_spin_lock+0x66/0x80 [ 638.945747] [] ? scsi_device_unbusy+0x9d/0xd0 [ 638.947672] [] ? _raw_spin_unlock+0x2b/0x50 [ 638.949595] [] scsi_device_unbusy+0x9d/0xd0 [ 638.951504] [] scsi_finish_command+0x37/0xe0 [ 638.953388] [] scsi_softirq_done+0xa8/0x140 [ 638.955248] [] blk_done_softirq+0x7b/0x90 [ 638.957116] [] __do_softirq+0xfd/0x330 [ 638.958987] [] ? __lock_release+0x6f/0x100 [ 638.960861] [] call_softirq+0x1c/0x30 [ 638.962724] [] do_softirq+0x8d/0xc0 [ 638.964565] [] irq_exit+0x10e/0x150 [ 638.966390] [] smp_apic_timer_interrupt+0x4a/0x60 [ 638.968223] [] apic_timer_interrupt+0x6f/0x80 [ 638.970079] [] ? __lock_release+0x6f/0x100 [ 638.971899] [] ? _raw_spin_unlock_irq+0x3a/0x50 [ 638.973691] [] ? _raw_spin_unlock_irq+0x30/0x50 [ 638.975475] [] md_set_badblocks+0x1f3/0x4a0 [ 638.977243] [] rdev_set_badblocks+0x27/0x80 [ 638.978988] [] raid5_end_read_request+0x36b/0x4e0 [raid456] [ 638.980723] [] bio_endio+0x1d/0x40 [ 638.982463] [] req_bio_endio.isra.65+0x83/0xa0 [ 638.984214] [] blk_update_request+0x7f/0x350 [ 638.985967] [] blk_update_bidi_request+0x31/0x90 [ 638.987710] [] __blk_end_bidi_request+0x20/0x50 [ 638.989439] [] __blk_end_request_all+0x1f/0x30 [ 638.991149] [] blk_peek_request+0x106/0x250 [ 638.992861] [] ? scsi_kill_request.isra.32+0xe9/0x130 [ 638.994561] [] scsi_request_fn+0x4a/0x3d0 [ 638.996251] [] __blk_run_queue+0x37/0x50 [ 638.997900] [] blk_run_queue+0x2f/0x50 [ 638.999553] [] scsi_run_queue+0xe0/0x1c0 [ 639.001185] [] scsi_run_host_queues+0x21/0x40 [ 639.002798] [] scsi_restart_operations+0x177/0x200 [ 639.004391] [] scsi_error_handler+0xc9/0xe0 [ 639.005996] [] ? scsi_unjam_host+0xd0/0xd0 [ 639.007600] [] kthread+0xdb/0xe0 [ 639.009205] [] ? flush_kthread_worker+0x170/0x170 [ 639.010821] [] ret_from_fork+0x7c/0xb0 [ 639.012437] [] ? flush_kthread_worker+0x170/0x170 This bug was introduce in commit 2e8ac30312973dd20e68073653 (the first time rdev_set_badblock was call from interrupt context), so this patch is appropriate for 3.5 and subsequent kernels. Signed-off-by: Bian Yu Reviewed-by: Jianpeng Ma Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 1946436e87d13b44bbf69a37cb7fe07477bb5117 Author: Gwendal Grignou Date: Fri Aug 7 16:17:49 2009 -0700 libata: make ata_eh_qc_retry() bump scmd->allowed on bogus failures commit f13e220161e738c2710b9904dcb3cf8bb0bcce61 upstream. libata EH decrements scmd->retries when the command failed for reasons unrelated to the command itself so that, for example, commands aborted due to suspend / resume cycle don't get penalized; however, decrementing scmd->retries isn't enough for ATA passthrough commands. Without this fix, ATA passthrough commands are not resend to the drive, and no error is signalled to the caller because: - allowed retry count is 1 - ata_eh_qc_complete fill the sense data, so result is valid - sense data is filled with untouched ATA registers. Signed-off-by: Gwendal Grignou Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 01e608d7276508fcafb76f2092db89885e62ef66 Author: Shaohua Li Date: Sat Oct 19 14:51:42 2013 +0800 raid5: avoid finding "discard" stripe commit d47648fcf0611812286f68131b40251c6fa54f5e upstream. SCSI discard will damage discard stripe bio setting, eg, some fields are changed. If the stripe is reused very soon, we have wrong bios setting. We remove discard stripe from hash list, so next time the strip will be fully initialized. Suitable for backport to 3.7+. Signed-off-by: Shaohua Li Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 7e44a92662ce582268c4f35e68aad1f632ada8f8 Author: Shaohua Li Date: Sat Oct 19 14:50:28 2013 +0800 raid5: set bio bi_vcnt 0 for discard request commit 37c61ff31e9b5e3fcf3cc6579f5c68f6ad40c4b1 upstream. SCSI layer will add new payload for discard request. If two bios are merged to one, the second bio has bi_vcnt 1 which is set in raid5. This will confuse SCSI and cause oops. Suitable for backport to 3.7+ Reported-by: Jes Sorensen Signed-off-by: Shaohua Li Signed-off-by: NeilBrown Acked-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 4053771449476d9c323bd00c0c87bbd390588e55 Author: Geyslan G. Bem Date: Fri Oct 11 16:49:16 2013 -0300 ecryptfs: Fix memory leakage in keystore.c commit 3edc8376c06133e3386265a824869cad03a4efd4 upstream. In 'decrypt_pki_encrypted_session_key' function: Initializes 'payload' pointer and releases it on exit. Signed-off-by: Geyslan G. Bem Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman commit da0d4136d107d926273c227fdeaf805159044f66 Author: Aaron Lu Date: Thu Oct 10 13:22:36 2013 +0800 SCSI: sd: call blk_pm_runtime_init before add_disk commit 10c580e4239df5c3344ca00322eca86ab2de880b upstream. Sujit has found a race condition that would make q->nr_pending unbalanced, it occurs as Sujit explained: " sd_probe_async() -> add_disk() -> disk_add_event() -> schedule(disk_events_workfn) sd_revalidate_disk() blk_pm_runtime_init() return; Let's say the disk_events_workfn() calls sd_check_events() which tries to send test_unit_ready() and because of sd_revalidate_disk() trying to send another commands the test_unit_ready() might be re-queued as the tagged command queuing is disabled. So the race condition is - Thread 1 | Thread 2 sd_revalidate_disk() | sd_check_events() ...nr_pending = 0 as q->dev = NULL| scsi_queue_insert() blk_runtime_pm_init() | blk_pm_requeue_request() -> | nr_pending = -1 since | q->dev != NULL " The problem is, the test_unit_ready request doesn't get counted the first time it is queued, so the later decrement of q->nr_pending in blk_pm_requeue_request makes it unbalanced. Fix this by calling blk_pm_runtime_init before add_disk so that all requests initiated there will all be counted. Signed-off-by: Aaron Lu Reported-and-tested-by: Sujit Reddy Thumma Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit d60241f65bdc363f1be2b099bd98ff13a96c1f0d Author: Marc Kleine-Budde Date: Fri Oct 4 10:52:36 2013 +0200 can: flexcan: flexcan_chip_start: fix regression, mark one MB for TX and abort pending TX commit d5a7b406c529e4595ce03dc8f6dcf7fa36f106fa upstream. In patch 0d1862e can: flexcan: fix flexcan_chip_start() on imx6 the loop in flexcan_chip_start() that iterates over all mailboxes after the soft reset of the CAN core was removed. This loop put all mailboxes (even the ones marked as reserved 1...7) into EMPTY/INACTIVE mode. On mailboxes 8...63, this aborts any pending TX messages. After a cold boot there is random garbage in the mailboxes, which leads to spontaneous transmit of CAN frames during first activation. Further if the interface was disabled with a pending message (usually due to an error condition on the CAN bus), this message is retransmitted after enabling the interface again. This patch fixes the regression by: 1) Limiting the maximum number of used mailboxes to 8, 0...7 are used by the RX FIFO, 8 is used by TX. 2) Marking the TX mailbox as EMPTY/INACTIVE, so that any pending TX of that mailbox is aborted. Cc: Lothar Waßmann Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit e350ff50bcd46d650d56015a1416c622d057ec90 Author: Marc Kleine-Budde Date: Thu Oct 3 23:51:55 2013 +0200 can: flexcan: fix mx28 detection by rearanging OF match table commit e358784297992b012e8071764d996191dd2b1a54 upstream. The current implemetation of of_match_device() relies that the of_device_id table in the driver is sorted from most specific to least specific compatible. Without this patch the mx28 is detected as the less specific p1010. This leads to a p1010 specific workaround is activated on the mx28, which is not needed. Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 1a64b62db0883ba42db1c3860a8aa25aa398e020 Author: Marc Kleine-Budde Date: Wed Oct 9 12:19:19 2013 +0200 can: at91-can: fix device to driver data mapping for platform devices commit 5abbeea553c8260ed4e2ac4aae962aff800b6c6d upstream. In commit: 3078cde7 can: at91_can: add dt support device tree support was added to the at91_can driver. In this commit the mapping of device to driver data was mixed up. This results in the sam9x5 parameters being used for the sam9263 and the workaround for the broken mailbox 0 on the sam9263 not being activated. This patch fixes the broken platform_device_id table. Cc: Ludovic Desroches Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 4ac4eb6520aa52f77be36780bbe5b17ca3bce983 Author: Dave Kleikamp Date: Fri Sep 6 21:49:56 2013 -0500 jfs: fix error path in ialloc commit 8660998608cfa1077e560034db81885af8e1e885 upstream. If insert_inode_locked() fails, we shouldn't be calling unlock_new_inode(). Signed-off-by: Dave Kleikamp Tested-by: Michael L. Semon Signed-off-by: Greg Kroah-Hartman commit fa2025dc177d9bef300b48289b689a5d667f5ae9 Author: Emmanuel Grumbach Date: Tue Sep 24 19:34:26 2013 +0300 iwlwifi: pcie: add SKUs for 6000, 6005 and 6235 series commit 08a5dd3842f2ac61c6d69661d2d96022df8ae359 upstream. Add some new PCI IDs to the table for 6000, 6005 and 6235 series. Signed-off-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 3af669ca9923d504d5476bcfe04eaf4bbde03515 Author: Mark Cave-Ayland Date: Tue Oct 8 10:18:20 2013 -0500 rtlwifi: rtl8192cu: Fix error in pointer arithmetic commit 9473ca6e920a3b9ca902753ce52833657f9221cc upstream. An error in calculating the offset in an skb causes the driver to read essential device info from the wrong locations. The main effect is that automatic gain calculations are nonsense. Signed-off-by: Mark Cave-Ayland Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 6f2c0ed7835fd30d6c137198cf1dc964f061f132 Author: Amitkumar Karwar Date: Fri Sep 27 10:55:38 2013 -0700 mwifiex: fix SDIO interrupt lost issue commit 453b0c3f6910672f79da354077af728d92f95c5b upstream. 601216e "mwifiex: process RX packets in SDIO IRQ thread directly" introduced a command timeout issue which can be reproduced easily on an AM33xx platform using a test application written by Daniel Mack: https://gist.github.com/zonque/6579314 mwifiex_main_process() is called from both the SDIO handler and the workqueue. In case an interrupt occurs right after the int_status check, but before updating the mwifiex_processing flag, this interrupt gets lost, resulting in a command timeout and consequently a card reset. Let main_proc_lock protect both int_status and mwifiex_processing flag. This fixes the interrupt lost issue. Reported-by: Sven Neumann Reported-by: Andreas Fenkart Tested-by: Daniel Mack Reviewed-by: Dylan Reid Signed-off-by: Amitkumar Karwar Signed-off-by: Bing Zhao Signed-off-by: Paul Stewart Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit e83301f88258e3f204392cf59b0ffd706a051a26 Author: Bruno Randolf Date: Thu Sep 26 16:55:28 2013 +0100 cfg80211: fix warning when using WEXT for IBSS commit f478f33a93f9353dcd1fe55445343d76b1c3f84a upstream. Fix kernel warning when using WEXT for configuring ad-hoc mode, e.g. "iwconfig wlan0 essid test channel 1" WARNING: at net/wireless/chan.c:373 cfg80211_chandef_usable+0x50/0x21c [cfg80211]() The warning is caused by an uninitialized variable center_freq1. Signed-off-by: Bruno Randolf Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit fc756d89ff073a9c7fb8e4788fa63705d3d8f2a2 Author: Felix Fietkau Date: Sat Oct 5 14:09:30 2013 +0200 ath9k: fix tx queue scheduling after channel changes commit ec30326ea773900da210c495e14cfeb532550ba2 upstream. Otherwise, if queues are full during a scan, tx scheduling does not resume after switching back to the home channel. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 0b1621f62382e9b6f97b35861e9ade1a979b95b8 Author: Johannes Berg Date: Fri Oct 11 15:47:06 2013 +0200 mac80211: fix crash if bitrate calculation goes wrong commit d86aa4f8ca58898ec6a94c0635da20b948171ed7 upstream. If a frame's timestamp is calculated, and the bitrate calculation goes wrong and returns zero, the system will attempt to divide by zero and crash. Catch this case and print the rate information that the driver reported when this happens. Reported-by: Thomas Lindroth Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 31da12cec6d7882acb2bd968566b1cfbbcae695a Author: Felix Fietkau Date: Sun Sep 29 21:39:34 2013 +0200 mac80211: update sta->last_rx on acked tx frames commit 0c5b93290b2f3c7a376567c03ae8d385b0e99851 upstream. When clients are idle for too long, hostapd sends nullfunc frames for probing. When those are acked by the client, the idle time needs to be updated. To make this work (and to avoid unnecessary probing), update sta->last_rx whenever an ACK was received for a tx packet. Only do this if the flag IEEE80211_HW_REPORTS_TX_ACK_STATUS is set. Signed-off-by: Felix Fietkau Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 8d4f150d4e8d52a761e424f9f640c57cd118105f Author: Felix Fietkau Date: Sun Sep 29 21:39:33 2013 +0200 mac80211: use sta_info_get_bss() for nl80211 tx and client probing commit 03bb7f42765ce596604f03d179f3137d7df05bba upstream. This allows calls for clients in AP_VLANs (e.g. for 4-addr) to succeed Signed-off-by: Felix Fietkau Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit d7da0fc72d073181e65970edad0a9461542e02c6 Author: Felix Fietkau Date: Tue Sep 17 11:15:43 2013 +0200 mac80211: drop spoofed packets in ad-hoc mode commit 6329b8d917adc077caa60c2447385554130853a3 upstream. If an Ad-Hoc node receives packets with the Cell ID or its own MAC address as source address, it hits a WARN_ON in sta_info_insert_check() With many packets, this can massively spam the logs. One way that this can easily happen is through having Cisco APs in the area with rouge AP detection and countermeasures enabled. Such Cisco APs will regularly send fake beacons, disassoc and deauth packets that trigger these warnings. To fix this issue, drop such spoofed packets early in the rx path. Reported-by: Thomas Huehn Signed-off-by: Felix Fietkau Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 715a606d73f63e94259e6251565e6e12e3271d0f Author: Emmanuel Grumbach Date: Mon Sep 16 11:12:07 2013 +0300 mac80211: correctly close cancelled scans commit a754055a1296fcbe6f32de3a5eaca6efb2fd1865 upstream. __ieee80211_scan_completed is called from a worker. This means that the following flow is possible. * driver calls ieee80211_scan_completed * mac80211 cancels the scan (that is already complete) * __ieee80211_scan_completed runs When scan_work will finally run, it will see that the scan hasn't been aborted and might even trigger another scan on another band. This leads to a situation where cfg80211's scan is not done and no further scan can be issued. Fix this by setting a new flag when a HW scan is being cancelled so that no other scan will be triggered. Signed-off-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 5be794dc4bb66266acc91eb589ace48e82a6c77e Author: Anjana V Kumar Date: Sat Oct 12 10:59:17 2013 +0800 cgroup: fix to break the while loop in cgroup_attach_task() correctly commit ea84753c98a7ac6b74e530b64c444a912b3835ca upstream. Both Anjana and Eunki reported a stall in the while_each_thread loop in cgroup_attach_task(). It's because, when we attach a single thread to a cgroup, if the cgroup is exiting or is already in that cgroup, we won't break the loop. If the task is already in the cgroup, the bug can lead to another thread being attached to the cgroup unexpectedly: # echo 5207 > tasks # cat tasks 5207 # echo 5207 > tasks # cat tasks 5207 5215 What's worse, if the task to be attached isn't the leader of the thread group, we might never exit the loop, hence cpu stall. Thanks for Oleg's analysis. This bug was introduced by commit 081aa458c38ba576bdd4265fc807fa95b48b9e79 ("cgroup: consolidate cgroup_attach_task() and cgroup_attach_proc()") [ lizf: - fixed the first continue, pointed out by Oleg, - rewrote changelog. ] Reported-by: Eunki Kim Reported-by: Anjana V Kumar Signed-off-by: Anjana V Kumar Signed-off-by: Li Zefan Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 955a23e181561a792d6e4c1572848b7ba306499f Author: Kent Overstreet Date: Tue Oct 22 15:35:50 2013 -0700 bcache: Fixed incorrect order of arguments to bio_alloc_bioset() commit d4eddd42f592a0cf06818fae694a3d271f842e4d upstream. Signed-off-by: Kent Overstreet Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f606b358df6e174cd57f0509e5f5299bd4a73854 Author: Dirk Brandewie Date: Tue Oct 15 11:06:14 2013 -0700 cpufreq / intel_pstate: Fix max_perf_pct on resume commit 52e0a509e5d6f902ec26bc2a8bb02b137dc453be upstream. If the system is suspended while max_perf_pct is less than 100 percent or no_turbo set policy->{min,max} will be set incorrectly with scaled values which turn the scaled values into hard limits. References: https://bugzilla.kernel.org/show_bug.cgi?id=61241 Reported-by: Patrick Bartels Signed-off-by: Dirk Brandewie Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 40f3a9e5aea1753ececbcbbfe483b0c05788b001 Author: Russ Anderson Date: Mon Oct 14 11:17:34 2013 -0500 x86: Update UV3 hub revision ID commit dd3c9c4b603c664fedc12facf180db0f1794aafe upstream. The UV3 hub revision ID is different than expected. The first revision was supposed to start at 1 but instead will start at 0. Signed-off-by: Russ Anderson Link: http://lkml.kernel.org/r/20131014161733.GA6274@sgi.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit a73e47ff525d2a69d61767a5928ba00937f77e1b Author: Алексей Крамаренко Date: Fri Nov 1 17:26:38 2013 +0400 USB: serial: ftdi_sio: add id for Z3X Box device commit e1466ad5b1aeda303f9282463d55798d2eda218c upstream. Custom VID/PID for Z3X Box device, popular tool for cellphone flashing. Signed-off-by: Alexey E. Kramarenko Signed-off-by: Greg Kroah-Hartman commit 59fa93ea76e2de29910bab0a49dbb14f56b79aea Author: Oliver Neukum Date: Wed Oct 16 12:26:07 2013 +0200 USB: quirks: add touchscreen that is dazzeled by remote wakeup commit 614ced91fc6fbb5a1cdd12f0f1b6c9197d9f1350 upstream. The device descriptors are messed up after remote wakeup Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit ac1acaf7b6cb48562f6466e4f793d0f24a5726d8 Author: Oliver Neukum Date: Mon Oct 14 16:22:40 2013 +0200 USB: quirks.c: add one device that cannot deal with suspension commit 4294bca7b423d1a5aa24307e3d112a04075e3763 upstream. The device is not responsive when resumed, unless it is reset. Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 75094c77c2e413cf85ca797f9f352ecc4c3533ad Author: Fangxiaozhi (Franko) Date: Fri Oct 11 03:48:21 2013 +0000 USB: support new huawei devices in option.c commit d544db293a44a2a3b09feab7dbd59668b692de71 upstream. Add new supporting declarations to option.c, to support Huawei new devices with new bInterfaceSubClass value. Signed-off-by: fangxiaozhi Signed-off-by: Greg Kroah-Hartman commit b910ef250be4f872e383c62d1dfc40641b6f1c5b Author: Oliver Neukum Date: Mon Oct 14 15:24:55 2013 +0200 usb-storage: add quirk for mandatory READ_CAPACITY_16 commit 32c37fc30c52508711ea6a108cfd5855b8a07176 upstream. Some USB drive enclosures do not correctly report an overflow condition if they hold a drive with a capacity over 2TB and are confronted with a READ_CAPACITY_10. They answer with their capacity modulo 2TB. The generic layer cannot cope with that. It must be told to use READ_CAPACITY_16 from the beginning. Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman