commit 22feaed11f1b0c58aab5df196c0bf011e7095a62 Author: Greg Kroah-Hartman Date: Sat Jun 7 16:02:54 2014 -0700 Linux 3.4.92 commit 11b9a7a786232e811cbe988543cb83b5ff1a829c Author: Thomas Gleixner Date: Tue Jun 3 12:27:08 2014 +0000 futex: Make lookup_pi_state more robust commit 54a217887a7b658e2650c3feff22756ab80c7339 upstream. The current implementation of lookup_pi_state has ambigous handling of the TID value 0 in the user space futex. We can get into the kernel even if the TID value is 0, because either there is a stale waiters bit or the owner died bit is set or we are called from the requeue_pi path or from user space just for fun. The current code avoids an explicit sanity check for pid = 0 in case that kernel internal state (waiters) are found for the user space address. This can lead to state leakage and worse under some circumstances. Handle the cases explicit: Waiter | pi_state | pi->owner | uTID | uODIED | ? [1] NULL | --- | --- | 0 | 0/1 | Valid [2] NULL | --- | --- | >0 | 0/1 | Valid [3] Found | NULL | -- | Any | 0/1 | Invalid [4] Found | Found | NULL | 0 | 1 | Valid [5] Found | Found | NULL | >0 | 1 | Invalid [6] Found | Found | task | 0 | 1 | Valid [7] Found | Found | NULL | Any | 0 | Invalid [8] Found | Found | task | ==taskTID | 0/1 | Valid [9] Found | Found | task | 0 | 0 | Invalid [10] Found | Found | task | !=taskTID | 0/1 | Invalid [1] Indicates that the kernel can acquire the futex atomically. We came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit. [2] Valid, if TID does not belong to a kernel thread. If no matching thread is found then it indicates that the owner TID has died. [3] Invalid. The waiter is queued on a non PI futex [4] Valid state after exit_robust_list(), which sets the user space value to FUTEX_WAITERS | FUTEX_OWNER_DIED. [5] The user space value got manipulated between exit_robust_list() and exit_pi_state_list() [6] Valid state after exit_pi_state_list() which sets the new owner in the pi_state but cannot access the user space value. [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set. [8] Owner and user space value match [9] There is no transient state which sets the user space TID to 0 except exit_robust_list(), but this is indicated by the FUTEX_OWNER_DIED bit. See [4] [10] There is no transient state which leaves owner and user space TID out of sync. Signed-off-by: Thomas Gleixner Cc: Kees Cook Cc: Will Drewry Cc: Darren Hart Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a8f96abb1a78f16c498cb1e03386cc1a7b55a28c Author: Thomas Gleixner Date: Tue Jun 3 12:27:07 2014 +0000 futex: Always cleanup owner tid in unlock_pi commit 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e upstream. If the owner died bit is set at futex_unlock_pi, we currently do not cleanup the user space futex. So the owner TID of the current owner (the unlocker) persists. That's observable inconsistant state, especially when the ownership of the pi state got transferred. Clean it up unconditionally. Signed-off-by: Thomas Gleixner Cc: Kees Cook Cc: Will Drewry Cc: Darren Hart Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2397889b03ef0f394e176b86ba37c421a01a9c89 Author: Thomas Gleixner Date: Tue Jun 3 12:27:06 2014 +0000 futex: Validate atomic acquisition in futex_lock_pi_atomic() commit b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270 upstream. We need to protect the atomic acquisition in the kernel against rogue user space which sets the user space futex to 0, so the kernel side acquisition succeeds while there is existing state in the kernel associated to the real owner. Verify whether the futex has waiters associated with kernel state. If it has, return -EINVAL. The state is corrupted already, so no point in cleaning it up. Subsequent calls will fail as well. Not our problem. [ tglx: Use futex_top_waiter() and explain why we do not need to try restoring the already corrupted user space state. ] Signed-off-by: Darren Hart Cc: Kees Cook Cc: Will Drewry Signed-off-by: Thomas Gleixner Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4cca4db7bd5fb663660da34a3514d9fa8f5f14f3 Author: Thomas Gleixner Date: Tue Jun 3 12:27:06 2014 +0000 futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1) commit e9c243a5a6de0be8e584c604d353412584b592f8 upstream. If uaddr == uaddr2, then we have broken the rule of only requeueing from a non-pi futex to a pi futex with this call. If we attempt this, then dangling pointers may be left for rt_waiter resulting in an exploitable condition. This change brings futex_requeue() in line with futex_wait_requeue_pi() which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()") [ tglx: Compare the resulting keys as well, as uaddrs might be different depending on the mapping ] Fixes CVE-2014-3153. Reported-by: Pinkie Pie Signed-off-by: Will Drewry Signed-off-by: Kees Cook Signed-off-by: Thomas Gleixner Reviewed-by: Darren Hart Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c6f9d698ffd5cfbb941177bec02b43542c748d77 Author: Stanislaw Gruszka Date: Wed Feb 19 13:15:17 2014 +0100 ath9k: protect tid->sched check commit 21f8aaee0c62708654988ce092838aa7df4d25d8 upstream. We check tid->sched without a lock taken on ath_tx_aggr_sleep(). That is race condition which can result of doing list_del(&tid->list) twice (second time with poisoned list node) and cause crash like shown below: [424271.637220] BUG: unable to handle kernel paging request at 00100104 [424271.637328] IP: [] ath_tx_aggr_sleep+0x62/0xe0 [ath9k] ... [424271.639953] Call Trace: [424271.639998] [] ? ath9k_get_survey+0x110/0x110 [ath9k] [424271.640083] [] ath9k_sta_notify+0x42/0x50 [ath9k] [424271.640177] [] sta_ps_start+0x8f/0x1c0 [mac80211] [424271.640258] [] ? free_compound_page+0x2e/0x40 [424271.640346] [] ieee80211_rx_handlers+0x9d5/0x2340 [mac80211] [424271.640437] [] ? kmem_cache_free+0x1d8/0x1f0 [424271.640510] [] ? kfree_skbmem+0x34/0x90 [424271.640578] [] ? put_page+0x2c/0x40 [424271.640640] [] ? kfree_skbmem+0x34/0x90 [424271.640706] [] ? kfree_skbmem+0x34/0x90 [424271.640787] [] ? ieee80211_rx_handlers_result+0x73/0x1d0 [mac80211] [424271.640897] [] ieee80211_prepare_and_rx_handle+0x520/0xad0 [mac80211] [424271.641009] [] ? ieee80211_rx_handlers+0x2ed/0x2340 [mac80211] [424271.641104] [] ? ip_output+0x7e/0xd0 [424271.641182] [] ieee80211_rx+0x307/0x7c0 [mac80211] [424271.641266] [] ath_rx_tasklet+0x88e/0xf70 [ath9k] [424271.641358] [] ? ieee80211_rx+0x1dc/0x7c0 [mac80211] [424271.641445] [] ath9k_tasklet+0xcb/0x130 [ath9k] Bug report: https://bugzilla.kernel.org/show_bug.cgi?id=70551 Reported-and-tested-by: Max Sydorenko Signed-off-by: Stanislaw Gruszka Signed-off-by: John W. Linville [bwh: Backported to 3.2: - Adjust context - Use spin_unlock_bh() directly] Signed-off-by: Ben Hutchings [gkh: backported to 3.4: - adjust context - back out bwh's spinlock change] Signed-off-by: Greg Kroah-Hartman commit a592e24417be6e6f7e31d89e1e88c1c5999771bd Author: Alan Cox Date: Tue Sep 4 15:10:08 2012 +0100 dj: memory scribble in logi_dj commit 8a55ade76551e3927b4e41ee9e7751875d18bc25 upstream. Allocate a structure not a pointer to it ! Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds Cc: Yijing Wang Cc: Marc Dionne Signed-off-by: Greg Kroah-Hartman commit 761dae91fdfa90c58254f9367ff05a37281855c3 Author: Marc Dionne Date: Fri Jun 1 18:12:14 2012 -0400 HID: logitech: don't use stack based dj_report structures commit d8dc3494f77a5cc3b274bae36f7e74e85cf8a407 upstream. On a system with a logitech wireless keyboard/mouse and DMA-API debugging enabled, this warning appears at boot: kernel: WARNING: at lib/dma-debug.c:929 check_for_stack.part.12+0x70/0xa7() kernel: Hardware name: MS-7593 kernel: uhci_hcd 0000:00:1d.1: DMA-API: device driver maps memory fromstack [addr=ffff8801b0079c29] Make logi_dj_recv_query_paired_devices and logi_dj_recv_switch_to_dj_mode use a structure allocated with kzalloc rather than a stack based one. Signed-off-by: Marc Dionne Signed-off-by: Jiri Kosina Signed-off-by: Ben Hutchings Cc: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit 359c6340faa39167666c0e9b9f44ad54a521c409 Author: Joe Lawrence Date: Tue Jan 15 15:31:28 2013 -0500 PCI/ASPM: Don't touch ASPM if forcibly disabled commit a26d5ecb3201c11e03663a8f4a7dedc0c5f85c07 upstream. Don't allocate and track PCIe ASPM state when "pcie_aspm=off" is specified on the kernel command line. Based-on-patch-from: Matthew Garrett Signed-off-by: Joe Lawrence Signed-off-by: Bjorn Helgaas Reviewed-by: David Bulkow Acked-by: Myron Stowe [wyj: Backported to 3.4: context adjust] Signed-off-by: Yijing Wang Signed-off-by: Greg Kroah-Hartman commit 6cc43d85ca1752b61135559aa35b8aebadc17252 Author: Wei Liu Date: Mon Apr 22 02:20:41 2013 +0000 xen-netfront: reduce gso_max_size to account for max TCP header commit 9ecd1a75d977e2e8c48139c7d3efed183f898d94 upstream. The maximum packet including header that can be handled by netfront / netback wire format is 65535. Reduce gso_max_size accordingly. Drop skb and print warning when skb->len > 65535. This can 1) save the effort to send malformed packet to netback, 2) help spotting misconfiguration of netfront in the future. Signed-off-by: Wei Liu Acked-by: Ian Campbell Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings [hq: Backported to 3.4: adjust context] Signed-off-by: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit b3c463e8762ce90f22efbef947094467909011ea Author: Joe Perches Date: Sun May 13 21:56:25 2012 +0000 net: Add net_ratelimited_function and net__ratelimited macros commit 3a3bfb61e64476ff1e4ac3122cb6dec9c79b795c upstream. __ratelimit() can be considered an inverted bool test because it returns true when not ratelimited. Several tests in the kernel tree use this __ratelimit() function incorrectly. No net_ratelimit uses are incorrect currently though. Most uses of net_ratelimit are to log something via printk or pr_. In order to minimize the uses of net_ratelimit, and to start standardizing the code style used for __ratelimit() and net_ratelimit(), add a net_ratelimited_function() macro and net__ratelimited() logging macros similar to pr__ratelimited that use the global net_ratelimit instead of a static per call site "struct ratelimit_state". Signed-off-by: Joe Perches Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 8ba2272db8bd9fd6f011949020bf1991605b1c14 Author: Gerald Schaefer Date: Tue Nov 19 17:12:47 2013 +0100 crypto: s390 - Fix aes-xts parameter corruption commit 9dda2769af4f3f3093434648c409bb351120d9e8 upstream. Some s390 crypto algorithms incorrectly use the crypto_tfm structure to store private data. As the tfm can be shared among multiple threads, this can result in data corruption. This patch fixes aes-xts by moving the xts and pcc parameter blocks from the tfm onto the stack (48 + 96 bytes). Signed-off-by: Gerald Schaefer Signed-off-by: Herbert Xu [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit f7c02bf438f74ce4c7a8fb0c79cd435d85a795be Author: Oliver Hartkopp Date: Thu Nov 21 18:03:07 2013 +0100 can: sja1000: fix {pre,post}_irq() handling and IRQ handler return value commit 2fea6cd303c0d0cd9067da31d873b6a6d5bd75e7 upstream. This patch fixes the issue that the sja1000_interrupt() function may have returned IRQ_NONE without processing the optional pre_irq() and post_irq() function before. Further the irq processing counter 'n' is moved to the end of the while statement to return correct IRQ_[NONE|HANDLED] values at error conditions. Reported-by: Wolfgang Grandegger Acked-by: Wolfgang Grandegger Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde [bwh: Backported to 3.2: s/SJA1000_IER/REG_IER/; s/SJA1000_IR/REG_IR/] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 4381872d5a41635275c291f2a7c523197ba1f5e1 Author: Johan Hovold Date: Tue Nov 12 15:09:39 2013 -0800 backlight: atmel-pwm-bl: fix gpio polarity in remove commit ad5066d4c2b1d696749f8d7816357c23b648c4d3 upstream. Make sure to honour gpio polarity also at remove so that the backlight is actually disabled on boards with active-low enable pin. Signed-off-by: Johan Hovold Acked-by: Jingoo Han Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit c341968e1a44810713ade43ca8b0f5dd802a1ce9 Author: Brian Norris Date: Wed Jul 24 18:32:07 2013 -0700 mtd: m25p80: fix allocation size commit 778d226a1462572b51d6777cdb1d611543410cb4 upstream. This patch fixes two memory errors: 1. During a probe failure (in mtd_device_parse_register?) the command buffer would not be freed. 2. The command buffer's size is determined based on the 'fast_read' boolean, but the assignment of fast_read is made after this allocation. Thus, the buffer may be allocated "too small". To fix the first, just switch to the devres version of kzalloc. To fix the second, increase MAX_CMD_SIZE unconditionally. It's not worth saving a byte to fiddle around with the conditions here. This problem was reported by Yuhang Wang a while back. Signed-off-by: Brian Norris Reported-by: Yuhang Wang Reviewed-by: Sourav Poddar [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 63badff125489e717a320c5b725026f09256ed19 Author: Herbert Xu Date: Tue Nov 5 19:36:27 2013 +0800 crypto: s390 - Fix aes-cbc IV corruption commit f262f0f5cad0c9eca61d1d383e3b67b57dcbe5ea upstream. The cbc-aes-s390 algorithm incorrectly places the IV in the tfm data structure. As the tfm is shared between multiple threads, this introduces a possibility of data corruption. This patch fixes this by moving the parameter block containing the IV and key onto the stack (the block is 48 bytes long). The same bug exists elsewhere in the s390 crypto system and they will be fixed in subsequent patches. Signed-off-by: Herbert Xu [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 40dccfb2259f13eed66993a0d9b153e0695c8504 Author: Felix Fietkau Date: Tue Sep 17 11:15:43 2013 +0200 mac80211: drop spoofed packets in ad-hoc mode commit 6329b8d917adc077caa60c2447385554130853a3 upstream. If an Ad-Hoc node receives packets with the Cell ID or its own MAC address as source address, it hits a WARN_ON in sta_info_insert_check() With many packets, this can massively spam the logs. One way that this can easily happen is through having Cisco APs in the area with rouge AP detection and countermeasures enabled. Such Cisco APs will regularly send fake beacons, disassoc and deauth packets that trigger these warnings. To fix this issue, drop such spoofed packets early in the rx path. Reported-by: Thomas Huehn Signed-off-by: Felix Fietkau Signed-off-by: Johannes Berg [bwh: Backported to 3.2: use compare_ether_addr() instead of ether_addr_equal()] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 595cfbc5ae5bfaefa29b57a3f4dec04b76e108c5 Author: Marcelo Tosatti Date: Thu Jun 20 18:05:56 2013 -0300 vgacon.c: add cond reschedule points in vgacon_do_font_op commit 7e6d72c15ff4cc0c27573901bb05f9eddbd71ed4 upstream. Booting a 64-vcpu KVM guest, with CONFIG_PREEMPT_VOLUNTARY, can result in a soft lockup: BUG: soft lockup - CPU#41 stuck for 67s! [setfont:1505] RIP: 0010:[] [] vgacon_do_font_op.clone.0+0x1ba/0x550 This is due to the 8192 (cmapsz) IO operations taking longer than expected due to lock contention in QEMU. Add conditional resched points in between writes allowing other tasks to execute. Signed-off-by: Marcelo Tosatti Signed-off-by: Dave Airlie [bwh: Backported to 3.2: add #include , already present upstream] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 18c51452a1424cdf55ca9e6de2e4c75604272bb5 Author: Hauke Mehrtens Date: Sun Jun 9 18:53:58 2013 +0200 b43: ensue that BCMA is "y" when B43 is "y" commit 693026ef2e751fd94d2e6c71028e68343cc875d5 upstream. When b43 gets build into the kernel and it should use bcma we have to ensure that bcma was also build into the kernel and not as a module. In this patch this is also done for SSB, although you can not build b43 without ssb support for now. This fixes a build problem reported by Randy Dunlap in 5187EB95.2060605@infradead.org Reported-By: Randy Dunlap Signed-off-by: Hauke Mehrtens Signed-off-by: John W. Linville Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 56e9240f53e1d84b024851ab9b1dcf42ca2ff318 Author: Shane Huang Date: Mon Jun 3 18:24:55 2013 +0800 i2c-piix4: Add AMD CZ SMBus device ID commit b996ac90f595dda271cbd858b136b45557fc1a57 upstream. To add AMD CZ SMBus controller device ID. [bhelgaas: drop pci_ids.h update] Signed-off-by: Shane Huang Signed-off-by: Bjorn Helgaas Reviewed-by: Tejun Heo Reviewed-by: Jean Delvare [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 377929f225ac24146fda8c5401553e556872a705 Author: Johannes Berg Date: Thu May 23 18:10:21 2013 +0200 cfg80211: check wdev->netdev in connection work commit c815797663b72e3ac1736f1886538152bc48e4af upstream. If a P2P-Device is present and another virtual interface triggers the connection work, the system crash because it tries to check if the P2P-Device's netdev (which doesn't exist) is up. Skip any wdevs that have no netdev to fix this. Reported-by: YanBo Signed-off-by: Johannes Berg [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 77dcc24b5bb3af980e88831266ed27507a788c52 Author: Jiri Kosina Date: Fri May 24 15:55:33 2013 -0700 random: fix accounting race condition with lockless irq entropy_count update commit 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68 upstream. Commit 902c098a3663 ("random: use lockless techniques in the interrupt path") turned IRQ path from being spinlock protected into lockless cmpxchg-retry update. That commit removed r->lock serialization between crediting entropy bits from IRQ context and accounting when extracting entropy on userspace read path, but didn't turn the r->entropy_count reads/updates in account() to use cmpxchg as well. It has been observed, that under certain circumstances this leads to read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets corrupted and becomes negative, which in turn results in propagating 0 all the way from account() to the actual read() call. Convert the accounting code to be the proper lockless counterpart of what has been partially done by 902c098a3663. Signed-off-by: Jiri Kosina Cc: Theodore Ts'o Cc: Greg KH Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 06b08fa44855ef1f292ba720a74e9f8dc07f52eb Author: Ben Hutchings Date: Sun Jun 2 03:34:36 2013 +0100 rapidio/tsi721: Fix interrupt mask when handling MSI commit 94e0104bca7d6927e85119030b8e6e31fde88a7a upstream. Commit 1619f441963e 'rapidio/tsi721: fix bug in MSI interrupt handling' (commit 1ccc819da6fd upstream) makes the MSI handler disable and re-enable interrupts. When re-enabling interrupts, we should set the same flags as were originally set, but this changed in Linux 3.5 so the flags are now inconsistent in 3.2. In fact, the extra flag isn't even defined in 3.2. Remove the extra flag from the MSI handler. Reported-by: Steve Conklin Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 13bbf8c9ea7e22f1ddeb73d0e2e3876ae59b036d Author: Alexandre Bounine Date: Fri May 24 15:55:17 2013 -0700 rapidio/tsi721: fix bug in MSI interrupt handling commit 1ccc819da6fda9bee10ab8b72e9adbb5ad3e4959 upstream. Fix bug in MSI interrupt handling which causes loss of event notifications. Typical indication of lost MSI interrupts are stalled message and doorbell transfers between RapidIO endpoints. To avoid loss of MSI interrupts all interrupts from the device must be disabled on entering the interrupt handler routine and re-enabled when exiting it. Re-enabling device interrupts will trigger new MSI message(s) if Tsi721 registered new events since entering interrupt handler routine. This patch is applicable to kernel versions starting from v3.2. Signed-off-by: Alexandre Bounine Cc: Matt Porter Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit c21fcbb1bd3e7dbf06e75dd8b02101f6d369534d Author: Maxim Mikityanskiy Date: Sat Dec 15 19:31:31 2012 +0200 msi-wmi: Fix memory leak commit 51c94491c82c3d9029f6e87a1a153db321d88e35 upstream. Fix memory leak - don't forget to kfree ACPI object when returning from msi_wmi_notify() after suppressing key event. Signed-off-by: Maxim Mikityanskiy Acked-by: Anisse Astier Signed-off-by: Lee, Chun-Yi Signed-off-by: Matthew Garrett Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 7b74f336c5553f45e97f710808cbf7617fbcac7f Author: Jakub Kicinski Date: Wed Apr 3 16:50:54 2013 +0000 ixgbe: fix registration order of driver and DCA nofitication commit f01fc1a82c2ee68726b400fadb156bd623b5f2f1 upstream. ixgbe_notify_dca cannot be called before driver registration because it expects driver's klist_devices to be allocated and initialized. While on it make sure debugfs files are removed when registration fails. Signed-off-by: Jakub Kicinski Tested-by: Phil Schmitt Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller [bwh: Backported to 3.2: no debugfs support] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 676bf08007ece185cbbfba33abfdd117e803f769 Author: Laxman Dewangan Date: Fri Mar 15 05:34:08 2013 +0000 i2c: tegra: check the clk_prepare_enable() return value commit 132c803f7b70b17322579f6f4f3f65cf68e55135 upstream. NVIDIA's Tegra SoC allows read/write of controller register only if controller clock is enabled. System hangs if read/write happens to registers without enabling clock. clk_prepare_enable() can be fail due to unknown reason and hence adding check for return value of this function. If this function success then only access register otherwise return to caller with error. Signed-off-by: Laxman Dewangan Reviewed-by: Stephen Warren Signed-off-by: Wolfram Sang [bwh: Backported to 3.2: - Adjust context - Keep calling clk_enable() directly] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit cc4b50e025d3b1919db247b1b451835eec31bdb7 Author: Samuel Thibault Date: Sun Aug 26 23:35:17 2012 +0200 speakup: lower default software speech rate commit cfd757010691eae4e17acc246f74e7622c3a2f05 upstream. Speech synthesis beginners need a low speech rate, and trained people want a high speech rate. A medium speech rate is thus actually not a good default for neither. Since trained people will typically know how to change the rate, better default for a low speech rate, which beginners can grasp and learn how to increase it afterwards This was agreed with users on the speakup mailing list. Signed-off-by: Samuel Thibault Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit de1ba64669367db11718dee87e00c2cd14663e4d Author: James Ralston Date: Thu Aug 9 09:34:20 2012 -0700 ata_piix: Add Device IDs for Intel Lynx Point-LP PCH commit 389cd784969e9148fedcde0608f15bd74d6b769e upstream. This patch adds the IDE-mode SATA Device IDs for the Intel Lynx Point-LP PCH Signed-off-by: James Ralston Signed-off-by: Jeff Garzik Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit cd33b5a46edac04bdfe51f4cba28fc11dad94a56 Author: Linus Walleij Date: Tue Feb 12 13:46:19 2013 -0800 drivers/rtc/rtc-pl031.c: restore ST variant functionality commit 3399cfb5df9594495b876d1843a7165f77366b2b upstream. Commit e7e034e18a0a ("drivers/rtc/rtc-pl031.c: fix the missing operation on enable") accidentally broke the ST variants of PL031. The bit that is being poked as "clockwatch" enable bit for the ST variants does the work of bit 0 on this variant. Bit 0 is used for a clock divider on the ST variants, and setting it to 1 will affect timekeeping in a very bad way. Signed-off-by: Linus Walleij Acked-by: Haojian Zhuang Cc: Mian Yousaf KAUKAB Cc: Srinidhi Kasagar Cc: Alessandro Zummo Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 2b38e37b0d964cb650bd814e7871ac001dec1923 Author: Maia Kozheva Date: Sun Dec 9 16:07:40 2012 +0700 rt2800usb: Add support for 2001:3c1e (D-Link DWA-125 rev B1) USB Wi-Fi adapter commit fd7b9270120ca7e53fbf0469febe0c68acf6a0a2 upstream. D-Link DWA-125/B1 is a relatively new USB Wi-Fi adapter, using a Ralink chipset supported by the rt2800usb driver. Currently, to work around the problem (it's missing in all present kernel versions, up to and including 3.7.x), I had to add this to /etc/rc.local: echo 2001 3c1e >> /sys/bus/usb/drivers/rt2800usb/new_id After that, the device works without problems. Been using it for over a week with no bugs in sight. The attached patch is trivial and simply adds the new USB ID to the list of devices handled by rt2800usb. Signed-off-by: Maia Kozheva Signed-off-by: John W. Linville Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 826821471984bd98a2f9c52ed4ae0fb11460b9c7 Author: Jaume Delclòs Date: Fri Nov 2 23:35:20 2012 +0100 Wireless: rt2x00: Add device id for Sweex LW323 to rt2800usb.c commit 36f318bb124b231c01db6965a009f46d5731f012 upstream. This patch adds detection for the Sweex LW323 USB wireless network card in the rt2x00 driver (just one line in rt2800usb.c). It applies to linux-3.7-rc3. Signed-off-by: Jaume Delclòs Signed-off-by: John W. Linville Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit af69184e19a87c6f137181e3aeb84fd8934cf72b Author: Xose Vazquez Perez Date: Sat Apr 14 23:00:01 2012 +0200 wireless: rt2x00: rt{2500,73}usb.c put back duplicate id commit 8f35f787b75e9b6435ea37dabcae2d40dc72d31c upstream. put back 0x050d,0x7050 to rt73usb, same usb_id for two chips: K7SF5D7050A ver 2xxx is rt2500 K7SF5D7050B ver 3xxx is rt73 Signed-off-by: Xose Vazquez Perez Signed-off-by: John W. Linville Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit d188fc097b4c8fb907ff871651e4109196ea5c9d Author: Haojian Zhuang Date: Mon Feb 4 14:28:54 2013 -0800 drivers/rtc/rtc-pl031.c: fix the missing operation on enable commit e7e034e18a0ab6bafb2425c3242cac311164f4d6 upstream. The RTC control register should be enabled in the process of initializing. Without this patch, I failed to enable RTC in Hisilicon Hi3620 SoC. The register mapping section in RTC is always read as zero. So I doubt that ST guys may already enable this register in bootloader. So they won't meet this issue. Signed-off-by: Haojian Zhuang Cc: Srinidhi Kasagar Cc: Linus Walleij Cc: Alessandro Zummo Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 309fabafdb5cf7112d1a89922ab6acbe7ea7c790 Author: Alex Deucher Date: Sun Aug 4 12:13:17 2013 -0400 drm/radeon: always program the MC on startup commit 6fab3febf6d949b0a12b1e4e73db38e4a177a79e upstream. For r6xx+ asics. This mirrors the behavior of pre-r6xx asics. We need to program the MC even if something else in startup() fails. Failure to do so results in an unusable GPU. Based on a fix from: Mark Kettenis Signed-off-by: Alex Deucher [wml: Backported to 3.4: - adjust context - drop changes to cik.c] Signed-off-by: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit d9d3e8ed90d9513ee90af49302cbcfcc636d71a5 Author: Alex Deucher Date: Thu Apr 18 09:36:42 2013 -0400 drm/radeon: fix hdmi mode enable on RS600/RS690/RS740 commit dcb852905772416e322536ced5cb3c796d176af5 upstream. These chips were previously skipped since they are pre-R600. Signed-off-by: Alex Deucher [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings [wml: Backported to 3.4: - adjust context - no !ASIC_IS_DCE3(rdev)] Signed-off-by: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 63034aee5f85e6c4decdaa600ed1febfa90a348f Author: Thomas Hellstrom Date: Mon Oct 28 02:02:19 2013 -0700 drm/ttm: Fix memory type compatibility check commit 59c8e66378fb78adbcd05f0d09783dde6fef282b upstream. Also check the busy placements before deciding to move a buffer object. Failing to do this may result in a completely unneccessary move within a single memory type. Signed-off-by: Thomas Hellstrom Reviewed-by: Jakob Bornecrantz [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 465282b316e98ed17698900af70fa8260c9c9e70 Author: Chris Wilson Date: Wed Oct 16 09:49:02 2013 +0100 drm: Pad drm_mode_get_connector to 64-bit boundary commit bc5bd37ce48c66e9192ad2e7231e9678880f6f8e upstream. Pavel Roskin reported that DRM_IOCTL_MODE_GETCONNECTOR was overwritting the 4 bytes beyond the end of its structure with a 32-bit userspace running on a 64-bit kernel. This is due to the padding gcc inserts as the drm_mode_get_connector struct includes a u64 and its size is not a natural multiple of u64s. 64-bit kernel: sizeof(drm_mode_get_connector)=80, alignof=8 sizeof(drm_mode_get_encoder)=20, alignof=4 sizeof(drm_mode_modeinfo)=68, alignof=4 32-bit userspace: sizeof(drm_mode_get_connector)=76, alignof=4 sizeof(drm_mode_get_encoder)=20, alignof=4 sizeof(drm_mode_modeinfo)=68, alignof=4 Fortuituously we can insert explicit padding to the tail of our structures without breaking ABI. Reported-by: Pavel Roskin Signed-off-by: Chris Wilson Cc: Dave Airlie Cc: dri-devel@lists.freedesktop.org Signed-off-by: Dave Airlie [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit a27d31e36ba71a3fd2fe7e222a433488a5a2f87a Author: Alex Deucher Date: Fri Sep 13 18:33:16 2013 -0400 drm/radeon: fix panel scaling with eDP and LVDS bridges commit 855f5f1d882a34e4e9dd27b299737cd3508a5624 upstream. We were using the wrong set_properly callback so we always ended up with Full scaling even if something else (Center or Full aspect) was selected. Signed-off-by: Alex Deucher [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 60b3d181a406c7e47edbb41e227b54380d35fa8a Author: Jani Nikula Date: Fri Aug 23 10:50:39 2013 +0300 drm/i915: try not to lose backlight CBLV precision commit cac6a5ae0118832936eb162ec4cedb30f2422bcc upstream. ACPI has _BCM and _BQC methods to set and query the backlight brightness, respectively. The ACPI opregion has variables BCLP and CBLV to hold the requested and current backlight brightness, respectively. The BCLP variable has range 0..255 while the others have range 0..100. This means the _BCM method has to scale the brightness for BCLP, and the gfx driver has to scale the requested value back for CBLV. If the _BQC method uses the CBLV variable (apparently some implementations do, some don't) for current backlight level reporting, there's room for rounding errors. Use DIV_ROUND_UP for scaling back to CBLV to get back to the same values that were passed to _BCM, presuming the _BCM simply uses bclp = (in * 255) / 100 for scaling to BCLP. Reference: https://gist.github.com/aaronlu/6314920 Reported-by: Aaron Lu Signed-off-by: Jani Nikula Reviewed-by: Aaron Lu Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: - Adjust context - ASLE region is treated as normal memory rather than __iomem] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit ac5d182c17af8728ada8cfac051292a8e35d9a90 Author: Ondrej Zary Date: Fri Jul 19 21:08:48 2013 +0200 drm/radeon: Another card with wrong primary dac adj commit f7929f34fa0e0bb6736a2484fdc07d77a1653081 upstream. Hello, got another card with "too bright" problem: Sapphire Radeon VE 7000 DDR (VGA+S-Video) lspci -vnn: 01:00.0 VGA compatible controller [0300]: Advanced Micro Devices [AMD] nee ATI RV100 QY [Radeon 7000/VE] [1002:5159] (prog-if 00 [VGA controller]) Subsystem: PC Partner Limited Sapphire Radeon VE 7000 DDR [174b:7c28] The patch below fixes the problem for this card. But I don't like the blacklist, couldn't some heuristic be used instead? The interesting thing is that the manufacturer is the same as the other card needing the same quirk. I wonder how many different types are broken this way. The "wrong" ps2_pdac_adj value that comes from BIOS on this card is 0x300. ==================== drm/radeon: Add primary dac adj quirk for Sapphire Radeon VE 7000 DDR Values from BIOS are wrong, causing too bright colors. Use default values instead. Signed-off-by: Ondrej Zary Signed-off-by: Alex Deucher Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 9887b229cd239b0daccbaeb0383647af5dfa5a92 Author: Jani Nikula Date: Fri Apr 12 15:18:38 2013 +0300 drm/i915: ensure single initialization and cleanup of backlight device commit dc652f90e088798bfa31f496ba994ddadd5d5680 upstream. Backlight cleanup in the eDP connector destroy callback caused the backlight device to be removed on some systems that first initialized LVDS and then attempted to initialize eDP. Prevent multiple backlight initializations, and ensure backlight cleanup is only done once by moving it to modeset cleanup. A small wrinkle is the introduced asymmetry in backlight setup/cleanup. This could be solved by adding refcounting, but it seems overkill considering that there should only ever be one backlight device. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=55701 Signed-off-by: Jani Nikula Tested-by: Peter Verthez Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: - Adjust context - s/dev_priv->backlight\.device/dev_priv->backlight/] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 58fcd1468315dab98ce90cb9756d4fedfd033f0b Author: Chris Wilson Date: Thu Apr 4 21:31:03 2013 +0100 drm/i915: Workaround incoherence between fences and LLC across multiple CPUs commit 25ff1195f8a0b3724541ae7bbe331b4296de9c06 upstream. In order to fully serialize access to the fenced region and the update to the fence register we need to take extreme measures on SNB+, and manually flush writes to memory prior to writing the fence register in conjunction with the memory barriers placed around the register write. Fixes i-g-t/gem_fence_thrash v2: Bring a bigger gun v3: Switch the bigger gun for heavier bullets (Arjan van de Ven) v4: Remove changes for working generations. v5: Reduce to a per-cpu wbinvd() call prior to updating the fences. v6: Rewrite comments to ellide forgotten history. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=62191 Signed-off-by: Chris Wilson Cc: Jon Bloomfield Tested-by: Jon Bloomfield (v2) Reviewed-by: Jesse Barnes Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: insert the cache flush in i915_gem_object_get_fence()] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit a5b5cc72ac42ce8dbd32cae9ed7a4b2392987cfa Author: Alex Deucher Date: Fri Apr 12 19:15:52 2013 -0400 drm/radeon: cleanup properly if mmio mapping fails commit 0cd9cb76ae26a19df21abc6f94f5fff141e689c7 upstream. If we fail to map the mmio BAR, skip driver tear down that requires mmio. Should fix: https://bugzilla.kernel.org/show_bug.cgi?id=56541 Signed-off-by: Alex Deucher [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit f909046a7bab57744c0498125b8a91450aa12829 Author: Alex Deucher Date: Mon Apr 1 16:06:25 2013 -0400 drm/radeon: use frac fb div on RS780/RS880 commit 411678288d61ba17afe1f8afed92200be6bbc65d upstream. Monitors seem to prefer it. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=37696 Signed-off-by: Alex Deucher [bwh: Backported to 3.2: - Adjust context - Add to pll->flags, not radeon_crtc->pll_flags] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit ace6581eb5abd4608dd05e858a985c0c2f0e3761 Author: Egbert Eich Date: Sun Oct 14 15:46:38 2012 +0200 DRM/i915: Add QUIRK_INVERT_BRIGHTNESS for NCR machines. commit 5f85f176c2f1c9d2a23f60ca0b99e4d0aa5a26a7 upstream. NCR machines with LVDS panels using Intel chipsets need to have the QUIRK_INVERT_BRIGHTNESS bit set. Unfortunately NCR doesn't set a meaningful subvendor/subdevice ID, therefore we add a DMI dependent quirk list. Signed-off-by: Egbert Eich [danvet: fixup whitespace fail.] Signed-off-by: Daniel Vetter Acked-by: Jani Nikula [bwh: Backported to 3.2: - Adjust context - Add #include ] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit ce3a20e79213a1debca10b55df45cd3dda9f46b0 Author: Jani Nikula Date: Tue Jan 22 12:50:36 2013 +0200 drm/i915: add quirk to invert brightness on Packard Bell NCL20 commit 5559ecadad5a73b27f863e92f4b4f369501dce6f upstream. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=44156 Reported-by: Alan Zimmerman Signed-off-by: Jani Nikula Signed-off-by: Daniel Vetter Signed-off-by: Ben Hutchings [wml: Backported to 3.4: Adjust context] Signed-off-by: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 1bf4029831239a3751eff53029f1b25c0402b273 Author: Jani Nikula Date: Tue Jan 22 12:50:35 2013 +0200 drm/i915: add quirk to invert brightness on eMachines e725 commit 01e3a8feb40e54b962a20fa7eb595c5efef5e109 upstream. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=31522#c35 [Note: There are more than one broken setups in the bug. This fixes one.] Reported-by: Martins Signed-off-by: Jani Nikula Signed-off-by: Daniel Vetter Signed-off-by: Ben Hutchings [wml: Backported to 3.4: Adjust context] Signed-off-by: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit d0fa0f8829eaf4b609a1c34371ae24be94311595 Author: Jani Nikula Date: Tue Jan 22 12:50:34 2013 +0200 drm/i915: add quirk to invert brightness on eMachines G725 commit 1ffff60320879830e469e26062c18f75236822ba upstream. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=59628 Reported-by: Roland Gruber Signed-off-by: Jani Nikula Signed-off-by: Daniel Vetter Signed-off-by: Ben Hutchings [wml: Backported to 3.4: Adjust context] Signed-off-by: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 678bb5deb58183028c896c1ae197e6b3e3a0afe9 Author: Carsten Emde Date: Thu Mar 15 15:56:27 2012 +0100 drm/i915: panel: invert brightness acer aspire 5734z commit 5a15ab5b93e4a3ebcd4fa6c76cf646a45e9cf806 upstream. Mark the Acer Aspire 5734Z that this machines requires the module to invert the panel backlight brightness value after reading from and prior to writing to the PCI configuration space. Signed-off-by: Carsten Emde Acked-by: Chris Wilson Signed-off-by: Daniel Vetter Acked-by: Jani Nikula Signed-off-by: Ben Hutchings [wml: Backported to 3.4: Adjust context] Signed-off-by: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit ed0bff16ccb6ab0219a541f7cbf861a9118dd34b Author: Carsten Emde Date: Thu Mar 15 15:56:26 2012 +0100 drm/i915: panel: invert brightness via quirk commit 4dca20efb1a9c2efefc28ad2867e5d6c3f5e1955 upstream. A machine may need to invert the panel backlight brightness value. This patch adds the infrastructure for a quirk to do so. Signed-off-by: Carsten Emde Reviewed-by: Chris Wilson Signed-off-by: Daniel Vetter Acked-by: Jani Nikula Signed-off-by: Ben Hutchings [wml: Backported to 3.4: - Adjust context - one more flag QUIRK_NO_PCH_PWM_ENABLE] Signed-off-by: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 4c4478f4b87b3cc18572d7e50063f7fd34c95c5b Author: Carsten Emde Date: Thu Mar 15 15:56:25 2012 +0100 drm/i915: panel: invert brightness via parameter commit 7bd90909bbf9ce7c40e1da3d72b97b93839c188a upstream. Following the documentation of the Legacy Backlight Brightness (LBB) Register in the configuration space of some Intel PCI graphics adapters, setting the LBB register with the value 0x0 causes the backlight to be turned off, and 0xFF causes the backlight to be set to 100% intensity (http://download.intel.com/embedded/processors/Whitepaper/324567.pdf). The Acer Aspire 5734Z, however, turns the backlight off at 0xFF and sets it to maximum intensity at 0. In consequence, the screen of this systems becomes dark at an early boot stage which makes it unusable. The same inversion applies to the BLC_PWM_CTL I915 register. This problem was introduced in kernel version 2.6.38 when the PCI device of this system was first supported by the i915 KMS module. This patch adds a parameter to the i915 module to enable inversion of the brightness variable (i915.invert_brightness). Signed-off-by: Carsten Emde Reviewed-by: Chris Wilson Signed-off-by: Daniel Vetter Acked-by: Jani Nikula Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 13ecaa9385007e7c907fa1db3f8504cbb054b8ec Author: Jani Nikula Date: Thu Feb 14 11:23:35 2013 +0200 drm/i915: add missing \n to UTS_RELEASE in the error_state commit fdfa175d0a9cfa2082ce24e67e284e5acbba452a upstream. Amending commit 4518f611ba21ba165ea3714055938a8984a44ff9 Author: Daniel Vetter Date: Wed Jan 23 16:16:35 2013 +0100 drm/i915: dump UTS_RELEASE into the error_state Signed-off-by: Jani Nikula Reviewed-by: Chris Wilson Signed-off-by: Daniel Vetter Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 830a450e266a3471476036c1dbc4896ec5ccfbf7 Author: Daniel Vetter Date: Wed Jan 23 16:16:35 2013 +0100 drm/i915: dump UTS_RELEASE into the error_state commit 4518f611ba21ba165ea3714055938a8984a44ff9 upstream. Useful for statistics or on overflowing bug reports to keep things all lined up. Reviewed-by: Chris Wilson Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 5fbe150df29254ba07b42834d582689c80a00f08 Author: Chris Wilson Date: Wed Jan 2 10:31:22 2013 +0000 drm/i915; Only increment the user-pin-count after successfully pinning the bo commit 93be8788e648817d62fda33e2998eb6ca6ebf3a3 upstream. As along the error path we do not correct the user pin-count for the failure, we may end up with userspace believing that it has a pinned object at offset 0 (when interrupted by a signal for example). Signed-off-by: Chris Wilson Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit c87e58bd2c711816335bb869f747ce25e0ce66ea Author: Chris Wilson Date: Mon Dec 3 11:36:30 2012 +0000 drm/i915: Close race between processing unpin task and queueing the flip commit e7d841ca03b7ab668620045cd7b428eda9f41601 upstream. Before queuing the flip but crucially after attaching the unpin-work to the crtc, we continue to setup the unpin-work. However, should the hardware fire early, we see the connected unpin-work and queue the task. The task then promptly runs and unpins the fb before we finish taking the required references or even pinning it... Havoc. To close the race, we use the flip-pending atomic to indicate when the flip is finally setup and enqueued. So during the flip-done processing, we can check more accurately whether the flip was expected. v2: Add the appropriate mb() to ensure that the writes to the page-flip worker are complete prior to marking it active and emitting the MI_FLIP. On the read side, the mb should be enforced by the spinlocks. Signed-off-by: Chris Wilson Cc: stable@vger.kernel.org [danvet: Review the barriers a bit, we need a write barrier both before and after updating ->pending. Similarly we need a read barrier in the interrupt handler both before and after reading ->pending. With well-ordered irqs only one barrier in each place should be required, but since this patch explicitly sets out to combat spurious interrupts with is staged activation of the unpin work we need to go full-bore on the barriers, too. Discussed with Chris Wilson on irc and changes acked by him.] Signed-off-by: Daniel Vetter [wml: Backported to 3.4: adjust context] Signed-off-by: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 9d889e3fa80632c7d107e4d4410e79d8050ddd05 Author: Alex Deucher Date: Mon Nov 5 16:34:58 2012 +0000 drm/radeon: fix typo in evergreen_mc_resume() commit 695ddeb457584a602f2ba117d08ce37cf6ec1589 upstream. Add missing index that may have led us to enabling more crtcs than necessary. May also fix: https://bugs.freedesktop.org/show_bug.cgi?id=56139 Signed-off-by: Alex Deucher Reviewed-by: Michel Dänzer Signed-off-by: Dave Airlie Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit b29fe4dc9e56700e3772be99a35f6209fa4e57aa Author: Aaro Koskinen Date: Mon Dec 31 03:34:59 2012 +0200 drm/nouveau: fix init with agpgart-uninorth commit eda85d6ad490923152544fba0473798b6cc0edf6 upstream. Check that the AGP aperture can be mapped. This follows a similar change done for Radeon (commit 365048ff, drm/radeon: AGP memory is only I/O if the aperture can be mapped by the CPU.). The patch fixes the following error seen on G5 iMac: nouveau E[ DRM] failed to create kernel channel, -12 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=58806 Reviewed-by: Michel Dänzer Signed-off-by: Aaro Koskinen Signed-off-by: Dave Airlie [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 8b2360118bb16aa06e2f8a165fba5c9f0a18fe88 Author: Alex Deucher Date: Thu Dec 20 16:35:47 2012 -0500 drm/radeon: add connector table for Mac G4 Silver commit cafa59b9011a7790be4ddd5979419259844a165d upstream. Apple cards do not provide data tables in the vbios so we have to hard code the connector parameters in the driver. Reported-by: Albrecht Dreß Signed-off-by: Alex Deucher Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit befa3d28d06b3fb5ea8232298658eb3ecc2fa62b Author: Alex Deucher Date: Wed May 2 12:10:21 2012 -0400 drm/radeon: add connector table for SAM440ep embedded board commit 6a556039e7823d27a0a7f7724d4d455053ea9253 upstream. RV250 found on ppc embedded boards. Cc: Hans Verkuil Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 81d0e97cb5797cae879e42b46f43763fe590ac30 Author: Jerome Glisse Date: Tue Dec 11 11:56:52 2012 -0500 drm/radeon: fix amd afusion gpu setup aka sumo v2 commit bd25f0783dc3fb72e1e2779c2b99b2d34b67fa8a upstream. Set the proper number of tile pipe that should be a multiple of pipe depending on the number of se engine. Fix: https://bugs.freedesktop.org/show_bug.cgi?id=56405 https://bugs.freedesktop.org/show_bug.cgi?id=56720 v2: Don't change sumo2 Signed-off-by: Jerome Glisse Reviewed-by: Alex Deucher [bwh: Backported to 3.2: don't define/use *_GB_ADDR_CONFIG_GOLDEN] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 650ab0c0b0ee0496085a98e2ed8943c87de482b0 Author: Alex Deucher Date: Tue Nov 13 18:03:41 2012 -0500 drm/radeon/dce32+: use fractional fb dividers for high clocks commit a02dc74b317d78298cb0587b9b1f6f741fd5c139 upstream. Fixes flickering with some high res montiors. Signed-off-by: Alex Deucher [bwh: Backported to 3.2: use pll->flags instead of radeon_crtc->pll_flags] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 5f68cf4c76b5ac3808551555b81764c03c0a3b75 Author: Alex Deucher Date: Fri Nov 9 17:26:32 2012 +0000 drm: fix documentation for drm_crtc_set_mode() commit 4c9287c6009b37754c42e0ba73a4cc79de92d8f8 upstream. x and y parameters are offsets, not width/height Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit f11a1d5595cb0dc906e23819cfb2e320a524f790 Author: Jani Nikula Date: Mon Nov 12 18:31:35 2012 +0200 drm/i915/sdvo: clean up connectors on intel_sdvo_init() failures commit d0ddfbd3d1346c1f481ec2289eef350cdba64b42 upstream. Any failures in intel_sdvo_init() after the intel_sdvo_setup_output() call left behind ghost connectors, attached (with a dangling pointer) to the sdvo that has been cleaned up and freed. Properly destroy any connectors attached to the encoder. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=46381 CC: Chris Wilson Signed-off-by: Jani Nikula Tested-by: bjo@nord-west.org [danvet: added a comment to explain why we need to clean up connectors even when sdvo_output_setup fails.] Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 4f9e14fad5e381e075f942677e9c1ae70e0f186e Author: Jason Wang Date: Tue Jun 18 13:04:23 2013 +0800 drivers: hv: switch to use mb() instead of smp_mb() commit 35848f68b07df3f917cb13fc3c134718669f569b upstream. Even if guest were compiled without SMP support, it could not assume that host wasn't. So switch to use mb() instead of smp_mb() to force memory barriers for UP guest. Signed-off-by: Jason Wang Cc: Haiyang Zhang Signed-off-by: K. Y. Srinivasan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: - Drop changes to functions that don't exist here - hv_ringbuffer_write() has only a write memory barrier] Signed-off-by: Ben Hutchings [hq: Backported to 3.4: - Add the change in hv_ringbuffer_read] Signed-off-by: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit f40ed19c957e23cee2a178a688c45197aa1bc30c Author: Paolo Bonzini Date: Wed Feb 27 17:05:25 2013 -0800 nbd: fsync and kill block device on shutdown commit 3a2d63f87989e01437ba994df5f297528c353d7d upstream. There are two problems with shutdown in the NBD driver. 1: Receiving the NBD_DISCONNECT ioctl does not sync the filesystem. This patch adds the sync operation into __nbd_ioctl()'s NBD_DISCONNECT handler. This is useful because BLKFLSBUF is restricted to processes that have CAP_SYS_ADMIN, and the NBD client may not possess it (fsync of the block device does not sync the filesystem, either). 2: Once we clear the socket we have no guarantee that later reads will come from the same backing storage. The patch adds calls to kill_bdev() in __nbd_ioctl()'s socket clearing code so the page cache is cleaned, lest reads that hit on the page cache will return stale data from the previously-accessible disk. Example: # qemu-nbd -r -c/dev/nbd0 /dev/sr0 # file -s /dev/nbd0 /dev/stdin: # UDF filesystem data (version 1.5) etc. # qemu-nbd -d /dev/nbd0 # qemu-nbd -r -c/dev/nbd0 /dev/sda # file -s /dev/nbd0 /dev/stdin: # UDF filesystem data (version 1.5) etc. While /dev/sda has: # file -s /dev/sda /dev/sda: x86 boot sector; etc. Signed-off-by: Paolo Bonzini Acked-by: Paul Clements Cc: Alex Bligh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: - Adjusted context - s/\bnbd\b/lo/ - Incorporate export of kill_bdev() from commit ff01bb483265 ('fs: move code out of buffer.c')] Signed-off-by: Ben Hutchings [hq: Backported to 3.4: Adjusted context] Signed-off-by: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 354ad5e4dda15aef33da119a93e413161ae99525 Author: Ben Hutchings Date: Sun Jun 16 21:27:12 2013 +0100 x86/efi: Fix dummy variable buffer allocation commit b8cb62f82103083a6e8fa5470bfe634a2c06514d upstream. 1. Check for allocation failure 2. Clear the buffer contents, as they may actually be written to flash 3. Don't leak the buffer Compile-tested only. [ Tested successfully on my buggy ASUS machine - Matt ] Signed-off-by: Ben Hutchings Signed-off-by: Matt Fleming Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit f4f009b04f6ae98e0a147e9b3d3f4078bbd416ee Author: Matthew Garrett Date: Sat Jun 1 16:06:20 2013 -0400 Modify UEFI anti-bricking code commit f8b8404337de4e2466e2e1139ea68b1f8295974f upstream. This patch reworks the UEFI anti-bricking code, including an effective reversion of cc5a080c and 31ff2f20. It turns out that calling QueryVariableInfo() from boot services results in some firmware implementations jumping to physical addresses even after entering virtual mode, so until we have 1:1 mappings for UEFI runtime space this isn't going to work so well. Reverting these gets us back to the situation where we'd refuse to create variables on some systems because they classify deleted variables as "used" until the firmware triggers a garbage collection run, which they won't do until they reach a lower threshold. This results in it being impossible to install a bootloader, which is unhelpful. Feedback from Samsung indicates that the firmware doesn't need more than 5KB of storage space for its own purposes, so that seems like a reasonable threshold. However, there's still no guarantee that a platform will attempt garbage collection merely because it drops below this threshold. It seems that this is often only triggered if an attempt to write generates a genuine EFI_OUT_OF_RESOURCES error. We can force that by attempting to create a variable larger than the remaining space. This should fail, but if it somehow succeeds we can then immediately delete it. I've tested this on the UEFI machines I have available, but I don't have a Samsung and so can't verify that it avoids the bricking problem. Signed-off-by: Matthew Garrett Signed-off-by: Lee, Chun-Y [ dummy variable cleanup ] Signed-off-by: Matt Fleming [bwh: Backported to 3.2: the reverted changes were never applied here] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 3fd6f849dd0f9ba7a4f8e2f88b0d9e49659d30b2 Author: Richard Weinberger Date: Wed Apr 17 01:00:53 2013 +0200 x86,efi: Implement efi_no_storage_paranoia parameter commit 8c58bf3eec3b8fc8162fe557e9361891c20758f2 upstream. Using this parameter one can disable the storage_size/2 check if he is really sure that the UEFI does sane gc and fulfills the spec. This parameter is useful if a devices uses more than 50% of the storage by default. The Intel DQSW67 desktop board is such a sucker for exmaple. Signed-off-by: Richard Weinberger Signed-off-by: Matt Fleming [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 891d583c403cbce091f6e759e3f9b411917638f6 Author: Sergey Vlasov Date: Tue Apr 16 18:31:09 2013 +0400 efi: Export efi_query_variable_store() for efivars.ko commit 3668011d4ad556224f7c012c1e870a6eaa0e59da upstream. Fixes build with CONFIG_EFI_VARS=m which was broken after the commit "x86, efivars: firmware bug workarounds should be in platform code". Signed-off-by: Sergey Vlasov Signed-off-by: Matt Fleming Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit d352874118cfe49a1e793c913c9e448e4f5f3245 Author: Richard Weinberger Date: Wed Apr 10 10:59:34 2013 +0200 x86,efi: Check max_size only if it is non-zero. commit 7791c8423f1f7f4dad94e753bae67461d5b80be8 upstream. Some EFI implementations return always a MaximumVariableSize of 0, check against max_size only if it is non-zero. My Intel DQ67SW desktop board has such an implementation. Signed-off-by: Richard Weinberger Signed-off-by: Matt Fleming Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 0b94d72798ba9f2e93891033107af49486650c22 Author: Matt Fleming Date: Mon Mar 25 09:14:30 2013 +0000 x86, efivars: firmware bug workarounds should be in platform code commit a6e4d5a03e9e3587e88aba687d8f225f4f04c792 upstream. Let's not burden ia64 with checks in the common efivars code that we're not writing too much data to the variable store. That kind of thing is an x86 firmware bug, plain and simple. efi_query_variable_store() provides platforms with a wrapper in which they can perform checks and workarounds for EFI variable storage bugs. Cc: H. Peter Anvin Cc: Matthew Garrett Signed-off-by: Matt Fleming [xr: Backported to 3.4: adjust context] Signed-off-by: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit b28299b42d3fb210fc0a6af6da435041e048fa39 Author: Seiji Aguchi Date: Tue Feb 12 13:04:41 2013 -0800 efi_pstore: Introducing workqueue updating sysfs commit a93bc0c6e07ed9bac44700280e65e2945d864fd4 upstream. [Problem] efi_pstore creates sysfs entries, which enable users to access to NVRAM, in a write callback. If a kernel panic happens in an interrupt context, it may fail because it could sleep due to dynamic memory allocations during creating sysfs entries. [Patch Description] This patch removes sysfs operations from a write callback by introducing a workqueue updating sysfs entries which is scheduled after the write callback is called. Also, the workqueue is kicked in a just oops case. A system will go down in other cases such as panic, clean shutdown and emergency restart. And we don't need to create sysfs entries because there is no chance for users to access to them. efi_pstore will be robust against a kernel panic in an interrupt context with this patch. Signed-off-by: Seiji Aguchi Acked-by: Matt Fleming Signed-off-by: Tony Luck [xr: Backported to 3.4: - Adjust contest - Remove repeated definition of helper function variable_is_present] Signed-off-by: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 9001ccbda1be58798d1bd221c3e2a2443133b8bb Author: Ben Hutchings Date: Fri Mar 22 19:56:51 2013 +0000 efivars: Fix check for CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE commit ca0ba26fbbd2d81c43085df49ce0abfe34535a90 upstream. The 'CONFIG_' prefix is not implicit in IS_ENABLED(). Signed-off-by: Ben Hutchings Cc: Seth Forshee Signed-off-by: Matt Fleming Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 026f0287cdb6154517a7c7e23c6541a8ba30979b Author: Seth Forshee Date: Mon Mar 11 16:17:50 2013 -0500 efivars: Add module parameter to disable use as a pstore backend commit ec0971ba5372a4dfa753f232449d23a8fd98490e upstream. We know that with some firmware implementations writing too much data to UEFI variables can lead to bricking machines. Recent changes attempt to address this issue, but for some it may still be prudent to avoid writing large amounts of data until the solution has been proven on a wide variety of hardware. Crash dumps or other data from pstore can potentially be a large data source. Add a pstore_module parameter to efivars to allow disabling its use as a backend for pstore. Also add a config option, CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE, to allow setting the default value of this paramter to true (i.e. disabled by default). Signed-off-by: Seth Forshee Cc: Josh Boyer Cc: Matthew Garrett Cc: Seiji Aguchi Cc: Tony Luck Signed-off-by: Matt Fleming [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit f6a087af822a54e098fd7934d1498256e8627254 Author: Seth Forshee Date: Thu Mar 7 11:40:17 2013 -0600 efivars: Allow disabling use as a pstore backend commit ed9dc8ce7a1c8115dba9483a9b51df8b63a2e0ef upstream. Add a new option, CONFIG_EFI_VARS_PSTORE, which can be set to N to avoid using efivars as a backend to pstore, as some users may want to compile out the code completely. Set the default to Y to maintain backwards compatability, since this feature has always been enabled until now. Signed-off-by: Seth Forshee Cc: Josh Boyer Cc: Matthew Garrett Cc: Seiji Aguchi Cc: Tony Luck Signed-off-by: Matt Fleming [xr: Backported to 3.4: adjust context] Signed-off-by: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 1c4e6e91fec88f6a544259d5d536991e0a41f5e3 Author: Ben Hutchings Date: Sat Mar 23 03:49:53 2013 +0000 efivars: pstore: Do not check size when erasing variable commit 80a19debc2f2d398cfa57fae97bc99826748a602 upstream. In 3.2, unlike mainline, efi_pstore_erase() calls efi_pstore_write() with a size of 0, as the underlying EFI interface treats a size of 0 as meaning deletion. This was not taken into account in my backport of commit d80a361d779a 'efi_pstore: Check remaining space with QueryVariableInfo() before writing data'. The size check should be omitted when erasing. Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit e887bb41a177d6c6f245d80ad427f1b91fbed91e Author: Josh Boyer Date: Mon Mar 11 17:48:53 2013 -0400 efi: be more paranoid about available space when creating variables commit 68d929862e29a8b52a7f2f2f86a0600423b093cd upstream. UEFI variables are typically stored in flash. For various reasons, avaiable space is typically not reclaimed immediately upon the deletion of a variable - instead, the system will garbage collect during initialisation after a reboot. Some systems appear to handle this garbage collection extremely poorly, failing if more than 50% of the system flash is in use. This can result in the machine refusing to boot. The safest thing to do for the moment is to forbid writes if they'd end up using more than half of the storage space. We can make this more finegrained later if we come up with a method for identifying the broken machines. Signed-off-by: Matthew Garrett Signed-off-by: Matt Fleming [bwh: Backported to 3.2: - Drop efivarfs changes and unused check_var_size() - Add error codes to include/linux/efi.h, added upstream by commit 5d9db883761a ('efi: Add support for a UEFI variable filesystem') - Add efi_status_to_err(), added upstream by commit 7253eaba7b17 ('efivarfs: Return an error if we fail to read a variable')] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit ff534f031ab3192952fc6403bb8618feda758a38 Author: Josh Boyer Date: Mon Mar 11 17:47:42 2013 -0400 efivars: Disable external interrupt while holding efivars->lock commit 81fa4e581d9283f7992a0d8c534bb141eb840a14 upstream. [Problem] There is a scenario which efi_pstore fails to log messages in a panic case. - CPUA holds an efi_var->lock in either efivarfs parts or efi_pstore with interrupt enabled. - CPUB panics and sends IPI to CPUA in smp_send_stop(). - CPUA stops with holding the lock. - CPUB kicks efi_pstore_write() via kmsg_dump(KSMG_DUMP_PANIC) but it returns without logging messages. [Patch Description] This patch disables an external interruption while holding efivars->lock as follows. In efi_pstore_write() and get_var_data(), spin_lock/spin_unlock is replaced by spin_lock_irqsave/spin_unlock_irqrestore because they may be called in an interrupt context. In other functions, they are replaced by spin_lock_irq/spin_unlock_irq. because they are all called from a process context. By applying this patch, we can avoid the problem above with a following senario. - CPUA holds an efi_var->lock with interrupt disabled. - CPUB panics and sends IPI to CPUA in smp_send_stop(). - CPUA receives the IPI after releasing the lock because it is disabling interrupt while holding the lock. - CPUB waits for one sec until CPUA releases the lock. - CPUB kicks efi_pstore_write() via kmsg_dump(KSMG_DUMP_PANIC) And it can hold the lock successfully. Signed-off-by: Seiji Aguchi Acked-by: Mike Waychison Acked-by: Matt Fleming Signed-off-by: Tony Luck [bwh: Backported to 3.2: - Drop efivarfs changes - Adjust context - Drop change to efi_pstore_erase(), which is implemented using efi_pstore_write() here] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 8e74ecf7da0e7a9d0ef4e2474f87a5cba86b4347 Author: Seiji Aguchi Date: Wed Nov 14 20:25:37 2012 +0000 efi_pstore: Check remaining space with QueryVariableInfo() before writing data commit d80a361d779a9f19498943d1ca84243209cd5647 upstream. [Issue] As discussed in a thread below, Running out of space in EFI isn't a well-tested scenario. And we wouldn't expect all firmware to handle it gracefully. http://marc.info/?l=linux-kernel&m=134305325801789&w=2 On the other hand, current efi_pstore doesn't check a remaining space of storage at writing time. Therefore, efi_pstore may not work if it tries to write a large amount of data. [Patch Description] To avoid handling the situation above, this patch checks if there is a space enough to log with QueryVariableInfo() before writing data. Signed-off-by: Seiji Aguchi Acked-by: Mike Waychison Signed-off-by: Tony Luck Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 75a0ac16ab0b957c19795a0e47d774ca614af7c7 Author: H. Peter Anvin Date: Sun Jan 13 20:36:39 2013 -0800 x86/Sandy Bridge: mark arrays in __init functions as __initconst commit 91c90db1aa92a50fa1d7f289502b49ddb46a90d3 upstream. commit ab3cd8670e0b3fcde7f029e1503ed3c5138e9571 upstream. Mark static arrays as __initconst so they get removed when the init sections are flushed. Reported-by: Mathias Krause Link: http://lkml.kernel.org/r/75F4BEE6-CB0E-4426-B40B-697451677738@googlemail.com Signed-off-by: H. Peter Anvin Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit acb33555bc562b8b72c879af8f67bfb09e84cbf5 Author: Oleg Nesterov Date: Sat Aug 11 18:06:42 2012 +0200 ptrace/x86: Partly fix set_task_blockstep()->update_debugctlmsr() logic commit 95cf00fa5d5e2a200a2c044c84bde8389a237e02 upstream. Afaics the usage of update_debugctlmsr() and TIF_BLOCKSTEP in step.c was always very wrong. 1. update_debugctlmsr() was simply unneeded. The child sleeps TASK_TRACED, __switch_to_xtra(next_p => child) should notice TIF_BLOCKSTEP and set/clear DEBUGCTLMSR_BTF after resume if needed. 2. It is wrong. The state of DEBUGCTLMSR_BTF bit in CPU register should always match the state of current's TIF_BLOCKSTEP bit. 3. Even get_debugctlmsr() + update_debugctlmsr() itself does not look right. Irq can change other bits in MSR_IA32_DEBUGCTLMSR register or the caller can be preempted in between. 4. It is not safe to play with TIF_BLOCKSTEP if task != current. DEBUGCTLMSR_BTF and TIF_BLOCKSTEP should always match each other if the task is running. The tracee is stopped but it can be SIGKILL'ed right before set/clear_tsk_thread_flag(). However, now that uprobes uses user_enable_single_step(current) we can't simply remove update_debugctlmsr(). So this patch adds the additional "task == current" check and disables irqs to avoid the race with interrupts/preemption. Unfortunately this patch doesn't solve the last problem, we need another fix. Probably we should teach ptrace_stop() to set/clear single/block stepping after resume. And afaics there is yet another problem: perf can play with MSR_IA32_DEBUGCTLMSR from nmi, this obviously means that even __switch_to_xtra() has problems. Signed-off-by: Oleg Nesterov Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit fa060a3631ad4f9d555e0bc6d9a4d4147137cef9 Author: Oleg Nesterov Date: Fri Aug 3 17:31:46 2012 +0200 ptrace/x86: Introduce set_task_blockstep() helper commit 848e8f5f0ad3169560c516fff6471be65f76e69f upstream. No functional changes, preparation for the next fix and for uprobes single-step fixes. Move the code playing with TIF_BLOCKSTEP/DEBUGCTLMSR_BTF into the new helper, set_task_blockstep(). Signed-off-by: Oleg Nesterov Acked-by: Srikar Dronamraju Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 65d41bb38519d09387b630e411e109423ccfff29 Author: Radu Caragea Date: Wed Aug 21 20:55:59 2013 +0300 x86 get_unmapped_area: Access mmap_legacy_base through mm_struct member commit 41aacc1eea645c99edbe8fbcf78a97dc9b862adc upstream. This is the updated version of df54d6fa5427 ("x86 get_unmapped_area(): use proper mmap base for bottom-up direction") that only randomizes the mmap base address once. Signed-off-by: Radu Caragea Reported-and-tested-by: Jeff Shorey Cc: Andrew Morton Cc: Michel Lespinasse Cc: Oleg Nesterov Cc: Rik van Riel Cc: Ingo Molnar Cc: Adrian Sendroiu Cc: Greg KH Cc: Kamal Mostafa Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 65947f14c1c811bf7b6e6d2f78c57cdff4b18b59 Author: Russ Gorby Date: Mon Aug 13 13:45:15 2012 +0100 n_gsm: replace kfree_skb w/ appropriate dev_* versions commit 329e56780e514a7ab607bcb51a52ab0dc2669414 upstream. Drivers are supposed to use the dev_* versions of the kfree_skb interfaces. In a couple of cases we were called with IRQs disabled as well which kfree_skb() does not expect. Replaced kfree_skb calls w/ dev_kfree_skb and dev_kfree_skb_any Signed-off-by: Russ Gorby Tested-by: Yin, Fengwei Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 401a93e7e742379f6f5382098adc556b13e96fe5 Author: Russ Gorby Date: Mon Aug 13 13:44:59 2012 +0100 n_gsm: avoid accessing freed memory during CMD_FCOFF condition commit b4338e1efc339986cf6c0a3652906e914a86e2d3 upstream. gsm_data_kick was recently modified to allow messages on the tx queue bound for DLCI0 to flow even during FCOFF conditions. Unfortunately we introduced a bug discovered by code inspection where subsequent list traversers can access freed memory if the DLCI0 messages were not all at the head of the list. Replaced singly linked tx list w/ a list_head and used provided interfaces for traversing and deleting members. Signed-off-by: Russ Gorby Tested-by: Yin, Fengwei Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 10e03a431b2dd84b2cd671ddc402bf1a18a33906 Author: samix.lebsir Date: Mon Aug 13 13:44:22 2012 +0100 char: n_gsm: remove message filtering for contipated DLCI commit 10c6c383e43565c9c6ec07ff8eb2825f8091bdf0 upstream. The design of uplink flow control in the mux driver is that for constipated channels data will backup into the per-channel fifos, and any messages that make it to the outbound message queue will still go out. Code was added to also stop messages that were in the outbound queue but this requires filtering through all the messages on the queue for stopped dlcis and changes some of the mux logic unneccessarily. The message fiiltering was removed to be in line w/ the original design as the message filtering does not provide any solution. Extra debug messages used during investigation were also removed. Signed-off-by: samix.lebsir Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 28bae9a8ddef6184e91c1d4efa85fcb70237d344 Author: Frederic Berat Date: Mon Aug 13 13:43:58 2012 +0100 n_gsm : Flow control handling in Mux driver commit c01af4fec2c8f303d6b3354d44308d9e6bef8026 upstream. - Correcting handling of FCon/FCoff in order to respect 27.010 spec - Consider FCon/off will overide all dlci flow control except for dlci0 as we must be able to send control frames. - Dlci constipated handling according to FC, RTC and RTR values. - Modifying gsm_dlci_data_kick and gsm_dlci_data_sweep according to dlci constipated value Signed-off-by: Frederic Berat Signed-off-by: Russ Gorby Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 6aa07d6b6ea43ec513a3fb2c64369a9cfe56167f Author: Randy Dunlap Date: Tue Jun 18 12:33:40 2013 -0700 x86: fix build error and kconfig for ia32_emulation and binfmt commit d1603990ea626668c78527376d9ec084d634202d upstream. Fix kconfig warning and build errors on x86_64 by selecting BINFMT_ELF when COMPAT_BINFMT_ELF is being selected. warning: (IA32_EMULATION) selects COMPAT_BINFMT_ELF which has unmet direct dependencies (COMPAT && BINFMT_ELF) fs/built-in.o: In function `elf_core_dump': compat_binfmt_elf.c:(.text+0x3e093): undefined reference to `elf_core_extra_phdrs' compat_binfmt_elf.c:(.text+0x3ebcd): undefined reference to `elf_core_extra_data_size' compat_binfmt_elf.c:(.text+0x3eddd): undefined reference to `elf_core_write_extra_phdrs' compat_binfmt_elf.c:(.text+0x3f004): undefined reference to `elf_core_write_extra_data' [ hpa: This was sent to me for -next but it is a low risk build fix ] Signed-off-by: Randy Dunlap Link: http://lkml.kernel.org/r/51C0B614.5000708@infradead.org Signed-off-by: H. Peter Anvin Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 570a73ebc127470b325a39f5d8b18eeedb05cc58 Author: Fenghua Yu Date: Wed Oct 23 18:30:12 2013 -0700 x86/apic: Disable I/O APIC before shutdown of the local APIC commit 522e66464467543c0d88d023336eec4df03ad40b upstream. In reboot and crash path, when we shut down the local APIC, the I/O APIC is still active. This may cause issues because external interrupts can still come in and disturb the local APIC during shutdown process. To quiet external interrupts, disable I/O APIC before shutdown local APIC. Signed-off-by: Fenghua Yu Link: http://lkml.kernel.org/r/1382578212-4677-1-git-send-email-fenghua.yu@intel.com [ I suppose the 'issue' is a hang during shutdown. It's a fine change nevertheless. ] Signed-off-by: Ingo Molnar [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 1ad128f9d1c899983847a0581385a95ea9d491ff Author: H. Peter Anvin Date: Mon Dec 9 15:43:38 2013 -0800 x86, build: Pass in additional -mno-mmx, -mno-sse options commit 8b3b005d675726e38bc504d2e35a991e55819155 upstream. In checkin 5551a34e5aea x86-64, build: Always pass in -mno-sse we unconditionally added -mno-sse to the main build, to keep newer compilers from generating SSE instructions from autovectorization. However, this did not extend to the special environments (arch/x86/boot, arch/x86/boot/compressed, and arch/x86/realmode/rm). Add -mno-sse to the compiler command line for these environments, and add -mno-mmx to all the environments as well, as we don't want a compiler to generate MMX code either. This patch also removes a $(cc-option) call for -m32, since we have long since stopped supporting compilers too old for the -m32 option, and in fact hardcode it in other places in the Makefiles. Reported-by: Kevin B. Smith Cc: Sunil K. Pandey Signed-off-by: H. Peter Anvin Cc: H. J. Lu Link: http://lkml.kernel.org/n/tip-j21wzqv790q834n7yc6g80j1@git.kernel.org [bwh: Backported to 3.2: - Drop changes to arch/x86/Makefile, which sets these flags earlier - Adjust context - Drop changes to arch/x86/realmode/rm/Makefile which doesn't exist] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 2c1dca2262846a50ca30f816ec361500d92ec3fe Author: H. Peter Anvin Date: Tue Dec 10 14:56:06 2013 -0800 x86, build, icc: Remove uninitialized_var() from compiler-intel.h commit 503cf95c061a0551eb684da364509297efbe55d9 upstream. When compiling with icc, ends up included because the icc environment defines __GNUC__. Thus, we neither need nor want to have this macro defined in both compiler-gcc.h and compiler-intel.h, and the fact that they are inconsistent just makes the compiler spew warnings. Reported-by: Sunil K. Pandey Cc: Kevin B. Smith Signed-off-by: H. Peter Anvin Link: http://lkml.kernel.org/n/tip-0mbwou1zt7pafij09b897lg3@git.kernel.org [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit d981d3fc5bf7923c1b9bf46016c4a6e83ee843b9 Author: Dirk Behme Date: Fri Aug 31 10:02:47 2012 +0200 tty: serial: imx: don't reinit clock in imx_setup_ufcr() commit 7be0670f7b9198382938a03ff3db7f47ef6b4780 upstream. Remove the clock configuration from imx_setup_ufcr(). This isn't needed here and will cause garbage output if done. To be be sure that we only touch the bits we want (TXTL and RXTL) we have to mask out all other bits of the UFCR register. Add one non-existing bit macro for this, too (bit 6, DCEDTE on i.MX6). Signed-off-by: Dirk Behme CC: Shawn Guo CC: Sascha Hauer CC: Troy Kisky CC: Xinyu Chen Acked-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: deleted code in imx_setup_ufcr() refers to sport->clk not sport->clk_per] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit ffb88d59ca6ddb54e4ed24155b8f9a77bf200680 Author: Takashi Iwai Date: Wed Nov 6 18:47:42 2013 +0100 ALSA: hda - Add support for CX20952 commit 8f42d7698751a45cd9f7134a5da49bc5b6206179 upstream. It's a superset of the existing CX2075x codecs, so we can reuse the existing parser code. Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit a162811ff92ab4de3dba3941a627ffae47d9f09f Author: Takashi Iwai Date: Mon Jan 21 16:53:37 2013 +0100 ALSA: hda - Add Conexant CX20755/20756/20757 codec IDs commit 42c364ace52ae6b4699105b39f2559c256b6cd4c upstream. These are just compatible with other CX2075x codecs. Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 1168045bcc57f64c661e215082307724a4f66a5c Author: Takashi Iwai Date: Fri May 11 08:39:24 2012 +0200 ALSA: hda/conexant - Correct vendor IDs for new codecs commit 2d825fd82eb765412a558a56e193b77117d56699 upstream. Never trust datasheet... Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit cdab1ea80688e84c47319607a52e293289a6b115 Author: Takashi Iwai Date: Wed Dec 12 12:10:01 2012 +0100 ALSA: hda - Add stereo-dmic fixup for Acer Aspire One 522 commit 63a077e27648b4043b1ca1b4e29f0c42d99616b6 upstream. Acer Aspire One 522 has the infamous digital mic unit that needs the phase inversion fixup for stereo. Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=715737 Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit d3ecba4704c3e15008eea16333710383f7d99f62 Author: David Henningsson Date: Tue Apr 10 13:05:29 2012 +0200 ALSA: hda - Fix oops caused by recent commit "Fix internal mic for Lenovo Ideapad U300s" commit 83b0c6ba999643ee8ad6329f26e1cdc870e1a920 upstream. Make sure we don't dereference the "quirk" pointer when it is null. Reported-by: Dan Carpenter Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 419f4dff0eca95853a22c582e7dc754887a14a8d Author: Felix Kaechele Date: Wed Sep 26 01:20:44 2012 +0200 ALSA: hda - Add inverted internal mic quirk for Lenovo IdeaPad U310 commit e4db0952e542090c605fd41d31d761f1b4624f4a upstream. The Lenovo IdeaPad U310 has an internal mic where the right channel is phase inverted. Signed-off-by: Felix Kaechele Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 8194af4024e631882afdb7c200dfee11e469e47b Author: David Henningsson Date: Thu Jun 21 16:03:01 2012 +0200 ALSA: HDA: Add inverted internal mic quirk for Lenovo S205 commit b3c5dce81584391af8b6dedb0647e65c17aab3a2 upstream. The Lenovo Ideapad S205 has an internal mic where the right channel is phase inverted. BugLink: https://bugs.launchpad.net/bugs/884652 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings Cc: Weng Meiling Signed-off-by: Greg Kroah-Hartman commit 2467a26e7069cb61fe52d8a8fc7c6f2e5c7fa935 Author: Alex Hung Date: Tue Apr 24 16:40:52 2012 +0800 thinkpad-acpi: fix issuing duplicated key events for brightness up/down commit ff413195e830541afeae469fc866ecd0319abd7e upstream. The tp_features.bright_acpimode will not be set correctly for brightness control because ACPI_VIDEO_HID will not be located in ACPI. As a result, a duplicated key event will always be sent. acpi_video_backlight_support() is sufficient to detect standard ACPI brightness control. Signed-off-by: Alex Hung Signed-off-by: Matthew Garrett Cc: Andreas Sturmlechner Signed-off-by: Greg Kroah-Hartman commit 51a937d48eee52b33ba1f2feb2b8b40d254800c9 Author: Bjorn Helgaas Date: Fri Jan 11 12:21:15 2013 -0700 PCI: shpchp: Use per-slot workqueues to avoid deadlock commit f652e7d2916fe2fcf9e7d709aa5b7476b431e2dd upstream. When we have an SHPC-capable bridge with a second SHPC-capable bridge below it, pushing the upstream bridge's attention button causes a deadlock. The deadlock happens because we use the shpchp_wq workqueue to run shpchp_pushbutton_thread(), which uses shpchp_disable_slot() to remove devices below the upstream bridge. When we remove the downstream bridge, we call shpc_remove(), the shpchp driver's .remove() method. That calls flush_workqueue(shpchp_wq), which deadlocks because the shpchp_pushbutton_thread() work item is still running. This patch avoids the deadlock by creating a workqueue for every slot and removing the single shared workqueue. Here's the call path that leads to the deadlock: shpchp_queue_pushbutton_work queue_work(shpchp_wq) # shpchp_pushbutton_thread ... shpchp_pushbutton_thread shpchp_disable_slot remove_board shpchp_unconfigure_device pci_stop_and_remove_bus_device ... shpc_remove # shpchp driver .remove method hpc_release_ctlr cleanup_slots flush_workqueue(shpchp_wq) This change is based on code inspection, since we don't have hardware with this topology. Based-on-patch-by: Yijing Wang Signed-off-by: Bjorn Helgaas [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings [hq: Backported to 3.4: adjust context] Signed-off-by: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 3a2c0d4b76454fe93fa4a5042962cfd76a0a31e2 Author: Stanislaw Gruszka Date: Mon Dec 3 12:56:33 2012 +0100 mac80211: introduce IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL commit 5b632fe85ec82e5c43740b52e74c66df50a37db3 upstream. Commit f0425beda4d404a6e751439b562100b902ba9c98 "mac80211: retry sending failed BAR frames later instead of tearing down aggr" caused regression on rt2x00 hardware (connection hangs). This regression was fixed by commit be03d4a45c09ee5100d3aaaedd087f19bc20d01 "rt2x00: Don't let mac80211 send a BAR when an AMPDU subframe fails". But the latter commit caused yet another problem reported in https://bugzilla.kernel.org/show_bug.cgi?id=42828#c22 After long discussion in this thread: http://mid.gmane.org/20121018075615.GA18212@redhat.com and testing various alternative solutions, which failed on one or other setup, we have no other good fix for the issues like just revert both mentioned earlier commits. To do not affect other hardware which benefit from commit f0425beda4d404a6e751439b562100b902ba9c98, instead of reverting it, introduce flag that when used will restore mac80211 behaviour before the commit. Signed-off-by: Stanislaw Gruszka [replaced link with mid.gmane.org that has message-id] Signed-off-by: Johannes Berg [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings [hq: Backported to 3.4: adjust context] Signed-off-by: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit d6f6a6494dbe3be2992ae95baa52f94356d98c81 Author: Bruce Allan Date: Fri Aug 24 20:38:11 2012 +0000 e1000e: DoS while TSO enabled caused by link partner with small MSS commit d821a4c4d11ad160925dab2bb009b8444beff484 upstream. With a low enough MSS on the link partner and TSO enabled locally, the networking stack can periodically send a very large (e.g. 64KB) TCP message for which the driver will attempt to use more Tx descriptors than are available by default in the Tx ring. This is due to a workaround in the code that imposes a limit of only 4 MSS-sized segments per descriptor which appears to be a carry-over from the older e1000 driver and may be applicable only to some older PCI or PCIx parts which are not supported in e1000e. When the driver gets a message that is too large to fit across the configured number of Tx descriptors, it stops the upper stack from queueing any more and gets stuck in this state. After a timeout, the upper stack assumes the adapter is hung and calls the driver to reset it. Remove the unnecessary limitation of using up to only 4 MSS-sized segments per Tx descriptor, and put in a hard failure test to catch when attempting to check for message sizes larger than would fit in the whole Tx ring. Refactor the remaining logic that limits the size of data per Tx descriptor from a seemingly arbitrary 8KB to a limit based on the dynamic size of the Tx packet buffer as described in the hardware specification. Also, fix the logic in the check for space in the Tx ring for the next largest possible packet after the current one has been successfully queued for transmit, and use the appropriate defines for default ring sizes in e1000_probe instead of magic values. This issue goes back to the introduction of e1000e in 2.6.24 when it was split off from e1000. Reported-by: Ben Hutchings Signed-off-by: Bruce Allan Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit c7b5c6cd19c6ecfe7380c76b88ffdac349d60589 Author: Alexander Stein Date: Thu Dec 13 10:06:10 2012 +0100 can: c_can: Set reserved bit in IFx_MASK2 to 1 on write commit 2bd3bc4e8472424f1a6009825397639a8968920a upstream. According to C_CAN documentation, the reserved bit in IFx_MASK2 register is fixed 1. Signed-off-by: Alexander Stein Signed-off-by: Marc Kleine-Budde [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit a070047141a84e11ea0a6c2a568763d874825675 Author: Konrad Rzeszutek Wilk Date: Wed Jan 16 23:40:01 2013 +0100 intel_idle: Don't register CPU notifier if we are not running. commit 6f8c2e7933679f54b6478945dc72e59ef9a3d5e0 upstream. The 'intel_idle_probe' probes the CPU and sets the CPU notifier. But if later on during the module initialization we fail (say in cpuidle_register_driver), we stop loading, but we neglect to unregister the CPU notifier. This means that during CPU hotplug events the system will fail: calling intel_idle_init+0x0/0x326 @ 1 intel_idle: MWAIT substates: 0x1120 intel_idle: v0.4 model 0x2A intel_idle: lapic_timer_reliable_states 0xffffffff intel_idle: intel_idle yielding to none initcall intel_idle_init+0x0/0x326 returned -19 after 14 usecs ... some time later, offlining and onlining a CPU: cpu 3 spinlock event irq 62 BUG: unable to ] __cpuidle_register_device+0x1c/0x120 PGD 99b8b067 PUD 99b95067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: xen_evtchn nouveau mxm_wmi wmi radeon ttm i915 fbcon tileblit font atl1c bitblit softcursor drm_kms_helper video xen_blkfront xen_netfront fb_sys_fops sysimgblt sysfillrect syscopyarea xenfs xen_privcmd mperf CPU 0 Pid: 2302, comm: udevd Not tainted 3.8.0-rc3upstream-00249-g09ad159 #1 MSI MS-7680/H61M-P23 (MS-7680) RIP: e030:[] [] __cpuidle_register_device+0x1c/0x120 RSP: e02b:ffff88009dacfcb8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff880105380000 RCX: 000000000000001c RDX: 0000000000000000 RSI: 0000000000000055 RDI: ffff880105380000 RBP: ffff88009dacfce8 R08: ffffffff81a4f048 R09: 0000000000000008 R10: 0000000000000008 R11: 0000000000000000 R12: ffff880105380000 R13: 00000000ffffffdd R14: 0000000000000000 R15: ffffffff81a523d0 FS: 00007f37bd83b7a0(0000) GS:ffff880105200000(0000) knlGS:0000000000000000 CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 00000000a09ea000 CR4: 0000000000042660 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process udevd (pid: 2302, threadinfo ffff88009dace000, task ffff88009afb47f0) Stack: ffffffff8107f2d0 ffffffff810c2fb7 ffff88009dacfce8 00000000ffffffea ffff880105380000 00000000ffffffdd ffff88009dacfd08 ffffffff814d9882 0000000000000003 ffff880105380000 ffff88009dacfd28 ffffffff81340afd Call Trace: [] ? collect_cpu_info_local+0x30/0x30 [] ? __might_sleep+0xe7/0x100 [] cpuidle_register_device+0x32/0x70 [] intel_idle_cpu_init+0xad/0x110 [] cpu_hotplug_notify+0x68/0x80 [] notifier_call_chain+0x4d/0x70 [] __raw_notifier_call_chain+0x9/0x10 [] __cpu_notify+0x1b/0x30 [] _cpu_up+0x103/0x14b [] cpu_up+0xd9/0xec [] store_online+0x94/0xd0 [] dev_attr_store+0x1b/0x20 [] sysfs_write_file+0xf4/0x170 [] vfs_write+0xb4/0x130 [] sys_write+0x5a/0xa0 [] system_call_fastpath+0x16/0x1b Code: 03 18 00 c9 c3 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 48 83 ec 30 48 89 5d e8 4c 89 65 f0 48 89 fb 4c 89 6d f8 e8 84 08 00 00 <48> 8b 78 08 49 89 c4 e8 f8 7f c1 ff 89 c2 b8 ea ff ff ff 84 d2 RIP [] __cpuidle_register_device+0x1c/0x120 RSP This patch fixes that by moving the CPU notifier registration as the last item to be done by the module. Signed-off-by: Konrad Rzeszutek Wilk Reviewed-by: Srivatsa S. Bhat Signed-off-by: Rafael J. Wysocki [bwh: Backported to 3.2: notifier is registered only if we do not have ARAT] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit af857f1c3e407fd2650665f5e5c92f70994905fa Author: Axel Lin Date: Wed Jan 9 19:34:57 2013 +0800 regulator: max8998: Ensure enough delay time for max8998_set_voltage_buck_time_sel commit e8d9897ff064b1683c11c15ea1296a67a45d77b0 upstream. commit 81d0a6ae7befb24c06f4aa4856af7f8d1f612171 upstream. Use DIV_ROUND_UP to prevent truncation by integer division issue. This ensures we return enough delay time. Signed-off-by: Axel Lin Signed-off-by: Mark Brown [bwh: Backported to 3.2: delay is done by driver, not returned to the caller] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit cd858528541c10bb879436da8fce44e0c9c85b97 Author: Axel Lin Date: Fri Dec 28 17:09:03 2012 +0800 regulator: max8997: Use uV in voltage_map_desc commit bc3b7756b5ff66828acf7bc24f148d28b8d61108 upstream. Current code does integer division (min_vol = min_uV / 1000) before pass min_vol to max8997_get_voltage_proper_val(). So it is possible min_vol is truncated to a smaller value. For example, if the request min_uV is 800900 for ldo. min_vol = 800900 / 1000 = 800 (mV) Then max8997_get_voltage_proper_val returns 800 mV for this case which is lower than the requested voltage. Use uV rather than mV in voltage_map_desc to prevent truncation by integer division. Signed-off-by: Axel Lin Signed-off-by: Mark Brown [bwh: Backported to 3.2: - Adjust context - voltage_map_desc also has an n_bits field] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit c7e0950c2d360599d5b859ff43caf142115ac518 Author: Krzysztof Mazur Date: Wed Dec 19 11:03:41 2012 +0100 i915: ensure that VGA plane is disabled commit 0fde901f1ddd2ce0e380a6444f1fb7ca555859e9 upstream. Some broken systems (like HP nc6120) in some cases, usually after LID close/open, enable VGA plane, making display unusable (black screen on LVDS, some strange mode on VGA output). We used to disable VGA plane only once at startup. Now we also check, if VGA plane is still disabled while changing mode, and fix that if something changed it. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=57434 Signed-off-by: Krzysztof Mazur Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: intel_modeset_setup_hw_state() does not exist, so call i915_redisable_vga() directly from intel_lid_notify()] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit cabb4147cb8b0d92b8c779dfaff63e695f204598 Author: Mauro Carvalho Chehab Date: Mon Oct 15 21:48:48 2012 -0300 i82975x_edac: Fix dimm label initialization commit 479696840239e0cc43efb3c917bdcad2174d2215 upstream. The driver has only 4 hardcoded labels, but allows much more memory. Fix it by removing the hardcoded logic, using snprintf() instead. [ 19.833972] general protection fault: 0000 [#1] SMP [ 19.837733] Modules linked in: i82975x_edac(+) edac_core firewire_ohci firewire_core crc_itu_t nouveau mxm_wmi wmi video i2c_algo_bit drm_kms_helper ttm drm i2c_core [ 19.837733] CPU 0 [ 19.837733] Pid: 390, comm: udevd Not tainted 3.6.1-1.fc17.x86_64.debug #1 Dell Inc. Precision WorkStation 390 /0MY510 [ 19.837733] RIP: 0010:[] [] strncpy+0x18/0x30 [ 19.837733] RSP: 0018:ffff880078535b68 EFLAGS: 00010202 [ 19.837733] RAX: ffff880069fa9708 RBX: ffff880078588000 RCX: ffff880069fa9708 [ 19.837733] RDX: 000000000000001f RSI: 5f706f5f63616465 RDI: ffff880069fa9708 [ 19.837733] RBP: ffff880078535b68 R08: ffff880069fa9727 R09: 000000000000fffe [ 19.837733] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000003 [ 19.837733] R13: 0000000000000000 R14: ffff880069fa9290 R15: ffff880079624a80 [ 19.837733] FS: 00007f3de01ee840(0000) GS:ffff88007c400000(0000) knlGS:0000000000000000 [ 19.837733] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 19.837733] CR2: 00007f3de00b9000 CR3: 0000000078dbc000 CR4: 00000000000007f0 [ 19.837733] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 19.837733] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 19.837733] Process udevd (pid: 390, threadinfo ffff880078534000, task ffff880079642450) [ 19.837733] Stack: [ 19.837733] ffff880078535c18 ffffffffa017c6b8 00040000816d627f ffff880079624a88 [ 19.837733] ffffc90004cd6000 ffff880079624520 ffff88007ac21148 0000000000000000 [ 19.837733] 0000000000000000 0004000000000000 feda000078535bc8 ffffffff810d696d [ 19.837733] Call Trace: [ 19.837733] [] i82975x_init_one+0x2e6/0x3e6 [i82975x_edac] ... Fix bug reported at: https://bugzilla.redhat.com/show_bug.cgi?id=848149 And, very likely: https://bbs.archlinux.org/viewtopic.php?id=148033 https://bugzilla.kernel.org/show_bug.cgi?id=47171 Cc: Alan Cox Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.2: - Adjust context - Use csrow->channels[chan].label not csrow->channels[chan]->dimm->label] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit fb35bbb9a046982828c481137aebe8566ee9c074 Author: Jiri Slaby Date: Thu Sep 13 16:06:48 2012 +0200 MISC: hpilo, remove pci_disable_device commit bcdee04ea7ae0406ae69094f6df1aacb66a69a0b upstream. pci_disable_device(pdev) used to be in pci remove function. But this PCI device has two functions with interrupt lines connected to a single pin. The other one is a USB host controller. So when we disable the PIN there e.g. by rmmod hpilo, the controller stops working. It is because the interrupt link is disabled in ACPI since it is not refcounted yet. See acpi_pci_link_free_irq called from acpi_pci_irq_disable. It is not the best solution whatsoever, but as a workaround until the ACPI irq link refcounting is sorted out this should fix the reported errors. References: https://lkml.org/lkml/2008/11/4/535 Signed-off-by: Jiri Slaby Cc: Grant Grundler Cc: Nobin Mathew Cc: Robert Hancock Cc: Arnd Bergmann Cc: David Altobelli Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 85923c3d426b2059121171c042ccd82fc1beab21 Author: Herton Ronaldo Krzesinski Date: Mon Aug 27 20:56:54 2012 -0300 floppy: properly handle failure on add_disk loop commit d60e7ec18c3fb2cbf90969ccd42889eb2d03aef9 upstream. On floppy initialization, if something failed inside the loop we call add_disk, there was no cleanup of previous iterations in the error handling. Signed-off-by: Herton Ronaldo Krzesinski Signed-off-by: Jiri Kosina Signed-off-by: Jens Axboe [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit ad4751d31602b7e5334e3c9d6cd488ca35d0b89c Author: Seth Forshee Date: Fri Sep 28 10:29:21 2012 -0700 Input: synaptics - adjust threshold for treating position values as negative commit 824efd37415961d38821ecbd9694e213fb2e8b32 upstream. Commit c039450 (Input: synaptics - handle out of bounds values from the hardware) caused any hardware reported values over 7167 to be treated as a wrapped-around negative value. It turns out that some firmware uses the value 8176 to indicate a finger near the edge of the touchpad whose actual position cannot be determined. This value now gets treated as negative, which can cause pointer jumps and broken edge scrolling on these machines. I only know of one touchpad which reports negative values, and this hardware never reports any value lower than -8 (i.e. 8184). Moving the threshold for treating a value as negative up to 8176 should work fine then for any hardware we currently know about, and since we're dealing with unspecified behavior it's probably the best we can do. The special 8176 value is also likely to result in sudden jumps in position, so let's also clamp this to the maximum specified value for the axis. BugLink: http://bugs.launchpad.net/bugs/1046512 https://bugzilla.kernel.org/show_bug.cgi?id=46371 Signed-off-by: Seth Forshee Reviewed-by: Daniel Kurtz Tested-by: Alan Swanson Tested-by: Arteom Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit b2d995371398e957f9bde58786b719162434f0aa Author: Matthieu CASTET Date: Wed Aug 22 16:03:46 2012 +0200 UBI: erase free PEB with bitflip in EC header commit 193819cf2e6e395b1e1be2d36785dc5563a6edca upstream. Without this patch, these PEB are not scrubbed until we put data in them. Bitflip can accumulate latter and we can loose the EC header (but VID header should be intact and allow to recover data). Signed-off-by: Matthieu Castet Signed-off-by: Artem Bityutskiy [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings Cc: Qiang Huang Signed-off-by: Greg Kroah-Hartman commit 70e8fcb681a1f43568778bbb74b7ad2655fa8e74 Author: Rashika Kheria Date: Wed Oct 30 18:36:32 2013 +0530 Staging: zram: Fix access of NULL pointer commit 46a51c80216cb891f271ad021f59009f34677499 upstream. This patch fixes the bug in reset_store caused by accessing NULL pointer. The bdev gets its value from bdget_disk() which could fail when memory pressure is severe and hence can return NULL because allocation of inode in bdget could fail. Hence, this patch introduces a check for bdev to prevent reference to a NULL pointer in the later part of the code. It also removes unnecessary check of bdev for fsync_bdev(). Acked-by: Jerome Marchand Signed-off-by: Rashika Kheria Acked-by: Minchan Kim Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings Cc: Jianguo Wu Signed-off-by: Greg Kroah-Hartman commit 1f6074590c50b7a7bc1ef49ff02d749664b9d46d Author: Sergey Senozhatsky Date: Sat Jun 22 17:21:00 2013 +0300 zram: allow request end to coincide with disksize commit 75c7caf5a052ffd8db3312fa7864ee2d142890c4 upstream. Pass valid_io_request() checks if request end coincides with disksize (end equals bound), only fail if we attempt to read beyond the bound. mkfs.ext2 produces numerous errors: [ 2164.632747] quiet_error: 1 callbacks suppressed [ 2164.633260] Buffer I/O error on device zram0, logical block 153599 [ 2164.633265] lost page write due to I/O error on zram0 Signed-off-by: Sergey Senozhatsky Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings Cc: Jianguo Wu Signed-off-by: Greg Kroah-Hartman commit f3ec6e7a5ba399b324470aae720b3696049fb3e2 Author: Jiang Liu Date: Fri Jun 7 00:07:26 2013 +0800 zram: avoid access beyond the zram device commit 12a7ad3b810e77137d0caf97a6dd97591e075b30 upstream. Function valid_io_request() should verify the entire request are within the zram device address range. Otherwise it may cause invalid memory access when accessing/modifying zram->meta->table[index] because the 'index' is out of range. Then it may access non-exist memory, randomly modify memory belong to other subsystems, which is hard to track down. Signed-off-by: Jiang Liu Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings Cc: Jianguo Wu Signed-off-by: Greg Kroah-Hartman commit 11fc2ee51436c4bbcf9872ed3d31457490e071de Author: Jiang Liu Date: Fri Jun 7 00:07:24 2013 +0800 zram: destroy all devices on error recovery path in zram_init() commit 39a9b8ac9333e4268ecff7da6c9d1ab3823ff243 upstream. On error recovery path of zram_init(), it leaks the zram device object causing the failure. So change create_device() to free allocated resources on error path. Signed-off-by: Jiang Liu Acked-by: Minchan Kim Acked-by: Jerome Marchand Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Jianguo Wu Signed-off-by: Greg Kroah-Hartman commit 5e84bf6dcac8cdf4bbe10b238efe8bf3c85012dd Author: Jiang Liu Date: Fri Jun 7 00:07:22 2013 +0800 zram: avoid invalid memory access in zram_exit() commit 6030ea9b35971a4200062f010341ab832e878ac9 upstream. Memory for zram->disk object may have already been freed after returning from destroy_device(zram), then it's unsafe for zram_reset_device(zram) to access zram->disk again. We can't solve this bug by flipping the order of destroy_device(zram) and zram_reset_device(zram), that will cause deadlock issues to the zram sysfs handler. So fix it by holding an extra reference to zram->disk before calling destroy_device(zram). Signed-off-by: Jiang Liu Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Jianguo Wu Signed-off-by: Greg Kroah-Hartman commit 74eb879bd073a9a40b7f33ebc551b4510337b4e3 Author: Minchan Kim Date: Wed Jan 30 11:41:39 2013 +0900 zram: Fix deadlock bug in partial read/write commit 7e5a5104c6af709a8d97d5f4711e7c917761d464 upstream. Now zram allocates new page with GFP_KERNEL in zram I/O path if IO is partial. Unfortunately, It may cause deadlock with reclaim path like below. write_page from fs fs_lock allocation(GFP_KERNEL) reclaim pageout write_page from fs fs_lock <-- deadlock This patch fixes it by using GFP_NOIO. In read path, we reorganize code flow so that kmap_atomic is called after the GFP_NOIO allocation. Acked-by: Jerome Marchand Acked-by: Nitin Gupta [ penberg@kernel.org: don't use GFP_ATOMIC ] Signed-off-by: Pekka Enberg Signed-off-by: Minchan Kim Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: no reordering is needed in the read path] Signed-off-by: Ben Hutchings Cc: Jianguo Wu Signed-off-by: Greg Kroah-Hartman commit 87dba703d0d9eb4352506dbd8f8878e3e2ee92f0 Author: Joe Thornber Date: Wed Mar 20 17:21:24 2013 +0000 dm thin: fix discard corruption commit f046f89a99ccfd9408b94c653374ff3065c7edb3 upstream. Fix a bug in dm_btree_remove that could leave leaf values with incorrect reference counts. The effect of this was that removal of a shared block could result in the space maps thinking the block was no longer used. More concretely, if you have a thin device and a snapshot of it, sending a discard to a shared region of the thin could corrupt the snapshot. Thinp uses a 2-level nested btree to store it's mappings. This first level is indexed by thin device, and the second level by logical block. Often when we're removing an entry in this mapping tree we need to rebalance nodes, which can involve shadowing them, possibly creating a copy if the block is shared. If we do create a copy then children of that node need to have their reference counts incremented. In this way reference counts percolate down the tree as shared trees diverge. The rebalance functions were incrementing the children at the appropriate time, but they were always assuming the children were internal nodes. This meant the leaf values (in our case packed block/flags entries) were not being incremented. Signed-off-by: Joe Thornber Signed-off-by: Alasdair G Kergon [bwh: Backported to 3.2: bump target version numbers from 1.0.1 to 1.0.2] Signed-off-by: Ben Hutchings [xr: Backported to 3.4: bump target version numbers to 1.1.1] Signed-off-by: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 5e301eba0a521b3682aec467eb13a94dd6c4027a Author: Shiva Krishna Merla Date: Wed Oct 30 03:26:38 2013 +0000 dm mpath: fix race condition between multipath_dtr and pg_init_done commit 954a73d5d3073df2231820c718fdd2f18b0fe4c9 upstream. Whenever multipath_dtr() is happening we must prevent queueing any further path activation work. Implement this by adding a new 'pg_init_disabled' flag to the multipath structure that denotes future path activation work should be skipped if it is set. By disabling pg_init and then re-enabling in flush_multipath_work() we also avoid the potential for pg_init to be initiated while suspending an mpath device. Without this patch a race condition exists that may result in a kernel panic: 1) If after pg_init_done() decrements pg_init_in_progress to 0, a call to wait_for_pg_init_completion() assumes there are no more pending path management commands. 2) If pg_init_required is set by pg_init_done(), due to retryable mode_select errors, then process_queued_ios() will again queue the path activation work. 3) If free_multipath() completes before activate_path() work is called a NULL pointer dereference like the following can be seen when accessing members of the recently destructed multipath: BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 RIP: 0010:[] [] activate_path+0x1b/0x30 [dm_multipath] [] worker_thread+0x170/0x2a0 [] ? autoremove_wake_function+0x0/0x40 [switch to disabling pg_init in flush_multipath_work & header edits by Mike Snitzer] Signed-off-by: Shiva Krishna Merla Reviewed-by: Krishnasamy Somasundaram Tested-by: Speagle Andy Acked-by: Junichi Nomura Signed-off-by: Mike Snitzer [bwh: Backported to 3.2: - Adjust context - Bump version to 1.3.2 not 1.6.0] Signed-off-by: Ben Hutchings [xr: Backported to 3.4: Adjust context] Signed-off-by: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit d110fd5113953b6f539dee75dbabd9a86dce790f Author: Mikulas Patocka Date: Fri Nov 29 18:13:37 2013 -0500 dm snapshot: avoid snapshot space leak on crash commit 230c83afdd9cd384348475bea1e14b80b3b6b1b8 upstream. There is a possible leak of snapshot space in case of crash. The reason for space leaking is that chunks in the snapshot device are allocated sequentially, but they are finished (and stored in the metadata) out of order, depending on the order in which copying finished. For example, supposed that the metadata contains the following records SUPERBLOCK METADATA (blocks 0 ... 250) DATA 0 DATA 1 DATA 2 ... DATA 250 Now suppose that you allocate 10 new data blocks 251-260. Suppose that copying of these blocks finish out of order (block 260 finished first and the block 251 finished last). Now, the snapshot device looks like this: SUPERBLOCK METADATA (blocks 0 ... 250, 260, 259, 258, 257, 256) DATA 0 DATA 1 DATA 2 ... DATA 250 DATA 251 DATA 252 DATA 253 DATA 254 DATA 255 METADATA (blocks 255, 254, 253, 252, 251) DATA 256 DATA 257 DATA 258 DATA 259 DATA 260 Now, if the machine crashes after writing the first metadata block but before writing the second metadata block, the space for areas DATA 250-255 is leaked, it contains no valid data and it will never be used in the future. This patch makes dm-snapshot complete exceptions in the same order they were allocated, thus fixing this bug. Note: when backporting this patch to the stable kernel, change the version field in the following way: * if version in the stable kernel is {1, 11, 1}, change it to {1, 12, 0} * if version in the stable kernel is {1, 10, 0} or {1, 10, 1}, change it to {1, 10, 2} Userspace reads the version to determine if the bug was fixed, so the version change is needed. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer [xr: Backported to 3.4: adjust version] Signed-off-by: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 4834ca940bf17fd203487ad93b69276ebff49688 Author: Harshula Jayasuriya Date: Tue Jul 23 14:21:35 2013 +1000 nfsd: nfsd_open: when dentry_open returns an error do not propagate as struct file commit e4daf1ffbe6cc3b12aab4d604e627829e93e9914 upstream. The following call chain: ------------------------------------------------------------ nfs4_get_vfs_file - nfsd_open - dentry_open - do_dentry_open - __get_file_write_access - get_write_access - return atomic_inc_unless_negative(&inode->i_writecount) ? 0 : -ETXTBSY; ------------------------------------------------------------ can result in the following state: ------------------------------------------------------------ struct nfs4_file { ... fi_fds = {0xffff880c1fa65c80, 0xffffffffffffffe6, 0x0}, fi_access = {{ counter = 0x1 }, { counter = 0x0 }}, ... ------------------------------------------------------------ 1) First time around, in nfs4_get_vfs_file() fp->fi_fds[O_WRONLY] is NULL, hence nfsd_open() is called where we get status set to an error and fp->fi_fds[O_WRONLY] to -ETXTBSY. Thus we do not reach nfs4_file_get_access() and fi_access[O_WRONLY] is not incremented. 2) Second time around, in nfs4_get_vfs_file() fp->fi_fds[O_WRONLY] is NOT NULL (-ETXTBSY), so nfsd_open() is NOT called, but nfs4_file_get_access() IS called and fi_access[O_WRONLY] is incremented. Thus we leave a landmine in the form of the nfs4_file data structure in an incorrect state. 3) Eventually, when __nfs4_file_put_access() is called it finds fi_access[O_WRONLY] being non-zero, it decrements it and calls nfs4_file_put_fd() which tries to fput -ETXTBSY. ------------------------------------------------------------ ... [exception RIP: fput+0x9] RIP: ffffffff81177fa9 RSP: ffff88062e365c90 RFLAGS: 00010282 RAX: ffff880c2b3d99cc RBX: ffff880c2b3d9978 RCX: 0000000000000002 RDX: dead000000100101 RSI: 0000000000000001 RDI: ffffffffffffffe6 RBP: ffff88062e365c90 R8: ffff88041fe797d8 R9: ffff88062e365d58 R10: 0000000000000008 R11: 0000000000000000 R12: 0000000000000001 R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #9 [ffff88062e365c98] __nfs4_file_put_access at ffffffffa0562334 [nfsd] #10 [ffff88062e365cc8] nfs4_file_put_access at ffffffffa05623ab [nfsd] #11 [ffff88062e365ce8] free_generic_stateid at ffffffffa056634d [nfsd] #12 [ffff88062e365d18] release_open_stateid at ffffffffa0566e4b [nfsd] #13 [ffff88062e365d38] nfsd4_close at ffffffffa0567401 [nfsd] #14 [ffff88062e365d88] nfsd4_proc_compound at ffffffffa0557f28 [nfsd] #15 [ffff88062e365dd8] nfsd_dispatch at ffffffffa054543e [nfsd] #16 [ffff88062e365e18] svc_process_common at ffffffffa04ba5a4 [sunrpc] #17 [ffff88062e365e98] svc_process at ffffffffa04babe0 [sunrpc] #18 [ffff88062e365eb8] nfsd at ffffffffa0545b62 [nfsd] #19 [ffff88062e365ee8] kthread at ffffffff81090886 #20 [ffff88062e365f48] kernel_thread at ffffffff8100c14a ------------------------------------------------------------ Signed-off-by: Harshula Jayasuriya Signed-off-by: J. Bruce Fields [xr: Backported to 3.4: adjust context] Signed-off-by: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 352f526f91dca8673d9be1ba3166411fd8fea918 Author: NeilBrown Date: Thu Sep 27 12:35:21 2012 +1000 md/raid10: fix "enough" function for detecting if array is failed. commit 80b4812407c6b1f66a4f2430e69747a13f010839 upstream. The 'enough' function is written to work with 'near' arrays only in that is implicitly assumes that the offset from one 'group' of devices to the next is the same as the number of copies. In reality it is the number of 'near' copies. So change it to make this number explicit. This bug makes it possible to run arrays without enough drives present, which is dangerous. It is appropriate for an -stable kernel, but will almost certainly need to be modified for some of them. Reported-by: Jakub Husák Signed-off-by: NeilBrown [bwh: Backported to 3.2: s/geo->/conf->/] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit e4bf93019b63da30c8f9e9edb436862998865865 Author: Mikulas Patocka Date: Fri Mar 1 22:45:47 2013 +0000 dm snapshot: add missing module aliases commit 23cb21092eb9dcec9d3604b68d95192b79915890 upstream. Add module aliases so that autoloading works correctly if the user tries to activate "snapshot-origin" or "snapshot-merge" targets. Reference: https://bugzilla.redhat.com/889973 Reported-by: Chao Yang Signed-off-by: Mikulas Patocka Signed-off-by: Alasdair G Kergon Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit bed74df4fd8380c87adb576c121f40cb1037435b Author: Mikulas Patocka Date: Fri May 10 14:37:15 2013 +0100 dm bufio: avoid a possible __vmalloc deadlock commit 502624bdad3dba45dfaacaf36b7d83e39e74b2d2 upstream. This patch uses memalloc_noio_save to avoid a possible deadlock in dm-bufio. (it could happen only with large block size, at most PAGE_SIZE << MAX_ORDER (typically 8MiB). __vmalloc doesn't fully respect gfp flags. The specified gfp flags are used for allocation of requested pages, structures vmap_area, vmap_block and vm_struct and the radix tree nodes. However, the kernel pagetables are allocated always with GFP_KERNEL. Thus the allocation of pagetables can recurse back to the I/O layer and cause a deadlock. This patch uses the function memalloc_noio_save to set per-process PF_MEMALLOC_NOIO flag and the function memalloc_noio_restore to restore it. When this flag is set, all allocations in the process are done with implied GFP_NOIO flag, thus the deadlock can't happen. This should be backported to stable kernels, but they don't have the PF_MEMALLOC_NOIO flag and memalloc_noio_save/memalloc_noio_restore functions. So, PF_MEMALLOC should be set and restored instead. Signed-off-by: Mikulas Patocka Signed-off-by: Alasdair G Kergon [bwh: Backported to 3.2 as recommended] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit ba7959277325911b09944c5aedf3c4bf139be2f2 Author: Trond Myklebust Date: Wed Jan 30 13:04:10 2013 -0500 NFSv4.1: Handle NFS4ERR_DELAY when resetting the NFSv4.1 session commit c489ee290bdbbace6bb63ebe6ebd4dd605819495 upstream. NFS4ERR_DELAY is a legal reply when we call DESTROY_SESSION. It usually means that the server is busy handling an unfinished RPC request. Just sleep for a second and then retry. We also need to be able to handle the NFS4ERR_BACK_CHAN_BUSY return value. If the NFS server has outstanding callbacks, we just want to similarly sleep & retry. Signed-off-by: Trond Myklebust [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 0c5fa16a931d8c8297bff1da1cdb98a6fb8f3377 Author: Weston Andros Adamson Date: Fri Feb 15 16:03:46 2013 -0500 NFSv4.1: Don't decode skipped layoutgets commit 085b7a45c63d3da5be155faab9249a5cab224561 upstream. layoutget's prepare hook can call rpc_exit with status = NFS4_OK (0). Because of this, nfs4_proc_layoutget can't depend on a 0 status to mean that the RPC was successfully sent, received and parsed. To fix this, use the result's len member to see if parsing took place. This fixes the following OOPS -- calling xdr_init_decode() with a buffer length 0 doesn't set the stream's 'p' member and ends up using uninitialized memory in filelayout_decode_layout. BUG: unable to handle kernel paging request at 0000000000008050 IP: [] memcpy+0x18/0x120 PGD 0 Oops: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/irq CPU 1 Modules linked in: nfs_layout_nfsv41_files nfs lockd fscache auth_rpcgss nfs_acl autofs4 sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 dm_mirror dm_region_hash dm_log dm_mod ppdev parport_pc parport snd_ens1371 snd_rawmidi snd_ac97_codec ac97_bus snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc e1000 microcode vmware_balloon i2c_piix4 i2c_core sg shpchp ext4 mbcache jbd2 sr_mod cdrom sd_mod crc_t10dif pata_acpi ata_generic ata_piix mptspi mptscsih mptbase scsi_transport_spi [last unloaded: speedstep_lib] Pid: 1665, comm: flush-0:22 Not tainted 2.6.32-356-test-2 #2 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform RIP: 0010:[] [] memcpy+0x18/0x120 RSP: 0018:ffff88003dfab588 EFLAGS: 00010206 RAX: ffff88003dc42000 RBX: ffff88003dfab610 RCX: 0000000000000009 RDX: 000000003f807ff0 RSI: 0000000000008050 RDI: ffff88003dc42000 RBP: ffff88003dfab5b0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000080 R12: 0000000000000024 R13: ffff88003dc42000 R14: ffff88003f808030 R15: ffff88003dfab6a0 FS: 0000000000000000(0000) GS:ffff880003420000(0000) knlGS:0000000000000000 CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b CR2: 0000000000008050 CR3: 000000003bc92000 CR4: 00000000001407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process flush-0:22 (pid: 1665, threadinfo ffff88003dfaa000, task ffff880037f77540) Stack: ffffffffa0398ac1 ffff8800397c5940 ffff88003dfab610 ffff88003dfab6a0 ffff88003dfab5d0 ffff88003dfab680 ffffffffa01c150b ffffea0000d82e70 000000508116713b 0000000000000000 0000000000000000 0000000000000000 Call Trace: [] ? xdr_inline_decode+0xb1/0x120 [sunrpc] [] filelayout_decode_layout+0xeb/0x350 [nfs_layout_nfsv41_files] [] filelayout_alloc_lseg+0x8c/0x3c0 [nfs_layout_nfsv41_files] [] ? __wait_on_bit+0x7e/0x90 Signed-off-by: Weston Andros Adamson Signed-off-by: Trond Myklebust [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 079ee145e792069d09ebd0aaa4e6574cc35ca676 Author: Trond Myklebust Date: Wed Mar 20 12:34:32 2013 -0400 NFSv4.1: Fix a race in pNFS layoutcommit commit a073dbff359f4741013ae4b8395f5364c5e00b48 upstream. We need to clear the NFS_LSEG_LAYOUTCOMMIT bits atomically with the NFS_INO_LAYOUTCOMMIT bit, otherwise we may end up with situations where the two are out of sync. The first half of the problem is to ensure that pnfs_layoutcommit_inode clears the NFS_LSEG_LAYOUTCOMMIT bit through pnfs_list_write_lseg. We still need to keep the reference to those segments until the RPC call is finished, so in order to make it clear _where_ those references come from, we add a helper pnfs_list_write_lseg_done() that cleans up after pnfs_list_write_lseg. Signed-off-by: Trond Myklebust Acked-by: Benny Halevy [bwh: Backported to 3.2: s/pnfs_put_lseg/put_lseg/] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit f40661f4d28ae5060a88117f8a37e2d63e659b5f Author: Chuck Lever Date: Wed Jul 11 16:30:32 2012 -0400 NFS: nfs_getaclargs.acl_len is a size_t commit 56d08fef2369d5ca9ad2e1fc697f5379fd8af751 upstream. Squelch compiler warnings: fs/nfs/nfs4proc.c: In function ‘__nfs4_get_acl_uncached’: fs/nfs/nfs4proc.c:3811:14: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] fs/nfs/nfs4proc.c:3818:15: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] Introduced by commit bf118a34 "NFSv4: include bitmap in nfsv4 get acl data", Dec 7, 2011. Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 79854e6ee54195b89217e72fb0443c49e158c3bd Author: fanchaoting Date: Mon Apr 1 21:07:22 2013 +0800 nfsd: don't run get_file if nfs4_preprocess_stateid_op return error commit b022032e195ffca83d7002d6b84297d796ed443b upstream. we should return error status directly when nfs4_preprocess_stateid_op return error. Signed-off-by: fanchaoting Signed-off-by: J. Bruce Fields [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 42b607da2d04e91439ba58d263e90a70d0243388 Author: Dan Carpenter Date: Tue Jun 12 10:37:08 2012 +0300 NFSv4.1: integer overflow in decode_cb_sequence_args() commit 0439f31c35d1da0b28988b308ea455e38e6a350d upstream. This seems like it could overflow on 32 bits. Use kmalloc_array() which has overflow protection built in. Signed-off-by: Dan Carpenter Signed-off-by: Trond Myklebust Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit ca36e74e1b126d0e02987a23bbe0b59922f4c548 Author: J. Bruce Fields Date: Tue Nov 19 17:32:43 2013 -0500 nfsd4: fix xdr decoding of large non-write compounds commit 365da4adebb1c012febf81019ad3dc5bb52e2a13 upstream. This fixes a regression from 247500820ebd02ad87525db5d9b199e5b66f6636 "nfsd4: fix decoding of compounds across page boundaries". The previous code was correct: argp->pagelist is initialized in nfs4svc_deocde_compoundargs to rqstp->rq_arg.pages, and is therefore a pointer to the page *after* the page we are currently decoding. The reason that patch nevertheless fixed a problem with decoding compounds containing write was a bug in the write decoding introduced by 5a80a54d21c96590d013378d8c5f65f879451ab4 "nfsd4: reorganize write decoding", after which write decoding no longer adhered to the rule that argp->pagelist point to the next page. Signed-off-by: J. Bruce Fields [bwh: Backported to 3.2: adjust context; there is only one instance to fix] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit e9d735ee08140122dfab5752ab54ed506f2100dd Author: Andy Adamson Date: Fri Nov 15 16:36:16 2013 -0500 NFSv4 wait on recovery for async session errors commit 4a82fd7c4e78a1b7a224f9ae8bb7e1fd95f670e0 upstream. When the state manager is processing the NFS4CLNT_DELEGRETURN flag, session draining is off, but DELEGRETURN can still get a session error. The async handler calls nfs4_schedule_session_recovery returns -EAGAIN, and the DELEGRETURN done then restarts the RPC task in the prepare state. With the state manager still processing the NFS4CLNT_DELEGRETURN flag with session draining off, these DELEGRETURNs will cycle with errors filling up the session slots. This prevents OPEN reclaims (from nfs_delegation_claim_opens) required by the NFS4CLNT_DELEGRETURN state manager processing from completing, hanging the state manager in the __rpc_wait_for_completion_task in nfs4_run_open_task as seen in this kernel thread dump: kernel: 4.12.32.53-ma D 0000000000000000 0 3393 2 0x00000000 kernel: ffff88013995fb60 0000000000000046 ffff880138cc5400 ffff88013a9df140 kernel: ffff8800000265c0 ffffffff8116eef0 ffff88013fc10080 0000000300000001 kernel: ffff88013a4ad058 ffff88013995ffd8 000000000000fbc8 ffff88013a4ad058 kernel: Call Trace: kernel: [] ? cache_alloc_refill+0x1c0/0x240 kernel: [] ? rpc_wait_bit_killable+0x0/0xa0 [sunrpc] kernel: [] rpc_wait_bit_killable+0x42/0xa0 [sunrpc] kernel: [] __wait_on_bit+0x5f/0x90 kernel: [] ? rpc_wait_bit_killable+0x0/0xa0 [sunrpc] kernel: [] out_of_line_wait_on_bit+0x78/0x90 kernel: [] ? wake_bit_function+0x0/0x50 kernel: [] __rpc_wait_for_completion_task+0x2d/0x30 [sunrpc] kernel: [] nfs4_run_open_task+0x11c/0x160 [nfs] kernel: [] nfs4_open_recover_helper+0x87/0x120 [nfs] kernel: [] nfs4_open_recover+0xc6/0x150 [nfs] kernel: [] ? nfs4_open_recoverdata_alloc+0x2f/0x60 [nfs] kernel: [] nfs4_open_delegation_recall+0x6a/0xa0 [nfs] kernel: [] nfs_end_delegation_return+0x120/0x2e0 [nfs] kernel: [] ? queue_work+0x1f/0x30 kernel: [] nfs_client_return_marked_delegations+0xd7/0x110 [nfs] kernel: [] nfs4_run_state_manager+0x548/0x620 [nfs] kernel: [] ? nfs4_run_state_manager+0x0/0x620 [nfs] kernel: [] kthread+0x96/0xa0 kernel: [] child_rip+0xa/0x20 kernel: [] ? kthread+0x0/0xa0 kernel: [] ? child_rip+0x0/0x20 The state manager can not therefore process the DELEGRETURN session errors. Change the async handler to wait for recovery on session errors. Signed-off-by: Andy Adamson Signed-off-by: Trond Myklebust [bwh: Backported to 3.2: - Adjust context - There's no restart_call label] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 38feb080dcee05067222c77c32286710de2cba6d Author: Mateusz Guzik Date: Fri Mar 8 16:30:03 2013 +0100 cifs: delay super block destruction until all cifsFileInfo objects are gone commit 24261fc23db950951760d00c188ba63cc756b932 upstream. cifsFileInfo objects hold references to dentries and it is possible that these will still be around in workqueues when VFS decides to kill super block during unmount. This results in panics like this one: BUG: Dentry ffff88001f5e76c0{i=66b4a,n=1M-2} still in use (1) [unmount of cifs cifs] ------------[ cut here ]------------ kernel BUG at fs/dcache.c:943! [..] Process umount (pid: 1781, threadinfo ffff88003d6e8000, task ffff880035eeaec0) [..] Call Trace: [] shrink_dcache_for_umount+0x33/0x60 [] generic_shutdown_super+0x2c/0xe0 [] kill_anon_super+0x16/0x30 [] cifs_kill_sb+0x1a/0x30 [cifs] [] deactivate_locked_super+0x57/0x80 [] deactivate_super+0x4e/0x70 [] mntput_no_expire+0xd7/0x130 [] sys_umount+0x9c/0x3c0 [] system_call_fastpath+0x16/0x1b Fix this by making each cifsFileInfo object hold a reference to cifs super block, which implicitly keeps VFS super block around as well. Signed-off-by: Mateusz Guzik Reviewed-by: Jeff Layton Reported-and-Tested-by: Ben Greear Signed-off-by: Steve French [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings [xr: Backported to 3.4: adjust context] Signed-off-by: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 9b67aeff9256ad337e22b0f3b228b7ec01ff2a20 Author: Linus Torvalds Date: Sat Apr 28 14:55:17 2012 -0700 VFS: make vfs_fstat() use f[get|put]_light() commit e994defb7b6813ba6fa7a2a36e86d2455ad1dc35 upstream. Use the *_light() versions that properly avoid doing the file user count updates when they are unnecessary. Signed-off-by: Linus Torvalds [xr: Backported to 3.4: adjust function name] Signed-off-by: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 4652951d1202cef2798b1a0dfbf4122794594b41 Author: Steven Rostedt (Red Hat) Date: Thu Mar 14 14:20:54 2013 -0400 tracing: Keep overwrite in sync between regular and snapshot buffers commit 80902822658aab18330569587cdb69ac1dfdcea8 upstream. Changing the overwrite mode for the ring buffer via the trace option only sets the normal buffer. But the snapshot buffer could swap with it, and then the snapshot would be in non overwrite mode and the normal buffer would be in overwrite mode, even though the option flag states otherwise. Keep the two buffers overwrite modes in sync. Signed-off-by: Steven Rostedt Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 926685e95e4d6518110794b77676b3bb7f9c4be0 Author: Wei Yongjun Date: Fri Apr 12 11:05:54 2013 +0800 perf: Fix error return code commit c481420248c6730246d2a1b1773d5d7007ae0835 upstream. Fix to return -ENOMEM in the allocation error case instead of 0 (if pmu_bus_running == 1), as done elsewhere in this function. Signed-off-by: Wei Yongjun Cc: a.p.zijlstra@chello.nl Cc: paulus@samba.org Cc: acme@ghostprotocols.net Link: http://lkml.kernel.org/r/CAPgLHd8j_fWcgqe%3DKLWjpBj%2B%3Do0Pw6Z-SEq%3DNTPU08c2w1tngQ@mail.gmail.com [ Tweaked the error code setting placement and the changelog. ] Signed-off-by: Ingo Molnar Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit e5f1ec5d39f6d59bfe5c53f4b28a94e3a4245e02 Author: libin Date: Mon Apr 8 14:39:12 2013 +0800 sched/debug: Fix sd->*_idx limit range avoiding overflow commit fd9b86d37a600488dbd80fe60cca46b822bff1cd upstream. Commit 201c373e8e ("sched/debug: Limit sd->*_idx range on sysctl") was an incomplete bug fix. This patch fixes sd->*_idx limit range to [0 ~ CPU_LOAD_IDX_MAX-1] avoiding array overflow caused by setting sd->*_idx to CPU_LOAD_IDX_MAX on sysctl. Signed-off-by: Libin Cc: Cc: Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/51626610.2040607@huawei.com Signed-off-by: Ingo Molnar Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 4aff95ab8f985d14f585187b5f78c65a56dd716b Author: Namhyung Kim Date: Thu Aug 16 17:03:24 2012 +0900 sched/debug: Limit sd->*_idx range on sysctl commit 201c373e8e4823700d3160d5c28e1ab18fd1193e upstream. Various sd->*_idx's are used for refering the rq's load average table when selecting a cpu to run. However they can be set to any number with sysctl knobs so that it can crash the kernel if something bad is given. Fix it by limiting them into the actual range. Signed-off-by: Namhyung Kim Signed-off-by: Peter Zijlstra Link: http://lkml.kernel.org/r/1345104204-8317-1-git-send-email-namhyung@kernel.org Signed-off-by: Ingo Molnar Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 74d86ed74b4ddf37de24a9ad979a8aafd2d4c25f Author: Steven Rostedt (Red Hat) Date: Tue Jul 30 00:04:32 2013 -0400 ftrace: Check module functions being traced on reload commit 8c4f3c3fa9681dc549cd35419b259496082fef8b upstream. There's been a nasty bug that would show up and not give much info. The bug displayed the following warning: WARNING: at kernel/trace/ftrace.c:1529 __ftrace_hash_rec_update+0x1e3/0x230() Pid: 20903, comm: bash Tainted: G O 3.6.11+ #38405.trunk Call Trace: [] warn_slowpath_common+0x7f/0xc0 [] warn_slowpath_null+0x1a/0x20 [] __ftrace_hash_rec_update+0x1e3/0x230 [] ftrace_hash_move+0x28/0x1d0 [] ? kfree+0x2c/0x110 [] ftrace_regex_release+0x8e/0x150 [] __fput+0xae/0x220 [] ____fput+0xe/0x10 [] task_work_run+0x72/0x90 [] do_notify_resume+0x6c/0xc0 [] ? trace_hardirqs_on_thunk+0x3a/0x3c [] int_signal+0x12/0x17 ---[ end trace 793179526ee09b2c ]--- It was finally narrowed down to unloading a module that was being traced. It was actually more than that. When functions are being traced, there's a table of all functions that have a ref count of the number of active tracers attached to that function. When a function trace callback is registered to a function, the function's record ref count is incremented. When it is unregistered, the function's record ref count is decremented. If an inconsistency is detected (ref count goes below zero) the above warning is shown and the function tracing is permanently disabled until reboot. The ftrace callback ops holds a hash of functions that it filters on (and/or filters off). If the hash is empty, the default means to filter all functions (for the filter_hash) or to disable no functions (for the notrace_hash). When a module is unloaded, it frees the function records that represent the module functions. These records exist on their own pages, that is function records for one module will not exist on the same page as function records for other modules or even the core kernel. Now when a module unloads, the records that represents its functions are freed. When the module is loaded again, the records are recreated with a default ref count of zero (unless there's a callback that traces all functions, then they will also be traced, and the ref count will be incremented). The problem is that if an ftrace callback hash includes functions of the module being unloaded, those hash entries will not be removed. If the module is reloaded in the same location, the hash entries still point to the functions of the module but the module's ref counts do not reflect that. With the help of Steve and Joern, we found a reproducer: Using uinput module and uinput_release function. cd /sys/kernel/debug/tracing modprobe uinput echo uinput_release > set_ftrace_filter echo function > current_tracer rmmod uinput modprobe uinput # check /proc/modules to see if loaded in same addr, otherwise try again echo nop > current_tracer [BOOM] The above loads the uinput module, which creates a table of functions that can be traced within the module. We add uinput_release to the filter_hash to trace just that function. Enable function tracincg, which increments the ref count of the record associated to uinput_release. Remove uinput, which frees the records including the one that represents uinput_release. Load the uinput module again (and make sure it's at the same address). This recreates the function records all with a ref count of zero, including uinput_release. Disable function tracing, which will decrement the ref count for uinput_release which is now zero because of the module removal and reload, and we have a mismatch (below zero ref count). The solution is to check all currently tracing ftrace callbacks to see if any are tracing any of the module's functions when a module is loaded (it already does that with callbacks that trace all functions). If a callback happens to have a module function being traced, it increments that records ref count and starts tracing that function. There may be a strange side effect with this, where tracing module functions on unload and then reloading a new module may have that new module's functions being traced. This may be something that confuses the user, but it's not a big deal. Another approach is to disable all callback hashes on module unload, but this leaves some ftrace callbacks that may not be registered, but can still have hashes tracing the module's function where ftrace doesn't know about it. That situation can cause the same bug. This solution solves that case too. Another benefit of this solution, is it is possible to trace a module's function on unload and load. Link: http://lkml.kernel.org/r/20130705142629.GA325@redhat.com Reported-by: Jörn Engel Reported-by: Dave Jones Reported-by: Steve Hodgson Tested-by: Steve Hodgson Signed-off-by: Steven Rostedt Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 1fbbea7be9248d652fc2bb191e6ec9e823df422c Author: Peter Zijlstra Date: Mon Oct 28 13:55:29 2013 +0100 perf: Fix perf ring buffer memory ordering commit bf378d341e4873ed928dc3c636252e6895a21f50 upstream. The PPC64 people noticed a missing memory barrier and crufty old comments in the perf ring buffer code. So update all the comments and add the missing barrier. When the architecture implements local_t using atomic_long_t there will be double barriers issued; but short of introducing more conditional barrier primitives this is the best we can do. Reported-by: Victor Kaplansky Tested-by: Victor Kaplansky Signed-off-by: Peter Zijlstra Cc: Mathieu Desnoyers Cc: michael@ellerman.id.au Cc: Paul McKenney Cc: Michael Neuling Cc: Frederic Weisbecker Cc: anton@samba.org Cc: benh@kernel.crashing.org Link: http://lkml.kernel.org/r/20131025173749.GG19466@laptop.lan Signed-off-by: Ingo Molnar [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 76504c2489ad9e9bdc20fc8e24d23ac5e39b88b6 Author: Justin Lecher Date: Mon Jul 30 14:42:53 2012 -0700 fs: cachefiles: add support for large files in filesystem caching commit 98c350cda2c14a343d34ea01a3d9c24fea5ec66d upstream. Support the caching of large files. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=31182 Signed-off-by: Justin Lecher Signed-off-by: Suresh Jayaraman Tested-by: Suresh Jayaraman Acked-by: David Howells Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: - Adjust context - dentry_open() takes dentry and vfsmount pointers, not a path pointer] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 2e4191b3109e2399bda9192313cc1fb2a95681a6 Author: Geyslan G. Bem Date: Fri Oct 11 16:49:16 2013 -0300 ecryptfs: Fix memory leakage in keystore.c commit 3edc8376c06133e3386265a824869cad03a4efd4 upstream. In 'decrypt_pki_encrypted_session_key' function: Initializes 'payload' pointer and releases it on exit. Signed-off-by: Geyslan G. Bem Signed-off-by: Tyler Hicks [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 47532a2912f1840809a23b733d2a5bdf09a906ee Author: Pavel Shilovsky Date: Wed Aug 29 21:13:38 2012 +0400 CIFS: Fix error handling in cifs_push_mandatory_locks commit e2f2886a824ff0a56da1eaa13019fde86aa89fa6 upstream. Signed-off-by: Pavel Shilovsky Signed-off-by: Steve French [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit afaf7f61a5fbb5e6e7d264519806453e805ebf40 Author: Steve French Date: Fri Nov 15 20:41:32 2013 -0600 setfacl removes part of ACL when setting POSIX ACLs to Samba commit b1d93356427be6f050dc55c86eb019d173700af6 upstream. setfacl over cifs mounts can remove the default ACL when setting the (non-default part of) the ACL and vice versa (we were leaving at 0 rather than setting to -1 the count field for the unaffected half of the ACL. For example notice the setfacl removed the default ACL in this sequence: steven@steven-GA-970A-DS3:~/cifs-2.6$ getfacl /mnt/test-dir ; setfacl -m default:user:test:rwx,user:test:rwx /mnt/test-dir getfacl: Removing leading '/' from absolute path names user::rwx group::r-x other::r-x default:user::rwx default:user:test:rwx default:group::r-x default:mask::rwx default:other::r-x steven@steven-GA-970A-DS3:~/cifs-2.6$ getfacl /mnt/test-dir getfacl: Removing leading '/' from absolute path names user::rwx user:test:rwx group::r-x mask::rwx other::r-x Signed-off-by: Steve French Acked-by: Jeremy Allison [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Cc: Rui Xiang Signed-off-by: Greg Kroah-Hartman commit 0c5e98d553d9cf7a76a5e9e390a568ac9cdd1aac Author: Horia Geanta Date: Fri Apr 18 13:01:42 2014 +0300 crypto: caam - add allocation failure handling in SPRINTFCAT macro commit 27c5fb7a84242b66bf1e0b2fe6bf40d19bcc5c04 upstream. GFP_ATOMIC memory allocation could fail. In this case, avoid NULL pointer dereference and notify user. Cc: Kim Phillips Signed-off-by: Horia Geanta Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 7ad8d3dbd9f2f203e14c265e73e82f1fd8d4758e Author: Du, Wenkai Date: Thu Apr 10 23:03:19 2014 +0000 i2c: designware: Mask all interrupts during i2c controller enable commit 47bb27e78867997040a228328f2a631c3c7f2c82 upstream. There have been "i2c_designware 80860F41:00: controller timed out" errors on a number of Baytrail platforms. The issue is caused by incorrect value in Interrupt Mask Register (DW_IC_INTR_MASK) when i2c core is being enabled. This causes call to __i2c_dw_enable() to immediately start the transfer which leads to timeout. There are 3 failure modes observed: 1. Failure in S0 to S3 resume path The default value after reset for DW_IC_INTR_MASK is 0x8ff. When we start the first transaction after resuming from system sleep, TX_EMPTY interrupt is already unmasked because of the hardware default. 2. Failure in normal operational path This failure happens rarely and is hard to reproduce. Debug trace showed that DW_IC_INTR_MASK had value of 0x254 when failure occurred, which meant TX_EMPTY was unmasked. 3. Failure in S3 to S0 suspend path This failure also happens rarely and is hard to reproduce. Adding debug trace that read DW_IC_INTR_MASK made this failure not reproducible. But from ISR call trace we could conclude TX_EMPTY was unmasked when problem occurred. The patch masks all interrupts before the controller is enabled to resolve the faulty DW_IC_INTR_MASK conditions. Signed-off-by: Wenkai Du Acked-by: Mika Westerberg [wsa: improved the comment and removed typo in commit msg] Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit bb09378539c61d236a373c1765f968a155a291cd Author: Hans de Goede Date: Mon May 5 11:38:09 2014 +0200 ACPI / blacklist: Add dmi_enable_osi_linux quirk for Asus EEE PC 1015PX commit f6e6e1b9fee88c90586787b71dc49bb3ce62bb89 upstream. Without this this EEE PC exports a non working WMI interface, with this it exports a working "good old" eeepc_laptop interface, fixing brightness control not working as well as rfkill being stuck in a permanent wireless blocked state. This is not an ideal way to fix this, but various attempts to fix this otherwise have failed, see: References: https://bugzilla.redhat.com/show_bug.cgi?id=1067181 Reported-and-tested-by: lou.cardone@gmail.com Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit e5cc5b9c0f4acab5757785706528010288b52c2c Author: Marcel Apfelbaum Date: Thu May 15 12:42:49 2014 -0600 PCI: shpchp: Check bridge's secondary (not primary) bus speed commit 93fa9d32670f5592c8e56abc9928fc194e1e72fc upstream. When a new device is added below a hotplug bridge, the bridge's secondary bus speed and the device's bus speed must match. The shpchp driver previously checked the bridge's *primary* bus speed, not the secondary bus speed. This caused hot-add errors like: shpchp 0000:00:03.0: Speed of bus ff and adapter 0 mismatch Check the secondary bus speed instead. [bhelgaas: changelog] Link: https://bugzilla.kernel.org/show_bug.cgi?id=75251 Fixes: 3749c51ac6c1 ("PCI: Make current and maximum bus speeds part of the PCI core") Signed-off-by: Marcel Apfelbaum Signed-off-by: Bjorn Helgaas Acked-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit 215990aad3c4f5312970ae2da206bcfff3ce720e Author: Linus Torvalds Date: Wed May 14 16:33:54 2014 -0700 x86-64, modify_ldt: Make support for 16-bit segments a runtime option commit fa81511bb0bbb2b1aace3695ce869da9762624ff upstream. Checkin: b3b42ac2cbae x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels disabled 16-bit segments on 64-bit kernels due to an information leak. However, it does seem that people are genuinely using Wine to run old 16-bit Windows programs on Linux. A proper fix for this ("espfix64") is coming in the upcoming merge window, but as a temporary fix, create a sysctl to allow the administrator to re-enable support for 16-bit segments. It adds a "/proc/sys/abi/ldt16" sysctl that defaults to zero (off). If you hit this issue and care about your old Windows program more than you care about a kernel stack address information leak, you can do echo 1 > /proc/sys/abi/ldt16 as root (add it to your startup scripts), and you should be ok. The sysctl table is only added if you have COMPAT support enabled on x86-64, but I assume anybody who runs old windows binaries very much does that ;) Signed-off-by: H. Peter Anvin Link: http://lkml.kernel.org/r/CA%2B55aFw9BPoD10U1LfHbOMpHWZkvJTkMcfCs9s3urPr1YyWBxw@mail.gmail.com Signed-off-by: Greg Kroah-Hartman commit 18390a2aba619ceb5cb38489c80cf438327ab11e Author: Charles Keepax Date: Tue May 13 13:45:15 2014 +0100 ASoC: wm8962: Update register CLASS_D_CONTROL_1 to be non-volatile commit 44330ab516c15dda8a1e660eeaf0003f84e43e3f upstream. The register CLASS_D_CONTROL_1 is marked as volatile because it contains a bit, DAC_MUTE, which is also mirrored in the ADC_DAC_CONTROL_1 register. This causes problems for the "Speaker Switch" control, which will report an error if the CODEC is suspended because it relies on a volatile register. To resolve this issue mark CLASS_D_CONTROL_1 as non-volatile and manually keep the register cache in sync by updating both bits when changing the mute status. Reported-by: Shawn Guo Signed-off-by: Charles Keepax Tested-by: Shawn Guo Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 6baddd03b577bfdbf103570c0b3257679c99e267 Author: Jianyu Zhan Date: Mon Apr 14 13:47:40 2014 +0800 percpu: make pcpu_alloc_chunk() use pcpu_mem_free() instead of kfree() commit 5a838c3b60e3a36ade764cf7751b8f17d7c9c2da upstream. pcpu_chunk_struct_size = sizeof(struct pcpu_chunk) + BITS_TO_LONGS(pcpu_unit_pages) * sizeof(unsigned long) It hardly could be ever bigger than PAGE_SIZE even for large-scale machine, but for consistency with its couterpart pcpu_mem_zalloc(), use pcpu_mem_free() instead. Commit b4916cb17c26 ("percpu: make pcpu_free_chunk() use pcpu_mem_free() instead of kfree()") addressed this problem, but missed this one. tj: commit message updated Signed-off-by: Jianyu Zhan Signed-off-by: Tejun Heo Fixes: 099a19d91ca4 ("percpu: allow limited allocation before slab is online) Signed-off-by: Greg Kroah-Hartman commit a18e4c1145390fbedb21fd805dd1f155172d628a Author: J. Bruce Fields Date: Tue May 20 15:55:21 2014 -0400 nfsd4: remove lockowner when removing lock stateid commit a1b8ff4c97b4375d21b6d6c45d75877303f61b3b upstream. The nfsv4 state code has always assumed a one-to-one correspondance between lock stateid's and lockowners even if it appears not to in some places. We may actually change that, but for now when FREE_STATEID releases a lock stateid it also needs to release the parent lockowner. Symptoms were a subsequent LOCK crashing in find_lockowner_str when it calls same_lockowner_ino on a lockowner that unexpectedly has an empty so_stateids list. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit d9eea1ccc7008c95043ad4076e50edeb37f1e865 Author: J. Bruce Fields Date: Thu May 8 11:19:41 2014 -0400 nfsd4: warn on finding lockowner without stateid's commit 27b11428b7de097c42f205beabb1764f4365443b upstream. The current code assumes a one-to-one lockowner<->lock stateid correspondance. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 6ba3ac4483f506394dd096eb7d06b4b10ce061c2 Author: Kinglong Mee Date: Fri Apr 18 20:49:04 2014 +0800 NFSD: Call ->set_acl with a NULL ACL structure if no entries commit aa07c713ecfc0522916f3cd57ac628ea6127c0ec upstream. After setting ACL for directory, I got two problems that caused by the cached zero-length default posix acl. This patch make sure nfsd4_set_nfs4_acl calls ->set_acl with a NULL ACL structure if there are no entries. Thanks for Christoph Hellwig's advice. First problem: ............ hang ........... Second problem: [ 1610.167668] ------------[ cut here ]------------ [ 1610.168320] kernel BUG at /root/nfs/linux/fs/nfsd/nfs4acl.c:239! [ 1610.168320] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC [ 1610.168320] Modules linked in: nfsv4(OE) nfs(OE) nfsd(OE) rpcsec_gss_krb5 fscache ip6t_rpfilter ip6t_REJECT cfg80211 xt_conntrack rfkill ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw auth_rpcgss nfs_acl snd_intel8x0 ppdev lockd snd_ac97_codec ac97_bus snd_pcm snd_timer e1000 pcspkr parport_pc snd parport serio_raw joydev i2c_piix4 sunrpc(OE) microcode soundcore i2c_core ata_generic pata_acpi [last unloaded: nfsd] [ 1610.168320] CPU: 0 PID: 27397 Comm: nfsd Tainted: G OE 3.15.0-rc1+ #15 [ 1610.168320] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [ 1610.168320] task: ffff88005ab653d0 ti: ffff88005a944000 task.ti: ffff88005a944000 [ 1610.168320] RIP: 0010:[] [] _posix_to_nfsv4_one+0x3cd/0x3d0 [nfsd] [ 1610.168320] RSP: 0018:ffff88005a945b00 EFLAGS: 00010293 [ 1610.168320] RAX: 0000000000000001 RBX: ffff88006700bac0 RCX: 0000000000000000 [ 1610.168320] RDX: 0000000000000000 RSI: ffff880067c83f00 RDI: ffff880068233300 [ 1610.168320] RBP: ffff88005a945b48 R08: ffffffff81c64830 R09: 0000000000000000 [ 1610.168320] R10: ffff88004ea85be0 R11: 000000000000f475 R12: ffff880068233300 [ 1610.168320] R13: 0000000000000003 R14: 0000000000000002 R15: ffff880068233300 [ 1610.168320] FS: 0000000000000000(0000) GS:ffff880077800000(0000) knlGS:0000000000000000 [ 1610.168320] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 1610.168320] CR2: 00007f5bcbd3b0b9 CR3: 0000000001c0f000 CR4: 00000000000006f0 [ 1610.168320] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1610.168320] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 1610.168320] Stack: [ 1610.168320] ffffffff00000000 0000000b67c83500 000000076700bac0 0000000000000000 [ 1610.168320] ffff88006700bac0 ffff880068233300 ffff88005a945c08 0000000000000002 [ 1610.168320] 0000000000000000 ffff88005a945b88 ffffffffa034e2d5 000000065a945b68 [ 1610.168320] Call Trace: [ 1610.168320] [] nfsd4_get_nfs4_acl+0x95/0x150 [nfsd] [ 1610.168320] [] nfsd4_encode_fattr+0x646/0x1e70 [nfsd] [ 1610.168320] [] ? kmemleak_alloc+0x4e/0xb0 [ 1610.168320] [] ? nfsd_setuser_and_check_port+0x52/0x80 [nfsd] [ 1610.168320] [] ? selinux_cred_prepare+0x1b/0x30 [ 1610.168320] [] nfsd4_encode_getattr+0x5a/0x60 [nfsd] [ 1610.168320] [] nfsd4_encode_operation+0x67/0x110 [nfsd] [ 1610.168320] [] nfsd4_proc_compound+0x21d/0x810 [nfsd] [ 1610.168320] [] nfsd_dispatch+0xbb/0x200 [nfsd] [ 1610.168320] [] svc_process_common+0x46d/0x6d0 [sunrpc] [ 1610.168320] [] svc_process+0x103/0x170 [sunrpc] [ 1610.168320] [] nfsd+0xbf/0x130 [nfsd] [ 1610.168320] [] ? nfsd_destroy+0x80/0x80 [nfsd] [ 1610.168320] [] kthread+0xd2/0xf0 [ 1610.168320] [] ? insert_kthread_work+0x40/0x40 [ 1610.168320] [] ret_from_fork+0x7c/0xb0 [ 1610.168320] [] ? insert_kthread_work+0x40/0x40 [ 1610.168320] Code: 78 02 e9 e7 fc ff ff 31 c0 31 d2 31 c9 66 89 45 ce 41 8b 04 24 66 89 55 d0 66 89 4d d2 48 8d 04 80 49 8d 5c 84 04 e9 37 fd ff ff <0f> 0b 90 0f 1f 44 00 00 55 8b 56 08 c7 07 00 00 00 00 8b 46 0c [ 1610.168320] RIP [] _posix_to_nfsv4_one+0x3cd/0x3d0 [nfsd] [ 1610.168320] RSP [ 1610.257313] ---[ end trace 838254e3e352285b ]--- Signed-off-by: Kinglong Mee Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit efb36edc5e9dcc4c93b83c85aa504aa4d300c401 Author: Romain Izard Date: Tue Mar 4 10:09:39 2014 +0100 trace: module: Maintain a valid user count commit 098507ae3ec2331476fb52e85d4040c1cc6d0ef4 upstream. The replacement of the 'count' variable by two variables 'incs' and 'decs' to resolve some race conditions during module unloading was done in parallel with some cleanup in the trace subsystem, and was integrated as a merge. Unfortunately, the formula for this replacement was wrong in the tracing code, and the refcount in the traces was not usable as a result. Use 'count = incs - decs' to compute the user count. Link: http://lkml.kernel.org/p/1393924179-9147-1-git-send-email-romain.izard.pro@gmail.com Acked-by: Ingo Molnar Cc: Rusty Russell Cc: Frederic Weisbecker Fixes: c1ab9cab7509 "merge conflict resolution" Signed-off-by: Romain Izard Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit d1a999df834a81d751be87dd62b88f2f99bc650a Author: Salva Peiró Date: Wed Apr 30 19:48:02 2014 +0200 media: media-device: fix infoleak in ioctl media_enum_entities() commit e6a623460e5fc960ac3ee9f946d3106233fd28d8 upstream. This fixes CVE-2014-1739. Signed-off-by: Salva Peiró Acked-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 2e6c336b4ee4b512d1536c0a6d16e8dda2e703da Author: Tim Chen Date: Mon Mar 17 16:52:26 2014 -0700 crypto: crypto_wq - Fix late crypto work queue initialization commit 130fa5bc81b44b6cc1fbdea3abf6db0da22964e0 upstream. The crypto algorithm modules utilizing the crypto daemon could be used early when the system start up. Using module_init does not guarantee that the daemon's work queue is initialized when the cypto alorithm depending on crypto_wq starts. It is necessary to initialize the crypto work queue earlier at the subsystem init time to make sure that it is initialized when used. Signed-off-by: Tim Chen Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 3cf2aab961c888ef1add8fbdbb206e2403f0f243 Author: Geert Uytterhoeven Date: Mon Apr 14 18:52:14 2014 +0200 Documentation: Update stable address in Chinese and Japanese translations commit 98b0f811aade1b7c6e7806c86aa0befd5919d65f upstream. The English and Korean translations were updated, the Chinese and Japanese weren't. Signed-off-by: Geert Uytterhoeven Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 36f26e715d5af2ded7ea0faf970d4e6f84788b5b Author: Ilia Mirkin Date: Wed Mar 26 19:37:21 2014 -0400 drm/nouveau/acpi: allow non-optimus setups to load vbios from acpi commit a3d0b1218d351c6e6f3cea36abe22236a08cb246 upstream. There appear to be a crop of new hardware where the vbios is not available from PROM/PRAMIN, but there is a valid _ROM method in ACPI. The data read from PCIROM almost invariably contains invalid instructions (still has the x86 opcodes), which makes this a low-risk way to try to obtain a valid vbios image. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=76475 Signed-off-by: Ilia Mirkin Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit 576d1afddd63a92a99f8a08adc28ce3fd9bb7c9d Author: Ben Hutchings Date: Sat Apr 26 21:59:04 2014 +0100 rtl8192cu: Fix unbalanced irq enable in error path of rtl92cu_hw_init() commit 3234f5b06fc3094176a86772cc64baf3decc98fc upstream. Fixes: a53268be0cb9 ('rtlwifi: rtl8192cu: Fix too long disable of IRQs') Signed-off-by: Ben Hutchings Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 3b2437c2a0316013a52cfa55c0486aafe5b94f77 Author: Liu Hua Date: Thu Mar 27 06:56:18 2014 +0100 ARM: 8012/1: kdump: Avoid overflow when converting pfn to physaddr commit 8fad87bca7ac9737e413ba5f1656f1114a8c314d upstream. When we configure CONFIG_ARM_LPAE=y, pfn << PAGE_SHIFT will overflow if pfn >= 0x100000 in copy_oldmem_page. So use __pfn_to_phys for converting. Signed-off-by: Liu Hua Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit fa9869e6b2c03052c024e97a71871841516a2497 Author: Christoph Hellwig Date: Sun May 4 13:03:32 2014 +0200 posix_acl: handle NULL ACL in posix_acl_equiv_mode commit 50c6e282bdf5e8dabf8d7cf7b162545a55645fd9 upstream. Various filesystems don't bother checking for a NULL ACL in posix_acl_equiv_mode, and thus can dereference a NULL pointer when it gets passed one. This usually happens from the NFS server, as the ACL tools never pass a NULL ACL, but instead of one representing the mode bits. Instead of adding boilerplat to all filesystems put this check into one place, which will allow us to remove the check from other filesystems as well later on. Signed-off-by: Christoph Hellwig Reported-by: Ben Greear Reported-by: Marco Munderloh , Cc: Chuck Lever Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 60d3d144fc5e5dfb786e6699231d6a6bfacc065c Author: Stanislaw Gruszka Date: Thu Apr 17 11:08:47 2014 +0200 rt2x00: fix beaconing on USB commit 8834d3608cc516f13e2e510f4057c263f3d2ce42 upstream. When disable beaconing we clear register with beacon and newer set it back, what make we stop send beacons infinitely. Signed-off-by: Stanislaw Gruszka Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 9fb8be4c5b6a35612cc7c6b8a89d8edab543cc79 Author: Daniele Forsi Date: Mon Apr 28 17:09:11 2014 +0200 USB: Nokia 5300 should be treated as unusual dev commit 6ed07d45d09bc2aa60e27b845543db9972e22a38 upstream. Signed-off-by: Daniele Forsi Signed-off-by: Greg Kroah-Hartman commit ae5b7325ee162291119a8d85b0d16c6467562f94 Author: Victor A. Santos Date: Sat Apr 26 23:20:14 2014 -0300 USB: Nokia 305 should be treated as unusual dev commit f0ef5d41792a46a1085dead9dfb0bdb2c574638e upstream. Signed-off-by: Victor A. Santos Signed-off-by: Greg Kroah-Hartman commit 201b8e0b566f66dee8a1ae3914fdc11af3888ff1 Author: Daniele Forsi Date: Tue Apr 29 11:44:03 2014 +0200 usb: storage: shuttle_usbat: fix discs being detected twice commit df602c2d2358f02c6e49cffc5b49b9daa16db033 upstream. Even if the USB-to-ATAPI converter supported multiple LUNs, this driver would always detect the same physical device or media because it doesn't use srb->device->lun in any way. Tested with an Hewlett-Packard CD-Writer Plus 8200e. Signed-off-by: Daniele Forsi Signed-off-by: Greg Kroah-Hartman commit e50ded310417919655baba7b2eb3081dfc3df4cb Author: Jean-Jacques Hiblot Date: Wed Mar 12 17:30:08 2014 +0100 usb: gadget: at91-udc: fix irq and iomem resource retrieval commit 886c7c426d465732ec9d1b2bbdda5642fc2e7e05 upstream. When using dt resources retrieval (interrupts and reg properties) there is no predefined order for these resources in the platform dev resource table. Also don't expect the number of resource to be always 2. Signed-off-by: Jean-Jacques Hiblot Acked-by: Boris BREZILLON Acked-by: Nicolas Ferre Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit a0eaa5aa5fa2075c82a657904bdce01a816857e3 Author: Alex Deucher Date: Tue Apr 15 12:44:34 2014 -0400 drm/radeon: fix ATPX detection on non-VGA GPUs commit e9a4099a59cc598a44006059dd775c25e422b772 upstream. Some newer PX laptops have the pci device class set to DISPLAY_OTHER rather than DISPLAY_VGA. This properly detects ATPX on those laptops. Based on a patch from: Pali Rohár Signed-off-by: Alex Deucher Cc: airlied@gmail.com Signed-off-by: Greg Kroah-Hartman commit 546c518fb111a753a00f55af9052ea275ab69f12 Author: NeilBrown Date: Tue May 6 09:36:08 2014 +1000 md: avoid possible spinning md thread at shutdown. commit 0f62fb220aa4ebabe8547d3a9ce4a16d3c045f21 upstream. If an md array with externally managed metadata (e.g. DDF or IMSM) is in use, then we should not set safemode==2 at shutdown because: 1/ this is ineffective: user-space need to be involved in any 'safemode' handling, 2/ The safemode management code doesn't cope with safemode==2 on external metadata and md_check_recover enters an infinite loop. Even at shutdown, an infinite-looping process can be problematic, so this could cause shutdown to hang. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 11f87a6a6049455cd0d1e6db13c0b984a888a4b4 Author: Viresh Kumar Date: Mon May 12 13:42:29 2014 +0530 hrtimer: Set expiry time before switch_hrtimer_base() commit 84ea7fe37908254c3bd90910921f6e1045c1747a upstream. switch_hrtimer_base() calls hrtimer_check_target() which ensures that we do not migrate a timer to a remote cpu if the timer expires before the current programmed expiry time on that remote cpu. But __hrtimer_start_range_ns() calls switch_hrtimer_base() before the new expiry time is set. So the sanity check in hrtimer_check_target() is operating on stale or even uninitialized data. Update expiry time before calling switch_hrtimer_base(). [ tglx: Rewrote changelog once again ] Signed-off-by: Viresh Kumar Cc: linaro-kernel@lists.linaro.org Cc: linaro-networking@linaro.org Cc: fweisbec@gmail.com Cc: arvind.chauhan@arm.com Link: http://lkml.kernel.org/r/81999e148745fc51bbcd0615823fbab9b2e87e23.1399882253.git.viresh.kumar@linaro.org Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit a91ccfcaaaa358eba4579965d9a85dbb756c2596 Author: Leon Ma Date: Wed Apr 30 16:43:10 2014 +0800 hrtimer: Prevent remote enqueue of leftmost timers commit 012a45e3f4af68e86d85cce060c6c2fed56498b2 upstream. If a cpu is idle and starts an hrtimer which is not pinned on that same cpu, the nohz code might target the timer to a different cpu. In the case that we switch the cpu base of the timer we already have a sanity check in place, which determines whether the timer is earlier than the current leftmost timer on the target cpu. In that case we enqueue the timer on the current cpu because we cannot reprogram the clock event device on the target. If the timers base is already the target CPU we do not have this sanity check in place so we enqueue the timer as the leftmost timer in the target cpus rb tree, but we cannot reprogram the clock event device on the target cpu. So the timer expires late and subsequently prevents the reprogramming of the target cpu clock event device until the previously programmed event fires or a timer with an earlier expiry time gets enqueued on the target cpu itself. Add the same target check as we have for the switch base case and start the timer on the current cpu if it would become the leftmost timer on the target. [ tglx: Rewrote subject and changelog ] Signed-off-by: Leon Ma Link: http://lkml.kernel.org/r/1398847391-5994-1-git-send-email-xindong.ma@intel.com Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 3d8b2f5e4007d4b28ac760e1aa72e91f4021ea90 Author: Stuart Hayes Date: Tue Apr 29 17:55:02 2014 -0500 hrtimer: Prevent all reprogramming if hang detected commit 6c6c0d5a1c949d2e084706f9e5fb1fccc175b265 upstream. If the last hrtimer interrupt detected a hang it sets hang_detected=1 and programs the clock event device with a delay to let the system make progress. If hang_detected == 1, we prevent reprogramming of the clock event device in hrtimer_reprogram() but not in hrtimer_force_reprogram(). This can lead to the following situation: hrtimer_interrupt() hang_detected = 1; program ce device to Xms from now (hang delay) We have two timers pending: T1 expires 50ms from now T2 expires 5s from now Now T1 gets canceled, which causes hrtimer_force_reprogram() to be invoked, which in turn programs the clock event device to T2 (5 seconds from now). Any hrtimer_start after that will not reprogram the hardware due to hang_detected still being set. So we effectivly block all timers until the T2 event fires and cleans up the hang situation. Add a check for hang_detected to hrtimer_force_reprogram() which prevents the reprogramming of the hang delay in the hardware timer. The subsequent hrtimer_interrupt will resolve all outstanding issues. [ tglx: Rewrote subject and changelog and fixed up the comment in hrtimer_force_reprogram() ] Signed-off-by: Stuart Hayes Link: http://lkml.kernel.org/r/53602DC6.2060101@gmail.com Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 9dbdf25ec58ee67beee56e9bcc2f193ee29cc7b3 Author: Grant Likely Date: Tue Apr 29 12:05:22 2014 +0100 drivercore: deferral race condition fix commit 58b116bce13612e5aa6fcd49ecbd4cf8bb59e835 upstream. When the kernel is built with CONFIG_PREEMPT it is possible to reach a state when all modules loaded but some driver still stuck in the deferred list and there is a need for external event to kick the deferred queue to probe these drivers. The issue has been observed on embedded systems with CONFIG_PREEMPT enabled, audio support built as modules and using nfsroot for root filesystem. The following log fragment shows such sequence when all audio modules were loaded but the sound card is not present since the machine driver has failed to probe due to missing dependency during it's probe. The board is am335x-evmsk (McASP<->tlv320aic3106 codec) with davinci-evm machine driver: ... [ 12.615118] davinci-mcasp 4803c000.mcasp: davinci_mcasp_probe: ENTER [ 12.719969] davinci_evm sound.3: davinci_evm_probe: ENTER [ 12.725753] davinci_evm sound.3: davinci_evm_probe: snd_soc_register_card [ 12.753846] davinci-mcasp 4803c000.mcasp: davinci_mcasp_probe: snd_soc_register_component [ 12.922051] davinci-mcasp 4803c000.mcasp: davinci_mcasp_probe: snd_soc_register_component DONE [ 12.950839] davinci_evm sound.3: ASoC: platform (null) not registered [ 12.957898] davinci_evm sound.3: davinci_evm_probe: snd_soc_register_card DONE (-517) [ 13.099026] davinci-mcasp 4803c000.mcasp: Kicking the deferred list [ 13.177838] davinci-mcasp 4803c000.mcasp: really_probe: probe_count = 2 [ 13.194130] davinci_evm sound.3: snd_soc_register_card failed (-517) [ 13.346755] davinci_mcasp_driver_init: LEAVE [ 13.377446] platform sound.3: Driver davinci_evm requests probe deferral [ 13.592527] platform sound.3: really_probe: probe_count = 0 In the log the machine driver enters it's probe at 12.719969 (this point it has been removed from the deferred lists). McASP driver already executing it's probing (since 12.615118). The machine driver tries to construct the sound card (12.950839) but did not found one of the components so it fails. After this McASP driver registers all the ASoC components (the machine driver still in it's probe function after it failed to construct the card) and the deferred work is prepared at 13.099026 (note that this time the machine driver is not in the lists so it is not going to be handled when the work is executing). Lastly the machine driver exit from it's probe and the core places it to the deferred list but there will be no other driver going to load and the deferred queue is not going to be kicked again - till we have external event like connecting USB stick, etc. The proposed solution is to try the deferred queue once more when the last driver is asking for deferring and we had drivers loaded while this last driver was probing. This way we can avoid drivers stuck in the deferred queue. Signed-off-by: Grant Likely Reviewed-by: Peter Ujfalusi Tested-by: Peter Ujfalusi Acked-by: Greg Kroah-Hartman Cc: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 786f95ca604ce585d6feee71ab653b04d4bb9a50 Author: Josef Gajdusek Date: Mon May 12 13:48:26 2014 +0200 hwmon: (emc1403) Support full range of known chip revision numbers commit 3a18e1398fc2dc9c32bbdc50664da3a77959a8d1 upstream. The datasheet for EMC1413/EMC1414, which is fully compatible to EMC1403/1404 and uses the same chip identification, references revision numbers 0x01, 0x03, and 0x04. Accept the full range of revision numbers from 0x01 to 0x04 to make sure none are missed. Signed-off-by: Josef Gajdusek [Guenter Roeck: Updated headline and description] Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 73cff75c551fb35bc952e96583a83b47ec33ee89 Author: Josef Gajdusek Date: Sun May 11 14:40:44 2014 +0200 hwmon: (emc1403) fix inverted store_hyst() commit 17c048fc4bd95efea208a1920f169547d8588f1f upstream. Attempts to set the hysteresis value to a temperature below the target limit fails with "write error: Numerical result out of range" due to an inverted comparison. Signed-off-by: Josef Gajdusek Reviewed-by: Jean Delvare [Guenter Roeck: Updated headline and description] Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 1ebe3d11087a74fea05620b13e33b0a30f6af2d0 Author: Chen Yucong Date: Thu May 22 11:54:15 2014 -0700 hwpoison, hugetlb: lock_page/unlock_page does not match for handling a free hugepage commit b985194c8c0a130ed155b71662e39f7eaea4876f upstream. For handling a free hugepage in memory failure, the race will happen if another thread hwpoisoned this hugepage concurrently. So we need to check PageHWPoison instead of !PageHWPoison. If hwpoison_filter(p) returns true or a race happens, then we need to unlock_page(hpage). Signed-off-by: Chen Yucong Reviewed-by: Naoya Horiguchi Tested-by: Naoya Horiguchi Reviewed-by: Andi Kleen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8fb57ba5d095b7a660d5bc7d1d5b385392020c07 Author: Anthony Iliopoulos Date: Wed May 14 11:29:48 2014 +0200 x86, mm, hugetlb: Add missing TLB page invalidation for hugetlb_cow() commit 9844f5462392b53824e8b86726e7c33b5ecbb676 upstream. The invalidation is required in order to maintain proper semantics under CoW conditions. In scenarios where a process clones several threads, a thread operating on a core whose DTLB entry for a particular hugepage has not been invalidated, will be reading from the hugepage that belongs to the forked child process, even after hugetlb_cow(). The thread will not see the updated page as long as the stale DTLB entry remains cached, the thread attempts to write into the page, the child process exits, or the thread gets migrated to a different processor. Signed-off-by: Anthony Iliopoulos Link: http://lkml.kernel.org/r/20140514092948.GA17391@server-36.huawei.corp Suggested-by: Shay Goikhman Acked-by: Dave Hansen Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit c16d9a8078cd2599228cb274027ce8b255ae76b5 Author: Corey Minyard Date: Mon Apr 14 09:46:52 2014 -0500 ipmi: Reset the KCS timeout when starting error recovery commit eb6d78ec213e6938559b801421d64714dafcf4b2 upstream. The OBF timer in KCS was not reset in one situation when error recovery was started, resulting in an immediate timeout. Reported-by: Bodo Stroesser Signed-off-by: Corey Minyard Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 21eaf4442aee2b5e25e698c7431b67c5961bce05 Author: Bodo Stroesser Date: Mon Apr 14 09:46:51 2014 -0500 ipmi: Fix a race restarting the timer commit 48e8ac2979920ffa39117e2d725afa3a749bfe8d upstream. With recent changes it is possible for the timer handler to detect an idle interface and not start the timer, but the thread to start an operation at the same time. The thread will not start the timer in that instance, resulting in the timer not running. Instead, move all timer operations under the lock and start the timer in the thread if it detect non-idle and the timer is not already running. Moving under locks allows the last timeout to be set in both the thread and the timer. 'Timer is not running' means that the timer is not pending and smi_timeout() is not running. So we need a flag to detect this correctly. Also fix a few other timeout bugs: setting the last timeout when the interrupt has to be disabled and the timer started, and setting the last timeout in check_start_timer_thread possibly racing with the timer Signed-off-by: Corey Minyard Signed-off-by: Bodo Stroesser Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 11e69564f65b6c7a1089c5d45929714e3ed6a921 Author: Jiri Bohac Date: Fri Apr 18 17:23:11 2014 +0200 timer: Prevent overflow in apply_slack commit 98a01e779f3c66b0b11cd7e64d531c0e41c95762 upstream. On architectures with sizeof(int) < sizeof (long), the computation of mask inside apply_slack() can be undefined if the computed bit is > 32. E.g. with: expires = 0xffffe6f5 and slack = 25, we get: expires_limit = 0x20000000e bit = 33 mask = (1 << 33) - 1 /* undefined */ On x86, mask becomes 1 and and the slack is not applied properly. On s390, mask is -1, expires is set to 0 and the timer fires immediately. Use 1UL << bit to solve that issue. Suggested-by: Deborah Townsend Signed-off-by: Jiri Bohac Link: http://lkml.kernel.org/r/20140418152310.GA13654@midget.suse.cz Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 3be2bb4956e5d9d849329d5d1b92f6510ac12315 Author: Linus Torvalds Date: Tue Apr 22 13:49:40 2014 -0700 mm: make fixup_user_fault() check the vma access rights too commit 1b17844b29ae042576bea588164f2f1e9590a8bc upstream. fixup_user_fault() is used by the futex code when the direct user access fails, and the futex code wants it to either map in the page in a usable form or return an error. It relied on handle_mm_fault() to map the page, and correctly checked the error return from that, but while that does map the page, it doesn't actually guarantee that the page will be mapped with sufficient permissions to be then accessed. So do the appropriate tests of the vma access rights by hand. [ Side note: arguably handle_mm_fault() could just do that itself, but we have traditionally done it in the caller, because some callers - notably get_user_pages() - have been able to access pages even when they are mapped with PROT_NONE. Maybe we should re-visit that design decision, but in the meantime this is the minimal patch. ] Found by Dave Jones running his trinity tool. Reported-by: Dave Jones Acked-by: Hugh Dickins Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 72c2f03ad9cb37d1673c0c986bdb341c1ae8052a Author: Bartlomiej Zolnierkiewicz Date: Mon Mar 31 19:51:14 2014 +0200 pata_at91: fix ata_host_activate() failure handling commit 27aa64b9d1bd0d23fd692c91763a48309b694311 upstream. Add missing clk_put() call to ata_host_activate() failure path. Sergei says, "Hm, I have once fixed that (see that *if* (!ret)) but looks like a later commit 477c87e90853d136b188c50c0e4a93d01cad872e (ARM: at91/pata: use gpio_is_valid to check the gpio) broke it again. :-( Would be good if the changelog did mention that..." Cc: Andrew Victor Cc: Nicolas Ferre Cc: Jean-Christophe Plagniol-Villard Cc: Sergei Shtylyov Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 8f4c0e8b5438725d66c6c27f11cb2a1c61c6d6c5 Author: Steven Rostedt (Red Hat) Date: Thu Apr 24 10:40:12 2014 -0400 ftrace/module: Hardcode ftrace_module_init() call into load_module() commit a949ae560a511fe4e3adf48fa44fefded93e5c2b upstream. A race exists between module loading and enabling of function tracer. CPU 1 CPU 2 ----- ----- load_module() module->state = MODULE_STATE_COMING register_ftrace_function() mutex_lock(&ftrace_lock); ftrace_startup() update_ftrace_function(); ftrace_arch_code_modify_prepare() set_all_module_text_rw(); ftrace_arch_code_modify_post_process() set_all_module_text_ro(); [ here all module text is set to RO, including the module that is loading!! ] blocking_notifier_call_chain(MODULE_STATE_COMING); ftrace_init_module() [ tries to modify code, but it's RO, and fails! ftrace_bug() is called] When this race happens, ftrace_bug() will produces a nasty warning and all of the function tracing features will be disabled until reboot. The simple solution is to treate module load the same way the core kernel is treated at boot. To hardcode the ftrace function modification of converting calls to mcount into nops. This is done in init/main.c there's no reason it could not be done in load_module(). This gives a better control of the changes and doesn't tie the state of the module to its notifiers as much. Ftrace is special, it needs to be treated as such. The reason this would work, is that the ftrace_module_init() would be called while the module is in MODULE_STATE_UNFORMED, which is ignored by the set_all_module_text_ro() call. Link: http://lkml.kernel.org/r/1395637826-3312-1-git-send-email-indou.takao@jp.fujitsu.com Reported-by: Takao Indoh Acked-by: Rusty Russell Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 6427aede5eaac2e39a1d2b3306d960a603d7c3d9 Author: Thomas Gleixner Date: Mon May 12 20:45:35 2014 +0000 futex: Prevent attaching to kernel threads commit f0d71b3dcb8332f7971b5f2363632573e6d9486a upstream. We happily allow userspace to declare a random kernel thread to be the owner of a user space PI futex. Found while analysing the fallout of Dave Jones syscall fuzzer. We also should validate the thread group for private futexes and find some fast way to validate whether the "alleged" owner has RW access on the file which backs the SHM, but that's a separate issue. Signed-off-by: Thomas Gleixner Cc: Dave Jones Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Darren Hart Cc: Davidlohr Bueso Cc: Steven Rostedt Cc: Clark Williams Cc: Paul McKenney Cc: Lai Jiangshan Cc: Roland McGrath Cc: Carlos ODonell Cc: Jakub Jelinek Cc: Michael Kerrisk Cc: Sebastian Andrzej Siewior Link: http://lkml.kernel.org/r/20140512201701.194824402@linutronix.de Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 7bf0aee237176a3edcd054b80dba2dad3e2be7ff Author: Thomas Gleixner Date: Mon May 12 20:45:34 2014 +0000 futex: Add another early deadlock detection check commit 866293ee54227584ffcb4a42f69c1f365974ba7f upstream. Dave Jones trinity syscall fuzzer exposed an issue in the deadlock detection code of rtmutex: http://lkml.kernel.org/r/20140429151655.GA14277@redhat.com That underlying issue has been fixed with a patch to the rtmutex code, but the futex code must not call into rtmutex in that case because - it can detect that issue early - it avoids a different and more complex fixup for backing out If the user space variable got manipulated to 0x80000000 which means no lock holder, but the waiters bit set and an active pi_state in the kernel is found we can figure out the recursive locking issue by looking at the pi_state owner. If that is the current task, then we can safely return -EDEADLK. The check should have been added in commit 59fa62451 (futex: Handle futex_pi OWNER_DIED take over correctly) already, but I did not see the above issue caused by user space manipulation back then. Signed-off-by: Thomas Gleixner Cc: Dave Jones Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Darren Hart Cc: Davidlohr Bueso Cc: Steven Rostedt Cc: Clark Williams Cc: Paul McKenney Cc: Lai Jiangshan Cc: Roland McGrath Cc: Carlos ODonell Cc: Jakub Jelinek Cc: Michael Kerrisk Cc: Sebastian Andrzej Siewior Link: http://lkml.kernel.org/r/20140512201701.097349971@linutronix.de Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit d16beab575e17e46a4b187fb9f8211fab3adfbae Author: Eric Dumazet Date: Thu Apr 3 09:28:10 2014 -0700 net-gro: reset skb->truesize in napi_reuse_skb() [ Upstream commit e33d0ba8047b049c9262fdb1fcafb93cb52ceceb ] Recycling skb always had been very tough... This time it appears GRO layer can accumulate skb->truesize adjustments made by drivers when they attach a fragment to skb. skb_gro_receive() can only subtract from skb->truesize the used part of a fragment. I spotted this problem seeing TcpExtPruneCalled and TcpExtTCPRcvCollapsed that were unexpected with a recent kernel, where TCP receive window should be sized properly to accept traffic coming from a driver not overshooting skb->truesize. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1102122b2bdf4307cae269c725fab4c9c6141f5b Author: Alexander Duyck Date: Fri May 4 14:26:56 2012 +0000 skb: Add inline helper for getting the skb end offset from head [ Upstream commit ec47ea82477404631d49b8e568c71826c9b663ac ] With the recent changes for how we compute the skb truesize it occurs to me we are probably going to have a lot of calls to skb_end_pointer - skb->head. Instead of running all over the place doing that it would make more sense to just make it a separate inline skb_end_offset(skb) that way we can return the correct value without having gcc having to do all the optimization to cancel out skb->head - skb->head. Signed-off-by: Alexander Duyck Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 62e1a647e74f708eeabf1c79f3d40833d8ce45eb Author: Li RongQing Date: Thu May 22 16:36:55 2014 +0800 ipv4: initialise the itag variable in __mkroute_input [ Upstream commit fbdc0ad095c0a299e9abf5d8ac8f58374951149a ] the value of itag is a random value from stack, and may not be initiated by fib_validate_source, which called fib_combine_itag if CONFIG_IP_ROUTE_CLASSID is not set This will make the cached dst uncertainty Signed-off-by: Li RongQing Acked-by: Alexei Starovoitov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7c8a60a9e3cdfcc04bc4de488876c07225fa0347 Author: Jason Wang Date: Wed Aug 15 20:44:27 2012 +0000 act_mirred: do not drop packets when fails to mirror it [ Upstream commit 16c0b164bd24d44db137693a36b428ba28970c62 ] We drop packet unconditionally when we fail to mirror it. This is not intended in some cases. Consdier for kvm guest, we may mirror the traffic of the bridge to a tap device used by a VM. When kernel fails to mirror the packet in conditions such as when qemu crashes or stop polling the tap, it's hard for the management software to detect such condition and clean the the mirroring before. This would lead all packets to the bridge to be dropped and break the netowrk of other virtual machines. To solve the issue, the patch does not drop packets when kernel fails to mirror it, and only drop the redirected packets. Signed-off-by: Jason Wang Signed-off-by: Jamal Hadi Salim Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dfe37ad5ddd74bfb299bb50b62db2f5c6b0bc78a Author: Sergey Popovich Date: Tue May 6 18:23:08 2014 +0300 ipv4: fib_semantics: increment fib_info_cnt after fib_info allocation [ Upstream commit aeefa1ecfc799b0ea2c4979617f14cecd5cccbfd ] Increment fib_info_cnt in fib_create_info() right after successfuly alllocating fib_info structure, overwise fib_metrics allocation failure leads to fib_info_cnt incorrectly decremented in free_fib_info(), called on error path from fib_create_info(). Signed-off-by: Sergey Popovich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit bd91cb56f951a7b0da8c3098ea9cd56854ece66c Author: Florian Westphal Date: Sun May 4 23:24:31 2014 +0200 net: ipv4: ip_forward: fix inverted local_df test [ Upstream commit ca6c5d4ad216d5942ae544bbf02503041bd802aa ] local_df means 'ignore DF bit if set', so if its set we're allowed to perform ip fragmentation. This wasn't noticed earlier because the output path also drops such skbs (and emits needed icmp error) and because netfilter ip defrag did not set local_df until couple of days ago. Only difference is that DF-packets-larger-than MTU now discarded earlier (f.e. we avoid pointless netfilter postrouting trip). While at it, drop the repeated test ip_exceeds_mtu, checking it once is enough... Fixes: fe6cc55f3a9 ("net: ip, ipv6: handle gso skbs in forwarding path") Signed-off-by: Florian Westphal Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b8b4577dff4f2d0964546a6ee9dcb542b13c3337 Author: Liu Yu Date: Wed Apr 30 17:34:09 2014 +0800 tcp_cubic: fix the range of delayed_ack [ Upstream commit 0cda345d1b2201dd15591b163e3c92bad5191745 ] commit b9f47a3aaeab (tcp_cubic: limit delayed_ack ratio to prevent divide error) try to prevent divide error, but there is still a little chance that delayed_ack can reach zero. In case the param cnt get negative value, then ratio+cnt would overflow and may happen to be zero. As a result, min(ratio, ACK_RATIO_LIMIT) will calculate to be zero. In some old kernels, such as 2.6.32, there is a bug that would pass negative param, which then ultimately leads to this divide error. commit 5b35e1e6e9c (tcp: fix tcp_trim_head() to adjust segment count with skb MSS) fixed the negative param issue. However, it's safe that we fix the range of delayed_ack as well, to make sure we do not hit a divide by zero. CC: Stephen Hemminger Signed-off-by: Liu Yu Signed-off-by: Eric Dumazet Acked-by: Neal Cardwell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2c11ea07f5818be0043b59aa85e7a3ceb927af5e Author: Vlad Yasevich Date: Tue Apr 29 10:09:51 2014 -0400 Revert "macvlan : fix checksums error when we are in bridge mode" [ Upstream commit f114890cdf84d753f6b41cd0cc44ba51d16313da ] This reverts commit 12a2856b604476c27d85a5f9a57ae1661fc46019. The commit above doesn't appear to be necessary any more as the checksums appear to be correctly computed/validated. Additionally the above commit breaks kvm configurations where one VM is using a device that support checksum offload (virtio) and the other VM does not. In this case, packets leaving virtio device will have CHECKSUM_PARTIAL set. The packets is forwarded to a macvtap that has offload features turned off. Since we use CHECKSUM_UNNECESSARY, the host does does not update the checksum and thus a bad checksum is passed up to the guest. CC: Daniel Lezcano CC: Patrick McHardy CC: Andrian Nord CC: Eric Dumazet CC: Michael S. Tsirkin CC: Jason Wang Signed-off-by: Vlad Yasevich Acked-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3a17d3e6da875f6cccb3233af73272d7ac38389f Author: David Gibson Date: Thu Apr 24 10:22:36 2014 +1000 rtnetlink: Only supply IFLA_VF_PORTS information when RTEXT_FILTER_VF is set [ Upstream commit c53864fd60227de025cb79e05493b13f69843971 ] Since 115c9b81928360d769a76c632bae62d15206a94a (rtnetlink: Fix problem with buffer allocation), RTM_NEWLINK messages only contain the IFLA_VFINFO_LIST attribute if they were solicited by a GETLINK message containing an IFLA_EXT_MASK attribute with the RTEXT_FILTER_VF flag. That was done because some user programs broke when they received more data than expected - because IFLA_VFINFO_LIST contains information for each VF it can become large if there are many VFs. However, the IFLA_VF_PORTS attribute, supplied for devices which implement ndo_get_vf_port (currently the 'enic' driver only), has the same problem. It supplies per-VF information and can therefore become large, but it is not currently conditional on the IFLA_EXT_MASK value. Worse, it interacts badly with the existing EXT_MASK handling. When IFLA_EXT_MASK is not supplied, the buffer for netlink replies is fixed at NLMSG_GOODSIZE. If the information for IFLA_VF_PORTS exceeds this, then rtnl_fill_ifinfo() returns -EMSGSIZE on the first message in a packet. netlink_dump() will misinterpret this as having finished the listing and omit data for this interface and all subsequent ones. That can cause getifaddrs(3) to enter an infinite loop. This patch addresses the problem by only supplying IFLA_VF_PORTS when IFLA_EXT_MASK is supplied with the RTEXT_FILTER_VF flag set. Signed-off-by: David Gibson Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4fab0f56cea44d39a2ab41e2869a7ec30c309204 Author: David Gibson Date: Thu Apr 24 10:22:35 2014 +1000 rtnetlink: Warn when interface's information won't fit in our packet [ Upstream commit 973462bbde79bb827824c73b59027a0aed5c9ca6 ] Without IFLA_EXT_MASK specified, the information reported for a single interface in response to RTM_GETLINK is expected to fit within a netlink packet of NLMSG_GOODSIZE. If it doesn't, however, things will go badly wrong, When listing all interfaces, netlink_dump() will incorrectly treat -EMSGSIZE on the first message in a packet as the end of the listing and omit information for that interface and all subsequent ones. This can cause getifaddrs(3) to enter an infinite loop. This patch won't fix the problem, but it will WARN_ON() making it easier to track down what's going wrong. Signed-off-by: David Gibson Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c7dedf9d07e1471acec49947f3aacd77ea379bdf Author: Ivan Vecera Date: Thu Apr 17 14:51:08 2014 +0200 tg3: update rx_jumbo_pending ring param only when jumbo frames are enabled The patch fixes a problem with dropped jumbo frames after usage of 'ethtool -G ... rx'. Scenario: 1. ip link set eth0 up 2. ethtool -G eth0 rx N # <- This zeroes rx-jumbo 3. ip link set mtu 9000 dev eth0 The ethtool command set rx_jumbo_pending to zero so any received jumbo packets are dropped and you need to use 'ethtool -G eth0 rx-jumbo N' to workaround the issue. The patch changes the logic so rx_jumbo_pending value is changed only if jumbo frames are enabled (MTU > 1500). Signed-off-by: Ivan Vecera Acked-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7dca1b9e80e5742b8edfd747dbee9fee5995c3cf Author: Mathias Krause Date: Sun Apr 13 18:23:33 2014 +0200 filter: prevent nla extensions to peek beyond the end of the message [ Upstream commit 05ab8f2647e4221cbdb3856dd7d32bd5407316b3 ] The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check for a minimal message length before testing the supplied offset to be within the bounds of the message. This allows the subtraction of the nla header to underflow and therefore -- as the data type is unsigned -- allowing far to big offset and length values for the search of the netlink attribute. The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is also wrong. It has the minuend and subtrahend mixed up, therefore calculates a huge length value, allowing to overrun the end of the message while looking for the netlink attribute. The following three BPF snippets will trigger the bugs when attached to a UNIX datagram socket and parsing a message with length 1, 2 or 3. ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]-- | ld #0x87654321 | ldx #42 | ld #nla | ret a `--- ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]-- | ld #0x87654321 | ldx #42 | ld #nlan | ret a `--- ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]-- | ; (needs a fake netlink header at offset 0) | ld #0 | ldx #42 | ld #nlan | ret a `--- Fix the first issue by ensuring the message length fulfills the minimal size constrains of a nla header. Fix the second bug by getting the math for the remainder calculation right. Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction") Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..") Cc: Patrick McHardy Cc: Pablo Neira Ayuso Signed-off-by: Mathias Krause Acked-by: Daniel Borkmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 67c6fc9e79121c69134efdd03a6d35aa6adf6c92 Author: Wang, Xiaoming Date: Mon Apr 14 12:30:45 2014 -0400 net: ipv4: current group_info should be put after using. [ Upstream commit b04c46190219a4f845e46a459e3102137b7f6cac ] Plug a group_info refcount leak in ping_init. group_info is only needed during initialization and the code failed to release the reference on exit. While here move grabbing the reference to a place where it is actually needed. Signed-off-by: Chuansheng Liu Signed-off-by: Zhang Dongxing Signed-off-by: xiaoming wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6392b2685b864f0ace1eaae43c998dccb856bd30 Author: Eric Dumazet Date: Thu Apr 10 21:23:36 2014 -0700 ipv6: Limit mtu to 65575 bytes [ Upstream commit 30f78d8ebf7f514801e71b88a10c948275168518 ] Francois reported that setting big mtu on loopback device could prevent tcp sessions making progress. We do not support (yet ?) IPv6 Jumbograms and cook corrupted packets. We must limit the IPv6 MTU to (65535 + 40) bytes in theory. Tested: ifconfig lo mtu 70000 netperf -H ::1 Before patch : Throughput : 0.05 Mbits After patch : Throughput : 35484 Mbits Reported-by: Francois WELLENREITER Signed-off-by: Eric Dumazet Acked-by: YOSHIFUJI Hideaki Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cedc89a20df8cb06e3fee2f3f7b9d90430142e22 Author: Thomas Richter Date: Wed Apr 9 12:52:59 2014 +0200 bonding: Remove debug_fs files when module init fails [ Upstream commit db29868653394937037d71dc3545768302dda643 ] Remove the bonding debug_fs entries when the module initialization fails. The debug_fs entries should be removed together with all other already allocated resources. Signed-off-by: Thomas Richter Signed-off-by: Jay Vosburgh Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 20874f008f43d98548af632bbbfb54336183a98a Author: Florian Westphal Date: Wed Apr 9 10:28:50 2014 +0200 net: core: don't account for udp header size when computing seglen [ Upstream commit 6d39d589bb76ee8a1c6cde6822006ae0053decff ] In case of tcp, gso_size contains the tcpmss. For UFO (udp fragmentation offloading) skbs, gso_size is the fragment payload size, i.e. we must not account for udp header size. Otherwise, when using virtio drivers, a to-be-forwarded UFO GSO packet will be needlessly fragmented in the forward path, because we think its individual segments are too large for the outgoing link. Fixes: fe6cc55f3a9a053 ("net: ip, ipv6: handle gso skbs in forwarding path") Cc: Eric Dumazet Reported-by: Tobias Brunner Signed-off-by: Florian Westphal Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f32abfaa76f1859eae458ea4b6fee2f9385a0d59 Author: Dmitry Petukhov Date: Wed Apr 9 02:23:20 2014 +0600 l2tp: take PMTU from tunnel UDP socket [ Upstream commit f34c4a35d87949fbb0e0f31eba3c054e9f8199ba ] When l2tp driver tries to get PMTU for the tunnel destination, it uses the pointer to struct sock that represents PPPoX socket, while it should use the pointer that represents UDP socket of the tunnel. Signed-off-by: Dmitry Petukhov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7658e7de68b967b01be536c998b0b90d0b6ec013 Author: Daniel Borkmann Date: Wed Apr 9 16:10:20 2014 +0200 net: sctp: test if association is dead in sctp_wake_up_waiters [ Upstream commit 1e1cdf8ac78793e0875465e98a648df64694a8d0 ] In function sctp_wake_up_waiters(), we need to involve a test if the association is declared dead. If so, we don't have any reference to a possible sibling association anymore and need to invoke sctp_write_space() instead, and normally walk the socket's associations and notify them of new wmem space. The reason for special casing is that otherwise, we could run into the following issue when a sctp_primitive_SEND() call from sctp_sendmsg() fails, and tries to flush an association's outq, i.e. in the following way: sctp_association_free() `-> list_del(&asoc->asocs) <-- poisons list pointer asoc->base.dead = true sctp_outq_free(&asoc->outqueue) `-> __sctp_outq_teardown() `-> sctp_chunk_free() `-> consume_skb() `-> sctp_wfree() `-> sctp_wake_up_waiters() <-- dereferences poisoned pointers if asoc->ep->sndbuf_policy=0 Therefore, only walk the list in an 'optimized' way if we find that the current association is still active. We could also use list_del_init() in addition when we call sctp_association_free(), but as Vlad suggests, we want to trap such bugs and thus leave it poisoned as is. Why is it safe to resolve the issue by testing for asoc->base.dead? Parallel calls to sctp_sendmsg() are protected under socket lock, that is lock_sock()/release_sock(). Only within that path under lock held, we're setting skb/chunk owner via sctp_set_owner_w(). Eventually, chunks are freed directly by an association still under that lock. So when traversing association list on destruction time from sctp_wake_up_waiters() via sctp_wfree(), a different CPU can't be running sctp_wfree() while another one calls sctp_association_free() as both happens under the same lock. Therefore, this can also not race with setting/testing against asoc->base.dead as we are guaranteed for this to happen in order, under lock. Further, Vlad says: the times we check asoc->base.dead is when we've cached an association pointer for later processing. In between cache and processing, the association may have been freed and is simply still around due to reference counts. We check asoc->base.dead under a lock, so it should always be safe to check and not race against sctp_association_free(). Stress-testing seems fine now, too. Fixes: cd253f9f357d ("net: sctp: wake up all assocs if sndbuf policy is per socket") Signed-off-by: Daniel Borkmann Cc: Vlad Yasevich Acked-by: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0fc175dff42444b3fe24dff93d25aa5c7c427724 Author: Daniel Borkmann Date: Tue Apr 8 17:26:13 2014 +0200 net: sctp: wake up all assocs if sndbuf policy is per socket [ Upstream commit 52c35befb69b005c3fc5afdaae3a5717ad013411 ] SCTP charges chunks for wmem accounting via skb->truesize in sctp_set_owner_w(), and sctp_wfree() respectively as the reverse operation. If a sender runs out of wmem, it needs to wait via sctp_wait_for_sndbuf(), and gets woken up by a call to __sctp_write_space() mostly via sctp_wfree(). __sctp_write_space() is being called per association. Although we assign sk->sk_write_space() to sctp_write_space(), which is then being done per socket, it is only used if send space is increased per socket option (SO_SNDBUF), as SOCK_USE_WRITE_QUEUE is set and therefore not invoked in sock_wfree(). Commit 4c3a5bdae293 ("sctp: Don't charge for data in sndbuf again when transmitting packet") fixed an issue where in case sctp_packet_transmit() manages to queue up more than sndbuf bytes, sctp_wait_for_sndbuf() will never be woken up again unless it is interrupted by a signal. However, a still remaining issue is that if net.sctp.sndbuf_policy=0, that is accounting per socket, and one-to-many sockets are in use, the reclaimed write space from sctp_wfree() is 'unfairly' handed back on the server to the association that is the lucky one to be woken up again via __sctp_write_space(), while the remaining associations are never be woken up again (unless by a signal). The effect disappears with net.sctp.sndbuf_policy=1, that is wmem accounting per association, as it guarantees a fair share of wmem among associations. Therefore, if we have reclaimed memory in case of per socket accounting, wake all related associations to a socket in a fair manner, that is, traverse the socket association list starting from the current neighbour of the association and issue a __sctp_write_space() to everyone until we end up waking ourselves. This guarantees that no association is preferred over another and even if more associations are taken into the one-to-many session, all receivers will get messages from the server and are not stalled forever on high load. This setting still leaves the advantage of per socket accounting in touch as an association can still use up global limits if unused by others. Fixes: 4eb701dfc618 ("[SCTP] Fix SCTP sendbuffer accouting.") Signed-off-by: Daniel Borkmann Cc: Thomas Graf Cc: Neil Horman Cc: Vlad Yasevich Acked-by: Vlad Yasevich Acked-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fce85b081c08c1326d9bcab0ff9ea1c85b7e9858 Author: Oleg Nesterov Date: Tue Nov 12 15:10:01 2013 -0800 list: introduce list_next_entry() and list_prev_entry() [ Upstream commit 008208c6b26f21c2648c250a09c55e737c02c5f8 ] Add two trivial helpers list_next_entry() and list_prev_entry(), they can have a lot of users including list.h itself. In fact the 1st one is already defined in events/core.c and bnx2x_sp.c, so the patch simply moves the definition to list.h. Signed-off-by: Oleg Nesterov Cc: Eilon Greenstein Cc: Greg Kroah-Hartman Cc: Peter Zijlstra Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ced68efe273377c2f525418da0b75f8d2d6d2402 Author: Alex Deucher Date: Mon Mar 31 11:19:46 2014 -0400 drm/radeon: call drm_edid_to_eld when we update the edid commit 16086279353cbfecbb3ead474072dced17b97ddc upstream. This needs to be done to update some of the fields in the connector structure used by the audio code. Noticed by several users on irc. Signed-off-by: Alex Deucher Signed-off-by: Christian König Signed-off-by: Greg Kroah-Hartman commit b8a0ddefa0086479a20270c43fb00f71cb5ce573 Author: Christopher Friedt Date: Sat Feb 1 10:01:15 2014 -0500 drm/vmwgfx: correct fb_fix_screeninfo.line_length commit aa6de142c901cd2d90ef08db30ae87da214bedcc upstream. Previously, the vmwgfx_fb driver would allow users to call FBIOSET_VINFO, but it would not adjust the FINFO properly, resulting in distorted screen rendering. The patch corrects that behaviour. See https://bugs.gentoo.org/show_bug.cgi?id=494794 for examples. Signed-off-by: Christopher Friedt Reviewed-by: Thomas Hellstrom Signed-off-by: Greg Kroah-Hartman commit 2b8b56486c1cb6bb0ea3a5eafc5f54748fd05c7a Author: Bjørn Mork Date: Fri Apr 25 18:49:20 2014 +0200 usb: option: add and update a number of CMOTech devices commit 34f972d6156fe9eea2ab7bb418c71f9d1d5c8e7b upstream. A number of older CMOTech modems are based on Qualcomm chips. The blacklisted interfaces are QMI/wwan. Reported-by: Lars Melin Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman commit 3794e546cf34fa6da751518a9e3aeac62cc82202 Author: Bjørn Mork Date: Fri Apr 25 18:49:19 2014 +0200 usb: option: add Alcatel L800MA commit dd6b48ecec2ea7d15f28d5e5474388681899a5e1 upstream. Device interface layout: 0: ff/ff/ff - serial 1: ff/00/00 - serial AT+PPP 2: ff/ff/ff - QMI/wwan 3: 08/06/50 - storage Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman commit 08e1505871a4bde2e454591a8c3d2fb522fecd69 Author: Bjørn Mork Date: Fri Apr 25 18:49:18 2014 +0200 usb: option: add Olivetti Olicard 500 commit 533b3994610f316e5cd61b56d0c4daa15c830f89 upstream. Device interface layout: 0: ff/ff/ff - serial 1: ff/ff/ff - serial AT+PPP 2: 08/06/50 - storage 3: ff/ff/ff - serial 4: ff/ff/ff - QMI/wwan Reported-by: Julio Araujo Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman commit 818346b5be68137e39adf5895fe0172a9c84b949 Author: Johan Hovold Date: Fri Apr 25 15:23:03 2014 +0200 USB: io_ti: fix firmware download on big-endian machines commit 5509076d1b4485ce9fb07705fcbcd2695907ab5b upstream. During firmware download the device expects memory addresses in big-endian byte order. As the wIndex parameter which hold the address is sent in little-endian byte order regardless of host byte order, we need to use swab16 rather than cpu_to_be16. Also make sure to handle the struct ti_i2c_desc size parameter which is returned in little-endian byte order. Reported-by: Ludovic Drolez Tested-by: Ludovic Drolez Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit d3972467efba36977afd3810c23617ecf5853656 Author: Johan Hovold Date: Fri Mar 28 18:05:10 2014 +0100 Revert "USB: serial: add usbid for dell wwan card to sierra.c" commit 2e01280d2801c72878cf3a7119eac30077b463d5 upstream. This reverts commit 1ebca9dad5abe8b2ed4dbd186cd657fb47c1f321. This device was erroneously added to the sierra driver even though it's not a Sierra device and was already handled by the option driver. Cc: Richard Farina Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit a1611e6cc002b38a449e61dc69e8f24b2a627854 Author: Daniele Palmas Date: Wed Apr 2 11:19:48 2014 +0200 usb: option driver, add support for Telit UE910v2 commit d6de486bc22255779bd54b0fceb4c240962bf146 upstream. option driver, added VID/PID for Telit UE910v2 modem Signed-off-by: Daniele Palmas Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 7f72c55d0b8869aa40181b1e8b5456a800c4c154 Author: Michele Baldessari Date: Mon Mar 31 10:51:00 2014 +0200 USB: serial: ftdi_sio: add id for Brainboxes serial cards commit efe26e16b1d93ac0085e69178cc18811629e8fc5 upstream. Custom VID/PIDs for Brainboxes cards as reported in https://bugzilla.redhat.com/show_bug.cgi?id=1071914 Signed-off-by: Michele Baldessari Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 971779e857794be65387204ceee8fd4e9afddb72 Author: Tristan Bruns Date: Sun Apr 13 23:57:16 2014 +0200 USB: cp210x: Add 8281 (Nanotec Plug & Drive) commit 72b3007951010ce1bbf950e23b19d9839fa905a5 upstream. Signed-off-by: Tristan Bruns Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit b08f08b56fdbff8617e4d85182500684f754890e Author: Michael Ulbricht Date: Tue Mar 25 10:34:18 2014 +0100 USB: cdc-acm: Remove Motorola/Telit H24 serial interfaces from ACM driver commit 895d240d1db0b2736d779200788e4c4aea28a0c6 upstream. By specifying NO_UNION_NORMAL the ACM driver does only use the first two USB interfaces (modem data & control). The AT Port, Diagnostic and NMEA interfaces are left to the USB serial driver. Signed-off-by: Michael Ulbricht Signed-off-by: Alexander Stein Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit e4e351a30ae3928b889cf23e5153075591938926 Author: Mizuma, Masayoshi Date: Fri Apr 18 15:07:18 2014 -0700 mm/hugetlb.c: add cond_resched_lock() in return_unused_surplus_pages() commit 7848a4bf51b34f41fcc9bd77e837126d99ae84e3 upstream. soft lockup in freeing gigantic hugepage fixed in commit 55f67141a892 "mm: hugetlb: fix softlockup when a large number of hugepages are freed." can happen in return_unused_surplus_pages(), so let's fix it. Signed-off-by: Masayoshi Mizuma Signed-off-by: Naoya Horiguchi Cc: Joonsoo Kim Cc: Michal Hocko Cc: Aneesh Kumar Cc: KOSAKI Motohiro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 69ec67c1c1360345aa949fa571039bd8c69d7721 Author: Helge Deller Date: Sun Apr 13 00:03:55 2014 +0200 parisc: fix epoll_pwait syscall on compat kernel commit ab3e55b119c9653b19ea4edffb86f04db867ac98 upstream. This bug was detected with the libio-epoll-perl debian package where the test case IO-Ppoll-compat.t failed. Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman