commit 19b00d2dc9bedf0856e366cb7b9c7733ded659e4 Author: Greg Kroah-Hartman Date: Mon Mar 4 06:04:08 2013 +0800 Linux 3.8.2 commit 2cd182d6f0f948aaa10e69f9efccd63dd61e6dcd Author: Dave Chinner Date: Mon Feb 11 15:58:13 2013 +1100 xfs: xfs_bmap_add_attrfork_local is too generic commit 1e82379b018ceed0f0912327c60d73107dacbcb3 upstream. When we are converting local data to an extent format as a result of adding an attribute, the type of data contained in the local fork determines the behaviour that needs to occur. xfs_bmap_add_attrfork_local() already handles the directory data case specially by using S_ISDIR() and calling out to xfs_dir2_sf_to_block(), but with verifiers we now need to handle each different type of metadata specially and different metadata formats require different verifiers (and eventually block header initialisation). There is only a single place that we add and attribute fork to the inode, but that is in the attribute code and it knows nothing about the specific contents of the data fork. It is only the case of local data that is the issue here, so adding code to hadnle this case in the attribute specific code is wrong. Hence we are really stuck trying to detect the data fork contents in xfs_bmap_add_attrfork_local() and performing the correct callout there. Luckily the current cases can be determined by S_IS* macros, and we can push the work off to data specific callouts, but each of those callouts does a lot of work in common with xfs_bmap_local_to_extents(). The only reason that this fails for symlinks right now is is that xfs_bmap_local_to_extents() assumes the data fork contains extent data, and so attaches a a bmap extent data verifier to the buffer and simply copies the data fork information straight into it. To fix this, allow us to pass a "formatting" callback into xfs_bmap_local_to_extents() which is responsible for setting the buffer type, initialising it and copying the data fork contents over to the new buffer. This allows callers to specify how they want to format the new buffer (which is necessary for the upcoming CRC enabled metadata blocks) and hence make xfs_bmap_local_to_extents() useful for any type of data fork content. Signed-off-by: Dave Chinner Reviewed-by: Mark Tinguely Signed-off-by: Ben Myers Signed-off-by: Greg Kroah-Hartman commit 688289c4b745c018b3449b4b4c5a2030083c8eaf Author: Matt Fleming Date: Fri Feb 1 11:02:28 2013 +0000 efivarfs: guid part of filenames are case-insensitive commit da27a24383b2b10bf6ebd0db29b325548aafecb4 upstream. It makes no sense to treat the following filenames as unique, VarName-abcdefab-abcd-abcd-abcd-abcdefabcdef VarName-ABCDEFAB-ABCD-ABCD-ABCD-ABCDEFABCDEF VarName-ABcDEfAB-ABcD-ABcD-ABcD-ABcDEfABcDEf VarName-aBcDEfAB-aBcD-aBcD-aBcD-aBcDEfaBcDEf ... etc ... since the guid will be converted into a binary representation, which has no case. Roll our own dentry operations so that we can treat the variable name part of filenames ("VarName" in the above example) as case-sensitive, but the guid portion as case-insensitive. That way, efivarfs will refuse to create the above files if any one already exists. Reported-by: Lingzhu Xiang Cc: Matthew Garrett Cc: Jeremy Kerr Cc: Al Viro Signed-off-by: Matt Fleming Signed-off-by: Greg Kroah-Hartman commit 70afdfc6b4e4fec67bd07a5af56e0f8f7ecc7f46 Author: Matt Fleming Date: Thu Jan 31 19:02:03 2013 +0000 efivarfs: Validate filenames much more aggressively commit 47f531e8ba3bc3901a0c493f4252826c41dea1a1 upstream. The only thing that efivarfs does to enforce a valid filename is ensure that the name isn't too short. We need to strongly sanitise any filenames, not least because variable creation is delayed until efivarfs_file_write(), which means we can't rely on the firmware to inform us of an invalid name, because if the file is never written to we'll never know it's invalid. Perform a couple of steps before agreeing to create a new file, * hex_to_bin() returns a value indicating whether or not it was able to convert its arguments to a binary representation - we should check it. * Ensure that the GUID portion of the filename is the correct length and format. * The variable name portion of the filename needs to be at least one character in size. Reported-by: Lingzhu Xiang Cc: Matthew Garrett Cc: Jeremy Kerr Cc: Al Viro Signed-off-by: Matt Fleming Signed-off-by: Greg Kroah-Hartman commit 595aa2afac1f6cb2ab5e3c3a45b965fb400dc795 Author: Thomas Renninger Date: Fri Feb 22 14:12:22 2013 +0100 ACPI: Overriding ACPI tables via initrd only works with an initrd and on X86 commit 565d956a7e191e95d81f515196951715f2616e6b upstream. Reflect this dependency in Kconfig, to prevent build failures. Shorten the config description as suggested by Borislav Petkov. Finding a suitable memory area to store the modified table(s) has been taken over from arch/x86/kernel/setup.c and makes use of max_low_pfn_mapped: memblock_find_in_range(0, max_low_pfn_mapped,...) This one is X86 specific. It may not be hard to extend this functionality for other ACPI aware architectures if there is need for. For now make this feature only available for X86 to avoid build failures on IA64, compare with: https://bugzilla.kernel.org/show_bug.cgi?id=54091 Signed-off-by: Thomas Renninger Link: http://lkml.kernel.org/r/1361538742-67599-3-git-send-email-trenn@suse.de Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit c5d6774c8df7a755c13e8c9e1d9306f4f8c8c452 Author: Lee, Chun-Yi Date: Thu Dec 20 19:33:22 2012 +0800 x86, efi: Allow slash in file path of initrd commit deb94101c4fda22e152c2a311210cf09ae51adf6 upstream. When initrd file didn't put at the same place with stub kernel, we need give the file path of initrd, but need use backslash to separate directory and file. It's not friendly to unix/linux user, and not so intuitive for bootloader forward paramters to efi stub kernel by chainloading. This patch add support to handle_ramdisks for allow slash in file path of initrd, it convert slash to backlash when parsing path. In additional, this patch also separates print code of efi_char16_t from efi_printk, and print out the path/filename of initrd when failed to open initrd file. It's good for debug and discover typo. Signed-off-by: Lee, Chun-Yi Cc: Matthew Garrett Cc: H. Peter Anvin Signed-off-by: Matt Fleming Signed-off-by: Greg Kroah-Hartman commit 9b48ad4a2bfd0acb3f58dcf291e2edb005fca2d7 Author: Alexey Klimov Date: Mon Nov 12 02:57:03 2012 -0300 usb hid quirks for Masterkit MA901 usb radio commit 0322bd3980b3ebf7dde8474e22614cb443d6479a upstream. Don't let Masterkit MA901 USB radio be handled by usb hid drivers. This device will be handled by radio-ma901.c driver. Signed-off-by: Alexey Klimov Acked-by: Hans Verkuil Acked-by: Jiri Kosina Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 58a24bbc42eb4db49ca8703d7db8292c333c329f Author: James Ralston Date: Fri Feb 8 17:34:47 2013 -0800 ahci: Add Device IDs for Intel Wellsburg PCH commit 151743fd8dfb02956c5184b5f4f0f42677eb75bc upstream. This patch adds the AHCI-mode SATA Device IDs for the Intel Wellsburg PCH Signed-off-by: James Ralston Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit f5248a1fd9fdf6670266dd29b135a2964bc868a9 Author: Seth Heasley Date: Fri Jan 25 12:01:05 2013 -0800 ahci: AHCI-mode SATA patch for Intel Avoton DeviceIDs commit 29e674dd5c8e781589f09c3ee139c80f6da274e4 upstream. This patch adds the AHCI and RAID-mode SATA DeviceIDs for the Intel Avoton SOC. Signed-off-by: Seth Heasley Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 19be8a03ba658e620ac6a5e3d51fbbf2b8b03ecf Author: James Ralston Date: Fri Feb 8 17:24:12 2013 -0800 ata_piix: Add Device IDs for Intel Wellsburg PCH commit 3aee8bc52c415aba8148f144e5e5359b0fd75dd1 upstream. This patch adds the IDE-mode SATA Device IDs for the Intel Wellsburg PCH Signed-off-by: James Ralston Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 1b6a883f5d96e03cb3a23034164cc77ac265354a Author: Seth Heasley Date: Fri Jan 25 11:57:05 2013 -0800 ata_piix: IDE-mode SATA patch for Intel Avoton DeviceIDs commit aaa515277db9585eeb4fdeb4637b9f9df50a1dd9 upstream. This patch adds the IDE-mode SATA DeviceIDs for the Intel Avoton SOC. Signed-off-by: Seth Heasley Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 9cb9a5913b9217b8ac94d06905a8a27afe3ea0a2 Author: Ian Abbott Date: Wed Feb 27 10:56:19 2013 +0000 staging: comedi: check s->async for poll(), read() and write() commit cc400e185c07c15a42d2635995f422de5b94b696 upstream. Some low-level comedi drivers (incorrectly) point `dev->read_subdev` or `dev->write_subdev` to a subdevice that does not support asynchronous commands. Comedi's poll(), read() and write() file operation handlers assume these subdevices do support asynchronous commands. In particular, they assume `s->async` is valid (where `s` points to the read or write subdevice), which it won't be if it has been set incorrectly. This can lead to a NULL pointer dereference. Check `s->async` is non-NULL in `comedi_poll()`, `comedi_read()` and `comedi_write()` to avoid the bug. Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman commit 30f3a0a711a2d86050c333b3cd2128fc8e0787f7 Author: Joseph Salisbury Date: Tue Feb 5 00:16:29 2013 +0000 ACPI: Add DMI entry for Sony VGN-FW41E_H commit 66f2fda93b67fa744d406e6dcf443f67bac204b6 upstream. This patch adds a quirk to allow the Sony VGN-FW41E_H to suspend/resume properly. References: http://bugs.launchpad.net/bugs/1113547 Signed-off-by: Joseph Salisbury Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 1564220437d4e77154d3e9fbdccf039d60c60a68 Author: Rajanikanth H.V Date: Wed Jan 23 09:56:45 2013 +0530 ab8500_btemp: Demote initcall sequence commit eeb0751c99522a4d1bbcc7b6bc1460cd07d07488 upstream. Power supply subsystem creates thermal zone device for the property 'POWER_SUPPLY_PROP_TEMP' which requires thermal subsystem to be ready before 'ab8500 battery temperature monitor' driver is initialized. ab8500 btemp driver is initialized with subsys_initcall whereas thermal subsystem is initialized with fs_initcall which causes thermal_zone_device_register(...) to crash since the required structure 'thermal_class' is not initialized yet: Unable to handle kernel NULL pointer dereference at virtual address 000000a4 pgd = c0004000 [000000a4] *pgd=00000000 Internal error: Oops: 5 [#1] PREEMPT SMP ARM Modules linked in: CPU: 0 Tainted: G W (3.8.0-rc4-00001-g632fda8-dirty #1) PC is at _raw_spin_lock+0x18/0x54 LR is at get_device_parent+0x50/0x1b8 pc : [] lr : [] psr: 60000013 sp : ef04bdc8 ip : 00000000 fp : c0446180 r10: ef216e38 r9 : c03af5d0 r8 : ef275c18 r7 : 00000000 r6 : c0476c14 r5 : ef275c18 r4 : ef095840 r3 : ef04a000 r2 : 00000001 r1 : 00000000 r0 : 000000a4 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel Control: 10c5787d Table: 0000404a DAC: 00000015 Process swapper/0 (pid: 1, stack limit = 0xef04a238) Stack: (0xef04bdc8 to 0xef04c000) [...] [] (_raw_spin_lock+0x18/0x54) from [] (get_device_parent+0x50/0x1b8) [] (get_device_parent+0x50/0x1b8) from [] (device_add+0xa4/0x574) [] (device_add+0xa4/0x574) from [] (thermal_zone_device_register+0x118/0x938) [] (thermal_zone_device_register+0x118/0x938) from [] (power_supply_register+0x170/0x1f8) [] (power_supply_register+0x170/0x1f8) from [] (ab8500_btemp_probe+0x208/0x47c) [] (ab8500_btemp_probe+0x208/0x47c) from [] (platform_drv_probe+0x14/0x18) [] (platform_drv_probe+0x14/0x18) from [] (driver_probe_device+0x74/0x20c) [] (driver_probe_device+0x74/0x20c) from [] (__driver_attach+0x8c/0x90) [] (__driver_attach+0x8c/0x90) from [] (bus_for_each_dev+0x4c/0x80) [] (bus_for_each_dev+0x4c/0x80) from [] (bus_add_driver+0x16c/0x23c) [] (bus_add_driver+0x16c/0x23c) from [] (driver_register+0x78/0x14c) [] (driver_register+0x78/0x14c) from [] (do_one_initcall+0xfc/0x164) [] (do_one_initcall+0xfc/0x164) from [] (kernel_init+0x120/0x2b8) [] (kernel_init+0x120/0x2b8) from [] (ret_from_fork+0x14/0x3c) Code: e3c3303f e5932004 e2822001 e5832004 (e1903f9f) ---[ end trace ed9df72941b5bada ]--- Signed-off-by: Rajanikanth H.V Signed-off-by: Anton Vorontsov Signed-off-by: Greg Kroah-Hartman commit 71b9101a2b66f46703573c0a4aeca91b92038dbc Author: Lee Jones Date: Thu Jan 17 14:21:53 2013 +0000 ab8500-chargalg: Only root should have write permission on sysfs file commit e3455002d04276c256a531f7175dce0f7d1cb78a upstream. Only root should have write permission on sysfs file ab8500_chargalg/chargalg. Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit eddf61b2363eb515138aa7fd1627c1747f269131 Author: NeilBrown Date: Sun Dec 2 20:34:21 2012 +1100 bq27x00_battery: Fix bugs introduced with BQ27425 support commit bde83b9a6b44c1e0fd872e57ecc869cfcf88538f upstream. commit a66f59ba2e994bf70274ef0513e24e0e7ae20c63 bq27x00_battery: Add support for BQ27425 chip introduced 2 bugs. 1/ 'chip' was set to BQ27425 unconditionally - breaking support for other devices; 2/ BQ27425 does not support cycle count, how the code still tries to get the cycle count for BQ27425, and now does it twice for other chips. Signed-off-by: NeilBrown Cc: Saranya Gopal Signed-off-by: Anton Vorontsov Signed-off-by: Greg Kroah-Hartman commit ec463f0ca581308b1a46ae4bfbe7faeb8ea3c378 Author: Li Zefan Date: Thu Jan 24 14:43:28 2013 +0800 cgroup: fix exit() vs rmdir() race commit 71b5707e119653039e6e95213f00479668c79b75 upstream. In cgroup_exit() put_css_set_taskexit() is called without any lock, which might lead to accessing a freed cgroup: thread1 thread2 --------------------------------------------- exit() cgroup_exit() put_css_set_taskexit() atomic_dec(cgrp->count); rmdir(); /* not safe !! */ check_for_release(cgrp); rcu_read_lock() can be used to make sure the cgroup is alive. Signed-off-by: Li Zefan Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit b19c8d0b4c18448006ce960d1c2a3902c481f9b9 Author: Li Zefan Date: Fri Jan 25 16:08:01 2013 +0800 cpuset: fix cpuset_print_task_mems_allowed() vs rename() race commit 63f43f55c9bbc14f76b582644019b8a07dc8219a upstream. rename() will change dentry->d_name. The result of this race can be worse than seeing partially rewritten name, but we might access a stale pointer because rename() will re-allocate memory to hold a longer name. It's safe in the protection of dentry->d_lock. v2: check NULL dentry before acquiring dentry lock. Signed-off-by: Li Zefan Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 225234a28f6f7655ae3ed5bfbba536d0468209bd Author: Seiji Aguchi Date: Fri Jan 11 18:09:41 2013 +0000 pstore: Avoid deadlock in panic and emergency-restart path commit 9f244e9cfd70c7c0f82d3c92ce772ab2a92d9f64 upstream. [Issue] When pstore is in panic and emergency-restart paths, it may be blocked in those paths because it simply takes spin_lock. This is an example scenario which pstore may hang up in a panic path: - cpuA grabs psinfo->buf_lock - cpuB panics and calls smp_send_stop - smp_send_stop sends IRQ to cpuA - after 1 second, cpuB gives up on cpuA and sends an NMI instead - cpuA is now in an NMI handler while still holding buf_lock - cpuB is deadlocked This case may happen if a firmware has a bug and cpuA is stuck talking with it more than one second. Also, this is a similar scenario in an emergency-restart path: - cpuA grabs psinfo->buf_lock and stucks in a firmware - cpuB kicks emergency-restart via either sysrq-b or hangcheck timer. And then, cpuB is deadlocked by taking psinfo->buf_lock again. [Solution] This patch avoids the deadlocking issues in both panic and emergency_restart paths by introducing a function, is_non_blocking_path(), to check if a cpu can be blocked in current path. With this patch, pstore is not blocked even if another cpu has taken a spin_lock, in those paths by changing from spin_lock_irqsave to spin_trylock_irqsave. In addition, according to a comment of emergency_restart() in kernel/sys.c, spin_lock shouldn't be taken in an emergency_restart path to avoid deadlock. This patch fits the comment below. /** * emergency_restart - reboot the system * * Without shutting down any hardware or taking any locks * reboot the system. This is called when we know we are in * trouble so this is our best effort to reboot. This is * safe to call in interrupt context. */ void emergency_restart(void) Signed-off-by: Seiji Aguchi Acked-by: Don Zickus Signed-off-by: Tony Luck Cc: CAI Qian Signed-off-by: Greg Kroah-Hartman commit e50e7d633e76caf48ca5341a9679fcfdd1318d80 Author: Tejun Heo Date: Tue Dec 18 10:35:02 2012 -0800 workqueue: consider work function when searching for busy work items commit a2c1c57be8d9fd5b716113c8991d3d702eeacf77 upstream. To avoid executing the same work item concurrenlty, workqueue hashes currently busy workers according to their current work items and looks up the the table when it wants to execute a new work item. If there already is a worker which is executing the new work item, the new item is queued to the found worker so that it gets executed only after the current execution finishes. Unfortunately, a work item may be freed while being executed and thus recycled for different purposes. If it gets recycled for a different work item and queued while the previous execution is still in progress, workqueue may make the new work item wait for the old one although the two aren't really related in any way. In extreme cases, this false dependency may lead to deadlock although it's extremely unlikely given that there aren't too many self-freeing work item users and they usually don't wait for other work items. To alleviate the problem, record the current work function in each busy worker and match it together with the work item address in find_worker_executing_work(). While this isn't complete, it ensures that unrelated work items don't interact with each other and in the very unlikely case where a twisted wq user triggers it, it's always onto itself making the culprit easy to spot. Signed-off-by: Tejun Heo Reported-by: Andrey Isakov Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=51701 Cc: stable@vger.kernel.org commit c205ae0e166fa0fdfdfb2cb55a4fc597b0dd68be Author: Miklos Szeredi Date: Mon Feb 4 15:57:42 2013 +0100 fuse: don't WARN when nlink is zero commit dfca7cebc2679f3d129f8e680a8f199a7ad16e38 upstream. drop_nlink() warns if nlink is already zero. This is triggerable by a buggy userspace filesystem. The cure, I think, is worse than the disease so disable the warning. Reported-by: Tero Roponen Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit d62365d15278c2e3bdd17b413620264c74590ee6 Author: Fernando Luis Vázquez Cao Date: Tue Jan 22 15:20:38 2013 +0900 HID: clean up quirk for Sony RF receivers commit 99d249021abd4341771523ed8dd7946276103432 upstream. Document what the fix-up is does and make it more robust by ensuring that it is only applied to the USB interface that corresponds to the mouse (sony_report_fixup() is called once per interface during probing). Signed-off-by: Fernando Luis Vazquez Cao Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 9637341b0dc61b1f541e6eeb8dd2dfee3c9c8245 Author: Fernando Luis Vázquez Cao Date: Tue Jan 15 19:40:48 2013 +0900 HID: add support for Sony RF receiver with USB product id 0x0374 commit a464918419f94a0043d2f549d6defb4c3f69f68a upstream. Some Vaio desktop computers, among them the VGC-LN51JGB multimedia PC, have a RF receiver, multi-interface USB device 054c:0374, that is used to connect a wireless keyboard and a wireless mouse. The keyboard works flawlessly, but the mouse (VGP-WMS3 in my case) does not seem to be generating any pointer events. The problem is that the mouse pointer is wrongly declared as a constant non-data variable in the report descriptor (see lsusb and usbhid-dump output below), with the consequence that it is ignored by the HID code. Add this device to the have-special-driver list and fix up the report descriptor in the Sony-specific driver which happens to already have a fixup for a similar firmware bug. # lsusb -vd 054C:0374 Bus 003 Device 002: ID 054c:0374 Sony Corp. Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 idVendor 0x054c Sony Corp. idProduct 0x0374 iSerial 0 [...] Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 3 Human Interface Device bInterfaceSubClass 1 Boot Interface Subclass bInterfaceProtocol 2 Mouse iInterface 2 RF Receiver [...] Report Descriptor: (length is 100) [...] Item(Global): Usage Page, data= [ 0x01 ] 1 Generic Desktop Controls Item(Local ): Usage, data= [ 0x30 ] 48 Direction-X Item(Local ): Usage, data= [ 0x31 ] 49 Direction-Y Item(Global): Report Count, data= [ 0x02 ] 2 Item(Global): Report Size, data= [ 0x08 ] 8 Item(Global): Logical Minimum, data= [ 0x81 ] 129 Item(Global): Logical Maximum, data= [ 0x7f ] 127 Item(Main ): Input, data= [ 0x07 ] 7 Constant Variable Relative No_Wrap Linear Preferred_State No_Null_Position Non_Volatile Bitfield # usbhid-dump 003:002:001:DESCRIPTOR 1357910009.758544 05 01 09 02 A1 01 05 01 09 02 A1 02 85 01 09 01 A1 00 05 09 19 01 29 05 95 05 75 01 15 00 25 01 81 02 75 03 95 01 81 01 05 01 09 30 09 31 95 02 75 08 15 81 25 7F 81 07 A1 02 85 01 09 38 35 00 45 00 15 81 25 7F 95 01 75 08 81 06 C0 A1 02 85 01 05 0C 15 81 25 7F 95 01 75 08 0A 38 02 81 06 C0 C0 C0 C0 Signed-off-by: Fernando Luis Vazquez Cao Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit acb9bc5fb5a7fb6051002633a430c1a977388912 Author: J. Bruce Fields Date: Sun Feb 10 16:08:11 2013 -0500 svcrpc: fix rpc server shutdown races commit cc630d9f476445927fca599f81182c7f06f79058 upstream. Rewrite server shutdown to remove the assumption that there are no longer any threads running (no longer true, for example, when shutting down the service in one network namespace while it's still running in others). Do that by doing what we'd do in normal circumstances: just CLOSE each socket, then enqueue it. Since there may not be threads to handle the resulting queued xprts, also run a simplified version of the svc_recv() loop run by a server to clean up any closed xprts afterwards. Tested-by: Jason Tibbitts Tested-by: Paweł Sikora Acked-by: Stanislav Kinsbursky Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit cc5e7bc758e2d0e06d2b21ca0fd13144210735e5 Author: J. Bruce Fields Date: Sun Feb 10 11:33:48 2013 -0500 svcrpc: make svc_age_temp_xprts enqueue under sv_lock commit e75bafbff2270993926abcc31358361db74a9bc2 upstream. svc_age_temp_xprts expires xprts in a two-step process: first it takes the sv_lock and moves the xprts to expire off their server-wide list (sv_tempsocks or sv_permsocks) to a local list. Then it drops the sv_lock and enqueues and puts each one. I see no reason for this: svc_xprt_enqueue() will take sp_lock, but the sv_lock and sp_lock are not otherwise nested anywhere (and documentation at the top of this file claims it's correct to nest these with sp_lock inside.) Tested-by: Jason Tibbitts Tested-by: Paweł Sikora Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit d7bfb00023c660210c3fa106b444e422bce1ed5e Author: majianpeng Date: Tue Jan 29 13:16:06 2013 +0800 nfsd: Fix memleak commit 2d32b29a1c2830f7c42caa8258c714acd983961f upstream. When free nfs-client, it must free the ->cl_stateids. Signed-off-by: Jianpeng Ma Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 0ff827cf5d03a542c09aecadbb6a2b9e449263f5 Author: Lukas Czerner Date: Fri Feb 22 15:27:52 2013 -0500 ext4: fix free clusters calculation in bigalloc filesystem commit 304e220f0879198b1f5309ad6f0be862b4009491 upstream. ext4_has_free_clusters() should tell us whether there is enough free clusters to allocate, however number of free clusters in the file system is converted to blocks using EXT4_C2B() which is not only wrong use of the macro (we should have used EXT4_NUM_B2C) but it's also completely wrong concept since everything else is in cluster units. Moreover when calculating number of root clusters we should be using macro EXT4_NUM_B2C() instead of EXT4_B2C() otherwise the result might be off by one. However r_blocks_count should always be a multiple of the cluster ratio so doing a plain bit shift should be enough here. We avoid using EXT4_B2C() because it's confusing. As a result of the first problem number of free clusters is much bigger than it should have been and ext4_has_free_clusters() would return 1 even if there is really not enough free clusters available. Fix this by removing the EXT4_C2B() conversion of free clusters and using bit shift when calculating number of root clusters. This bug affects number of xfstests tests covering file system ENOSPC situation handling. With this patch most of the ENOSPC problems with bigalloc file system disappear, especially the errors caused by delayed allocation not having enough space when the actual allocation is finally requested. Signed-off-by: Lukas Czerner Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 808b5ab0e71e25d2df99b1fecfd000a112bbaedd Author: Lukas Czerner Date: Mon Feb 18 12:12:07 2013 -0500 ext4: fix xattr block allocation/release with bigalloc commit 1231b3a1eb5740192aeebf5344dd6d6da000febf upstream. Currently when new xattr block is created or released we we would call dquot_free_block() or dquot_alloc_block() respectively, among the else decrementing or incrementing the number of blocks assigned to the inode by one block. This however does not work for bigalloc file system because we always allocate/free the whole cluster so we have to count with that in dquot_free_block() and dquot_alloc_block() as well. Use the clusters-to-blocks conversion EXT4_C2B() when passing number of blocks to the dquot_alloc/free functions to fix the problem. The problem has been revealed by xfstests #117 (and possibly others). Signed-off-by: Lukas Czerner Signed-off-by: "Theodore Ts'o" Reviewed-by: Eric Sandeen Signed-off-by: Greg Kroah-Hartman commit 8a6a8f044a39224fa29b0a0f11092858258194e0 Author: Niu Yawei Date: Fri Feb 1 21:31:27 2013 -0500 ext4: fix race in ext4_mb_add_n_trim() commit f1167009711032b0d747ec89a632a626c901a1ad upstream. In ext4_mb_add_n_trim(), lg_prealloc_lock should be taken when changing the lg_prealloc_list. Signed-off-by: Niu Yawei Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit bcd7f174b550763c3d632a602b1c039e5afd53c6 Author: Theodore Ts'o Date: Thu Jan 24 23:24:54 2013 -0500 ext4: release sysfs kobject when failing to enable quotas on mount commit 72ba74508b2857e71d65fc93f0d6b684492fc740 upstream. In addition, print the error returned from ext4_enable_quotas() Signed-off-by: "Theodore Ts'o" Reviewed-by: Carlos Maiolino Signed-off-by: Greg Kroah-Hartman commit 70d31ea833f3ac9f3cbdf3b819ef25b6cbbeb8be Author: Eryu Guan Date: Sat Jan 12 16:33:25 2013 -0500 ext4: check bh in ext4_read_block_bitmap() commit 15b49132fc972c63894592f218ea5a9a61b1a18f upstream. Validate the bh pointer before using it, since ext4_read_block_bitmap_nowait() might return NULL. I've seen this in fsfuzz testing. EXT4-fs error (device loop0): ext4_read_block_bitmap_nowait:385: comm touch: Cannot get buffer for block bitmap - block_group = 0, block_bitmap = 3925999616 BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] ext4_wait_block_bitmap+0x25/0xe0 ... Call Trace: [] ext4_read_block_bitmap+0x35/0x60 [] ext4_free_blocks+0x236/0xb80 [] ? __getblk+0x36/0x70 [] ? __find_get_block+0x8f/0x210 [] ? kmem_cache_free+0x33/0x140 [] ext4_xattr_release_block+0x1b5/0x1d0 [] ext4_xattr_delete_inode+0xbe/0x100 [] ext4_free_inode+0x7c/0x4d0 [] ? ext4_mark_inode_dirty+0x88/0x230 [] ext4_evict_inode+0x32c/0x490 [] evict+0xa7/0x1c0 [] iput_final+0xe3/0x170 [] iput+0x3e/0x50 [] ext4_add_nondir+0x4d/0x90 [] ext4_create+0xeb/0x170 [] vfs_create+0xac/0xd0 [] lookup_open+0x185/0x1c0 [] ? selinux_inode_permission+0xa9/0x170 [] do_last+0x2d4/0x7a0 [] path_openat+0xb3/0x480 [] ? handle_mm_fault+0x251/0x3b0 [] do_filp_open+0x49/0xa0 [] ? __alloc_fd+0xdd/0x150 [] do_sys_open+0x108/0x1f0 [] sys_open+0x21/0x30 [] system_call_fastpath+0x16/0x1b Also fix comment for ext4_read_block_bitmap_nowait() Signed-off-by: Eryu Guan Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 94bd696b65ded45d57f4a9563edf4e8b77dc070f Author: Theodore Ts'o Date: Sat Jan 12 16:19:36 2013 -0500 ext4: return ENOMEM if sb_getblk() fails commit 860d21e2c585f7ee8a4ecc06f474fdc33c9474f4 upstream. The only reason for sb_getblk() failing is if it can't allocate the buffer_head. So ENOMEM is more appropriate than EIO. In addition, make sure that the file system is marked as being inconsistent if sb_getblk() fails. Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 84d239fa2e3c0ab232577774dd35596b049de235 Author: Dan Carpenter Date: Tue Nov 27 13:35:09 2012 -0300 media: rc: unlock on error in show_protocols() commit 30ebc5e44d057a1619ad63fe32c8c1670c37c4b8 upstream. We recently introduced a new return -ENODEV in this function but we need to unlock before returning. [mchehab@redhat.com: found two patches with the same fix. Merged SOB's/acks into one patch] Acked-by: Herton R. Krzesinski Signed-off-by: Dan Carpenter Signed-off-by: Douglas Bagnall Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 1952a8d9fb1c7f042c6b3733ce06dc929a0d6b73 Author: Al Viro Date: Sun Dec 16 16:04:46 2012 -0300 media: omap_vout: find_vma() needs ->mmap_sem held commit 55ee64b30a38d688232e5eb2860467dddc493573 upstream. Walking rbtree while it's modified is a Bad Idea(tm); besides, the result of find_vma() can be freed just as it's getting returned to caller. Fortunately, it's easy to fix - just take ->mmap_sem a bit earlier (and don't bother with find_vma() at all if virtp >= PAGE_OFFSET - in that case we don't even look at its result). While we are at it, what prevents VIDIOC_PREPARE_BUF calling v4l_prepare_buf() -> (e.g) vb2_ioctl_prepare_buf() -> vb2_prepare_buf() -> __buf_prepare() -> __qbuf_userptr() -> vb2_vmalloc_get_userptr() -> find_vma(), AFAICS without having taken ->mmap_sem anywhere in process? The code flow is bloody convoluted and depends on a bunch of things done by initialization, so I certainly might've missed something... Signed-off-by: Al Viro Cc: Sakari Ailus Cc: Laurent Pinchart Cc: Archit Taneja Cc: Prabhakar Lad Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 59af41c9012ea4aeaae5904b5c671aef69762f8f Author: Laurent Pinchart Date: Sat Nov 24 21:35:48 2012 -0300 media: v4l: Reset subdev v4l2_dev field to NULL if registration fails commit 317efce991620adc589b3005b9baed433dcb2a56 upstream. When subdev registration fails the subdev v4l2_dev field is left to a non-NULL value. Later calls to v4l2_device_unregister_subdev() will consider the subdev as registered and will module_put() the subdev module without any matching module_get(). Fix this by setting the subdev v4l2_dev field to NULL in v4l2_device_register_subdev() when the function fails. Signed-off-by: Laurent Pinchart Acked-by: Sylwester Nawrocki Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 6afda116f93e0af68ef466304aca0483f5ff87d5 Author: Hans Verkuil Date: Sat Feb 9 05:40:10 2013 -0300 media: cx18/ivtv: fix regression: remove __init from a non-init function commit cfb046cb800ba306b211fbbe4ac633486e11055f upstream. Commits 5e6e81b2890db3969527772a8350825a85c22d5c (cx18) and 2aebbf6737212265b917ed27c875c59d3037110a (ivtv) added an __init annotation to the cx18-alsa-load and ivtv-alsa-load functions. However, these functions are called *after* initialization by the main cx18/ivtv driver. By that time the memory containing those functions is already freed and your machine goes BOOM. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 3aa7a4669eabfaa67a2915cd116413e2e4e162e4 Author: Jan Kara Date: Tue Jan 29 22:48:17 2013 -0500 ext4: fix possible use-after-free with AIO commit 091e26dfc156aeb3b73bc5c5f277e433ad39331c upstream. Running AIO is pinning inode in memory using file reference. Once AIO is completed using aio_complete(), file reference is put and inode can be freed from memory. So we have to be sure that calling aio_complete() is the last thing we do with the inode. Reviewed-by: Carlos Maiolino Acked-by: Jeff Moyer Signed-off-by: Jan Kara Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit a50f81417a3a08d843a2da3bea16a03f4d593783 Author: Jan Kara Date: Wed Jan 30 00:28:01 2013 +0100 fs: Fix possible use-after-free with AIO commit 54c807e71d5ac59dee56c685f2b66e27cd54c475 upstream. Running AIO is pinning inode in memory using file reference. Once AIO is completed using aio_complete(), file reference is put and inode can be freed from memory. So we have to be sure that calling aio_complete() is the last thing we do with the inode. Acked-by: Jeff Moyer CC: Christoph Hellwig CC: Jens Axboe CC: Jeff Moyer Signed-off-by: Jan Kara Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit f9cf4f43eb21f39d69f0d0846166d87279234cd0 Author: Paolo Bonzini Date: Wed Feb 27 17:05:25 2013 -0800 nbd: fsync and kill block device on shutdown commit 3a2d63f87989e01437ba994df5f297528c353d7d upstream. There are two problems with shutdown in the NBD driver. 1: Receiving the NBD_DISCONNECT ioctl does not sync the filesystem. This patch adds the sync operation into __nbd_ioctl()'s NBD_DISCONNECT handler. This is useful because BLKFLSBUF is restricted to processes that have CAP_SYS_ADMIN, and the NBD client may not possess it (fsync of the block device does not sync the filesystem, either). 2: Once we clear the socket we have no guarantee that later reads will come from the same backing storage. The patch adds calls to kill_bdev() in __nbd_ioctl()'s socket clearing code so the page cache is cleaned, lest reads that hit on the page cache will return stale data from the previously-accessible disk. Example: # qemu-nbd -r -c/dev/nbd0 /dev/sr0 # file -s /dev/nbd0 /dev/stdin: # UDF filesystem data (version 1.5) etc. # qemu-nbd -d /dev/nbd0 # qemu-nbd -r -c/dev/nbd0 /dev/sda # file -s /dev/nbd0 /dev/stdin: # UDF filesystem data (version 1.5) etc. While /dev/sda has: # file -s /dev/sda /dev/sda: x86 boot sector; etc. Signed-off-by: Paolo Bonzini Acked-by: Paul Clements Cc: Alex Bligh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 603e070fed3c15250c98b5de8af1db0f0647ff3c Author: Xi Wang Date: Wed Feb 27 17:05:21 2013 -0800 sysctl: fix null checking in bin_dn_node_address() commit df1778be1a33edffa51d094eeda87c858ded6560 upstream. The null check of `strchr() + 1' is broken, which is always non-null, leading to OOB read. Instead, check the result of strchr(). Signed-off-by: Xi Wang Cc: "Eric W. Biederman" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit fd9471ef7e6ee38a7f29f5556928ddf4824f8bdd Author: Tejun Heo Date: Wed Feb 27 17:04:04 2013 -0800 firewire: add minor number range check to fw_device_init() commit 3bec60d511179853138836ae6e1b61fe34d9235f upstream. fw_device_init() didn't check whether the allocated minor number isn't too large. Fail if it goes overflows MINORBITS. Signed-off-by: Tejun Heo Suggested-by: Stefan Richter Acked-by: Stefan Richter Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ca4e7610b166ff557a5f357bac6f12ec66a1ac1a Author: Tejun Heo Date: Wed Feb 27 17:03:56 2013 -0800 block: fix synchronization and limit check in blk_alloc_devt() commit ce23bba842aee98092225d9576dba47c82352521 upstream. idr allocation in blk_alloc_devt() wasn't synchronized against lookup and removal, and its limit check was off by one - 1 << MINORBITS is the number of minors allowed, not the maximum allowed minor. Add locking and rename MAX_EXT_DEVT to NR_EXT_DEVT and fix limit checking. Signed-off-by: Tejun Heo Acked-by: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit bf9493433113145c9aa9a622d0c9dcc7b51c5d83 Author: Tejun Heo Date: Wed Feb 27 17:03:34 2013 -0800 idr: fix a subtle bug in idr_get_next() commit 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 upstream. The iteration logic of idr_get_next() is borrowed mostly verbatim from idr_for_each(). It walks down the tree looking for the slot matching the current ID. If the matching slot is not found, the ID is incremented by the distance of single slot at the given level and repeats. The implementation assumes that during the whole iteration id is aligned to the layer boundaries of the level closest to the leaf, which is true for all iterations starting from zero or an existing element and thus is fine for idr_for_each(). However, idr_get_next() may be given any point and if the starting id hits in the middle of a non-existent layer, increment to the next layer will end up skipping the same offset into it. For example, an IDR with IDs filled between [64, 127] would look like the following. [ 0 64 ... ] /----/ | | | NULL [ 64 ... 127 ] If idr_get_next() is called with 63 as the starting point, it will try to follow down the pointer from 0. As it is NULL, it will then try to proceed to the next slot in the same level by adding the slot distance at that level which is 64 - making the next try 127. It goes around the loop and finds and returns 127 skipping [64, 126]. Note that this bug also triggers in idr_for_each_entry() loop which deletes during iteration as deletions can make layers go away leaving the iteration with unaligned ID into missing layers. Fix it by ensuring proceeding to the next slot doesn't carry over the unaligned offset - ie. use round_up(id + 1, slot_distance) instead of id += slot_distance. Signed-off-by: Tejun Heo Reported-by: David Teigland Cc: KAMEZAWA Hiroyuki Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit dfd7c4e87378a9d9d7087df5c0e11aa34c1b8231 Author: Roger Pau Monne Date: Thu Feb 14 11:12:09 2013 +0100 xen-blkback: use balloon pages for persistent grants commit 087ffecdaa1875cc683a7a5bc0695b3ebfce3bad upstream. With current persistent grants implementation we are not freeing the persistent grants after we disconnect the device. Since grant map operations change the mfn of the allocated page, and we can no longer pass it to __free_page without setting the mfn to a sane value, use balloon grant pages instead, as the gntdev device does. Signed-off-by: Roger Pau Monné Cc: Konrad Rzeszutek Wilk Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit a4c06c2a9b1cfdd6f0e310f93de35549cb72fec8 Author: Konrad Rzeszutek Wilk Date: Wed Feb 13 13:01:55 2013 -0500 xen-blkfront: drop the use of llist_for_each_entry_safe commit f84adf4921ae3115502f44ff467b04bf2f88cf04 upstream. Replace llist_for_each_entry_safe with a while loop. llist_for_each_entry_safe can trigger a bug in GCC 4.1, so it's best to remove it and use a while loop and do the deletion manually. Specifically this bug can be triggered by hot-unplugging a disk, either by doing xm block-detach or by save/restore cycle. BUG: unable to handle kernel paging request at fffffffffffffff0 IP: [] blkif_free+0x63/0x130 [xen_blkfront] The crash call trace is: ... bad_area_nosemaphore+0x13/0x20 do_page_fault+0x25e/0x4b0 page_fault+0x25/0x30 ? blkif_free+0x63/0x130 [xen_blkfront] blkfront_resume+0x46/0xa0 [xen_blkfront] xenbus_dev_resume+0x6c/0x140 pm_op+0x192/0x1b0 device_resume+0x82/0x1e0 dpm_resume+0xc9/0x1a0 dpm_resume_end+0x15/0x30 do_suspend+0x117/0x1e0 When drilling down to the assembler code, on newer GCC it does .L29: cmpq $-16, %r12 #, persistent_gnt check je .L30 #, out of the loop .L25: ... code in the loop testq %r13, %r13 # n je .L29 #, back to the top of the loop cmpq $-16, %r12 #, persistent_gnt check movq 16(%r12), %r13 # .node.next, n jne .L25 #, back to the top of the loop .L30: While on GCC 4.1, it is: L78: ... code in the loop testq %r13, %r13 # n je .L78 #, back to the top of the loop movq 16(%rbx), %r13 # .node.next, n jmp .L78 #, back to the top of the loop Which basically means that the exit loop condition instead of being: &(pos)->member != NULL; is: ; which makes the loop unbound. Since xen-blkfront is the only user of the llist_for_each_entry_safe macro remove it from llist.h. Orabug: 16263164 Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit ef56ca64ea733c3b88f0bb74b04da128b1dc35d8 Author: Konrad Rzeszutek Wilk Date: Wed Jan 16 11:36:23 2013 -0500 xen/blkback: Don't trust the handle from the frontend. commit 01c681d4c70d64cb72142a2823f27c4146a02e63 upstream. The 'handle' is the device that the request is from. For the life-time of the ring we copy it from a request to a response so that the frontend is not surprised by it. But we do not need it - when we start processing I/Os we have our own 'struct phys_req' which has only most essential information about the request. In fact the 'vbd_translate' ends up over-writing the preq.dev with a value from the backend. This assignment of preq.dev with the 'handle' value is superfluous so lets not do it. Acked-by: Jan Beulich Acked-by: Ian Campbell Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit 55782573e878c563a9a8e080be353e6e963327dc Author: Jan Beulich Date: Thu Dec 20 10:31:11 2012 +0000 xen-blkback: do not leak mode property commit 9d092603cc306ee6edfe917bf9ab8beb5f32d7bc upstream. "be->mode" is obtained from xenbus_read(), which does a kmalloc() for the message body. The short string is never released, so do it along with freeing "be" itself, and make sure the string isn't kept when backend_changed() doesn't complete successfully (which made it desirable to slightly re-structure that function, so that the error cleanup can be done in one place). Reported-by: Olaf Hering Signed-off-by: Jan Beulich Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Greg Kroah-Hartman commit c5799187ac9e45170a0ddfe1df074227b9a0b8f6 Author: Tomas Henzl Date: Wed Feb 27 17:03:32 2013 -0800 block: fix ext_devt_idr handling commit 7b74e912785a11572da43292786ed07ada7e3e0c upstream. While adding and removing a lot of disks disks and partitions this sometimes shows up: WARNING: at fs/sysfs/dir.c:512 sysfs_add_one+0xc9/0x130() (Not tainted) Hardware name: sysfs: cannot create duplicate filename '/dev/block/259:751' Modules linked in: raid1 autofs4 bnx2fc cnic uio fcoe libfcoe libfc 8021q scsi_transport_fc scsi_tgt garp stp llc sunrpc cpufreq_ondemand powernow_k8 freq_table mperf ipv6 dm_mirror dm_region_hash dm_log power_meter microcode dcdbas serio_raw amd64_edac_mod edac_core edac_mce_amd i2c_piix4 i2c_core k10temp bnx2 sg ixgbe dca mdio ext4 mbcache jbd2 dm_round_robin sr_mod cdrom sd_mod crc_t10dif ata_generic pata_acpi pata_atiixp ahci mptsas mptscsih mptbase scsi_transport_sas dm_multipath dm_mod [last unloaded: scsi_wait_scan] Pid: 44103, comm: async/16 Not tainted 2.6.32-195.el6.x86_64 #1 Call Trace: warn_slowpath_common+0x87/0xc0 warn_slowpath_fmt+0x46/0x50 sysfs_add_one+0xc9/0x130 sysfs_do_create_link+0x12b/0x170 sysfs_create_link+0x13/0x20 device_add+0x317/0x650 idr_get_new+0x13/0x50 add_partition+0x21c/0x390 rescan_partitions+0x32b/0x470 sd_open+0x81/0x1f0 [sd_mod] __blkdev_get+0x1b6/0x3c0 blkdev_get+0x10/0x20 register_disk+0x155/0x170 add_disk+0xa6/0x160 sd_probe_async+0x13b/0x210 [sd_mod] add_wait_queue+0x46/0x60 async_thread+0x102/0x250 default_wake_function+0x0/0x20 async_thread+0x0/0x250 kthread+0x96/0xa0 child_rip+0xa/0x20 kthread+0x0/0xa0 child_rip+0x0/0x20 This most likely happens because dev_t is freed while the number is still used and idr_get_new() is not protected on every use. The fix adds a mutex where it wasn't before and moves the dev_t free function so it is called after device del. Signed-off-by: Tomas Henzl Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 68719e23c62aff61969713cd2158dd0fa37d45cd Author: Xiaowei.Hu Date: Wed Feb 27 17:02:49 2013 -0800 ocfs2: ac->ac_allow_chain_relink=0 won't disable group relink commit 309a85b6861fedbb48a22d45e0e079d1be993b3a upstream. ocfs2_block_group_alloc_discontig() disables chain relink by setting ac->ac_allow_chain_relink = 0 because it grabs clusters from multiple cluster groups. It doesn't keep the credits for all chain relink,but ocfs2_claim_suballoc_bits overrides this in this call trace: ocfs2_block_group_claim_bits()->ocfs2_claim_clusters()-> __ocfs2_claim_clusters()->ocfs2_claim_suballoc_bits() ocfs2_claim_suballoc_bits set ac->ac_allow_chain_relink = 1; then call ocfs2_search_chain() one time and disable it again, and then we run out of credits. Fix is to allow relink by default and disable it in ocfs2_block_group_alloc_discontig. Without this patch, End-users will run into a crash due to run out of credits, backtrace like this: RIP: 0010:[] [] jbd2_journal_dirty_metadata+0x164/0x170 [jbd2] RSP: 0018:ffff8801b919b5b8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88022139ddc0 RCX: ffff880159f652d0 RDX: ffff880178aa3000 RSI: ffff880159f652d0 RDI: ffff880087f09bf8 RBP: ffff8801b919b5e8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000001e00 R11: 00000000000150b0 R12: ffff880159f652d0 R13: ffff8801a0cae908 R14: ffff880087f09bf8 R15: ffff88018d177800 FS: 00007fc9b0b6b6e0(0000) GS:ffff88022fd40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 000000000040819c CR3: 0000000184017000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process dd (pid: 9945, threadinfo ffff8801b919a000, task ffff880149a264c0) Call Trace: ocfs2_journal_dirty+0x2f/0x70 [ocfs2] ocfs2_relink_block_group+0x111/0x480 [ocfs2] ocfs2_search_chain+0x455/0x9a0 [ocfs2] ... Signed-off-by: Xiaowei.Hu Reviewed-by: Srinivas Eeda Cc: Mark Fasheh Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a13433e0e776879008e0e6ab851a975a65451f6f Author: Jeff Liu Date: Wed Feb 27 17:02:48 2013 -0800 ocfs2: fix ocfs2_init_security_and_acl() to initialize acl correctly commit 32918dd9f19e5960af4cdfa41190bb843fb2247b upstream. We need to re-initialize the security for a new reflinked inode with its parent dirs if it isn't specified to be preserved for ocfs2_reflink(). However, the code logic is broken at ocfs2_init_security_and_acl() although ocfs2_init_security_get() succeed. As a result, ocfs2_acl_init() does not involked and therefore the default ACL of parent dir was missing on the new inode. Note this was introduced by 9d8f13ba3 ("security: new security_inode_init_security API adds function callback") To reproduce: set default ACL for the parent dir(ocfs2 in this case): $ setfacl -m default:user:jeff:rwx ../ocfs2/ $ getfacl ../ocfs2/ # file: ../ocfs2/ # owner: jeff # group: jeff user::rwx group::r-x other::r-x default:user::rwx default:user:jeff:rwx default:group::r-x default:mask::rwx default:other::r-x $ touch a $ getfacl a # file: a # owner: jeff # group: jeff user::rw- group::rw- other::r-- Before patching, create reflink file b from a, the user default ACL entry(user:jeff:rwx)was missing: $ ./ocfs2_reflink a b $ getfacl b # file: b # owner: jeff # group: jeff user::rw- group::rw- other::r-- In this case, the end user can also observed an error message at syslog: (ocfs2_reflink,3229,2):ocfs2_init_security_and_acl:7193 ERROR: status = 0 After applying this patch, create reflink file c from a: $ ./ocfs2_reflink a c $ getfacl c # file: c # owner: jeff # group: jeff user::rw- user:jeff:rwx #effective:rw- group::r-x #effective:r-- mask::rw- other::r-- Test program: /* Usage: reflink */ #include #include #include #include #include #include #include #include #include static int reflink_file(char const *src_name, char const *dst_name, bool preserve_attrs) { int fd; #ifndef REFLINK_ATTR_NONE # define REFLINK_ATTR_NONE 0 #endif #ifndef REFLINK_ATTR_PRESERVE # define REFLINK_ATTR_PRESERVE 1 #endif #ifndef OCFS2_IOC_REFLINK struct reflink_arguments { uint64_t old_path; uint64_t new_path; uint64_t preserve; }; # define OCFS2_IOC_REFLINK _IOW ('o', 4, struct reflink_arguments) #endif struct reflink_arguments args = { .old_path = (unsigned long) src_name, .new_path = (unsigned long) dst_name, .preserve = preserve_attrs ? REFLINK_ATTR_PRESERVE : REFLINK_ATTR_NONE, }; fd = open(src_name, O_RDONLY); if (fd < 0) { fprintf(stderr, "Failed to open %s: %s\n", src_name, strerror(errno)); return -1; } if (ioctl(fd, OCFS2_IOC_REFLINK, &args) < 0) { fprintf(stderr, "Failed to reflink %s to %s: %s\n", src_name, dst_name, strerror(errno)); return -1; } } int main(int argc, char *argv[]) { if (argc != 3) { fprintf(stdout, "Usage: %s source dest\n", argv[0]); return 1; } return reflink_file(argv[1], argv[2], 0); } Signed-off-by: Jie Liu Reviewed-by: Tao Ma Cc: Mimi Zohar Cc: Joel Becker Cc: Mark Fasheh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 37a473985b8f697f7979ff1f9d24222a65db35c8 Author: Jan Kara Date: Wed Feb 20 13:16:39 2013 +1100 ocfs2: fix possible use-after-free with AIO commit 9b171e0c74ca0549d0610990a862dd895870f04a upstream. Running AIO is pinning inode in memory using file reference. Once AIO is completed using aio_complete(), file reference is put and inode can be freed from memory. So we have to be sure that calling aio_complete() is the last thing we do with the inode. Signed-off-by: Jan Kara Acked-by: Jeff Moyer Acked-by: Joel Becker Cc: Mark Fasheh Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 89651d99c93fea49a2fdc97e8fa7f3fa60094108 Author: Nicholas Bellinger Date: Mon Feb 18 18:31:37 2013 -0800 target: Add missing mapped_lun bounds checking during make_mappedlun setup commit fbbf8555a986ed31e54f006b6cc637ea4ff1425b upstream. This patch adds missing bounds checking for the configfs provided mapped_lun value during target_fabric_make_mappedlun() setup ahead of se_lun_acl initialization. This addresses a potential OOPs when using a mapped_lun value that exceeds the hardcoded TRANSPORT_MAX_LUNS_PER_TPG-1 value within se_node_acl->device_list[]. Reported-by: Jan Engelhardt Cc: Jan Engelhardt Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 62bfc5c9f00702407220c34cb3110c37d2353480 Author: Nicholas Bellinger Date: Mon Feb 18 18:00:33 2013 -0800 target: Fix lookup of dynamic NodeACLs during cached demo-mode operation commit fcf29481fb8e106daad6688f2e898226ee928992 upstream. This patch fixes a bug in core_tpg_check_initiator_node_acl() -> core_tpg_get_initiator_node_acl() where a dynamically created se_node_acl generated during session login would be skipped during subsequent lookup due to the '!acl->dynamic_node_acl' check, causing a new se_node_acl to be created with a duplicate ->initiatorname. This would occur when a fabric endpoint was configured with TFO->tpg_check_demo_mode()=1 + TPF->tpg_check_demo_mode_cache()=1 preventing the release of an existing se_node_acl during se_session shutdown. Also, drop the unnecessary usage of core_tpg_get_initiator_node_acl() within core_dev_init_initiator_node_lun_acl() that originally required the extra '!acl->dynamic_node_acl' check, and just pass the configfs provided se_node_acl pointer instead. Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 33bf3f11695ab4e5c4febd50adfb6e5441112261 Author: H. Peter Anvin Date: Wed Feb 27 12:46:40 2013 -0800 x86: Make sure we can boot in the case the BDA contains pure garbage commit 7c10093692ed2e6f318387d96b829320aa0ca64c upstream. On non-BIOS platforms it is possible that the BIOS data area contains garbage instead of being zeroed or something equivalent (firmware people: we are talking of 1.5K here, so please do the sane thing.) We need on the order of 20-30K of low memory in order to boot, which may grow up to < 64K in the future. We probably want to avoid the lowest of the low memory. At the same time, it seems extremely unlikely that a legitimate EBDA would ever reach down to the 128K (which would require it to be over half a megabyte in size.) Thus, pick 128K as the cutoff for "this is insane, ignore." We may still end up reserving a bunch of extra memory on the low megabyte, but that is not really a major issue these days. In the worst case we lose 512K of RAM. This code really should be merged with trim_bios_range() in arch/x86/kernel/setup.c, but that is a bigger patch for a later merge window. Reported-by: Darren Hart Signed-off-by: H. Peter Anvin Cc: Matt Fleming Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org Signed-off-by: Greg Kroah-Hartman commit 4ed62ead329b1d3dda942e44fdddbfb49ba50feb Author: Konrad Rzeszutek Wilk Date: Mon Feb 25 15:54:09 2013 -0500 doc, kernel-parameters: Document 'console=hvc' commit a2fd6419174470f5ae6383f5037d0ee21ed9833f upstream. Both the PowerPC hypervisor and Xen hypervisor can utilize the hvc driver. Signed-off-by: Konrad Rzeszutek Wilk Link: http://lkml.kernel.org/r/1361825650-14031-3-git-send-email-konrad.wilk@oracle.com Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit c53f3a52561e84be62fad7ac1a5e82e5cc678f5d Author: Konrad Rzeszutek Wilk Date: Mon Feb 25 15:54:08 2013 -0500 doc, xen: Mention 'earlyprintk=xen' in the documentation. commit 2482a92e7d17187301d7313cfe5021b13393a0b4 upstream. The earlyprintk for Xen PV guests utilizes a simple hypercall (console_io) to provide output to Xen emergency console. Note that the Xen hypervisor should be booted with 'loglevel=all' to output said information. Reported-by: H. Peter Anvin Signed-off-by: Konrad Rzeszutek Wilk Link: http://lkml.kernel.org/r/1361825650-14031-2-git-send-email-konrad.wilk@oracle.com Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit bf64a63f4b9ba3b895ba1803dc901de1a936ee3f Author: Matt Fleming Date: Wed Feb 20 20:36:12 2013 +0000 x86, efi: Make "noefi" really disable EFI runtime serivces commit fb834c7acc5e140cf4f9e86da93a66de8c0514da upstream. commit 1de63d60cd5b ("efi: Clear EFI_RUNTIME_SERVICES rather than EFI_BOOT by "noefi" boot parameter") attempted to make "noefi" true to its documentation and disable EFI runtime services to prevent the bricking bug described in commit e0094244e41c ("samsung-laptop: Disable on EFI hardware"). However, it's not possible to clear EFI_RUNTIME_SERVICES from an early param function because EFI_RUNTIME_SERVICES is set in efi_init() *after* parse_early_param(). This resulted in "noefi" effectively becoming a no-op and no longer providing users with a way to disable EFI, which is bad for those users that have buggy machines. Reported-by: Walt Nelson Jr Cc: Satoru Takeuchi Signed-off-by: Matt Fleming Link: http://lkml.kernel.org/r/1361392572-25657-1-git-send-email-matt@console-pimps.org Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 5301bad549d69f19ba2d89c38239c92435ae3b89 Author: Mathias Krause Date: Tue Feb 19 20:47:07 2013 +0100 x86/apic: Fix parsing of the 'lapic' cmdline option commit 27cf929845b10043f2257693c7d179a9e0b1980e upstream. Including " lapic " in the kernel cmdline on an x86-64 kernel makes it panic while parsing early params -- e.g. with no user visible output. Fix this bug by ensuring arg is non-NULL before passing it to strncmp(). Reported-by: PaX Team Signed-off-by: Mathias Krause Acked-by: David Rientjes Cc: Suresh Siddha Link: http://lkml.kernel.org/r/1361303227-13174-1-git-send-email-minipli@googlemail.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit e839e49caff7f31a165e9115c5a84a9236e958ab Author: Steven Rostedt (Red Hat) Date: Wed Feb 13 15:18:38 2013 -0500 ftrace: Call ftrace cleanup module notifier after all other notifiers commit 8c189ea64eea01ca20d102ddb74d6936dd16c579 upstream. Commit: c1bf08ac "ftrace: Be first to run code modification on modules" changed ftrace module notifier's priority to INT_MAX in order to process the ftrace nops before anything else could touch them (namely kprobes). This was the correct thing to do. Unfortunately, the ftrace module notifier also contains the ftrace clean up code. As opposed to the set up code, this code should be run *after* all the module notifiers have run in case a module is doing correct clean-up and unregisters its ftrace hooks. Basically, ftrace needs to do clean up on module removal, as it needs to know about code being removed so that it doesn't try to modify that code. But after it removes the module from its records, if a ftrace user tries to remove a probe, that removal will fail due as the record of that code segment no longer exists. Nothing really bad happens if the probe removal is called after ftrace did the clean up, but the ftrace removal function will return an error. Correct code (such as kprobes) will produce a WARN_ON() if it fails to remove the probe. As people get annoyed by frivolous warnings, it's best to do the ftrace clean up after everything else. By splitting the ftrace_module_notifier into two notifiers, one that does the module load setup that is run at high priority, and the other that is called for module clean up that is run at low priority, the problem is solved. Reported-by: Frank Ch. Eigler Acked-by: Masami Hiramatsu Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit a8bd30c32f544663a4b455aa5ddd4dc4b06b916f Author: Tejun Heo Date: Wed Feb 20 15:24:12 2013 -0800 posix-timer: Don't call idr_find() with out-of-range ID commit e182bb38d7db7494fa5dcd82da17fe0dedf60ecf upstream. When idr_find() was fed a negative ID, it used to look up the ID ignoring the sign bit before recent ("idr: remove MAX_IDR_MASK and move left MAX_IDR_* into idr.c") patch. Now a negative ID triggers a WARN_ON_ONCE(). __lock_timer() feeds timer_id from userland directly to idr_find() without sanitizing it which can trigger the above malfunctions. Add a range check on @timer_id before invoking idr_find() in __lock_timer(). While timer_t is defined as int by all archs at the moment, Andrew worries that it may be defined as a larger type later on. Make the test cover larger integers too so that it at least is guaranteed to not return the wrong timer. Note that WARN_ON_ONCE() in idr_find() on id < 0 is transitional precaution while moving away from ignoring MSB. Once it's gone we can remove the guard as long as timer_t isn't larger than int. Signed-off-by: Tejun Heo Reported-by: Sasha Levin Cc: Andrew Morton Link: http://lkml.kernel.org/r/20130220232412.GL3570@htj.dyndns.org Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 9b2eee352d5d276f212b751ad86d3bd4f156fd51 Author: Joerg Roedel Date: Wed Feb 6 12:55:23 2013 +0100 iommu/amd: Initialize device table after dma_ops commit f528d980c17b8714aedc918ba86e058af914d66b upstream. When dma_ops are initialized the unity mappings are created. The init_device_table_dma() function makes sure DMA from all devices is blocked by default. This opens a short window in time where DMA to unity mapped regions is blocked by the IOMMU. Make sure this does not happen by initializing the device table after dma_ops. Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit d90dc15e9799e68afce2834a67113f6fff3046fe Author: Adam Thomas Date: Sat Feb 2 22:35:08 2013 +0000 UBIFS: fix double free of ubifs_orphan objects commit 8afd500cb52a5d00bab4525dd5a560d199f979b9 upstream. The last orphan in the dnext list has its dnext set to NULL. Because of that, ubifs_delete_orphan assumes that it is not on the dnext list and frees it immediately instead ignoring it as a second delete. The orphan is later freed again by erase_deleted. This change adds an explicit flag to ubifs_orphan indicating whether it is pending delete. Signed-off-by: Adam Thomas Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit ce7f4e84411ba5280e3b781f1da56de95e1fd3e7 Author: Adam Thomas Date: Sat Feb 2 22:32:31 2013 +0000 UBIFS: fix use of freed ubifs_orphan objects commit 2928f0d0c5ebd6c9605c0d98207a44376387c298 upstream. The last orphan in the cnext list has its cnext set to NULL. Because of that, ubifs_delete_orphan assumes that it is not on the cnext list and frees it immediately instead of adding it to the dnext list. The freed orphan is later modified by write_orph_node. This can cause various inconsistencies including directory entries that cannot be removed and this error: UBIFS error (pid 20685): layout_cnodes: LPT out of space at LEB 14:129009 needing 17, done_ltab 1, done_lsave 1 This is a regression introduced by "7074e5eb UBIFS: remove invalid reference to list iterator variable". This change adds an explicit flag to ubifs_orphan indicating whether it is pending commit. Signed-off-by: Adam Thomas Reviewed-by: Adrian Hunter Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit 66c45d44d42012bd9ad5e5154cd7d2b391b1183e Author: Larry Finger Date: Mon Feb 25 06:09:24 2013 +0000 b43: Fix lockdep splat on module unload commit 63a02ce1c5c59baa40b99756492e3ec8d6b51483 upstream. On unload, b43 produces a lockdep warning that can be summarized in the following way: ====================================================== [ INFO: possible circular locking dependency detected ] 3.8.0-wl+ #117 Not tainted ------------------------------------------------------- modprobe/5557 is trying to acquire lock: ((&wl->firmware_load)){+.+.+.}, at: [] flush_work+0x0/0x2a0 but task is already holding lock: (rtnl_mutex){+.+.+.}, at: [] rtnl_lock+0x12/0x20 which lock already depends on the new lock. [ INFO: possible circular locking dependency detected ] ====================================================== The full output is available at http://lkml.indiana.edu/hypermail/linux/kernel/1302.3/00060.html. To summarize, commit 6b6fa58 added a 'cancel_work_sync(&wl->firmware_load)' call in the wrong place. The fix is to move the cancel_work_sync() call to b43_bcma_remove() and b43_ssb_remove(). Thanks to Johannes Berg and Michael Buesch for help in diagnosing the log output. Signed-off-by: Larry Finger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e3d7ed9c659eebbf83fc20e8c80bb3c58a24028d Author: Felipe Balbi Date: Thu Jan 24 11:56:11 2013 +0200 usb: dwc3: gadget: change HIRD threshold to 12 commit 1a947746dbe1486d0e305ab512ddf085b7874cb3 upstream. First of all, that 28 value makes no sense as HIRD threshold is a 4-bit value, second of all it's causing issues for OMAP5. Using 12 because commit cbc725b3 (usb: dwc3: keep default hird threshold value as 4b1100) had the intention of setting the maximum allowed value of 0xc. Also, original code has been wrong forever, so this should be backported as far back as possible. Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit d7c430bd3285dcdbdbe3c0d71a42b6fde442733e Author: Pratyush Anand Date: Mon Jan 14 15:59:35 2013 +0530 usb: dwc3: gadget: fix skip LINK_TRB on ISOC commit 915e202aeeb59e272992a6364c910aaef3073544 upstream. When we reach to link trb, we just need to increase free_slot and then calculate TRB. Return is not correct, as it will cause wrong TRB DMA address to fetch in case of update transfer. Signed-off-by: Pratyush Anand Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 3f08ff607d29c29c63e90bc650356aa476e5054d Author: Pratyush Anand Date: Mon Jan 14 15:59:34 2013 +0530 usb: dwc3: gadget: fix isoc END TRANSFER Condition commit cdc359dd87ab6c39a67dab724fd0b61c16e6f08b upstream. There were still some corner cases where isoc transfer was not able to restart, specially when missed isoc does not happen , and in fact gadget does not queue any new request during giveback. Cleanup function calls giveback first, which provides a way to queue another request to gadget. But gadget did not had any data. So , it did not call ep_queue. To twist it further, gadget did not queue till cleanup for last queued TRB is called. If we ever reach this scenario, we must call END TRANSFER, so that we receive a new xfernotready with information about current microframe number. Also insure that there is no request submitted to core when issuing END TRANSFER. Signed-off-by: Pratyush Anand Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 2f097fdb6b0d09084143d38fc43db86937610324 Author: Pratyush Anand Date: Mon Jan 14 15:59:32 2013 +0530 usb: dwc3: gadget: fix missed isoc commit 7efea86c2868b8fd9df65e589e33aebe498ce21d upstream. There are two reasons to generate missed isoc. 1. when the host does not poll for all the data. 2. because of application-side delays that prevent all the data from being transferred in programmed microframe. Current code was able to handle first case only. This patch handles scenario 2 as well.Scenario 2 sometime may occur with complex gadget application, however it can be easily reproduced for testing purpose as follows: a. use isoc binterval as 1 in f_sourcesink. b. use pattern=0 c. introduce a delay of 150us deliberately in source_sink_complete, so that after few frames it lands into scenario 2. d. now run testusb 16 (isoc in test). You will notice that if this patch is not applied then isoc transfer is not able to recover after first missed. Current patch's approach is as under: If missed isoc occurs and there is no request queued then issue END TRANSFER, so that core generates next xfernotready and we will issue a fresh START TRANSFER. If there are still queued request then wait, do not issue either END or UPDATE TRANSFER, just attach next request in request_list during giveback. If any future queued request is successfully transferred then we will issue UPDATE TRANSFER for all request in the request_list. Signed-off-by: Pratyush Anand Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit d1e2a92b95b9cf0e76a5b65282e313acdc3de2b2 Author: Pratyush Anand Date: Mon Jan 14 15:59:31 2013 +0530 usb: dwc3: Enable usb2 LPM only when connected as usb2.0 commit 2b758350af19db9a5c98241cf222c2e211d7a912 upstream. Synopsys says: The HIRD Threshold field must be set to ‘0’ when the device core is operating in super speed mode. This patch implements above statement. Acked-by: Paul Zimmerman Signed-off-by: Pratyush Anand Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 6ccf21e6b1742be263c1b990fd0581d7f5fa4dfd Author: Theodore Ts'o Date: Thu Jan 24 23:24:56 2013 -0500 quota: autoload the quota_v2 module for QFMT_VFS_V1 quota format commit c3ad83d9efdfe6a86efd44945a781f00c879b7b4 upstream. Otherwise, ext4 file systems with the quota featured enable will get a very confusing "No such process" error message if the quota code is built as a module and the quota_v2 module has not been loaded. Signed-off-by: "Theodore Ts'o" Reviewed-by: Carlos Maiolino Acked-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 9c38ffeea11b0a87b53080cd36de69a1c333521d Author: Bart Van Assche Date: Thu Feb 21 17:20:00 2013 +0000 IB/srp: Fail I/O requests if the transport is offline commit 2ce19e72f4d570c87e025ee6fca4eae699a8b712 upstream. If an SRP target is no longer reachable and srp_reset_host() fails to reconnect then ib_srp will invoke scsi_remove_host(). That function will invoke __scsi_remove_device() for each LUN. And that last function will change the device state from SDEV_TRANSPORT_OFFLINE into SDEV_CANCEL. Certain user space software, e.g. older versions of multipathd, continue queueing I/O to SCSI devices that are in the SDEV_CANCEL state. If these I/O requests are submitted as SG_IO that means that the REQ_PREEMPT flag will be set and hence that these requests will be passed to srp_queuecommand(). These requests will time out. If new requests are queued fast enough from user space these active requests will prevent __scsi_remove_device() to finish. Avoid this by failing I/O requests in the SDEV_CANCEL state if the transport is offline. Introduce a new variable to keep track of the transport state instead of failing requests if (!target->connected || target->qp_in_error), so that the SCSI error handler has a chance to retry commands after a transport layer failure occurred. Signed-off-by: Bart Van Assche Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 283f1b39dae90586db18c1e4a35fcf86fe8b8323 Author: Bart Van Assche Date: Thu Feb 21 17:19:04 2013 +0000 IB/srp: Avoid endless SCSI error handling loop commit c7c4e7ff8047e43c45628b85ac200582e9404c39 upstream. If a SCSI command times out it is passed to the SCSI error handler. The SCSI error handler will try to abort the commands that timed out. If aborting fails, a device reset will be attempted. If the device reset also fails a host reset will be attempted. If the host reset also fails the whole procedure will be repeated. srp_abort() and srp_reset_device() fail for a QP in the error state. srp_reset_host() fails after host removal has started. Hence if the SCSI error handler gets invoked after host removal has started and with the QP in the error state an endless loop will be triggered. Modify the SCSI error handling functions in ib_srp as follows: - Abort SCSI commands properly even if the QP is in the error state. - Make srp_reset_host() reset SCSI requests even after host removal has already started or if reconnecting fails. Signed-off-by: Bart Van Assche Acked-by: David Dillow Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 21290853f60c7ca205c5860d059f240f2655ea65 Author: Bart Van Assche Date: Thu Feb 21 17:18:00 2013 +0000 IB/srp: Avoid sending a task management function needlessly commit 3780d1f08856f692116bcf026e4acf1c521df1c7 upstream. Do not send a task management function if sending will fail anyway because either there is no RDMA/RC connection or the QP is in the error state. Signed-off-by: Bart Van Assche Acked-by: David Dillow Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 988eda029beb3475704c6bc99709f805cd3c768c Author: Bart Van Assche Date: Thu Feb 21 17:16:54 2013 +0000 IB/srp: Track connection state properly commit e1b2f13aba9ff714d23ecd4a950e744ee7ad72e1 upstream. Remove an assignment that incorrectly overwrites the connection state update by srp_connect_target(). Signed-off-by: Bart Van Assche Acked-by: David Dillow Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 76d09eabf3ef361efc0a51125cd6da380a9239e5 Author: Florian Zeitz Date: Mon Feb 25 09:53:35 2013 +0100 ALSA: emu10k1: Load firmware when it was already cached commit b56ddbe55a363eee4ff7410a97050dad08215f7c upstream. This expands the regression fix from d28215996b0c3a900411769039aa3c54cf7008ab. The firmware also needs to be loaded when it was already cached. Signed-off-by: Florian Zeitz Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 83092b1c99832c76e9eae9d94284745830683367 Author: Mihail Zenkov Date: Fri Feb 22 11:25:27 2013 +0000 ALSA: emu10k1: Fix regression in emu1010 firmware loading commit d28215996b0c3a900411769039aa3c54cf7008ab upstream. This patch fix regression in emu1010 firmware loading after http://git.alsa-project.org/?p=alsa-kprivate.git;a=commitdiff;h=b209c4dfcd960ab176d4746ab7dc442a3edb4575 I just revert small part of this commit. Tested on emu1212m pci. Signed-off-by: Mihail Zenkov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 22c0bc2801540b486dd89db7abba99790a6ec876 Author: David Henningsson Date: Fri Feb 22 10:16:28 2013 +0100 ALSA: hda - hdmi: Make jacks phantom, if they're not detectable commit 30efd8debd1ef30be342d374f01e993509f5b76b upstream. Just as for analog codecs, a jack that isn't suitable for detection (in this case, NO_PRESENCE was set) should be a phantom Jack instead of a normal one. Thanks to Raymond Yau for spotting. BugLink: https://bugs.launchpad.net/bugs/961286 BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=903869 Signed-off-by: David Henningsson Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 146a89dcb2cbc032cdd36e656252410980b4aa04 Author: Takashi Iwai Date: Mon Feb 25 09:48:45 2013 +0100 ALSA: bt87x: Make load_all parameter working again commit aacfddfdadb3540651d263245069631f341e953a upstream. Along with a clean up commit [e9f66d9b9: ALSA: pci: clean up using module_pci_driver()], bt87x driver lost the functionality of load_all parameter. This patch does a partial revert of the commit only for bt87x.c to recover it. Reported-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 00243dda62e27a3a0e9ca8c4017622b3fb35676f Author: Linus Torvalds Date: Wed Feb 27 08:36:04 2013 -0800 mm: do not grow the stack vma just because of an overrun on preceding vma commit 09884964335e85e897876d17783c2ad33cf8a2e0 upstream. The stack vma is designed to grow automatically (marked with VM_GROWSUP or VM_GROWSDOWN depending on architecture) when an access is made beyond the existing boundary. However, particularly if you have not limited your stack at all ("ulimit -s unlimited"), this can cause the stack to grow even if the access was really just one past *another* segment. And that's wrong, especially since we first grow the segment, but then immediately later enforce the stack guard page on the last page of the segment. So _despite_ first growing the stack segment as a result of the access, the kernel will then make the access cause a SIGSEGV anyway! So do the same logic as the guard page check does, and consider an access to within one page of the next segment to be a bad access, rather than growing the stack to abut the next segment. Reported-and-tested-by: Heiko Carstens Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman