]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
12 years agoUSB: mos7840: fix port-data memory leak
Johan Hovold [Wed, 31 Oct 2012 19:52:42 +0000 (20:52 +0100)]
USB: mos7840: fix port-data memory leak

commit 80c00750f0c9867a65b30a17880939b6bc660a77 upstream.

Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Note that the indentation was kept intact using a do-while(0) in order
to facilitate review. A follow-up patch will remove it.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoceph: avoid 32-bit page index overflow
Alex Elder [Tue, 2 Oct 2012 15:25:51 +0000 (10:25 -0500)]
ceph: avoid 32-bit page index overflow

commit 6285bc231277419255f3498d3eb5ddc9f8e7fe79 upstream.

A pgoff_t is defined (by default) to have type (unsigned long).  On
architectures such as i686 that's a 32-bit type.  The ceph address
space code was attempting to produce 64 bit offsets by shifting a
page's index by PAGE_CACHE_SHIFT, but the result was not what was
desired because the shift occurred before the result got promoted
to 64 bits.

Fix this by converting all uses of page->index used in this way to
use the page_offset() macro, which ensures the 64-bit result has the
intended value.

This fixes http://tracker.newdream.net/issues/3112

Reported-by: Mohamed Pakkeer <pakkeer.mohideen@realimage.com>
Signed-off-by: Alex Elder <elder@inktank.com>
Reviewed-by: Sage Weil <sage@inktank.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agolibceph: check for invalid mapping
Sage Weil [Tue, 25 Sep 2012 03:59:48 +0000 (20:59 -0700)]
libceph: check for invalid mapping

commit d63b77f4c552cc3a20506871046ab0fcbc332609 upstream.

If we encounter an invalid (e.g., zeroed) mapping, return an error
and avoid a divide by zero.

Signed-off-by: Sage Weil <sage@inktank.com>
Reviewed-by: Alex Elder <elder@inktank.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoceph: Fix oops when handling mdsmap that decreases max_mds
Yan, Zheng [Thu, 20 Sep 2012 09:42:25 +0000 (17:42 +0800)]
ceph: Fix oops when handling mdsmap that decreases max_mds

commit 3e8f43a089f06279c5f76a9ccd42578eebf7bfa5 upstream.

When i >= newmap->m_max_mds, ceph_mdsmap_get_addr(newmap, i) return
NULL. Passing NULL to memcmp() triggers oops.

Signed-off-by: Yan, Zheng <zheng.z.yan@intel.com>
Signed-off-by: Sage Weil <sage@inktank.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoceph: fix dentry reference leak in encode_fh()
David Zafman [Thu, 18 Oct 2012 21:01:43 +0000 (14:01 -0700)]
ceph: fix dentry reference leak in encode_fh()

commit 52eb5a900a9863a8b77a895f770e5d825c8e02c6 upstream.

Call to d_find_alias() needs a corresponding dput()

This fixes http://tracker.newdream.net/issues/3271

Signed-off-by: David Zafman <david.zafman@inktank.com>
Reviewed-by: Sage Weil <sage@inktank.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agolibceph: avoid NULL kref_put when osd reset races with alloc_msg
Sage Weil [Wed, 24 Oct 2012 23:12:58 +0000 (16:12 -0700)]
libceph: avoid NULL kref_put when osd reset races with alloc_msg

commit 9bd952615a42d7e2ce3fa2c632e808e804637a1a upstream.

The ceph_on_in_msg_alloc() method drops con->mutex while it allocates a
message.  If that races with a timeout that resends a zillion messages and
resets the connection, and the ->alloc_msg() method returns a NULL message,
it will call ceph_msg_put(NULL) and BUG.

Fix by only calling put if msg is non-NULL.

Fixes http://tracker.newdream.net/issues/3142

Signed-off-by: Sage Weil <sage@inktank.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agorbd: reset BACKOFF if unable to re-queue
Alex Elder [Tue, 9 Oct 2012 03:37:30 +0000 (20:37 -0700)]
rbd: reset BACKOFF if unable to re-queue

commit 588377d6199034c36d335e7df5818b731fea072c upstream.

If ceph_fault() is unable to queue work after a delay, it sets the
BACKOFF connection flag so con_work() will attempt to do so.

In con_work(), when BACKOFF is set, if queue_delayed_work() doesn't
result in newly-queued work, it simply ignores this condition and
proceeds as if no backoff delay were desired.  There are two
problems with this--one of which is a bug.

The first problem is simply that the intended behavior is to back
off, and if we aren't able queue the work item to run after a delay
we're not doing that.

The only reason queue_delayed_work() won't queue work is if the
provided work item is already queued.  In the messenger, this
means that con_work() is already scheduled to be run again.  So
if we simply set the BACKOFF flag again when this occurs, we know
the next con_work() call will again attempt to hold off activity
on the connection until after the delay.

The second problem--the bug--is a leak of a reference count.  If
queue_delayed_work() returns 0 in con_work(), con->ops->put() drops
the connection reference held on entry to con_work().  However,
processing is (was) allowed to continue, and at the end of the
function a second con->ops->put() is called.

This patch fixes both problems.

Signed-off-by: Alex Elder <elder@inktank.com>
Reviewed-by: Sage Weil <sage@inktank.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agofloppy: properly handle failure on add_disk loop
Herton Ronaldo Krzesinski [Mon, 27 Aug 2012 23:56:54 +0000 (20:56 -0300)]
floppy: properly handle failure on add_disk loop

commit d60e7ec18c3fb2cbf90969ccd42889eb2d03aef9 upstream.

On floppy initialization, if something failed inside the loop we call
add_disk, there was no cleanup of previous iterations in the error
handling.

Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agofloppy: do put_disk on current dr if blk_init_queue fails
Herton Ronaldo Krzesinski [Mon, 27 Aug 2012 23:56:52 +0000 (20:56 -0300)]
floppy: do put_disk on current dr if blk_init_queue fails

commit 238ab78469c6ab7845b43d5061cd3c92331b2452 upstream.

If blk_init_queue fails, we do not call put_disk on the current dr
(dr is decremented first in the error handling loop).

Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agofloppy: don't call alloc_ordered_workqueue inside the alloc_disk loop
Herton Ronaldo Krzesinski [Mon, 27 Aug 2012 23:56:51 +0000 (20:56 -0300)]
floppy: don't call alloc_ordered_workqueue inside the alloc_disk loop

commit b54e1f88897bcacc2cd359f48ea3b39eaf55f084 upstream.

Since commit 070ad7e ("floppy: convert to delayed work and single-thread
wq"), we end up calling alloc_ordered_workqueue multiple times inside
the loop, which shouldn't be intended. Besides the leak, other side
effect in the current code is if blk_init_queue fails, we would end up
calling unregister_blkdev even if we didn't call yet register_blkdev.

Just moved the allocation of floppy_wq before the loop, and adjusted the
code accordingly.

Acked-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agomd/raid1: Fix assembling of arrays containing Replacements.
NeilBrown [Wed, 31 Oct 2012 00:42:03 +0000 (11:42 +1100)]
md/raid1: Fix assembling of arrays containing Replacements.

commit 02b898f2f04e418094f0093a3ad0b415bcdbe8eb upstream.

setup_conf in raid1.c uses conf->raid_disks before assigning
a value.  It is used when including 'Replacement' devices.

The consequence is that assembling an array which contains a
replacement will misbehave and either not include the replacement, or
not include the device being replaced.

Though this doesn't lead directly to data corruption, it could lead to
reduced data safety.

So use mddev->raid_disks, which is initialised, instead.

Bug was introduced by commit c19d57980b38a5bb613a898937a1cf85f422fb9b
      md/raid1: recognise replacements when assembling arrays.

in 3.3, so fix is suitable for 3.3.y thru 3.6.y.

Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agogpiolib: Don't return -EPROBE_DEFER to sysfs, or for invalid gpios
Mathias Nyman [Thu, 25 Oct 2012 11:03:03 +0000 (14:03 +0300)]
gpiolib: Don't return -EPROBE_DEFER to sysfs, or for invalid gpios

commit ad2fab36d7922401c4576fb7ea9b21a47a29a17f upstream.

gpios requested with invalid numbers, or gpios requested from userspace via sysfs
should not try to be deferred on failure.

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agogpio-timberdale: fix a potential wrapping issue
Dan Carpenter [Thu, 11 Oct 2012 06:56:35 +0000 (09:56 +0300)]
gpio-timberdale: fix a potential wrapping issue

commit d79550a7bc35c16476ebdc27c78378d8093390ec upstream.

->last_ier is an unsigned long but the high bits can't be used int the
original code because the shift wraps.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoblkcg: Fix use-after-free of q->root_blkg and q->root_rl.blkg
Jun'ichi Nomura [Wed, 17 Oct 2012 08:45:36 +0000 (17:45 +0900)]
blkcg: Fix use-after-free of q->root_blkg and q->root_rl.blkg

commit 65635cbc37e011e71b208257a25e7c1078cd039b upstream.

blk_put_rl() does not call blkg_put() for q->root_rl because we
don't take request list reference on q->root_blkg.
However, if root_blkg is once attached then detached (freed),
blk_put_rl() is confused by the bogus pointer in q->root_blkg.

For example, with !CONFIG_BLK_DEV_THROTTLING &&
CONFIG_CFQ_GROUP_IOSCHED,
switching IO scheduler from cfq to deadline will cause system stall
after the following warning with 3.6:

> WARNING: at /work/build/linux/block/blk-cgroup.h:250
> blk_put_rl+0x4d/0x95()
> Modules linked in: bridge stp llc sunrpc acpi_cpufreq freq_table mperf
> ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4
> Pid: 0, comm: swapper/0 Not tainted 3.6.0 #1
> Call Trace:
>  <IRQ>  [<ffffffff810453bd>] warn_slowpath_common+0x85/0x9d
>  [<ffffffff810453ef>] warn_slowpath_null+0x1a/0x1c
>  [<ffffffff811d5f8d>] blk_put_rl+0x4d/0x95
>  [<ffffffff811d614a>] __blk_put_request+0xc3/0xcb
>  [<ffffffff811d71a3>] blk_finish_request+0x232/0x23f
>  [<ffffffff811d76c3>] ? blk_end_bidi_request+0x34/0x5d
>  [<ffffffff811d76d1>] blk_end_bidi_request+0x42/0x5d
>  [<ffffffff811d7728>] blk_end_request+0x10/0x12
>  [<ffffffff812cdf16>] scsi_io_completion+0x207/0x4d5
>  [<ffffffff812c6fcf>] scsi_finish_command+0xfa/0x103
>  [<ffffffff812ce2f8>] scsi_softirq_done+0xff/0x108
>  [<ffffffff811dcea5>] blk_done_softirq+0x8d/0xa1
>  [<ffffffff810915d5>] ?
>  generic_smp_call_function_single_interrupt+0x9f/0xd7
>  [<ffffffff8104cf5b>] __do_softirq+0x102/0x213
>  [<ffffffff8108a5ec>] ? lock_release_holdtime+0xb6/0xbb
>  [<ffffffff8104d2b4>] ? raise_softirq_irqoff+0x9/0x3d
>  [<ffffffff81424dfc>] call_softirq+0x1c/0x30
>  [<ffffffff81011beb>] do_softirq+0x4b/0xa3
>  [<ffffffff8104cdb0>] irq_exit+0x53/0xd5
>  [<ffffffff8102d865>] smp_call_function_single_interrupt+0x34/0x36
>  [<ffffffff8142486f>] call_function_single_interrupt+0x6f/0x80
>  <EOI>  [<ffffffff8101800b>] ? mwait_idle+0x94/0xcd
>  [<ffffffff81018002>] ? mwait_idle+0x8b/0xcd
>  [<ffffffff81017811>] cpu_idle+0xbb/0x114
>  [<ffffffff81401fbd>] rest_init+0xc1/0xc8
>  [<ffffffff81401efc>] ? csum_partial_copy_generic+0x16c/0x16c
>  [<ffffffff81cdbd3d>] start_kernel+0x3d4/0x3e1
>  [<ffffffff81cdb79e>] ? kernel_init+0x1f7/0x1f7
>  [<ffffffff81cdb2dd>] x86_64_start_reservations+0xb8/0xbd
>  [<ffffffff81cdb3e3>] x86_64_start_kernel+0x101/0x110

This patch clears q->root_blkg and q->root_rl.blkg when root blkg
is destroyed.

Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoext4: fix unjournaled inode bitmap modification
Eric Sandeen [Mon, 29 Oct 2012 02:24:57 +0000 (22:24 -0400)]
ext4: fix unjournaled inode bitmap modification

commit ffb5387e85d528fb6d0d924abfa3fbf0fc484071 upstream.

commit 119c0d4460b001e44b41dcf73dc6ee794b98bd31 changed
ext4_new_inode() such that the inode bitmap was being modified
outside a transaction, which could lead to corruption, and was
discovered when journal_checksum found a bad checksum in the
journal during log replay.

Nix ran into this when using the journal_async_commit mount
option, which enables journal checksumming.  The ensuing
journal replay failures due to the bad checksums led to
filesystem corruption reported as the now infamous
"Apparent serious progressive ext4 data corruption bug"

[ Changed by tytso to only call ext4_journal_get_write_access() only
  when we're fairly certain that we're going to allocate the inode. ]

I've tested this by mounting with journal_checksum and
running fsstress then dropping power; I've also tested by
hacking DM to create snapshots w/o first quiescing, which
allows me to test journal replay repeatedly w/o actually
power-cycling the box.  Without the patch I hit a journal
checksum error every time.  With this fix it survives
many iterations.

Reported-by: Nix <nix@esperi.org.uk>
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoLinux 3.6.5 v3.6.5
Greg Kroah-Hartman [Wed, 31 Oct 2012 17:11:22 +0000 (10:11 -0700)]
Linux 3.6.5

12 years agopnfsblock: fix non-aligned DIO write
Peng Tao [Thu, 23 Aug 2012 16:27:53 +0000 (00:27 +0800)]
pnfsblock: fix non-aligned DIO write

commit 96c9eae638765c2bf2ca4f5a6325484f9bb69aa7 upstream.

For DIO writes, if it is not blocksize aligned, we need to do
internal serialization. It may slow down writers anyway. So we
just bail them out and resend to MDS.

Signed-off-by: Peng Tao <tao.peng@emc.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agopnfsblock: fix non-aligned DIO read
Peng Tao [Thu, 23 Aug 2012 16:27:52 +0000 (00:27 +0800)]
pnfsblock: fix non-aligned DIO read

commit f742dc4a32587bff50b13dde9d8894b96851951a upstream.

For DIO read, if it is not sector aligned, we should reject it
and resend via MDS. Otherwise there might be data corruption.
Also teach bl_read_pagelist to handle partial page reads for DIO.

Signed-off-by: Peng Tao <tao.peng@emc.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agox86, mm: Use memblock memory loop instead of e820_RAM
Yinghai Lu [Mon, 22 Oct 2012 23:35:18 +0000 (16:35 -0700)]
x86, mm: Use memblock memory loop instead of e820_RAM

commit 1f2ff682ac951ed82cc043cf140d2851084512df upstream.

We need to handle E820_RAM and E820_RESERVED_KERNEL at the same time.

Also memblock has page aligned range for ram, so we could avoid mapping
partial pages.

Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Link: http://lkml.kernel.org/r/CAE9FiQVZirvaBMFYRfXMmWEcHbKSicQEHz4VAwUv0xFCk51ZNw@mail.gmail.com
Acked-by: Jacob Shin <jacob.shin@amd.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agox86: efi: Turn off efi_enabled after setup on mixed fw/kernel
Olof Johansson [Wed, 24 Oct 2012 17:00:44 +0000 (10:00 -0700)]
x86: efi: Turn off efi_enabled after setup on mixed fw/kernel

commit 5189c2a7c7769ee9d037d76c1a7b8550ccf3481c upstream.

When 32-bit EFI is used with 64-bit kernel (or vice versa), turn off
efi_enabled once setup is done. Beyond setup, it is normally used to
determine if runtime services are available and we will have none.

This will resolve issues stemming from efivars modprobe panicking on a
32/64-bit setup, as well as some reboot issues on similar setups.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=45991

Reported-by: Marko Kohtala <marko.kohtala@gmail.com>
Reported-by: Maxim Kammerer <mk@dee.su>
Signed-off-by: Olof Johansson <olof@lixom.net>
Acked-by: Maarten Lankhorst <maarten.lankhorst@canonical.com>
Cc: Matthew Garrett <mjg@redhat.com>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoefi: Defer freeing boot services memory until after ACPI init
Josh Triplett [Sat, 29 Sep 2012 00:55:44 +0000 (17:55 -0700)]
efi: Defer freeing boot services memory until after ACPI init

commit 785107923a83d8456bbd8564e288a24d84109a46 upstream.

Some new ACPI 5.0 tables reference resources stored in boot services
memory, so keep that memory around until we have ACPI and can extract
data from it.

Signed-off-by: Josh Triplett <josh@joshtriplett.org>
Link: http://lkml.kernel.org/r/baaa6d44bdc4eb0c58e5d1b4ccd2c729f854ac55.1348876882.git.josh@joshtriplett.org
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Cc: Matt Fleming <matt@console-pimps.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agocfg80211/mac80211: avoid state mishmash on deauth
Stanislaw Gruszka [Mon, 15 Oct 2012 12:52:41 +0000 (14:52 +0200)]
cfg80211/mac80211: avoid state mishmash on deauth

commit 6863255bd0e48bc41ae5a066d5c771801e92735a upstream.

Avoid situation when we are on associate state in mac80211 and
on disassociate state in cfg80211. This can results on crash
during modules unload (like showed on this thread:
http://marc.info/?t=134373976300001&r=1&w=2) and possibly other
problems.

Reported-by: Pedro Francisco <pedrogfrancisco@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agox86, mm: Undo incorrect revert in arch/x86/mm/init.c
Yinghai Lu [Thu, 25 Oct 2012 22:45:26 +0000 (15:45 -0700)]
x86, mm: Undo incorrect revert in arch/x86/mm/init.c

commit f82f64dd9f485e13f29f369772d4a0e868e5633a upstream.

Commit

    844ab6f9 x86, mm: Find_early_table_space based on ranges that are actually being mapped

added back some lines back wrongly that has been removed in commit

    7b16bbf97 Revert "x86/mm: Fix the size calculation of mapping tables"

remove them again.

Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Link: http://lkml.kernel.org/r/CAE9FiQW_vuaYQbmagVnxT2DGsYc=9tNeAbdBq53sYkitPOwxSQ@mail.gmail.com
Acked-by: Jacob Shin <jacob.shin@amd.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agox86, mm: Find_early_table_space based on ranges that are actually being mapped
Jacob Shin [Wed, 24 Oct 2012 19:24:44 +0000 (14:24 -0500)]
x86, mm: Find_early_table_space based on ranges that are actually being mapped

commit 844ab6f993b1d32eb40512503d35ff6ad0c57030 upstream.

Current logic finds enough space for direct mapping page tables from 0
to end. Instead, we only need to find enough space to cover mr[0].start
to mr[nr_range].end -- the range that is actually being mapped by
init_memory_mapping()

This is needed after 1bbbbe779aabe1f0768c2bf8f8c0a5583679b54a, to address
the panic reported here:

  https://lkml.org/lkml/2012/10/20/160
  https://lkml.org/lkml/2012/10/21/157

Signed-off-by: Jacob Shin <jacob.shin@amd.com>
Link: http://lkml.kernel.org/r/20121024195311.GB11779@jshin-Toonie
Tested-by: Tom Rini <trini@ti.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoRevert "ath9k_hw: Updated AR9003 tx gain table for 5GHz"
Felix Fietkau [Wed, 17 Oct 2012 11:50:43 +0000 (13:50 +0200)]
Revert "ath9k_hw: Updated AR9003 tx gain table for 5GHz"

commit 73b26df5fa1a6245d6fc982362518b620bc7c2fe upstream.

This reverts commit a240dc7b3c7463bd60cf0a9b2a90f52f78aae0fd.

This commit is reducing tx power by at least 10 db on some devices,
e.g. the Buffalo WZR-HP-G450H.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Cc: rmanohar@qca.qualcomm.com
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agocpufreq / powernow-k8: Remove usage of smp_processor_id() in preemptible code
Andreas Herrmann [Mon, 22 Oct 2012 22:55:10 +0000 (00:55 +0200)]
cpufreq / powernow-k8: Remove usage of smp_processor_id() in preemptible code

commit e4df1cbcc1f329e53a1fff7450b2229e0addff20 upstream.

Commit 6889125b8b4e09c5e53e6ecab3433bed1ce198c9
(cpufreq/powernow-k8: workqueue user shouldn't migrate the kworker to another CPU)
causes powernow-k8 to trigger a preempt warning, e.g.:

  BUG: using smp_processor_id() in preemptible [00000000] code: cpufreq/3776
  caller is powernowk8_target+0x20/0x49
  Pid: 3776, comm: cpufreq Not tainted 3.6.0 #9
  Call Trace:
   [<ffffffff8125b447>] debug_smp_processor_id+0xc7/0xe0
   [<ffffffff814877e7>] powernowk8_target+0x20/0x49
   [<ffffffff81482b02>] __cpufreq_driver_target+0x82/0x8a
   [<ffffffff81484fc6>] cpufreq_governor_performance+0x4e/0x54
   [<ffffffff81482c50>] __cpufreq_governor+0x8c/0xc9
   [<ffffffff81482e6f>] __cpufreq_set_policy+0x1a9/0x21e
   [<ffffffff814839af>] store_scaling_governor+0x16f/0x19b
   [<ffffffff81484f16>] ? cpufreq_update_policy+0x124/0x124
   [<ffffffff8162b4a5>] ? _raw_spin_unlock_irqrestore+0x2c/0x49
   [<ffffffff81483640>] store+0x60/0x88
   [<ffffffff811708c0>] sysfs_write_file+0xf4/0x130
   [<ffffffff8111243b>] vfs_write+0xb5/0x151
   [<ffffffff811126e0>] sys_write+0x4a/0x71
   [<ffffffff816319a9>] system_call_fastpath+0x16/0x1b

Fix this by by always using work_on_cpu().

Signed-off-by: Andreas Herrmann <andreas.herrmann3@amd.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agonet/wireless: ipw2200: Fix panic occurring in ipw_handle_promiscuous_tx()
Stanislav Yakovlev [Mon, 15 Oct 2012 14:14:32 +0000 (14:14 +0000)]
net/wireless: ipw2200: Fix panic occurring in ipw_handle_promiscuous_tx()

commit bf11315eeda510ea4fc1a2bf972d8155d31d89b4 upstream.

The driver does not count space of radiotap fields when allocating skb for
radiotap packet. This leads to kernel panic with the following call trace:

...
[67607.676067] [<c152f90f>] error_code+0x67/0x6c
[67607.676067] [<c142f831>] ? skb_put+0x91/0xa0
[67607.676067] [<f8cf5e5b>] ? ipw_handle_promiscuous_tx+0x16b/0x2d0 [ipw2200]
[67607.676067] [<f8cf5e5b>] ipw_handle_promiscuous_tx+0x16b/0x2d0 [ipw2200]
[67607.676067] [<f8cf899b>] ipw_net_hard_start_xmit+0x8b/0x90 [ipw2200]
[67607.676067] [<f8741c5a>] libipw_xmit+0x55a/0x980 [libipw]
[67607.676067] [<c143d3e8>] dev_hard_start_xmit+0x218/0x4d0
...

This bug was found by VittGam.
https://bugzilla.kernel.org/show_bug.cgi?id=43255

Signed-off-by: Stanislav Yakovlev <stas.yakovlev@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agobcma: fix unregistration of cores
Piotr Haber [Thu, 11 Oct 2012 12:05:15 +0000 (14:05 +0200)]
bcma: fix unregistration of cores

commit 1fffa905adffbf0d3767fc978ef09afb830275eb upstream.

When cores are unregistered, entries
need to be removed from cores list in a safe manner.

Reported-by: Stanislaw Gruszka <sgruszka@redhat.com>
Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Signed-off-by: Piotr Haber <phaber@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoiwlwifi: fix 6000 series channel switch command
Johannes Berg [Tue, 25 Sep 2012 14:40:12 +0000 (16:40 +0200)]
iwlwifi: fix 6000 series channel switch command

commit 8f7b8db6e0557c8437adf9371e020cd89a7e85dc upstream.

The channel switch command for 6000 series devices
is larger than the maximum inline command size of
320 bytes. The command is therefore refused with a
warning. Fix this by allocating the command and
using the NOCOPY mechanism.

Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agodmaengine: imx-dma: fix missing unlock on error in imxdma_xfer_desc()
Wei Yongjun [Sun, 21 Oct 2012 11:58:30 +0000 (19:58 +0800)]
dmaengine: imx-dma: fix missing unlock on error in imxdma_xfer_desc()

commit 720dfd250e48a8c7fd1b2b8645955413989c4ee0 upstream.

Add the missing unlock on the error handling path in function
imxdma_xfer_desc().

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agodmaengine: sirf: fix a typo in moving running dma_desc to active queue
Barry Song [Thu, 27 Sep 2012 08:36:10 +0000 (16:36 +0800)]
dmaengine: sirf: fix a typo in moving running dma_desc to active queue

commit 26fd12209c08fe947be1828896ef4ffc5bd0e6df upstream.

list_move_tail(&schan->queued, &schan->active) makes the list_empty(schan->queued)
undefined, we either should change it to:
list_move_tail(schan->queued.next, &schan->active)
or
list_move_tail(&sdesc->node, &schan->active)

Signed-off-by: Barry Song <Baohua.Song@csr.com>
Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agodmaengine: sirf: fix a typo in dma_prep_interleaved
Barry Song [Thu, 27 Sep 2012 08:35:38 +0000 (16:35 +0800)]
dmaengine: sirf: fix a typo in dma_prep_interleaved

commit 5997e089e4c3a7f0958a8fb0a54ec2b5a6f06168 upstream.

either DEV_TO_MEM or MEM_TO_DEV is supported, so change
OR to AND.

Signed-off-by: Barry Song <Baohua.Song@csr.com>
Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agofreezer: exec should clear PF_NOFREEZE along with PF_KTHREAD
Oleg Nesterov [Thu, 25 Oct 2012 20:28:12 +0000 (22:28 +0200)]
freezer: exec should clear PF_NOFREEZE along with PF_KTHREAD

commit b40a79591ca918e7b91b0d9b6abd5d00f2e88c19 upstream.

flush_old_exec() clears PF_KTHREAD but forgets about PF_NOFREEZE.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoqmi_wwan/cdc_ether: move Novatel 551 and E362 to qmi_wwan
Dan Williams [Wed, 24 Oct 2012 12:10:34 +0000 (12:10 +0000)]
qmi_wwan/cdc_ether: move Novatel 551 and E362 to qmi_wwan

commit f8295ec22cb0f1ee6849b862addbfa3ea9320755 upstream.

These devices provide QMI and ethernet functionality via a standard CDC
ethernet descriptor.  But when driven by cdc_ether, the QMI
functionality is unavailable because only cdc_ether can claim the USB
interface.  Thus blacklist the devices in cdc_ether and add their IDs to
qmi_wwan, which enables both QMI and ethernet simultaneously.

Signed-off-by: Dan Williams <dcbw@redhat.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoBluetooth: SMP: Fix setting unknown auth_req bits
Johan Hedberg [Thu, 11 Oct 2012 14:26:06 +0000 (16:26 +0200)]
Bluetooth: SMP: Fix setting unknown auth_req bits

commit 065a13e2cc665f6547dc7e8a9d6b6565badf940a upstream.

When sending a pairing request or response we should not just blindly
copy the value that the remote device sent. Instead we should at least
make sure to mask out any unknown bits. This is particularly critical
from the upcoming LE Secure Connections feature perspective as
incorrectly indicating support for it (by copying the remote value)
would cause a failure to pair with devices that support it.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agotilegx: fix some issues in the SW TSO support
Chris Metcalf [Thu, 25 Oct 2012 07:25:20 +0000 (07:25 +0000)]
tilegx: fix some issues in the SW TSO support

commit 3da3fff8006c608f19a51859d44ba47ca8b41461 upstream.

This change correctly computes the header length and data length in
the fragments to avoid a bug where we would end up with extremely
slow performance.  Also adopt use of skb_frag_size() accessor.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agob43: Fix oops on unload when firmware not found
Larry Finger [Wed, 24 Oct 2012 13:57:16 +0000 (08:57 -0500)]
b43: Fix oops on unload when firmware not found

commit f89ff6441df06abc2d95f3ef67525923032d6283 upstream.

When b43 fails to find firmware when loaded, a subsequent unload will
oops due to calling ieee80211_unregister_hw() when the corresponding
register call was never made.

Commit 2d838bb608e2d1f6cb4280e76748cb812dc822e7 fixed the same problem
for b43legacy.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Tested-by: Markus Kanet <dvmailing@gmx.eu>
Cc: Markus Kanet <dvmailing@gmx.eu>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agomac80211: use ieee80211_free_txskb in a few more places
Felix Fietkau [Wed, 10 Oct 2012 20:40:23 +0000 (22:40 +0200)]
mac80211: use ieee80211_free_txskb in a few more places

commit d4fa14cd62bd078c8e3ef39283b9f237e5b2ff0f upstream.

Free tx status skbs when draining power save buffers, pending frames, or
when tearing down a vif.
Fixes remaining conditions that can lead to hostapd/wpa_supplicant hangs when
running out of socket write memory.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agomac80211: check if key has TKIP type before updating IV
Stanislaw Gruszka [Tue, 2 Oct 2012 19:34:23 +0000 (21:34 +0200)]
mac80211: check if key has TKIP type before updating IV

commit 4045f72bcf3c293c7c5932ef001742d8bb5ded76 upstream.

This patch fix corruption which can manifest itself by following crash
when switching on rfkill switch with rt2x00 driver:
https://bugzilla.redhat.com/attachment.cgi?id=615362

Pointer key->u.ccmp.tfm of group key get corrupted in:

ieee80211_rx_h_michael_mic_verify():

        /* update IV in key information to be able to detect replays */
        rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32;
        rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16;

because rt2x00 always set RX_FLAG_MMIC_STRIPPED, even if key is not TKIP.

We already check type of the key in different path in
ieee80211_rx_h_michael_mic_verify() function, so adding additional
check here is reasonable.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agomac80211: connect with HT20 if HT40 is not permitted
Johannes Berg [Mon, 1 Oct 2012 13:52:00 +0000 (15:52 +0200)]
mac80211: connect with HT20 if HT40 is not permitted

commit 3a40414f826a8f1096d9b94c4a53ef91b25ba28d upstream.

Some changes to fix issues with HT40 APs in Korea
and follow-up changes to allow using HT40 even if
the local regulatory database disallows it caused
issues with iwlwifi (and could cause issues with
other devices); iwlwifi firmware would assert if
you tried to connect to an AP that has an invalid
configuration (e.g. using HT40- on channel 140.)

Fix this, while avoiding the "Korean AP" issue by
disabling HT40 and advertising HT20 to the AP
when connecting.

Reported-by: Florian Reitmeir <florian@reitmeir.org>
Tested-by: Florian Reitmeir <florian@reitmeir.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoARM: at91: fix external interrupt specification in board code
Nicolas Ferre [Wed, 24 Oct 2012 14:19:47 +0000 (16:19 +0200)]
ARM: at91: fix external interrupt specification in board code

commit 69e7ea04c9365626c0963ff09bbaa3a1b49e293a upstream.

Since the switch to sparse irq, we have to add the NR_IRQS_LEGACY
offset to static irq numbers. It has been forgotten on these
SPI irq definitions in board code.

Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Acked-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoARM: at91: fix external interrupts in non-DT case
Nicolas Ferre [Wed, 24 Oct 2012 14:09:57 +0000 (16:09 +0200)]
ARM: at91: fix external interrupts in non-DT case

commit 738a0fd752dc60e20beeda6f2f0f62e58dc0e344 upstream.

Management of external interrupts has changed but the
non-DT code has not integrated these changes.
Add a mask to pass external irq specification from SoC
specific code to the at91_aic_init() function.

Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Acked-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoARM: at91: at91sam9g10: fix SOC type detection
Ivan Shugov [Wed, 24 Oct 2012 09:02:44 +0000 (11:02 +0200)]
ARM: at91: at91sam9g10: fix SOC type detection

commit 3d9a0183dd3423353e9e363bcc261c1220d05f9f upstream.

Newer at91sam9g10 SoC revision can't be detected, so the kernel can't boot with
this kind of kernel panic:
"AT91: Impossible to detect the SOC type"

CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: Atmel AT91SAM9G10-EK
Ignoring tag cmdline (using the default kernel command line)
bootconsole [earlycon0] enabled
Memory policy: ECC disabled, Data cache writeback
Kernel panic - not syncing: AT91: Impossible to detect the SOC type
[<c00133d4>] (unwind_backtrace+0x0/0xe0) from [<c02366dc>] (panic+0x78/0x1cc)
[<c02366dc>] (panic+0x78/0x1cc) from [<c02fa35c>] (at91_map_io+0x90/0xc8)
[<c02fa35c>] (at91_map_io+0x90/0xc8) from [<c02f9860>] (paging_init+0x564/0x6d0)
[<c02f9860>] (paging_init+0x564/0x6d0) from [<c02f7914>] (setup_arch+0x464/0x704)
[<c02f7914>] (setup_arch+0x464/0x704) from [<c02f44f8>] (start_kernel+0x6c/0x2d4)
[<c02f44f8>] (start_kernel+0x6c/0x2d4) from [<20008040>] (0x20008040)

The reason for this is that the Debug Unit Chip ID Register has changed between
Engineering Sample and definitive revision of the SoC. Changing the check of
cidr to socid will address the problem. We do not integrate this check to the
list just above because we also have to make sure that the extended id is
disregarded.

Signed-off-by: Ivan Shugov <ivan.shugov@gmail.com>
[nicolas.ferre@atmel.com: change commit message]
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Acked-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoARM: at91/i2c: change id to let i2c-gpio work
Bo Shen [Mon, 15 Oct 2012 09:30:27 +0000 (17:30 +0800)]
ARM: at91/i2c: change id to let i2c-gpio work

commit 7840487cd6298f9f931103b558290d8d98d41c49 upstream.

The i2c core driver will turn the platform device ID to busnum
When using platfrom device ID as -1, it means dynamically assigned
the busnum. When writing code, we need to make sure the busnum,
and call i2c_register_board_info(int busnum, ...) to register device
if using -1, we do not know the value of busnum

In order to solve this issue, set the platform device ID as a fix number
Here using 0 to match the busnum used in i2c_regsiter_board_info()

Signed-off-by: Bo Shen <voice.shen@atmel.com>
Acked-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Acked-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoARM: at91/tc: fix typo in the DT document
Josh Wu [Fri, 14 Sep 2012 09:01:29 +0000 (17:01 +0800)]
ARM: at91/tc: fix typo in the DT document

commit 11930c530f3edf81160e4962e363d579f5cdce7e upstream.

Signed-off-by: Josh Wu <josh.wu@atmel.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Acked-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoARM: SAMSUNG: Add naming of s3c64xx-spi devices
Heiko Stuebner [Wed, 17 Oct 2012 07:47:11 +0000 (16:47 +0900)]
ARM: SAMSUNG: Add naming of s3c64xx-spi devices

commit 308b3afb97dc342e9c4f958d8b4c459ae0e22bd7 upstream.

Commit a5238e360b71 (spi: s3c64xx: move controller information into driver
data) introduced separate device names for the different subtypes of the
spi controller but forgot to set these in the relevant machines.

To fix this introduce a s3c64xx_spi_setname function and populate all
Samsung arches with the correct names. The function resides in a new
header, as the s3c64xx-spi.h contains driver platform data and should
therefore at some later point move out of the Samsung include dir.

Tested on a s3c2416-based machine.

Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
[s.nawrocki@samsung.com: tested on mach-exynos]
Tested-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agovhost: fix mergeable bufs on BE hosts
Michael S. Tsirkin [Wed, 24 Oct 2012 18:37:51 +0000 (20:37 +0200)]
vhost: fix mergeable bufs on BE hosts

commit 910a578f7e9400a78a3b13aba0b4d2df16a2cb05 upstream.

We copy head count to a 16 bit field, this works by chance on LE but on
BE guest gets 0. Fix it up.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Alexander Graf <agraf@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: mos7840: remove invalid disconnect handling
Johan Hovold [Thu, 25 Oct 2012 16:56:33 +0000 (18:56 +0200)]
USB: mos7840: remove invalid disconnect handling

commit e681b66f2e19fadbe8a7e2a17900978cb6bc921f upstream.

Remove private zombie flag used to signal disconnect and to prevent
control urb from being submitted from interrupt urb completion handler.

The control urb will not be re-submitted as both the control urb and the
interrupt urb is killed on disconnect.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: mos7840: remove NULL-urb submission
Johan Hovold [Thu, 25 Oct 2012 16:56:32 +0000 (18:56 +0200)]
USB: mos7840: remove NULL-urb submission

commit 28c3ae9a8cf45f439c9a0779ebd0256e2ae72813 upstream.

The private int_urb is never allocated so the submission from the
control completion handler will always fail. Remove this odd piece of
broken code.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: mos7840: fix port-device leak in error path
Johan Hovold [Thu, 25 Oct 2012 11:35:10 +0000 (13:35 +0200)]
USB: mos7840: fix port-device leak in error path

commit 3eb55cc4ed88eee3b5230f66abcdbd2a91639eda upstream.

The driver set the usb-serial port pointers to NULL on errors in attach,
effectively preventing usb-serial core from decrementing the port ref
counters and releasing the port devices and associated data.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: mos7840: fix urb leak at release
Johan Hovold [Thu, 25 Oct 2012 11:35:09 +0000 (13:35 +0200)]
USB: mos7840: fix urb leak at release

commit 65a4cdbb170e4ec1a7fa0e94936d47e24a17b0e8 upstream.

Make sure control urb is freed at release.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: sierra: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:29:19 +0000 (10:29 +0200)]
USB: sierra: fix port-data memory leak

commit f525c05babc7938cc1d4236550fd8a659fb05960 upstream.

Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Note also that urb-count for multi-port interfaces has not been changed
even though the usb-serial port number is now determined from the port
and interface minor numbers.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: sierra: fix memory leak in probe error path
Johan Hovold [Thu, 25 Oct 2012 08:29:18 +0000 (10:29 +0200)]
USB: sierra: fix memory leak in probe error path

commit 084817d79399ab5ccab2f90a148b0369912a8369 upstream.

Move interface data allocation to attach so that it is deallocated on
errors in usb-serial probe.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: sierra: fix memory leak in attach error path
Johan Hovold [Thu, 25 Oct 2012 08:29:17 +0000 (10:29 +0200)]
USB: sierra: fix memory leak in attach error path

commit 7e41f9bcdd2e813ea2a3c40db291d87ea06b559f upstream.

Make sure port private data is deallocated on errors in attach.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: serial: Fix memory leak in sierra_release()
Lennart Sorensen [Wed, 24 Oct 2012 14:23:09 +0000 (10:23 -0400)]
USB: serial: Fix memory leak in sierra_release()

commit f7bc5051667b74c3861f79eed98c60d5c3b883f7 upstream.

I found a memory leak in sierra_release() (well sierra_probe() I guess)
that looses 8 bytes each time the driver releases a device.

Signed-off-by: Len Sorensen <lsorense@csclub.uwaterloo.ca>
Acked-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: quatech2: fix io after disconnect
Johan Hovold [Thu, 25 Oct 2012 08:29:10 +0000 (10:29 +0200)]
USB: quatech2: fix io after disconnect

commit 2f0295adf6438188c4cd0868f2b1976a2b034e1d upstream.

Make sure no control urb is submitted during close after a disconnect by
checking the disconnected flag.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: quatech2: fix close and disconnect urb handling
Johan Hovold [Thu, 25 Oct 2012 08:29:09 +0000 (10:29 +0200)]
USB: quatech2: fix close and disconnect urb handling

commit 8e512ab0b675da20e023439a5811e3f2554e6852 upstream.

Kill urbs unconditionally at close and disconnect.

Note that URB status is not valid outside of completion handler.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: quatech2: fix port-data memory leaks
Johan Hovold [Thu, 25 Oct 2012 08:29:08 +0000 (10:29 +0200)]
USB: quatech2: fix port-data memory leaks

commit 40d04738491d7ac1aa708ba434ff3480ec9e1b96 upstream.

Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Note that this also fixes memory leaks in the error path of attach where
the write urbs were not freed on errors.

Make sure all interface-data deallocation is done in release by moving
the read urb deallocation from disconnect.

Note that the write urb is killed during close so that the call in
disconnect was superfluous.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: Bill Pemberton <wfp5p@virginia.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: quatech2: fix memory leak in error path
Johan Hovold [Thu, 25 Oct 2012 08:29:07 +0000 (10:29 +0200)]
USB: quatech2: fix memory leak in error path

commit b8a0055050b6294826171641b182c09f78f4cc63 upstream.

Fix memory leak in attach error path where the read urb was never freed.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: Bill Pemberton <wfp5p@virginia.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: mos7720: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:29:05 +0000 (10:29 +0200)]
USB: mos7720: fix port-data memory leak

commit 4230af572f95b3115bba1ee6fb95681f3851ab26 upstream.

Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Note that this patch also fixes a second port-data memory leak in the
error path of attach, should parallel-port initialisation fail.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: metro-usb: fix io after disconnect
Johan Hovold [Thu, 25 Oct 2012 08:29:00 +0000 (10:29 +0200)]
USB: metro-usb: fix io after disconnect

commit 2ee44fbeac92c36e53779a57ee84cfee1affe418 upstream.

Make sure no control urb is submitted during close after a disconnect by
checking the disconnected flag.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: metro-usb: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:28:59 +0000 (10:28 +0200)]
USB: metro-usb: fix port-data memory leak

commit 50dde8686eec41bf3d7cbec7a6f76c073ab01903 upstream.

Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Note that the call to metrousb_clean (close) in shutdown was redundant.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: opticon: fix memory leak in error path
Johan Hovold [Thu, 25 Oct 2012 08:29:12 +0000 (10:29 +0200)]
USB: opticon: fix memory leak in error path

commit acbf0e5263de563e25f7c104868e4490b9e72b13 upstream.

Fix memory leak in write error path.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: opticon: fix DMA from stack
Johan Hovold [Thu, 25 Oct 2012 08:29:11 +0000 (10:29 +0200)]
USB: opticon: fix DMA from stack

commit ea0dbebffe118724cd4df7d9b071ea8ee48d48f0 upstream.

Make sure to allocate the control-message buffer dynamically as some
platforms cannot do DMA from stack.

Note that only the first byte of the old buffer was used.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: whiteheat: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:29:02 +0000 (10:29 +0200)]
USB: whiteheat: fix port-data memory leak

commit c467206ed6bcce26c83d0435612cc4fee2527305 upstream.

Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Note that the fifth port (command port) is never registered as a
port device and thus should be handled in attach and release.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: <support@connecttech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: whiteheat: fix memory leak in error path
Johan Hovold [Thu, 25 Oct 2012 08:29:01 +0000 (10:29 +0200)]
USB: whiteheat: fix memory leak in error path

commit c129197c99550d356cf5f69b046994dd53cd1b9d upstream.

Make sure command buffer is deallocated in case of errors during attach.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: <support@connecttech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: qcserial: fix interface-data memory leak in error path
Johan Hovold [Thu, 25 Oct 2012 13:42:41 +0000 (15:42 +0200)]
USB: qcserial: fix interface-data memory leak in error path

commit 961be09e1ead58509ed4bed0d5819a15d8613d8d upstream.

Move interface data allocation to attach so that it is deallocated
should usb-serial probe fail.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: omninet: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:29:06 +0000 (10:29 +0200)]
USB: omninet: fix port-data memory leak

commit feffa7ca6008ab859dd7ab7448a5a899bf0aa98f upstream.

Fix port-data memory leak by replacing attach and release with
port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: keyspan: fix NULL-pointer dereferences and memory leaks
Johan Hovold [Thu, 25 Oct 2012 08:29:15 +0000 (10:29 +0200)]
USB: keyspan: fix NULL-pointer dereferences and memory leaks

commit f79b2d0fe81eecb412dc48e87a119afc690da8e9 upstream.

Fix NULL-pointer dereference at release by moving port data allocation
and deallocation to port_probe and port_remove.

Fix NULL-pointer dereference at disconnect by stopping port urbs at
port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer accessible at
disconnect or release.

Note that this patch also fixes port and interface-data memory leaks in
the error path of attach should port initialisation fail for any port.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: option: fix interface-data memory leak in error path
Johan Hovold [Thu, 25 Oct 2012 13:42:40 +0000 (15:42 +0200)]
USB: option: fix interface-data memory leak in error path

commit c2dd4a8eac7821fed2c2d19e4607d0986b53b0fe upstream.

Move interface data allocation to attach so that it is deallocated
should usb-serial probe fail.

Note that the usb device id is stored at probe so that it can be used
in attach to determine send-setup blacklisting.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: mct_u232: fix broken close
Johan Hovold [Thu, 25 Oct 2012 08:29:14 +0000 (10:29 +0200)]
USB: mct_u232: fix broken close

commit 5260e458f5eff269a43e4f1e9c47186c57b88ddb upstream.

Make sure generic close is called at close.

The driver relies on the generic write implementation but did not call
generic close.

Note that the call to kill the read urb is not redundant, as mct_u232
uses an interrupt urb from the second port as the read urb and that
generic close therefore fails to kill it.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: mct_u232: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:29:13 +0000 (10:29 +0200)]
USB: mct_u232: fix port-data memory leak

commit a8f2ae7a3aa59079d7e7e1ddf5007f03532f458c upstream.

Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Note that the write waitqueue was initialised but never used.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: ipw: fix interface-data memory leak in error path
Johan Hovold [Thu, 25 Oct 2012 13:42:39 +0000 (15:42 +0200)]
USB: ipw: fix interface-data memory leak in error path

commit a997448c89905b80aa4022f734f03685e733d711 upstream.

Move interface data allocation to attach so that it is deallocated
should usb-serial probe fail.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: digi_acceleport: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:29:04 +0000 (10:29 +0200)]
USB: digi_acceleport: fix port-data memory leak

commit fb44ff854e148bc5c5982dad32da98b7a0989d2d upstream.

Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Note that the oob port is never registered as a port device and should
thus be handled in attach and release.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: Peter Berger <pberger@brimson.com>
Cc: Al Borchers <alborchers@steinerpoint.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: ch341: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:29:03 +0000 (10:29 +0200)]
USB: ch341: fix port-data memory leak

commit 456c5be56ed070a4d883c60b587bcc1c97a8cf3e upstream.

Fix port-data memory leak by moving port data allocation to port_probe
and actually implementing deallocation.

Note that this driver has never even bothered to try to deallocate it's
port data...

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agousb hub: send clear_tt_buffer_complete events when canceling TT clear work
Octavian Purdila [Mon, 1 Oct 2012 19:21:12 +0000 (22:21 +0300)]
usb hub: send clear_tt_buffer_complete events when canceling TT clear work

commit 3b6054da68f9b0d5ed6a7ed0f42a79e61904352c upstream.

There is a race condition in the USB hub code with regard to handling
TT clear requests that can get the HCD driver in a deadlock. Usually
when an TT clear request is scheduled it will be executed immediately:

<7>[    6.077583] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
<3>[    6.078041] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
<7>[    6.078299] hub_tt_work:731
<7>[    9.309089] usb 2-1.5: link qh1-0e01/f4d506c0 start 0 [1/2 us]
<7>[    9.324526] ehci_hcd 0000:00:1d.0: reused qh f4d4db00 schedule
<7>[    9.324539] usb 2-1.3: link qh1-0e01/f4d4db00 start 0 [1/2 us]
<7>[    9.341530] usb 1-1.1: link qh4-0e01/f397aec0 start 2 [1/2 us]
<7>[   10.116159] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
<3>[   10.116459] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
<7>[   10.116537] hub_tt_work:731

However, if a suspend operation is triggered before hub_tt_work is
scheduled, hub_quiesce will cancel the work without notifying the HCD
driver:

<3>[   35.033941] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d80
<5>[   35.034022] sd 0:0:0:0: [sda] Stopping disk
<7>[   35.034039] hub 2-1:1.0: hub_suspend
<7>[   35.034067] usb 2-1: unlink qh256-0001/f3b1ab00 start 1 [1/0 us]
<7>[   35.035085] hub 1-0:1.0: hub_suspend
<7>[   35.035102] usb usb1: bus suspend, wakeup 0
<7>[   35.035106] ehci_hcd 0000:00:1a.0: suspend root hub
<7>[   35.035298] hub 2-0:1.0: hub_suspend
<7>[   35.035313] usb usb2: bus suspend, wakeup 0
<7>[   35.035315] ehci_hcd 0000:00:1d.0: suspend root hub
<6>[   35.250017] PM: suspend of devices complete after 216.979 msecs
<6>[   35.250822] PM: late suspend of devices complete after 0.799 msecs
<7>[   35.252343] ehci_hcd 0000:00:1d.0: wakeup: 1
<7>[   35.262923] ehci_hcd 0000:00:1d.0: --> PCI D3hot
<7>[   35.263302] ehci_hcd 0000:00:1a.0: wakeup: 1
<7>[   35.273912] ehci_hcd 0000:00:1a.0: --> PCI D3hot
<6>[   35.274254] PM: noirq suspend of devices complete after 23.442 msecs
<6>[   35.274975] ACPI: Preparing to enter system sleep state S3
<6>[   35.292666] PM: Saving platform NVS memory
<7>[   35.295030] Disabling non-boot CPUs ...
<6>[   35.297351] CPU 1 is now offline
<6>[   35.300345] CPU 2 is now offline
<6>[   35.303929] CPU 3 is now offline
<7>[   35.303931] lockdep: fixing up alternatives.
<6>[   35.304825] Extended CMOS year: 2000

When the device will resume the EHCI driver will get stuck in
ehci_endpoint_disable waiting for the tt_clearing flag to reset:

<0>[   47.610967] usb 2-1.3: **** DPM device timeout ****
<7>[   47.610972]  f2f11c60 00000092 f2f11c0c c10624a5 00000003 f4c6e880 c1c8a4c0 c1c8a4c0
<7>[   47.610983]  15c55698 0000000b f56b34c0 f2a45b70 f4c6e880 00000082 f2a4602c f2f11c30
<7>[   47.610993]  c10787f8 f4cac000 f2a45b70 00000000 f4cac010 f2f11c58 00000046 00000001
<7>[   47.611004] Call Trace:
<7>[   47.611006]  [<c10624a5>] ? sched_clock_cpu+0xf5/0x160
<7>[   47.611019]  [<c10787f8>] ? lock_release_holdtime.part.22+0x88/0xf0
<7>[   47.611026]  [<c103ed46>] ? lock_timer_base.isra.35+0x26/0x50
<7>[   47.611034]  [<c17592d3>] ? schedule_timeout+0x133/0x290
<7>[   47.611044]  [<c175b43e>] schedule+0x1e/0x50
<7>[   47.611051]  [<c17592d8>] schedule_timeout+0x138/0x290
<7>[   47.611057]  [<c10624a5>] ? sched_clock_cpu+0xf5/0x160
<7>[   47.611063]  [<c103e560>] ? usleep_range+0x40/0x40
<7>[   47.611070]  [<c1759445>] schedule_timeout_uninterruptible+0x15/0x20
<7>[   47.611077]  [<c14935f4>] ehci_endpoint_disable+0x64/0x160
<7>[   47.611084]  [<c147d1ee>] ? usb_hcd_flush_endpoint+0x10e/0x1d0
<7>[   47.611092]  [<c1165663>] ? sysfs_add_file+0x13/0x20
<7>[   47.611100]  [<c147d5a9>] usb_hcd_disable_endpoint+0x29/0x40
<7>[   47.611107]  [<c147fafc>] usb_disable_endpoint+0x5c/0x80
<7>[   47.611111]  [<c147fb57>] usb_disable_interface+0x37/0x50
<7>[   47.611116]  [<c1477650>] usb_reset_and_verify_device+0x4b0/0x640
<7>[   47.611122]  [<c1474665>] ? hub_port_status+0xb5/0x100
<7>[   47.611129]  [<c147a975>] usb_port_resume+0xd5/0x220
<7>[   47.611136]  [<c148877f>] generic_resume+0xf/0x30
<7>[   47.611142]  [<c14821a3>] usb_resume+0x133/0x180
<7>[   47.611147]  [<c1473b10>] ? usb_dev_thaw+0x10/0x10
<7>[   47.611152]  [<c1473b1d>] usb_dev_resume+0xd/0x10
<7>[   47.611157]  [<c13baa60>] dpm_run_callback+0x40/0xb0
<7>[   47.611164]  [<c13bdb03>] ? pm_runtime_enable+0x43/0x70
<7>[   47.611171]  [<c13bafc6>] device_resume+0x1a6/0x2c0
<7>[   47.611177]  [<c13ba940>] ? dpm_show_time+0xe0/0xe0
<7>[   47.611183]  [<c13bb0f9>] async_resume+0x19/0x40
<7>[   47.611189]  [<c10580c4>] async_run_entry_fn+0x64/0x160
<7>[   47.611196]  [<c104a244>] ? process_one_work+0x104/0x480
<7>[   47.611203]  [<c104a24c>] ? process_one_work+0x10c/0x480
<7>[   47.611209]  [<c104a2c0>] process_one_work+0x180/0x480
<7>[   47.611215]  [<c104a244>] ? process_one_work+0x104/0x480
<7>[   47.611220]  [<c1058060>] ? async_schedule+0x10/0x10
<7>[   47.611226]  [<c104c15c>] worker_thread+0x11c/0x2f0
<7>[   47.611233]  [<c104c040>] ? manage_workers.isra.27+0x1f0/0x1f0
<7>[   47.611239]  [<c10507f8>] kthread+0x78/0x80
<7>[   47.611244]  [<c1750000>] ? timer_cpu_notify+0xd6/0x20d
<7>[   47.611253]  [<c1050780>] ? __init_kthread_worker+0x60/0x60
<7>[   47.611258]  [<c176357e>] kernel_thread_helper+0x6/0xd
<7>[   47.611283] ------------[ cut here ]------------

This patch changes hub_quiesce behavior to flush the TT clear work
instead of canceling it, to make sure that no TT clear request remains
uncompleted before suspend.

Signed-off-by: Octavian Purdila <octavian.purdila@intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: usb-wwan: fix multiple memory leaks in error paths
Johan Hovold [Thu, 25 Oct 2012 08:29:16 +0000 (10:29 +0200)]
USB: usb-wwan: fix multiple memory leaks in error paths

commit b8f0e82044c9ba40e92340c8a6d47d6bd6d819bc upstream.

Fix port-data memory leak in usb-serial probe error path by moving port
data allocation to port_probe.

Since commit a1028f0abf ("usb: usb_wwan: replace release and disconnect
with a port_remove hook") port data is deallocated in port_remove. This
leaves a possibility for memory leaks if usb-serial probe fails after
attach but before the port in question has been successfully registered.

Note that this patch also fixes two additional memory leaks in the error
path of attach should port initialisation fail for any port as the urbs
were never freed and neither was the data of any of the successfully
initialised ports.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agousb-storage: add unusual_devs entry for Casio EX-N1 digital camera
Michael Shigorin [Mon, 22 Oct 2012 09:18:56 +0000 (12:18 +0300)]
usb-storage: add unusual_devs entry for Casio EX-N1 digital camera

commit d7870af7e2e3a91b462075ec1ca669b482215187 upstream.

This commit sets removable subclass for Casio EX-N1 digital camera.

The patch has been tested within an ALT Linux kernel:
http://git.altlinux.org/people/led/packages/?p=kernel-image-3.0.git;a=commitdiff;h=c0fd891836e89fe0c93a4d536a59216d90e4e3e7

See also https://bugzilla.kernel.org/show_bug.cgi?id=49221

Signed-off-by: Oleksandr Chumachenko <ledest@gmail.com>
Signed-off-by: Michael Shigorin <mike@osdn.org.ua>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoehci: Add yet-another Lucid nohandoff pci quirk
Anisse Astier [Tue, 9 Oct 2012 10:22:37 +0000 (12:22 +0200)]
ehci: Add yet-another Lucid nohandoff pci quirk

commit 8daf8b6086f9d575200cd0aa3797e26137255609 upstream.

Board name changed on another shipping Lucid tablet.

Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoehci: fix Lucid nohandoff pci quirk to be more generic with BIOS versions
Anisse Astier [Tue, 9 Oct 2012 10:22:36 +0000 (12:22 +0200)]
ehci: fix Lucid nohandoff pci quirk to be more generic with BIOS versions

commit c323dc023b9501e5d09582ec7efd1d40a9001d99 upstream.

BIOS vendors keep changing the BIOS versions. Only match the beginning
of the string to match all Lucid tablets with board name M11JB.

Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoDrivers: hv: Cleanup error handling in vmbus_open()
K. Y. Srinivasan [Fri, 12 Oct 2012 20:22:42 +0000 (13:22 -0700)]
Drivers: hv: Cleanup error handling in vmbus_open()

commit 1392550240aaa72ce3a094a38bd23525cd67ce60 upstream.

Fix a memory leak  in the error handling path in the function vmbus_open().

Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Reported-by: Jason Wang <jasowang@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoextcon: unregister compat link on cleanup
Peter Huewe [Mon, 24 Sep 2012 06:36:24 +0000 (15:36 +0900)]
extcon: unregister compat link on cleanup

commit 824a1bc045cef278aec15bef35d8d0b59ce77856 upstream.

Since extcon registers this compat link at device registration
(extcon_dev_register), we should probably remove them at deregistration/cleanup.

Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
12 years agoextcon: Unregister compat class at module unload to fix oops
Peter Huewe [Mon, 24 Sep 2012 06:32:31 +0000 (15:32 +0900)]
extcon: Unregister compat class at module unload to fix oops

commit 0dc77b6dabec8fd298392018cc0de5214af2dc43 upstream.

If you compile extcon with CONFIG_ANDROID and then load and unload the
module you get a simple oops as the driver does not unregister its
compat class and thus cannot register it again.

Full trace:

root@(none):~# modprobe extcon_class
root@(none):~# rmmod extcon_class
root@(none):~# modprobe extcon_class
------------[ cut here ]------------
WARNING: at fs/sysfs/dir.c:536 sysfs_add_one+0xde/0x100()
sysfs: cannot create duplicate filename '/class/switch'
Modules linked in: extcon_class(+) [last unloaded: extcon_class]
Call Trace:
9f451a00:  [<602a58bc>] printk+0x0/0xa8
9f451a18:  [<60039b43>] warn_slowpath_common+0x93/0xd0
9f451a28:  [<6012c6de>] sysfs_add_one+0xde/0x100
9f451a50:  [<601d3d90>] strcat+0x0/0x40
9f451a68:  [<60039cdc>] warn_slowpath_fmt+0x9c/0xa0
9f451a90:  [<6002fe32>] unblock_signals+0x0/0x84
9f451ab0:  [<60039c40>] warn_slowpath_fmt+0x0/0xa0
9f451ac0:  [<6002fe32>] unblock_signals+0x0/0x84
9f451ae8:  [<6012bd97>] sysfs_pathname.isra.10+0x57/0x70
9f451b00:  [<601d3d90>] strcat+0x0/0x40
9f451b18:  [<6012bd97>] sysfs_pathname.isra.10+0x57/0x70
9f451b48:  [<6012c6de>] sysfs_add_one+0xde/0x100
9f451b78:  [<6012c96f>] create_dir+0x8f/0x100
9f451bc0:  [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451bd8:  [<6012cda6>] sysfs_create_dir+0xa6/0x1c0
9f451be8:  [<601d89f1>] kvasprintf+0x81/0xa0
9f451bf8:  [<601cf0f0>] kobject_get+0x0/0x50
9f451c18:  [<601cf396>] kobject_add_internal+0x96/0x280
9f451c60:  [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451c78:  [<601cfb93>] kobject_add+0xd3/0x140
9f451cc0:  [<601cfac0>] kobject_add+0x0/0x140
9f451cd0:  [<6002fe32>] unblock_signals+0x0/0x84
9f451cf8:  [<6002fffc>] set_signals+0x29/0x3f
9f451d28:  [<600c1de1>] kmem_cache_alloc+0xe1/0x100
9f451d78:  [<601cffa0>] kobject_create_and_add+0x50/0xa0
9f451da8:  [<601fbe76>] class_compat_register+0x56/0x80
9f451dc8:  [<a085d118>] create_extcon_class+0x88/0xd0 [extcon_class]
9f451de8:  [<a0861010>] extcon_class_init+0x10/0x12 [extcon_class]
9f451df8:  [<600189a8>] do_one_initcall+0x48/0x1f0
9f451e20:  [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e30:  [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e58:  [<6007e3c3>] sys_init_module+0xa3/0x280
9f451e88:  [<6001e2ad>] handle_syscall+0x8d/0x90
9f451ea8:  [<60033370>] userspace+0x405/0x531
9f451ee8:  [<6001e380>] copy_chunk_to_user+0x0/0x40
9f451ef8:  [<6001e5cd>] do_op_one_page+0x14d/0x220
9f451fd8:  [<6001a355>] fork_handler+0x95/0xa0

---[ end trace dd512cc03fe1c367 ]---
------------[ cut here ]------------
WARNING: at lib/kobject.c:196 kobject_add_internal+0x26e/0x280()
kobject_add_internal failed for switch with -EEXIST, don't try to
register things with the same name in the same directory.
Modules linked in: extcon_class(+) [last unloaded: extcon_class]
Call Trace:
9f451ad0:  [<602a58bc>] printk+0x0/0xa8
9f451ae8:  [<60039b43>] warn_slowpath_common+0x93/0xd0
9f451af8:  [<601cf56e>] kobject_add_internal+0x26e/0x280
9f451b18:  [<601cf140>] kobject_put+0x0/0x70
9f451b20:  [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451b38:  [<60039cdc>] warn_slowpath_fmt+0x9c/0xa0
9f451b88:  [<60039c40>] warn_slowpath_fmt+0x0/0xa0
9f451bc0:  [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451bd8:  [<6012cda6>] sysfs_create_dir+0xa6/0x1c0
9f451be8:  [<601d89f1>] kvasprintf+0x81/0xa0
9f451bf8:  [<601cf0f0>] kobject_get+0x0/0x50
9f451c18:  [<601cf56e>] kobject_add_internal+0x26e/0x280
9f451c60:  [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451c78:  [<601cfb93>] kobject_add+0xd3/0x140
9f451cc0:  [<601cfac0>] kobject_add+0x0/0x140
9f451cd0:  [<6002fe32>] unblock_signals+0x0/0x84
9f451cf8:  [<6002fffc>] set_signals+0x29/0x3f
9f451d28:  [<600c1de1>] kmem_cache_alloc+0xe1/0x100
9f451d78:  [<601cffa0>] kobject_create_and_add+0x50/0xa0
9f451da8:  [<601fbe76>] class_compat_register+0x56/0x80
9f451dc8:  [<a085d118>] create_extcon_class+0x88/0xd0 [extcon_class]
9f451de8:  [<a0861010>] extcon_class_init+0x10/0x12 [extcon_class]
9f451df8:  [<600189a8>] do_one_initcall+0x48/0x1f0
9f451e20:  [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e30:  [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e58:  [<6007e3c3>] sys_init_module+0xa3/0x280
9f451e88:  [<6001e2ad>] handle_syscall+0x8d/0x90
9f451ea8:  [<60033370>] userspace+0x405/0x531
9f451ee8:  [<6001e380>] copy_chunk_to_user+0x0/0x40
9f451ef8:  [<6001e5cd>] do_op_one_page+0x14d/0x220
9f451fd8:  [<6001a355>] fork_handler+0x95/0xa0

---[ end trace dd512cc03fe1c368 ]---
kobject_create_and_add: kobject_add error: -17
------------[ cut here ]------------
WARNING: at drivers/extcon/extcon_class.c:545
create_extcon_class+0xbc/0xd0 [extcon_class]()
cannot allocate
Modules linked in: extcon_class(+) [last unloaded: extcon_class]
Call Trace:
9f451c80:  [<602a58bc>] printk+0x0/0xa8
9f451c98:  [<60039b43>] warn_slowpath_common+0x93/0xd0
9f451ca0:  [<6002fe32>] unblock_signals+0x0/0x84
9f451ca8:  [<a085d14c>] create_extcon_class+0xbc/0xd0 [extcon_class]
9f451cd0:  [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451ce8:  [<60039cdc>] warn_slowpath_fmt+0x9c/0xa0
9f451d20:  [<6002fe32>] unblock_signals+0x0/0x84
9f451d28:  [<60039c40>] warn_slowpath_fmt+0x0/0xa0
9f451d48:  [<6002fffc>] set_signals+0x29/0x3f
9f451d58:  [<601cf172>] kobject_put+0x32/0x70
9f451d78:  [<600c22c3>] kfree+0xb3/0x100
9f451da8:  [<601fbe9a>] class_compat_register+0x7a/0x80
9f451dc8:  [<a085d14c>] create_extcon_class+0xbc/0xd0 [extcon_class]
9f451de8:  [<a0861010>] extcon_class_init+0x10/0x12 [extcon_class]
9f451df8:  [<600189a8>] do_one_initcall+0x48/0x1f0
9f451e20:  [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e30:  [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e58:  [<6007e3c3>] sys_init_module+0xa3/0x280
9f451e88:  [<6001e2ad>] handle_syscall+0x8d/0x90
9f451ea8:  [<60033370>] userspace+0x405/0x531
9f451ee8:  [<6001e380>] copy_chunk_to_user+0x0/0x40
9f451ef8:  [<6001e5cd>] do_op_one_page+0x14d/0x220
9f451fd8:  [<6001a355>] fork_handler+0x95/0xa0

---[ end trace dd512cc03fe1c369 ]---
FATAL: Error inserting extcon_class
(/lib/modules/3.6.0-rc6-00178-g811315f/kernel/drivers/extcon/extcon_class.ko):
Cannot allocate memory

This patch fixes this.

Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: comedi: amplc_pc236: fix possible NULL deref during detach
Ian Abbott [Wed, 3 Oct 2012 15:25:18 +0000 (16:25 +0100)]
staging: comedi: amplc_pc236: fix possible NULL deref during detach

commit 2db012bd40b889d8e5483d3daa07af04c4c109d8 upstream.

`pc236_detach()` is called by the comedi core to clean up if either
`pc236_attach()` or `pc236_attach_pci()` returns an error.  It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  This is a valid assumption if `pc236_attach()` fails, but not
if `pc236_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `pc236_detach()` and return early if it
is `NULL`.  This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: comedi: amplc_pc236: fix invalid register access during detach
Ian Abbott [Wed, 3 Oct 2012 15:25:17 +0000 (16:25 +0100)]
staging: comedi: amplc_pc236: fix invalid register access during detach

commit aaeb61a97b7159ebe30b18a422d04eeabfa8790b upstream.

`pc236_detach()` is called by the comedi core if it attempted to attach
a device and failed.  `pc236_detach()` calls `pc236_intr_disable()` if
the comedi device private data pointer (`devpriv`) is non-null.  This
test is insufficient as `pc236_intr_disable()` accesses hardware
registers and the attach routine may have failed before it has saved
their I/O base addresses.

Fix it by checking `dev->iobase` is non-zero before calling
`pc236_intr_disable()` as that means the I/O base addresses have been
saved and the hardware registers can be accessed.  It also implies the
comedi device private data pointer is valid, so there is no need to
check it.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: comedi: amplc_pc263: fix possible NULL deref during detach
Ian Abbott [Wed, 3 Oct 2012 15:25:19 +0000 (16:25 +0100)]
staging: comedi: amplc_pc263: fix possible NULL deref during detach

commit 1d1171ffda585c1cab7bd7cf4bd8f8fd5923fb4a upstream.

`pc263_detach()` is called by the comedi core to clean up if either
`pc263_attach()` or `pc263_attach_pci()` returns an error.  It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  This is a valid assumption if `pc263_attach()` fails, but not
if `pc263_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `pc263_detach()` and return early if it
is `NULL`.  This is okay because no other resources need cleaning up in
this case.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: comedi: amplc_dio200: fix possible NULL deref during detach
Ian Abbott [Wed, 3 Oct 2012 15:25:16 +0000 (16:25 +0100)]
staging: comedi: amplc_dio200: fix possible NULL deref during detach

commit dfb2540e91e1f63765bc3ff497ad0b714d774261 upstream.

`dio200_detach()` is called by the comedi core to clean up if either
`dio200_attach()` or `dio200_attach_pci()` return an error.  It assigns
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  In the case of a previous call to `dio200_attach()` it won't
be `NULL` because the comedi core will have pointed it to one of the
elements of `dio200_boards[]`, but in the case of a previous call to
`dio200_attach_pci()` it could be `NULL`, leading to a null pointer
dereference.

Check that `thisboard` is valid at the top of `dio200_detach()` and
return early if it is `NULL`.  This is okay because the only other thing
that could have been allocated is `dev->private` and that is freed by
the comedi core, not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: comedi: ni_labpc: fix possible NULL deref during detach
Ian Abbott [Wed, 3 Oct 2012 15:25:21 +0000 (16:25 +0100)]
staging: comedi: ni_labpc: fix possible NULL deref during detach

commit 922b67c1ac53014d80649a961a2fde700cd065d8 upstream.

`labpc_common_detach()` is called by the comedi core to clean up if
either `labpc_attach()` (including the one in the "ni_labpc_cs" module)
or `labpc_attach_pci()` returns an error.  It assumes the `thisboard`
macro (expanding to `((struct labpc_board_struct *)dev->board_ptr)`) is
non-null.  This is a valid assumption if `labpc_attach()` fails, but not
if `labpc_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `labpc_common_detach()` and return early
if it is `NULL`.  This is okay because the only other thing that could
have been allocated is `dev->private` and that is freed by the comedi
core, not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: comedi: ni_daq_700: fix dio subdevice regression
Fred Brooks [Tue, 2 Oct 2012 10:10:26 +0000 (11:10 +0100)]
staging: comedi: ni_daq_700: fix dio subdevice regression

commit 6681e63399926651cc29bcb9d92229b6f1cf1daa upstream.

Here is a small patch to fix a problem caused by a previous patch that
removed the  callback function.  The callback remove patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1de02225358988e8fd48d1dc3fd12336bbae258a

I finally booted my dev machine on the latest kernel (running Debian
here so it's still on 3.2 normally) to test the ni_daq_700 driver with
my test program and noticed this bug.

Shift the DIO_R read result to bits 8..15 Digital direction
configuration: channels 0-7 output, 8-15 input (8225 device emu as port
A output, port B input, port C N/A).

Signed-off-by: Fred Brooks <nsaspook@nsaspook.com>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: comedi: das08: fix possible NULL deref during detach
Ian Abbott [Wed, 3 Oct 2012 15:25:20 +0000 (16:25 +0100)]
staging: comedi: das08: fix possible NULL deref during detach

commit ee280d134f2e05e0172369a53fbe202dbfc527fa upstream.

`das08_detach()` is called by the comedi core to clean up if either
`das08_attach()` or `das08_attach_pci()` returns an error.  It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  This is a valid assumption if `das08_attach()` fails, but not
if `das08_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `das08_detach()` and return early if it
is `NULL`.  This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: zram: Fix handling of incompressible pages
Nitin Gupta [Thu, 11 Oct 2012 00:42:18 +0000 (17:42 -0700)]
staging: zram: Fix handling of incompressible pages

commit c8f2f0db1d0294aaf37e8a85bea9bbc4aaf5c0fe upstream.

Change 130f315a (staging: zram: remove special handle of uncompressed page)
introduced a bug in the handling of incompressible pages which resulted in
memory allocation failure for such pages.

When a page expands on compression, say from 4K to 4K+30, we were trying to
do zsmalloc(pool, 4K+30). However, the maximum size which zsmalloc can
allocate is PAGE_SIZE (for obvious reasons), so such allocation requests
always return failure (0).

For a page that has compressed size larger than the original size (this may
happen with already compressed or random data), there is no point storing
the compressed version as that would take more space and would also require
time for decompression when needed again. So, the fix is to store any page,
whose compressed size exceeds a threshold (max_zpage_size), as-it-is i.e.
without compression.  Memory required for storing this uncompressed page can
then be requested from zsmalloc which supports PAGE_SIZE sized allocations.

Lastly, the fix checks that we do not attempt to "decompress" the page which
we stored in the uncompressed form -- we just memcpy() out such pages.

Signed-off-by: Nitin Gupta <ngupta@vflare.org>
Reported-by: viechweg@gmail.com
Reported-by: paerley@gmail.com
Reported-by: wu.tommy@gmail.com
Acked-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoStaging: android: binder: Allow using highmem for binder buffers
Arve Hjønnevåg [Tue, 16 Oct 2012 22:29:55 +0000 (15:29 -0700)]
Staging: android: binder: Allow using highmem for binder buffers

commit 585650dcec88e704a19bb226a34b6a7166111623 upstream.

The default kernel mapping for the pages allocated for the binder
buffers is never used. Set the __GFP_HIGHMEM flag when allocating
these pages so we don't needlessly use low memory pages that may
be required elsewhere.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoStaging: android: binder: Fix memory leak on thread/process exit
Arve Hjønnevåg [Tue, 16 Oct 2012 22:29:54 +0000 (15:29 -0700)]
Staging: android: binder: Fix memory leak on thread/process exit

commit 675d66b0ed5fd170d6a44cf8dbb3fa56a5347bdb upstream.

If a thread or process exited while a reply, one-way transaction or
death notification was pending, the struct holding the pending work
was leaked.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agosysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat()
Geert Uytterhoeven [Sat, 29 Sep 2012 20:23:19 +0000 (22:23 +0200)]
sysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat()

commit 66081a72517a131430dcf986775f3268aafcb546 upstream.

The warning check for duplicate sysfs entries can cause a buffer overflow
when printing the warning, as strcat() doesn't check buffer sizes.
Use strlcat() instead.

Since strlcat() doesn't return a pointer to the passed buffer, unlike
strcat(), I had to convert the nested concatenation in sysfs_add_one() to
an admittedly more obscure comma operator construct, to avoid emitting code
for the concatenation if CONFIG_BUG is disabled.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoxhci: endianness xhci_calculate_intel_u2_timeout
Oliver Neukum [Wed, 17 Oct 2012 10:17:50 +0000 (12:17 +0200)]
xhci: endianness xhci_calculate_intel_u2_timeout

commit 966e7a854177097083683176ced871558b631a12 upstream.

An le16 is accessed without conversion.

This patch should be backported to kernels as old as 3.5, that contain
the commit e3567d2c15a7a8e2f992a5f7c7683453ca406d82 "xhci: Add Intel
U1/U2 timeout policy."

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoxhci: fix integer overflow
Oliver Neukum [Wed, 17 Oct 2012 08:16:16 +0000 (10:16 +0200)]
xhci: fix integer overflow

commit 16b45fdf9c4e82f5d3bc53aa70737650e7c8d5ed upstream.

xhci_service_interval_to_ns() returns long long
to avoid an overflow. However, the type cast happens
too late. The fix is to force ULL from the beginning.

This patch should be backported to kernels as old as 3.5, that contain
the commit e3567d2c15a7a8e2f992a5f7c7683453ca406d82 "xhci: Add Intel
U1/U2 timeout policy."

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoxhci: Fix potential NULL ptr deref in command cancellation.
Sarah Sharp [Tue, 16 Oct 2012 20:17:43 +0000 (13:17 -0700)]
xhci: Fix potential NULL ptr deref in command cancellation.

commit 43a09f7fb01fa1e091416a2aa49b6c666458c1ee upstream.

The command cancellation code doesn't check whether find_trb_seg()
couldn't find the segment that contains the TRB to be canceled.  This
could cause a NULL pointer deference later in the function when next_trb
is called.  It's unlikely to happen unless something is wrong with the
command ring pointers, so add some debugging in case it happens.

This patch should be backported to stable kernels as old as 3.0, that
contain the commit b63f4053cc8aa22a98e3f9a97845afe6c15d0a0d "xHCI:
handle command after aborting the command ring".

Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoLOCKD: Clear ln->nsm_clnt only when ln->nsm_users is zero
Trond Myklebust [Wed, 24 Oct 2012 12:53:35 +0000 (08:53 -0400)]
LOCKD: Clear ln->nsm_clnt only when ln->nsm_users is zero

commit e498daa81295d02f7359af313c2b7f87e1062207 upstream.

The current code is clearing it in all cases _except_ when zero.

Reported-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoSUNRPC: Prevent races in xs_abort_connection()
Trond Myklebust [Tue, 23 Oct 2012 21:50:07 +0000 (17:50 -0400)]
SUNRPC: Prevent races in xs_abort_connection()

commit 4bc1e68ed6a8b59be8a79eb719be515a55c7bc68 upstream.

The call to xprt_disconnect_done() that is triggered by a successful
connection reset will trigger another automatic wakeup of all tasks
on the xprt->pending rpc_wait_queue. In particular it will cause an
early wake up of the task that called xprt_connect().

All we really want to do here is clear all the socket-specific state
flags, so we split that functionality out of xs_sock_mark_closed()
into a helper that can be called by xs_abort_connection()

Reported-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Tested-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoLOCKD: fix races in nsm_client_get
Trond Myklebust [Tue, 23 Oct 2012 17:51:58 +0000 (13:51 -0400)]
LOCKD: fix races in nsm_client_get

commit a4ee8d978e47e79d536226dccb48991f70091168 upstream.

Commit e9406db20fecbfcab646bad157b4cfdc7cadddfb (lockd: per-net
NSM client creation and destruction helpers introduced) contains
a nasty race on initialisation of the per-net NSM client because
it doesn't check whether or not the client is set after grabbing
the nsm_create_mutex.

Reported-by: Nix <nix@esperi.org.uk>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>