Blackfin: Annotate strnlen_user and strlen_user 'src' parameter with __user
The 'src' parameter of strnlen_user and strlen_user is supposed to take a
userspace pointer, so annotate it with __user. This fixes the following and
similar sparse warnings:
fs/binfmt_elf_fdpic.c:671:36: warning: incorrect type in argument 1 (different address spaces)
fs/binfmt_elf_fdpic.c:671:36: expected char const *src
fs/binfmt_elf_fdpic.c:671:36: got char [noderef] <asn:1>*[assigned] p
fs/binfmt_elf_fdpic.c:683:36: warning: incorrect type in argument 1 (different address spaces)
fs/binfmt_elf_fdpic.c:683:36: expected char const *src
fs/binfmt_elf_fdpic.c:683:36: got char [noderef] <asn:1>*[assigned] p
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Bob Liu <lliubbo@gmail.com>
Blackfin: Annotate clear_user 'to' parameter with __user
The 'to' parameter of clear_user is supposed to take a userspace pointer, so
annotate it with __user. This fixes the following and similar sparse warnings:
fs/binfmt_elf_fdpic.c:714:35: warning: incorrect type in argument 1 (different address spaces)
fs/binfmt_elf_fdpic.c:714:35: expected void [noderef] <asn:1>*to
fs/binfmt_elf_fdpic.c:714:35: got void *<noident>
fs/binfmt_elf_fdpic.c:1119:29: warning: incorrect type in argument 1 (different address spaces)
fs/binfmt_elf_fdpic.c:1119:29: expected void *to
fs/binfmt_elf_fdpic.c:1119:29: got void [noderef] <asn:1>*<noident>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Bob Liu <lliubbo@gmail.com>
Jerry Chu [Mon, 22 Oct 2012 11:26:36 +0000 (11:26 +0000)]
tcp: Reject invalid ack_seq to Fast Open sockets
A packet with an invalid ack_seq may cause a TCP Fast Open socket to switch
to the unexpected TCP_CLOSING state, triggering a BUG_ON kernel panic.
When a FIN packet with an invalid ack_seq# arrives at a socket in
the TCP_FIN_WAIT1 state, rather than discarding the packet, the current
code will accept the FIN, causing state transition to TCP_CLOSING.
This may be a small deviation from RFC793, which seems to say that the
packet should be dropped. Unfortunately I did not expect this case for
Fast Open hence it will trigger a BUG_ON panic.
It turns out there is really nothing bad about a TFO socket going into
TCP_CLOSING state so I could just remove the BUG_ON statements. But after
some thought I think it's better to treat this case like TCP_SYN_RECV
and return a RST to the confused peer who caused the unacceptable ack_seq
to be generated in the first place.
Signed-off-by: H.K. Jerry Chu <hkchu@google.com> Cc: Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Acked-by: Yuchung Cheng <ycheng@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Jean Delvare [Thu, 18 Oct 2012 20:11:38 +0000 (22:11 +0200)]
MAINTAINERS: NETWORKING DRIVERS matches too much
File pattern include/linux/*device.h matches too much, including
completely unrelated files. Replace it with an explicit list of
network device-related header files.
Signed-off-by: Jean Delvare <khali@linux-fr.org> Cc: Joe Perches <joe@perches.com> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Veaceslav Falico [Mon, 22 Oct 2012 04:43:25 +0000 (04:43 +0000)]
pch_gbe: don't reset MAC_RX on FIFO overflow
Currently, when FIFO_ERR happens, we stop the dma, wait for it to become
idle and then reset the whole MAC_RX logic (and after that we must re-set
multicast addresses and also re-enable MAC_RX when we're finally ready to
accept new packets). This leads to CRC errors on high number of incoming
packets and is not needed according to the datasheet.
This patch fixes it by the following steps:
1) remove this reset in pch_gbe_stop_receive(), which causes some functions
to not be used anywhere
2) remove already unused functions pch_gbe_wait_clr_bit_irq() and
pch_gbe_mac_reset_rx() to correctly build
3) move pch_gbe_enable_mac_rx() out of pch_gbe_start_receive() to
pch_gbe_up() where it's only needed after we've removed the MAC_RX reset
4) rename pch_gbe_start/stop_receive() to pch_gbe_enable/disable_dma_rx()
to more precisely reflect what the functions are now doing.
After these changes we already don't see the CRC errors and gain some
increase in RX processing speed.
Signed-off-by: Veaceslav Falico <vfalico@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Veaceslav Falico [Mon, 22 Oct 2012 04:43:24 +0000 (04:43 +0000)]
pch_gbe: don't re-set RX_FIFO_ERR flag in napi_poll
If we were in RX_FIFO_ERR state and entered pch_gbe_napi_poll(), we'll
anyway clean some rx space and thus can continue to receive more packets.
Currently, we re-set the RX_FIFO_ERR in situations when we've exhausted our
budget for RX cleaning or cleaned some TX packets. Removing it gives us
+20%-40% speed increase and a lot less of RX_FIFO_ERRors reported.
Signed-off-by: Veaceslav Falico <vfalico@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Tue, 23 Oct 2012 05:51:07 +0000 (08:51 +0300)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
"Fixes for intel and nouveau mainly.
- intel: disable HSW by default, sdvo fixes, link train regression
fix
- nouveau: acpi rom loading regression fix, with a few other fixes
from the rework
-core: just other minor fixes and race fixes for ttm."
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (24 commits)
drm/ttm: Fix a theoretical race in ttm_bo_cleanup_refs()
drm/ttm: Fix a theoretical race
drm: platform: Don't initialize driver-private data
drm/debugfs: remove redundant info from gem_names
drm: fb: cma: Fail gracefully on allocation failure
drm: fb: cma: Fix typo in debug message
drm/nouveau/clock: fix missing pll type/addr when matching default entry
drm/nouveau/fb: fix reporting of memory type on GF8+ IGPs
drm/nv41/vm: don't init hw pciegart on boards with agp bridge
drm/nouveau/bios: fetch full 4KiB block to determine ACPI ROM image size
drm/nouveau: validate vbios size
drm/nouveau: warn when trying to free mm which is still in use
drm/nouveau: fix nouveau_mm/nouveau_mm_node leak
drm/nouveau/bios: improve error handling when reading the vbios from ACPI
drm/nouveau: handle same-fb page flips
drm/i915: Initialize obj->pages before use by i915_gem_object_do_bit17_swizzle()
drm/i915: Add no-lvds quirk for Supermicro X7SPA-H
drm/i915: Insert i915_preliminary_hw_support variable.
drm/i915: shut up spurious WARN in the gtt fault handler
Revert "drm/i915: Try harder to complete DP training pattern 1"
...
Linus Torvalds [Tue, 23 Oct 2012 05:48:26 +0000 (08:48 +0300)]
Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
Pull ext4 fixes from Ted Ts'o:
"Various bug fixes for ext4. The most serious of them fixes a security
bug (CVE-2012-4508) which leads to stale data exposure when we have
fallocate racing against writes to files undergoing delayed
allocation. We also have two fixes for the metadata checksum feature,
the most serious of which can cause the superblock to have a invalid
checksum after a power failure."
* tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
ext4: Avoid underflow in ext4_trim_fs()
ext4: Checksum the block bitmap properly with bigalloc enabled
ext4: fix undefined bit shift result in ext4_fill_flex_info
ext4: fix metadata checksum calculation for the superblock
ext4: race-condition protection for ext4_convert_unwritten_extents_endio
ext4: serialize fallocate with ext4_convert_unwritten_extents
Linus Torvalds [Tue, 23 Oct 2012 05:47:38 +0000 (08:47 +0300)]
Merge tag 'nfs-for-3.7-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
Pull NFS client bugfixes from Trond Myklebust:
- Do not call pnfs_return_layout() from an rpciod context
- nfs4_ds_disconnect can cause Oopses. Kill it...
- Fix the return value for nfs_callback_start_svc
- Fix a number of compile warnings
* tag 'nfs-for-3.7-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
NFSv4: Fix the return value for nfs_callback_start_svc
NFSv4.1: Declare osd_pri_2_pnfs_err(), objio_init_read/write to be static
NFSv4: fs/nfs/nfs4getroot.c needs to include "internal.h"
NFSv4.1: Use kcalloc() to allocate zeroed arrays instead of kzalloc()
NFSv4.1: Do not call pnfs_return_layout() from an rpciod context
NFSv4.1: Kill nfs4_ds_disconnect()
Thomas Hellstrom [Mon, 22 Oct 2012 12:51:26 +0000 (12:51 +0000)]
drm/ttm: Fix a theoretical race in ttm_bo_cleanup_refs()
In theory, that function could release the lru lock between
checking for bo on ddestroy list and a successful reserve if the bo
was already reserved, and the function was called with waiting reserves
allowed.
However, all current reservers of a bo on the ddestroy list would
atomically take the bo off the list after a successful reserve so this
race should not have been hit, so no need to backport for stable.
This patch also fixes a case found by Maarten Lankhorst where
ttm_mem_evict_first called with no_wait_gpu would incorrectly
spin waiting for bo idle if trying to evict a busy buffer that
also sits on the ddestroy list.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
Thomas Hellstrom [Mon, 22 Oct 2012 12:51:25 +0000 (12:51 +0000)]
drm/ttm: Fix a theoretical race
The ttm_mem_evict_first function could theoretically drop the
lru lock without retrying if a reservation from off the LRU list
ended up waiting.
However, since currently there are no users that could cause a wait
in that situation so this is not suitable for stable
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
Thierry Reding [Mon, 15 Oct 2012 18:03:42 +0000 (18:03 +0000)]
drm: platform: Don't initialize driver-private data
Platform device drivers usually use the driver-private data for their
own purposes. Having it overwritten by drm_platform_init() is confusing
and error-prone.
Signed-off-by: Thierry Reding <thierry.reding@avionic-design.de> Signed-off-by: Dave Airlie <airlied@redhat.com>
Marcin Slusarz [Tue, 16 Oct 2012 21:47:35 +0000 (21:47 +0000)]
drm/debugfs: remove redundant info from gem_names
It's a relic of "drm: Convert proc files to seq_file and introduce debugfs",
which wrongly converted DRM_INFO + sprintf to 2 seq_printfs.
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com> Cc: Ben Gamari <bgamari@gmail.com> Cc: Eric Anholt <eric@anholt.net> Signed-off-by: Dave Airlie <airlied@redhat.com>
Thierry Reding [Sat, 20 Oct 2012 10:32:47 +0000 (10:32 +0000)]
drm: fb: cma: Fail gracefully on allocation failure
The drm_gem_cma_create() function never returns NULL but rather an error
encoded in the return value using the ERR_PTR() macro. Callers therefore
need to check for errors using the IS_ERR() macro. This change allows
drivers to handle contiguous DMA allocation failures gracefully.
Randy Dunlap [Thu, 11 Oct 2012 16:34:11 +0000 (09:34 -0700)]
staging: ramster: depends on NET
ramster uses network interfaces that are only present when
CONFIG_NET is enabled, so it should depend on NET.
Fixes these build errors:
drivers/built-in.o: In function `sc_kref_release':
tcp.c:(.text+0x24b9af): undefined reference to `sock_release'
drivers/built-in.o: In function `r2net_open_listening_sock':
tcp.c:(.text+0x24ca2b): undefined reference to `sock_create'
tcp.c:(.text+0x24cb91): undefined reference to `sock_release'
drivers/built-in.o: In function `r2net_recv_tcp_msg':
tcp.c:(.text+0x24cdbd): undefined reference to `sock_recvmsg'
drivers/built-in.o: In function `r2net_send_tcp_msg':
tcp.c:(.text+0x24d341): undefined reference to `sock_sendmsg'
drivers/built-in.o: In function `r2net_start_connect':
tcp.c:(.text+0x24d8fa): undefined reference to `sock_create'
drivers/built-in.o: In function `r2net_shutdown_sc':
tcp.c:(.text+0x24e30c): undefined reference to `kernel_sock_shutdown'
drivers/built-in.o: In function `r2net_accept_one':
tcp.c:(.text+0x24f392): undefined reference to `sock_create_lite'
tcp.c:(.text+0x24f3c3): undefined reference to `sock_release'
drivers/built-in.o: In function `r2net_stop_listening':
(.text+0x250f63): undefined reference to `sock_release'
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> Cc: konrad.wilk@oracle.com Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: omapdrm: fix allocation size for page addresses array
Signed-off-by: Rob Clark <rob@ti.com> Signed-off-by: Vincent Penquerc'h <vincent.penquerch@collabora.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Lukas Czerner [Mon, 22 Oct 2012 22:01:19 +0000 (18:01 -0400)]
ext4: Avoid underflow in ext4_trim_fs()
Currently if len argument in ext4_trim_fs() is smaller than one block,
the 'end' variable underflow. Avoid that by returning EINVAL if len is
smaller than file system block.
Nitin Gupta [Thu, 11 Oct 2012 00:42:18 +0000 (17:42 -0700)]
staging: zram: Fix handling of incompressible pages
Change 130f315a (staging: zram: remove special handle of uncompressed page)
introduced a bug in the handling of incompressible pages which resulted in
memory allocation failure for such pages.
When a page expands on compression, say from 4K to 4K+30, we were trying to
do zsmalloc(pool, 4K+30). However, the maximum size which zsmalloc can
allocate is PAGE_SIZE (for obvious reasons), so such allocation requests
always return failure (0).
For a page that has compressed size larger than the original size (this may
happen with already compressed or random data), there is no point storing
the compressed version as that would take more space and would also require
time for decompression when needed again. So, the fix is to store any page,
whose compressed size exceeds a threshold (max_zpage_size), as-it-is i.e.
without compression. Memory required for storing this uncompressed page can
then be requested from zsmalloc which supports PAGE_SIZE sized allocations.
Lastly, the fix checks that we do not attempt to "decompress" the page which
we stored in the uncompressed form -- we just memcpy() out such pages.
Arve Hjønnevåg [Tue, 16 Oct 2012 22:29:55 +0000 (15:29 -0700)]
Staging: android: binder: Allow using highmem for binder buffers
The default kernel mapping for the pages allocated for the binder
buffers is never used. Set the __GFP_HIGHMEM flag when allocating
these pages so we don't needlessly use low memory pages that may
be required elsewhere.
Eric Dumazet [Mon, 22 Oct 2012 09:03:40 +0000 (09:03 +0000)]
net: fix secpath kmemleak
Mike Kazantsev found 3.5 kernels and beyond were leaking memory,
and tracked the faulty commit to a1c7fff7e18f59e ("net:
netdev_alloc_skb() use build_skb()")
While this commit seems fine, it uncovered a bug introduced
in commit bad43ca8325 ("net: introduce skb_try_coalesce()), in function
kfree_skb_partial()"):
If head is stolen, we free the sk_buff,
without removing references on secpath (skb->sp).
So IPsec + IP defrag/reassembly (using skb coalescing), or
TCP coalescing could leak secpath objects.
Fix this bug by calling skb_release_head_state(skb) to properly
release all possible references to linked objects.
Reported-by: Mike Kazantsev <mk.fraggod@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Bisected-by: Mike Kazantsev <mk.fraggod@gmail.com> Tested-by: Mike Kazantsev <mk.fraggod@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Joe Jin [Sun, 21 Oct 2012 14:40:36 +0000 (14:40 +0000)]
qla3xxx: Ensure request/response queue addr writes to the registers
Before use the request and response queue addr, make sure it has wrote
to the registers.
Signed-off-by: Joe Jin <joe.jin@oracle.com> Cc: Jitendra Kalsaria <jitendra.kalsaria@qlogic.com> Cc: Ron Mercer <ron.mercer@qlogic.com> Acked-by: Jitendra Kalsaria <jitendra.kalsaria@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Yuchung Cheng [Fri, 19 Oct 2012 15:14:44 +0000 (15:14 +0000)]
tcp: add SYN/data info to TCP_INFO
Add a bit TCPI_OPT_SYN_DATA (32) to the socket option TCP_INFO:tcpi_options.
It's set if the data in SYN (sent or received) is acked by SYN-ACK. Server or
client application can use this information to check Fast Open success rate.
Signed-off-by: Yuchung Cheng <ycheng@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Ian Abbott [Wed, 3 Oct 2012 15:25:21 +0000 (16:25 +0100)]
staging: comedi: ni_labpc: fix possible NULL deref during detach
`labpc_common_detach()` is called by the comedi core to clean up if
either `labpc_attach()` (including the one in the "ni_labpc_cs" module)
or `labpc_attach_pci()` returns an error. It assumes the `thisboard`
macro (expanding to `((struct labpc_board_struct *)dev->board_ptr)`) is
non-null. This is a valid assumption if `labpc_attach()` fails, but not
if `labpc_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `labpc_common_detach()` and return early
if it is `NULL`. This is okay because the only other thing that could
have been allocated is `dev->private` and that is freed by the comedi
core, not by this function.
Ian Abbott [Wed, 3 Oct 2012 15:25:20 +0000 (16:25 +0100)]
staging: comedi: das08: fix possible NULL deref during detach
`das08_detach()` is called by the comedi core to clean up if either
`das08_attach()` or `das08_attach_pci()` returns an error. It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. This is a valid assumption if `das08_attach()` fails, but not
if `das08_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `das08_detach()` and return early if it
is `NULL`. This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.
Ian Abbott [Wed, 3 Oct 2012 15:25:19 +0000 (16:25 +0100)]
staging: comedi: amplc_pc263: fix possible NULL deref during detach
`pc263_detach()` is called by the comedi core to clean up if either
`pc263_attach()` or `pc263_attach_pci()` returns an error. It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. This is a valid assumption if `pc263_attach()` fails, but not
if `pc263_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `pc263_detach()` and return early if it
is `NULL`. This is okay because no other resources need cleaning up in
this case.
Ian Abbott [Wed, 3 Oct 2012 15:25:18 +0000 (16:25 +0100)]
staging: comedi: amplc_pc236: fix possible NULL deref during detach
`pc236_detach()` is called by the comedi core to clean up if either
`pc236_attach()` or `pc236_attach_pci()` returns an error. It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. This is a valid assumption if `pc236_attach()` fails, but not
if `pc236_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `pc236_detach()` and return early if it
is `NULL`. This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.
Ian Abbott [Wed, 3 Oct 2012 15:25:17 +0000 (16:25 +0100)]
staging: comedi: amplc_pc236: fix invalid register access during detach
`pc236_detach()` is called by the comedi core if it attempted to attach
a device and failed. `pc236_detach()` calls `pc236_intr_disable()` if
the comedi device private data pointer (`devpriv`) is non-null. This
test is insufficient as `pc236_intr_disable()` accesses hardware
registers and the attach routine may have failed before it has saved
their I/O base addresses.
Fix it by checking `dev->iobase` is non-zero before calling
`pc236_intr_disable()` as that means the I/O base addresses have been
saved and the hardware registers can be accessed. It also implies the
comedi device private data pointer is valid, so there is no need to
check it.
Ian Abbott [Wed, 3 Oct 2012 15:25:16 +0000 (16:25 +0100)]
staging: comedi: amplc_dio200: fix possible NULL deref during detach
`dio200_detach()` is called by the comedi core to clean up if either
`dio200_attach()` or `dio200_attach_pci()` return an error. It assigns
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. In the case of a previous call to `dio200_attach()` it won't
be `NULL` because the comedi core will have pointed it to one of the
elements of `dio200_boards[]`, but in the case of a previous call to
`dio200_attach_pci()` it could be `NULL`, leading to a null pointer
dereference.
Check that `thisboard` is valid at the top of `dio200_detach()` and
return early if it is `NULL`. This is okay because the only other thing
that could have been allocated is `dev->private` and that is freed by
the comedi core, not by this function.
Ian Abbott [Wed, 3 Oct 2012 15:25:15 +0000 (16:25 +0100)]
staging: comedi: 8255_pci: fix possible NULL deref during detach
`pci_8255_detach()` will be called by the comedi core if
`pci_8255_attach_pci()` returns an error. It currently assumes that
both `board` (assigned from the return value of `comedi_board(dev)`) and
`devpriv` (assigned from `dev->private`) are non-null, but they might
be null, leading to a null pointer dereference.
`pci_8255_detach()` doesn't need to do anything if either `board` or
`devpriv` are null, so just return early in this case.
Fred Brooks [Tue, 2 Oct 2012 10:10:26 +0000 (11:10 +0100)]
staging: comedi: ni_daq_700: fix dio subdevice regression
Here is a small patch to fix a problem caused by a previous patch that
removed the callback function. The callback remove patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1de02225358988e8fd48d1dc3fd12336bbae258a
I finally booted my dev machine on the latest kernel (running Debian
here so it's still on 3.2 normally) to test the ni_daq_700 driver with
my test program and noticed this bug.
Shift the DIO_R read result to bits 8..15 Digital direction
configuration: channels 0-7 output, 8-15 input (8225 device emu as port
A output, port B input, port C N/A).
Cc: <stable@vger.kernel.org> # 3.6.x Signed-off-by: Fred Brooks <nsaspook@nsaspook.com> Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb hub: send clear_tt_buffer_complete events when canceling TT clear work
There is a race condition in the USB hub code with regard to handling
TT clear requests that can get the HCD driver in a deadlock. Usually
when an TT clear request is scheduled it will be executed immediately:
<7>[ 6.077583] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
<3>[ 6.078041] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
<7>[ 6.078299] hub_tt_work:731
<7>[ 9.309089] usb 2-1.5: link qh1-0e01/f4d506c0 start 0 [1/2 us]
<7>[ 9.324526] ehci_hcd 0000:00:1d.0: reused qh f4d4db00 schedule
<7>[ 9.324539] usb 2-1.3: link qh1-0e01/f4d4db00 start 0 [1/2 us]
<7>[ 9.341530] usb 1-1.1: link qh4-0e01/f397aec0 start 2 [1/2 us]
<7>[ 10.116159] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
<3>[ 10.116459] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
<7>[ 10.116537] hub_tt_work:731
However, if a suspend operation is triggered before hub_tt_work is
scheduled, hub_quiesce will cancel the work without notifying the HCD
driver:
<3>[ 35.033941] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d80
<5>[ 35.034022] sd 0:0:0:0: [sda] Stopping disk
<7>[ 35.034039] hub 2-1:1.0: hub_suspend
<7>[ 35.034067] usb 2-1: unlink qh256-0001/f3b1ab00 start 1 [1/0 us]
<7>[ 35.035085] hub 1-0:1.0: hub_suspend
<7>[ 35.035102] usb usb1: bus suspend, wakeup 0
<7>[ 35.035106] ehci_hcd 0000:00:1a.0: suspend root hub
<7>[ 35.035298] hub 2-0:1.0: hub_suspend
<7>[ 35.035313] usb usb2: bus suspend, wakeup 0
<7>[ 35.035315] ehci_hcd 0000:00:1d.0: suspend root hub
<6>[ 35.250017] PM: suspend of devices complete after 216.979 msecs
<6>[ 35.250822] PM: late suspend of devices complete after 0.799 msecs
<7>[ 35.252343] ehci_hcd 0000:00:1d.0: wakeup: 1
<7>[ 35.262923] ehci_hcd 0000:00:1d.0: --> PCI D3hot
<7>[ 35.263302] ehci_hcd 0000:00:1a.0: wakeup: 1
<7>[ 35.273912] ehci_hcd 0000:00:1a.0: --> PCI D3hot
<6>[ 35.274254] PM: noirq suspend of devices complete after 23.442 msecs
<6>[ 35.274975] ACPI: Preparing to enter system sleep state S3
<6>[ 35.292666] PM: Saving platform NVS memory
<7>[ 35.295030] Disabling non-boot CPUs ...
<6>[ 35.297351] CPU 1 is now offline
<6>[ 35.300345] CPU 2 is now offline
<6>[ 35.303929] CPU 3 is now offline
<7>[ 35.303931] lockdep: fixing up alternatives.
<6>[ 35.304825] Extended CMOS year: 2000
When the device will resume the EHCI driver will get stuck in
ehci_endpoint_disable waiting for the tt_clearing flag to reset:
This patch changes hub_quiesce behavior to flush the TT clear work
instead of canceling it, to make sure that no TT clear request remains
uncompleted before suspend.
Ming Lei [Tue, 9 Oct 2012 04:01:04 +0000 (12:01 +0800)]
firmware loader: sync firmware cache by async_synchronize_full_domain
async.c has provided synchronization mechanism on async_schedule_*,
so use async_synchronize_full_domain to sync caching firmware instead
of reinventing the wheel.
Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ming Lei [Tue, 9 Oct 2012 04:01:03 +0000 (12:01 +0800)]
firmware loader: let direct loading back on 'firmware_buf'
Firstly 'firmware_buf' is introduced to make all loading requests
to share one firmware kernel buffer, so firmware_buf should
be used in direct loading for saving memory and speedup firmware
loading.
introduces direct loading for fixing udev regression, but it
bypasses the firmware cache meachnism, so this patch enables
caching firmware for direct loading case since it is still needed
to solve drivers' dependency during system resume.
Cc: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ming Lei [Tue, 9 Oct 2012 04:01:02 +0000 (12:01 +0800)]
firmware loader: fix one reqeust_firmware race
Several loading requests may be pending on one same
firmware buf, and this patch moves fw_map_pages_buf()
before complete_all(&fw_buf->completion) and let all
requests see the mapped 'buf->data' once the loading
is completed.
Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ming Lei [Tue, 9 Oct 2012 04:01:01 +0000 (12:01 +0800)]
firmware loader: cancel uncache work before caching firmware
Under 'Opportunistic sleep' situation, system sleep might be
triggered very frequently, so the uncahce work may not be completed
before caching firmware during next suspend.
This patch cancels the uncache work before caching firmware to
fix the problem above.
Also this patch optimizes the cacheing firmware mechanism a bit by
only storing one firmware cache entry for one firmware image.
So if the firmware is still cached during suspend, it doesn't need
to be loaded from user space any more.
Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linus Walleij [Mon, 22 Oct 2012 09:17:24 +0000 (10:17 +0100)]
ARM: 7560/1: SMP_TWD: use DIV_ROUND_CLOSEST() for periodic mode
The periodic mode is currently calculated by a simple division
but we should pay more attention to our integer arithmetics.
Also delete a comment that does not make any sense.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Will Deacon [Fri, 19 Oct 2012 16:53:01 +0000 (17:53 +0100)]
ARM: 7559/1: smp: switch away from the idmap before updating init_mm.mm_count
When booting a secondary CPU, the primary CPU hands two sets of page
tables via the secondary_data struct:
(1) swapper_pg_dir: a normal, cacheable, shared (if SMP) mapping
of the kernel image (i.e. the tables used by init_mm).
(2) idmap_pgd: an uncached mapping of the .idmap.text ELF
section.
The idmap is generally used when enabling and disabling the MMU, which
includes early CPU boot. In this case, the secondary CPU switches to
swapper as soon as it enters C code:
struct mm_struct *mm = &init_mm;
unsigned int cpu = smp_processor_id();
/*
* All kernel threads share the same mm context; grab a
* reference and switch to it.
*/
atomic_inc(&mm->mm_count);
current->active_mm = mm;
cpumask_set_cpu(cpu, mm_cpumask(mm));
cpu_switch_mm(mm->pgd, mm);
This causes a problem on ARMv7, where the identity mapping is treated as
strongly-ordered leading to architecturally UNPREDICTABLE behaviour of
exclusive accesses, such as those used by atomic_inc.
This patch re-orders the secondary_start_kernel function so that we
switch to swapper before performing any exclusive accesses.
Cc: <stable@vger.kernel.org> Cc: David McKay <david.mckay@st.com> Reported-by: Gilles Chanteperdrix <gilles.chanteperdrix@xenomai.org> Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
David Daney [Wed, 17 Oct 2012 23:39:58 +0000 (16:39 -0700)]
MIPS: Cavium: Update defconfig
Turn on support for most hardware present on OCTEON development boards
as well as some filesystems and SATA controllers so we can boot off of
a disk or CF
Heiko Carstens [Thu, 18 Oct 2012 16:10:06 +0000 (18:10 +0200)]
s390/traps: preinitialize program check table
Preinitialize the program check table, so we can put it into the
read-only data section.
Also use only four byte entries for the table, since each program
check handler resides within the first 2GB. Therefore this reduces
the size of the table by 50% on 64 bit builds.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Heiko Carstens [Wed, 17 Oct 2012 10:18:05 +0000 (12:18 +0200)]
s390/mm,vmemmap: use 1MB frames for vmemmap
Use 1MB frames for vmemmap if EDAT1 is available in order to
reduce TLB pressure
Always use a 1MB frame even if its only partially needed for
struct pages. Otherwise we would end up with a mix of large
frame and page mappings, because vmemmap_populate gets called
for each section (256MB -> 3.5MB memmap) separately.
Worst case is that we would waste 512KB.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Dave Airlie [Mon, 22 Oct 2012 07:50:07 +0000 (17:50 +1000)]
Merge branch 'drm-nouveau-fixes' of git://git.freedesktop.org/git/nouveau/linux-2.6 into drm-fixes
Fixes from Ben, off note:
ACPI ROM regression fix,
some IGP and AGP regressions fixes from rework fallout.
* 'drm-nouveau-fixes' of git://git.freedesktop.org/git/nouveau/linux-2.6:
drm/nouveau/clock: fix missing pll type/addr when matching default entry
drm/nouveau/fb: fix reporting of memory type on GF8+ IGPs
drm/nv41/vm: don't init hw pciegart on boards with agp bridge
drm/nouveau/bios: fetch full 4KiB block to determine ACPI ROM image size
drm/nouveau: validate vbios size
drm/nouveau: warn when trying to free mm which is still in use
drm/nouveau: fix nouveau_mm/nouveau_mm_node leak
drm/nouveau/bios: improve error handling when reading the vbios from ACPI
drm/nouveau: handle same-fb page flips
Ralf Baechle [Tue, 16 Oct 2012 22:39:09 +0000 (00:39 +0200)]
MIPS: Cavium: Add EDAC support.
Drivers for EDAC on Cavium. Supported subsystems are:
o CPU primary caches. These are parity protected only, so only error
reporting.
o Second level cache - ECC protected, provides SECDED.
o Memory: ECC / SECDEC if used with suitable DRAM modules. The driver will
will only initialize if ECC is enabled on a system so is safe to run on
non-ECC memory.
o PCI: Parity error reporting
Since it is very hard to test this sort of code the implementation is very
conservative and uses polling where possible for now.
Ralf Baechle [Tue, 16 Oct 2012 20:20:26 +0000 (22:20 +0200)]
MIPS: tlbex: Better debug output.
Pgtable bits are assigned dynamically depending on processor feature and
statically based on kernel configuration. To make sense out of the
disassembled TLB exception handlers a list of the actual assignments
used for a particular configuration and hardware setup can be very useful.
Output the actual TLB exception handlers in a format that simplifies their
post processsing from dmesg output.
Dmitry Torokhov [Mon, 22 Oct 2012 00:57:20 +0000 (17:57 -0700)]
Input: fix use-after-free introduced with dynamic minor changes
Commit 7f8d4cad1e4e ("Input: extend the number of event (and other)
devices") made evdev, joydev and mousedev to embed struct cdev into
their respective structures representing input devices.
Unfortunately character device structure may outlive the parent
structure unless we do not set it up as parent of character device so
that it will stay pinned until character device is freed.
Also, now that parent structure is pinned while character device exists
we do not need to pin and unpin it every time user opens or closes it.
Reported-by: Dave Jones <davej@redhat.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Acked-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Dmitry Torokhov [Mon, 22 Oct 2012 00:57:19 +0000 (17:57 -0700)]
char_dev: pin parent kobject
In certain cases (for example when a cdev structure is embedded into
another object whose lifetime is controlled by a separate kobject) it is
beneficial to tie lifetime of another object to the lifetime of
character device so that related object is not freed until after
char_dev object is freed.
To achieve this let's pin kobject's parent when doing cdev_add() and
unpin when last reference to cdev structure is being released.
Ben Skeggs [Mon, 22 Oct 2012 04:10:16 +0000 (14:10 +1000)]
drm/nouveau/clock: fix missing pll type/addr when matching default entry
This issue is a regression from 70790f4f819875e8f390871fd15bbbf823f28e1b,
and causes us to miss a special-case for C51 (NV4E) chipsets and return
the wrong reference frequency for the VPLLs.
Tao Ma [Mon, 22 Oct 2012 04:34:32 +0000 (00:34 -0400)]
ext4: Checksum the block bitmap properly with bigalloc enabled
In mke2fs, we only checksum the whole bitmap block and it is right.
While in the kernel, we use EXT4_BLOCKS_PER_GROUP to indicate the
size of the checksumed bitmap which is wrong when we enable bigalloc.
The right size should be EXT4_CLUSTERS_PER_GROUP and this patch fixes
it.
Also as every caller of ext4_block_bitmap_csum_set and
ext4_block_bitmap_csum_verify pass in EXT4_BLOCKS_PER_GROUP(sb)/8,
we'd better removes this parameter and sets it in the function itself.
Signed-off-by: Tao Ma <boyu.mt@taobao.com> Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> Reviewed-by: Lukas Czerner <lczerner@redhat.com> Cc: stable@vger.kernel.org
Blackfin: Annotate strncpy_from_user src parameter with __user
The src parameter of strncpy_from_user is supposed to take a string from
userspace, so it should be annotated with __user. Doing so fixes the following
and similar warnings from sparse:
kernel/sys.c:491:51: warning: incorrect type in argument 2 (different address spaces)
kernel/sys.c:491:51: expected char const *src
kernel/sys.c:491:51: got void [noderef] <asn:1>*arg
kernel/sys.c:2061:54: warning: incorrect type in argument 2 (different address spaces)
kernel/sys.c:2061:54: expected char const *src
kernel/sys.c:2061:54: got char [noderef] <asn:1>*<noident>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Bob Liu <lliubbo@gmail.com>
Marcin Slusarz [Sun, 21 Oct 2012 23:59:20 +0000 (09:59 +1000)]
drm/nouveau: validate vbios size
Without checking, we could detect vbios size as 0, allocate 0-byte array
(kmalloc returns invalid pointer for such allocation) and crash in
nouveau_bios_score while checking for vbios signature.
Reported-by: Heinz Diehl <htd@fritha.org> Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com> Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Marcin Slusarz [Fri, 5 Oct 2012 10:26:32 +0000 (12:26 +0200)]
drm/nouveau: handle same-fb page flips
It's questionable use case, but weston/wayland already relies on this
behaviour, and other drivers don't care about it, so it's a matter of
compatibility. Without it, process invoking such page flip hangs in
unkillable state, trying to reserve the same buffer twice.
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com> Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
David S. Miller [Mon, 22 Oct 2012 00:57:37 +0000 (20:57 -0400)]
Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
John W. Linville says:
====================
This is a batch of fixes intended for the 3.7 stream.
Dan Carpenter brings a fix for a simple signedness bug that could
prevent the proper termination of a loop.
Felix Fietkau found a few more places that need to use
ieee80211_free_txskb for properly releasing SKBs used by mac80211.
Franky Lin offers a pair of brcmfmac fixes, both fixing simple state
reporting errors.
Hante Meuleman corrects an error reporting case that wasn't handling
all types of errors properly.
Johan Hedberg offers a fix for an issue discovered at the Bluetooth
UnPlug Fest. Gustavo says "the patch fixes a failure to pair with
devices that support the LE Secure Connections feature."
Johannes Berg sends an iwlwifi fix to handle a message type that
is too large for the normal command mechanism. He also provides a
mac80211 fix to use HT20 channels when HT40 channels are not permitted.
Jouni Malinen offers a mac80211 fix for a masking error that was
incorrectly marking some frames.
Piotr Haber provides a fix to make sure bcma devices are unregistered
properly.
Stanislav Yakovlev gives us a fix for a panic in the ipw2200 driver.
Stanislaw Gruszka sends a pair of fixes: one prevents a mismatch on
connection states between cfg80211 and mac80211; the other prevents
some frame corruption related to handling encryption.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
projects / karo-tx-linux.git / log