git.karo-electronics.de Git - karo-tx-linux.git/log
13 years ago tick: Clear broadcast active bit when switching to oneshot
Thomas Gleixner [Mon, 16 May 2011 09:07:48 +0000 (11:07 +0200)]
tick: Clear broadcast active bit when switching to oneshot

commit 07f4beb0b5bbfaf36a64aa00d59e670ec578a95a upstream.

The first cpu which switches from periodic to oneshot mode switches
also the broadcast device into oneshot mode. The broadcast device
serves as a backup for per cpu timers which stop in deeper
C-states. To avoid starvation of the cpus which might be in idle and
depend on broadcast mode it marks the other cpus as broadcast active
and sets the broadcast expiry value of those cpus to the next tick.

The oneshot mode broadcast bit for the other cpus is sticky and gets
only cleared when those cpus exit idle. If a cpu was not idle while
the bit got set in consequence the bit prevents that the broadcast
device is armed on behalf of that cpu when it enters idle for the
first time after it switched to oneshot mode.

In most cases that goes unnoticed as one of the other cpus has usually
a timer pending which keeps the broadcast device armed with a short
timeout. Now if the only cpu which has a short timer active has the
bit set then the broadcast device will not be armed on behalf of that
cpu and will fire way after the expected timer expiry. In the case of
Christian's bug report it took ~145 seconds which is about half of the
wrap around time of HPET (the limit for that device) due to the fact
that all other cpus had no timers armed which expired before the 145
seconds timeframe.

The solution is simply to clear the broadcast active bit
unconditionally when a cpu switches to oneshot mode after the first
cpu switched the broadcast device over. It's not idle at that point
otherwise it would not be executing that code.

[ I fundamentally hate that broadcast crap. Why the heck thought some
  folks that when going into deep idle it's a brilliant concept to
  switch off the last device which brings the cpu back from that
  state? ]

Thanks to Christian for providing all the valuable debug information!

Reported-and-tested-by: Christian Hoffmann <email@christianhoffmann.info>
Cc: John Stultz <johnstul@us.ibm.com>
Link: http://lkml.kernel.org/r/%3Calpine.LFD.2.02.1105161105170.3078%40ionos%3E
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago clocksource: Install completely before selecting
john stultz [Thu, 5 May 2011 01:16:50 +0000 (18:16 -0700)]
clocksource: Install completely before selecting

commit e05b2efb82596905ebfe88e8612ee81dec9b6592 upstream.

Christian Hoffmann reported that the command line clocksource override
with acpi_pm timer fails:

 Kernel command line: <SNIP> clocksource=acpi_pm
 hpet clockevent registered
 Switching to clocksource hpet
 Override clocksource acpi_pm is not HRT compatible.
 Cannot switch while in HRT/NOHZ mode.

The watchdog code is what enables CLOCK_SOURCE_VALID_FOR_HRES, but we
actually end up selecting the clocksource before we enqueue it into
the watchdog list, so that's why we see the warning and fail to switch
to acpi_pm timer as requested. That's particularly bad when we want to
debug timekeeping related problems in early boot.

Put the selection call last.

Reported-by: Christian Hoffmann <email@christianhoffmann.info>
Signed-off-by: John Stultz <johnstul@us.ibm.com>
Link: http://lkml.kernel.org/r/%3C1304558210.2943.24.camel%40work-vm%3E
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago x86, AMD: Fix ARAT feature setting again
Borislav Petkov [Tue, 17 May 2011 12:55:19 +0000 (14:55 +0200)]
x86, AMD: Fix ARAT feature setting again

commit 14fb57dccb6e1defe9f89a66f548fcb24c374c1d upstream.

Trying to enable the local APIC timer on early K8 revisions
uncovers a number of other issues with it, in conjunction with
the C1E enter path on AMD. Fixing those causes much more churn
and troubles than the benefit of using that timer brings so
don't enable it on K8 at all, falling back to the original
functionality the kernel had wrt to that.

Reported-and-bisected-by: Nick Bowler <nbowler@elliptictech.com>
Cc: Boris Ostrovsky <Boris.Ostrovsky@amd.com>
Cc: Andreas Herrmann <andreas.herrmann3@amd.com>
Cc: Greg Kroah-Hartman <greg@kroah.com>
Cc: Hans Rosenfeld <hans.rosenfeld@amd.com>
Cc: Nick Bowler <nbowler@elliptictech.com>
Cc: Joerg-Volker-Peetz <jvpeetz@web.de>
Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
Link: http://lkml.kernel.org/r/1305636919-31165-3-git-send-email-bp@amd64.org
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago Revert "x86, AMD: Fix APIC timer erratum 400 affecting K8 Rev.A-E processors"
Borislav Petkov [Tue, 17 May 2011 12:55:18 +0000 (14:55 +0200)]
Revert "x86, AMD: Fix APIC timer erratum 400 affecting K8 Rev.A-E processors"

commit 328935e6348c6a7cb34798a68c326f4b8372e68a upstream.

This reverts commit e20a2d205c05cef6b5783df339a7d54adeb50962, as it crashes
certain boxes with specific AMD CPU models.

Moving the lower endpoint of the Erratum 400 check to accommodate
earlier K8 revisions (A-E) opens a can of worms which is simply
not worth to fix properly by tweaking the errata checking
framework:

* missing IntPending MSR on revisions < CG cause #GP:

http://marc.info/?l=linux-kernel&m=130541471818831

* makes earlier revisions use the LAPIC timer instead of the C1E
idle routine which switches to HPET, thus not waking up in
deeper C-states:

http://lkml.org/lkml/2011/4/24/20

Therefore, leave the original boundary starting with K8-revF.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago rapidio: fix default routing initialization
Alexandre Bounine [Tue, 17 May 2011 22:44:08 +0000 (15:44 -0700)]
rapidio: fix default routing initialization

commit 0bf2461fdd9008290cf429e50e4f362dafab4249 upstream.

Fix switch initialization to ensure that all switches have default routing
disabled.  This guarantees that no unexpected RapidIO packets arrive to
the default port set by reset and there is no default routing destination
until it is properly configured by software.

This update also unifies handling of unmapped destinations by tsi57x, IDT
Gen1 and IDT Gen2 switches.

Signed-off-by: Alexandre Bounine <alexandre.bounine@idt.com>
Cc: Kumar Gala <galak@kernel.crashing.org>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Li Yang <leoli@freescale.com>
Cc: Thomas Moll <thomas.moll@sysgo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago cifs: add fallback in is_path_accessible for old servers
Jeff Layton [Tue, 17 May 2011 10:40:30 +0000 (06:40 -0400)]
cifs: add fallback in is_path_accessible for old servers

commit 221d1d797202984cb874e3ed9f1388593d34ee22 upstream.

The is_path_accessible check uses a QPathInfo call, which isn't
supported by ancient win9x era servers. Fall back to an older
SMBQueryInfo call if it fails with the magic error codes.

Reported-and-Tested-by: Sandro Bonazzola <sandro.bonazzola@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago Revert "mmc: fix a race between card-detect rescan and clock-gate work instances"
Chris Ball [Mon, 16 May 2011 15:32:26 +0000 (11:32 -0400)]
Revert "mmc: fix a race between card-detect rescan and clock-gate work instances"

commit 86f315bbb2374f1f077500ad131dd9b71856e697 upstream.

This reverts commit 26fc8775b51484d8c0a671198639c6d5ae60533e, which has
been reported to cause boot/resume-time crashes for some users:

https://bbs.archlinux.org/viewtopic.php?id=118751.

Signed-off-by: Chris Ball <cjb@laptop.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago drm/radeon/kms: fix extended lvds info parsing
Alex Deucher [Wed, 11 May 2011 18:02:07 +0000 (14:02 -0400)]
drm/radeon/kms: fix extended lvds info parsing

commit 05fa7ea7d23980de0014417a0e0af2048a0f9fc1 upstream.

On rev <= 1.1 tables, the offset is absolute,
on newer tables, it's relative.

Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=700326

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Reviewed-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago libata: fix oops when LPM is used with PMP
Tejun Heo [Mon, 9 May 2011 14:04:11 +0000 (16:04 +0200)]
libata: fix oops when LPM is used with PMP

commit 5f6f12ccf3aa42cfc0c5bde9228df0c843dd63f7 upstream.

ae01b2493c (libata: Implement ATA_FLAG_NO_DIPM and apply it to mcp65)
added ATA_FLAG_NO_DIPM and made ata_eh_set_lpm() check the flag.
However, @ap is NULL if @link points to a PMP link and thus the
unconditional @ap->flags dereference leads to the following oops.

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
  IP: [<ffffffff813f98e1>] ata_eh_recover+0x9a1/0x1510
  ...
  Pid: 295, comm: scsi_eh_4 Tainted: P            2.6.38.5-core2 #1 System76, Inc. Serval Professional/Serval Professional
  RIP: 0010:[<ffffffff813f98e1>]  [<ffffffff813f98e1>] ata_eh_recover+0x9a1/0x1510
  RSP: 0018:ffff880132defbf0  EFLAGS: 00010246
  RAX: 0000000000000000 RBX: ffff880132f40000 RCX: 0000000000000000
  RDX: ffff88013377c000 RSI: ffff880132f40000 RDI: 0000000000000000
  RBP: ffff880132defce0 R08: ffff88013377dc58 R09: ffff880132defd98
  R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000
  R13: 0000000000000000 R14: ffff88013377c000 R15: 0000000000000000
  FS:  0000000000000000(0000) GS:ffff8800bf700000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
  CR2: 0000000000000018 CR3: 0000000001a03000 CR4: 00000000000406e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  Process scsi_eh_4 (pid: 295, threadinfo ffff880132dee000, task ffff880133b416c0)
  Stack:
   0000000000000000 ffff880132defcc0 0000000000000000 ffff880132f42738
   ffffffff813ee8f0 ffffffff813eefe0 ffff880132defd98 ffff88013377f190
   ffffffffa00b3e30 ffffffff813ef030 0000000032defc60 ffff880100000000
  Call Trace:
   [<ffffffff81400867>] sata_pmp_error_handler+0x607/0xc30
   [<ffffffffa00b273f>] ahci_error_handler+0x1f/0x70 [libahci]
   [<ffffffff813faade>] ata_scsi_error+0x5be/0x900
   [<ffffffff813cf724>] scsi_error_handler+0x124/0x650
   [<ffffffff810834b6>] kthread+0x96/0xa0
   [<ffffffff8100cd64>] kernel_thread_helper+0x4/0x10
  Code: 8b 95 70 ff ff ff b8 00 00 00 00 48 3b 9a 10 2e 00 00 48 0f 44 c2 48 89 85 70 ff ff ff 48 8b 8d 70 ff ff ff f6 83 69 02 00 00 01 <48> 8b 41 18 0f 85 48 01 00 00 48 85 c9 74 12 48 8b 51 08 48 83
  RIP  [<ffffffff813f98e1>] ata_eh_recover+0x9a1/0x1510
   RSP <ffff880132defbf0>
  CR2: 0000000000000018

Fix it by testing @link->ap->flags instead.

stable: ATA_FLAG_NO_DIPM was added during 2.6.39 cycle but was
        backported to 2.6.37 and 38.  This is a fix for that and thus
        also applicable to 2.6.37 and 38.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: "Nathan A. Mourey II" <nmoureyii@ne.rr.com>
LKML-Reference: <1304555277.2059.2.camel@localhost.localdomain>
Cc: Connor H <cmdkhh@gmail.com>
Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago tmpfs: fix spurious ENOSPC when racing with unswap
Hugh Dickins [Wed, 11 May 2011 22:13:38 +0000 (15:13 -0700)]
tmpfs: fix spurious ENOSPC when racing with unswap

commit 59a16ead572330deb38e5848151d30ed1af754bc upstream.

Testing the shmem_swaplist replacements for igrab() revealed another bug:
writes to /dev/loop0 on a tmpfs file which fills its filesystem were
sometimes failing with "Buffer I/O error"s.

These came from ENOSPC failures of shmem_getpage(), when racing with
swapoff: the same could happen when racing with another shmem_getpage(),
pulling the page in from swap in between our find_lock_page() and our
taking the info->lock (though not in the single-threaded loop case).

This is unacceptable, and surprising that I've not noticed it before:
it dates back many years, but (presumably) was made a lot easier to
reproduce in 2.6.36, which sited a page preallocation in the race window.

Fix it by rechecking the page cache before settling on an ENOSPC error.

Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago tmpfs: fix off-by-one in max_blocks checks
Hugh Dickins [Thu, 14 Apr 2011 22:22:07 +0000 (15:22 -0700)]
tmpfs: fix off-by-one in max_blocks checks

commit fc5da22ae35d4720be59af8787a8a6d5e4da9517 upstream.

If you fill up a tmpfs, df was showing

  tmpfs                   460800         -         -   -  /tmp

because of an off-by-one in the max_blocks checks.  Fix it so df shows

  tmpfs                   460800    460800         0 100% /tmp

Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago tmpfs: fix race between swapoff and writepage
Hugh Dickins [Sat, 14 May 2011 19:06:42 +0000 (12:06 -0700)]
tmpfs: fix race between swapoff and writepage

commit 05bf86b4ccfd0f197da61c67bd372111d15a6620 upstream.

Shame on me!  Commit b1dea800ac39 "tmpfs: fix race between umount and
writepage" fixed the advertized race, but introduced another: as even
its comment makes clear, we cannot safely rely on a peek at list_empty()
while holding no lock - until info->swapped is set, shmem_unuse_inode()
may delete any formerly-swapped inode from the shmem_swaplist, which
in this case would leave a swap area impossible to swapoff.

Although I don't relish taking the mutex every time, I don't care much
for the alternatives either; and at least the peek at list_empty() in
shmem_evict_inode() (a hotter path since most inodes would never have
been swapped) remains safe, because we already truncated the whole file.

Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago tmpfs: fix race between umount and writepage
Hugh Dickins [Wed, 11 May 2011 22:13:36 +0000 (15:13 -0700)]
tmpfs: fix race between umount and writepage

commit b1dea800ac39599301d4bb8dcf2b1d29c2558211 upstream.

Konstantin Khlebnikov reports that a dangerous race between umount and
shmem_writepage can be reproduced by this script:

  for i in {1..300} ; do
    mkdir $i
    while true ; do
      mount -t tmpfs none $i
      dd if=/dev/zero of=$i/test bs=1M count=$(($RANDOM % 100))
      umount $i
    done &
  done

on a 6xCPU node with 8Gb RAM: kernel very unstable after this accident. =)

Kernel log:

  VFS: Busy inodes after unmount of tmpfs.
                 Self-destruct in 5 seconds.  Have a nice day...

  WARNING: at lib/list_debug.c:53 __list_del_entry+0x8d/0x98()
  list_del corruption. prev->next should be ffff880222fdaac8, but was (null)
  Pid: 11222, comm: mount.tmpfs Not tainted 2.6.39-rc2+ #4
  Call Trace:
   warn_slowpath_common+0x80/0x98
   warn_slowpath_fmt+0x41/0x43
   __list_del_entry+0x8d/0x98
   evict+0x50/0x113
   iput+0x138/0x141
  ...
  BUG: unable to handle kernel paging request at ffffffffffffffff
  IP: shmem_free_blocks+0x18/0x4c
  Pid: 10422, comm: dd Tainted: G        W   2.6.39-rc2+ #4
  Call Trace:
   shmem_recalc_inode+0x61/0x66
   shmem_writepage+0xba/0x1dc
   pageout+0x13c/0x24c
   shrink_page_list+0x28e/0x4be
   shrink_inactive_list+0x21f/0x382
  ...

shmem_writepage() calls igrab() on the inode for the page which came from
page reclaim, to add it later into shmem_swaplist for swapoff operation.

This igrab() can race with super-block deactivating process:

  shrink_inactive_list()          deactivate_super()
  pageout()                       tmpfs_fs_type->kill_sb()
  shmem_writepage()               kill_litter_super()
                                  generic_shutdown_super()
                                   evict_inodes()
   igrab()
                                    atomic_read(&inode->i_count)
                                     skip-inode
   iput()
                                   if (!list_empty(&sb->s_inodes))
                                          printk("VFS: Busy inodes after...

This igrab-iput pair was added in commit 1b1b32f2c6f6 "tmpfs: fix
shmem_swaplist races" based on incorrect assumptions: igrab() protects the
inode from concurrent eviction by deletion, but it does nothing to protect
it from concurrent unmounting, which goes ahead despite the raised
i_count.

So this use of igrab() was wrong all along, but the race was made much worse
in 2.6.37 when commit 63997e98a3be "split invalidate_inodes()" replaced
two attempts at invalidate_inodes() by a single evict_inodes().

Konstantin posted a plausible patch, raising sb->s_active too: I'm unsure
whether it was correct or not; but burnt once by igrab(), I am sure that
we don't want to rely more deeply upon externals here.

Fix it by adding the inode to shmem_swaplist earlier, while the page lock
on page in page cache still secures the inode against eviction, without
artificially raising i_count.  It was originally added later because
shmem_unuse_inode() is liable to remove an inode from the list while it's
unswapped; but we can guard against that by taking spinlock before
dropping mutex.

Reported-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Signed-off-by: Hugh Dickins <hughd@google.com>
Tested-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago zorro8390: Fix regression caused during net_device_ops conversion
Geert Uytterhoeven [Thu, 12 May 2011 09:11:38 +0000 (09:11 +0000)]
zorro8390: Fix regression caused during net_device_ops conversion

commit cf7e032fc87d59c475df26c4d40bf45d401b2adb upstream.

Changeset b6114794a1c394534659f4a17420e48cf23aa922 ("zorro8390: convert to
net_device_ops") broke zorro8390 by adding 8390.o to the link. That
meant that lib8390.c was included twice, once in zorro8390.c and once in
8390.c, subject to different macros. This patch reverts that by
avoiding the wrappers in 8390.c.

Fix based on commits 217cbfa856dc1cbc2890781626c4032d9e3ec59f ("mac8390:
fix regression caused during net_device_ops conversion") and
4e0168fa4842e27795a75b205a510f25b62181d9 ("mac8390: fix build with
NET_POLL_CONTROLLER").

Reported-by: Christian T. Steigies <cts@debian.org>
Suggested-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Christian T. Steigies <cts@debian.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago libertas: fix cmdpendingq locking
Paul Fox [Mon, 9 May 2011 09:40:42 +0000 (10:40 +0100)]
libertas: fix cmdpendingq locking

commit 2ae1b8b35faba31a59b153cbad07f9c15de99740 upstream.

We occasionally see list corruption using libertas.

While we haven't been able to diagnose this precisely, we have spotted
a possible cause: cmdpendingq is generally modified with driver_lock
held. However, there are a couple of points where this is not the case.

Fix up those operations to execute under the lock, it seems like
the correct thing to do and will hopefully improve the situation.

Signed-off-by: Paul Fox <pgf@laptop.org>
Signed-off-by: Daniel Drake <dsd@laptop.org>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago ehea: Fix memory hotplug oops
Anton Blanchard [Tue, 10 May 2011 16:17:10 +0000 (16:17 +0000)]
ehea: Fix memory hotplug oops

commit 21ccc7936dac5ca9b3e2838bbc112a60f34e18b3 upstream.

The ehea driver oopses during memory hotplug if the ports are not
up. A simple testcase:

# ifconfig ethX down
# echo offline > /sys/devices/system/memory/memory32/state

Oops: Kernel access of bad area, sig: 11 [#1]
last sysfs file: /sys/devices/system/memory/memory32/state
REGS: c000000709393110 TRAP: 0300   Not tainted  (2.6.39-rc2-01385-g7ef73bc-dirty)
DAR: 0000000000000000, DSISR: 40000000
...
NIP [c000000000067c98] .__wake_up_common+0x48/0xf0
LR [c00000000006d034] .__wake_up+0x54/0x90
Call Trace:
[c00000000006d034] .__wake_up+0x54/0x90
[d000000006bb6270] .ehea_rereg_mrs+0x140/0x730 [ehea]
[d000000006bb69c4] .ehea_mem_notifier+0x164/0x170 [ehea]
[c0000000006fc8a8] .notifier_call_chain+0x78/0xf0
[c0000000000b3d70] .__blocking_notifier_call_chain+0x70/0xb0
[c000000000458d78] .memory_notify+0x28/0x40
[c0000000001871d8] .remove_memory+0x208/0x6d0
[c000000000458264] .memory_section_action+0x94/0x140
[c0000000004583ec] .memory_block_change_state+0xdc/0x1d0
[c0000000004585cc] .store_mem_state+0xec/0x160
[c00000000044768c] .sysdev_store+0x3c/0x50
[c00000000020b48c] .sysfs_write_file+0xec/0x1f0
[c00000000018f86c] .vfs_write+0xec/0x1e0
[c00000000018fa88] .SyS_write+0x58/0xd0

To fix this, initialise the waitqueues during port probe instead
of port open.

Signed-off-by: Anton Blanchard <anton@samba.org>
Acked-by: Breno Leitao <leitao@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago hydra: Fix regression caused during net_device_ops conversion
Geert Uytterhoeven [Thu, 12 May 2011 09:11:39 +0000 (09:11 +0000)]
hydra: Fix regression caused during net_device_ops conversion

commit 0b25e0157dfa236a0629c16c8ad6f222f633f682 upstream.

Changeset 5618f0d1193d6b051da9b59b0e32ad24397f06a4 ("hydra: convert to
net_device_ops") broke hydra by adding 8390.o to the link. That
meant that lib8390.c was included twice, once in hydra.c and once in
8390.c, subject to different macros. This patch reverts that by
avoiding the wrappers in 8390.c.

Fix based on commits 217cbfa856dc1cbc2890781626c4032d9e3ec59f ("mac8390:
fix regression caused during net_device_ops conversion") and
4e0168fa4842e27795a75b205a510f25b62181d9 ("mac8390: fix build with
NET_POLL_CONTROLLER").

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago ne-h8300: Fix regression caused during net_device_ops conversion
Geert Uytterhoeven [Thu, 12 May 2011 09:11:40 +0000 (09:11 +0000)]
ne-h8300: Fix regression caused during net_device_ops conversion

commit 2592a7354092afd304a8c067319b15ab1e441e35 upstream.

Changeset dcd39c90290297f6e6ed8a04bb20da7ac2b043c5 ("ne-h8300: convert to
net_device_ops") broke ne-h8300 by adding 8390.o to the link. That
meant that lib8390.c was included twice, once in ne-h8300.c and once in
8390.c, subject to different macros. This patch reverts that by
avoiding the wrappers in 8390.c.

Fix based on commits 217cbfa856dc1cbc2890781626c4032d9e3ec59f ("mac8390:
fix regression caused during net_device_ops conversion") and
4e0168fa4842e27795a75b205a510f25b62181d9 ("mac8390: fix build with
NET_POLL_CONTROLLER").

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago ASoC: SSM2602: Fix 'Mic Boost2' control
Lars-Peter Clausen [Thu, 5 May 2011 14:59:16 +0000 (16:59 +0200)]
ASoC: SSM2602: Fix 'Mic Boost2' control

commit 36c90ab33feabbd63da775bd92ad356e5bd5cf56 upstream.

The 'Mic Boost2' control's shift was off by one and thus was not working.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Liam Girdwood <lrg@ti.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago ASoC: UDA134x: Remove POWER_OFF_ON_STANDBY define.
Marek Belisko [Tue, 3 May 2011 12:46:32 +0000 (14:46 +0200)]
ASoC: UDA134x: Remove POWER_OFF_ON_STANDBY define.

commit bf707de21fec7bb203dace2d0a2bbd124d1b36ca upstream.

Define POWER_OFF_ON_STANDBY causes troubles when trying to get some
sound from codec because code for bias setup was not compiled
(define wasn't defined). This define was removed in commit:
cc3202f5 but again introduced by commit: f0fba2ad1 which then
completely breaks codec functionality so remove it again.

Signed-off-by: Marek Belisko <marek.belisko@open-nandra.com>
Acked-by: Liam Girdwood <lrg@ti.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago slcan: fix ldisc->open retval
Oliver Hartkopp [Tue, 10 May 2011 20:12:30 +0000 (13:12 -0700)]
slcan: fix ldisc->open retval

commit 0d4420a90b51abdea71585f571bad6d789ff8eb7 upstream.

TTY layer expects 0 if the ldisc->open operation succeeded.

Reported-by: Matvejchikov Ilya <matvejchikov@gmail.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago net: dev_close() should check IFF_UP
Eric Dumazet [Tue, 10 May 2011 19:26:06 +0000 (12:26 -0700)]
net: dev_close() should check IFF_UP

commit e14a599335427f81bbb0008963e59aa9c6449dce upstream.

Commit 443457242beb (factorize sync-rcu call in
unregister_netdevice_many) mistakenly removed one test from dev_close()

Following actions trigger a BUG :

modprobe bonding
modprobe dummy
ifconfig bond0 up
ifenslave bond0 dummy0
rmmod dummy

dev_close() must not close a non IFF_UP device.

With help from Frank Blaschka and Einar EL Lueck

Reported-by: Frank Blaschka <blaschka@linux.vnet.ibm.com>
Reported-by: Einar EL Lueck <ELELUECK@de.ibm.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago pch_gbe: support ML7223 IOH
Tomoya [Mon, 9 May 2011 01:19:37 +0000 (01:19 +0000)]
pch_gbe: support ML7223 IOH

commit b0e6baf5619a6fa3eaf43b55fdb4daa362c3c916 upstream.

Support new device OKI SEMICONDUCTOR ML7223 IOH(Input/Output Hub).
The ML7223 IOH is for MP(Media Phone) use.
The ML7223 is companion chip for Intel Atom E6xx series.
The ML7223 is completely compatible for Intel EG20T PCH.

Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago PCH_GbE : Fixed the issue of checksum judgment
Toshiharu Okada [Fri, 6 May 2011 02:53:56 +0000 (02:53 +0000)]
PCH_GbE : Fixed the issue of checksum judgment

commit 5d05a04d283061b586e8dc819cfa6f4b8cfd5948 upstream.

The checksum judgment was mistaken.
  Judgment result
     0:Correct 1:Wrong

This patch fixes the issue.

Signed-off-by: Toshiharu Okada <toshiharu-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago PCH_GbE : Fixed the issue of collision detection
Toshiharu Okada [Fri, 6 May 2011 02:53:51 +0000 (02:53 +0000)]
PCH_GbE : Fixed the issue of collision detection

commit ce3dad0f74e6b240f0b1dedbd8ea268a3f298d82 upstream.

The collision detection setting was invalid.
When collision occurred, because data was not resent,
there was an issue to which a transmitting throughput falls.

This patch enables the collision detection.

Signed-off-by: Toshiharu Okada <toshiharu-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago NET: slip, fix ldisc->open retval
Matvejchikov Ilya [Fri, 6 May 2011 06:23:09 +0000 (06:23 +0000)]
NET: slip, fix ldisc->open retval

commit 057bef938896e6266ae24ec4266d24792d27c29a upstream.

TTY layer expects 0 if the ldisc->open operation succeeded.

Signed-off-by: Matvejchikov Ilya <matvejchikov@gmail.com>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Acked-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago ehea: fix wrongly reported speed and port
Kleber Sacilotto de Souza [Wed, 4 May 2011 13:05:11 +0000 (13:05 +0000)]
ehea: fix wrongly reported speed and port

commit dcbe14b91a920657ff3a9ba0efb7c5b5562f956a upstream.

Currently EHEA reports to ethtool as supporting 10M, 100M, 1G and
10G and connected to FIBRE independent of the hardware configuration.
However, when connected to FIBRE the only supported speed is 10G
full-duplex, and the other speeds and modes are only supported
when connected to twisted pair.

Signed-off-by: Kleber Sacilotto de Souza <klebers@linux.vnet.ibm.com>
Acked-by: Breno Leitao <leitao@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago vmxnet3: Consistently disable irqs when taking adapter->cmd_lock
Roland Dreier [Fri, 6 May 2011 08:32:53 +0000 (08:32 +0000)]
vmxnet3: Consistently disable irqs when taking adapter->cmd_lock

commit e328d410826d52e9ee348aff9064c4a207f2adb1 upstream.

Using the vmxnet3 driver produces a lockdep warning because
vmxnet3_set_mc(), which is called with mc->mca_lock held, takes
adapter->cmd_lock.  However, there are a couple of places where
adapter->cmd_lock is taken with softirqs enabled, lockdep warns that a
softirq that tries to take mc->mca_lock could happen while
adapter->cmd_lock is held, leading to an AB-BA deadlock.

I'm not sure if this is a real potential deadlock or not, but the
simplest and best fix seems to be simply to make sure we take cmd_lock
with spin_lock_irqsave() everywhere -- the places with plain spin_lock
just look like oversights.

The full enormous lockdep warning is:

 =========================================================
 [ INFO: possible irq lock inversion dependency detected ]
 2.6.39-rc6+ #1
 ---------------------------------------------------------
 ifconfig/567 just changed the state of lock:
  (&(&mc->mca_lock)->rlock){+.-...}, at: [<ffffffff81531e9f>] mld_ifc_timer_expire+0xff/0x280
 but this lock took another, SOFTIRQ-unsafe lock in the past:
  (&(&adapter->cmd_lock)->rlock){+.+...}

 and interrupts could create inverse lock ordering between them.

 other info that might help us debug this:
 4 locks held by ifconfig/567:
  #0:  (rtnl_mutex){+.+.+.}, at: [<ffffffff8147d547>] rtnl_lock+0x17/0x20
  #1:  ((inetaddr_chain).rwsem){.+.+.+}, at: [<ffffffff810896cf>] __blocking_notifier_call_chain+0x5f/0xb0
  #2:  (&idev->mc_ifc_timer){+.-...}, at: [<ffffffff8106f21b>] run_timer_softirq+0xeb/0x3f0
  #3:  (&ndev->lock){++.-..}, at: [<ffffffff81531dd2>] mld_ifc_timer_expire+0x32/0x280

 the shortest dependencies between 2nd lock and 1st lock:
   -> (&(&adapter->cmd_lock)->rlock){+.+...} ops: 11 {
      HARDIRQ-ON-W at:
                                            [<ffffffff8109ad86>] __lock_acquire+0x7f6/0x1e10
                                            [<ffffffff8109ca4d>] lock_acquire+0x9d/0x130
                                            [<ffffffff81571156>] _raw_spin_lock+0x36/0x70
                                            [<ffffffffa000d212>] vmxnet3_alloc_intr_resources+0x22/0x230 [vmxnet3]
                                            [<ffffffffa0014031>] vmxnet3_probe_device+0x5f6/0x15c5 [vmxnet3]
                                            [<ffffffff812df67f>] local_pci_probe+0x5f/0xd0
                                            [<ffffffff812dfde9>] pci_device_probe+0x119/0x120
                                            [<ffffffff81373df6>] driver_probe_device+0x96/0x1c0
                                            [<ffffffff81373fcb>] __driver_attach+0xab/0xb0
                                            [<ffffffff81372a1e>] bus_for_each_dev+0x5e/0x90
                                            [<ffffffff81373a2e>] driver_attach+0x1e/0x20
                                            [<ffffffff813735b8>] bus_add_driver+0xc8/0x290
                                            [<ffffffff813745b6>] driver_register+0x76/0x140
                                            [<ffffffff812e0046>] __pci_register_driver+0x66/0xe0
                                            [<ffffffffa001b03a>] serio_raw_poll+0x3a/0x60 [serio_raw]
                                            [<ffffffff81002165>] do_one_initcall+0x45/0x190
                                            [<ffffffff810aa76b>] sys_init_module+0xfb/0x250
                                            [<ffffffff8157a142>] system_call_fastpath+0x16/0x1b
      SOFTIRQ-ON-W at:
                                            [<ffffffff8109adb7>] __lock_acquire+0x827/0x1e10
                                            [<ffffffff8109ca4d>] lock_acquire+0x9d/0x130
                                            [<ffffffff81571156>] _raw_spin_lock+0x36/0x70
                                            [<ffffffffa000d212>] vmxnet3_alloc_intr_resources+0x22/0x230 [vmxnet3]
                                            [<ffffffffa0014031>] vmxnet3_probe_device+0x5f6/0x15c5 [vmxnet3]
                                            [<ffffffff812df67f>] local_pci_probe+0x5f/0xd0
                                            [<ffffffff812dfde9>] pci_device_probe+0x119/0x120
                                            [<ffffffff81373df6>] driver_probe_device+0x96/0x1c0
                                            [<ffffffff81373fcb>] __driver_attach+0xab/0xb0
                                            [<ffffffff81372a1e>] bus_for_each_dev+0x5e/0x90
                                            [<ffffffff81373a2e>] driver_attach+0x1e/0x20
                                            [<ffffffff813735b8>] bus_add_driver+0xc8/0x290
                                            [<ffffffff813745b6>] driver_register+0x76/0x140
                                            [<ffffffff812e0046>] __pci_register_driver+0x66/0xe0
                                            [<ffffffffa001b03a>] serio_raw_poll+0x3a/0x60 [serio_raw]
                                            [<ffffffff81002165>] do_one_initcall+0x45/0x190
                                            [<ffffffff810aa76b>] sys_init_module+0xfb/0x250
                                            [<ffffffff8157a142>] system_call_fastpath+0x16/0x1b
      INITIAL USE at:
                                           [<ffffffff8109a9e9>] __lock_acquire+0x459/0x1e10
                                           [<ffffffff8109ca4d>] lock_acquire+0x9d/0x130
                                           [<ffffffff81571156>] _raw_spin_lock+0x36/0x70
                                           [<ffffffffa000d212>] vmxnet3_alloc_intr_resources+0x22/0x230 [vmxnet3]
                                           [<ffffffffa0014031>] vmxnet3_probe_device+0x5f6/0x15c5 [vmxnet3]
                                           [<ffffffff812df67f>] local_pci_probe+0x5f/0xd0
                                           [<ffffffff812dfde9>] pci_device_probe+0x119/0x120
                                           [<ffffffff81373df6>] driver_probe_device+0x96/0x1c0
                                           [<ffffffff81373fcb>] __driver_attach+0xab/0xb0
                                           [<ffffffff81372a1e>] bus_for_each_dev+0x5e/0x90
                                           [<ffffffff81373a2e>] driver_attach+0x1e/0x20
                                           [<ffffffff813735b8>] bus_add_driver+0xc8/0x290
                                           [<ffffffff813745b6>] driver_register+0x76/0x140
                                           [<ffffffff812e0046>] __pci_register_driver+0x66/0xe0
                                           [<ffffffffa001b03a>] serio_raw_poll+0x3a/0x60 [serio_raw]
                                           [<ffffffff81002165>] do_one_initcall+0x45/0x190
                                           [<ffffffff810aa76b>] sys_init_module+0xfb/0x250
                                           [<ffffffff8157a142>] system_call_fastpath+0x16/0x1b
    }
    ... key      at: [<ffffffffa0017590>] __key.42516+0x0/0xffffffffffffda70 [vmxnet3]
    ... acquired at:
    [<ffffffff8109ca4d>] lock_acquire+0x9d/0x130
    [<ffffffff81571bb5>] _raw_spin_lock_irqsave+0x55/0xa0
    [<ffffffffa000de27>] vmxnet3_set_mc+0x97/0x1a0 [vmxnet3]
    [<ffffffff8146ffa0>] __dev_set_rx_mode+0x40/0xb0
    [<ffffffff81470040>] dev_set_rx_mode+0x30/0x50
    [<ffffffff81470127>] __dev_open+0xc7/0x100
    [<ffffffff814703c1>] __dev_change_flags+0xa1/0x180
    [<ffffffff81470568>] dev_change_flags+0x28/0x70
    [<ffffffff814da960>] devinet_ioctl+0x730/0x800
    [<ffffffff814db508>] inet_ioctl+0x88/0xa0
    [<ffffffff814541f0>] sock_do_ioctl+0x30/0x70
    [<ffffffff814542a9>] sock_ioctl+0x79/0x2f0
    [<ffffffff81188798>] do_vfs_ioctl+0x98/0x570
    [<ffffffff81188d01>] sys_ioctl+0x91/0xa0
    [<ffffffff8157a142>] system_call_fastpath+0x16/0x1b

  -> (_xmit_ETHER){+.....} ops: 6 {
     HARDIRQ-ON-W at:
                                          [<ffffffff8109ad86>] __lock_acquire+0x7f6/0x1e10
                                          [<ffffffff8109ca4d>] lock_acquire+0x9d/0x130
                                          [<ffffffff8157124b>] _raw_spin_lock_bh+0x3b/0x70
                                          [<ffffffff81475618>] __dev_mc_add+0x38/0x90
                                          [<ffffffff814756a0>] dev_mc_add+0x10/0x20
                                          [<ffffffff81532c9e>] igmp6_group_added+0x10e/0x1b0
                                          [<ffffffff81533f2d>] ipv6_dev_mc_inc+0x2cd/0x430
                                          [<ffffffff81515e17>] ipv6_add_dev+0x357/0x450
                                          [<ffffffff81519f27>] addrconf_notify+0x2f7/0xb10
                                          [<ffffffff81575c1c>] notifier_call_chain+0x8c/0xc0
                                          [<ffffffff81089586>] raw_notifier_call_chain+0x16/0x20
                                          [<ffffffff814689b7>] call_netdevice_notifiers+0x37/0x70
                                          [<ffffffff8146a944>] register_netdevice+0x244/0x2d0
                                          [<ffffffff8146aa0f>] register_netdev+0x3f/0x60
                                          [<ffffffffa001419b>] vmxnet3_probe_device+0x760/0x15c5 [vmxnet3]
                                          [<ffffffff812df67f>] local_pci_probe+0x5f/0xd0
                                          [<ffffffff812dfde9>] pci_device_probe+0x119/0x120
                                          [<ffffffff81373df6>] driver_probe_device+0x96/0x1c0
                                          [<ffffffff81373fcb>] __driver_attach+0xab/0xb0
                                          [<ffffffff81372a1e>] bus_for_each_dev+0x5e/0x90
                                          [<ffffffff81373a2e>] driver_attach+0x1e/0x20
                                          [<ffffffff813735b8>] bus_add_driver+0xc8/0x290
                                          [<ffffffff813745b6>] driver_register+0x76/0x140
                                          [<ffffffff812e0046>] __pci_register_driver+0x66/0xe0
                                          [<ffffffffa001b03a>] serio_raw_poll+0x3a/0x60 [serio_raw]
                                          [<ffffffff81002165>] do_one_initcall+0x45/0x190
                                          [<ffffffff810aa76b>] sys_init_module+0xfb/0x250
                                          [<ffffffff8157a142>] system_call_fastpath+0x16/0x1b
     INITIAL USE at:
                                         [<ffffffff8109a9e9>] __lock_acquire+0x459/0x1e10
                                         [<ffffffff8109ca4d>] lock_acquire+0x9d/0x130
                                         [<ffffffff8157124b>] _raw_spin_lock_bh+0x3b/0x70
                                         [<ffffffff81475618>] __dev_mc_add+0x38/0x90
                                         [<ffffffff814756a0>] dev_mc_add+0x10/0x20
                                         [<ffffffff81532c9e>] igmp6_group_added+0x10e/0x1b0
                                         [<ffffffff81533f2d>] ipv6_dev_mc_inc+0x2cd/0x430
                                         [<ffffffff81515e17>] ipv6_add_dev+0x357/0x450
                                         [<ffffffff81519f27>] addrconf_notify+0x2f7/0xb10
                                         [<ffffffff81575c1c>] notifier_call_chain+0x8c/0xc0
                                         [<ffffffff81089586>] raw_notifier_call_chain+0x16/0x20
                                         [<ffffffff814689b7>] call_netdevice_notifiers+0x37/0x70
                                         [<ffffffff8146a944>] register_netdevice+0x244/0x2d0
                                         [<ffffffff8146aa0f>] register_netdev+0x3f/0x60
                                         [<ffffffffa001419b>] vmxnet3_probe_device+0x760/0x15c5 [vmxnet3]
                                         [<ffffffff812df67f>] local_pci_probe+0x5f/0xd0
                                         [<ffffffff812dfde9>] pci_device_probe+0x119/0x120
                                         [<ffffffff81373df6>] driver_probe_device+0x96/0x1c0
                                         [<ffffffff81373fcb>] __driver_attach+0xab/0xb0
                                         [<ffffffff81372a1e>] bus_for_each_dev+0x5e/0x90
                                         [<ffffffff81373a2e>] driver_attach+0x1e/0x20
                                         [<ffffffff813735b8>] bus_add_driver+0xc8/0x290
                                         [<ffffffff813745b6>] driver_register+0x76/0x140
                                         [<ffffffff812e0046>] __pci_register_driver+0x66/0xe0
                                         [<ffffffffa001b03a>] serio_raw_poll+0x3a/0x60 [serio_raw]
                                         [<ffffffff81002165>] do_one_initcall+0x45/0x190
                                         [<ffffffff810aa76b>] sys_init_module+0xfb/0x250
                                         [<ffffffff8157a142>] system_call_fastpath+0x16/0x1b
   }
   ... key      at: [<ffffffff827fd868>] netdev_addr_lock_key+0x8/0x1e0
   ... acquired at:
    [<ffffffff8109ca4d>] lock_acquire+0x9d/0x130
    [<ffffffff8157124b>] _raw_spin_lock_bh+0x3b/0x70
    [<ffffffff81475618>] __dev_mc_add+0x38/0x90
    [<ffffffff814756a0>] dev_mc_add+0x10/0x20
    [<ffffffff81532c9e>] igmp6_group_added+0x10e/0x1b0
    [<ffffffff81533f2d>] ipv6_dev_mc_inc+0x2cd/0x430
    [<ffffffff81515e17>] ipv6_add_dev+0x357/0x450
    [<ffffffff81519f27>] addrconf_notify+0x2f7/0xb10
    [<ffffffff81575c1c>] notifier_call_chain+0x8c/0xc0
    [<ffffffff81089586>] raw_notifier_call_chain+0x16/0x20
    [<ffffffff814689b7>] call_netdevice_notifiers+0x37/0x70
    [<ffffffff8146a944>] register_netdevice+0x244/0x2d0
    [<ffffffff8146aa0f>] register_netdev+0x3f/0x60
    [<ffffffffa001419b>] vmxnet3_probe_device+0x760/0x15c5 [vmxnet3]
    [<ffffffff812df67f>] local_pci_probe+0x5f/0xd0
    [<ffffffff812dfde9>] pci_device_probe+0x119/0x120
    [<ffffffff81373df6>] driver_probe_device+0x96/0x1c0
    [<ffffffff81373fcb>] __driver_attach+0xab/0xb0
    [<ffffffff81372a1e>] bus_for_each_dev+0x5e/0x90
    [<ffffffff81373a2e>] driver_attach+0x1e/0x20
    [<ffffffff813735b8>] bus_add_driver+0xc8/0x290
    [<ffffffff813745b6>] driver_register+0x76/0x140
    [<ffffffff812e0046>] __pci_register_driver+0x66/0xe0
    [<ffffffffa001b03a>] serio_raw_poll+0x3a/0x60 [serio_raw]
    [<ffffffff81002165>] do_one_initcall+0x45/0x190
    [<ffffffff810aa76b>] sys_init_module+0xfb/0x250
    [<ffffffff8157a142>] system_call_fastpath+0x16/0x1b

 -> (&(&mc->mca_lock)->rlock){+.-...} ops: 6 {
    HARDIRQ-ON-W at:
                                        [<ffffffff8109ad86>] __lock_acquire+0x7f6/0x1e10
                                        [<ffffffff8109ca4d>] lock_acquire+0x9d/0x130
                                        [<ffffffff8157124b>] _raw_spin_lock_bh+0x3b/0x70
                                        [<ffffffff81532bd5>] igmp6_group_added+0x45/0x1b0
                                        [<ffffffff81533f2d>] ipv6_dev_mc_inc+0x2cd/0x430
                                        [<ffffffff81515e17>] ipv6_add_dev+0x357/0x450
                                        [<ffffffff81ce0d16>] addrconf_init+0x4e/0x183
                                        [<ffffffff81ce0ba1>] inet6_init+0x191/0x2a6
                                        [<ffffffff81002165>] do_one_initcall+0x45/0x190
                                        [<ffffffff81ca4d3f>] kernel_init+0xe3/0x168
                                        [<ffffffff8157b2e4>] kernel_thread_helper+0x4/0x10
    IN-SOFTIRQ-W at:
                                        [<ffffffff8109ad5e>] __lock_acquire+0x7ce/0x1e10
                                        [<ffffffff8109ca4d>] lock_acquire+0x9d/0x130
                                        [<ffffffff8157124b>] _raw_spin_lock_bh+0x3b/0x70
                                        [<ffffffff81531e9f>] mld_ifc_timer_expire+0xff/0x280
                                        [<ffffffff8106f2a9>] run_timer_softirq+0x179/0x3f0
                                        [<ffffffff810666d0>] __do_softirq+0xc0/0x210
                                        [<ffffffff8157b3dc>] call_softirq+0x1c/0x30
                                        [<ffffffff8100d42d>] do_softirq+0xad/0xe0
                                        [<ffffffff81066afe>] irq_exit+0x9e/0xb0
                                        [<ffffffff8157bd40>] smp_apic_timer_interrupt+0x70/0x9b
                                        [<ffffffff8157ab93>] apic_timer_interrupt+0x13/0x20
                                        [<ffffffff8149d857>] rt_do_flush+0x87/0x2a0
                                        [<ffffffff814a16b6>] rt_cache_flush+0x46/0x60
                                        [<ffffffff814e36e0>] fib_disable_ip+0x40/0x60
                                        [<ffffffff814e5447>] fib_inetaddr_event+0xd7/0xe0
                                        [<ffffffff81575c1c>] notifier_call_chain+0x8c/0xc0
                                        [<ffffffff810896e8>] __blocking_notifier_call_chain+0x78/0xb0
                                        [<ffffffff81089736>] blocking_notifier_call_chain+0x16/0x20
                                        [<ffffffff814d8021>] __inet_del_ifa+0xf1/0x2e0
                                        [<ffffffff814d8223>] inet_del_ifa+0x13/0x20
                                        [<ffffffff814da731>] devinet_ioctl+0x501/0x800
                                        [<ffffffff814db508>] inet_ioctl+0x88/0xa0
                                        [<ffffffff814541f0>] sock_do_ioctl+0x30/0x70
                                        [<ffffffff814542a9>] sock_ioctl+0x79/0x2f0
                                        [<ffffffff81188798>] do_vfs_ioctl+0x98/0x570
                                        [<ffffffff81188d01>] sys_ioctl+0x91/0xa0
                                        [<ffffffff8157a142>] system_call_fastpath+0x16/0x1b
    INITIAL USE at:
                                       [<ffffffff8109a9e9>] __lock_acquire+0x459/0x1e10
                                       [<ffffffff8109ca4d>] lock_acquire+0x9d/0x130
                                       [<ffffffff8157124b>] _raw_spin_lock_bh+0x3b/0x70
                                       [<ffffffff81532bd5>] igmp6_group_added+0x45/0x1b0
                                       [<ffffffff81533f2d>] ipv6_dev_mc_inc+0x2cd/0x430
                                       [<ffffffff81515e17>] ipv6_add_dev+0x357/0x450
                                       [<ffffffff81ce0d16>] addrconf_init+0x4e/0x183
                                       [<ffffffff81ce0ba1>] inet6_init+0x191/0x2a6
                                       [<ffffffff81002165>] do_one_initcall+0x45/0x190
                                       [<ffffffff81ca4d3f>] kernel_init+0xe3/0x168
                                       [<ffffffff8157b2e4>] kernel_thread_helper+0x4/0x10
  }
  ... key      at: [<ffffffff82801be2>] __key.40877+0x0/0x8
  ... acquired at:
    [<ffffffff810997bc>] check_usage_forwards+0x9c/0x110
    [<ffffffff8109a32c>] mark_lock+0x19c/0x400
    [<ffffffff8109ad5e>] __lock_acquire+0x7ce/0x1e10
    [<ffffffff8109ca4d>] lock_acquire+0x9d/0x130
    [<ffffffff8157124b>] _raw_spin_lock_bh+0x3b/0x70
    [<ffffffff81531e9f>] mld_ifc_timer_expire+0xff/0x280
    [<ffffffff8106f2a9>] run_timer_softirq+0x179/0x3f0
    [<ffffffff810666d0>] __do_softirq+0xc0/0x210
    [<ffffffff8157b3dc>] call_softirq+0x1c/0x30
    [<ffffffff8100d42d>] do_softirq+0xad/0xe0
    [<ffffffff81066afe>] irq_exit+0x9e/0xb0
    [<ffffffff8157bd40>] smp_apic_timer_interrupt+0x70/0x9b
    [<ffffffff8157ab93>] apic_timer_interrupt+0x13/0x20
    [<ffffffff8149d857>] rt_do_flush+0x87/0x2a0
    [<ffffffff814a16b6>] rt_cache_flush+0x46/0x60
    [<ffffffff814e36e0>] fib_disable_ip+0x40/0x60
    [<ffffffff814e5447>] fib_inetaddr_event+0xd7/0xe0
    [<ffffffff81575c1c>] notifier_call_chain+0x8c/0xc0
    [<ffffffff810896e8>] __blocking_notifier_call_chain+0x78/0xb0
    [<ffffffff81089736>] blocking_notifier_call_chain+0x16/0x20
    [<ffffffff814d8021>] __inet_del_ifa+0xf1/0x2e0
    [<ffffffff814d8223>] inet_del_ifa+0x13/0x20
    [<ffffffff814da731>] devinet_ioctl+0x501/0x800
    [<ffffffff814db508>] inet_ioctl+0x88/0xa0
    [<ffffffff814541f0>] sock_do_ioctl+0x30/0x70
    [<ffffffff814542a9>] sock_ioctl+0x79/0x2f0
    [<ffffffff81188798>] do_vfs_ioctl+0x98/0x570
    [<ffffffff81188d01>] sys_ioctl+0x91/0xa0
    [<ffffffff8157a142>] system_call_fastpath+0x16/0x1b

 stack backtrace:
 Pid: 567, comm: ifconfig Not tainted 2.6.39-rc6+ #1
 Call Trace:
  <IRQ>  [<ffffffff810996f6>] print_irq_inversion_bug+0x146/0x170
  [<ffffffff81099720>] ? print_irq_inversion_bug+0x170/0x170
  [<ffffffff810997bc>] check_usage_forwards+0x9c/0x110
  [<ffffffff8109a32c>] mark_lock+0x19c/0x400
  [<ffffffff8109ad5e>] __lock_acquire+0x7ce/0x1e10
  [<ffffffff8109a383>] ? mark_lock+0x1f3/0x400
  [<ffffffff8109b497>] ? __lock_acquire+0xf07/0x1e10
  [<ffffffff81012255>] ? native_sched_clock+0x15/0x70
  [<ffffffff8109ca4d>] lock_acquire+0x9d/0x130
  [<ffffffff81531e9f>] ? mld_ifc_timer_expire+0xff/0x280
  [<ffffffff8109759d>] ? lock_release_holdtime+0x3d/0x1a0
  [<ffffffff8157124b>] _raw_spin_lock_bh+0x3b/0x70
  [<ffffffff81531e9f>] ? mld_ifc_timer_expire+0xff/0x280
  [<ffffffff8157170b>] ? _raw_spin_unlock+0x2b/0x40
  [<ffffffff81531e9f>] mld_ifc_timer_expire+0xff/0x280
  [<ffffffff8106f2a9>] run_timer_softirq+0x179/0x3f0
  [<ffffffff8106f21b>] ? run_timer_softirq+0xeb/0x3f0
  [<ffffffff810122b9>] ? sched_clock+0x9/0x10
  [<ffffffff81531da0>] ? mld_gq_timer_expire+0x30/0x30
  [<ffffffff810666d0>] __do_softirq+0xc0/0x210
  [<ffffffff8109455f>] ? tick_program_event+0x1f/0x30
  [<ffffffff8157b3dc>] call_softirq+0x1c/0x30
  [<ffffffff8100d42d>] do_softirq+0xad/0xe0
  [<ffffffff81066afe>] irq_exit+0x9e/0xb0
  [<ffffffff8157bd40>] smp_apic_timer_interrupt+0x70/0x9b
  [<ffffffff8157ab93>] apic_timer_interrupt+0x13/0x20
  <EOI>  [<ffffffff81571f14>] ? retint_restore_args+0x13/0x13
  [<ffffffff810974a7>] ? lock_is_held+0x17/0xd0
  [<ffffffff8149d857>] rt_do_flush+0x87/0x2a0
  [<ffffffff814a16b6>] rt_cache_flush+0x46/0x60
  [<ffffffff814e36e0>] fib_disable_ip+0x40/0x60
  [<ffffffff814e5447>] fib_inetaddr_event+0xd7/0xe0
  [<ffffffff81575c1c>] notifier_call_chain+0x8c/0xc0
  [<ffffffff810896e8>] __blocking_notifier_call_chain+0x78/0xb0
  [<ffffffff81089736>] blocking_notifier_call_chain+0x16/0x20
  [<ffffffff814d8021>] __inet_del_ifa+0xf1/0x2e0
  [<ffffffff814d8223>] inet_del_ifa+0x13/0x20
  [<ffffffff814da731>] devinet_ioctl+0x501/0x800
  [<ffffffff8108a3af>] ? local_clock+0x6f/0x80
  [<ffffffff81575898>] ? do_page_fault+0x268/0x560
  [<ffffffff814db508>] inet_ioctl+0x88/0xa0
  [<ffffffff814541f0>] sock_do_ioctl+0x30/0x70
  [<ffffffff814542a9>] sock_ioctl+0x79/0x2f0
  [<ffffffff810dfe87>] ? __call_rcu+0xa7/0x190
  [<ffffffff81188798>] do_vfs_ioctl+0x98/0x570
  [<ffffffff8117737e>] ? fget_light+0x33e/0x430
  [<ffffffff81571ef9>] ? retint_swapgs+0x13/0x1b
  [<ffffffff81188d01>] sys_ioctl+0x91/0xa0
  [<ffffffff8157a142>] system_call_fastpath+0x16/0x1b

Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Shreyas N Bhatewara <sbhatewara@vmware.com>
Signed-off-by: Scott J. Goldman <scottjg@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago ipheth: Properly distinguish length and alignment in URBs and skbs
Ben Hutchings [Tue, 3 May 2011 07:49:25 +0000 (07:49 +0000)]
ipheth: Properly distinguish length and alignment in URBs and skbs

commit 9c412942a0bb19ba18f7bd939d42eff1e132a901 upstream.

The USB protocol this driver implements appears to require 2 bytes of
padding in front of each received packet.  This used to be equal to
the value of NET_IP_ALIGN on x86, so the driver abused that constant
and mostly worked, but this is no longer the case.  The driver also
mixed up the URB and packet lengths, resulting in 2 bytes of junk at
the end of the skb.

Introduce a private constant for the 2 bytes of padding; fix this
confusion and check for the under-length case.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago can: fix SJA1000 dlc for RTR packets
Kurt Van Dijck [Mon, 2 May 2011 04:50:48 +0000 (04:50 +0000)]
can: fix SJA1000 dlc for RTR packets

commit 87e9af6cc67d842cd92b52b81f3f14e665e7ab05 upstream.

RTR frames do have a valid data length code on CAN.
The driver for SJA1000 did not handle that situation properly.

Signed-off-by: Kurt Van Dijck <kurt.van.dijck@eia.be>
Acked-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago net: ip_expire() must revalidate route
Eric Dumazet [Wed, 4 May 2011 10:02:26 +0000 (10:02 +0000)]
net: ip_expire() must revalidate route

commit 64f3b9e203bd06855072e295557dca1485a2ecba upstream.

Commit 4a94445c9a5c (net: Use ip_route_input_noref() in input path)
added a bug in IP defragmentation handling, in case timeout is fired.

When a frame is defragmented, we use last skb dst field when building
final skb. Its dst is valid, since we are in rcu read section.

But if a timeout occurs, we take first queued fragment to build one ICMP
TIME EXCEEDED message. Problem is all queued skb have weak dst pointers,
since we escaped RCU critical section after their queueing. icmp_send()
might dereference a now freed (and possibly reused) part of memory.

Calling skb_dst_drop() and ip_route_input_noref() to revalidate route is
the only possible choice.

Reported-by: Denys Fedoryshchenko <denys@visp.net.lb>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago PM / Hibernate: Fix ioctl SNAPSHOT_S2RAM
Rafael J. Wysocki [Tue, 10 May 2011 19:10:13 +0000 (21:10 +0200)]
PM / Hibernate: Fix ioctl SNAPSHOT_S2RAM

commit 36cb7035ea0c11ef2c7fa2bbe0cd181b23569b29 upstream.

The SNAPSHOT_S2RAM ioctl used for implementing the feature allowing
one to suspend to RAM after creating a hibernation image is currently
broken, because it doesn't clear the "ready" flag in the struct
snapshot_data object handled by it.  As a result, the
SNAPSHOT_UNFREEZE doesn't work correctly after SNAPSHOT_S2RAM has
returned and the user space hibernate task cannot thaw the other
processes as appropriate.  Make SNAPSHOT_S2RAM clear data->ready
to fix this problem.

Tested-by: Alexandre Felipe Muller de Souza <alexandrefm@mandriva.com.br>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago PM / Hibernate: Make snapshot_release() restore GFP mask
Rafael J. Wysocki [Tue, 10 May 2011 19:10:01 +0000 (21:10 +0200)]
PM / Hibernate: Make snapshot_release() restore GFP mask

commit 9744997a8a2280e67984d4bffd87221d24f3b6b1 upstream.

If the process using the hibernate user space interface closes
/dev/snapshot after creating a hibernation image without thawing
tasks, snapshot_release() should call pm_restore_gfp_mask() to
restore the GFP mask used before the creation of the image.  Make
that happen.

Tested-by: Alexandre Felipe Muller de Souza <alexandrefm@mandriva.com.br>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago PM: Fix warning in pm_restrict_gfp_mask() during SNAPSHOT_S2RAM ioctl
Rafael J. Wysocki [Tue, 10 May 2011 19:09:53 +0000 (21:09 +0200)]
PM: Fix warning in pm_restrict_gfp_mask() during SNAPSHOT_S2RAM ioctl

commit 87186475a402391a1ca7d42a675c9b35a18dc348 upstream.

A warning is printed by pm_restrict_gfp_mask() while the
SNAPSHOT_S2RAM ioctl is being executed after creating a hibernation
image, because pm_restrict_gfp_mask() has been called once already
before the image creation and suspend_devices_and_enter() calls it
once again.  This happens after commit 452aa6999e6703ffbddd7f6ea124d3
(mm/pm: force GFP_NOIO during suspend/hibernation and resume).

To avoid this issue, move pm_restrict_gfp_mask() and
pm_restore_gfp_mask() from suspend_devices_and_enter() to its caller
in kernel/power/suspend.c.

Reported-by: Alexandre Felipe Muller de Souza <alexandrefm@mandriva.com.br>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago ARM: zImage: make sure the stack is 64-bit aligned
Nicolas Pitre [Fri, 22 Apr 2011 01:45:08 +0000 (21:45 -0400)]
ARM: zImage: make sure the stack is 64-bit aligned

commit 3bd2cbb95543acf44fe123eb9f038de54e655eb4 upstream.

With ARMv5+ and EABI, the compiler expects a 64-bit aligned stack so
instructions like STRD and LDRD can be used.  Without this, mysterious
boot failures were seen semi randomly with the LZMA decompressor.

While at it, let's align .bss as well.

Signed-off-by: Nicolas Pitre <nicolas.pitre@linaro.org>
Tested-by: Shawn Guo <shawn.guo@linaro.org>
Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago tmpfs: fix race between umount and swapoff
Hugh Dickins [Wed, 11 May 2011 22:13:37 +0000 (15:13 -0700)]
tmpfs: fix race between umount and swapoff

commit 778dd893ae785c5fd505dac30b5fc40aae188bf1 upstream.

The use of igrab() in swapoff's shmem_unuse_inode() is just as vulnerable
to umount as that in shmem_writepage().

Fix this instance by extending the protection of shmem_swaplist_mutex
right across shmem_unuse_inode(): while it's on the list, the inode cannot
be evicted (and the filesystem cannot be unmounted) without
shmem_evict_inode() taking that mutex to remove it from the list.

But since shmem_writepage() might take that mutex, we should avoid making
memory allocations or memcg charges while holding it: prepare them at the
outer level in shmem_unuse().  When mem_cgroup_cache_charge() was
originally placed, we didn't know until that point that the page from swap
was actually a shmem page; but nowadays it's noted in the swap_map, so
we're safe to charge upfront.  For the radix_tree, do as is done in
shmem_getpage(): preload upfront, but don't pin to the cpu; so we make a
habit of refreshing the node pool, but might dip into GFP_NOWAIT reserves
on occasion if subsequently preempted.

With the allocation and charge moved out from shmem_unuse_inode(),
we can also hold index map and info->lock over from finding the entry.

Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago mm: use alloc_bootmem_node_nopanic() on really needed path
Yinghai Lu [Wed, 11 May 2011 22:13:32 +0000 (15:13 -0700)]
mm: use alloc_bootmem_node_nopanic() on really needed path

commit 8f389a99b652aab5b42297280bd94d95933ad12f upstream.

Stefan found nobootmem does not work on his system that has only 8M of
RAM.  This causes an early panic:

  BIOS-provided physical RAM map:
   BIOS-88: 0000000000000000 - 000000000009f000 (usable)
   BIOS-88: 0000000000100000 - 0000000000840000 (usable)
  bootconsole [earlyser0] enabled
  Notice: NX (Execute Disable) protection missing in CPU or disabled in BIOS!
  DMI not present or invalid.
  last_pfn = 0x840 max_arch_pfn = 0x100000
  init_memory_mapping: 0000000000000000-0000000000840000
  8MB LOWMEM available.
    mapped low ram: 0 - 00840000
    low ram: 0 - 00840000
  Zone PFN ranges:
    DMA      0x00000001 -> 0x00001000
    Normal   empty
  Movable zone start PFN for each node
  early_node_map[2] active PFN ranges
      0: 0x00000001 -> 0x0000009f
      0: 0x00000100 -> 0x00000840
  BUG: Int 6: CR2 (null)
       EDI c034663c  ESI (null)  EBP c0329f38  ESP c0329ef4
       EBX c0346380  EDX 00000006  ECX ffffffff  EAX fffffff4
       err (null)  EIP c0353191   CS c0320060  flg 00010082
  Stack: (null) c030c533 000007cd (null) c030c533 00000001 (null) (null)
         00000003 0000083f 00000018 00000002 00000002 c0329f6c c03534d6 (null)
         (null) 00000100 00000840 (null) c0329f64 00000001 00001000 (null)
  Pid: 0, comm: swapper Not tainted 2.6.36 #5
  Call Trace:
   [<c02e3707>] ? 0xc02e3707
   [<c035e6e5>] 0xc035e6e5
   [<c0353191>] ? 0xc0353191
   [<c03534d6>] 0xc03534d6
   [<c034f1cd>] 0xc034f1cd
   [<c034a824>] 0xc034a824
   [<c03513cb>] ? 0xc03513cb
   [<c0349432>] 0xc0349432
   [<c0349066>] 0xc0349066

It turns out that we should ignore the low limit of 16M.

Use alloc_bootmem_node_nopanic() in this case.

[akpm@linux-foundation.org: less mess]
Signed-off-by: Yinghai LU <yinghai@kernel.org>
Reported-by: Stefan Hellermann <stefan@the2masters.de>
Tested-by: Stefan Hellermann <stefan@the2masters.de>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: "H. Peter Anvin" <hpa@linux.intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago drivers/rtc/rtc-s3c.c: fixup wake support for rtc
Ben Dooks [Wed, 11 May 2011 22:13:28 +0000 (15:13 -0700)]
drivers/rtc/rtc-s3c.c: fixup wake support for rtc

commit 52cd4e5c620af9e21b5298bf01844b98573505a7 upstream.

The driver is not balancing set_irq and disable_irq_wake() calls, so
ensure that it keeps track of whether the wake is enabled.

This fixes the following error on S3C6410 devices:

  WARNING: at kernel/irq/manage.c:382 set_irq_wake+0x84/0xec()
  Unbalanced IRQ 92 wake disable

Signed-off-by: Ben Dooks <ben-linux@fluff.org>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago CIFS: Fix memory over bound bug in cifs_parse_mount_options
Pavel Shilovsky [Thu, 14 Apr 2011 18:00:56 +0000 (22:00 +0400)]
CIFS: Fix memory over bound bug in cifs_parse_mount_options

commit 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d upstream.

While processing the password we can run past the bound of the options
array if the next character after the array is a delimiter. The patch
adds a check for whether we have reached the end.

Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago dccp: handle invalid feature options length
Dan Rosenberg [Fri, 6 May 2011 03:27:18 +0000 (03:27 +0000)]
dccp: handle invalid feature options length

commit a294865978b701e4d0d90135672749531b9a900d upstream.

A length of zero (after subtracting two for the type and len fields) for
the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
the subtraction.  The subsequent code may read past the end of the
options value buffer when parsing.  I'm unsure of what the consequences
of this might be, but it's probably not good.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
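
The length underflow described in the dccp commit above, modelled in user space as an added example (not the kernel's code and not the patch itself). The option numbers 32 to 35 are the DCCPO_{CHANGE,CONFIRM}_{L,R} types from RFC 4340; the 8-bit length variable, the function names and the sample buffers are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Feature-negotiation option types (RFC 4340). */
enum { DCCPO_CHANGE_L = 32, DCCPO_CONFIRM_L = 33,
       DCCPO_CHANGE_R = 34, DCCPO_CONFIRM_R = 35 };

enum { OPT_OK = 0, OPT_NONE = 1, OPT_INVALID = -1 };

/* What the feature handler would be told to read (hypothetical structure). */
struct feat_args {
    size_t  feat_off;   /* offset of the feature-number byte */
    uint8_t val_len;    /* length of the value after the feature number */
};

/*
 * Walk a type/len/value option area and stop at the first feature option.
 * check_zero_len = 0 models the missing check, 1 models the added check.
 * Nothing is dereferenced beyond opts_len; only the lengths are computed.
 */
static int parse_feature_option(const uint8_t *opts, size_t opts_len,
                                int check_zero_len, struct feat_args *out)
{
    size_t i = 0;

    while (i < opts_len) {
        uint8_t type = opts[i++];
        uint8_t len;

        if (type < 32)              /* single-byte options carry no length */
            continue;
        if (i == opts_len)
            return OPT_INVALID;     /* length byte missing */
        len = opts[i++];
        if (len < 2)
            return OPT_INVALID;
        len -= 2;                   /* strip the type and len fields */
        if (opts_len - i < len)
            return OPT_INVALID;     /* value runs past the option area */

        if (type >= DCCPO_CHANGE_L && type <= DCCPO_CONFIRM_R) {
            if (check_zero_len && len == 0)
                return OPT_INVALID; /* no room for the feature number */
            out->feat_off = i;
            /* One byte is the feature number; with len == 0 this wraps to 255. */
            out->val_len = (uint8_t)(len - 1);
            return OPT_OK;
        }
        i += len;
    }
    return OPT_NONE;
}

/*
 * Bytes the handler would read beyond the option area, or -1 if no
 * feature option is dispatched (rejected or absent).
 */
static long handler_overread(const uint8_t *opts, size_t opts_len,
                             int check_zero_len)
{
    struct feat_args a;
    size_t end;

    if (parse_feature_option(opts, opts_len, check_zero_len, &a) != OPT_OK)
        return -1;
    end = a.feat_off + 1 + (size_t)a.val_len;
    return end > opts_len ? (long)(end - opts_len) : 0;
}

/* Constructed sample option areas. */
static const uint8_t opt_valid[]   = { DCCPO_CHANGE_L, 4, 1, 9 }; /* feature 1, value 9 */
static const uint8_t opt_zerolen[] = { DCCPO_CONFIRM_R, 2 };      /* no value bytes */

int main(void)
{
    printf("valid option, unchecked:    overread %ld\n",
           handler_overread(opt_valid, sizeof(opt_valid), 0));
    printf("zero-length, unchecked:     overread %ld\n",
           handler_overread(opt_zerolen, sizeof(opt_zerolen), 0));
    printf("zero-length, with check:    result   %ld\n",
           handler_overread(opt_zerolen, sizeof(opt_zerolen), 1));
    return 0;
}
```
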
13 years ago drm/i915: Release object along create user fb error path
Chris Wilson [Sat, 16 Apr 2011 09:23:51 +0000 (10:23 +0100)]
drm/i915: Release object along create user fb error path

commit 2dd251f0a294300a1cf8f4b63768145fa6153c4d upstream.

Reported-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago drm/i915/lvds: Only act on lid notify when the device is on
Alex Williamson [Thu, 21 Apr 2011 22:08:14 +0000 (16:08 -0600)]
drm/i915/lvds: Only act on lid notify when the device is on

commit 2fb4e61d9471867677c97bf11dba8f1e9dfa7f7c upstream.

If we're using vga switcheroo, the device may be turned off
and poking it can return random state. This provokes an OOPS fixed
separately by 8ff887c847 (drm/i915/dp: Be paranoid in case we disable a
DP before it is attached). Trying to use and respond to events on a
device that has been turned off by the user is in principle a silly thing
to do.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago drm/i915/dp: Be paranoid in case we disable a DP before it is attached
Chris Wilson [Sun, 17 Apr 2011 05:38:35 +0000 (06:38 +0100)]
drm/i915/dp: Be paranoid in case we disable a DP before it is attached

commit 31acbcc408f412d1ba73765b846c38642be553c3 upstream.

Given that the hardware may be left in a random condition by the BIOS,
it is conceivable that we then attempt to clear the DP_PIPEB_SELECT bit
without us ever enabling/attaching the DP encoder to a pipe. Thus
causing a NULL dereference when we attempt to wait for a vblank on that
crtc.

Reported-and-tested-by: Bryan Christ <bryan.christ@gmail.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=36314
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=36456
Reported-and-tested-by: Bo Wang <bo.b.wang@intel.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago Don't lock guardpage if the stack is growing up
Mikulas Patocka [Mon, 9 May 2011 11:01:09 +0000 (13:01 +0200)]
Don't lock guardpage if the stack is growing up

commit a09a79f66874c905af35d5bb5e5f2fdc7b6b894d upstream.

Linux kernel excludes guard page when performing mlock on a VMA with
down-growing stack. However, some architectures have up-growing stack
and locking the guard page should be excluded in this case too.

This patch fixes lvm2 on PA-RISC (and possibly other architectures with
up-growing stack). lvm2 calculates number of used pages when locking and
when unlocking and reports an internal error if the numbers mismatch.

[ Patch changed fairly extensively to also fix /proc/<pid>/maps for the
  grows-up case, and to move things around a bit to clean it all up and
  share the infrastructure with the /proc bits.

  Tested on ia64 that has both grow-up and grow-down segments  - Linus ]

Signed-off-by: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
Tested-by: Tony Luck <tony.luck@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago vm: fix vm_pgoff wrap in upward expansion
Hugh Dickins [Tue, 10 May 2011 00:44:42 +0000 (17:44 -0700)]
vm: fix vm_pgoff wrap in upward expansion

commit 42c36f63ac1366ab0ecc2d5717821362c259f517 upstream.

Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed
the case of an expanding mapping causing vm_pgoff wrapping when you had
downward stack expansion.  But there was another case where IA64 and
PA-RISC expand mappings: upward expansion.

This fixes that case too.

Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago drm/radeon/kms: fix gart setup on fusion parts (v2) backport
Alex Deucher [Fri, 6 May 2011 18:29:55 +0000 (14:29 -0400)]
drm/radeon/kms: fix gart setup on fusion parts (v2) backport

Backport of 8aeb96f80232e9a701b5c4715504f4c9173978bd
(drm/radeon/kms: fix gart setup on fusion parts (v2))
to the stable tree.

Out of the entire GART/VM subsystem, the hw designers changed
the location of 3 regs.

v2: airlied: add parameter for userspace to work from.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago iwlwifi: add {ack, plpc}_check module parameters
Stanislaw Gruszka [Mon, 9 May 2011 19:27:30 +0000 (21:27 +0200)]
iwlwifi: add {ack, plpc}_check module parameters

commit b7977ffaab5187ad75edaf04ac854615cea93828 upstream.

Add ack_check and plcp_check module parameters. Ack_check is disabled
by default since it is proved that checking ack health can cause trouble.
Plcp_check is enabled by default.

This prevents connection hangs with "low ack count detected" messages.

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=666646

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago hw_breakpoints, powerpc: Fix CONFIG_HAVE_HW_BREAKPOINT off-case in ptrace_set_debugreg()
Frederic Weisbecker [Thu, 5 May 2011 23:53:18 +0000 (01:53 +0200)]
hw_breakpoints, powerpc: Fix CONFIG_HAVE_HW_BREAKPOINT off-case in ptrace_set_debugreg()

commit 925f83c085e1bb08435556c5b4844a60de002e31 upstream.

We make use of ptrace_get_breakpoints() / ptrace_put_breakpoints() to
protect ptrace_set_debugreg() even if CONFIG_HAVE_HW_BREAKPOINT is off.
However in this case, these APIs are not implemented.

To fix this, push the protection down inside the relevant ifdef.
Best would be to export the code inside
CONFIG_HAVE_HW_BREAKPOINT into a standalone function to cleanup
the ifdefury there and call the breakpoint ref API inside. But
as it is more invasive, this should be rather made in an -rc1.

Fixes this build error:

  arch/powerpc/kernel/ptrace.c:1594: error: implicit declaration of function 'ptrace_get_breakpoints' make[2]: ***

Reported-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: LPPC <linuxppc-dev@lists.ozlabs.org>
Cc: Prasad <prasad@linux.vnet.ibm.com>
Link: http://lkml.kernel.org/r/1304639598-4707-1-git-send-email-fweisbec@gmail.com
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago ptrace: Prepare to fix racy accesses on task breakpoints
Frederic Weisbecker [Thu, 7 Apr 2011 14:53:20 +0000 (16:53 +0200)]
ptrace: Prepare to fix racy accesses on task breakpoints

commit bf26c018490c2fce7fe9b629083b96ce0e6ad019 upstream.

When a task is traced and is in a stopped state, the tracer
may execute a ptrace request to examine the tracee state and
get its task struct. Right after, the tracee can be killed
and thus its breakpoints released.
This can happen concurrently when the tracer is in the middle
of reading or modifying these breakpoints, leading to dereferencing
a freed pointer.

Hence, to prepare the fix, create a generic breakpoint reference
holding API. When a reference on the breakpoints of a task is
held, the breakpoints won't be released until the last reference
is dropped. After that, no more ptrace request on the task's
breakpoints can be serviced for the tracer.

Reported-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Prasad <prasad@linux.vnet.ibm.com>
Cc: Paul Mundt <lethal@linux-sh.org>
Link: http://lkml.kernel.org/r/1302284067-7860-2-git-send-email-fweisbec@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago x86, hw_breakpoints: Fix racy access to ptrace breakpoints
Frederic Weisbecker [Fri, 8 Apr 2011 15:29:36 +0000 (17:29 +0200)]
x86, hw_breakpoints: Fix racy access to ptrace breakpoints

commit 87dc669ba25777b67796d7262c569429e58b1ed4 upstream.

While the tracer accesses ptrace breakpoints, the child task may
concurrently exit due to a SIGKILL and thus release its breakpoints
at the same time. We can then dereference some freed pointers.

To fix this, hold a reference on the child breakpoints before
manipulating them.

Reported-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Prasad <prasad@linux.vnet.ibm.com>
Cc: Paul Mundt <lethal@linux-sh.org>
Link: http://lkml.kernel.org/r/1302284067-7860-3-git-send-email-fweisbec@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago thinkpad-acpi: module autoloading for newer Lenovo ThinkPads.
Manoj Iyer [Sun, 8 May 2011 22:04:29 +0000 (18:04 -0400)]
thinkpad-acpi: module autoloading for newer Lenovo ThinkPads.

commit 9fbdaeb4f4dd14a0caa9fc35c496d5440c251a3a upstream.

The newer Lenovo ThinkPads have HKEY HID of LEN0068 instead
of IBM0068. Added new HID so that thinkpad_acpi module will
auto load on these newer Lenovo ThinkPads.

Acked-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Signed-off-by: Manoj Iyer <manoj.iyer@canonical.com>
Signed-off-by: Andy Lutomirski <luto@mit.edu>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago drm/radeon/kms: add pci id to acer travelmate quirk for 5730
Alex Deucher [Wed, 4 May 2011 15:41:47 +0000 (11:41 -0400)]
drm/radeon/kms: add pci id to acer travelmate quirk for 5730

commit 4f87af46107499415afd238be104587b5a9d7ac3 upstream.

Fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=34082

Reported by: Sampo Laaksonen <zhamahn@gmail.com>
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago Validate size of EFI GUID partition entries.
Timo Warns [Fri, 6 May 2011 11:47:35 +0000 (13:47 +0200)]
Validate size of EFI GUID partition entries.

commit fa039d5f6b126fbd65eefa05db2f67e44df8f121 upstream.

Otherwise corrupted EFI partition tables can cause total confusion.

Signed-off-by: Timo Warns <warns@pre-sense.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago cifs: handle errors from coalesce_t2
Jeff Layton [Fri, 29 Apr 2011 10:52:44 +0000 (06:52 -0400)]
cifs: handle errors from coalesce_t2

commit 16541ba11c4f04ffe94b073e301f00b749fb84a1 upstream.

cifs_demultiplex_thread calls coalesce_t2 to try and merge follow-on t2
responses into the original mid buffer. coalesce_t2 however can return
errors, but the caller doesn't handle that situation properly. Fix the
thread to treat such a case as it would a malformed packet. Mark the
mid as being malformed and issue the callback.

Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago cifs: refactor mid finding loop in cifs_demultiplex_thread
Jeff Layton [Fri, 29 Apr 2011 10:52:43 +0000 (06:52 -0400)]
cifs: refactor mid finding loop in cifs_demultiplex_thread

commit 146f9f65bd13f56665205aed7205d531c810cb35 upstream.

...to reduce the extreme indentation. This should introduce no
behavioral changes.

Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago cifs: sanitize length checking in coalesce_t2 (try #3)
Jeff Layton [Wed, 27 Apr 2011 17:29:49 +0000 (13:29 -0400)]
cifs: sanitize length checking in coalesce_t2 (try #3)

commit 2a2047bc94d0efc316401170c3d078d9edc20dc4 upstream.

There are a couple of places in this code where these values can wrap or
go negative, and that could potentially end up overflowing the buffer.
Ensure that that doesn't happen. Do all of the length calculation and
checks first, and only perform the memcpy after they pass.

Also, increase some stack variables to 32 bits to ensure that they don't
wrap without being detected.

Finally, change the error codes to be a bit more descriptive of any
problems detected. -EINVAL isn't very accurate.

Reported-and-Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago cifs: check for bytes_remaining going to zero in CIFS_SessSetup
Jeff Layton [Wed, 27 Apr 2011 17:25:51 +0000 (13:25 -0400)]
cifs: check for bytes_remaining going to zero in CIFS_SessSetup

commit fcda7f4578bbf9717444ca6da8a421d21489d078 upstream.

It's possible that when we go to decode the string area in the
SESSION_SETUP response, that bytes_remaining will be 0. Decrementing it at
that point will mean that it can go "negative" and wrap. Check for a
bytes_remaining value of 0, and don't try to decode the string area if
that's the case.

Reported-and-Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago cifs: change bleft in decode_unicode_ssetup back to signed type
Jeff Layton [Wed, 27 Apr 2011 17:25:51 +0000 (13:25 -0400)]
cifs: change bleft in decode_unicode_ssetup back to signed type

commit bfacf2225a955bea9c41c707fc72ba16009674a0 upstream.

The buffer length checks in this function depend on this value being a
signed data type, but 690c522fa converted it to an unsigned type.

Also, eliminate a problem with the null termination check in the same
function. cifs_strndup_from_ucs handles that situation correctly
already, and the existing check could potentially lead to a buffer
overrun since it increments bleft without checking to see whether it
falls off the end of the buffer.

Reported-and-Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago Linux 2.6.38.6 v2.6.38.6
Greg Kroah-Hartman [Mon, 9 May 2011 22:16:23 +0000 (15:16 -0700)]
Linux 2.6.38.6

13 years ago VM: skip the stack guard page lookup in get_user_pages only for mlock
Linus Torvalds [Thu, 5 May 2011 04:30:28 +0000 (21:30 -0700)]
VM: skip the stack guard page lookup in get_user_pages only for mlock

commit a1fde08c74e90accd62d4cfdbf580d2ede938fe7 upstream.

The logic in __get_user_pages() used to skip the stack guard page lookup
whenever the caller wasn't interested in seeing what the actual page
was.  But Michel Lespinasse points out that there are cases where we
don't care about the physical page itself (so 'pages' may be NULL), but
do want to make sure a page is mapped into the virtual address space.

So using the existence of the "pages" array as an indication of whether
to look up the guard page or not isn't actually so great, and we really
should just use the FOLL_MLOCK bit.  But because that bit was only set
for the VM_LOCKED case (and not all vma's necessarily have it, even for
mlock()), we couldn't do that originally.

Fix that by moving the VM_LOCKED check deeper into the call-chain, which
actually simplifies many things.  Now mlock() gets simpler, and we can
also check for FOLL_MLOCK in __get_user_pages() and the code ends up
much more straightforward.

Reported-and-reviewed-by: Michel Lespinasse <walken@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago fix oops in scsi_run_queue()
James Bottomley [Sun, 1 May 2011 14:42:07 +0000 (09:42 -0500)]
fix oops in scsi_run_queue()

commit c055f5b2614b4f758ae6cc86733f31fa4c2c5844 upstream.

The recent commit closing the race window in device teardown:

commit 86cbfb5607d4b81b1a993ff689bbd2addd5d3a9b
Author: James Bottomley <James.Bottomley@suse.de>
Date:   Fri Apr 22 10:39:59 2011 -0500

    [SCSI] put stricter guards on queue dead checks

is causing a potential NULL deref in scsi_run_queue() because the
q->queuedata may already be NULL by the time this function is called.
Since we shouldn't be running a queue that is being torn down, simply
add a NULL check in scsi_run_queue() to forestall this.

Tested-by: Jim Schutt <jaschut@sandia.gov>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago can: add missing socket check in can/raw release
Oliver Hartkopp [Wed, 20 Apr 2011 01:57:15 +0000 (01:57 +0000)]
can: add missing socket check in can/raw release

commit 10022a6c66e199d8f61d9044543f38785713cbbd upstream.

v2: added space after 'if' according to code style.

We can get here with a NULL socket argument passed from userspace,
so we need to handle it accordingly.

Thanks to Dave Jones for pointing at this issue in net/can/bcm.c

Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago drm/radeon/kms: add some new pci ids
Alex Deucher [Tue, 3 May 2011 19:15:55 +0000 (15:15 -0400)]
drm/radeon/kms: add some new pci ids

commit e2c85d8e3974c9041ad7b080846b28d2243e771b upstream.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago KVM: SVM: check for progress after IRET interception
Avi Kivity [Thu, 3 Feb 2011 13:29:52 +0000 (15:29 +0200)]
KVM: SVM: check for progress after IRET interception

commit bd3d1ec3d26b61120bb4f60b18ee99aa81839e6b upstream.

When we enable an NMI window, we ask for an IRET intercept, since
the IRET re-enables NMIs.  However, the IRET intercept happens before
the instruction executes, while the NMI window architecturally opens
afterwards.

To compensate for this mismatch, we only open the NMI window in the
following exit, assuming that the IRET has by then executed; however,
this assumption is not always correct; we may exit due to a host interrupt
or page fault, without having executed the instruction.

Fix by checking for forward progress by recording and comparing the IRET's
rip.  This is somewhat of a hack, since an unchanging rip does not mean that
no forward progress has been made, but is the simplest fix for now.

Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago cx88: Fix HVR4000 IR keymap
Lawrence Rust [Thu, 5 May 2011 02:25:10 +0000 (23:25 -0300)]
cx88: Fix HVR4000 IR keymap

[fixed in .39 in a much different way that is too big to backport to
.38 - gregkh]

Fixes the RC key input for Nova-S plus, HVR1100, HVR3000 and HVR4000 in
the 2.6.38 kernel.

Signed-off-by: Lawrence Rust <lvr@softsystem.dot.uk>
Acked-by: Jarod Wilson <jarod@wilsonet.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
13 years ago fs/partitions/ldm.c: fix oops caused by corrupted partition table
Timo Warns [Thu, 14 Apr 2011 22:21:56 +0000 (15:21 -0700)]
fs/partitions/ldm.c: fix oops caused by corrupted partition table

commit c340b1d640001c8c9ecff74f68fd90422ae2448a upstream.

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
a bug that causes a kernel oops on certain corrupted LDM partitions.
A kernel subsystem seems to crash, because, after the oops, the kernel no
longer recognizes newly connected storage devices.

The patch validates the value of vblk_size.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Timo Warns <warns@pre-sense.de>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Cc: Harvey Harrison <harvey.harrison@gmail.com>
Cc: Richard Russon <rich@flatcap.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago can: Add missing socket check in can/bcm release.
Dave Jones [Wed, 20 Apr 2011 03:36:59 +0000 (20:36 -0700)]
can: Add missing socket check in can/bcm release.

commit c6914a6f261aca0c9f715f883a353ae7ff51fe83 upstream.

We can get here with a NULL socket argument passed from userspace,
so we need to handle it accordingly.

Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago Open with O_CREAT flag set fails to open existing files on non writable directories
Sachin Prabhu [Wed, 20 Apr 2011 12:09:35 +0000 (13:09 +0100)]
Open with O_CREAT flag set fails to open existing files on non writable directories

commit 1574dff8996ab1ed92c09012f8038b5566fce313 upstream.

An open on a NFS4 share using the O_CREAT flag on an existing file for
which we have permissions to open but contained in a directory with no
write permissions will fail with EACCES.

A tcpdump shows that the client had set the open mode to UNCHECKED which
indicates that the file should be created if it doesn't exist and
encountering an existing flag is not an error. Since in this case the
file exists and can be opened by the user, the NFS server is wrong in
attempting to check create permissions on the parent directory.

The patch adds a conditional statement to check for create permissions
only if the file doesn't exist.

Signed-off-by: Sachin S. Prabhu <sprabhu@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago XZ decompressor: Fix decoding of empty LZMA2 streams
Lasse Collin [Sun, 1 May 2011 16:38:42 +0000 (19:38 +0300)]
XZ decompressor: Fix decoding of empty LZMA2 streams

commit 646032e3b05b32d3f20cb108a030593d9d792eb5 upstream.

The old code considered valid empty LZMA2 streams to be corrupt.
Note that a typical empty .xz file has no LZMA2 data at all,
and thus most .xz files having no uncompressed data are handled
correctly even without this fix.

Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago ARM: 6891/1: prevent heap corruption in OABI semtimedop
Dan Rosenberg [Fri, 29 Apr 2011 14:48:07 +0000 (15:48 +0100)]
ARM: 6891/1: prevent heap corruption in OABI semtimedop

commit 0f22072ab50cac7983f9660d33974b45184da4f9 upstream.

When CONFIG_OABI_COMPAT is set, the wrapper for semtimedop does not
bound the nsops argument.  A sufficiently large value will cause an
integer overflow in allocation size, followed by copying too much data
into the allocated buffer.  Fix this by restricting nsops to SEMOPM.
Untested.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
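
The allocation-size wrap and the SEMOPM bound described in the semtimedop commit above, as an added user-space example (not the kernel wrapper and not the patch). The struct layouts, the limit of 32 used for EX_SEMOPM, the function names and the sample values are assumptions of this example, and 32-bit size arithmetic is modelled with uint32_t.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define EX_SEMOPM 32u   /* assumed limit for this example, standing in for SEMOPM */

/* Layouts assumed for illustration: a padded compat entry and a packed native one. */
struct compat_sembuf { uint16_t sem_num; int16_t sem_op; int16_t sem_flg; uint16_t pad; };
struct native_sembuf { uint16_t sem_num; int16_t sem_op; int16_t sem_flg; };

_Static_assert(sizeof(struct native_sembuf) == 6, "example assumes 6-byte entries");

/* Constructed count: 6 * 0x2AAAAAAB = 2^32 + 2, which does not fit in 32 bits. */
#define EX_WRAPPING_NSOPS 0x2AAAAAABu

/* Allocation size as 32-bit arithmetic computes it when nsops is not bounded. */
static uint32_t unbounded_alloc_size(uint32_t nsops)
{
    return (uint32_t)sizeof(struct native_sembuf) * nsops;   /* may wrap */
}

/* Bytes the per-element copy loop would go on to write for the same nsops. */
static uint64_t copy_loop_bytes(uint32_t nsops)
{
    return (uint64_t)sizeof(struct native_sembuf) * nsops;
}

/* Hardened conversion: reject nsops outside 1..EX_SEMOPM before sizing the buffer. */
static int convert_sembufs(const struct compat_sembuf *in, uint32_t nsops,
                           struct native_sembuf **out)
{
    struct native_sembuf *sops;
    uint32_t i;

    if (nsops < 1 || nsops > EX_SEMOPM)
        return -EINVAL;
    sops = malloc(sizeof(*sops) * nsops);   /* at most 6 * 32 bytes, cannot wrap */
    if (!sops)
        return -ENOMEM;
    for (i = 0; i < nsops; i++) {
        sops[i].sem_num = in[i].sem_num;
        sops[i].sem_op  = in[i].sem_op;
        sops[i].sem_flg = in[i].sem_flg;
    }
    *out = sops;
    return 0;
}

/* Converts two constructed entries and checks that the fields survive. */
static int demo_convert_ok(void)
{
    static const struct compat_sembuf in[2] = { { 0, -1, 0, 0 }, { 3, 1, 0x1000, 0 } };
    struct native_sembuf *out = NULL;
    int ok;

    if (convert_sembufs(in, 2, &out) != 0)
        return 0;
    ok = out[0].sem_op == -1 && out[1].sem_num == 3 && out[1].sem_flg == 0x1000;
    free(out);
    return ok;
}

/* Return code of the hardened path for a given count (input is never touched). */
static int bounded_rc(uint32_t nsops)
{
    struct native_sembuf *out = NULL;
    int rc = convert_sembufs(NULL, nsops, &out);

    free(out);
    return rc;
}

int main(void)
{
    printf("unbounded: nsops=%u allocates %u bytes, loop writes %llu bytes\n",
           (unsigned)EX_WRAPPING_NSOPS,
           (unsigned)unbounded_alloc_size(EX_WRAPPING_NSOPS),
           (unsigned long long)copy_loop_bytes(EX_WRAPPING_NSOPS));
    printf("bounded:   nsops=%u -> rc %d\n",
           (unsigned)EX_WRAPPING_NSOPS, bounded_rc(EX_WRAPPING_NSOPS));
    printf("bounded:   two valid entries converted: %d\n", demo_convert_ok());
    return 0;
}
```
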
13 years ago af_unix: Only allow recv on connected seqpacket sockets.
Eric W. Biederman [Sun, 24 Apr 2011 01:54:57 +0000 (01:54 +0000)]
af_unix: Only allow recv on connected seqpacket sockets.

commit a05d2ad1c1f391c7f514a1d1e09b5417968a7d07 upstream.

This fixes the following oops discovered by Dan Aloni:
> Anyway, the following is the output of the Oops that I got on the
> Ubuntu kernel on which I first detected the problem
> (2.6.37-12-generic). The Oops that followed will be more useful, I
> guess.

> [ 5594.669852] BUG: unable to handle kernel NULL pointer dereference
> at           (null)
> [ 5594.681606] IP: [<ffffffff81550b7b>] unix_dgram_recvmsg+0x1fb/0x420
> [ 5594.687576] PGD 2a05d067 PUD 2b951067 PMD 0
> [ 5594.693720] Oops: 0002 [#1] SMP
> [ 5594.699888] last sysfs file:

The bug was that unix domain sockets use a pseudo packet for
connecting and accept uses that pseudo packet to get the socket.
In the buggy seqpacket case we were allowing unconnected
sockets to call recvmsg and try to receive the pseudo packet.

That is always wrong and as of commit 7361c36c5 the pseudo
packet had become enough different from a normal packet
that the kernel started oopsing.

Do for seqpacket_recv what was done for seqpacket_send in 2.5
and only allow it on connected seqpacket sockets.

Tested-by: Dan Aloni <dan@aloni.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago mac80211: fix SMPS debugfs locking
Johannes Berg [Tue, 19 Apr 2011 18:44:04 +0000 (20:44 +0200)]
mac80211: fix SMPS debugfs locking

commit 243e6df4ed919880d079d717641ad699c6530a03 upstream.

The locking with SMPS requests means that the
debugfs file should lock the mgd mutex, not the
iflist mutex. Calls to __ieee80211_request_smps()
need to hold that mutex, so add an assertion.

This has always been wrong, but for some reason
never been noticed, probably because the locking
error only happens while unassociated.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago ath9k: fix the return value of ath_stoprecv
Felix Fietkau [Thu, 14 Apr 2011 22:41:43 +0000 (00:41 +0200)]
ath9k: fix the return value of ath_stoprecv

commit 2232d31bf18ba02f5cd632bbfc3466aeca394c75 upstream.

The patch 'ath9k_hw: fix stopping rx DMA during resets' added code to detect
a condition where rx DMA was stopped, but the MAC failed to enter the idle
state. This condition requires a hardware reset, however the return value
of ath_stoprecv was 'true' in that case, which allowed it to skip the reset
when issuing a fast channel change.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Reported-by: Paul Stewart <pstew@google.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago x86, AMD: Fix APIC timer erratum 400 affecting K8 Rev.A-E processors
Boris Ostrovsky [Fri, 29 Apr 2011 21:47:43 +0000 (17:47 -0400)]
x86, AMD: Fix APIC timer erratum 400 affecting K8 Rev.A-E processors

commit e20a2d205c05cef6b5783df339a7d54adeb50962 upstream.

Older AMD K8 processors (Revisions A-E) are affected by erratum
400 (APIC timer interrupts don't occur in C states greater than
C1). This, for example, means that X86_FEATURE_ARAT flag should
not be set for these parts.

This addresses regression introduced by commit
b87cf80af3ba4b4c008b4face3c68d604e1715c6 ("x86, AMD: Set ARAT
feature on AMD processors") where the system may become
unresponsive until external interrupt (such as keyboard input)
occurs. This results, for example, in time not being reported
correctly, lack of progress on the system and other lockups.

Reported-by: Joerg-Volker Peetz <jvpeetz@web.de>
Tested-by: Joerg-Volker Peetz <jvpeetz@web.de>
Acked-by: Borislav Petkov <borislav.petkov@amd.com>
Signed-off-by: Boris Ostrovsky <Boris.Ostrovsky@amd.com>
Link: http://lkml.kernel.org/r/1304113663-6586-1-git-send-email-ostr@amd64.org
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago flex_arrays: allow zero length flex arrays
Eric Paris [Thu, 28 Apr 2011 19:55:52 +0000 (15:55 -0400)]
flex_arrays: allow zero length flex arrays

commit bf69d41d198138e3c601e9a6645f4f1369aff7e0 upstream.

Just like kmalloc will allow one to allocate a 0 length segment of memory
flex arrays should do the same thing.  It should bomb if you try to use
something, but it should at least allow the allocation.

This is needed because when SELinux switched to using flex_arrays in 2.6.38
the inability to allocate a 0 length array resulted in SELinux policy load
returning -ENOSPC when previously it worked.

Based-on-patch-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Tested-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago flex_array: flex_array_prealloc takes a number of elements, not an end
Eric Paris [Thu, 28 Apr 2011 19:55:52 +0000 (15:55 -0400)]
flex_array: flex_array_prealloc takes a number of elements, not an end

commit 5d30b10bd68df007e7ae21e77d1e0ce184b53040 upstream.

Change flex_array_prealloc to take the number of elements for which space
should be allocated instead of the last (inclusive) element. Users
and documentation are updated accordingly.  flex_arrays got introduced before
they had users.  When folks started using it, they ended up needing a
different API than was coded up originally.  This swaps over to the API that
folks apparently need.

Based-on-patch-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Tested-by: Chris Richards <gizmo@giz-works.com>
Acked-by: Dave Hansen <dave@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago imon: add conditional locking in change_protocol
Jarod Wilson [Wed, 27 Apr 2011 22:01:44 +0000 (19:01 -0300)]
imon: add conditional locking in change_protocol

commit 23ef710e1a6c4d6b9ef1c2fa19410f7f1479401e upstream.

The imon_ir_change_protocol function gets called two different ways, one
way is from rc_register_device, for initial protocol selection/setup,
and the other is via a userspace-initiated protocol change request,
either by direct sysfs prodding or by something like ir-keytable.

In the rc_register_device case, the imon context lock is already held,
but when initiated from userspace, it is not, so we must acquire it,
prior to calling send_packet, which requires that the lock is held.

Without this change, there's an easily reproducible deadlock when
another function calls send_packet (such as either of the display write
fops) after a userspace-initiated change_protocol.

With a lock-debugging-enabled kernel, I was getting this:

[   15.014153] =====================================
[   15.015048] [ BUG: bad unlock balance detected! ]
[   15.015048] -------------------------------------
[   15.015048] ir-keytable/773 is trying to release lock (&ictx->lock) at:
[   15.015048] [<ffffffff814c6297>] mutex_unlock+0xe/0x10
[   15.015048] but there are no more locks to release!
[   15.015048]
[   15.015048] other info that might help us debug this:
[   15.015048] 2 locks held by ir-keytable/773:
[   15.015048]  #0:  (&buffer->mutex){+.+.+.}, at: [<ffffffff8119d400>] sysfs_write_file+0x3c/0x144
[   15.015048]  #1:  (s_active#87){.+.+.+}, at: [<ffffffff8119d4ab>] sysfs_write_file+0xe7/0x144
[   15.015048]
[   15.015048] stack backtrace:
[   15.015048] Pid: 773, comm: ir-keytable Not tainted 2.6.38.4-20.fc15.x86_64.debug #1
[   15.015048] Call Trace:
[   15.015048]  [<ffffffff81089715>] ? print_unlock_inbalance_bug+0xca/0xd5
[   15.015048]  [<ffffffff8108b35c>] ? lock_release_non_nested+0xc1/0x263
[   15.015048]  [<ffffffff814c6297>] ? mutex_unlock+0xe/0x10
[   15.015048]  [<ffffffff814c6297>] ? mutex_unlock+0xe/0x10
[   15.015048]  [<ffffffff8108b67b>] ? lock_release+0x17d/0x1a4
[   15.015048]  [<ffffffff814c6229>] ? __mutex_unlock_slowpath+0xc5/0x125
[   15.015048]  [<ffffffff814c6297>] ? mutex_unlock+0xe/0x10
[   15.015048]  [<ffffffffa02964b6>] ? send_packet+0x1c9/0x264 [imon]
[   15.015048]  [<ffffffff8108b376>] ? lock_release_non_nested+0xdb/0x263
[   15.015048]  [<ffffffffa0296731>] ? imon_ir_change_protocol+0x126/0x15e [imon]
[   15.015048]  [<ffffffffa024a334>] ? store_protocols+0x1c3/0x286 [rc_core]
[   15.015048]  [<ffffffff81326e4e>] ? dev_attr_store+0x20/0x22
[   15.015048]  [<ffffffff8119d4cc>] ? sysfs_write_file+0x108/0x144
...

The original report that led to the investigation was the following:

[ 1679.457305] INFO: task LCDd:8460 blocked for more than 120 seconds.
[ 1679.457307] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 1679.457309] LCDd            D ffff88010fcd89c8     0  8460      1 0x00000000
[ 1679.457312]  ffff8800d5a03b48 0000000000000082 0000000000000000 ffff8800d5a03fd8
[ 1679.457314]  00000000012dcd30 fffffffffffffffd ffff8800d5a03fd8 ffff88010fcd86f0
[ 1679.457316]  ffff8800d5a03fd8 ffff8800d5a03fd8 ffff88010fcd89d0 ffff8800d5a03fd8
[ 1679.457319] Call Trace:
[ 1679.457324]  [<ffffffff810ff1a5>] ? zone_statistics+0x75/0x90
[ 1679.457327]  [<ffffffff810ea907>] ? get_page_from_freelist+0x3c7/0x820
[ 1679.457330]  [<ffffffff813b0a49>] __mutex_lock_slowpath+0x139/0x320
[ 1679.457335]  [<ffffffff813b0c41>] mutex_lock+0x11/0x30
[ 1679.457338]  [<ffffffffa0d54216>] display_open+0x66/0x130 [imon]
[ 1679.457345]  [<ffffffffa01d06c0>] usb_open+0x180/0x310 [usbcore]
[ 1679.457349]  [<ffffffff81143b3b>] chrdev_open+0x1bb/0x2d0
[ 1679.457350]  [<ffffffff8113d93d>] __dentry_open+0x10d/0x370
[ 1679.457352]  [<ffffffff81143980>] ? chrdev_open+0x0/0x2d0
...

Bump the driver version here so it's easier to tell if people have this
locking fix or not, and also make locking during probe easier to follow.

Reported-by: Benjamin Hodgetts <ben@xnode.org>
Signed-off-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago v4l: make sure drivers supply a zeroed struct v4l2_subdev
Herton Ronaldo Krzesinski [Fri, 1 Apr 2011 17:12:02 +0000 (14:12 -0300)]
v4l: make sure drivers supply a zeroed struct v4l2_subdev

commit 80845a33165278f3236812009e9c568ba8c29938 upstream.

Some v4l drivers currently don't initialize their struct v4l2_subdev
with zeros, and this is a problem since some of the v4l2 code expects
this. One example is the addition of internal_ops in commit 45f6f84,
after that we are at risk of random oopses with these drivers when code
in v4l2_device_register_subdev tries to dereference sd->internal_ops->*,
as can be shown by the report at http://bugs.launchpad.net/bugs/745213
and analysis of its crash at https://lkml.org/lkml/2011/4/1/168

Use kzalloc within problematic drivers to ensure we have a zeroed struct
v4l2_subdev.

BugLink: http://bugs.launchpad.net/bugs/745213
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago usbnet: add support for some Huawei modems with cdc-ether ports
Dan Williams [Wed, 27 Apr 2011 09:54:28 +0000 (09:54 +0000)]
usbnet: add support for some Huawei modems with cdc-ether ports

commit b3c914aa84f4e4bbb3efc8f41c359d96e5e932d2 upstream.

Some newer Huawei devices (T-Mobile Rocket, others) have cdc-ether
compatible ports, so recognize and expose them.

Signed-off-by: Dan Williams <dcbw@redhat.com>
Acked-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago firewire: Fix for broken configrom updates in quick succession
B.J. Buchalter [Mon, 2 May 2011 17:33:42 +0000 (13:33 -0400)]
firewire: Fix for broken configrom updates in quick succession

commit 2e053a27d9d5ad5e0831e002cbf8043836fb2060 upstream.

Current implementation of ohci_set_config_rom() uses a deferred
bus reset via fw_schedule_bus_reset(). If clients add multiple
unit descriptors to the config_rom in quick succession, the
deferred bus reset may not have fired before succeeding update
requests have come in. This can lead to an incorrect partial
update of the config_rom for both addition and removal of
config_rom descriptors, as the ohci_set_config_rom() routine
will return -EBUSY if a previous pending update has not been
completed yet; the requested update just gets dropped on the floor.

This patch recognizes that the "in-flight" update can be modified
until it has been processed by the bus-reset, and the locking
in the bus_reset_tasklet ensures that the update is done atomically
with respect to modifications made by ohci_set_config_rom(). The
-EBUSY error case is simply removed.

[Stefan R:  The bug always existed at least theoretically.  But it
became easy to trigger since 2.6.36 commit 02d37bed188c "firewire: core:
integrate software-forced bus resets with bus management" which
introduced long mandatory delays between janitorial bus resets.]

Signed-off-by: Benjamin Buchalter <bj@mhlabs.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago USB: fix regression in usbip by setting has_tt flag
Alan Stern [Mon, 2 May 2011 18:21:44 +0000 (14:21 -0400)]
USB: fix regression in usbip by setting has_tt flag

commit cee6a262550f53a13acfefbc1e3e5ff35c96182c upstream.

This patch (as1460) fixes a regression in the usbip driver caused by
the new check for Transaction Translators in USB-2 hubs.  The root hub
registered by vhci_hcd needs to have the has_tt flag set, because it
can connect to low- and full-speed devices as well as high-speed
devices.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago drm/radeon: fix regression on atom cards with hardcoded EDID record.
Dave Airlie [Sun, 1 May 2011 10:16:30 +0000 (20:16 +1000)]
drm/radeon: fix regression on atom cards with hardcoded EDID record.

commit eaa4f5e1d0b816291a59a47917e569c0384f2b6f upstream.

Since fafcf94e2b5732d1e13b440291c53115d2b172e9 introduced an edid size, it seems to have broken this path.

This manifests as an oops on T500 Lenovo laptops with dual graphics primarily.

Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=33812
Reviewed-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago mmc: sdhci: Check mrq != NULL in sdhci_tasklet_finish
Chris Ball [Wed, 27 Apr 2011 21:35:31 +0000 (17:35 -0400)]
mmc: sdhci: Check mrq != NULL in sdhci_tasklet_finish

commit 0c9c99a765321104cc5f9c97f949382a9ba4927e upstream.

It seems that under certain circumstances the sdhci_tasklet_finish()
call can be entered with mrq set to NULL, causing the system to crash
with a NULL pointer de-reference.

Seen on S3C6410 system.  Based on a patch by Dimitris Papastamos.

Reported-by: Dimitris Papastamos <dp@opensource.wolfsonmicro.com>
Signed-off-by: Chris Ball <cjb@laptop.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago mmc: sdhci: Check mrq->cmd in sdhci_tasklet_finish
Ben Dooks [Wed, 27 Apr 2011 13:24:19 +0000 (14:24 +0100)]
mmc: sdhci: Check mrq->cmd in sdhci_tasklet_finish

commit b7b4d3426d2b5ecab21578eb20d8e456a1aace8f upstream.

It seems that under certain circumstances the sdhci_tasklet_finish()
call can be entered with mrq->cmd set to NULL, causing the system to crash
with a NULL pointer de-reference.

Unable to handle kernel NULL pointer dereference at virtual address 00000000
PC is at sdhci_tasklet_finish+0x34/0xe8
LR is at sdhci_tasklet_finish+0x24/0xe8

Seen on S3C6410 system.

Signed-off-by: Ben Dooks <ben-linux@fluff.org>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Chris Ball <cjb@laptop.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago mmc: sdhci-pci: Fix error case in sdhci_pci_probe_slot()
Chris Ball [Tue, 29 Mar 2011 04:46:12 +0000 (00:46 -0400)]
mmc: sdhci-pci: Fix error case in sdhci_pci_probe_slot()

commit 9fdcdbb0d84922e7ccda2f717a04ea62629f7e18 upstream.

If pci_ioremap_bar() fails during probe, we "goto release;" and free the
host, but then we return 0 -- which tells sdhci_pci_probe() that the probe
succeeded.  Since we think the probe succeeded, when we unload sdhci we'll
go to sdhci_pci_remove_slot() and it will try to dereference slot->host,
which is now NULL because we freed it in the error path earlier.

The patch simply sets ret appropriately, so that sdhci_pci_probe() will
detect the failure immediately and bail out.

Signed-off-by: Chris Ball <cjb@laptop.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago mmc: fix a race between card-detect rescan and clock-gate work instances
Guennadi Liakhovetski [Fri, 15 Apr 2011 18:08:19 +0000 (20:08 +0200)]
mmc: fix a race between card-detect rescan and clock-gate work instances

commit 26fc8775b51484d8c0a671198639c6d5ae60533e upstream.

Currently there is a race in the MMC core between a card-detect
rescan work and the clock-gating work, scheduled from a command
completion. Fix it by removing the dedicated clock-gating mutex
and using the MMC standard locking mechanism instead.

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Cc: Simon Horman <horms@verge.net.au>
Cc: Magnus Damm <damm@opensource.se>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Chris Ball <cjb@laptop.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago UBIFS: seek journal heads to the latest bud in replay
Artem Bityutskiy [Mon, 25 Apr 2011 15:46:31 +0000 (18:46 +0300)]
UBIFS: seek journal heads to the latest bud in replay

commit 52c6e6f990669deac3f370f1603815adb55a1dbd upstream.

This is the second fix of the following symptom:

UBIFS error (pid 34456): could not find an empty LEB

which sometimes happens after power cuts when we mount the file-system - UBIFS
refuses it with the above error message which comes from the
'ubifs_rcvry_gc_commit()' function. I can reproduce this using the integck test
with the UBIFS power cut emulation enabled.

Analysis of the problem.

Currently UBIFS replay seeks the journal heads to the last _replayed_ bud.
But the buds are replayed out-of-order, so the replay basically seeks journal
heads to the "random" bud belonging to this head, and not to the _last_ one.

The result of this is that the GC head may be seeked to a full LEB with no free
space, or very little free space. And 'ubifs_rcvry_gc_commit()' tries to find a
fully or mostly dirty LEB to match the current GC head (because we need to
garbage-collect that dirty LEB at one go, because we do not have @c->gc_lnum).
So 'ubifs_find_dirty_leb()' fails and we fall back to finding an empty LEB and
also fail. As a result - recovery fails and mounting fails.

This patch teaches the replay to initialize the GC heads exactly to the latest
buds, i.e. the buds which have the largest sequence number in corresponding
log reference nodes.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago UBIFS: do not free write-buffers when in R/O mode
Artem Bityutskiy [Mon, 25 Apr 2011 15:17:09 +0000 (18:17 +0300)]
UBIFS: do not free write-buffers when in R/O mode

commit b50b9f408502a2ea90459ae36ba8cdc9cc005cfe upstream.

Currently UBIFS has a small optimization - it frees write-buffers when it is
re-mounted from R/W mode to R/O mode. Of course, when it is mounted R/O, it
does not allocate write-buffers as well.

This optimization is nice but it leads to subtle problems and complications
in recovery, which I can reproduce using the integck test. The symptoms are
that after a power cut the file-system cannot be mounted if we first mount
it R/O, and then re-mount R/W - 'ubifs_rcvry_gc_commit()' prints:

UBIFS error (pid 34456): could not find an empty LEB

Analysis of the problem.

When mounting R/W, the replay process sets journal heads to buds [1], but
when mounting R/O - it does not do this, because the write-buffers are not
allocated. So 'ubifs_rcvry_gc_commit()' works completely differently for the
same file-system but for the following 2 cases:

1. mounting R/W after a power cut and recover
2. mounting R/O after a power cut, re-mounting R/W and run deferred recovery

In the former case, we have journal heads seeked to a bud, in the latter
case, they are non-seeked (wbuf->lnum == -1). So in the latter case we do not
try to recover the GC LEB by garbage-collecting to the GC head, but we just
try to find an empty LEB, and there may be no empty LEBs, so we just fail.
On the other hand, in the former case (mount R/W), we are able to make a GC LEB
(@c->gc_lnum) by garbage-collecting.

Thus, let's remove this small nice optimization and always allocate
write-buffers. This should not make too big difference - we have only 3
of them, each of max. write unit size, which is usually 2KiB. So this is
about 6KiB of RAM for the typical case, and only when mounted R/O.

[1]: Note, currently the replay process is setting (seeking) the journal heads
to _some_ buds, not necessarily to the buds which had been the journal heads
before the power cut happened. This will be fixed separately.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago atl1c: Fix work event interrupt/task races
Tim Gardner [Wed, 20 Apr 2011 09:00:49 +0000 (09:00 +0000)]
atl1c: Fix work event interrupt/task races

commit cb771838715b1c470bc5735bdae709b33b18e0ad upstream.

The mechanism used to initiate work events from the interrupt
handler has a classic read/modify/write race between the interrupt
handler that sets the condition, and the worker task that reads and
clears the condition. Close these races by using atomic
bit fields.

Cc: Jie Yang <jie.yang@atheros.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago iwlagn: fix "Received BA when not expected"
Stanislaw Gruszka [Fri, 29 Apr 2011 15:51:06 +0000 (17:51 +0200)]
iwlagn: fix "Received BA when not expected"

commit bfd36103ec26599557c2bd3225a1f1c9267f8fcb upstream.

Need to use broadcast sta_id for management frames, otherwise we break the
BA session in the firmware and get messages like this:

"Received BA when not expected"

or (on older kernels):

"BA scd_flow 0 does not match txq_id 10"

This fixes a regression introduced in 2.6.35 during station management
code rewrite by:

commit 2a87c26bbe9587baeb9e56d3ce0b4971bd777643
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri Apr 30 11:30:45 2010 -0700

    iwlwifi: use iwl_find_station less

Patch partially resolves:
https://bugzilla.kernel.org/show_bug.cgi?id=16691
However, there are still 11n performance problems on 4965 and 5xxx
devices that need to be investigated.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Acked-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago iwlwifi: fix skb usage after free
Stanislaw Gruszka [Wed, 20 Apr 2011 13:57:14 +0000 (15:57 +0200)]
iwlwifi: fix skb usage after free

commit b25026981aecde3685dd0e45ad980fff9f528daa upstream.

Since

commit a120e912eb51e347f36c71b60a1d13af74d30e83
Author: Stanislaw Gruszka <sgruszka@redhat.com>
Date:   Fri Feb 19 15:47:33 2010 -0800

    iwlwifi: sanity check before counting number of tfds can be free

we use skb->data after calling ieee80211_tx_status_irqsafe(), which
could free skb instantly.

On current kernels I do not observe practical problems related to this
bug, but on 2.6.35.y it causes random system hangs when stressing the
wireless link.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago workqueue: fix deadlock in worker_maybe_bind_and_lock()
Tejun Heo [Fri, 29 Apr 2011 16:08:37 +0000 (18:08 +0200)]
workqueue: fix deadlock in worker_maybe_bind_and_lock()

commit 5035b20fa5cd146b66f5f89619c20a4177fb736d upstream.

If a rescuer and stop_machine() bringing down a CPU race with each
other, they may deadlock on a non-preemptive kernel.  The CPU won't
accept a new task, so the rescuer can't migrate to the target CPU,
while stop_machine() can't proceed because the rescuer is holding one
of the CPUs retrying migration.  GCWQ_DISASSOCIATED is never cleared
and worker_maybe_bind_and_lock() retries indefinitely.

This problem can be reproduced semi reliably while the system is
entering suspend.

 http://thread.gmane.org/gmane.linux.kernel/1122051

A lot of kudos to Thilo-Alexander for reporting this tricky issue and
painstaking testing.

stable: This affects all kernels with cmwq, so all kernels since and
        including v2.6.36 need this fix.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Thilo-Alexander Ginkel <thilo@ginkel.com>
Tested-by: Thilo-Alexander Ginkel <thilo@ginkel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago i2c-parport: Fix adapter list handling
Jean Delvare [Sun, 1 May 2011 16:18:49 +0000 (18:18 +0200)]
i2c-parport: Fix adapter list handling

commit 56acc7a39ac4ac7638cdc32cd3d0832ebbc834e4 upstream.

Use a standard list with proper locking to handle the list of
adapters. Thankfully it only matters on systems with more than one
parallel port, which are very rare.

Thanks to Lukasz Kapiec for reporting the problem to me.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago ALSA: hda - Fix Realtek's chained fixup checks
Takashi Iwai [Mon, 2 May 2011 11:55:36 +0000 (13:55 +0200)]
ALSA: hda - Fix Realtek's chained fixup checks

commit 24af2b1cc418d6791b1d9e56bf6070cccb752db3 upstream.

The check of chained fixup list entry was done against the wrong element.
A stupid mistake during refactoring.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago Revert "ALSA: hda - Fix pin-config of Gigabyte mobo"
Takashi Iwai [Mon, 2 May 2011 08:37:29 +0000 (10:37 +0200)]
Revert "ALSA: hda - Fix pin-config of Gigabyte mobo"

commit ebb47241ea0eac6a5a23404821a2d62f64c68496 upstream.

This reverts commit c6b358748e19ce7e230b0926ac42696bc485a562.

It turned out that there are different pin configurations for this
PCI SSID, including multi-channel modes.  And a more proper fix for
allowing line-out mutes will come up in 2.6.40 tree, so we won't need
this fixup any more there.

Reported-by: Andrew Clayton <andrew@digital-domain.net>
Reported-by: Emmanuel Benisty <benisty.e@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago ALSA: HDA: Fix automute for Gateway NV79
David Henningsson [Fri, 29 Apr 2011 12:10:55 +0000 (14:10 +0200)]
ALSA: HDA: Fix automute for Gateway NV79

commit 94024cd1aefa0f8bcc9dfe46c05bd7ce3f471a1c upstream.

The PCI SSID is 1025:031c and the codec SSID is 1025:031d,
so the driver mistakes this for a SKU value, but looking at
the numbers, this is obviously wrong.

BugLink: http://bugs.launchpad.net/bugs/761861
Signed-off-by: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago put stricter guards on queue dead checks
James Bottomley [Fri, 22 Apr 2011 15:39:59 +0000 (10:39 -0500)]
put stricter guards on queue dead checks

commit 86cbfb5607d4b81b1a993ff689bbd2addd5d3a9b upstream.

SCSI uses request_queue->queuedata == NULL as a signal that the queue
is dying.  We set this state in the sdev release function.  However,
this allows a small window where we release the last reference but
haven't quite got to this stage yet and so something will try to take
a reference in scsi_request_fn and oops.  It's very rare, but we had a
report here, so we're pushing this as a bug fix.

The actual fix is to set request_queue->queuedata to NULL in
scsi_remove_device() before we drop the reference.  This causes
correct automatic rejects from scsi_request_fn as people who hold
additional references try to submit work and prevents anything from
getting a new reference to the sdev that way.

Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago scsi_dh: fix reference counting in scsi_dh_activate error path
Mike Snitzer [Fri, 8 Apr 2011 19:05:36 +0000 (15:05 -0400)]
scsi_dh: fix reference counting in scsi_dh_activate error path

commit 0b8393578c70bc1f09790eeae7d918f38da2e010 upstream.

Commit db422318cbca55168cf965f655471dbf8be82433 ([SCSI] scsi_dh:
propagate SCSI device deletion) introduced a regression where the device
reference is not dropped prior to scsi_dh_activate's early return from
the error path.

Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Reviewed-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago mpt2sas: prevent heap overflows and unchecked reads
Dan Rosenberg [Tue, 5 Apr 2011 16:45:59 +0000 (12:45 -0400)]
mpt2sas: prevent heap overflows and unchecked reads

commit a1f74ae82d133ebb2aabb19d181944b4e83e9960 upstream.

At two points in handling device ioctls via /dev/mpt2ctl, user-supplied
length values are used to copy data from userspace into heap buffers
without bounds checking, allowing controllable heap corruption and
subsequently privilege escalation.

Additionally, user-supplied values are used to determine the size of a
copy_to_user() as well as the offset into the buffer to be read, with no
bounds checking, allowing users to read arbitrary kernel memory.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Acked-by: Eric Moore <eric.moore@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago pmcraid: reject negative request size
Dan Rosenberg [Tue, 5 Apr 2011 17:27:31 +0000 (13:27 -0400)]
pmcraid: reject negative request size

commit 5f6279da3760ce48f478f2856aacebe0c59a39f3 upstream.

There's a code path in pmcraid that can be reached via device ioctl that
causes all sorts of ugliness, including heap corruption or triggering
the OOM killer due to consecutive allocation of large numbers of pages.
Not especially relevant from a security perspective, since users must
have CAP_SYS_ADMIN to open the character device.

First, the user can call pmcraid_chr_ioctl() with a type
PMCRAID_PASSTHROUGH_IOCTL.  A pmcraid_passthrough_ioctl_buffer
is copied in, and the request_size variable is set to
buffer->ioarcb.data_transfer_length, which is an arbitrary 32-bit signed
value provided by the user.

If a negative value is provided here, bad things can happen.  For
example, pmcraid_build_passthrough_ioadls() is called with this
request_size, which immediately calls pmcraid_alloc_sglist() with a
negative size.  The resulting math on allocating a scatter list can
result in an overflow in the kzalloc() call (if num_elem is 0, the
sglist will be smaller than expected), or if num_elem is unexpectedly
large the subsequent loop will call alloc_pages() repeatedly, a high
number of pages will be allocated and the OOM killer might be invoked.

Prevent this value from being negative in pmcraid_ioctl_passthrough().

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: Anil Ravindranath <anil_ravindranath@pmc-sierra.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
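
Added example, not code from the mpt2sas or pmcraid drivers and not part of either commit: a user-space C model of the input checks the mpt2sas and pmcraid commit messages above describe, namely rejecting a negative signed request size before any size arithmetic and bounding caller-supplied copy lengths and read offsets against the buffer. ELEM_BYTES and every function name here are assumptions made for illustration.

```c
/* Added example: user-space model, not mpt2sas or pmcraid driver code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELEM_BYTES 4096 /* assumed bytes covered by one scatter-list element */

/* Signed round-up division with no validation of the caller's length.
 * A negative length yields zero or a negative element count. */
static int elems_unchecked(int32_t len)
{
    if (len % ELEM_BYTES)
        return 1 + len / ELEM_BYTES;
    return len / ELEM_BYTES;
}

/* Hardened: reject negatives before any size arithmetic is done. */
static int elems_checked(int32_t len, int *num_elem)
{
    if (len < 0)
        return -EINVAL;
    *num_elem = len / ELEM_BYTES + (len % ELEM_BYTES != 0);
    return 0;
}

/* Hardened copy-in: the caller-supplied length must fit the heap buffer. */
static int copy_in_checked(void *dst, size_t dst_size,
                           const void *src, uint32_t user_len)
{
    if (user_len > dst_size)
        return -EINVAL;
    memcpy(dst, src, user_len);
    return 0;
}

/* Hardened read-out: offset and length must both lie inside the buffer.
 * The check subtracts instead of adding so offset + length cannot wrap.
 * dst must have room for at least buf_size bytes. */
static int read_out_checked(void *dst, const void *buf, size_t buf_size,
                            uint32_t user_off, uint32_t user_len)
{
    if (user_off > buf_size || user_len > buf_size - user_off)
        return -EINVAL;
    memcpy(dst, (const unsigned char *)buf + user_off, user_len);
    return 0;
}

int main(void)
{
    /* Constructed sample buffers and inputs. */
    unsigned char heap[64] = {0}, out[64];
    unsigned char in[128] = {0};
    int n = 0;

    printf("unchecked elems for -4097: %d\n", elems_unchecked(-4097));
    printf("unchecked elems for -8192: %d\n", elems_unchecked(-8192));
    printf("checked -4097 -> %d\n", elems_checked(-4097, &n));
    printf("copy-in 128 into 64 -> %d\n",
           copy_in_checked(heap, sizeof heap, in, 128));
    printf("read off=60 len=8 of 64 -> %d\n",
           read_out_checked(out, heap, sizeof heap, 60, 8));
    return 0;
}
```
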