]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
13 years agobridge: fix a possible use after free
Eric Dumazet [Tue, 23 Aug 2011 19:57:05 +0000 (19:57 +0000)]
bridge: fix a possible use after free

[ Upstream commit 22df13319d1fec30b8f9bcaadc295829647109bb ]

br_multicast_ipv6_rcv() can call pskb_trim_rcsum() and therefore skb
head can be reallocated.

Cache icmp6_type field instead of dereferencing twice the struct
icmp6hdr pointer.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agobridge: Pseudo-header required for the checksum of ICMPv6
Yan, Zheng [Tue, 23 Aug 2011 22:54:33 +0000 (22:54 +0000)]
bridge: Pseudo-header required for the checksum of ICMPv6

[ Upstream commit 4b275d7efa1c4412f0d572fcd7f78ed0919370b3 ]

Checksum of ICMPv6 is not properly computed because the pseudo header is not used.
Thus, the MLD packet gets dropped by the bridge.

Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
Reported-by: Ang Way Chuang <wcang@sfc.wide.ad.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoxfrm: Perform a replay check after return from async codepaths
Steffen Klassert [Tue, 20 Sep 2011 23:38:58 +0000 (23:38 +0000)]
xfrm: Perform a replay check after return from async codepaths

[ Upstream commit bcf66bf54aabffc150acd1c99e0f4bc51935eada ]

When asyncronous crypto algorithms are used, there might be many
packets that passed the xfrm replay check, but the replay advance
function is not called yet for these packets. So the replay check
function would accept a replay of all of these packets. Also the
system might crash if there are more packets in async processing
than the size of the anti replay window, because the replay advance
function would try to update the replay window beyond the bounds.

This pach adds a second replay check after resuming from the async
processing to fix these issues.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agovlan: reset headers on accel emulation path
Jiri Pirko [Fri, 19 Aug 2011 04:29:27 +0000 (21:29 -0700)]
vlan: reset headers on accel emulation path

[ Upstream commit c5114cd59d2664f258b0d021d79b1532d94bdc2b ]

It's after all necessary to do reset headers here. The reason is we
cannot depend that it gets reseted in __netif_receive_skb once skb is
reinjected. For incoming vlanids without vlan_dev, vlan_do_receive()
returns false with skb != NULL and __netif_reveive_skb continues, skb is
not reinjected.

This might be good material for 3.0-stable as well

Reported-by: Mike Auty <mike.auty@gmail.com>
Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agotcp: initialize variable ecn_ok in syncookies path
Mike Waychison [Thu, 11 Aug 2011 04:59:57 +0000 (21:59 -0700)]
tcp: initialize variable ecn_ok in syncookies path

[ Upstream commit f0e3d0689da401f7d1981c2777a714ba295ea5ff ]

Using a gcc 4.4.3, warnings are emitted for a possibly uninitialized use
of ecn_ok.

This can happen if cookie_check_timestamp() returns due to not having
seen a timestamp.  Defaulting to ecn off seems like a reasonable thing
to do in this case, so initialized ecn_ok to false.

Signed-off-by: Mike Waychison <mikew@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agotcp: fix validation of D-SACK
Zheng Yan [Mon, 19 Sep 2011 02:37:34 +0000 (22:37 -0400)]
tcp: fix validation of D-SACK

[ Upstream commit f779b2d60ab95c17f1e025778ed0df3ec2f05d75 ]

D-SACK is allowed to reside below snd_una. But the corresponding check
in tcp_is_sackblock_valid() is the exact opposite. It looks like a typo.

Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoscm: Capture the full credentials of the scm sender
Tim Chen [Tue, 9 Aug 2011 06:48:32 +0000 (06:48 +0000)]
scm: Capture the full credentials of the scm sender

[ Upstream commit e33f7a9f37d486f4c6cce5de18a6eea11d68f64f ]

This patch corrects an erroneous update of credential's gid with uid
introduced in commit 257b5358b32f17 since 2.6.36.

Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Reviewed-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoRevert "sfc: Use write-combining to reduce TX latency" and follow-ups
Ben Hutchings [Thu, 1 Sep 2011 12:09:29 +0000 (12:09 +0000)]
Revert "sfc: Use write-combining to reduce TX latency" and follow-ups

[ Upstream commit 86c432ca5d6da90a26ac8d3e680f2268b502d9c5 ]

This reverts commits 65f0b417dee94f779ce9b77102b7d73c93723b39,
d88d6b05fee3cc78e5b0273eb58c31201dcc6b76,
fcfa060468a4edcf776f0c1211d826d5de1668c1,
747df2258b1b9a2e25929ef496262c339c380009 and
867955f5682f7157fdafe8670804b9f8ea077bc7.

Depending on the processor model, write-combining may result in
reordering that the NIC will not tolerate.  This typically results
in a DMA error event and reset by the driver, logged as:

sfc 0000:0e:00.0: eth2: TX DMA Q reports TX_EV_PKT_ERR.
sfc 0000:0e:00.0: eth2: resetting (ALL)

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonet_sched: prio: use qdisc_dequeue_peeked
Florian Westphal [Tue, 9 Aug 2011 02:04:43 +0000 (02:04 +0000)]
net_sched: prio: use qdisc_dequeue_peeked

[ Upstream commit 3557619f0f6f7496ed453d4825e24958ab1884e0 ]

commit 07bd8df5df4369487812bf85a237322ff3569b77
(sch_sfq: fix peek() implementation) changed sfq to use generic
peek helper.

This makes HFSC complain about a non-work-conserving child qdisc, if
prio with sfq child is used within hfsc:

hfsc peeks into prio qdisc, which will then peek into sfq.
returned skb is stashed in sch->gso_skb.

Next, hfsc tries to dequeue from prio, but prio will call sfq dequeue
directly, which may return NULL instead of previously peeked-at skb.

Have prio call qdisc_dequeue_peeked, so sfq->dequeue() is
not called in this case.

Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonetfilter: TCP and raw fix for ip_route_me_harder
Julian Anastasov [Sun, 7 Aug 2011 09:11:00 +0000 (09:11 +0000)]
netfilter: TCP and raw fix for ip_route_me_harder

[ Upstream commit 797fd3913abf2f7036003ab8d3d019cbea41affd ]

TCP in some cases uses different global (raw) socket
to send RST and ACK. The transparent flag is not set there.
Currently, it is a problem for rerouting after the previous
change.

Fix it by simplifying the checks in ip_route_me_harder
and use FLOWI_FLAG_ANYSRC even for sockets. It looks safe
because the initial routing allowed this source address to
be used and now we just have to make sure the packet is rerouted.

As a side effect this also allows rerouting for normal
raw sockets that use spoofed source addresses which was not possible
even before we eliminated the ip_route_input call.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomcast: Fix source address selection for multicast listener report
Yan, Zheng [Tue, 23 Aug 2011 22:54:37 +0000 (22:54 +0000)]
mcast: Fix source address selection for multicast listener report

[ Upstream commit e05c4ad3ed874ee4f5e2c969e55d318ec654332c ]

Should check use count of include mode filter instead of total number
of include mode filters.

Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoipv6: Fix ipv6_getsockopt for IPV6_2292PKTOPTIONS
Daniel Baluta [Fri, 19 Aug 2011 10:19:07 +0000 (03:19 -0700)]
ipv6: Fix ipv6_getsockopt for IPV6_2292PKTOPTIONS

[ Upstream commit 98e77438aed3cd3343cbb86825127b1d9d2bea33 ]

IPV6_2292PKTOPTIONS is broken for 32-bit applications running
in COMPAT mode on 64-bit kernels.

The same problem was fixed for IPv4 with the patch:
ipv4: Fix ip_getsockopt for IP_PKTOPTIONS,
commit dd23198e58cd35259dd09e8892bbdb90f1d57748

Signed-off-by: Sorin Dumitru <sdumitru@ixiacom.com>
Signed-off-by: Daniel Baluta <dbaluta@ixiacom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoipv4: some rt_iif -> rt_route_iif conversions
Julian Anastasov [Tue, 9 Aug 2011 04:01:16 +0000 (04:01 +0000)]
ipv4: some rt_iif -> rt_route_iif conversions

[ Upstream commit 97a804102021431fa6fa33c21c85df762b0f5cb9 ]

As rt_iif represents input device even for packets
coming from loopback with output route, it is not an unique
key specific to input routes. Now rt_route_iif has such role,
it was fl.iif in 2.6.38, so better to change the checks at
some places to save CPU cycles and to restore 2.6.38 semantics.

compare_keys:
- input routes: only rt_route_iif matters, rt_iif is same
- output routes: only rt_oif matters, rt_iif is not
used for matching in __ip_route_output_key
- now we are back to 2.6.38 state

ip_route_input_common:
- matching rt_route_iif implies input route
- compared to 2.6.38 we eliminated one rth->fl.oif check
because it was not needed even for 2.6.38

compare_hash_inputs:
Only the change here is not an optimization, it has
effect only for output routes. I assume I'm restoring
the original intention to ignore oif, it was using fl.iif
- now we are back to 2.6.38 state

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agofib:fix BUG_ON in fib_nl_newrule when add new fib rule
Gao feng [Sun, 11 Sep 2011 15:36:05 +0000 (15:36 +0000)]
fib:fix BUG_ON in fib_nl_newrule when add new fib rule

[ Upstream commit 561dac2d410ffac0b57a23b85ae0a623c1a076ca ]

add new fib rule can cause BUG_ON happen
the reproduce shell is
ip rule add pref 38
ip rule add pref 38
ip rule add to 192.168.3.0/24 goto 38
ip rule del pref 38
ip rule add to 192.168.3.0/24 goto 38
ip rule add pref 38

then the BUG_ON will happen
del BUG_ON and use (ctarget == NULL) identify whether this rule is unresolved

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agobridge: fix a possible net_device leak
Eric Dumazet [Mon, 22 Aug 2011 06:05:59 +0000 (06:05 +0000)]
bridge: fix a possible net_device leak

[ Upstream commit 11f3a6bdc2528d1ce2af50202dbf7138fdee1b34 ]

Jan Beulich reported a possible net_device leak in bridge code after
commit bb900b27a2f4 (bridge: allow creating bridge devices with netlink)

Reported-by: Jan Beulich <JBeulich@novell.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoarp: fix rcu lockdep splat in arp_process()
Eric Dumazet [Mon, 22 Aug 2011 19:32:42 +0000 (19:32 +0000)]
arp: fix rcu lockdep splat in arp_process()

[ Upstream commit 20e6074eb8e096b3a595c093d1cb222f378cd671 ]

Dave Jones reported a lockdep splat triggered by an arp_process() call
from parp_redo().

Commit faa9dcf793be (arp: RCU changes) is the origin of the bug, since
it assumed arp_process() was called under rcu_read_lock(), which is not
true in this particular path.

Instead of adding rcu_read_lock() in parp_redo(), I chose to add it in
neigh_proxy_process() to take care of IPv6 side too.

 ===================================================
 [ INFO: suspicious rcu_dereference_check() usage. ]
 ---------------------------------------------------
 include/linux/inetdevice.h:209 invoked rcu_dereference_check() without
protection!

 other info that might help us debug this:

 rcu_scheduler_active = 1, debug_locks = 0
 4 locks held by setfiles/2123:
  #0:  (&sb->s_type->i_mutex_key#13){+.+.+.}, at: [<ffffffff8114cbc4>]
walk_component+0x1ef/0x3e8
  #1:  (&isec->lock){+.+.+.}, at: [<ffffffff81204bca>]
inode_doinit_with_dentry+0x3f/0x41f
  #2:  (&tbl->proxy_timer){+.-...}, at: [<ffffffff8106a803>]
run_timer_softirq+0x157/0x372
  #3:  (class){+.-...}, at: [<ffffffff8141f256>] neigh_proxy_process
+0x36/0x103

 stack backtrace:
 Pid: 2123, comm: setfiles Tainted: G        W
3.1.0-0.rc2.git7.2.fc16.x86_64 #1
 Call Trace:
  <IRQ>  [<ffffffff8108ca23>] lockdep_rcu_dereference+0xa7/0xaf
  [<ffffffff8146a0b7>] __in_dev_get_rcu+0x55/0x5d
  [<ffffffff8146a751>] arp_process+0x25/0x4d7
  [<ffffffff8146ac11>] parp_redo+0xe/0x10
  [<ffffffff8141f2ba>] neigh_proxy_process+0x9a/0x103
  [<ffffffff8106a8c4>] run_timer_softirq+0x218/0x372
  [<ffffffff8106a803>] ? run_timer_softirq+0x157/0x372
  [<ffffffff8141f220>] ? neigh_stat_seq_open+0x41/0x41
  [<ffffffff8108f2f0>] ? mark_held_locks+0x6d/0x95
  [<ffffffff81062bb6>] __do_softirq+0x112/0x25a
  [<ffffffff8150d27c>] call_softirq+0x1c/0x30
  [<ffffffff81010bf5>] do_softirq+0x4b/0xa2
  [<ffffffff81062f65>] irq_exit+0x5d/0xcf
  [<ffffffff8150dc11>] smp_apic_timer_interrupt+0x7c/0x8a
  [<ffffffff8150baf3>] apic_timer_interrupt+0x73/0x80
  <EOI>  [<ffffffff8108f439>] ? trace_hardirqs_on_caller+0x121/0x158
  [<ffffffff814fc285>] ? __slab_free+0x30/0x24c
  [<ffffffff814fc283>] ? __slab_free+0x2e/0x24c
  [<ffffffff81204e74>] ? inode_doinit_with_dentry+0x2e9/0x41f
  [<ffffffff81204e74>] ? inode_doinit_with_dentry+0x2e9/0x41f
  [<ffffffff81204e74>] ? inode_doinit_with_dentry+0x2e9/0x41f
  [<ffffffff81130cb0>] kfree+0x108/0x131
  [<ffffffff81204e74>] inode_doinit_with_dentry+0x2e9/0x41f
  [<ffffffff81204fc6>] selinux_d_instantiate+0x1c/0x1e
  [<ffffffff81200f4f>] security_d_instantiate+0x21/0x23
  [<ffffffff81154625>] d_instantiate+0x5c/0x61
  [<ffffffff811563ca>] d_splice_alias+0xbc/0xd2
  [<ffffffff811b17ff>] ext4_lookup+0xba/0xeb
  [<ffffffff8114bf1e>] d_alloc_and_lookup+0x45/0x6b
  [<ffffffff8114cbea>] walk_component+0x215/0x3e8
  [<ffffffff8114cdf8>] lookup_last+0x3b/0x3d
  [<ffffffff8114daf3>] path_lookupat+0x82/0x2af
  [<ffffffff8110fc53>] ? might_fault+0xa5/0xac
  [<ffffffff8110fc0a>] ? might_fault+0x5c/0xac
  [<ffffffff8114c564>] ? getname_flags+0x31/0x1ca
  [<ffffffff8114dd48>] do_path_lookup+0x28/0x97
  [<ffffffff8114df2c>] user_path_at+0x59/0x96
  [<ffffffff811467ad>] ? cp_new_stat+0xf7/0x10d
  [<ffffffff811469a6>] vfs_fstatat+0x44/0x6e
  [<ffffffff811469ee>] vfs_lstat+0x1e/0x20
  [<ffffffff81146b3d>] sys_newlstat+0x1a/0x33
  [<ffffffff8108f439>] ? trace_hardirqs_on_caller+0x121/0x158
  [<ffffffff812535fe>] ? trace_hardirqs_on_thunk+0x3a/0x3f
  [<ffffffff8150af82>] system_call_fastpath+0x16/0x1b

Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoperf, x86: Add model 45 SandyBridge support
Youquan Song [Tue, 2 Aug 2011 06:01:35 +0000 (14:01 +0800)]
perf, x86: Add model 45 SandyBridge support

commit a34668f6beb4ab01e07683276d6a24bab6c175e0 upstream.

Add support to Romely-EP SandyBridge.

Signed-off-by: Youquan Song <youquan.song@intel.com>
Signed-off-by: Anhua Xu <anhua.xu@intel.com>
Signed-off-by: Lin Ming <ming.m.lin@intel.com>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Link: http://lkml.kernel.org/r/1312264895-2010-1-git-send-email-youquan.song@intel.com
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agompt2sas: Adding support for customer specific branding
Kashyap, Desai [Tue, 14 Jun 2011 05:27:31 +0000 (10:57 +0530)]
mpt2sas: Adding support for customer specific branding

commit ab3e5f60d1fc8fe725d02510ff820ff207a8dbef upstream.

Signed-off-by: Kashyap Desai <kashyap.desai@lsi.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agompt2sas: Added DID_NO_CONNECT return when driver remove and avoid shutdown call
Kashyap, Desai [Tue, 14 Jun 2011 05:27:08 +0000 (10:57 +0530)]
mpt2sas: Added DID_NO_CONNECT return when driver remove and avoid shutdown call

commit 7821578caa8cb831868989041112ab808029ca65 upstream.

Driver should not call shutdown call from _scsih_remove otherwise,
The scsi midlayer can be deadlocked when devices are removed from the driver
pci_driver->shutdown handler.

Signed-off-by: Kashyap Desai <kashyap.desai@lsi.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agofcoe: Unable to select the exchangeID from offload pool for storage targets
Kiran Patil [Mon, 20 Jun 2011 23:59:15 +0000 (16:59 -0700)]
fcoe: Unable to select the exchangeID from offload pool for storage targets

commit 1ff9918b625457ce20d450d00f9ed0a12ba191b7 upstream.

Problem: When initiator sends write command to target, target tries to
assign new sequence. It allocates new exchangeID (RX_ID)
always from non-offloaded pool (Non-offload EMA)

Fix: Enhanced fcoe_oem_match routine to look at F_CTL flags and if it
is exchange responder and command type is WRITEDATA, then function
returns TRUE instead of FALSE. This function is used to determine
which pool to use (offload pool of exchange is used only if this
function returns TRUE).

Technical Notes: N/A

Signed-off-by: Kiran Patil <kiran.patil@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agolibfc: Enhancement to RPORT state machine applicable only for VN2VN mode
Kiran Patil [Mon, 20 Jun 2011 23:58:59 +0000 (16:58 -0700)]
libfc: Enhancement to RPORT state machine applicable only for VN2VN mode

commit 480584818a4bb3655d8d0d875ed60b427fc61cc5 upstream.

Problem: Existing RPORT state machine continues witg FLOGI/PLOGI
process only after it receices beacon from other end. Once claiming
stage is over (either clain notify or clain repose), beacon is sent
and state machine enters into operational mode where it initiates the
rlogin process (FLOGI/PLOGI) to the peer but before this rlogin is
initiated, exitsing implementation checks if it received beacon from
other end, it beacon is not received yet, rlogin process is not
initiated. Other end initiates FLOGI but peer end keeps on rejecting
FLOGI, hence after 3 retries other end deletes associated rport, then
sends a beacon. Once the beacon is received, peer end now initiates
rlogin to the peer end but since associated rport is deleted FLOGI is
neither accepted nor the reject response send out because rport is
deleted. Hence unable to proceed withg FLOGI/PLOGI process and fails
to establish VN2VN connection.

Fix: VN2VN spec is not standard yet but based on exitsing collateral
on T11, it appears that, both end shall send beacon and enter into
'operational mode' without explictly waiting for beacon from other
end. Fix is to allow the RPORT login process as long as respective
RPORT is created (as part of claim notification / claim response) even
though state of RPORT is INIT. Means don't wait for beacon from peer
end, if peer end initiates FLOGI (means peer end exist and
responding).

Notes: This patch is preparing the FCoE stack for target wrt
offload. This is generic patch and harmless even if applied on storage
initiator because 'else if' condition of function 'fcoe_oem_found'
shall evaluate to TRUE only for targets.

Dependencies: None

Signed-off-by: Kiran Patil <kiran.patil@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocdc_ncm: fix endianness problem.
Giuseppe Scrivano [Wed, 3 Aug 2011 22:10:29 +0000 (22:10 +0000)]
cdc_ncm: fix endianness problem.

commit 36c35416a94f5632c3addad05217ff02c39b3b61 upstream.

Fix a misusage of the struct usb_cdc_notification to pass arguments to the
usb_control_msg function.  The usb_control_msg function expects host endian
arguments but usb_cdc_notification stores these values as little endian.

Now usb_control_msg is directly invoked with host endian values.

Signed-off-by: Giuseppe Scrivano <giuseppe@southpole.se>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoASIX: Add AX88772B USB ID
Marek Vasut [Wed, 20 Jul 2011 05:57:04 +0000 (05:57 +0000)]
ASIX: Add AX88772B USB ID

commit 308859097831831a979f2e82cbeef0a94f438080 upstream.

This device can be found in Acer Iconia TAB W500 tablet dock.

Signed-off-by: Marek Vasut <marek.vasut@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: PL2303: correctly handle baudrates above 115200
Michal Sroczynski [Tue, 5 Jul 2011 19:53:35 +0000 (21:53 +0200)]
USB: PL2303: correctly handle baudrates above 115200

commit 8d48fdf689fed2c73c493e5146d1463689246442 upstream.

PL2303: correctly handle baudrates above 115200

Signed-off-by: Michal Sroczynski <msroczyn@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoehci: add pci quirk for Ordissimo and RM Slate 100 too
Anisse Astier [Tue, 5 Jul 2011 14:38:46 +0000 (16:38 +0200)]
ehci: add pci quirk for Ordissimo and RM Slate 100 too

commit 0c42a4e84502533ec40544324debe2a62836ae11 upstream.

Add another variant of the Pegatron tablet used by Ordissimo, and
apparently RM Slate 100, to the list of models that should skip the
negociation for the handoff of the EHCI controller.

Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoehci: refactor pci quirk to use standard dmi_check_system method
Anisse Astier [Tue, 5 Jul 2011 14:38:45 +0000 (16:38 +0200)]
ehci: refactor pci quirk to use standard dmi_check_system method

commit 03c75362181b0b1d6a330e7cf8def10ba988dfbe upstream.

In commit 3610ea5397b80822e417aaa0e706fd803fb05680 (ehci: workaround for pci
quirk timeout on ExoPC), a workaround was added to skip the negociation for
the handoff of the EHCI controller.

Refactor the DMI detection code to use standard dmi_check_system function.

Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agotg3: Fix int selftest for recent devices.
Matt Carlson [Wed, 20 Jul 2011 10:20:55 +0000 (10:20 +0000)]
tg3: Fix int selftest for recent devices.

commit 3aa1cdf87c0b3f2345e75c474acc32ebbf0a4724 upstream.

This patch fixes interrupt selftest failures for recent devices (57765,
5717, 5718. 5719, 5720) by disabling MSI one-shot mode and applying the
status tag workaround to the selftest code.

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Reviewed-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agotg3: Add 5719 and 5720 to EEE_CAP list
Matt Carlson [Wed, 20 Jul 2011 10:20:53 +0000 (10:20 +0000)]
tg3: Add 5719 and 5720 to EEE_CAP list

commit 5baa5e9aa28baccd2a1227095c25bb3e999f250d upstream.

This patch adds the 5719 and the 5720 to the list of devices that are
EEE capable.

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Reviewed-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoqdio: clear shared DSCI before scheduling the queue handler
Jan Glauber [Sun, 24 Jul 2011 08:48:00 +0000 (10:48 +0200)]
qdio: clear shared DSCI before scheduling the queue handler

commit b02f0c2ea25781e0f94b4fc8f6f85582057857b3 upstream.

The following race can occur with qdio devices that use the shared device
state change indicator:

Device (Shared DSCI)    CPU0                            CPU1
===============================================================================

1. DSCI 0 => 1,
   INT pending
                        2. Thinint handler
                        * si_used = 1
                        * Inbound tasklet_schedule
                        * DSCI 1 => 0

3. DSCI 0 => 1,
   INT pending

                                                        4. Thinint handler
                                                        * si_used = 1
                                                        * Inbound tasklet_schedu
le
                                                           => NOP

                        5. Inbound tasklet run

6. DSCI = 1,
   INT surpressed

                                                        7. DSCI 1 => 0

The race would lead to a stall where new data in the input queue is
not recognized so the device stops working in case of no further traffic.

Fix the race by resetting the DSCI before scheduling the inbound tasklet
so the device generates an interrupt if new data arrives in the above
scenario in step 6.

Reviewed-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Jan Glauber <jang@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agowriteback: update dirtied_when for synced inode to prevent livelock
Wu Fengguang [Thu, 28 Apr 2011 01:05:21 +0000 (19:05 -0600)]
writeback: update dirtied_when for synced inode to prevent livelock

commit 94c3dcbb0b0cdfd82cedd21705424d8044edc42c upstream.

Explicitly update .dirtied_when on synced inodes, so that they are no
longer considered for writeback in the next round.

It can prevent both of the following livelock schemes:

- while true; do echo data >> f; done
- while true; do touch f;        done (in theory)

The exact livelock condition is, during sync(1):

(1) no new inodes are dirtied
(2) an inode being actively dirtied

On (2), the inode will be tagged and synced with .nr_to_write=LONG_MAX.
When finished, it will be redirty_tail()ed because it's still dirty
and (.nr_to_write > 0). redirty_tail() won't update its ->dirtied_when
on condition (1). The sync work will then revisit it on the next
queue_io() and find it eligible again because its old ->dirtied_when
predates the sync work start time.

We'll do more aggressive "keep writeback as long as we wrote something"
logic in wb_writeback(). The "use LONG_MAX .nr_to_write" trick in commit
b9543dac5bbc ("writeback: avoid livelocking WB_SYNC_ALL writeback") will
no longer be enough to stop sync livelock.

Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agowriteback: introduce .tagged_writepages for the WB_SYNC_NONE sync stage
Wu Fengguang [Sun, 6 Jun 2010 16:38:15 +0000 (10:38 -0600)]
writeback: introduce .tagged_writepages for the WB_SYNC_NONE sync stage

commit 6e6938b6d3130305a5960c86b1a9b21e58cf6144 upstream.

sync(2) is performed in two stages: the WB_SYNC_NONE sync and the
WB_SYNC_ALL sync. Identify the first stage with .tagged_writepages and
do livelock prevention for it, too.

Jan's commit f446daaea9 ("mm: implement writeback livelock avoidance
using page tagging") is a partial fix in that it only fixed the
WB_SYNC_ALL phase livelock.

Although ext4 is tested to no longer livelock with commit f446daaea9,
it may due to some "redirty_tail() after pages_skipped" effect which
is by no means a guarantee for _all_ the file systems.

Note that writeback_inodes_sb() is called by not only sync(), they are
treated the same because the other callers also need livelock prevention.

Impact:  It changes the order in which pages/inodes are synced to disk.
Now in the WB_SYNC_NONE stage, it won't proceed to write the next inode
until finished with the current inode.

Acked-by: Jan Kara <jack@suse.cz>
CC: Dave Chinner <david@fromorbit.com>
Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoipc/mqueue.c: fix mq_open() return value
Jiri Slaby [Tue, 26 Jul 2011 23:08:47 +0000 (16:08 -0700)]
ipc/mqueue.c: fix mq_open() return value

commit d40dcdb0172a1ba853464983a059fb45e0aaf61a upstream.

We return ENOMEM from mqueue_get_inode even when we have enough memory.
Namely in case the system rlimit of mqueue was reached.  This error
propagates to mq_queue and user sees the error unexpectedly.  So fix
this up to properly return EMFILE as described in the manpage:

EMFILE The process already has the maximum number of files and
       message queues open.

instead of:

ENOMEM Insufficient memory.

With the previous patch we just switch to ERR_PTR/PTR_ERR/IS_ERR error
handling here.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoipc/mqueue.c: refactor failure handling
Jiri Slaby [Tue, 26 Jul 2011 23:08:46 +0000 (16:08 -0700)]
ipc/mqueue.c: refactor failure handling

commit 04715206c0c2fd4ec5ca77fa51e3a5b41ce71492 upstream.

If new_inode fails to allocate an inode we need only to return with
NULL.  But now we test the opposite and have all the work in a nested
block.  So do the opposite to save one indentation level (and remove
unnecessary line breaks).

This is only a preparation/cleanup for the next patch where we fix up
return values from mqueue_get_inode.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agotg3: Fix io failures after chip reset
Matt Carlson [Wed, 20 Jul 2011 10:20:50 +0000 (10:20 +0000)]
tg3: Fix io failures after chip reset

commit 9e975cc291d80d5e4562d6bed15ec171e896d69b upstream.

Commit f2096f94b514d88593355995d5dd276961e88af1, entitled
"tg3: Add 5720 H2BMC support", needed to add code to preserve some bits
set by firmware.  Unfortunately the new code causes throughput to stop
after a chip reset because it enables state machines before they are
ready.  This patch undoes the problematic code.  The bits will be
restored later in the init sequence.

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Reviewed-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoiscsi_tcp: fix locking around iscsi sk user data
Mike Christie [Fri, 24 Jun 2011 20:11:54 +0000 (15:11 -0500)]
iscsi_tcp: fix locking around iscsi sk user data

commit 03adb5f91280b433c3685d0ee86b2e1424af3d88 upstream.

iscsi_sw_tcp_conn_restore_callbacks could have set
the sk_user_data field to NULL then iscsi_sw_tcp_data_ready
could read that and try to access the NULL pointer. This
adds some checks for NULL sk_user_data in the sk
callback functions and it uses the sk_callback_lock to
set/get that sk_user_data field.

Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoblk-cgroup: be able to remove the record of unplugged device
Wanlong Gao [Wed, 21 Sep 2011 08:22:10 +0000 (10:22 +0200)]
blk-cgroup: be able to remove the record of unplugged device

commit d11bb4462c4cc6ddd45c6927c617ad79fa6fb8fc upstream.

The bug is we're not able to remove the device from blkio cgroup's
per-device control files if it gets unplugged.

To reproduce the bug:

  # mount -t cgroup -o blkio xxx /cgroup
  # cd /cgroup
  # echo "8:0 1000" > blkio.throttle.read_bps_device
  # unplug the device
  # cat blkio.throttle.read_bps_device
  8:0 1000
  # echo "8:0 0" > blkio.throttle.read_bps_device
  -bash: echo: write error: No such device

After patching, the device removal will succeed.

Thanks for the comments of Paul, Zefan, and Vivek.

Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
Cc: Li Zefan <lizf@cn.fujitsu.com>
Cc: Paul Menage <paul@paulmenage.org>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoiwlagn: workaround bug crashing some APs
Don Fry [Thu, 15 Sep 2011 15:36:22 +0000 (08:36 -0700)]
iwlagn: workaround bug crashing some APs

commit 2249b011432ca3dcce112f0f71e0f531b4bb9347 upstream.

This patch reverts commit 9b7688328422b88a7a15dc0dc123ad9ab1a6e22d which
was introduced in 2.6.38-rc1.  It works around a problem where the iwlagn
driver stimulates a bug crashing (requiring power cycle to recover) some
APs under heavy traffic.

Signed-off-by: Don Fry <donald.h.fry@intel.com>
SIgned-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agortl2800usb: Fix incorrect storage of MAC address on big-endian platforms
Larry Finger [Wed, 14 Sep 2011 21:50:23 +0000 (16:50 -0500)]
rtl2800usb: Fix incorrect storage of MAC address on big-endian platforms

commit daabead1c32f331edcfb255fd973411c667977e8 upstream.

The eeprom data is stored in little-endian order in the rt2x00 library.
As it was converted to cpu order in the read routines, the data need to
be converted to LE on a big-endian platform.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agowireless: Reset beacon_found while updating regulatory
Rajkumar Manoharan [Wed, 14 Sep 2011 08:58:17 +0000 (14:28 +0530)]
wireless: Reset beacon_found while updating regulatory

commit aa3d7eef398dd4f29045e9889b817d5161afe03e upstream.

During the association, the regulatory is updated by country IE
that reaps the previously found beacons. The impact is that
after a STA disconnects *or* when for any reason a regulatory
domain change happens the beacon hint flag is not cleared
therefore preventing future beacon hints to be learned.
This is important as a regulatory domain change or a restore
of regulatory settings would set back the passive scan and no-ibss
flags on the channel. This is the right place to do this given that
it covers any regulatory domain change.

Reviewed-by: Luis R. Rodriguez <mcgrof@gmail.com>
Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Acked-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoxen/e820: if there is no dom0_mem=, don't tweak extra_pages.
David Vrabel [Tue, 13 Sep 2011 14:17:32 +0000 (10:17 -0400)]
xen/e820: if there is no dom0_mem=, don't tweak extra_pages.

commit e3b73c4a25e9a5705b4ef28b91676caf01f9bc9f upstream.

The patch "xen: use maximum reservation to limit amount of usable RAM"
(d312ae878b6aed3912e1acaaf5d0b2a9d08a4f11) breaks machines that
do not use 'dom0_mem=' argument with:

reserve RAM buffer: 000000133f2e2000 - 000000133fffffff
(XEN) mm.c:4976:d0 Global bit is set to kernel page fffff8117e
(XEN) domain_crash_sync called from entry.S
(XEN) Domain 0 (vcpu#0) crashed on cpu#0:
...

The reason being that the last E820 entry is created using the
'extra_pages' (which is based on how many pages have been freed).
The mentioned git commit sets the initial value of 'extra_pages'
using a hypercall which returns the number of pages (if dom0_mem
has been used) or -1 otherwise. If the later we return with
MAX_DOMAIN_PAGES as basis for calculation:

    return min(max_pages, MAX_DOMAIN_PAGES);

and use it:

     extra_limit = xen_get_max_pages();
     if (extra_limit >= max_pfn)
             extra_pages = extra_limit - max_pfn;
     else
             extra_pages = 0;

which means we end up with extra_pages = 128GB in PFNs (33554432)
- 8GB in PFNs (2097152, on this specific box, can be larger or smaller),
and then we add that value to the E820 making it:

  Xen: 00000000ff000000 - 0000000100000000 (reserved)
  Xen: 0000000100000000 - 000000133f2e2000 (usable)

which is clearly wrong. It should look as so:

  Xen: 00000000ff000000 - 0000000100000000 (reserved)
  Xen: 0000000100000000 - 000000027fbda000 (usable)

Naturally this problem does not present itself if dom0_mem=max:X
is used.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoxen: use maximum reservation to limit amount of usable RAM
David Vrabel [Fri, 19 Aug 2011 14:57:16 +0000 (15:57 +0100)]
xen: use maximum reservation to limit amount of usable RAM

commit d312ae878b6aed3912e1acaaf5d0b2a9d08a4f11 upstream.

Use the domain's maximum reservation to limit the amount of extra RAM
for the memory balloon. This reduces the size of the pages tables and
the amount of reserved low memory (which defaults to about 1/32 of the
total RAM).

On a system with 8 GiB of RAM with the domain limited to 1 GiB the
kernel reports:

Before:

Memory: 627792k/4472000k available

After:

Memory: 549740k/11132224k available

A increase of about 76 MiB (~1.5% of the unused 7 GiB).  The reserved
low memory is also reduced from 253 MiB to 32 MiB.  The total
additional usable RAM is 329 MiB.

For dom0, this requires at patch to Xen ('x86: use 'dom0_mem' to limit
the number of pages for dom0') (c/s 23790)

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoteach /proc/$pid/numa_maps about transparent hugepages
Dave Hansen [Tue, 20 Sep 2011 22:19:41 +0000 (15:19 -0700)]
teach /proc/$pid/numa_maps about transparent hugepages

commit 32ef43848f283e0ef945d3c67e851c143fea3970 upstream.

This is modeled after the smaps code.

It detects transparent hugepages and then does a single gather_stats()
for the page as a whole.  This has two benifits:
 1. It is more efficient since it does many pages in a single shot.
 2. It does not have to break down the huge page.

Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
Acked-by: Hugh Dickins <hughd@google.com>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agobreak out numa_maps gather_pte_stats() checks
Dave Hansen [Tue, 20 Sep 2011 22:19:39 +0000 (15:19 -0700)]
break out numa_maps gather_pte_stats() checks

commit 3200a8aaab0c9ccdc0f59b0dac2d4a47029137fa upstream.

gather_pte_stats() does a number of checks on a target page
to see whether it should even be considered for statistics.
This breaks that code out in to a separate function so that
we can use it in the transparent hugepage case in the next
patch.

Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Christoph Lameter <cl@gentwo.org>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomake /proc/$pid/numa_maps gather_stats() take variable page size
Dave Hansen [Tue, 20 Sep 2011 22:19:38 +0000 (15:19 -0700)]
make /proc/$pid/numa_maps gather_stats() take variable page size

commit eb4866d0066ffd5446751c102d64feb3318d8bd1 upstream.

We need to teach the numa_maps code about transparent huge pages.  The
first step is to teach gather_stats() that the pte it is dealing with
might represent more than one page.

Note that will we use this in a moment for transparent huge pages since
they have use a single pmd_t which _acts_ as a "surrogate" for a bunch
of smaller pte_t's.

I'm a _bit_ unhappy that this interface counts in hugetlbfs page sizes
for hugetlbfs pages and PAGE_SIZE for normal pages.  That means that to
figure out how many _bytes_ "dirty=1" means, you must first know the
hugetlbfs page size.  That's easier said than done especially if you
don't have visibility in to the mount.

But, that's probably a discussion for another day especially since it
would change behavior to fix it.  But, just in case anyone wonders why
this patch only passes a '1' in the hugetlb case...

Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
Acked-by: Hugh Dickins <hughd@google.com>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agort2800pci: Fix compiler error on PowerPC
Larry Finger [Wed, 14 Sep 2011 21:50:22 +0000 (16:50 -0500)]
rt2800pci: Fix compiler error on PowerPC

commit d331eb51e4d4190b2178c30fcafea54a94a577e8 upstream.

Using gcc 4.4.5 on a Powerbook G4 with a PPC cpu, a complicated
if statement results in incorrect flow, whereas the equivalent switch
statement works correctly.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoXZ: Fix incorrect XZ_BUF_ERROR
Lasse Collin [Wed, 21 Sep 2011 14:30:50 +0000 (17:30 +0300)]
XZ: Fix incorrect XZ_BUF_ERROR

commit 9c1f8594df4814ebfd6822ca3c9444fb3445888d upstream.

xz_dec_run() could incorrectly return XZ_BUF_ERROR if all of the
following was true:

 - The caller knows how many bytes of output to expect and only provides
   that much output space.

 - When the last output bytes are decoded, the caller-provided input
   buffer ends right before the LZMA2 end of payload marker.  So LZMA2
   won't provide more output anymore, but it won't know it yet and thus
   won't return XZ_STREAM_END yet.

 - A BCJ filter is in use and it hasn't left any unfiltered bytes in the
   temp buffer.  This can happen with any BCJ filter, but in practice
   it's more likely with filters other than the x86 BCJ.

This fixes <https://bugzilla.redhat.com/show_bug.cgi?id=735408> where
Squashfs thinks that a valid file system is corrupt.

This also fixes a similar bug in single-call mode where the uncompressed
size of a block using BCJ + LZMA2 was 0 bytes and caller provided no
output space.  Many empty .xz files don't contain any blocks and thus
don't trigger this bug.

This also tweaks a closely related detail: xz_dec_bcj_run() could call
xz_dec_lzma2_run() to decode into temp buffer when it was known to be
useless.  This was harmless although it wasted a minuscule number of CPU
cycles.

Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoixgbe: fix possible null buffer error
Jesse Brandeburg [Tue, 20 Sep 2011 15:13:03 +0000 (15:13 +0000)]
ixgbe: fix possible null buffer error

commit b811ce9104a7f7663ddae4f7795a194a103b8f90 upstream.

It seems that at least one PPC machine would occasionally give a (valid) 0 as
the return value from dma_map, this caused the ixgbe code to not work
correctly.  A fix is pending in the PPC tree to not return 0 from dma map, but
we can also fix the driver to make sure we don't mess up in other arches as
well.

This patch is applicable to all current stable kernels.

Ref: https://bugzilla.redhat.com/show_bug.cgi?id=683611

Reported-by: Neil Horman <nhorman@redhat.com>
Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
CC: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agob43: Fix beacon problem in ad-hoc mode
Manual Munz [Sun, 18 Sep 2011 23:24:03 +0000 (18:24 -0500)]
b43: Fix beacon problem in ad-hoc mode

commit 8c23516fbb209ccf8f8c36268311c721faff29ee upstream.

In ad-hoc mode, driver b43 does not issue beacons.

Signed-off-by: Manual Munz <freifunk@somakoma.de>
Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agofloppy: use del_timer_sync() in init cleanup
Carsten Emde [Wed, 21 Sep 2011 08:22:11 +0000 (10:22 +0200)]
floppy: use del_timer_sync() in init cleanup

commit 6c4867f6469964e34c5f4ee229a2a7f71a34c7ff upstream.

When no floppy is found the module code can be released while a timer
function is pending or about to be executed.

CPU0                                  CPU1
      floppy_init()
timer_softirq()
   spin_lock_irq(&base->lock);
   detach_timer();
   spin_unlock_irq(&base->lock);
   -> Interrupt
del_timer();
        return -ENODEV;
                                      module_cleanup();
   <- EOI
   call_timer_fn();
   OOPS

Use del_timer_sync() to prevent this.

Signed-off-by: Carsten Emde <C.Emde@osadl.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoARM: Dove: fix second SPI initialization call
Nicolas Pitre [Wed, 14 Sep 2011 05:22:05 +0000 (01:22 -0400)]
ARM: Dove: fix second SPI initialization call

commit 72cc205611879525db0374d9831f84f787112b25 upstream.

Commit 980f9f601a "ARM: orion: Consolidate SPI initialization."
broke it by overwriting the SPI0 registration.

Signed-off-by: Nicolas Pitre <nicolas.pitre@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoFix the conflict between rwpidforward and rw mount options
Steve French [Mon, 29 Aug 2011 18:54:12 +0000 (18:54 +0000)]
Fix the conflict between rwpidforward and rw mount options

commit c9c7fa0064f4afe1d040e72f24c2256dd8ac402d upstream.

Both these options are started with "rw" - that's why the first one
isn't switched on even if it is specified. Fix this by adding a length
check for "rw" option check.

Signed-off-by: Pavel Shilovsky <piastry@etersoft.ru>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocifs: fix possible memory corruption in CIFSFindNext
Jeff Layton [Tue, 23 Aug 2011 11:21:28 +0000 (07:21 -0400)]
cifs: fix possible memory corruption in CIFSFindNext

commit 9438fabb73eb48055b58b89fc51e0bc4db22fabd upstream.

The name_len variable in CIFSFindNext is a signed int that gets set to
the resume_name_len in the cifs_search_info. The resume_name_len however
is unsigned and for some infolevels is populated directly from a 32 bit
value sent by the server.

If the server sends a very large value for this, then that value could
look negative when converted to a signed int. That would make that
value pass the PATH_MAX check later in CIFSFindNext. The name_len would
then be used as a length value for a memcpy. It would then be treated
as unsigned again, and the memcpy scribbles over a ton of memory.

Fix this by making the name_len an unsigned value in CIFSFindNext.

Reported-by: Darren Lavender <dcl@hppine99.gbr.hp.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoALSA: hda/realtek - Fix auto-mute with HP+LO configuration
Takashi Iwai [Mon, 19 Sep 2011 09:31:34 +0000 (11:31 +0200)]
ALSA: hda/realtek - Fix auto-mute with HP+LO configuration

commit 8974bd51a77824d91010176f9a5da28513c2e1f5 upstream.

When the system has only the headphone and the line-out jacks without
speakers, the current auto-mute code doesn't work.  It's because the
spec->automute_lines flag is wrongly referred in update_speakers().
This flag must be meaningless when spec->automute_hp_lo isn't set, thus
they should be always coupled.

The patch fixes the problem and add a comment to indicate the
relationship briefly.

BugLink: http://bugs.launchpad.net/bugs/851697
Reported-by: David Henningsson <david.henningsson@canonical.com>
Tested-By: Jayne Han <jayne.han@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoiwlagn: fix command queue timeout
Johannes Berg [Mon, 12 Sep 2011 19:09:10 +0000 (12:09 -0700)]
iwlagn: fix command queue timeout

commit 282cdb325aea4ebbc42ce753b47cc96145eb54bc upstream.

If the command queue is constantly busy,
which can happen in P2P, the hangcheck
timer will frequently find a command in
it and will eventually reset the device
because nothing sets the timestamp for
this queue when commands are processed.

Fix this by setting the timestamp when
a command completes.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: xhci: Set change bit when warm reset change is set.
Sarah Sharp [Mon, 19 Sep 2011 23:05:11 +0000 (16:05 -0700)]
USB: xhci: Set change bit when warm reset change is set.

commit 44f4c3ed60fb21e1d2dd98304390ac121e6c7c6d upstream.

Sometimes, when a USB 3.0 device is disconnected, the Intel Panther
Point xHCI host controller will report a link state change with the
state set to "SS.Inactive".  This causes the xHCI host controller to
issue a warm port reset, which doesn't finish before the USB core times
out while waiting for it to complete.

When the warm port reset does complete, and the xHC gives back a port
status change event, the xHCI driver kicks khubd.  However, it fails to
set the bit indicating there is a change event for that port because the
logic in xhci-hub.c doesn't check for the warm port reset bit.

After that, the warm port status change bit is never cleared by the USB
core, and the xHC stops reporting port status change bits.  (The xHCI
spec says it shouldn't report more port events until all change bits are
cleared.) This means any port changes when a new device is connected
will never be reported, and the port will seem "dead" until the xHCI
driver is unloaded and reloaded, or the computer is rebooted.  Fix this
by making the xHCI driver set the port change bit when a warm port reset
change bit is set.

A better solution would be to make the USB core handle warm port reset
in differently, merging the current code with the standard port reset
code that does an incremental backoff on the timeout, and tries to
complete the port reset two more times before giving up.  That more
complicated fix will be merged next window, and this fix will be
backported to stable.

This should be backported to kernels as old as 3.0, since that was the
first kernel with commit a11496ebf375 ("xHCI: warm reset support").

Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agodrm/radeon/kms: Make GPU/CPU page size handling consistent in blit code (v2)
Alex Deucher [Fri, 16 Sep 2011 16:04:08 +0000 (12:04 -0400)]
drm/radeon/kms: Make GPU/CPU page size handling consistent in blit code (v2)

commit 003cefe0c238e683a29d2207dba945b508cd45b7 upstream.

The BO blit code inconsistenly handled the page size.  This wasn't
an issue on system with 4k pages since the GPU's page size is 4k as
well.  Switch the driver blit callbacks to take num pages in GPU
page units.

Fixes lemote mipsel systems using AMD rs780/rs880 chipsets.

v2: incorporate suggestions from Michel.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agofirewire: ohci: add no MSI quirk for O2Micro controller
Ming Lei [Wed, 31 Aug 2011 02:45:46 +0000 (10:45 +0800)]
firewire: ohci: add no MSI quirk for O2Micro controller

commit f39aa30d7741f40ad964341e9243dbbd7f8ff057 upstream.

This fixes https://bugs.launchpad.net/ubuntu/+source/linux/+bug/801719 .

An O2Micro PCI Express FireWire controller,
"FireWire (IEEE 1394) [0c00]: O2 Micro, Inc. Device [1217:11f7] (rev 05)"
which is a combination device together with an SDHCI controller and some
sort of storage controller, misses SBP-2 status writes from an attached
FireWire HDD.  This problem goes away if MSI is disabled for this
FireWire controller.

The device reportedly does not require QUIRK_CYCLE_TIMER.

Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoibmveth: Checksum offload is always disabled
Anton Blanchard [Wed, 7 Sep 2011 14:41:05 +0000 (14:41 +0000)]
ibmveth: Checksum offload is always disabled

commit 91aae1e5c407d4fc79f6983e6c6ba04756c004cb upstream.

Commit b9367bf3ee6d (net: ibmveth: convert to hw_features) reversed
a check in ibmveth_set_csum_offload that results in checksum offload
never being enabled.

Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoibmveth: Fix issue with DMA mapping failure
Anton Blanchard [Wed, 7 Sep 2011 14:41:04 +0000 (14:41 +0000)]
ibmveth: Fix issue with DMA mapping failure

commit b93da27f5234198433345e40b39ff59797bc6f6e upstream.

descs[].fields.address is 32bit which truncates any dma mapping
errors so dma_mapping_error() fails to catch it.

Use a dma_addr_t to do the comparison. With this patch I was able
to transfer many gigabytes of data with IOMMU fault injection set
at 10% probability.

Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoibmveth: Fix DMA unmap error
Brian King [Wed, 7 Sep 2011 14:41:03 +0000 (14:41 +0000)]
ibmveth: Fix DMA unmap error

commit 33a48ab105a75d37021e422a0a3283241099b142 upstream.

Commit 6e8ab30ec677 (ibmveth: Add scatter-gather support) introduced a
DMA mapping API inconsistency resulting in dma_unmap_page getting
called on memory mapped via dma_map_single. This was seen when
CONFIG_DMA_API_DEBUG was enabled. Fix up this API usage inconsistency.

Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Acked-by: Anton Blanchard <anton@samba.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoALSA: pcm - fix race condition in wait_for_avail()
Arjan van de Ven [Thu, 15 Sep 2011 06:49:25 +0000 (08:49 +0200)]
ALSA: pcm - fix race condition in wait_for_avail()

commit 763437a9e7737535b2fc72175ad4974048769be6 upstream.

wait_for_avail() in pcm_lib.c has a race in it (observed in practice by an
Intel validation group).

The function is supposed to return once space in the buffer has become
available, or if some timeout happens.  The entity that creates space (irq
handler of sound driver and some such) will do a wake up on a waitqueue
that this function registers for.

However there are two races in the existing code

1) If space became available between the caller noticing there was no
   space and this function actually sleeping, the wakeup is missed and the
   timeout condition will happen instead

2) If a wakeup happened but not sufficient space became available, the
   code will loop again and wait for more space.  However, if the second
   wake comes in prior to hitting the schedule_timeout_interruptible(), it
   will be missed, and potentially you'll wait out until the timeout
   happens.

The fix consists of using more careful setting of the current state (so
that if a wakeup happens in the main loop window, the schedule_timeout()
falls through) and by checking for available space prior to going into the
schedule_timeout() loop, but after being on the waitqueue and having the
state set to interruptible.

[tiwai: the following changes have been added to Arjan's original patch:
 - merged akpm's fix for waitqueue adding order into a single patch
 - reduction of duplicated code of avail check
]

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoworkqueue: lock cwq access in drain_workqueue
Thomas Tuttle [Wed, 14 Sep 2011 23:22:28 +0000 (16:22 -0700)]
workqueue: lock cwq access in drain_workqueue

commit fa2563e41c3d6d6e8af437643981ed28ae0cb56d upstream.

Take cwq->gcwq->lock to avoid racing between drain_workqueue checking to
make sure the workqueues are empty and cwq_dec_nr_in_flight decrementing
and then incrementing nr_active when it activates a delayed work.

We discovered this when a corner case in one of our drivers resulted in
us trying to destroy a workqueue in which the remaining work would
always requeue itself again in the same workqueue.  We would hit this
race condition and trip the BUG_ON on workqueue.c:3080.

Signed-off-by: Thomas Tuttle <ttuttle@chromium.org>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrivers/cpufreq/pcc-cpufreq.c: avoid NULL pointer dereference
Naga Chumbalkar [Wed, 14 Sep 2011 23:22:23 +0000 (16:22 -0700)]
drivers/cpufreq/pcc-cpufreq.c: avoid NULL pointer dereference

commit e71f5cc402ecb42b407ae52add7b173bf1c53daa upstream.

per_cpu(processors, n) can be NULL, resulting in:

  Loading CPUFreq modules[  437.661360] BUG: unable to handle kernel NULL pointer dereference at (null)
  IP: [<ffffffffa0434314>] pcc_cpufreq_cpu_init+0x74/0x220 [pcc_cpufreq]

It's better to avoid the oops by failing the driver, and allowing the
system to boot.

Signed-off-by: Naga Chumbalkar <nagananda.chumbalkar@hp.com>
Cc: Dave Jones <davej@codemonkey.org.uk>
Cc: Len Brown <lenb@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrivers/leds/ledtrig-timer.c: fix broken sysfs delay handling
Johan Hovold [Wed, 14 Sep 2011 23:22:16 +0000 (16:22 -0700)]
drivers/leds/ledtrig-timer.c: fix broken sysfs delay handling

commit 7a5caabd090b8f7d782c40fc1c048d798f2b6fd7 upstream.

Fix regression introduced by commit 5ada28bf7675 ("led-class: always
implement blinking") which broke sysfs delay handling by not storing the
updated value.  Consequently it was only possible to set one of the delays
through the sysfs interface as the other delay was automatically restored
to it's default value.  Reading the parameters always gave the defaults.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Acked-by: Florian Fainelli <florian@openwrt.org>
Acked-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomm: sync vmalloc address space page tables in alloc_vm_area()
David Vrabel [Wed, 14 Sep 2011 23:22:02 +0000 (16:22 -0700)]
mm: sync vmalloc address space page tables in alloc_vm_area()

commit 461ae488ecb125b140d7ea29ceeedbcce9327003 upstream.

Xen backend drivers (e.g., blkback and netback) would sometimes fail to
map grant pages into the vmalloc address space allocated with
alloc_vm_area().  The GNTTABOP_map_grant_ref would fail because Xen could
not find the page (in the L2 table) containing the PTEs it needed to
update.

(XEN) mm.c:3846:d0 Could not find L1 PTE for address fbb42000

netback and blkback were making the hypercall from a kernel thread where
task->active_mm != &init_mm and alloc_vm_area() was only updating the page
tables for init_mm.  The usual method of deferring the update to the page
tables of other processes (i.e., after taking a fault) doesn't work as a
fault cannot occur during the hypercall.

This would work on some systems depending on what else was using vmalloc.

Fix this by reverting ef691947d8a3 ("vmalloc: remove vmalloc_sync_all()
from alloc_vm_area()") and add a comment to explain why it's needed.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Cc: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Ian Campbell <Ian.Campbell@citrix.com>
Cc: Keir Fraser <keir.xen@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agorestore pinning the victim dentry in vfs_rmdir()/vfs_rename_dir()
Al Viro [Wed, 14 Sep 2011 17:55:41 +0000 (18:55 +0100)]
restore pinning the victim dentry in vfs_rmdir()/vfs_rename_dir()

commit 1d2ef5901483004d74947bbf78d5146c24038fe7 upstream.

We used to get the victim pinned by dentry_unhash() prior to commit
64252c75a219 ("vfs: remove dget() from dentry_unhash()") and ->rmdir()
and ->rename() instances relied on that; most of them don't care, but
ones that used d_delete() themselves do.  As the result, we are getting
rmdir() oopses on NFS now.

Just grab the reference before locking the victim and drop it explicitly
after unlocking, same as vfs_rename_other() does.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Simon Kirby <sim@hostway.ca>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon: Don't read from CP ring write pointer registers.
Michel Dänzer [Tue, 13 Sep 2011 09:27:35 +0000 (11:27 +0200)]
drm/radeon: Don't read from CP ring write pointer registers.

commit 87463ff83bcda210d8f0ae440bd64d1548f852e7 upstream.

Apparently this doesn't always work reliably, e.g. at resume time.

Just initialize to 0, so the ring is considered empty.

Tested with hibernation on Sumo and Cayman cards.

Should fix https://bugs.launchpad.net/ubuntu/+source/linux/+bug/820746/ .

Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoALSA: HDA: Cirrus - fix "Surround Speaker" volume control name
David Henningsson [Wed, 14 Sep 2011 11:22:54 +0000 (13:22 +0200)]
ALSA: HDA: Cirrus - fix "Surround Speaker" volume control name

commit 2e1210bc3d065a6e26ff5fef228a9a7e08921d2c upstream.

This patch fixes "Surround Speaker Playback Volume" being cut off.
(Commit b4dabfc452a10 was probably meant to fix this, but it fixed
only the "Switch" name, not the "Volume" name.)

Signed-off-by: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox86, iommu: Mark DMAR IRQ as non-threaded
Thomas Gleixner [Tue, 19 Jul 2011 14:25:42 +0000 (16:25 +0200)]
x86, iommu: Mark DMAR IRQ as non-threaded

commit 477694e71113fd0694b6bb0bcc2d006b8ac62691 upstream.

Mark this lowlevel IRQ handler as non-threaded. This prevents a boot
crash when "threadirqs" is on the kernel commandline. Also the
interrupt handler is handling hardware critical events which should
not be delayed into a thread.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: fix missing sta_lock in __sta_info_destroy
Johannes Berg [Tue, 6 Sep 2011 10:47:39 +0000 (12:47 +0200)]
mac80211: fix missing sta_lock in __sta_info_destroy

commit 4bae7d976976fa52d345805ba686934cd548343e upstream.

Since my commit 34e895075e21be3e21e71d6317440d1ee7969ad0
("mac80211: allow station add/remove to sleep") there is
a race in mac80211 when it clears the TIM bit because a
sleeping station disconnected, the spinlock isn't held
around the relevant code any more. Use the right API to
acquire the spinlock correctly.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agortlwifi: Fix problem when switching connections
George [Sat, 3 Sep 2011 15:58:48 +0000 (10:58 -0500)]
rtlwifi: Fix problem when switching connections

commit bac2555c6d86387132930af4d14cb47c4dd3f4f7 upstream.

The driver fails to clear encryption keys making it impossible
to switch connections.

Signed-off-by: George <george0505@realtek.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agortlwifi: rtl8192su: Fix problem connecting to HT-enabled AP
George [Sat, 3 Sep 2011 15:58:47 +0000 (10:58 -0500)]
rtlwifi: rtl8192su: Fix problem connecting to HT-enabled AP

commit 3401dc6eba788ebc7c14ce51018d775b1c263399 upstream.

The driver fails to connect to 802.11n-enabled APs. The patch fixes
Bug #42262.

Signed-off-by: George <george0505@realtek.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agogenirq: Make irq_shutdown() symmetric vs. irq_startup again
Geert Uytterhoeven [Sun, 11 Sep 2011 11:59:27 +0000 (13:59 +0200)]
genirq: Make irq_shutdown() symmetric vs. irq_startup again

commit ed585a651681e822089087b426e6ebfb6d3d9873 upstream.

If an irq_chip provides .irq_shutdown(), but neither of .irq_disable() or
.irq_mask(), free_irq() crashes when jumping to NULL.
Fix this by only trying .irq_disable() and .irq_mask() if there's no
.irq_shutdown() provided.

This revives the symmetry with irq_startup(), which tries .irq_startup(),
.irq_enable(), and irq_unmask(), and makes it consistent with the comment for
irq_chip.irq_shutdown() in <linux/irq.h>, which says:

 * @irq_shutdown: shut down the interrupt (defaults to ->disable if NULL)

This is also how __free_irq() behaved before the big overhaul, cfr. e.g.
3b56f0585fd4c02d047dc406668cb40159b2d340 ("genirq: Remove bogus conditional"),
where the core interrupt code always overrode .irq_shutdown() to
.irq_disable() if .irq_shutdown() was NULL.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: linux-m68k@lists.linux-m68k.org
Link: http://lkml.kernel.org/r/1315742394-16036-2-git-send-email-geert@linux-m68k.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomfd: Make omap-usb-host TLL mode work again
Anand Gadiyar [Thu, 18 Aug 2011 10:44:31 +0000 (16:14 +0530)]
mfd: Make omap-usb-host TLL mode work again

commit e600cffe618ff0da29ae1f8b8d3824ce0e2409fc upstream.

This code section seems to have been accidentally copy pasted.
It causes incorrect bits to be set up in the TLL_CHANNEL_CONF
register and prevents the TLL mode from working correctly.

Signed-off-by: Anand Gadiyar <gadiyar@ti.com>
Cc: Keshava Munegowda <keshava_mgowda@ti.com>
Acked-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomfd: Fix initialisation of tps65910 interrupts
Johan Hovold [Mon, 15 Aug 2011 10:42:03 +0000 (12:42 +0200)]
mfd: Fix initialisation of tps65910 interrupts

commit fa948761e685fb03823b3029e5b6bdb52229d6ce upstream.

Fix regression introduced by commit
a2974732ca7614aaf0baf9d6dd3ad893d50ce1c5 (TPS65911: Add new irq
definitions) which caused irq_num to be incorrectly set for tps65910.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Acked-by: Graeme Gregory <gg@slimlogic.co.uk>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomfd: Fix value of WM8994_CONFIGURE_GPIO
Mark Brown [Wed, 3 Aug 2011 09:04:29 +0000 (18:04 +0900)]
mfd: Fix value of WM8994_CONFIGURE_GPIO

commit 8efcc57dedfebc99c3cd39564e3fc47cd1a24b75 upstream.

This needs to be an out of band value for the register and on this device
registers are 16 bit so we must shift left one to the 17th bit.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoASoC: Blackfin: bf5xx-ad193x: Fix codec device name
Lars-Peter Clausen [Mon, 5 Sep 2011 11:49:57 +0000 (13:49 +0200)]
ASoC: Blackfin: bf5xx-ad193x: Fix codec device name

commit c5d2e650bd805a00ff9af537d5b5dede598a198c upstream.

Fix the codec_name field of the dai_link to match the actual device name
of the codec. Otherwise the card won't be instantiated.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Liam Girdwood <lrg@ti.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoASoC: Fix reporting of partial jack updates
Mark Brown [Sun, 4 Sep 2011 15:18:18 +0000 (08:18 -0700)]
ASoC: Fix reporting of partial jack updates

commit 747da0f80e566500421bd7760b2e050fea3fde5e upstream.

We need to report the entire jack state to the core jack code, not just
the bits that were being updated by the caller, otherwise the status
reported by other detection methods will be omitted from the state seen
by userspace.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Acked-by: Liam Girdwood <lrg@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoe1000: Fix driver to be used on PA RISC C8000 workstations
Jeff Kirsher [Wed, 31 Aug 2011 00:58:56 +0000 (20:58 -0400)]
e1000: Fix driver to be used on PA RISC C8000 workstations

commit e2faeec2de9e2c73958e6ea6065dde1e8cd6f3a2 upstream.

The checksum field in the EEPROM on HPPA is really not a
checksum but a signature (0x16d6).  So allow 0x16d6 as the
matching checksum on HPPA systems.

This issue is present on longterm/stable kernels, I have
verified that this patch is applicable back to at least
2.6.32.y kernels.

v2- changed ifdef to use CONFIG_PARISC instead of __hppa__

CC: Guy Martin <gmsoft@tuxicoman.be>
CC: Rolf Eike Beer <eike-kernel@sf-tec.de>
CC: Matt Turner <mattst88@gmail.com>
Reported-by: Mikulas Patocka <mikulas@artax.kerlin.mff.cuni.cz>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k_hw: fix calibration on 5 ghz
Felix Fietkau [Mon, 29 Aug 2011 08:06:14 +0000 (10:06 +0200)]
ath9k_hw: fix calibration on 5 ghz

commit 0e4660cbe51276e86dbdab17228733dbcdb49249 upstream.

ADC calibrations cannot run on 5 GHz with fast clock enabled. They
need to be disabled, otherwise they'll hang and IQ mismatch calibration
will not be run either.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Reported-by: Adrian Chadd <adrian@freebsd.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoacpica: ACPI_MAX_SLEEP should be 2 sec, not 20
Len Brown [Tue, 30 Aug 2011 03:01:58 +0000 (23:01 -0400)]
acpica: ACPI_MAX_SLEEP should be 2 sec, not 20

commit b33c25d6a62ac253caabda2b5f43258abff451c0 upstream.

This limit is a workaround for AML that sleeps too long,
but the workaround didn't work b/c of a typo.

https://bugzilla.kernel.org/show_bug.cgi?id=13195

Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoiwlegacy: fix BUG_ON(info->control.rates[0].idx < 0)
Stanislaw Gruszka [Fri, 26 Aug 2011 15:24:59 +0000 (17:24 +0200)]
iwlegacy: fix BUG_ON(info->control.rates[0].idx < 0)

commit 7c2510120e9b43b0caf32c3786a6ab831f7d9e87 upstream.

When trying to connect to 5GHz we can provide negative index to
mac80211 what trigger BUG_ON. Reason of iwl-3945-rs malfunction
on 5GHz is unknown and needs further investigation. For now, to
do not trigger a bug, correct value and just print WARNING.

Address bug:
https://bugzilla.redhat.com/show_bug.cgi?id=730653

Reported-and-tested-by: Jan Teichmann <jan.teichmann@gmail.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoqla2xxx: Correct inadvertent loop state transitions during port-update handling.
Andrew Vasquez [Tue, 16 Aug 2011 18:29:28 +0000 (11:29 -0700)]
qla2xxx: Correct inadvertent loop state transitions during port-update handling.

commit 58b48576966ed0afd3f63ef17480ec12748a7119 upstream.

Transitioning to a LOOP_UPDATE loop-state could cause the driver
to miss normal link/target processing.  LOOP_UPDATE is a crufty
artifact leftover from at time the driver performed it's own
internal command-queuing.  Safely remove this state.

Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agohpsa: fix physical device lun and target numbering problem
Stephen M. Cameron [Tue, 9 Aug 2011 13:18:01 +0000 (08:18 -0500)]
hpsa: fix physical device lun and target numbering problem

commit 01350d05539d1c95ef3568d062d864ab76ae7670 upstream.

If a physical device exposed to the OS by hpsa
is replaced (e.g. one hot plug tape drive is replaced
by another, or a tape drive is placed into "OBDR" mode
in which it acts like a CD-ROM device) and a rescan is
initiated, the replaced device will be added to the
SCSI midlayer with target and lun numbers set to -1.
After that, a panic is likely to ensue.  When a physical
device is replaced, the lun and target number should be
preserved.

Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agohpsa: fix problem that OBDR devices are not detected
Stephen M. Cameron [Tue, 9 Aug 2011 13:17:30 +0000 (08:17 -0500)]
hpsa: fix problem that OBDR devices are not detected

commit 0b0e1d6cbcc8627970e0399df8f06edd690ec7d9 upstream.

The test to detect OBDR ("One Button Disaster Recovery")
cd-rom devices was comparing against uninitialized data.

Fixed by moving the test for the device to where the
inquiry data is collected, and uninitialized variable
altogether as it wasn't really being used.

Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoASoC: MPC5200: replace of_device with platform_device
Timur Tabi [Tue, 23 Aug 2011 21:48:26 +0000 (16:48 -0500)]
ASoC: MPC5200: replace of_device with platform_device

commit 3bdf28feafc52864bd7f17b39deec64833a89d19 upstream.

'struct of_device' no longer exists, and its functionality has been merged
into platform_device.  Update the MPC5200 audio DMA driver (mpc5200_dma)
accordingly.  This fixes a build break.

Signed-off-by: Timur Tabi <timur@freescale.com>
Acked-by: Liam Girdwood <lrg@ti.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoisci: fix 32-bit operation when CONFIG_HIGHMEM64G=n
Dan Williams [Sat, 30 Jul 2011 00:16:45 +0000 (17:16 -0700)]
isci: fix 32-bit operation when CONFIG_HIGHMEM64G=n

commit ee33e2b771f9e9e4aaba2bb2ace7b727fe451a8b upstream.

The unsolicited frame control infrastructure requires a table of dma
addresses for the hardware to lookup the frame buffer location by an
index.  The hardware expects the elements of this table to be 64-bit
quantities, so we cannot reference these elements as dma_addr_t.  All
unsolicited frame protocols are affected, particularly SATA-PIO and SMP
which prevented direct-attached SATA drives and expander-attached drives
to not be discovered.

Reported-by: Jacek Danecki <jacek.danecki@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoisci: fix sata response handling
Dan Williams [Sat, 30 Jul 2011 00:16:40 +0000 (17:16 -0700)]
isci: fix sata response handling

commit 1a878284473284f9577d44babf16d87152a05c33 upstream.

A bug (likely copy/paste) that has been carried from the original
implementation.  The unsolicited frame handling structure returns the
d2h fis in the isci_request.stp.rsp buffer.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agofs/9p: Use protocol-defined value for lock/getlock 'type' field.
Jim Garlick [Sat, 20 Aug 2011 18:51:18 +0000 (00:21 +0530)]
fs/9p: Use protocol-defined value for lock/getlock 'type' field.

commit 51b8b4fb32271d39fbdd760397406177b2b0fd36 upstream.

Signed-off-by: Jim Garlick <garlick@llnl.gov>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Harsh Prateek Bora <harsh@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agofs/9p: Always ask new inode in lookup for cache mode disabled
Aneesh Kumar K.V [Tue, 16 Aug 2011 16:49:28 +0000 (22:19 +0530)]
fs/9p: Always ask new inode in lookup for cache mode disabled

commit 73f507171cfa407b19f254aef95cbb058c8180cf upstream.

This make sure we don't end up reusing the unlinked inode object.
The ideal way is to use inode i_generation. But i_generation is
not available in userspace always.

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonet/9p: Fix kernel crash with msize 512K
Aneesh Kumar K.V [Wed, 17 Aug 2011 16:56:04 +0000 (16:56 +0000)]
net/9p: Fix kernel crash with msize 512K

commit b49d8b5d7007a673796f3f99688b46931293873e upstream.

With msize equal to 512K (PAGE_SIZE * VIRTQUEUE_NUM), we hit multiple
crashes. This patch fix those.

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agofs/9p: Add OS dependent open flags in 9p protocol
Aneesh Kumar K.V [Wed, 3 Aug 2011 14:25:32 +0000 (19:55 +0530)]
fs/9p: Add OS dependent open flags in 9p protocol

commit f88657ce3f9713a0c62101dffb0e972a979e77b9 upstream.

Some of the flags are OS/arch dependent we add a 9p
protocol value which maps to asm-generic/fcntl.h values in Linux
Based on the original patch from Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>

[extra comments from author as to why this needs to go to stable:

Earlier for different operation such as open we used the values of open
flag as defined by the OS.  But some of these flags such as O_DIRECT are
arch dependent. So if we have the 9p client and server running on
different architectures, we end up with client sending client
architecture value of these open flag and server will try to map these
values to what its architecture states. For ex: O_DIRECT on a x86 client
maps to

#define O_DIRECT        00040000

Where as on sparc server it will maps to

#define O_DIRECT        0x100000

Hence we need to map these open flags to OS/arch independent flag
values.  Getting these changes to an early version of kernel ensures us
that we work with different combination of client and server. We should
ideally backport this patch to all possible kernel version.]

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Harsh Prateek Bora <harsh@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agofs/9p: Don't update file type when updating file attributes
Aneesh Kumar K.V [Mon, 25 Jul 2011 18:06:33 +0000 (18:06 +0000)]
fs/9p: Don't update file type when updating file attributes

commit 45089142b1497dab2327d60f6c71c40766fc3ea4 upstream.

We should only update attributes that we can change on stat2inode.
Also do file type initialization in v9fs_init_inode.

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agofs/9p: Add fid before dentry instantiation
Aneesh Kumar K.V [Mon, 25 Jul 2011 18:06:32 +0000 (18:06 +0000)]
fs/9p: Add fid before dentry instantiation

commit 5441ae5eb3614d3c28f77073370738a2820c88e4 upstream.

d_instantiate marks the dentry positive. So a parallel lookup and mkdir of
the directory can find dentry that doesn't have fid attached. This can result
in both the code path doing v9fs_fid_add which results in v9fs_dentry leak.

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoACPICA: Do not repair _TSS return package if _PSS is present
Fenghua Yu [Mon, 4 Jul 2011 08:36:16 +0000 (08:36 +0000)]
ACPICA: Do not repair _TSS return package if _PSS is present

commit 8f9c91273e36e5762c617c23e4fd48d5172e0dac upstream.

We can only sort the _TSS return package if there is no _PSS
in the same scope. This is because if _PSS is present, the ACPI
specification dictates that the _TSS Power Dissipation field is
to be ignored, and therefore some BIOSs leave garbage values in
the _TSS Power field(s).  In this case, it is best to just return
the _TSS package as-is.

Reported-by: Fenghua Yu <fenghua.yu@intel.com>
Signed-off-by: Fenghua Yu <fenghua.yu@intel.com>
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Lin Ming <ming.m.lin@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoiommu/amd: Make sure iommu->need_sync contains correct value
Joerg Roedel [Fri, 2 Sep 2011 12:10:32 +0000 (14:10 +0200)]
iommu/amd: Make sure iommu->need_sync contains correct value

commit f1ca1512e765337a7c09eb875eedef8ea4e07654 upstream.

The value is only set to true but never set back to false,
which causes to many completion-wait commands to be sent to
hardware. Fix it with this patch.

Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoiommu/amd: Don't take domain->lock recursivly
Joerg Roedel [Fri, 2 Sep 2011 12:19:50 +0000 (14:19 +0200)]
iommu/amd: Don't take domain->lock recursivly

commit e33acde91140f1809952d1c135c36feb66a51887 upstream.

The domain_flush_devices() function takes the domain->lock.
But this function is only called from update_domain() which
itself is already called unter the domain->lock. This causes
a deadlock situation when the dma-address-space of a domain
grows larger than 1GB.

Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoirda: fix smsc-ircc2 section mismatch warning
Randy Dunlap [Wed, 22 Jun 2011 03:32:53 +0000 (20:32 -0700)]
irda: fix smsc-ircc2 section mismatch warning

commit f470e5ae34d68880a38aa79ee5c102ebc2a1aef6 upstream.

Fix section mismatch warning:

WARNING: drivers/net/irda/smsc-ircc2.o(.devinit.text+0x1a7): Section mismatch in reference from the function smsc_ircc_pnp_probe() to the function .init.text:smsc_ircc_open()

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years ago9p: close ACL leaks
Al Viro [Sat, 23 Jul 2011 06:28:13 +0000 (02:28 -0400)]
9p: close ACL leaks

commit 1ec95bf34d976b38897d1977b155a544d77b05e7 upstream.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonet/9p: Fix the msize calculation.
Venkateswararao Jujjuri (JV) [Thu, 30 Jun 2011 01:06:33 +0000 (18:06 -0700)]
net/9p: Fix the msize calculation.

commit c9ffb05ca5b5098d6ea468c909dd384d90da7d54 upstream.

msize represents the maximum PDU size that includes P9_IOHDRSZ.

Signed-off-by: Venkateswararao Jujjuri "<jvrao@linux.vnet.ibm.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>