Blackfin: Annotate strnlen_user and strlen_user 'src' parameter with __user
The 'src' parameter of strnlen_user and strlen_user is supposed to take a
userspace pointer, so annotate it with __user. This fixes the following and
similar sparse warnings:
fs/binfmt_elf_fdpic.c:671:36: warning: incorrect type in argument 1 (different address spaces)
fs/binfmt_elf_fdpic.c:671:36: expected char const *src
fs/binfmt_elf_fdpic.c:671:36: got char [noderef] <asn:1>*[assigned] p
fs/binfmt_elf_fdpic.c:683:36: warning: incorrect type in argument 1 (different address spaces)
fs/binfmt_elf_fdpic.c:683:36: expected char const *src
fs/binfmt_elf_fdpic.c:683:36: got char [noderef] <asn:1>*[assigned] p
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Bob Liu <lliubbo@gmail.com>
Blackfin: Annotate clear_user 'to' parameter with __user
The 'to' parameter of clear_user is supposed to take a userspace pointer, so
annotate it with __user. This fixes the following and similar sparse warnings:
fs/binfmt_elf_fdpic.c:714:35: warning: incorrect type in argument 1 (different address spaces)
fs/binfmt_elf_fdpic.c:714:35: expected void [noderef] <asn:1>*to
fs/binfmt_elf_fdpic.c:714:35: got void *<noident>
fs/binfmt_elf_fdpic.c:1119:29: warning: incorrect type in argument 1 (different address spaces)
fs/binfmt_elf_fdpic.c:1119:29: expected void *to
fs/binfmt_elf_fdpic.c:1119:29: got void [noderef] <asn:1>*<noident>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Bob Liu <lliubbo@gmail.com>
Jerry Chu [Mon, 22 Oct 2012 11:26:36 +0000 (11:26 +0000)]
tcp: Reject invalid ack_seq to Fast Open sockets
A packet with an invalid ack_seq may cause a TCP Fast Open socket to switch
to the unexpected TCP_CLOSING state, triggering a BUG_ON kernel panic.
When a FIN packet with an invalid ack_seq# arrives at a socket in
the TCP_FIN_WAIT1 state, rather than discarding the packet, the current
code will accept the FIN, causing state transition to TCP_CLOSING.
This may be a small deviation from RFC793, which seems to say that the
packet should be dropped. Unfortunately I did not expect this case for
Fast Open hence it will trigger a BUG_ON panic.
It turns out there is really nothing bad about a TFO socket going into
TCP_CLOSING state so I could just remove the BUG_ON statements. But after
some thought I think it's better to treat this case like TCP_SYN_RECV
and return a RST to the confused peer who caused the unacceptable ack_seq
to be generated in the first place.
Signed-off-by: H.K. Jerry Chu <hkchu@google.com> Cc: Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Acked-by: Yuchung Cheng <ycheng@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Jean Delvare [Thu, 18 Oct 2012 20:11:38 +0000 (22:11 +0200)]
MAINTAINERS: NETWORKING DRIVERS matches too much
File pattern include/linux/*device.h matches too much, including
completely unrelated files. Replace it with an explicit list of
network device-related header files.
Signed-off-by: Jean Delvare <khali@linux-fr.org> Cc: Joe Perches <joe@perches.com> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Veaceslav Falico [Mon, 22 Oct 2012 04:43:25 +0000 (04:43 +0000)]
pch_gbe: don't reset MAC_RX on FIFO overflow
Currently, when FIFO_ERR happens, we stop the dma, wait for it to become
idle and then reset the whole MAC_RX logic (and after that we must re-set
multicast addresses and also re-enable MAC_RX when we're finally ready to
accept new packets). This leads to CRC errors on high number of incoming
packets and is not needed according to the datasheet.
This patch fixes it by the following steps:
1) remove this reset in pch_gbe_stop_receive(), which causes some functions
to not be used anywhere
2) remove already unused functions pch_gbe_wait_clr_bit_irq() and
pch_gbe_mac_reset_rx() to correctly build
3) move pch_gbe_enable_mac_rx() out of pch_gbe_start_receive() to
pch_gbe_up() where it's only needed after we've removed the MAC_RX reset
4) rename pch_gbe_start/stop_receive() to pch_gbe_enable/disable_dma_rx()
to more precisely reflect what the functions are now doing.
After these changes we already don't see the CRC errors and gain some
increase in RX processing speed.
Signed-off-by: Veaceslav Falico <vfalico@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Veaceslav Falico [Mon, 22 Oct 2012 04:43:24 +0000 (04:43 +0000)]
pch_gbe: don't re-set RX_FIFO_ERR flag in napi_poll
If we were in RX_FIFO_ERR state and entered pch_gbe_napi_poll(), we'll
anyway clean some rx space and thus can continue to receive more packets.
Currently, we re-set the RX_FIFO_ERR in situations when we've exhausted our
budget for RX cleaning or cleaned some TX packets. Removing it gives us
+20%-40% speed increase and a lot less of RX_FIFO_ERRors reported.
Signed-off-by: Veaceslav Falico <vfalico@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Tue, 23 Oct 2012 05:51:07 +0000 (08:51 +0300)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
"Fixes for intel and nouveau mainly.
- intel: disable HSW by default, sdvo fixes, link train regression
fix
- nouveau: acpi rom loading regression fix, with a few other fixes
from the rework
-core: just other minor fixes and race fixes for ttm."
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (24 commits)
drm/ttm: Fix a theoretical race in ttm_bo_cleanup_refs()
drm/ttm: Fix a theoretical race
drm: platform: Don't initialize driver-private data
drm/debugfs: remove redundant info from gem_names
drm: fb: cma: Fail gracefully on allocation failure
drm: fb: cma: Fix typo in debug message
drm/nouveau/clock: fix missing pll type/addr when matching default entry
drm/nouveau/fb: fix reporting of memory type on GF8+ IGPs
drm/nv41/vm: don't init hw pciegart on boards with agp bridge
drm/nouveau/bios: fetch full 4KiB block to determine ACPI ROM image size
drm/nouveau: validate vbios size
drm/nouveau: warn when trying to free mm which is still in use
drm/nouveau: fix nouveau_mm/nouveau_mm_node leak
drm/nouveau/bios: improve error handling when reading the vbios from ACPI
drm/nouveau: handle same-fb page flips
drm/i915: Initialize obj->pages before use by i915_gem_object_do_bit17_swizzle()
drm/i915: Add no-lvds quirk for Supermicro X7SPA-H
drm/i915: Insert i915_preliminary_hw_support variable.
drm/i915: shut up spurious WARN in the gtt fault handler
Revert "drm/i915: Try harder to complete DP training pattern 1"
...
Linus Torvalds [Tue, 23 Oct 2012 05:48:26 +0000 (08:48 +0300)]
Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
Pull ext4 fixes from Ted Ts'o:
"Various bug fixes for ext4. The most serious of them fixes a security
bug (CVE-2012-4508) which leads to stale data exposure when we have
fallocate racing against writes to files undergoing delayed
allocation. We also have two fixes for the metadata checksum feature,
the most serious of which can cause the superblock to have a invalid
checksum after a power failure."
* tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
ext4: Avoid underflow in ext4_trim_fs()
ext4: Checksum the block bitmap properly with bigalloc enabled
ext4: fix undefined bit shift result in ext4_fill_flex_info
ext4: fix metadata checksum calculation for the superblock
ext4: race-condition protection for ext4_convert_unwritten_extents_endio
ext4: serialize fallocate with ext4_convert_unwritten_extents
Linus Torvalds [Tue, 23 Oct 2012 05:47:38 +0000 (08:47 +0300)]
Merge tag 'nfs-for-3.7-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
Pull NFS client bugfixes from Trond Myklebust:
- Do not call pnfs_return_layout() from an rpciod context
- nfs4_ds_disconnect can cause Oopses. Kill it...
- Fix the return value for nfs_callback_start_svc
- Fix a number of compile warnings
* tag 'nfs-for-3.7-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
NFSv4: Fix the return value for nfs_callback_start_svc
NFSv4.1: Declare osd_pri_2_pnfs_err(), objio_init_read/write to be static
NFSv4: fs/nfs/nfs4getroot.c needs to include "internal.h"
NFSv4.1: Use kcalloc() to allocate zeroed arrays instead of kzalloc()
NFSv4.1: Do not call pnfs_return_layout() from an rpciod context
NFSv4.1: Kill nfs4_ds_disconnect()
Thomas Hellstrom [Mon, 22 Oct 2012 12:51:26 +0000 (12:51 +0000)]
drm/ttm: Fix a theoretical race in ttm_bo_cleanup_refs()
In theory, that function could release the lru lock between
checking for bo on ddestroy list and a successful reserve if the bo
was already reserved, and the function was called with waiting reserves
allowed.
However, all current reservers of a bo on the ddestroy list would
atomically take the bo off the list after a successful reserve so this
race should not have been hit, so no need to backport for stable.
This patch also fixes a case found by Maarten Lankhorst where
ttm_mem_evict_first called with no_wait_gpu would incorrectly
spin waiting for bo idle if trying to evict a busy buffer that
also sits on the ddestroy list.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
Thomas Hellstrom [Mon, 22 Oct 2012 12:51:25 +0000 (12:51 +0000)]
drm/ttm: Fix a theoretical race
The ttm_mem_evict_first function could theoretically drop the
lru lock without retrying if a reservation from off the LRU list
ended up waiting.
However, since currently there are no users that could cause a wait
in that situation so this is not suitable for stable
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com> Signed-off-by: Dave Airlie <airlied@redhat.com>
Thierry Reding [Mon, 15 Oct 2012 18:03:42 +0000 (18:03 +0000)]
drm: platform: Don't initialize driver-private data
Platform device drivers usually use the driver-private data for their
own purposes. Having it overwritten by drm_platform_init() is confusing
and error-prone.
Signed-off-by: Thierry Reding <thierry.reding@avionic-design.de> Signed-off-by: Dave Airlie <airlied@redhat.com>
Marcin Slusarz [Tue, 16 Oct 2012 21:47:35 +0000 (21:47 +0000)]
drm/debugfs: remove redundant info from gem_names
It's a relic of "drm: Convert proc files to seq_file and introduce debugfs",
which wrongly converted DRM_INFO + sprintf to 2 seq_printfs.
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com> Cc: Ben Gamari <bgamari@gmail.com> Cc: Eric Anholt <eric@anholt.net> Signed-off-by: Dave Airlie <airlied@redhat.com>
Thierry Reding [Sat, 20 Oct 2012 10:32:47 +0000 (10:32 +0000)]
drm: fb: cma: Fail gracefully on allocation failure
The drm_gem_cma_create() function never returns NULL but rather an error
encoded in the return value using the ERR_PTR() macro. Callers therefore
need to check for errors using the IS_ERR() macro. This change allows
drivers to handle contiguous DMA allocation failures gracefully.
Randy Dunlap [Thu, 11 Oct 2012 16:34:11 +0000 (09:34 -0700)]
staging: ramster: depends on NET
ramster uses network interfaces that are only present when
CONFIG_NET is enabled, so it should depend on NET.
Fixes these build errors:
drivers/built-in.o: In function `sc_kref_release':
tcp.c:(.text+0x24b9af): undefined reference to `sock_release'
drivers/built-in.o: In function `r2net_open_listening_sock':
tcp.c:(.text+0x24ca2b): undefined reference to `sock_create'
tcp.c:(.text+0x24cb91): undefined reference to `sock_release'
drivers/built-in.o: In function `r2net_recv_tcp_msg':
tcp.c:(.text+0x24cdbd): undefined reference to `sock_recvmsg'
drivers/built-in.o: In function `r2net_send_tcp_msg':
tcp.c:(.text+0x24d341): undefined reference to `sock_sendmsg'
drivers/built-in.o: In function `r2net_start_connect':
tcp.c:(.text+0x24d8fa): undefined reference to `sock_create'
drivers/built-in.o: In function `r2net_shutdown_sc':
tcp.c:(.text+0x24e30c): undefined reference to `kernel_sock_shutdown'
drivers/built-in.o: In function `r2net_accept_one':
tcp.c:(.text+0x24f392): undefined reference to `sock_create_lite'
tcp.c:(.text+0x24f3c3): undefined reference to `sock_release'
drivers/built-in.o: In function `r2net_stop_listening':
(.text+0x250f63): undefined reference to `sock_release'
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> Cc: konrad.wilk@oracle.com Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: omapdrm: fix allocation size for page addresses array
Signed-off-by: Rob Clark <rob@ti.com> Signed-off-by: Vincent Penquerc'h <vincent.penquerch@collabora.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Lukas Czerner [Mon, 22 Oct 2012 22:01:19 +0000 (18:01 -0400)]
ext4: Avoid underflow in ext4_trim_fs()
Currently if len argument in ext4_trim_fs() is smaller than one block,
the 'end' variable underflow. Avoid that by returning EINVAL if len is
smaller than file system block.
Nitin Gupta [Thu, 11 Oct 2012 00:42:18 +0000 (17:42 -0700)]
staging: zram: Fix handling of incompressible pages
Change 130f315a (staging: zram: remove special handle of uncompressed page)
introduced a bug in the handling of incompressible pages which resulted in
memory allocation failure for such pages.
When a page expands on compression, say from 4K to 4K+30, we were trying to
do zsmalloc(pool, 4K+30). However, the maximum size which zsmalloc can
allocate is PAGE_SIZE (for obvious reasons), so such allocation requests
always return failure (0).
For a page that has compressed size larger than the original size (this may
happen with already compressed or random data), there is no point storing
the compressed version as that would take more space and would also require
time for decompression when needed again. So, the fix is to store any page,
whose compressed size exceeds a threshold (max_zpage_size), as-it-is i.e.
without compression. Memory required for storing this uncompressed page can
then be requested from zsmalloc which supports PAGE_SIZE sized allocations.
Lastly, the fix checks that we do not attempt to "decompress" the page which
we stored in the uncompressed form -- we just memcpy() out such pages.
Arve Hjønnevåg [Tue, 16 Oct 2012 22:29:55 +0000 (15:29 -0700)]
Staging: android: binder: Allow using highmem for binder buffers
The default kernel mapping for the pages allocated for the binder
buffers is never used. Set the __GFP_HIGHMEM flag when allocating
these pages so we don't needlessly use low memory pages that may
be required elsewhere.
Eric Dumazet [Mon, 22 Oct 2012 09:03:40 +0000 (09:03 +0000)]
net: fix secpath kmemleak
Mike Kazantsev found 3.5 kernels and beyond were leaking memory,
and tracked the faulty commit to a1c7fff7e18f59e ("net:
netdev_alloc_skb() use build_skb()")
While this commit seems fine, it uncovered a bug introduced
in commit bad43ca8325 ("net: introduce skb_try_coalesce()), in function
kfree_skb_partial()"):
If head is stolen, we free the sk_buff,
without removing references on secpath (skb->sp).
So IPsec + IP defrag/reassembly (using skb coalescing), or
TCP coalescing could leak secpath objects.
Fix this bug by calling skb_release_head_state(skb) to properly
release all possible references to linked objects.
Reported-by: Mike Kazantsev <mk.fraggod@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Bisected-by: Mike Kazantsev <mk.fraggod@gmail.com> Tested-by: Mike Kazantsev <mk.fraggod@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Joe Jin [Sun, 21 Oct 2012 14:40:36 +0000 (14:40 +0000)]
qla3xxx: Ensure request/response queue addr writes to the registers
Before use the request and response queue addr, make sure it has wrote
to the registers.
Signed-off-by: Joe Jin <joe.jin@oracle.com> Cc: Jitendra Kalsaria <jitendra.kalsaria@qlogic.com> Cc: Ron Mercer <ron.mercer@qlogic.com> Acked-by: Jitendra Kalsaria <jitendra.kalsaria@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Yuchung Cheng [Fri, 19 Oct 2012 15:14:44 +0000 (15:14 +0000)]
tcp: add SYN/data info to TCP_INFO
Add a bit TCPI_OPT_SYN_DATA (32) to the socket option TCP_INFO:tcpi_options.
It's set if the data in SYN (sent or received) is acked by SYN-ACK. Server or
client application can use this information to check Fast Open success rate.
Signed-off-by: Yuchung Cheng <ycheng@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Ian Abbott [Wed, 3 Oct 2012 15:25:21 +0000 (16:25 +0100)]
staging: comedi: ni_labpc: fix possible NULL deref during detach
`labpc_common_detach()` is called by the comedi core to clean up if
either `labpc_attach()` (including the one in the "ni_labpc_cs" module)
or `labpc_attach_pci()` returns an error. It assumes the `thisboard`
macro (expanding to `((struct labpc_board_struct *)dev->board_ptr)`) is
non-null. This is a valid assumption if `labpc_attach()` fails, but not
if `labpc_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `labpc_common_detach()` and return early
if it is `NULL`. This is okay because the only other thing that could
have been allocated is `dev->private` and that is freed by the comedi
core, not by this function.
Ian Abbott [Wed, 3 Oct 2012 15:25:20 +0000 (16:25 +0100)]
staging: comedi: das08: fix possible NULL deref during detach
`das08_detach()` is called by the comedi core to clean up if either
`das08_attach()` or `das08_attach_pci()` returns an error. It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. This is a valid assumption if `das08_attach()` fails, but not
if `das08_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `das08_detach()` and return early if it
is `NULL`. This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.
Ian Abbott [Wed, 3 Oct 2012 15:25:19 +0000 (16:25 +0100)]
staging: comedi: amplc_pc263: fix possible NULL deref during detach
`pc263_detach()` is called by the comedi core to clean up if either
`pc263_attach()` or `pc263_attach_pci()` returns an error. It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. This is a valid assumption if `pc263_attach()` fails, but not
if `pc263_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `pc263_detach()` and return early if it
is `NULL`. This is okay because no other resources need cleaning up in
this case.
Ian Abbott [Wed, 3 Oct 2012 15:25:18 +0000 (16:25 +0100)]
staging: comedi: amplc_pc236: fix possible NULL deref during detach
`pc236_detach()` is called by the comedi core to clean up if either
`pc236_attach()` or `pc236_attach_pci()` returns an error. It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. This is a valid assumption if `pc236_attach()` fails, but not
if `pc236_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `pc236_detach()` and return early if it
is `NULL`. This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.
Ian Abbott [Wed, 3 Oct 2012 15:25:17 +0000 (16:25 +0100)]
staging: comedi: amplc_pc236: fix invalid register access during detach
`pc236_detach()` is called by the comedi core if it attempted to attach
a device and failed. `pc236_detach()` calls `pc236_intr_disable()` if
the comedi device private data pointer (`devpriv`) is non-null. This
test is insufficient as `pc236_intr_disable()` accesses hardware
registers and the attach routine may have failed before it has saved
their I/O base addresses.
Fix it by checking `dev->iobase` is non-zero before calling
`pc236_intr_disable()` as that means the I/O base addresses have been
saved and the hardware registers can be accessed. It also implies the
comedi device private data pointer is valid, so there is no need to
check it.
Ian Abbott [Wed, 3 Oct 2012 15:25:16 +0000 (16:25 +0100)]
staging: comedi: amplc_dio200: fix possible NULL deref during detach
`dio200_detach()` is called by the comedi core to clean up if either
`dio200_attach()` or `dio200_attach_pci()` return an error. It assigns
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. In the case of a previous call to `dio200_attach()` it won't
be `NULL` because the comedi core will have pointed it to one of the
elements of `dio200_boards[]`, but in the case of a previous call to
`dio200_attach_pci()` it could be `NULL`, leading to a null pointer
dereference.
Check that `thisboard` is valid at the top of `dio200_detach()` and
return early if it is `NULL`. This is okay because the only other thing
that could have been allocated is `dev->private` and that is freed by
the comedi core, not by this function.
Ian Abbott [Wed, 3 Oct 2012 15:25:15 +0000 (16:25 +0100)]
staging: comedi: 8255_pci: fix possible NULL deref during detach
`pci_8255_detach()` will be called by the comedi core if
`pci_8255_attach_pci()` returns an error. It currently assumes that
both `board` (assigned from the return value of `comedi_board(dev)`) and
`devpriv` (assigned from `dev->private`) are non-null, but they might
be null, leading to a null pointer dereference.
`pci_8255_detach()` doesn't need to do anything if either `board` or
`devpriv` are null, so just return early in this case.
Fred Brooks [Tue, 2 Oct 2012 10:10:26 +0000 (11:10 +0100)]
staging: comedi: ni_daq_700: fix dio subdevice regression
Here is a small patch to fix a problem caused by a previous patch that
removed the callback function. The callback remove patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1de02225358988e8fd48d1dc3fd12336bbae258a
I finally booted my dev machine on the latest kernel (running Debian
here so it's still on 3.2 normally) to test the ni_daq_700 driver with
my test program and noticed this bug.
Shift the DIO_R read result to bits 8..15 Digital direction
configuration: channels 0-7 output, 8-15 input (8225 device emu as port
A output, port B input, port C N/A).
Cc: <stable@vger.kernel.org> # 3.6.x Signed-off-by: Fred Brooks <nsaspook@nsaspook.com> Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usb hub: send clear_tt_buffer_complete events when canceling TT clear work
There is a race condition in the USB hub code with regard to handling
TT clear requests that can get the HCD driver in a deadlock. Usually
when an TT clear request is scheduled it will be executed immediately:
<7>[ 6.077583] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
<3>[ 6.078041] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
<7>[ 6.078299] hub_tt_work:731
<7>[ 9.309089] usb 2-1.5: link qh1-0e01/f4d506c0 start 0 [1/2 us]
<7>[ 9.324526] ehci_hcd 0000:00:1d.0: reused qh f4d4db00 schedule
<7>[ 9.324539] usb 2-1.3: link qh1-0e01/f4d4db00 start 0 [1/2 us]
<7>[ 9.341530] usb 1-1.1: link qh4-0e01/f397aec0 start 2 [1/2 us]
<7>[ 10.116159] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
<3>[ 10.116459] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
<7>[ 10.116537] hub_tt_work:731
However, if a suspend operation is triggered before hub_tt_work is
scheduled, hub_quiesce will cancel the work without notifying the HCD
driver:
<3>[ 35.033941] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d80
<5>[ 35.034022] sd 0:0:0:0: [sda] Stopping disk
<7>[ 35.034039] hub 2-1:1.0: hub_suspend
<7>[ 35.034067] usb 2-1: unlink qh256-0001/f3b1ab00 start 1 [1/0 us]
<7>[ 35.035085] hub 1-0:1.0: hub_suspend
<7>[ 35.035102] usb usb1: bus suspend, wakeup 0
<7>[ 35.035106] ehci_hcd 0000:00:1a.0: suspend root hub
<7>[ 35.035298] hub 2-0:1.0: hub_suspend
<7>[ 35.035313] usb usb2: bus suspend, wakeup 0
<7>[ 35.035315] ehci_hcd 0000:00:1d.0: suspend root hub
<6>[ 35.250017] PM: suspend of devices complete after 216.979 msecs
<6>[ 35.250822] PM: late suspend of devices complete after 0.799 msecs
<7>[ 35.252343] ehci_hcd 0000:00:1d.0: wakeup: 1
<7>[ 35.262923] ehci_hcd 0000:00:1d.0: --> PCI D3hot
<7>[ 35.263302] ehci_hcd 0000:00:1a.0: wakeup: 1
<7>[ 35.273912] ehci_hcd 0000:00:1a.0: --> PCI D3hot
<6>[ 35.274254] PM: noirq suspend of devices complete after 23.442 msecs
<6>[ 35.274975] ACPI: Preparing to enter system sleep state S3
<6>[ 35.292666] PM: Saving platform NVS memory
<7>[ 35.295030] Disabling non-boot CPUs ...
<6>[ 35.297351] CPU 1 is now offline
<6>[ 35.300345] CPU 2 is now offline
<6>[ 35.303929] CPU 3 is now offline
<7>[ 35.303931] lockdep: fixing up alternatives.
<6>[ 35.304825] Extended CMOS year: 2000
When the device will resume the EHCI driver will get stuck in
ehci_endpoint_disable waiting for the tt_clearing flag to reset:
This patch changes hub_quiesce behavior to flush the TT clear work
instead of canceling it, to make sure that no TT clear request remains
uncompleted before suspend.
Ming Lei [Tue, 9 Oct 2012 04:01:04 +0000 (12:01 +0800)]
firmware loader: sync firmware cache by async_synchronize_full_domain
async.c has provided synchronization mechanism on async_schedule_*,
so use async_synchronize_full_domain to sync caching firmware instead
of reinventing the wheel.
Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ming Lei [Tue, 9 Oct 2012 04:01:03 +0000 (12:01 +0800)]
firmware loader: let direct loading back on 'firmware_buf'
Firstly 'firmware_buf' is introduced to make all loading requests
to share one firmware kernel buffer, so firmware_buf should
be used in direct loading for saving memory and speedup firmware
loading.
introduces direct loading for fixing udev regression, but it
bypasses the firmware cache meachnism, so this patch enables
caching firmware for direct loading case since it is still needed
to solve drivers' dependency during system resume.
Cc: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ming Lei [Tue, 9 Oct 2012 04:01:02 +0000 (12:01 +0800)]
firmware loader: fix one reqeust_firmware race
Several loading requests may be pending on one same
firmware buf, and this patch moves fw_map_pages_buf()
before complete_all(&fw_buf->completion) and let all
requests see the mapped 'buf->data' once the loading
is completed.
Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ming Lei [Tue, 9 Oct 2012 04:01:01 +0000 (12:01 +0800)]
firmware loader: cancel uncache work before caching firmware
Under 'Opportunistic sleep' situation, system sleep might be
triggered very frequently, so the uncahce work may not be completed
before caching firmware during next suspend.
This patch cancels the uncache work before caching firmware to
fix the problem above.
Also this patch optimizes the cacheing firmware mechanism a bit by
only storing one firmware cache entry for one firmware image.
So if the firmware is still cached during suspend, it doesn't need
to be loaded from user space any more.
Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linus Walleij [Mon, 22 Oct 2012 09:17:24 +0000 (10:17 +0100)]
ARM: 7560/1: SMP_TWD: use DIV_ROUND_CLOSEST() for periodic mode
The periodic mode is currently calculated by a simple division
but we should pay more attention to our integer arithmetics.
Also delete a comment that does not make any sense.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Will Deacon [Fri, 19 Oct 2012 16:53:01 +0000 (17:53 +0100)]
ARM: 7559/1: smp: switch away from the idmap before updating init_mm.mm_count
When booting a secondary CPU, the primary CPU hands two sets of page
tables via the secondary_data struct:
(1) swapper_pg_dir: a normal, cacheable, shared (if SMP) mapping
of the kernel image (i.e. the tables used by init_mm).
(2) idmap_pgd: an uncached mapping of the .idmap.text ELF
section.
The idmap is generally used when enabling and disabling the MMU, which
includes early CPU boot. In this case, the secondary CPU switches to
swapper as soon as it enters C code:
struct mm_struct *mm = &init_mm;
unsigned int cpu = smp_processor_id();
/*
* All kernel threads share the same mm context; grab a
* reference and switch to it.
*/
atomic_inc(&mm->mm_count);
current->active_mm = mm;
cpumask_set_cpu(cpu, mm_cpumask(mm));
cpu_switch_mm(mm->pgd, mm);
This causes a problem on ARMv7, where the identity mapping is treated as
strongly-ordered leading to architecturally UNPREDICTABLE behaviour of
exclusive accesses, such as those used by atomic_inc.
This patch re-orders the secondary_start_kernel function so that we
switch to swapper before performing any exclusive accesses.
Cc: <stable@vger.kernel.org> Cc: David McKay <david.mckay@st.com> Reported-by: Gilles Chanteperdrix <gilles.chanteperdrix@xenomai.org> Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Dave Airlie [Mon, 22 Oct 2012 07:50:07 +0000 (17:50 +1000)]
Merge branch 'drm-nouveau-fixes' of git://git.freedesktop.org/git/nouveau/linux-2.6 into drm-fixes
Fixes from Ben, off note:
ACPI ROM regression fix,
some IGP and AGP regressions fixes from rework fallout.
* 'drm-nouveau-fixes' of git://git.freedesktop.org/git/nouveau/linux-2.6:
drm/nouveau/clock: fix missing pll type/addr when matching default entry
drm/nouveau/fb: fix reporting of memory type on GF8+ IGPs
drm/nv41/vm: don't init hw pciegart on boards with agp bridge
drm/nouveau/bios: fetch full 4KiB block to determine ACPI ROM image size
drm/nouveau: validate vbios size
drm/nouveau: warn when trying to free mm which is still in use
drm/nouveau: fix nouveau_mm/nouveau_mm_node leak
drm/nouveau/bios: improve error handling when reading the vbios from ACPI
drm/nouveau: handle same-fb page flips
Dmitry Torokhov [Mon, 22 Oct 2012 00:57:20 +0000 (17:57 -0700)]
Input: fix use-after-free introduced with dynamic minor changes
Commit 7f8d4cad1e4e ("Input: extend the number of event (and other)
devices") made evdev, joydev and mousedev to embed struct cdev into
their respective structures representing input devices.
Unfortunately character device structure may outlive the parent
structure unless we do not set it up as parent of character device so
that it will stay pinned until character device is freed.
Also, now that parent structure is pinned while character device exists
we do not need to pin and unpin it every time user opens or closes it.
Reported-by: Dave Jones <davej@redhat.com> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Acked-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Dmitry Torokhov [Mon, 22 Oct 2012 00:57:19 +0000 (17:57 -0700)]
char_dev: pin parent kobject
In certain cases (for example when a cdev structure is embedded into
another object whose lifetime is controlled by a separate kobject) it is
beneficial to tie lifetime of another object to the lifetime of
character device so that related object is not freed until after
char_dev object is freed.
To achieve this let's pin kobject's parent when doing cdev_add() and
unpin when last reference to cdev structure is being released.
Ben Skeggs [Mon, 22 Oct 2012 04:10:16 +0000 (14:10 +1000)]
drm/nouveau/clock: fix missing pll type/addr when matching default entry
This issue is a regression from 70790f4f819875e8f390871fd15bbbf823f28e1b,
and causes us to miss a special-case for C51 (NV4E) chipsets and return
the wrong reference frequency for the VPLLs.
Tao Ma [Mon, 22 Oct 2012 04:34:32 +0000 (00:34 -0400)]
ext4: Checksum the block bitmap properly with bigalloc enabled
In mke2fs, we only checksum the whole bitmap block and it is right.
While in the kernel, we use EXT4_BLOCKS_PER_GROUP to indicate the
size of the checksumed bitmap which is wrong when we enable bigalloc.
The right size should be EXT4_CLUSTERS_PER_GROUP and this patch fixes
it.
Also as every caller of ext4_block_bitmap_csum_set and
ext4_block_bitmap_csum_verify pass in EXT4_BLOCKS_PER_GROUP(sb)/8,
we'd better removes this parameter and sets it in the function itself.
Signed-off-by: Tao Ma <boyu.mt@taobao.com> Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> Reviewed-by: Lukas Czerner <lczerner@redhat.com> Cc: stable@vger.kernel.org
Blackfin: Annotate strncpy_from_user src parameter with __user
The src parameter of strncpy_from_user is supposed to take a string from
userspace, so it should be annotated with __user. Doing so fixes the following
and similar warnings from sparse:
kernel/sys.c:491:51: warning: incorrect type in argument 2 (different address spaces)
kernel/sys.c:491:51: expected char const *src
kernel/sys.c:491:51: got void [noderef] <asn:1>*arg
kernel/sys.c:2061:54: warning: incorrect type in argument 2 (different address spaces)
kernel/sys.c:2061:54: expected char const *src
kernel/sys.c:2061:54: got char [noderef] <asn:1>*<noident>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Bob Liu <lliubbo@gmail.com>
Marcin Slusarz [Sun, 21 Oct 2012 23:59:20 +0000 (09:59 +1000)]
drm/nouveau: validate vbios size
Without checking, we could detect vbios size as 0, allocate 0-byte array
(kmalloc returns invalid pointer for such allocation) and crash in
nouveau_bios_score while checking for vbios signature.
Reported-by: Heinz Diehl <htd@fritha.org> Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com> Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Marcin Slusarz [Fri, 5 Oct 2012 10:26:32 +0000 (12:26 +0200)]
drm/nouveau: handle same-fb page flips
It's questionable use case, but weston/wayland already relies on this
behaviour, and other drivers don't care about it, so it's a matter of
compatibility. Without it, process invoking such page flip hangs in
unkillable state, trying to reserve the same buffer twice.
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com> Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
David S. Miller [Mon, 22 Oct 2012 00:57:37 +0000 (20:57 -0400)]
Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
John W. Linville says:
====================
This is a batch of fixes intended for the 3.7 stream.
Dan Carpenter brings a fix for a simple signedness bug that could
prevent the proper termination of a loop.
Felix Fietkau found a few more places that need to use
ieee80211_free_txskb for properly releasing SKBs used by mac80211.
Franky Lin offers a pair of brcmfmac fixes, both fixing simple state
reporting errors.
Hante Meuleman corrects an error reporting case that wasn't handling
all types of errors properly.
Johan Hedberg offers a fix for an issue discovered at the Bluetooth
UnPlug Fest. Gustavo says "the patch fixes a failure to pair with
devices that support the LE Secure Connections feature."
Johannes Berg sends an iwlwifi fix to handle a message type that
is too large for the normal command mechanism. He also provides a
mac80211 fix to use HT20 channels when HT40 channels are not permitted.
Jouni Malinen offers a mac80211 fix for a masking error that was
incorrectly marking some frames.
Piotr Haber provides a fix to make sure bcma devices are unregistered
properly.
Stanislav Yakovlev gives us a fix for a panic in the ipw2200 driver.
Stanislaw Gruszka sends a pair of fixes: one prevents a mismatch on
connection states between cfg80211 and mac80211; the other prevents
some frame corruption related to handling encryption.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Dave Airlie [Sun, 21 Oct 2012 23:55:29 +0000 (09:55 +1000)]
Merge branch 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel into drm-fixes
Daniel writes:
The big thing is the disabling of the hsw support by default, cc: stable.
We've aimed for basic hsw support in 3.6, but due to a few bad
happenstances we've screwed up and only 3.8 will have better modeset
support than vesa. To avoid yet another round of fallout from such a
gaffle on for the next platform we've added a module option to disable
early hw support by default. That should also give us more flexibility in
bring-up.
Otherwise just small fixes:
- 3 fixes from Egbert for sdvo corner cases
- invert-brightness quirk entry from Egbert
- revert a dp link training change, it regresses some setups
- and shut up a spurious WARN in our gem fault handler.
- regression fix for an oops on bit17 swizzling machines, introduce in 3.7
- another no-lvds quirk
* 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel:
drm/i915: Initialize obj->pages before use by i915_gem_object_do_bit17_swizzle()
drm/i915: Add no-lvds quirk for Supermicro X7SPA-H
drm/i915: Insert i915_preliminary_hw_support variable.
drm/i915: shut up spurious WARN in the gtt fault handler
Revert "drm/i915: Try harder to complete DP training pattern 1"
DRM/i915: Restore sdvo_flags after dtd->mode->dtd Roundrtrip.
DRM/i915: Don't clone SDVO LVDS with analog.
DRM/i915: Add QUIRK_INVERT_BRIGHTNESS for NCR machines.
DRM/i915: Don't delete DPLL Multiplier during DAC init.
Julia Lawall [Sun, 21 Oct 2012 10:52:03 +0000 (12:52 +0200)]
ALSA: sound/isa/opti9xx/miro.c: eliminate possible double free
snd_miro_probe is a static function that is only called twice in the file
that defines it. At each call site, its argument is freed using
snd_card_free. Thus, there is no need for snd_miro_probe to call
snd_card_free on its argument on any of its error exit paths.
Because snd_card_free both reads the fields of its argument and kfrees its
argments, the results of the second snd_card_free should be unpredictable.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
Linus Torvalds [Sat, 20 Oct 2012 16:48:10 +0000 (09:48 -0700)]
Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64
Pull arm64 fixes from Catalin Marinas:
"Main changes:
- AArch64 Linux compilation fixes following 3.7-rc1 changes
(MODULES_USE_ELF_RELA, update_vsyscall() prototype)
- Unnecessary register setting in start_thread() (thanks to Al Viro)
- ptrace fixes"
* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/cmarinas/linux-aarch64:
arm64: fix alignment padding in assembly code
arm64: ptrace: use HW_BREAKPOINT_EMPTY type for disabled breakpoints
arm64: ptrace: make structure padding explicit for debug registers
arm64: No need to set the x0-x2 registers in start_thread()
arm64: Ignore memory blocks below PHYS_OFFSET
arm64: Fix the update_vsyscall() prototype
arm64: Select MODULES_USE_ELF_RELA
arm64: Remove duplicate inclusion of mmu_context.h in smp.c
Marc Zyngier [Fri, 19 Oct 2012 16:33:27 +0000 (17:33 +0100)]
arm64: fix alignment padding in assembly code
An interesting effect of using the generic version of linkage.h
is that the padding is defined in terms of x86 NOPs, which can have
even more interesting effects when the assembly code looks like this:
ENTRY(func1)
mov x0, xzr
ENDPROC(func1)
// fall through
ENTRY(func2)
mov x0, #1
ret
ENDPROC(func2)
Admittedly, the code is not very nice. But having code from another
architecture doesn't look completely sane either.
The fix is to add arm64's version of linkage.h, which causes the insertion
of proper AArch64 NOPs.
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com> Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Adrian Knoth [Fri, 19 Oct 2012 15:42:26 +0000 (17:42 +0200)]
ALSA: hdspm - Also report autosync_sample_rate on MADI and MADIface
MADI and MADIface used to report the autosync_sample_rate. This
functionality was lost in commit 0dca1793063c28dde8f6c49c9c72203fe5cb6efc, this commit now adds it back.
Signed-off-by: Adrian Knoth <adi@drcomp.erfurt.thur.de> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Adrian Knoth [Fri, 19 Oct 2012 15:42:24 +0000 (17:42 +0200)]
ALSA: hdspm - Fix sync check reporting on all RME HDSPM cards
Due to missing breaks and the resulting fall-through, card subtype
selection was effectively missing, thus causing the wrong sync check
functions to be called.
Signed-off-by: Adrian Knoth <adi@drcomp.erfurt.thur.de> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Adrian Knoth [Fri, 19 Oct 2012 15:42:22 +0000 (17:42 +0200)]
ALSA: hdspm - Allow DDS/Varispeed to be set from userspace
The DDS value is the actual physical sample rate. We set it indirectly
when selecting 44100, 48000 and so on via snd_hdspm_hw_params or
hdspm_set_clock_source.
This commit now allows the DDS value to be altered at runtime, thus
speeding up or slowing down the physical sample rate. This is required
for MADI's varispeed that allows for ±12.5% speed adjustment from the
"selected" rate (32kHz, 44100kHz, 48kHz and so on).
Signed-off-by: Adrian Knoth <adi@drcomp.erfurt.thur.de> Signed-off-by: Takashi Iwai <tiwai@suse.de>
projects / karo-tx-linux.git / log