]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
12 years agoUSB: sierra: fix memory leak in attach error path
Johan Hovold [Thu, 25 Oct 2012 08:29:17 +0000 (10:29 +0200)]
USB: sierra: fix memory leak in attach error path

commit 7e41f9bcdd2e813ea2a3c40db291d87ea06b559f upstream.

Make sure port private data is deallocated on errors in attach.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: serial: Fix memory leak in sierra_release()
Lennart Sorensen [Wed, 24 Oct 2012 14:23:09 +0000 (10:23 -0400)]
USB: serial: Fix memory leak in sierra_release()

commit f7bc5051667b74c3861f79eed98c60d5c3b883f7 upstream.

I found a memory leak in sierra_release() (well sierra_probe() I guess)
that looses 8 bytes each time the driver releases a device.

Signed-off-by: Len Sorensen <lsorense@csclub.uwaterloo.ca>
Acked-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: quatech2: fix io after disconnect
Johan Hovold [Thu, 25 Oct 2012 08:29:10 +0000 (10:29 +0200)]
USB: quatech2: fix io after disconnect

commit 2f0295adf6438188c4cd0868f2b1976a2b034e1d upstream.

Make sure no control urb is submitted during close after a disconnect by
checking the disconnected flag.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: quatech2: fix close and disconnect urb handling
Johan Hovold [Thu, 25 Oct 2012 08:29:09 +0000 (10:29 +0200)]
USB: quatech2: fix close and disconnect urb handling

commit 8e512ab0b675da20e023439a5811e3f2554e6852 upstream.

Kill urbs unconditionally at close and disconnect.

Note that URB status is not valid outside of completion handler.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: quatech2: fix port-data memory leaks
Johan Hovold [Thu, 25 Oct 2012 08:29:08 +0000 (10:29 +0200)]
USB: quatech2: fix port-data memory leaks

commit 40d04738491d7ac1aa708ba434ff3480ec9e1b96 upstream.

Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Note that this also fixes memory leaks in the error path of attach where
the write urbs were not freed on errors.

Make sure all interface-data deallocation is done in release by moving
the read urb deallocation from disconnect.

Note that the write urb is killed during close so that the call in
disconnect was superfluous.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: Bill Pemberton <wfp5p@virginia.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: quatech2: fix memory leak in error path
Johan Hovold [Thu, 25 Oct 2012 08:29:07 +0000 (10:29 +0200)]
USB: quatech2: fix memory leak in error path

commit b8a0055050b6294826171641b182c09f78f4cc63 upstream.

Fix memory leak in attach error path where the read urb was never freed.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: Bill Pemberton <wfp5p@virginia.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: mos7720: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:29:05 +0000 (10:29 +0200)]
USB: mos7720: fix port-data memory leak

commit 4230af572f95b3115bba1ee6fb95681f3851ab26 upstream.

Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Note that this patch also fixes a second port-data memory leak in the
error path of attach, should parallel-port initialisation fail.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: metro-usb: fix io after disconnect
Johan Hovold [Thu, 25 Oct 2012 08:29:00 +0000 (10:29 +0200)]
USB: metro-usb: fix io after disconnect

commit 2ee44fbeac92c36e53779a57ee84cfee1affe418 upstream.

Make sure no control urb is submitted during close after a disconnect by
checking the disconnected flag.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: metro-usb: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:28:59 +0000 (10:28 +0200)]
USB: metro-usb: fix port-data memory leak

commit 50dde8686eec41bf3d7cbec7a6f76c073ab01903 upstream.

Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Note that the call to metrousb_clean (close) in shutdown was redundant.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: opticon: fix memory leak in error path
Johan Hovold [Thu, 25 Oct 2012 08:29:12 +0000 (10:29 +0200)]
USB: opticon: fix memory leak in error path

commit acbf0e5263de563e25f7c104868e4490b9e72b13 upstream.

Fix memory leak in write error path.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: opticon: fix DMA from stack
Johan Hovold [Thu, 25 Oct 2012 08:29:11 +0000 (10:29 +0200)]
USB: opticon: fix DMA from stack

commit ea0dbebffe118724cd4df7d9b071ea8ee48d48f0 upstream.

Make sure to allocate the control-message buffer dynamically as some
platforms cannot do DMA from stack.

Note that only the first byte of the old buffer was used.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: whiteheat: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:29:02 +0000 (10:29 +0200)]
USB: whiteheat: fix port-data memory leak

commit c467206ed6bcce26c83d0435612cc4fee2527305 upstream.

Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Note that the fifth port (command port) is never registered as a
port device and thus should be handled in attach and release.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: <support@connecttech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: whiteheat: fix memory leak in error path
Johan Hovold [Thu, 25 Oct 2012 08:29:01 +0000 (10:29 +0200)]
USB: whiteheat: fix memory leak in error path

commit c129197c99550d356cf5f69b046994dd53cd1b9d upstream.

Make sure command buffer is deallocated in case of errors during attach.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: <support@connecttech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: qcserial: fix interface-data memory leak in error path
Johan Hovold [Thu, 25 Oct 2012 13:42:41 +0000 (15:42 +0200)]
USB: qcserial: fix interface-data memory leak in error path

commit 961be09e1ead58509ed4bed0d5819a15d8613d8d upstream.

Move interface data allocation to attach so that it is deallocated
should usb-serial probe fail.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: omninet: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:29:06 +0000 (10:29 +0200)]
USB: omninet: fix port-data memory leak

commit feffa7ca6008ab859dd7ab7448a5a899bf0aa98f upstream.

Fix port-data memory leak by replacing attach and release with
port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: keyspan: fix NULL-pointer dereferences and memory leaks
Johan Hovold [Thu, 25 Oct 2012 08:29:15 +0000 (10:29 +0200)]
USB: keyspan: fix NULL-pointer dereferences and memory leaks

commit f79b2d0fe81eecb412dc48e87a119afc690da8e9 upstream.

Fix NULL-pointer dereference at release by moving port data allocation
and deallocation to port_probe and port_remove.

Fix NULL-pointer dereference at disconnect by stopping port urbs at
port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer accessible at
disconnect or release.

Note that this patch also fixes port and interface-data memory leaks in
the error path of attach should port initialisation fail for any port.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: option: fix interface-data memory leak in error path
Johan Hovold [Thu, 25 Oct 2012 13:42:40 +0000 (15:42 +0200)]
USB: option: fix interface-data memory leak in error path

commit c2dd4a8eac7821fed2c2d19e4607d0986b53b0fe upstream.

Move interface data allocation to attach so that it is deallocated
should usb-serial probe fail.

Note that the usb device id is stored at probe so that it can be used
in attach to determine send-setup blacklisting.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: mct_u232: fix broken close
Johan Hovold [Thu, 25 Oct 2012 08:29:14 +0000 (10:29 +0200)]
USB: mct_u232: fix broken close

commit 5260e458f5eff269a43e4f1e9c47186c57b88ddb upstream.

Make sure generic close is called at close.

The driver relies on the generic write implementation but did not call
generic close.

Note that the call to kill the read urb is not redundant, as mct_u232
uses an interrupt urb from the second port as the read urb and that
generic close therefore fails to kill it.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: mct_u232: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:29:13 +0000 (10:29 +0200)]
USB: mct_u232: fix port-data memory leak

commit a8f2ae7a3aa59079d7e7e1ddf5007f03532f458c upstream.

Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Note that the write waitqueue was initialised but never used.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: ipw: fix interface-data memory leak in error path
Johan Hovold [Thu, 25 Oct 2012 13:42:39 +0000 (15:42 +0200)]
USB: ipw: fix interface-data memory leak in error path

commit a997448c89905b80aa4022f734f03685e733d711 upstream.

Move interface data allocation to attach so that it is deallocated
should usb-serial probe fail.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: digi_acceleport: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:29:04 +0000 (10:29 +0200)]
USB: digi_acceleport: fix port-data memory leak

commit fb44ff854e148bc5c5982dad32da98b7a0989d2d upstream.

Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.

Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.

Note that the oob port is never registered as a port device and should
thus be handled in attach and release.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: Peter Berger <pberger@brimson.com>
Cc: Al Borchers <alborchers@steinerpoint.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: ch341: fix port-data memory leak
Johan Hovold [Thu, 25 Oct 2012 08:29:03 +0000 (10:29 +0200)]
USB: ch341: fix port-data memory leak

commit 456c5be56ed070a4d883c60b587bcc1c97a8cf3e upstream.

Fix port-data memory leak by moving port data allocation to port_probe
and actually implementing deallocation.

Note that this driver has never even bothered to try to deallocate it's
port data...

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agousb hub: send clear_tt_buffer_complete events when canceling TT clear work
Octavian Purdila [Mon, 1 Oct 2012 19:21:12 +0000 (22:21 +0300)]
usb hub: send clear_tt_buffer_complete events when canceling TT clear work

commit 3b6054da68f9b0d5ed6a7ed0f42a79e61904352c upstream.

There is a race condition in the USB hub code with regard to handling
TT clear requests that can get the HCD driver in a deadlock. Usually
when an TT clear request is scheduled it will be executed immediately:

<7>[    6.077583] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
<3>[    6.078041] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
<7>[    6.078299] hub_tt_work:731
<7>[    9.309089] usb 2-1.5: link qh1-0e01/f4d506c0 start 0 [1/2 us]
<7>[    9.324526] ehci_hcd 0000:00:1d.0: reused qh f4d4db00 schedule
<7>[    9.324539] usb 2-1.3: link qh1-0e01/f4d4db00 start 0 [1/2 us]
<7>[    9.341530] usb 1-1.1: link qh4-0e01/f397aec0 start 2 [1/2 us]
<7>[   10.116159] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
<3>[   10.116459] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
<7>[   10.116537] hub_tt_work:731

However, if a suspend operation is triggered before hub_tt_work is
scheduled, hub_quiesce will cancel the work without notifying the HCD
driver:

<3>[   35.033941] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d80
<5>[   35.034022] sd 0:0:0:0: [sda] Stopping disk
<7>[   35.034039] hub 2-1:1.0: hub_suspend
<7>[   35.034067] usb 2-1: unlink qh256-0001/f3b1ab00 start 1 [1/0 us]
<7>[   35.035085] hub 1-0:1.0: hub_suspend
<7>[   35.035102] usb usb1: bus suspend, wakeup 0
<7>[   35.035106] ehci_hcd 0000:00:1a.0: suspend root hub
<7>[   35.035298] hub 2-0:1.0: hub_suspend
<7>[   35.035313] usb usb2: bus suspend, wakeup 0
<7>[   35.035315] ehci_hcd 0000:00:1d.0: suspend root hub
<6>[   35.250017] PM: suspend of devices complete after 216.979 msecs
<6>[   35.250822] PM: late suspend of devices complete after 0.799 msecs
<7>[   35.252343] ehci_hcd 0000:00:1d.0: wakeup: 1
<7>[   35.262923] ehci_hcd 0000:00:1d.0: --> PCI D3hot
<7>[   35.263302] ehci_hcd 0000:00:1a.0: wakeup: 1
<7>[   35.273912] ehci_hcd 0000:00:1a.0: --> PCI D3hot
<6>[   35.274254] PM: noirq suspend of devices complete after 23.442 msecs
<6>[   35.274975] ACPI: Preparing to enter system sleep state S3
<6>[   35.292666] PM: Saving platform NVS memory
<7>[   35.295030] Disabling non-boot CPUs ...
<6>[   35.297351] CPU 1 is now offline
<6>[   35.300345] CPU 2 is now offline
<6>[   35.303929] CPU 3 is now offline
<7>[   35.303931] lockdep: fixing up alternatives.
<6>[   35.304825] Extended CMOS year: 2000

When the device will resume the EHCI driver will get stuck in
ehci_endpoint_disable waiting for the tt_clearing flag to reset:

<0>[   47.610967] usb 2-1.3: **** DPM device timeout ****
<7>[   47.610972]  f2f11c60 00000092 f2f11c0c c10624a5 00000003 f4c6e880 c1c8a4c0 c1c8a4c0
<7>[   47.610983]  15c55698 0000000b f56b34c0 f2a45b70 f4c6e880 00000082 f2a4602c f2f11c30
<7>[   47.610993]  c10787f8 f4cac000 f2a45b70 00000000 f4cac010 f2f11c58 00000046 00000001
<7>[   47.611004] Call Trace:
<7>[   47.611006]  [<c10624a5>] ? sched_clock_cpu+0xf5/0x160
<7>[   47.611019]  [<c10787f8>] ? lock_release_holdtime.part.22+0x88/0xf0
<7>[   47.611026]  [<c103ed46>] ? lock_timer_base.isra.35+0x26/0x50
<7>[   47.611034]  [<c17592d3>] ? schedule_timeout+0x133/0x290
<7>[   47.611044]  [<c175b43e>] schedule+0x1e/0x50
<7>[   47.611051]  [<c17592d8>] schedule_timeout+0x138/0x290
<7>[   47.611057]  [<c10624a5>] ? sched_clock_cpu+0xf5/0x160
<7>[   47.611063]  [<c103e560>] ? usleep_range+0x40/0x40
<7>[   47.611070]  [<c1759445>] schedule_timeout_uninterruptible+0x15/0x20
<7>[   47.611077]  [<c14935f4>] ehci_endpoint_disable+0x64/0x160
<7>[   47.611084]  [<c147d1ee>] ? usb_hcd_flush_endpoint+0x10e/0x1d0
<7>[   47.611092]  [<c1165663>] ? sysfs_add_file+0x13/0x20
<7>[   47.611100]  [<c147d5a9>] usb_hcd_disable_endpoint+0x29/0x40
<7>[   47.611107]  [<c147fafc>] usb_disable_endpoint+0x5c/0x80
<7>[   47.611111]  [<c147fb57>] usb_disable_interface+0x37/0x50
<7>[   47.611116]  [<c1477650>] usb_reset_and_verify_device+0x4b0/0x640
<7>[   47.611122]  [<c1474665>] ? hub_port_status+0xb5/0x100
<7>[   47.611129]  [<c147a975>] usb_port_resume+0xd5/0x220
<7>[   47.611136]  [<c148877f>] generic_resume+0xf/0x30
<7>[   47.611142]  [<c14821a3>] usb_resume+0x133/0x180
<7>[   47.611147]  [<c1473b10>] ? usb_dev_thaw+0x10/0x10
<7>[   47.611152]  [<c1473b1d>] usb_dev_resume+0xd/0x10
<7>[   47.611157]  [<c13baa60>] dpm_run_callback+0x40/0xb0
<7>[   47.611164]  [<c13bdb03>] ? pm_runtime_enable+0x43/0x70
<7>[   47.611171]  [<c13bafc6>] device_resume+0x1a6/0x2c0
<7>[   47.611177]  [<c13ba940>] ? dpm_show_time+0xe0/0xe0
<7>[   47.611183]  [<c13bb0f9>] async_resume+0x19/0x40
<7>[   47.611189]  [<c10580c4>] async_run_entry_fn+0x64/0x160
<7>[   47.611196]  [<c104a244>] ? process_one_work+0x104/0x480
<7>[   47.611203]  [<c104a24c>] ? process_one_work+0x10c/0x480
<7>[   47.611209]  [<c104a2c0>] process_one_work+0x180/0x480
<7>[   47.611215]  [<c104a244>] ? process_one_work+0x104/0x480
<7>[   47.611220]  [<c1058060>] ? async_schedule+0x10/0x10
<7>[   47.611226]  [<c104c15c>] worker_thread+0x11c/0x2f0
<7>[   47.611233]  [<c104c040>] ? manage_workers.isra.27+0x1f0/0x1f0
<7>[   47.611239]  [<c10507f8>] kthread+0x78/0x80
<7>[   47.611244]  [<c1750000>] ? timer_cpu_notify+0xd6/0x20d
<7>[   47.611253]  [<c1050780>] ? __init_kthread_worker+0x60/0x60
<7>[   47.611258]  [<c176357e>] kernel_thread_helper+0x6/0xd
<7>[   47.611283] ------------[ cut here ]------------

This patch changes hub_quiesce behavior to flush the TT clear work
instead of canceling it, to make sure that no TT clear request remains
uncompleted before suspend.

Signed-off-by: Octavian Purdila <octavian.purdila@intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoUSB: usb-wwan: fix multiple memory leaks in error paths
Johan Hovold [Thu, 25 Oct 2012 08:29:16 +0000 (10:29 +0200)]
USB: usb-wwan: fix multiple memory leaks in error paths

commit b8f0e82044c9ba40e92340c8a6d47d6bd6d819bc upstream.

Fix port-data memory leak in usb-serial probe error path by moving port
data allocation to port_probe.

Since commit a1028f0abf ("usb: usb_wwan: replace release and disconnect
with a port_remove hook") port data is deallocated in port_remove. This
leaves a possibility for memory leaks if usb-serial probe fails after
attach but before the port in question has been successfully registered.

Note that this patch also fixes two additional memory leaks in the error
path of attach should port initialisation fail for any port as the urbs
were never freed and neither was the data of any of the successfully
initialised ports.

Compile-only tested.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agousb-storage: add unusual_devs entry for Casio EX-N1 digital camera
Michael Shigorin [Mon, 22 Oct 2012 09:18:56 +0000 (12:18 +0300)]
usb-storage: add unusual_devs entry for Casio EX-N1 digital camera

commit d7870af7e2e3a91b462075ec1ca669b482215187 upstream.

This commit sets removable subclass for Casio EX-N1 digital camera.

The patch has been tested within an ALT Linux kernel:
http://git.altlinux.org/people/led/packages/?p=kernel-image-3.0.git;a=commitdiff;h=c0fd891836e89fe0c93a4d536a59216d90e4e3e7

See also https://bugzilla.kernel.org/show_bug.cgi?id=49221

Signed-off-by: Oleksandr Chumachenko <ledest@gmail.com>
Signed-off-by: Michael Shigorin <mike@osdn.org.ua>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoehci: Add yet-another Lucid nohandoff pci quirk
Anisse Astier [Tue, 9 Oct 2012 10:22:37 +0000 (12:22 +0200)]
ehci: Add yet-another Lucid nohandoff pci quirk

commit 8daf8b6086f9d575200cd0aa3797e26137255609 upstream.

Board name changed on another shipping Lucid tablet.

Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoehci: fix Lucid nohandoff pci quirk to be more generic with BIOS versions
Anisse Astier [Tue, 9 Oct 2012 10:22:36 +0000 (12:22 +0200)]
ehci: fix Lucid nohandoff pci quirk to be more generic with BIOS versions

commit c323dc023b9501e5d09582ec7efd1d40a9001d99 upstream.

BIOS vendors keep changing the BIOS versions. Only match the beginning
of the string to match all Lucid tablets with board name M11JB.

Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoDrivers: hv: Cleanup error handling in vmbus_open()
K. Y. Srinivasan [Fri, 12 Oct 2012 20:22:42 +0000 (13:22 -0700)]
Drivers: hv: Cleanup error handling in vmbus_open()

commit 1392550240aaa72ce3a094a38bd23525cd67ce60 upstream.

Fix a memory leak  in the error handling path in the function vmbus_open().

Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Reported-by: Jason Wang <jasowang@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoextcon: unregister compat link on cleanup
Peter Huewe [Mon, 24 Sep 2012 06:36:24 +0000 (15:36 +0900)]
extcon: unregister compat link on cleanup

commit 824a1bc045cef278aec15bef35d8d0b59ce77856 upstream.

Since extcon registers this compat link at device registration
(extcon_dev_register), we should probably remove them at deregistration/cleanup.

Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
12 years agoextcon: Unregister compat class at module unload to fix oops
Peter Huewe [Mon, 24 Sep 2012 06:32:31 +0000 (15:32 +0900)]
extcon: Unregister compat class at module unload to fix oops

commit 0dc77b6dabec8fd298392018cc0de5214af2dc43 upstream.

If you compile extcon with CONFIG_ANDROID and then load and unload the
module you get a simple oops as the driver does not unregister its
compat class and thus cannot register it again.

Full trace:

root@(none):~# modprobe extcon_class
root@(none):~# rmmod extcon_class
root@(none):~# modprobe extcon_class
------------[ cut here ]------------
WARNING: at fs/sysfs/dir.c:536 sysfs_add_one+0xde/0x100()
sysfs: cannot create duplicate filename '/class/switch'
Modules linked in: extcon_class(+) [last unloaded: extcon_class]
Call Trace:
9f451a00:  [<602a58bc>] printk+0x0/0xa8
9f451a18:  [<60039b43>] warn_slowpath_common+0x93/0xd0
9f451a28:  [<6012c6de>] sysfs_add_one+0xde/0x100
9f451a50:  [<601d3d90>] strcat+0x0/0x40
9f451a68:  [<60039cdc>] warn_slowpath_fmt+0x9c/0xa0
9f451a90:  [<6002fe32>] unblock_signals+0x0/0x84
9f451ab0:  [<60039c40>] warn_slowpath_fmt+0x0/0xa0
9f451ac0:  [<6002fe32>] unblock_signals+0x0/0x84
9f451ae8:  [<6012bd97>] sysfs_pathname.isra.10+0x57/0x70
9f451b00:  [<601d3d90>] strcat+0x0/0x40
9f451b18:  [<6012bd97>] sysfs_pathname.isra.10+0x57/0x70
9f451b48:  [<6012c6de>] sysfs_add_one+0xde/0x100
9f451b78:  [<6012c96f>] create_dir+0x8f/0x100
9f451bc0:  [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451bd8:  [<6012cda6>] sysfs_create_dir+0xa6/0x1c0
9f451be8:  [<601d89f1>] kvasprintf+0x81/0xa0
9f451bf8:  [<601cf0f0>] kobject_get+0x0/0x50
9f451c18:  [<601cf396>] kobject_add_internal+0x96/0x280
9f451c60:  [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451c78:  [<601cfb93>] kobject_add+0xd3/0x140
9f451cc0:  [<601cfac0>] kobject_add+0x0/0x140
9f451cd0:  [<6002fe32>] unblock_signals+0x0/0x84
9f451cf8:  [<6002fffc>] set_signals+0x29/0x3f
9f451d28:  [<600c1de1>] kmem_cache_alloc+0xe1/0x100
9f451d78:  [<601cffa0>] kobject_create_and_add+0x50/0xa0
9f451da8:  [<601fbe76>] class_compat_register+0x56/0x80
9f451dc8:  [<a085d118>] create_extcon_class+0x88/0xd0 [extcon_class]
9f451de8:  [<a0861010>] extcon_class_init+0x10/0x12 [extcon_class]
9f451df8:  [<600189a8>] do_one_initcall+0x48/0x1f0
9f451e20:  [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e30:  [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e58:  [<6007e3c3>] sys_init_module+0xa3/0x280
9f451e88:  [<6001e2ad>] handle_syscall+0x8d/0x90
9f451ea8:  [<60033370>] userspace+0x405/0x531
9f451ee8:  [<6001e380>] copy_chunk_to_user+0x0/0x40
9f451ef8:  [<6001e5cd>] do_op_one_page+0x14d/0x220
9f451fd8:  [<6001a355>] fork_handler+0x95/0xa0

---[ end trace dd512cc03fe1c367 ]---
------------[ cut here ]------------
WARNING: at lib/kobject.c:196 kobject_add_internal+0x26e/0x280()
kobject_add_internal failed for switch with -EEXIST, don't try to
register things with the same name in the same directory.
Modules linked in: extcon_class(+) [last unloaded: extcon_class]
Call Trace:
9f451ad0:  [<602a58bc>] printk+0x0/0xa8
9f451ae8:  [<60039b43>] warn_slowpath_common+0x93/0xd0
9f451af8:  [<601cf56e>] kobject_add_internal+0x26e/0x280
9f451b18:  [<601cf140>] kobject_put+0x0/0x70
9f451b20:  [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451b38:  [<60039cdc>] warn_slowpath_fmt+0x9c/0xa0
9f451b88:  [<60039c40>] warn_slowpath_fmt+0x0/0xa0
9f451bc0:  [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451bd8:  [<6012cda6>] sysfs_create_dir+0xa6/0x1c0
9f451be8:  [<601d89f1>] kvasprintf+0x81/0xa0
9f451bf8:  [<601cf0f0>] kobject_get+0x0/0x50
9f451c18:  [<601cf56e>] kobject_add_internal+0x26e/0x280
9f451c60:  [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451c78:  [<601cfb93>] kobject_add+0xd3/0x140
9f451cc0:  [<601cfac0>] kobject_add+0x0/0x140
9f451cd0:  [<6002fe32>] unblock_signals+0x0/0x84
9f451cf8:  [<6002fffc>] set_signals+0x29/0x3f
9f451d28:  [<600c1de1>] kmem_cache_alloc+0xe1/0x100
9f451d78:  [<601cffa0>] kobject_create_and_add+0x50/0xa0
9f451da8:  [<601fbe76>] class_compat_register+0x56/0x80
9f451dc8:  [<a085d118>] create_extcon_class+0x88/0xd0 [extcon_class]
9f451de8:  [<a0861010>] extcon_class_init+0x10/0x12 [extcon_class]
9f451df8:  [<600189a8>] do_one_initcall+0x48/0x1f0
9f451e20:  [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e30:  [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e58:  [<6007e3c3>] sys_init_module+0xa3/0x280
9f451e88:  [<6001e2ad>] handle_syscall+0x8d/0x90
9f451ea8:  [<60033370>] userspace+0x405/0x531
9f451ee8:  [<6001e380>] copy_chunk_to_user+0x0/0x40
9f451ef8:  [<6001e5cd>] do_op_one_page+0x14d/0x220
9f451fd8:  [<6001a355>] fork_handler+0x95/0xa0

---[ end trace dd512cc03fe1c368 ]---
kobject_create_and_add: kobject_add error: -17
------------[ cut here ]------------
WARNING: at drivers/extcon/extcon_class.c:545
create_extcon_class+0xbc/0xd0 [extcon_class]()
cannot allocate
Modules linked in: extcon_class(+) [last unloaded: extcon_class]
Call Trace:
9f451c80:  [<602a58bc>] printk+0x0/0xa8
9f451c98:  [<60039b43>] warn_slowpath_common+0x93/0xd0
9f451ca0:  [<6002fe32>] unblock_signals+0x0/0x84
9f451ca8:  [<a085d14c>] create_extcon_class+0xbc/0xd0 [extcon_class]
9f451cd0:  [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451ce8:  [<60039cdc>] warn_slowpath_fmt+0x9c/0xa0
9f451d20:  [<6002fe32>] unblock_signals+0x0/0x84
9f451d28:  [<60039c40>] warn_slowpath_fmt+0x0/0xa0
9f451d48:  [<6002fffc>] set_signals+0x29/0x3f
9f451d58:  [<601cf172>] kobject_put+0x32/0x70
9f451d78:  [<600c22c3>] kfree+0xb3/0x100
9f451da8:  [<601fbe9a>] class_compat_register+0x7a/0x80
9f451dc8:  [<a085d14c>] create_extcon_class+0xbc/0xd0 [extcon_class]
9f451de8:  [<a0861010>] extcon_class_init+0x10/0x12 [extcon_class]
9f451df8:  [<600189a8>] do_one_initcall+0x48/0x1f0
9f451e20:  [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e30:  [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e58:  [<6007e3c3>] sys_init_module+0xa3/0x280
9f451e88:  [<6001e2ad>] handle_syscall+0x8d/0x90
9f451ea8:  [<60033370>] userspace+0x405/0x531
9f451ee8:  [<6001e380>] copy_chunk_to_user+0x0/0x40
9f451ef8:  [<6001e5cd>] do_op_one_page+0x14d/0x220
9f451fd8:  [<6001a355>] fork_handler+0x95/0xa0

---[ end trace dd512cc03fe1c369 ]---
FATAL: Error inserting extcon_class
(/lib/modules/3.6.0-rc6-00178-g811315f/kernel/drivers/extcon/extcon_class.ko):
Cannot allocate memory

This patch fixes this.

Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: comedi: amplc_pc236: fix possible NULL deref during detach
Ian Abbott [Wed, 3 Oct 2012 15:25:18 +0000 (16:25 +0100)]
staging: comedi: amplc_pc236: fix possible NULL deref during detach

commit 2db012bd40b889d8e5483d3daa07af04c4c109d8 upstream.

`pc236_detach()` is called by the comedi core to clean up if either
`pc236_attach()` or `pc236_attach_pci()` returns an error.  It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  This is a valid assumption if `pc236_attach()` fails, but not
if `pc236_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `pc236_detach()` and return early if it
is `NULL`.  This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: comedi: amplc_pc236: fix invalid register access during detach
Ian Abbott [Wed, 3 Oct 2012 15:25:17 +0000 (16:25 +0100)]
staging: comedi: amplc_pc236: fix invalid register access during detach

commit aaeb61a97b7159ebe30b18a422d04eeabfa8790b upstream.

`pc236_detach()` is called by the comedi core if it attempted to attach
a device and failed.  `pc236_detach()` calls `pc236_intr_disable()` if
the comedi device private data pointer (`devpriv`) is non-null.  This
test is insufficient as `pc236_intr_disable()` accesses hardware
registers and the attach routine may have failed before it has saved
their I/O base addresses.

Fix it by checking `dev->iobase` is non-zero before calling
`pc236_intr_disable()` as that means the I/O base addresses have been
saved and the hardware registers can be accessed.  It also implies the
comedi device private data pointer is valid, so there is no need to
check it.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: comedi: amplc_pc263: fix possible NULL deref during detach
Ian Abbott [Wed, 3 Oct 2012 15:25:19 +0000 (16:25 +0100)]
staging: comedi: amplc_pc263: fix possible NULL deref during detach

commit 1d1171ffda585c1cab7bd7cf4bd8f8fd5923fb4a upstream.

`pc263_detach()` is called by the comedi core to clean up if either
`pc263_attach()` or `pc263_attach_pci()` returns an error.  It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  This is a valid assumption if `pc263_attach()` fails, but not
if `pc263_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `pc263_detach()` and return early if it
is `NULL`.  This is okay because no other resources need cleaning up in
this case.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: comedi: amplc_dio200: fix possible NULL deref during detach
Ian Abbott [Wed, 3 Oct 2012 15:25:16 +0000 (16:25 +0100)]
staging: comedi: amplc_dio200: fix possible NULL deref during detach

commit dfb2540e91e1f63765bc3ff497ad0b714d774261 upstream.

`dio200_detach()` is called by the comedi core to clean up if either
`dio200_attach()` or `dio200_attach_pci()` return an error.  It assigns
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  In the case of a previous call to `dio200_attach()` it won't
be `NULL` because the comedi core will have pointed it to one of the
elements of `dio200_boards[]`, but in the case of a previous call to
`dio200_attach_pci()` it could be `NULL`, leading to a null pointer
dereference.

Check that `thisboard` is valid at the top of `dio200_detach()` and
return early if it is `NULL`.  This is okay because the only other thing
that could have been allocated is `dev->private` and that is freed by
the comedi core, not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: comedi: ni_labpc: fix possible NULL deref during detach
Ian Abbott [Wed, 3 Oct 2012 15:25:21 +0000 (16:25 +0100)]
staging: comedi: ni_labpc: fix possible NULL deref during detach

commit 922b67c1ac53014d80649a961a2fde700cd065d8 upstream.

`labpc_common_detach()` is called by the comedi core to clean up if
either `labpc_attach()` (including the one in the "ni_labpc_cs" module)
or `labpc_attach_pci()` returns an error.  It assumes the `thisboard`
macro (expanding to `((struct labpc_board_struct *)dev->board_ptr)`) is
non-null.  This is a valid assumption if `labpc_attach()` fails, but not
if `labpc_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `labpc_common_detach()` and return early
if it is `NULL`.  This is okay because the only other thing that could
have been allocated is `dev->private` and that is freed by the comedi
core, not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: comedi: ni_daq_700: fix dio subdevice regression
Fred Brooks [Tue, 2 Oct 2012 10:10:26 +0000 (11:10 +0100)]
staging: comedi: ni_daq_700: fix dio subdevice regression

commit 6681e63399926651cc29bcb9d92229b6f1cf1daa upstream.

Here is a small patch to fix a problem caused by a previous patch that
removed the  callback function.  The callback remove patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1de02225358988e8fd48d1dc3fd12336bbae258a

I finally booted my dev machine on the latest kernel (running Debian
here so it's still on 3.2 normally) to test the ni_daq_700 driver with
my test program and noticed this bug.

Shift the DIO_R read result to bits 8..15 Digital direction
configuration: channels 0-7 output, 8-15 input (8225 device emu as port
A output, port B input, port C N/A).

Signed-off-by: Fred Brooks <nsaspook@nsaspook.com>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: comedi: das08: fix possible NULL deref during detach
Ian Abbott [Wed, 3 Oct 2012 15:25:20 +0000 (16:25 +0100)]
staging: comedi: das08: fix possible NULL deref during detach

commit ee280d134f2e05e0172369a53fbe202dbfc527fa upstream.

`das08_detach()` is called by the comedi core to clean up if either
`das08_attach()` or `das08_attach_pci()` returns an error.  It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  This is a valid assumption if `das08_attach()` fails, but not
if `das08_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `das08_detach()` and return early if it
is `NULL`.  This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agostaging: zram: Fix handling of incompressible pages
Nitin Gupta [Thu, 11 Oct 2012 00:42:18 +0000 (17:42 -0700)]
staging: zram: Fix handling of incompressible pages

commit c8f2f0db1d0294aaf37e8a85bea9bbc4aaf5c0fe upstream.

Change 130f315a (staging: zram: remove special handle of uncompressed page)
introduced a bug in the handling of incompressible pages which resulted in
memory allocation failure for such pages.

When a page expands on compression, say from 4K to 4K+30, we were trying to
do zsmalloc(pool, 4K+30). However, the maximum size which zsmalloc can
allocate is PAGE_SIZE (for obvious reasons), so such allocation requests
always return failure (0).

For a page that has compressed size larger than the original size (this may
happen with already compressed or random data), there is no point storing
the compressed version as that would take more space and would also require
time for decompression when needed again. So, the fix is to store any page,
whose compressed size exceeds a threshold (max_zpage_size), as-it-is i.e.
without compression.  Memory required for storing this uncompressed page can
then be requested from zsmalloc which supports PAGE_SIZE sized allocations.

Lastly, the fix checks that we do not attempt to "decompress" the page which
we stored in the uncompressed form -- we just memcpy() out such pages.

Signed-off-by: Nitin Gupta <ngupta@vflare.org>
Reported-by: viechweg@gmail.com
Reported-by: paerley@gmail.com
Reported-by: wu.tommy@gmail.com
Acked-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoStaging: android: binder: Allow using highmem for binder buffers
Arve Hjønnevåg [Tue, 16 Oct 2012 22:29:55 +0000 (15:29 -0700)]
Staging: android: binder: Allow using highmem for binder buffers

commit 585650dcec88e704a19bb226a34b6a7166111623 upstream.

The default kernel mapping for the pages allocated for the binder
buffers is never used. Set the __GFP_HIGHMEM flag when allocating
these pages so we don't needlessly use low memory pages that may
be required elsewhere.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoStaging: android: binder: Fix memory leak on thread/process exit
Arve Hjønnevåg [Tue, 16 Oct 2012 22:29:54 +0000 (15:29 -0700)]
Staging: android: binder: Fix memory leak on thread/process exit

commit 675d66b0ed5fd170d6a44cf8dbb3fa56a5347bdb upstream.

If a thread or process exited while a reply, one-way transaction or
death notification was pending, the struct holding the pending work
was leaked.

Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agosysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat()
Geert Uytterhoeven [Sat, 29 Sep 2012 20:23:19 +0000 (22:23 +0200)]
sysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat()

commit 66081a72517a131430dcf986775f3268aafcb546 upstream.

The warning check for duplicate sysfs entries can cause a buffer overflow
when printing the warning, as strcat() doesn't check buffer sizes.
Use strlcat() instead.

Since strlcat() doesn't return a pointer to the passed buffer, unlike
strcat(), I had to convert the nested concatenation in sysfs_add_one() to
an admittedly more obscure comma operator construct, to avoid emitting code
for the concatenation if CONFIG_BUG is disabled.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoxhci: endianness xhci_calculate_intel_u2_timeout
Oliver Neukum [Wed, 17 Oct 2012 10:17:50 +0000 (12:17 +0200)]
xhci: endianness xhci_calculate_intel_u2_timeout

commit 966e7a854177097083683176ced871558b631a12 upstream.

An le16 is accessed without conversion.

This patch should be backported to kernels as old as 3.5, that contain
the commit e3567d2c15a7a8e2f992a5f7c7683453ca406d82 "xhci: Add Intel
U1/U2 timeout policy."

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoxhci: fix integer overflow
Oliver Neukum [Wed, 17 Oct 2012 08:16:16 +0000 (10:16 +0200)]
xhci: fix integer overflow

commit 16b45fdf9c4e82f5d3bc53aa70737650e7c8d5ed upstream.

xhci_service_interval_to_ns() returns long long
to avoid an overflow. However, the type cast happens
too late. The fix is to force ULL from the beginning.

This patch should be backported to kernels as old as 3.5, that contain
the commit e3567d2c15a7a8e2f992a5f7c7683453ca406d82 "xhci: Add Intel
U1/U2 timeout policy."

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoxhci: Fix potential NULL ptr deref in command cancellation.
Sarah Sharp [Tue, 16 Oct 2012 20:17:43 +0000 (13:17 -0700)]
xhci: Fix potential NULL ptr deref in command cancellation.

commit 43a09f7fb01fa1e091416a2aa49b6c666458c1ee upstream.

The command cancellation code doesn't check whether find_trb_seg()
couldn't find the segment that contains the TRB to be canceled.  This
could cause a NULL pointer deference later in the function when next_trb
is called.  It's unlikely to happen unless something is wrong with the
command ring pointers, so add some debugging in case it happens.

This patch should be backported to stable kernels as old as 3.0, that
contain the commit b63f4053cc8aa22a98e3f9a97845afe6c15d0a0d "xHCI:
handle command after aborting the command ring".

Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoLOCKD: Clear ln->nsm_clnt only when ln->nsm_users is zero
Trond Myklebust [Wed, 24 Oct 2012 12:53:35 +0000 (08:53 -0400)]
LOCKD: Clear ln->nsm_clnt only when ln->nsm_users is zero

commit e498daa81295d02f7359af313c2b7f87e1062207 upstream.

The current code is clearing it in all cases _except_ when zero.

Reported-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoSUNRPC: Prevent races in xs_abort_connection()
Trond Myklebust [Tue, 23 Oct 2012 21:50:07 +0000 (17:50 -0400)]
SUNRPC: Prevent races in xs_abort_connection()

commit 4bc1e68ed6a8b59be8a79eb719be515a55c7bc68 upstream.

The call to xprt_disconnect_done() that is triggered by a successful
connection reset will trigger another automatic wakeup of all tasks
on the xprt->pending rpc_wait_queue. In particular it will cause an
early wake up of the task that called xprt_connect().

All we really want to do here is clear all the socket-specific state
flags, so we split that functionality out of xs_sock_mark_closed()
into a helper that can be called by xs_abort_connection()

Reported-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Tested-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoLOCKD: fix races in nsm_client_get
Trond Myklebust [Tue, 23 Oct 2012 17:51:58 +0000 (13:51 -0400)]
LOCKD: fix races in nsm_client_get

commit a4ee8d978e47e79d536226dccb48991f70091168 upstream.

Commit e9406db20fecbfcab646bad157b4cfdc7cadddfb (lockd: per-net
NSM client creation and destruction helpers introduced) contains
a nasty race on initialisation of the per-net NSM client because
it doesn't check whether or not the client is set after grabbing
the nsm_create_mutex.

Reported-by: Nix <nix@esperi.org.uk>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoRevert "SUNRPC: Ensure we close the socket on EPIPE errors too..."
Trond Myklebust [Tue, 23 Oct 2012 15:40:02 +0000 (11:40 -0400)]
Revert "SUNRPC: Ensure we close the socket on EPIPE errors too..."

commit b9d2bb2ee537424a7f855e1f93eed44eb9ee0854 upstream.

This reverts commit 55420c24a0d4d1fce70ca713f84aa00b6b74a70e.
Now that we clear the connected flag when entering TCP_CLOSE_WAIT,
the deadlock described in this commit is no longer possible.
Instead, the resulting call to xs_tcp_shutdown() can interfere
with pending reconnection attempts.

Reported-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Tested-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoSUNRPC: Clear the connect flag when socket state is TCP_CLOSE_WAIT
Trond Myklebust [Tue, 23 Oct 2012 15:35:47 +0000 (11:35 -0400)]
SUNRPC: Clear the connect flag when socket state is TCP_CLOSE_WAIT

commit d0bea455dd48da1ecbd04fedf00eb89437455fdc upstream.

This is needed to ensure that we call xprt_connect() upon the next
call to call_connect().

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Tested-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoSUNRPC: Get rid of the xs_error_report socket callback
Trond Myklebust [Mon, 22 Oct 2012 21:14:36 +0000 (17:14 -0400)]
SUNRPC: Get rid of the xs_error_report socket callback

commit f878b657ce8e7d3673afe48110ec208a29e38c4a upstream.

Chris Perl reports that we're seeing races between the wakeup call in
xs_error_report and the connect attempts. Basically, Chris has shown
that in certain circumstances, the call to xs_error_report causes the
rpc_task that is responsible for reconnecting to wake up early, thus
triggering a disconnect and retry.

Since the sk->sk_error_report() calls in the socket layer are always
followed by a tcp_done() in the cases where we care about waking up
the rpc_tasks, just let the state_change callbacks take responsibility
for those wake ups.

Reported-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Tested-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agomm: fix XFS oops due to dirty pages without buffers on s390
Jan Kara [Thu, 25 Oct 2012 20:37:31 +0000 (13:37 -0700)]
mm: fix XFS oops due to dirty pages without buffers on s390

commit ef5d437f71afdf4afdbab99213add99f4b1318fd upstream.

On s390 any write to a page (even from kernel itself) sets architecture
specific page dirty bit.  Thus when a page is written to via buffered
write, HW dirty bit gets set and when we later map and unmap the page,
page_remove_rmap() finds the dirty bit and calls set_page_dirty().

Dirtying of a page which shouldn't be dirty can cause all sorts of
problems to filesystems.  The bug we observed in practice is that
buffers from the page get freed, so when the page gets later marked as
dirty and writeback writes it, XFS crashes due to an assertion
BUG_ON(!PagePrivate(page)) in page_buffers() called from
xfs_count_page_state().

Similar problem can also happen when zero_user_segment() call from
xfs_vm_writepage() (or block_write_full_page() for that matter) set the
hardware dirty bit during writeback, later buffers get freed, and then
page unmapped.

Fix the issue by ignoring s390 HW dirty bit for page cache pages of
mappings with mapping_cap_account_dirty().  This is safe because for
such mappings when a page gets marked as writeable in PTE it is also
marked dirty in do_wp_page() or do_page_fault().  When the dirty bit is
cleared by clear_page_dirty_for_io(), the page gets writeprotected in
page_mkclean().  So pagecache page is writeable if and only if it is
dirty.

Thanks to Hugh Dickins for pointing out mapping has to have
mapping_cap_account_dirty() for things to work and proposing a cleaned
up variant of the patch.

The patch has survived about two hours of running fsx-linux on tmpfs
while heavily swapping and several days of running on out build machines
where the original problem was triggered.

Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Hugh Dickins <hughd@google.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agox86, mm: Trim memory in memblock to be page aligned
Yinghai Lu [Mon, 22 Oct 2012 23:35:18 +0000 (16:35 -0700)]
x86, mm: Trim memory in memblock to be page aligned

commit 6ede1fd3cb404c0016de6ac529df46d561bd558b upstream.

We will not map partial pages, so need to make sure memblock
allocation will not allocate those bytes out.

Also we will use for_each_mem_pfn_range() to loop to map memory
range to keep them consistent.

Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Link: http://lkml.kernel.org/r/CAE9FiQVZirvaBMFYRfXMmWEcHbKSicQEHz4VAwUv0xFCk51ZNw@mail.gmail.com
Acked-by: Jacob Shin <jacob.shin@amd.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoRevert "x86/mm: Fix the size calculation of mapping tables"
Dave Young [Thu, 18 Oct 2012 06:33:23 +0000 (14:33 +0800)]
Revert "x86/mm: Fix the size calculation of mapping tables"

commit 7b16bbf97375d9fb7fc107b3f80afeb94a204e44 upstream.

Commit:

   722bc6b16771 x86/mm: Fix the size calculation of mapping tables

Tried to address the issue that the first 2/4M should use 4k pages
if PSE enabled, but extra counts should only be valid for x86_32.

This commit caused a kdump regression: the kdump kernel hangs.

Work is in progress to fundamentally fix the various page table
initialization issues that we have, via the design suggested
by H. Peter Anvin, but it's not ready yet to be merged.

So, to get a working kdump revert to the last known working version,
which is the revert of this commit and of a followup fix (which was
incomplete):

   bd2753b2dda7 x86/mm: Only add extra pages count for the first memory range during pre-allocation

Tested kdump on physical and virtual machines.

Signed-off-by: Dave Young <dyoung@redhat.com>
Acked-by: Yinghai Lu <yinghai@kernel.org>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Flavio Leitner <fbl@redhat.com>
Tested-by: Flavio Leitner <fbl@redhat.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Flavio Leitner <fbl@redhat.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: ianfang.cn@gmail.com
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agox86-64: Fix page table accounting
Jan Beulich [Thu, 4 Oct 2012 13:48:10 +0000 (14:48 +0100)]
x86-64: Fix page table accounting

commit 876ee61aadf01aa0db981b5d249cbdd53dc28b5e upstream.

Commit 20167d3421a089a1bf1bd680b150dc69c9506810 ("x86-64: Fix
accounting in kernel_physical_mapping_init()") went a little too
far by entirely removing the counting of pre-populated page
tables: this should be done at boot time (to cover the page
tables set up in early boot code), but shouldn't be done during
memory hot add.

Hence, re-add the removed increments of "pages", but make them
and the one in phys_pte_init() conditional upon !after_bootmem.

Reported-Acked-and-Tested-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Link: http://lkml.kernel.org/r/506DAFBA020000780009FA8C@nat28.tlf.novell.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoARM: 7559/1: smp: switch away from the idmap before updating init_mm.mm_count
Will Deacon [Fri, 19 Oct 2012 16:53:01 +0000 (17:53 +0100)]
ARM: 7559/1: smp: switch away from the idmap before updating init_mm.mm_count

commit 5f40b909728ad784eb43aa309d3c4e9bdf050781 upstream.

When booting a secondary CPU, the primary CPU hands two sets of page
tables via the secondary_data struct:

(1) swapper_pg_dir: a normal, cacheable, shared (if SMP) mapping
    of the kernel image (i.e. the tables used by init_mm).

(2) idmap_pgd: an uncached mapping of the .idmap.text ELF
    section.

The idmap is generally used when enabling and disabling the MMU, which
includes early CPU boot. In this case, the secondary CPU switches to
swapper as soon as it enters C code:

struct mm_struct *mm = &init_mm;
unsigned int cpu = smp_processor_id();

/*
 * All kernel threads share the same mm context; grab a
 * reference and switch to it.
 */
atomic_inc(&mm->mm_count);
current->active_mm = mm;
cpumask_set_cpu(cpu, mm_cpumask(mm));
cpu_switch_mm(mm->pgd, mm);

This causes a problem on ARMv7, where the identity mapping is treated as
strongly-ordered leading to architecturally UNPREDICTABLE behaviour of
exclusive accesses, such as those used by atomic_inc.

This patch re-orders the secondary_start_kernel function so that we
switch to swapper before performing any exclusive accesses.

Reported-by: Gilles Chanteperdrix <gilles.chanteperdrix@xenomai.org>
Cc: David McKay <david.mckay@st.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agogenalloc: stop crashing the system when destroying a pool
Thadeu Lima de Souza Cascardo [Thu, 25 Oct 2012 20:37:51 +0000 (13:37 -0700)]
genalloc: stop crashing the system when destroying a pool

commit eedce141cd2dad8d0cefc5468ef41898949a7031 upstream.

The genalloc code uses the bitmap API from include/linux/bitmap.h and
lib/bitmap.c, which is based on long values.  Both bitmap_set from
lib/bitmap.c and bitmap_set_ll, which is the lockless version from
genalloc.c, use BITMAP_LAST_WORD_MASK to set the first bits in a long in
the bitmap.

That one uses (1 << bits) - 1, 0b111, if you are setting the first three
bits.  This means that the API counts from the least significant bits
(LSB from now on) to the MSB.  The LSB in the first long is bit 0, then.
The same works for the lookup functions.

The genalloc code uses longs for the bitmap, as it should.  In
include/linux/genalloc.h, struct gen_pool_chunk has unsigned long
bits[0] as its last member.  When allocating the struct, genalloc should
reserve enough space for the bitmap.  This should be a proper number of
longs that can fit the amount of bits in the bitmap.

However, genalloc allocates an integer number of bytes that fit the
amount of bits, but may not be an integer amount of longs.  9 bytes, for
example, could be allocated for 70 bits.

This is a problem in itself if the Least Significat Bit in a long is in
the byte with the largest address, which happens in Big Endian machines.
This means genalloc is not allocating the byte in which it will try to
set or check for a bit.

This may end up in memory corruption, where genalloc will try to set the
bits it has not allocated.  In fact, genalloc may not set these bits
because it may find them already set, because they were not zeroed since
they were not allocated.  And that's what causes a BUG when
gen_pool_destroy is called and check for any set bits.

What really happens is that genalloc uses kmalloc_node with __GFP_ZERO
on gen_pool_add_virt.  With SLAB and SLUB, this means the whole slab
will be cleared, not only the requested bytes.  Since struct
gen_pool_chunk has a size that is a multiple of 8, and slab sizes are
multiples of 8, we get lucky and allocate and clear the right amount of
bytes.

Hower, this is not the case with SLOB or with older code that did memset
after allocating instead of using __GFP_ZERO.

So, a simple module as this (running 3.6.0), will cause a crash when
rmmod'ed.

  [root@phantom-lp2 foo]# cat foo.c
  #include <linux/kernel.h>
  #include <linux/module.h>
  #include <linux/init.h>
  #include <linux/genalloc.h>

  MODULE_LICENSE("GPL");
  MODULE_VERSION("0.1");

  static struct gen_pool *foo_pool;

  static __init int foo_init(void)
  {
          int ret;
          foo_pool = gen_pool_create(10, -1);
          if (!foo_pool)
                  return -ENOMEM;
          ret = gen_pool_add(foo_pool, 0xa0000000, 32 << 10, -1);
          if (ret) {
                  gen_pool_destroy(foo_pool);
                  return ret;
          }
          return 0;
  }

  static __exit void foo_exit(void)
  {
          gen_pool_destroy(foo_pool);
  }

  module_init(foo_init);
  module_exit(foo_exit);
  [root@phantom-lp2 foo]# zcat /proc/config.gz | grep SLOB
  CONFIG_SLOB=y
  [root@phantom-lp2 foo]# insmod ./foo.ko
  [root@phantom-lp2 foo]# rmmod foo
  ------------[ cut here ]------------
  kernel BUG at lib/genalloc.c:243!
  cpu 0x4: Vector: 700 (Program Check) at [c0000000bb0e7960]
      pc: c0000000003cb50c: .gen_pool_destroy+0xac/0x110
      lr: c0000000003cb4fc: .gen_pool_destroy+0x9c/0x110
      sp: c0000000bb0e7be0
     msr: 8000000000029032
    current = 0xc0000000bb0e0000
    paca    = 0xc000000006d30e00   softe: 0        irq_happened: 0x01
      pid   = 13044, comm = rmmod
  kernel BUG at lib/genalloc.c:243!
  [c0000000bb0e7ca0d000000004b00020 .foo_exit+0x20/0x38 [foo]
  [c0000000bb0e7d20c0000000000dff98 .SyS_delete_module+0x1a8/0x290
  [c0000000bb0e7e30c0000000000097d4 syscall_exit+0x0/0x94
  --- Exception: c00 (System Call) at 000000800753d1a0
  SP (fffd0b0e640) is in userspace

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
Cc: Benjamin Gaignard <benjamin.gaignard@stericsson.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agodrivers/rtc/rtc-imxdi.c: add missing spin lock initialization
Jan Luebbe [Thu, 25 Oct 2012 20:38:11 +0000 (13:38 -0700)]
drivers/rtc/rtc-imxdi.c: add missing spin lock initialization

commit fee0de7791f967c2c5f0d43eb7b7261761b45e64 upstream.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: Roland Stigge <stigge@antcom.de>
Cc: Grant Likely <grant.likely@secretlab.ca>
Tested-by: Roland Stigge <stigge@antcom.de>
Cc: Sascha Hauer <kernel@pengutronix.de>
Cc: Russell King <linux@arm.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agofs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check
Kees Cook [Thu, 25 Oct 2012 20:38:16 +0000 (13:38 -0700)]
fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check

commit 12176503366885edd542389eed3aaf94be163fdb upstream.

The compat ioctl for VIDEO_SET_SPU_PALETTE was missing an error check
while converting ioctl arguments.  This could lead to leaking kernel
stack contents into userspace.

Patch extracted from existing fix in grsecurity.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: David Miller <davem@davemloft.net>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: PaX Team <pageexec@freemail.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agogen_init_cpio: avoid stack overflow when expanding
Kees Cook [Thu, 25 Oct 2012 20:38:14 +0000 (13:38 -0700)]
gen_init_cpio: avoid stack overflow when expanding

commit 20f1de659b77364d55d4e7fad2ef657e7730323f upstream.

Fix possible overflow of the buffer used for expanding environment
variables when building file list.

In the extremely unlikely case of an attacker having control over the
environment variables visible to gen_init_cpio, control over the
contents of the file gen_init_cpio parses, and gen_init_cpio was built
without compiler hardening, the attacker can gain arbitrary execution
control via a stack buffer overflow.

  $ cat usr/crash.list
  file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
  $ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
  *** buffer overflow detected ***: ./usr/gen_init_cpio terminated

This also replaces the space-indenting with tabs.

Patch based on existing fix extracted from grsecurity.

Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: PaX Team <pageexec@freemail.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoVFS: don't do protected {sym,hard}links by default
Linus Torvalds [Fri, 26 Oct 2012 17:05:07 +0000 (10:05 -0700)]
VFS: don't do protected {sym,hard}links by default

commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415 upstream.

In commit 800179c9b8a1 ("This adds symlink and hardlink restrictions to
the Linux VFS"), the new link protections were enabled by default, in
the hope that no actual application would care, despite it being
technically against legacy UNIX (and documented POSIX) behavior.

However, it does turn out to break some applications.  It's rare, and
it's unfortunate, but it's unacceptable to break existing systems, so
we'll have to default to legacy behavior.

In particular, it has broken the way AFD distributes files, see

  http://www.dwd.de/AFD/

along with some legacy scripts.

Distributions can end up setting this at initrd time or in system
scripts: if you have security problems due to link attacks during your
early boot sequence, you have bigger problems than some kernel sysctl
setting. Do:

echo 1 > /proc/sys/fs/protected_symlinks
echo 1 > /proc/sys/fs/protected_hardlinks

to re-enable the link protections.

Alternatively, we may at some point introduce a kernel config option
that sets these kinds of "more secure but not traditional" behavioural
options automatically.

Reported-by: Nick Bowler <nbowler@elliptictech.com>
Reported-by: Holger Kiehl <Holger.Kiehl@dwd.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoALSA: hda - Fix silent headphone output from Toshiba P200
Takashi Iwai [Sat, 20 Oct 2012 08:55:21 +0000 (10:55 +0200)]
ALSA: hda - Fix silent headphone output from Toshiba P200

commit cb766404e6b8c566569eb9ada02ea45d28729864 upstream.

By some reason, Toshiba laptop doesn't like the EAPD turned up for the
headphone pin.  Add a fix up code to force to turn down EAPD for NID
0x15.

Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=569991

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoALSA: hda - add dock support for Thinkpad T430
Stefán Freyr [Fri, 19 Oct 2012 20:46:00 +0000 (22:46 +0200)]
ALSA: hda - add dock support for Thinkpad T430

commit 84f98fdf7865fbd35b312eb39ea91e5618c514c7 upstream.

I have a Lenovo ThinkPad T430 and an UltraBase Series 3 docking
station.

Without this patch, if I plug my headphones into the jack on the
computer, everything works fine. The computer speakers mute and the
audio is played in the headphones. However, if I plug into the docking
station headphone jack the computer speakers are muted but there is no
audio in the headphones.

Addresses https://bugs.launchpad.net/bugs/1060372

Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agodrm/radeon: add error output if VM CS fails on cayman
Alex Deucher [Fri, 19 Oct 2012 17:27:04 +0000 (13:27 -0400)]
drm/radeon: add error output if VM CS fails on cayman

commit c71721324c612f7f040657ce9917d87f530f9784 upstream.

So we know why the CS was rejected.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agodrm/radeon: add some new SI PCI ids
Alex Deucher [Tue, 16 Oct 2012 16:51:45 +0000 (12:51 -0400)]
drm/radeon: add some new SI PCI ids

commit b6aa22db7857ab7ed042d6c56b800bfc727cfdff upstream.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoLinux 3.6.4 v3.6.4
Greg Kroah-Hartman [Sun, 28 Oct 2012 17:57:51 +0000 (10:57 -0700)]
Linux 3.6.4

12 years agomac80211: call drv_get_tsf() in sleepable context
Thomas Pedersen [Sat, 6 Oct 2012 00:57:39 +0000 (17:57 -0700)]
mac80211: call drv_get_tsf() in sleepable context

commit 55fabefe3695241e6ccfa0cd4974f3fa497693dc upstream.

The call to drv_get/set_tsf() was put on the workqueue to perform tsf
adjustments since that function might sleep. However it ended up inside
a spinlock, whose critical section must be atomic. Do tsf adjustment
outside the spinlock instead, and get rid of a warning.

Signed-off-by: Thomas Pedersen <thomas@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agosparc64: Fix bit twiddling in sparc_pmu_enable_event().
David S. Miller [Tue, 16 Oct 2012 20:05:25 +0000 (13:05 -0700)]
sparc64: Fix bit twiddling in sparc_pmu_enable_event().

[ Upstream commit e793d8c6740f8fe704fa216e95685f4d92c4c4b9 ]

There was a serious disconnect in the logic happening in
sparc_pmu_disable_event() vs. sparc_pmu_enable_event().

Event disable is implemented by programming a NOP event into the PCR.

However, event enable was not reversing this operation.  Instead, it
was setting the User/Priv/Hypervisor trace enable bits.

That's not sparc_pmu_enable_event()'s job, that's what
sparc_pmu_enable() and sparc_pmu_disable() do .

The intent of sparc_pmu_enable_event() is clear, since it first clear
out the event type encoding field.  So fix this by OR'ing in the event
encoding rather than the trace enable bits.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agosparc64: Like x86 we should check current->mm during perf backtrace generation.
David S. Miller [Mon, 15 Oct 2012 00:59:40 +0000 (17:59 -0700)]
sparc64: Like x86 we should check current->mm during perf backtrace generation.

[ Upstream commit 08280e6c4c2e8049ac61d9e8e3536ec1df629c0d ]

If the MM is not active, only report the top-level PC.  Do not try to
access the address space.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agosparc64: fix ptrace interaction with force_successful_syscall_return()
Al Viro [Thu, 11 Oct 2012 00:25:00 +0000 (17:25 -0700)]
sparc64: fix ptrace interaction with force_successful_syscall_return()

[ Upstream commit 55c2770e413e96871147b9406a9c41fe9bc5209c ]

we want syscall_trace_leave() called on exit from any syscall;
skipping its call in case we'd done force_successful_syscall_return()
is broken...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoipv6: addrconf: fix /proc/net/if_inet6
Eric Dumazet [Tue, 16 Oct 2012 07:37:27 +0000 (07:37 +0000)]
ipv6: addrconf: fix /proc/net/if_inet6

[ Upstream commit 9f0d3c2781baa1102108e16efbe640dd74564a7c ]

Commit 1d5783030a1 (ipv6/addrconf: speedup /proc/net/if_inet6 filling)
added bugs hiding some devices from if_inet6 and breaking applications.

"ip -6 addr" could still display all IPv6 addresses, while "ifconfig -a"
couldnt.

One way to reproduce the bug is by starting in a shell :

unshare -n /bin/bash
ifconfig lo up

And in original net namespace, lo device disappeared from if_inet6

Reported-by: Jan Hinnerk Stosch <janhinnerk.stosch@gmail.com>
Tested-by: Jan Hinnerk Stosch <janhinnerk.stosch@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Mihai Maruseac <mihai.maruseac@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agotcp: resets are misrouted
Alexey Kuznetsov [Fri, 12 Oct 2012 04:34:17 +0000 (04:34 +0000)]
tcp: resets are misrouted

[ Upstream commit 4c67525849e0b7f4bd4fab2487ec9e43ea52ef29 ]

After commit e2446eaa ("tcp_v4_send_reset: binding oif to iif in no
sock case").. tcp resets are always lost, when routing is asymmetric.
Yes, backing out that patch will result in misrouting of resets for
dead connections which used interface binding when were alive, but we
actually cannot do anything here.  What's died that's died and correct
handling normal unbound connections is obviously a priority.

Comment to comment:
> This has few benefits:
>   1. tcp_v6_send_reset already did that.

It was done to route resets for IPv6 link local addresses. It was a
mistake to do so for global addresses. The patch fixes this as well.

Actually, the problem appears to be even more serious than guaranteed
loss of resets.  As reported by Sergey Soloviev <sol@eqv.ru>, those
misrouted resets create a lot of arp traffic and huge amount of
unresolved arp entires putting down to knees NAT firewalls which use
asymmetric routing.

Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoRDS: fix rds-ping spinlock recursion
jeff.liu [Mon, 8 Oct 2012 18:57:27 +0000 (18:57 +0000)]
RDS: fix rds-ping spinlock recursion

[ Upstream commit 5175a5e76bbdf20a614fb47ce7a38f0f39e70226 ]

This is the revised patch for fixing rds-ping spinlock recursion
according to Venkat's suggestions.

RDS ping/pong over TCP feature has been broken for years(2.6.39 to
3.6.0) since we have to set TCP cork and call kernel_sendmsg() between
ping/pong which both need to lock "struct sock *sk". However, this
lock has already been hold before rds_tcp_data_ready() callback is
triggerred. As a result, we always facing spinlock resursion which
would resulting in system panic.

Given that RDS ping is only used to test the connectivity and not for
serious performance measurements, we can queue the pong transmit to
rds_wq as a delayed response.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
CC: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
CC: David S. Miller <davem@davemloft.net>
CC: James Morris <james.l.morris@oracle.com>
Signed-off-by: Jie Liu <jeff.liu@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoipvs: fix ARP resolving for direct routing mode
Julian Anastasov [Mon, 8 Oct 2012 11:41:20 +0000 (11:41 +0000)]
ipvs: fix ARP resolving for direct routing mode

[ Upstream commit ad4d3ef8b7eb527cca478dc08c02c10936e64115 ]

After the change "Make neigh lookups directly in output packet path"
(commit a263b30936) IPVS can not reach the real server for DR mode
because we resolve the destination address from IP header, not from
route neighbour. Use the new FLOWI_FLAG_KNOWN_NH flag to request
output routes with known nexthop, so that it has preference
on resolving.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoipv4: Add FLOWI_FLAG_KNOWN_NH
Julian Anastasov [Mon, 8 Oct 2012 11:41:19 +0000 (11:41 +0000)]
ipv4: Add FLOWI_FLAG_KNOWN_NH

[ Upstream commit c92b96553a80c1dbe2ebe128bbe37c8f98f148bf ]

Add flag to request that output route should be
returned with known rt_gateway, in case we want to use
it as nexthop for neighbour resolving.

The returned route can be cached as follows:

- in NH exception: because the cached routes are not shared
with other destinations
- in FIB NH: when using gateway because all destinations for
NH share same gateway

As last option, to return rt_gateway!=0 we have to
set DST_NOCACHE.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoipv4: introduce rt_uses_gateway
Julian Anastasov [Mon, 8 Oct 2012 11:41:18 +0000 (11:41 +0000)]
ipv4: introduce rt_uses_gateway

[ Upstream commit 155e8336c373d14d87a7f91e356d85ef4b93b8f9 ]

Add new flag to remember when route is via gateway.
We will use it to allow rt_gateway to contain address of
directly connected host for the cases when DST_NOCACHE is
used or when the NH exception caches per-destination route
without DST_NOCACHE flag, i.e. when routes are not used for
other destinations. By this way we force the neighbour
resolving to work with the routed destination but we
can use different address in the packet, feature needed
for IPVS-DR where original packet for virtual IP is routed
via route to real IP.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoipv4: make sure nh_pcpu_rth_output is always allocated
Julian Anastasov [Mon, 8 Oct 2012 11:41:17 +0000 (11:41 +0000)]
ipv4: make sure nh_pcpu_rth_output is always allocated

[ Upstream commit f8a17175c63fd3e8b573719f7538816f8c96abf4 ]

Avoid checking nh_pcpu_rth_output in fast path,
abort fib_info creation on alloc_percpu failure.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoipv4: fix forwarding for strict source routes
Julian Anastasov [Mon, 8 Oct 2012 11:41:16 +0000 (11:41 +0000)]
ipv4: fix forwarding for strict source routes

[ Upstream commit e0adef0f7456d5d3a3bfe8ea61c7dddf146b40e1 ]

After the change "Adjust semantics of rt->rt_gateway"
(commit f8126f1d51) rt_gateway can be 0 but ip_forward() compares
it directly with nexthop. What we want here is to check if traffic
is to directly connected nexthop and to fail if using gateway.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoipv4: fix sending of redirects
Julian Anastasov [Mon, 8 Oct 2012 11:41:15 +0000 (11:41 +0000)]
ipv4: fix sending of redirects

[ Upstream commit e81da0e113a1b7fc7449ae6213f65f89ccac6d06 ]

After "Cache input routes in fib_info nexthops" (commit
d2d68ba9fe) and "Elide fib_validate_source() completely when possible"
(commit 7a9bc9b81a) we can not send ICMP redirects. It seems we
should not cache the RTCF_DOREDIRECT flag in nh_rth_input because
the same fib_info can be used for traffic that is not redirected,
eg. from other input devices or from sources that are not in same subnet.

As result, we have to disable the caching of RTCF_DOREDIRECT
flag and to force source validation for the case when forwarding
traffic to the input device. If traffic comes from directly connected
source we allow redirection as it was done before both changes.

Avoid setting RTCF_DOREDIRECT if IN_DEV_TX_REDIRECTS
is disabled, this can avoid source address validation and to
help caching the routes.

After the change "Adjust semantics of rt->rt_gateway"
(commit f8126f1d51) we should make sure our ICMP_REDIR_HOST messages
contain daddr instead of 0.0.0.0 when target is directly connected.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agovlan: don't deliver frames for unknown vlans to protocols
Florian Zumbiehl [Sun, 7 Oct 2012 15:51:58 +0000 (15:51 +0000)]
vlan: don't deliver frames for unknown vlans to protocols

[ Upstream commit 48cc32d38a52d0b68f91a171a8d00531edc6a46e ]

6a32e4f9dd9219261f8856f817e6655114cfec2f made the vlan code skip marking
vlan-tagged frames for not locally configured vlans as PACKET_OTHERHOST if
there was an rx_handler, as the rx_handler could cause the frame to be received
on a different (virtual) vlan-capable interface where that vlan might be
configured.

As rx_handlers do not necessarily return RX_HANDLER_ANOTHER, this could cause
frames for unknown vlans to be delivered to the protocol stack as if they had
been received untagged.

For example, if an ipv6 router advertisement that's tagged for a locally not
configured vlan is received on an interface with macvlan interfaces attached,
macvlan's rx_handler returns RX_HANDLER_PASS after delivering the frame to the
macvlan interfaces, which caused it to be passed to the protocol stack, leading
to ipv6 addresses for the announced prefix being configured even though those
are completely unusable on the underlying interface.

The fix moves marking as PACKET_OTHERHOST after the rx_handler so the
rx_handler, if there is one, sees the frame unchanged, but afterwards,
before the frame is delivered to the protocol stack, it gets marked whether
there is an rx_handler or not.

Signed-off-by: Florian Zumbiehl <florz@florz.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoskge: Add DMA mask quirk for Marvell 88E8001 on ASUS P5NSLI motherboard
Graham Gower [Mon, 8 Oct 2012 08:34:50 +0000 (08:34 +0000)]
skge: Add DMA mask quirk for Marvell 88E8001 on ASUS P5NSLI motherboard

[ Upstream commit a2af139ff1cd85df586690ff626619ab1ee88b0a ]

Marvell 88E8001 on an ASUS P5NSLI motherboard is unable to send/receive
packets on a system with >4gb ram unless a 32bit DMA mask is used.

This issue has been around for years and a fix was sent 3.5 years ago, but
there was some debate as to whether it should instead be fixed as a PCI quirk.
http://www.spinics.net/lists/netdev/msg88670.html

However, 18 months later a similar workaround was introduced for another
chipset exhibiting the same problem.
http://www.spinics.net/lists/netdev/msg142287.html

Signed-off-by: Graham Gower <graham.gower@gmail.com>
Signed-off-by: Jan Ceuleers <jan.ceuleers@computer.org>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoipv4: Don't report stale pmtu values to userspace
Steffen Klassert [Mon, 8 Oct 2012 00:56:54 +0000 (00:56 +0000)]
ipv4: Don't report stale pmtu values to userspace

[ Upstream commit ee9a8f7ab2edf801b8b514c310455c94acc232f6 ]

We report cached pmtu values even if they are already expired.
Change this to not report these values after they are expired
and fix a race in the expire time calculation, as suggested by
Eric Dumazet.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoipv4: Don't create nh exeption when the device mtu is smaller than the reported pmtu
Steffen Klassert [Sun, 7 Oct 2012 22:48:18 +0000 (22:48 +0000)]
ipv4: Don't create nh exeption when the device mtu is smaller than the reported pmtu

[ Upstream commit 7f92d334ba19a0d8e96f8f8f092219553367d921 ]

When a local tool like tracepath tries to send packets bigger than
the device mtu, we create a nh exeption and set the pmtu to device
mtu. The device mtu does not expire, so check if the device mtu is
smaller than the reported pmtu and don't crerate a nh exeption in
that case.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoipv4: Always invalidate or update the route on pmtu events
Steffen Klassert [Sun, 7 Oct 2012 22:47:25 +0000 (22:47 +0000)]
ipv4: Always invalidate or update the route on pmtu events

[ Upstream commit d851c12b60471188e15e5c8405b289073e8dd025 ]

Some protocols, like IPsec still cache routes. So we need to invalidate
the old route on pmtu events to avoid the reuse of stale routes.
We also need to update the mtu and expire time of the route if we already
use a nh exception route, otherwise we ignore newly learned pmtu values
after the first expiration.

With this patch we always invalidate or update the route on pmtu events.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoipv6: GRO should be ECN friendly
Eric Dumazet [Fri, 5 Oct 2012 20:43:30 +0000 (20:43 +0000)]
ipv6: GRO should be ECN friendly

[ Upstream commit 51ec04038c113a811b177baa85d293feff9ce995 ]

IPv4 side of the problem was addressed in commit a9e050f4e7f9d
(net: tcp: GRO should be ECN friendly)

This patch does the same, but for IPv6 : A Traffic Class mismatch
doesnt mean flows are different, but instead should force a flush
of previous packets.

This patch removes artificial packet reordering problem.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agonet: Fix skb_under_panic oops in neigh_resolve_output
ramesh.nagappa@gmail.com [Fri, 5 Oct 2012 19:10:15 +0000 (19:10 +0000)]
net: Fix skb_under_panic oops in neigh_resolve_output

[ Upstream commit e1f165032c8bade3a6bdf546f8faf61fda4dd01c ]

The retry loop in neigh_resolve_output() and neigh_connected_output()
call dev_hard_header() with out reseting the skb to network_header.
This causes the retry to fail with skb_under_panic. The fix is to
reset the network_header within the retry loop.

Signed-off-by: Ramesh Nagappa <ramesh.nagappa@ericsson.com>
Reviewed-by: Shawn Lu <shawn.lu@ericsson.com>
Reviewed-by: Robert Coulson <robert.coulson@ericsson.com>
Reviewed-by: Billie Alsup <billie.alsup@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agonet: remove skb recycling
Eric Dumazet [Fri, 5 Oct 2012 06:23:55 +0000 (06:23 +0000)]
net: remove skb recycling

[ Upstream commits acb600def2110b1310466c0e485c0d26299898ae
  and 66eef59f22275002f621ff9d951886b513d011b3. ]

Over time, skb recycling infrastructure got litle interest and
many bugs. Generic rx path skb allocation is now using page
fragments for efficient GRO / TCP coalescing, and recyling
a tx skb for rx path is not worth the pain.

Last identified bug is that fat skbs can be recycled
and it can endup using high order pages after few iterations.

With help from Maxime Bizon, who pointed out that commit
87151b8689d (net: allow pskb_expand_head() to get maximum tailroom)
introduced this regression for recycled skbs.

Instead of fixing this bug, lets remove skb recycling.

Drivers wanting really hot skbs should use build_skb() anyway,
to allocate/populate sk_buff right before netif_receive_skb()

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Maxime Bizon <mbizon@freebox.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoinfiniband: pass rdma_cm module to netlink_dump_start
Gao feng [Thu, 4 Oct 2012 20:15:49 +0000 (20:15 +0000)]
infiniband: pass rdma_cm module to netlink_dump_start

[ Upstream commit 809d5fc9bf6589276a12bd4fd611e4c7ff9940c3 ]

set netlink_dump_control.module to avoid panic.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Cc: Roland Dreier <roland@kernel.org>
Cc: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agonetlink: add reference of module in netlink_dump_start
Gao feng [Thu, 4 Oct 2012 20:15:48 +0000 (20:15 +0000)]
netlink: add reference of module in netlink_dump_start

[ Upstream commit 6dc878a8ca39e93f70c42f3dd7260bde10c1e0f1 ]

I get a panic when I use ss -a and rmmod inet_diag at the
same time.

It's because netlink_dump uses inet_diag_dump which belongs to module
inet_diag.

I search the codes and find many modules have the same problem.  We
need to add a reference to the module which the cb->dump belongs to.

Thanks for all help from Stephen,Jan,Eric,Steffen and Pablo.

Change From v3:
change netlink_dump_start to inline,suggestion from Pablo and
Eric.

Change From v2:
delete netlink_dump_done,and call module_put in netlink_dump
and netlink_sock_destruct.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agodrm/i915: Use cpu relocations if the object is in the GTT but not mappable
Chris Wilson [Thu, 23 Aug 2012 12:12:52 +0000 (13:12 +0100)]
drm/i915: Use cpu relocations if the object is in the GTT but not mappable

commit 504c7267a1e84b157cbd7e9c1b805e1bc0c2c846 upstream.

This prevents the case of unbinding the object in order to process the
relocations through the GTT and then rebinding it only to then proceed
to use cpu relocations as the object is now in the CPU write domain. By
choosing to use cpu relocations up front, we can therefore avoid the
rebind penalty.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agomedia: au0828: fix case where STREAMOFF being called on stopped stream causes BUG()
Devin Heitmueller [Tue, 7 Aug 2012 01:47:03 +0000 (22:47 -0300)]
media: au0828: fix case where STREAMOFF being called on stopped stream causes BUG()

commit a595c1ce4c9d572cf53513570b9f1a263d7867f2 upstream.

We weren't checking whether the resource was in use before calling
res_free(), so applications which called STREAMOFF on a v4l2 device that
wasn't already streaming would cause a BUG() to be hit (MythTV).

Reported-by: Larry Finger <larry.finger@lwfinger.net>
Reported-by: Jay Harbeston <jharbestonus@gmail.com>
Signed-off-by: Devin Heitmueller <dheitmueller@kernellabs.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
12 years agoxtensa: add missing system calls to the syscall table
Chris Zankel [Fri, 19 Oct 2012 17:46:44 +0000 (10:46 -0700)]
xtensa: add missing system calls to the syscall table

commit 7216cabfff5149670445cd65d415ed5db21314b4 upstream.

Add the following system calls to the syscall table:

fallocate
sendmmsg
umount2
syncfs
epoll_create1
inotify_init1
signalfd4
dup3
pipe2
timerfd_create
timerfd_settime
timerfd_gettime
eventfd2
preadv
pwritev
fanotify_init
fanotify_mark
process_vm_readv
process_vm_writev
name_to_handle_at
open_by_handle_at
sync_file_range
perf_event_open
rt_tgsigqueueinfo
clock_adjtime
prlimit64
kcmp

Note that we have to use the 'sys_sync_file_range2' version, so that
the 64-bit arguments are aligned correctly to the argument registers.

Signed-off-by: Chris Zankel <chris@zankel.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoamd64_edac:__amd64_set_scrub_rate(): avoid overindexing scrubrates[]
Andrew Morton [Tue, 23 Oct 2012 21:09:39 +0000 (14:09 -0700)]
amd64_edac:__amd64_set_scrub_rate(): avoid overindexing scrubrates[]

commit 168bfeef7bba3f9784f7540b053e4ac72b769ce9 upstream.

If none of the elements in scrubrates[] matches, this loop will cause
__amd64_set_scrub_rate() to incorrectly use the n+1th element.

As the function is designed to use the final scrubrates[] element in the
case of no match, we can fix this bug by simply terminating the array
search at the n-1th element.

Boris: this code is fragile anyway, see here why:
http://marc.info/?l=linux-kernel&m=135102834131236&w=2

It will be rewritten more robustly soonish.

Reported-by: Denis Kirjanov <kirjanov@gmail.com>
Cc: Doug Thompson <dougthompson@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoiommu/tegra: smmu: Fix deadly typo
Hiro Sugawara [Thu, 18 Oct 2012 05:35:10 +0000 (08:35 +0300)]
iommu/tegra: smmu: Fix deadly typo

commit d0078e72314df2e5ede03f2102cddde06767c374 upstream.

Fix a deadly typo in macro definition.

Signed-off-by: Hiro Sugawara <hsugawara@nvidia.com>
Signed-off-by: Hiroshi Doyu <hdoyu@nvidia.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agopinctrl: fix missing unlock on error in pinctrl_groups_show()
Wei Yongjun [Mon, 22 Oct 2012 04:58:09 +0000 (12:58 +0800)]
pinctrl: fix missing unlock on error in pinctrl_groups_show()

commit b4dd784ba8af03bf1f9ee5118c792d7abd4919bd upstream.

Add the missing unlock on the error handle path in function
pinctrl_groups_show().

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agopinctrl: remove mutex lock in groups show
Haojian Zhuang [Thu, 18 Oct 2012 09:07:01 +0000 (17:07 +0800)]
pinctrl: remove mutex lock in groups show

commit 7ae9d71e8df27a3ab60a05ae3add08728debc09c upstream.

Mutex is locked duplicatly by pinconf_groups_show() and
pin_config_group_get(). It results dead lock. So avoid to lock mutex
in pinconf_groups_show().

Signed-off-by: Haojian Zhuang <haojian.zhuang@gmail.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agopinctrl: tegra: set low power mode bank width to 2
Pritesh Raithatha [Wed, 17 Oct 2012 11:39:36 +0000 (17:09 +0530)]
pinctrl: tegra: set low power mode bank width to 2

commit 154f3ebf53edcfbe28728452b4ab37a118581125 upstream.

Signed-off-by: Pritesh Raithatha <praithatha@nvidia.com>
Acked-by: Stephen Warren <swarren@nvidia.com>
Tested-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agodt: Document: correct tegra20/30 pinctrl slew-rate name
Pritesh Raithatha [Wed, 17 Oct 2012 11:37:00 +0000 (17:07 +0530)]
dt: Document: correct tegra20/30 pinctrl slew-rate name

commit d6ec6b60a56a1e7d99da1fc69c031fa5ab54ba94 upstream.

change nvidia,slew_rate* to nvidia,slew-rate*

Signed-off-by: Pritesh Raithatha <praithatha@nvidia.com>
Acked-by: Stephen Warren <swarren@nvidia.com>
Tested-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agopinctrl: tegra: correct bank for pingroup and drv pingroup
Pritesh Raithatha [Wed, 17 Oct 2012 06:21:37 +0000 (11:51 +0530)]
pinctrl: tegra: correct bank for pingroup and drv pingroup

commit a03690e44468dcd3088f6600ab036d17bd2130ff upstream.

Signed-off-by: Pritesh Raithatha <praithatha@nvidia.com>
Acked-by: Stephen Warren <swarren@nvidia.com>
Tested-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoRevert "cgroup: Drop task_lock(parent) on cgroup_fork()"
Tejun Heo [Fri, 19 Oct 2012 00:52:07 +0000 (17:52 -0700)]
Revert "cgroup: Drop task_lock(parent) on cgroup_fork()"

commit 9bb71308b8133d643648776243e4d5599b1c193d upstream.

This reverts commit 7e381b0eb1e1a9805c37335562e8dc02e7d7848c.

The commit incorrectly assumed that fork path always performed
threadgroup_change_begin/end() and depended on that for
synchronization against task exit and cgroup migration paths instead
of explicitly grabbing task_lock().

threadgroup_change is not locked when forking a new process (as
opposed to a new thread in the same process) and even if it were it
wouldn't be effective as different processes use different threadgroup
locks.

Revert the incorrect optimization.

Signed-off-by: Tejun Heo <tj@kernel.org>
LKML-Reference: <20121008020000.GB2575@localhost>
Acked-by: Li Zefan <lizefan@huawei.com>
Bitterly-Acked-by: Frederic Weisbecker <fweisbec@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
12 years agoRevert "cgroup: Remove task_lock() from cgroup_post_fork()"
Tejun Heo [Fri, 19 Oct 2012 00:40:30 +0000 (17:40 -0700)]
Revert "cgroup: Remove task_lock() from cgroup_post_fork()"

commit d87838321124061f6c935069d97f37010fa417e6 upstream.

This reverts commit 7e3aa30ac8c904a706518b725c451bb486daaae9.

The commit incorrectly assumed that fork path always performed
threadgroup_change_begin/end() and depended on that for
synchronization against task exit and cgroup migration paths instead
of explicitly grabbing task_lock().

threadgroup_change is not locked when forking a new process (as
opposed to a new thread in the same process) and even if it were it
wouldn't be effective as different processes use different threadgroup
locks.

Revert the incorrect optimization.

Signed-off-by: Tejun Heo <tj@kernel.org>
LKML-Reference: <20121008020000.GB2575@localhost>
Acked-by: Li Zefan <lizefan@huawei.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>