firefly-linux-kernel-4.4.55.git
13 years agofilter: make sure filters dont read uninitialized memory
David S. Miller [Wed, 10 Nov 2010 18:38:24 +0000 (10:38 -0800)]
filter: make sure filters dont read uninitialized memory

commit 57fe93b374a6b8711995c2d466c502af9f3a08bb upstream.

There is a possibility malicious users can get limited information about
uninitialized stack mem array. Even if sk_run_filter() result is bound
to packet length (0 .. 65535), we could imagine this can be used by
hostile user.

Initializing mem[] array, like Dan Rosenberg suggested in his patch is
expensive since most filters dont even use this array.

Its hard to make the filter validation in sk_chk_filter(), because of
the jumps. This might be done later.

In this patch, I use a bitmap (a single long var) so that only filters
using mem[] loads/stores pay the price of added security checks.

For other filters, additional cost is a single instruction.

[ Since we access fentry->k a lot now, cache it in a local variable
  and mark filter entry pointer as const. -DaveM ]

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agokbuild: use getopt_long(), not its _only() variant
Arnaud Lacombe [Mon, 23 Aug 2010 16:01:24 +0000 (12:01 -0400)]
kbuild: use getopt_long(), not its _only() variant

commit c94d3fb01fb6db1899cdf53ea4eb9d38e08a08fe upstream.

NetBSD lacks getopt_long_only() whereas getopt_long() works just fine.

Signed-off-by: Arnaud Lacombe <lacombar@gmail.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Michal Marek <mmarek@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agovlan: Avoid hwaccel vlan packets when vid not used.
Jesse Gross [Mon, 8 Nov 2010 21:23:01 +0000 (13:23 -0800)]
vlan: Avoid hwaccel vlan packets when vid not used.

[This patch applies only to 2.6.36 stable.  The problem was introduced
in that release and is already fixed by larger changes to the vlan
code in 2.6.37.]

Normally hardware accelerated vlan packets are quickly dropped if
there is no corresponding vlan device configured.  The one exception
is promiscuous mode, where we allow all of these packets through so
they can be picked up by tcpdump.  However, this behavior causes a
crash if we actually try to receive these packets.  This fixes that
crash by ignoring packets with vids not corresponding to a configured
device in the vlan hwaccel routines and then dropping them before they
get to consumers in the network stack.

Reported-by: Ben Greear <greearb@candelatech.com>
Tested-by: Nikola Ciprich <extmaillist@linuxbox.cz>
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomemory corruption in X.25 facilities parsing
andrew hendry [Wed, 3 Nov 2010 12:54:53 +0000 (12:54 +0000)]
memory corruption in X.25 facilities parsing

commit a6331d6f9a4298173b413cf99a40cc86a9d92c37 upstream.

Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoOMAP3: DMA: Errata i541: sDMA FIFO draining does not finish
Peter Ujfalusi [Mon, 11 Oct 2010 21:18:56 +0000 (14:18 -0700)]
OMAP3: DMA: Errata i541: sDMA FIFO draining does not finish

commit 0e4905c0199d683497833be60a428c784d7575b8 upstream.

Implement the suggested workaround for OMAP3 regarding to sDMA draining
issue, when the channel is disabled on the fly.
This errata affects the following configuration:
sDMA transfer is source synchronized
Buffering is enabled
SmartStandby is selected.

The issue can be easily reproduced by creating overrun situation while
recording audio.
Either introduce load to the CPU:
nice -19 arecord -D hw:0 -M -B 10000 -F 5000 -f dat > /dev/null & \
dd if=/dev/urandom of=/dev/null

or suspending the arecord, and resuming it:
arecord -D hw:0 -M -B 10000 -F 5000 -f dat > /dev/null
CTRL+Z; fg; CTRL+Z; fg; ...

In case of overrun audio stops DMA, and restarts it (without reseting
the sDMA channel). When we hit this errata in stop case (sDMA drain did
not complete), at the coming start the sDMA will not going to be
operational (it is still draining).
This leads to DMA stall condition.
On OMAP3 we can recover with sDMA channel reset, it has been observed
that by introducing unrelated sDMA activity might also help (reading
from MMC for example).

The same errata exists for OMAP2, where the suggestion is to disable the
buffering to avoid this type of error.
On OMAP3 the suggestion is to set sDMA to NoStandby before disabling
the channel, and wait for the drain to finish, than configure sDMA to
SmartStandby again.

Signed-off-by: Peter Ujfalusi <peter.ujfalusi@nokia.com>
Acked-by: Jarkko Nikula <jhnikula@gmail.com>
Acked-by : Santosh Shilimkar <santosh.shilimkar@ti.com>
Acked-by : Manjunath Kondaiah G <manjugk@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoomap: dma: Fix buffering disable bit setting for omap24xx
Jarkko Nikula [Mon, 11 Oct 2010 21:18:45 +0000 (14:18 -0700)]
omap: dma: Fix buffering disable bit setting for omap24xx

commit 3e57f1626b5febe5cc99aa6870377deef3ae03cc upstream.

An errata workaround for omap24xx is not setting the buffering disable bit
25 what is the purpose but channel enable bit 7 instead.

Background for this fix is the DMA stalling issue with ASoC omap-mcbsp
driver. Peter Ujfalusi <peter.ujfalusi@nokia.com> has found an issue in
recording that the DMA stall could happen if there were a buffer overrun
detected by ALSA and the DMA was stopped and restarted due that. This
problem is known to occur on both OMAP2420 and OMAP3. It can recover on
OMAP3 after dma free, dma request and reconfiguration cycle. However, on
OMAP2420 it seems that only way to recover is a reset.

Problem was not visible before the commit c12abc0. That commit changed that
the McBSP transmitter/receiver is released from reset only when needed. That
is, only enabled McBSP transmitter without transmission was able to prevent
this DMA stall problem in receiving side and underlying problem did not show
up until now. McBSP transmitter itself seems to no be reason since DMA
stall does not recover by enabling the transmission after stall.

Debugging showed that there were a DMA write active during DMA stop time and
it never completed even when restarting the DMA. Experimenting showed that
the DMA buffering disable bit could be used to avoid stalling when using
source synchronized transfers. However that could have performance hit and
OMAP3 TRM states that buffering disable is not allowed for destination
synchronized transfers so subsequent patch will implement a method to
complete DMA writes when stopping.

This patch is based on assumtion that complete lock-up on OMAP2420 is
different but related problem. I don't have access to OMAP2420 errata but
I believe this old workaround here is put for a reason but unfortunately
a wrong bit was typed and problem showed up only now.

Signed-off-by: Jarkko Nikula <jhnikula@gmail.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@nokia.com>
Acked-by: Manjunath Kondaiah G <manjugk@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoInput: i8042 - add Sony VAIO VPCZ122GX to nomux list
Dmitry Torokhov [Thu, 4 Nov 2010 16:12:44 +0000 (09:12 -0700)]
Input: i8042 - add Sony VAIO VPCZ122GX to nomux list

[Note that the mainline will not have this particular fix but rather
will blacklist entire VAIO line based off DMI board name. For stable
I am being a bit more cautious and blacklist one particular product.]

Trying to query/activate active multiplexing mode on this VAIO makes
both keyboard and touchpad inoperable. Futher kernels will blacklist
entire VAIO line, however here we blacklist just one particular model.

Reported-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonet: Limit socket I/O iovec total length to INT_MAX.
David S. Miller [Thu, 28 Oct 2010 18:41:55 +0000 (11:41 -0700)]
net: Limit socket I/O iovec total length to INT_MAX.

commit 8acfe468b0384e834a303f08ebc4953d72fb690a upstream.

This helps protect us from overflow issues down in the
individual protocol sendmsg/recvmsg handlers.  Once
we hit INT_MAX we truncate out the rest of the iovec
by setting the iov_len members to zero.

This works because:

1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
   writes are allowed and the application will just continue
   with another write to send the rest of the data.

2) For datagram oriented sockets, where there must be a
   one-to-one correspondance between write() calls and
   packets on the wire, INT_MAX is going to be far larger
   than the packet size limit the protocol is going to
   check for and signal with -EMSGSIZE.

Based upon a patch by Linus Torvalds.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonet: Truncate recvfrom and sendto length to INT_MAX.
Linus Torvalds [Sat, 30 Oct 2010 23:43:10 +0000 (16:43 -0700)]
net: Truncate recvfrom and sendto length to INT_MAX.

commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agogenirq: Fix incorrect proc spurious output
Kenji Kaneshige [Tue, 30 Nov 2010 08:36:08 +0000 (17:36 +0900)]
genirq: Fix incorrect proc spurious output

commit 25c9170ed64a6551beefe9315882f754e14486f4 upstream.

Since commit a1afb637(switch /proc/irq/*/spurious to seq_file) all
/proc/irq/XX/spurious files show the information of irq 0.

Current irq_spurious_proc_open() passes on NULL as the 3rd argument,
which is used as an IRQ number in irq_spurious_proc_show(), to the
single_open(). Because of this, all the /proc/irq/XX/spurious file
shows IRQ 0 information regardless of the IRQ number.

To fix the problem, irq_spurious_proc_open() must pass on the
appropreate data (IRQ number) to single_open().

Signed-off-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Reviewed-by: Yong Zhang <yong.zhang0@gmail.com>
LKML-Reference: <4CF4B778.90604@jp.fujitsu.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonohz/s390: fix arch_needs_cpu() return value on offline cpus
Heiko Carstens [Wed, 1 Dec 2010 09:08:01 +0000 (10:08 +0100)]
nohz/s390: fix arch_needs_cpu() return value on offline cpus

commit 398812159e328478ae49b4bd01f0d71efea96c39 upstream.

This fixes the same problem as described in the patch "nohz: fix
printk_needs_cpu() return value on offline cpus" for the arch_needs_cpu()
primitive:

arch_needs_cpu() may return 1 if called on offline cpus. When a cpu gets
offlined it schedules the idle process which, before killing its own cpu,
will call tick_nohz_stop_sched_tick().
That function in turn will call arch_needs_cpu() in order to check if the
local tick can be disabled. On offline cpus this function should naturally
return 0 since regardless if the tick gets disabled or not the cpu will be
dead short after. That is besides the fact that __cpu_disable() should already
have made sure that no interrupts on the offlined cpu will be delivered anyway.

In this case it prevents tick_nohz_stop_sched_tick() to call
select_nohz_load_balancer(). No idea if that really is a problem. However what
made me debug this is that on 2.6.32 the function get_nohz_load_balancer() is
used within __mod_timer() to select a cpu on which a timer gets enqueued.
If arch_needs_cpu() returns 1 then the nohz_load_balancer cpu doesn't get
updated when a cpu gets offlined. It may contain the cpu number of an offline
cpu. In turn timers get enqueued on an offline cpu and not very surprisingly
they never expire and cause system hangs.

This has been observed 2.6.32 kernels. On current kernels __mod_timer() uses
get_nohz_timer_target() which doesn't have that problem. However there might
be other problems because of the too early exit tick_nohz_stop_sched_tick()
in case a cpu goes offline.

This specific bug was indrocuded with 3c5d92a0 "nohz: Introduce
arch_needs_cpu".

In this case a cpu hotplug notifier is used to fix the issue in order to keep
the normal/fast path small. All we need to do is to clear the condition that
makes arch_needs_cpu() return 1 since it is just a performance improvement
which is supposed to keep the local tick running for a short period if a cpu
goes idle. Nothing special needs to be done except for clearing the condition.

Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agowmi: use memcmp instead of strncmp to compare GUIDs
Thadeu Lima de Souza Cascardo [Sun, 28 Nov 2010 21:46:50 +0000 (19:46 -0200)]
wmi: use memcmp instead of strncmp to compare GUIDs

commit 8b14d7b22c61f17ccb869e0047d9df6dd9f50a9f upstream.

While looking for the duplicates in /sys/class/wmi/, I couldn't find
them. The code that looks for duplicates uses strncmp in a binary GUID,
which may contain zero bytes. The right function is memcmp, which is
also used in another section of wmi code.

It was finding 49142400-C6A3-40FA-BADB-8A2652834100 as a duplicate of
39142400-C6A3-40FA-BADB-8A2652834100. Since the first byte is the fourth
printed, they were found as equal by strncmp.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@holoscopio.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoPM / Hibernate: Fix memory corruption related to swap
Rafael J. Wysocki [Fri, 3 Dec 2010 21:57:45 +0000 (22:57 +0100)]
PM / Hibernate: Fix memory corruption related to swap

commit c9e664f1fdf34aa8cede047b206deaa8f1945af0 upstream.

There is a problem that swap pages allocated before the creation of
a hibernation image can be released and used for storing the contents
of different memory pages while the image is being saved.  Since the
kernel stored in the image doesn't know of that, it causes memory
corruption to occur after resume from hibernation, especially on
systems with relatively small RAM that need to swap often.

This issue can be addressed by keeping the GFP_IOFS bits clear
in gfp_allowed_mask during the entire hibernation, including the
saving of the image, until the system is finally turned off or
the hibernation is aborted.  Unfortunately, for this purpose
it's necessary to rework the way in which the hibernate and
suspend code manipulates gfp_allowed_mask.

This change is based on an earlier patch from Hugh Dickins.

Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Reported-by: Ondrej Zary <linux@rainbow-software.org>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoARM: cns3xxx: Fix build with CONFIG_PCI=y
Anton Vorontsov [Mon, 29 Nov 2010 15:46:22 +0000 (18:46 +0300)]
ARM: cns3xxx: Fix build with CONFIG_PCI=y

commit 44266416f786514ec43a0d15ad951c34566b99c9 upstream.

commit 6338a6aa7c082f11d55712251e14178c68bf5869 ("ARM: 6269/1: Add 'code'
parameter for hook_fault_code()") breaks CNS3xxx build:

  CC      arch/arm/mach-cns3xxx/pcie.o
pcie.c: In function 'cns3xxx_pcie_init':
pcie.c:373: warning: passing argument 4 of 'hook_fault_code' makes integer from pointer without a cast
pcie.c:373: error: too few arguments to function 'hook_fault_code'

This commit fixes the small issue.

Signed-off-by: Anton Vorontsov <cbouatmailru@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoARM: 6456/1: Fix for building DEBUG with sa11xx_base.c as a module.
Marcelo Roberto Jimenez [Mon, 18 Oct 2010 21:38:08 +0000 (22:38 +0100)]
ARM: 6456/1: Fix for building DEBUG with sa11xx_base.c as a module.

commit b9f515e3e3861abbaa093359f7c6f31283695228 upstream.

This patch fixes a compilation issue when compiling PCMCIA SA1100
support as a module with PCMCIA_DEBUG enabled. The symbol
soc_pcmcia_debug was not beeing exported.
ARM: pcmcia: Fix for building DEBUG with sa11xx_base.c as a module.

This patch fixes a compilation issue when compiling PCMCIA SA1100
support as a module with PCMCIA_DEBUG enabled. The symbol
soc_pcmcia_debug was not beeing exported.

Signed-off-by: Marcelo Roberto Jimenez <mroberto@cpti.cetuc.puc-rio.br>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoperf: Fix inherit vs. context rotation bug
Thomas Gleixner [Wed, 24 Nov 2010 09:05:55 +0000 (10:05 +0100)]
perf: Fix inherit vs. context rotation bug

commit dddd3379a619a4cb8247bfd3c94ca9ae3797aa2e upstream.

It was found that sometimes children of tasks with inherited events had
one extra event. Eventually it turned out to be due to the list rotation
no being exclusive with the list iteration in the inheritance code.

Cure this by temporarily disabling the rotation while we inherit the events.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
LKML-Reference: <new-submission>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoStaging: batman-adv: ensure that eth_type_trans gets linear memory
Marek Lindner [Mon, 22 Nov 2010 11:34:49 +0000 (12:34 +0100)]
Staging: batman-adv: ensure that eth_type_trans gets linear memory

commit b6faaae1a15a352d68b3e3cd8b840e56709820bf upstream.

eth_type_trans tries to pull data with the length of the ethernet header
from the skb. We only ensured that enough data for the first ethernet
header and the batman header is available in non-paged memory of the skb
and not for the ethernet after the batman header.

eth_type_trans would fail sometimes with drivers which don't ensure that
all there data is perfectly linearised.

The failure was noticed through a kernel bug Oops generated by the
skb_pull inside eth_type_trans.

Reported-by: Rafal Lesniak <lesniak@eresi-project.org>
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
Signed-off-by: Sven Eckelmann <sven.eckelmann@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agostaging: rtl8187se: Change panic to warn when RF switch turned off
Larry Finger [Sat, 13 Nov 2010 19:01:56 +0000 (13:01 -0600)]
staging: rtl8187se: Change panic to warn when RF switch turned off

commit f36d83a8cb7224f45fdfa1129a616dff56479a09 upstream.

This driver issues a kernel panic over conditions that do not
justify such drastic action. Change these to log entries with
a stack dump.

This patch fixes the system crash reported in
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/674285.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-and-Tested-by: Robie Basik <rb-oss-3@justgohome.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoStaging: frontier: fix up some sysfs attribute permissions
Greg Kroah-Hartman [Tue, 16 Nov 2010 19:18:33 +0000 (11:18 -0800)]
Staging: frontier: fix up some sysfs attribute permissions

commit 3bad28ec006ad6ab2bca4e5103860b75391e3c9d and
2a767fda5d0d8dcff465724dfad6ee131489b3f2 upstream merged together.

They should not be writable by any user

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Taht <d@teklibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoStaging: samsung-laptop: fix up my fixup for some sysfs attribute permissions
Greg Kroah-Hartman [Thu, 18 Nov 2010 19:21:04 +0000 (11:21 -0800)]
Staging: samsung-laptop: fix up my fixup for some sysfs attribute permissions

commit 4d7bc388b44e42a1feafa35e50eef4f24d6ca59d upstream.

They should be writable by root, not readable.
Doh, stupid me with the wrong flags.

Reported-by: Jonathan Cameron <jic23@cam.ac.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoStaging: samsung-laptop: fix up some sysfs attribute permissions
Greg Kroah-Hartman [Tue, 16 Nov 2010 19:21:03 +0000 (11:21 -0800)]
Staging: samsung-laptop: fix up some sysfs attribute permissions

commit 90c05b97fdec8d2196e420d98f774bab731af7aa upstream.

They should not be writable by any user

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoStaging: iio: adis16220: fix up my fixup for some sysfs attribute permissions
Greg Kroah-Hartman [Thu, 18 Nov 2010 19:21:04 +0000 (11:21 -0800)]
Staging: iio: adis16220: fix up my fixup for some sysfs attribute permissions

commit c9e51d9e4bee3da47623622884f4828e079a0581 upstream.

They should be writable by root, not readable.
Doh, stupid me with the wrong flags.

Reported-by: Jonathan Cameron <jic23@cam.ac.uk>
Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
Cc: Barry Song <Barry.Song@analog.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoStaging: iio: adis16220: fix up some sysfs attribute permissions
Greg Kroah-Hartman [Tue, 16 Nov 2010 19:19:53 +0000 (11:19 -0800)]
Staging: iio: adis16220: fix up some sysfs attribute permissions

commit 1d904e8950c86e670ace237eaea1d48cd81e94df upstream.

They should not be writable by any user

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jonathan Cameron <jic23@cam.ac.uk>
Cc: Barry Song <Barry.Song@analog.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoStaging: udlfb: fix up some sysfs attribute permissions
Greg Kroah-Hartman [Tue, 16 Nov 2010 19:21:36 +0000 (11:21 -0800)]
Staging: udlfb: fix up some sysfs attribute permissions

commit cc9ca9dfddda46b1802d325891a69d7efdbe1f1e and
cc9ca9dfddda46b1802d325891a69d7efdbe1f1e upstream merged together.

They should not be writable by any user

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Bernie Thompson <bernie@plugable.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoRevert "vfs: show unreachable paths in getcwd and proc"
Eric W. Biederman [Sun, 5 Dec 2010 23:51:21 +0000 (15:51 -0800)]
Revert "vfs: show unreachable paths in getcwd and proc"

commit 7b2a69ba7055da9a04eb96aa7b38c8e3280aaaa5 upstream.

Because it caused a chroot ttyname regression in 2.6.36.

As of 2.6.36 ttyname does not work in a chroot.  It has already been
reported that screen breaks, and for me this breaks an automated
distribution testsuite, that I need to preserve the ability to run the
existing binaries on for several more years.  glibc 2.11.3 which has a
fix for this is not an option.

The root cause of this breakage is:

    commit 8df9d1a4142311c084ffeeacb67cd34d190eff74
    Author: Miklos Szeredi <mszeredi@suse.cz>
    Date:   Tue Aug 10 11:41:41 2010 +0200

    vfs: show unreachable paths in getcwd and proc

    Prepend "(unreachable)" to path strings if the path is not reachable
    from the current root.

    Two places updated are
     - the return string from getcwd()
     - and symlinks under /proc/$PID.

    Other uses of d_path() are left unchanged (we know that some old
    software crashes if /proc/mounts is changed).

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
So remove the nice sounding, but ultimately ill advised change to how
/proc/fd symlinks work.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomemcg: avoid deadlock between move charge and try_charge()
Daisuke Nishimura [Wed, 24 Nov 2010 20:57:06 +0000 (12:57 -0800)]
memcg: avoid deadlock between move charge and try_charge()

commit b1dd693e5b9348bd68a80e679e03cf9c0973b01b upstream.

__mem_cgroup_try_charge() can be called under down_write(&mmap_sem)(e.g.
mlock does it). This means it can cause deadlock if it races with move charge:

Ex.1)
                move charge             |        try charge
  --------------------------------------+------------------------------
    mem_cgroup_can_attach()             |  down_write(&mmap_sem)
      mc.moving_task = current          |    ..
      mem_cgroup_precharge_mc()         |  __mem_cgroup_try_charge()
        mem_cgroup_count_precharge()    |    prepare_to_wait()
          down_read(&mmap_sem)          |    if (mc.moving_task)
          -> cannot aquire the lock     |    -> true
                                        |      schedule()

Ex.2)
                move charge             |        try charge
  --------------------------------------+------------------------------
    mem_cgroup_can_attach()             |
      mc.moving_task = current          |
      mem_cgroup_precharge_mc()         |
        mem_cgroup_count_precharge()    |
          down_read(&mmap_sem)          |
          ..                            |
          up_read(&mmap_sem)            |
                                        |  down_write(&mmap_sem)
    mem_cgroup_move_task()              |    ..
      mem_cgroup_move_charge()          |  __mem_cgroup_try_charge()
        down_read(&mmap_sem)            |    prepare_to_wait()
        -> cannot aquire the lock       |    if (mc.moving_task)
                                        |    -> true
                                        |      schedule()

To avoid this deadlock, we do all the move charge works (both can_attach() and
attach()) under one mmap_sem section.
And after this patch, we set/clear mc.moving_task outside mc.lock, because we
use the lock only to check mc.from/to.

Signed-off-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoserial: mfd: adjust the baud rate setting
Feng Tang [Fri, 19 Nov 2010 03:01:48 +0000 (11:01 +0800)]
serial: mfd: adjust the baud rate setting

commit a5880a9e5bb40fbae55de60051d69a29091053c3 upstream.

Previous baud rate setting code only has been tested with 3.5M/9600/
115200/230400/460800 bps, and recently we got a 3M bps device to test,
which needs to modify current MUL register setting, and with this
patch 2.5M/2M/1.5M/1M/0.5M should also work as they just use a MUL
value scale down from 3M's.

Also got some reference register setting from silicon guys for
different baud rates, which tries to keep the pre-scalar register value
to 16.

Signed-off-by: Feng Tang <feng.tang@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoleds: fix bug with reading NAS SS4200 dmi code
Steven Rostedt [Wed, 24 Nov 2010 20:56:52 +0000 (12:56 -0800)]
leds: fix bug with reading NAS SS4200 dmi code

commit 50d431e8a15701b599c98afe2b464eb33c952477 upstream.

While running randconfg with ktest.pl I stumbled upon this bug:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000003
  IP: [<ffffffff815fe44f>] strstr+0x39/0x86
  PGD 0
  Oops: 0000 [#1] SMP
  last sysfs file:
  CPU 0
  Modules linked in:

  Pid: 1, comm: swapper Not tainted 2.6.37-rc1-test+ #6 DG965MQ/
  RIP: 0010:[<ffffffff815fe44f>]  [<ffffffff815fe44f>] strstr+0x39/0x86
  RSP: 0018:ffff8800797cbd80  EFLAGS: 00010213
  RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffffffffffff
  RDX: 0000000000000000 RSI: ffffffff82eb7ac9 RDI: 0000000000000003
  RBP: ffff8800797cbda0 R08: ffff880000000003 R09: 0000000000030725
  R10: ffff88007d294c00 R11: 0000000000014c00 R12: 0000000000000020
  R13: ffffffff82eb7ac9 R14: ffffffffffffffff R15: ffffffff82eb7b08
  FS:  0000000000000000(0000) GS:ffff88007d200000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
  CR2: 0000000000000003 CR3: 0000000002a1d000 CR4: 00000000000006f0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  Process swapper (pid: 1, threadinfo ffff8800797ca000, task ffff8800797d0000)
  Stack:
   00000000000000ba ffffffff82eb7ac9 ffffffff82eb7ab8 00000000000000ba
   ffff8800797cbdf0 ffffffff81e2050f ffff8800797cbdc0 00000000815f913b
   ffff8800797cbe00 ffffffff82eb7ab8 0000000000000000 0000000000000000
  Call Trace:
   [<ffffffff81e2050f>] dmi_matches+0x117/0x154
   [<ffffffff81e205d7>] dmi_check_system+0x3d/0x8d
   [<ffffffff82e1ad25>] ? nas_gpio_init+0x0/0x2c8
   [<ffffffff82e1ad49>] nas_gpio_init+0x24/0x2c8
   [<ffffffff820d750d>] ? wm8350_led_init+0x0/0x20
   [<ffffffff82e1ad25>] ? nas_gpio_init+0x0/0x2c8
   [<ffffffff810022f7>] do_one_initcall+0xab/0x1b2
   [<ffffffff82da749c>] kernel_init+0x248/0x331
   [<ffffffff8100e624>] kernel_thread_helper+0x4/0x10
   [<ffffffff82da7254>] ? kernel_init+0x0/0x331

Found that the nas_led_whitelist dmi_system_id structure array had no
NULL end delimiter, causing the dmi_check_system() loop to read an
undefined entry.

Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Acked-by: Dave Hansen <dave@sr71.net>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoARM: 6482/2: Fix find_next_zero_bit and related assembly
James Jones [Tue, 23 Nov 2010 23:21:37 +0000 (00:21 +0100)]
ARM: 6482/2: Fix find_next_zero_bit and related assembly

commit 0e91ec0c06d2cd15071a6021c94840a50e6671aa upstream.

The find_next_bit, find_first_bit, find_next_zero_bit
and find_first_zero_bit functions were not properly
clamping to the maxbit argument at the bit level. They
were instead only checking maxbit at the byte level.
To fix this, add a compare and a conditional move
instruction to the end of the common bit-within-the-
byte code used by all the functions and be sure not to
clobber the maxbit argument before it is used.

Reviewed-by: Nicolas Pitre <nicolas.pitre@linaro.org>
Tested-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: James Jones <jajones@nvidia.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoARM: 6489/1: thumb2: fix incorrect optimisation in usracc
Will Deacon [Fri, 19 Nov 2010 12:18:31 +0000 (13:18 +0100)]
ARM: 6489/1: thumb2: fix incorrect optimisation in usracc

commit 1142b71d85894dcff1466dd6c871ea3c89e0352c upstream.

Commit 8b592783 added a Thumb-2 variant of usracc which, when it is
called with \rept=2, calls usraccoff once with an offset of 0 and
secondly with a hard-coded offset of 4 in order to avoid incrementing
the pointer again. If \inc != 4 then we will store the data to the wrong
offset from \ptr. Luckily, the only caller that passes \rept=2 to this
function is __clear_user so we haven't been actively corrupting user data.

This patch fixes usracc to pass \inc instead of #4 to usraccoff
when it is called a second time.

Reported-by: Tony Thompson <tony.thompson@arm.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoARM: 6464/2: fix spinlock recursion in adjust_pte()
Mika Westerberg [Thu, 28 Oct 2010 10:45:22 +0000 (11:45 +0100)]
ARM: 6464/2: fix spinlock recursion in adjust_pte()

commit 4e54d93d3c9846ba1c2644ad06463dafa690d1b7 upstream.

When running following code in a machine which has VIVT caches and
USE_SPLIT_PTLOCKS is not defined:

  fd = open("/etc/passwd", O_RDONLY);
  addr = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);
  addr2 = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);

  v = *((int *)addr);

we will hang in spinlock recursion in the page fault handler:

  BUG: spinlock recursion on CPU#0, mmap_test/717
  lock: c5e295d8, .magic: dead4ead, .owner: mmap_test/717,
                  .owner_cpu: 0
  [<c0026604>] (unwind_backtrace+0x0/0xec)
  [<c014ee48>] (do_raw_spin_lock+0x40/0x140)
  [<c0027f68>] (update_mmu_cache+0x208/0x250)
  [<c0079db4>] (__do_fault+0x320/0x3ec)
  [<c007af7c>] (handle_mm_fault+0x2f0/0x6d8)
  [<c0027834>] (do_page_fault+0xdc/0x1cc)
  [<c00202d0>] (do_DataAbort+0x34/0x94)

This comes from the fact that when USE_SPLIT_PTLOCKS is not defined,
the only lock protecting the page tables is mm->page_table_lock
which is already locked before update_mmu_cache() is called.

Signed-off-by: Mika Westerberg <mika.westerberg@iki.fi>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoperf_events: Fix perf_counter_mmap() hook in mprotect()
Pekka Enberg [Mon, 8 Nov 2010 19:29:07 +0000 (21:29 +0200)]
perf_events: Fix perf_counter_mmap() hook in mprotect()

commit 63bfd7384b119409685a17d5c58f0b56e5dc03da upstream.

As pointed out by Linus, commit dab5855 ("perf_counter: Add mmap event hooks to
mprotect()") is fundamentally wrong as mprotect_fixup() can free 'vma' due to
merging. Fix the problem by moving perf_event_mmap() hook to
mprotect_fixup().

Note: there's another successful return path from mprotect_fixup() if old
flags equal to new flags. We don't, however, need to call
perf_event_mmap() there because 'perf' already knows the VMA is
executable.

Reported-by: Dave Jones <davej@redhat.com>
Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ingo Molnar <mingo@elte.hu>
Reviewed-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Pekka Enberg <penberg@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoDECnet: don't leak uninitialized stack byte
Dan Rosenberg [Tue, 23 Nov 2010 11:02:13 +0000 (11:02 +0000)]
DECnet: don't leak uninitialized stack byte

commit 3c6f27bf33052ea6ba9d82369fb460726fb779c0 upstream.

A single uninitialized padding byte is leaked to userspace.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agommc: fix rmmod race for hosts using card-detection polling
Guennadi Liakhovetski [Thu, 11 Nov 2010 16:32:25 +0000 (17:32 +0100)]
mmc: fix rmmod race for hosts using card-detection polling

commit d9bcbf343ec63e1104b5276195888ee06b4d086f upstream.

MMC hosts that poll for card detection by defining the MMC_CAP_NEEDS_POLL
flag have a race on rmmod, where the delayed work is cancelled without
waiting for completed polling. To prevent this a _sync version of the work
cancellation has to be used.

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Chris Ball <cjb@laptop.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox86: Ignore trap bits on single step exceptions
Frederic Weisbecker [Thu, 11 Nov 2010 20:18:43 +0000 (21:18 +0100)]
x86: Ignore trap bits on single step exceptions

commit 6c0aca288e726405b01dacb12cac556454d34b2a upstream.

When a single step exception fires, the trap bits, used to
signal hardware breakpoints, are in a random state.

These trap bits might be set if another exception will follow,
like a breakpoint in the next instruction, or a watchpoint in the
previous one. Or there can be any junk there.

So if we handle these trap bits during the single step exception,
we are going to handle an exception twice, or we are going to
handle junk.

Just ignore them in this case.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=21332

Reported-by: Michael Stefaniuc <mstefani@redhat.com>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Rafael J. Wysocki <rjw@sisk.pl>
Cc: Maciej Rutecki <maciej.rutecki@gmail.com>
Cc: Alexandre Julliard <julliard@winehq.org>
Cc: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoPM / PM QoS: Fix reversed min and max
Colin Cross [Mon, 15 Nov 2010 21:45:22 +0000 (22:45 +0100)]
PM / PM QoS: Fix reversed min and max

commit 00fafcda1773245a5292f953321ec3f0668c8c28 upstream.

pm_qos_get_value had min and max reversed, causing all pm_qos
requests to have no effect.

Signed-off-by: Colin Cross <ccross@android.com>
Acked-by: mark <markgross@thegnar.org>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonommu: yield CPU while disposing VM
Steven J. Magnani [Wed, 24 Nov 2010 20:56:54 +0000 (12:56 -0800)]
nommu: yield CPU while disposing VM

commit 04c3496152394d17e3bc2316f9731ee3e8a026bc upstream.

Depending on processor speed, page size, and the amount of memory a
process is allowed to amass, cleanup of a large VM may freeze the system
for many seconds.  This can result in a watchdog timeout.

Make sure other tasks receive some service when cleaning up large VMs.

Signed-off-by: Steven J. Magnani <steve@digidescorp.com>
Cc: Greg Ungerer <gerg@snapgear.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agobacklight: grab ops_lock before testing bd->ops
Uwe Kleine-König [Wed, 24 Nov 2010 20:57:14 +0000 (12:57 -0800)]
backlight: grab ops_lock before testing bd->ops

commit d1d73578e053b981c3611e5a211534290d24a5eb upstream.

According to the comment describing ops_lock in the definition of struct
backlight_device and when comparing with other functions in backlight.c
the mutex must be hold when checking ops to be non-NULL.

Fixes a problem added by c835ee7f4154992e6 ("backlight: Add suspend/resume
support to the backlight core") in Jan 2009.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agouml: disable winch irq before freeing handler data
Will Newton [Wed, 24 Nov 2010 20:56:55 +0000 (12:56 -0800)]
uml: disable winch irq before freeing handler data

commit 69e83dad5207f8f03c9699e57e1febb114383cb8 upstream.

Disable the winch irq early to make sure we don't take an interrupt part
way through the freeing of the handler data, resulting in a crash on
shutdown:

  winch_interrupt : read failed, errno = 9
  fd 13 is losing SIGWINCH support
  ------------[ cut here ]------------
  WARNING: at lib/list_debug.c:48 list_del+0xc6/0x100()
  list_del corruption, next is LIST_POISON1 (00100100)
  082578c8:  [<081fd77f>] dump_stack+0x22/0x24
  082578e0:  [<0807a18a>] warn_slowpath_common+0x5a/0x80
  08257908:  [<0807a23e>] warn_slowpath_fmt+0x2e/0x30
  08257920:  [<08172196>] list_del+0xc6/0x100
  08257940:  [<08060244>] free_winch+0x14/0x80
  08257958:  [<080606fb>] winch_interrupt+0xdb/0xe0
  08257978:  [<080a65b5>] handle_IRQ_event+0x35/0xe0
  08257998:  [<080a8717>] handle_edge_irq+0xb7/0x170
  082579bc:  [<08059bc4>] do_IRQ+0x34/0x50
  082579d4:  [<08059e1b>] sigio_handler+0x5b/0x80
  082579ec:  [<0806a374>] sig_handler_common+0x44/0xb0
  08257a68:  [<0806a538>] sig_handler+0x38/0x50
  08257a78:  [<0806a77c>] handle_signal+0x5c/0xa0
  08257a9c:  [<0806be28>] hard_handler+0x18/0x20
  08257aac:  [<00c14400>] 0xc14400

Signed-off-by: Will Newton <will.newton@gmail.com>
Acked-by: WANG Cong <xiyou.wangcong@gmail.com>
Cc: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: fix timeout on stopping rx dma
Felix Fietkau [Sat, 20 Nov 2010 02:08:47 +0000 (03:08 +0100)]
ath9k: fix timeout on stopping rx dma

commit d47844a014fada1a788719f6426bc7044f2a0fd8 upstream.

It seems that using ath9k_hw_stoppcurecv to stop rx dma is not enough.
When it's time to stop DMA, the PCU is still busy, so the rx enable
bit never clears.
Using ath9k_hw_abortpcurecv helps with getting rx stopped much faster,
with this change, I cannot reproduce the rx stop related WARN_ON anymore.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocifs: fix parsing of hostname in dfs referrals
Jeff Layton [Tue, 30 Nov 2010 20:14:48 +0000 (15:14 -0500)]
cifs: fix parsing of hostname in dfs referrals

commit ba03864872691c0bb580a7fb47388da337ef4aa2 upstream.

The DFS referral parsing code does a memchr() call to find the '\\'
delimiter that separates the hostname in the referral UNC from the
sharename. It then uses that value to set the length of the hostname via
pointer subtraction.  Instead of subtracting the start of the hostname
however, it subtracts the start of the UNC, which causes the code to
pass in a hostname length that is 2 bytes too long.

Regression introduced in commit 1a4240f4.

Reported-and-Tested-by: Robbert Kouprie <robbert@exx.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Cc: Wang Lei <wang840925@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocifs: fix another memleak, in cifs_root_iget
Oskar Schirmer [Wed, 10 Nov 2010 21:06:13 +0000 (21:06 +0000)]
cifs: fix another memleak, in cifs_root_iget

commit a7851ce73b9fdef53f251420e6883cf4f3766534 upstream.

cifs_root_iget allocates full_path through
cifs_build_path_to_root, but fails to kfree it upon
cifs_get_inode_info* failure.

Make all failure exit paths traverse clean up
handling at the end of the function.

Signed-off-by: Oskar Schirmer <oskar@scara.com>
Reviewed-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomm/hugetlb.c: avoid double unlock_page() in hugetlb_fault()
Dean Nelson [Thu, 2 Dec 2010 22:31:12 +0000 (14:31 -0800)]
mm/hugetlb.c: avoid double unlock_page() in hugetlb_fault()

commit 1f64d69c7ad2e48e697493e45590679f7a69b7b2 upstream.

Have hugetlb_fault() call unlock_page(page) only if it had previously
called lock_page(page).

Setting CONFIG_DEBUG_VM=y and then running the libhugetlbfs test suite,
resulted in the tripping of VM_BUG_ON(!PageLocked(page)) in
unlock_page() having been called by hugetlb_fault() when page ==
pagecache_page.  This patch remedied the problem.

Signed-off-by: Dean Nelson <dnelson@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodo_exit(): make sure that we run with get_fs() == USER_DS
Nelson Elhage [Thu, 2 Dec 2010 22:31:21 +0000 (14:31 -0800)]
do_exit(): make sure that we run with get_fs() == USER_DS

commit 33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 upstream.

If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
otherwise reset before do_exit().  do_exit may later (via mm_release in
fork.c) do a put_user to a user-controlled address, potentially allowing
a user to leverage an oops into a controlled write into kernel memory.

This is only triggerable in the presence of another bug, but this
potentially turns a lot of DoS bugs into privilege escalations, so it's
worth fixing.  I have proof-of-concept code which uses this bug along
with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
I've tested that this is not theoretical.

A more logical place to put this fix might be when we know an oops has
occurred, before we call do_exit(), but that would involve changing
every architecture, in multiple places.

Let's just stick it in do_exit instead.

[akpm@linux-foundation.org: update code comment]
Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocs5535-gpio: apply CS5536 errata workaround for GPIOs
Andres Salomon [Thu, 2 Dec 2010 22:31:17 +0000 (14:31 -0800)]
cs5535-gpio: apply CS5536 errata workaround for GPIOs

commit 853ff88324a248a9f5da6e110850223db353ec07 upstream.

The AMD Geode CS5536 Companion Device Silicon Revision B1 Specification
Update mentions the follow as issue #36:

 "Atomic write transactions to the atomic GPIO High Bank Feature Bit
  registers should only affect the bits selected [...]"

 "after Suspend, an atomic write transaction [...] will clear all
  non-selected bits of the accessed register."

In other words, writing to the high bank for a single GPIO bit will
clear every other GPIO bit (but only sometimes after a suspend).

The workaround described is obvious and simple; do a read-modify-write.
This patch does that, and documents why we're doing it.

Signed-off-by: Andres Salomon <dilinger@queued.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agofuse: fix attributes after open(O_TRUNC)
Ken Sumrall [Wed, 24 Nov 2010 20:57:00 +0000 (12:57 -0800)]
fuse: fix attributes after open(O_TRUNC)

commit a0822c55779d9319939eac69f00bb729ea9d23da upstream.

The attribute cache for a file was not being cleared when a file is opened
with O_TRUNC.

If the filesystem's open operation truncates the file ("atomic_o_trunc"
feature flag is set) then the kernel should invalidate the cached st_mtime
and st_ctime attributes.

Also i_size should be explicitly be set to zero as it is used sometimes
without refreshing the cache.

Signed-off-by: Ken Sumrall <ksumrall@android.com>
Cc: Anfei <anfei.zhou@gmail.com>
Cc: "Anand V. Avati" <avati@gluster.com>
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosaa7134: Fix autodetect for Behold A7 and H7 TV cards
Dmitri Belimov [Tue, 26 Oct 2010 03:31:40 +0000 (00:31 -0300)]
saa7134: Fix autodetect for Behold A7 and H7 TV cards

commit 35bbe587d0959712b69540077c9e0fd27d3e6baf upstream.

The entries for those cards are after the generic entries,
so they don't work, in practice. Moving them to happen before the
generic entres fix the issue.

Signed-off-by: Beholder Intl. Ltd. Dmitry Belimov <d.belimov@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoPNPACPI: cope with invalid device IDs
Dmitry Torokhov [Sat, 18 Sep 2010 17:11:09 +0000 (10:11 -0700)]
PNPACPI: cope with invalid device IDs

commit 420a0f66378c84b00b0e603e4d38210102dbe367 upstream.

If primary ID (HID) is invalid try locating first valid ID on compatible
ID list before giving up.

This helps, for example, to recognize i8042 AUX port on Sony Vaio VPCZ1
which uses SNYSYN0003 as HID. Without the patch users are forced to
boot with i8042.nopnp to make use of their touchpads.

Tested-by: Jan-Hendrik Zab <jan@jhz.name>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoACPI: debugfs custom_method open to non-root
Dave Jones [Sat, 13 Nov 2010 05:58:54 +0000 (00:58 -0500)]
ACPI: debugfs custom_method open to non-root

commit ed3aada1bf34c5a9e98af167f125f8a740fc726a upstream.

Currently we have:

  --w--w--w-. 1 root root 0 2010-11-11 14:56 /sys/kernel/debug/acpi/custom_method

which is just crazy. Change this to --w-------.

Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoacpi-cpufreq: fix a memleak when unloading driver
Zhang Rui [Tue, 12 Oct 2010 01:09:37 +0000 (09:09 +0800)]
acpi-cpufreq: fix a memleak when unloading driver

commit dab5fff14df2cd16eb1ad4c02e83915e1063fece upstream.

We didn't free per_cpu(acfreq_data, cpu)->freq_table
when acpi_freq driver is unloaded.

Resulting in the following messages in /sys/kernel/debug/kmemleak:

unreferenced object 0xf6450e80 (size 64):
  comm "modprobe", pid 1066, jiffies 4294677317 (age 19290.453s)
  hex dump (first 32 bytes):
    00 00 00 00 e8 a2 24 00 01 00 00 00 00 9f 24 00  ......$.......$.
    02 00 00 00 00 6a 18 00 03 00 00 00 00 35 0c 00  .....j.......5..
  backtrace:
    [<c123ba97>] kmemleak_alloc+0x27/0x50
    [<c109f96f>] __kmalloc+0xcf/0x110
    [<f9da97ee>] acpi_cpufreq_cpu_init+0x1ee/0x4e4 [acpi_cpufreq]
    [<c11cd8d2>] cpufreq_add_dev+0x142/0x3a0
    [<c11920b7>] sysdev_driver_register+0x97/0x110
    [<c11cce56>] cpufreq_register_driver+0x86/0x140
    [<f9dad080>] 0xf9dad080
    [<c1001130>] do_one_initcall+0x30/0x160
    [<c10626e9>] sys_init_module+0x99/0x1e0
    [<c1002d97>] sysenter_do_call+0x12/0x26
    [<ffffffff>] 0xffffffff

https://bugzilla.kernel.org/show_bug.cgi?id=15807#c21

Tested-by: Toralf Forster <toralf.foerster@gmx.de>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoACPI battery: support percentage battery remaining capacity
Zhang Rui [Fri, 22 Oct 2010 02:02:06 +0000 (10:02 +0800)]
ACPI battery: support percentage battery remaining capacity

commit 557d58687dcdee6bc00c1a8f1fd4e0eac8fefce9 upstream.

According to the ACPI spec, some kinds of primary battery can
report percentage battery remaining capacity directly to OS.

In this case, it reports the LastFullChargedCapacity == 100,
BatteryPresentRate = 0xFFFFFFFF, and BatteryRemaingCapacity a
percentage value, which actually means RemainingBatteryPercentage.

Now we found some battery follows this rule even if it's a rechargeable.
https://bugzilla.kernel.org/show_bug.cgi?id=15979

Handle these batteries correctly in ACPI battery driver
so that they won't break userspace.

Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Tested-by: Sitsofe Wheeler <sitsofe@yahoo.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoACPI: install ACPI table handler before any dynamic tables being loaded
Zhang Rui [Tue, 26 Oct 2010 02:06:54 +0000 (10:06 +0800)]
ACPI: install ACPI table handler before any dynamic tables being loaded

commit b1d248d96c71665c79befb81207f38f894c7c082 upstream.

ACPI table sysfs I/F is broken by commit

78f1699659963fff97975df44db6d5dbe7218e55
Author: Alex Chiang <achiang@hp.com>
Date:   Sun Dec 20 12:19:09 2009 -0700
    ACPI: processor: call _PDC early

because dynamic SSDT tables may be loaded in _PDC,
before installing the ACPI table handler.
As a result, the sysfs I/F of these dynamic tables are
located at  /sys/firmware/acpi/tables instead of
/sys/firmware/acpi/tables/dynamic, which is not true.

Invoke acpi_sysfs_init() before acpi_early_processor_set_pdc(),
so that the table handler is installed before any dynamic tables loaded.

https://bugzilla.kernel.org/show_bug.cgi?id=21142

CC: Dennis Jansen <dennis.jansen@web.de>
CC: Alex Chiang <achiang@hp.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoe1000: fix screaming IRQ
Anupam Chanda [Sun, 21 Nov 2010 17:54:21 +0000 (09:54 -0800)]
e1000: fix screaming IRQ

commit ab08853fab2093e5c6f5de56827a4c93dce4b055 upstream.

VMWare reports that the e1000 driver has a bug when bringing down the
interface, such that interrupts are not disabled in the hardware but the
driver stops reporting that it consumed the interrupt.

The fix is to set the driver's "down" flag later in the routine,
after all the timers and such have exited, preventing the interrupt
handler from being called and exiting early without handling the
interrupt.

CC: Anupam Chanda <anupamc@vmware.com>
Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: fix autosuspend bug in usb-serial
Alan Stern [Mon, 29 Nov 2010 15:17:22 +0000 (10:17 -0500)]
USB: fix autosuspend bug in usb-serial

commit abf03184a31a3286fc0ab30f838ddee8ba9f9b7b upstream.

This patch (as1437) fixes a bug in the usb-serial autosuspend
handling.  Since the usb-serial core now has autosuspend support, it
must set the .supports_autosuspend member in every serial driver it
registers.  Otherwise the usb_autopm_get_interface() call won't work.

This fixes Bugzilla #23012.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Kevin Smith <thirdwiggin@gmail.com>
Reported-and-tested-by: Simon Gerber <gesimu@gmail.com>
Reported-and-tested-by: Matteo Croce <matteo@openwrt.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: serial: ftdi_sio: Vardaan USB RS422/485 converter PID added
Jacques Viviers [Wed, 24 Nov 2010 09:56:38 +0000 (11:56 +0200)]
USB: serial: ftdi_sio: Vardaan USB RS422/485 converter PID added

commit 6fdbad8021151a9e93af8159a6232c8f26415c09 upstream.

Add the PID for the Vardaan Enterprises VEUSB422R3 USB to RS422/485
converter. It uses the same chip as the FTDI_8U232AM_PID 0x6001.

This should also work with the stable branches for:
2.6.31, 2.6.32, 2.6.33, 2.6.34, 2.6.35, 2.6.36

Signed-off-by: Jacques Viviers <jacques.viviers@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: ftdi_sio: Add ID for RT Systems USB-29B radio cable
Michael Stuermer [Wed, 17 Nov 2010 23:45:43 +0000 (00:45 +0100)]
USB: ftdi_sio: Add ID for RT Systems USB-29B radio cable

commit 28942bb6a9dd4e2ed793675e515cfb8297ed355b upstream.

Another variant of the RT Systems programming cable for ham radios.

Signed-off-by: Michael Stuermer <ms@mallorn.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: misc: usbsevseg: fix up some sysfs attribute permissions
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:36:44 +0000 (11:36 -0800)]
USB: misc: usbsevseg: fix up some sysfs attribute permissions

commit e24d7ace4e822debcb78386bf279c9aba4d7fbd1 upstream.

They should not be writable by any user.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Harrison Metzger <harrisonmetz@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: misc: trancevibrator: fix up a sysfs attribute permission
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:34:26 +0000 (11:34 -0800)]
USB: misc: trancevibrator: fix up a sysfs attribute permission

commit d489a4b3926bad571d404ca6508f6744b9602776 upstream.

It should not be writable by any user.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Sam Hocevar <sam@zoy.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: misc: usbled: fix up some sysfs attribute permissions
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:35:49 +0000 (11:35 -0800)]
USB: misc: usbled: fix up some sysfs attribute permissions

commit 48f115470e68d443436b76b22dad63ffbffd6b97 upstream.

They should not be writable by any user.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: misc: cypress_cy7c63: fix up some sysfs attribute permissions
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:32:38 +0000 (11:32 -0800)]
USB: misc: cypress_cy7c63: fix up some sysfs attribute permissions

commit c990600d340641150f7270470a64bd99a5c0b225 upstream.

They should not be writable by any user.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Oliver Bock <bock@tfh-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: atm: ueagle-atm: fix up some permissions on the sysfs files
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:11:45 +0000 (11:11 -0800)]
USB: atm: ueagle-atm: fix up some permissions on the sysfs files

commit e502ac5e1eca99d7dc3f12b2a6780ccbca674858 upstream.

Some of the sysfs files had the incorrect permissions.  Some didn't make
sense at all (writable for a file that you could not write to?)

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matthieu Castet <castet.matthieu@free.fr>
Cc: Stanislaw Gruszka <stf_xl@wp.pl>
Cc: Damien Bergamini <damien.bergamini@free.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: storage: sierra_ms: fix sysfs file attribute
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:17:52 +0000 (11:17 -0800)]
USB: storage: sierra_ms: fix sysfs file attribute

commit d9624e75f6ad94d8a0718c1fafa89186d271a78c upstream.

A non-writable sysfs file shouldn't have writable attributes.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kevin Lloyd <klloyd@sierrawireless.com>
Cc: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: ehci: disable LPM and PPCD for nVidia MCP89 chips
Brian J. Tarricone [Mon, 22 Nov 2010 05:15:52 +0000 (21:15 -0800)]
USB: ehci: disable LPM and PPCD for nVidia MCP89 chips

commit a85b4e7f4481c5a1ca89fa63c9c871151965075e upstream.

Tested on MacBookAir3,1.  Without this, we get EPROTO errors when
fetching device config descriptors.

Signed-off-by: Brian Tarricone <brian@tarricone.org>
Reported-by: Benoit Gschwind <gschwind@gnu-log.net>
Tested-by: Edgar Hucek <gimli@dark-green.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: EHCI: fix obscure race in ehci_endpoint_disable
Alan Stern [Tue, 16 Nov 2010 15:57:37 +0000 (10:57 -0500)]
USB: EHCI: fix obscure race in ehci_endpoint_disable

commit 02e2c51ba3e80acde600721ea784c3ef84da5ea1 upstream.

This patch (as1435) fixes an obscure and unlikely race in ehci-hcd.
When an async URB is unlinked, the corresponding QH is removed from
the async list.  If the QH's endpoint is then disabled while the URB
is being given back, ehci_endpoint_disable() won't find the QH on the
async list, causing it to believe that the QH has been lost.  This
will lead to a memory leak at best and quite possibly to an oops.

The solution is to trust usbcore not to lose track of endpoints.  If
the QH isn't on the async list then it doesn't need to be taken off
the list, but the driver should still wait for the QH to become IDLE
before disabling it.

In theory this fixes Bugzilla #20182.  In fact the race is so rare
that it's not possible to tell whether the bug is still present.
However, adding delays and making other changes to force the race
seems to show that the patch works.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
CC: David Brownell <david-b@pacbell.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: ehci: fix debugfs 'lpm' permissions
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:15:11 +0000 (11:15 -0800)]
USB: ehci: fix debugfs 'lpm' permissions

commit 723b991a62d94f74c9f19abd3da6e937288eb969 upstream.

The permissions for the lpm debugfs file is incorrect, this fixes it.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alek Du <alek.du@intel.com>
Cc: Jacob Pan <jacob.jun.pan@intel.com>
Cc: David Brownell <dbrownell@users.sourceforge.net>
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoStaging: rt2870: Add USB ID for Buffalo Airstation WLI-UC-GN
John Tapsell [Thu, 25 Mar 2010 13:30:45 +0000 (13:30 +0000)]
Staging: rt2870: Add USB ID for Buffalo Airstation WLI-UC-GN

commit 251d380034c6c34efe75ffb89d863558ba68ec6a upstream.

BugLink: http://bugs.launchpad.net/bugs/441990
This was tested to successfully enable the hardware.

Signed-off-by: John Tapsell <johnflux@gmail.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: ohci-jz4740: Fix spelling in MODULE_ALIAS
Stefan Weil [Sun, 7 Nov 2010 21:14:31 +0000 (22:14 +0100)]
USB: ohci-jz4740: Fix spelling in MODULE_ALIAS

commit 1c0a38038e8fcfaa6b5a81d53a4898f3f939f582 upstream.

platfrom -> platform

Cc: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Stefan Weil <weil@mail.berlios.de>
Reviewed-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agousb: core: fix information leak to userland
Vasiliy Kulikov [Sat, 6 Nov 2010 14:41:28 +0000 (17:41 +0300)]
usb: core: fix information leak to userland

commit 886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream.

Structure usbdevfs_connectinfo is copied to userland with padding byted
after "slow" field uninitialized.  It leads to leaking of contents of
kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agousb: misc: iowarrior: fix information leak to userland
Vasiliy Kulikov [Sat, 6 Nov 2010 14:41:31 +0000 (17:41 +0300)]
usb: misc: iowarrior: fix information leak to userland

commit eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream.

Structure iowarrior_info is copied to userland with padding byted
between "serial" and "revision" fields uninitialized.  It leads to
leaking of contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Acked-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agousb: misc: sisusbvga: fix information leak to userland
Vasiliy Kulikov [Sat, 6 Nov 2010 14:41:35 +0000 (17:41 +0300)]
usb: misc: sisusbvga: fix information leak to userland

commit 5dc92cf1d0b4b0debbd2e333b83f9746c103533d upstream.

Structure sisusb_info is copied to userland with "sisusb_reserved" field
uninitialized.  It leads to leaking of contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: option: fix when the driver is loaded incorrectly for some Huawei devices.
ma rui [Mon, 1 Nov 2010 03:32:18 +0000 (11:32 +0800)]
USB: option: fix when the driver is loaded incorrectly for some Huawei devices.

commit 58c0d9d70109bd7e82bdb9517007311a48499960 upstream.

When huawei datacard with PID 0x14AC is insterted into Linux system, the
present kernel will load the "option" driver to all the interfaces. But
actually, some interfaces run as other function and do not need "option"
driver.

In this path, we modify the id_tables, when the PID is 0x14ac ,VID is
0x12d1, Only when the interface's Class is 0xff,Subclass is 0xff, Pro is
0xff, it does need "option" driver.

Signed-off-by: ma rui <m00150988@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: ftdi_sio: add device IDs for Milkymist One JTAG/serial
Sebastien Bourdeauducq [Wed, 3 Nov 2010 10:54:12 +0000 (11:54 +0100)]
USB: ftdi_sio: add device IDs for Milkymist One JTAG/serial

commit 7fea0f714ffb3f303d4b66933af2df2f5584c9bf upstream.

Add the USB IDs for the Milkymist One FTDI-based JTAG/serial adapter
(http://projects.qi-hardware.com/index.php/p/mmone-jtag-serial-cable/)
to the ftdi_sio driver and disable the first serial channel (used as
JTAG from userspace).

Signed-off-by: Sebastien Bourdeauducq <sebastien@milkymist.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agousb: musb: fix kernel oops when loading musb_hdrc module for the 2nd time
Ming Lei [Wed, 27 Oct 2010 14:42:32 +0000 (09:42 -0500)]
usb: musb: fix kernel oops when loading musb_hdrc module for the 2nd time

commit b212091474a5f967979e62c5c24687ee4d0342d9 upstream.

musb driver still may write MUSB_DEVCTL register after clock is disabled
in musb_platform_exit, which may cause the kernel oops[1] when musb_hdrc
module is loaded for the 2nd time.

The patch fixes the kernel oops in this case.

[1] kernel oops when loading musb_hdrc module for the 2nd time

[   93.380279] musb_hdrc: version 6.0, musb-dma, otg (peripheral+host), debug=5
[   93.387847] bus: 'platform': add driver musb_hdrc
[   93.388153] bus: 'platform': driver_probe_device: matched device musb_hdrc with driver musb_hdrc
[   93.388183] bus: 'platform': really_probe: probing driver musb_hdrc with device musb_hdrc
[   93.405090] HS USB OTG: revision 0x33, sysconfig 0x2010, sysstatus 0x1, intrfsel 0x1, simenable  0x0
[   93.405364] musb_hdrc: ConfigData=0xde (UTMI-8, dyn FIFOs, bulk combine, bulk split, HB-ISO Rx, HB-ISO Tx, SoftConn)
[   93.405395] musb_hdrc: MHDRC RTL version 1.400
[   93.405426] musb_hdrc: setup fifo_mode 3
[   93.405456] musb_hdrc: 7/31 max ep, 3648/16384 memory
[   93.405487] musb_core_init 1524: musb_hdrc: hw_ep 0shared, max 64
[   93.405487] musb_core_init 1524: musb_hdrc: hw_ep 1tx, doublebuffer, max 512
[   93.405517] musb_core_init 1533: musb_hdrc: hw_ep 1rx, doublebuffer, max 512
[   93.405548] musb_core_init 1524: musb_hdrc: hw_ep 2tx, max 512
[   93.405578] musb_core_init 1533: musb_hdrc: hw_ep 2rx, max 512
[   93.405578] musb_core_init 1524: musb_hdrc: hw_ep 3shared, max 256
[   93.405609] musb_core_init 1524: musb_hdrc: hw_ep 4shared, max 256
[   93.405853] musb_platform_try_idle 133: b_idle inactive, for idle timer for 7 ms
[   93.405944] device: 'gadget': device_add
[   93.406921] PM: Adding info for No Bus:gadget
[   93.406951] musb_init_controller 2136: OTG mode, status 0, dev80
[   93.407379] musb_do_idle 51: musb_do_idle: state=1
[   93.408233] musb_hdrc musb_hdrc: USB OTG mode controller at fa0ab000 using DMA, IRQ 92
[   93.416656] driver: 'musb_hdrc': driver_bound: bound to device 'musb_hdrc'
[   93.416687] bus: 'platform': really_probe: bound device musb_hdrc to driver musb_hdrc
[  124.486938] bus: 'platform': remove driver musb_hdrc
[  124.490509] twl4030_usb twl4030_usb: twl4030_phy_suspend
[  124.491424] device: 'gadget': device_unregister
[  124.491424] PM: Removing info for No Bus:gadget
[  124.495269]  gadget: musb_gadget_release
[  124.498992] driver: 'musb_hdrc': driver_release
[  129.569366] musb_hdrc: version 6.0, musb-dma, otg (peripheral+host), debug=5
[  129.576934] bus: 'platform': add driver musb_hdrc
[  129.577209] bus: 'platform': driver_probe_device: matched device musb_hdrc with driver musb_hdrc
[  129.577239] bus: 'platform': really_probe: probing driver musb_hdrc with device musb_hdrc
[  129.592651] twl4030_usb twl4030_usb: twl4030_phy_resume
[  129.592681] Unhandled fault: external abort on non-linefetch (0x1028) at 0xfa0ab404
[  129.600830] Internal error: : 1028 [#1]
[  129.604858] last sysfs file: /sys/devices/platform/i2c_omap.3/i2c-3/i2c-dev/i2c-3/dev
[  129.613067] Modules linked in: musb_hdrc(+) [last unloaded: musb_hdrc]
[  129.619964] CPU: 0    Not tainted  (2.6.36-next-20101021+ #372)
[  129.626281] PC is at musb_platform_init+0xb0/0x1c8 [musb_hdrc]
[  129.632415] LR is at mark_held_locks+0x64/0x94
[  129.637084] pc : [<bf032198>]    lr : [<c00ad7c4>]    psr: 20000013
[  129.637084] sp : c6d5fcb0  ip : c6d5fc38  fp : c6d5fcd4
[  129.649139] r10: c6e72180  r9 : fa0ab000  r8 : c05612e8
[  129.654602] r7 : 0000005c  r6 : c0559cc8  r5 : c6e72180  r4 : c0561548
[  129.661468] r3 : 04d60047  r2 : fa0ab000  r1 : c07169d8  r0 : 00000000
[  129.668304] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[  129.675811] Control: 10c5387d  Table: 86e4c019  DAC: 00000015
[  129.681823] Process insmod (pid: 554, stack limit = 0xc6d5e2f0)
[  129.688049] Stack: (0xc6d5fcb0 to 0xc6d60000)
[  129.692626] fca0:                                     fa0ab000 c0555c54 c6d5fcd4 c0561548
[  129.701202] fcc0: 00000003 c05612e0 c6d5fe04 c6d5fcd8 bf03140c bf0320f4 c6d5fd9c c6d5fce8
[  129.709808] fce0: c015cb94 c041448c c06d9d10 ffffffff c6d5fd14 c6d5fd00 c00adbec c6d5fd40
[  129.718383] fd00: c015d478 c6d5fdb0 c6d5fd24 c00a9d18 c6d5e000 60000013 bf02a4ac c05612bc
[  129.726989] fd20: c0414fb4 c00a9cf0 c6d5fd54 c6d5fd38 c015bbdc c0244280 c6e8b7b0 c7929330
[  129.735565] fd40: c6d5fdb0 c6d5fdb0 c6d5fd7c c6e7227c c015c010 c015bb90 c015c2ac c6d5fdb0
[  129.744171] fd60: c7929330 c6d5fdb0 c7929330 c6e8b7b0 c6d5fd9c 00000000 c7929330 c6e8b7b0
[  129.752746] fd80: c6d5fdb0 00000000 00000001 00000000 c6d5fde4 c6d5fda0 c015d478 c015cb74
[  129.761322] fda0: c056138c 00000000 c6d5fdcc c6d5fdb8 c7929330 00000000 c056138c c05612e8
[  129.769927] fdc0: 00000000 c05612f0 c0c5d62c c06f6e00 c73217c0 00000000 c6d5fdf4 c05612e8
[  129.778503] fde0: c05612e8 bf02a2e4 c0c5d62c c06f6e00 c73217c0 00000000 c6d5fe14 c6d5fe08
[  129.787109] fe00: c029a398 bf0311c8 c6d5fe4c c6d5fe18 c0299120 c029a384 c7919140 22222222
[  129.795684] fe20: c6d5fe4c c05612e8 c056131c bf02a2e4 c0299278 c06f6e00 c73217c0 00000000
[  129.804290] fe40: c6d5fe6c c6d5fe50 c0299314 c0299020 00000000 c6d5fe70 bf02a2e4 c0299278
[  129.812866] fe60: c6d5fe94 c6d5fe70 c02987d4 c0299284 c7825060 c78c6618 00000000 bf02a2e4
[  129.821441] fe80: c06e4c98 00000000 c6d5fea4 c6d5fe98 c0298ea4 c0298778 c6d5fedc c6d5fea8
[  129.830047] fea0: c0297f84 c0298e8c bf02716c 000b9008 bf02a2e4 bf02a2d0 000b9008 bf02a2e4
[  129.838623] fec0: 00000000 c06f6e00 bf031000 00000000 c6d5fefc c6d5fee0 c0299614 c0297ec0
[  129.847229] fee0: bf02a2d0 000b9008 bf02a388 00000000 c6d5ff0c c6d5ff00 c029a868 c02995a8
[  129.855804] ff00: c6d5ff24 c6d5ff10 c029a88c c029a818 0010281c 000b9008 c6d5ff34 c6d5ff28
[  129.864410] ff20: bf03104c c029a878 c6d5ff7c c6d5ff38 c00463dc bf03100c 00000000 00000000
[  129.872985] ff40: 00000000 0010281c 000b9008 bf02a388 00000000 0010281c 000b9008 bf02a388
[  129.881591] ff60: 00000000 c00521c8 c6d5e000 00000000 c6d5ffa4 c6d5ff80 c00bb9b8 c00463ac
[  129.890167] ff80: c00adc88 c00ada68 00097e8e bebbfcf4 0010281c 00000080 00000000 c6d5ffa8
[  129.898742] ffa0: c0052000 c00bb908 00097e8e bebbfcf4 402c9008 0010281c 000b9008 bebbfe5a
[  129.907348] ffc0: 00097e8e bebbfcf4 0010281c 00000080 00000014 bebbfcf4 bebbfe06 0000005b
[  129.915924] ffe0: bebbf9a0 bebbf990 0001a108 40263ec0 60000010 402c9008 011b0000 0000007c
[  129.924499] Backtrace:
[  129.927185] [<bf0320e8>] (musb_platform_init+0x0/0x1c8 [musb_hdrc]) from [<bf03140c>] (musb_probe+0x250/0xf2c [musb_hdrc])
[  129.938781]  r6:c05612e0 r5:00000003 r4:c0561548
[  129.943695] [<bf0311bc>] (musb_probe+0x0/0xf2c [musb_hdrc]) from [<c029a398>] (platform_drv_probe+0x20/0x24)
[  129.954040] [<c029a378>] (platform_drv_probe+0x0/0x24) from [<c0299120>] (driver_probe_device+0x10c/0x264)
[  129.964172] [<c0299014>] (driver_probe_device+0x0/0x264) from [<c0299314>] (__driver_attach+0x9c/0xa0)
[  129.973968] [<c0299278>] (__driver_attach+0x0/0xa0) from [<c02987d4>] (bus_for_each_dev+0x68/0x94)
[  129.983367]  r7:c0299278 r6:bf02a2e4 r5:c6d5fe70 r4:00000000
[  129.989349] [<c029876c>] (bus_for_each_dev+0x0/0x94) from [<c0298ea4>] (driver_attach+0x24/0x28)
[  129.998565]  r7:00000000 r6:c06e4c98 r5:bf02a2e4 r4:00000000
[  130.004547] [<c0298e80>] (driver_attach+0x0/0x28) from [<c0297f84>] (bus_add_driver+0xd0/0x274)
[  130.013671] [<c0297eb4>] (bus_add_driver+0x0/0x274) from [<c0299614>] (driver_register+0x78/0x158)
[  130.023101] [<c029959c>] (driver_register+0x0/0x158) from [<c029a868>] (platform_driver_register+0x5c/0x60)
[  130.033325]  r7:00000000 r6:bf02a388 r5:000b9008 r4:bf02a2d0
[  130.039276] [<c029a80c>] (platform_driver_register+0x0/0x60) from [<c029a88c>] (platform_driver_probe+0x20/0xa8)
[  130.050018] [<c029a86c>] (platform_driver_probe+0x0/0xa8) from [<bf03104c>] (musb_init+0x4c/0x54 [musb_hdrc])
[  130.060424]  r5:000b9008 r4:0010281c
[  130.064239] [<bf031000>] (musb_init+0x0/0x54 [musb_hdrc]) from [<c00463dc>] (do_one_initcall+0x3c/0x1c0)
[  130.074218] [<c00463a0>] (do_one_initcall+0x0/0x1c0) from [<c00bb9b8>] (sys_init_module+0xbc/0x1d0)
[  130.083709] [<c00bb8fc>] (sys_init_module+0x0/0x1d0) from [<c0052000>] (ret_fast_syscall+0x0/0x3c)
[  130.093109]  r7:00000080 r6:0010281c r5:bebbfcf4 r4:00097e8e
[  130.099090] Code: 0a000046 e3a01001 e12fff33 e59520e4 (e5923404)
[  130.105621] ---[ end trace 1d0bd69deb79164d ]---

Cc: Ajay Kumar Gupta <ajay.gupta@ti.com>
Cc: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Cc: Anand Gadiyar <gadiyar@ti.com>
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: gadget: AT91: fix typo in atmel_usba_udc driver
Josh Wu [Tue, 16 Nov 2010 10:51:32 +0000 (11:51 +0100)]
USB: gadget: AT91: fix typo in atmel_usba_udc driver

commit b48809518631880207796b4aab0fc39c2f036754 upstream.

compile fix for bug introduced by 969affff547027)

Signed-off-by: Josh Wu <josh.wu@atmel.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoxhci: Don't let the USB core disable SuperSpeed ports.
Sarah Sharp [Tue, 16 Nov 2010 23:58:52 +0000 (15:58 -0800)]
xhci: Don't let the USB core disable SuperSpeed ports.

commit 6dd0a3a7e0793dbeae1b951f091025d8cf896cb4 upstream.

Disabling SuperSpeed ports is a Very Bad Thing (TM).  It disables
SuperSpeed terminations, which means that devices will never connect at
SuperSpeed on that port.  For USB 2.0/1.1 ports, disabling the port meant
that the USB core could always get a connect status change later.  That's
not true with USB 3.0 ports.

Do not let the USB core disable SuperSpeed ports.  We can't rely on the
device speed in the port status registers, since that isn't valid until
there's a USB device connected to the port.  Instead, we use the port
speed array that's created from the Extended Capabilities registers.

Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Tested-by: Don Zickus <dzickus@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoxhci: Setup array of USB 2.0 and USB 3.0 ports.
Sarah Sharp [Tue, 26 Oct 2010 23:47:13 +0000 (16:47 -0700)]
xhci: Setup array of USB 2.0 and USB 3.0 ports.

commit da6699ce4a889c3795624ccdcfe7181cc89f18e8 upstream.

An xHCI host controller contains USB 2.0 and USB 3.0 ports, which can
occur in any order in the PORTSC registers.  We cannot read the port speed
bits in the PORTSC registers at init time to determine the port speed,
since those bits are only valid when a USB device is plugged into the
port.

Instead, we read the "Supported Protocol Capability" registers in the xHC
Extended Capabilities space.  Those describe the protocol, port offset in
the PORTSC registers, and port count.  We use those registers to create
two arrays of pointers to the PORTSC registers, one for USB 3.0 ports, and
another for USB 2.0 ports.  A third array keeps track of the port protocol
major revision, and is indexed with the internal xHCI port number.

This commit is a bit big, but it should be queued for stable because the "Don't
let the USB core disable SuperSpeed ports" patch depends on it.  There is no
other way to determine which ports are SuperSpeed ports without this patch.

Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Tested-by: Don Zickus <dzickus@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoxhci: Fix reset-device and configure-endpoint commands
Paul Zimmerman [Thu, 18 Nov 2010 00:26:50 +0000 (16:26 -0800)]
xhci: Fix reset-device and configure-endpoint commands

commit 7a3783efffc7bc2e702d774e47fad5b8e37e9ad1 upstream.

We have been having problems with the USB-IF Gold Tree tests when plugging
and unplugging devices from the tree. I have seen that the reset-device
and configure-endpoint commands, which are invoked from
xhci_discover_or_reset_device() and xhci_configure_endpoint(), will sometimes
time out.

After much debugging, I determined that the commands themselves do not actually
time out, but rather their completion events do not get delivered to the right
place.

This happens when the command ring has just wrapped around, and it's enqueue
pointer is left pointing to the link TRB. xhci_discover_or_reset_device() and
xhci_configure_endpoint() use the enqueue pointer directly as their command
TRB pointer, without checking whether it's pointing to the link TRB.

When the completion event arrives, if the command TRB is pointing to the link
TRB, the check against the command ring dequeue pointer in
handle_cmd_in_cmd_wait_list() fails, so the completion inside the command does
not get signaled.

The patch below fixes the timeout problem for me.

This should be queued for the 2.6.35 and 2.6.36 stable trees.

Signed-off-by: Paul Zimmerman <paulz@synopsys.com>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoxHCI: fix wMaxPacketSize mask
Andiry Xu [Thu, 11 Nov 2010 09:43:57 +0000 (17:43 +0800)]
xHCI: fix wMaxPacketSize mask

commit dc07c91b9b4067022210e68d914a6890a4d70622 upstream.

USB2.0 spec 9.6.6 says: For all endpoints, bit 10..0 specify the maximum
packet size(in bytes).

So the wMaxPacketSize mask should be 0x7ff rather than 0x3ff.

This patch should be queued for the stable tree.  The bug in
xhci_endpoint_init() was present as far back as 2.6.31, and the bug in
xhci_get_max_esit_payload() was present when the function was introduced
in 2.6.34.

Reported-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: Andiry Xu <andiry.xu@amd.com>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoxhci: Remove excessive printks with shared IRQs.
Sarah Sharp [Fri, 5 Nov 2010 13:59:01 +0000 (09:59 -0400)]
xhci: Remove excessive printks with shared IRQs.

commit 241b652f1995de138106afd2f2e4eda9f8a3c240 upstream.

If the xHCI host controller shares an interrupt line with another device,
the xHCI driver needs to check if the interrupt was generated by its
hardware.  Unfortunately, the user will see a ton of "Spurious interrupt."
lines if the other hardware interrupts often.  Lawrence found his dmesg
output cluttered with this output when the xHCI host shared an interrupt
with his i915 hardware.

Remove the warning, as sharing an interrupt is a normal thing.

This should be applied to the 2.6.36 stable tree.

Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Reported-by: Lawrence Rust <lvr@softsystem.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoPCI: fix offset check for sysfs mmapped files
Darrick J. Wong [Tue, 16 Nov 2010 17:13:41 +0000 (09:13 -0800)]
PCI: fix offset check for sysfs mmapped files

commit 8c05cd08a7504b855c265263e84af61aabafa329 upstream.

I just loaded 2.6.37-rc2 on my machines, and I noticed that X no longer starts.
Running an strace of the X server shows that it's doing this:

open("/sys/bus/pci/devices/0000:07:00.0/resource0", O_RDWR) = 10
mmap(NULL, 16777216, PROT_READ|PROT_WRITE, MAP_SHARED, 10, 0) = -1 EINVAL (Invalid argument)

This code seems to be asking for a shared read/write mapping of 16MB worth of
BAR0 starting at file offset 0, and letting the kernel assign a starting
address.  Unfortunately, this -EINVAL causes X not to start.  Looking into
dmesg, there's a complaint like so:

process "Xorg" tried to map 0x01000000 bytes at page 0x00000000 on 0000:07:00.0 BAR 0 (start 0x        96000000, size 0x         1000000)

...with the following code in pci_mmap_fits:

pci_start = (mmap_api == PCI_MMAP_SYSFS) ?
pci_resource_start(pdev, resno) >> PAGE_SHIFT : 0;
        if (start >= pci_start && start < pci_start + size &&
                        start + nr <= pci_start + size)

It looks like the logic here is set up such that when the mmap call comes via
sysfs, the check in pci_mmap_fits wants vma->vm_pgoff to be between the
resource's start and end address, and the end of the vma to be no farther than
the end.  However, the sysfs PCI resource files always start at offset zero,
which means that this test always fails for programs that mmap the sysfs files.
Given the comment in the original commit
3b519e4ea618b6943a82931630872907f9ac2c2b, I _think_ the old procfs files
require that the file offset be equal to the resource's base address when
mmapping.

I think what we want here is for pci_start to be 0 when mmap_api ==
PCI_MMAP_PROCFS.  The following patch makes that change, after which the Matrox
and Mach64 X drivers work again.

Acked-by: Martin Wilck <martin.wilck@ts.fujitsu.com>
Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoPCI: fix size checks for mmap() on /proc/bus/pci files
Martin Wilck [Wed, 10 Nov 2010 10:03:21 +0000 (11:03 +0100)]
PCI: fix size checks for mmap() on /proc/bus/pci files

commit 3b519e4ea618b6943a82931630872907f9ac2c2b upstream.

The checks for valid mmaps of PCI resources made through /proc/bus/pci files
that were introduced in 9eff02e2042f96fb2aedd02e032eca1c5333d767 have several
problems:

1. mmap() calls on /proc/bus/pci files are made with real file offsets > 0,
whereas under /sys/bus/pci/devices, the start of the resource corresponds
to offset 0. This may lead to false negatives in pci_mmap_fits(), which
implicitly assumes the /sys/bus/pci/devices layout.

2. The loop in proc_bus_pci_mmap doesn't skip empty resouces. This leads
to false positives, because pci_mmap_fits() doesn't treat empty resources
correctly (the calculated size is 1 << (8*sizeof(resource_size_t)-PAGE_SHIFT)
in this case!).

3. If a user maps resources with BAR > 0, pci_mmap_fits will emit bogus
WARNINGS for the first resources that don't fit until the correct one is found.

On many controllers the first 2-4 BARs are used, and the others are empty.
In this case, an mmap attempt will first fail on the non-empty BARs
(including the "right" BAR because of 1.) and emit bogus WARNINGS because
of 3., and finally succeed on the first empty BAR because of 2.
This is certainly not the intended behaviour.

This patch addresses all 3 issues.
Updated with an enum type for the additional parameter for pci_mmap_fits().

Signed-off-by: Martin Wilck <martin.wilck@ts.fujitsu.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agolibata: fix NULL sdev dereference race in atapi_qc_complete()
Tejun Heo [Mon, 1 Nov 2010 10:39:19 +0000 (11:39 +0100)]
libata: fix NULL sdev dereference race in atapi_qc_complete()

commit 2a5f07b5ec098edc69e05fdd2f35d3fbb1235723 upstream.

SCSI commands may be issued between __scsi_add_device() and dev->sdev
assignment, so it's unsafe for ata_qc_complete() to dereference
dev->sdev->locked without checking whether it's NULL or not.  Fix it.

Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosched: fix RCU lockdep splat from task_group()
Peter Zijlstra [Thu, 16 Sep 2010 15:50:31 +0000 (17:50 +0200)]
sched: fix RCU lockdep splat from task_group()

commit 6506cf6ce68d78a5470a8360c965dafe8e4b78e3 upstream.

This addresses the following RCU lockdep splat:

[0.051203] CPU0: AMD QEMU Virtual CPU version 0.12.4 stepping 03
[0.052999] lockdep: fixing up alternatives.
[0.054105]
[0.054106] ===================================================
[0.054999] [ INFO: suspicious rcu_dereference_check() usage. ]
[0.054999] ---------------------------------------------------
[0.054999] kernel/sched.c:616 invoked rcu_dereference_check() without protection!
[0.054999]
[0.054999] other info that might help us debug this:
[0.054999]
[0.054999]
[0.054999] rcu_scheduler_active = 1, debug_locks = 1
[0.054999] 3 locks held by swapper/1:
[0.054999]  #0:  (cpu_add_remove_lock){+.+.+.}, at: [<ffffffff814be933>] cpu_up+0x42/0x6a
[0.054999]  #1:  (cpu_hotplug.lock){+.+.+.}, at: [<ffffffff810400d8>] cpu_hotplug_begin+0x2a/0x51
[0.054999]  #2:  (&rq->lock){-.-...}, at: [<ffffffff814be2f7>] init_idle+0x2f/0x113
[0.054999]
[0.054999] stack backtrace:
[0.054999] Pid: 1, comm: swapper Not tainted 2.6.35 #1
[0.054999] Call Trace:
[0.054999]  [<ffffffff81068054>] lockdep_rcu_dereference+0x9b/0xa3
[0.054999]  [<ffffffff810325c3>] task_group+0x7b/0x8a
[0.054999]  [<ffffffff810325e5>] set_task_rq+0x13/0x40
[0.054999]  [<ffffffff814be39a>] init_idle+0xd2/0x113
[0.054999]  [<ffffffff814be78a>] fork_idle+0xb8/0xc7
[0.054999]  [<ffffffff81068717>] ? mark_held_locks+0x4d/0x6b
[0.054999]  [<ffffffff814bcebd>] do_fork_idle+0x17/0x2b
[0.054999]  [<ffffffff814bc89b>] native_cpu_up+0x1c1/0x724
[0.054999]  [<ffffffff814bcea6>] ? do_fork_idle+0x0/0x2b
[0.054999]  [<ffffffff814be876>] _cpu_up+0xac/0x127
[0.054999]  [<ffffffff814be946>] cpu_up+0x55/0x6a
[0.054999]  [<ffffffff81ab562a>] kernel_init+0xe1/0x1ff
[0.054999]  [<ffffffff81003854>] kernel_thread_helper+0x4/0x10
[0.054999]  [<ffffffff814c353c>] ? restore_args+0x0/0x30
[0.054999]  [<ffffffff81ab5549>] ? kernel_init+0x0/0x1ff
[0.054999]  [<ffffffff81003850>] ? kernel_thread_helper+0x0/0x10
[0.056074] Booting Node   0, Processors  #1lockdep: fixing up alternatives.
[0.130045]  #2lockdep: fixing up alternatives.
[0.203089]  #3 Ok.
[0.275286] Brought up 4 CPUs
[0.276005] Total of 4 processors activated (16017.17 BogoMIPS).

The cgroup_subsys_state structures referenced by idle tasks are never
freed, because the idle tasks should be part of the root cgroup,
which is not removable.

The problem is that while we do in-fact hold rq->lock, the newly spawned
idle thread's cpu is not yet set to the correct cpu so the lockdep check
in task_group():

  lockdep_is_held(&task_rq(p)->lock)

will fail.

But this is a chicken and egg problem.  Setting the CPU's runqueue requires
that the CPU's runqueue already be set.  ;-)

So insert an RCU read-side critical section to avoid the complaint.

Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agointel-gtt: fix gtt_total_entries detection
Daniel Vetter [Sat, 28 Aug 2010 09:04:32 +0000 (11:04 +0200)]
intel-gtt: fix gtt_total_entries detection

commit e5e408fc94595aab897f613b6f4e2f5b36870a6f upstream.

In commit f1befe71 Chris Wilson added some code to clear the full gtt
on g33/pineview instead of just the mappable part. The code looks like
it was copy-pasted from agp/intel-gtt.c, at least an identical piece
of code is still there (in intel_i830_init_gtt_entries). This lead to
a regression in 2.6.35 which was supposedly fixed in commit e7b96f28

Now this commit makes absolutely no sense to me. It seems to be
slightly confused about chipset generations - it references docs for
4th gen but the regression concerns 3rd gen g33. Luckily the the g33
gmch docs are available with the GMCH Graphics Control pci config
register definitions. The other (bigger problem) is that the new
check in there uses the i830 stolen mem bits (.5M, 1M or 8M of stolen
mem). They are different since the i855GM.

The most likely case is that it hits the 512M fallback, which was
probably the right thing for the boxes this was tested on.

So the original approach by Chris Wilson seems to be wrong and the
current code is definitely wrong. There is a third approach by Jesse
Barnes from his RFC patch "Who wants a bigger GTT mapping range?"
where he simply shoves g33 in the same clause like later chipset
generations.

I've asked him and Jesse confirmed that this should work. So implement
it.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=16891$
Tested-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoi915: reprogram power monitoring registers on resume
Kyle McMartin [Wed, 3 Nov 2010 20:27:57 +0000 (16:27 -0400)]
i915: reprogram power monitoring registers on resume

commit 48fcfc888b48ad49dd83faa107264bbfb0089cad upstream.

Fixes issue where i915_gfx_val was reporting values several
orders of magnitude higher than physically possible (without
leaving scorch marks on my thighs at least.)

Signed-off-by: Kyle McMartin <kyle@redhat.com>
Reviewed-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/i915/sdvo: Always add a 30ms delay to make SDVO TV detection reliable
Chris Wilson [Wed, 24 Nov 2010 17:37:17 +0000 (17:37 +0000)]
drm/i915/sdvo: Always add a 30ms delay to make SDVO TV detection reliable

commit ba84cd1f2b5dd49bda9300c5a11373f7e14c3c66 upstream.

Commit d09c23de intended to add a 30ms delay to give the ADD time to
detect any TVs connected. However, it used the sdvo->is_tv flag to do so
which is dependent upon the previous detection result and not whether the
output supports TVs.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoexec: copy-and-paste the fixes into compat_do_execve() paths
Oleg Nesterov [Tue, 30 Nov 2010 19:56:02 +0000 (20:56 +0100)]
exec: copy-and-paste the fixes into compat_do_execve() paths

commit 114279be2120a916e8a04feeb2ac976a10016f2f upstream.

Note: this patch targets 2.6.37 and tries to be as simple as possible.
That is why it adds more copy-and-paste horror into fs/compat.c and
uglifies fs/exec.c, this will be cleanuped later.

compat_copy_strings() plays with bprm->vma/mm directly and thus has
two problems: it lacks the RLIMIT_STACK check and argv/envp memory
is not visible to oom killer.

Export acct_arg_size() and get_arg_page(), change compat_copy_strings()
to use get_arg_page(), change compat_do_execve() to do acct_arg_size(0)
as do_execve() does.

Add the fatal_signal_pending/cond_resched checks into compat_count() and
compat_copy_strings(), this matches the code in fs/exec.c and certainly
makes sense.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoexec: make argv/envp memory visible to oom-killer
Oleg Nesterov [Tue, 30 Nov 2010 19:55:34 +0000 (20:55 +0100)]
exec: make argv/envp memory visible to oom-killer

commit 3c77f845722158206a7209c45ccddc264d19319c upstream.

Brad Spengler published a local memory-allocation DoS that
evades the OOM-killer (though not the virtual memory RLIMIT):
http://www.grsecurity.net/~spender/64bit_dos.c

execve()->copy_strings() can allocate a lot of memory, but
this is not visible to oom-killer, nobody can see the nascent
bprm->mm and take it into account.

With this patch get_arg_page() increments current's MM_ANONPAGES
counter every time we allocate the new page for argv/envp. When
do_execve() succeds or fails, we change this counter back.

Technically this is not 100% correct, we can't know if the new
page is swapped out and turn MM_ANONPAGES into MM_SWAPENTS, but
I don't think this really matters and everything becomes correct
once exec changes ->mm or fails.

Reported-by: Brad Spengler <spender@grsecurity.net>
Reviewed-and-discussed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: fix interlaced and doublescan handling
Alex Deucher [Tue, 30 Nov 2010 20:46:47 +0000 (15:46 -0500)]
drm/radeon/kms: fix interlaced and doublescan handling

commit c49948f4bd39e27dd06a1cdb0c3743ca2a734f5e upstream.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: fix regression in rs4xx i2c setup
Alex Deucher [Sun, 21 Nov 2010 15:58:05 +0000 (10:58 -0500)]
drm/radeon/kms: fix regression in rs4xx i2c setup

commit 791cfe2684a74ed7155254816ff9e89e6064277c upstream.

typo in my last i2c rework.

Fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=23222

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: fix resume regression for some r5xx laptops
Alex Deucher [Fri, 19 Nov 2010 23:27:04 +0000 (23:27 +0000)]
drm/radeon/kms: fix resume regression for some r5xx laptops

commit f24d86f1a49505cdea56728b853a5d0a3f8e3d11 upstream.

I had removed this when I switched the atom indirect io methods
to use the io bar rather than the mmio bar, but it appears it's
still needed.

Reported-by: Mark Lord <kernel@teksavvy.com>
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: fix i2c pad masks on rs4xx
Alex Deucher [Thu, 18 Nov 2010 22:18:08 +0000 (17:18 -0500)]
drm/radeon/kms: fix i2c pad masks on rs4xx

commit be66305718bee9927e6acc6b75618ce3cd745718 upstream.

These got lost in the last i2c cleanup.  Fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=23222

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: fix thermal sensor reporting on rv6xx
Alex Deucher [Mon, 8 Nov 2010 18:39:18 +0000 (18:39 +0000)]
drm/radeon/kms: fix thermal sensor reporting on rv6xx

commit b2298fd27127f872881048fd37cb9217a648ae06 upstream.

Temperature is not shifted as on newer asics.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: Fix retrying ttm_bo_init() after it failed once.
Michel Dänzer [Tue, 9 Nov 2010 10:50:05 +0000 (11:50 +0100)]
drm/radeon/kms: Fix retrying ttm_bo_init() after it failed once.

commit 2b66b50b12cabc05f05543e792d4c9c2465d5702 upstream.

If ttm_bo_init() returns failure, it already destroyed the BO, so we need to
retry from scratch.

Signed-off-by: Michel Dänzer <daenzer@vmware.com>
Tested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: add workaround for dce3 ddc line vbios bug
Alex Deucher [Tue, 30 Nov 2010 05:15:10 +0000 (00:15 -0500)]
drm/radeon/kms: add workaround for dce3 ddc line vbios bug

commit 3074adc8b6d9bf28b574a58241b958057a69a7a0 upstream.

fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=23752

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: fix typos in disabled vbios code
Alex Deucher [Wed, 1 Dec 2010 00:11:45 +0000 (19:11 -0500)]
drm/radeon/kms: fix typos in disabled vbios code

commit 0ec80d645661dda50acd417bdfcb33df2e5dd31e upstream.

6xx/7xx was hitting the wrong BUS_CNTL reg and bits.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms/atom: set sane defaults in atombios_get_encoder_mode()
Alex Deucher [Wed, 17 Nov 2010 07:49:40 +0000 (02:49 -0500)]
drm/radeon/kms/atom: set sane defaults in atombios_get_encoder_mode()

commit c7a71fc761551dc8be8543f14a90d08cda4e77f9 upstream.

If there was no connector mapped to the encoder, atombios_get_encoder_mode()
returned 0 which is the id for DP.  Return something sane instead based on
the encoder id.  This avoids hitting the DP paths on non-DP encoders.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agobio: take care not overflow page count when mapping/copying user data
Jens Axboe [Wed, 10 Nov 2010 13:36:25 +0000 (14:36 +0100)]
bio: take care not overflow page count when mapping/copying user data

commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.

If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
to overflow, we could end up attempting to map a huge number of
pages. Check for this invalid input type.

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomm/vfs: revalidate page->mapping in do_generic_file_read()
Dave Hansen [Thu, 11 Nov 2010 22:05:15 +0000 (14:05 -0800)]
mm/vfs: revalidate page->mapping in do_generic_file_read()

commit 8d056cb965b8fb7c53c564abf28b1962d1061cd3 upstream.

70 hours into some stress tests of a 2.6.32-based enterprise kernel, we
ran into a NULL dereference in here:

int block_is_partially_uptodate(struct page *page, read_descriptor_t *desc,
                                        unsigned long from)
{
----> struct inode *inode = page->mapping->host;

It looks like page->mapping was the culprit.  (xmon trace is below).
After closer examination, I realized that do_generic_file_read() does a
find_get_page(), and eventually locks the page before calling
block_is_partially_uptodate().  However, it doesn't revalidate the
page->mapping after the page is locked.  So, there's a small window
between the find_get_page() and ->is_partially_uptodate() where the page
could get truncated and page->mapping cleared.

We _have_ a reference, so it can't get reclaimed, but it certainly
can be truncated.

I think the correct thing is to check page->mapping after the
trylock_page(), and jump out if it got truncated.  This patch has been
running in the test environment for a month or so now, and we have not
seen this bug pop up again.

xmon info:

  1f:mon> e
  cpu 0x1f: Vector: 300 (Data Access) at [c0000002ae36f770]
      pc: c0000000001e7a6c: .block_is_partially_uptodate+0xc/0x100
      lr: c000000000142944: .generic_file_aio_read+0x1e4/0x770
      sp: c0000002ae36f9f0
     msr: 8000000000009032
     dar: 0
   dsisr: 40000000
    current = 0xc000000378f99e30
    paca    = 0xc000000000f66300
      pid   = 21946, comm = bash
  1f:mon> r
  R00 = 0025c0500000006d   R16 = 0000000000000000
  R01 = c0000002ae36f9f0   R17 = c000000362cd3af0
  R02 = c000000000e8cd80   R18 = ffffffffffffffff
  R03 = c0000000031d0f88   R19 = 0000000000000001
  R04 = c0000002ae36fa68   R20 = c0000003bb97b8a0
  R05 = 0000000000000000   R21 = c0000002ae36fa68
  R06 = 0000000000000000   R22 = 0000000000000000
  R07 = 0000000000000001   R23 = c0000002ae36fbb0
  R08 = 0000000000000002   R24 = 0000000000000000
  R09 = 0000000000000000   R25 = c000000362cd3a80
  R10 = 0000000000000000   R26 = 0000000000000002
  R11 = c0000000001e7b60   R27 = 0000000000000000
  R12 = 0000000042000484   R28 = 0000000000000001
  R13 = c000000000f66300   R29 = c0000003bb97b9b8
  R14 = 0000000000000001   R30 = c000000000e28a08
  R15 = 000000000000ffff   R31 = c0000000031d0f88
  pc  = c0000000001e7a6c .block_is_partially_uptodate+0xc/0x100
  lr  = c000000000142944 .generic_file_aio_read+0x1e4/0x770
  msr = 8000000000009032   cr  = 22000488
  ctr = c0000000001e7a60   xer = 0000000020000000   trap =  300
  dar = 0000000000000000   dsisr = 40000000
  1f:mon> t
  [link register   ] c000000000142944 .generic_file_aio_read+0x1e4/0x770
  [c0000002ae36f9f0c000000000142a14 .generic_file_aio_read+0x2b4/0x770 (unreliable)
  [c0000002ae36fb40c0000000001b03e4 .do_sync_read+0xd4/0x160
  [c0000002ae36fce0c0000000001b153c .vfs_read+0xec/0x1f0
  [c0000002ae36fd80c0000000001b1768 .SyS_read+0x58/0xb0
  [c0000002ae36fe30c00000000000852c syscall_exit+0x0/0x40
  --- Exception: c00 (System Call) at 00000080a840bc54
  SP (fffca15df30) is in userspace
  1f:mon> di c0000000001e7a6c
  c0000000001e7a6c  e9290000      ld      r9,0(r9)
  c0000000001e7a70  418200c0      beq     c0000000001e7b30        # .block_is_partially_uptodate+0xd0/0x100
  c0000000001e7a74  e9440008      ld      r10,8(r4)
  c0000000001e7a78  78a80020      clrldi  r8,r5,32
  c0000000001e7a7c  3c000001      lis     r0,1
  c0000000001e7a80  812900a8      lwz     r9,168(r9)
  c0000000001e7a84  39600001      li      r11,1
  c0000000001e7a88  7c080050      subf    r0,r8,r0
  c0000000001e7a8c  7f805040      cmplw   cr7,r0,r10
  c0000000001e7a90  7d6b4830      slw     r11,r11,r9
  c0000000001e7a94  796b0020      clrldi  r11,r11,32
  c0000000001e7a98  419d00a8      bgt     cr7,c0000000001e7b40    # .block_is_partially_uptodate+0xe0/0x100
  c0000000001e7a9c  7fa55840      cmpld   cr7,r5,r11
  c0000000001e7aa0  7d004214      add     r8,r0,r8
  c0000000001e7aa4  79080020      clrldi  r8,r8,32
  c0000000001e7aa8  419c0078      blt     cr7,c0000000001e7b20    # .block_is_partially_uptodate+0xc0/0x100

Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
Reviewed-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: <arunabal@in.ibm.com>
Cc: <sbest@us.ibm.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Minchan Kim <minchan.kim@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agolatencytop: fix per task accumulator
Ken Chen [Thu, 11 Nov 2010 22:05:16 +0000 (14:05 -0800)]
latencytop: fix per task accumulator

commit 38715258aa2e8cd94bd4aafadc544e5104efd551 upstream.

Per task latencytop accumulator prematurely terminates due to erroneous
placement of latency_record_count.  It should be incremented whenever a
new record is allocated instead of increment on every latencytop event.

Also fix search iterator to only search known record events instead of
blindly searching all pre-allocated space.

Signed-off-by: Ken Chen <kenchen@google.com>
Reviewed-by: Arjan van de Ven <arjan@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>