firefly-linux-kernel-4.4.55.git
13 years agocfg80211: fix bug on regulatory core exit on access to last_request
Luis R. Rodriguez [Tue, 8 Nov 2011 22:28:06 +0000 (14:28 -0800)]
cfg80211: fix bug on regulatory core exit on access to last_request

commit 58ebacc66bd11be2327edcefc79de94bd6f5bb4a upstream.

Commit 4d9d88d1 by Scott James Remnant <keybuk@google.com> added
the .uevent() callback for the regulatory device used during
the platform device registration. The change was done to account
for queuing up udev change requests through udevadm triggers.
The change also meant that upon regulatory core exit we will now
send a uevent() but the uevent() callback, reg_device_uevent(),
also accessed last_request. Right before commiting device suicide
we free'd last_request but never set it to NULL so
platform_device_unregister() would lead to bogus kernel paging
request. Fix this and also simply supress uevents right before
we commit suicide as they are pointless.

This fix is required for kernels >= v2.6.39

$ git describe --contains 4d9d88d1
v2.6.39-rc1~468^2~25^2^2~21

The impact of not having this present is that a bogus paging
access may occur (only read) upon cfg80211 unload time. You
may also get this BUG complaint below. Although Johannes
could not reproduce the issue this fix is theoretically correct.

mac80211_hwsim: unregister radios
mac80211_hwsim: closing netlink
BUG: unable to handle kernel paging request at ffff88001a06b5ab
IP: [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211]
PGD 1836063 PUD 183a063 PMD 1ffcb067 PTE 1a06b160
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
CPU 0
Modules linked in: cfg80211(-) [last unloaded: mac80211]

Pid: 2279, comm: rmmod Tainted: G        W   3.1.0-wl+ #663 Bochs Bochs
RIP: 0010:[<ffffffffa030df9a>]  [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211]
RSP: 0000:ffff88001c5f9d58  EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88001d2eda88 RCX: ffff88001c7468fc
RDX: ffff88001a06b5a0 RSI: ffff88001c7467b0 RDI: ffff88001c7467b0
RBP: ffff88001c5f9d58 R08: 000000000000ffff R09: 000000000000ffff
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88001c7467b0
R13: ffff88001d2eda78 R14: ffffffff8164a840 R15: 0000000000000001
FS:  00007f8a91d8a6e0(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffff88001a06b5ab CR3: 000000001c62e000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process rmmod (pid: 2279, threadinfo ffff88001c5f8000, task ffff88000023c780)
Stack:
 ffff88001c5f9d98 ffffffff812ff7e5 ffffffff8176ab3d ffff88001c7468c2
 000000000000ffff ffff88001d2eda88 ffff88001c7467b0 ffff880000114820
 ffff88001c5f9e38 ffffffff81241dc7 ffff88001c5f9db8 ffffffff81040189
Call Trace:
 [<ffffffff812ff7e5>] dev_uevent+0xc5/0x170
 [<ffffffff81241dc7>] kobject_uevent_env+0x1f7/0x490
 [<ffffffff81040189>] ? sub_preempt_count+0x29/0x60
 [<ffffffff814cab1a>] ? _raw_spin_unlock_irqrestore+0x4a/0x90
 [<ffffffff81305307>] ? devres_release_all+0x27/0x60
 [<ffffffff8124206b>] kobject_uevent+0xb/0x10
 [<ffffffff812fee27>] device_del+0x157/0x1b0
 [<ffffffff8130377d>] platform_device_del+0x1d/0x90
 [<ffffffff81303b76>] platform_device_unregister+0x16/0x30
 [<ffffffffa030fffd>] regulatory_exit+0x5d/0x180 [cfg80211]
 [<ffffffffa032bec3>] cfg80211_exit+0x2b/0x45 [cfg80211]
 [<ffffffff8109a84c>] sys_delete_module+0x16c/0x220
 [<ffffffff8108a23e>] ? trace_hardirqs_on_caller+0x7e/0x120
 [<ffffffff814cba02>] system_call_fastpath+0x16/0x1b
Code: <all your base are belong to me>
RIP  [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211]
 RSP <ffff88001c5f9d58>
CR2: ffff88001a06b5ab
---[ end trace 147c5099a411e8c0 ]---

Reported-by: Johannes Berg <johannes@sipsolutions.net>
Cc: Scott James Remnant <keybuk@google.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonl80211: fix HT capability attribute validation
Johannes Berg [Thu, 3 Nov 2011 08:27:01 +0000 (09:27 +0100)]
nl80211: fix HT capability attribute validation

commit 6c7394197af90f6a332180e33f5d025d3037d883 upstream.

Since the NL80211_ATTR_HT_CAPABILITY attribute is
used as a struct, it needs a minimum, not maximum
length. Enforce that properly. Not doing so could
potentially lead to reading after the buffer.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: fix bug in ieee80211_build_probe_req
Johannes Berg [Tue, 8 Nov 2011 12:04:41 +0000 (13:04 +0100)]
mac80211: fix bug in ieee80211_build_probe_req

commit 5b2bbf75a24d6b06afff6de0eb4819413fd81971 upstream.

ieee80211_probereq_get() can return NULL in
which case we should clean up & return NULL
in ieee80211_build_probe_req() as well.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: fix NULL dereference in radiotap code
Johannes Berg [Tue, 8 Nov 2011 11:28:33 +0000 (12:28 +0100)]
mac80211: fix NULL dereference in radiotap code

commit f8d1ccf15568268c76f913b45ecdd33134387f1a upstream.

When receiving failed PLCP frames is enabled, there
won't be a rate pointer when we add the radiotap
header and thus the kernel will crash. Fix this by
not assuming the rate pointer is always valid. It's
still always valid for frames that have good PLCP
though, and that is checked & enforced.

This was broken by my
commit fc88518916793af8ad6a02e05ff254d95c36d875
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri Jul 30 13:23:12 2010 +0200

    mac80211: don't check rates on PLCP error frames

where I removed the check in this case but didn't
take into account that the rate info would be used.

Reported-by: Xiaokang Qin <xiaokang.qin@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agort2x00: Fix sleep-while-atomic bug in powersaving code.
Gertjan van Wingerde [Sat, 12 Nov 2011 18:10:44 +0000 (19:10 +0100)]
rt2x00: Fix sleep-while-atomic bug in powersaving code.

commit ed66ba472a742cd8df37d7072804b2111cdb1014 upstream.

The generic powersaving code that determines after reception of a frame
whether the device should go back to sleep or whether is could stay
awake was calling rt2x00lib_config directly from RX tasklet context.
On a number of the devices this call can actually sleep, due to having
to confirm that the sleeping commands have been executed successfully.

Fix this by moving the call to rt2x00lib_config to a workqueue call.

This fixes bug https://bugzilla.redhat.com/show_bug.cgi?id=731672

Tested-by: Tomas Trnka <tomastrnka@gmx.com>
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoNet, libertas: Resolve memory leak in if_spi_host_to_card()
Jesper Juhl [Sun, 13 Nov 2011 21:14:32 +0000 (22:14 +0100)]
Net, libertas: Resolve memory leak in if_spi_host_to_card()

commit fe09b32a4361bea44169b2063e8c867cabb6a8ba upstream.

If we hit the default case in the switch in if_spi_host_to_card() we'll leak
the memory we allocated for 'packet'. This patch resolves the leak by freeing
the allocated memory in that case.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoARM: 7150/1: Allow kernel unaligned accesses on ARMv6+ processors
Catalin Marinas [Mon, 7 Nov 2011 17:05:53 +0000 (18:05 +0100)]
ARM: 7150/1: Allow kernel unaligned accesses on ARMv6+ processors

commit 8428e84d42179c2a00f5f6450866e70d802d1d05 upstream.

Recent gcc versions generate unaligned accesses by default on ARMv6 and
later processors. This patch ensures that the SCTLR.A bit is always
cleared on such processors to avoid kernel traping before
alignment_init() is called.

Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: John Linn <John.Linn@xilinx.com>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/i915/pch: Save/restore PCH_PORT_HOTPLUG across suspend
Adam Jackson [Tue, 26 Jul 2011 20:53:06 +0000 (16:53 -0400)]
drm/i915/pch: Save/restore PCH_PORT_HOTPLUG across suspend

commit cda2bb78c24de7674eafa3210314dc75bed344a6 upstream.

At least on a Lenovo X220 the HPD bits of this are enabled at boot but
cleared after resume, which means plug interrupts stop working.

This also happens to fix DP displays re-lighting on resume.  I'm quite
certain that's an accident: the first DP link train inevitably fails on
that machine, and it's only serendipity that we're getting multiple plug
interrupts and the second train works.  But I shall take my victories
where I get them.

Signed-off-by: Adam Jackson <ajax@redhat.com>
Tested-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Cc: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosaa7164: Add support for another HVR2200 hardware revision
Tony Jago [Fri, 12 Aug 2011 03:19:11 +0000 (00:19 -0300)]
saa7164: Add support for another HVR2200 hardware revision

commit 62dd28d0c659db29bdb89cfe9f0aefe42f0adfe9 upstream.

Hauppauge have released a new model rev, sub id 8940, this adds
support.

[stoth@kernellabs.com: I modified Tony's patch slightly in relation to the
 card numbering in saa7164.h, appending rather than inserting the new card
 - normal practise]
Signed-off-by: Tony Jago <tony@hammertelecom.com.au>
Signed-off-by: Steven Toth <stoth@kernellabs.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoaacraid: controller hangs if kernel uses non-default ASPM policy
Vasily Averin [Fri, 11 Nov 2011 09:42:16 +0000 (13:42 +0400)]
aacraid: controller hangs if kernel uses non-default ASPM policy

commit cf16123c9c8e346ed1dd171295a678d77648d7f8 upstream.

Aacraid controller can hang on some nodes if kernel uses non-default
(powersave) ASPM policy.  Controller hangs shortly after successful load and
hardware detection. Scsi error handler detects this hang and tries to restart
hardware but it does not help.

Initially it was noticed on RHEL6-based openVZ kernel after backporting
aacraid driver from mainline (RHEL6 kernel with original driver works well)
http://bugzilla.openvz.org/show_bug.cgi?id=2043

This issue happens because default ASPM policy was changed in Red Hat
kernels. Therefore guys from Red Hat have noticed this problem long time ago:
on Fedora 12
 https://bugzilla.redhat.com/show_bug.cgi?id=540478
on Fedora 14
 https://bugzilla.redhat.com/show_bug.cgi?id=679385

In RHEL6 kernel this issue was fixed, ASPM was disabled in aacraid driver. In
kernel changelog I've found that seems it was done by Matthew Garrett: -
[scsi] aacraid: Disable ASPM by default (Matthew Garrett) [599735]

However seems this patch was not submitted to mainline. I've reproduced this
issue on vanilla 3.1.0 kernel booted with "pcie_aspm.policy=powersave" option,
So I believe it makes sense to do it now.

Signed-off-by: Vasily Averin <vvs@sw.ru>
[mjg: Checking the Windows drivers indicates that they disable ASPM under all
circumstances, so:]
Acked-by: Matthew Garrett <mjg@redhat.com>
Acked-by: Achim Leubner <Achim_Leubner@pmc-sierra.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agohpsa: Disable ASPM
Matthew Garrett [Fri, 11 Nov 2011 16:14:23 +0000 (11:14 -0500)]
hpsa: Disable ASPM

commit e5a44df85e8d78e5c2d3d2e4f59b460905691e2f upstream.

The Windows driver .inf disables ASPM on hpsa devices. Do the same because the
selection of a non default ASPM policy can cause the device to hang.

Signed-off-by: Matthew Garrett <mjg@redhat.com>
Acked-by: Mike Miller <mike.miller@hp.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agofix WARNING: at drivers/scsi/scsi_lib.c:1704
James Bottomley [Mon, 7 Nov 2011 14:51:24 +0000 (08:51 -0600)]
fix WARNING: at drivers/scsi/scsi_lib.c:1704

commit 4e6c82b3614a18740ef63109d58743a359266daf upstream.

On Mon, 2011-11-07 at 17:24 +1100, Stephen Rothwell wrote:
> Hi all,
>
> Starting some time last week I am getting the following during boot on
> our PPC970 blade:
>
> calling  .ipr_init+0x0/0x68 @ 1
> ipr: IBM Power RAID SCSI Device Driver version: 2.5.2 (April 27, 2011)
> ipr 0000:01:01.0: Found IOA with IRQ: 26
> ipr 0000:01:01.0: Starting IOA initialization sequence.
> ipr 0000:01:01.0: Adapter firmware version: 06160039
> ipr 0000:01:01.0: IOA initialized.
> scsi0 : IBM 572E Storage Adapter
> ------------[ cut here ]------------
> WARNING: at drivers/scsi/scsi_lib.c:1704
> Modules linked in:
> NIP: c00000000053b3d4 LR: c00000000053e5b0 CTR: c000000000541d70
> REGS: c0000000783c2f60 TRAP: 0700   Not tainted  (3.1.0-autokern1)
> MSR: 8000000000029032 <EE,ME,CE,IR,DR>  CR: 24002024  XER: 20000002
> TASK = c0000000783b8000[1] 'swapper' THREAD: c0000000783c0000 CPU: 0
> GPR00: 0000000000000001 c0000000783c31e0 c000000000cf38b0 c00000000239a9d0
> GPR04: c000000000cbe8f8 0000000000000000 c0000000783c3040 0000000000000000
> GPR08: c000000075daf488 c000000078a3b7ff c000000000bcacc8 0000000000000000
> GPR12: 0000000044002028 c000000007ffb000 0000000002e40000 000000000099b800
> GPR16: 0000000000000000 c000000000bba5fc c000000000a61db8 0000000000000000
> GPR20: 0000000001b77200 0000000000000000 c000000078990000 0000000000000001
> GPR24: c000000002396828 0000000000000000 0000000000000000 c000000078a3b938
> GPR28: fffffffffffffffa c0000000008ad2c0 c000000000c7faa8 c00000000239a9d0
> NIP [c00000000053b3d4] .scsi_free_queue+0x24/0x90
> LR [c00000000053e5b0] .scsi_alloc_sdev+0x280/0x2e0
> Call Trace:
> [c0000000783c31e0] [c000000000c7faa8] wireless_seq_fops+0x278d0/0x2eb88 (unreliable)
> [c0000000783c3270] [c00000000053e5b0] .scsi_alloc_sdev+0x280/0x2e0
> [c0000000783c3330] [c00000000053eba0] .scsi_probe_and_add_lun+0x390/0xb40
> [c0000000783c34a0] [c00000000053f7ec] .__scsi_scan_target+0x16c/0x650
> [c0000000783c35f0] [c00000000053fd90] .scsi_scan_channel+0xc0/0x100
> [c0000000783c36a0] [c00000000053fefc] .scsi_scan_host_selected+0x12c/0x1c0
> [c0000000783c3750] [c00000000083dcb4] .ipr_probe+0x2c0/0x390
> [c0000000783c3830] [c0000000003f50b4] .local_pci_probe+0x34/0x50
> [c0000000783c38a0] [c0000000003f5f78] .pci_device_probe+0x148/0x150
> [c0000000783c3950] [c0000000004e1e8c] .driver_probe_device+0xdc/0x210
> [c0000000783c39f0] [c0000000004e20cc] .__driver_attach+0x10c/0x110
> [c0000000783c3a80] [c0000000004e1228] .bus_for_each_dev+0x98/0xf0
> [c0000000783c3b30] [c0000000004e1bf8] .driver_attach+0x28/0x40
> [c0000000783c3bb0] [c0000000004e07d8] .bus_add_driver+0x218/0x340
> [c0000000783c3c60] [c0000000004e2a2c] .driver_register+0x9c/0x1b0
> [c0000000783c3d00] [c0000000003f62d4] .__pci_register_driver+0x64/0x140
> [c0000000783c3da0] [c000000000b99f88] .ipr_init+0x4c/0x68
> [c0000000783c3e20] [c00000000000ad24] .do_one_initcall+0x1a4/0x1e0
> [c0000000783c3ee0] [c000000000b512d0] .kernel_init+0x14c/0x1fc
> [c0000000783c3f90] [c000000000022468] .kernel_thread+0x54/0x70
> Instruction dump:
ebe1fff8 7c0803a6 4e800020 7c0802a6 fba1ffe8 fbe1fff8 7c7f1b78 f8010010
f821ff71 e8030398 3120ffff 7c090110 <0b000000e86303b0 482de065 60000000
> ---[ end trace 759bed76a85e8dec ]---
> scsi 0:0:1:0: Direct-Access     IBM-ESXS MAY2036RC        T106 PQ: 0 ANSI: 5
> ------------[ cut here ]------------
>
> I get lots more of these.  The obvious commit to point the finger at
> is 3308511c93e6 ("[SCSI] Make scsi_free_queue() kill pending SCSI
> commands") but the root cause may be something different.

Caused by

commit f7c9c6bb14f3104608a3a83cadea10a6943d2804
Author: Anton Blanchard <anton@samba.org>
Date:   Thu Nov 3 08:56:22 2011 +1100

    [SCSI] Fix block queue and elevator memory leak in scsi_alloc_sdev

Doesn't completely do the teardown.  The true fix is to do a proper
teardown instead of hand rolling it

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Tested-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agogenirq: Fix irqfixup, irqpoll regression
Edward Donovan [Tue, 1 Nov 2011 19:29:44 +0000 (15:29 -0400)]
genirq: Fix irqfixup, irqpoll regression

commit c75d720fca8a91ce99196d33adea383621027bf2 upstream.

commit d05c65fff0 ("genirq: spurious: Run only one poller at a time")
introduced a regression, leaving the boot options 'irqfixup' and
'irqpoll' non-functional. The patch placed tests in each function, to
exit if the function is already running. The test in 'misrouted_irq'
exited when it should have proceeded, effectively disabling
'misrouted_irq' and 'poll_spurious_irqs'.

The check for an already running poller needs to be "!= 1" not "== 1"
as "1" is the value when the first poller starts running.

Signed-off-by: Edward Donovan <edward.donovan@numble.net>
Cc: maciej.rutecki@gmail.com
Link: http://lkml.kernel.org/r/1320175784-6745-1-git-send-email-edward.donovan@numble.net
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoLinux 3.0.10
Greg Kroah-Hartman [Mon, 21 Nov 2011 22:37:44 +0000 (14:37 -0800)]
Linux 3.0.10

13 years agoblock: Always check length of all iov entries in blk_rq_map_user_iov()
Ben Hutchings [Sun, 13 Nov 2011 18:58:09 +0000 (19:58 +0100)]
block: Always check length of all iov entries in blk_rq_map_user_iov()

commit 6b76106d8ef31111d6fc469564b83b5f5542794f upstream.

Even after commit 5478755616ae2ef1ce144dded589b62b2a50d575
("block: check for proper length of iov entries earlier ...")
we still won't check for zero-length entries after an unaligned
entry.  Remove the break-statement, so all entries are checked.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agobacking-dev: ensure wakeup_timer is deleted
Rabin Vincent [Fri, 11 Nov 2011 12:29:04 +0000 (13:29 +0100)]
backing-dev: ensure wakeup_timer is deleted

commit 7a401a972df8e184b3d1a3fc958c0a4ddee8d312 upstream.

bdi_prune_sb() in bdi_unregister() attempts to removes the bdi links
from all super_blocks and then del_timer_sync() the writeback timer.

However, this can race with __mark_inode_dirty(), leading to
bdi_wakeup_thread_delayed() rearming the writeback timer on the bdi
we're unregistering, after we've called del_timer_sync().

This can end up with the bdi being freed with an active timer inside it,
as in the case of the following dump after the removal of an SD card.

Fix this by redoing the del_timer_sync() in bdi_destory().

 ------------[ cut here ]------------
 WARNING: at /home/rabin/kernel/arm/lib/debugobjects.c:262 debug_print_object+0x9c/0xc8()
 ODEBUG: free active (active state 0) object type: timer_list hint: wakeup_timer_fn+0x0/0x180
 Modules linked in:
 Backtrace:
 [<c00109dc>] (dump_backtrace+0x0/0x110) from [<c0236e4c>] (dump_stack+0x18/0x1c)
  r6:c02bc638 r5:00000106 r4:c79f5d18 r3:00000000
 [<c0236e34>] (dump_stack+0x0/0x1c) from [<c0025e6c>] (warn_slowpath_common+0x54/0x6c)
 [<c0025e18>] (warn_slowpath_common+0x0/0x6c) from [<c0025f28>] (warn_slowpath_fmt+0x38/0x40)
  r8:20000013 r7:c780c6f0 r6:c031613c r5:c780c6f0 r4:c02b1b29
 r3:00000009
 [<c0025ef0>] (warn_slowpath_fmt+0x0/0x40) from [<c015eb4c>] (debug_print_object+0x9c/0xc8)
  r3:c02b1b29 r2:c02bc662
 [<c015eab0>] (debug_print_object+0x0/0xc8) from [<c015f574>] (debug_check_no_obj_freed+0xac/0x1dc)
  r6:c7964000 r5:00000001 r4:c7964000
 [<c015f4c8>] (debug_check_no_obj_freed+0x0/0x1dc) from [<c00a9e38>] (kmem_cache_free+0x88/0x1f8)
 [<c00a9db0>] (kmem_cache_free+0x0/0x1f8) from [<c014286c>] (blk_release_queue+0x70/0x78)
 [<c01427fc>] (blk_release_queue+0x0/0x78) from [<c015290c>] (kobject_release+0x70/0x84)
  r5:c79641f0 r4:c796420c
 [<c015289c>] (kobject_release+0x0/0x84) from [<c0153ce4>] (kref_put+0x68/0x80)
  r7:00000083 r6:c74083d0 r5:c015289c r4:c796420c
 [<c0153c7c>] (kref_put+0x0/0x80) from [<c01527d0>] (kobject_put+0x48/0x5c)
  r5:c79643b4 r4:c79641f0
 [<c0152788>] (kobject_put+0x0/0x5c) from [<c013ddd8>] (blk_cleanup_queue+0x68/0x74)
  r4:c7964000
 [<c013dd70>] (blk_cleanup_queue+0x0/0x74) from [<c01a6370>] (mmc_blk_put+0x78/0xe8)
  r5:00000000 r4:c794c400
 [<c01a62f8>] (mmc_blk_put+0x0/0xe8) from [<c01a64b4>] (mmc_blk_release+0x24/0x38)
  r5:c794c400 r4:c0322824
 [<c01a6490>] (mmc_blk_release+0x0/0x38) from [<c00de11c>] (__blkdev_put+0xe8/0x170)
  r5:c78d5e00 r4:c74083c0
 [<c00de034>] (__blkdev_put+0x0/0x170) from [<c00de2c0>] (blkdev_put+0x11c/0x12c)
  r8:c79f5f70 r7:00000001 r6:c74083d0 r5:00000083 r4:c74083c0
 r3:00000000
 [<c00de1a4>] (blkdev_put+0x0/0x12c) from [<c00b0724>] (kill_block_super+0x60/0x6c)
  r7:c7942300 r6:c79f4000 r5:00000083 r4:c74083c0
 [<c00b06c4>] (kill_block_super+0x0/0x6c) from [<c00b0a94>] (deactivate_locked_super+0x44/0x70)
  r6:c79f4000 r5:c031af64 r4:c794dc00 r3:c00b06c4
 [<c00b0a50>] (deactivate_locked_super+0x0/0x70) from [<c00b1358>] (deactivate_super+0x6c/0x70)
  r5:c794dc00 r4:c794dc00
 [<c00b12ec>] (deactivate_super+0x0/0x70) from [<c00c88b0>] (mntput_no_expire+0x188/0x194)
  r5:c794dc00 r4:c7942300
 [<c00c8728>] (mntput_no_expire+0x0/0x194) from [<c00c95e0>] (sys_umount+0x2e4/0x310)
  r6:c7942300 r5:00000000 r4:00000000 r3:00000000
 [<c00c92fc>] (sys_umount+0x0/0x310) from [<c000d940>] (ret_fast_syscall+0x0/0x30)
 ---[ end trace e5c83c92ada51c76 ]---

Signed-off-by: Rabin Vincent <rabin.vincent@stericsson.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agopowerpc: Copy down exception vectors after feature fixups
Anton Blanchard [Mon, 14 Nov 2011 12:54:47 +0000 (12:54 +0000)]
powerpc: Copy down exception vectors after feature fixups

commit d715e433b7ad19c02fc4becf0d5e9a59f97925de upstream.

kdump fails because we try to execute an HV only instruction. Feature
fixups are being applied after we copy the exception vectors down to 0
so they miss out on any updates.

We have always had this issue but it only became critical in v3.0
when we added CFAR support (breaks POWER5) and v3.1 when we added
POWERNV (breaks everyone).

Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agopowerpc/ps3: Fix lost SMP IPIs
Geoff Levand [Tue, 8 Nov 2011 12:37:26 +0000 (12:37 +0000)]
powerpc/ps3: Fix lost SMP IPIs

commit 72f3bea075287785ed32b777b6dd2636aa7002e8 upstream.

Fixes the PS3 bootup hang introduced in 3.0-rc1 by:

  commit 317f394160e9beb97d19a84c39b7e5eb3d7815a
  sched: Move the second half of ttwu() to the remote cpu

Move the PS3's LV1 EOI call lv1_end_of_interrupt_ext() from ps3_chip_eoi()
to ps3_get_irq() for IPI messages.

If lv1_send_event_locally() is called between a previous call to
lv1_send_event_locally() and the coresponding call to
lv1_end_of_interrupt_ext() the second event will not be delivered to the
target cpu.

The PS3's SMP IPIs are implemented using lv1_send_event_locally(), so if two
IPI messages of the same type are sent to the same target in a relatively
short period of time the second IPI event can become lost when
lv1_end_of_interrupt_ext() is called from ps3_chip_eoi().

Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoxen-gntalloc: signedness bug in add_grefs()
Dan Carpenter [Fri, 4 Nov 2011 18:24:36 +0000 (21:24 +0300)]
xen-gntalloc: signedness bug in add_grefs()

commit 99cb2ddcc617f43917e94a4147aa3ccdb2bcd77e upstream.

gref->gref_id is unsigned so the error handling didn't work.
gnttab_grant_foreign_access() returns an int type, so we can add a
cast here, and it doesn't cause any problems.
gnttab_grant_foreign_access() can return a variety of errors
including -ENOSPC, -ENOSYS and -ENOMEM.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoxen-gntalloc: integer overflow in gntalloc_ioctl_alloc()
Dan Carpenter [Fri, 4 Nov 2011 18:24:08 +0000 (21:24 +0300)]
xen-gntalloc: integer overflow in gntalloc_ioctl_alloc()

commit 21643e69a4c06f7ef155fbc70e3fba13fba4a756 upstream.

On 32 bit systems a high value of op.count could lead to an integer
overflow in the kzalloc() and gref_ids would be smaller than
expected.  If the you triggered another integer overflow in
"if (gref_size + op.count > limit)" then you'd probably get memory
corruption inside add_grefs().

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoxen:pvhvm: enable PVHVM VCPU placement when using more than 32 CPUs.
Zhenzhong Duan [Fri, 28 Oct 2011 05:28:59 +0000 (22:28 -0700)]
xen:pvhvm: enable PVHVM VCPU placement when using more than 32 CPUs.

commit 90d4f5534d14815bd94c10e8ceccc57287657ecc upstream.

PVHVM running with more than 32 vcpus and pv_irq/pv_time enabled
need VCPU placement to work, or else it will softlockup.

Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomfd: Fix twl4030 dependencies for audio codec
Thomas Weber [Mon, 5 Sep 2011 09:26:33 +0000 (11:26 +0200)]
mfd: Fix twl4030 dependencies for audio codec

commit f09ee0451a44a4e913a7c3cec3805508f7de6c54 upstream.

The codec for Devkit8000 (TWL4030)  was not detected except
when build with CONFIG_SND_SOC_ALL_CODECS.

twl-core.c still uses the CONFIG_TWL4030_CODEC for
twl_has_codec().

In commit 57fe7251f5bfc4332f24479376de48a1e8ca6211
the CONFIG_TWL4030_CODEC was renamed
into CONFIG_MFD_TWL4030_AUDIO, thatswhy the codec
was not detected.

This patch renames the CONFIG_ TWL4030_CODEC into
CONFIG_MFD_TWL4030_AUDIO in twl-core.c.

Signed-off-by: Thomas Weber <weber@corscience.de>
Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Cc: Jarkko Nikula <jarkko.nikula@bitmer.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomd/raid5: abort any pending parity operations when array fails.
NeilBrown [Tue, 8 Nov 2011 05:22:01 +0000 (16:22 +1100)]
md/raid5: abort any pending parity operations when array fails.

commit 9a3f530f39f4490eaa18b02719fb74ce5f4d2d86 upstream.

When the number of failed devices exceeds the allowed number
we must abort any active parity operations (checks or updates) as they
are no longer meaningful, and can lead to a BUG_ON in
handle_parity_checks6.

This bug was introduce by commit 6c0069c0ae9659e3a91b68eaed06a5c6c37f45c8
in 2.6.29.

Reported-by: Manish Katiyar <mkatiyar@gmail.com>
Tested-by: Manish Katiyar <mkatiyar@gmail.com>
Acked-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agob43: refuse to load unsupported firmware
Rafał Miłecki [Tue, 8 Nov 2011 16:15:03 +0000 (17:15 +0100)]
b43: refuse to load unsupported firmware

[This patch is supposed to be applied in 3.1 (and maybe older) branches only.]

New kernels support newer firmware that users may try to incorrectly use
with older kernels. Display error and explain the problem in such a case

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox86, mrst: use a temporary variable for SFI irq
Mika Westerberg [Thu, 13 Oct 2011 09:04:20 +0000 (12:04 +0300)]
x86, mrst: use a temporary variable for SFI irq

commit 153b19a3b9fd8b9478495b9ee1f93f6a77c564f9 upstream.

SFI tables reside in RAM and should not be modified once they are
written.  Current code went to set pentry->irq to zero which causes
subsequent reads to fail with invalid SFI table checksum.  This will
break kexec as the second kernel fails to validate SFI tables.

To fix this we use temporary variable for irq number.

Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosfi: table irq 0xFF means 'no interrupt'
Kirill A. Shutemov [Fri, 26 Aug 2011 11:20:59 +0000 (12:20 +0100)]
sfi: table irq 0xFF means 'no interrupt'

commit a94cc4e6c0a26a7c8f79a432ab2c89534aa674d5 upstream.

According to the SFI specification irq number 0xFF means device has no
interrupt or interrupt attached via GPIO.

Currently, we don't handle this special case and set irq field in
*_board_info structs to 255.  It leads to confusion in some drivers.
Accelerometer driver tries to register interrupt 255, fails and prints
"Cannot get IRQ" to dmesg.

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/i915: enable ring freq scaling, RC6 and graphics turbo on Ivy Bridge v3
Jesse Barnes [Wed, 29 Jun 2011 20:34:36 +0000 (13:34 -0700)]
drm/i915: enable ring freq scaling, RC6 and graphics turbo on Ivy Bridge v3

commit 1c70c0cebd1295a42fec75045b8a6b4419cedef3 upstream.

They use the same register interfaces, so we can simply enable the
existing code on IVB.

v2:
  - resolve conflict with ring freq scaling, we can enable it too
v3:
  - resolve conflict again, this time on drm-intel-next

Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Robert Hooker <robert.hooker@canonical.com>
Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Acked-by: Herton Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon: add some missing FireMV pci ids
Alex Deucher [Mon, 14 Nov 2011 14:33:56 +0000 (09:33 -0500)]
drm/radeon: add some missing FireMV pci ids

commit b872a37437e93df9d112ce674752b3b3a0a17020 upstream.

Noticed by Egbert.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: Egbert Eich <eich@suse.de>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoRevert "leds: save the delay values after a successful call to blink_set()"
Johan Hovold [Tue, 15 Nov 2011 22:35:52 +0000 (14:35 -0800)]
Revert "leds: save the delay values after a successful call to blink_set()"

commit cb871513f656bdfc48b185b55f37857b5c750c40 upstream.

Revert commit 6123b0e274503a0d3588e84fbe07c9aa01bfaf5d.

The problem this patch intends to solve has alreadqy been fixed by
commit 7a5caabd090b ("drivers/leds/ledtrig-timer.c: fix broken sysfs
delay handling").

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: Antonio Ospite <ospite@studenti.unina.it>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Richard Purdie <rpurdie@rpsys.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agohfs: add sanity check for file name length
Dan Carpenter [Mon, 14 Nov 2011 14:52:08 +0000 (17:52 +0300)]
hfs: add sanity check for file name length

commit bc5b8a9003132ae44559edd63a1623b7b99dfb68 upstream.

On a corrupted file system the ->len field could be wrong leading to
a buffer overflow.

Reported-and-acked-by: Clement LECIGNE <clement.lecigne@netasq.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoKEYS: Fix a NULL pointer deref in the user-defined key type
David Howells [Tue, 15 Nov 2011 22:09:45 +0000 (22:09 +0000)]
KEYS: Fix a NULL pointer deref in the user-defined key type

commit 9f35a33b8d06263a165efe3541d9aa0cdbd70b3b upstream.

Fix a NULL pointer deref in the user-defined key type whereby updating a
negative key into a fully instantiated key will cause an oops to occur
when the code attempts to free the non-existent old payload.

This results in an oops that looks something like the following:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
  IP: [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
  PGD 3391d067 PUD 3894a067 PMD 0
  Oops: 0002 [#1] SMP
  CPU 1
  Pid: 4354, comm: keyctl Not tainted 3.1.0-fsdevel+ #1140                  /DG965RY
  RIP: 0010:[<ffffffff81085fa1>]  [<ffffffff81085fa1>] __call_rcu+0x11/0x13e
  RSP: 0018:ffff88003d591df8  EFLAGS: 00010246
  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000006e
  RDX: ffffffff8161d0c0 RSI: 0000000000000000 RDI: 0000000000000000
  RBP: ffff88003d591e18 R08: 0000000000000000 R09: ffffffff8152fa6c
  R10: 0000000000000000 R11: 0000000000000300 R12: ffff88003b8f9538
  R13: ffffffff8161d0c0 R14: ffff88003b8f9d50 R15: ffff88003c69f908
  FS:  00007f97eb18c720(0000) GS:ffff88003bd00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000008 CR3: 000000003d47a000 CR4: 00000000000006e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  Process keyctl (pid: 4354, threadinfo ffff88003d590000, task ffff88003c78a040)
  Stack:
   ffff88003e0ffde0 ffff88003b8f9538 0000000000000001 ffff88003b8f9d50
   ffff88003d591e28 ffffffff810860f0 ffff88003d591e68 ffffffff8117bfea
   ffff88003d591e68 ffffffff00000000 ffff88003e0ffde1 ffff88003e0ffde0
  Call Trace:
   [<ffffffff810860f0>] call_rcu_sched+0x10/0x12
   [<ffffffff8117bfea>] user_update+0x8d/0xa2
   [<ffffffff8117723a>] key_create_or_update+0x236/0x270
   [<ffffffff811789b1>] sys_add_key+0x123/0x17e
   [<ffffffff813b84bb>] system_call_fastpath+0x16/0x1b

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Neil Horman <nhorman@redhat.com>
Acked-by: Steve Dickson <steved@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoALSA: usb-audio - Fix the missing volume quirks at delayed init
Takashi Iwai [Tue, 8 Nov 2011 16:50:27 +0000 (17:50 +0100)]
ALSA: usb-audio - Fix the missing volume quirks at delayed init

commit dcaaf9f2c16b56f8bb316881fcd3f15c18fc71e7 upstream.

In the recent usb-audio driver, the initialization of volume ranges
may be delayed when the device doesn't respond well at the probing time.
But the volume quirks for certain devices are applied only in
mixer_ctl_feature_info() thus only at the very first probe and will be
missing when the volume range is initialized later.

This patch moves the volume quirk code to be always called from the
volume-range extraction (get_min_max()), so that the quirks are properly
applied in the later init time.

Reported-and-tested-by: Alexey Fisher <bug-track@fisher-privat.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoALSA: usb-audio - Check the dB-range validity in the later read, too
Takashi Iwai [Fri, 19 Aug 2011 06:30:53 +0000 (08:30 +0200)]
ALSA: usb-audio - Check the dB-range validity in the later read, too

commit 9fcd0ab130579d9742538340edda3225f2b49a3e upstream.

When the initial check of dB-range failed due to the read error, try to
check again at the later read, too.  When an invalid dB range is found,
remove TLV flags and notify the mixer info change.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: make an aux failure debug only
Alex Deucher [Tue, 8 Nov 2011 15:09:58 +0000 (10:09 -0500)]
drm/radeon/kms: make an aux failure debug only

commit 091264f0bc12419560ac64fcef4567809d611658 upstream.

Can happen when there is no DP panel attached, confusing
users.  Make it debug only.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/nouveau: initialize chan->fence.lock before use
Marcin Slusarz [Fri, 9 Sep 2011 12:16:42 +0000 (14:16 +0200)]
drm/nouveau: initialize chan->fence.lock before use

commit 5e60ee780e792efe6dce97eceb110b1d30bab850 upstream.

Fence lock needs to be initialized before any call to nouveau_channel_put
because it calls nouveau_channel_idle->nouveau_fence_update which uses
fence lock.

BUG: spinlock bad magic on CPU#0, test/24134
 lock: ffff88019f90dba8, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
Pid: 24134, comm: test Not tainted 3.0.0-nv+ #800
Call Trace:
 spin_bug+0x9c/0xa3
 do_raw_spin_lock+0x29/0x13c
 _raw_spin_lock+0x1e/0x22
 nouveau_fence_update+0x2d/0xf1
 nouveau_channel_idle+0x22/0xa0
 nouveau_channel_put_unlocked+0x84/0x1bd
 nouveau_channel_put+0x20/0x24
 nouveau_channel_alloc+0x4ec/0x585
 nouveau_ioctl_fifo_alloc+0x50/0x130
 drm_ioctl+0x289/0x361
 do_vfs_ioctl+0x4dd/0x52c
 sys_ioctl+0x42/0x65
 system_call_fastpath+0x16/0x1b

It's easily triggerable from userspace.

Additionally remove double initialization of chan->fence.pending.

Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/i915: Fix object refcount leak on mmappable size limit error path.
Eric Anholt [Tue, 1 Nov 2011 06:16:21 +0000 (23:16 -0700)]
drm/i915: Fix object refcount leak on mmappable size limit error path.

commit 14660ccd599dc7bd6ecef17408bd76dc853f9b77 upstream.

I've been seeing memory leaks on my system in the form of large
(300-400MB) GEM objects created by now-dead processes laying around
clogging up memory.  I usually notice when it gets to about 1.2GB of
them.  Hopefully this clears up the issue, but I just found this bug
by inspection.

Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosh: Fix cached/uncaced address calculation in 29bit mode
Nobuhiro Iwamatsu [Fri, 4 Nov 2011 13:13:50 +0000 (22:13 +0900)]
sh: Fix cached/uncaced address calculation in 29bit mode

commit dfd3b596fbbfa48b8e7966ef996d587157554b69 upstream.

In the case of 29bit mode, CAC/UNCAC_ADDR does not return a right address.
This revises this problem by using P1SEGADDR and P2SEGADDR in 29bit mode.

Reported-by: Yutaro Ebihara <ebiharaml@si-linux.co.jp>
Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Tested-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Tested-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoASoC: Don't use wm8994->control_data in wm8994_readable_register()
Mark Brown [Fri, 4 Nov 2011 15:52:31 +0000 (15:52 +0000)]
ASoC: Don't use wm8994->control_data in wm8994_readable_register()

commit 8eeea521d9d0fa6afd62df8c6e6566ee946117fa upstream.

The field is no longer initialised so this will crash if running on
wm8958.

Reported-by: Thomas Abraham <thomas.abraham@linaro.org>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agovirtio-pci: fix use after free
Michael S. Tsirkin [Mon, 7 Nov 2011 16:37:05 +0000 (18:37 +0200)]
virtio-pci: fix use after free

commit 72103bd1285211440621f2c46f4fce377584de54 upstream.

Commit 31a3ddda166cda86d2b5111e09ba4bda5239fae6 introduced
a use after free in virtio-pci. The main issue is
that the release method signals removal of the virtio device,
while remove signals removal of the pci device.

For example, on driver removal or hot-unplug,
virtio_pci_release_dev is called before virtio_pci_remove.
We then might get a crash as virtio_pci_remove tries to use the
device freed by virtio_pci_release_dev.

We allocate/free all resources together with the
pci device, so we can leave the release method empty.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoALSA: hda - Don't add elements of other codecs to vmaster slave
Takashi Iwai [Thu, 10 Nov 2011 11:28:38 +0000 (12:28 +0100)]
ALSA: hda - Don't add elements of other codecs to vmaster slave

commit aeb4b88ec0a948efce8e3a23a8f964d3560a7308 upstream.

When a virtual mater control is created, the driver looks for slave
elements from the assigned card instance.  But this may include the
elements of other codecs when multiple codecs are on the same HD-audio
bus.  This works at the first time, but it'll give Oops when it's once
freed and re-created via reconfig sysfs.

This patch changes the element-look-up strategy to limit only to the
mixer elements of the same codec.

Reported-by: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoLinux 3.0.9
Greg Kroah-Hartman [Fri, 11 Nov 2011 18:12:24 +0000 (10:12 -0800)]
Linux 3.0.9

13 years agohid/apple: modern macbook airs use the standard apple function key translations
Linus Torvalds [Mon, 7 Nov 2011 02:34:03 +0000 (18:34 -0800)]
hid/apple: modern macbook airs use the standard apple function key translations

commit 21404b772a1c65f7b935b8c0fddc388a949f4e31 upstream.

This removes the use of the special "macbookair_fn_keys" keyboard
translation table for the MacBookAir4,x models (ie the 2011 refresh).
They use the standard apple_fn_keys[] translation.  Apparently only the
old MacBook Air's need a different translation table.

This mirrors the change that commit da617c7cb915 ("HID: consolidate
MacbookAir 4,1 mappings") did for the WELLSPRING6A ones, but does it for
the WELLSPRING6 model used on the MacBookAir4,2.

Reported-and-tested-by: Dirk Hohndel <hohndel@infradead.org>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Joshua V Dillon <jvdillon@gmail.com>
Cc: Chase Douglas <chase.douglas@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoHID: consolidate MacbookAir 4,1 mappings
Jiri Kosina [Wed, 5 Oct 2011 14:54:45 +0000 (16:54 +0200)]
HID: consolidate MacbookAir 4,1 mappings

commit da617c7cb915545dda4280df888dd6f8d5697420 upstream.

MacbookAir 4,1 doesn't require extra mapping table, as the mappings
are identical to apple_fn_keys[].

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoHID: hid-apple: add device ID of another wireless aluminium
Andreas Krist [Fri, 28 Oct 2011 16:50:39 +0000 (18:50 +0200)]
HID: hid-apple: add device ID of another wireless aluminium

commit ad734bc1565364f9e4b70888d3ce5743b3c1030a upstream.

I've recently bought a Apple wireless aluminum keyboard (model 2011) which is
not yet supported by the kernel - it seems they just changed the device id.
After applying the attached patch, the device is fully functional.

Signed-off-by: Andreas Krist <andreas.krist@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoHID: Add device IDs for Macbook Pro 8 keyboards
Gökçen Eraslan [Sat, 22 Oct 2011 19:39:06 +0000 (22:39 +0300)]
HID: Add device IDs for Macbook Pro 8 keyboards

commit 213f9da80533940560bef8fa43b10c590895459c upstream.

This patch adds keyboard support for Macbook Pro 8 models which has
WELLSPRING5A model name and 0x0252, 0x0253 and 0x0254 USB IDs. Trackpad
support for those models are added to bcm5974 in
c331eb580a0a7906c0cdb8dbae3cfe99e3c0e555 ("Input: bcm5974 - Add
support for newer MacBookPro8,2).

Signed-off-by: Gökçen Eraslan <gokcen@pardus.org.tr>
Acked-by: Henrik Rydberg <rydberg@euromail.se>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Cc: Chase Douglas <chase.douglas@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoHID: Add support MacbookAir 4,1 keyboard
Nobuhiro Iwamatsu [Sat, 1 Oct 2011 06:54:53 +0000 (15:54 +0900)]
HID: Add support MacbookAir 4,1 keyboard

commit d762cc290b9f17e346f4297fd5984b70ce71ef66 upstream.

Added USB device IDs and keyboard map for MacBookAir 4,1 keyboard.

Signed-off-by: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoHID: add MacBookAir4,2 to hid_have_special_driver[]
Jiri Kosina [Wed, 10 Aug 2011 12:12:52 +0000 (14:12 +0200)]
HID: add MacBookAir4,2 to hid_have_special_driver[]

commit f6f554f09c5b831efdaf67c449e18ca06ee648fe upstream.

Otherwise the generic driver wouldn't unbind from it and wouldn't
let hid-apple to automatically take over.

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoHID: hid-multitouch: Add LG Display Multitouch device.
Jeff Brown [Tue, 16 Aug 2011 04:12:09 +0000 (21:12 -0700)]
HID: hid-multitouch: Add LG Display Multitouch device.

commit c50bb1a4005630f47b5da26336f74a485033a515 upstream.

This panel is also known as the Dell ST2220Tc.

Signed-off-by: jeffbrown@android.com
Reviewed-By: Benjamin Tissoires <Benjamin_Tissoires@logitech.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoHID: add support for MacBookAir4,2 keyboard.
Joshua V. Dillon [Fri, 5 Aug 2011 19:05:22 +0000 (12:05 -0700)]
HID: add support for MacBookAir4,2 keyboard.

commit 5d922baa631058c7e37ae33e81c4d3e6437f8d1d upstream.

Added USB device IDs for MacBookAir4,2 keyboard. Device constants were
copied from the MacBookAir3,2 constants. The 4,2 device specification is
reportedly unchanged from the 3,2 predecessor and seems to work well.

Signed-off-by: Joshua V Dillon <jvdillon@gmail.com>
Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoHID: add support for HuiJia USB Gamepad connector
Clemens Werther [Thu, 25 Aug 2011 13:35:14 +0000 (15:35 +0200)]
HID: add support for HuiJia USB Gamepad connector

commit 6d1db0777981e1626ae71243984ac300b61789ff upstream.

Create each gamepad as a separate joystick

Signed-off-by: Clemens Werther <clemens.werther@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoHID: add support for new revision of Apple aluminum keyboard
Dan Bastone [Sun, 31 Jul 2011 11:40:49 +0000 (07:40 -0400)]
HID: add support for new revision of Apple aluminum keyboard

commit 4a4c879904aa0cc64629e14a49b64fb3d149bf1a upstream.

Add USB device ids for the new revision (MB110LL/B) of Apple's wired aluminum
keyboard.  I have only confirmed that the ANSI version is correct - it is
assumed that the ISO and JIS versions follow the standard numbering convention.

Signed-off-by: Dan Bastone <dan@pwienterprises.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomtd: nand_base: always initialise oob_poi before writing OOB data
THOMSON, Adam (Adam) [Tue, 14 Jun 2011 14:52:38 +0000 (16:52 +0200)]
mtd: nand_base: always initialise oob_poi before writing OOB data

commit f722013ee9fd24623df31dec9a91a6d02c3e2f2f upstream.

In nand_do_write_ops() code it is possible for a caller to provide
ops.oobbuf populated and ops.mode == MTD_OOB_AUTO, which currently
means that the chip->oob_poi buffer isn't initialised to all 0xFF.
The nand_fill_oob() method then carries out the task of copying
the provided OOB data to oob_poi, but with MTD_OOB_AUTO it skips
areas marked as unavailable by the layout struct, including the
bad block marker bytes.

An example of this causing issues is when the last OOB data read
was from the start of a bad block where the markers are not 0xFF,
and the caller wishes to write new OOB data at the beginning of
another block. In this scenario the caller would provide OOB data,
but nand_fill_oob() would skip the bad block marker bytes in
oob_poi before copying the OOB data provided by the caller.
This means that when the OOB data is written back to NAND,
the block is inadvertently marked as bad without the caller knowing.
This has been witnessed when using YAFFS2 where tags are stored
in the OOB.

To avoid this oob_poi is always initialised to 0xFF to make sure
no left over data is inadvertently written back to the OOB area.

Credits to Brian Norris <computersforpeace@gmail.com> for fixing this
patch.

Signed-off-by: Adam Thomson <adam.thomson@alcatel-lucent.com>
Signed-off-by: Artem Bityutskiy <dedekind1@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k_hw: Fix regression of register offset for AR9003 chips
Rajkumar Manoharan [Thu, 20 Oct 2011 08:52:43 +0000 (14:22 +0530)]
ath9k_hw: Fix regression of register offset for AR9003 chips

commit 52d6d4ef5e6d1517688e27c11c01ab303ec681dd upstream.

My recent commits (3782c69d324c74a) introduced regression
for register offset selection that based on the macversion.
Not using parentheses in proper manner for ternary operator
leads to select wrong offset for the registers.

This issue was observed with AR9462 chip that immediate disconnect
after the association with the following message

ieee80211 phy3: wlan0: Failed to send nullfunc to AP 00:23:69:12:ea:47
after 500ms, disconnecting.

Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodp83640: use proper function to free transmit time stamping packets
Richard Cochran [Fri, 21 Oct 2011 00:49:16 +0000 (00:49 +0000)]
dp83640: use proper function to free transmit time stamping packets

commit f5ff7cd1a84caa9545d952a37ac872ccb73825fb upstream.

The previous commit enforces a new rule for handling the cloned packets
for transmit time stamping. These packets must not be freed using any other
function than skb_complete_tx_timestamp. This commit fixes the one and only
driver using this API.

The driver first appeared in v3.0.

Signed-off-by: Richard Cochran <richard.cochran@omicron.at>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocrypto: cryptd - Use subsys_initcall to prevent races with aesni
Herbert Xu [Fri, 19 Aug 2011 08:11:23 +0000 (16:11 +0800)]
crypto: cryptd - Use subsys_initcall to prevent races with aesni

commit b2bac6acf86d05d8af0499f37d91ecac15722803 upstream.

As cryptd is depeneded on by other algorithms such as aesni-intel,
it needs to be registered before them.  When everything is built
as modules, this occurs naturally.  However, for this to work when
they are built-in, we need to use subsys_initcall in cryptd.

Tested-by: Josh Boyer <jwboyer@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Kerin Millar <kerframil@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoPM / Suspend: Off by one in pm_suspend()
Dan Carpenter [Wed, 21 Sep 2011 18:55:04 +0000 (20:55 +0200)]
PM / Suspend: Off by one in pm_suspend()

commit 528f7ce6e439edeac38f6b3f8561f1be129b5e91 upstream.

In enter_state() we use "state" as an offset for the pm_states[]
array.  The pm_states[] array only has PM_SUSPEND_MAX elements so
this test is off by one.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonet: Handle different key sizes between address families in flow cache
dpward [Mon, 5 Sep 2011 16:47:24 +0000 (16:47 +0000)]
net: Handle different key sizes between address families in flow cache

commit aa1c366e4febc7f5c2b84958a2dd7cd70e28f9d0 upstream.

With the conversion of struct flowi to a union of AF-specific structs, some
operations on the flow cache need to account for the exact size of the key.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Kim Phillips <kim.phillips@freescale.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonet: Align AF-specific flowi structs to long
David Ward [Mon, 5 Sep 2011 16:47:23 +0000 (16:47 +0000)]
net: Align AF-specific flowi structs to long

commit 728871bc05afc8ff310b17dba3e57a2472792b13 upstream.

AF-specific flowi structs are now passed to flow_key_compare, which must
also be aligned to a long.

Signed-off-by: David Ward <david.ward@ll.mit.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Kim Phillips <kim.phillips@freescale.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoext4: remove i_mutex lock in ext4_evict_inode to fix lockdep complaining
Jiaying Zhang [Wed, 31 Aug 2011 15:50:51 +0000 (11:50 -0400)]
ext4: remove i_mutex lock in ext4_evict_inode to fix lockdep complaining

commit 8c0bec2151a47906bf779c6715a10ce04453ab77 upstream.

The i_mutex lock and flush_completed_IO() added by commit 2581fdc810
in ext4_evict_inode() causes lockdep complaining about potential
deadlock in several places.  In most/all of these LOCKDEP complaints
it looks like it's a false positive, since many of the potential
circular locking cases can't take place by the time the
ext4_evict_inode() is called; but since at the very least it may mask
real problems, we need to address this.

This change removes the flush_completed_IO() and i_mutex lock in
ext4_evict_inode().  Instead, we take a different approach to resolve
the software lockup that commit 2581fdc810 intends to fix.  Rather
than having ext4-dio-unwritten thread wait for grabing the i_mutex
lock of an inode, we use mutex_trylock() instead, and simply requeue
the work item if we fail to grab the inode's i_mutex lock.

This should speed up work queue processing in general and also
prevents the following deadlock scenario: During page fault,
shrink_icache_memory is called that in turn evicts another inode B.
Inode B has some pending io_end work so it calls ext4_ioend_wait()
that waits for inode B's i_ioend_count to become zero.  However, inode
B's ioend work was queued behind some of inode A's ioend work on the
same cpu's ext4-dio-unwritten workqueue.  As the ext4-dio-unwritten
thread on that cpu is processing inode A's ioend work, it tries to
grab inode A's i_mutex lock.  Since the i_mutex lock of inode A is
still hold before the page fault happened, we enter a deadlock.

Signed-off-by: Jiaying Zhang <jiayingz@google.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomtd: pxa3xx_nand: Fix blank page ECC mismatch
Daniel Mack [Tue, 7 Jun 2011 10:01:07 +0000 (03:01 -0700)]
mtd: pxa3xx_nand: Fix blank page ECC mismatch

commit 543e32d5ff165d0d68deedb0e3557478c7c36a4a upstream.

This bug was introduced in f8155a40 ("mtd: pxa3xx_nand: rework irq
logic") and causes the PXA3xx NAND controller fail to operate with NAND
flash that has empty pages. According to the comment in this block, the
hardware controller will report a double-bit error for empty pages,
which can and must be ignored.

This patch restores the original behaviour of the driver.

Signed-off-by: Daniel Mack <zonque@gmail.com>
Acked-by: Lei Wen <leiwen@marvell.com>
Cc: Haojian Zhuang <haojian.zhuang@marvell.com>
Cc: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomtd: pxa3xx_nand: fix nand detection issue
Lei Wen [Tue, 7 Jun 2011 10:01:06 +0000 (03:01 -0700)]
mtd: pxa3xx_nand: fix nand detection issue

commit 0fab028b77d714ad302404b23306cf7adb885223 upstream.

When keep_config is set, the detection would goes different routine.
That the driver would read out the setting which is set previously
by bootloader. While most bootloader keep the irq mask as off, and
current driver need all irq default open, keep_config behavior would
lead to no irq at all.

Signed-off-by: Lei Wen <leiwen@marvell.com>
Tested-by: Daniel Mack <zonque@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomtd: provide an alias for the redboot module name
Andres Salomon [Fri, 14 Oct 2011 14:33:20 +0000 (07:33 -0700)]
mtd: provide an alias for the redboot module name

commit d5de1907d0af22e1a02de2b16a624148517a39c2 upstream.

parse_mtd_partitions takes a list of partition types; if the driver
isn't loaded, it attempts to load it, and then it grabs the partition
parser.  For redboot, the module name is "redboot.ko", while the parser
name is "RedBoot".  Since modprobe is case-sensitive, attempting to
modprobe "RedBoot" will never work.  I suspect the embedded systems that
make use of redboot just always manually loaded redboot prior to loading
their specific nand chip drivers (or statically compiled it in).

Signed-off-by: Andres Salomon <dilinger@queued.net>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomtd: mtdchar: add missing initializer on raw write
Peter Wippich [Mon, 6 Jun 2011 13:50:58 +0000 (15:50 +0200)]
mtd: mtdchar: add missing initializer on raw write

commit bf5140817b2d65faac9b32fc9057a097044ac35b upstream.

On writes in MODE_RAW the mtd_oob_ops struct is not sufficiently
initialized which may cause nandwrite to fail. With this patch
it is possible to write raw nand/oob data without additional ECC
(either for testing or when some sectors need different oob layout
e.g. bootloader) like
nandwrite  -n -r -o  /dev/mtd0 <myfile>

Signed-off-by: Peter Wippich <pewi@gw-instruments.de>
Tested-by: Ricard Wanderlof <ricardw@axis.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: disable powersave for broken APs
Johannes Berg [Fri, 28 Oct 2011 09:59:47 +0000 (11:59 +0200)]
mac80211: disable powersave for broken APs

commit 05cb91085760ca378f28fc274fbf77fc4fd9886c upstream.

Only AID values 1-2007 are valid, but some APs have been
found to send random bogus values, in the reported case an
AP that was sending the AID field value 0xffff, an AID of
0x3fff (16383).

There isn't much we can do but disable powersave since
there's no way it can work properly in this case.

Reported-by: Bill C Riemers <briemers@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: config hw when going back on-channel
Eliad Peller [Thu, 20 Oct 2011 17:05:50 +0000 (19:05 +0200)]
mac80211: config hw when going back on-channel

commit 6911bf0453e0d6ea8eb694a4ce67a68d071c538e upstream.

When going back on-channel, we should reconfigure
the hw iff the hardware is not already configured
to the operational channel.

Signed-off-by: Eliad Peller <eliad@wizery.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: fix remain_off_channel regression
Eliad Peller [Thu, 20 Oct 2011 17:05:49 +0000 (19:05 +0200)]
mac80211: fix remain_off_channel regression

commit eaa7af2ae582c9a8c51b374c48d5970b748a5ce2 upstream.

The offchannel code is currently broken - we should
remain_off_channel if the work was started, and
the work's channel and channel_type are the same
as local->tmp_channel and local->tmp_channel_type.

However, if wk->chan_type and local->tmp_channel_type
coexist (e.g. have the same channel type), we won't
remain_off_channel.

This behavior was introduced by commit da2fd1f
("mac80211: Allow work items to use existing
channel type.")

Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k_hw: Update AR9485 initvals to fix system hang issue
Rajkumar Manoharan [Mon, 24 Oct 2011 12:43:40 +0000 (18:13 +0530)]
ath9k_hw: Update AR9485 initvals to fix system hang issue

commit 98fb2cc115b4ef1ea0a2d87a170c183bd395dd6c upstream.

This patch fixes system hang when resuming from S3 state
and lower rate sens failure issue.

Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonetlink: validate NLA_MSECS length
Johannes Berg [Thu, 3 Nov 2011 00:07:32 +0000 (00:07 +0000)]
netlink: validate NLA_MSECS length

commit c30bc94758ae2a38a5eb31767c1985c0aae0950b upstream.

L2TP for example uses NLA_MSECS like this:
policy:
        [L2TP_ATTR_RECV_TIMEOUT]        = { .type = NLA_MSECS, },
code:
        if (info->attrs[L2TP_ATTR_RECV_TIMEOUT])
                cfg.reorder_timeout = nla_get_msecs(info->attrs[L2TP_ATTR_RECV_TIMEOUT]);

As nla_get_msecs() is essentially nla_get_u64() plus the
conversion to a HZ-based value, this will not properly
reject attributes from userspace that aren't long enough
and might overrun the message.

Add NLA_MSECS to the attribute minlen array to check the
size properly.

Cc: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoACPI atomicio: Convert width in bits to bytes in __acpi_ioremap_fast()
Luck, Tony [Fri, 21 Oct 2011 21:42:55 +0000 (14:42 -0700)]
ACPI atomicio: Convert width in bits to bytes in __acpi_ioremap_fast()

commit 3bf3f8b19d2bfccc40f13c456bf339fd8f535ebc upstream.

Callers to __acpi_ioremap_fast() pass the bit_width that they found in the
acpi_generic_address structure. Convert from bits to bytes when passing to
__acpi_find_iomap() - as it wants to see bytes, not bits.

Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agopowerpc: Fix deadlock in icswx code
Anton Blanchard [Wed, 14 Sep 2011 09:43:15 +0000 (09:43 +0000)]
powerpc: Fix deadlock in icswx code

commit 8bdafa39a47265bc029838b35cc6585f69224afa upstream.

The icswx code introduced an A-B B-A deadlock:

     CPU0                    CPU1
     ----                    ----
lock(&anon_vma->mutex);
                             lock(&mm->mmap_sem);
                             lock(&anon_vma->mutex);
lock(&mm->mmap_sem);

Instead of using the mmap_sem to keep mm_users constant, take the
page table spinlock.

Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agopowerpc/eeh: Fix /proc/ppc64/eeh creation
Thadeu Lima de Souza Cascardo [Fri, 26 Aug 2011 10:36:31 +0000 (10:36 +0000)]
powerpc/eeh: Fix /proc/ppc64/eeh creation

commit 8feaa43494cee5e938fd5a57b9e9bf1c827e6ccd upstream.

Since commit 188917e183cf9ad0374b571006d0fc6d48a7f447, /proc/ppc64 is a
symlink to /proc/powerpc/. That means that creating /proc/ppc64/eeh will
end up with a unaccessible file, that is not listed under /proc/powerpc/
and, then, not listed under /proc/ppc64/.

Creating /proc/powerpc/eeh fixes that problem and maintain the
compatibility intended with the ppc64 symlink.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agopowerpc/pseries: Avoid spurious error during hotplug CPU add
Anton Blanchard [Sun, 14 Aug 2011 14:30:30 +0000 (14:30 +0000)]
powerpc/pseries: Avoid spurious error during hotplug CPU add

commit 9c740025c51a26ab00192cfc464064d4ccbfe3fc upstream.

During hotplug CPU add we get the following error:

Unexpected Error (0) returned from configure-connector

ibm,configure-connector returns 0 for configuration complete, so
catch this and avoid the error.

Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agopowerpc: Fix oops when echoing bad values to /sys/devices/system/memory/probe
Anton Blanchard [Wed, 10 Aug 2011 20:44:24 +0000 (20:44 +0000)]
powerpc: Fix oops when echoing bad values to /sys/devices/system/memory/probe

commit a11940978bd598e65996b4f807cf4904793f7025 upstream.

If we echo an address the hypervisor doesn't like to
/sys/devices/system/memory/probe we oops the box:

# echo 0x10000000000 > /sys/devices/system/memory/probe

kernel BUG at arch/powerpc/mm/hash_utils_64.c:541!

The backtrace is:

create_section_mapping
arch_add_memory
add_memory
memory_probe_store
sysdev_class_store
sysfs_write_file
vfs_write
SyS_write

In create_section_mapping we BUG if htab_bolt_mapping returned
an error. A better approach is to return an error which will
propagate back to userspace.

Rerunning the test with this patch applied:

# echo 0x10000000000 > /sys/devices/system/memory/probe
-bash: echo: write error: Invalid argument

Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agopowerpc/numa: Remove double of_node_put in hot_add_node_scn_to_nid
Anton Blanchard [Wed, 10 Aug 2011 20:44:21 +0000 (20:44 +0000)]
powerpc/numa: Remove double of_node_put in hot_add_node_scn_to_nid

commit 6083184269fd723affca4f6340e491950267622a upstream.

During memory hotplug testing, I got the following warning:

ERROR: Bad of_node_put() on /memory@0

of_node_release
kref_put
of_node_put
of_find_node_by_type
hot_add_node_scn_to_nid
hot_add_scn_to_nid
memory_add_physaddr_to_nid
...

of_find_node_by_type() loop does the of_node_put for us so we only
need the handle the case where we terminate the loop early.

As suggested by Stephen Rothwell we can do the of_node_put
unconditionally outside of the loop since of_node_put handles a
NULL argument fine.

Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoVFS: we need to set LOOKUP_JUMPED on mountpoint crossing
Al Viro [Mon, 7 Nov 2011 21:21:26 +0000 (21:21 +0000)]
VFS: we need to set LOOKUP_JUMPED on mountpoint crossing

commit a3fbbde70a0cec017f2431e8f8de208708c76acc upstream.

Mountpoint crossing is similar to following procfs symlinks - we do
not get ->d_revalidate() called for dentry we have arrived at, with
unpleasant consequences for NFS4.

Simple way to reproduce the problem in mainline:

    cat >/tmp/a.c <<'EOF'
    #include <unistd.h>
    #include <fcntl.h>
    #include <stdio.h>
    main()
    {
            struct flock fl = {.l_type = F_RDLCK, .l_whence = SEEK_SET, .l_len = 1};
            if (fcntl(0, F_SETLK, &fl))
                    perror("setlk");
    }
    EOF
    cc /tmp/a.c -o /tmp/test

then on nfs4:

    mount --bind file1 file2
    /tmp/test < file1 # ok
    /tmp/test < file2 # spews "setlk: No locks available"...

What happens is the missing call of ->d_revalidate() after mountpoint
crossing and that's where NFS4 would issue OPEN request to server.

The fix is simple - treat mountpoint crossing the same way we deal with
following procfs-style symlinks.  I.e.  set LOOKUP_JUMPED...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agohpsa: add small delay when using PCI Power Management to reset for kump
Mike Miller [Fri, 21 Oct 2011 06:19:43 +0000 (08:19 +0200)]
hpsa: add small delay when using PCI Power Management to reset for kump

commit c4853efec665134b2e6fc9c13447323240980351 upstream.

The P600 requires a small delay when changing states. Otherwise we may think
the board did not reset and we bail. This for kdump only and is particular
to the P600.

Signed-off-by: Mike Miller <mike.miller@hp.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoVFS: fix statfs() automounter semantics regression
Dan McGee [Tue, 1 Nov 2011 23:23:10 +0000 (18:23 -0500)]
VFS: fix statfs() automounter semantics regression

commit 5c8a0fbba543d9428a486f0d1282bbcf3cf1d95a upstream.

No one in their right mind would expect statfs() to not work on a
automounter managed mount point. Fix it.

[ I'm not sure about the "no one in their right mind" part.  It's not
  mounted, and you didn't ask for it to be mounted.  But nobody will
  really care, and this probably makes it match previous semantics, so..
      - Linus ]

This mirrors the fix made to the quota code in 815d405ceff0d69646.

Signed-off-by: Dan McGee <dpmcgee@gmail.com>
Cc: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoxen/blkback: Report VBD_WSECT (wr_sect) properly.
Konrad Rzeszutek Wilk [Mon, 10 Oct 2011 16:33:21 +0000 (12:33 -0400)]
xen/blkback: Report VBD_WSECT (wr_sect) properly.

commit 5c62cb48602dba95159c81ffeca179d3852e25be upstream.

We did not increment the amount of sectors written to disk
b/c we tested for the == WRITE which is incorrect - as the
operations are more of WRITE_FLUSH, WRITE_ODIRECT. This patch
fixes it by doing a & WRITE check.

Reported-by: Andy Burns <xen.lists@burns.me.uk>
Suggested-by: Ian Campbell <Ian.Campbell@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoblock: make gendisk hold a reference to its queue
Tejun Heo [Mon, 17 Oct 2011 11:42:43 +0000 (13:42 +0200)]
block: make gendisk hold a reference to its queue

commit f992ae801a7dec34a4ed99a6598bbbbfb82af4fb upstream.

The following command sequence triggers an oops.

# mount /dev/sdb1 /mnt
# echo 1 > /sys/class/scsi_device/0\:0\:1\:0/device/delete
# umount /mnt

 general protection fault: 0000 [#1] PREEMPT SMP
 CPU 2
 Modules linked in:

 Pid: 791, comm: umount Not tainted 3.1.0-rc3-work+ #8 Bochs Bochs
 RIP: 0010:[<ffffffff810d0879>]  [<ffffffff810d0879>] __lock_acquire+0x389/0x1d60
...
 Call Trace:
  [<ffffffff810d2845>] lock_acquire+0x95/0x140
  [<ffffffff81aed87b>] _raw_spin_lock+0x3b/0x50
  [<ffffffff811573bc>] bdi_lock_two+0x5c/0x70
  [<ffffffff811c2f6c>] bdev_inode_switch_bdi+0x4c/0xf0
  [<ffffffff811c3fcb>] __blkdev_put+0x11b/0x1d0
  [<ffffffff811c4010>] __blkdev_put+0x160/0x1d0
  [<ffffffff811c40df>] blkdev_put+0x5f/0x190
  [<ffffffff8118f18d>] kill_block_super+0x4d/0x80
  [<ffffffff8118f4a5>] deactivate_locked_super+0x45/0x70
  [<ffffffff8119003a>] deactivate_super+0x4a/0x70
  [<ffffffff811ac4ad>] mntput_no_expire+0xed/0x130
  [<ffffffff811acf2e>] sys_umount+0x7e/0x3a0
  [<ffffffff81aeeeab>] system_call_fastpath+0x16/0x1b

This is because bdev holds on to disk but disk doesn't pin the
associated queue.  If a SCSI device is removed while the device is
still open, the sdev puts the base reference to the queue on release.
When the bdev is finally released, the associated queue is already
gone along with the bdi and bdev_inode_switch_bdi() ends up
dereferencing already freed bdi.

Even if it were not for this bug, disk not holding onto the associated
queue is very unusual and error-prone.

Fix it by making add_disk() take an extra reference to its queue and
put it on disk_release() and ensuring that disk and its fops owner are
put in that order after all accesses to the disk and queue are
complete.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoNFS/sunrpc: don't use a credential with extra groups.
NeilBrown [Mon, 24 Oct 2011 23:25:49 +0000 (10:25 +1100)]
NFS/sunrpc: don't use a credential with extra groups.

commit dc6f55e9f8dac4b6479be67c5c9128ad37bb491f upstream.

The sunrpc layer keeps a cache of recently used credentials and
'unx_match' is used to find the credential which matches the current
process.

However unx_match allows a match when the cached credential has extra
groups at the end of uc_gids list which are not in the process group list.

So if a process with a list of (say) 4 group accesses a file and gains
access because of the last group in the list, then another process
with the same uid and gid, and a gid list being the first tree of the
gids of the original process tries to access the file, it will be
granted access even though it shouldn't as the wrong rpc credential
will be used.

Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoASoC: Ensure the WM8962 oscillator and PLLs start up disabled
Mark Brown [Tue, 1 Nov 2011 13:53:37 +0000 (13:53 +0000)]
ASoC: Ensure the WM8962 oscillator and PLLs start up disabled

commit 2af8de8c39cf58e5a5e40a9d5d71332da98e6ba7 upstream.

Since there is no current software control for these they would otherwise
be left enabled, consuming power.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoASoC: Ensure WM8962 PLL registers are reset
Mark Brown [Tue, 1 Nov 2011 13:36:10 +0000 (13:36 +0000)]
ASoC: Ensure WM8962 PLL registers are reset

commit 4f4488abc97c1c27ff029f887944e6a6da1f5733 upstream.

The WM8962 has a separate software reset for the PLL registers. Ensure that
these are reset also on startup.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoASoC: WM8904: Set `invert' bit for Capture Switch
Hong Xu [Fri, 28 Oct 2011 07:36:39 +0000 (15:36 +0800)]
ASoC: WM8904: Set `invert' bit for Capture Switch

commit 5a7c5f26df3c0122814dfa1c13ef6dfbdbffdb86 upstream.

Set `invert' bit for Capture Switch. Otherwise analogue is muted when
Capture Switch is ON.

Signed-off-by: Hong Xu <hong.xu@atmel.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoASoC: Leave input audio data bit length settings untouched in wm8711_set_dai_fmt
Axel Lin [Fri, 28 Oct 2011 07:17:56 +0000 (15:17 +0800)]
ASoC: Leave input audio data bit length settings untouched in wm8711_set_dai_fmt

commit d558cfc30064a97c2c65dbd2b3a4f5a1dea7ec1b upstream.

Current implementation in wm8711_set_dai_fmt always clear BIT[3:2]
(the Input Audio Data Bit Length Select) of WM8711_IFACE(07h) register.
Input Audio Data Bit Length Select bits are set by wm8711_hw_params,
we should leave BIT[3:2] untouched in wm8711_set_dai_fmt.

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoASoC: wm8711: Fix wrong mask for setting input audio data bit length select
Axel Lin [Fri, 28 Oct 2011 03:08:01 +0000 (11:08 +0800)]
ASoC: wm8711: Fix wrong mask for setting input audio data bit length select

commit 04c57163c8edfbc50e022737014069998ba4fc5f upstream.

The Input Audio Data Bit Length Select is controlled by BIT[3:2] of
WM8711_IFACE(07h) register.
Current code incorrectly masks BIT[1:0] which is for Audio Data Format Select.

Signed-off-by: Axel Lin <axel.lin@gmail.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agompt2sas: Fix for system hang when discovery in progress
nagalakshmi.nandigama@lsi.com [Fri, 21 Oct 2011 04:36:33 +0000 (10:06 +0530)]
mpt2sas: Fix for system hang when discovery in progress

commit 0167ac67ff6f35bf2364f7672c8012b0cd40277f upstream.

Fix for issue : While discovery is in progress, hot unplug and hot plug of
enclosure connected to the controller card is causing system to hang.

When a device is in the process of being detected at driver load time then
if it is removed, the device that is no longer present will not be added
to the list. So the code in _scsih_probe_sas() is rearranged as such so
the devices that failed to be detected are not added to the list.

Signed-off-by: Nagalakshmi Nandigama <nagalakshmi.nandigama@lsi.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoFix block queue and elevator memory leak in scsi_alloc_sdev
Anton Blanchard [Wed, 2 Nov 2011 21:56:22 +0000 (08:56 +1100)]
Fix block queue and elevator memory leak in scsi_alloc_sdev

commit f7c9c6bb14f3104608a3a83cadea10a6943d2804 upstream.

When looking at memory consumption issues I noticed quite a
lot of memory in the kmalloc-2048 bucket:

  OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME
  6561   6471  98%    2.30K    243       27     15552K kmalloc-2048

Over 15MB. slub debug shows that cfq is responsible for almost
all of it:

# sort -nr /sys/kernel/slab/kmalloc-2048/alloc_calls
6402 .cfq_init_queue+0xec/0x460 age=43423/43564/43655 pid=1 cpus=4,11,13

In scsi_alloc_sdev we do scsi_alloc_queue but if slave_alloc
fails we don't free it with scsi_free_queue.

The patch below fixes the issue:

  OBJS ACTIVE  USE OBJ SIZE  SLABS OBJ/SLAB CACHE SIZE NAME
   135     72  53%    2.30K      5       27       320K kmalloc-2048

# cat /sys/kernel/slab/kmalloc-2048/alloc_calls
3 .cfq_init_queue+0xec/0x460 age=3811/3876/3925 pid=1 cpus=4,11,13

Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoMake scsi_free_queue() kill pending SCSI commands
Bart Van Assche [Fri, 23 Sep 2011 17:48:18 +0000 (19:48 +0200)]
Make scsi_free_queue() kill pending SCSI commands

commit 3308511c93e6ad0d3c58984ecd6e5e57f96b12c8 upstream.

Make sure that SCSI device removal via scsi_remove_host() does finish
all pending SCSI commands. Currently that's not the case and hence
removal of a SCSI host during I/O can cause a deadlock. See also
"blkdev_issue_discard() hangs forever if underlying storage device is
removed" (http://bugzilla.kernel.org/show_bug.cgi?id=40472). See also
http://lkml.org/lkml/2011/8/27/6.

Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoscsi_dh: check queuedata pointer before proceeding further
Moger, Babu [Wed, 26 Oct 2011 18:29:38 +0000 (14:29 -0400)]
scsi_dh: check queuedata pointer before proceeding further

commit a18a920c70d48a8e4a2b750d8a183b3c1a4be514 upstream.

This patch validates sdev pointer in scsi_dh_activate before proceeding further.

Without this check we might see the panic as below. I have seen this
panic multiple times..

Call trace:

 #0 [ffff88007d647b50] machine_kexec at ffffffff81020902
 #1 [ffff88007d647ba0] crash_kexec at ffffffff810875b0
 #2 [ffff88007d647c70] oops_end at ffffffff8139c650
 #3 [ffff88007d647c90] __bad_area_nosemaphore at ffffffff8102dd15
 #4 [ffff88007d647d50] page_fault at ffffffff8139b8cf
    [exception RIP: scsi_dh_activate+0x82]
    RIP: ffffffffa0041922  RSP: ffff88007d647e00  RFLAGS: 00010046
    RAX: 0000000000000000  RBX: 0000000000000000  RCX: 00000000000093c5
    RDX: 00000000000093c5  RSI: ffffffffa02e6640  RDI: ffff88007cc88988
    RBP: 000000000000000f   R8: ffff88007d646000   R9: 0000000000000000
    R10: ffff880082293790  R11: 00000000ffffffff  R12: ffff88007cc88988
    R13: 0000000000000000  R14: 0000000000000286  R15: ffff880037b845e0
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0000
 #5 [ffff88007d647e38] run_workqueue at ffffffff81060268
 #6 [ffff88007d647e78] worker_thread at ffffffff81060386
 #7 [ffff88007d647ee8] kthread at ffffffff81064436
 #8 [ffff88007d647f48] kernel_thread at ffffffff81003fba

Signed-off-by: Babu Moger <babu.moger@netapp.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agost: fix race in st_scsi_execute_end
Petr Uzel [Fri, 21 Oct 2011 11:31:09 +0000 (13:31 +0200)]
st: fix race in st_scsi_execute_end

commit c68bf8eeaa57c852e74adcf597237be149eef830 upstream.

The call to complete() in st_scsi_execute_end() wakes up sleeping thread
in write_behind_check(), which frees the st_request, thus invalidating
the pointer to the associated bio structure, which is then passed to the
blk_rq_unmap_user(). Fix by storing pointer to bio structure into
temporary local variable.

This bug is present since at least linux-2.6.32.

Signed-off-by: Petr Uzel <petr.uzel@suse.cz>
Reported-by: Juergen Groß <juergen.gross@ts.fujitsu.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Acked-by: Kai Mäkisara <kai.makisara@kolumbus.fi>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agotcm_loop: Add explict read buffer memset for SCF_SCSI_CONTROL_SG_IO_CDB
Nicholas Bellinger [Mon, 24 Oct 2011 20:35:37 +0000 (13:35 -0700)]
tcm_loop: Add explict read buffer memset for SCF_SCSI_CONTROL_SG_IO_CDB

commit 8cd79f24350826b81e16990d9e12bc878e67d385 upstream.

This patch addresses an issue with buggy userspace code sending I/O
via scsi-generic that does not explictly clear their associated read
buffers.  It adds an explict memset of the first SGL entry within
tcm_loop_new_cmd_map() for SCF_SCSI_CONTROL_SG_IO_CDB payloads that
are currently guaranteed to be a single SGL by target-core code.

This issue is a side effect of the v3.1-rc1 merge to remove the
extra memcpy between certain control CDB types using a contigious
+ cleared buffer in target-core, and performing a memcpy into the
SGL list within tcm_loop.

It was originally mainfesting itself by udev + scsi_id + scsi-generic
not properly setting up the expected /dev/disk/by-id/ symlinks because
the INQUIRY payload was containing extra bogus data preventing the
proper NAA IEEE WWN from being parsed by userspace.

Cc: Christoph Hellwig <hch@lst.de>
Cc: Andy Grover <agrover@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agohwmon: (w83627ehf) Fix broken driver init
Guenter Roeck [Sun, 6 Nov 2011 19:25:18 +0000 (20:25 +0100)]
hwmon: (w83627ehf) Fix broken driver init

commit bfa02b0da66965caf46e441270af87edda4fea14 upstream.

Commit 2265cef2 (hwmon: (w83627ehf) Properly report PECI and AMD-SI
sensor types) results in kernel panic if data->temp_label was not
initialized.
The problem was found with chip W83627DHG-P.

Add check if data->temp->label was set before use.

Based on incomplete patch by Alexander Beregalov.

Reported-by: Alexander Beregalov <a.beregalov@gmail.com>
Tested-by: Alexander Beregalov <a.beregalov@gmail.com>
Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agohwmon: (w83627ehf) Properly report PECI and AMD-SI sensor types
Jean Delvare [Fri, 4 Nov 2011 11:00:47 +0000 (12:00 +0100)]
hwmon: (w83627ehf) Properly report PECI and AMD-SI sensor types

commit 2265cef2751b3441df91f85e0107f9f549e5b711 upstream.

When temperature sources are PECI or AMD-SI agents, it makes no sense
to report their type as diode or thermistor. Instead we must report
their digital nature.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agohwmon: (coretemp) Fix for non-SMP builds
Jean Delvare [Sun, 6 Nov 2011 19:25:18 +0000 (20:25 +0100)]
hwmon: (coretemp) Fix for non-SMP builds

commit 2aba6cac2a84f3b80e11a680c34d55e7739b474d upstream.

The definition of TO_ATTR_NO in the non-SMP case is wrong. As the SMP
definition resolves to the correct value, just use this for both
cases.

Without this fix the temperature attributes are named temp0_* instead
of temp2_*, so libsensors won't pick them. Broken since kernel 3.0.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Tested-by: Phil Sutter <phil@nwl.cc>
Acked-by: Durgadoss R <Durgadoss.r@intel.com>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocciss: add small delay when using PCI Power Management to reset for kump
Mike Miller [Thu, 20 Oct 2011 20:19:17 +0000 (22:19 +0200)]
cciss: add small delay when using PCI Power Management to reset for kump

commit ab5dbebe33e0c353e8545f09c34553ac3351dad6 upstream.

The P600 requires a small delay when changing states. Otherwise we may think
the board did not reset and we bail. This for kdump only and is particular
to the P600.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: Update last_busy time after autosuspend fails
Alan Stern [Thu, 3 Nov 2011 23:52:46 +0000 (00:52 +0100)]
USB: Update last_busy time after autosuspend fails

commit b2c0a863e14676fa5760c6d828fd373288e2f64a upstream.

Originally, the runtime PM core would send an idle notification
whenever a suspend attempt failed.  The idle callback routine could
then schedule a delayed suspend for some time later.

However this behavior was changed by commit
f71648d73c1650b8b4aceb3856bebbde6daa3b86 (PM / Runtime: Remove idle
notification after failing suspend).  No notifications were sent, and
there was no clear mechanism to retry failed suspends.

This caused problems for the usbhid driver, because it fails
autosuspend attempts as long as a key is being held down.  A companion
patch changes the PM core's behavior, but we also need to change the
USB core.  In particular, this patch (as1493) updates the device's
last_busy time when an autosuspend fails, so that the PM core will
retry the autosuspend in the future when the delay time expires
again.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Henrik Rydberg <rydberg@euromail.se>
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoPM / Runtime: Automatically retry failed autosuspends
Alan Stern [Thu, 3 Nov 2011 22:39:18 +0000 (23:39 +0100)]
PM / Runtime: Automatically retry failed autosuspends

commit 886486b792e4f6f96d4fbe8ec5bf20811cab7d6a upstream.

Originally, the runtime PM core would send an idle notification
whenever a suspend attempt failed.  The idle callback routine could
then schedule a delayed suspend for some time later.

However this behavior was changed by commit
f71648d73c1650b8b4aceb3856bebbde6daa3b86 (PM / Runtime: Remove idle
notification after failing suspend).  No notifications were sent, and
there was no clear mechanism to retry failed suspends.

This caused problems for the usbhid driver, because it fails
autosuspend attempts as long as a key is being held down.  Therefore
this patch (as1492) adds a mechanism for retrying failed
autosuspends.  If the callback routine updates the last_busy field so
that the next autosuspend expiration time is in the future, the
autosuspend will automatically be rescheduled.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Henrik Rydberg <rydberg@euromail.se>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agokbuild: Fix help text not displayed in choice option.
Srinivas Kandagatla [Tue, 2 Aug 2011 17:49:52 +0000 (18:49 +0100)]
kbuild: Fix help text not displayed in choice option.

commit 3f198dfee49d2e9c30583c62b0c79286c78c7b44 upstream.

Help text under choice menu is never displayed because it does not have
symbol name associated with it, however many kconfigs have help text
under choice, assuming that it will be displayed when user selects help.
for example in Kconfig if we have:
choice
        prompt "Choice"
        ---help---
           HELP TEXT ...

config A
        bool "A"

config B
        bool "B"

endchoice

Without this patch "HELP TEXT" is not displayed when user selects help
option when "Choice" is highlighted from menuconfig or xconfig or
gconfig.

This patch changes the logic in menu_get_ext_help to display help for
cases which dont have symbol names like choice.

Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@st.com>
Reviewed-by: Stuart Menefy <stuart.menefy@st.com>
Reviewed-by: Arnaud Lacombe <lacombar@gmail.com>
Signed-off-by: Michal Marek <mmarek@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: set HPD polarity in hpd_init()
Alex Deucher [Thu, 3 Nov 2011 15:21:39 +0000 (11:21 -0400)]
drm/radeon/kms: set HPD polarity in hpd_init()

commit 64912e997f0fe13512e4c7b90e4f7c11cb922ab5 upstream.

Polarity needs to be set accordingly to connector status (connected
or disconnected). Set it up in hpd_init() so first hotplug works
reliably no matter what is the initial set of connector. hpd_init()
also covers resume so HPD will work correctly after resume as well.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: Jerome Glisse <j.glisse@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: add MSI module parameter
Alex Deucher [Tue, 1 Nov 2011 18:20:30 +0000 (14:20 -0400)]
drm/radeon/kms: add MSI module parameter

commit a18cee15ed4c8b6a35f96b7b26a46bac32e04bd9 upstream.

Allow the user to override whether MSIs are enabled
or not on supported ASICs.  MSIs are disabled by default
on IGP chips as they tend not to work.  However certain
IGP chips only seem to work with MSIs enabled.

I suspect this is a chipset or bios issue, but I'm not sure
what the proper fix is.  This will at least make diagnosing
and working around the problem much easier.

See:
https://bugs.freedesktop.org/show_bug.cgi?id=37679

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>