firefly-linux-kernel-4.4.55.git
12 years agothp: set compound tail page _count to zero
Youquan Song [Thu, 8 Dec 2011 22:34:18 +0000 (14:34 -0800)]
thp: set compound tail page _count to zero

commit 58a84aa92723d1ac3e1cc4e3b0ff49291663f7e1 upstream.

Commit 70b50f94f1644 ("mm: thp: tail page refcounting fix") keeps all
page_tail->_count zero at all times.  But the current kernel does not
set page_tail->_count to zero if a 1GB page is utilized.  So when an
IOMMU 1GB page is used by KVM, it wil result in a kernel oops because a
tail page's _count does not equal zero.

  kernel BUG at include/linux/mm.h:386!
  invalid opcode: 0000 [#1] SMP
  Call Trace:
    gup_pud_range+0xb8/0x19d
    get_user_pages_fast+0xcb/0x192
    ? trace_hardirqs_off+0xd/0xf
    hva_to_pfn+0x119/0x2f2
    gfn_to_pfn_memslot+0x2c/0x2e
    kvm_iommu_map_pages+0xfd/0x1c1
    kvm_iommu_map_memslots+0x7c/0xbd
    kvm_iommu_map_guest+0xaa/0xbf
    kvm_vm_ioctl_assigned_device+0x2ef/0xa47
    kvm_vm_ioctl+0x36c/0x3a2
    do_vfs_ioctl+0x49e/0x4e4
    sys_ioctl+0x5a/0x7c
    system_call_fastpath+0x16/0x1b
  RIP  gup_huge_pud+0xf2/0x159

Signed-off-by: Youquan Song <youquan.song@intel.com>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agothp: add compound tail page _mapcount when mapped
Youquan Song [Thu, 8 Dec 2011 22:34:16 +0000 (14:34 -0800)]
thp: add compound tail page _mapcount when mapped

commit b6999b19120931ede364fa3b685e698a61fed31d upstream.

With the 3.2-rc kernel, IOMMU 2M pages in KVM works.  But when I tried
to use IOMMU 1GB pages in KVM, I encountered an oops and the 1GB page
failed to be used.

The root cause is that 1GB page allocation calls gup_huge_pud() while 2M
page calls gup_huge_pmd.  If compound pages are used and the page is a
tail page, gup_huge_pmd() increases _mapcount to record tail page are
mapped while gup_huge_pud does not do that.

So when the mapped page is relesed, it will result in kernel oops
because the page is not marked mapped.

This patch add tail process for compound page in 1GB huge page which
keeps the same process as 2M page.

Reproduce like:
1. Add grub boot option: hugepagesz=1G hugepages=8
2. mount -t hugetlbfs -o pagesize=1G hugetlbfs /dev/hugepages
3. qemu-kvm -m 2048 -hda os-kvm.img -cpu kvm64 -smp 4 -mem-path /dev/hugepages
-net none -device pci-assign,host=07:00.1

  kernel BUG at mm/swap.c:114!
  invalid opcode: 0000 [#1] SMP
  Call Trace:
    put_page+0x15/0x37
    kvm_release_pfn_clean+0x31/0x36
    kvm_iommu_put_pages+0x94/0xb1
    kvm_iommu_unmap_memslots+0x80/0xb6
    kvm_assign_device+0xba/0x117
    kvm_vm_ioctl_assigned_device+0x301/0xa47
    kvm_vm_ioctl+0x36c/0x3a2
    do_vfs_ioctl+0x49e/0x4e4
    sys_ioctl+0x5a/0x7c
    system_call_fastpath+0x16/0x1b
  RIP  put_compound_page+0xd4/0x168

Signed-off-by: Youquan Song <youquan.song@intel.com>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andi Kleen <andi@firstfloor.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agofs/proc/meminfo.c: fix compilation error
Claudio Scordino [Thu, 8 Dec 2011 22:33:56 +0000 (14:33 -0800)]
fs/proc/meminfo.c: fix compilation error

commit b53fc7c2974a50913f49e1d800fe904a28c338e3 upstream.

Fix the error message "directives may not be used inside a macro argument"
which appears when the kernel is compiled for the cris architecture.

Signed-off-by: Claudio Scordino <claudio@evidence.eu.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoASoC: Provide a more complete DMA driver stub
Mark Brown [Mon, 5 Dec 2011 20:50:45 +0000 (20:50 +0000)]
ASoC: Provide a more complete DMA driver stub

commit cefcc03ffc9527dde56807339edb1719c8dbae5f upstream.

Allow userspace applications to do more parameter setting by providing a
more complete stub DMA driver specifying a wildcard set of formats and
channels and essentially random values for the DMA parameters. This is
required for useful runtime operation of the dummy DMA driver until we
are able to figure out how to power up links and do hw_params() from DAPM.

Sending to stable as without this the dummy driver is not terribly
useful.

Reported-by: Kyung-Kwee Ryu <Kyung-Kwee.Ryu@wolfsonmicro.com>
Tested-by: Kyung-Kwee Ryu <Kyung-Kwee.Ryu@wolfsonmicro.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoARM: davinci: dm646x evm: wrong register used in setup_vpif_input_channel_mode
Hans Verkuil [Mon, 14 Nov 2011 18:20:49 +0000 (19:20 +0100)]
ARM: davinci: dm646x evm: wrong register used in setup_vpif_input_channel_mode

commit 83713fc9373be2e943f82e9d36213708c6b0050e upstream.

The function setup_vpif_input_channel_mode() used the VSCLKDIS register
instead of VIDCLKCTL. This meant that when in HD mode videoport channel 0
used a different clock from channel 1.

Clearly a copy-and-paste error.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Manjunath Hadli <manjunath.hadli@ti.com>
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoARM: at91: fix clock conid for atmel_tcb.1 on 9260/9g20
Jean-Christophe PLAGNIOL-VILLARD [Mon, 28 Nov 2011 11:53:08 +0000 (12:53 +0100)]
ARM: at91: fix clock conid for atmel_tcb.1 on 9260/9g20

commit 1808958d27b1250295f01dff4997d8a8814adaab upstream.

The conid is supposed to be t0/t1/t2_clk.

Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoarm: mx23: recognise stmp378x as mx23
Wolfram Sang [Sat, 26 Nov 2011 10:39:14 +0000 (11:39 +0100)]
arm: mx23: recognise stmp378x as mx23

commit 11357be9246c7d1acf9b37ad54a18b29bbb734be upstream.

Adding the machine_is_* line was forgotten when converting mach-stmp378x to
mach-mxs.

Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoARM: davinci: da850 evm: change audio edma event queue to EVENTQ_0
Manjunathappa, Prakash [Thu, 10 Nov 2011 06:13:21 +0000 (11:43 +0530)]
ARM: davinci: da850 evm: change audio edma event queue to EVENTQ_0

commit f1b21c525693b0159aed83b5871f2d0f077f208e upstream.

On OMAP-L138 platform, EDMA event queue 0 should be used for audio
transfers so that they are not starved by video data moving on event queue 1.

Commit 48519f0ae03bc7e86b3dc93e56f1334d53803770 (ASoC: davinci: let platform
data define edma queue numbers) had a side-effect of changing this behavior
by making the driver actually honor the platform data passed.

Fix this now by passing event queue 0 as the queue to be used for audio
transfers.

Signed-off-by: Manjunathappa, Prakash <prakash.pm@ti.com>
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoalarmtimers: Fix time comparison
Thomas Gleixner [Mon, 5 Dec 2011 20:20:23 +0000 (21:20 +0100)]
alarmtimers: Fix time comparison

commit c9c024b3f3e07d087974db4c0dc46217fff3a6c0 upstream.

The expiry function compares the timer against current time and does
not expire the timer when the expiry time is >= now. That's wrong. If
the timer is set for now, then it must expire.

Make the condition expiry > now for breaking out the loop.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoALSA: hda/realtek - Fix Oops in alc_mux_select()
Takashi Iwai [Fri, 2 Dec 2011 14:29:12 +0000 (15:29 +0100)]
ALSA: hda/realtek - Fix Oops in alc_mux_select()

commit cce4aa378a049f4275416ee6302dd24f37b289df upstream.

When no imux is available (e.g. a single capture source),
alc_auto_init_input_src() may trigger an Oops due to the access to -1.
Add a proper zero-check to avoid it.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoALSA: sis7019 - give slow codecs more time to reset
David Dillow [Fri, 2 Dec 2011 04:26:53 +0000 (23:26 -0500)]
ALSA: sis7019 - give slow codecs more time to reset

commit fc084e0b930d546872ab23667052499f7daf0fed upstream.

There are some AC97 codec and board combinations that have been observed
to take a very long time to respond after the cold reset has completed.
In one case, more than 350 ms was required. To allow users to have sound
on those platforms, we'll wait up to 500ms for the codec to become
ready.

As a board may have multiple codecs, with some faster than others to
reset, we add a module parameter to inform the driver which codecs
should be present.

Reported-by: KotCzarny <tjosko@yahoo.com>
Signed-off-by: David Dillow <dave@thedillows.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoLinux 3.0.13
Greg Kroah-Hartman [Fri, 9 Dec 2011 16:53:50 +0000 (08:53 -0800)]
Linux 3.0.13

12 years agoclockevents: Set noop handler in clockevents_exchange_device()
Thomas Gleixner [Fri, 2 Dec 2011 15:02:45 +0000 (16:02 +0100)]
clockevents: Set noop handler in clockevents_exchange_device()

commit de28f25e8244c7353abed8de0c7792f5f883588c upstream.

If a device is shutdown, then there might be a pending interrupt,
which will be processed after we reenable interrupts, which causes the
original handler to be run. If the old handler is the (broadcast)
periodic handler the shutdown state might hang the kernel completely.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoclocksource: Fix bug with max_deferment margin calculation
Yang Honggang (Joseph) [Fri, 2 Dec 2011 03:22:41 +0000 (22:22 -0500)]
clocksource: Fix bug with max_deferment margin calculation

commit b1f919664d04a8d0ba29cb76673c7ca3325a2006 upstream.

In order to leave a margin of 12.5% we should >> 3 not >> 5.

Signed-off-by: Yang Honggang (Joseph) <eagle.rtlinux@gmail.com>
[jstultz: Modified commit subject]
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agooprofile: Fix crash when unloading module (hr timer mode)
Robert Richter [Fri, 7 Oct 2011 14:31:46 +0000 (16:31 +0200)]
oprofile: Fix crash when unloading module (hr timer mode)

commit 87121ca504fd1d963a66b3fb0c72054b0fd9a177 upstream.

Oprofile may crash in a KVM guest while unlaoding modules. This
happens if oprofile_arch_init() fails and oprofile switches to the hr
timer mode as a fallback. In this case oprofile_arch_exit() is called,
but it never was initialized properly which causes the crash. This
patch fixes this.

oprofile: using timer interrupt.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: [<ffffffff8123c226>] unregister_syscore_ops+0x41/0x58
PGD 41da3f067 PUD 41d80e067 PMD 0
Oops: 0002 [#1] PREEMPT SMP
CPU 5
Modules linked in: oprofile(-)

Pid: 2382, comm: modprobe Not tainted 3.1.0-rc7-00018-g709a39d #18 Advanced Micro Device Anaheim/Anaheim
RIP: 0010:[<ffffffff8123c226>]  [<ffffffff8123c226>] unregister_syscore_ops+0x41/0x58
RSP: 0018:ffff88041de1de98  EFLAGS: 00010296
RAX: 0000000000000000 RBX: ffffffffa00060e0 RCX: dead000000200200
RDX: 0000000000000000 RSI: dead000000100100 RDI: ffffffff8178c620
RBP: ffff88041de1dea8 R08: 0000000000000001 R09: 0000000000000082
R10: 0000000000000000 R11: ffff88041de1dde8 R12: 0000000000000080
R13: fffffffffffffff5 R14: 0000000000000001 R15: 0000000000610210
FS:  00007f9ae5bef700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000008 CR3: 000000041ca44000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process modprobe (pid: 2382, threadinfo ffff88041de1c000, task ffff88042db6d040)
Stack:
 ffff88041de1deb8 ffffffffa0006770 ffff88041de1deb8 ffffffffa000251e
 ffff88041de1dec8 ffffffffa00022c2 ffff88041de1ded8 ffffffffa0004993
 ffff88041de1df78 ffffffff81073115 656c69666f72706f 0000000000610200
Call Trace:
 [<ffffffffa000251e>] op_nmi_exit+0x15/0x17 [oprofile]
 [<ffffffffa00022c2>] oprofile_arch_exit+0xe/0x10 [oprofile]
 [<ffffffffa0004993>] oprofile_exit+0x13/0x15 [oprofile]
 [<ffffffff81073115>] sys_delete_module+0x1c3/0x22f
 [<ffffffff811bf09e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [<ffffffff8148070b>] system_call_fastpath+0x16/0x1b
Code: 20 c6 78 81 e8 c5 cc 23 00 48 8b 13 48 8b 43 08 48 be 00 01 10 00 00 00 ad de 48 b9 00 02 20 00 00 00 ad de 48 c7 c7 20 c6 78 81
 89 42 08 48 89 10 48 89 33 48 89 4b 08 e8 a6 c0 23 00 5a 5b
RIP  [<ffffffff8123c226>] unregister_syscore_ops+0x41/0x58
 RSP <ffff88041de1de98>
CR2: 0000000000000008
---[ end trace 06d4e95b6aa3b437 ]---

Signed-off-by: Robert Richter <robert.richter@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agojump_label: jump_label_inc may return before the code is patched
Gleb Natapov [Tue, 18 Oct 2011 17:55:51 +0000 (19:55 +0200)]
jump_label: jump_label_inc may return before the code is patched

commit bbbf7af4bf8fc69bc751818cf30521080fa47dcb upstream.

If cpu A calls jump_label_inc() just after atomic_add_return() is
called by cpu B, atomic_inc_not_zero() will return value greater then
zero and jump_label_inc() will return to a caller before jump_label_update()
finishes its job on cpu B.

Link: http://lkml.kernel.org/r/20111018175551.GH17571@redhat.com
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Acked-by: Jason Baron <jbaron@redhat.com>
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoperf: Fix parsing of __print_flags() in TP_printk()
Steven Rostedt [Fri, 4 Nov 2011 20:32:25 +0000 (16:32 -0400)]
perf: Fix parsing of __print_flags() in TP_printk()

commit d06c27b22aa66e48e32f03f9387328a9af9b0625 upstream.

A update is made to the sched:sched_switch event that adds some
logic to the first parameter of the __print_flags() that shows the
state of tasks. This change cause perf to fail parsing the flags.

A simple fix is needed to have the parser be able to process ops
within the argument.

Reported-by: Andrew Vagin <avagin@openvz.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agotick-broadcast: Stop active broadcast device when replacing it
Thomas Gleixner [Fri, 2 Dec 2011 11:34:16 +0000 (12:34 +0100)]
tick-broadcast: Stop active broadcast device when replacing it

commit c1be84309c58b1e7c6d626e28fba41a22b364c3d upstream.

When a better rated broadcast device is installed, then the current
active device is not disabled, which results in two running broadcast
devices.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agotracing: fix event_subsystem ref counting
Ilya Dryomov [Mon, 31 Oct 2011 09:07:42 +0000 (11:07 +0200)]
tracing: fix event_subsystem ref counting

commit cb59974742aea24adf6637eb0c4b8e7b48bca6fb upstream.

Fix a bug introduced by e9dbfae5, which prevents event_subsystem from
ever being released.

Ref_count was added to keep track of subsystem users, not for counting
events.  Subsystem is created with ref_count = 1, so there is no need to
increment it for every event, we have nr_events for that.  Fix this by
touching ref_count only when we actually have a new user -
subsystem_open().

Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Link: http://lkml.kernel.org/r/1320052062-7846-1-git-send-email-idryomov@gmail.com
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agortc: Disable the alarm in the hardware
Rabin Vincent [Tue, 22 Nov 2011 10:03:14 +0000 (11:03 +0100)]
rtc: Disable the alarm in the hardware

commit c0afabd3d553c521e003779c127143ffde55a16f upstream.

Currently, the RTC code does not disable the alarm in the hardware.

This means that after a sequence such as the one below (the files are in the
RTC sysfs), the box will boot up after 2 minutes even though we've
asked for the alarm to be turned off.

# echo $((`cat since_epoch`)+120) > wakealarm
# echo 0 > wakealarm
# poweroff

Fix this by disabling the alarm when there are no timers to run.

Cc: John Stultz <john.stultz@linaro.org>
Signed-off-by: Rabin Vincent <rabin.vincent@stericsson.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agotrace_events_filter: Use rcu_assign_pointer() when setting ftrace_event_call->filter
Tejun Heo [Wed, 23 Nov 2011 16:49:49 +0000 (08:49 -0800)]
trace_events_filter: Use rcu_assign_pointer() when setting ftrace_event_call->filter

commit d3d9acf646679c1981032b0985b386d12fccc60c upstream.

ftrace_event_call->filter is sched RCU protected but didn't use
rcu_assign_pointer().  Use it.

TODO: Add proper __rcu annotation to call->filter and all its users.

-v2: Use RCU_INIT_POINTER() for %NULL clearing as suggested by Eric.

Link: http://lkml.kernel.org/r/20111123164949.GA29639@google.com
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoxfs: fix attr2 vs large data fork assert
Christoph Hellwig [Tue, 6 Dec 2011 21:21:30 +0000 (16:21 -0500)]
xfs: fix attr2 vs large data fork assert

commit 4c393a6059f8442a70512a48ce4639b882b6f6ad upstream.

With Dmitry fsstress updates I've seen very reproducible crashes in
xfs_attr_shortform_remove because xfs_attr_shortform_bytesfit claims that
the attributes would not fit inline into the inode after removing an
attribute.  It turns out that we were operating on an inode with lots
of delalloc extents, and thus an if_bytes values for the data fork that
is larger than biggest possible on-disk storage for it which utterly
confuses the code near the end of xfs_attr_shortform_bytesfit.

Fix this by always allowing the current attribute fork, like we already
do for the attr1 format, given that delalloc conversion will take care
for moving either the data or attribute area out of line if it doesn't
fit at that point - or making the point moot by merging extents at this
point.

Also document the function better, and clean up some loose bits.

Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Myers <bpm@sgi.com>
Acked-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoxfs: force buffer writeback before blocking on the ilock in inode reclaim
Christoph Hellwig [Tue, 6 Dec 2011 21:21:15 +0000 (16:21 -0500)]
xfs: force buffer writeback before blocking on the ilock in inode reclaim

commit 4dd2cb4a28b7ab1f37163a4eba280926a13a8749 upstream.

If we are doing synchronous inode reclaim we block the VM from making
progress in memory reclaim.  So if we encouter a flush locked inode
promote it in the delwri list and wake up xfsbufd to write it out now.
Without this we can get hangs of up to 30 seconds during workloads hitting
synchronous inode reclaim.

The scheme is copied from what we do for dquot reclaims.

Reported-by: Simon Kirby <sim@hostway.ca>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Tested-by: Simon Kirby <sim@hostway.ca>
Signed-off-by: Ben Myers <bpm@sgi.com>
Acked-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoxfs: validate acl count
Christoph Hellwig [Tue, 6 Dec 2011 21:21:05 +0000 (16:21 -0500)]
xfs: validate acl count

commit fa8b18edd752a8b4e9d1ee2cd615b82c93cf8bba upstream.

This prevents in-memory corruption and possible panics if the on-disk
ACL is badly corrupted.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Myers <bpm@sgi.com>
Acked-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoNFS: Prevent 3.0 from crashing if it receives a partial layout
Trond Myklebust [Tue, 18 Oct 2011 17:11:07 +0000 (10:11 -0700)]
NFS: Prevent 3.0 from crashing if it receives a partial layout

This is a backport of critical parts of
commit 7c24d9489f "NFSv4.1: File layout only supports whole file layouts"

It prevents the file layout driver from (incorrectly) using
partial layouts, but ignores the part of the referenced commmit that
relies on additional machinery to change the LAYOUTGET request
based on layout driver.

Signed-off-by: Fred Isaman <iisaman@netapp.com>
Acked-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agogenirq: Fix race condition when stopping the irq thread
Ido Yariv [Thu, 1 Dec 2011 11:55:08 +0000 (13:55 +0200)]
genirq: Fix race condition when stopping the irq thread

commit 550acb19269d65f32e9ac4ddb26c2b2070e37f1c upstream.

In irq_wait_for_interrupt(), the should_stop member is verified before
setting the task's state to TASK_INTERRUPTIBLE and calling schedule().
In case kthread_stop sets should_stop and wakes up the process after
should_stop is checked by the irq thread but before the task's state
is changed, the irq thread might never exit:

kthread_stop                    irq_wait_for_interrupt
------------                    ----------------------

                                 ...
...                              while (!kthread_should_stop()) {
kthread->should_stop = 1;
wake_up_process(k);
wait_for_completion(&kthread->exited);
...
                                     set_current_state(TASK_INTERRUPTIBLE);

                                     ...

                                     schedule();
                                 }

Fix this by checking if the thread should stop after modifying the
task's state.

[ tglx: Simplified it a bit ]

Signed-off-by: Ido Yariv <ido@wizery.com>
Link: http://lkml.kernel.org/r/1322740508-22640-1-git-send-email-ido@wizery.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agocfg80211: amend regulatory NULL dereference fix
Luis R. Rodriguez [Mon, 28 Nov 2011 21:47:16 +0000 (16:47 -0500)]
cfg80211: amend regulatory NULL dereference fix

commit 0bac71af6e66dc798bf07d0c0dd14ee5503362f9 upstream.

Johannes' patch for "cfg80211: fix regulatory NULL dereference"
broke user regulaotry hints and it did not address the fact that
last_request was left populated even if the previous regulatory
hint was stale due to the wiphy disappearing.

Fix user reguluatory hints by only bailing out if for those
regulatory hints where a request_wiphy is expected. The stale last_request
considerations are addressed through the previous fixes on last_request
where we reset the last_request to a static world regdom request upon
reset_regdomains(). In this case though we further enhance the effect
by simply restoring reguluatory settings completely.

Cc: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agocfg80211: fix race on init and driver registration
Luis R. Rodriguez [Mon, 28 Nov 2011 21:47:15 +0000 (16:47 -0500)]
cfg80211: fix race on init and driver registration

commit a042994dd377d86bff9446ee76151ceb6267c9ba upstream.

There is a theoretical race that if hit will trigger
a crash. The race is between when we issue the first
regulatory hint, regulatory_hint_core(), gets processed
by the workqueue and between when the first device
gets registered to the wireless core. This is not easy
to reproduce but it was easy to do so through the
regulatory simulator I have been working on. This
is a port of the fix I implemented there [1].

[1] https://github.com/mcgrof/regsim/commit/a246ccf81f059cb662eee288aa13100f631e4cc8

Cc: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoadd missing .set function for NT_S390_LAST_BREAK regset
Martin Schwidefsky [Thu, 1 Dec 2011 12:32:17 +0000 (13:32 +0100)]
add missing .set function for NT_S390_LAST_BREAK regset

commit b934069c991355d27a053a932591c77960f4e414 upstream.

The last breaking event address is a read-only value, the regset misses the
.set function. If a PTRACE_SETREGSET is done for NT_S390_LAST_BREAK we
get an oops due to a branch to zero:

Kernel BUG at 0000000000000002 verbose debug info unavailable
illegal operation: 0001 #1 SMP
...
Call Trace:
(<0000000000158294> ptrace_regset+0x184/0x188)
 <00000000001595b6> ptrace_request+0x37a/0x4fc
 <0000000000109a78> arch_ptrace+0x108/0x1fc
 <00000000001590d6> SyS_ptrace+0xaa/0x12c
 <00000000005c7a42> sysc_noemu+0x16/0x1c
 <000003fffd5ec10c> 0x3fffd5ec10c
Last Breaking-Event-Address:
 <0000000000158242> ptrace_regset+0x132/0x188

Add a nop .set function to prevent the branch to zero.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agooprofile, x86: Fix crash when unloading module (nmi timer mode)
Robert Richter [Mon, 10 Oct 2011 14:21:10 +0000 (16:21 +0200)]
oprofile, x86: Fix crash when unloading module (nmi timer mode)

commit 97f7f8189fe54e3cfe324ef9ad35064f3d2d3bff upstream.

If oprofile uses the nmi timer interrupt there is a crash while
unloading the module. The bug can be triggered with oprofile build as
module and kernel parameter nolapic set. This patch fixes this.

oprofile: using NMI timer interrupt.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: [<ffffffff8123c226>] unregister_syscore_ops+0x41/0x58
PGD 42dbca067 PUD 41da6a067 PMD 0
Oops: 0002 [#1] PREEMPT SMP
CPU 5
Modules linked in: oprofile(-) [last unloaded: oprofile]

Pid: 2518, comm: modprobe Not tainted 3.1.0-rc7-00019-gb2fb49d #19 Advanced Micro Device Anaheim/Anaheim
RIP: 0010:[<ffffffff8123c226>]  [<ffffffff8123c226>] unregister_syscore_ops+0x41/0x58
RSP: 0018:ffff88041ef71e98  EFLAGS: 00010296
RAX: 0000000000000000 RBX: ffffffffa0017100 RCX: dead000000200200
RDX: 0000000000000000 RSI: dead000000100100 RDI: ffffffff8178c620
RBP: ffff88041ef71ea8 R08: 0000000000000001 R09: 0000000000000082
R10: 0000000000000000 R11: ffff88041ef71de8 R12: 0000000000000080
R13: fffffffffffffff5 R14: 0000000000000001 R15: 0000000000610210
FS:  00007fc902f20700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000008 CR3: 000000041cdb6000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process modprobe (pid: 2518, threadinfo ffff88041ef70000, task ffff88041d348040)
Stack:
 ffff88041ef71eb8 ffffffffa0017790 ffff88041ef71eb8 ffffffffa0013532
 ffff88041ef71ec8 ffffffffa00132d6 ffff88041ef71ed8 ffffffffa00159b2
 ffff88041ef71f78 ffffffff81073115 656c69666f72706f 0000000000610200
Call Trace:
 [<ffffffffa0013532>] op_nmi_exit+0x15/0x17 [oprofile]
 [<ffffffffa00132d6>] oprofile_arch_exit+0xe/0x10 [oprofile]
 [<ffffffffa00159b2>] oprofile_exit+0x1e/0x20 [oprofile]
 [<ffffffff81073115>] sys_delete_module+0x1c3/0x22f
 [<ffffffff811bf09e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [<ffffffff8148070b>] system_call_fastpath+0x16/0x1b
Code: 20 c6 78 81 e8 c5 cc 23 00 48 8b 13 48 8b 43 08 48 be 00 01 10 00 00 00 ad de 48 b9 00 02 20 00 00 00 ad de 48 c7 c7 20 c6 78 81
 89 42 08 48 89 10 48 89 33 48 89 4b 08 e8 a6 c0 23 00 5a 5b
RIP  [<ffffffff8123c226>] unregister_syscore_ops+0x41/0x58
 RSP <ffff88041ef71e98>
CR2: 0000000000000008
---[ end trace 43a541a52956b7b0 ]---

Signed-off-by: Robert Richter <robert.richter@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoperf/x86: Fix PEBS instruction unwind
Peter Zijlstra [Fri, 7 Oct 2011 11:36:40 +0000 (13:36 +0200)]
perf/x86: Fix PEBS instruction unwind

commit 57d1c0c03c6b48b2b96870d831b9ce6b917f53ac upstream.

Masami spotted that we always try to decode the instruction stream as
64bit instructions when running a 64bit kernel, this doesn't work for
ia32-compat proglets.

Use TIF_IA32 to detect if we need to use the 32bit instruction
decoder.

Reported-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agox86/paravirt: PTE updates in k(un)map_atomic need to be synchronous, regardless of...
Konrad Rzeszutek Wilk [Tue, 15 Nov 2011 22:49:09 +0000 (14:49 -0800)]
x86/paravirt: PTE updates in k(un)map_atomic need to be synchronous, regardless of lazy_mmu mode

commit 2cd1c8d4dc7ecca9e9431e2dabe41ae9c7d89e51 upstream.

Fix an outstanding issue that has been reported since 2.6.37.
Under a heavy loaded machine processing "fork()" calls could
crash with:

BUG: unable to handle kernel paging request at f573fc8c
IP: [<c01abc54>] swap_count_continued+0x104/0x180
*pdpt = 000000002a3b9027 *pde = 0000000001bed067 *pte = 0000000000000000 Oops: 0000 [#1] SMP
Modules linked in:
Pid: 1638, comm: apache2 Not tainted 3.0.4-linode37 #1
EIP: 0061:[<c01abc54>] EFLAGS: 00210246 CPU: 3
EIP is at swap_count_continued+0x104/0x180
.. snip..
Call Trace:
 [<c01ac222>] ? __swap_duplicate+0xc2/0x160
 [<c01040f7>] ? pte_mfn_to_pfn+0x87/0xe0
 [<c01ac2e4>] ? swap_duplicate+0x14/0x40
 [<c01a0a6b>] ? copy_pte_range+0x45b/0x500
 [<c01a0ca5>] ? copy_page_range+0x195/0x200
 [<c01328c6>] ? dup_mmap+0x1c6/0x2c0
 [<c0132cf8>] ? dup_mm+0xa8/0x130
 [<c013376a>] ? copy_process+0x98a/0xb30
 [<c013395f>] ? do_fork+0x4f/0x280
 [<c01573b3>] ? getnstimeofday+0x43/0x100
 [<c010f770>] ? sys_clone+0x30/0x40
 [<c06c048d>] ? ptregs_clone+0x15/0x48
 [<c06bfb71>] ? syscall_call+0x7/0xb

The problem is that in copy_page_range() we turn lazy mode on,
and then in swap_entry_free() we call swap_count_continued()
which ends up in:

         map = kmap_atomic(page, KM_USER0) + offset;

and then later we touch *map.

Since we are running in batched mode (lazy) we don't actually
set up the PTE mappings and the kmap_atomic is not done
synchronously and ends up trying to dereference a page that has
not been set.

Looking at kmap_atomic_prot_pfn(), it uses
'arch_flush_lazy_mmu_mode' and doing the same in
kmap_atomic_prot() and __kunmap_atomic() makes the problem go
away.

Interestingly, commit b8bcfe997e4615 ("x86/paravirt: remove lazy
mode in interrupts") removed part of this to fix an interrupt
issue - but it went to far and did not consider this scenario.

Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agox86: Fix "Acer Aspire 1" reboot hang
Peter Chubb [Mon, 5 Dec 2011 13:53:53 +0000 (16:53 +0300)]
x86: Fix "Acer Aspire 1" reboot hang

commit 1ef03890969932e9359b9a4c658f7f87771910ac upstream.

Looks like on some Acer Aspire 1s with older bioses, reboot via bios
fails.  It works on my machine, (with BIOS version 0.3310) but
not on some others (BIOS version 0.3309).

There's a log of problems at:

  https://bbs.archlinux.org/viewtopic.php?id=124136

This patch adds a different callback to the reboot quirk table,
to allow rebooting via keybaord controller.

Reported-by: Uroš Vampl <mobile.leecher@gmail.com>
Tested-by: Vasily Khoruzhick <anarsoul@gmail.com>
Signed-off-by: Peter Chubb <peter.chubb@nicta.com.au>
Cc: Don Zickus <dzickus@redhat.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Link: http://lkml.kernel.org/r/1323093233-9481-1-git-send-email-anarsoul@gmail.com
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agox86/mpparse: Account for bus types other than ISA and PCI
Bjorn Helgaas [Sun, 25 Sep 2011 21:29:00 +0000 (15:29 -0600)]
x86/mpparse: Account for bus types other than ISA and PCI

commit 9e6866686bdf2dcf3aeb0838076237ede532dcc8 upstream.

In commit f8924e770e04 ("x86: unify mp_bus_info"), the 32-bit
and 64-bit versions of MP_bus_info were rearranged to match each
other better.  Unfortunately it introduced a regression: prior
to that change we used to always set the mp_bus_not_pci bit,
then clear it if we found a PCI bus.  After it, we set
mp_bus_not_pci for ISA buses, clear it for PCI buses, and leave
it alone otherwise.

In the cases of ISA and PCI, there's not much difference.  But
ISA is not the only non-PCI bus, so it's better to always set
mp_bus_not_pci and clear it only for PCI.

Without this change, Dan's Dell PowerEdge 4200 panics on boot
with a log indicating interrupt routing trouble unless the
"noapic" option is supplied.  With this change, the machine
boots reliably without "noapic".

Fixes http://bugs.debian.org/586494

Reported-bisected-and-tested-by: Dan McGrath <troubledaemon@gmail.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Dan McGrath <troubledaemon@gmail.com>
Cc: Alexey Starikovskiy <aystarik@gmail.com>
[jrnieder@gmail.com: clarified commit message]
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Link: http://lkml.kernel.org/r/20111122215000.GA9151@elie.hsd1.il.comcast.net
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agosched, x86: Avoid unnecessary overflow in sched_clock
Salman Qazi [Tue, 15 Nov 2011 22:12:06 +0000 (14:12 -0800)]
sched, x86: Avoid unnecessary overflow in sched_clock

commit 4cecf6d401a01d054afc1e5f605bcbfe553cb9b9 upstream.

(Added the missing signed-off-by line)

In hundreds of days, the __cycles_2_ns calculation in sched_clock
has an overflow.  cyc * per_cpu(cyc2ns, cpu) exceeds 64 bits, causing
the final value to become zero.  We can solve this without losing
any precision.

We can decompose TSC into quotient and remainder of division by the
scale factor, and then use this to convert TSC into nanoseconds.

Signed-off-by: Salman Qazi <sqazi@google.com>
Acked-by: John Stultz <johnstul@us.ibm.com>
Reviewed-by: Paul Turner <pjt@google.com>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Link: http://lkml.kernel.org/r/20111115221121.7262.88871.stgit@dungbeetle.mtv.corp.google.com
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoxHCI: fix bug in xhci_clear_command_ring()
Andiry Xu [Wed, 30 Nov 2011 08:37:41 +0000 (16:37 +0800)]
xHCI: fix bug in xhci_clear_command_ring()

commit 158886cd2cf4599e04f9b7e10cb767f5f39b14f1 upstream.

When system enters suspend, xHCI driver clears command ring by writing zero
to all the TRBs. However, this also writes zero to the Link TRB, and the ring
is mangled. This may cause driver accesses wrong memory address and the
result is unpredicted.

When clear the command ring, keep the last Link TRB intact, only clear its
cycle bit. This should fix the "command ring full" issue reported by Oliver
Neukum.

This should be backported to stable kernels as old as 2.6.37, since the
commit 89821320 "xhci: Fix command ring replay after resume" is merged.

Signed-off-by: Andiry Xu <andiry.xu@amd.com>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Reported-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoEHCI : Fix a regression in the ISO scheduler
Matthieu CASTET [Mon, 28 Nov 2011 10:30:22 +0000 (11:30 +0100)]
EHCI : Fix a regression in the ISO scheduler

commit e3420901eba65b1c46bed86d360e3a8685d20734 upstream.

Fix a regression that was introduced by commit
811c926c538f7e8d3c08b630dd5844efd7e000f6 (USB: EHCI: fix HUB TT scheduling
issue with iso transfer).

We detect an error if next == start, but this means uframe 0 can't be allocated
anymore for iso transfer...

Reported-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: Matthieu CASTET <castet.matthieu@free.fr>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoUSB: EHCI: fix HUB TT scheduling issue with iso transfer
Thomas Poussevin [Thu, 27 Oct 2011 16:46:48 +0000 (18:46 +0200)]
USB: EHCI: fix HUB TT scheduling issue with iso transfer

commit 811c926c538f7e8d3c08b630dd5844efd7e000f6 upstream.

The current TT scheduling doesn't allow to play and then record on a
full-speed device connected to a high speed hub.

The IN iso stream can only start on the first uframe (0-2 for a 165 us)
because of CSPLIT transactions.
For the OUT iso stream there no such restriction. uframe 0-5 are possible.

The idea of this patch is that the first uframe are precious (for IN TT iso
stream) and we should allocate the last uframes first if possible.

For that we reverse the order of uframe allocation (last uframe first).

Here an example :

hid interrupt stream
----------------------------------------------------------------------
uframe                |  0  |  1  |  2  |  3  |  4  |  5  |  6  |  7  |
----------------------------------------------------------------------
max_tt_usecs          | 125 | 125 | 125 | 125 | 125 | 125 | 30  |  0  |
----------------------------------------------------------------------
used usecs on a frame | 13  |  0  |  0  |  0  |  0  |  0  |  0  |  0  |
----------------------------------------------------------------------

iso OUT stream
----------------------------------------------------------------------
uframe                |  0  |  1  |  2  |  3  |  4  |  5  |  6  |  7  |
----------------------------------------------------------------------
max_tt_usecs          | 125 | 125 | 125 | 125 | 125 | 125 | 30  |  0  |
----------------------------------------------------------------------
used usecs on a frame | 13  | 125 |  39 |  0  |  0  |  0  |  0  |  0  |
----------------------------------------------------------------------

There no place for iso IN stream  (uframe 0-2 are used) and we got "cannot
submit datapipe for urb 0, error -28: not enough bandwidth" error.

With the patch this become.

iso OUT stream
----------------------------------------------------------------------
uframe                |  0  |  1  |  2  |  3  |  4  |  5  |  6  |  7  |
----------------------------------------------------------------------
max_tt_usecs          | 125 | 125 | 125 | 125 | 125 | 125 | 30  |  0  |
----------------------------------------------------------------------
used usecs on a frame |  13 |  0  |  0  |  0  | 125 |  39 |  0  |  0  |
----------------------------------------------------------------------

iso IN stream
----------------------------------------------------------------------
uframe                |  0  |  1  |  2  |  3  |  4  |  5  |  6  |  7  |
----------------------------------------------------------------------
max_tt_usecs          | 125 | 125 | 125 | 125 | 125 | 125 | 30  |  0  |
----------------------------------------------------------------------
used usecs on a frame |  13 |  0  | 125 | 40  | 125 |  39 |  0  |  0  |
----------------------------------------------------------------------

Signed-off-by: Matthieu Castet <matthieu.castet@parrot.com>
Signed-off-by: Thomas Poussevin <thomas.poussevin@parrot.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoUSB: usb-storage: unusual_devs entry for Kingston DT 101 G2
Qinglin Ye [Wed, 23 Nov 2011 15:39:32 +0000 (23:39 +0800)]
USB: usb-storage: unusual_devs entry for Kingston DT 101 G2

commit cec28a5428793b6bc64e56687fb239759d6da74e upstream.

Kingston DT 101 G2 replies a wrong tag while transporting, add an
unusal_devs entry to ignore the tag validation.

Signed-off-by: Qinglin Ye <yestyle@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agousb: option: add SIMCom SIM5218
Veli-Pekka Peltola [Thu, 24 Nov 2011 20:08:56 +0000 (22:08 +0200)]
usb: option: add SIMCom SIM5218

commit ec0cd94d881ca89cc9fb61d00d0f4b2b52e605b3 upstream.

Tested with SIM5218EVB-KIT evaluation kit.

Signed-off-by: Veli-Pekka Peltola <veli-pekka.peltola@bluegiga.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agousb: option: add Huawei E353 controlling interfaces
Dirk Nehring [Thu, 24 Nov 2011 18:22:23 +0000 (19:22 +0100)]
usb: option: add Huawei E353 controlling interfaces

commit 46b1848360c8e634e0b063932a1261062fa0f7d6 upstream.

This patch creates the missing controlling devices for the Huawei E353
HSPA+ stick.

Signed-off-by: Dirk Nehring <dnehring@gmx.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agousb: ftdi_sio: add PID for Propox ISPcable III
Marcin Kościelnicki [Wed, 30 Nov 2011 16:01:04 +0000 (17:01 +0100)]
usb: ftdi_sio: add PID for Propox ISPcable III

commit 307369b0ca06b27b511b61714e335ddfccf19c4f upstream.

Signed-off-by: Marcin Kościelnicki <koriakin@0x04.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoHID: Correct General touch PID
Benjamin Tissoires [Wed, 16 Nov 2011 10:39:52 +0000 (11:39 +0100)]
HID: Correct General touch PID

commit b1807719f6acdf18cc4bde3b5400d05d77801494 upstream.

Genera Touch told us that 0001 is their single point device
and 0003 is the multitouch one. Apparently, we made the tests
someone having a prototype, and not the final product.
They said it should be safe to do the switch.

This partially reverts 5572da0 ("HID: hid-mulitouch: add support
for the 'Sensing Win7-TwoFinger'").

Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoUSB: whci-hcd: fix endian conversion in qset_clear()
Dan Carpenter [Tue, 22 Nov 2011 07:28:31 +0000 (10:28 +0300)]
USB: whci-hcd: fix endian conversion in qset_clear()

commit 8746c83d538cab273d335acb2be226d096f4a5af upstream.

qset->qh.link is an __le64 field and we should be using cpu_to_le64()
to fill it.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoStaging: comedi: fix signal handling in read and write
Federico Vaga [Sat, 29 Oct 2011 07:47:39 +0000 (09:47 +0200)]
Staging: comedi: fix signal handling in read and write

commit 6a9ce6b654e491981f6ef7e214cbd4f63e033848 upstream.

After sleeping on a wait queue, signal_pending(current) should be
checked (not before sleeping).

Acked-by: Alessandro Rubini <rubini@gnudd.com>
Signed-off-by: Federico Vaga <federico.vaga@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoStaging: comedi: fix mmap_count
Federico Vaga [Sat, 29 Oct 2011 07:45:39 +0000 (09:45 +0200)]
Staging: comedi: fix mmap_count

commit df30b21cb0eed5ba8a8e0cdfeebc66ba8cde821d upstream.

In comedi_fops, mmap_count is decremented at comedi_vm_ops->close but
it is not incremented at comedi_vm_ops->open. This may result in a negative
counter.  The patch introduces the open method to keep the counter
consistent.

The bug was triggerd by this sample code:

        mmap(0, ...., comedi_fd);
        fork();
        exit(0);

Acked-by: Alessandro Rubini <rubini@gnudd.com>
Signed-off-by: Federico Vaga <federico.vaga@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agostaging: comedi: fix oops for USB DAQ devices.
Bernd Porr [Tue, 8 Nov 2011 21:23:03 +0000 (21:23 +0000)]
staging: comedi: fix oops for USB DAQ devices.

commit 3ffab428f40849ed5f21bcfd7285bdef7902f9ca upstream.

This fixes kernel oops when an USB DAQ device is plugged out while it's
communicating with the userspace software.

Signed-off-by: Bernd Porr <berndporr@f2s.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agostaging: usbip: bugfix for deadlock
Bart Westgeest [Tue, 1 Nov 2011 19:01:28 +0000 (15:01 -0400)]
staging: usbip: bugfix for deadlock

commit 438957f8d4a84daa7fa5be6978ad5897a2e9e5e5 upstream.

Interrupts must be disabled prior to calling usb_hcd_unlink_urb_from_ep.
If interrupts are not disabled, it can potentially lead to a deadlock.
The deadlock is readily reproduceable on a slower (ARM based) device
such as the TI Pandaboard.

Signed-off-by: Bart Westgeest <bart@elbrys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agofirmware: Sigma: Fix endianess issues
Lars-Peter Clausen [Mon, 28 Nov 2011 08:44:16 +0000 (09:44 +0100)]
firmware: Sigma: Fix endianess issues

commit bda63586bc5929e97288cdb371bb6456504867ed upstream.

Currently the SigmaDSP firmware loader only works correctly on little-endian
systems. Fix this by using the proper endianess conversion functions.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agofirmware: Sigma: Skip header during CRC generation
Lars-Peter Clausen [Mon, 28 Nov 2011 08:44:15 +0000 (09:44 +0100)]
firmware: Sigma: Skip header during CRC generation

commit c56935bdc0a8edf50237d3b0205133a5b0adc604 upstream.

The firmware header is not part of the CRC, so skip it. Otherwise the firmware
will be rejected due to non-matching CRCs.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agofirmware: Sigma: Prevent out of bounds memory access
Lars-Peter Clausen [Mon, 28 Nov 2011 08:44:14 +0000 (09:44 +0100)]
firmware: Sigma: Prevent out of bounds memory access

commit 4f718a29fe4908c2cea782f751e9805319684e2b upstream.

The SigmaDSP firmware loader currently does not perform enough boundary size
checks when processing the firmware. As a result it is possible that a
malformed firmware can cause an out of bounds memory access.

This patch adds checks which ensure that both the action header and the payload
are completely inside the firmware data boundaries before processing them.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agodrm/radeon/kms: add some loop timeouts in pageflip code
Alex Deucher [Mon, 28 Nov 2011 19:49:26 +0000 (14:49 -0500)]
drm/radeon/kms: add some loop timeouts in pageflip code

commit f64964796dedca340608fb1075ab6baad5625851 upstream.

Avoid infinite loops waiting for surface updates if a GPU
reset happens while waiting for a page flip.

See:
https://bugs.freedesktop.org/show_bug.cgi?id=43191

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Mario Kleiner <mario.kleiner@tuebingen.mpg.de>
Tested-by: Simon Farnsworth <simon.farnsworth@onelan.co.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agodrm/radeon/kms: add some new pci ids
Alex Deucher [Thu, 1 Dec 2011 16:02:11 +0000 (11:02 -0500)]
drm/radeon/kms: add some new pci ids

commit 2ed4d9d648cbd4fb1c232a646dbdbdfdd373ca94 upstream.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agohugetlb: release pages in the error path of hugetlb_cow()
Hillf Danton [Tue, 15 Nov 2011 22:36:12 +0000 (14:36 -0800)]
hugetlb: release pages in the error path of hugetlb_cow()

commit ea4039a34c4c206d015d34a49d0b00868e37db1d upstream.

If we fail to prepare an anon_vma, the {new, old}_page should be released,
or they will leak.

Signed-off-by: Hillf Danton <dhillf@gmail.com>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Johannes Weiner <jweiner@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoSCSI: Silencing 'killing requests for dead queue'
Hannes Reinecke [Wed, 9 Nov 2011 07:39:24 +0000 (08:39 +0100)]
SCSI: Silencing 'killing requests for dead queue'

commit 745718132c3c7cac98a622b610e239dcd5217f71 upstream.

When we tear down a device we try to flush all outstanding
commands in scsi_free_queue(). However the check in
scsi_request_fn() is imperfect as it only signals that
we _might start_ aborting commands, not that we've actually
aborted some.
So move the printk inside the scsi_kill_request function,
this will also give us a hint about which commands are aborted.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Cc: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agorevert "mfd: Fix twl4030 dependencies for audio codec"
Greg Kroah-Hartman [Fri, 2 Dec 2011 23:14:57 +0000 (15:14 -0800)]
revert "mfd: Fix twl4030 dependencies for audio codec"

This reverts commit 11b8fc6ae54bf18a48c94e181c37ca135b858b42, which was commit f09ee0451a44a4e913a7c3cec3805508f7de6c54 upstream.

Koen Kooi <koen@dominion.thruhere.net> reports that this shouldn't have been applied to the 3.0 kernel as it isn't relevant there, only 3.1.

Reported-by: Koen Kooi <koen@dominion.thruhere.net>
Cc: Thomas Weber <weber@corscience.de>
Cc: Peter Ujfalusi <peter.ujfalusi@ti.com>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Cc: Jarkko Nikula <jarkko.nikula@bitmer.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agohwmon: (coretemp) Fix oops on driver load
Jean Delvare [Thu, 1 Dec 2011 16:21:28 +0000 (17:21 +0100)]
hwmon: (coretemp) Fix oops on driver load

This is for stable kernel branch 3.0 only. Previous and later versions
have different code paths and are not affected by this bug.

If the CPU microcode is too old, the coretemp driver won't work. But
instead of failing gracefully, it currently oops. Check for NULL
platform device data to avoid this.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Durgadoss R <durgadoss.r@intel.com>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agomac80211: fix race between the AGG SM and the Tx data path
Emmanuel Grumbach [Sun, 27 Nov 2011 13:29:44 +0000 (15:29 +0200)]
mac80211: fix race between the AGG SM and the Tx data path

commit 2a1e0fd175dcfd72096ba9291d31e3b1b5342e60 upstream.

When a packet is supposed to sent be as an a-MPDU, mac80211 sets
IEEE80211_TX_CTL_AMPDU to let the driver know. On the other
hand, mac80211 configures the driver for aggregration with the
ampdu_action callback.
There is race between these two mechanisms since the following
scenario can occur when the BA agreement is torn down:

Tx softIRQ   drv configuration
========== =================

check OPERATIONAL bit
Set the TX_CTL_AMPDU bit in the packet

clear OPERATIONAL bit
stop Tx AGG
Pass Tx packet to the driver.

In that case the driver would get a packet with TX_CTL_AMPDU set
although it has already been notified that the BA session has been
torn down.

To fix this, we need to synchronize all the Qdisc activity after we
cleared the OPERATIONAL bit. After that step, all the following
packets will be buffered until the driver reports it is ready to get
new packets for this RA / TID. This buffering allows not to run into
another race that would send packets with TX_CTL_AMPDU unset while
the driver hasn't been requested to tear down the BA session yet.

This race occurs in practice and iwlwifi complains with a WARN_ON
when it happens.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agomac80211: don't stop a single aggregation session twice
Johannes Berg [Thu, 24 Nov 2011 19:06:14 +0000 (20:06 +0100)]
mac80211: don't stop a single aggregation session twice

commit 24f50a9d165745fd0701c6e089d35f58a229ea69 upstream.

Nikolay noticed (by code review) that mac80211 can
attempt to stop an aggregation session while it is
already being stopped. So to fix it, check whether
stop is already being done and bail out if so.

Also move setting the STOPPING state into the lock
so things are properly atomic.

Reported-by: Nikolay Martynov <mar.kolya@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agocfg80211: fix regulatory NULL dereference
Johannes Berg [Mon, 21 Nov 2011 09:44:00 +0000 (10:44 +0100)]
cfg80211: fix regulatory NULL dereference

commit de3584bd62d87b4c250129fbc46ca52c80330add upstream.

By the time userspace returns with a response to
the regulatory domain request, the wiphy causing
the request might have gone away. If this is so,
reject the update but mark the request as having
been processed anyway.

Cc: Luis R. Rodriguez <lrodriguez@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agonl80211: fix MAC address validation
Eliad Peller [Thu, 24 Nov 2011 16:13:56 +0000 (18:13 +0200)]
nl80211: fix MAC address validation

commit e007b857e88097c96c45620bf3b04a4e309053d1 upstream.

MAC addresses have a fixed length. The current
policy allows passing < ETH_ALEN bytes, which
might result in reading beyond the buffer.

Signed-off-by: Eliad Peller <eliad@wizery.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agort2x00: Fix efuse EEPROM reading on PPC32.
Gertjan van Wingerde [Wed, 16 Nov 2011 22:16:15 +0000 (23:16 +0100)]
rt2x00: Fix efuse EEPROM reading on PPC32.

commit 68fa64ef606bcee688fce46d07aa68f175070156 upstream.

Fix __le32 to __le16 conversion of the first word of an 8-word block
of EEPROM read via the efuse method.

Reported-and-tested-by: Ingvar Hagelund <ingvar@redpill-linpro.com>
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
Acked-by: Helmut Schaa <helmut.schaa@googlemail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agop54spi: Fix workqueue deadlock
Michael Büsch [Wed, 16 Nov 2011 22:55:46 +0000 (23:55 +0100)]
p54spi: Fix workqueue deadlock

commit 2d1618170eb493d18f66f2ac03775409a6fb97c6 upstream.

priv->work must not be synced while priv->mutex is locked, because
the mutex is taken in the work handler.
Move cancel_work_sync down to after the device shutdown code.
This is safe, because the work handler checks fw_state and bails out
early in case of a race.

Signed-off-by: Michael Buesch <m@bues.ch>
Acked-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agop54spi: Add missing spin_lock_init
Michael Büsch [Wed, 16 Nov 2011 22:48:31 +0000 (23:48 +0100)]
p54spi: Add missing spin_lock_init

commit 32d3a3922d617a5a685a5e2d24b20d0e88f192a9 upstream.

The tx_lock is not initialized properly. Add spin_lock_init().

Signed-off-by: Michael Buesch <m@bues.ch>
Acked-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agohrtimer: Fix extra wakeups from __remove_hrtimer()
Jeff Ohlstein [Fri, 18 Nov 2011 23:47:10 +0000 (15:47 -0800)]
hrtimer: Fix extra wakeups from __remove_hrtimer()

commit 27c9cd7e601632b3794e1c3344d37b86917ffb43 upstream.

__remove_hrtimer() attempts to reprogram the clockevent device when
the timer being removed is the next to expire. However,
__remove_hrtimer() reprograms the clockevent *before* removing the
timer from the timerqueue and thus when hrtimer_force_reprogram()
finds the next timer to expire it finds the timer we're trying to
remove.

This is especially noticeable when the system switches to NOHz mode
and the system tick is removed. The timer tick is removed from the
system but the clockevent is programmed to wakeup in another HZ
anyway.

Silence the extra wakeup by removing the timer from the timerqueue
before calling hrtimer_force_reprogram() so that we actually program
the clockevent for the next timer to expire.

This was broken by 998adc3 "hrtimers: Convert hrtimers to use
timerlist infrastructure".

Signed-off-by: Jeff Ohlstein <johlstei@codeaurora.org>
Link: http://lkml.kernel.org/r/1321660030-8520-1-git-send-email-johlstei@codeaurora.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agotimekeeping: add arch_offset hook to ktime_get functions
Hector Palacios [Mon, 14 Nov 2011 10:15:25 +0000 (11:15 +0100)]
timekeeping: add arch_offset hook to ktime_get functions

commit d004e024058a0eaca097513ce62cbcf978913e0a upstream.

ktime_get and ktime_get_ts were calling timekeeping_get_ns()
but later they were not calling arch_gettimeoffset() so architectures
using this mechanism returned 0 ns when calling these functions.

This happened for example when running Busybox's ping which calls
syscall(__NR_clock_gettime, CLOCK_MONOTONIC, ts) which eventually
calls ktime_get. As a result the returned ping travel time was zero.

Signed-off-by: Hector Palacios <hector.palacios@digi.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agocgroup_freezer: fix freezing groups with stopped tasks
Michal Hocko [Tue, 22 Nov 2011 15:44:47 +0000 (07:44 -0800)]
cgroup_freezer: fix freezing groups with stopped tasks

commit 884a45d964dd395eda945842afff5e16bcaedf56 upstream.

2d3cbf8b (cgroup_freezer: update_freezer_state() does incorrect state
transitions) removed is_task_frozen_enough and replaced it with a simple
frozen call. This, however, breaks freezing for a group with stopped tasks
because those cannot be frozen and so the group remains in CGROUP_FREEZING
state (update_if_frozen doesn't count stopped tasks) and never reaches
CGROUP_FROZEN.

Let's add is_task_frozen_enough back and use it at the original locations
(update_if_frozen and try_to_freeze_cgroup). Semantically we consider
stopped tasks as frozen enough so we should consider both cases when
testing frozen tasks.

Testcase:
mkdir /dev/freezer
mount -t cgroup -o freezer none /dev/freezer
mkdir /dev/freezer/foo
sleep 1h &
pid=$!
kill -STOP $pid
echo $pid > /dev/freezer/foo/tasks
echo FROZEN > /dev/freezer/foo/freezer.state
while true
do
cat /dev/freezer/foo/freezer.state
[ "`cat /dev/freezer/foo/freezer.state`" = "FROZEN" ] && break
sleep 1
done
echo OK

Signed-off-by: Michal Hocko <mhocko@suse.cz>
Acked-by: Li Zefan <lizf@cn.fujitsu.com>
Cc: Tomasz Buchert <tomasz.buchert@inria.fr>
Cc: Paul Menage <paul@paulmenage.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Tejun Heo <htejun@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agogenirq: fix regression in irqfixup, irqpoll
Edward Donovan [Mon, 28 Nov 2011 04:07:34 +0000 (23:07 -0500)]
genirq: fix regression in irqfixup, irqpoll

commit 52553ddffad76ccf192d4dd9ce88d5818f57f62a upstream.

Commit fa27271bc8d2("genirq: Fixup poll handling") introduced a
regression that broke irqfixup/irqpoll for some hardware configurations.

Amidst reorganizing 'try_one_irq', that patch removed a test that
checked for 'action->handler' returning IRQ_HANDLED, before acting on
the interrupt.  Restoring this test back returns the functionality lost
since 2.6.39.  In the current set of tests, after 'action' is set, it
must precede '!action->next' to take effect.

With this and my previous patch to irq/spurious.c, c75d720fca8a, all
IRQ regressions that I have encountered are fixed.

Signed-off-by: Edward Donovan <edward.donovan@numble.net>
Reported-and-tested-by: Rogério Brito <rbrito@ime.usp.br>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoSUNRPC: Ensure we return EAGAIN in xs_nospace if congestion is cleared
Trond Myklebust [Tue, 22 Nov 2011 12:44:28 +0000 (14:44 +0200)]
SUNRPC: Ensure we return EAGAIN in xs_nospace if congestion is cleared

commit 24ca9a847791fd53d9b217330b15f3c285827a18 upstream.

By returning '0' instead of 'EAGAIN' when the tests in xs_nospace() fail
to find evidence of socket congestion, we are making the RPC engine believe
that the message was incorrectly sent and so it disconnects the socket
instead of just retrying.

The bug appears to have been introduced by commit
5e3771ce2d6a69e10fcc870cdf226d121d868491 (SUNRPC: Ensure that xs_nospace
return values are propagated).

Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Tested-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoASoC: Ensure WM8731 register cache is synced when resuming from disabled
Mark Brown [Mon, 21 Nov 2011 11:55:41 +0000 (11:55 +0000)]
ASoC: Ensure WM8731 register cache is synced when resuming from disabled

commit ed3e80c4c991a52f9fce3421536a78e331ae0949 upstream.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoASoC: wm8753: Skip noop reconfiguration of DAI mode
Timo Juhani Lindfors [Thu, 17 Nov 2011 00:52:50 +0000 (02:52 +0200)]
ASoC: wm8753: Skip noop reconfiguration of DAI mode

commit 2391a0e06789a3f1718dee30b282562f7ed28c87 upstream.

This patch makes it possible to set DAI mode to its currently applied
value even if codec is active. This is necessary to allow

aplay -t raw -r 44100 -f S16_LE -c 2 < /dev/urandom &
alsactl store -f backup.state
alsactl restore -f backup.state

to work without returning errors. This patch is based on a patch sent
by Klaus Kurzmann <mok@fluxnetz.de>.

Signed-off-by: Timo Juhani Lindfors <timo.lindfors@iki.fi>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoASoC: fsl_ssi: properly initialize the sysfs attribute object
Timur Tabi [Mon, 14 Nov 2011 22:35:26 +0000 (16:35 -0600)]
ASoC: fsl_ssi: properly initialize the sysfs attribute object

commit 0f768a7235d3dfb6f4833030a95a06419df089cb upstream.

Commit 6992f533 ("sysfs: Use one lockdep class per sysfs attribute")
requires 'struct attribute' objects to be initialized with sysfs_attr_init().

Signed-off-by: Timur Tabi <timur@freescale.com>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoALSA: lx6464es - fix device communication via command bus
Tim Blechmann [Tue, 22 Nov 2011 10:15:45 +0000 (11:15 +0100)]
ALSA: lx6464es - fix device communication via command bus

commit a29878553a9a7b4c06f93c7e383527cf014d4ceb upstream.

commit 6175ddf06b6172046a329e3abfd9c901a43efd2e optimized the mem*io
functions that have been used to send commands to the device. these
optimizations somehow corrupted the communication with the lx6464es,
that resulted the device to be unusable with kernels after 2.6.33.

this patch emulates the memcpy_*_io functions via a loop to avoid these
problems.

Signed-off-by: Tim Blechmann <tim@klingt.org>
LKML-Reference: <4ECB5257.4040600@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoARM: 7161/1: errata: no automatic store buffer drain
Will Deacon [Mon, 14 Nov 2011 16:24:58 +0000 (17:24 +0100)]
ARM: 7161/1: errata: no automatic store buffer drain

commit 11ed0ba1754841316d4095478944300acf19acc3 upstream.

This patch implements a workaround for PL310 erratum 769419. On
revisions of the PL310 prior to r3p2, the Store Buffer does not
automatically drain. This can cause normal, non-cacheable writes to be
retained when the memory system is idle, leading to suboptimal I/O
performance for drivers using coherent DMA.

This patch adds an optional wmb() call to the cpu_idle loop. On systems
with an outer cache, this causes an explicit flush of the store buffer.

Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Tested-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoARM: OMAP2: select ARM_AMBA if OMAP3_EMU is defined
Ming Lei [Wed, 23 Nov 2011 22:44:50 +0000 (14:44 -0800)]
ARM: OMAP2: select ARM_AMBA if OMAP3_EMU is defined

commit a8a6565c7615cab3608d75af95b5c8a3522cd7c4 upstream.

This patch selects ARM_AMBA if OMAP3_EMU is defined because
OC_ETM depends on ARM_AMBA, so fix the link failure[1].

[1],
arch/arm/kernel/built-in.o: In function `etm_remove':
/home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:609: undefined
reference to `amba_release_regions'
arch/arm/kernel/built-in.o: In function `etb_remove':
/home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:409: undefined
reference to `amba_release_regions'
arch/arm/kernel/built-in.o: In function `etm_init':
/home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:640: undefined
reference to `amba_driver_register'
/home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:646: undefined
reference to `amba_driver_register'
/home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:648: undefined
reference to `amba_driver_unregister'
arch/arm/kernel/built-in.o: In function `etm_probe':
/home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:545: undefined
reference to `amba_request_regions'
/home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:595: undefined
reference to `amba_release_regions'
arch/arm/kernel/built-in.o: In function `etb_probe':
/home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:347: undefined
reference to `amba_request_regions'
/home/tom/git/omap/linux-2.6-omap/arch/arm/kernel/etm.c:392: undefined
reference to `amba_release_regions'
arch/arm/mach-omap2/built-in.o: In function `emu_init':
/home/tom/git/omap/linux-2.6-omap/arch/arm/mach-omap2/emu.c:62:
undefined reference to `amba_device_register'
/home/tom/git/omap/linux-2.6-omap/arch/arm/mach-omap2/emu.c:63:
undefined reference to `amba_device_register'
make: *** [.tmp_vmlinux1] Error 1
making modules

Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoARM: OMAP: smartreflex: fix IRQ handling bug
Felipe Balbi [Wed, 23 Nov 2011 22:43:37 +0000 (14:43 -0800)]
ARM: OMAP: smartreflex: fix IRQ handling bug

commit 5a4f1844c2ba21f804d7729306d9b16eaeb724a8 upstream.

Fix a bug which has been on this driver since
it was added by the original commit 984aa6db
which would never clear IRQSTATUS bits.

Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Kevin Hilman <khilman@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoarm: mx28: fix bit operation in clock setting
Wolfram Sang [Sat, 10 Sep 2011 10:26:07 +0000 (12:26 +0200)]
arm: mx28: fix bit operation in clock setting

commit c2735391fbc68feae10d6d14e60956c8106e725f upstream.

reg | (1 << clk->enable_shift) always evaluates to true. Switch it
to & which makes much more sense. Same fix as 13be9f00 (ARM i.MX28: fix
bit operation) at a different location.

Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Cc: Shawn Guo <shawn.guo@freescale.com>
Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoARM: pxa: fix inconsistent CONFIG_USB_PXA27X
Haojian Zhuang [Wed, 9 Nov 2011 23:13:07 +0000 (07:13 +0800)]
ARM: pxa: fix inconsistent CONFIG_USB_PXA27X

commit c0a39151a4055332897cba615623d3de2f3896df upstream.

Since CONFIG_USB_GADGET_PXA27X and other macros are renamed to
CONFIG_USB_PXA27X. Update them in arch/arm/mach-pxa and arch/arm/configs
to keep consistent.

Signed-off-by: Haojian Zhuang <haojian.zhuang@marvell.com>
Acked-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Eric Miao <eric.y.miao@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoviafb: correct sync polarity for OLPC DCON
Daniel Drake [Mon, 21 Nov 2011 15:05:56 +0000 (15:05 +0000)]
viafb: correct sync polarity for OLPC DCON

commit a32839696a8eef813a1aff604fbad9a32dff6c95 upstream.

While the OLPC display appears to be able to handle either positive
or negative sync, the Display Controller only recognises positive sync.

This brings viafb (for XO-1.5) in line with lxfb (for XO-1) and
fixes a recent regression where the XO-1.5 DCON could no longer be
frozen. Thanks to Florian Tobias Schandinat for helping identify
the fix.

Test case: from a vt,
echo 1 > /sys/devices/platform/dcon/freeze
should cause the current screen contents to freeze, rather than garbage being
displayed.

Signed-off-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agodrm/radeon/kms: fix up gpio i2c mask bits for r4xx
Alex Deucher [Mon, 14 Nov 2011 19:32:01 +0000 (14:32 -0500)]
drm/radeon/kms: fix up gpio i2c mask bits for r4xx

commit 6c47e5c23aa2a7c54ad7ac13af4bd56cd9e703bf upstream.

Fixes i2c test failures when i2c_algo_bit.bit_test=1.

The hw doesn't actually require a mask, so just set it
to the default mask bits for r1xx-r4xx radeon ddc.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoPCI hotplug: shpchp: don't blindly claim non-AMD 0x7450 device IDs
Bjorn Helgaas [Tue, 23 Aug 2011 16:16:43 +0000 (10:16 -0600)]
PCI hotplug: shpchp: don't blindly claim non-AMD 0x7450 device IDs

commit 4cac2eb158c6da0c761689345c6cc5df788a6292 upstream.

Previously we claimed device ID 0x7450, regardless of the vendor, which is
clearly wrong.  Now we'll claim that device ID only for AMD.

I suspect this was just a typo in the original code, but it's possible this
change will break shpchp on non-7450 AMD bridges.  If so, we'll have to fix
them as we find them.

Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638863
Reported-by: Ralf Jung <ralfjung-e@gmx.de>
Cc: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agodrm/i915: fix CB tuning check for ILK+
Jesse Barnes [Thu, 28 Jul 2011 21:50:30 +0000 (14:50 -0700)]
drm/i915: fix CB tuning check for ILK+

commit cb0e093162d7b6589c2217a00e2abfef686b32d6 upstream.

CB tuning is needed to handle potential process variations that might
cause clock jitter for certain PLL settings.  However, we were setting
it incorrectly since we were using the wrong M value as a check (M1 when
we needed to use the whole M value).  Fix it up, making my HDMI
attached display a little prettier (used to have occasional dots crawl
across the display).

Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Timo Aaltonen <timo@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agodrm/ttm: request zeroed system memory pages for new TT buffer objects
Ben Skeggs [Tue, 13 Sep 2011 20:08:06 +0000 (06:08 +1000)]
drm/ttm: request zeroed system memory pages for new TT buffer objects

commit ff02b13f6867af72682d7a9bb9bd705f9af2bab0 upstream.

Fixes an information leak to userspace, we were handing out un-zeroed pages
for any newly created TTM_PL_TT buffer.

Reported-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Tested-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agodrm/i915: Turn on another required clock gating bit on gen6.
Eric Anholt [Tue, 8 Nov 2011 00:07:05 +0000 (16:07 -0800)]
drm/i915: Turn on another required clock gating bit on gen6.

commit 9ca1d10d748e56964de95e3ed80211b192f56cf4 upstream.

Unlike the previous one, I don't have known testcases it fixes.  I'd
rather not go through the same debug cycle on whatever testcases those
might be.

Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agodrm/i915: Turn on a required 3D clock gating bit on Sandybridge.
Eric Anholt [Tue, 8 Nov 2011 00:07:04 +0000 (16:07 -0800)]
drm/i915: Turn on a required 3D clock gating bit on Sandybridge.

commit 406478dc911e16677fbd9c84d1d50cdffbc031ab upstream.

Fixes rendering failures in Unigine Tropics and Sanctuary and the mesa
"fire" demo.

Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agodrm/i915: Ivybridge still has fences!
Daniel Vetter [Sun, 9 Oct 2011 19:52:01 +0000 (21:52 +0200)]
drm/i915: Ivybridge still has fences!

commit 775d17b6ca4357048f36c22151335addfe15db4b upstream.

So don't forget to restore them on resume and dump them into
the error state.

Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agodrm/radeon/kms: fix up gpio i2c mask bits for r4xx for real
Alex Deucher [Mon, 21 Nov 2011 17:10:14 +0000 (12:10 -0500)]
drm/radeon/kms: fix up gpio i2c mask bits for r4xx for real

commit d724502a9d7a46f4a56a1663b1f50d2dc9d1ef40 upstream.

Fixes i2c test failures when i2c_algo_bit.bit_test=1.

The hw doesn't actually require a mask, so just set it
to the default mask bits for r1xx-r4xx radeon ddc.

I missed this part the first time through.

Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agodrm: integer overflow in drm_mode_dirtyfb_ioctl()
Xi Wang [Wed, 23 Nov 2011 06:12:01 +0000 (01:12 -0500)]
drm: integer overflow in drm_mode_dirtyfb_ioctl()

commit a5cd335165e31db9dbab636fd29895d41da55dd2 upstream.

There is a potential integer overflow in drm_mode_dirtyfb_ioctl()
if userspace passes in a large num_clips.  The call to kmalloc would
allocate a small buffer, and the call to fb->funcs->dirty may result
in a memory corruption.

Reported-by: Haogang Chen <haogangchen@gmail.com>
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agocrypto: mv_cesa - fix hashing of chunks > 1920 bytes
Phil Sutter [Wed, 16 Nov 2011 17:28:01 +0000 (18:28 +0100)]
crypto: mv_cesa - fix hashing of chunks > 1920 bytes

commit 274252862f386b7868f35bf5ceaa5391a8ccfdf3 upstream.

This was broken by commit 7759995c75ae0cbd4c861582908449f6b6208e7a (yes,
myself). The basic problem here is since the digest state is only saved
after the last chunk, the state array is only valid when handling the
first chunk of the next buffer. Broken since linux-3.0.

Signed-off-by: Phil Sutter <phil.sutter@viprinet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoeCryptfs: Extend array bounds for all filename chars
Tyler Hicks [Wed, 23 Nov 2011 17:31:24 +0000 (11:31 -0600)]
eCryptfs: Extend array bounds for all filename chars

commit 0f751e641a71157aa584c2a2e22fda52b52b8a56 upstream.

From mhalcrow's original commit message:

    Characters with ASCII values greater than the size of
    filename_rev_map[] are valid filename characters.
    ecryptfs_decode_from_filename() will access kernel memory beyond
    that array, and ecryptfs_parse_tag_70_packet() will then decrypt
    those characters. The attacker, using the FNEK of the crafted file,
    can then re-encrypt the characters to reveal the kernel memory past
    the end of the filename_rev_map[] array. I expect low security
    impact since this array is statically allocated in the text area,
    and the amount of memory past the array that is accessible is
    limited by the largest possible ASCII filename character.

This patch solves the issue reported by mhalcrow but with an
implementation suggested by Linus to simply extend the length of
filename_rev_map[] to 256. Characters greater than 0x7A are mapped to
0x00, which is how invalid characters less than 0x7A were previously
being handled.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reported-by: Michael Halcrow <mhalcrow@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoi2c-algo-bit: Generate correct i2c address sequence for 10-bit target
Jeffrey (Sheng-Hui) Chu [Wed, 23 Nov 2011 10:33:07 +0000 (11:33 +0100)]
i2c-algo-bit: Generate correct i2c address sequence for 10-bit target

commit cc6bcf7d2ec2234e7b41770185e4dc826390185e upstream.

The wrong bits were put on the wire, fix that.

This fixes kernel bug #42562.

Signed-off-by: Sheng-Hui J. Chu <jeffchu@broadcom.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoeCryptfs: Flush file in vma close
Tyler Hicks [Mon, 21 Nov 2011 23:31:29 +0000 (17:31 -0600)]
eCryptfs: Flush file in vma close

commit 32001d6fe9ac6b0423e674a3093aa56740849f3b upstream.

Dirty pages weren't being written back when an mmap'ed eCryptfs file was
closed before the mapping was unmapped. Since f_ops->flush() is not
called by the munmap() path, the lower file was simply being released.
This patch flushes the eCryptfs file in the vm_ops->close() path.

https://launchpad.net/bugs/870326

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoLinux 3.0.12
Greg Kroah-Hartman [Mon, 28 Nov 2011 22:47:43 +0000 (07:47 +0900)]
Linux 3.0.12

12 years agoRevert "USB: EHCI: fix HUB TT scheduling issue with iso transfer"
Greg Kroah-Hartman [Mon, 28 Nov 2011 22:38:25 +0000 (07:38 +0900)]
Revert "USB: EHCI: fix HUB TT scheduling issue with iso transfer"

This reverts commit 317451c11fefcb0e05383f0a0080bb7f5445cfcf.

Cc: Matthieu Castet <matthieu.castet@parrot.com>
Cc: Thomas Poussevin <thomas.poussevin@parrot.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoLinux 3.0.11
Greg Kroah-Hartman [Sat, 26 Nov 2011 17:11:26 +0000 (09:11 -0800)]
Linux 3.0.11

12 years agodrm/i915: always set FDI composite sync bit
Jesse Barnes [Mon, 10 Oct 2011 21:28:52 +0000 (14:28 -0700)]
drm/i915: always set FDI composite sync bit

commit c4f9c4c2b3f1831e932e04db992cf6fe92c2a95a upstream.

It's needed for 3 pipe support as well as just regular functionality
(e.g. DisplayPort).

Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Tested-by: Adam Jackson <ajax@redhat.com>
Tested-by: Eugeni Dodonov <eugeni.dodonov@intel.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Robert Hooker <robert.hooker@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agodrm/i915: fix IVB cursor support
Jesse Barnes [Wed, 12 Oct 2011 18:10:21 +0000 (11:10 -0700)]
drm/i915: fix IVB cursor support

commit 65a21cd65316145f9302594be8e69074369e1050 upstream.

The cursor regs have moved around, add the offsets and new macros for
getting at them.

Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Tested-By: Eugeni Dodonov <eugeni.dodonov@intel.com>
Reviewed-By: Eugeni Dodonov <eugeni.dodonov@intel.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Robert Hooker <robert.hooker@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoxfs: fix ->write_inode return values
Christoph Hellwig [Sat, 19 Nov 2011 18:13:39 +0000 (13:13 -0500)]
xfs: fix ->write_inode return values

patch 58d84c4ee0389ddeb86238d5d8359a982c9f7a5b upstream.

Currently we always redirty an inode that was attempted to be written out
synchronously but has been cleaned by an AIL pushed internall, which is
rather bogus.  Fix that by doing the i_update_core check early on and
return 0 for it.  Also include async calls for it, as doing any work for
those is just as pointless.  While we're at it also fix the sign for the
EIO return in case of a filesystem shutdown, and fix the completely
non-sensical locking around xfs_log_inode.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Alex Elder <aelder@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoxfs: use doalloc flag in xfs_qm_dqattach_one()
Mitsuo Hayasaka [Sat, 19 Nov 2011 18:13:45 +0000 (13:13 -0500)]
xfs: use doalloc flag in xfs_qm_dqattach_one()

commit db3e74b582915d66e10b0c73a62763418f54c340 upstream

The doalloc arg in xfs_qm_dqattach_one() is a flag that indicates
whether a new area to handle quota information will be allocated
if needed. Originally, it was passed to xfs_qm_dqget(), but has
been removed by the following commit (probably by mistake):

commit 8e9b6e7fa4544ea8a0e030c8987b918509c8ff47
Author: Christoph Hellwig <hch@lst.de>
Date:   Sun Feb 8 21:51:42 2009 +0100

xfs: remove the unused XFS_QMOPT_DQLOCK flag

As the result, xfs_qm_dqget() called from xfs_qm_dqattach_one()
never allocates the new area even if it is needed.

This patch gives the doalloc arg to xfs_qm_dqget() in
xfs_qm_dqattach_one() to fix this problem.

Signed-off-by: Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com>
Cc: Alex Elder <aelder@sgi.com>
Cc: Christoph Hellwig <hch@infradead.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ben Myers <bpm@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
12 years agoxfs: Fix possible memory corruption in xfs_readlink
Carlos Maiolino [Sat, 19 Nov 2011 18:13:44 +0000 (13:13 -0500)]
xfs: Fix possible memory corruption in xfs_readlink

commit b52a360b2aa1c59ba9970fb0f52bbb093fcc7a24 upstream.

Fixes a possible memory corruption when the link is larger than
MAXPATHLEN and XFS_DEBUG is not enabled. This also remove the
S_ISLNK assert, since the inode mode is checked previously in
xfs_readlink_by_handle() and via VFS.

Updated to address concerns raised by Ben Hutchings about the loose
attention paid to 32- vs 64-bit values, and the lack of handling a
potentially negative pathlen value:
 - Changed type of "pathlen" to be xfs_fsize_t, to match that of
   ip->i_d.di_size
 - Added checking for a negative pathlen to the too-long pathlen
   test, and generalized the message that gets reported in that case
   to reflect the change
As a result, if a negative pathlen were encountered, this function
would return EFSCORRUPTED (and would fail an assertion for a debug
build)--just as would a too-long pathlen.

Signed-off-by: Alex Elder <aelder@sgi.com>
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>