* [000/251] 3.6.11.9-rc1-stable review
@ 2013-09-11 4:27 Steven Rostedt
2013-09-11 4:27 ` [001/251] powerpc/smp: Section mismatch from smp_release_cpus to __initdata spinning_secondaries Steven Rostedt
` (250 more replies)
0 siblings, 251 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 47891 bytes --]
[ Yes, I know I said I would stop support of 3.6-stable, but
I had a need for another release. I may make one or two more
but don't count on it. ]
This is the start of the stable review cycle for 3.6.11.9-rc1 release.
There are 251 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat Sep 14 00:25:47 2013.
Anything received after that time might be too late.
Aaro Koskinen (1):
powerpc/windfarm: Fix noisy slots-fan on Xserve (rm31)
[fe956a1d4081ce1a959f87df397a15e252201f10]
Aaron Plattner (1):
ALSA: hda - Add new GPU codec ID to snd-hda
[d52392b1a80458c0510810789c7db4a39b88022a]
Al Viro (2):
reiserfs: fix deadlock in umount
[672fe15d091ce76d6fb98e489962e9add7c1ba4c]
livelock avoidance in sget()
[acfec9a5a892f98461f52ed5770de99a3e571ae2]
Alex Deucher (3):
drm/radeon/atom: initialize more atom interpretor elements to 0
[42a21826dc54583cdb79cc8477732e911ac9c376]
drm/radeon: improve dac adjust heuristics for legacy pdac
[03ed8cf9b28d886c64c7e705c7bb1a365fd8fb95]
drm/radeon: fix endian issues with DP handling (v3)
[34be8c9af7b8728465963740fc11136ae90dfc36]
Alex Williamson (1):
iommu/amd: Only unmap large pages from the first pte
[60d0ca3cfd199b6612bbbbf4999a3470dad38bb1]
Alexandr \\\"Sky\\\" Ivanov (1):
USB: option: add D-Link DWM-152/C1 and DWM-156/C1
[ca24763588844b14f019ffc45c7df6d9e8f932c5]
Amit Shah (5):
virtio: console: return -ENODEV on all read operations after unplug
[96f97a83910cdb9d89d127c5ee523f8fc040a804]
virtio: console: fix raising SIGIO after port unplug
[92d3453815fbe74d539c86b60dab39ecdf01bb99]
virtio: console: clean up port data immediately at time of unplug
[ea3768b4386a8d1790f4cc9a35de4f55b92d6442]
virtio: console: fix race in port_fops_open() and port unplug
[671bdea2b9f210566610603ecbb6584c8a201c8c]
virtio: console: fix race with port unplug and open/close
[057b82be3ca3d066478e43b162fc082930a746c9]
Andrew Vagin (1):
tracing: Fix fields of struct trace_iterator that are zeroed by mistake
[ed5467da0e369e65b247b99eb6403cb79172bcda]
Anthony Foiani (1):
sata_fsl: save irqs while coalescing
[99bbdfa6bdcb4bdf5be914a48e9b46941bf30819]
Anton Blanchard (1):
powerpc/modules: Module CRC relocation fix causes perf issues
[0e0ed6406e61434d3f38fb58aa8464ec4722b77e]
Arnd Bergmann (2):
mtd: omap2: allow bulding as a module
[930d800bded771b26d9944c47810829130ff7c8c]
nsp32: use mdelay instead of large udelay constants
[b497ceb964a80ebada3b9b3cea4261409039e25a]
Barry Grussling (1):
usb: cp210x support SEL C662 Vendor/Device
[b579fa52f6be0b4157ca9cc5e94d44a2c89a7e95]
Baruch Siach (1):
clocksource: dw_apb: Fix error check
[1a33bd2be705cbb3f57d7223b60baea441039307]
Benjamin Herrenschmidt (1):
powerpc: Don't Oops when accessing /proc/powerpc/lparcfg without hypervisor
[f5f6cbb61610b7bf9d9d96db9c3979d62a424bab]
Bjørn Mork (1):
megaraid_sas: fix memory leak if SGL has zero length entries
[7a6a731bd00ca90d0e250867c3b9c05b5ff0fa49]
Brian Austin (1):
ASoC: cs42l52: Reorder Min/Max and update to SX_TLV for Beep Volume
[e2c98a8bba958045bde861fe1d66be54315c7790]
Bu, Yitian (1):
printk: Fix rq->lock vs logbuf_lock unlock lock inversion
[dbda92d16f8655044e082930e4e9d244b87fde77]
Catalin Marinas (1):
ARM: 7790/1: Fix deferred mm switch on VIVT processors
[bdae73cd374e28db544fdd9b77de689a36e3c129]
Chen Gang (2):
cifs: extend the buffer length enought for sprintf() using
[057d6332b24a4497c55a761c83c823eed9e3f23b]
powerpc/smp: Section mismatch from smp_release_cpus to __initdata spinning_secondaries
[8246aca7058f3f2c2ae503081777965cd8df7b90]
Chih-Chung Chang (1):
ASoC: max98088 - fix element type of the register cache.
[cb6f66a2d278e57a6c9d8fb59bd9ebd8ab3965c2]
Cho, Yu-Chen (1):
Bluetooth: Add support for Mediatek Bluetooth device [0e8d:763f]
[178c059e7640aa8e50213400c6f3dde00189d979]
Chris Wilson (1):
drm/i915: Invalidate TLBs for the rings after a reset
[884020bf3d2a3787a1cc6df902e98e0eec60330b]
Chuck Anderson (1):
xen/smp: initialize IPI vectors before marking CPU online
[fc78d343fa74514f6fd117b5ef4cd27e4ac30236]
Clemens Ladisch (1):
ALSA: usb-audio: do not trust too-big wMaxPacketSize values
[57e6dae1087bbaa6b33d3dd8a8e90b63888939a3]
Cong Wang (1):
vti: remove duplicated code to fix a memory leak
[ab6c7a0a43c2eaafa57583822b619b22637b49c7]
Curt Brune (1):
hwmon: (adt7470) Fix incorrect return code check
[93d783bcca69bfacc8dc739d8a050498402587b5]
Dan Carpenter (6):
Hostap: copying wrong data prism2_ioctl_giwaplist()
[909bd5926d474e275599094acad986af79671ac9]
net_sched: info leak in atm_tc_dump_class()
[8cb3b9c3642c0263d48f31d525bcee7170eedc20]
af_key: more info leaks in pfkey messages
[ff862a4668dd6dba962b1d2d8bd344afa6375683]
arcnet: cleanup sizeof parameter
[087d273caf4f7d3f2159256f255f1f432bc84a5b]
fanotify: info leak in copy_event_to_user()
[de1e0c40aceb9d5bff09c3a3b97b2f1b178af53f]
svcrdma: underflow issue in decode_write_list()
[b2781e1021525649c0b33fffd005ef219da33926]
Dan Williams (1):
usb: serial: option: add Olivetti Olicard 200
[4cf76df06ecc852633ed927d91e01c83c33bc331]
Daniel Drake (1):
drivers/platform/olpc/olpc-ec.c: initialise earlier
[93dbc1b3b506e16c1f6d5b5dcfe756a85cb1dc58]
Daniel Hansel (1):
zfcp: fix adapter (re)open recovery while link to SAN is down
[f76ccaac4f82c463a037aa4a1e4ccb85c7011814]
Dave Airlie (1):
drm/ast: invalidate page tables when pinning a BO
[3ac65259328324de323dc006b52ff7c1a5b18d19]
Dave Jones (1):
x25: Fix broken locking in ioctl error paths.
[4ccb93ce7439b63c31bc7597bfffd13567fa483d]
Dave Kleikamp (2):
jfs: fix readdir cookie incompatibility with NFSv4
[44512449c0ab368889dd13ae0031fba74ee7e1d2]
sunvnet: vnet_port_remove must call unregister_netdev
[aabb9875d02559ab9b928cd6f259a5cc4c21a589]
David Jeffery (1):
lockd: protect nlm_blocked access in nlmsvc_retry_blocked
[1c327d962fc420aea046c16215a552710bde8231]
David S. Miller (1):
net_sched: Fix stack info leak in cbq_dump_wrr().
[a0db856a95a29efb1c23db55c02d9f0ff4f0db48]
David Vrabel (3):
x86/xen: do not identity map UNUSABLE regions in the machine E820
[3bc38cbceb85881a8eb789ee1aa56678038b1909]
xen/events: initialize local per-cpu mask for all possible events
[84ca7a8e45dafb49cd5ca90a343ba033e2885c17]
xen/evtchn: avoid a deadlock when unbinding an event channel
[179fbd5a45f0d4034cc6fd37b8d367a3b79663c4]
Egbert Eich (1):
drm/mgag200: Invalidate page tables when pinning a BO
[ecaac1c866bcda4780a963b3d18cd310d971aea3]
Eldad Zack (1):
ALSA: usb-audio: 6fire: return correct XRUN indication
[be2f93a4c4981b3646b6f98f477154411b8516cb]
Emmanuel Grumbach (2):
iwlwifi: pcie: disable L1 Active after pci_enable_device
[eabc4ac5d7606a57ee2b7308cb7323ea8f60183b]
iwlwifi: add DELL SKU for 5150 HMC
[a1923f1d4723e5757cefdd60f7c7ab30e472007a]
Enrico Mioso (2):
usb: serial: option.c: remove ONDA MT825UP product ID fromdriver
[878c69aae986ae97084458c0183a8c0a059865b1]
usb: serial: option: blacklist ONDA MT689DC QMI interface
[3d1a69e726406ab662ab88fa30a3a05ed404334d]
Eric Dumazet (4):
atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring
[7b70176421993866e616f1cbc4d0dd4054f1bf78]
vlan: fix a race in egress prio management
[3e3aac497513c669e1c62c71e1d552ea85c1d974]
vlan: mask vlan prio bits
[d4b812dea4a236f729526facf97df1a9d18e191c]
neighbour: fix a race in neigh_destroy()
[c9ab4d85de222f3390c67aedc9c18a50e767531e]
Eugene Surovegin (1):
powerpc/hvsi: Increase handshake timeout from 200ms to 400ms.
[d220980b701d838560a70de691b53be007e99e78]
Ewan D. Milne (1):
sd: fix crash when UA received on DIF enabled device
[085b513f97d8d799d28491239be4b451bcd8c2c5]
Fabio Estevam (1):
ASoC: sglt5000: Fix SGTL5000_PLL_FRAC_DIV_MASK
[5c78dfe87ea04b501ee000a7f03b9432ac9d008c]
Felipe Balbi (1):
usb: dwc3: gadget: don't prevent gadget from being probed if we fail
[cdcedd6981194e511cc206887db661d016069d68]
Gabor Juhos (1):
rt2x00: read 5GHz TX power values from the correct offset
[0a6f3a8ebaf13407523c2c7d575b4ca2debd23ba]
Geert Uytterhoeven (1):
m68k/atari: ARAnyM - Fix NatFeat module support
[e8184e10f89736a23ea6eea8e24cd524c5c513d2]
George Cherian (1):
usb: host: xhci: Enable XHCI_SPURIOUS_SUCCESS for all controllers with xhci 1.0
[07f3cb7c28bf3f4dd80bfb136cf45810c46ac474]
Gregory CLEMENT (1):
ARM: 7722/1: zImage: Convert 32bits memory size and address from ATAG to 64bits DTB
[faefd550c45d8d314e8f260f21565320355c947f]
H.J. Lu (1):
x86, fpu: correct the asm constraints for fxsave, unbreak mxcsr.daz
[eaa5a990191d204ba0f9d35dbe5505ec2cdd1460]
Hannes Frederic Sowa (4):
ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup
[905a6f96a1b18e490a75f810d733ced93c39b0e5]
ipv6: in case of link failure remove route directly instead of letting it expire
[1eb4f758286884e7566627164bca4c4a16952a83]
ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
[75a493e60ac4bbe2e977e7129d6d8cbb0dd236be]
ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
[8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1]
Hannes Reinecke (1):
dm mpath: fix ioctl deadlock when no paths
[6c182cd88d179cbbd06f4f8a8a19b6977940753f]
Harshula Jayasuriya (1):
nfsd: nfsd_open: when dentry_open returns an error do not propagate as struct file
[e4daf1ffbe6cc3b12aab4d604e627829e93e9914]
Hauke Mehrtens (1):
b43: ensue that BCMA is "y" when B43 is "y"
[693026ef2e751fd94d2e6c71028e68343cc875d5]
Helmut Schaa (1):
ath9k_htc: Restore skb headroom when returning skb to mac80211
[d2e9fc141e2aa21f4b35ee27072d84e9aa6e2ba0]
Huang Rui (1):
usb: dwc3: fix wrong bit mask in dwc3_event_type
[1974d494dea05ea227cb42f5e918828801e237aa]
Ian Abbott (1):
staging: comedi: COMEDI_CANCEL ioctl should wake up read/write
[69acbaac303e8cb948801a9ddd0ac24e86cc4a1b]
Imre Deak (1):
drm/i915: ivb: fix edp voltage swing reg val
[77fa4cbd5fa389e28419bbe8ac491b5fdd54840d]
J. Bruce Fields (1):
svcrpc: fix handling of too-short rpc's
[cf3aa02cb4a0c5af5557dd47f15a08a7df33182a]
Jacob Keller (1):
ixgbe: Fix Tx Hang issue with lldpad on 82598EB
[1eb9ac14c34a948bf1538bfb9034e8ab29099a64]
Jakob Bornecrantz (1):
drm/vmwgfx: Split GMR2_REMAP commands if they are to large
[6e4dcff3adbf25acb87e74500a58e3c07bdec40f]
Jan Beulich (1):
xen-netfront: pull on receive skb may need to happen earlier
[093b9c71b6e450e375f4646ba86faed0195ec7df]
Jan Kara (2):
jbd2: Fix use after free after error in jbd2_journal_dirty_metadata()
[91aa11fae1cf8c2fd67be0609692ea9741cdcc43]
writeback: Fix periodic writeback after fs mount
[a5faeaf9109578e65e1a32e2a3e76c8b47e7dcb6]
Jason Wang (4):
macvtap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS
[ece793fcfc417b3925844be88a6a6dc82ae8f7c6]
tuntap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS
[885291761dba2bfe04df4c0f7bb75e4c920ab82e]
macvtap: correctly linearize skb when zerocopy is used
[61d46bf979d5cd7c164709a80ad5676a35494aae]
tuntap: correctly linearize skb when zerocopy is used
[3dd5c3308e8b671e8e8882ba972f51cefbe9fd0d]
Jeff Skirvin (1):
isci: Fix a race condition in the SSP task management path
[96f15f29038e58e1b0a96483e2b369ff446becf1]
Jeff Wu (1):
ACPI: add _STA evaluation at do_acpi_find_child()
[c7d9ca90aa9497f0b6e301ec67c52dd4b57a7852]
Jiang Liu (6):
zram: protect sysfs handler from invalid memory access
[5863e10b441e7ea4b492f930f1be180a97d026f3]
zram: avoid access beyond the zram device
[12a7ad3b810e77137d0caf97a6dd97591e075b30]
zram: avoid double free in function zram_bvec_write()
[65c484609a3b25c35e4edcd5f2c38f98f5226093]
zram: destroy all devices on error recovery path in zram_init()
[39a9b8ac9333e4268ecff7da6c9d1ab3823ff243]
zram: use zram->lock to protect zram_free_page() in swap free notify path
[57ab048532c0d975538cebd4456491b5c34248f4]
zram: avoid invalid memory access in zram_exit()
[6030ea9b35971a4200062f010341ab832e878ac9]
Jianpeng Ma (1):
elevator: Fix a race in elevator switching
[d50235b7bc3ee0a0427984d763ea7534149531b4]
Jiri Olsa (2):
perf: Remove WARN_ON_ONCE() check in __perf_event_enable() for valid scenario
[06f417968beac6e6b614e17b37d347aa6a6b1d30]
perf: Clone child context from parent context pmu
[734df5ab549ca44f40de0f07af1c8803856dfb18]
Joe Perches (1):
ndisc: Add missing inline to ndisc_addr_option_pad
[d9d10a30964504af834d8d250a0c76d4ae91eb1e]
Johan Hovold (10):
USB: keyspan: fix null-deref at disconnect and release
[ff8a43c10f1440f07a5faca0c1556921259f7f76]
USB: mos7720: fix broken control requests
[ef6c8c1d733e244f0499035be0dabe1f4ed98c6f]
USB: mos7840: fix big-endian probe
[d551ec9b690f3de65b0091a2e767f1382adc792d]
USB: ti_usb_3410_5052: fix big-endian firmware handling
[e877dd2f2581628b7119df707d4cf03d940cff49]
USB: mos7840: fix pointer casts
[683a0e4d7971c3186dc4d429027debfe309129aa]
USB: mos7840: fix race in led handling
[05cf0dec5ccc696a7636c84b265b477173498156]
USB: mos7840: fix device-type detection
[40c24f2893ba0ba7df485871f6aac0c197ceef5b]
USB: mos7840: fix race in register handling
[d8a083cc746664916d9d36ed9e4d08a29525f245]
USB: ti_usb_3410_5052: fix dynamic-id matching
[1fad56424f5ad3ce4973505a357212b2e2282b3f]
USB: mos7840: fix memory leak in open
[5f8a2e68b679b41cc8e9b642f2f5aa45dd678641]
Johannes Berg (4):
cfg80211: fix P2P GO interface teardown
[74418edec915d0f446debebde08d170c7b8ba0ee]
genetlink: fix family dump race
[58ad436fcf49810aa006016107f494c9ac9013db]
mac80211: fix ethtool stats for non-station interfaces
[e13bae4f807401729b3f27c7e882a96b8b292809]
mac80211: fix duplicate retransmission detection
[6b0f32745dcfba01d7be33acd1b40306c7a914c6]
Josef Bacik (2):
Btrfs: re-add root to dead root list if we stop dropping it
[d29a9f629e009c9b90e5859bce581070fd6247fc]
Btrfs: fix lock leak when resuming snapshot deletion
[fec386ac1428f9c0e672df952cbca5cebd4e4e2f]
Jussi Kivilinna (2):
zd1201: do not use stack as URB transfer_buffer
[1206ff4ff9d2ef7468a355328bc58ac6ebf5be44]
ALSA: 6fire: fix DMA issues with URB transfer_buffer usage
[ddb6b5a964371e8e52e696b2b258bda144c8bd3f]
Jóhann B. Guðmundsson (1):
USB: misc: Add Manhattan Hi-Speed USB DVI Converter to sisusbvga
[58fc90db8261b571c026bb8bf23aad48a7233118]
Jörn Engel (1):
iscsi-target: Fix tfc_tpg_nacl_auth_cit configfs length overflow
[0fbfc46fb0b2f543a8b539e94c6c293ebc0b05a6]
Karlis Ogsts (1):
staging: android: logger: Correct write offset reset on error
[72bb99cfe9c57d2044445fb34bbc95b4c0bae6f2]
Kevin Hilman (1):
regmap: Add another missing header for !CONFIG_REGMAP stubs
[3f0fa9a808f98fa10a18ba2a73f13d65fda990fb]
Konrad Rzeszutek Wilk (1):
xen/blkback: Check device permissions before allowing OP_DISCARD
[604c499cbbcc3d5fe5fb8d53306aa0fae1990109]
Konstantin Khlebnikov (1):
drm/i915: fix long-standing SNB regression in power consumption after resume v2
[7dcd2677ea912573d9ed4bcd629b0023b2d11505]
Lan Tianyu (1):
ACPI / battery: Fix parsing _BIX return value
[016d5baad04269e8559332df05f89bd95b52d6ad]
Li Zefan (1):
cgroup: fix umount vs cgroup_cfts_commit() race
[084457f284abf6789d90509ee11dae383842b23b]
Liu ShuoX (1):
PM / Sleep: avoid 'autosleep' in shutdown progress
[e5248a111bf4048a9f3fab1a9c94c4630a10592a]
Luiz Angelo Daros de Luca (1):
usb: serial: cp210x: Add USB ID for Netgear Switches embedded serial adapter
[90625070c4253377025878c4e82feed8b35c7116]
Mahesh Rajashekhara (1):
aacraid: Fix for arrays are going offline in the system. System hangs
[c5bebd829dd95602c15f8da8cc50fa938b5e0254]
Mark Kettenis (1):
drm/radeon: fix combios tables on older cards
[cef1d00cd56f600121ad121875655ad410a001b8]
Markos Chandras (2):
MIPS: Expose missing pci_io{map,unmap} declarations
[78857614104a26cdada4c53eea104752042bf5a1]
lib/Kconfig.debug: Restrict FRAME_POINTER for MIPS
[25c87eae1725ed77a8b44d782a86abdc279b4ede]
Martin K. Petersen (1):
Don't attempt to send extended INQUIRY command if skip_vpd_pages is set
[7562523e84ddc742fe1f9db8bd76b01acca89f6b]
Martin Peschke (2):
zfcp: fix schedule-inside-lock in scsi_device list loops
[924dd584b198a58aa7cb3efefd8a03326550ce8f]
zfcp: fix lock imbalance by reworking request queue locking
[d79ff142624e1be080ad8d09101f7004d79c36e1]
Mateusz Krawczuk (1):
regmap: Add missing header for !CONFIG_REGMAP stubs
[49ccc142f9cbc33fdda18e8fa90c1c5b4a79c0ad]
Matt Burtch (1):
USB-Serial: Fix error handling of usb_wwan
[6c1ee66a0b2bdbd64c078fba684d640cf2fd38a9]
Michael S. Tsirkin (3):
skb: report completion status for zero copy skbs
[e19d6763cc300fcb706bd291b24ac06be71e1ce6]
virtio_net: fix race in RX VQ processing
[cbdadbbf0c790f79350a8f36029208944c5487d0]
virtio: support unlocked queue poll
[cc229884d3f77ec3b1240e467e0236c3e0647c0c]
Michal Kazior (1):
nl80211: fix mgmt tx status and testmode reporting for netns
[a0ec570f4f69c4cb700d743a915096c2c8f56a99]
Michal Srb (1):
drm/cirrus: Invalidate page tables when pinning a BO
[109a51598869a39fdcec2d49672a9a39b6d89481]
Michal Tesar (1):
sysctl net: Keep tcp_syn_retries inside the boundary
[651e92716aaae60fc41b9652f54cb6803896e0da]
Mikulas Patocka (1):
dm verity: fix inability to use a few specific devices sizes
[b1bf2de07271932326af847a3c6a01fdfd29d4be]
Neil Horman (3):
8139cp: Add dma_mapping_error checking
[cf3c4c03060b688cbc389ebc5065ebcce5653e96]
x86/iommu/vt-d: Expand interrupt remapping quirk to cover x58 chipset
[803075dba31c17af110e1d9a915fe7262165b213]
atl1e: fix dma mapping warnings
[352900b583b2852152a1e05ea0e8b579292e731e]
NeilBrown (3):
md/raid10: remove use-after-free bug.
[0eb25bb027a100f5a9df8991f2f628e7d851bc1e]
md/raid5: fix interaction of 'replace' and 'recovery'.
[f94c0b6658c7edea8bc19d13be321e3860a3fa54]
md/raid10: fix two bugs affecting RAID10 reshape.
[78eaa0d4cbcdb345992fa3dd22b3bcbb473cc064]
Nicholas Bellinger (1):
target: Fix trailing ASCII space usage in INQUIRY vendor+model
[ee60bddba5a5f23e39598195d944aa0eb2d455e5]
Nicolas Ferre (1):
ARM: at91/DT: fix at91sam9n12ek memory node
[a57603ca2871ee0773b00839c1ea35c4a2d3eeb0]
Nicolas Pitre (1):
ARM: 7816/1: CONFIG_KUSER_HELPERS: fix help text
[ac124504ecf6b20a2457d873d0728a8b991a5b0c]
Nicolin Chen (1):
ASoC: wm8962: Remove remaining direct register cache accesses
[2e7ee15ced914e109a1a5b6dfcd463d846a13bd5]
Oleg Nesterov (2):
debugfs: debugfs_remove_recursive() must not rely on list_empty(d_subdirs)
[776164c1faac4966ab14418bb0922e1820da1d19]
userns: limit the maximum depth of user_namespace->parent chain
[8742f229b635bf1c1c84a3dfe5e47c814c20b5c8]
Oleksij Rempel (2):
ath9k_htc: do some initial hardware configuration
[dc2a87f519a4d8cb376ab54f22b6b98a943b51ce]
xhci: fix null pointer dereference on ring_doorbell_for_active_rings
[d66eaf9f89502971fddcb0de550b01fa6f409d83]
Oliver Neukum (1):
usb: add two quirky touchscreen
[304ab4ab079a8ed03ce39f1d274964a532db036b]
Paul Mackerras (1):
powerpc: Work around gcc miscompilation of __pa() on 64-bit
[bdbc29c19b2633b1d9c52638fb732bcde7a2031a]
Peter Zijlstra (1):
perf: Fix perf_lock_task_context() vs RCU
[058ebd0eba3aff16b144eabf4510ed9510e1416e]
Piotr Sarna (1):
ext4: fix mount/remount error messages for incompatible mount options
[6ae6514b33f941d3386da0dfbe2942766eab1577]
Radu Caragea (1):
x86 get_unmapped_area(): use proper mmap base for bottom-up direction
[df54d6fa54275ce59660453e29d1228c2b45a826]
Ralf Baechle (2):
RAPIDIO: IDT_GEN2: Fix build error.
[27f62b9f294b7e2019c94c385abda43a0af6bb8b]
MIPS: Oceton: Fix build error.
[39205750efa6d335fac4f9bcd32b49c7e71c12b7]
Ren Bigcren (1):
USB: storage: Add MicroVault Flash Drive to unusual_devs
[e7a6121f4929c17215f0cdca3726f4bf3e4e9529]
Rick Farina (Zero_Chaos) (1):
USB: serial: ftdi_sio: add more RT Systems ftdi devices
[fed1f1ed90bce42ea010e2904cbc04e7b8304940]
Roger Quadros (1):
USB: EHCI: Fix resume signalling on remote wakeup
[47a64a13d54f6c669b00542848d5550be3d3310e]
Roland Dreier (1):
sg: Fix user memory corruption when SG_IO is interrupted by a signal
[35dc248383bbab0a7203fca4d722875bc81ef091]
Russ Anderson (1):
drivers/base/memory.c: fix show_mem_removable() to handle missing sections
[21ea9f5ace3a7317cc3ba1fbc749758021a83136]
Russell King (7):
ARM: make vectors page inaccessible from userspace
[a5463cd3435475386cbbe7b06e01292ac169d36f]
ARM: allow kuser helpers to be removed from the vector page
[f6f91b0d9fd971c630cef908dde8fe8795aefbf8]
ARM: update FIQ support for relocation of vectors
[e39e3f3ebfef03450cf7bfa7a974a8c61f7980c8]
ARM: use linker magic for vectors and vector stubs
[b9b32bf70f2fb710b07c94e13afbc729afe221da]
ARM: move vector stubs
[19accfd373847ac3d10623c5d20f948846299741]
ARM: poison memory between kuser helpers
[5b43e7a383d69381ffe53423e46dd0fafae07da3]
ARM: poison the vectors page
[f928d4f2a86f46b030fa0850385b4391fc2b5918]
Sami Rahman (1):
USB: cp210x: add MMB and PI ZigBee USB Device Support
[7681156982026ebf7eafd7301eb0374d7648d068]
Sarah Sharp (1):
xhci: Avoid NULL pointer deref when host dies.
[203a86613fb3bf2767335659513fa98563a3eb71]
Sasha Levin (1):
9p: fix off by one causing access violations and memory corruption
[110ecd69a9feea82a152bbf9b12aba57e6396883]
Saurav Kashyap (1):
qla2xxx: Properly set the tagging for commands.
[c3ccb1d7cf4c4549151876dd37c0944a682fd9e1]
Sekhar Nori (1):
ARM: davinci: nand: specify ecc strength
[acd36357edc08649e85ff15dc4ed62353c912eff]
Sergey Senozhatsky (2):
zram: allow request end to coincide with disksize
[75c7caf5a052ffd8db3312fa7864ee2d142890c4]
radeon kms: do not flush uninitialized hotplug work
[a01c34f72e7cd2624570818f579b5ab464f93de2]
Seth Heasley (1):
ata_piix: IDE-mode SATA patch for Intel Coleto Creek DeviceIDs
[c7e8695bfa0611b39493a9dfe8bab9f63f9809bd]
Shane Huang (1):
i2c-piix4: Add AMD CZ SMBus device ID
[b996ac90f595dda271cbd858b136b45557fc1a57]
Sreekanth Reddy (1):
mpt2sas: fix firmware failure with wrong task attribute
[48ba2efc382f94fae16ca8ca011e5961a81ad1ea]
Stanislaw Gruszka (5):
iwlwifi: dvm: fix calling ieee80211_chswitch_done() with NULL
[9186a1fd9ed190739423db84bc344d258ef3e3d7]
iwl4965: reset firmware after rfkill off
[788f7a56fce1bcb2067b62b851a086fca48a0056]
iwl4965: set power mode early
[eca396d7a5bdcc1fd67b1b12f737c213ac78a6f4]
rt2x00: fix stop queue
[e2288b66fe7ff0288382b2af671b4da558b44472]
Bluetooth: ath3k: don't use stack memory for DMA
[517828a87994f41af6ae5a0f96f0f069f05baa81]
Steffen Maier (2):
zfcp: status read buffers on first adapter open with link down
[9edf7d75ee5f21663a0183d21f702682d0ef132f]
zfcp: block queue limits with data router
[5fea4291deacd80188b996d2f555fc6a1940e5d4]
Stephane Grosjean (1):
can: pcan_usb: fix wrong memcpy() bytes length
[3c322a56b01695df15c70bfdc2d02e0ccd80654e]
Stephen Boyd (1):
perf/arm: Fix armpmu_map_hw_event()
[b88a2595b6d8aedbd275c07dfa784657b4f757eb]
Stephen Warren (1):
ASoC: tegra: fix Tegra30 I2S capture parameter setup
[c90c0d7a96e634a73ef1580f1d20993606545647]
Sujith Manoharan (3):
ath9k: Enable PLL fix only for AR9340/AR9330
[19c361608ce3e73f352e323262f7e0a8264be3af]
ath9k: Do not assign noise for NULL caldata
[d3bcb7b24bbf09fde8405770e676fe0c11c79662]
ath9k_hw: Assign default xlna config for AR9485
[30d5b709da23f4ab9836c7f66d2d2e780a69cf12]
Sumit.Saxena@lsi.com (1):
megaraid_sas: megaraid_sas driver init fails in kdump kernel
[6431f5d7c6025f8b007af06ea090de308f7e6881]
Takashi Iwai (13):
ALSA: opti9xx: Fix conflicting driver object name
[fb615499f0ad28ed74201c1cdfddf9e64e205424]
ALSA: hda - Add inverted digital mic fixup for Acer Aspire One
[d3d3835ce919438c00c5d1270d6f9d6ffea59d03]
ALSA: hda - Add a fixup for Gateway LT27
[1801928e0f99d94c55e33c584c5eb2ff5e246ee6]
staging: line6: Fix unlocked snd_pcm_stop() call
[86f0b5b86d142b9323432fef078a6cf0fb5dda74]
ASoC: s6000: Fix unlocked snd_pcm_stop() call
[61be2b9a18ec70f3cbe3deef7a5f77869c71b5ae]
ALSA: usx2y: Fix unlocked snd_pcm_stop() call
[5be1efb4c2ed79c3d7c0cbcbecae768377666e84]
ALSA: asihpi: Fix unlocked snd_pcm_stop() call
[60478295d6876619f8f47f6d1a5c25eaade69ee3]
ALSA: atiixp: Fix unlocked snd_pcm_stop() call
[cc7282b8d5abbd48c81d1465925d464d9e3eaa8f]
ALSA: pxa2xx: Fix unlocked snd_pcm_stop() call
[46f6c1aaf790be9ea3c8ddfc8f235a5f677d08e2]
ALSA: ua101: Fix unlocked snd_pcm_stop() call
[9538aa46c2427d6782aa10036c4da4c541605e0e]
ALSA: 6fire: Fix unlocked snd_pcm_stop() call
[5b9ab3f7324a1b94a5a5a76d44cf92dfeb3b5e80]
ALSA: seq-oss: Initialize MIDI clients asynchronously
[256ca9c3ad5013ff8a8f165e5a82fab437628c8e]
ALSA: hda - Cache the MUX selection for generic HDMI
[bddee96b5d0db869f47b195fe48c614ca824203c]
Tejun Heo (3):
workqueue: cond_resched() after processing each work item
[b22ce2785d97423846206cceec4efee0c4afd980]
libata: make it clear that sata_inic162x is experimental
[bb9696192826a7d9279caf872e95b41bc26c7eff]
libata: skip SRST for all SIMG [34]7x port-multipliers
[7a87718d92760fc688628ad6a430643dafa16f1f]
Terry Suereth (1):
libata: apply behavioral quirks to sil3826 PMP
[8ffff94d20b7eb446e848e0046107d51b17a20a8]
Theodore Ts'o (2):
ext4: allow the mount options nodelalloc and data=journal
[59d9fa5c2e9086db11aa287bb4030151d0095a17]
ext4: make sure group number is bumped after a inode allocation race
[a34eb503742fd25155fd6cff6163daacead9fbc3]
Thomas Gleixner (2):
hrtimers: Move SMP function call to thread context
[5ec2481b7b47a4005bb446d176e5d0257400c77d]
tick: Prevent uncontrolled switch to oneshot mode
[1f73a9806bdd07a5106409bbcab3884078bd34fe]
Thomas Pugliese (1):
wusbcore: fix kernel panic when disconnecting a wireless USB->serial device
[ec58fad1feb76c323ef47efff1d1e8660ed4644c]
Tomasz Moń (1):
mwifiex: Add missing endian conversion.
[83e612f632c3897be29ef02e0472f6d63e258378]
Torsten Schenk (2):
ALSA: 6fire: make buffers DMA-able (midi)
[4c2aee0032b70083dafebd733ed9c774633b2fa3]
ALSA: 6fire: make buffers DMA-able (pcm)
[5ece263f1d93fba8d992e67e3ab8a71acf674db9]
Toshi Kani (1):
ACPI / memhotplug: Fix a stale pointer in error path
[d19f503e22316a84c39bc19445e0e4fdd49b3532]
Trond Myklebust (1):
SUNRPC: Fix memory corruption issue on 32-bit highmem systems
[347e2233b7667e336d9f671f1a52dfa3f0416e2c]
Uwe Kleine-König (2):
serial/mxs-auart: increase time to wait for transmitter to become idle
[079a036f4283e2b0e5c26080b8c5112bc0cc1831]
serial/mxs-auart: fix race condition in interrupt handler
[d970d7fe65adff5efe75b4a73c4ffc9be57089f7]
Vince Weaver (1):
perf/x86: Fix intel QPI uncore event definitions
[c9601247f8f3fdc18aed7ed7e490e8dfcd07f122]
Vineet Gupta (1):
mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots
[e6c495a96ce02574e765d5140039a64c8d4e8c9e]
Vinod Koul (1):
ALSA: compress: fix the return value for SNDRV_COMPRESS_VERSION
[a8d30608eaed6cc759b8e2e8a8bbbb42591f797f]
Vyacheslav Dubeyko (2):
nilfs2: fix issue with counting number of bio requests for BIO_EOPNOTSUPP error detection
[4bf93b50fd04118ac7f33a3c2b8a0a1f9fa80bc9]
nilfs2: remove double bio_put() in nilfs_end_bio_write() for BIO_EOPNOTSUPP error
[2df37a19c686c2d7c4e9b4ce1505b5141e3e5552]
Wei Yongjun (1):
l2tp: add missing .owner to struct pppox_proto
[e1558a93b61962710733dc8c11a2bc765607f1cd]
Will Deacon (1):
ARM: 7809/1: perf: fix event validation for software group leaders
[c95eb3184ea1a3a2551df57190c81da695e2144b]
William Gulland (1):
usb: Clear both buffers when clearing a control transfer TT buffer.
[2c7b871b9102c497ba8f972aa5d38532f05b654d]
Wladislav Wiebe (1):
of: fdt: fix memory initialization for expanded DT
[9e40127526e857fa3f29d51e83277204fbdfc6ba]
Yinghai Lu (1):
x86: Fix /proc/mtrr with base/size more than 44bits
[d5c78673b1b28467354c2c30c3d4f003666ff385]
dingtianhong (3):
ifb: fix oops when loading the ifb failed
[f2966cd5691058b8674a20766525bedeaea9cbcf]
dummy: fix oops when loading the dummy failed
[2c8a01894a12665d8059fad8f0a293c98a264121]
ifb: fix rcu_sched self-detected stalls
[440d57bc5ff55ec1efb3efc9cbe9420b4bbdfefa]
yonghua zheng (1):
fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
[8c8296223f3abb142be8fc31711b18a704c0e7d8]
zhangwei(Jovi) (2):
tracing: Fix irqs-off tag display in syscall tracing
[11034ae9c20f4057a6127fc965906417978e69b2]
uprobes: Fix return value in error handling path
[fa44063f9ef163c3a4c8d8c0465bb8a056b42035]
----
Documentation/i2c/busses/i2c-piix4 | 2 +-
arch/arm/Kconfig | 3 +-
arch/arm/boot/compressed/atags_to_fdt.c | 44 ++++-
arch/arm/boot/dts/at91sam9n12ek.dts | 4 +-
arch/arm/include/asm/mmu.h | 2 +
arch/arm/include/asm/mmu_context.h | 20 ++-
arch/arm/include/asm/page.h | 2 +
arch/arm/include/asm/thread_info.h | 1 -
arch/arm/kernel/entry-armv.S | 103 ++++++------
arch/arm/kernel/fiq.c | 19 ++-
arch/arm/kernel/perf_event.c | 10 +-
arch/arm/kernel/process.c | 7 +-
arch/arm/kernel/traps.c | 37 +++--
arch/arm/kernel/vmlinux.lds.S | 17 ++
arch/arm/mach-davinci/board-dm355-leopard.c | 1 +
arch/arm/mach-davinci/board-dm644x-evm.c | 1 +
arch/arm/mach-davinci/board-dm646x-evm.c | 1 +
arch/arm/mach-davinci/board-neuros-osd2.c | 1 +
arch/arm/mm/Kconfig | 37 +++++
arch/arm/mm/mmu.c | 14 +-
arch/m68k/emu/natfeat.c | 23 ++-
arch/mips/Kconfig | 2 +-
arch/mips/cavium-octeon/setup.c | 3 +-
arch/mips/include/asm/io.h | 5 +
arch/powerpc/Kconfig | 1 +
arch/powerpc/include/asm/module.h | 5 +-
arch/powerpc/include/asm/page.h | 10 ++
arch/powerpc/kernel/lparcfg.c | 23 +--
arch/powerpc/kernel/setup_64.c | 2 +-
arch/powerpc/kernel/vmlinux.lds.S | 3 -
arch/x86/kernel/cpu/mtrr/generic.c | 21 +--
arch/x86/kernel/cpu/mtrr/main.c | 16 +-
arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +-
arch/x86/kernel/early-quirks.c | 14 +-
arch/x86/kernel/i387.c | 2 +-
arch/x86/kernel/sys_x86_64.c | 2 +-
arch/x86/mm/mmap.c | 2 +-
arch/x86/xen/setup.c | 22 +++
arch/x86/xen/smp.c | 11 +-
block/cfq-iosched.c | 17 +-
block/deadline-iosched.c | 16 +-
block/elevator.c | 25 +--
block/noop-iosched.c | 17 +-
drivers/acpi/acpi_memhotplug.c | 1 +
drivers/acpi/battery.c | 2 +
drivers/acpi/glue.c | 6 +-
drivers/ata/Kconfig | 2 +-
drivers/ata/ata_piix.c | 2 +
drivers/ata/libata-pmp.c | 45 ++---
drivers/ata/sata_fsl.c | 5 +-
drivers/ata/sata_inic162x.c | 14 ++
drivers/base/memory.c | 2 +
drivers/block/xen-blkback/blkback.c | 13 +-
drivers/bluetooth/ath3k.c | 38 ++++-
drivers/bluetooth/btusb.c | 3 +
drivers/char/virtio_console.c | 47 +++---
drivers/clocksource/dw_apb_timer_of.c | 2 +-
drivers/gpu/drm/ast/ast_ttm.c | 1 +
drivers/gpu/drm/cirrus/cirrus_ttm.c | 1 +
drivers/gpu/drm/i915/i915_dma.c | 10 +-
drivers/gpu/drm/i915/i915_reg.h | 4 +-
drivers/gpu/drm/i915/intel_ringbuffer.c | 12 ++
drivers/gpu/drm/mgag200/mgag200_ttm.c | 1 +
drivers/gpu/drm/radeon/atom.c | 5 +
drivers/gpu/drm/radeon/atombios_dp.c | 43 ++++-
drivers/gpu/drm/radeon/radeon_combios.c | 151 +++++------------
drivers/gpu/drm/radeon/radeon_irq_kms.c | 9 +-
drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 ++++---
drivers/hwmon/adt7470.c | 2 +-
drivers/i2c/busses/Kconfig | 1 +
drivers/i2c/busses/i2c-piix4.c | 3 +-
drivers/iommu/amd_iommu.c | 6 +-
drivers/macintosh/windfarm_rm31.c | 18 +-
drivers/md/dm-mpath.c | 8 +-
drivers/md/dm-verity.c | 5 +-
drivers/md/dm.c | 9 +-
drivers/md/raid10.c | 12 +-
drivers/md/raid5.c | 15 +-
drivers/md/raid5.h | 1 +
drivers/mtd/nand/Kconfig | 2 +-
drivers/net/arcnet/arcnet.c | 2 +-
drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +-
drivers/net/dummy.c | 4 +
drivers/net/ethernet/atheros/atl1c/atl1c.h | 3 +
drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 40 ++++-
drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 28 +++-
drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_82598.c | 3 +-
drivers/net/ethernet/realtek/8139cp.c | 48 +++++-
drivers/net/ethernet/sun/sunvnet.c | 2 +
drivers/net/ifb.c | 8 +-
drivers/net/macvtap.c | 66 +++++---
drivers/net/tun.c | 69 +++++---
drivers/net/virtio_net.c | 5 +-
drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 8 +-
drivers/net/wireless/ath/ath9k/ar9003_phy.h | 2 +
drivers/net/wireless/ath/ath9k/calib.c | 1 -
drivers/net/wireless/ath/ath9k/htc_drv_init.c | 1 +
drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 10 ++
drivers/net/wireless/ath/ath9k/main.c | 3 +-
drivers/net/wireless/b43/Kconfig | 4 +-
drivers/net/wireless/hostap/hostap_ioctl.c | 4 +-
drivers/net/wireless/iwlegacy/4965-mac.c | 16 +-
drivers/net/wireless/iwlegacy/common.c | 1 +
drivers/net/wireless/iwlwifi/dvm/mac80211.c | 5 +-
drivers/net/wireless/iwlwifi/pcie/drv.c | 1 +
drivers/net/wireless/iwlwifi/pcie/trans.c | 10 +-
drivers/net/wireless/mwifiex/sdio.c | 4 +-
drivers/net/wireless/rt2x00/rt2800lib.c | 4 +-
drivers/net/wireless/rt2x00/rt2x00queue.c | 18 +-
drivers/net/wireless/rt2x00/rt61pci.c | 3 +-
drivers/net/wireless/rt2x00/rt73usb.c | 3 +-
drivers/net/wireless/zd1201.c | 4 +-
drivers/net/xen-netfront.c | 50 ++----
drivers/of/fdt.c | 2 +
drivers/platform/olpc/olpc-ec.c | 2 +-
drivers/rapidio/switches/idt_gen2.c | 2 +
drivers/s390/scsi/zfcp_aux.c | 5 +-
drivers/s390/scsi/zfcp_erp.c | 29 +++-
drivers/s390/scsi/zfcp_fsf.c | 27 ++-
drivers/s390/scsi/zfcp_qdio.c | 8 +-
drivers/s390/scsi/zfcp_scsi.c | 10 +-
drivers/scsi/aacraid/src.c | 3 +
drivers/scsi/isci/task.c | 9 +-
drivers/scsi/megaraid/megaraid_sas_base.c | 30 +++-
drivers/scsi/mpt2sas/mpt2sas_scsih.c | 6 +-
drivers/scsi/nsp32.c | 2 +-
drivers/scsi/qla2xxx/qla_iocb.c | 11 +-
drivers/scsi/scsi.c | 3 +
drivers/scsi/sd.c | 22 +--
drivers/staging/android/logger.c | 4 +-
drivers/staging/comedi/comedi_fops.c | 7 +-
drivers/staging/line6/pcm.c | 5 +-
drivers/staging/zram/zram_drv.c | 38 +++--
drivers/staging/zram/zram_drv.h | 5 +-
drivers/staging/zram/zram_sysfs.c | 2 +
drivers/target/iscsi/iscsi_target_configfs.c | 2 +-
drivers/target/target_core_spc.c | 9 +-
drivers/tty/hvc/hvsi_lib.c | 4 +-
drivers/tty/serial/mxs-auart.c | 38 +++--
drivers/usb/core/hub.c | 9 +
drivers/usb/core/quirks.c | 6 +
drivers/usb/dwc3/core.h | 4 +-
drivers/usb/dwc3/gadget.c | 1 +
drivers/usb/host/ehci-hub.c | 1 +
drivers/usb/host/xhci-pci.c | 1 -
drivers/usb/host/xhci-ring.c | 2 +-
drivers/usb/host/xhci.c | 13 +-
drivers/usb/misc/sisusbvga/sisusb.c | 1 +
drivers/usb/serial/cp210x.c | 4 +
drivers/usb/serial/ftdi_sio.c | 31 +++-
drivers/usb/serial/ftdi_sio_ids.h | 34 +++-
drivers/usb/serial/keyspan.c | 2 +-
drivers/usb/serial/mos7720.c | 21 ++-
drivers/usb/serial/mos7840.c | 175 ++++++++++++--------
drivers/usb/serial/option.c | 14 +-
drivers/usb/serial/ti_usb_3410_5052.c | 11 +-
drivers/usb/serial/usb_wwan.c | 20 +--
drivers/usb/storage/unusual_devs.h | 7 +
drivers/usb/wusbcore/wa-xfer.c | 9 +-
drivers/vhost/vhost.c | 2 +-
drivers/vhost/vhost.h | 2 +-
drivers/virtio/virtio_ring.c | 54 ++++--
drivers/xen/events.c | 2 +-
drivers/xen/evtchn.c | 21 +--
fs/bio.c | 20 ++-
fs/block_dev.c | 9 +-
fs/btrfs/extent-tree.c | 13 ++
fs/cifs/cifsencrypt.c | 2 +-
fs/cifs/cifsglob.h | 1 +
fs/cifs/connect.c | 7 +-
fs/cifs/sess.c | 6 +-
fs/debugfs/inode.c | 69 +++-----
fs/ext4/ext4_jbd2.c | 8 +-
fs/ext4/ialloc.c | 10 +-
fs/ext4/super.c | 19 ++-
fs/jfs/jfs_dtree.c | 31 +++-
fs/lockd/svclock.c | 4 +
fs/nfsd/vfs.c | 5 +-
fs/nilfs2/segbuf.c | 5 +-
fs/notify/fanotify/fanotify_user.c | 1 +
fs/proc/task_mmu.c | 8 +-
fs/reiserfs/procfs.c | 92 +++-------
fs/reiserfs/super.c | 3 +-
fs/super.c | 25 ++-
include/linux/elevator.h | 6 +-
include/linux/ftrace_event.h | 4 +-
include/linux/if_vlan.h | 3 +-
include/linux/regmap.h | 2 +
include/linux/sched.h | 1 +
include/linux/skbuff.h | 4 +-
include/linux/user_namespace.h | 1 +
include/linux/virtio.h | 4 +
include/linux/wait.h | 57 +++++++
include/net/ndisc.h | 2 +-
include/net/udp.h | 1 +
kernel/cgroup.c | 9 +-
kernel/events/core.c | 28 +++-
kernel/hrtimer.c | 28 ++--
kernel/power/autosleep.c | 3 +-
kernel/printk.c | 2 +-
kernel/time/tick-broadcast.c | 10 +-
kernel/trace/trace.c | 1 +
kernel/trace/trace_syscalls.c | 21 ++-
kernel/trace/trace_uprobe.c | 4 +-
kernel/user_namespace.c | 4 +
kernel/workqueue.c | 9 +
lib/Kconfig.debug | 2 +-
mm/memory.c | 9 +-
net/8021q/vlan_core.c | 2 +-
net/8021q/vlan_dev.c | 7 +
net/9p/trans_common.c | 10 +-
net/core/dev.c | 11 +-
net/core/neighbour.c | 12 +-
net/core/skbuff.c | 4 +-
net/ipv4/ip_vti.c | 7 -
net/ipv4/sysctl_net_ipv4.c | 6 +-
net/ipv4/udp.c | 3 +-
net/ipv6/ip6_output.c | 16 +-
net/ipv6/ip6mr.c | 5 +
net/ipv6/route.c | 9 +-
net/ipv6/udp.c | 7 +-
net/key/af_key.c | 4 +
net/l2tp/l2tp_ppp.c | 3 +-
net/mac80211/cfg.c | 2 +
net/mac80211/rx.c | 10 +-
net/netlink/genetlink.c | 7 +
net/sched/sch_atm.c | 1 +
net/sched/sch_cbq.c | 1 +
net/sunrpc/svcsock.c | 5 +-
net/sunrpc/xdr.c | 9 +-
net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++-
net/wireless/core.c | 1 +
net/wireless/nl80211.c | 7 +-
net/x25/af_x25.c | 15 +-
sound/arm/pxa2xx-pcm-lib.c | 2 +
sound/core/compress_offload.c | 2 +-
sound/core/seq/oss/seq_oss_init.c | 16 +-
sound/core/seq/oss/seq_oss_midi.c | 2 +-
sound/isa/opti9xx/opti92x-ad1848.c | 8 +-
sound/pci/asihpi/asihpi.c | 3 +
sound/pci/atiixp.c | 2 +
sound/pci/atiixp_modem.c | 2 +
sound/pci/hda/patch_hdmi.c | 4 +-
sound/pci/hda/patch_realtek.c | 2 +
sound/soc/codecs/cs42l52.c | 2 +-
sound/soc/codecs/max98088.c | 2 +-
sound/soc/codecs/sgtl5000.h | 2 +-
sound/soc/codecs/wm8962.c | 24 +--
sound/soc/s6000/s6000-pcm.c | 2 +
sound/soc/tegra/tegra30_i2s.c | 2 +-
sound/usb/6fire/comm.c | 38 ++++-
sound/usb/6fire/comm.h | 2 +-
sound/usb/6fire/midi.c | 16 +-
sound/usb/6fire/midi.h | 6 +-
sound/usb/6fire/pcm.c | 55 +++++-
sound/usb/6fire/pcm.h | 2 +-
sound/usb/endpoint.c | 13 +-
sound/usb/misc/ua101.c | 14 +-
sound/usb/usx2y/usbusx2yaudio.c | 4 +
259 files changed, 2152 insertions(+), 1107 deletions(-)
^ permalink raw reply [flat|nested] 271+ messages in thread
* [001/251] powerpc/smp: Section mismatch from smp_release_cpus to __initdata spinning_secondaries
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [002/251] ALSA: hda - Cache the MUX selection for generic HDMI Steven Rostedt
` (249 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Chen Gang, Benjamin Herrenschmidt
[-- Attachment #1: 0001-powerpc-smp-Section-mismatch-from-smp_release_cpus-t.patch --]
[-- Type: text/plain, Size: 2079 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Chen Gang <gang.chen@asianux.com>
[ Upstream commit 8246aca7058f3f2c2ae503081777965cd8df7b90 ]
the smp_release_cpus is a normal funciton and called in normal environments,
but it calls the __initdata spinning_secondaries.
need modify spinning_secondaries to match smp_release_cpus.
the related warning:
(the linker report boot_paca.33377, but it should be spinning_secondaries)
-----------------------------------------------------------------------------
WARNING: arch/powerpc/kernel/built-in.o(.text+0x23176): Section mismatch in reference from the function .smp_release_cpus() to the variable .init.data:boot_paca.33377
The function .smp_release_cpus() references
the variable __initdata boot_paca.33377.
This is often because .smp_release_cpus lacks a __initdata
annotation or the annotation of boot_paca.33377 is wrong.
WARNING: arch/powerpc/kernel/built-in.o(.text+0x231fe): Section mismatch in reference from the function .smp_release_cpus() to the variable .init.data:boot_paca.33377
The function .smp_release_cpus() references
the variable __initdata boot_paca.33377.
This is often because .smp_release_cpus lacks a __initdata
annotation or the annotation of boot_paca.33377 is wrong.
-----------------------------------------------------------------------------
Signed-off-by: Chen Gang <gang.chen@asianux.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/powerpc/kernel/setup_64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
index 389bd4f..5c9eccc 100644
--- a/arch/powerpc/kernel/setup_64.c
+++ b/arch/powerpc/kernel/setup_64.c
@@ -76,7 +76,7 @@
#endif
int boot_cpuid = 0;
-int __initdata spinning_secondaries;
+int spinning_secondaries;
u64 ppc64_pft_size;
/* Pick defaults since we might want to patch instructions
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [002/251] ALSA: hda - Cache the MUX selection for generic HDMI
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
2013-09-11 4:27 ` [001/251] powerpc/smp: Section mismatch from smp_release_cpus to __initdata spinning_secondaries Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [003/251] ALSA: hda - Add new GPU codec ID to snd-hda Steven Rostedt
` (248 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Takashi Iwai
[-- Attachment #1: 0002-ALSA-hda-Cache-the-MUX-selection-for-generic-HDMI.patch --]
[-- Type: text/plain, Size: 1213 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit bddee96b5d0db869f47b195fe48c614ca824203c ]
When a selection to a converter MUX is changed in hdmi_pcm_open(), it
should be cached so that the given connection can be restored properly
at PM resume. We need just to replace the corresponding
snd_hda_codec_write() call with snd_hda_codec_write_cache().
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/pci/hda/patch_hdmi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
index 8f23374..38cb446 100644
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -908,7 +908,7 @@ static int hdmi_pcm_open(struct hda_pcm_stream *hinfo,
per_cvt->assigned = 1;
hinfo->nid = per_cvt->cvt_nid;
- snd_hda_codec_write(codec, per_pin->pin_nid, 0,
+ snd_hda_codec_write_cache(codec, per_pin->pin_nid, 0,
AC_VERB_SET_CONNECT_SEL,
mux_idx);
snd_hda_spdif_ctls_assign(codec, pin_idx, per_cvt->cvt_nid);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [003/251] ALSA: hda - Add new GPU codec ID to snd-hda
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
2013-09-11 4:27 ` [001/251] powerpc/smp: Section mismatch from smp_release_cpus to __initdata spinning_secondaries Steven Rostedt
2013-09-11 4:27 ` [002/251] ALSA: hda - Cache the MUX selection for generic HDMI Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [004/251] ALSA: seq-oss: Initialize MIDI clients asynchronously Steven Rostedt
` (247 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Andy Ritger, Aaron Plattner, Takashi Iwai
[-- Attachment #1: 0003-ALSA-hda-Add-new-GPU-codec-ID-to-snd-hda.patch --]
[-- Type: text/plain, Size: 1740 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Aaron Plattner <aplattner@nvidia.com>
[ Upstream commit d52392b1a80458c0510810789c7db4a39b88022a ]
Vendor ID 0x10de0060 is used by a yet-to-be-named GPU chip.
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/pci/hda/patch_hdmi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
index 38cb446..80a86b3 100644
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -1921,6 +1921,7 @@ static const struct hda_codec_preset snd_hda_preset_hdmi[] = {
{ .id = 0x10de0043, .name = "GPU 43 HDMI/DP", .patch = patch_generic_hdmi },
{ .id = 0x10de0044, .name = "GPU 44 HDMI/DP", .patch = patch_generic_hdmi },
{ .id = 0x10de0051, .name = "GPU 51 HDMI/DP", .patch = patch_generic_hdmi },
+{ .id = 0x10de0060, .name = "GPU 60 HDMI/DP", .patch = patch_generic_hdmi },
{ .id = 0x10de0067, .name = "MCP67 HDMI", .patch = patch_nvhdmi_2ch },
{ .id = 0x10de8001, .name = "MCP73 HDMI", .patch = patch_nvhdmi_2ch },
{ .id = 0x11069f80, .name = "VX900 HDMI/DP", .patch = patch_via_hdmi },
@@ -1973,6 +1974,7 @@ MODULE_ALIAS("snd-hda-codec-id:10de0042");
MODULE_ALIAS("snd-hda-codec-id:10de0043");
MODULE_ALIAS("snd-hda-codec-id:10de0044");
MODULE_ALIAS("snd-hda-codec-id:10de0051");
+MODULE_ALIAS("snd-hda-codec-id:10de0060");
MODULE_ALIAS("snd-hda-codec-id:10de0067");
MODULE_ALIAS("snd-hda-codec-id:10de8001");
MODULE_ALIAS("snd-hda-codec-id:11069f80");
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [004/251] ALSA: seq-oss: Initialize MIDI clients asynchronously
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (2 preceding siblings ...)
2013-09-11 4:27 ` [003/251] ALSA: hda - Add new GPU codec ID to snd-hda Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [005/251] ALSA: 6fire: Fix unlocked snd_pcm_stop() call Steven Rostedt
` (246 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Takashi Iwai
[-- Attachment #1: 0004-ALSA-seq-oss-Initialize-MIDI-clients-asynchronously.patch --]
[-- Type: text/plain, Size: 3079 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 256ca9c3ad5013ff8a8f165e5a82fab437628c8e ]
We've got bug reports that the module loading stuck on Debian system
with 3.10 kernel. The debugging session revealed that the initial
registration of OSS sequencer clients stuck at module loading time,
which involves again with request_module() at the init phase. This is
triggered only by special --install stuff Debian is using, but it's
still not good to have such loops.
As a workaround, call the registration part asynchronously. This is a
better approach irrespective of the hang fix, in anyway.
Reported-and-tested-by: Philipp Matthias Hahn <pmhahn@pmhahn.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/core/seq/oss/seq_oss_init.c | 16 +++++++++++++---
sound/core/seq/oss/seq_oss_midi.c | 2 +-
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c
index e3cb46f..b3f39b5 100644
--- a/sound/core/seq/oss/seq_oss_init.c
+++ b/sound/core/seq/oss/seq_oss_init.c
@@ -31,6 +31,7 @@
#include <linux/export.h>
#include <linux/moduleparam.h>
#include <linux/slab.h>
+#include <linux/workqueue.h>
/*
* common variables
@@ -60,6 +61,14 @@ static void free_devinfo(void *private);
#define call_ctl(type,rec) snd_seq_kernel_client_ctl(system_client, type, rec)
+/* call snd_seq_oss_midi_lookup_ports() asynchronously */
+static void async_call_lookup_ports(struct work_struct *work)
+{
+ snd_seq_oss_midi_lookup_ports(system_client);
+}
+
+static DECLARE_WORK(async_lookup_work, async_call_lookup_ports);
+
/*
* create sequencer client for OSS sequencer
*/
@@ -85,9 +94,6 @@ snd_seq_oss_create_client(void)
system_client = rc;
debug_printk(("new client = %d\n", rc));
- /* look up midi devices */
- snd_seq_oss_midi_lookup_ports(system_client);
-
/* create annoucement receiver port */
memset(port, 0, sizeof(*port));
strcpy(port->name, "Receiver");
@@ -115,6 +121,9 @@ snd_seq_oss_create_client(void)
}
rc = 0;
+ /* look up midi devices */
+ schedule_work(&async_lookup_work);
+
__error:
kfree(port);
return rc;
@@ -160,6 +169,7 @@ receive_announce(struct snd_seq_event *ev, int direct, void *private, int atomic
int
snd_seq_oss_delete_client(void)
{
+ cancel_work_sync(&async_lookup_work);
if (system_client >= 0)
snd_seq_delete_kernel_client(system_client);
diff --git a/sound/core/seq/oss/seq_oss_midi.c b/sound/core/seq/oss/seq_oss_midi.c
index 677dc84..862d8489 100644
--- a/sound/core/seq/oss/seq_oss_midi.c
+++ b/sound/core/seq/oss/seq_oss_midi.c
@@ -72,7 +72,7 @@ static int send_midi_event(struct seq_oss_devinfo *dp, struct snd_seq_event *ev,
* look up the existing ports
* this looks a very exhausting job.
*/
-int __init
+int
snd_seq_oss_midi_lookup_ports(int client)
{
struct snd_seq_client_info *clinfo;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [005/251] ALSA: 6fire: Fix unlocked snd_pcm_stop() call
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (3 preceding siblings ...)
2013-09-11 4:27 ` [004/251] ALSA: seq-oss: Initialize MIDI clients asynchronously Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [006/251] ALSA: ua101: " Steven Rostedt
` (245 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Takashi Iwai
[-- Attachment #1: 0005-ALSA-6fire-Fix-unlocked-snd_pcm_stop-call.patch --]
[-- Type: text/plain, Size: 1508 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 5b9ab3f7324a1b94a5a5a76d44cf92dfeb3b5e80 ]
snd_pcm_stop() must be called in the PCM substream lock context.
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/usb/6fire/pcm.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/sound/usb/6fire/pcm.c b/sound/usb/6fire/pcm.c
index c97d05f..3143d9c 100644
--- a/sound/usb/6fire/pcm.c
+++ b/sound/usb/6fire/pcm.c
@@ -639,17 +639,25 @@ int __devinit usb6fire_pcm_init(struct sfire_chip *chip)
void usb6fire_pcm_abort(struct sfire_chip *chip)
{
struct pcm_runtime *rt = chip->pcm;
+ unsigned long flags;
int i;
if (rt) {
rt->panic = true;
- if (rt->playback.instance)
+ if (rt->playback.instance) {
+ snd_pcm_stream_lock_irqsave(rt->playback.instance, flags);
snd_pcm_stop(rt->playback.instance,
SNDRV_PCM_STATE_XRUN);
- if (rt->capture.instance)
+ snd_pcm_stream_unlock_irqrestore(rt->playback.instance, flags);
+ }
+
+ if (rt->capture.instance) {
+ snd_pcm_stream_lock_irqsave(rt->capture.instance, flags);
snd_pcm_stop(rt->capture.instance,
SNDRV_PCM_STATE_XRUN);
+ snd_pcm_stream_unlock_irqrestore(rt->capture.instance, flags);
+ }
for (i = 0; i < PCM_N_URBS; i++) {
usb_poison_urb(&rt->in_urbs[i].instance);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [006/251] ALSA: ua101: Fix unlocked snd_pcm_stop() call
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (4 preceding siblings ...)
2013-09-11 4:27 ` [005/251] ALSA: 6fire: Fix unlocked snd_pcm_stop() call Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [007/251] ALSA: pxa2xx: " Steven Rostedt
` (244 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Clemens Ladisch, Takashi Iwai
[-- Attachment #1: 0006-ALSA-ua101-Fix-unlocked-snd_pcm_stop-call.patch --]
[-- Type: text/plain, Size: 1629 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 9538aa46c2427d6782aa10036c4da4c541605e0e ]
snd_pcm_stop() must be called in the PCM substream lock context.
Cc: <stable@vger.kernel.org>
Acked-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/usb/misc/ua101.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/sound/usb/misc/ua101.c b/sound/usb/misc/ua101.c
index 8b81cb5..d97d35d 100644
--- a/sound/usb/misc/ua101.c
+++ b/sound/usb/misc/ua101.c
@@ -613,14 +613,24 @@ static int start_usb_playback(struct ua101 *ua)
static void abort_alsa_capture(struct ua101 *ua)
{
- if (test_bit(ALSA_CAPTURE_RUNNING, &ua->states))
+ unsigned long flags;
+
+ if (test_bit(ALSA_CAPTURE_RUNNING, &ua->states)) {
+ snd_pcm_stream_lock_irqsave(ua->capture.substream, flags);
snd_pcm_stop(ua->capture.substream, SNDRV_PCM_STATE_XRUN);
+ snd_pcm_stream_unlock_irqrestore(ua->capture.substream, flags);
+ }
}
static void abort_alsa_playback(struct ua101 *ua)
{
- if (test_bit(ALSA_PLAYBACK_RUNNING, &ua->states))
+ unsigned long flags;
+
+ if (test_bit(ALSA_PLAYBACK_RUNNING, &ua->states)) {
+ snd_pcm_stream_lock_irqsave(ua->playback.substream, flags);
snd_pcm_stop(ua->playback.substream, SNDRV_PCM_STATE_XRUN);
+ snd_pcm_stream_unlock_irqrestore(ua->playback.substream, flags);
+ }
}
static int set_stream_hw(struct ua101 *ua, struct snd_pcm_substream *substream,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [007/251] ALSA: pxa2xx: Fix unlocked snd_pcm_stop() call
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (5 preceding siblings ...)
2013-09-11 4:27 ` [006/251] ALSA: ua101: " Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [008/251] ALSA: atiixp: " Steven Rostedt
` (243 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Mark Brown, Takashi Iwai
[-- Attachment #1: 0007-ALSA-pxa2xx-Fix-unlocked-snd_pcm_stop-call.patch --]
[-- Type: text/plain, Size: 1039 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 46f6c1aaf790be9ea3c8ddfc8f235a5f677d08e2 ]
snd_pcm_stop() must be called in the PCM substream lock context.
Cc: <stable@vger.kernel.org>
Acked-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/arm/pxa2xx-pcm-lib.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/arm/pxa2xx-pcm-lib.c b/sound/arm/pxa2xx-pcm-lib.c
index 76e0d56..823359e 100644
--- a/sound/arm/pxa2xx-pcm-lib.c
+++ b/sound/arm/pxa2xx-pcm-lib.c
@@ -166,7 +166,9 @@ void pxa2xx_pcm_dma_irq(int dma_ch, void *dev_id)
} else {
printk(KERN_ERR "%s: DMA error on channel %d (DCSR=%#x)\n",
rtd->params->name, dma_ch, dcsr);
+ snd_pcm_stream_lock(substream);
snd_pcm_stop(substream, SNDRV_PCM_STATE_XRUN);
+ snd_pcm_stream_unlock(substream);
}
}
EXPORT_SYMBOL(pxa2xx_pcm_dma_irq);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [008/251] ALSA: atiixp: Fix unlocked snd_pcm_stop() call
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (6 preceding siblings ...)
2013-09-11 4:27 ` [007/251] ALSA: pxa2xx: " Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [009/251] ALSA: asihpi: " Steven Rostedt
` (242 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Takashi Iwai
[-- Attachment #1: 0008-ALSA-atiixp-Fix-unlocked-snd_pcm_stop-call.patch --]
[-- Type: text/plain, Size: 1518 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit cc7282b8d5abbd48c81d1465925d464d9e3eaa8f ]
snd_pcm_stop() must be called in the PCM substream lock context.
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/pci/atiixp.c | 2 ++
sound/pci/atiixp_modem.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/sound/pci/atiixp.c b/sound/pci/atiixp.c
index 31020d2..1231353 100644
--- a/sound/pci/atiixp.c
+++ b/sound/pci/atiixp.c
@@ -688,7 +688,9 @@ static void snd_atiixp_xrun_dma(struct atiixp *chip, struct atiixp_dma *dma)
if (! dma->substream || ! dma->running)
return;
snd_printdd("atiixp: XRUN detected (DMA %d)\n", dma->ops->type);
+ snd_pcm_stream_lock(dma->substream);
snd_pcm_stop(dma->substream, SNDRV_PCM_STATE_XRUN);
+ snd_pcm_stream_unlock(dma->substream);
}
/*
diff --git a/sound/pci/atiixp_modem.c b/sound/pci/atiixp_modem.c
index 79e204e..3662140 100644
--- a/sound/pci/atiixp_modem.c
+++ b/sound/pci/atiixp_modem.c
@@ -638,7 +638,9 @@ static void snd_atiixp_xrun_dma(struct atiixp_modem *chip,
if (! dma->substream || ! dma->running)
return;
snd_printdd("atiixp-modem: XRUN detected (DMA %d)\n", dma->ops->type);
+ snd_pcm_stream_lock(dma->substream);
snd_pcm_stop(dma->substream, SNDRV_PCM_STATE_XRUN);
+ snd_pcm_stream_unlock(dma->substream);
}
/*
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [009/251] ALSA: asihpi: Fix unlocked snd_pcm_stop() call
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (7 preceding siblings ...)
2013-09-11 4:27 ` [008/251] ALSA: atiixp: " Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [010/251] ALSA: usx2y: " Steven Rostedt
` (241 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Takashi Iwai
[-- Attachment #1: 0009-ALSA-asihpi-Fix-unlocked-snd_pcm_stop-call.patch --]
[-- Type: text/plain, Size: 1013 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 60478295d6876619f8f47f6d1a5c25eaade69ee3 ]
snd_pcm_stop() must be called in the PCM substream lock context.
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/pci/asihpi/asihpi.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/pci/asihpi/asihpi.c b/sound/pci/asihpi/asihpi.c
index e8de831..05093bd 100644
--- a/sound/pci/asihpi/asihpi.c
+++ b/sound/pci/asihpi/asihpi.c
@@ -769,7 +769,10 @@ static void snd_card_asihpi_timer_function(unsigned long data)
s->number);
ds->drained_count++;
if (ds->drained_count > 20) {
+ unsigned long flags;
+ snd_pcm_stream_lock_irqsave(s, flags);
snd_pcm_stop(s, SNDRV_PCM_STATE_XRUN);
+ snd_pcm_stream_unlock_irqrestore(s, flags);
continue;
}
} else {
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [010/251] ALSA: usx2y: Fix unlocked snd_pcm_stop() call
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (8 preceding siblings ...)
2013-09-11 4:27 ` [009/251] ALSA: asihpi: " Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [011/251] libata: skip SRST for all SIMG [34]7x port-multipliers Steven Rostedt
` (240 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Takashi Iwai
[-- Attachment #1: 0010-ALSA-usx2y-Fix-unlocked-snd_pcm_stop-call.patch --]
[-- Type: text/plain, Size: 1176 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 5be1efb4c2ed79c3d7c0cbcbecae768377666e84 ]
snd_pcm_stop() must be called in the PCM substream lock context.
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/usb/usx2y/usbusx2yaudio.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sound/usb/usx2y/usbusx2yaudio.c b/sound/usb/usx2y/usbusx2yaudio.c
index 520ef96..43d337d 100644
--- a/sound/usb/usx2y/usbusx2yaudio.c
+++ b/sound/usb/usx2y/usbusx2yaudio.c
@@ -273,7 +273,11 @@ static void usX2Y_clients_stop(struct usX2Ydev *usX2Y)
struct snd_usX2Y_substream *subs = usX2Y->subs[s];
if (subs) {
if (atomic_read(&subs->state) >= state_PRERUNNING) {
+ unsigned long flags;
+
+ snd_pcm_stream_lock_irqsave(subs->pcm_substream, flags);
snd_pcm_stop(subs->pcm_substream, SNDRV_PCM_STATE_XRUN);
+ snd_pcm_stream_unlock_irqrestore(subs->pcm_substream, flags);
}
for (u = 0; u < NRURBS; u++) {
struct urb *urb = subs->urb[u];
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [011/251] libata: skip SRST for all SIMG [34]7x port-multipliers
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (9 preceding siblings ...)
2013-09-11 4:27 ` [010/251] ALSA: usx2y: " Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [012/251] ata_piix: IDE-mode SATA patch for Intel Coleto Creek DeviceIDs Steven Rostedt
` (239 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Tejun Heo, H. Peter Anvin
[-- Attachment #1: 0011-libata-skip-SRST-for-all-SIMG-34-7x-port-multipliers.patch --]
[-- Type: text/plain, Size: 3245 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
[ Upstream commit 7a87718d92760fc688628ad6a430643dafa16f1f ]
For some reason, a lot of port-multipliers have issues with softreset.
SIMG [34]7x series port-multipliers have been quite erratic in this
regard. I recall that it was better with some firmware revisions and
the current list of quirks worked fine for a while. I think it got
worse with later firmwares or maybe my test coverage wasn't good
enough. Anyways, HPA is reporting that his 3726 setup suffers SRST
failures and then the PMP gets confused and fails to probe the last
port.
The hope was that we try to stick to the standard as much as possible
and soonish the PMPs and their firmwares will improve in quality, so
the quirk list was kept to minimum. Well, it seems like that's never
gonna happen.
Let's set NO_SRST for all [34]7x PMPs so that whatever remaining
userbase of the device suffer the least. Maybe we should do the same
for 57xx's but unfortunately I don't have any device left to test and
I'm not even sure 57xx's have ever been made widely available, so
let's leave those alone for now.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: "H. Peter Anvin" <hpa@zytor.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/ata/libata-pmp.c | 33 +++++++++++++++++----------------
1 file changed, 17 insertions(+), 16 deletions(-)
diff --git a/drivers/ata/libata-pmp.c b/drivers/ata/libata-pmp.c
index 61c59ee..1c41722 100644
--- a/drivers/ata/libata-pmp.c
+++ b/drivers/ata/libata-pmp.c
@@ -389,9 +389,13 @@ static void sata_pmp_quirks(struct ata_port *ap)
/* link reports offline after LPM */
link->flags |= ATA_LFLAG_NO_LPM;
- /* Class code report is unreliable. */
+ /*
+ * Class code report is unreliable and SRST times
+ * out under certain configurations.
+ */
if (link->pmp < 5)
- link->flags |= ATA_LFLAG_ASSUME_ATA;
+ link->flags |= ATA_LFLAG_NO_SRST |
+ ATA_LFLAG_ASSUME_ATA;
/* port 5 is for SEMB device and it doesn't like SRST */
if (link->pmp == 5)
@@ -399,20 +403,17 @@ static void sata_pmp_quirks(struct ata_port *ap)
ATA_LFLAG_ASSUME_SEMB;
}
} else if (vendor == 0x1095 && devid == 0x4723) {
- /* sil4723 quirks */
- ata_for_each_link(link, ap, EDGE) {
- /* link reports offline after LPM */
- link->flags |= ATA_LFLAG_NO_LPM;
-
- /* class code report is unreliable */
- if (link->pmp < 2)
- link->flags |= ATA_LFLAG_ASSUME_ATA;
-
- /* the config device at port 2 locks up on SRST */
- if (link->pmp == 2)
- link->flags |= ATA_LFLAG_NO_SRST |
- ATA_LFLAG_ASSUME_ATA;
- }
+ /*
+ * sil4723 quirks
+ *
+ * Link reports offline after LPM. Class code report is
+ * unreliable. SIMG PMPs never got SRST reliable and the
+ * config device at port 2 locks up on SRST.
+ */
+ ata_for_each_link(link, ap, EDGE)
+ link->flags |= ATA_LFLAG_NO_LPM |
+ ATA_LFLAG_NO_SRST |
+ ATA_LFLAG_ASSUME_ATA;
} else if (vendor == 0x1095 && devid == 0x4726) {
/* sil4726 quirks */
ata_for_each_link(link, ap, EDGE) {
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [012/251] ata_piix: IDE-mode SATA patch for Intel Coleto Creek DeviceIDs
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (10 preceding siblings ...)
2013-09-11 4:27 ` [011/251] libata: skip SRST for all SIMG [34]7x port-multipliers Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [013/251] i2c-piix4: Add AMD CZ SMBus device ID Steven Rostedt
` (238 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Seth Heasley, Tejun Heo
[-- Attachment #1: 0012-ata_piix-IDE-mode-SATA-patch-for-Intel-Coleto-Creek-.patch --]
[-- Type: text/plain, Size: 1102 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Seth Heasley <seth.heasley@intel.com>
[ Upstream commit c7e8695bfa0611b39493a9dfe8bab9f63f9809bd ]
This patch adds the IDE-mode SATA DeviceIDs for the Intel Coleto Creek PCH.
Signed-off-by: Seth Heasley <seth.heasley@intel.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/ata/ata_piix.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/ata/ata_piix.c b/drivers/ata/ata_piix.c
index 80c44c30..1cecf06 100644
--- a/drivers/ata/ata_piix.c
+++ b/drivers/ata/ata_piix.c
@@ -344,6 +344,8 @@ static const struct pci_device_id piix_pci_tbl[] = {
/* SATA Controller IDE (BayTrail) */
{ 0x8086, 0x0F20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_byt },
{ 0x8086, 0x0F21, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_byt },
+ /* SATA Controller IDE (Coleto Creek) */
+ { 0x8086, 0x23a6, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
{ } /* terminate list */
};
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [013/251] i2c-piix4: Add AMD CZ SMBus device ID
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (11 preceding siblings ...)
2013-09-11 4:27 ` [012/251] ata_piix: IDE-mode SATA patch for Intel Coleto Creek DeviceIDs Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [014/251] ASoC: s6000: Fix unlocked snd_pcm_stop() call Steven Rostedt
` (237 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Shane Huang, Bjorn Helgaas, Tejun Heo, Jean Delvare
[-- Attachment #1: 0013-i2c-piix4-Add-AMD-CZ-SMBus-device-ID.patch --]
[-- Type: text/plain, Size: 2627 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Shane Huang <shane.huang@amd.com>
[ Upstream commit b996ac90f595dda271cbd858b136b45557fc1a57 ]
To add AMD CZ SMBus controller device ID.
[bhelgaas: drop pci_ids.h update]
Signed-off-by: Shane Huang <shane.huang@amd.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Jean Delvare <khali@linux-fr.org>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
Documentation/i2c/busses/i2c-piix4 | 2 +-
drivers/i2c/busses/Kconfig | 1 +
drivers/i2c/busses/i2c-piix4.c | 3 ++-
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/Documentation/i2c/busses/i2c-piix4 b/Documentation/i2c/busses/i2c-piix4
index 1e6634f..a370b20 100644
--- a/Documentation/i2c/busses/i2c-piix4
+++ b/Documentation/i2c/busses/i2c-piix4
@@ -13,7 +13,7 @@ Supported adapters:
* AMD SP5100 (SB700 derivative found on some server mainboards)
Datasheet: Publicly available at the AMD website
http://support.amd.com/us/Embedded_TechDocs/44413.pdf
- * AMD Hudson-2
+ * AMD Hudson-2, CZ
Datasheet: Not publicly available
* Standard Microsystems (SMSC) SLC90E66 (Victory66) southbridge
Datasheet: Publicly available at the SMSC website http://www.smsc.com
diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig
index 970a161..8f81b11 100644
--- a/drivers/i2c/busses/Kconfig
+++ b/drivers/i2c/busses/Kconfig
@@ -137,6 +137,7 @@ config I2C_PIIX4
ATI SB700/SP5100
ATI SB800
AMD Hudson-2
+ AMD CZ
Serverworks OSB4
Serverworks CSB5
Serverworks CSB6
diff --git a/drivers/i2c/busses/i2c-piix4.c b/drivers/i2c/busses/i2c-piix4.c
index 8bbd6ec..a216d9d 100644
--- a/drivers/i2c/busses/i2c-piix4.c
+++ b/drivers/i2c/busses/i2c-piix4.c
@@ -22,7 +22,7 @@
Intel PIIX4, 440MX
Serverworks OSB4, CSB5, CSB6, HT-1000, HT-1100
ATI IXP200, IXP300, IXP400, SB600, SB700/SP5100, SB800
- AMD Hudson-2
+ AMD Hudson-2, CZ
SMSC Victory66
Note: we assume there can only be one device, with one or more
@@ -523,6 +523,7 @@ static DEFINE_PCI_DEVICE_TABLE(piix4_ids) = {
{ PCI_DEVICE(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_IXP400_SMBUS) },
{ PCI_DEVICE(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_SBX00_SMBUS) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_HUDSON2_SMBUS) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, 0x790b) },
{ PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
PCI_DEVICE_ID_SERVERWORKS_OSB4) },
{ PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [014/251] ASoC: s6000: Fix unlocked snd_pcm_stop() call
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (12 preceding siblings ...)
2013-09-11 4:27 ` [013/251] i2c-piix4: Add AMD CZ SMBus device ID Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [015/251] ASoC: sglt5000: Fix SGTL5000_PLL_FRAC_DIV_MASK Steven Rostedt
` (236 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Mark Brown, Takashi Iwai
[-- Attachment #1: 0014-ASoC-s6000-Fix-unlocked-snd_pcm_stop-call.patch --]
[-- Type: text/plain, Size: 1025 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 61be2b9a18ec70f3cbe3deef7a5f77869c71b5ae ]
snd_pcm_stop() must be called in the PCM substream lock context.
Cc: <stable@vger.kernel.org>
Acked-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/soc/s6000/s6000-pcm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/soc/s6000/s6000-pcm.c b/sound/soc/s6000/s6000-pcm.c
index 716da86..17f9348 100644
--- a/sound/soc/s6000/s6000-pcm.c
+++ b/sound/soc/s6000/s6000-pcm.c
@@ -128,7 +128,9 @@ static irqreturn_t s6000_pcm_irq(int irq, void *data)
substream->runtime &&
snd_pcm_running(substream)) {
dev_dbg(pcm->dev, "xrun\n");
+ snd_pcm_stream_lock(substream);
snd_pcm_stop(substream, SNDRV_PCM_STATE_XRUN);
+ snd_pcm_stream_unlock(substream);
ret = IRQ_HANDLED;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [015/251] ASoC: sglt5000: Fix SGTL5000_PLL_FRAC_DIV_MASK
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (13 preceding siblings ...)
2013-09-11 4:27 ` [014/251] ASoC: s6000: Fix unlocked snd_pcm_stop() call Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [016/251] md/raid10: fix two bugs affecting RAID10 reshape Steven Rostedt
` (235 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Oskar Schirmer, Fabio Estevam, Mark Brown
[-- Attachment #1: 0015-ASoC-sglt5000-Fix-SGTL5000_PLL_FRAC_DIV_MASK.patch --]
[-- Type: text/plain, Size: 1187 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Fabio Estevam <fabio.estevam@freescale.com>
[ Upstream commit 5c78dfe87ea04b501ee000a7f03b9432ac9d008c ]
SGTL5000_PLL_FRAC_DIV_MASK is used to mask bits 0-10 (11 bits in total) of
register CHIP_PLL_CTRL, so fix the mask to accomodate all this bit range.
Reported-by: Oskar Schirmer <oskar@scara.com>
Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/soc/codecs/sgtl5000.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/sgtl5000.h b/sound/soc/codecs/sgtl5000.h
index 8a9f435..d3a68bb 100644
--- a/sound/soc/codecs/sgtl5000.h
+++ b/sound/soc/codecs/sgtl5000.h
@@ -347,7 +347,7 @@
#define SGTL5000_PLL_INT_DIV_MASK 0xf800
#define SGTL5000_PLL_INT_DIV_SHIFT 11
#define SGTL5000_PLL_INT_DIV_WIDTH 5
-#define SGTL5000_PLL_FRAC_DIV_MASK 0x0700
+#define SGTL5000_PLL_FRAC_DIV_MASK 0x07ff
#define SGTL5000_PLL_FRAC_DIV_SHIFT 0
#define SGTL5000_PLL_FRAC_DIV_WIDTH 11
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [016/251] md/raid10: fix two bugs affecting RAID10 reshape.
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (14 preceding siblings ...)
2013-09-11 4:27 ` [015/251] ASoC: sglt5000: Fix SGTL5000_PLL_FRAC_DIV_MASK Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [017/251] tick: Prevent uncontrolled switch to oneshot mode Steven Rostedt
` (234 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: NeilBrown
[-- Attachment #1: 0016-md-raid10-fix-two-bugs-affecting-RAID10-reshape.patch --]
[-- Type: text/plain, Size: 1567 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: NeilBrown <neilb@suse.de>
[ Upstream commit 78eaa0d4cbcdb345992fa3dd22b3bcbb473cc064 ]
1/ If a RAID10 is being reshaped to a fewer number of devices
and is stopped while this is ongoing, then when the array is
reassembled the 'mirrors' array will be allocated too small.
This will lead to an access error or memory corruption.
2/ A sanity test for a reshaping RAID10 array is restarted
is slightly incorrect.
Due to the first bug, this is suitable for any -stable
kernel since 3.5 where this code was introduced.
Cc: stable@vger.kernel.org (v3.5+)
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/md/raid10.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index cd7394b..e2d5778 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -3434,7 +3434,7 @@ static struct r10conf *setup_conf(struct mddev *mddev)
/* FIXME calc properly */
conf->mirrors = kzalloc(sizeof(struct raid10_info)*(mddev->raid_disks +
- max(0,mddev->delta_disks)),
+ max(0,-mddev->delta_disks)),
GFP_KERNEL);
if (!conf->mirrors)
goto out;
@@ -3578,7 +3578,7 @@ static int run(struct mddev *mddev)
conf->geo.far_offset == 0)
goto out_free_conf;
if (conf->prev.far_copies != 1 &&
- conf->geo.far_offset == 0)
+ conf->prev.far_offset == 0)
goto out_free_conf;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [017/251] tick: Prevent uncontrolled switch to oneshot mode
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (15 preceding siblings ...)
2013-09-11 4:27 ` [016/251] md/raid10: fix two bugs affecting RAID10 reshape Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [018/251] clocksource: dw_apb: Fix error check Steven Rostedt
` (233 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Stephen Boyd, Mark Rutland, Thomas Gleixner
[-- Attachment #1: 0017-tick-Prevent-uncontrolled-switch-to-oneshot-mode.patch --]
[-- Type: text/plain, Size: 3066 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit 1f73a9806bdd07a5106409bbcab3884078bd34fe ]
When the system switches from periodic to oneshot mode, the broadcast
logic causes a possibility that a CPU which has not yet switched to
oneshot mode puts its own clock event device into oneshot mode without
updating the state and the timer handler.
CPU0 CPU1
per cpu tickdev is in periodic mode
and switched to broadcast
Switch to oneshot mode
tick_broadcast_switch_to_oneshot()
cpumask_copy(tick_oneshot_broacast_mask,
tick_broadcast_mask);
broadcast device mode = oneshot
Timer interrupt
irq_enter()
tick_check_oneshot_broadcast()
dev->set_mode(ONESHOT);
tick_handle_periodic()
if (dev->mode == ONESHOT)
dev->next_event += period;
FAIL.
We fail, because dev->next_event contains KTIME_MAX, if the device was
in periodic mode before the uncontrolled switch to oneshot happened.
We must copy the broadcast bits over to the oneshot mask, because
otherwise a CPU which relies on the broadcast would not been woken up
anymore after the broadcast device switched to oneshot mode.
So we need to verify in tick_check_oneshot_broadcast() whether the CPU
has already switched to oneshot mode. If not, leave the device
untouched and let the CPU switch controlled into oneshot mode.
This is a long standing bug, which was never noticed, because the main
user of the broadcast x86 cannot run into that scenario, AFAICT. The
nonarchitected timer mess of ARM creates a gazillion of differently
broken abominations which trigger the shortcomings of that broadcast
code, which better had never been necessary in the first place.
Reported-and-tested-by: Stehle Vincent-B46079 <B46079@freescale.com>
Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
Cc: John Stultz <john.stultz@linaro.org>,
Cc: Mark Rutland <mark.rutland@arm.com>
Link: http://lkml.kernel.org/r/alpine.DEB.2.02.1307012153060.4013@ionos.tec.linutronix.de
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
kernel/time/tick-broadcast.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c
index 239a323..f8961bf 100644
--- a/kernel/time/tick-broadcast.c
+++ b/kernel/time/tick-broadcast.c
@@ -400,7 +400,15 @@ void tick_check_oneshot_broadcast(int cpu)
if (cpumask_test_cpu(cpu, to_cpumask(tick_broadcast_oneshot_mask))) {
struct tick_device *td = &per_cpu(tick_cpu_device, cpu);
- clockevents_set_mode(td->evtdev, CLOCK_EVT_MODE_ONESHOT);
+ /*
+ * We might be in the middle of switching over from
+ * periodic to oneshot. If the CPU has not yet
+ * switched over, leave the device alone.
+ */
+ if (td->mode == TICKDEV_MODE_ONESHOT) {
+ clockevents_set_mode(td->evtdev,
+ CLOCK_EVT_MODE_ONESHOT);
+ }
}
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [018/251] clocksource: dw_apb: Fix error check
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (16 preceding siblings ...)
2013-09-11 4:27 ` [017/251] tick: Prevent uncontrolled switch to oneshot mode Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [019/251] rt2x00: read 5GHz TX power values from the correct offset Steven Rostedt
` (232 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Baruch Siach, Daniel Lezcano
[-- Attachment #1: 0018-clocksource-dw_apb-Fix-error-check.patch --]
[-- Type: text/plain, Size: 1125 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Baruch Siach <baruch@tkos.co.il>
[ Upstream commit 1a33bd2be705cbb3f57d7223b60baea441039307 ]
irq_of_parse_and_map() returns 0 on error, while the code checks for NO_IRQ.
This breaks on platforms that have NO_IRQ != 0.
Cc: <stable@vger.kernel.org>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/clocksource/dw_apb_timer_of.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clocksource/dw_apb_timer_of.c b/drivers/clocksource/dw_apb_timer_of.c
index f7dba5b..929e7ce 100644
--- a/drivers/clocksource/dw_apb_timer_of.c
+++ b/drivers/clocksource/dw_apb_timer_of.c
@@ -44,7 +44,7 @@ static void add_clockevent(struct device_node *event_timer)
u32 irq, rate;
irq = irq_of_parse_and_map(event_timer, 0);
- if (irq == NO_IRQ)
+ if (irq == 0)
panic("No IRQ for clock event timer");
timer_get_base_and_rate(event_timer, &iobase, &rate);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [019/251] rt2x00: read 5GHz TX power values from the correct offset
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (17 preceding siblings ...)
2013-09-11 4:27 ` [018/251] clocksource: dw_apb: Fix error check Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [020/251] ath9k_hw: Assign default xlna config for AR9485 Steven Rostedt
` (231 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Gabor Juhos, Stanislaw Gruszka, Gertjan van Wingerde, John W. Linville
[-- Attachment #1: 0019-rt2x00-read-5GHz-TX-power-values-from-the-correct-of.patch --]
[-- Type: text/plain, Size: 2855 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <juhosg@openwrt.org>
[ Upstream commit 0a6f3a8ebaf13407523c2c7d575b4ca2debd23ba ]
The current code uses the same index value both
for the channel information array and for the TX
power table. The index starts from 14, however the
index of the TX power table must start from zero.
Fix it, in order to get the correct TX power value
for a given channel.
The changes in rt61pci.c and rt73usb.c are compile
tested only.
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
Cc: stable@vger.kernel.org
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/rt2x00/rt2800lib.c | 4 ++--
drivers/net/wireless/rt2x00/rt61pci.c | 3 ++-
drivers/net/wireless/rt2x00/rt73usb.c | 3 ++-
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c
index 6c85ba5..fe0e278 100644
--- a/drivers/net/wireless/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/rt2x00/rt2800lib.c
@@ -4980,8 +4980,8 @@ int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev)
default_power2 = rt2x00_eeprom_addr(rt2x00dev, EEPROM_TXPOWER_A2);
for (i = 14; i < spec->num_channels; i++) {
- info[i].default_power1 = default_power1[i];
- info[i].default_power2 = default_power2[i];
+ info[i].default_power1 = default_power1[i - 14];
+ info[i].default_power2 = default_power2[i - 14];
}
}
diff --git a/drivers/net/wireless/rt2x00/rt61pci.c b/drivers/net/wireless/rt2x00/rt61pci.c
index b8ec961..7e475a9 100644
--- a/drivers/net/wireless/rt2x00/rt61pci.c
+++ b/drivers/net/wireless/rt2x00/rt61pci.c
@@ -2822,7 +2822,8 @@ static int rt61pci_probe_hw_mode(struct rt2x00_dev *rt2x00dev)
tx_power = rt2x00_eeprom_addr(rt2x00dev, EEPROM_TXPOWER_A_START);
for (i = 14; i < spec->num_channels; i++) {
info[i].max_power = MAX_TXPOWER;
- info[i].default_power1 = TXPOWER_FROM_DEV(tx_power[i]);
+ info[i].default_power1 =
+ TXPOWER_FROM_DEV(tx_power[i - 14]);
}
}
diff --git a/drivers/net/wireless/rt2x00/rt73usb.c b/drivers/net/wireless/rt2x00/rt73usb.c
index 248436c..55d30ba 100644
--- a/drivers/net/wireless/rt2x00/rt73usb.c
+++ b/drivers/net/wireless/rt2x00/rt73usb.c
@@ -2167,7 +2167,8 @@ static int rt73usb_probe_hw_mode(struct rt2x00_dev *rt2x00dev)
tx_power = rt2x00_eeprom_addr(rt2x00dev, EEPROM_TXPOWER_A_START);
for (i = 14; i < spec->num_channels; i++) {
info[i].max_power = MAX_TXPOWER;
- info[i].default_power1 = TXPOWER_FROM_DEV(tx_power[i]);
+ info[i].default_power1 =
+ TXPOWER_FROM_DEV(tx_power[i - 14]);
}
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [020/251] ath9k_hw: Assign default xlna config for AR9485
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (18 preceding siblings ...)
2013-09-11 4:27 ` [019/251] rt2x00: read 5GHz TX power values from the correct offset Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [021/251] ath9k: Do not assign noise for NULL caldata Steven Rostedt
` (230 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sujith Manoharan, John W. Linville
[-- Attachment #1: 0020-ath9k_hw-Assign-default-xlna-config-for-AR9485.patch --]
[-- Type: text/plain, Size: 2126 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Sujith Manoharan <c_manoha@qca.qualcomm.com>
[ Upstream commit 30d5b709da23f4ab9836c7f66d2d2e780a69cf12 ]
For AR9485 boards with XLNA, the default gpio config
is not set correctly, fix this.
Cc: stable@vger.kernel.org
Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 8 ++++++--
drivers/net/wireless/ath/ath9k/ar9003_phy.h | 2 ++
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
index d066f25..e8e3929 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -3562,7 +3562,7 @@ static u16 ar9003_hw_ant_ctrl_chain_get(struct ath_hw *ah, int chain,
static void ar9003_hw_ant_ctrl_apply(struct ath_hw *ah, bool is2ghz)
{
int chain;
- u32 regval;
+ u32 regval, value;
u32 ant_div_ctl1;
static const u32 switch_chain_reg[AR9300_MAX_CHAINS] = {
AR_PHY_SWITCH_CHAIN_0,
@@ -3570,7 +3570,11 @@ static void ar9003_hw_ant_ctrl_apply(struct ath_hw *ah, bool is2ghz)
AR_PHY_SWITCH_CHAIN_2,
};
- u32 value = ar9003_hw_ant_ctrl_common_get(ah, is2ghz);
+ if (AR_SREV_9485(ah) && (ar9003_hw_get_rx_gain_idx(ah) == 0))
+ ath9k_hw_cfg_output(ah, AR9300_EXT_LNA_CTL_GPIO_AR9485,
+ AR_GPIO_OUTPUT_MUX_AS_PCIE_ATTENTION_LED);
+
+ value = ar9003_hw_ant_ctrl_common_get(ah, is2ghz);
if (AR_SREV_9462(ah)) {
REG_RMW_FIELD(ah, AR_PHY_SWITCH_COM,
diff --git a/drivers/net/wireless/ath/ath9k/ar9003_phy.h b/drivers/net/wireless/ath/ath9k/ar9003_phy.h
index 84d3d49..3dead81 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_phy.h
+++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.h
@@ -339,6 +339,8 @@
#define AR_PHY_CCA_NOM_VAL_9330_2GHZ -118
+#define AR9300_EXT_LNA_CTL_GPIO_AR9485 9
+
/*
* AGC Field Definitions
*/
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [021/251] ath9k: Do not assign noise for NULL caldata
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (19 preceding siblings ...)
2013-09-11 4:27 ` [020/251] ath9k_hw: Assign default xlna config for AR9485 Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [022/251] aacraid: Fix for arrays are going offline in the system. System hangs Steven Rostedt
` (229 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sujith Manoharan, John W. Linville
[-- Attachment #1: 0021-ath9k-Do-not-assign-noise-for-NULL-caldata.patch --]
[-- Type: text/plain, Size: 1233 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Sujith Manoharan <c_manoha@qca.qualcomm.com>
[ Upstream commit d3bcb7b24bbf09fde8405770e676fe0c11c79662 ]
ah->noise is maintained globally and not per-channel. This
is updated in the reset() routine after the NF history has been
filled for the *current channel*, just before switching to
the new channel. There is no need to do it inside getnf(), since
ah->noise must contain a value for the new channel.
Cc: stable@vger.kernel.org
Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/ath/ath9k/calib.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath9k/calib.c b/drivers/net/wireless/ath/ath9k/calib.c
index e5cceb0..00960b7 100644
--- a/drivers/net/wireless/ath/ath9k/calib.c
+++ b/drivers/net/wireless/ath/ath9k/calib.c
@@ -388,7 +388,6 @@ bool ath9k_hw_getnf(struct ath_hw *ah, struct ath9k_channel *chan)
if (!caldata) {
chan->noisefloor = nf;
- ah->noise = ath9k_hw_getchan_noise(ah, chan);
return false;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [022/251] aacraid: Fix for arrays are going offline in the system. System hangs
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (20 preceding siblings ...)
2013-09-11 4:27 ` [021/251] ath9k: Do not assign noise for NULL caldata Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [023/251] zfcp: fix adapter (re)open recovery while link to SAN is down Steven Rostedt
` (228 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Mahesh Rajashekhara, James Bottomley
[-- Attachment #1: 0022-aacraid-Fix-for-arrays-are-going-offline-in-the-syst.patch --]
[-- Type: text/plain, Size: 1533 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
[ Upstream commit c5bebd829dd95602c15f8da8cc50fa938b5e0254 ]
One of the customer had reported that the set of raid logical arrays will
become unavailable (I/O offline) after a long hours of IO stress test. The OS
wouldn`t be accessible afterwards and require a hard reset.
This driver patch has a fix for race condition between the doorbell and the
circular buffer. The driver is modified to do an extra read after clearing the
doorbell in case there had been a completion posted during the small timing
window.
With this fix, we ran IO stress for ~13 days. There were no IO failures.
Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/scsi/aacraid/src.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/scsi/aacraid/src.c b/drivers/scsi/aacraid/src.c
index 3b021ec..e34418f 100644
--- a/drivers/scsi/aacraid/src.c
+++ b/drivers/scsi/aacraid/src.c
@@ -93,6 +93,9 @@ static irqreturn_t aac_src_intr_message(int irq, void *dev_id)
int send_it = 0;
extern int aac_sync_mode;
+ src_writel(dev, MUnit.ODR_C, bellbits);
+ src_readl(dev, MUnit.ODR_C);
+
if (!aac_sync_mode) {
src_writel(dev, MUnit.ODR_C, bellbits);
src_readl(dev, MUnit.ODR_C);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [023/251] zfcp: fix adapter (re)open recovery while link to SAN is down
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (21 preceding siblings ...)
2013-09-11 4:27 ` [022/251] aacraid: Fix for arrays are going offline in the system. System hangs Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [024/251] zfcp: block queue limits with data router Steven Rostedt
` (227 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Daniel Hansel, Steffen Maier, James Bottomley
[-- Attachment #1: 0023-zfcp-fix-adapter-re-open-recovery-while-link-to-SAN-.patch --]
[-- Type: text/plain, Size: 1947 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Daniel Hansel <daniel.hansel@linux.vnet.ibm.com>
[ Upstream commit f76ccaac4f82c463a037aa4a1e4ccb85c7011814 ]
FCP device remains in status ERP_FAILED when device is switched online
or adapter recovery is triggered while link to SAN is down.
When Exchange Configuration Data command returns the FSF status
FSF_EXCHANGE_CONFIG_DATA_INCOMPLETE it aborts the exchange process.
The only retries are done during the common error recovery procedure
(i.e. max. 3 retries with 8sec sleep between) and remains in status
ERP_FAILED with QDIO down.
This commit reverts the commit 0df138476c8306478d6e726f044868b4bccf411c
(zfcp: Fix adapter activation on link down).
When FSF status FSF_EXCHANGE_CONFIG_DATA_INCOMPLETE is received the
adapter recovery will be finished without any retries. QDIO will be
up now and status changes such as LINK UP will be received now.
Signed-off-by: Daniel Hansel <daniel.hansel@linux.vnet.ibm.com>
Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org> #2.6.37+
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/s390/scsi/zfcp_fsf.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/s390/scsi/zfcp_fsf.c b/drivers/s390/scsi/zfcp_fsf.c
index 48f875f..e3f4dab 100644
--- a/drivers/s390/scsi/zfcp_fsf.c
+++ b/drivers/s390/scsi/zfcp_fsf.c
@@ -563,6 +563,10 @@ static void zfcp_fsf_exchange_config_data_handler(struct zfcp_fsf_req *req)
fc_host_port_type(shost) = FC_PORTTYPE_UNKNOWN;
adapter->hydra_version = 0;
+ /* avoids adapter shutdown to be able to recognize
+ * events such as LINK UP */
+ atomic_set_mask(ZFCP_STATUS_ADAPTER_XCONFIG_OK,
+ &adapter->status);
zfcp_fsf_link_down_info_eval(req,
&qtcb->header.fsf_status_qual.link_down_info);
break;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [024/251] zfcp: block queue limits with data router
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (22 preceding siblings ...)
2013-09-11 4:27 ` [023/251] zfcp: fix adapter (re)open recovery while link to SAN is down Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [025/251] zfcp: status read buffers on first adapter open with link down Steven Rostedt
` (226 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Steffen Maier, Martin Peschke, James Bottomley
[-- Attachment #1: 0024-zfcp-block-queue-limits-with-data-router.patch --]
[-- Type: text/plain, Size: 2837 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Steffen Maier <maier@linux.vnet.ibm.com>
[ Upstream commit 5fea4291deacd80188b996d2f555fc6a1940e5d4 ]
Commit 86a9668a8d29ea711613e1cb37efa68e7c4db564
"[SCSI] zfcp: support for hardware data router"
reduced the initial block queue limits in the scsi_host_template to the
absolute minimum and adjusted them later on. However, the adjustment was
too late for the BSG devices of Scsi_Host and fc_host.
Therefore, ioctl(..., SG_IO, ...) with request or response size > 4kB to a
BSG device of an fc_host or a Scsi_Host fails with EINVAL. As a result,
users of such ioctl such as HBA_SendCTPassThru() in libzfcphbaapi return
with error HBA_STATUS_ERROR.
Initialize the block queue limits in zfcp_scsi_host_template to the
greatest common denominator (GCD).
While we cannot exploit the slightly enlarged maximum request size with
data router, this should be neglectible. Doing so also avoids running into
trouble after live guest relocation (LGR) / migration from a data router
FCP device to an FCP device that does not support data router. In that
case, zfcp would figure out the new limits on adapter recovery, but the
fc_host and Scsi_Host (plus in fact all sdevs) still exist with the old and
now too large queue limits.
It should also OK, not to use half the size as in the DIX case, because
fc_host and Scsi_Host do not transport FCP requests including SCSI commands
using protection data.
Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Reviewed-by: Martin Peschke <mpeschke@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org> #3.2+
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/s390/scsi/zfcp_scsi.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c
index 7b31e3f..7b35364 100644
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -3,7 +3,7 @@
*
* Interface to Linux SCSI midlayer.
*
- * Copyright IBM Corp. 2002, 2010
+ * Copyright IBM Corp. 2002, 2013
*/
#define KMSG_COMPONENT "zfcp"
@@ -311,8 +311,12 @@ static struct scsi_host_template zfcp_scsi_host_template = {
.proc_name = "zfcp",
.can_queue = 4096,
.this_id = -1,
- .sg_tablesize = 1, /* adjusted later */
- .max_sectors = 8, /* adjusted later */
+ .sg_tablesize = (((QDIO_MAX_ELEMENTS_PER_BUFFER - 1)
+ * ZFCP_QDIO_MAX_SBALS_PER_REQ) - 2),
+ /* GCD, adjusted later */
+ .max_sectors = (((QDIO_MAX_ELEMENTS_PER_BUFFER - 1)
+ * ZFCP_QDIO_MAX_SBALS_PER_REQ) - 2) * 8,
+ /* GCD, adjusted later */
.dma_boundary = ZFCP_QDIO_SBALE_LEN - 1,
.cmd_per_lun = 1,
.use_clustering = 1,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [025/251] zfcp: status read buffers on first adapter open with link down
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (23 preceding siblings ...)
2013-09-11 4:27 ` [024/251] zfcp: block queue limits with data router Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [026/251] mpt2sas: fix firmware failure with wrong task attribute Steven Rostedt
` (225 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Steffen Maier, James Bottomley
[-- Attachment #1: 0025-zfcp-status-read-buffers-on-first-adapter-open-with-.patch --]
[-- Type: text/plain, Size: 5060 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Steffen Maier <maier@linux.vnet.ibm.com>
[ Upstream commit 9edf7d75ee5f21663a0183d21f702682d0ef132f ]
Commit 64deb6efdc5504ce97b5c1c6f281fffbc150bd93
"[SCSI] zfcp: Use status_read_buf_num provided by FCP channel"
started using a value returned by the channel but only evaluated the value
if the fabric link is up.
Commit 8d88cf3f3b9af4713642caeb221b6d6a42019001
"[SCSI] zfcp: Update status read mempool"
introduced mempool resizings based on the above value.
On setting an FCP device online for the very first time since boot, a new
zeroed adapter object is allocated. If the link is down, the number of
status read requests remains zero. Since just the config data exchange is
incomplete, we proceed with adapter open recovery. However, we
unconditionally call mempool_resize with adapter->stat_read_buf_num == 0 in
this case.
This causes a kernel message "kernel BUG at mm/mempool.c:131!" in process
"zfcperp<FCP-device-bus-ID>" with last function mempool_resize in Krnl PSW
and zfcp_erp_thread in the Call Trace.
Don't evaluate channel values which are invalid on link down. The number of
status read requests is always valid, evaluated, and set to a positive
minimum greater than zero. The adapter open recovery can proceed and the
channel has status read buffers to inform us on a future link up event.
While we are not aware of any other code path that could result in mempool
resize attempts of size zero, we still also initialize the number of status
read buffers to be posted to a static minimum number on adapter object
allocation.
Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org> #2.6.35+
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/s390/scsi/zfcp_aux.c | 5 ++++-
drivers/s390/scsi/zfcp_fsf.c | 23 ++++++++++++++++-------
2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/drivers/s390/scsi/zfcp_aux.c b/drivers/s390/scsi/zfcp_aux.c
index f6adde4..3743ac9 100644
--- a/drivers/s390/scsi/zfcp_aux.c
+++ b/drivers/s390/scsi/zfcp_aux.c
@@ -3,7 +3,7 @@
*
* Module interface and handling of zfcp data structures.
*
- * Copyright IBM Corp. 2002, 2010
+ * Copyright IBM Corp. 2002, 2013
*/
/*
@@ -23,6 +23,7 @@
* Christof Schmitt
* Martin Petermann
* Sven Schuetz
+ * Steffen Maier
*/
#define KMSG_COMPONENT "zfcp"
@@ -415,6 +416,8 @@ struct zfcp_adapter *zfcp_adapter_enqueue(struct ccw_device *ccw_device)
adapter->dma_parms.max_segment_size = ZFCP_QDIO_SBALE_LEN;
adapter->ccw_device->dev.dma_parms = &adapter->dma_parms;
+ adapter->stat_read_buf_num = FSF_STATUS_READS_RECOM;
+
if (!zfcp_scsi_adapter_register(adapter))
return adapter;
diff --git a/drivers/s390/scsi/zfcp_fsf.c b/drivers/s390/scsi/zfcp_fsf.c
index e3f4dab..961e327 100644
--- a/drivers/s390/scsi/zfcp_fsf.c
+++ b/drivers/s390/scsi/zfcp_fsf.c
@@ -3,7 +3,7 @@
*
* Implementation of FSF commands.
*
- * Copyright IBM Corp. 2002, 2010
+ * Copyright IBM Corp. 2002, 2013
*/
#define KMSG_COMPONENT "zfcp"
@@ -483,12 +483,8 @@ static int zfcp_fsf_exchange_config_evaluate(struct zfcp_fsf_req *req)
fc_host_port_name(shost) = nsp->fl_wwpn;
fc_host_node_name(shost) = nsp->fl_wwnn;
- fc_host_port_id(shost) = ntoh24(bottom->s_id);
- fc_host_speed(shost) =
- zfcp_fsf_convert_portspeed(bottom->fc_link_speed);
fc_host_supported_classes(shost) = FC_COS_CLASS2 | FC_COS_CLASS3;
- adapter->hydra_version = bottom->adapter_type;
adapter->timer_ticks = bottom->timer_interval & ZFCP_FSF_TIMER_INT_MASK;
adapter->stat_read_buf_num = max(bottom->status_read_buf_num,
(u16)FSF_STATUS_READS_RECOM);
@@ -496,6 +492,19 @@ static int zfcp_fsf_exchange_config_evaluate(struct zfcp_fsf_req *req)
if (fc_host_permanent_port_name(shost) == -1)
fc_host_permanent_port_name(shost) = fc_host_port_name(shost);
+ zfcp_scsi_set_prot(adapter);
+
+ /* no error return above here, otherwise must fix call chains */
+ /* do not evaluate invalid fields */
+ if (req->qtcb->header.fsf_status == FSF_EXCHANGE_CONFIG_DATA_INCOMPLETE)
+ return 0;
+
+ fc_host_port_id(shost) = ntoh24(bottom->s_id);
+ fc_host_speed(shost) =
+ zfcp_fsf_convert_portspeed(bottom->fc_link_speed);
+
+ adapter->hydra_version = bottom->adapter_type;
+
switch (bottom->fc_topology) {
case FSF_TOPO_P2P:
adapter->peer_d_id = ntoh24(bottom->peer_d_id);
@@ -517,8 +526,6 @@ static int zfcp_fsf_exchange_config_evaluate(struct zfcp_fsf_req *req)
return -EIO;
}
- zfcp_scsi_set_prot(adapter);
-
return 0;
}
@@ -569,6 +576,8 @@ static void zfcp_fsf_exchange_config_data_handler(struct zfcp_fsf_req *req)
&adapter->status);
zfcp_fsf_link_down_info_eval(req,
&qtcb->header.fsf_status_qual.link_down_info);
+ if (zfcp_fsf_exchange_config_evaluate(req))
+ return;
break;
default:
zfcp_erp_adapter_shutdown(adapter, 0, "fsecdh3");
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [026/251] mpt2sas: fix firmware failure with wrong task attribute
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (24 preceding siblings ...)
2013-09-11 4:27 ` [025/251] zfcp: status read buffers on first adapter open with link down Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [027/251] b43: ensue that BCMA is "y" when B43 is "y" Steven Rostedt
` (224 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sreekanth Reddy, James Bottomley
[-- Attachment #1: 0026-mpt2sas-fix-firmware-failure-with-wrong-task-attribu.patch --]
[-- Type: text/plain, Size: 1365 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Sreekanth Reddy <Sreekanth.Reddy@lsi.com>
[ Upstream commit 48ba2efc382f94fae16ca8ca011e5961a81ad1ea ]
When SCSI command is received with task attribute not set, set it to SIMPLE.
Previously it is set to untagged. This causes the firmware to fail the commands.
Signed-off-by: Sreekanth Reddy <Sreekanth.Reddy@lsi.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/scsi/mpt2sas/mpt2sas_scsih.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/scsi/mpt2sas/mpt2sas_scsih.c b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
index b1ebd6f..8718f10 100644
--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
+++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
@@ -3995,11 +3995,7 @@ _scsih_qcmd_lck(struct scsi_cmnd *scmd, void (*done)(struct scsi_cmnd *))
else
mpi_control |= MPI2_SCSIIO_CONTROL_SIMPLEQ;
} else
-/* MPI Revision I (UNIT = 0xA) - removed MPI2_SCSIIO_CONTROL_UNTAGGED */
-/* mpi_control |= MPI2_SCSIIO_CONTROL_UNTAGGED;
- */
- mpi_control |= (0x500);
-
+ mpi_control |= MPI2_SCSIIO_CONTROL_SIMPLEQ;
} else
mpi_control |= MPI2_SCSIIO_CONTROL_SIMPLEQ;
/* Make sure Device is not raid volume.
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [027/251] b43: ensue that BCMA is "y" when B43 is "y"
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (25 preceding siblings ...)
2013-09-11 4:27 ` [026/251] mpt2sas: fix firmware failure with wrong task attribute Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [028/251] printk: Fix rq->lock vs logbuf_lock unlock lock inversion Steven Rostedt
` (223 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Randy Dunlap, Hauke Mehrtens, John W. Linville
[-- Attachment #1: 0027-b43-ensue-that-BCMA-is-y-when-B43-is-y.patch --]
[-- Type: text/plain, Size: 1457 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Hauke Mehrtens <hauke@hauke-m.de>
[ Upstream commit 693026ef2e751fd94d2e6c71028e68343cc875d5 ]
When b43 gets build into the kernel and it should use bcma we have to
ensure that bcma was also build into the kernel and not as a module.
In this patch this is also done for SSB, although you can not
build b43 without ssb support for now.
This fixes a build problem reported by Randy Dunlap in
5187EB95.2060605@infradead.org
Reported-By: Randy Dunlap <rdunlap@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/b43/Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/b43/Kconfig b/drivers/net/wireless/b43/Kconfig
index 3876c7e..af40211 100644
--- a/drivers/net/wireless/b43/Kconfig
+++ b/drivers/net/wireless/b43/Kconfig
@@ -28,7 +28,7 @@ config B43
config B43_BCMA
bool "Support for BCMA bus"
- depends on B43 && BCMA
+ depends on B43 && (BCMA = y || BCMA = B43)
default y
config B43_BCMA_EXTRA
@@ -39,7 +39,7 @@ config B43_BCMA_EXTRA
config B43_SSB
bool
- depends on B43 && SSB
+ depends on B43 && (SSB = y || SSB = B43)
default y
# Auto-select SSB PCI-HOST support, if possible
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [028/251] printk: Fix rq->lock vs logbuf_lock unlock lock inversion
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (26 preceding siblings ...)
2013-09-11 4:27 ` [027/251] b43: ensue that BCMA is "y" when B43 is "y" Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [029/251] uprobes: Fix return value in error handling path Steven Rostedt
` (222 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: ybu, Peter Zijlstra, Thomas Gleixner
[-- Attachment #1: 0028-printk-Fix-rq-lock-vs-logbuf_lock-unlock-lock-invers.patch --]
[-- Type: text/plain, Size: 1297 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "Bu, Yitian" <ybu@qti.qualcomm.com>
[ Upstream commit dbda92d16f8655044e082930e4e9d244b87fde77 ]
commit 07354eb1a74d1 ("locking printk: Annotate logbuf_lock as raw")
reintroduced a lock inversion problem which was fixed in commit
0b5e1c5255 ("printk: Release console_sem after logbuf_lock"). This
happened probably when fixing up patch rejects.
Restore the ordering and unlock logbuf_lock before releasing
console_sem.
Signed-off-by: ybu <ybu@qti.qualcomm.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/E807E903FE6CBE4D95E420FBFCC273B827413C@nasanexd01h.na.qualcomm.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
kernel/printk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/printk.c b/kernel/printk.c
index 2d3fc0e..74a3afb 100644
--- a/kernel/printk.c
+++ b/kernel/printk.c
@@ -1364,9 +1364,9 @@ static int console_trylock_for_printk(unsigned int cpu)
}
}
logbuf_cpu = UINT_MAX;
+ raw_spin_unlock(&logbuf_lock);
if (wake)
up(&console_sem);
- raw_spin_unlock(&logbuf_lock);
return retval;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [029/251] uprobes: Fix return value in error handling path
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (27 preceding siblings ...)
2013-09-11 4:27 ` [028/251] printk: Fix rq->lock vs logbuf_lock unlock lock inversion Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [030/251] svcrpc: fix handling of too-short rpcs Steven Rostedt
` (221 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Frederic Weisbecker, srikar, zhangwei(Jovi)
[-- Attachment #1: 0029-uprobes-Fix-return-value-in-error-handling-path.patch --]
[-- Type: text/plain, Size: 1319 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "zhangwei(Jovi)" <jovi.zhangwei@huawei.com>
[ Upstream commit fa44063f9ef163c3a4c8d8c0465bb8a056b42035 ]
When wrong argument is passed into uprobe_events it does not return
an error:
[root@jovi tracing]# echo 'p:myprobe /bin/bash' > uprobe_events
[root@jovi tracing]#
The proper response is:
[root@jovi tracing]# echo 'p:myprobe /bin/bash' > uprobe_events
-bash: echo: write error: Invalid argument
Link: http://lkml.kernel.org/r/51B964FF.5000106@huawei.com
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: <srikar@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org # 3.5+
Signed-off-by: zhangwei(Jovi) <jovi.zhangwei@huawei.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
kernel/trace/trace_uprobe.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
index 03003cd..77dccfc 100644
--- a/kernel/trace/trace_uprobe.c
+++ b/kernel/trace/trace_uprobe.c
@@ -243,8 +243,10 @@ static int create_trace_uprobe(int argc, char **argv)
return -EINVAL;
}
arg = strchr(argv[1], ':');
- if (!arg)
+ if (!arg) {
+ ret = -EINVAL;
goto fail_address_parse;
+ }
*arg++ = '\0';
filename = argv[1];
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [030/251] svcrpc: fix handling of too-short rpcs
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (28 preceding siblings ...)
2013-09-11 4:27 ` [029/251] uprobes: Fix return value in error handling path Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [031/251] iommu/amd: Only unmap large pages from the first pte Steven Rostedt
` (220 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: stable, J. Bruce Fields
[-- Attachment #1: 0030-svcrpc-fix-handling-of-too-short-rpc-s.patch --]
[-- Type: text/plain, Size: 1301 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "J. Bruce Fields" <bfields@redhat.com>
[ Upstream commit cf3aa02cb4a0c5af5557dd47f15a08a7df33182a ]
If we detect that an rpc is too short, we abort and close the
connection. Except, there's a bug here: we're leaving sk_datalen
nonzero without leaving any pages in the sk_pages array. The most
likely result of the inconsistency is a subsequent crash in
svc_tcp_clear_pages.
Also demote the BUG_ON in svc_tcp_clear_pages to a WARN.
Cc: stable@kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/sunrpc/svcsock.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index 998aa8c..da0980a 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -963,7 +963,10 @@ static void svc_tcp_clear_pages(struct svc_sock *svsk)
len = svsk->sk_tcplen - sizeof(rpc_fraghdr);
npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
for (i = 0; i < npages; i++) {
- BUG_ON(svsk->sk_pages[i] == NULL);
+ if (svsk->sk_pages[i] == NULL) {
+ WARN_ON_ONCE(1);
+ continue;
+ }
put_page(svsk->sk_pages[i]);
svsk->sk_pages[i] = NULL;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [031/251] iommu/amd: Only unmap large pages from the first pte
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (29 preceding siblings ...)
2013-09-11 4:27 ` [030/251] svcrpc: fix handling of too-short rpcs Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [032/251] staging: line6: Fix unlocked snd_pcm_stop() call Steven Rostedt
` (219 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Alex Williamson, Joerg Roedel
[-- Attachment #1: 0031-iommu-amd-Only-unmap-large-pages-from-the-first-pte.patch --]
[-- Type: text/plain, Size: 1982 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Alex Williamson <alex.williamson@redhat.com>
[ Upstream commit 60d0ca3cfd199b6612bbbbf4999a3470dad38bb1 ]
If we use a large mapping, the expectation is that only unmaps from
the first pte in the superpage are supported. Unmaps from offsets
into the superpage should fail (ie. return zero sized unmap). In the
current code, unmapping from an offset clears the size of the full
mapping starting from an offset. For instance, if we map a 16k
physically contiguous range at IOVA 0x0 with a large page, then
attempt to unmap 4k at offset 12k, 4 ptes are cleared (12k - 28k) and
the unmap returns 16k unmapped. This potentially incorrectly clears
valid mappings and confuses drivers like VFIO that use the unmap size
to release pinned pages.
Fix by refusing to unmap from offsets into the page.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Joerg Roedel <joro@8bytes.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/iommu/amd_iommu.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
index e5c773d..28bf5f3 100644
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -1376,6 +1376,10 @@ static unsigned long iommu_unmap_page(struct protection_domain *dom,
/* Large PTE found which maps this address */
unmap_size = PTE_PAGE_SIZE(*pte);
+
+ /* Only unmap from the first pte in the page */
+ if ((unmap_size - 1) & bus_addr)
+ break;
count = PAGE_SIZE_PTE_COUNT(unmap_size);
for (i = 0; i < count; i++)
pte[i] = 0ULL;
@@ -1385,7 +1389,7 @@ static unsigned long iommu_unmap_page(struct protection_domain *dom,
unmapped += unmap_size;
}
- BUG_ON(!is_power_of_2(unmapped));
+ BUG_ON(unmapped && !is_power_of_2(unmapped));
return unmapped;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [032/251] staging: line6: Fix unlocked snd_pcm_stop() call
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (30 preceding siblings ...)
2013-09-11 4:27 ` [031/251] iommu/amd: Only unmap large pages from the first pte Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [033/251] perf: Clone child context from parent context pmu Steven Rostedt
` (218 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Takashi Iwai
[-- Attachment #1: 0032-staging-line6-Fix-unlocked-snd_pcm_stop-call.patch --]
[-- Type: text/plain, Size: 1098 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 86f0b5b86d142b9323432fef078a6cf0fb5dda74 ]
snd_pcm_stop() must be called in the PCM substream lock context.
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/staging/line6/pcm.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/line6/pcm.c b/drivers/staging/line6/pcm.c
index 5e319e3..01f00fd 100644
--- a/drivers/staging/line6/pcm.c
+++ b/drivers/staging/line6/pcm.c
@@ -378,8 +378,11 @@ static int snd_line6_pcm_free(struct snd_device *device)
*/
static void pcm_disconnect_substream(struct snd_pcm_substream *substream)
{
- if (substream->runtime && snd_pcm_running(substream))
+ if (substream->runtime && snd_pcm_running(substream)) {
+ snd_pcm_stream_lock_irq(substream);
snd_pcm_stop(substream, SNDRV_PCM_STATE_DISCONNECTED);
+ snd_pcm_stream_unlock_irq(substream);
+ }
}
/*
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [033/251] perf: Clone child context from parent context pmu
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (31 preceding siblings ...)
2013-09-11 4:27 ` [032/251] staging: line6: Fix unlocked snd_pcm_stop() call Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [034/251] perf: Remove WARN_ON_ONCE() check in __perf_event_enable() for valid scenario Steven Rostedt
` (217 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Vince Weaver, Jiri Olsa, Corey Ashford, Frederic Weisbecker,
Ingo Molnar, Namhyung Kim, Paul Mackerras,
Arnaldo Carvalho de Melo, stable, Peter Zijlstra, Ingo Molnar
[-- Attachment #1: 0033-perf-Clone-child-context-from-parent-context-pmu.patch --]
[-- Type: text/plain, Size: 3781 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jiri Olsa <jolsa@redhat.com>
[ Upstream commit 734df5ab549ca44f40de0f07af1c8803856dfb18 ]
Currently when the child context for inherited events is
created, it's based on the pmu object of the first event
of the parent context.
This is wrong for the following scenario:
- HW context having HW and SW event
- HW event got removed (closed)
- SW event stays in HW context as the only event
and its pmu is used to clone the child context
The issue starts when the cpu context object is touched
based on the pmu context object (__get_cpu_context). In
this case the HW context will work with SW cpu context
ending up with following WARN below.
Fixing this by using parent context pmu object to clone
from child context.
Addresses the following warning reported by Vince Weaver:
[ 2716.472065] ------------[ cut here ]------------
[ 2716.476035] WARNING: at kernel/events/core.c:2122 task_ctx_sched_out+0x3c/0x)
[ 2716.476035] Modules linked in: nfsd auth_rpcgss oid_registry nfs_acl nfs locn
[ 2716.476035] CPU: 0 PID: 3164 Comm: perf_fuzzer Not tainted 3.10.0-rc4 #2
[ 2716.476035] Hardware name: AOpen DE7000/nMCP7ALPx-DE R1.06 Oct.19.2012, BI2
[ 2716.476035] 0000000000000000 ffffffff8102e215 0000000000000000 ffff88011fc18
[ 2716.476035] ffff8801175557f0 0000000000000000 ffff880119fda88c ffffffff810ad
[ 2716.476035] ffff880119fda880 ffffffff810af02a 0000000000000009 ffff880117550
[ 2716.476035] Call Trace:
[ 2716.476035] [<ffffffff8102e215>] ? warn_slowpath_common+0x5b/0x70
[ 2716.476035] [<ffffffff810ab2bd>] ? task_ctx_sched_out+0x3c/0x5f
[ 2716.476035] [<ffffffff810af02a>] ? perf_event_exit_task+0xbf/0x194
[ 2716.476035] [<ffffffff81032a37>] ? do_exit+0x3e7/0x90c
[ 2716.476035] [<ffffffff810cd5ab>] ? __do_fault+0x359/0x394
[ 2716.476035] [<ffffffff81032fe6>] ? do_group_exit+0x66/0x98
[ 2716.476035] [<ffffffff8103dbcd>] ? get_signal_to_deliver+0x479/0x4ad
[ 2716.476035] [<ffffffff810ac05c>] ? __perf_event_task_sched_out+0x230/0x2d1
[ 2716.476035] [<ffffffff8100205d>] ? do_signal+0x3c/0x432
[ 2716.476035] [<ffffffff810abbf9>] ? ctx_sched_in+0x43/0x141
[ 2716.476035] [<ffffffff810ac2ca>] ? perf_event_context_sched_in+0x7a/0x90
[ 2716.476035] [<ffffffff810ac311>] ? __perf_event_task_sched_in+0x31/0x118
[ 2716.476035] [<ffffffff81050dd9>] ? mmdrop+0xd/0x1c
[ 2716.476035] [<ffffffff81051a39>] ? finish_task_switch+0x7d/0xa6
[ 2716.476035] [<ffffffff81002473>] ? do_notify_resume+0x20/0x5d
[ 2716.476035] [<ffffffff813654f5>] ? retint_signal+0x3d/0x78
[ 2716.476035] ---[ end trace 827178d8a5966c3d ]---
Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Cc: Corey Ashford <cjashfor@linux.vnet.ibm.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/1373384651-6109-1-git-send-email-jolsa@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
kernel/events/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index b1a7801..073e5b9 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7002,7 +7002,7 @@ inherit_task_group(struct perf_event *event, struct task_struct *parent,
* child.
*/
- child_ctx = alloc_perf_context(event->pmu, child);
+ child_ctx = alloc_perf_context(parent_ctx->pmu, child);
if (!child_ctx)
return -ENOMEM;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [034/251] perf: Remove WARN_ON_ONCE() check in __perf_event_enable() for valid scenario
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (32 preceding siblings ...)
2013-09-11 4:27 ` [033/251] perf: Clone child context from parent context pmu Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [035/251] perf: Fix perf_lock_task_context() vs RCU Steven Rostedt
` (216 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Vince Weaver, Jiri Olsa, Peter Zijlstra, Corey Ashford,
Frederic Weisbecker, Ingo Molnar, Namhyung Kim, Paul Mackerras,
Arnaldo Carvalho de Melo, stable, Peter Zijlstra, Ingo Molnar
[-- Attachment #1: 0034-perf-Remove-WARN_ON_ONCE-check-in-__perf_event_enabl.patch --]
[-- Type: text/plain, Size: 4262 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jiri Olsa <jolsa@redhat.com>
[ Upstream commit 06f417968beac6e6b614e17b37d347aa6a6b1d30 ]
The '!ctx->is_active' check has a valid scenario, so
there's no need for the warning.
The reason is that there's a time window between the
'ctx->is_active' check in the perf_event_enable() function
and the __perf_event_enable() function having:
- IRQs on
- ctx->lock unlocked
where the task could be killed and 'ctx' deactivated by
perf_event_exit_task(), ending up with the warning below.
So remove the WARN_ON_ONCE() check and add comments to
explain it all.
This addresses the following warning reported by Vince Weaver:
[ 324.983534] ------------[ cut here ]------------
[ 324.984420] WARNING: at kernel/events/core.c:1953 __perf_event_enable+0x187/0x190()
[ 324.984420] Modules linked in:
[ 324.984420] CPU: 19 PID: 2715 Comm: nmi_bug_snb Not tainted 3.10.0+ #246
[ 324.984420] Hardware name: Supermicro X8DTN/X8DTN, BIOS 4.6.3 01/08/2010
[ 324.984420] 0000000000000009 ffff88043fce3ec8 ffffffff8160ea0b ffff88043fce3f00
[ 324.984420] ffffffff81080ff0 ffff8802314fdc00 ffff880231a8f800 ffff88043fcf7860
[ 324.984420] 0000000000000286 ffff880231a8f800 ffff88043fce3f10 ffffffff8108103a
[ 324.984420] Call Trace:
[ 324.984420] <IRQ> [<ffffffff8160ea0b>] dump_stack+0x19/0x1b
[ 324.984420] [<ffffffff81080ff0>] warn_slowpath_common+0x70/0xa0
[ 324.984420] [<ffffffff8108103a>] warn_slowpath_null+0x1a/0x20
[ 324.984420] [<ffffffff81134437>] __perf_event_enable+0x187/0x190
[ 324.984420] [<ffffffff81130030>] remote_function+0x40/0x50
[ 324.984420] [<ffffffff810e51de>] generic_smp_call_function_single_interrupt+0xbe/0x130
[ 324.984420] [<ffffffff81066a47>] smp_call_function_single_interrupt+0x27/0x40
[ 324.984420] [<ffffffff8161fd2f>] call_function_single_interrupt+0x6f/0x80
[ 324.984420] <EOI> [<ffffffff816161a1>] ? _raw_spin_unlock_irqrestore+0x41/0x70
[ 324.984420] [<ffffffff8113799d>] perf_event_exit_task+0x14d/0x210
[ 324.984420] [<ffffffff810acd04>] ? switch_task_namespaces+0x24/0x60
[ 324.984420] [<ffffffff81086946>] do_exit+0x2b6/0xa40
[ 324.984420] [<ffffffff8161615c>] ? _raw_spin_unlock_irq+0x2c/0x30
[ 324.984420] [<ffffffff81087279>] do_group_exit+0x49/0xc0
[ 324.984420] [<ffffffff81096854>] get_signal_to_deliver+0x254/0x620
[ 324.984420] [<ffffffff81043057>] do_signal+0x57/0x5a0
[ 324.984420] [<ffffffff8161a164>] ? __do_page_fault+0x2a4/0x4e0
[ 324.984420] [<ffffffff8161665c>] ? retint_restore_args+0xe/0xe
[ 324.984420] [<ffffffff816166cd>] ? retint_signal+0x11/0x84
[ 324.984420] [<ffffffff81043605>] do_notify_resume+0x65/0x80
[ 324.984420] [<ffffffff81616702>] retint_signal+0x46/0x84
[ 324.984420] ---[ end trace 442ec2f04db3771a ]---
Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Suggested-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Corey Ashford <cjashfor@linux.vnet.ibm.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/1373384651-6109-2-git-send-email-jolsa@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
kernel/events/core.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 073e5b9..63ffeb0 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -1708,7 +1708,16 @@ static int __perf_event_enable(void *info)
struct perf_cpu_context *cpuctx = __get_cpu_context(ctx);
int err;
- if (WARN_ON_ONCE(!ctx->is_active))
+ /*
+ * There's a time window between 'ctx->is_active' check
+ * in perf_event_enable function and this place having:
+ * - IRQs on
+ * - ctx->lock unlocked
+ *
+ * where the task could be killed and 'ctx' deactivated
+ * by perf_event_exit_task.
+ */
+ if (!ctx->is_active)
return -EINVAL;
raw_spin_lock(&ctx->lock);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [035/251] perf: Fix perf_lock_task_context() vs RCU
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (33 preceding siblings ...)
2013-09-11 4:27 ` [034/251] perf: Remove WARN_ON_ONCE() check in __perf_event_enable() for valid scenario Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [036/251] tracing: Fix irqs-off tag display in syscall tracing Steven Rostedt
` (215 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jiri Olsa, stable, Peter Zijlstra, Ingo Molnar
[-- Attachment #1: 0035-perf-Fix-perf_lock_task_context-vs-RCU.patch --]
[-- Type: text/plain, Size: 2883 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 058ebd0eba3aff16b144eabf4510ed9510e1416e ]
Jiri managed to trigger this warning:
[] ======================================================
[] [ INFO: possible circular locking dependency detected ]
[] 3.10.0+ #228 Tainted: G W
[] -------------------------------------------------------
[] p/6613 is trying to acquire lock:
[] (rcu_node_0){..-...}, at: [<ffffffff810ca797>] rcu_read_unlock_special+0xa7/0x250
[]
[] but task is already holding lock:
[] (&ctx->lock){-.-...}, at: [<ffffffff810f2879>] perf_lock_task_context+0xd9/0x2c0
[]
[] which lock already depends on the new lock.
[]
[] the existing dependency chain (in reverse order) is:
[]
[] -> #4 (&ctx->lock){-.-...}:
[] -> #3 (&rq->lock){-.-.-.}:
[] -> #2 (&p->pi_lock){-.-.-.}:
[] -> #1 (&rnp->nocb_gp_wq[1]){......}:
[] -> #0 (rcu_node_0){..-...}:
Paul was quick to explain that due to preemptible RCU we cannot call
rcu_read_unlock() while holding scheduler (or nested) locks when part
of the read side critical section was preemptible.
Therefore solve it by making the entire RCU read side non-preemptible.
Also pull out the retry from under the non-preempt to play nice with RT.
Reported-by: Jiri Olsa <jolsa@redhat.com>
Helped-out-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: <stable@kernel.org>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
kernel/events/core.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 63ffeb0..18ab244b 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -723,8 +723,18 @@ perf_lock_task_context(struct task_struct *task, int ctxn, unsigned long *flags)
{
struct perf_event_context *ctx;
- rcu_read_lock();
retry:
+ /*
+ * One of the few rules of preemptible RCU is that one cannot do
+ * rcu_read_unlock() while holding a scheduler (or nested) lock when
+ * part of the read side critical section was preemptible -- see
+ * rcu_read_unlock_special().
+ *
+ * Since ctx->lock nests under rq->lock we must ensure the entire read
+ * side critical section is non-preemptible.
+ */
+ preempt_disable();
+ rcu_read_lock();
ctx = rcu_dereference(task->perf_event_ctxp[ctxn]);
if (ctx) {
/*
@@ -740,6 +750,8 @@ retry:
raw_spin_lock_irqsave(&ctx->lock, *flags);
if (ctx != rcu_dereference(task->perf_event_ctxp[ctxn])) {
raw_spin_unlock_irqrestore(&ctx->lock, *flags);
+ rcu_read_unlock();
+ preempt_enable();
goto retry;
}
@@ -749,6 +761,7 @@ retry:
}
}
rcu_read_unlock();
+ preempt_enable();
return ctx;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [036/251] tracing: Fix irqs-off tag display in syscall tracing
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (34 preceding siblings ...)
2013-09-11 4:27 ` [035/251] perf: Fix perf_lock_task_context() vs RCU Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [037/251] writeback: Fix periodic writeback after fs mount Steven Rostedt
` (214 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: zhangwei(Jovi)
[-- Attachment #1: 0036-tracing-Fix-irqs-off-tag-display-in-syscall-tracing.patch --]
[-- Type: text/plain, Size: 4775 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "zhangwei(Jovi)" <jovi.zhangwei@huawei.com>
[ Upstream commit 11034ae9c20f4057a6127fc965906417978e69b2 ]
All syscall tracing irqs-off tags are wrong, the syscall enter entry doesn't
disable irqs.
[root@jovi tracing]#echo "syscalls:sys_enter_open" > set_event
[root@jovi tracing]# cat trace
# tracer: nop
#
# entries-in-buffer/entries-written: 13/13 #P:2
#
# _-----=> irqs-off
# / _----=> need-resched
# | / _---=> hardirq/softirq
# || / _--=> preempt-depth
# ||| / delay
# TASK-PID CPU# |||| TIMESTAMP FUNCTION
# | | | |||| | |
irqbalance-513 [000] d... 56115.496766: sys_open(filename: 804e1a6, flags: 0, mode: 1b6)
irqbalance-513 [000] d... 56115.497008: sys_open(filename: 804e1bb, flags: 0, mode: 1b6)
sendmail-771 [000] d... 56115.827982: sys_open(filename: b770e6d1, flags: 0, mode: 1b6)
The reason is syscall tracing doesn't record irq_flags into buffer.
The proper display is:
[root@jovi tracing]#echo "syscalls:sys_enter_open" > set_event
[root@jovi tracing]# cat trace
# tracer: nop
#
# entries-in-buffer/entries-written: 14/14 #P:2
#
# _-----=> irqs-off
# / _----=> need-resched
# | / _---=> hardirq/softirq
# || / _--=> preempt-depth
# ||| / delay
# TASK-PID CPU# |||| TIMESTAMP FUNCTION
# | | | |||| | |
irqbalance-514 [001] .... 46.213921: sys_open(filename: 804e1a6, flags: 0, mode: 1b6)
irqbalance-514 [001] .... 46.214160: sys_open(filename: 804e1bb, flags: 0, mode: 1b6)
<...>-920 [001] .... 47.307260: sys_open(filename: 4e82a0c5, flags: 80000, mode: 0)
Link: http://lkml.kernel.org/r/1365564393-10972-3-git-send-email-jovi.zhangwei@huawei.com
Cc: stable@vger.kernel.org # 2.6.35
Signed-off-by: zhangwei(Jovi) <jovi.zhangwei@huawei.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
kernel/trace/trace_syscalls.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
index 6b245f64..52b2b9f 100644
--- a/kernel/trace/trace_syscalls.c
+++ b/kernel/trace/trace_syscalls.c
@@ -303,6 +303,8 @@ void ftrace_syscall_enter(void *ignore, struct pt_regs *regs, long id)
struct syscall_metadata *sys_data;
struct ring_buffer_event *event;
struct ring_buffer *buffer;
+ unsigned long irq_flags;
+ int pc;
int size;
int syscall_nr;
@@ -318,8 +320,11 @@ void ftrace_syscall_enter(void *ignore, struct pt_regs *regs, long id)
size = sizeof(*entry) + sizeof(unsigned long) * sys_data->nb_args;
+ local_save_flags(irq_flags);
+ pc = preempt_count();
+
event = trace_current_buffer_lock_reserve(&buffer,
- sys_data->enter_event->event.type, size, 0, 0);
+ sys_data->enter_event->event.type, size, irq_flags, pc);
if (!event)
return;
@@ -329,7 +334,8 @@ void ftrace_syscall_enter(void *ignore, struct pt_regs *regs, long id)
if (!filter_current_check_discard(buffer, sys_data->enter_event,
entry, event))
- trace_current_buffer_unlock_commit(buffer, event, 0, 0);
+ trace_current_buffer_unlock_commit(buffer, event,
+ irq_flags, pc);
}
void ftrace_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
@@ -338,6 +344,8 @@ void ftrace_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
struct syscall_metadata *sys_data;
struct ring_buffer_event *event;
struct ring_buffer *buffer;
+ unsigned long irq_flags;
+ int pc;
int syscall_nr;
syscall_nr = syscall_get_nr(current, regs);
@@ -350,8 +358,12 @@ void ftrace_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
if (!sys_data)
return;
+ local_save_flags(irq_flags);
+ pc = preempt_count();
+
event = trace_current_buffer_lock_reserve(&buffer,
- sys_data->exit_event->event.type, sizeof(*entry), 0, 0);
+ sys_data->exit_event->event.type, sizeof(*entry),
+ irq_flags, pc);
if (!event)
return;
@@ -361,7 +373,8 @@ void ftrace_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
if (!filter_current_check_discard(buffer, sys_data->exit_event,
entry, event))
- trace_current_buffer_unlock_commit(buffer, event, 0, 0);
+ trace_current_buffer_unlock_commit(buffer, event,
+ irq_flags, pc);
}
int reg_event_syscall_enter(struct ftrace_event_call *call)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [037/251] writeback: Fix periodic writeback after fs mount
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (35 preceding siblings ...)
2013-09-11 4:27 ` [036/251] tracing: Fix irqs-off tag display in syscall tracing Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [038/251] neighbour: fix a race in neigh_destroy() Steven Rostedt
` (213 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Bert De Jonghe, Jan Kara, Jens Axboe
[-- Attachment #1: 0037-writeback-Fix-periodic-writeback-after-fs-mount.patch --]
[-- Type: text/plain, Size: 2160 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
[ Upstream commit a5faeaf9109578e65e1a32e2a3e76c8b47e7dcb6 ]
Code in blkdev.c moves a device inode to default_backing_dev_info when
the last reference to the device is put and moves the device inode back
to its bdi when the first reference is acquired. This includes moving to
wb.b_dirty list if the device inode is dirty. The code however doesn't
setup timer to wake corresponding flusher thread and while wb.b_dirty
list is non-empty __mark_inode_dirty() will not set it up either. Thus
periodic writeback is effectively disabled until a sync(2) call which can
lead to unexpected data loss in case of crash or power failure.
Fix the problem by setting up a timer for periodic writeback in case we
add the first dirty inode to wb.b_dirty list in bdev_inode_switch_bdi().
Reported-by: Bert De Jonghe <Bert.DeJonghe@amplidata.com>
CC: stable@vger.kernel.org # >= 3.0
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/block_dev.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/block_dev.c b/fs/block_dev.c
index daaca3d..41f6594 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -57,17 +57,24 @@ static void bdev_inode_switch_bdi(struct inode *inode,
struct backing_dev_info *dst)
{
struct backing_dev_info *old = inode->i_data.backing_dev_info;
+ bool wakeup_bdi = false;
if (unlikely(dst == old)) /* deadlock avoidance */
return;
bdi_lock_two(&old->wb, &dst->wb);
spin_lock(&inode->i_lock);
inode->i_data.backing_dev_info = dst;
- if (inode->i_state & I_DIRTY)
+ if (inode->i_state & I_DIRTY) {
+ if (bdi_cap_writeback_dirty(dst) && !wb_has_dirty_io(&dst->wb))
+ wakeup_bdi = true;
list_move(&inode->i_wb_list, &dst->wb.b_dirty);
+ }
spin_unlock(&inode->i_lock);
spin_unlock(&old->wb.list_lock);
spin_unlock(&dst->wb.list_lock);
+
+ if (wakeup_bdi)
+ bdi_wakeup_thread_delayed(dst);
}
sector_t blkdev_max_block(struct block_device *bdev)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [038/251] neighbour: fix a race in neigh_destroy()
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (36 preceding siblings ...)
2013-09-11 4:27 ` [037/251] writeback: Fix periodic writeback after fs mount Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [039/251] x25: Fix broken locking in ioctl error paths Steven Rostedt
` (212 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Joe Jin, Eric Dumazet, David S. Miller
[-- Attachment #1: 0038-neighbour-fix-a-race-in-neigh_destroy.patch --]
[-- Type: text/plain, Size: 2630 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <eric.dumazet@gmail.com>
[ Upstream commit c9ab4d85de222f3390c67aedc9c18a50e767531e ]
There is a race in neighbour code, because neigh_destroy() uses
skb_queue_purge(&neigh->arp_queue) without holding neighbour lock,
while other parts of the code assume neighbour rwlock is what
protects arp_queue
Convert all skb_queue_purge() calls to the __skb_queue_purge() variant
Use __skb_queue_head_init() instead of skb_queue_head_init()
to make clear we do not use arp_queue.lock
And hold neigh->lock in neigh_destroy() to close the race.
Reported-by: Joe Jin <joe.jin@oracle.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/core/neighbour.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 058bb1e..f7ffed1 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -239,7 +239,7 @@ static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev)
we must kill timers etc. and move
it to safe state.
*/
- skb_queue_purge(&n->arp_queue);
+ __skb_queue_purge(&n->arp_queue);
n->arp_queue_len_bytes = 0;
n->output = neigh_blackhole;
if (n->nud_state & NUD_VALID)
@@ -302,7 +302,7 @@ static struct neighbour *neigh_alloc(struct neigh_table *tbl, struct net_device
if (!n)
goto out_entries;
- skb_queue_head_init(&n->arp_queue);
+ __skb_queue_head_init(&n->arp_queue);
rwlock_init(&n->lock);
seqlock_init(&n->ha_lock);
n->updated = n->used = now;
@@ -724,7 +724,9 @@ void neigh_destroy(struct neighbour *neigh)
if (neigh_del_timer(neigh))
pr_warn("Impossible event\n");
- skb_queue_purge(&neigh->arp_queue);
+ write_lock_bh(&neigh->lock);
+ __skb_queue_purge(&neigh->arp_queue);
+ write_unlock_bh(&neigh->lock);
neigh->arp_queue_len_bytes = 0;
if (dev->netdev_ops->ndo_neigh_destroy)
@@ -870,7 +872,7 @@ static void neigh_invalidate(struct neighbour *neigh)
neigh->ops->error_report(neigh, skb);
write_lock(&neigh->lock);
}
- skb_queue_purge(&neigh->arp_queue);
+ __skb_queue_purge(&neigh->arp_queue);
neigh->arp_queue_len_bytes = 0;
}
@@ -1222,7 +1224,7 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
write_lock_bh(&neigh->lock);
}
- skb_queue_purge(&neigh->arp_queue);
+ __skb_queue_purge(&neigh->arp_queue);
neigh->arp_queue_len_bytes = 0;
}
out:
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [039/251] x25: Fix broken locking in ioctl error paths.
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (37 preceding siblings ...)
2013-09-11 4:27 ` [038/251] neighbour: fix a race in neigh_destroy() Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [040/251] vti: remove duplicated code to fix a memory leak Steven Rostedt
` (211 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Dave Jones, David S. Miller
[-- Attachment #1: 0039-x25-Fix-broken-locking-in-ioctl-error-paths.patch --]
[-- Type: text/plain, Size: 1906 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Dave Jones <davej@redhat.com>
[ Upstream commit 4ccb93ce7439b63c31bc7597bfffd13567fa483d ]
Two of the x25 ioctl cases have error paths that break out of the function without
unlocking the socket, leading to this warning:
================================================
[ BUG: lock held when returning to user space! ]
3.10.0-rc7+ #36 Not tainted
------------------------------------------------
trinity-child2/31407 is leaving the kernel with locks still held!
1 lock held by trinity-child2/31407:
#0: (sk_lock-AF_X25){+.+.+.}, at: [<ffffffffa024b6da>] x25_ioctl+0x8a/0x740 [x25]
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/x25/af_x25.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index a306bc6..b943e3e 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -1586,11 +1586,11 @@ out_cud_release:
case SIOCX25CALLACCPTAPPRV: {
rc = -EINVAL;
lock_sock(sk);
- if (sk->sk_state != TCP_CLOSE)
- break;
- clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
+ if (sk->sk_state == TCP_CLOSE) {
+ clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
+ rc = 0;
+ }
release_sock(sk);
- rc = 0;
break;
}
@@ -1598,14 +1598,15 @@ out_cud_release:
rc = -EINVAL;
lock_sock(sk);
if (sk->sk_state != TCP_ESTABLISHED)
- break;
+ goto out_sendcallaccpt_release;
/* must call accptapprv above */
if (test_bit(X25_ACCPT_APPRV_FLAG, &x25->flags))
- break;
+ goto out_sendcallaccpt_release;
x25_write_internal(sk, X25_CALL_ACCEPTED);
x25->state = X25_STATE_3;
- release_sock(sk);
rc = 0;
+out_sendcallaccpt_release:
+ release_sock(sk);
break;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [040/251] vti: remove duplicated code to fix a memory leak
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (38 preceding siblings ...)
2013-09-11 4:27 ` [039/251] x25: Fix broken locking in ioctl error paths Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [041/251] l2tp: add missing .owner to struct pppox_proto Steven Rostedt
` (210 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Stephen Hemminger, Saurabh Mohan, David S. Miller, Cong Wang
[-- Attachment #1: 0040-vti-remove-duplicated-code-to-fix-a-memory-leak.patch --]
[-- Type: text/plain, Size: 1490 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Cong Wang <amwang@redhat.com>
[ Upstream commit ab6c7a0a43c2eaafa57583822b619b22637b49c7 ]
vti module allocates dev->tstats twice: in vti_fb_tunnel_init()
and in vti_tunnel_init(), this lead to a memory leak of
dev->tstats.
Just remove the duplicated operations in vti_fb_tunnel_init().
(candidate for -stable)
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: Saurabh Mohan <saurabh.mohan@vyatta.com>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/ipv4/ip_vti.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index bf89b21..ab37b31 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -664,17 +664,10 @@ static int __net_init vti_fb_tunnel_init(struct net_device *dev)
struct iphdr *iph = &tunnel->parms.iph;
struct vti_net *ipn = net_generic(dev_net(dev), vti_net_id);
- tunnel->dev = dev;
- strcpy(tunnel->parms.name, dev->name);
-
iph->version = 4;
iph->protocol = IPPROTO_IPIP;
iph->ihl = 5;
- dev->tstats = alloc_percpu(struct pcpu_tstats);
- if (!dev->tstats)
- return -ENOMEM;
-
dev_hold(dev);
rcu_assign_pointer(ipn->tunnels_wc[0], tunnel);
return 0;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [041/251] l2tp: add missing .owner to struct pppox_proto
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (39 preceding siblings ...)
2013-09-11 4:27 ` [040/251] vti: remove duplicated code to fix a memory leak Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [042/251] ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data Steven Rostedt
` (209 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Wei Yongjun, David S. Miller
[-- Attachment #1: 0041-l2tp-add-missing-.owner-to-struct-pppox_proto.patch --]
[-- Type: text/plain, Size: 995 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
[ Upstream commit e1558a93b61962710733dc8c11a2bc765607f1cd ]
Add missing .owner of struct pppox_proto. This prevents the
module from being removed from underneath its users.
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/l2tp/l2tp_ppp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 955195c..feca60c 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1837,7 +1837,8 @@ static const struct proto_ops pppol2tp_ops = {
static const struct pppox_proto pppol2tp_proto = {
.create = pppol2tp_create,
- .ioctl = pppol2tp_ioctl
+ .ioctl = pppol2tp_ioctl,
+ .owner = THIS_MODULE,
};
#ifdef CONFIG_L2TP_V3
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [042/251] ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (40 preceding siblings ...)
2013-09-11 4:27 ` [041/251] l2tp: add missing .owner to struct pppox_proto Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [043/251] ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size Steven Rostedt
` (208 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Dave Jones, YOSHIFUJI Hideaki, Hannes Frederic Sowa, David S. Miller
[-- Attachment #1: 0042-ipv6-call-udp_push_pending_frames-when-uncorking-a-s.patch --]
[-- Type: text/plain, Size: 5790 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
[ Upstream commit 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 ]
We accidentally call down to ip6_push_pending_frames when uncorking
pending AF_INET data on a ipv6 socket. This results in the following
splat (from Dave Jones):
skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:126!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth
+netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c
CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37
task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000
RIP: 0010:[<ffffffff816e759c>] [<ffffffff816e759c>] skb_panic+0x63/0x65
RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282
RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006
RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520
RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800
R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800
FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Stack:
ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4
ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6
ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0
Call Trace:
[<ffffffff8159a9aa>] skb_push+0x3a/0x40
[<ffffffff816765f6>] ip6_push_pending_frames+0x1f6/0x4d0
[<ffffffff810b756b>] ? mark_held_locks+0xbb/0x140
[<ffffffff81694919>] udp_v6_push_pending_frames+0x2b9/0x3d0
[<ffffffff81694660>] ? udplite_getfrag+0x20/0x20
[<ffffffff8162092a>] udp_lib_setsockopt+0x1aa/0x1f0
[<ffffffff811cc5e7>] ? fget_light+0x387/0x4f0
[<ffffffff816958a4>] udpv6_setsockopt+0x34/0x40
[<ffffffff815949f4>] sock_common_setsockopt+0x14/0x20
[<ffffffff81593c31>] SyS_setsockopt+0x71/0xd0
[<ffffffff816f5d54>] tracesys+0xdd/0xe2
Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55
RIP [<ffffffff816e759c>] skb_panic+0x63/0x65
RSP <ffff8801e6431de8>
This patch adds a check if the pending data is of address family AF_INET
and directly calls udp_push_ending_frames from udp_v6_push_pending_frames
if that is the case.
This bug was found by Dave Jones with trinity.
(Also move the initialization of fl6 below the AF_INET check, even if
not strictly necessary.)
Cc: Dave Jones <davej@redhat.com>
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
include/net/udp.h | 1 +
net/ipv4/udp.c | 3 ++-
net/ipv6/udp.c | 7 ++++++-
3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/include/net/udp.h b/include/net/udp.h
index 065f379..ad99eed 100644
--- a/include/net/udp.h
+++ b/include/net/udp.h
@@ -181,6 +181,7 @@ extern int udp_get_port(struct sock *sk, unsigned short snum,
extern void udp_err(struct sk_buff *, u32);
extern int udp_sendmsg(struct kiocb *iocb, struct sock *sk,
struct msghdr *msg, size_t len);
+extern int udp_push_pending_frames(struct sock *sk);
extern void udp_flush_pending_frames(struct sock *sk);
extern int udp_rcv(struct sk_buff *skb);
extern int udp_ioctl(struct sock *sk, int cmd, unsigned long arg);
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index ee4b36a..79336ce 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -774,7 +774,7 @@ send:
/*
* Push out all pending data as one UDP datagram. Socket is locked.
*/
-static int udp_push_pending_frames(struct sock *sk)
+int udp_push_pending_frames(struct sock *sk)
{
struct udp_sock *up = udp_sk(sk);
struct inet_sock *inet = inet_sk(sk);
@@ -793,6 +793,7 @@ out:
up->pending = 0;
return err;
}
+EXPORT_SYMBOL(udp_push_pending_frames);
int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
size_t len)
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 08a1878..4328d31 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -955,11 +955,16 @@ static int udp_v6_push_pending_frames(struct sock *sk)
struct udphdr *uh;
struct udp_sock *up = udp_sk(sk);
struct inet_sock *inet = inet_sk(sk);
- struct flowi6 *fl6 = &inet->cork.fl.u.ip6;
+ struct flowi6 *fl6;
int err = 0;
int is_udplite = IS_UDPLITE(sk);
__wsum csum = 0;
+ if (up->pending == AF_INET)
+ return udp_push_pending_frames(sk);
+
+ fl6 = &inet->cork.fl.u.ip6;
+
/* Grab the skbuff where UDP header space exists. */
if ((skb = skb_peek(&sk->sk_write_queue)) == NULL)
goto out;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [043/251] ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (41 preceding siblings ...)
2013-09-11 4:27 ` [042/251] ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [044/251] virtio: support unlocked queue poll Steven Rostedt
` (207 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Gao feng, YOSHIFUJI Hideaki, Hannes Frederic Sowa, David S. Miller
[-- Attachment #1: 0043-ipv6-ip6_append_data_mtu-did-not-care-about-pmtudisc.patch --]
[-- Type: text/plain, Size: 7104 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
[ Upstream commit 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ]
If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track
of this when appending the second frame on a corked socket. This results
in the following splat:
[37598.993962] ------------[ cut here ]------------
[37598.994008] kernel BUG at net/core/skbuff.c:2064!
[37598.994008] invalid opcode: 0000 [#1] SMP
[37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat
+nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi
+scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm
[37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc
+dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video
[37598.994008] CPU 0
[37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG
[37598.994008] RIP: 0010:[<ffffffff815443a5>] [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
[37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202
[37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0
[37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00
[37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040
[37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8
[37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000
[37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000
[37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0
[37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0)
[37598.994008] Stack:
[37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8
[37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200
[37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4
[37598.994008] Call Trace:
[37598.994008] [<ffffffff815fc21f>] ip6_append_data+0xccf/0xfe0
[37598.994008] [<ffffffff8158d9f0>] ? ip_copy_metadata+0x1a0/0x1a0
[37598.994008] [<ffffffff81661f66>] ? _raw_spin_lock_bh+0x16/0x40
[37598.994008] [<ffffffff8161548d>] udpv6_sendmsg+0x1ed/0xc10
[37598.994008] [<ffffffff812a2845>] ? sock_has_perm+0x75/0x90
[37598.994008] [<ffffffff815c3693>] inet_sendmsg+0x63/0xb0
[37598.994008] [<ffffffff812a2973>] ? selinux_socket_sendmsg+0x23/0x30
[37598.994008] [<ffffffff8153a450>] sock_sendmsg+0xb0/0xe0
[37598.994008] [<ffffffff810135d1>] ? __switch_to+0x181/0x4a0
[37598.994008] [<ffffffff8153d97d>] sys_sendto+0x12d/0x180
[37598.994008] [<ffffffff810dfb64>] ? __audit_syscall_entry+0x94/0xf0
[37598.994008] [<ffffffff81020ed1>] ? syscall_trace_enter+0x231/0x240
[37598.994008] [<ffffffff8166a7e7>] tracesys+0xdd/0xe2
[37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48
[37598.994008] RIP [<ffffffff815443a5>] skb_copy_and_csum_bits+0x325/0x330
[37598.994008] RSP <ffff88003670da18>
[37599.007323] ---[ end trace d69f6a17f8ac8eee ]---
While there, also check if path mtu discovery is activated for this
socket. The logic was adapted from ip6_append_data when first writing
on the corked socket.
This bug was introduced with commit
0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec
fragment").
v2:
a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE.
b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao
feng, thanks!).
c) Change mtu to unsigned int, else we get a warning about
non-matching types because of the min()-macro type-check.
Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/ipv6/ip6_output.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index a26d44c..c088717 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1182,11 +1182,12 @@ static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src,
return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL;
}
-static void ip6_append_data_mtu(int *mtu,
+static void ip6_append_data_mtu(unsigned int *mtu,
int *maxfraglen,
unsigned int fragheaderlen,
struct sk_buff *skb,
- struct rt6_info *rt)
+ struct rt6_info *rt,
+ bool pmtuprobe)
{
if (!(rt->dst.flags & DST_XFRM_TUNNEL)) {
if (skb == NULL) {
@@ -1198,7 +1199,9 @@ static void ip6_append_data_mtu(int *mtu,
* this fragment is not first, the headers
* space is regarded as data space.
*/
- *mtu = dst_mtu(rt->dst.path);
+ *mtu = min(*mtu, pmtuprobe ?
+ rt->dst.dev->mtu :
+ dst_mtu(rt->dst.path));
}
*maxfraglen = ((*mtu - fragheaderlen) & ~7)
+ fragheaderlen - sizeof(struct frag_hdr);
@@ -1215,11 +1218,10 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
struct ipv6_pinfo *np = inet6_sk(sk);
struct inet_cork *cork;
struct sk_buff *skb, *skb_prev = NULL;
- unsigned int maxfraglen, fragheaderlen;
+ unsigned int maxfraglen, fragheaderlen, mtu;
int exthdrlen;
int dst_exthdrlen;
int hh_len;
- int mtu;
int copy;
int err;
int offset = 0;
@@ -1381,7 +1383,9 @@ alloc_new_skb:
/* update mtu and maxfraglen if necessary */
if (skb == NULL || skb_prev == NULL)
ip6_append_data_mtu(&mtu, &maxfraglen,
- fragheaderlen, skb, rt);
+ fragheaderlen, skb, rt,
+ np->pmtudisc ==
+ IPV6_PMTUDISC_PROBE);
skb_prev = skb;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [044/251] virtio: support unlocked queue poll
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (42 preceding siblings ...)
2013-09-11 4:27 ` [043/251] ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [045/251] virtio_net: fix race in RX VQ processing Steven Rostedt
` (206 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Michael S. Tsirkin, David S. Miller
[-- Attachment #1: 0044-virtio-support-unlocked-queue-poll.patch --]
[-- Type: text/plain, Size: 4247 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "Michael S. Tsirkin" <mst@redhat.com>
[ Upstream commit cc229884d3f77ec3b1240e467e0236c3e0647c0c ]
This adds a way to check ring empty state after enable_cb outside any
locks. Will be used by virtio_net.
Note: there's room for more optimization: caller is likely to have a
memory barrier already, which means we might be able to get rid of a
barrier here. Deferring this optimization until we do some
benchmarking.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/virtio/virtio_ring.c | 54 +++++++++++++++++++++++++++++++++---------
include/linux/virtio.h | 4 ++++
2 files changed, 47 insertions(+), 11 deletions(-)
diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index 5aa43c3..bdac497 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -491,16 +491,18 @@ EXPORT_SYMBOL_GPL(virtqueue_disable_cb);
* virtqueue_enable_cb - restart callbacks after disable_cb.
* @vq: the struct virtqueue we're talking about.
*
- * This re-enables callbacks; it returns "false" if there are pending
- * buffers in the queue, to detect a possible race between the driver
- * checking for more work, and enabling callbacks.
+ * This re-enables callbacks; it returns current queue state
+ * in an opaque unsigned value. This value should be later tested by
+ * virtqueue_poll, to detect a possible race between the driver checking for
+ * more work, and enabling callbacks.
*
* Caller must ensure we don't call this with other virtqueue
* operations at the same time (except where noted).
*/
-bool virtqueue_enable_cb(struct virtqueue *_vq)
+unsigned virtqueue_enable_cb_prepare(struct virtqueue *_vq)
{
struct vring_virtqueue *vq = to_vvq(_vq);
+ u16 last_used_idx;
START_USE(vq);
@@ -510,15 +512,45 @@ bool virtqueue_enable_cb(struct virtqueue *_vq)
* either clear the flags bit or point the event index at the next
* entry. Always do both to keep code simple. */
vq->vring.avail->flags &= ~VRING_AVAIL_F_NO_INTERRUPT;
- vring_used_event(&vq->vring) = vq->last_used_idx;
+ vring_used_event(&vq->vring) = last_used_idx = vq->last_used_idx;
+ END_USE(vq);
+ return last_used_idx;
+}
+EXPORT_SYMBOL_GPL(virtqueue_enable_cb_prepare);
+
+/**
+ * virtqueue_poll - query pending used buffers
+ * @vq: the struct virtqueue we're talking about.
+ * @last_used_idx: virtqueue state (from call to virtqueue_enable_cb_prepare).
+ *
+ * Returns "true" if there are pending used buffers in the queue.
+ *
+ * This does not need to be serialized.
+ */
+bool virtqueue_poll(struct virtqueue *_vq, unsigned last_used_idx)
+{
+ struct vring_virtqueue *vq = to_vvq(_vq);
+
virtio_mb(vq);
- if (unlikely(more_used(vq))) {
- END_USE(vq);
- return false;
- }
+ return (u16)last_used_idx != vq->vring.used->idx;
+}
+EXPORT_SYMBOL_GPL(virtqueue_poll);
- END_USE(vq);
- return true;
+/**
+ * virtqueue_enable_cb - restart callbacks after disable_cb.
+ * @vq: the struct virtqueue we're talking about.
+ *
+ * This re-enables callbacks; it returns "false" if there are pending
+ * buffers in the queue, to detect a possible race between the driver
+ * checking for more work, and enabling callbacks.
+ *
+ * Caller must ensure we don't call this with other virtqueue
+ * operations at the same time (except where noted).
+ */
+bool virtqueue_enable_cb(struct virtqueue *_vq)
+{
+ unsigned last_used_idx = virtqueue_enable_cb_prepare(_vq);
+ return !virtqueue_poll(_vq, last_used_idx);
}
EXPORT_SYMBOL_GPL(virtqueue_enable_cb);
diff --git a/include/linux/virtio.h b/include/linux/virtio.h
index a1ba8bb..765a133 100644
--- a/include/linux/virtio.h
+++ b/include/linux/virtio.h
@@ -44,6 +44,10 @@ void virtqueue_disable_cb(struct virtqueue *vq);
bool virtqueue_enable_cb(struct virtqueue *vq);
+unsigned virtqueue_enable_cb_prepare(struct virtqueue *vq);
+
+bool virtqueue_poll(struct virtqueue *vq, unsigned);
+
bool virtqueue_enable_cb_delayed(struct virtqueue *vq);
void *virtqueue_detach_unused_buf(struct virtqueue *vq);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [045/251] virtio_net: fix race in RX VQ processing
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (43 preceding siblings ...)
2013-09-11 4:27 ` [044/251] virtio: support unlocked queue poll Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [046/251] sunvnet: vnet_port_remove must call unregister_netdev Steven Rostedt
` (205 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jason Wang, Michael S. Tsirkin, David S. Miller
[-- Attachment #1: 0045-virtio_net-fix-race-in-RX-VQ-processing.patch --]
[-- Type: text/plain, Size: 2236 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "Michael S. Tsirkin" <mst@redhat.com>
[ Upstream commit cbdadbbf0c790f79350a8f36029208944c5487d0 ]
virtio net called virtqueue_enable_cq on RX path after napi_complete, so
with NAPI_STATE_SCHED clear - outside the implicit napi lock.
This violates the requirement to synchronize virtqueue_enable_cq wrt
virtqueue_add_buf. In particular, used event can move backwards,
causing us to lose interrupts.
In a debug build, this can trigger panic within START_USE.
Jason Wang reports that he can trigger the races artificially,
by adding udelay() in virtqueue_enable_cb() after virtio_mb().
However, we must call napi_complete to clear NAPI_STATE_SCHED before
polling the virtqueue for used buffers, otherwise napi_schedule_prep in
a callback will fail, causing us to lose RX events.
To fix, call virtqueue_enable_cb_prepare with NAPI_STATE_SCHED
set (under napi lock), later call virtqueue_poll with
NAPI_STATE_SCHED clear (outside the lock).
Reported-by: Jason Wang <jasowang@redhat.com>
Tested-by: Jason Wang <jasowang@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/virtio_net.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 83d2b0c..fc04222 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -528,7 +528,7 @@ static int virtnet_poll(struct napi_struct *napi, int budget)
{
struct virtnet_info *vi = container_of(napi, struct virtnet_info, napi);
void *buf;
- unsigned int len, received = 0;
+ unsigned int r, len, received = 0;
again:
while (received < budget &&
@@ -545,8 +545,9 @@ again:
/* Out of packets? */
if (received < budget) {
+ r = virtqueue_enable_cb_prepare(vi->rvq);
napi_complete(napi);
- if (unlikely(!virtqueue_enable_cb(vi->rvq)) &&
+ if (unlikely(virtqueue_poll(vi->rvq, r)) &&
napi_schedule_prep(napi)) {
virtqueue_disable_cb(vi->rvq);
__napi_schedule(napi);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [046/251] sunvnet: vnet_port_remove must call unregister_netdev
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (44 preceding siblings ...)
2013-09-11 4:27 ` [045/251] virtio_net: fix race in RX VQ processing Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [047/251] ifb: fix rcu_sched self-detected stalls Steven Rostedt
` (204 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Dave Kleikamp, David S. Miller
[-- Attachment #1: 0046-sunvnet-vnet_port_remove-must-call-unregister_netdev.patch --]
[-- Type: text/plain, Size: 960 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Dave Kleikamp <dave.kleikamp@oracle.com>
[ Upstream commit aabb9875d02559ab9b928cd6f259a5cc4c21a589 ]
The missing call to unregister_netdev() leaves the interface active
after the driver is unloaded by rmmod.
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/ethernet/sun/sunvnet.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c
index a108db3..1d68059 100644
--- a/drivers/net/ethernet/sun/sunvnet.c
+++ b/drivers/net/ethernet/sun/sunvnet.c
@@ -1243,6 +1243,8 @@ static int vnet_port_remove(struct vio_dev *vdev)
dev_set_drvdata(&vdev->dev, NULL);
kfree(port);
+
+ unregister_netdev(vp->dev);
}
return 0;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [047/251] ifb: fix rcu_sched self-detected stalls
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (45 preceding siblings ...)
2013-09-11 4:27 ` [046/251] sunvnet: vnet_port_remove must call unregister_netdev Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [048/251] tuntap: correctly linearize skb when zerocopy is used Steven Rostedt
` (203 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Ding Tianhong, David S. Miller
[-- Attachment #1: 0047-ifb-fix-rcu_sched-self-detected-stalls.patch --]
[-- Type: text/plain, Size: 1353 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: dingtianhong <dingtianhong@huawei.com>
[ Upstream commit 440d57bc5ff55ec1efb3efc9cbe9420b4bbdfefa ]
According to the commit 16b0dc29c1af9df341428f4c49ada4f626258082
(dummy: fix rcu_sched self-detected stalls)
Eric Dumazet fix the problem in dummy, but the ifb will occur the
same problem like the dummy modules.
Trying to "modprobe ifb numifbs=30000" triggers :
INFO: rcu_sched self-detected stall on CPU
After this splat, RTNL is locked and reboot is needed.
We must call cond_resched() to avoid this, even holding RTNL.
Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/ifb.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c
index 344dceb..04ab337 100644
--- a/drivers/net/ifb.c
+++ b/drivers/net/ifb.c
@@ -291,8 +291,10 @@ static int __init ifb_init_module(void)
rtnl_lock();
err = __rtnl_link_register(&ifb_link_ops);
- for (i = 0; i < numifbs && !err; i++)
+ for (i = 0; i < numifbs && !err; i++) {
err = ifb_init_one(i);
+ cond_resched();
+ }
if (err)
__rtnl_link_unregister(&ifb_link_ops);
rtnl_unlock();
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [048/251] tuntap: correctly linearize skb when zerocopy is used
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (46 preceding siblings ...)
2013-09-11 4:27 ` [047/251] ifb: fix rcu_sched self-detected stalls Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [049/251] macvtap: " Steven Rostedt
` (202 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Michael S. Tsirkin, Jason Wang, David S. Miller
[-- Attachment #1: 0048-tuntap-correctly-linearize-skb-when-zerocopy-is-used.patch --]
[-- Type: text/plain, Size: 2049 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jason Wang <jasowang@redhat.com>
[ Upstream commit 3dd5c3308e8b671e8e8882ba972f51cefbe9fd0d ]
Userspace may produce vectors greater than MAX_SKB_FRAGS. When we try to
linearize parts of the skb to let the rest of iov to be fit in
the frags, we need count copylen into linear when calling tun_alloc_skb()
instead of partly counting it into data_len. Since this breaks
zerocopy_sg_from_iovec() since its inner counter assumes nr_frags should
be zero at beginning. This cause nr_frags to be increased wrongly without
setting the correct frags.
This bug were introduced from 0690899b4d4501b3505be069b9a687e68ccbe15b
(tun: experimental zero copy tx support)
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/tun.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index ef7710f..ad08dee 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -692,7 +692,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, void *msg_control,
{
struct tun_pi pi = { 0, cpu_to_be16(ETH_P_IP) };
struct sk_buff *skb;
- size_t len = total_len, align = NET_SKB_PAD;
+ size_t len = total_len, align = NET_SKB_PAD, linear;
struct virtio_net_hdr gso = { 0 };
int offset = 0;
int copylen;
@@ -755,10 +755,14 @@ static ssize_t tun_get_user(struct tun_struct *tun, void *msg_control,
copylen = gso.hdr_len;
if (!copylen)
copylen = GOODCOPY_LEN;
- } else
+ linear = copylen;
+ } else {
copylen = len;
+ linear = gso.hdr_len;
+ }
skb = tun_alloc_skb(tun, align, copylen, gso.hdr_len, noblock);
+ skb = tun_alloc_skb(tun, align, copylen, linear, noblock);
if (IS_ERR(skb)) {
if (PTR_ERR(skb) != -EAGAIN)
tun->dev->stats.rx_dropped++;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [049/251] macvtap: correctly linearize skb when zerocopy is used
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (47 preceding siblings ...)
2013-09-11 4:27 ` [048/251] tuntap: correctly linearize skb when zerocopy is used Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [050/251] ipv6: in case of link failure remove route directly instead of letting it expire Steven Rostedt
` (201 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Michael S. Tsirkin, Jason Wang, David S. Miller
[-- Attachment #1: 0049-macvtap-correctly-linearize-skb-when-zerocopy-is-use.patch --]
[-- Type: text/plain, Size: 1952 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jason Wang <jasowang@redhat.com>
[ Upstream commit 61d46bf979d5cd7c164709a80ad5676a35494aae ]
Userspace may produce vectors greater than MAX_SKB_FRAGS. When we try to
linearize parts of the skb to let the rest of iov to be fit in
the frags, we need count copylen into linear when calling macvtap_alloc_skb()
instead of partly counting it into data_len. Since this breaks
zerocopy_sg_from_iovec() since its inner counter assumes nr_frags should
be zero at beginning. This cause nr_frags to be increased wrongly without
setting the correct frags.
This bug were introduced from b92946e2919134ebe2a4083e4302236295ea2a73
(macvtap: zerocopy: validate vectors before building skb).
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/macvtap.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
index 0f0f9ce..28c8ad9 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -656,6 +656,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
int vnet_hdr_len = 0;
int copylen = 0;
bool zerocopy = false;
+ size_t linear;
if (q->flags & IFF_VNET_HDR) {
vnet_hdr_len = q->vnet_hdr_sz;
@@ -710,11 +711,14 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
copylen = vnet_hdr.hdr_len;
if (!copylen)
copylen = GOODCOPY_LEN;
- } else
+ linear = copylen;
+ } else {
copylen = len;
+ linear = vnet_hdr.hdr_len;
+ }
skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen,
- vnet_hdr.hdr_len, noblock, &err);
+ linear, noblock, &err);
if (!skb)
goto err;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [050/251] ipv6: in case of link failure remove route directly instead of letting it expire
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (48 preceding siblings ...)
2013-09-11 4:27 ` [049/251] macvtap: " Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [051/251] 9p: fix off by one causing access violations and memory corruption Steven Rostedt
` (200 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Nicolas Dichtel, YOSHIFUJI Hideaki, Hannes Frederic Sowa,
David S. Miller
[-- Attachment #1: 0050-ipv6-in-case-of-link-failure-remove-route-directly-i.patch --]
[-- Type: text/plain, Size: 5533 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
[ Upstream commit 1eb4f758286884e7566627164bca4c4a16952a83 ]
We could end up expiring a route which is part of an ecmp route set. Doing
so would invalidate the rt->rt6i_nsiblings calculations and could provoke
the following panic:
[ 80.144667] ------------[ cut here ]------------
[ 80.145172] kernel BUG at net/ipv6/ip6_fib.c:733!
[ 80.145172] invalid opcode: 0000 [#1] SMP
[ 80.145172] Modules linked in: 8021q nf_conntrack_netbios_ns nf_conntrack_broadcast ipt_MASQUERADE ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables
+snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_page_alloc snd_timer virtio_balloon snd soundcore i2c_piix4 i2c_core virtio_net virtio_blk
[ 80.145172] CPU: 1 PID: 786 Comm: ping6 Not tainted 3.10.0+ #118
[ 80.145172] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 80.145172] task: ffff880117fa0000 ti: ffff880118770000 task.ti: ffff880118770000
[ 80.145172] RIP: 0010:[<ffffffff815f3b5d>] [<ffffffff815f3b5d>] fib6_add+0x75d/0x830
[ 80.145172] RSP: 0018:ffff880118771798 EFLAGS: 00010202
[ 80.145172] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011350e480
[ 80.145172] RDX: ffff88011350e238 RSI: 0000000000000004 RDI: ffff88011350f738
[ 80.145172] RBP: ffff880118771848 R08: ffff880117903280 R09: 0000000000000001
[ 80.145172] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88011350f680
[ 80.145172] R13: ffff880117903280 R14: ffff880118771890 R15: ffff88011350ef90
[ 80.145172] FS: 00007f02b5127740(0000) GS:ffff88011fd00000(0000) knlGS:0000000000000000
[ 80.145172] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 80.145172] CR2: 00007f981322a000 CR3: 00000001181b1000 CR4: 00000000000006e0
[ 80.145172] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 80.145172] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 80.145172] Stack:
[ 80.145172] 0000000000000001 ffff880100000000 ffff880100000000 ffff880117903280
[ 80.145172] 0000000000000000 ffff880119a4cf00 0000000000000400 00000000000007fa
[ 80.145172] 0000000000000000 0000000000000000 0000000000000000 ffff88011350f680
[ 80.145172] Call Trace:
[ 80.145172] [<ffffffff815eeceb>] ? rt6_bind_peer+0x4b/0x90
[ 80.145172] [<ffffffff815ed985>] __ip6_ins_rt+0x45/0x70
[ 80.145172] [<ffffffff815eee35>] ip6_ins_rt+0x35/0x40
[ 80.145172] [<ffffffff815ef1e4>] ip6_pol_route.isra.44+0x3a4/0x4b0
[ 80.145172] [<ffffffff815ef34a>] ip6_pol_route_output+0x2a/0x30
[ 80.145172] [<ffffffff81616077>] fib6_rule_action+0xd7/0x210
[ 80.145172] [<ffffffff815ef320>] ? ip6_pol_route_input+0x30/0x30
[ 80.145172] [<ffffffff81553026>] fib_rules_lookup+0xc6/0x140
[ 80.145172] [<ffffffff81616374>] fib6_rule_lookup+0x44/0x80
[ 80.145172] [<ffffffff815ef320>] ? ip6_pol_route_input+0x30/0x30
[ 80.145172] [<ffffffff815edea3>] ip6_route_output+0x73/0xb0
[ 80.145172] [<ffffffff815dfdf3>] ip6_dst_lookup_tail+0x2c3/0x2e0
[ 80.145172] [<ffffffff813007b1>] ? list_del+0x11/0x40
[ 80.145172] [<ffffffff81082a4c>] ? remove_wait_queue+0x3c/0x50
[ 80.145172] [<ffffffff815dfe4d>] ip6_dst_lookup_flow+0x3d/0xa0
[ 80.145172] [<ffffffff815fda77>] rawv6_sendmsg+0x267/0xc20
[ 80.145172] [<ffffffff815a8a83>] inet_sendmsg+0x63/0xb0
[ 80.145172] [<ffffffff8128eb93>] ? selinux_socket_sendmsg+0x23/0x30
[ 80.145172] [<ffffffff815218d6>] sock_sendmsg+0xa6/0xd0
[ 80.145172] [<ffffffff81524a68>] SYSC_sendto+0x128/0x180
[ 80.145172] [<ffffffff8109825c>] ? update_curr+0xec/0x170
[ 80.145172] [<ffffffff81041d09>] ? kvm_clock_get_cycles+0x9/0x10
[ 80.145172] [<ffffffff810afd1e>] ? __getnstimeofday+0x3e/0xd0
[ 80.145172] [<ffffffff8152509e>] SyS_sendto+0xe/0x10
[ 80.145172] [<ffffffff8164efd9>] system_call_fastpath+0x16/0x1b
[ 80.145172] Code: fe ff ff 41 f6 45 2a 06 0f 85 ca fe ff ff 49 8b 7e 08 4c 89 ee e8 94 ef ff ff e9 b9 fe ff ff 48 8b 82 28 05 00 00 e9 01 ff ff ff <0f> 0b 49 8b 54 24 30 0d 00 00 40 00 89 83 14 01 00 00 48 89 53
[ 80.145172] RIP [<ffffffff815f3b5d>] fib6_add+0x75d/0x830
[ 80.145172] RSP <ffff880118771798>
[ 80.387413] ---[ end trace 02f20b7a8b81ed95 ]---
[ 80.390154] Kernel panic - not syncing: Fatal exception in interrupt
Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/ipv6/route.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 103880b..bba556f 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1076,10 +1076,13 @@ static void ip6_link_failure(struct sk_buff *skb)
rt = (struct rt6_info *) skb_dst(skb);
if (rt) {
- if (rt->rt6i_flags & RTF_CACHE)
- rt6_update_expires(rt, 0);
- else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT))
+ if (rt->rt6i_flags & RTF_CACHE) {
+ dst_hold(&rt->dst);
+ if (ip6_del_rt(rt))
+ dst_free(&rt->dst);
+ } else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT)) {
rt->rt6i_node->fn_sernum = -1;
+ }
}
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [051/251] 9p: fix off by one causing access violations and memory corruption
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (49 preceding siblings ...)
2013-09-11 4:27 ` [050/251] ipv6: in case of link failure remove route directly instead of letting it expire Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:27 ` [052/251] dummy: fix oops when loading the dummy failed Steven Rostedt
` (199 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sasha Levin, David S. Miller
[-- Attachment #1: 0051-9p-fix-off-by-one-causing-access-violations-and-memo.patch --]
[-- Type: text/plain, Size: 3682 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Sasha Levin <sasha.levin@oracle.com>
[ Upstream commit 110ecd69a9feea82a152bbf9b12aba57e6396883 ]
p9_release_pages() would attempt to dereference one value past the end of
pages[]. This would cause the following crashes:
[ 6293.171817] BUG: unable to handle kernel paging request at ffff8807c96f3000
[ 6293.174146] IP: [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
[ 6293.176447] PGD 79c5067 PUD 82c1e3067 PMD 82c197067 PTE 80000007c96f3060
[ 6293.180060] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 6293.180060] Modules linked in:
[ 6293.180060] CPU: 62 PID: 174043 Comm: modprobe Tainted: G W 3.10.0-next-20130710-sasha #3954
[ 6293.180060] task: ffff8807b803b000 ti: ffff880787dde000 task.ti: ffff880787dde000
[ 6293.180060] RIP: 0010:[<ffffffff8412793b>] [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
[ 6293.214316] RSP: 0000:ffff880787ddfc28 EFLAGS: 00010202
[ 6293.214316] RAX: 0000000000000001 RBX: ffff8807c96f2ff8 RCX: 0000000000000000
[ 6293.222017] RDX: ffff8807b803b000 RSI: 0000000000000001 RDI: ffffea001c7e3d40
[ 6293.222017] RBP: ffff880787ddfc48 R08: 0000000000000000 R09: 0000000000000000
[ 6293.222017] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001
[ 6293.222017] R13: 0000000000000001 R14: ffff8807cc50c070 R15: ffff8807cc50c070
[ 6293.222017] FS: 00007f572641d700(0000) GS:ffff8807f3600000(0000) knlGS:0000000000000000
[ 6293.256784] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 6293.256784] CR2: ffff8807c96f3000 CR3: 00000007c8e81000 CR4: 00000000000006e0
[ 6293.256784] Stack:
[ 6293.256784] ffff880787ddfcc8 ffff880787ddfcc8 0000000000000000 ffff880787ddfcc8
[ 6293.256784] ffff880787ddfd48 ffffffff84128be8 ffff880700000002 0000000000000001
[ 6293.256784] ffff8807b803b000 ffff880787ddfce0 0000100000000000 0000000000000000
[ 6293.256784] Call Trace:
[ 6293.256784] [<ffffffff84128be8>] p9_virtio_zc_request+0x598/0x630
[ 6293.256784] [<ffffffff8115c610>] ? wake_up_bit+0x40/0x40
[ 6293.256784] [<ffffffff841209b1>] p9_client_zc_rpc+0x111/0x3a0
[ 6293.256784] [<ffffffff81174b78>] ? sched_clock_cpu+0x108/0x120
[ 6293.256784] [<ffffffff84122a21>] p9_client_read+0xe1/0x2c0
[ 6293.256784] [<ffffffff81708a90>] v9fs_file_read+0x90/0xc0
[ 6293.256784] [<ffffffff812bd073>] vfs_read+0xc3/0x130
[ 6293.256784] [<ffffffff811a78bd>] ? trace_hardirqs_on+0xd/0x10
[ 6293.256784] [<ffffffff812bd5a2>] SyS_read+0x62/0xa0
[ 6293.256784] [<ffffffff841a1a00>] tracesys+0xdd/0xe2
[ 6293.256784] Code: 66 90 48 89 fb 41 89 f5 48 8b 3f 48 85 ff 74 29 85 f6 74 25 45 31 e4 66 0f 1f 84 00 00 00 00 00 e8 eb 14 12 fd 41 ff c4 49 63 c4 <48> 8b 3c c3 48 85 ff 74 05 45 39 e5 75 e7 48 83 c4 08 5b 41 5c
[ 6293.256784] RIP [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
[ 6293.256784] RSP <ffff880787ddfc28>
[ 6293.256784] CR2: ffff8807c96f3000
[ 6293.256784] ---[ end trace 50822ee72cd360fc ]---
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/9p/trans_common.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/9p/trans_common.c b/net/9p/trans_common.c
index de8df957..2ee3879 100644
--- a/net/9p/trans_common.c
+++ b/net/9p/trans_common.c
@@ -24,11 +24,11 @@
*/
void p9_release_pages(struct page **pages, int nr_pages)
{
- int i = 0;
- while (pages[i] && nr_pages--) {
- put_page(pages[i]);
- i++;
- }
+ int i;
+
+ for (i = 0; i < nr_pages; i++)
+ if (pages[i])
+ put_page(pages[i]);
}
EXPORT_SYMBOL(p9_release_pages);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [052/251] dummy: fix oops when loading the dummy failed
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (50 preceding siblings ...)
2013-09-11 4:27 ` [051/251] 9p: fix off by one causing access violations and memory corruption Steven Rostedt
@ 2013-09-11 4:27 ` Steven Rostedt
2013-09-11 4:28 ` [053/251] ifb: fix oops when loading the ifb failed Steven Rostedt
` (198 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:27 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Tan Xiaojun, Ding Tianhong, David S. Miller
[-- Attachment #1: 0052-dummy-fix-oops-when-loading-the-dummy-failed.patch --]
[-- Type: text/plain, Size: 3767 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: dingtianhong <dingtianhong@huawei.com>
[ Upstream commit 2c8a01894a12665d8059fad8f0a293c98a264121 ]
We rename the dummy in modprobe.conf like this:
install dummy0 /sbin/modprobe -o dummy0 --ignore-install dummy
install dummy1 /sbin/modprobe -o dummy1 --ignore-install dummy
We got oops when we run the command:
modprobe dummy0
modprobe dummy1
------------[ cut here ]------------
[ 3302.187584] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[ 3302.195411] IP: [<ffffffff813fe62a>] __rtnl_link_unregister+0x9a/0xd0
[ 3302.201844] PGD 85c94a067 PUD 8517bd067 PMD 0
[ 3302.206305] Oops: 0002 [#1] SMP
[ 3302.299737] task: ffff88105ccea300 ti: ffff880eba4a0000 task.ti: ffff880eba4a0000
[ 3302.307186] RIP: 0010:[<ffffffff813fe62a>] [<ffffffff813fe62a>] __rtnl_link_unregister+0x9a/0xd0
[ 3302.316044] RSP: 0018:ffff880eba4a1dd8 EFLAGS: 00010246
[ 3302.321332] RAX: 0000000000000000 RBX: ffffffff81a9d738 RCX: 0000000000000002
[ 3302.328436] RDX: 0000000000000000 RSI: ffffffffa04d602c RDI: ffff880eba4a1dd8
[ 3302.335541] RBP: ffff880eba4a1e18 R08: dead000000200200 R09: dead000000100100
[ 3302.342644] R10: 0000000000000080 R11: 0000000000000003 R12: ffffffff81a9d788
[ 3302.349748] R13: ffffffffa04d7020 R14: ffffffff81a9d670 R15: ffff880eba4a1dd8
[ 3302.364910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3302.370630] CR2: 0000000000000008 CR3: 000000085e15e000 CR4: 00000000000427e0
[ 3302.377734] DR0: 0000000000000003 DR1: 00000000000000b0 DR2: 0000000000000001
[ 3302.384838] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 3302.391940] Stack:
[ 3302.393944] ffff880eba4a1dd8 ffff880eba4a1dd8 ffff880eba4a1e18 ffffffffa04d70c0
[ 3302.401350] 00000000ffffffef ffffffffa01a8000 0000000000000000 ffffffff816111c8
[ 3302.408758] ffff880eba4a1e48 ffffffffa01a80be ffff880eba4a1e48 ffffffffa04d70c0
[ 3302.416164] Call Trace:
[ 3302.418605] [<ffffffffa01a8000>] ? 0xffffffffa01a7fff
[ 3302.423727] [<ffffffffa01a80be>] dummy_init_module+0xbe/0x1000 [dummy0]
[ 3302.430405] [<ffffffffa01a8000>] ? 0xffffffffa01a7fff
[ 3302.435535] [<ffffffff81000322>] do_one_initcall+0x152/0x1b0
[ 3302.441263] [<ffffffff810ab24b>] do_init_module+0x7b/0x200
[ 3302.446824] [<ffffffff810ad3d2>] load_module+0x4e2/0x530
[ 3302.452215] [<ffffffff8127ae40>] ? ddebug_dyndbg_boot_param_cb+0x60/0x60
[ 3302.458979] [<ffffffff810ad5f1>] SyS_init_module+0xd1/0x130
[ 3302.464627] [<ffffffff814b9652>] system_call_fastpath+0x16/0x1b
[ 3302.490090] RIP [<ffffffff813fe62a>] __rtnl_link_unregister+0x9a/0xd0
[ 3302.496607] RSP <ffff880eba4a1dd8>
[ 3302.500084] CR2: 0000000000000008
[ 3302.503466] ---[ end trace 8342d49cd49f78ed ]---
The reason is that when loading dummy, if __rtnl_link_register() return failed,
the init_module should return and avoid take the wrong path.
Signed-off-by: Tan Xiaojun <tanxiaojun@huawei.com>
Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/dummy.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c
index c260af5..1f3ff91 100644
--- a/drivers/net/dummy.c
+++ b/drivers/net/dummy.c
@@ -175,6 +175,8 @@ static int __init dummy_init_module(void)
rtnl_lock();
err = __rtnl_link_register(&dummy_link_ops);
+ if (err < 0)
+ goto out;
for (i = 0; i < numdummies && !err; i++) {
err = dummy_init_one();
@@ -182,6 +184,8 @@ static int __init dummy_init_module(void)
}
if (err < 0)
__rtnl_link_unregister(&dummy_link_ops);
+
+out:
rtnl_unlock();
return err;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [053/251] ifb: fix oops when loading the ifb failed
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (51 preceding siblings ...)
2013-09-11 4:27 ` [052/251] dummy: fix oops when loading the dummy failed Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [054/251] atl1e: fix dma mapping warnings Steven Rostedt
` (197 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Ding Tianhong, David S. Miller
[-- Attachment #1: 0053-ifb-fix-oops-when-loading-the-ifb-failed.patch --]
[-- Type: text/plain, Size: 1095 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: dingtianhong <dingtianhong@huawei.com>
[ Upstream commit f2966cd5691058b8674a20766525bedeaea9cbcf ]
If __rtnl_link_register() return faild when loading the ifb, it will
take the wrong path and get oops, so fix it just like dummy.
Signed-off-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/ifb.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c
index 04ab337..635d01c 100644
--- a/drivers/net/ifb.c
+++ b/drivers/net/ifb.c
@@ -290,6 +290,8 @@ static int __init ifb_init_module(void)
rtnl_lock();
err = __rtnl_link_register(&ifb_link_ops);
+ if (err < 0)
+ goto out;
for (i = 0; i < numifbs && !err; i++) {
err = ifb_init_one(i);
@@ -297,6 +299,8 @@ static int __init ifb_init_module(void)
}
if (err)
__rtnl_link_unregister(&ifb_link_ops);
+
+out:
rtnl_unlock();
return err;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [054/251] atl1e: fix dma mapping warnings
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (52 preceding siblings ...)
2013-09-11 4:28 ` [053/251] ifb: fix oops when loading the ifb failed Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [055/251] skb: report completion status for zero copy skbs Steven Rostedt
` (196 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Neil Horman, Jay Cliburn, Chris Snook, David S. Miller
[-- Attachment #1: 0054-atl1e-fix-dma-mapping-warnings.patch --]
[-- Type: text/plain, Size: 6119 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Neil Horman <nhorman@tuxdriver.com>
[ Upstream commit 352900b583b2852152a1e05ea0e8b579292e731e ]
Recently had this backtrace reported:
WARNING: at lib/dma-debug.c:937 check_unmap+0x47d/0x930()
Hardware name: System Product Name
ATL1E 0000:02:00.0: DMA-API: device driver failed to check map error[device
address=0x00000000cbfd1000] [size=90 bytes] [mapped as single]
Modules linked in: xt_conntrack nf_conntrack ebtable_filter ebtables
ip6table_filter ip6_tables snd_hda_codec_hdmi snd_hda_codec_realtek iTCO_wdt
iTCO_vendor_support snd_hda_intel acpi_cpufreq mperf coretemp btrfs zlib_deflate
snd_hda_codec snd_hwdep microcode raid6_pq libcrc32c snd_seq usblp serio_raw xor
snd_seq_device joydev snd_pcm snd_page_alloc snd_timer snd lpc_ich i2c_i801
soundcore mfd_core atl1e asus_atk0110 ata_generic pata_acpi radeon i2c_algo_bit
drm_kms_helper ttm drm i2c_core pata_marvell uinput
Pid: 314, comm: systemd-journal Not tainted 3.9.0-0.rc6.git2.3.fc19.x86_64 #1
Call Trace:
<IRQ> [<ffffffff81069106>] warn_slowpath_common+0x66/0x80
[<ffffffff8106916c>] warn_slowpath_fmt+0x4c/0x50
[<ffffffff8138151d>] check_unmap+0x47d/0x930
[<ffffffff810ad048>] ? sched_clock_cpu+0xa8/0x100
[<ffffffff81381a2f>] debug_dma_unmap_page+0x5f/0x70
[<ffffffff8137ce30>] ? unmap_single+0x20/0x30
[<ffffffffa01569a1>] atl1e_intr+0x3a1/0x5b0 [atl1e]
[<ffffffff810d53fd>] ? trace_hardirqs_off+0xd/0x10
[<ffffffff81119636>] handle_irq_event_percpu+0x56/0x390
[<ffffffff811199ad>] handle_irq_event+0x3d/0x60
[<ffffffff8111cb6a>] handle_fasteoi_irq+0x5a/0x100
[<ffffffff8101c36f>] handle_irq+0xbf/0x150
[<ffffffff811dcb2f>] ? file_sb_list_del+0x3f/0x50
[<ffffffff81073b10>] ? irq_enter+0x50/0xa0
[<ffffffff8172738d>] do_IRQ+0x4d/0xc0
[<ffffffff811dcb2f>] ? file_sb_list_del+0x3f/0x50
[<ffffffff8171c6b2>] common_interrupt+0x72/0x72
<EOI> [<ffffffff810db5b2>] ? lock_release+0xc2/0x310
[<ffffffff8109ea04>] lg_local_unlock_cpu+0x24/0x50
[<ffffffff811dcb2f>] file_sb_list_del+0x3f/0x50
[<ffffffff811dcb6d>] fput+0x2d/0xc0
[<ffffffff811d8ea1>] filp_close+0x61/0x90
[<ffffffff811fae4d>] __close_fd+0x8d/0x150
[<ffffffff811d8ef0>] sys_close+0x20/0x50
[<ffffffff81725699>] system_call_fastpath+0x16/0x1b
The usual straighforward failure to check for dma_mapping_error after a map
operation is completed.
This patch should fix it, the reporter wandered off after filing this bz:
https://bugzilla.redhat.com/show_bug.cgi?id=954170
and I don't have hardware to test, but the fix is pretty straightforward, so I
figured I'd post it for review.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Jay Cliburn <jcliburn@gmail.com>
CC: Chris Snook <chris.snook@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 28 ++++++++++++++++++++---
1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
index 8f6b054..4d84939 100644
--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
@@ -1669,8 +1669,8 @@ check_sum:
return 0;
}
-static void atl1e_tx_map(struct atl1e_adapter *adapter,
- struct sk_buff *skb, struct atl1e_tpd_desc *tpd)
+static int atl1e_tx_map(struct atl1e_adapter *adapter,
+ struct sk_buff *skb, struct atl1e_tpd_desc *tpd)
{
struct atl1e_tpd_desc *use_tpd = NULL;
struct atl1e_tx_buffer *tx_buffer = NULL;
@@ -1681,6 +1681,7 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter,
u16 nr_frags;
u16 f;
int segment;
+ int ring_start = adapter->tx_ring.next_to_use;
nr_frags = skb_shinfo(skb)->nr_frags;
segment = (tpd->word3 >> TPD_SEGMENT_EN_SHIFT) & TPD_SEGMENT_EN_MASK;
@@ -1693,6 +1694,9 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter,
tx_buffer->length = map_len;
tx_buffer->dma = pci_map_single(adapter->pdev,
skb->data, hdr_len, PCI_DMA_TODEVICE);
+ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma))
+ return -ENOSPC;
+
ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_SINGLE);
mapped_len += map_len;
use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma);
@@ -1719,6 +1723,13 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter,
tx_buffer->dma =
pci_map_single(adapter->pdev, skb->data + mapped_len,
map_len, PCI_DMA_TODEVICE);
+
+ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) {
+ /* Reset the tx rings next pointer */
+ adapter->tx_ring.next_to_use = ring_start;
+ return -ENOSPC;
+ }
+
ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_SINGLE);
mapped_len += map_len;
use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma);
@@ -1754,6 +1765,13 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter,
(i * MAX_TX_BUF_LEN),
tx_buffer->length,
DMA_TO_DEVICE);
+
+ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) {
+ /* Reset the ring next to use pointer */
+ adapter->tx_ring.next_to_use = ring_start;
+ return -ENOSPC;
+ }
+
ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_PAGE);
use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma);
use_tpd->word2 = (use_tpd->word2 & (~TPD_BUFLEN_MASK)) |
@@ -1771,6 +1789,7 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter,
/* The last buffer info contain the skb address,
so it will be free after unmap */
tx_buffer->skb = skb;
+ return 0;
}
static void atl1e_tx_queue(struct atl1e_adapter *adapter, u16 count,
@@ -1838,10 +1857,13 @@ static netdev_tx_t atl1e_xmit_frame(struct sk_buff *skb,
return NETDEV_TX_OK;
}
- atl1e_tx_map(adapter, skb, tpd);
+ if (atl1e_tx_map(adapter, skb, tpd))
+ goto out;
+
atl1e_tx_queue(adapter, tpd_req, tpd);
netdev->trans_start = jiffies; /* NETIF_F_LLTX driver :( */
+out:
spin_unlock_irqrestore(&adapter->tx_lock, flags);
return NETDEV_TX_OK;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [055/251] skb: report completion status for zero copy skbs
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (53 preceding siblings ...)
2013-09-11 4:28 ` [054/251] atl1e: fix dma mapping warnings Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [056/251] tuntap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS Steven Rostedt
` (195 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Michael S. Tsirkin, David S. Miller
[-- Attachment #1: 0055-skb-report-completion-status-for-zero-copy-skbs.patch --]
[-- Type: text/plain, Size: 3496 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "Michael S. Tsirkin" <mst@redhat.com>
[ Upstream commit e19d6763cc300fcb706bd291b24ac06be71e1ce6 ]
Even if skb is marked for zero copy, net core might still decide
to copy it later which is somewhat slower than a copy in user context:
besides copying the data we need to pin/unpin the pages.
Add a parameter reporting such cases through zero copy callback:
if this happens a lot, device can take this into account
and switch to copying in user context.
This patch updates all users but ignores the passed value for now:
it will be used by follow-up patches.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/vhost/vhost.c | 2 +-
drivers/vhost/vhost.h | 2 +-
include/linux/skbuff.h | 4 +++-
net/core/skbuff.c | 4 ++--
4 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index ef82a0d..c0492d7 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -1600,7 +1600,7 @@ void vhost_ubuf_put_and_wait(struct vhost_ubuf_ref *ubufs)
kfree(ubufs);
}
-void vhost_zerocopy_callback(struct ubuf_info *ubuf)
+void vhost_zerocopy_callback(struct ubuf_info *ubuf, bool status)
{
struct vhost_ubuf_ref *ubufs = ubuf->ctx;
struct vhost_virtqueue *vq = ubufs->vq;
diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
index 1125af3..2de4ce2 100644
--- a/drivers/vhost/vhost.h
+++ b/drivers/vhost/vhost.h
@@ -191,7 +191,7 @@ bool vhost_enable_notify(struct vhost_dev *, struct vhost_virtqueue *);
int vhost_log_write(struct vhost_virtqueue *vq, struct vhost_log *log,
unsigned int log_num, u64 len);
-void vhost_zerocopy_callback(struct ubuf_info *);
+void vhost_zerocopy_callback(struct ubuf_info *, bool);
int vhost_zerocopy_signal_used(struct vhost_virtqueue *vq);
#define vq_err(vq, fmt, ...) do { \
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index adab092..a45dd48 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -235,11 +235,13 @@ enum {
/*
* The callback notifies userspace to release buffers when skb DMA is done in
* lower device, the skb last reference should be 0 when calling this.
+ * The zerocopy_success argument is true if zero copy transmit occurred,
+ * false on data copy or out of memory error caused by data copy attempt.
* The ctx field is used to track device context.
* The desc field is used to track userspace buffer index.
*/
struct ubuf_info {
- void (*callback)(struct ubuf_info *);
+ void (*callback)(struct ubuf_info *, bool zerocopy_success);
void *ctx;
unsigned long desc;
};
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 043139d01..eaad7a7 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -505,7 +505,7 @@ static void skb_release_data(struct sk_buff *skb)
uarg = skb_shinfo(skb)->destructor_arg;
if (uarg->callback)
- uarg->callback(uarg);
+ uarg->callback(uarg, true);
}
if (skb_has_frag_list(skb))
@@ -783,7 +783,7 @@ int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask)
for (i = 0; i < num_frags; i++)
skb_frag_unref(skb, i);
- uarg->callback(uarg);
+ uarg->callback(uarg, false);
/* skb frags point to kernel buffers */
for (i = num_frags - 1; i >= 0; i--) {
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [056/251] tuntap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (54 preceding siblings ...)
2013-09-11 4:28 ` [055/251] skb: report completion status for zero copy skbs Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [057/251] macvtap: " Steven Rostedt
` (194 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Michael S. Tsirkin, Jason Wang, David S. Miller
[-- Attachment #1: 0056-tuntap-do-not-zerocopy-if-iov-needs-more-pages-than-.patch --]
[-- Type: text/plain, Size: 3836 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jason Wang <jasowang@redhat.com>
[ Upstream commit 885291761dba2bfe04df4c0f7bb75e4c920ab82e ]
We try to linearize part of the skb when the number of iov is greater than
MAX_SKB_FRAGS. This is not enough since each single vector may occupy more than
one pages, so zerocopy_sg_fromiovec() may still fail and may break the guest
network.
Solve this problem by calculate the pages needed for iov before trying to do
zerocopy and switch to use copy instead of zerocopy if it needs more than
MAX_SKB_FRAGS.
This is done through introducing a new helper to count the pages for iov, and
call uarg->callback() manually when switching from zerocopy to copy to notify
vhost.
We can do further optimization on top.
The bug were introduced from commit 0690899b4d4501b3505be069b9a687e68ccbe15b
(tun: experimental zero copy tx support)
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/tun.c | 63 +++++++++++++++++++++++++++++++++--------------------
1 file changed, 39 insertions(+), 24 deletions(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index ad08dee..9ab7b34 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -685,6 +685,30 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
return 0;
}
+
+static unsigned long iov_pages(const struct iovec *iv, int offset,
+ unsigned long nr_segs)
+{
+ unsigned long seg, base;
+ int pages = 0, len, size;
+
+ while (nr_segs && (offset >= iv->iov_len)) {
+ offset -= iv->iov_len;
+ ++iv;
+ --nr_segs;
+ }
+
+ for (seg = 0; seg < nr_segs; seg++) {
+ base = (unsigned long)iv[seg].iov_base + offset;
+ len = iv[seg].iov_len - offset;
+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT;
+ pages += size;
+ offset = 0;
+ }
+
+ return pages;
+}
+
/* Get packet from user space buffer */
static ssize_t tun_get_user(struct tun_struct *tun, void *msg_control,
const struct iovec *iv, size_t total_len,
@@ -731,32 +755,18 @@ static ssize_t tun_get_user(struct tun_struct *tun, void *msg_control,
return -EINVAL;
}
- if (msg_control)
- zerocopy = true;
-
- if (zerocopy) {
- /* Userspace may produce vectors with count greater than
- * MAX_SKB_FRAGS, so we need to linearize parts of the skb
- * to let the rest of data to be fit in the frags.
- */
- if (count > MAX_SKB_FRAGS) {
- copylen = iov_length(iv, count - MAX_SKB_FRAGS);
- if (copylen < offset)
- copylen = 0;
- else
- copylen -= offset;
- } else
- copylen = 0;
- /* There are 256 bytes to be copied in skb, so there is enough
- * room for skb expand head in case it is used.
+ if (msg_control) {
+ /* There are 256 bytes to be copied in skb, so there is
+ * enough room for skb expand head in case it is used.
* The rest of the buffer is mapped from userspace.
*/
- if (copylen < gso.hdr_len)
- copylen = gso.hdr_len;
- if (!copylen)
- copylen = GOODCOPY_LEN;
+ copylen = gso.hdr_len ? gso.hdr_len : GOODCOPY_LEN;
linear = copylen;
- } else {
+ if (iov_pages(iv, offset + copylen, count) <= MAX_SKB_FRAGS)
+ zerocopy = true;
+ }
+
+ if (!zerocopy) {
copylen = len;
linear = gso.hdr_len;
}
@@ -771,8 +781,13 @@ static ssize_t tun_get_user(struct tun_struct *tun, void *msg_control,
if (zerocopy)
err = zerocopy_sg_from_iovec(skb, iv, offset, count);
- else
+ else {
err = skb_copy_datagram_from_iovec(skb, 0, iv, offset, len);
+ if (!err && msg_control) {
+ struct ubuf_info *uarg = msg_control;
+ uarg->callback(uarg, false);
+ }
+ }
if (err) {
tun->dev->stats.rx_dropped++;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [057/251] macvtap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (55 preceding siblings ...)
2013-09-11 4:28 ` [056/251] tuntap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [058/251] vlan: mask vlan prio bits Steven Rostedt
` (193 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Michael S. Tsirkin, Jason Wang, David S. Miller
[-- Attachment #1: 0057-macvtap-do-not-zerocopy-if-iov-needs-more-pages-than.patch --]
[-- Type: text/plain, Size: 3840 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jason Wang <jasowang@redhat.com>
[ Upstream commit ece793fcfc417b3925844be88a6a6dc82ae8f7c6 ]
We try to linearize part of the skb when the number of iov is greater than
MAX_SKB_FRAGS. This is not enough since each single vector may occupy more than
one pages, so zerocopy_sg_fromiovec() may still fail and may break the guest
network.
Solve this problem by calculate the pages needed for iov before trying to do
zerocopy and switch to use copy instead of zerocopy if it needs more than
MAX_SKB_FRAGS.
This is done through introducing a new helper to count the pages for iov, and
call uarg->callback() manually when switching from zerocopy to copy to notify
vhost.
We can do further optimization on top.
This bug were introduced from b92946e2919134ebe2a4083e4302236295ea2a73
(macvtap: zerocopy: validate vectors before building skb).
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/macvtap.c | 62 +++++++++++++++++++++++++++++--------------------
1 file changed, 37 insertions(+), 25 deletions(-)
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
index 28c8ad9..43d3ed8 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -642,6 +642,28 @@ static int macvtap_skb_to_vnet_hdr(const struct sk_buff *skb,
return 0;
}
+static unsigned long iov_pages(const struct iovec *iv, int offset,
+ unsigned long nr_segs)
+{
+ unsigned long seg, base;
+ int pages = 0, len, size;
+
+ while (nr_segs && (offset >= iv->iov_len)) {
+ offset -= iv->iov_len;
+ ++iv;
+ --nr_segs;
+ }
+
+ for (seg = 0; seg < nr_segs; seg++) {
+ base = (unsigned long)iv[seg].iov_base + offset;
+ len = iv[seg].iov_len - offset;
+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT;
+ pages += size;
+ offset = 0;
+ }
+
+ return pages;
+}
/* Get packet from user space buffer */
static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
@@ -688,31 +710,15 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
if (unlikely(count > UIO_MAXIOV))
goto err;
- if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY))
- zerocopy = true;
-
- if (zerocopy) {
- /* Userspace may produce vectors with count greater than
- * MAX_SKB_FRAGS, so we need to linearize parts of the skb
- * to let the rest of data to be fit in the frags.
- */
- if (count > MAX_SKB_FRAGS) {
- copylen = iov_length(iv, count - MAX_SKB_FRAGS);
- if (copylen < vnet_hdr_len)
- copylen = 0;
- else
- copylen -= vnet_hdr_len;
- }
- /* There are 256 bytes to be copied in skb, so there is enough
- * room for skb expand head in case it is used.
- * The rest buffer is mapped from userspace.
- */
- if (copylen < vnet_hdr.hdr_len)
- copylen = vnet_hdr.hdr_len;
- if (!copylen)
- copylen = GOODCOPY_LEN;
+ if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY)) {
+ copylen = vnet_hdr.hdr_len ? vnet_hdr.hdr_len : GOODCOPY_LEN;
linear = copylen;
- } else {
+ if (iov_pages(iv, vnet_hdr_len + copylen, count)
+ <= MAX_SKB_FRAGS)
+ zerocopy = true;
+ }
+
+ if (!zerocopy) {
copylen = len;
linear = vnet_hdr.hdr_len;
}
@@ -724,9 +730,15 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
if (zerocopy)
err = zerocopy_sg_from_iovec(skb, iv, vnet_hdr_len, count);
- else
+ else {
err = skb_copy_datagram_from_iovec(skb, 0, iv, vnet_hdr_len,
len);
+ if (!err && m && m->msg_control) {
+ struct ubuf_info *uarg = m->msg_control;
+ uarg->callback(uarg, false);
+ }
+ }
+
if (err)
goto err_kfree;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [058/251] vlan: mask vlan prio bits
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (56 preceding siblings ...)
2013-09-11 4:28 ` [057/251] macvtap: " Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [059/251] vlan: fix a race in egress prio management Steven Rostedt
` (192 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Steinar H. Gunderson, Eric Dumazet, David S. Miller
[-- Attachment #1: 0058-vlan-mask-vlan-prio-bits.patch --]
[-- Type: text/plain, Size: 3473 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d4b812dea4a236f729526facf97df1a9d18e191c ]
In commit 48cc32d38a52d0b68f91a171a8d00531edc6a46e
("vlan: don't deliver frames for unknown vlans to protocols")
Florian made sure we set pkt_type to PACKET_OTHERHOST
if the vlan id is set and we could find a vlan device for this
particular id.
But we also have a problem if prio bits are set.
Steinar reported an issue on a router receiving IPv6 frames with a
vlan tag of 4000 (id 0, prio 2), and tunneled into a sit device,
because skb->vlan_tci is set.
Forwarded frame is completely corrupted : We can see (8100:4000)
being inserted in the middle of IPv6 source address :
16:48:00.780413 IP6 2001:16d8:8100:4000:ee1c:0:9d9:bc87 >
9f94:4d95:2001:67c:29f4::: ICMP6, unknown icmp6 type (0), length 64
0x0000: 0000 0029 8000 c7c3 7103 0001 a0ae e651
0x0010: 0000 0000 ccce 0b00 0000 0000 1011 1213
0x0020: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
0x0030: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
It seems we are not really ready to properly cope with this right now.
We can probably do better in future kernels :
vlan_get_ingress_priority() should be a netdev property instead of
a per vlan_dev one.
For stable kernels, lets clear vlan_tci to fix the bugs.
Reported-by: Steinar H. Gunderson <sesse@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
include/linux/if_vlan.h | 3 +--
net/8021q/vlan_core.c | 2 +-
net/core/dev.c | 11 +++++++++--
3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
index 9b0c614..fef94f5 100644
--- a/include/linux/if_vlan.h
+++ b/include/linux/if_vlan.h
@@ -82,9 +82,8 @@ static inline int is_vlan_dev(struct net_device *dev)
}
#define vlan_tx_tag_present(__skb) ((__skb)->vlan_tci & VLAN_TAG_PRESENT)
-#define vlan_tx_nonzero_tag_present(__skb) \
- (vlan_tx_tag_present(__skb) && ((__skb)->vlan_tci & VLAN_VID_MASK))
#define vlan_tx_tag_get(__skb) ((__skb)->vlan_tci & ~VLAN_TAG_PRESENT)
+#define vlan_tx_tag_get_id(__skb) ((__skb)->vlan_tci & VLAN_VID_MASK)
#if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index fe29a64..d5f07cb 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -8,7 +8,7 @@
bool vlan_do_receive(struct sk_buff **skbp)
{
struct sk_buff *skb = *skbp;
- u16 vlan_id = skb->vlan_tci & VLAN_VID_MASK;
+ u16 vlan_id = vlan_tx_tag_get_id(skb);
struct net_device *vlan_dev;
struct vlan_pcpu_stats *rx_stats;
diff --git a/net/core/dev.c b/net/core/dev.c
index 9b5e388..1012a02 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3317,8 +3317,15 @@ ncls:
}
}
- if (vlan_tx_nonzero_tag_present(skb))
- skb->pkt_type = PACKET_OTHERHOST;
+ if (unlikely(vlan_tx_tag_present(skb))) {
+ if (vlan_tx_tag_get_id(skb))
+ skb->pkt_type = PACKET_OTHERHOST;
+ /* Note: we might in the future use prio bits
+ * and set skb->priority like in vlan_do_receive()
+ * For the time being, just ignore Priority Code Point
+ */
+ skb->vlan_tci = 0;
+ }
/* deliver only exact match when indicated */
null_or_dev = deliver_exact ? skb->dev : NULL;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [059/251] vlan: fix a race in egress prio management
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (57 preceding siblings ...)
2013-09-11 4:28 ` [058/251] vlan: mask vlan prio bits Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [060/251] MIPS: Oceton: Fix build error Steven Rostedt
` (191 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Eric Dumazet, Patrick McHardy, David S. Miller
[-- Attachment #1: 0059-vlan-fix-a-race-in-egress-prio-management.patch --]
[-- Type: text/plain, Size: 1704 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 3e3aac497513c669e1c62c71e1d552ea85c1d974 ]
egress_priority_map[] hash table updates are protected by rtnl,
and we never remove elements until device is dismantled.
We have to make sure that before inserting an new element in hash table,
all its fields are committed to memory or else another cpu could
find corrupt values and crash.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/8021q/vlan_dev.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index a841735..52457f5 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -73,6 +73,8 @@ vlan_dev_get_egress_qos_mask(struct net_device *dev, struct sk_buff *skb)
{
struct vlan_priority_tci_mapping *mp;
+ smp_rmb(); /* coupled with smp_wmb() in vlan_dev_set_egress_priority() */
+
mp = vlan_dev_priv(dev)->egress_priority_map[(skb->priority & 0xF)];
while (mp) {
if (mp->priority == skb->priority) {
@@ -248,6 +250,11 @@ int vlan_dev_set_egress_priority(const struct net_device *dev,
np->next = mp;
np->priority = skb_prio;
np->vlan_qos = vlan_qos;
+ /* Before inserting this element in hash table, make sure all its fields
+ * are committed to memory.
+ * coupled with smp_rmb() in vlan_dev_get_egress_qos_mask()
+ */
+ smp_wmb();
vlan->egress_priority_map[skb_prio & 0xF] = np;
if (vlan_qos)
vlan->nr_egress_mappings++;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [060/251] MIPS: Oceton: Fix build error.
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (58 preceding siblings ...)
2013-09-11 4:28 ` [059/251] vlan: fix a race in egress prio management Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [061/251] RAPIDIO: IDT_GEN2: " Steven Rostedt
` (190 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Ralf Baechle
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: 0060-MIPS-Oceton-Fix-build-error.patch --]
[-- Type: text/plain, Size: 1573 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Ralf Baechle <ralf@linux-mips.org>
[ Upstream commit 39205750efa6d335fac4f9bcd32b49c7e71c12b7 ]
If CONFIG_CAVIUM_OCTEON_LOCK_L2_TLB, CONFIG_CAVIUM_OCTEON_LOCK_L2_EXCEPTION,
CONFIG_CAVIUM_OCTEON_LOCK_L2_LOW_LEVEL_INTERRUPT and
CONFIG_CAVIUM_OCTEON_LOCK_L2_INTERRUPT are all undefined:
arch/mips/cavium-octeon/setup.c: In function ‘prom_init’:
arch/mips/cavium-octeon/setup.c:715:12: error: unused variable ‘ebase’ [-Werror=unused-variable]
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/mips/cavium-octeon/setup.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/mips/cavium-octeon/setup.c b/arch/mips/cavium-octeon/setup.c
index 919b0fb..19ce979 100644
--- a/arch/mips/cavium-octeon/setup.c
+++ b/arch/mips/cavium-octeon/setup.c
@@ -6,6 +6,7 @@
* Copyright (C) 2004-2007 Cavium Networks
* Copyright (C) 2008 Wind River Systems
*/
+#include <linux/compiler.h>
#include <linux/init.h>
#include <linux/console.h>
#include <linux/delay.h>
@@ -504,7 +505,7 @@ void __init prom_init(void)
if (cvmx_read_csr(CVMX_L2D_FUS3) & (3ull << 34)) {
pr_info("Skipping L2 locking due to reduced L2 cache size\n");
} else {
- uint32_t ebase = read_c0_ebase() & 0x3ffff000;
+ uint32_t __maybe_unused ebase = read_c0_ebase() & 0x3ffff000;
#ifdef CONFIG_CAVIUM_OCTEON_LOCK_L2_TLB
/* TLB refill */
cvmx_l2c_lock_mem_region(ebase, 0x100);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [061/251] RAPIDIO: IDT_GEN2: Fix build error.
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (59 preceding siblings ...)
2013-09-11 4:28 ` [060/251] MIPS: Oceton: Fix build error Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [062/251] megaraid_sas: fix memory leak if SGL has zero length entries Steven Rostedt
` (189 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Ralf Baechle, Alexandre Bounine
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: 0061-RAPIDIO-IDT_GEN2-Fix-build-error.patch --]
[-- Type: text/plain, Size: 1219 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Ralf Baechle <ralf@linux-mips.org>
[ Upstream commit 27f62b9f294b7e2019c94c385abda43a0af6bb8b ]
CC drivers/rapidio/switches/idt_gen2.o
drivers/rapidio/switches/idt_gen2.c: In function ‘idtg2_show_errlog’:
drivers/rapidio/switches/idt_gen2.c:379:30: error: ‘PAGE_SIZE’ undeclared (first use in this function)
drivers/rapidio/switches/idt_gen2.c:379:30: note: each undeclared identifier is reported only once for each function it appears in
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Acked-by: Alexandre Bounine <alexandre.bounine@idt.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/rapidio/switches/idt_gen2.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/rapidio/switches/idt_gen2.c b/drivers/rapidio/switches/idt_gen2.c
index 809b7a3..5d3b0f0 100644
--- a/drivers/rapidio/switches/idt_gen2.c
+++ b/drivers/rapidio/switches/idt_gen2.c
@@ -15,6 +15,8 @@
#include <linux/rio_drv.h>
#include <linux/rio_ids.h>
#include <linux/delay.h>
+
+#include <asm/page.h>
#include "../rio.h"
#define LOCAL_RTE_CONF_DESTID_SEL 0x010070
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [062/251] megaraid_sas: fix memory leak if SGL has zero length entries
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (60 preceding siblings ...)
2013-09-11 4:28 ` [061/251] RAPIDIO: IDT_GEN2: " Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` Steven Rostedt
` (188 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Bjørn Mork, Adam Radford, James Bottomley
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: 0062-megaraid_sas-fix-memory-leak-if-SGL-has-zero-length-.patch --]
[-- Type: text/plain, Size: 1601 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
[ Upstream commit 7a6a731bd00ca90d0e250867c3b9c05b5ff0fa49 ]
commit 98cb7e44 ([SCSI] megaraid_sas: Sanity check user
supplied length before passing it to dma_alloc_coherent())
introduced a memory leak. Memory allocated for entries
following zero length SGL entries will not be freed.
Reference: http://bugs.debian.org/688198
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Cc: <stable@vger.kernel.org>
Acked-by: Adam Radford <aradford@gmail.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/scsi/megaraid/megaraid_sas_base.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index ed38454..d525297 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -4817,10 +4817,12 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance,
sense, sense_handle);
}
- for (i = 0; i < ioc->sge_count && kbuff_arr[i]; i++) {
- dma_free_coherent(&instance->pdev->dev,
- kern_sge32[i].length,
- kbuff_arr[i], kern_sge32[i].phys_addr);
+ for (i = 0; i < ioc->sge_count; i++) {
+ if (kbuff_arr[i])
+ dma_free_coherent(&instance->pdev->dev,
+ kern_sge32[i].length,
+ kbuff_arr[i],
+ kern_sge32[i].phys_addr);
}
megasas_return_cmd(instance, cmd);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [063/251] lib/Kconfig.debug: Restrict FRAME_POINTER for MIPS
@ 2013-09-11 4:28 ` Steven Rostedt
0 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Markos Chandras, Steven J. Hill, linux-mips, Ralf Baechle
[-- Attachment #1: 0063-lib-Kconfig.debug-Restrict-FRAME_POINTER-for-MIPS.patch --]
[-- Type: text/plain, Size: 1541 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Markos Chandras <markos.chandras@imgtec.com>
[ Upstream commit 25c87eae1725ed77a8b44d782a86abdc279b4ede ]
FAULT_INJECTION_STACKTRACE_FILTER selects FRAME_POINTER but
that symbol is not available for MIPS.
Fixes the following problem on a randconfig:
warning: (LOCKDEP && FAULT_INJECTION_STACKTRACE_FILTER && LATENCYTOP &&
KMEMCHECK) selects FRAME_POINTER which has unmet direct dependencies
(DEBUG_KERNEL && (CRIS || M68K || FRV || UML || AVR32 || SUPERH || BLACKFIN ||
MN10300 || METAG) || ARCH_WANT_FRAME_POINTERS)
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Acked-by: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: linux-mips@linux-mips.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Patchwork: https://patchwork.linux-mips.org/patch/5441/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
---
lib/Kconfig.debug | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 2403a63..89a657a 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1242,7 +1242,7 @@ config FAULT_INJECTION_STACKTRACE_FILTER
depends on FAULT_INJECTION_DEBUG_FS && STACKTRACE_SUPPORT
depends on !X86_64
select STACKTRACE
- select FRAME_POINTER if !PPC && !S390 && !MICROBLAZE && !ARM_UNWIND
+ select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE && !ARM_UNWIND
help
Provide stacktrace filter for fault-injection capabilities
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [063/251] lib/Kconfig.debug: Restrict FRAME_POINTER for MIPS
@ 2013-09-11 4:28 ` Steven Rostedt
0 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Markos Chandras, Steven J. Hill, linux-mips, Ralf Baechle
[-- Attachment #1: 0063-lib-Kconfig.debug-Restrict-FRAME_POINTER-for-MIPS.patch --]
[-- Type: text/plain, Size: 1539 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Markos Chandras <markos.chandras@imgtec.com>
[ Upstream commit 25c87eae1725ed77a8b44d782a86abdc279b4ede ]
FAULT_INJECTION_STACKTRACE_FILTER selects FRAME_POINTER but
that symbol is not available for MIPS.
Fixes the following problem on a randconfig:
warning: (LOCKDEP && FAULT_INJECTION_STACKTRACE_FILTER && LATENCYTOP &&
KMEMCHECK) selects FRAME_POINTER which has unmet direct dependencies
(DEBUG_KERNEL && (CRIS || M68K || FRV || UML || AVR32 || SUPERH || BLACKFIN ||
MN10300 || METAG) || ARCH_WANT_FRAME_POINTERS)
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Acked-by: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: linux-mips@linux-mips.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Patchwork: https://patchwork.linux-mips.org/patch/5441/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
---
lib/Kconfig.debug | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 2403a63..89a657a 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1242,7 +1242,7 @@ config FAULT_INJECTION_STACKTRACE_FILTER
depends on FAULT_INJECTION_DEBUG_FS && STACKTRACE_SUPPORT
depends on !X86_64
select STACKTRACE
- select FRAME_POINTER if !PPC && !S390 && !MICROBLAZE && !ARM_UNWIND
+ select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE && !ARM_UNWIND
help
Provide stacktrace filter for fault-injection capabilities
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [064/251] usb: serial: option: blacklist ONDA MT689DC QMI interface
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (62 preceding siblings ...)
2013-09-11 4:28 ` Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [065/251] usb: serial: option: add Olivetti Olicard 200 Steven Rostedt
` (186 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: enrico Mioso, Greg Kroah-Hartman
[-- Attachment #1: 0064-usb-serial-option-blacklist-ONDA-MT689DC-QMI-interfa.patch --]
[-- Type: text/plain, Size: 1509 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Enrico Mioso <mrkiko.rs@gmail.com>
[ Upstream commit 3d1a69e726406ab662ab88fa30a3a05ed404334d ]
Prevent the option driver from binding itself to the QMI/WWAN interface, making
it unusable by the proper driver.
Signed-off-by: enrico Mioso <mrkiko.rs@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/option.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 27adfce..8b4ea07 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -805,7 +805,8 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0017, 0xff, 0xff, 0xff),
.driver_info = (kernel_ulong_t)&net_intf3_blacklist },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0018, 0xff, 0xff, 0xff) },
- { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0019, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0019, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0020, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0021, 0xff, 0xff, 0xff),
.driver_info = (kernel_ulong_t)&net_intf4_blacklist },
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [065/251] usb: serial: option: add Olivetti Olicard 200
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (63 preceding siblings ...)
2013-09-11 4:28 ` [064/251] usb: serial: option: blacklist ONDA MT689DC QMI interface Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [066/251] usb: serial: option.c: remove ONDA MT825UP product ID fromdriver Steven Rostedt
` (185 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Dan Williams, Greg Kroah-Hartman
[-- Attachment #1: 0065-usb-serial-option-add-Olivetti-Olicard-200.patch --]
[-- Type: text/plain, Size: 1660 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Dan Williams <dcbw@redhat.com>
[ Upstream commit 4cf76df06ecc852633ed927d91e01c83c33bc331 ]
Speaks AT on interfaces 5 (command & PPP) and 3 (secondary), other
interface protocols are unknown.
Signed-off-by: Dan Williams <dcbw@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/option.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 8b4ea07..ce7a65e 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -348,6 +348,7 @@ static void option_instat_callback(struct urb *urb);
#define OLIVETTI_VENDOR_ID 0x0b3c
#define OLIVETTI_PRODUCT_OLICARD100 0xc000
#define OLIVETTI_PRODUCT_OLICARD145 0xc003
+#define OLIVETTI_PRODUCT_OLICARD200 0xc005
/* Celot products */
#define CELOT_VENDOR_ID 0x211f
@@ -1241,6 +1242,7 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD100) },
{ USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD145) },
+ { USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD200) },
{ USB_DEVICE(CELOT_VENDOR_ID, CELOT_PRODUCT_CT680M) }, /* CT-650 CDMA 450 1xEVDO modem */
{ USB_DEVICE(ONDA_VENDOR_ID, ONDA_MT825UP) }, /* ONDA MT825UP modem */
{ USB_DEVICE_AND_INTERFACE_INFO(SAMSUNG_VENDOR_ID, SAMSUNG_PRODUCT_GT_B3730, USB_CLASS_CDC_DATA, 0x00, 0x00) }, /* Samsung GT-B3730 LTE USB modem.*/
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [066/251] usb: serial: option.c: remove ONDA MT825UP product ID fromdriver
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (64 preceding siblings ...)
2013-09-11 4:28 ` [065/251] usb: serial: option: add Olivetti Olicard 200 Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [067/251] USB: option: add D-Link DWM-152/C1 and DWM-156/C1 Steven Rostedt
` (184 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Enrico Mioso, Greg Kroah-Hartman
[-- Attachment #1: 0066-usb-serial-option.c-remove-ONDA-MT825UP-product-ID-f.patch --]
[-- Type: text/plain, Size: 1994 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Enrico Mioso <mrkiko.rs@gmail.com>
[ Upstream commit 878c69aae986ae97084458c0183a8c0a059865b1 ]
Some (very few) early devices like mine, where not exposting a proper CDC
descriptor. This was fixed with an immediate firmware update from the vendor,
and pre-installed on newer devices.
So actual devices can be driven by cdc_acm.c + cdc_ether.c.
Signed-off-by: Enrico Mioso <mrkiko.rs@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/option.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index ce7a65e..e142114 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -354,12 +354,6 @@ static void option_instat_callback(struct urb *urb);
#define CELOT_VENDOR_ID 0x211f
#define CELOT_PRODUCT_CT680M 0x6801
-/* ONDA Communication vendor id */
-#define ONDA_VENDOR_ID 0x1ee8
-
-/* ONDA MT825UP HSDPA 14.2 modem */
-#define ONDA_MT825UP 0x000b
-
/* Samsung products */
#define SAMSUNG_VENDOR_ID 0x04e8
#define SAMSUNG_PRODUCT_GT_B3730 0x6889
@@ -1244,7 +1238,6 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD145) },
{ USB_DEVICE(OLIVETTI_VENDOR_ID, OLIVETTI_PRODUCT_OLICARD200) },
{ USB_DEVICE(CELOT_VENDOR_ID, CELOT_PRODUCT_CT680M) }, /* CT-650 CDMA 450 1xEVDO modem */
- { USB_DEVICE(ONDA_VENDOR_ID, ONDA_MT825UP) }, /* ONDA MT825UP modem */
{ USB_DEVICE_AND_INTERFACE_INFO(SAMSUNG_VENDOR_ID, SAMSUNG_PRODUCT_GT_B3730, USB_CLASS_CDC_DATA, 0x00, 0x00) }, /* Samsung GT-B3730 LTE USB modem.*/
{ USB_DEVICE(YUGA_VENDOR_ID, YUGA_PRODUCT_CEM600) },
{ USB_DEVICE(YUGA_VENDOR_ID, YUGA_PRODUCT_CEM610) },
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [067/251] USB: option: add D-Link DWM-152/C1 and DWM-156/C1
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (65 preceding siblings ...)
2013-09-11 4:28 ` [066/251] usb: serial: option.c: remove ONDA MT825UP product ID fromdriver Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [068/251] usb: serial: cp210x: Add USB ID for Netgear Switches embedded serial adapter Steven Rostedt
` (183 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Alexandr Ivanov, Greg Kroah-Hartman
[-- Attachment #1: 0067-USB-option-add-D-Link-DWM-152-C1-and-DWM-156-C1.patch --]
[-- Type: text/plain, Size: 3544 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "Alexandr \\\\\\\"Sky\\\\\\\" Ivanov" <alexandr.sky@gmail.com>
[ Upstream commit ca24763588844b14f019ffc45c7df6d9e8f932c5 ]
Adding support for D-Link DWM-152/C1 and DWM-156/C1 devices.
DWM-152/C1:
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 6 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=07d1 ProdID=3e01 Rev= 0.00
S: Product=USB Configuration
S: SerialNumber=1234567890ABCDEF
C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=2ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
DWM-156/C1:
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 8 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=07d1 ProdID=3e02 Rev= 0.00
S: Product=DataCard Device
S: SerialNumber=1234567890ABCDEF
C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=2ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Signed-off-by: Alexandr Ivanov <alexandr.sky@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/option.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index e142114..d53681f 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1311,6 +1311,8 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d02, 0xff, 0x00, 0x00) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x02, 0x01) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [068/251] usb: serial: cp210x: Add USB ID for Netgear Switches embedded serial adapter
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (66 preceding siblings ...)
2013-09-11 4:28 ` [067/251] USB: option: add D-Link DWM-152/C1 and DWM-156/C1 Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [069/251] USB: cp210x: add MMB and PI ZigBee USB Device Support Steven Rostedt
` (182 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Luiz Angelo Daros de Luca, Greg Kroah-Hartman
[-- Attachment #1: 0068-usb-serial-cp210x-Add-USB-ID-for-Netgear-Switches-em.patch --]
[-- Type: text/plain, Size: 1595 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Luiz Angelo Daros de Luca <luizluca@gmail.com>
[ Upstream commit 90625070c4253377025878c4e82feed8b35c7116 ]
This adds NetGear Managed Switch M4100 series, M5300 series, M7100 series
USB ID (0846:0110) to the cp210x driver. Without this, the serial
adapter is not recognized in Linux. Description was obtained from
an Netgear Eng.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/cp210x.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index 5ad932d..5e64f6c 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -60,6 +60,7 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x0489, 0xE000) }, /* Pirelli Broadband S.p.A, DP-L10 SIP/GSM Mobile */
{ USB_DEVICE(0x0489, 0xE003) }, /* Pirelli Broadband S.p.A, DP-L10 SIP/GSM Mobile */
{ USB_DEVICE(0x0745, 0x1000) }, /* CipherLab USB CCD Barcode Scanner 1000 */
+ { USB_DEVICE(0x0846, 0x1100) }, /* NetGear Managed Switch M4100 series, M5300 series, M7100 series */
{ USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */
{ USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */
{ USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [069/251] USB: cp210x: add MMB and PI ZigBee USB Device Support
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (67 preceding siblings ...)
2013-09-11 4:28 ` [068/251] usb: serial: cp210x: Add USB ID for Netgear Switches embedded serial adapter Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [070/251] usb: cp210x support SEL C662 Vendor/Device Steven Rostedt
` (181 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sami Rahman, Greg Kroah-Hartman
[-- Attachment #1: 0069-USB-cp210x-add-MMB-and-PI-ZigBee-USB-Device-Support.patch --]
[-- Type: text/plain, Size: 1513 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Sami Rahman <sami.rahman@mmbresearch.com>
[ Upstream commit 7681156982026ebf7eafd7301eb0374d7648d068 ]
Added support for MMB Networks and Planet Innovation Ingeni ZigBee USB
devices using customized Silicon Labs' CP210x.c USB to UART bridge
drivers with PIDs: 88A4, 88A5.
Signed-off-by: Sami Rahman <sami.rahman@mmbresearch.com>
Tested-by: Sami Rahman <sami.rahman@mmbresearch.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/cp210x.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index 5e64f6c..5abb19a 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -124,6 +124,8 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
{ USB_DEVICE(0x10C4, 0x8664) }, /* AC-Services CAN-IF */
{ USB_DEVICE(0x10C4, 0x8665) }, /* AC-Services OBD-IF */
+ { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */
+ { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
{ USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
{ USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
{ USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [070/251] usb: cp210x support SEL C662 Vendor/Device
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (68 preceding siblings ...)
2013-09-11 4:28 ` [069/251] USB: cp210x: add MMB and PI ZigBee USB Device Support Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [071/251] PM / Sleep: avoid autosleep in shutdown progress Steven Rostedt
` (180 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Barry Grussling, Greg Kroah-Hartman
[-- Attachment #1: 0070-usb-cp210x-support-SEL-C662-Vendor-Device.patch --]
[-- Type: text/plain, Size: 1313 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Barry Grussling <barry@grussling.com>
[ Upstream commit b579fa52f6be0b4157ca9cc5e94d44a2c89a7e95 ]
This patch adds support for the Schweitzer Engineering Laboratories
C662 USB cable based off the CP210x driver.
Signed-off-by: Barry Grussling <barry@grussling.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/cp210x.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index 5abb19a..e257c51 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -156,6 +156,7 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x17F4, 0xAAAA) }, /* Wavesense Jazz blood glucose meter */
{ USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
{ USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
+ { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
{ USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service Cable */
{ USB_DEVICE(0x1E29, 0x0102) }, /* Festo CPX-USB */
{ USB_DEVICE(0x1E29, 0x0501) }, /* Festo CMSP */
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [071/251] PM / Sleep: avoid autosleep in shutdown progress
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (69 preceding siblings ...)
2013-09-11 4:28 ` [070/251] usb: cp210x support SEL C662 Vendor/Device Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [072/251] lockd: protect nlm_blocked access in nlmsvc_retry_blocked Steven Rostedt
` (179 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Liu ShuoX, Rafael J. Wysocki
[-- Attachment #1: 0071-PM-Sleep-avoid-autosleep-in-shutdown-progress.patch --]
[-- Type: text/plain, Size: 1604 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Liu ShuoX <shuox.liu@intel.com>
[ Upstream commit e5248a111bf4048a9f3fab1a9c94c4630a10592a ]
Prevent automatic system suspend from happening during system
shutdown by making try_to_suspend() check system_state and return
immediately if it is not SYSTEM_RUNNING.
This prevents the following breakage from happening (scenario from
Zhang Yanmin):
Kernel starts shutdown and calls all device driver's shutdown
callback. When a driver's shutdown is called, the last wakelock is
released and suspend-to-ram starts. However, as some driver's shut
down callbacks already shut down devices and disabled runtime pm,
the suspend-to-ram calls driver's suspend callback without noticing
that device is already off and causes crash.
[rjw: Changelog]
Signed-off-by: Liu ShuoX <shuox.liu@intel.com>
Cc: 3.5+ <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
kernel/power/autosleep.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/power/autosleep.c b/kernel/power/autosleep.c
index ca304046..ab79ecb 100644
--- a/kernel/power/autosleep.c
+++ b/kernel/power/autosleep.c
@@ -32,7 +32,8 @@ static void try_to_suspend(struct work_struct *work)
mutex_lock(&autosleep_lock);
- if (!pm_save_wakeup_count(initial_count)) {
+ if (!pm_save_wakeup_count(initial_count) ||
+ system_state != SYSTEM_RUNNING) {
mutex_unlock(&autosleep_lock);
goto out;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [072/251] lockd: protect nlm_blocked access in nlmsvc_retry_blocked
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (70 preceding siblings ...)
2013-09-11 4:28 ` [071/251] PM / Sleep: avoid autosleep in shutdown progress Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` Steven Rostedt
` (178 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Bryan Schumaker, David Jeffery, J. Bruce Fields
[-- Attachment #1: 0072-lockd-protect-nlm_blocked-access-in-nlmsvc_retry_blo.patch --]
[-- Type: text/plain, Size: 2085 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: David Jeffery <djeffery@redhat.com>
[ Upstream commit 1c327d962fc420aea046c16215a552710bde8231 ]
In nlmsvc_retry_blocked, the check that the list is non-empty and acquiring
the pointer of the first entry is unprotected by any lock. This allows a rare
race condition when there is only one entry on the list. A function such as
nlmsvc_grant_callback() can be called, which will temporarily remove the entry
from the list. Between the list_empty() and list_entry(),the list may become
empty, causing an invalid pointer to be used as an nlm_block, leading to a
possible crash.
This patch adds the nlm_block_lock around these calls to prevent concurrent
use of the nlm_blocked list.
This was a regression introduced by
f904be9cc77f361d37d71468b13ff3d1a1823dea "lockd: Mostly remove BKL from
the server".
Cc: Bryan Schumaker <bjschuma@netapp.com>
Cc: stable@vger.kernel.org
Signed-off-by: David Jeffery <djeffery@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/lockd/svclock.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/lockd/svclock.c b/fs/lockd/svclock.c
index 8d80c99..57a3922 100644
--- a/fs/lockd/svclock.c
+++ b/fs/lockd/svclock.c
@@ -939,6 +939,7 @@ nlmsvc_retry_blocked(void)
unsigned long timeout = MAX_SCHEDULE_TIMEOUT;
struct nlm_block *block;
+ spin_lock(&nlm_blocked_lock);
while (!list_empty(&nlm_blocked) && !kthread_should_stop()) {
block = list_entry(nlm_blocked.next, struct nlm_block, b_list);
@@ -948,6 +949,7 @@ nlmsvc_retry_blocked(void)
timeout = block->b_when - jiffies;
break;
}
+ spin_unlock(&nlm_blocked_lock);
dprintk("nlmsvc_retry_blocked(%p, when=%ld)\n",
block, block->b_when);
@@ -957,7 +959,9 @@ nlmsvc_retry_blocked(void)
retry_deferred_block(block);
} else
nlmsvc_grant_blocked(block);
+ spin_lock(&nlm_blocked_lock);
}
+ spin_unlock(&nlm_blocked_lock);
return timeout;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [073/251] hrtimers: Move SMP function call to thread context
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:27 ` [002/251] ALSA: hda - Cache the MUX selection for generic HDMI Steven Rostedt
` (249 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Sasha Levin, David Vrabel, Ingo Molnar, Konrad Wilk, John Stultz,
xen-devel, Thomas Gleixner
[-- Attachment #1: 0073-hrtimers-Move-SMP-function-call-to-thread-context.patch --]
[-- Type: text/plain, Size: 2943 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit 5ec2481b7b47a4005bb446d176e5d0257400c77d ]
smp_call_function_* must not be called from softirq context.
But clock_was_set() which calls on_each_cpu() is called from softirq
context to implement a delayed clock_was_set() for the timer interrupt
handler. Though that almost never gets invoked. A recent change in the
resume code uses the softirq based delayed clock_was_set to support
Xens resume mechanism.
linux-next contains a new warning which warns if smp_call_function_*
is called from softirq context which gets triggered by that Xen
change.
Fix this by moving the delayed clock_was_set() call to a work context.
Reported-and-tested-by: Artem Savkov <artem.savkov@gmail.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: H. Peter Anvin <hpa@zytor.com>,
Cc: Konrad Wilk <konrad.wilk@oracle.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: xen-devel@lists.xen.org
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
kernel/hrtimer.c | 28 +++++++++++++---------------
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
index e3999c2..e522f9a 100644
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -719,17 +719,20 @@ static int hrtimer_switch_to_hres(void)
return 1;
}
+static void clock_was_set_work(struct work_struct *work)
+{
+ clock_was_set();
+}
+
+static DECLARE_WORK(hrtimer_work, clock_was_set_work);
+
/*
- * Called from timekeeping code to reprogramm the hrtimer interrupt
- * device. If called from the timer interrupt context we defer it to
- * softirq context.
+ * Called from timekeeping and resume code to reprogramm the hrtimer
+ * interrupt device on all cpus.
*/
void clock_was_set_delayed(void)
{
- struct hrtimer_cpu_base *cpu_base = &__get_cpu_var(hrtimer_bases);
-
- cpu_base->clock_was_set = 1;
- __raise_softirq_irqoff(HRTIMER_SOFTIRQ);
+ schedule_work(&hrtimer_work);
}
#else
@@ -779,8 +782,10 @@ void hrtimers_resume(void)
WARN_ONCE(!irqs_disabled(),
KERN_INFO "hrtimers_resume() called with IRQs enabled!");
+ /* Retrigger on the local CPU */
retrigger_next_event(NULL);
- timerfd_clock_was_set();
+ /* And schedule a retrigger for all others */
+ clock_was_set_delayed();
}
static inline void timer_stats_hrtimer_set_start_info(struct hrtimer *timer)
@@ -1416,13 +1421,6 @@ void hrtimer_peek_ahead_timers(void)
static void run_hrtimer_softirq(struct softirq_action *h)
{
- struct hrtimer_cpu_base *cpu_base = &__get_cpu_var(hrtimer_bases);
-
- if (cpu_base->clock_was_set) {
- cpu_base->clock_was_set = 0;
- clock_was_set();
- }
-
hrtimer_peek_ahead_timers();
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [073/251] hrtimers: Move SMP function call to thread context
@ 2013-09-11 4:28 ` Steven Rostedt
0 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: xen-devel, John Stultz, David Vrabel, Sasha Levin,
Thomas Gleixner, Ingo Molnar
[-- Attachment #1: 0073-hrtimers-Move-SMP-function-call-to-thread-context.patch --]
[-- Type: text/plain, Size: 2941 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit 5ec2481b7b47a4005bb446d176e5d0257400c77d ]
smp_call_function_* must not be called from softirq context.
But clock_was_set() which calls on_each_cpu() is called from softirq
context to implement a delayed clock_was_set() for the timer interrupt
handler. Though that almost never gets invoked. A recent change in the
resume code uses the softirq based delayed clock_was_set to support
Xens resume mechanism.
linux-next contains a new warning which warns if smp_call_function_*
is called from softirq context which gets triggered by that Xen
change.
Fix this by moving the delayed clock_was_set() call to a work context.
Reported-and-tested-by: Artem Savkov <artem.savkov@gmail.com>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: H. Peter Anvin <hpa@zytor.com>,
Cc: Konrad Wilk <konrad.wilk@oracle.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: xen-devel@lists.xen.org
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
kernel/hrtimer.c | 28 +++++++++++++---------------
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
index e3999c2..e522f9a 100644
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -719,17 +719,20 @@ static int hrtimer_switch_to_hres(void)
return 1;
}
+static void clock_was_set_work(struct work_struct *work)
+{
+ clock_was_set();
+}
+
+static DECLARE_WORK(hrtimer_work, clock_was_set_work);
+
/*
- * Called from timekeeping code to reprogramm the hrtimer interrupt
- * device. If called from the timer interrupt context we defer it to
- * softirq context.
+ * Called from timekeeping and resume code to reprogramm the hrtimer
+ * interrupt device on all cpus.
*/
void clock_was_set_delayed(void)
{
- struct hrtimer_cpu_base *cpu_base = &__get_cpu_var(hrtimer_bases);
-
- cpu_base->clock_was_set = 1;
- __raise_softirq_irqoff(HRTIMER_SOFTIRQ);
+ schedule_work(&hrtimer_work);
}
#else
@@ -779,8 +782,10 @@ void hrtimers_resume(void)
WARN_ONCE(!irqs_disabled(),
KERN_INFO "hrtimers_resume() called with IRQs enabled!");
+ /* Retrigger on the local CPU */
retrigger_next_event(NULL);
- timerfd_clock_was_set();
+ /* And schedule a retrigger for all others */
+ clock_was_set_delayed();
}
static inline void timer_stats_hrtimer_set_start_info(struct hrtimer *timer)
@@ -1416,13 +1421,6 @@ void hrtimer_peek_ahead_timers(void)
static void run_hrtimer_softirq(struct softirq_action *h)
{
- struct hrtimer_cpu_base *cpu_base = &__get_cpu_var(hrtimer_bases);
-
- if (cpu_base->clock_was_set) {
- cpu_base->clock_was_set = 0;
- clock_was_set();
- }
-
hrtimer_peek_ahead_timers();
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [074/251] ALSA: usb-audio: 6fire: return correct XRUN indication
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (72 preceding siblings ...)
2013-09-11 4:28 ` Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [075/251] mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots Steven Rostedt
` (176 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Eldad Zack, Takashi Iwai
[-- Attachment #1: 0074-ALSA-usb-audio-6fire-return-correct-XRUN-indication.patch --]
[-- Type: text/plain, Size: 1067 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Eldad Zack <eldad@fogrefinery.com>
[ Upstream commit be2f93a4c4981b3646b6f98f477154411b8516cb ]
Return SNDRV_PCM_POS_XRUN (snd_pcm_uframes_t) instead of
SNDRV_PCM_STATE_XRUN (snd_pcm_state_t) from the pointer
function of 6fire, as expected by snd_pcm_update_hw_ptr0().
Caught by sparse.
Signed-off-by: Eldad Zack <eldad@fogrefinery.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/usb/6fire/pcm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/6fire/pcm.c b/sound/usb/6fire/pcm.c
index 3143d9c..7c4f311 100644
--- a/sound/usb/6fire/pcm.c
+++ b/sound/usb/6fire/pcm.c
@@ -540,7 +540,7 @@ static snd_pcm_uframes_t usb6fire_pcm_pointer(
snd_pcm_uframes_t ret;
if (rt->panic || !sub)
- return SNDRV_PCM_STATE_XRUN;
+ return SNDRV_PCM_POS_XRUN;
spin_lock_irqsave(&sub->lock, flags);
ret = sub->dma_off;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [075/251] mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (73 preceding siblings ...)
2013-09-11 4:28 ` [074/251] ALSA: usb-audio: 6fire: return correct XRUN indication Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [076/251] iscsi-target: Fix tfc_tpg_nacl_auth_cit configfs length overflow Steven Rostedt
` (175 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Vineet Gupta, Mel Gorman, Hugh Dickins, Rik van Riel,
David Rientjes, Peter Zijlstra, Catalin Marinas, Max Filippov,
Andrew Morton
[-- Attachment #1: 0075-mm-fix-the-TLB-range-flushed-when-__tlb_remove_page-.patch --]
[-- Type: text/plain, Size: 1831 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Vineet Gupta <Vineet.Gupta1@synopsys.com>
[ Upstream commit e6c495a96ce02574e765d5140039a64c8d4e8c9e ]
zap_pte_range loops from @addr to @end. In the middle, if it runs out of
batching slots, TLB entries needs to be flushed for @start to @interim,
NOT @interim to @end.
Since ARC port doesn't use page free batching I can't test it myself but
this seems like the right thing to do.
Observed this when working on a fix for the issue at thread:
http://www.spinics.net/lists/linux-arch/msg21736.html
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Hugh Dickins <hughd@google.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
mm/memory.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/mm/memory.c b/mm/memory.c
index 06ff7fb..e526880 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1106,6 +1106,7 @@ static unsigned long zap_pte_range(struct mmu_gather *tlb,
spinlock_t *ptl;
pte_t *start_pte;
pte_t *pte;
+ unsigned long range_start = addr;
again:
init_rss_vec(rss);
@@ -1211,12 +1212,14 @@ again:
force_flush = 0;
#ifdef HAVE_GENERIC_MMU_GATHER
- tlb->start = addr;
- tlb->end = end;
+ tlb->start = range_start;
+ tlb->end = addr;
#endif
tlb_flush_mmu(tlb);
- if (addr != end)
+ if (addr != end) {
+ range_start = addr;
goto again;
+ }
}
return addr;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [076/251] iscsi-target: Fix tfc_tpg_nacl_auth_cit configfs length overflow
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (74 preceding siblings ...)
2013-09-11 4:28 ` [075/251] mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [077/251] USB: storage: Add MicroVault Flash Drive to unusual_devs Steven Rostedt
` (174 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Joern Engel, Nicholas Bellinger
[-- Attachment #1: 0076-iscsi-target-Fix-tfc_tpg_nacl_auth_cit-configfs-leng.patch --]
[-- Type: text/plain, Size: 1269 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?J=C3=B6rn=20Engel?= <joern@logfs.org>
[ Upstream commit 0fbfc46fb0b2f543a8b539e94c6c293ebc0b05a6 ]
This patch fixes a potential buffer overflow while processing
iscsi_node_auth input for configfs attributes within NodeACL
tfc_tpg_nacl_auth_cit context.
Signed-off-by: Joern Engel <joern@logfs.org>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/target/iscsi/iscsi_target_configfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c
index a7b25e7..73adddc 100644
--- a/drivers/target/iscsi/iscsi_target_configfs.c
+++ b/drivers/target/iscsi/iscsi_target_configfs.c
@@ -393,7 +393,7 @@ static ssize_t __iscsi_##prefix##_store_##name( \
if (!capable(CAP_SYS_ADMIN)) \
return -EPERM; \
\
- snprintf(auth->name, PAGE_SIZE, "%s", page); \
+ snprintf(auth->name, sizeof(auth->name), "%s", page); \
if (!strncmp("NULL", auth->name, 4)) \
auth->naf_flags &= ~flags; \
else \
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [077/251] USB: storage: Add MicroVault Flash Drive to unusual_devs
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (75 preceding siblings ...)
2013-09-11 4:28 ` [076/251] iscsi-target: Fix tfc_tpg_nacl_auth_cit configfs length overflow Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [078/251] ASoC: max98088 - fix element type of the register cache Steven Rostedt
` (173 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Ren Bigcren, Matthew Dharm, Oskar Andero, Greg Kroah-Hartman
[-- Attachment #1: 0077-USB-storage-Add-MicroVault-Flash-Drive-to-unusual_de.patch --]
[-- Type: text/plain, Size: 1404 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Ren Bigcren <bigcren.ren@sonymobile.com>
[ Upstream commit e7a6121f4929c17215f0cdca3726f4bf3e4e9529 ]
The device report an error capacity when read_capacity_16().
Using read_capacity_10() can get the correct capacity.
Signed-off-by: Ren Bigcren <bigcren.ren@sonymobile.com>
Cc: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
Signed-off-by: Oskar Andero <oskar.andero@sonymobile.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/storage/unusual_devs.h | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
index 3561322..a9e9a96 100644
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -657,6 +657,13 @@ UNUSUAL_DEV( 0x054c, 0x016a, 0x0000, 0x9999,
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_FIX_INQUIRY ),
+/* Submitted by Ren Bigcren <bigcren.ren@sonymobile.com> */
+UNUSUAL_DEV( 0x054c, 0x02a5, 0x0100, 0x0100,
+ "Sony Corp.",
+ "MicroVault Flash Drive",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_READ_CAPACITY_16 ),
+
/* floppy reports multiple luns */
UNUSUAL_DEV( 0x055d, 0x2020, 0x0000, 0x0210,
"SAMSUNG",
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [078/251] ASoC: max98088 - fix element type of the register cache.
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (76 preceding siblings ...)
2013-09-11 4:28 ` [077/251] USB: storage: Add MicroVault Flash Drive to unusual_devs Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [079/251] ASoC: wm8962: Remove remaining direct register cache accesses Steven Rostedt
` (172 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Chih-Chung Chang, Dylan Reid, Mark Brown
[-- Attachment #1: 0078-ASoC-max98088-fix-element-type-of-the-register-cache.patch --]
[-- Type: text/plain, Size: 1198 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Chih-Chung Chang <chihchung@chromium.org>
[ Upstream commit cb6f66a2d278e57a6c9d8fb59bd9ebd8ab3965c2 ]
The registers of max98088 are 8 bits, not 16 bits. This bug causes the
contents of registers to be overwritten with bad values when the codec
is suspended and then resumed.
Signed-off-by: Chih-Chung Chang <chihchung@chromium.org>
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Signed-off-by: Mark Brown <broonie@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/soc/codecs/max98088.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/max98088.c b/sound/soc/codecs/max98088.c
index 4790568..8df4597 100644
--- a/sound/soc/codecs/max98088.c
+++ b/sound/soc/codecs/max98088.c
@@ -1594,7 +1594,7 @@ static int max98088_dai2_digital_mute(struct snd_soc_dai *codec_dai, int mute)
static void max98088_sync_cache(struct snd_soc_codec *codec)
{
- u16 *reg_cache = codec->reg_cache;
+ u8 *reg_cache = codec->reg_cache;
int i;
if (!codec->cache_sync)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [079/251] ASoC: wm8962: Remove remaining direct register cache accesses
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (77 preceding siblings ...)
2013-09-11 4:28 ` [078/251] ASoC: max98088 - fix element type of the register cache Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [080/251] ARM: 7722/1: zImage: Convert 32bits memory size and address from ATAG to 64bits DTB Steven Rostedt
` (171 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Nicolin Chen, Mark Brown
[-- Attachment #1: 0079-ASoC-wm8962-Remove-remaining-direct-register-cache-a.patch --]
[-- Type: text/plain, Size: 2677 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <b42378@freescale.com>
[ Upstream commit 2e7ee15ced914e109a1a5b6dfcd463d846a13bd5 ]
Also fix return values for headphone switch updates.
Signed-off-by: Nicolin Chen <b42378@freescale.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/soc/codecs/wm8962.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c
index ce67200..df24c54 100644
--- a/sound/soc/codecs/wm8962.c
+++ b/sound/soc/codecs/wm8962.c
@@ -1600,7 +1600,6 @@ static int wm8962_put_hp_sw(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
- u16 *reg_cache = codec->reg_cache;
int ret;
/* Apply the update (if any) */
@@ -1609,16 +1608,19 @@ static int wm8962_put_hp_sw(struct snd_kcontrol *kcontrol,
return 0;
/* If the left PGA is enabled hit that VU bit... */
- if (snd_soc_read(codec, WM8962_PWR_MGMT_2) & WM8962_HPOUTL_PGA_ENA)
- return snd_soc_write(codec, WM8962_HPOUTL_VOLUME,
- reg_cache[WM8962_HPOUTL_VOLUME]);
+ ret = snd_soc_read(codec, WM8962_PWR_MGMT_2);
+ if (ret & WM8962_HPOUTL_PGA_ENA) {
+ snd_soc_write(codec, WM8962_HPOUTL_VOLUME,
+ snd_soc_read(codec, WM8962_HPOUTL_VOLUME));
+ return 1;
+ }
/* ...otherwise the right. The VU is stereo. */
- if (snd_soc_read(codec, WM8962_PWR_MGMT_2) & WM8962_HPOUTR_PGA_ENA)
- return snd_soc_write(codec, WM8962_HPOUTR_VOLUME,
- reg_cache[WM8962_HPOUTR_VOLUME]);
+ if (ret & WM8962_HPOUTR_PGA_ENA)
+ snd_soc_write(codec, WM8962_HPOUTR_VOLUME,
+ snd_soc_read(codec, WM8962_HPOUTR_VOLUME));
- return 0;
+ return 1;
}
/* The VU bits for the speakers are in a different register to the mute
@@ -3378,7 +3380,6 @@ static int wm8962_probe(struct snd_soc_codec *codec)
int ret;
struct wm8962_priv *wm8962 = snd_soc_codec_get_drvdata(codec);
struct wm8962_pdata *pdata = dev_get_platdata(codec->dev);
- u16 *reg_cache = codec->reg_cache;
int i, trigger, irq_pol;
bool dmicclk, dmicdat;
@@ -3436,8 +3437,9 @@ static int wm8962_probe(struct snd_soc_codec *codec)
/* Put the speakers into mono mode? */
if (pdata->spk_mono)
- reg_cache[WM8962_CLASS_D_CONTROL_2]
- |= WM8962_SPK_MONO;
+ snd_soc_update_bits(codec, WM8962_CLASS_D_CONTROL_2,
+ WM8962_SPK_MONO_MASK, WM8962_SPK_MONO);
+
/* Micbias setup, detection enable and detection
* threasholds. */
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [080/251] ARM: 7722/1: zImage: Convert 32bits memory size and address from ATAG to 64bits DTB
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (78 preceding siblings ...)
2013-09-11 4:28 ` [079/251] ASoC: wm8962: Remove remaining direct register cache accesses Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [081/251] isci: Fix a race condition in the SSP task management path Steven Rostedt
` (170 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Gregory CLEMENT, Nicolas Pitre, Russell King
[-- Attachment #1: 0080-ARM-7722-1-zImage-Convert-32bits-memory-size-and-add.patch --]
[-- Type: text/plain, Size: 3905 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Gregory CLEMENT <gregory.clement@free-electrons.com>
[ Upstream commit faefd550c45d8d314e8f260f21565320355c947f ]
When CONFIG_ARM_APPENDED_DTB is selected, if the bootloader provides
an ATAG_MEM it replaces the memory size and the memory address in the
memory node of the device tree. In the case of a system which can
handle more than 4GB, the memory node cell size is 4: each data
(memory size and memory address) are 64 bits and then use 2 cells.
The current code in atags_to_fdt.c made the assumption of a cell size
of 2 (one cell for the memory size and one cell for the memory
address), this leads to an improper write of the data and ends with a
boot hang.
This patch writes the memory size and the memory address on the memory
node in the device tree depending of the size of the memory node (32
bits or 64 bits).
It has been tested in the 2 cases:
- with a dtb using skeleton.dtsi
- and with a dtb using skeleton64.dtsi
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/arm/boot/compressed/atags_to_fdt.c | 44 ++++++++++++++++++++++++++-----
1 file changed, 38 insertions(+), 6 deletions(-)
diff --git a/arch/arm/boot/compressed/atags_to_fdt.c b/arch/arm/boot/compressed/atags_to_fdt.c
index aabc02a..d1153c8 100644
--- a/arch/arm/boot/compressed/atags_to_fdt.c
+++ b/arch/arm/boot/compressed/atags_to_fdt.c
@@ -53,6 +53,17 @@ static const void *getprop(const void *fdt, const char *node_path,
return fdt_getprop(fdt, offset, property, len);
}
+static uint32_t get_cell_size(const void *fdt)
+{
+ int len;
+ uint32_t cell_size = 1;
+ const uint32_t *size_len = getprop(fdt, "/", "#size-cells", &len);
+
+ if (size_len)
+ cell_size = fdt32_to_cpu(*size_len);
+ return cell_size;
+}
+
static void merge_fdt_bootargs(void *fdt, const char *fdt_cmdline)
{
char cmdline[COMMAND_LINE_SIZE];
@@ -95,9 +106,11 @@ static void merge_fdt_bootargs(void *fdt, const char *fdt_cmdline)
int atags_to_fdt(void *atag_list, void *fdt, int total_space)
{
struct tag *atag = atag_list;
- uint32_t mem_reg_property[2 * NR_BANKS];
+ /* In the case of 64 bits memory size, need to reserve 2 cells for
+ * address and size for each bank */
+ uint32_t mem_reg_property[2 * 2 * NR_BANKS];
int memcount = 0;
- int ret;
+ int ret, memsize;
/* make sure we've got an aligned pointer */
if ((u32)atag_list & 0x3)
@@ -137,8 +150,25 @@ int atags_to_fdt(void *atag_list, void *fdt, int total_space)
continue;
if (!atag->u.mem.size)
continue;
- mem_reg_property[memcount++] = cpu_to_fdt32(atag->u.mem.start);
- mem_reg_property[memcount++] = cpu_to_fdt32(atag->u.mem.size);
+ memsize = get_cell_size(fdt);
+
+ if (memsize == 2) {
+ /* if memsize is 2, that means that
+ * each data needs 2 cells of 32 bits,
+ * so the data are 64 bits */
+ uint64_t *mem_reg_prop64 =
+ (uint64_t *)mem_reg_property;
+ mem_reg_prop64[memcount++] =
+ cpu_to_fdt64(atag->u.mem.start);
+ mem_reg_prop64[memcount++] =
+ cpu_to_fdt64(atag->u.mem.size);
+ } else {
+ mem_reg_property[memcount++] =
+ cpu_to_fdt32(atag->u.mem.start);
+ mem_reg_property[memcount++] =
+ cpu_to_fdt32(atag->u.mem.size);
+ }
+
} else if (atag->hdr.tag == ATAG_INITRD2) {
uint32_t initrd_start, initrd_size;
initrd_start = atag->u.initrd.start;
@@ -150,8 +180,10 @@ int atags_to_fdt(void *atag_list, void *fdt, int total_space)
}
}
- if (memcount)
- setprop(fdt, "/memory", "reg", mem_reg_property, 4*memcount);
+ if (memcount) {
+ setprop(fdt, "/memory", "reg", mem_reg_property,
+ 4 * memcount * memsize);
+ }
return fdt_pack(fdt);
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [081/251] isci: Fix a race condition in the SSP task management path
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (79 preceding siblings ...)
2013-09-11 4:28 ` [080/251] ARM: 7722/1: zImage: Convert 32bits memory size and address from ATAG to 64bits DTB Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [082/251] sd: fix crash when UA received on DIF enabled device Steven Rostedt
` (169 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jeff Skirvin, Lukasz Dorau, James Bottomley
[-- Attachment #1: 0081-isci-Fix-a-race-condition-in-the-SSP-task-management.patch --]
[-- Type: text/plain, Size: 2381 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jeff Skirvin <jeffrey.d.skirvin@intel.com>
[ Upstream commit 96f15f29038e58e1b0a96483e2b369ff446becf1 ]
This commit fixes a race condition in the isci driver abort task and SSP
device task management path. The race is caused when an I/O termination
in the SCU hardware is necessary because of an SSP target timeout condition,
and the check of the I/O end state races against the HW-termination-driven
end state. The failure of the race meant that no TMF was sent to the device
to clean-up the pending I/O.
Signed-off-by: Jeff Skirvin <jeffrey.d.skirvin@intel.com>
Reviewed-by: Lukasz Dorau <lukasz.dorau@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/scsi/isci/task.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/isci/task.c b/drivers/scsi/isci/task.c
index 6bc74eb..efd9e9e 100644
--- a/drivers/scsi/isci/task.c
+++ b/drivers/scsi/isci/task.c
@@ -491,6 +491,7 @@ int isci_task_abort_task(struct sas_task *task)
struct isci_tmf tmf;
int ret = TMF_RESP_FUNC_FAILED;
unsigned long flags;
+ int target_done_already = 0;
/* Get the isci_request reference from the task. Note that
* this check does not depend on the pending request list
@@ -505,9 +506,11 @@ int isci_task_abort_task(struct sas_task *task)
/* If task is already done, the request isn't valid */
if (!(task->task_state_flags & SAS_TASK_STATE_DONE) &&
(task->task_state_flags & SAS_TASK_AT_INITIATOR) &&
- old_request)
+ old_request) {
idev = isci_get_device(task->dev->lldd_dev);
-
+ target_done_already = test_bit(IREQ_COMPLETE_IN_TARGET,
+ &old_request->flags);
+ }
spin_unlock(&task->task_state_lock);
spin_unlock_irqrestore(&ihost->scic_lock, flags);
@@ -561,7 +564,7 @@ int isci_task_abort_task(struct sas_task *task)
if (task->task_proto == SAS_PROTOCOL_SMP ||
sas_protocol_ata(task->task_proto) ||
- test_bit(IREQ_COMPLETE_IN_TARGET, &old_request->flags) ||
+ target_done_already ||
test_bit(IDEV_GONE, &idev->flags)) {
spin_unlock_irqrestore(&ihost->scic_lock, flags);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [082/251] sd: fix crash when UA received on DIF enabled device
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (80 preceding siblings ...)
2013-09-11 4:28 ` [081/251] isci: Fix a race condition in the SSP task management path Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [083/251] qla2xxx: Properly set the tagging for commands Steven Rostedt
` (168 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Ewan D. Milne, Martin K. Petersen, James Bottomley
[-- Attachment #1: 0082-sd-fix-crash-when-UA-received-on-DIF-enabled-device.patch --]
[-- Type: text/plain, Size: 2464 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "Ewan D. Milne" <emilne@redhat.com>
[ Upstream commit 085b513f97d8d799d28491239be4b451bcd8c2c5 ]
sd_prep_fn will allocate a larger CDB for the command via mempool_alloc
for devices using DIF type 2 protection. This CDB was being freed
in sd_done, which results in a kernel crash if the command is retried
due to a UNIT ATTENTION. This change moves the code to free the larger
CDB into sd_unprep_fn instead, which is invoked after the request is
complete.
It is no longer necessary to call scsi_print_command separately for
this case as the ->cmnd will no longer be NULL in the normal code path.
Also removed conditional test for DIF type 2 when freeing the larger
CDB because the protection_type could have been changed via sysfs while
the command was executing.
Signed-off-by: Ewan D. Milne <emilne@redhat.com>
Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/scsi/sd.c | 22 +++++++---------------
1 file changed, 7 insertions(+), 15 deletions(-)
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index a2ecd324..e157a93 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -673,10 +673,17 @@ static int scsi_setup_flush_cmnd(struct scsi_device *sdp, struct request *rq)
static void sd_unprep_fn(struct request_queue *q, struct request *rq)
{
+ struct scsi_cmnd *SCpnt = rq->special;
+
if (rq->cmd_flags & REQ_DISCARD) {
free_page((unsigned long)rq->buffer);
rq->buffer = NULL;
}
+ if (SCpnt->cmnd != rq->cmd) {
+ mempool_free(SCpnt->cmnd, sd_cdb_pool);
+ SCpnt->cmnd = NULL;
+ SCpnt->cmd_len = 0;
+ }
}
/**
@@ -1540,21 +1547,6 @@ static int sd_done(struct scsi_cmnd *SCpnt)
if (rq_data_dir(SCpnt->request) == READ && scsi_prot_sg_count(SCpnt))
sd_dif_complete(SCpnt, good_bytes);
- if (scsi_host_dif_capable(sdkp->device->host, sdkp->protection_type)
- == SD_DIF_TYPE2_PROTECTION && SCpnt->cmnd != SCpnt->request->cmd) {
-
- /* We have to print a failed command here as the
- * extended CDB gets freed before scsi_io_completion()
- * is called.
- */
- if (result)
- scsi_print_command(SCpnt);
-
- mempool_free(SCpnt->cmnd, sd_cdb_pool);
- SCpnt->cmnd = NULL;
- SCpnt->cmd_len = 0;
- }
-
return good_bytes;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [083/251] qla2xxx: Properly set the tagging for commands.
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (81 preceding siblings ...)
2013-09-11 4:28 ` [082/251] sd: fix crash when UA received on DIF enabled device Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [084/251] usb: host: xhci: Enable XHCI_SPURIOUS_SUCCESS for all controllers with xhci 1.0 Steven Rostedt
` (167 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jack Hill, Saurav Kashyap, Giridhar Malavali, James Bottomley
[-- Attachment #1: 0083-qla2xxx-Properly-set-the-tagging-for-commands.patch --]
[-- Type: text/plain, Size: 1907 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Saurav Kashyap <saurav.kashyap@qlogic.com>
[ Upstream commit c3ccb1d7cf4c4549151876dd37c0944a682fd9e1 ]
This fixes a regression where Xyratex controllers and disks were lost by the
driver:
https://bugzilla.kernel.org/show_bug.cgi?id=59601
Reported-by: Jack Hill <jackhill@jackhill.us>
Signed-off-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
Signed-off-by: Giridhar Malavali <giridhar.malavali@qlogic.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/scsi/qla2xxx/qla_iocb.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_iocb.c b/drivers/scsi/qla2xxx/qla_iocb.c
index 70dbf53..f2254d2 100644
--- a/drivers/scsi/qla2xxx/qla_iocb.c
+++ b/drivers/scsi/qla2xxx/qla_iocb.c
@@ -424,6 +424,8 @@ qla2x00_start_scsi(srb_t *sp)
__constant_cpu_to_le16(CF_SIMPLE_TAG);
break;
}
+ } else {
+ cmd_pkt->control_flags = __constant_cpu_to_le16(CF_SIMPLE_TAG);
}
/* Load SCSI command packet. */
@@ -1353,11 +1355,11 @@ qla24xx_build_scsi_crc_2_iocbs(srb_t *sp, struct cmd_type_crc_2 *cmd_pkt,
fcp_cmnd->task_attribute = TSK_ORDERED;
break;
default:
- fcp_cmnd->task_attribute = 0;
+ fcp_cmnd->task_attribute = TSK_SIMPLE;
break;
}
} else {
- fcp_cmnd->task_attribute = 0;
+ fcp_cmnd->task_attribute = TSK_SIMPLE;
}
cmd_pkt->fcp_rsp_dseg_len = 0; /* Let response come in status iocb */
@@ -1563,7 +1565,12 @@ qla24xx_start_scsi(srb_t *sp)
case ORDERED_QUEUE_TAG:
cmd_pkt->task = TSK_ORDERED;
break;
+ default:
+ cmd_pkt->task = TSK_SIMPLE;
+ break;
}
+ } else {
+ cmd_pkt->task = TSK_SIMPLE;
}
/* Load SCSI command packet. */
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [084/251] usb: host: xhci: Enable XHCI_SPURIOUS_SUCCESS for all controllers with xhci 1.0
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (82 preceding siblings ...)
2013-09-11 4:28 ` [083/251] qla2xxx: Properly set the tagging for commands Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [085/251] xhci: fix null pointer dereference on ring_doorbell_for_active_rings Steven Rostedt
` (166 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: George Cherian, Sarah Sharp
[-- Attachment #1: 0084-usb-host-xhci-Enable-XHCI_SPURIOUS_SUCCESS-for-all-c.patch --]
[-- Type: text/plain, Size: 3376 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: George Cherian <george.cherian@ti.com>
[ Upstream commit 07f3cb7c28bf3f4dd80bfb136cf45810c46ac474 ]
Xhci controllers with hci_version > 0.96 gives spurious success
events on short packet completion. During webcam capture the
"ERROR Transfer event TRB DMA ptr not part of current TD" was observed.
The same application works fine with synopsis controllers hci_version 0.96.
The same issue is seen with Intel Pantherpoint xhci controller. So enabling
this quirk in xhci_gen_setup if controller verion is greater than 0.96.
For xhci-pci move the quirk to much generic place xhci_gen_setup.
Note from Sarah:
The xHCI 1.0 spec changed how hardware handles short packets. The HW
will notify SW of the TRB where the short packet occurred, and it will
also give a successful status for the last TRB in a TD (the one with the
IOC flag set). On the second successful status, that warning will be
triggered in the driver.
Software is now supposed to not assume the TD is not completed until it
gets that last successful status. That means we have a slight race
condition, although it should have little practical impact. This patch
papers over that issue.
It's on my long-term to-do list to fix this race condition, but it is a
much more involved patch that will probably be too big for stable. This
patch is needed for stable to avoid serious log spam.
This patch should be backported to kernels as old as 3.0, that
contain the commit ad808333d8201d53075a11bc8dd83b81f3d68f0b "Intel xhci:
Ignore spurious successful event."
The patch will have to be modified for kernels older than 3.2, since
that kernel added the xhci_gen_setup function for xhci platform devices.
The correct conflict resolution for kernels older than 3.2 is to set
XHCI_SPURIOUS_SUCCESS in xhci_pci_quirks for all xHCI 1.0 hosts.
Signed-off-by: George Cherian <george.cherian@ti.com>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/host/xhci-pci.c | 1 -
drivers/usb/host/xhci.c | 7 +++++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
index cd0fc48..aecfc58 100644
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -93,7 +93,6 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
}
if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
pdev->device == PCI_DEVICE_ID_INTEL_PANTHERPOINT_XHCI) {
- xhci->quirks |= XHCI_SPURIOUS_SUCCESS;
xhci->quirks |= XHCI_EP_LIMIT_QUIRK;
xhci->limit_active_eps = 64;
xhci->quirks |= XHCI_SW_BW_CHECKING;
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 2c117ec..bb8b3a5 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -4654,6 +4654,13 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks)
get_quirks(dev, xhci);
+ /* In xhci controllers which follow xhci 1.0 spec gives a spurious
+ * success event after a short transfer. This quirk will ignore such
+ * spurious event.
+ */
+ if (xhci->hci_version > 0x96)
+ xhci->quirks |= XHCI_SPURIOUS_SUCCESS;
+
/* Make sure the HC is halted. */
retval = xhci_halt(xhci);
if (retval)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [085/251] xhci: fix null pointer dereference on ring_doorbell_for_active_rings
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (83 preceding siblings ...)
2013-09-11 4:28 ` [084/251] usb: host: xhci: Enable XHCI_SPURIOUS_SUCCESS for all controllers with xhci 1.0 Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [086/251] xhci: Avoid NULL pointer deref when host dies Steven Rostedt
` (165 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Oleksij Rempel, Sarah Sharp
[-- Attachment #1: 0085-xhci-fix-null-pointer-dereference-on-ring_doorbell_f.patch --]
[-- Type: text/plain, Size: 1464 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <linux@rempel-privat.de>
[ Upstream commit d66eaf9f89502971fddcb0de550b01fa6f409d83 ]
in some cases where device is attched to xhci port and do not responding,
for example ath9k_htc with stalled firmware, kernel will
crash on ring_doorbell_for_active_rings.
This patch check if pointer exist before it is used.
This patch should be backported to kernels as old as 2.6.35, that
contain the commit e9df17eb1408cfafa3d1844bfc7f22c7237b31b8 "USB: xhci:
Correct assumptions about number of rings per endpoint"
Signed-off-by: Oleksij Rempel <linux@rempel-privat.de>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/host/xhci-ring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 8848616..21a01ac 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -434,7 +434,7 @@ static void ring_doorbell_for_active_rings(struct xhci_hcd *xhci,
/* A ring has pending URBs if its TD list is not empty */
if (!(ep->ep_state & EP_HAS_STREAMS)) {
- if (!(list_empty(&ep->ring->td_list)))
+ if (ep->ring && !(list_empty(&ep->ring->td_list)))
xhci_ring_ep_doorbell(xhci, slot_id, ep_index, 0);
return;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [086/251] xhci: Avoid NULL pointer deref when host dies.
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (84 preceding siblings ...)
2013-09-11 4:28 ` [085/251] xhci: fix null pointer dereference on ring_doorbell_for_active_rings Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [087/251] USB: EHCI: Fix resume signalling on remote wakeup Steven Rostedt
` (164 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sarah Sharp, Vincent Thiele
[-- Attachment #1: 0086-xhci-Avoid-NULL-pointer-deref-when-host-dies.patch --]
[-- Type: text/plain, Size: 2701 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Sarah Sharp <sarah.a.sharp@linux.intel.com>
[ Upstream commit 203a86613fb3bf2767335659513fa98563a3eb71 ]
When the host controller fails to respond to an Enable Slot command, and
the host fails to respond to the register write to abort the command
ring, the xHCI driver will assume the host is dead, and call
usb_hc_died().
The USB device's slot_id is still set to zero, and the pointer stored at
xhci->devs[0] will always be NULL. The call to xhci_check_args in
xhci_free_dev should have caught the NULL virt_dev pointer.
However, xhci_free_dev is designed to free the xhci_virt_device
structures, even if the host is dead, so that we don't leak kernel
memory. xhci_free_dev checks the return value from the generic
xhci_check_args function. If the return value is -ENODEV, it carries on
trying to free the virtual device.
The issue is that xhci_check_args looks at the host controller state
before it looks at the xhci_virt_device pointer. It will return -ENIVAL
because the host is dead, and xhci_free_dev will ignore the return
value, and happily dereference the NULL xhci_virt_device pointer.
The fix is to make sure that xhci_check_args checks the xhci_virt_device
pointer before it checks the host state.
See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1203453 for
further details. This patch doesn't solve the underlying issue, but
will ensure we don't see any more NULL pointer dereferences because of
the issue.
This patch should be backported to kernels as old as 3.1, that
contain the commit 7bd89b4017f46a9b92853940fd9771319acb578a "xhci: Don't
submit commands or URBs to halted hosts."
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Reported-by: Vincent Thiele <vincentthiele@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/host/xhci.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index bb8b3a5..a37f20d 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -1152,9 +1152,6 @@ static int xhci_check_args(struct usb_hcd *hcd, struct usb_device *udev,
}
xhci = hcd_to_xhci(hcd);
- if (xhci->xhc_state & XHCI_STATE_HALTED)
- return -ENODEV;
-
if (check_virt_dev) {
if (!udev->slot_id || !xhci->devs[udev->slot_id]) {
printk(KERN_DEBUG "xHCI %s called with unaddressed "
@@ -1170,6 +1167,9 @@ static int xhci_check_args(struct usb_hcd *hcd, struct usb_device *udev,
}
}
+ if (xhci->xhc_state & XHCI_STATE_HALTED)
+ return -ENODEV;
+
return 1;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [087/251] USB: EHCI: Fix resume signalling on remote wakeup
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (85 preceding siblings ...)
2013-09-11 4:28 ` [086/251] xhci: Avoid NULL pointer deref when host dies Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [088/251] USB: mos7840: fix memory leak in open Steven Rostedt
` (163 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Roger Quadros, Alan Stern, Greg Kroah-Hartman
[-- Attachment #1: 0087-USB-EHCI-Fix-resume-signalling-on-remote-wakeup.patch --]
[-- Type: text/plain, Size: 1389 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Roger Quadros <rogerq@ti.com>
[ Upstream commit 47a64a13d54f6c669b00542848d5550be3d3310e ]
Set the ehci->resuming flag for the port we receive a remote
wakeup on so that resume signalling can be completed.
Without this, the root hub timer will not fire again to check
if the resume was completed and there will be a never-ending wait on
on the port.
This effect is only observed if the HUB IRQ IN does not come after we
have initiated the port resume.
Signed-off-by: Roger Quadros <rogerq@ti.com>
Cc: stable <stable@vger.kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/host/ehci-hub.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c
index c788022..20a6b75 100644
--- a/drivers/usb/host/ehci-hub.c
+++ b/drivers/usb/host/ehci-hub.c
@@ -830,6 +830,7 @@ static int ehci_hub_control (
/* resume signaling for 20 msec */
ehci->reset_done[wIndex] = jiffies
+ msecs_to_jiffies(20);
+ set_bit(wIndex, &ehci->resuming_ports);
/* check the port again */
mod_timer(&ehci_to_hcd(ehci)->rh_timer,
ehci->reset_done[wIndex]);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [088/251] USB: mos7840: fix memory leak in open
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (86 preceding siblings ...)
2013-09-11 4:28 ` [087/251] USB: EHCI: Fix resume signalling on remote wakeup Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [089/251] usb: dwc3: fix wrong bit mask in dwc3_event_type Steven Rostedt
` (162 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Johan Hovold, Greg Kroah-Hartman
[-- Attachment #1: 0088-USB-mos7840-fix-memory-leak-in-open.patch --]
[-- Type: text/plain, Size: 3122 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Johan Hovold <jhovold@gmail.com>
[ Upstream commit 5f8a2e68b679b41cc8e9b642f2f5aa45dd678641 ]
Allocated urbs and buffers were never freed on errors in open.
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/mos7840.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
index 3193d25..15cc47d 100644
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -972,20 +972,20 @@ static int mos7840_open(struct tty_struct *tty, struct usb_serial_port *port)
status = mos7840_get_reg_sync(port, mos7840_port->SpRegOffset, &Data);
if (status < 0) {
dbg("Reading Spreg failed");
- return -1;
+ goto err;
}
Data |= 0x80;
status = mos7840_set_reg_sync(port, mos7840_port->SpRegOffset, Data);
if (status < 0) {
dbg("writing Spreg failed");
- return -1;
+ goto err;
}
Data &= ~0x80;
status = mos7840_set_reg_sync(port, mos7840_port->SpRegOffset, Data);
if (status < 0) {
dbg("writing Spreg failed");
- return -1;
+ goto err;
}
/* End of block to be checked */
@@ -994,7 +994,7 @@ static int mos7840_open(struct tty_struct *tty, struct usb_serial_port *port)
&Data);
if (status < 0) {
dbg("Reading Controlreg failed");
- return -1;
+ goto err;
}
Data |= 0x08; /* Driver done bit */
Data |= 0x20; /* rx_disable */
@@ -1002,7 +1002,7 @@ static int mos7840_open(struct tty_struct *tty, struct usb_serial_port *port)
mos7840_port->ControlRegOffset, Data);
if (status < 0) {
dbg("writing Controlreg failed");
- return -1;
+ goto err;
}
/* do register settings here */
/* Set all regs to the device default values. */
@@ -1013,21 +1013,21 @@ static int mos7840_open(struct tty_struct *tty, struct usb_serial_port *port)
status = mos7840_set_uart_reg(port, INTERRUPT_ENABLE_REGISTER, Data);
if (status < 0) {
dbg("disabling interrupts failed");
- return -1;
+ goto err;
}
/* Set FIFO_CONTROL_REGISTER to the default value */
Data = 0x00;
status = mos7840_set_uart_reg(port, FIFO_CONTROL_REGISTER, Data);
if (status < 0) {
dbg("Writing FIFO_CONTROL_REGISTER failed");
- return -1;
+ goto err;
}
Data = 0xcf;
status = mos7840_set_uart_reg(port, FIFO_CONTROL_REGISTER, Data);
if (status < 0) {
dbg("Writing FIFO_CONTROL_REGISTER failed");
- return -1;
+ goto err;
}
Data = 0x03;
@@ -1181,6 +1181,15 @@ static int mos7840_open(struct tty_struct *tty, struct usb_serial_port *port)
serial, mos7840_port, port);
return 0;
+err:
+ for (j = 0; j < NUM_URBS; ++j) {
+ urb = mos7840_port->write_urb_pool[j];
+ if (!urb)
+ continue;
+ kfree(urb->transfer_buffer);
+ usb_free_urb(urb);
+ }
+ return status;
}
/*****************************************************************************
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [089/251] usb: dwc3: fix wrong bit mask in dwc3_event_type
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (87 preceding siblings ...)
2013-09-11 4:28 ` [088/251] USB: mos7840: fix memory leak in open Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [090/251] usb: dwc3: gadget: dont prevent gadget from being probed if we fail Steven Rostedt
` (161 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Huang Rui, Felipe Balbi
[-- Attachment #1: 0089-usb-dwc3-fix-wrong-bit-mask-in-dwc3_event_type.patch --]
[-- Type: text/plain, Size: 1602 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Huang Rui <ray.huang@amd.com>
[ Upstream commit 1974d494dea05ea227cb42f5e918828801e237aa ]
Per dwc3 2.50a spec, the is_devspec bit is used to distinguish the
Device Endpoint-Specific Event or Device-Specific Event (DEVT). If the
bit is 1, the event is represented Device-Specific Event, then use
[7:1] bits as Device Specific Event to marked the type. It has 7 bits,
and we can see the reserved8_31 variable name which means from 8 to 31
bits marked reserved, actually there are 24 bits not 25 bits between
that. And 1 + 7 + 24 = 32, the event size is 4 byes.
So in dwc3_event_type, the bit mask should be:
is_devspec [0] 1 bit
type [7:1] 7 bits
reserved8_31 [31:8] 24 bits
This patch should be backported to kernels as old as 3.2, that contain
the commit 72246da40f3719af3bfd104a2365b32537c27d83 "usb: Introduce
DesignWare USB3 DRD Driver".
Cc: <stable@vger.kernel.org>
Signed-off-by: Huang Rui <ray.huang@amd.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/dwc3/core.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
index 151eca8..06dffc8 100644
--- a/drivers/usb/dwc3/core.h
+++ b/drivers/usb/dwc3/core.h
@@ -728,8 +728,8 @@ struct dwc3 {
struct dwc3_event_type {
u32 is_devspec:1;
- u32 type:6;
- u32 reserved8_31:25;
+ u32 type:7;
+ u32 reserved8_31:24;
} __packed;
#define DWC3_DEPEVT_XFERCOMPLETE 0x01
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [090/251] usb: dwc3: gadget: dont prevent gadget from being probed if we fail
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (88 preceding siblings ...)
2013-09-11 4:28 ` [089/251] usb: dwc3: fix wrong bit mask in dwc3_event_type Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [091/251] USB: ti_usb_3410_5052: fix dynamic-id matching Steven Rostedt
` (160 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Felipe Balbi
[-- Attachment #1: 0090-usb-dwc3-gadget-don-t-prevent-gadget-from-being-prob.patch --]
[-- Type: text/plain, Size: 1003 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Felipe Balbi <balbi@ti.com>
[ Upstream commit cdcedd6981194e511cc206887db661d016069d68 ]
In case we fail our ->udc_start() callback, we
should be ready to accept another modprobe following
the failed one.
We had forgotten to clear dwc->gadget_driver back
to NULL and, because of that, we were preventing
gadget driver modprobe from being retried.
Cc: <stable@vger.kernel.org>
Signed-off-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/dwc3/gadget.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 8212dbb..234305a 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1558,6 +1558,7 @@ err1:
__dwc3_gadget_ep_disable(dwc->eps[0]);
err0:
+ dwc->gadget_driver = NULL;
spin_unlock_irqrestore(&dwc->lock, flags);
return ret;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [091/251] USB: ti_usb_3410_5052: fix dynamic-id matching
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (89 preceding siblings ...)
2013-09-11 4:28 ` [090/251] usb: dwc3: gadget: dont prevent gadget from being probed if we fail Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [093/251] usb: Clear both buffers when clearing a control transfer TT buffer Steven Rostedt
` (159 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Anders Hammarquist, Johan Hovold, Greg Kroah-Hartman
[-- Attachment #1: 0091-USB-ti_usb_3410_5052-fix-dynamic-id-matching.patch --]
[-- Type: text/plain, Size: 1391 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Johan Hovold <jhovold@gmail.com>
[ Upstream commit 1fad56424f5ad3ce4973505a357212b2e2282b3f ]
The driver failed to take the dynamic ids into account when determining
the device type and therefore all devices were detected as 2-port
devices when using the dynamic-id interface.
Match on the usb-serial-driver field instead of doing redundant id-table
searches.
Reported-by: Anders Hammarquist <iko@iko.pp.se>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/ti_usb_3410_5052.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c
index c7550bf..d654036 100644
--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -383,7 +383,7 @@ static int ti_startup(struct usb_serial *serial)
usb_set_serial_data(serial, tdev);
/* determine device type */
- if (usb_match_id(serial->interface, ti_id_table_3410))
+ if (serial->type == &ti_1port_device)
tdev->td_is_3410 = 1;
dbg("%s - device type is %s", __func__,
tdev->td_is_3410 ? "3410" : "5052");
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [093/251] usb: Clear both buffers when clearing a control transfer TT buffer.
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (90 preceding siblings ...)
2013-09-11 4:28 ` [091/251] USB: ti_usb_3410_5052: fix dynamic-id matching Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [094/251] staging: comedi: COMEDI_CANCEL ioctl should wake up read/write Steven Rostedt
` (158 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: William Gulland, Alan Stern, Greg Kroah-Hartman
[-- Attachment #1: 0093-usb-Clear-both-buffers-when-clearing-a-control-trans.patch --]
[-- Type: text/plain, Size: 1476 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: William Gulland <wgulland@google.com>
[ Upstream commit 2c7b871b9102c497ba8f972aa5d38532f05b654d ]
Control transfers have both IN and OUT (or SETUP) packets, so when
clearing TT buffers for a control transfer it's necessary to send
two HUB_CLEAR_TT_BUFFER requests to the hub.
Signed-off-by: William Gulland <wgulland@google.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/core/hub.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index fe7faf0..74ae3a5 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -711,6 +711,15 @@ resubmit:
static inline int
hub_clear_tt_buffer (struct usb_device *hdev, u16 devinfo, u16 tt)
{
+ /* Need to clear both directions for control ep */
+ if (((devinfo >> 11) & USB_ENDPOINT_XFERTYPE_MASK) ==
+ USB_ENDPOINT_XFER_CONTROL) {
+ int status = usb_control_msg(hdev, usb_sndctrlpipe(hdev, 0),
+ HUB_CLEAR_TT_BUFFER, USB_RT_PORT,
+ devinfo ^ 0x8000, tt, NULL, 0, 1000);
+ if (status)
+ return status;
+ }
return usb_control_msg(hdev, usb_sndctrlpipe(hdev, 0),
HUB_CLEAR_TT_BUFFER, USB_RT_PORT, devinfo,
tt, NULL, 0, 1000);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [094/251] staging: comedi: COMEDI_CANCEL ioctl should wake up read/write
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (91 preceding siblings ...)
2013-09-11 4:28 ` [093/251] usb: Clear both buffers when clearing a control transfer TT buffer Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [095/251] staging: android: logger: Correct write offset reset on error Steven Rostedt
` (157 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Ian Abbott, Greg Kroah-Hartman
[-- Attachment #1: 0094-staging-comedi-COMEDI_CANCEL-ioctl-should-wake-up-re.patch --]
[-- Type: text/plain, Size: 2334 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
[ Upstream commit 69acbaac303e8cb948801a9ddd0ac24e86cc4a1b ]
Comedi devices can do blocking read() or write() (or poll()) if an
asynchronous command has been set up, blocking for data (for read()) or
buffer space (for write()). Various events associated with the
asynchronous command will wake up the blocked reader or writer (or
poller). It is also possible to force the asynchronous command to
terminate by issuing a `COMEDI_CANCEL` ioctl. That shuts down the
asynchronous command, but does not currently wake up the blocked reader
or writer (or poller). If the blocked task could be woken up, it would
see that the command is no longer active and return. The caller of the
`COMEDI_CANCEL` ioctl could attempt to wake up the blocked task by
sending a signal, but that's a nasty workaround.
Change `do_cancel_ioctl()` to wake up the wait queue after it returns
from `do_cancel()`. `do_cancel()` can propagate an error return value
from the low-level comedi driver's cancel routine, but it always shuts
the command down regardless, so `do_cancel_ioctl()` can wake up he wait
queue regardless of the return value from `do_cancel()`.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/staging/comedi/comedi_fops.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index 41dea18..d29b050 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -1470,6 +1470,7 @@ static int do_cancel_ioctl(struct comedi_device *dev, unsigned int arg,
void *file)
{
struct comedi_subdevice *s;
+ int ret;
if (arg >= dev->n_subdevices)
return -EINVAL;
@@ -1486,7 +1487,11 @@ static int do_cancel_ioctl(struct comedi_device *dev, unsigned int arg,
if (s->busy != file)
return -EBUSY;
- return do_cancel(dev, s);
+ ret = do_cancel(dev, s);
+ if (comedi_get_subdevice_runflags(s) & SRF_USER)
+ wake_up_interruptible(&s->async->wait_head);
+
+ return ret;
}
/*
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [095/251] staging: android: logger: Correct write offset reset on error
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (92 preceding siblings ...)
2013-09-11 4:28 ` [094/251] staging: comedi: COMEDI_CANCEL ioctl should wake up read/write Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [096/251] Btrfs: fix lock leak when resuming snapshot deletion Steven Rostedt
` (156 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Android Kernel Team, Bjorn Andersson, Greg Kroah-Hartman
[-- Attachment #1: 0095-staging-android-logger-Correct-write-offset-reset-on.patch --]
[-- Type: text/plain, Size: 1674 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Karlis Ogsts <karlis.ogsts@sonymobile.com>
[ Upstream commit 72bb99cfe9c57d2044445fb34bbc95b4c0bae6f2 ]
In the situation that a writer fails to copy data from userspace it will reset
the write offset to the value it had before it went to sleep. This discarding
any messages written while aquiring the mutex.
Therefore the reset offset needs to be retrieved after acquiring the mutex.
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@sonymobile.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/staging/android/logger.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/android/logger.c b/drivers/staging/android/logger.c
index f7b8237d5..e5b797c 100644
--- a/drivers/staging/android/logger.c
+++ b/drivers/staging/android/logger.c
@@ -359,7 +359,7 @@ static ssize_t logger_aio_write(struct kiocb *iocb, const struct iovec *iov,
unsigned long nr_segs, loff_t ppos)
{
struct logger_log *log = file_get_log(iocb->ki_filp);
- size_t orig = log->w_off;
+ size_t orig;
struct logger_entry header;
struct timespec now;
ssize_t ret = 0;
@@ -378,6 +378,8 @@ static ssize_t logger_aio_write(struct kiocb *iocb, const struct iovec *iov,
mutex_lock(&log->mutex);
+ orig = log->w_off;
+
/*
* Fix up any readers, pulling them forward to the first readable
* entry after (what will be) the new write offset. We do this now
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [096/251] Btrfs: fix lock leak when resuming snapshot deletion
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (93 preceding siblings ...)
2013-09-11 4:28 ` [095/251] staging: android: logger: Correct write offset reset on error Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [097/251] Btrfs: re-add root to dead root list if we stop dropping it Steven Rostedt
` (155 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Alex Lyakas, Josef Bacik
[-- Attachment #1: 0096-Btrfs-fix-lock-leak-when-resuming-snapshot-deletion.patch --]
[-- Type: text/plain, Size: 1405 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Josef Bacik <jbacik@fusionio.com>
[ Upstream commit fec386ac1428f9c0e672df952cbca5cebd4e4e2f ]
We aren't setting path->locks[level] when we resume a snapshot deletion which
means we won't unlock the buffer when we free the path. This causes deadlocks
if we happen to re-allocate the block before we've evicted the extent buffer
from cache. Thanks,
Cc: stable@vger.kernel.org
Reported-by: Alex Lyakas <alex.btrfs@zadarastorage.com>
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/btrfs/extent-tree.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 6d7b589..dcfce2a 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -7007,6 +7007,7 @@ int btrfs_drop_snapshot(struct btrfs_root *root,
while (1) {
btrfs_tree_lock(path->nodes[level]);
btrfs_set_lock_blocking(path->nodes[level]);
+ path->locks[level] = BTRFS_WRITE_LOCK_BLOCKING;
ret = btrfs_lookup_extent_info(trans, root,
path->nodes[level]->start,
@@ -7023,6 +7024,7 @@ int btrfs_drop_snapshot(struct btrfs_root *root,
break;
btrfs_tree_unlock(path->nodes[level]);
+ path->locks[level] = 0;
WARN_ON(wc->refs[level] != 1);
level--;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [097/251] Btrfs: re-add root to dead root list if we stop dropping it
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (94 preceding siblings ...)
2013-09-11 4:28 ` [096/251] Btrfs: fix lock leak when resuming snapshot deletion Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [098/251] xen-netfront: pull on receive skb may need to happen earlier Steven Rostedt
` (154 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Alex Lyakas, Josef Bacik
[-- Attachment #1: 0097-Btrfs-re-add-root-to-dead-root-list-if-we-stop-dropp.patch --]
[-- Type: text/plain, Size: 1969 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Josef Bacik <jbacik@fusionio.com>
[ Upstream commit d29a9f629e009c9b90e5859bce581070fd6247fc ]
If we stop dropping a root for whatever reason we need to add it back to the
dead root list so that we will re-start the dropping next transaction commit.
The other case this happens is if we recover a drop because we will add a root
without adding it to the fs radix tree, so we can leak it's root and commit root
extent buffer, adding this to the dead root list makes this cleanup happen.
Thanks,
Cc: stable@vger.kernel.org
Reported-by: Alex Lyakas <alex.btrfs@zadarastorage.com>
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/btrfs/extent-tree.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index dcfce2a..3b09565 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -6950,6 +6950,7 @@ int btrfs_drop_snapshot(struct btrfs_root *root,
int err = 0;
int ret;
int level;
+ bool root_dropped = false;
path = btrfs_alloc_path();
if (!path) {
@@ -7120,12 +7121,22 @@ int btrfs_drop_snapshot(struct btrfs_root *root,
free_extent_buffer(root->commit_root);
kfree(root);
}
+ root_dropped = true;
out_end_trans:
btrfs_end_transaction_throttle(trans, tree_root);
out_free:
kfree(wc);
btrfs_free_path(path);
out:
+ /*
+ * So if we need to stop dropping the snapshot for whatever reason we
+ * need to make sure to add it back to the dead root list so that we
+ * keep trying to do the work later. This also cleans up roots if we
+ * don't have it in the radix (like when we recover after a power fail
+ * or unmount) so we don't leak memory.
+ */
+ if (root_dropped == false)
+ btrfs_add_dead_root(root);
if (err)
btrfs_std_error(root->fs_info, err);
return err;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [098/251] xen-netfront: pull on receive skb may need to happen earlier
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (95 preceding siblings ...)
2013-09-11 4:28 ` [097/251] Btrfs: re-add root to dead root list if we stop dropping it Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [099/251] xen/blkback: Check device permissions before allowing OP_DISCARD Steven Rostedt
` (153 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jan Beulich, Wei Liu, Ian Campbell, David S. Miller
[-- Attachment #1: 0098-xen-netfront-pull-on-receive-skb-may-need-to-happen-.patch --]
[-- Type: text/plain, Size: 5124 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jan Beulich <JBeulich@suse.com>
[ Upstream commit 093b9c71b6e450e375f4646ba86faed0195ec7df ]
Due to commit 3683243b ("xen-netfront: use __pskb_pull_tail to ensure
linear area is big enough on RX") xennet_fill_frags() may end up
filling MAX_SKB_FRAGS + 1 fragments in a receive skb, and only reduce
the fragment count subsequently via __pskb_pull_tail(). That's a
result of xennet_get_responses() allowing a maximum of one more slot to
be consumed (and intermediately transformed into a fragment) if the
head slot has a size less than or equal to RX_COPY_THRESHOLD.
Hence we need to adjust xennet_fill_frags() to pull earlier if we
reached the maximum fragment count - due to the described behavior of
xennet_get_responses() this guarantees that at least the first fragment
will get completely consumed, and hence the fragment count reduced.
In order to not needlessly call __pskb_pull_tail() twice, make the
original call conditional upon the pull target not having been reached
yet, and defer the newly added one as much as possible (an alternative
would have been to always call the function right before the call to
xennet_fill_frags(), but that would imply more frequent cases of
needing to call it twice).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: stable@vger.kernel.org (3.6 onwards)
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/xen-netfront.c | 50 ++++++++++++--------------------------------
1 file changed, 13 insertions(+), 37 deletions(-)
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index ecac034..110c26c 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -275,8 +275,7 @@ no_skb:
break;
}
- __skb_fill_page_desc(skb, 0, page, 0, 0);
- skb_shinfo(skb)->nr_frags = 1;
+ skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE);
__skb_queue_tail(&np->rx_batch, skb);
}
@@ -771,7 +770,6 @@ static RING_IDX xennet_fill_frags(struct netfront_info *np,
struct sk_buff_head *list)
{
struct skb_shared_info *shinfo = skb_shinfo(skb);
- int nr_frags = shinfo->nr_frags;
RING_IDX cons = np->rx.rsp_cons;
struct sk_buff *nskb;
@@ -780,19 +778,21 @@ static RING_IDX xennet_fill_frags(struct netfront_info *np,
RING_GET_RESPONSE(&np->rx, ++cons);
skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0];
- __skb_fill_page_desc(skb, nr_frags,
- skb_frag_page(nfrag),
- rx->offset, rx->status);
+ if (shinfo->nr_frags == MAX_SKB_FRAGS) {
+ unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
- skb->data_len += rx->status;
+ BUG_ON(pull_to <= skb_headlen(skb));
+ __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
+ }
+ BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS);
+
+ skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag),
+ rx->offset, rx->status, PAGE_SIZE);
skb_shinfo(nskb)->nr_frags = 0;
kfree_skb(nskb);
-
- nr_frags++;
}
- shinfo->nr_frags = nr_frags;
return cons;
}
@@ -878,7 +878,8 @@ static int handle_incoming_queue(struct net_device *dev,
while ((skb = __skb_dequeue(rxq)) != NULL) {
int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
- __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
+ if (pull_to > skb_headlen(skb))
+ __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
/* Ethernet work: Delayed to here as it peeks the header. */
skb->protocol = eth_type_trans(skb, dev);
@@ -964,35 +965,10 @@ err:
skb_shinfo(skb)->frags[0].page_offset = rx->offset;
skb_frag_size_set(&skb_shinfo(skb)->frags[0], rx->status);
skb->data_len = rx->status;
+ skb->len += rx->status;
i = xennet_fill_frags(np, skb, &tmpq);
- /*
- * Truesize approximates the size of true data plus
- * any supervisor overheads. Adding hypervisor
- * overheads has been shown to significantly reduce
- * achievable bandwidth with the default receive
- * buffer size. It is therefore not wise to account
- * for it here.
- *
- * After alloc_skb(RX_COPY_THRESHOLD), truesize is set
- * to RX_COPY_THRESHOLD + the supervisor
- * overheads. Here, we add the size of the data pulled
- * in xennet_fill_frags().
- *
- * We also adjust for any unused space in the main
- * data area by subtracting (RX_COPY_THRESHOLD -
- * len). This is especially important with drivers
- * which split incoming packets into header and data,
- * using only 66 bytes of the main data area (see the
- * e1000 driver for example.) On such systems,
- * without this last adjustement, our achievable
- * receive throughout using the standard receive
- * buffer size was cut by 25%(!!!).
- */
- skb->truesize += skb->data_len - RX_COPY_THRESHOLD;
- skb->len += skb->data_len;
-
if (rx->flags & XEN_NETRXF_csum_blank)
skb->ip_summed = CHECKSUM_PARTIAL;
else if (rx->flags & XEN_NETRXF_data_validated)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [099/251] xen/blkback: Check device permissions before allowing OP_DISCARD
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (96 preceding siblings ...)
2013-09-11 4:28 ` [098/251] xen-netfront: pull on receive skb may need to happen earlier Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [100/251] md/raid5: fix interaction of replace and recovery Steven Rostedt
` (152 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jan Beulich, Ian Campbell, Konrad Rzeszutek Wilk
[-- Attachment #1: 0099-xen-blkback-Check-device-permissions-before-allowing.patch --]
[-- Type: text/plain, Size: 1943 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
[ Upstream commit 604c499cbbcc3d5fe5fb8d53306aa0fae1990109 ]
We need to make sure that the device is not RO or that
the request is not past the number of sectors we want to
issue the DISCARD operation for.
This fixes CVE-2013-2140.
Cc: stable@vger.kernel.org
Acked-by: Jan Beulich <JBeulich@suse.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
[v1: Made it pr_warn instead of pr_debug]
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/block/xen-blkback/blkback.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c
index 4fd1dea..4ed7bf9 100644
--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -399,7 +399,18 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
int status = BLKIF_RSP_OKAY;
struct block_device *bdev = blkif->vbd.bdev;
unsigned long secure;
+ struct phys_req preq;
+
+ preq.sector_number = req->u.discard.sector_number;
+ preq.nr_sects = req->u.discard.nr_sectors;
+ err = xen_vbd_translate(&preq, blkif, WRITE);
+ if (err) {
+ pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n",
+ preq.sector_number,
+ preq.sector_number + preq.nr_sects, blkif->vbd.pdevice);
+ goto fail_response;
+ }
blkif->st_ds_req++;
xen_blkif_get(blkif);
@@ -410,7 +421,7 @@ static int dispatch_discard_io(struct xen_blkif *blkif,
err = blkdev_issue_discard(bdev, req->u.discard.sector_number,
req->u.discard.nr_sectors,
GFP_KERNEL, secure);
-
+fail_response:
if (err == -EOPNOTSUPP) {
pr_debug(DRV_PFX "discard op failed, not supported\n");
status = BLKIF_RSP_EOPNOTSUPP;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [100/251] md/raid5: fix interaction of replace and recovery.
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (97 preceding siblings ...)
2013-09-11 4:28 ` [099/251] xen/blkback: Check device permissions before allowing OP_DISCARD Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [101/251] md/raid10: remove use-after-free bug Steven Rostedt
` (151 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: qindehua, qindehua, NeilBrown
[-- Attachment #1: 0100-md-raid5-fix-interaction-of-replace-and-recovery.patch --]
[-- Type: text/plain, Size: 4151 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: NeilBrown <neilb@suse.de>
[ Upstream commit f94c0b6658c7edea8bc19d13be321e3860a3fa54 ]
If a device in a RAID4/5/6 is being replaced while another is being
recovered, then the writes to the replacement device currently don't
happen, resulting in corruption when the replacement completes and the
new drive takes over.
This is because the replacement writes are only triggered when
's.replacing' is set and not when the similar 's.sync' is set (which
is the case during resync and recovery - it means all devices need to
be read).
So schedule those writes when s.replacing is set as well.
In this case we cannot use "STRIPE_INSYNC" to record that the
replacement has happened as that is needed for recording that any
parity calculation is complete. So introduce STRIPE_REPLACED to
record if the replacement has happened.
For safety we should also check that STRIPE_COMPUTE_RUN is not set.
This has a similar effect to the "s.locked == 0" test. The latter
ensure that now IO has been flagged but not started. The former
checks if any parity calculation has been flagged by not started.
We must wait for both of these to complete before triggering the
'replace'.
Add a similar test to the subsequent check for "are we finished yet".
This possibly isn't needed (is subsumed in the STRIPE_INSYNC test),
but it makes it more obvious that the REPLACE will happen before we
think we are finished.
Finally if a NeedReplace device is not UPTODATE then that is an
error. We really must trigger a warning.
This bug was introduced in commit 9a3e1101b827a59ac9036a672f5fa8d5279d0fe2
(md/raid5: detect and handle replacements during recovery.)
which introduced replacement for raid5.
That was in 3.3-rc3, so any stable kernel since then would benefit
from this fix.
Cc: stable@vger.kernel.org (3.3+)
Reported-by: qindehua <13691222965@163.com>
Tested-by: qindehua <qindehua@163.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/md/raid5.c | 15 ++++++++++-----
drivers/md/raid5.h | 1 +
2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
index 0689173..f94452d 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -3396,6 +3396,7 @@ static void handle_stripe(struct stripe_head *sh)
if (test_and_clear_bit(STRIPE_SYNC_REQUESTED, &sh->state)) {
set_bit(STRIPE_SYNCING, &sh->state);
clear_bit(STRIPE_INSYNC, &sh->state);
+ clear_bit(STRIPE_REPLACED, &sh->state);
}
clear_bit(STRIPE_DELAYED, &sh->state);
@@ -3535,19 +3536,23 @@ static void handle_stripe(struct stripe_head *sh)
handle_parity_checks5(conf, sh, &s, disks);
}
- if (s.replacing && s.locked == 0
- && !test_bit(STRIPE_INSYNC, &sh->state)) {
+ if ((s.replacing || s.syncing) && s.locked == 0
+ && !test_bit(STRIPE_COMPUTE_RUN, &sh->state)
+ && !test_bit(STRIPE_REPLACED, &sh->state)) {
/* Write out to replacement devices where possible */
for (i = 0; i < conf->raid_disks; i++)
- if (test_bit(R5_UPTODATE, &sh->dev[i].flags) &&
- test_bit(R5_NeedReplace, &sh->dev[i].flags)) {
+ if (test_bit(R5_NeedReplace, &sh->dev[i].flags)) {
+ WARN_ON(!test_bit(R5_UPTODATE, &sh->dev[i].flags));
set_bit(R5_WantReplace, &sh->dev[i].flags);
set_bit(R5_LOCKED, &sh->dev[i].flags);
s.locked++;
}
- set_bit(STRIPE_INSYNC, &sh->state);
+ if (s.replacing)
+ set_bit(STRIPE_INSYNC, &sh->state);
+ set_bit(STRIPE_REPLACED, &sh->state);
}
if ((s.syncing || s.replacing) && s.locked == 0 &&
+ !test_bit(STRIPE_COMPUTE_RUN, &sh->state) &&
test_bit(STRIPE_INSYNC, &sh->state)) {
md_done_sync(conf->mddev, STRIPE_SECTORS, 1);
clear_bit(STRIPE_SYNCING, &sh->state);
diff --git a/drivers/md/raid5.h b/drivers/md/raid5.h
index a9fc249..03f988b 100644
--- a/drivers/md/raid5.h
+++ b/drivers/md/raid5.h
@@ -309,6 +309,7 @@ enum {
STRIPE_SYNC_REQUESTED,
STRIPE_SYNCING,
STRIPE_INSYNC,
+ STRIPE_REPLACED,
STRIPE_PREREAD_ACTIVE,
STRIPE_DELAYED,
STRIPE_DEGRADED,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [101/251] md/raid10: remove use-after-free bug.
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (98 preceding siblings ...)
2013-09-11 4:28 ` [100/251] md/raid5: fix interaction of replace and recovery Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [102/251] libata: make it clear that sata_inic162x is experimental Steven Rostedt
` (150 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: NeilBrown
[-- Attachment #1: 0101-md-raid10-remove-use-after-free-bug.patch --]
[-- Type: text/plain, Size: 1777 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: NeilBrown <neilb@suse.de>
[ Upstream commit 0eb25bb027a100f5a9df8991f2f628e7d851bc1e ]
We always need to be careful when calling generic_make_request, as it
can start a chain of events which might free something that we are
using.
Here is one place I wasn't careful enough. If the wbio2 is not in
use, then it might get freed at the first generic_make_request call.
So perform all necessary tests first.
This bug was introduced in 3.3-rc3 (24afd80d99) and can cause an
oops, so fix is suitable for any -stable since then.
Cc: stable@vger.kernel.org (3.3+)
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/md/raid10.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index e2d5778..f40decb 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -2155,12 +2155,18 @@ static void recovery_request_write(struct mddev *mddev, struct r10bio *r10_bio)
d = r10_bio->devs[1].devnum;
wbio = r10_bio->devs[1].bio;
wbio2 = r10_bio->devs[1].repl_bio;
+ /* Need to test wbio2->bi_end_io before we call
+ * generic_make_request as if the former is NULL,
+ * the latter is free to free wbio2.
+ */
+ if (wbio2 && !wbio2->bi_end_io)
+ wbio2 = NULL;
if (wbio->bi_end_io) {
atomic_inc(&conf->mirrors[d].rdev->nr_pending);
md_sync_acct(conf->mirrors[d].rdev->bdev, wbio->bi_size >> 9);
generic_make_request(wbio);
}
- if (wbio2 && wbio2->bi_end_io) {
+ if (wbio2) {
atomic_inc(&conf->mirrors[d].replacement->nr_pending);
md_sync_acct(conf->mirrors[d].replacement->bdev,
wbio2->bi_size >> 9);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [102/251] libata: make it clear that sata_inic162x is experimental
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (99 preceding siblings ...)
2013-09-11 4:28 ` [101/251] md/raid10: remove use-after-free bug Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [103/251] svcrdma: underflow issue in decode_write_list() Steven Rostedt
` (149 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Tejun Heo, Martin Braure de Calignon, Ben Hutchings
[-- Attachment #1: 0102-libata-make-it-clear-that-sata_inic162x-is-experimen.patch --]
[-- Type: text/plain, Size: 2734 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
[ Upstream commit bb9696192826a7d9279caf872e95b41bc26c7eff ]
sata_inic162x never reached a state where it's reliable enough for
production use and data corruption is a relatively common occurrence.
Make the driver generate warning about the issues and mark the Kconfig
option as experimental.
If the situation doesn't improve, we'd be better off making it depend
on CONFIG_BROKEN. Let's wait for several cycles and see if the kernel
message draws any attention.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Martin Braure de Calignon <braurede@free.fr>
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Reported-by: risc4all@yahoo.com
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/ata/Kconfig | 2 +-
drivers/ata/sata_inic162x.c | 14 ++++++++++++++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/drivers/ata/Kconfig b/drivers/ata/Kconfig
index 27cecd3..79ba92e 100644
--- a/drivers/ata/Kconfig
+++ b/drivers/ata/Kconfig
@@ -93,7 +93,7 @@ config SATA_FSL
If unsure, say N.
config SATA_INIC162X
- tristate "Initio 162x SATA support"
+ tristate "Initio 162x SATA support (Very Experimental)"
depends on PCI
help
This option enables support for Initio 162x Serial ATA.
diff --git a/drivers/ata/sata_inic162x.c b/drivers/ata/sata_inic162x.c
index dc35f4d..4d238c8 100644
--- a/drivers/ata/sata_inic162x.c
+++ b/drivers/ata/sata_inic162x.c
@@ -6,6 +6,18 @@
*
* This file is released under GPL v2.
*
+ * **** WARNING ****
+ *
+ * This driver never worked properly and unfortunately data corruption is
+ * relatively common. There isn't anyone working on the driver and there's
+ * no support from the vendor. Do not use this driver in any production
+ * environment.
+ *
+ * http://thread.gmane.org/gmane.linux.debian.devel.bugs.rc/378525/focus=54491
+ * https://bugzilla.kernel.org/show_bug.cgi?id=60565
+ *
+ * *****************
+ *
* This controller is eccentric and easily locks up if something isn't
* right. Documentation is available at initio's website but it only
* documents registers (not programming model).
@@ -809,6 +821,8 @@ static int inic_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
ata_print_version_once(&pdev->dev, DRV_VERSION);
+ dev_alert(&pdev->dev, "inic162x support is broken with common data corruption issues and will be disabled by default, contact linux-ide@vger.kernel.org if in production use\n");
+
/* alloc host */
host = ata_host_alloc_pinfo(&pdev->dev, ppi, NR_PORTS);
hpriv = devm_kzalloc(&pdev->dev, sizeof(*hpriv), GFP_KERNEL);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [103/251] svcrdma: underflow issue in decode_write_list()
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (100 preceding siblings ...)
2013-09-11 4:28 ` [102/251] libata: make it clear that sata_inic162x is experimental Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [104/251] powerpc/modules: Module CRC relocation fix causes perf issues Steven Rostedt
` (148 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Dan Carpenter, J. Bruce Fields
[-- Attachment #1: 0103-svcrdma-underflow-issue-in-decode_write_list.patch --]
[-- Type: text/plain, Size: 2644 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit b2781e1021525649c0b33fffd005ef219da33926 ]
My static checker marks everything from ntohl() as untrusted and it
complains we could have an underflow problem doing:
return (u32 *)&ary->wc_array[nchunks];
Also on 32 bit systems the upper bound check could overflow.
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/net/sunrpc/xprtrdma/svc_rdma_marshal.c b/net/sunrpc/xprtrdma/svc_rdma_marshal.c
index 8d2eddd..65b1462 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_marshal.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_marshal.c
@@ -98,6 +98,7 @@ void svc_rdma_rcl_chunk_counts(struct rpcrdma_read_chunk *ch,
*/
static u32 *decode_write_list(u32 *va, u32 *vaend)
{
+ unsigned long start, end;
int nchunks;
struct rpcrdma_write_array *ary =
@@ -113,9 +114,12 @@ static u32 *decode_write_list(u32 *va, u32 *vaend)
return NULL;
}
nchunks = ntohl(ary->wc_nchunks);
- if (((unsigned long)&ary->wc_array[0] +
- (sizeof(struct rpcrdma_write_chunk) * nchunks)) >
- (unsigned long)vaend) {
+
+ start = (unsigned long)&ary->wc_array[0];
+ end = (unsigned long)vaend;
+ if (nchunks < 0 ||
+ nchunks > (SIZE_MAX - start) / sizeof(struct rpcrdma_write_chunk) ||
+ (start + (sizeof(struct rpcrdma_write_chunk) * nchunks)) > end) {
dprintk("svcrdma: ary=%p, wc_nchunks=%d, vaend=%p\n",
ary, nchunks, vaend);
return NULL;
@@ -129,6 +133,7 @@ static u32 *decode_write_list(u32 *va, u32 *vaend)
static u32 *decode_reply_array(u32 *va, u32 *vaend)
{
+ unsigned long start, end;
int nchunks;
struct rpcrdma_write_array *ary =
(struct rpcrdma_write_array *)va;
@@ -143,9 +148,12 @@ static u32 *decode_reply_array(u32 *va, u32 *vaend)
return NULL;
}
nchunks = ntohl(ary->wc_nchunks);
- if (((unsigned long)&ary->wc_array[0] +
- (sizeof(struct rpcrdma_write_chunk) * nchunks)) >
- (unsigned long)vaend) {
+
+ start = (unsigned long)&ary->wc_array[0];
+ end = (unsigned long)vaend;
+ if (nchunks < 0 ||
+ nchunks > (SIZE_MAX - start) / sizeof(struct rpcrdma_write_chunk) ||
+ (start + (sizeof(struct rpcrdma_write_chunk) * nchunks)) > end) {
dprintk("svcrdma: ary=%p, wc_nchunks=%d, vaend=%p\n",
ary, nchunks, vaend);
return NULL;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [104/251] powerpc/modules: Module CRC relocation fix causes perf issues
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (101 preceding siblings ...)
2013-09-11 4:28 ` [103/251] svcrdma: underflow issue in decode_write_list() Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [105/251] nfsd: nfsd_open: when dentry_open returns an error do not propagate as struct file Steven Rostedt
` (147 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Anton Blanchard, stable, Rusty Russell, Benjamin Herrenschmidt
[-- Attachment #1: 0104-powerpc-modules-Module-CRC-relocation-fix-causes-per.patch --]
[-- Type: text/plain, Size: 2746 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Anton Blanchard <anton@samba.org>
[ Upstream commit 0e0ed6406e61434d3f38fb58aa8464ec4722b77e ]
Module CRCs are implemented as absolute symbols that get resolved by
a linker script. We build an intermediate .o that contains an
unresolved symbol for each CRC. genksysms parses this .o, calculates
the CRCs and writes a linker script that "resolves" the symbols to
the calculated CRC.
Unfortunately the ppc64 relocatable kernel sees these CRCs as symbols
that need relocating and relocates them at boot. Commit d4703aef
(module: handle ppc64 relocating kcrctabs when CONFIG_RELOCATABLE=y)
added a hook to reverse the bogus relocations. Part of this patch
created a symbol at 0x0:
# head -2 /proc/kallsyms
0000000000000000 T reloc_start
c000000000000000 T .__start
This reloc_start symbol is causing lots of confusion to perf. It
thinks reloc_start is a massive function that stretches from 0x0 to
0xc000000000000000 and we get various cryptic errors out of perf,
including:
problem incrementing symbol count, skipping event
This patch removes the reloc_start linker script label and instead
defines it as PHYSICAL_START. We also need to wrap it with
CONFIG_PPC64 because the ppc32 kernel can set a non zero
PHYSICAL_START at compile time and we wouldn't want to subtract
it from the CRCs in that case.
Signed-off-by: Anton Blanchard <anton@samba.org>
Cc: <stable@kernel.org>
Acked-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/powerpc/include/asm/module.h | 5 ++---
arch/powerpc/kernel/vmlinux.lds.S | 3 ---
2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/arch/powerpc/include/asm/module.h b/arch/powerpc/include/asm/module.h
index 0192a4e..80de64b 100644
--- a/arch/powerpc/include/asm/module.h
+++ b/arch/powerpc/include/asm/module.h
@@ -87,10 +87,9 @@ struct exception_table_entry;
void sort_ex_table(struct exception_table_entry *start,
struct exception_table_entry *finish);
-#ifdef CONFIG_MODVERSIONS
+#if defined(CONFIG_MODVERSIONS) && defined(CONFIG_PPC64)
#define ARCH_RELOCATES_KCRCTAB
-
-extern const unsigned long reloc_start[];
+#define reloc_start PHYSICAL_START
#endif
#endif /* __KERNEL__ */
#endif /* _ASM_POWERPC_MODULE_H */
diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S
index 65d1c08..7703569 100644
--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -38,9 +38,6 @@ jiffies = jiffies_64 + 4;
#endif
SECTIONS
{
- . = 0;
- reloc_start = .;
-
. = KERNELBASE;
/*
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [105/251] nfsd: nfsd_open: when dentry_open returns an error do not propagate as struct file
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (102 preceding siblings ...)
2013-09-11 4:28 ` [104/251] powerpc/modules: Module CRC relocation fix causes perf issues Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [106/251] ACPI / memhotplug: Fix a stale pointer in error path Steven Rostedt
` (146 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Harshula Jayasuriya, J. Bruce Fields
[-- Attachment #1: 0105-nfsd-nfsd_open-when-dentry_open-returns-an-error-do-.patch --]
[-- Type: text/plain, Size: 3841 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Harshula Jayasuriya <harshula@redhat.com>
[ Upstream commit e4daf1ffbe6cc3b12aab4d604e627829e93e9914 ]
The following call chain:
------------------------------------------------------------
nfs4_get_vfs_file
- nfsd_open
- dentry_open
- do_dentry_open
- __get_file_write_access
- get_write_access
- return atomic_inc_unless_negative(&inode->i_writecount) ? 0 : -ETXTBSY;
------------------------------------------------------------
can result in the following state:
------------------------------------------------------------
struct nfs4_file {
...
fi_fds = {0xffff880c1fa65c80, 0xffffffffffffffe6, 0x0},
fi_access = {{
counter = 0x1
}, {
counter = 0x0
}},
...
------------------------------------------------------------
1) First time around, in nfs4_get_vfs_file() fp->fi_fds[O_WRONLY] is
NULL, hence nfsd_open() is called where we get status set to an error
and fp->fi_fds[O_WRONLY] to -ETXTBSY. Thus we do not reach
nfs4_file_get_access() and fi_access[O_WRONLY] is not incremented.
2) Second time around, in nfs4_get_vfs_file() fp->fi_fds[O_WRONLY] is
NOT NULL (-ETXTBSY), so nfsd_open() is NOT called, but
nfs4_file_get_access() IS called and fi_access[O_WRONLY] is incremented.
Thus we leave a landmine in the form of the nfs4_file data structure in
an incorrect state.
3) Eventually, when __nfs4_file_put_access() is called it finds
fi_access[O_WRONLY] being non-zero, it decrements it and calls
nfs4_file_put_fd() which tries to fput -ETXTBSY.
------------------------------------------------------------
...
[exception RIP: fput+0x9]
RIP: ffffffff81177fa9 RSP: ffff88062e365c90 RFLAGS: 00010282
RAX: ffff880c2b3d99cc RBX: ffff880c2b3d9978 RCX: 0000000000000002
RDX: dead000000100101 RSI: 0000000000000001 RDI: ffffffffffffffe6
RBP: ffff88062e365c90 R8: ffff88041fe797d8 R9: ffff88062e365d58
R10: 0000000000000008 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#9 [ffff88062e365c98] __nfs4_file_put_access at ffffffffa0562334 [nfsd]
#10 [ffff88062e365cc8] nfs4_file_put_access at ffffffffa05623ab [nfsd]
#11 [ffff88062e365ce8] free_generic_stateid at ffffffffa056634d [nfsd]
#12 [ffff88062e365d18] release_open_stateid at ffffffffa0566e4b [nfsd]
#13 [ffff88062e365d38] nfsd4_close at ffffffffa0567401 [nfsd]
#14 [ffff88062e365d88] nfsd4_proc_compound at ffffffffa0557f28 [nfsd]
#15 [ffff88062e365dd8] nfsd_dispatch at ffffffffa054543e [nfsd]
#16 [ffff88062e365e18] svc_process_common at ffffffffa04ba5a4 [sunrpc]
#17 [ffff88062e365e98] svc_process at ffffffffa04babe0 [sunrpc]
#18 [ffff88062e365eb8] nfsd at ffffffffa0545b62 [nfsd]
#19 [ffff88062e365ee8] kthread at ffffffff81090886
#20 [ffff88062e365f48] kernel_thread at ffffffff8100c14a
------------------------------------------------------------
Cc: stable@vger.kernel.org
Signed-off-by: Harshula Jayasuriya <harshula@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/nfsd/vfs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index a9269f1..1db47bc 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -802,9 +802,10 @@ nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type,
flags = O_WRONLY|O_LARGEFILE;
}
*filp = dentry_open(&path, flags, current_cred());
- if (IS_ERR(*filp))
+ if (IS_ERR(*filp)) {
host_err = PTR_ERR(*filp);
- else {
+ *filp = NULL;
+ } else {
host_err = ima_file_check(*filp, may_flags);
if (may_flags & NFSD_MAY_64BIT_COOKIE)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [106/251] ACPI / memhotplug: Fix a stale pointer in error path
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (103 preceding siblings ...)
2013-09-11 4:28 ` [105/251] nfsd: nfsd_open: when dentry_open returns an error do not propagate as struct file Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [107/251] dm mpath: fix ioctl deadlock when no paths Steven Rostedt
` (145 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Toshi Kani, Yasuaki Ishimatsu, Rafael J. Wysocki
[-- Attachment #1: 0106-ACPI-memhotplug-Fix-a-stale-pointer-in-error-path.patch --]
[-- Type: text/plain, Size: 1351 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Toshi Kani <toshi.kani@hp.com>
[ Upstream commit d19f503e22316a84c39bc19445e0e4fdd49b3532 ]
device->driver_data needs to be cleared when releasing its data,
mem_device, in an error path of acpi_memory_device_add().
The function evaluates the _CRS of memory device objects, and fails
when it gets an unexpected resource or cannot allocate memory. A
kernel crash or data corruption may occur when the kernel accesses
the stale pointer.
Signed-off-by: Toshi Kani <toshi.kani@hp.com>
Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
Cc: 2.6.32+ <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/acpi/acpi_memhotplug.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/acpi/acpi_memhotplug.c b/drivers/acpi/acpi_memhotplug.c
index 24c807f..f16ffd4 100644
--- a/drivers/acpi/acpi_memhotplug.c
+++ b/drivers/acpi/acpi_memhotplug.c
@@ -442,6 +442,7 @@ static int acpi_memory_device_add(struct acpi_device *device)
/* Get the range from the _CRS */
result = acpi_memory_get_device_resources(mem_device);
if (result) {
+ device->driver_data = NULL;
kfree(mem_device);
return result;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [107/251] dm mpath: fix ioctl deadlock when no paths
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (104 preceding siblings ...)
2013-09-11 4:28 ` [106/251] ACPI / memhotplug: Fix a stale pointer in error path Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [108/251] dm verity: fix inability to use a few specific devices sizes Steven Rostedt
` (144 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Hannes Reinecke, Mike Snitzer, Alasdair G Kergon
[-- Attachment #1: 0107-dm-mpath-fix-ioctl-deadlock-when-no-paths.patch --]
[-- Type: text/plain, Size: 2645 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Hannes Reinecke <hare@suse.de>
[ Upstream commit 6c182cd88d179cbbd06f4f8a8a19b6977940753f ]
When multipath needs to retry an ioctl the reference to the
current live table needs to be dropped. Otherwise a deadlock
occurs when all paths are down:
- dm_blk_ioctl takes a reference to the current table
and spins in multipath_ioctl().
- A new table is being loaded, but upon resume the process
hangs in dm_table_destroy() waiting for references to
drop to zero.
With this patch the reference to the old table is dropped
prior to retry, thereby avoiding the deadlock.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Cc: Mike Snitzer <snitzer@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/md/dm-mpath.c | 8 ++------
drivers/md/dm.c | 9 ++++++++-
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
index 034233e..4fc70c8 100644
--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -1561,7 +1561,6 @@ static int multipath_ioctl(struct dm_target *ti, unsigned int cmd,
unsigned long flags;
int r;
-again:
bdev = NULL;
mode = 0;
r = 0;
@@ -1579,7 +1578,7 @@ again:
}
if ((pgpath && m->queue_io) || (!pgpath && m->queue_if_no_path))
- r = -EAGAIN;
+ r = -ENOTCONN;
else if (!bdev)
r = -EIO;
@@ -1591,11 +1590,8 @@ again:
if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT)
r = scsi_verify_blk_ioctl(NULL, cmd);
- if (r == -EAGAIN && !fatal_signal_pending(current)) {
+ if (r == -ENOTCONN && !fatal_signal_pending(current))
queue_work(kmultipathd, &m->process_queued_ios);
- msleep(10);
- goto again;
- }
return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg);
}
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 4256200..dd0a1a8 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -414,10 +414,12 @@ static int dm_blk_ioctl(struct block_device *bdev, fmode_t mode,
unsigned int cmd, unsigned long arg)
{
struct mapped_device *md = bdev->bd_disk->private_data;
- struct dm_table *map = dm_get_live_table(md);
+ struct dm_table *map;
struct dm_target *tgt;
int r = -ENOTTY;
+retry:
+ map = dm_get_live_table(md);
if (!map || !dm_table_get_size(map))
goto out;
@@ -438,6 +440,11 @@ static int dm_blk_ioctl(struct block_device *bdev, fmode_t mode,
out:
dm_table_put(map);
+ if (r == -ENOTCONN) {
+ msleep(10);
+ goto retry;
+ }
+
return r;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [108/251] dm verity: fix inability to use a few specific devices sizes
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (105 preceding siblings ...)
2013-09-11 4:28 ` [107/251] dm mpath: fix ioctl deadlock when no paths Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [109/251] drm/radeon: fix endian issues with DP handling (v3) Steven Rostedt
` (143 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Mikulas Patocka, Milan Broz, Alasdair G Kergon
[-- Attachment #1: 0108-dm-verity-fix-inability-to-use-a-few-specific-device.patch --]
[-- Type: text/plain, Size: 2511 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
[ Upstream commit b1bf2de07271932326af847a3c6a01fdfd29d4be ]
Fix a boundary condition that caused failure for certain device sizes.
The problem is reported at
http://code.google.com/p/cryptsetup/issues/detail?id=160
For certain device sizes the number of hashes at a specific level was
calculated incorrectly.
It happens for example for a device with data and metadata block size 4096
that has 16385 blocks and algorithm sha256.
The user can test if he is affected by this bug by running the
"veritysetup verify" command and also by activating the dm-verity kernel
driver and reading the whole block device. If it passes without an error,
then the user is not affected.
The condition for the bug is:
Split the total number of data blocks (data_block_bits) into bit strings,
each string has hash_per_block_bits bits. hash_per_block_bits is
rounddown(log2(metadata_block_size/hash_digest_size)). Equivalently, you
can say that you convert data_blocks_bits to 2^hash_per_block_bits base.
If there some zero bit string below the most significant bit string and at
least one bit below this zero bit string is set, then the bug happens.
The same bug exists in the userspace veritysetup tool, so you must use
fixed veritysetup too if you want to use devices that are affected by
this boundary condition.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org # 3.4+
Cc: Milan Broz <gmazyland@gmail.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/md/dm-verity.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/md/dm-verity.c b/drivers/md/dm-verity.c
index dd5ba3b..30b364c 100644
--- a/drivers/md/dm-verity.c
+++ b/drivers/md/dm-verity.c
@@ -842,9 +842,8 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
for (i = v->levels - 1; i >= 0; i--) {
sector_t s;
v->hash_level_block[i] = hash_position;
- s = verity_position_at_level(v, v->data_blocks, i);
- s = (s >> v->hash_per_block_bits) +
- !!(s & ((1 << v->hash_per_block_bits) - 1));
+ s = (v->data_blocks + ((sector_t)1 << ((i + 1) * v->hash_per_block_bits)) - 1)
+ >> ((i + 1) * v->hash_per_block_bits);
if (hash_position + s < hash_position) {
ti->error = "Hash device offset overflow";
r = -E2BIG;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [109/251] drm/radeon: fix endian issues with DP handling (v3)
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (106 preceding siblings ...)
2013-09-11 4:28 ` [108/251] dm verity: fix inability to use a few specific devices sizes Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [110/251] drm/radeon: fix combios tables on older cards Steven Rostedt
` (142 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Alex Deucher, Dong He
[-- Attachment #1: 0109-drm-radeon-fix-endian-issues-with-DP-handling-v3.patch --]
[-- Type: text/plain, Size: 2799 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit 34be8c9af7b8728465963740fc11136ae90dfc36 ]
The atom interpreter expects data in LE format, so
swap the message buffer as apprioriate.
v2: properly handle non-dw aligned byte counts.
v3: properly handle remainder
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: Dong He <hedonghust@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/gpu/drm/radeon/atombios_dp.c | 43 ++++++++++++++++++++++++++++++----
1 file changed, 39 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/radeon/atombios_dp.c b/drivers/gpu/drm/radeon/atombios_dp.c
index 3623b98..a0b5e1e 100644
--- a/drivers/gpu/drm/radeon/atombios_dp.c
+++ b/drivers/gpu/drm/radeon/atombios_dp.c
@@ -45,6 +45,41 @@ static char *pre_emph_names[] = {
};
/***** radeon AUX functions *****/
+
+/* Atom needs data in little endian format
+ * so swap as appropriate when copying data to
+ * or from atom. Note that atom operates on
+ * dw units.
+ */
+static void radeon_copy_swap(u8 *dst, u8 *src, u8 num_bytes, bool to_le)
+{
+#ifdef __BIG_ENDIAN
+ u8 src_tmp[20], dst_tmp[20]; /* used for byteswapping */
+ u32 *dst32, *src32;
+ int i;
+
+ memcpy(src_tmp, src, num_bytes);
+ src32 = (u32 *)src_tmp;
+ dst32 = (u32 *)dst_tmp;
+ if (to_le) {
+ for (i = 0; i < ((num_bytes + 3) / 4); i++)
+ dst32[i] = cpu_to_le32(src32[i]);
+ memcpy(dst, dst_tmp, num_bytes);
+ } else {
+ u8 dws = num_bytes & ~3;
+ for (i = 0; i < ((num_bytes + 3) / 4); i++)
+ dst32[i] = le32_to_cpu(src32[i]);
+ memcpy(dst, dst_tmp, dws);
+ if (num_bytes % 4) {
+ for (i = 0; i < (num_bytes % 4); i++)
+ dst[dws+i] = dst_tmp[dws+i];
+ }
+ }
+#else
+ memcpy(dst, src, num_bytes);
+#endif
+}
+
union aux_channel_transaction {
PROCESS_AUX_CHANNEL_TRANSACTION_PS_ALLOCATION v1;
PROCESS_AUX_CHANNEL_TRANSACTION_PARAMETERS_V2 v2;
@@ -66,10 +101,10 @@ static int radeon_process_aux_ch(struct radeon_i2c_chan *chan,
base = (unsigned char *)(rdev->mode_info.atom_context->scratch + 1);
- memcpy(base, send, send_bytes);
+ radeon_copy_swap(base, send, send_bytes, true);
- args.v1.lpAuxRequest = 0 + 4;
- args.v1.lpDataOut = 16 + 4;
+ args.v1.lpAuxRequest = cpu_to_le16((u16)(0 + 4));
+ args.v1.lpDataOut = cpu_to_le16((u16)(16 + 4));
args.v1.ucDataOutLen = 0;
args.v1.ucChannelID = chan->rec.i2c_id;
args.v1.ucDelay = delay / 10;
@@ -103,7 +138,7 @@ static int radeon_process_aux_ch(struct radeon_i2c_chan *chan,
recv_bytes = recv_size;
if (recv && recv_size)
- memcpy(recv, base + 16, recv_bytes);
+ radeon_copy_swap(recv, base + 16, recv_bytes, false);
return recv_bytes;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [110/251] drm/radeon: fix combios tables on older cards
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (107 preceding siblings ...)
2013-09-11 4:28 ` [109/251] drm/radeon: fix endian issues with DP handling (v3) Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [111/251] drm/radeon: improve dac adjust heuristics for legacy pdac Steven Rostedt
` (141 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Mark Kettenis, Alex Deucher
[-- Attachment #1: 0110-drm-radeon-fix-combios-tables-on-older-cards.patch --]
[-- Type: text/plain, Size: 9411 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Mark Kettenis <kettenis@openbsd.org>
[ Upstream commit cef1d00cd56f600121ad121875655ad410a001b8 ]
Noticed that my old Radeon 7500 hung after printing
drm: GPU not posted. posting now...
when it wasn't selected as the primary card the BIOS. Some digging
revealed that it was hanging in combios_parse_mmio_table() while
parsing the ASIC INIT 3 table. Looking at the BIOS ROM for the card,
it becomes obvious that there is no ASIC INIT 3 table in the BIOS.
The code is just processing random garbage. No surprise it hangs!
Why do I say that there is no ASIC INIT 3 table is the BIOS? This
table is found through the MISC INFO table. The MISC INFO table can
be found at offset 0x5e in the COMBIOS header. But the header is
smaller than that. The COMBIOS header starts at offset 0x126. The
standard PCI Data Structure (the bit that starts with 'PCIR') lives at
offset 0x180. That means that the COMBIOS header can not be larger
than 0x5a bytes and therefore cannot contain a MISC INFO table.
I looked at a dozen or so BIOS images, some my own, some downloaded from:
<http://www.techpowerup.com/vgabios/index.php?manufacturer=ATI&page=1>
It is fairly obvious that the size of the COMBIOS header can be found
at offset 0x6 of the header. Not sure if it is a 16-bit number or
just an 8-bit number, but that doesn't really matter since the tables
seems to be always smaller than 256 bytes.
So I think combios_get_table_offset() should check if the requested
table is present. This can be done by checking the offset against the
size of the header. See the diff below. The diff is against the WIP
OpenBSD codebase that roughly corresponds to Linux 3.8.13 at this
point. But I don't think this bit of the code changed much since
then.
For what it is worth:
Signed-off-by: Mark Kettenis <kettenis@openbsd.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/gpu/drm/radeon/radeon_combios.c | 145 +++++++++----------------------
1 file changed, 41 insertions(+), 104 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_combios.c b/drivers/gpu/drm/radeon/radeon_combios.c
index f75247d..16bd2a2 100644
--- a/drivers/gpu/drm/radeon/radeon_combios.c
+++ b/drivers/gpu/drm/radeon/radeon_combios.c
@@ -147,7 +147,7 @@ static uint16_t combios_get_table_offset(struct drm_device *dev,
enum radeon_combios_table_offset table)
{
struct radeon_device *rdev = dev->dev_private;
- int rev;
+ int rev, size;
uint16_t offset = 0, check_offset;
if (!rdev->bios)
@@ -156,174 +156,106 @@ static uint16_t combios_get_table_offset(struct drm_device *dev,
switch (table) {
/* absolute offset tables */
case COMBIOS_ASIC_INIT_1_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0xc);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0xc;
break;
case COMBIOS_BIOS_SUPPORT_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x14);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x14;
break;
case COMBIOS_DAC_PROGRAMMING_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x2a);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x2a;
break;
case COMBIOS_MAX_COLOR_DEPTH_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x2c);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x2c;
break;
case COMBIOS_CRTC_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x2e);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x2e;
break;
case COMBIOS_PLL_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x30);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x30;
break;
case COMBIOS_TV_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x32);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x32;
break;
case COMBIOS_DFP_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x34);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x34;
break;
case COMBIOS_HW_CONFIG_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x36);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x36;
break;
case COMBIOS_MULTIMEDIA_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x38);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x38;
break;
case COMBIOS_TV_STD_PATCH_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x3e);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x3e;
break;
case COMBIOS_LCD_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x40);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x40;
break;
case COMBIOS_MOBILE_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x42);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x42;
break;
case COMBIOS_PLL_INIT_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x46);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x46;
break;
case COMBIOS_MEM_CONFIG_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x48);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x48;
break;
case COMBIOS_SAVE_MASK_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x4a);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x4a;
break;
case COMBIOS_HARDCODED_EDID_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x4c);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x4c;
break;
case COMBIOS_ASIC_INIT_2_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x4e);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x4e;
break;
case COMBIOS_CONNECTOR_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x50);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x50;
break;
case COMBIOS_DYN_CLK_1_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x52);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x52;
break;
case COMBIOS_RESERVED_MEM_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x54);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x54;
break;
case COMBIOS_EXT_TMDS_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x58);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x58;
break;
case COMBIOS_MEM_CLK_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x5a);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x5a;
break;
case COMBIOS_EXT_DAC_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x5c);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x5c;
break;
case COMBIOS_MISC_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x5e);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x5e;
break;
case COMBIOS_CRT_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x60);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x60;
break;
case COMBIOS_INTEGRATED_SYSTEM_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x62);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x62;
break;
case COMBIOS_COMPONENT_VIDEO_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x64);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x64;
break;
case COMBIOS_FAN_SPEED_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x66);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x66;
break;
case COMBIOS_OVERDRIVE_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x68);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x68;
break;
case COMBIOS_OEM_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x6a);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x6a;
break;
case COMBIOS_DYN_CLK_2_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x6c);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x6c;
break;
case COMBIOS_POWER_CONNECTOR_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x6e);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x6e;
break;
case COMBIOS_I2C_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x70);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x70;
break;
/* relative offset tables */
case COMBIOS_ASIC_INIT_3_TABLE: /* offset from misc info */
@@ -439,11 +371,16 @@ static uint16_t combios_get_table_offset(struct drm_device *dev,
}
break;
default:
+ check_offset = 0;
break;
}
- return offset;
+ size = RBIOS8(rdev->bios_header_start + 0x6);
+ /* check absolute offset tables */
+ if (table < COMBIOS_ASIC_INIT_3_TABLE && check_offset && check_offset < size)
+ offset = RBIOS16(rdev->bios_header_start + check_offset);
+ return offset;
}
bool radeon_combios_check_hardcoded_edid(struct radeon_device *rdev)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [111/251] drm/radeon: improve dac adjust heuristics for legacy pdac
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (108 preceding siblings ...)
2013-09-11 4:28 ` [110/251] drm/radeon: fix combios tables on older cards Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [112/251] drm/i915: fix long-standing SNB regression in power consumption after resume v2 Steven Rostedt
` (140 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Alex Deucher
[-- Attachment #1: 0111-drm-radeon-improve-dac-adjust-heuristics-for-legacy-.patch --]
[-- Type: text/plain, Size: 1156 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit 03ed8cf9b28d886c64c7e705c7bb1a365fd8fb95 ]
Hopefully avoid more quirks in the future due to bogus
vbios dac data.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/gpu/drm/radeon/radeon_combios.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_combios.c b/drivers/gpu/drm/radeon/radeon_combios.c
index 16bd2a2..9a762f9 100644
--- a/drivers/gpu/drm/radeon/radeon_combios.c
+++ b/drivers/gpu/drm/radeon/radeon_combios.c
@@ -902,8 +902,10 @@ struct radeon_encoder_primary_dac *radeon_combios_get_primary_dac_info(struct
dac = RBIOS8(dac_info + 0x3) & 0xf;
p_dac->ps2_pdac_adj = (bg << 8) | (dac);
}
- /* if the values are all zeros, use the table */
- if (p_dac->ps2_pdac_adj)
+ /* if the values are zeros, use the table */
+ if ((dac == 0) || (bg == 0))
+ found = 0;
+ else
found = 1;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [112/251] drm/i915: fix long-standing SNB regression in power consumption after resume v2
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (109 preceding siblings ...)
2013-09-11 4:28 ` [111/251] drm/radeon: improve dac adjust heuristics for legacy pdac Steven Rostedt
@ 2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:29 ` [113/251] drm/radeon/atom: initialize more atom interpretor elements to 0 Steven Rostedt
` (139 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:28 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Konstantin Khlebnikov, Daniel Vetter, Chris Wilson, Jesse Barnes
[-- Attachment #1: 0112-drm-i915-fix-long-standing-SNB-regression-in-power-c.patch --]
[-- Type: text/plain, Size: 3435 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Konstantin Khlebnikov <khlebnikov@openvz.org>
[ Upstream commit 7dcd2677ea912573d9ed4bcd629b0023b2d11505 ]
This patch fixes regression in power consumtion of sandy bridge gpu, which
exists since v3.6 Sometimes after resuming from s2ram gpu starts thinking that
it's extremely busy. After that it never reaches rc6 state.
Bug exists since kernel v3.6:
commit b4ae3f22d238617ca11610b29fde16cf8c0bc6e0
Author: Jesse Barnes <jbarnes@virtuousgeek.org>
Date: Thu Jun 14 11:04:48 2012 -0700
drm/i915: load boot context at driver init time
For some reason RC6 is already enabled at the beginning of resuming process.
Following initliaztion breaks some internal state and confuses RPS engine.
This patch disables RC6 at the beginnig of resume and initialization.
I've rearranged initialization sequence, because intel_disable_gt_powersave()
needs initialized force_wake_get/put and some locks from the dev_priv.
Note: The culprit in the initialization sequence seems to be the write
to MBCTL added in the above mentioned commit. The first version of
this patch just held a forcewake reference across the clock gating
init functions, which seems to have been enought to gather quite a few
positive test reports. But since that smelled a bit like ad-hoc
duct-tape v2 now just disables rps/rc6 across the entire hw setup.
References: https://bugs.freedesktop.org/show_bug.cgi?id=54089
References: https://bugzilla.kernel.org/show_bug.cgi?id=58971
References: https://patchwork.kernel.org/patch/2827634/ (patch v1)
Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
[danvet: Add note about v1 vs. v2 of this patch and use standard
layout for the commit citation. Also add the tested-bys from v1 and a
cc: stable.]
Cc: stable@vger.kernel.org (Note: tiny conflict due to the addition of
the backlight lock in 3.11)
Tested-by: Alexander Kaltsas <alexkaltsas@gmail.com> (v1)
Tested-by: rocko <rockorequin@hotmail.com> (v1)
Tested-by: JohnMB <johnmbryant@sky.com> (v1)
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
---
drivers/gpu/drm/i915/i915_dma.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
index 0969a7c..4c6e9dd 100644
--- a/drivers/gpu/drm/i915/i915_dma.c
+++ b/drivers/gpu/drm/i915/i915_dma.c
@@ -1465,6 +1465,11 @@ int i915_driver_load(struct drm_device *dev, unsigned long flags)
dev_priv->dev = dev;
dev_priv->info = info;
+ spin_lock_init(&dev_priv->irq_lock);
+ spin_lock_init(&dev_priv->error_lock);
+ spin_lock_init(&dev_priv->rps_lock);
+ spin_lock_init(&dev_priv->dpio_lock);
+
if (i915_get_bridge_dev(dev)) {
ret = -EIO;
goto free_priv;
@@ -1585,11 +1590,6 @@ int i915_driver_load(struct drm_device *dev, unsigned long flags)
if (!IS_I945G(dev) && !IS_I945GM(dev))
pci_enable_msi(dev->pdev);
- spin_lock_init(&dev_priv->irq_lock);
- spin_lock_init(&dev_priv->error_lock);
- spin_lock_init(&dev_priv->rps_lock);
- spin_lock_init(&dev_priv->dpio_lock);
-
if (IS_IVYBRIDGE(dev) || IS_HASWELL(dev))
dev_priv->num_pipe = 3;
else if (IS_MOBILE(dev) || !IS_GEN2(dev))
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [113/251] drm/radeon/atom: initialize more atom interpretor elements to 0
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (110 preceding siblings ...)
2013-09-11 4:28 ` [112/251] drm/i915: fix long-standing SNB regression in power consumption after resume v2 Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [114/251] USB: serial: ftdi_sio: add more RT Systems ftdi devices Steven Rostedt
` (138 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Alex Deucher
[-- Attachment #1: 0113-drm-radeon-atom-initialize-more-atom-interpretor-ele.patch --]
[-- Type: text/plain, Size: 1424 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit 42a21826dc54583cdb79cc8477732e911ac9c376 ]
The ProcessAuxChannel table on some rv635 boards assumes
the divmul members are initialized to 0 otherwise we get
an invalid fb offset since it has a bad mask set when
setting the fb base. While here initialize all the
atom interpretor elements to 0.
Fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=60639
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/gpu/drm/radeon/atom.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/radeon/atom.c b/drivers/gpu/drm/radeon/atom.c
index 43672b6..daa1e34 100644
--- a/drivers/gpu/drm/radeon/atom.c
+++ b/drivers/gpu/drm/radeon/atom.c
@@ -1222,12 +1222,17 @@ int atom_execute_table(struct atom_context *ctx, int index, uint32_t * params)
int r;
mutex_lock(&ctx->mutex);
+ /* reset data block */
+ ctx->data_block = 0;
/* reset reg block */
ctx->reg_block = 0;
/* reset fb window */
ctx->fb_base = 0;
/* reset io mode */
ctx->io_mode = ATOM_IO_MM;
+ /* reset divmul */
+ ctx->divmul[0] = 0;
+ ctx->divmul[1] = 0;
r = atom_execute_table_locked(ctx, index, params);
mutex_unlock(&ctx->mutex);
return r;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [114/251] USB: serial: ftdi_sio: add more RT Systems ftdi devices
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (111 preceding siblings ...)
2013-09-11 4:29 ` [113/251] drm/radeon/atom: initialize more atom interpretor elements to 0 Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [115/251] livelock avoidance in sget() Steven Rostedt
` (137 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Rick Farina (Zero_Chaos), Greg Kroah-Hartman
[-- Attachment #1: 0114-USB-serial-ftdi_sio-add-more-RT-Systems-ftdi-devices.patch --]
[-- Type: text/plain, Size: 5893 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "Rick Farina (Zero_Chaos)" <zerochaos@gentoo.org>
[ Upstream commit fed1f1ed90bce42ea010e2904cbc04e7b8304940 ]
RT Systems makes many usb serial cables based on the ftdi_sio driver for
programming various amateur radios. This patch is a full listing of
their current product offerings and should allow these cables to all
be recognized.
Signed-off-by: Rick Farina (Zero_Chaos) <zerochaos@gentoo.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/ftdi_sio.c | 31 ++++++++++++++++++++++++++++---
drivers/usb/serial/ftdi_sio_ids.h | 34 +++++++++++++++++++++++++++++-----
2 files changed, 57 insertions(+), 8 deletions(-)
diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c
index 5c3e249..710302ea 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -741,9 +741,34 @@ static struct usb_device_id id_table_combined [] = {
{ USB_DEVICE(FTDI_VID, FTDI_NDI_AURORA_SCU_PID),
.driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk },
{ USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) },
- { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_SERIAL_VX7_PID) },
- { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_CT29B_PID) },
- { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_RTS01_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S03_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_59_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57A_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57B_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_29A_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_29B_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_29F_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_62B_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S01_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_63_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_29C_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_81B_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_82B_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_K5D_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_K4Y_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_K5G_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S05_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_60_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_61_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_62_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_63B_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_64_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_65_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_92_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_92D_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_W5R_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_A5R_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_PW1_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_MAXSTREAM_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_PHI_FISCO_PID) },
{ USB_DEVICE(TML_VID, TML_USB_SERIAL_PID) },
diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h
index 1e4bff5..b98e44a 100644
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -808,11 +808,35 @@
/*
* RT Systems programming cables for various ham radios
*/
-#define RTSYSTEMS_VID 0x2100 /* Vendor ID */
-#define RTSYSTEMS_SERIAL_VX7_PID 0x9e52 /* Serial converter for VX-7 Radios using FT232RL */
-#define RTSYSTEMS_CT29B_PID 0x9e54 /* CT29B Radio Cable */
-#define RTSYSTEMS_RTS01_PID 0x9e57 /* USB-RTS01 Radio Cable */
-
+#define RTSYSTEMS_VID 0x2100 /* Vendor ID */
+#define RTSYSTEMS_USB_S03_PID 0x9001 /* RTS-03 USB to Serial Adapter */
+#define RTSYSTEMS_USB_59_PID 0x9e50 /* USB-59 USB to 8 pin plug */
+#define RTSYSTEMS_USB_57A_PID 0x9e51 /* USB-57A USB to 4pin 3.5mm plug */
+#define RTSYSTEMS_USB_57B_PID 0x9e52 /* USB-57B USB to extended 4pin 3.5mm plug */
+#define RTSYSTEMS_USB_29A_PID 0x9e53 /* USB-29A USB to 3.5mm stereo plug */
+#define RTSYSTEMS_USB_29B_PID 0x9e54 /* USB-29B USB to 6 pin mini din */
+#define RTSYSTEMS_USB_29F_PID 0x9e55 /* USB-29F USB to 6 pin modular plug */
+#define RTSYSTEMS_USB_62B_PID 0x9e56 /* USB-62B USB to 8 pin mini din plug*/
+#define RTSYSTEMS_USB_S01_PID 0x9e57 /* USB-RTS01 USB to 3.5 mm stereo plug*/
+#define RTSYSTEMS_USB_63_PID 0x9e58 /* USB-63 USB to 9 pin female*/
+#define RTSYSTEMS_USB_29C_PID 0x9e59 /* USB-29C USB to 4 pin modular plug*/
+#define RTSYSTEMS_USB_81B_PID 0x9e5A /* USB-81 USB to 8 pin mini din plug*/
+#define RTSYSTEMS_USB_82B_PID 0x9e5B /* USB-82 USB to 2.5 mm stereo plug*/
+#define RTSYSTEMS_USB_K5D_PID 0x9e5C /* USB-K5D USB to 8 pin modular plug*/
+#define RTSYSTEMS_USB_K4Y_PID 0x9e5D /* USB-K4Y USB to 2.5/3.5 mm plugs*/
+#define RTSYSTEMS_USB_K5G_PID 0x9e5E /* USB-K5G USB to 8 pin modular plug*/
+#define RTSYSTEMS_USB_S05_PID 0x9e5F /* USB-RTS05 USB to 2.5 mm stereo plug*/
+#define RTSYSTEMS_USB_60_PID 0x9e60 /* USB-60 USB to 6 pin din*/
+#define RTSYSTEMS_USB_61_PID 0x9e61 /* USB-61 USB to 6 pin mini din*/
+#define RTSYSTEMS_USB_62_PID 0x9e62 /* USB-62 USB to 8 pin mini din*/
+#define RTSYSTEMS_USB_63B_PID 0x9e63 /* USB-63 USB to 9 pin female*/
+#define RTSYSTEMS_USB_64_PID 0x9e64 /* USB-64 USB to 9 pin male*/
+#define RTSYSTEMS_USB_65_PID 0x9e65 /* USB-65 USB to 9 pin female null modem*/
+#define RTSYSTEMS_USB_92_PID 0x9e66 /* USB-92 USB to 12 pin plug*/
+#define RTSYSTEMS_USB_92D_PID 0x9e67 /* USB-92D USB to 12 pin plug data*/
+#define RTSYSTEMS_USB_W5R_PID 0x9e68 /* USB-W5R USB to 8 pin modular plug*/
+#define RTSYSTEMS_USB_A5R_PID 0x9e69 /* USB-A5R USB to 8 pin modular plug*/
+#define RTSYSTEMS_USB_PW1_PID 0x9e6A /* USB-PW1 USB to 8 pin modular plug*/
/*
* Physik Instrumente
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [115/251] livelock avoidance in sget()
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (112 preceding siblings ...)
2013-09-11 4:29 ` [114/251] USB: serial: ftdi_sio: add more RT Systems ftdi devices Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [116/251] xen/evtchn: avoid a deadlock when unbinding an event channel Steven Rostedt
` (136 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Al Viro
[-- Attachment #1: 0115-livelock-avoidance-in-sget.patch --]
[-- Type: text/plain, Size: 3795 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit acfec9a5a892f98461f52ed5770de99a3e571ae2 ]
Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about
to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive,
->s_active is 1. Along comes two more processes, trying to mount the same
thing; sget() in each is picking that superblock, bumping ->s_count and
trying to grab ->s_umount. ->s_active is 3 now. Original mount(2)
finally gets to deactivate_locked_super() on failure; ->s_active is 2,
superblock is still ->fs_supers because shutdown will *not* happen until
->s_active hits 0. ->s_umount is dropped and now we have two processes
chasing each other:
s_active = 2, A acquired ->s_umount, B blocked
A sees that the damn thing is stillborn, does deactivate_locked_super()
s_active = 1, A drops ->s_umount, B gets it
A restarts the search and finds the same superblock. And bumps it ->s_active.
s_active = 2, B holds ->s_umount, A blocked on trying to get it
... and we are in the earlier situation with A and B switched places.
The root cause, of course, is that ->s_active should not grow until we'd
got MS_BORN. Then failing ->mount() will have deactivate_locked_super()
shut the damn thing down. Fortunately, it's easy to do - the key point
is that grab_super() is called only for superblocks currently on ->fs_supers,
so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and
bump ->s_active; we must never increment ->s_count for superblocks past
->kill_sb(), but grab_super() is never called for those.
The bug is pretty old; we would've caught it by now, if not for accidental
exclusion between sget() for block filesystems; the things like cgroup or
e.g. mtd-based filesystems don't have anything of that sort, so they get
bitten. The right way to deal with that is obviously to fix sget()...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/super.c | 25 ++++++++++---------------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/fs/super.c b/fs/super.c
index 0902cfa..7b6e4e5 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -349,19 +349,19 @@ EXPORT_SYMBOL(deactivate_super);
* and want to turn it into a full-blown active reference. grab_super()
* is called with sb_lock held and drops it. Returns 1 in case of
* success, 0 if we had failed (superblock contents was already dead or
- * dying when grab_super() had been called).
+ * dying when grab_super() had been called). Note that this is only
+ * called for superblocks not in rundown mode (== ones still on ->fs_supers
+ * of their type), so increment of ->s_count is OK here.
*/
static int grab_super(struct super_block *s) __releases(sb_lock)
{
- if (atomic_inc_not_zero(&s->s_active)) {
- spin_unlock(&sb_lock);
- return 1;
- }
- /* it's going away */
s->s_count++;
spin_unlock(&sb_lock);
- /* wait for it to die */
down_write(&s->s_umount);
+ if ((s->s_flags & MS_BORN) && atomic_inc_not_zero(&s->s_active)) {
+ put_super(s);
+ return 1;
+ }
up_write(&s->s_umount);
put_super(s);
return 0;
@@ -493,11 +493,6 @@ retry:
destroy_super(s);
s = NULL;
}
- down_write(&old->s_umount);
- if (unlikely(!(old->s_flags & MS_BORN))) {
- deactivate_locked_super(old);
- goto retry;
- }
return old;
}
}
@@ -691,10 +686,10 @@ restart:
if (hlist_unhashed(&sb->s_instances))
continue;
if (sb->s_bdev == bdev) {
- if (grab_super(sb)) /* drops sb_lock */
- return sb;
- else
+ if (!grab_super(sb))
goto restart;
+ up_write(&sb->s_umount);
+ return sb;
}
}
spin_unlock(&sb_lock);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [116/251] xen/evtchn: avoid a deadlock when unbinding an event channel
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (113 preceding siblings ...)
2013-09-11 4:29 ` [115/251] livelock avoidance in sget() Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [117/251] radeon kms: do not flush uninitialized hotplug work Steven Rostedt
` (135 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: David Vrabel, Konrad Rzeszutek Wilk
[-- Attachment #1: 0116-xen-evtchn-avoid-a-deadlock-when-unbinding-an-event-.patch --]
[-- Type: text/plain, Size: 3393 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: David Vrabel <david.vrabel@citrix.com>
[ Upstream commit 179fbd5a45f0d4034cc6fd37b8d367a3b79663c4 ]
Unbinding an event channel (either with the ioctl or when the evtchn
device is closed) may deadlock because disable_irq() is called with
port_user_lock held which is also locked by the interrupt handler.
Think of the IOCTL_EVTCHN_UNBIND is being serviced, the routine has
just taken the lock, and an interrupt happens. The evtchn_interrupt
is invoked, tries to take the lock and spins forever.
A quick glance at the code shows that the spinlock is a local IRQ
variant. Unfortunately that does not help as "disable_irq() waits for
the interrupt handler on all CPUs to stop running. If the irq occurs
on another VCPU, it tries to take port_user_lock and can't because
the unbind ioctl is holding it." (from David). Hence we cannot
depend on the said spinlock to protect us. We could make it a system
wide IRQ disable spinlock but there is a better way.
We can piggyback on the fact that the existence of the spinlock is
to make get_port_user() checks be up-to-date. And we can alter those
checks to not depend on the spin lock (as it's protected by u->bind_mutex
in the ioctl) and can remove the unnecessary locking (this is
IOCTL_EVTCHN_UNBIND) path.
In the interrupt handler we cannot use the mutex, but we do not
need it.
"The unbind disables the irq before making the port user stale, so when
you clear it you are guaranteed that the interrupt handler that might
use that port cannot be running." (from David).
Hence this patch removes the spinlock usage on the teardown path
and piggybacks on disable_irq happening before we muck with the
get_port_user() data. This ensures that the interrupt handler will
never run on stale data.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
[v1: Expanded the commit description a bit]
---
drivers/xen/evtchn.c | 21 ++-------------------
1 file changed, 2 insertions(+), 19 deletions(-)
diff --git a/drivers/xen/evtchn.c b/drivers/xen/evtchn.c
index b1f60a0..8eb68c9 100644
--- a/drivers/xen/evtchn.c
+++ b/drivers/xen/evtchn.c
@@ -367,18 +367,12 @@ static long evtchn_ioctl(struct file *file,
if (unbind.port >= NR_EVENT_CHANNELS)
break;
- spin_lock_irq(&port_user_lock);
-
rc = -ENOTCONN;
- if (get_port_user(unbind.port) != u) {
- spin_unlock_irq(&port_user_lock);
+ if (get_port_user(unbind.port) != u)
break;
- }
disable_irq(irq_from_evtchn(unbind.port));
- spin_unlock_irq(&port_user_lock);
-
evtchn_unbind_from_user(u, unbind.port);
rc = 0;
@@ -478,26 +472,15 @@ static int evtchn_release(struct inode *inode, struct file *filp)
int i;
struct per_user_data *u = filp->private_data;
- spin_lock_irq(&port_user_lock);
-
- free_page((unsigned long)u->ring);
-
for (i = 0; i < NR_EVENT_CHANNELS; i++) {
if (get_port_user(i) != u)
continue;
disable_irq(irq_from_evtchn(i));
- }
-
- spin_unlock_irq(&port_user_lock);
-
- for (i = 0; i < NR_EVENT_CHANNELS; i++) {
- if (get_port_user(i) != u)
- continue;
-
evtchn_unbind_from_user(get_port_user(i), i);
}
+ free_page((unsigned long)u->ring);
kfree(u->name);
kfree(u);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [117/251] radeon kms: do not flush uninitialized hotplug work
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (114 preceding siblings ...)
2013-09-11 4:29 ` [116/251] xen/evtchn: avoid a deadlock when unbinding an event channel Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 9:06 ` Sergey Senozhatsky
2013-09-11 4:29 ` [118/251] x86: Fix /proc/mtrr with base/size more than 44bits Steven Rostedt
` (134 subsequent siblings)
250 siblings, 1 reply; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sergey Senozhatsky, Alex Deucher
[-- Attachment #1: 0117-radeon-kms-do-not-flush-uninitialized-hotplug-work.patch --]
[-- Type: text/plain, Size: 5288 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
[ Upstream commit a01c34f72e7cd2624570818f579b5ab464f93de2 ]
Fix a warning from lockdep caused by calling flush_work() for
uninitialized hotplug work. Initialize hotplug_work, audio_work
and reset_work upon successful radeon_irq_kms_init() completion
and thus perform hotplug flush_work only when rdev->irq.installed
is true.
[ 4.790019] [drm] Loading CEDAR Microcode
[ 4.790943] r600_cp: Failed to load firmware "radeon/CEDAR_smc.bin"
[ 4.791152] [drm:evergreen_startup] *ERROR* Failed to load firmware!
[ 4.791330] radeon 0000:01:00.0: disabling GPU acceleration
[ 4.792633] INFO: trying to register non-static key.
[ 4.792792] the code is fine but needs lockdep annotation.
[ 4.792953] turning off the locking correctness validator.
[ 4.793114] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 3.11.0-rc0-dbg-10676-gfe56456-dirty #1816
[ 4.793314] Hardware name: Acer Aspire 5741G /Aspire 5741G , BIOS V1.20 02/08/2011
[ 4.793507] ffffffff821fd810 ffff8801530b9a18 ffffffff8160434e 0000000000000002
[ 4.794155] ffff8801530b9ad8 ffffffff810b8404 ffff8801530b0798 ffff8801530b0000
[ 4.794789] ffff8801530b9b00 0000000000000046 00000000000004c0 ffffffff00000000
[ 4.795418] Call Trace:
[ 4.795573] [<ffffffff8160434e>] dump_stack+0x4e/0x82
[ 4.795731] [<ffffffff810b8404>] __lock_acquire+0x1a64/0x1d30
[ 4.795893] [<ffffffff814a87f0>] ? dev_vprintk_emit+0x50/0x60
[ 4.796034] [<ffffffff810b8fb4>] lock_acquire+0xa4/0x200
[ 4.796216] [<ffffffff8106cd75>] ? flush_work+0x5/0x280
[ 4.796375] [<ffffffff8106cdad>] flush_work+0x3d/0x280
[ 4.796520] [<ffffffff8106cd75>] ? flush_work+0x5/0x280
[ 4.796682] [<ffffffff810b659d>] ? trace_hardirqs_on_caller+0xfd/0x1c0
[ 4.796862] [<ffffffff8131d775>] ? delay_tsc+0x95/0xf0
[ 4.797024] [<ffffffff8141bb8b>] radeon_irq_kms_fini+0x2b/0x70
[ 4.797186] [<ffffffff814557c9>] evergreen_init+0x2a9/0x2e0
[ 4.797347] [<ffffffff813ebb1f>] radeon_device_init+0x5ef/0x700
[ 4.797511] [<ffffffff81335bc7>] ? pci_find_capability+0x47/0x50
[ 4.797672] [<ffffffff813edaed>] radeon_driver_load_kms+0x8d/0x150
[ 4.797843] [<ffffffff813ce426>] drm_get_pci_dev+0x166/0x280
[ 4.798007] [<ffffffff8116cff5>] ? kfree+0xf5/0x2e0
[ 4.798168] [<ffffffff813ea298>] ? radeon_pci_probe+0x98/0xd0
[ 4.798329] [<ffffffff813ea2aa>] radeon_pci_probe+0xaa/0xd0
[ 4.798489] [<ffffffff81339404>] pci_device_probe+0x84/0xe0
[ 4.798644] [<ffffffff814ac7d6>] driver_probe_device+0x76/0x240
[ 4.798805] [<ffffffff814aca73>] __driver_attach+0x93/0xa0
[ 4.798948] [<ffffffff814ac9e0>] ? __device_attach+0x40/0x40
[ 4.799126] [<ffffffff814aa82b>] bus_for_each_dev+0x6b/0xb0
[ 4.799272] [<ffffffff814ac2be>] driver_attach+0x1e/0x20
[ 4.799434] [<ffffffff814abec0>] bus_add_driver+0x1f0/0x280
[ 4.799596] [<ffffffff814ad0e4>] driver_register+0x74/0x150
[ 4.799758] [<ffffffff8133923d>] __pci_register_driver+0x5d/0x60
[ 4.799936] [<ffffffff81d16efc>] ? ttm_init+0x67/0x67
[ 4.800081] [<ffffffff813ce655>] drm_pci_init+0x115/0x130
[ 4.800243] [<ffffffff81d16efc>] ? ttm_init+0x67/0x67
[ 4.800405] [<ffffffff81d16f98>] radeon_init+0x9c/0xba
[ 4.800586] [<ffffffff810002ca>] do_one_initcall+0xfa/0x150
[ 4.800746] [<ffffffff81073f60>] ? parse_args+0x120/0x330
[ 4.800909] [<ffffffff81cdafae>] kernel_init_freeable+0x111/0x191
[ 4.801052] [<ffffffff81cda87a>] ? do_early_param+0x88/0x88
[ 4.801233] [<ffffffff815fb670>] ? rest_init+0x140/0x140
[ 4.801393] [<ffffffff815fb67e>] kernel_init+0xe/0x180
[ 4.801556] [<ffffffff8160dcac>] ret_from_fork+0x7c/0xb0
[ 4.801718] [<ffffffff815fb670>] ? rest_init+0x140/0x140
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/gpu/drm/radeon/radeon_irq_kms.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c
index 443bd49..4bc6be5 100644
--- a/drivers/gpu/drm/radeon/radeon_irq_kms.c
+++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c
@@ -243,9 +243,6 @@ int radeon_irq_kms_init(struct radeon_device *rdev)
{
int r = 0;
- INIT_WORK(&rdev->hotplug_work, radeon_hotplug_work_func);
- INIT_WORK(&rdev->audio_work, r600_audio_update_hdmi);
-
spin_lock_init(&rdev->irq.lock);
r = drm_vblank_init(rdev->ddev, rdev->num_crtc);
if (r) {
@@ -267,6 +264,10 @@ int radeon_irq_kms_init(struct radeon_device *rdev)
rdev->irq.installed = false;
return r;
}
+
+ INIT_WORK(&rdev->hotplug_work, radeon_hotplug_work_func);
+ INIT_WORK(&rdev->audio_work, r600_audio_update_hdmi);
+
DRM_INFO("radeon: irq initialized.\n");
return 0;
}
@@ -286,8 +287,8 @@ void radeon_irq_kms_fini(struct radeon_device *rdev)
rdev->irq.installed = false;
if (rdev->msi_enabled)
pci_disable_msi(rdev->pdev);
+ flush_work_sync(&rdev->hotplug_work);
}
- flush_work_sync(&rdev->hotplug_work);
}
/**
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [118/251] x86: Fix /proc/mtrr with base/size more than 44bits
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (115 preceding siblings ...)
2013-09-11 4:29 ` [117/251] radeon kms: do not flush uninitialized hotplug work Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [119/251] ARM: poison the vectors page Steven Rostedt
` (133 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Yinghai Lu, H. Peter Anvin
[-- Attachment #1: 0118-x86-Fix-proc-mtrr-with-base-size-more-than-44bits.patch --]
[-- Type: text/plain, Size: 8365 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Yinghai Lu <yinghai@kernel.org>
[ Upstream commit d5c78673b1b28467354c2c30c3d4f003666ff385 ]
On one sytem that mtrr range is more then 44bits, in dmesg we have
[ 0.000000] MTRR default type: write-back
[ 0.000000] MTRR fixed ranges enabled:
[ 0.000000] 00000-9FFFF write-back
[ 0.000000] A0000-BFFFF uncachable
[ 0.000000] C0000-DFFFF write-through
[ 0.000000] E0000-FFFFF write-protect
[ 0.000000] MTRR variable ranges enabled:
[ 0.000000] 0 [000080000000-0000FFFFFFFF] mask 3FFF80000000 uncachable
[ 0.000000] 1 [380000000000-38FFFFFFFFFF] mask 3F0000000000 uncachable
[ 0.000000] 2 [000099000000-000099FFFFFF] mask 3FFFFF000000 write-through
[ 0.000000] 3 [00009A000000-00009AFFFFFF] mask 3FFFFF000000 write-through
[ 0.000000] 4 [381FFA000000-381FFBFFFFFF] mask 3FFFFE000000 write-through
[ 0.000000] 5 [381FFC000000-381FFC0FFFFF] mask 3FFFFFF00000 write-through
[ 0.000000] 6 [0000AD000000-0000ADFFFFFF] mask 3FFFFF000000 write-through
[ 0.000000] 7 [0000BD000000-0000BDFFFFFF] mask 3FFFFF000000 write-through
[ 0.000000] 8 disabled
[ 0.000000] 9 disabled
but /proc/mtrr report wrong:
reg00: base=0x080000000 ( 2048MB), size= 2048MB, count=1: uncachable
reg01: base=0x80000000000 (8388608MB), size=1048576MB, count=1: uncachable
reg02: base=0x099000000 ( 2448MB), size= 16MB, count=1: write-through
reg03: base=0x09a000000 ( 2464MB), size= 16MB, count=1: write-through
reg04: base=0x81ffa000000 (8519584MB), size= 32MB, count=1: write-through
reg05: base=0x81ffc000000 (8519616MB), size= 1MB, count=1: write-through
reg06: base=0x0ad000000 ( 2768MB), size= 16MB, count=1: write-through
reg07: base=0x0bd000000 ( 3024MB), size= 16MB, count=1: write-through
reg08: base=0x09b000000 ( 2480MB), size= 16MB, count=1: write-combining
so bit 44 and bit 45 get cut off.
We have problems in arch/x86/kernel/cpu/mtrr/generic.c::generic_get_mtrr().
1. for base, we miss cast base_lo to 64bit before shifting.
Fix that by adding u64 casting.
2. for size, it only can handle 44 bits aka 32bits + page_shift
Fix that with 64bit mask instead of 32bit mask_lo, then range could be
more than 44bits.
At the same time, we need to update size_or_mask for old cpus that does
support cpuid 0x80000008 to get phys_addr. Need to set high 32bits
to all 1s, otherwise will not get correct size for them.
Also fix mtrr_add_page: it should check base and (base + size - 1)
instead of base and size, as base and size could be small but
base + size could bigger enough to be out of boundary. We can
use boot_cpu_data.x86_phys_bits directly to avoid size_or_mask.
So When are we going to have size more than 44bits? that is 16TiB.
after patch we have right ouput:
reg00: base=0x080000000 ( 2048MB), size= 2048MB, count=1: uncachable
reg01: base=0x380000000000 (58720256MB), size=1048576MB, count=1: uncachable
reg02: base=0x099000000 ( 2448MB), size= 16MB, count=1: write-through
reg03: base=0x09a000000 ( 2464MB), size= 16MB, count=1: write-through
reg04: base=0x381ffa000000 (58851232MB), size= 32MB, count=1: write-through
reg05: base=0x381ffc000000 (58851264MB), size= 1MB, count=1: write-through
reg06: base=0x0ad000000 ( 2768MB), size= 16MB, count=1: write-through
reg07: base=0x0bd000000 ( 3024MB), size= 16MB, count=1: write-through
reg08: base=0x09b000000 ( 2480MB), size= 16MB, count=1: write-combining
-v2: simply checking in mtrr_add_page according to hpa.
[ hpa: This probably wants to go into -stable only after having sat in
mainline for a bit. It is not a regression. ]
Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Link: http://lkml.kernel.org/r/1371162815-29931-1-git-send-email-yinghai@kernel.org
Cc: <stable@vger.kernel.org>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/x86/kernel/cpu/mtrr/generic.c | 21 +++++++++++----------
arch/x86/kernel/cpu/mtrr/main.c | 16 +++++++++-------
2 files changed, 20 insertions(+), 17 deletions(-)
diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c
index e9fe907..5ac2152 100644
--- a/arch/x86/kernel/cpu/mtrr/generic.c
+++ b/arch/x86/kernel/cpu/mtrr/generic.c
@@ -510,8 +510,9 @@ generic_get_free_region(unsigned long base, unsigned long size, int replace_reg)
static void generic_get_mtrr(unsigned int reg, unsigned long *base,
unsigned long *size, mtrr_type *type)
{
- unsigned int mask_lo, mask_hi, base_lo, base_hi;
- unsigned int tmp, hi;
+ u32 mask_lo, mask_hi, base_lo, base_hi;
+ unsigned int hi;
+ u64 tmp, mask;
/*
* get_mtrr doesn't need to update mtrr_state, also it could be called
@@ -532,18 +533,18 @@ static void generic_get_mtrr(unsigned int reg, unsigned long *base,
rdmsr(MTRRphysBase_MSR(reg), base_lo, base_hi);
/* Work out the shifted address mask: */
- tmp = mask_hi << (32 - PAGE_SHIFT) | mask_lo >> PAGE_SHIFT;
- mask_lo = size_or_mask | tmp;
+ tmp = (u64)mask_hi << (32 - PAGE_SHIFT) | mask_lo >> PAGE_SHIFT;
+ mask = size_or_mask | tmp;
/* Expand tmp with high bits to all 1s: */
- hi = fls(tmp);
+ hi = fls64(tmp);
if (hi > 0) {
- tmp |= ~((1<<(hi - 1)) - 1);
+ tmp |= ~((1ULL<<(hi - 1)) - 1);
- if (tmp != mask_lo) {
+ if (tmp != mask) {
printk(KERN_WARNING "mtrr: your BIOS has configured an incorrect mask, fixing it.\n");
add_taint(TAINT_FIRMWARE_WORKAROUND);
- mask_lo = tmp;
+ mask = tmp;
}
}
@@ -551,8 +552,8 @@ static void generic_get_mtrr(unsigned int reg, unsigned long *base,
* This works correctly if size is a power of two, i.e. a
* contiguous range:
*/
- *size = -mask_lo;
- *base = base_hi << (32 - PAGE_SHIFT) | base_lo >> PAGE_SHIFT;
+ *size = -mask;
+ *base = (u64)base_hi << (32 - PAGE_SHIFT) | base_lo >> PAGE_SHIFT;
*type = base_lo & 0xff;
out_put_cpu:
diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c
index 6b96110..87f918e 100644
--- a/arch/x86/kernel/cpu/mtrr/main.c
+++ b/arch/x86/kernel/cpu/mtrr/main.c
@@ -305,7 +305,8 @@ int mtrr_add_page(unsigned long base, unsigned long size,
return -EINVAL;
}
- if (base & size_or_mask || size & size_or_mask) {
+ if ((base | (base + size - 1)) >>
+ (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) {
pr_warning("mtrr: base or size exceeds the MTRR width\n");
return -EINVAL;
}
@@ -583,6 +584,7 @@ static struct syscore_ops mtrr_syscore_ops = {
int __initdata changed_by_mtrr_cleanup;
+#define SIZE_OR_MASK_BITS(n) (~((1ULL << ((n) - PAGE_SHIFT)) - 1))
/**
* mtrr_bp_init - initialize mtrrs on the boot CPU
*
@@ -600,7 +602,7 @@ void __init mtrr_bp_init(void)
if (cpu_has_mtrr) {
mtrr_if = &generic_mtrr_ops;
- size_or_mask = 0xff000000; /* 36 bits */
+ size_or_mask = SIZE_OR_MASK_BITS(36);
size_and_mask = 0x00f00000;
phys_addr = 36;
@@ -619,7 +621,7 @@ void __init mtrr_bp_init(void)
boot_cpu_data.x86_mask == 0x4))
phys_addr = 36;
- size_or_mask = ~((1ULL << (phys_addr - PAGE_SHIFT)) - 1);
+ size_or_mask = SIZE_OR_MASK_BITS(phys_addr);
size_and_mask = ~size_or_mask & 0xfffff00000ULL;
} else if (boot_cpu_data.x86_vendor == X86_VENDOR_CENTAUR &&
boot_cpu_data.x86 == 6) {
@@ -627,7 +629,7 @@ void __init mtrr_bp_init(void)
* VIA C* family have Intel style MTRRs,
* but don't support PAE
*/
- size_or_mask = 0xfff00000; /* 32 bits */
+ size_or_mask = SIZE_OR_MASK_BITS(32);
size_and_mask = 0;
phys_addr = 32;
}
@@ -637,21 +639,21 @@ void __init mtrr_bp_init(void)
if (cpu_has_k6_mtrr) {
/* Pre-Athlon (K6) AMD CPU MTRRs */
mtrr_if = mtrr_ops[X86_VENDOR_AMD];
- size_or_mask = 0xfff00000; /* 32 bits */
+ size_or_mask = SIZE_OR_MASK_BITS(32);
size_and_mask = 0;
}
break;
case X86_VENDOR_CENTAUR:
if (cpu_has_centaur_mcr) {
mtrr_if = mtrr_ops[X86_VENDOR_CENTAUR];
- size_or_mask = 0xfff00000; /* 32 bits */
+ size_or_mask = SIZE_OR_MASK_BITS(32);
size_and_mask = 0;
}
break;
case X86_VENDOR_CYRIX:
if (cpu_has_cyrix_arr) {
mtrr_if = mtrr_ops[X86_VENDOR_CYRIX];
- size_or_mask = 0xfff00000; /* 32 bits */
+ size_or_mask = SIZE_OR_MASK_BITS(32);
size_and_mask = 0;
}
break;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [119/251] ARM: poison the vectors page
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (116 preceding siblings ...)
2013-09-11 4:29 ` [118/251] x86: Fix /proc/mtrr with base/size more than 44bits Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [120/251] ARM: poison memory between kuser helpers Steven Rostedt
` (132 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Russell King
[-- Attachment #1: 0119-ARM-poison-the-vectors-page.patch --]
[-- Type: text/plain, Size: 1808 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Russell King <rmk+kernel@arm.linux.org.uk>
[ Upstream commit f928d4f2a86f46b030fa0850385b4391fc2b5918 ]
Fill the empty regions of the vectors page with an exception generating
instruction. This ensures that any inappropriate branch to the vector
page is appropriately trapped, rather than just encountering some code
to execute. (The vectors page was filled with zero before, which
corresponds with the "andeq r0, r0, r0" instruction - a no-op.)
Cc: <stable@vger.kernel.org>
Acked-by Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/arm/kernel/traps.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
index b0179b8..a4f84b0 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -824,10 +824,20 @@ void __init early_trap_init(void *vectors_base)
extern char __vectors_start[], __vectors_end[];
extern char __kuser_helper_start[], __kuser_helper_end[];
int kuser_sz = __kuser_helper_end - __kuser_helper_start;
+ unsigned i;
vectors_page = vectors_base;
/*
+ * Poison the vectors page with an undefined instruction. This
+ * instruction is chosen to be undefined for both ARM and Thumb
+ * ISAs. The Thumb version is an undefined instruction with a
+ * branch back to the undefined instruction.
+ */
+ for (i = 0; i < PAGE_SIZE / sizeof(u32); i++)
+ ((u32 *)vectors_base)[i] = 0xe7fddef1;
+
+ /*
* Copy the vectors, stubs and kuser helpers (in entry-armv.S)
* into the vector page, mapped at 0xffff0000, and ensure these
* are visible to the instruction stream.
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [120/251] ARM: poison memory between kuser helpers
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (117 preceding siblings ...)
2013-09-11 4:29 ` [119/251] ARM: poison the vectors page Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [121/251] ARM: move vector stubs Steven Rostedt
` (131 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Nicolas Pitre, Russell King
[-- Attachment #1: 0120-ARM-poison-memory-between-kuser-helpers.patch --]
[-- Type: text/plain, Size: 1945 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Russell King <rmk+kernel@arm.linux.org.uk>
[ Upstream commit 5b43e7a383d69381ffe53423e46dd0fafae07da3 ]
Poison the memory between each kuser helper. This ensures that any
branch between the kuser helpers will be appropriately trapped.
Cc: <stable@vger.kernel.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/arm/kernel/entry-armv.S | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
index 0f82098..9c80c1d 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -784,6 +784,17 @@ ENDPROC(__switch_to)
#endif
.endm
+ .macro kuser_pad, sym, size
+ .if (. - \sym) & 3
+ .rept 4 - (. - \sym) & 3
+ .byte 0
+ .endr
+ .endif
+ .rept (\size - (. - \sym)) / 4
+ .word 0xe7fddef1
+ .endr
+ .endm
+
.align 5
.globl __kuser_helper_start
__kuser_helper_start:
@@ -874,18 +885,13 @@ kuser_cmpxchg64_fixup:
#error "incoherent kernel configuration"
#endif
- /* pad to next slot */
- .rept (16 - (. - __kuser_cmpxchg64)/4)
- .word 0
- .endr
-
- .align 5
+ kuser_pad __kuser_cmpxchg64, 64
__kuser_memory_barrier: @ 0xffff0fa0
smp_dmb arm
usr_ret lr
- .align 5
+ kuser_pad __kuser_memory_barrier, 32
__kuser_cmpxchg: @ 0xffff0fc0
@@ -958,13 +964,14 @@ kuser_cmpxchg32_fixup:
#endif
- .align 5
+ kuser_pad __kuser_cmpxchg, 32
__kuser_get_tls: @ 0xffff0fe0
ldr r0, [pc, #(16 - 8)] @ read TLS, set in kuser_get_tls_init
usr_ret lr
mrc p15, 0, r0, c13, c0, 3 @ 0xffff0fe8 hardware TLS code
- .rep 4
+ kuser_pad __kuser_get_tls, 16
+ .rep 3
.word 0 @ 0xffff0ff0 software TLS value, then
.endr @ pad up to __kuser_helper_version
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [121/251] ARM: move vector stubs
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (118 preceding siblings ...)
2013-09-11 4:29 ` [120/251] ARM: poison memory between kuser helpers Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [122/251] ARM: use linker magic for vectors and " Steven Rostedt
` (130 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Nicolas Pitre, Russell King
[-- Attachment #1: 0121-ARM-move-vector-stubs.patch --]
[-- Type: text/plain, Size: 5835 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Russell King <rmk+kernel@arm.linux.org.uk>
[ Upstream commit 19accfd373847ac3d10623c5d20f948846299741 ]
Move the machine vector stubs into the page above the vector page,
which we can prevent from being visible to userspace. Also move
the reset stub, and place the swi vector at a location that the
'ldr' can get to it.
This hides pointers into the kernel which could give valuable
information to attackers, and reduces the number of exploitable
instructions at a fixed address.
Cc: <stable@vger.kernel.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/arm/Kconfig | 3 ++-
arch/arm/kernel/entry-armv.S | 50 ++++++++++++++++++++----------------------
arch/arm/kernel/traps.c | 4 ++--
arch/arm/mm/mmu.c | 10 ++++++++-
4 files changed, 37 insertions(+), 30 deletions(-)
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 589bdba..ca5e665 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -183,7 +183,8 @@ config VECTORS_BASE
default DRAM_BASE if REMAP_VECTORS_TO_RAM
default 0x00000000
help
- The base address of exception vectors.
+ The base address of exception vectors. This must be two pages
+ in size.
config ARM_PATCH_PHYS_VIRT
bool "Patch physical to virtual translations at runtime" if EMBEDDED
diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
index 9c80c1d..a4af8e8 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -986,9 +986,9 @@ __kuser_helper_end:
/*
* Vector stubs.
*
- * This code is copied to 0xffff0200 so we can use branches in the
- * vectors, rather than ldr's. Note that this code must not
- * exceed 0x300 bytes.
+ * This code is copied to 0xffff1000 so we can use branches in the
+ * vectors, rather than ldr's. Note that this code must not exceed
+ * a page size.
*
* Common stub entry macro:
* Enter in IRQ mode, spsr = SVC/USR CPSR, lr = SVC/USR PC
@@ -1037,6 +1037,15 @@ ENDPROC(vector_\name)
.globl __stubs_start
__stubs_start:
+ @ This must be the first word
+ .word vector_swi
+
+vector_rst:
+ ARM( swi SYS_ERROR0 )
+ THUMB( svc #0 )
+ THUMB( nop )
+ b vector_und
+
/*
* Interrupt dispatcher
*/
@@ -1131,6 +1140,16 @@ __stubs_start:
.align 5
/*=============================================================================
+ * Address exception handler
+ *-----------------------------------------------------------------------------
+ * These aren't too critical.
+ * (they're not supposed to happen, and won't happen in 32-bit data mode).
+ */
+
+vector_addrexcptn:
+ b vector_addrexcptn
+
+/*=============================================================================
* Undefined FIQs
*-----------------------------------------------------------------------------
* Enter in FIQ mode, spsr = ANY CPSR, lr = ANY PC
@@ -1143,35 +1162,14 @@ __stubs_start:
vector_fiq:
subs pc, lr, #4
-/*=============================================================================
- * Address exception handler
- *-----------------------------------------------------------------------------
- * These aren't too critical.
- * (they're not supposed to happen, and won't happen in 32-bit data mode).
- */
-
-vector_addrexcptn:
- b vector_addrexcptn
-
-/*
- * We group all the following data together to optimise
- * for CPUs with separate I & D caches.
- */
- .align 5
-
-.LCvswi:
- .word vector_swi
-
.globl __stubs_end
__stubs_end:
- .equ stubs_offset, __vectors_start + 0x200 - __stubs_start
+ .equ stubs_offset, __vectors_start + 0x1000 - __stubs_start
.globl __vectors_start
__vectors_start:
- ARM( swi SYS_ERROR0 )
- THUMB( svc #0 )
- THUMB( nop )
+ W(b) vector_rst + stubs_offset
W(b) vector_und + stubs_offset
W(ldr) pc, .LCvswi + stubs_offset
W(b) vector_pabt + stubs_offset
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
index a4f84b0..366aa93 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -843,7 +843,7 @@ void __init early_trap_init(void *vectors_base)
* are visible to the instruction stream.
*/
memcpy((void *)vectors, __vectors_start, __vectors_end - __vectors_start);
- memcpy((void *)vectors + 0x200, __stubs_start, __stubs_end - __stubs_start);
+ memcpy((void *)vectors + 0x1000, __stubs_start, __stubs_end - __stubs_start);
memcpy((void *)vectors + 0x1000 - kuser_sz, __kuser_helper_start, kuser_sz);
/*
@@ -858,6 +858,6 @@ void __init early_trap_init(void *vectors_base)
memcpy((void *)(vectors + KERN_SIGRETURN_CODE - CONFIG_VECTORS_BASE),
sigreturn_codes, sizeof(sigreturn_codes));
- flush_icache_range(vectors, vectors + PAGE_SIZE);
+ flush_icache_range(vectors, vectors + PAGE_SIZE * 2);
modify_domain(DOMAIN_USER, DOMAIN_CLIENT);
}
diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
index c2fa21d..889f3de 100644
--- a/arch/arm/mm/mmu.c
+++ b/arch/arm/mm/mmu.c
@@ -1080,7 +1080,7 @@ static void __init devicemaps_init(struct machine_desc *mdesc)
/*
* Allocate the vector page early.
*/
- vectors = early_alloc(PAGE_SIZE);
+ vectors = early_alloc(PAGE_SIZE * 2);
early_trap_init(vectors);
@@ -1130,10 +1130,18 @@ static void __init devicemaps_init(struct machine_desc *mdesc)
if (!vectors_high()) {
map.virtual = 0;
+ map.length = PAGE_SIZE * 2;
map.type = MT_LOW_VECTORS;
create_mapping(&map);
}
+ /* Now create a kernel read-only mapping */
+ map.pfn += 1;
+ map.virtual = 0xffff0000 + PAGE_SIZE;
+ map.length = PAGE_SIZE;
+ map.type = MT_LOW_VECTORS;
+ create_mapping(&map);
+
/*
* Ask the machine support to map in the statically mapped devices.
*/
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [122/251] ARM: use linker magic for vectors and vector stubs
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (119 preceding siblings ...)
2013-09-11 4:29 ` [121/251] ARM: move vector stubs Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [123/251] ARM: update FIQ support for relocation of vectors Steven Rostedt
` (129 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Nicolas Pitre, Russell King
[-- Attachment #1: 0122-ARM-use-linker-magic-for-vectors-and-vector-stubs.patch --]
[-- Type: text/plain, Size: 2680 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Russell King <rmk+kernel@arm.linux.org.uk>
[ Upstream commit b9b32bf70f2fb710b07c94e13afbc729afe221da ]
Use linker magic to create the vectors and vector stubs: we can tell the
linker to place them at an appropriate VMA, but keep the LMA within the
kernel. This gets rid of some unnecessary symbol manipulation, and
have the linker calculate the relocations appropriately.
Cc: <stable@vger.kernel.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/arm/kernel/entry-armv.S | 28 ++++++++++------------------
arch/arm/kernel/vmlinux.lds.S | 17 +++++++++++++++++
2 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
index a4af8e8..c19779f 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -1035,7 +1035,7 @@ ENDPROC(vector_\name)
1:
.endm
- .globl __stubs_start
+ .section .stubs, "ax", %progbits
__stubs_start:
@ This must be the first word
.word vector_swi
@@ -1162,24 +1162,16 @@ vector_addrexcptn:
vector_fiq:
subs pc, lr, #4
- .globl __stubs_end
-__stubs_end:
-
- .equ stubs_offset, __vectors_start + 0x1000 - __stubs_start
-
- .globl __vectors_start
+ .section .vectors, "ax", %progbits
__vectors_start:
- W(b) vector_rst + stubs_offset
- W(b) vector_und + stubs_offset
- W(ldr) pc, .LCvswi + stubs_offset
- W(b) vector_pabt + stubs_offset
- W(b) vector_dabt + stubs_offset
- W(b) vector_addrexcptn + stubs_offset
- W(b) vector_irq + stubs_offset
- W(b) vector_fiq + stubs_offset
-
- .globl __vectors_end
-__vectors_end:
+ W(b) vector_rst
+ W(b) vector_und
+ W(ldr) pc, __vectors_start + 0x1000
+ W(b) vector_pabt
+ W(b) vector_dabt
+ W(b) vector_addrexcptn
+ W(b) vector_irq
+ W(b) vector_fiq
.data
diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
index 36ff15b..2f8f92e 100644
--- a/arch/arm/kernel/vmlinux.lds.S
+++ b/arch/arm/kernel/vmlinux.lds.S
@@ -137,6 +137,23 @@ SECTIONS
. = ALIGN(PAGE_SIZE);
__init_begin = .;
#endif
+ /*
+ * The vectors and stubs are relocatable code, and the
+ * only thing that matters is their relative offsets
+ */
+ __vectors_start = .;
+ .vectors 0 : AT(__vectors_start) {
+ *(.vectors)
+ }
+ . = __vectors_start + SIZEOF(.vectors);
+ __vectors_end = .;
+
+ __stubs_start = .;
+ .stubs 0x1000 : AT(__stubs_start) {
+ *(.stubs)
+ }
+ . = __stubs_start + SIZEOF(.stubs);
+ __stubs_end = .;
INIT_TEXT_SECTION(8)
.exit.text : {
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [123/251] ARM: update FIQ support for relocation of vectors
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (120 preceding siblings ...)
2013-09-11 4:29 ` [122/251] ARM: use linker magic for vectors and " Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [124/251] ARM: allow kuser helpers to be removed from the vector page Steven Rostedt
` (128 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Nicolas Pitre, Russell King
[-- Attachment #1: 0123-ARM-update-FIQ-support-for-relocation-of-vectors.patch --]
[-- Type: text/plain, Size: 2430 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Russell King <rmk+kernel@arm.linux.org.uk>
[ Upstream commit e39e3f3ebfef03450cf7bfa7a974a8c61f7980c8 ]
FIQ should no longer copy the FIQ code into the user visible vector
page. Instead, it should use the hidden page. This change makes
that happen.
Cc: <stable@vger.kernel.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/arm/kernel/entry-armv.S | 3 +++
arch/arm/kernel/fiq.c | 19 ++++++++++++++-----
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
index c19779f..4c28aff 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -1162,6 +1162,9 @@ vector_addrexcptn:
vector_fiq:
subs pc, lr, #4
+ .globl vector_fiq_offset
+ .equ vector_fiq_offset, vector_fiq
+
.section .vectors, "ax", %progbits
__vectors_start:
W(b) vector_rst
diff --git a/arch/arm/kernel/fiq.c b/arch/arm/kernel/fiq.c
index 2adda11..25442f4 100644
--- a/arch/arm/kernel/fiq.c
+++ b/arch/arm/kernel/fiq.c
@@ -47,6 +47,11 @@
#include <asm/irq.h>
#include <asm/traps.h>
+#define FIQ_OFFSET ({ \
+ extern void *vector_fiq_offset; \
+ (unsigned)&vector_fiq_offset; \
+ })
+
static unsigned long no_fiq_insn;
/* Default reacquire function
@@ -80,13 +85,16 @@ int show_fiq_list(struct seq_file *p, int prec)
void set_fiq_handler(void *start, unsigned int length)
{
#if defined(CONFIG_CPU_USE_DOMAINS)
- memcpy((void *)0xffff001c, start, length);
+ void *base = (void *)0xffff0000;
#else
- memcpy(vectors_page + 0x1c, start, length);
+ void *base = vectors_page;
#endif
- flush_icache_range(0xffff001c, 0xffff001c + length);
+ unsigned offset = FIQ_OFFSET;
+
+ memcpy(base + offset, start, length);
+ flush_icache_range(0xffff0000 + offset, 0xffff0000 + offset + length);
if (!vectors_high())
- flush_icache_range(0x1c, 0x1c + length);
+ flush_icache_range(offset, offset + length);
}
int claim_fiq(struct fiq_handler *f)
@@ -144,6 +152,7 @@ EXPORT_SYMBOL(disable_fiq);
void __init init_FIQ(int start)
{
- no_fiq_insn = *(unsigned long *)0xffff001c;
+ unsigned offset = FIQ_OFFSET;
+ no_fiq_insn = *(unsigned long *)(0xffff0000 + offset);
fiq_start = start;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [124/251] ARM: allow kuser helpers to be removed from the vector page
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (121 preceding siblings ...)
2013-09-11 4:29 ` [123/251] ARM: update FIQ support for relocation of vectors Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [125/251] ARM: make vectors page inaccessible from userspace Steven Rostedt
` (127 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Nicolas Pitre, Russell King
[-- Attachment #1: 0124-ARM-allow-kuser-helpers-to-be-removed-from-the-vecto.patch --]
[-- Type: text/plain, Size: 5809 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Russell King <rmk+kernel@arm.linux.org.uk>
[ Upstream commit f6f91b0d9fd971c630cef908dde8fe8795aefbf8 ]
Provide a kernel configuration option to allow the kernel user helpers
to be removed from the vector page, thereby preventing their use with
ROP (return orientated programming) attacks. This option is only
visible for CPU architectures which natively support all the operations
which kernel user helpers would normally provide, and must be enabled
with caution.
Cc: <stable@vger.kernel.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/arm/kernel/entry-armv.S | 3 +++
arch/arm/kernel/traps.c | 23 ++++++++++++++---------
arch/arm/mm/Kconfig | 34 ++++++++++++++++++++++++++++++++++
3 files changed, 51 insertions(+), 9 deletions(-)
diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
index 4c28aff..5492d72 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -795,6 +795,7 @@ ENDPROC(__switch_to)
.endr
.endm
+#ifdef CONFIG_KUSER_HELPERS
.align 5
.globl __kuser_helper_start
__kuser_helper_start:
@@ -981,6 +982,8 @@ __kuser_helper_version: @ 0xffff0ffc
.globl __kuser_helper_end
__kuser_helper_end:
+#endif
+
THUMB( .thumb )
/*
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
index 366aa93..1392beb 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -807,23 +807,32 @@ void __init trap_init(void)
return;
}
-static void __init kuser_get_tls_init(unsigned long vectors)
+#ifdef CONFIG_KUSER_HELPERS
+static void __init kuser_init(void *vectors)
{
+ extern char __kuser_helper_start[], __kuser_helper_end[];
+ int kuser_sz = __kuser_helper_end - __kuser_helper_start;
+
+ memcpy(vectors + 0x1000 - kuser_sz, __kuser_helper_start, kuser_sz);
+
/*
* vectors + 0xfe0 = __kuser_get_tls
* vectors + 0xfe8 = hardware TLS instruction at 0xffff0fe8
*/
if (tls_emu || has_tls_reg)
- memcpy((void *)vectors + 0xfe0, (void *)vectors + 0xfe8, 4);
+ memcpy(vectors + 0xfe0, vectors + 0xfe8, 4);
+}
+#else
+static void __init kuser_init(void *vectors)
+{
}
+#endif
void __init early_trap_init(void *vectors_base)
{
unsigned long vectors = (unsigned long)vectors_base;
extern char __stubs_start[], __stubs_end[];
extern char __vectors_start[], __vectors_end[];
- extern char __kuser_helper_start[], __kuser_helper_end[];
- int kuser_sz = __kuser_helper_end - __kuser_helper_start;
unsigned i;
vectors_page = vectors_base;
@@ -844,12 +853,8 @@ void __init early_trap_init(void *vectors_base)
*/
memcpy((void *)vectors, __vectors_start, __vectors_end - __vectors_start);
memcpy((void *)vectors + 0x1000, __stubs_start, __stubs_end - __stubs_start);
- memcpy((void *)vectors + 0x1000 - kuser_sz, __kuser_helper_start, kuser_sz);
- /*
- * Do processor specific fixups for the kuser helpers
- */
- kuser_get_tls_init(vectors);
+ kuser_init(vectors_base);
/*
* Copy signal return handlers into the vector page, and
diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
index 101b968..8d194df 100644
--- a/arch/arm/mm/Kconfig
+++ b/arch/arm/mm/Kconfig
@@ -400,24 +400,28 @@ config CPU_32v3
select TLS_REG_EMUL if SMP || !MMU
select NEEDS_SYSCALL_FOR_CMPXCHG if SMP
select CPU_USE_DOMAINS if MMU
+ select NEED_KUSER_HELPERS
config CPU_32v4
bool
select TLS_REG_EMUL if SMP || !MMU
select NEEDS_SYSCALL_FOR_CMPXCHG if SMP
select CPU_USE_DOMAINS if MMU
+ select NEED_KUSER_HELPERS
config CPU_32v4T
bool
select TLS_REG_EMUL if SMP || !MMU
select NEEDS_SYSCALL_FOR_CMPXCHG if SMP
select CPU_USE_DOMAINS if MMU
+ select NEED_KUSER_HELPERS
config CPU_32v5
bool
select TLS_REG_EMUL if SMP || !MMU
select NEEDS_SYSCALL_FOR_CMPXCHG if SMP
select CPU_USE_DOMAINS if MMU
+ select NEED_KUSER_HELPERS
config CPU_32v6
bool
@@ -735,6 +739,7 @@ config CPU_BPREDICT_DISABLE
config TLS_REG_EMUL
bool
+ select NEED_KUSER_HELPERS
help
An SMP system using a pre-ARMv6 processor (there are apparently
a few prototypes like that in existence) and therefore access to
@@ -742,11 +747,40 @@ config TLS_REG_EMUL
config NEEDS_SYSCALL_FOR_CMPXCHG
bool
+ select NEED_KUSER_HELPERS
help
SMP on a pre-ARMv6 processor? Well OK then.
Forget about fast user space cmpxchg support.
It is just not possible.
+config NEED_KUSER_HELPERS
+ bool
+
+config KUSER_HELPERS
+ bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS
+ default y
+ help
+ Warning: disabling this option may break user programs.
+
+ Provide kuser helpers in the vector page. The kernel provides
+ helper code to userspace in read only form at a fixed location
+ in the high vector page to allow userspace to be independent of
+ the CPU type fitted to the system. This permits binaries to be
+ run on ARMv4 through to ARMv7 without modification.
+
+ However, the fixed address nature of these helpers can be used
+ by ROP (return orientated programming) authors when creating
+ exploits.
+
+ If all of the binaries and libraries which run on your platform
+ are built specifically for your platform, and make no use of
+ these helpers, then you can turn this option off. However,
+ when such an binary or library is run, it will receive a SIGILL
+ signal, which will terminate the program.
+
+ Say N here only if you are absolutely certain that you do not
+ need these helpers; otherwise, the safe option is to say Y.
+
config DMA_CACHE_RWFO
bool "Enable read/write for ownership DMA cache maintenance"
depends on CPU_V6K && SMP
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [125/251] ARM: make vectors page inaccessible from userspace
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (122 preceding siblings ...)
2013-09-11 4:29 ` [124/251] ARM: allow kuser helpers to be removed from the vector page Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [126/251] powerpc/windfarm: Fix noisy slots-fan on Xserve (rm31) Steven Rostedt
` (126 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Russell King
[-- Attachment #1: 0125-ARM-make-vectors-page-inaccessible-from-userspace.patch --]
[-- Type: text/plain, Size: 2477 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Russell King <rmk+kernel@arm.linux.org.uk>
[ Upstream commit a5463cd3435475386cbbe7b06e01292ac169d36f ]
If kuser helpers are not provided by the kernel, disable user access to
the vectors page. With the kuser helpers gone, there is no reason for
this page to be visible to userspace.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/arm/include/asm/page.h | 2 ++
arch/arm/kernel/process.c | 7 ++++++-
arch/arm/mm/mmu.c | 4 ++++
3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/arch/arm/include/asm/page.h b/arch/arm/include/asm/page.h
index ecf9019..5c35852 100644
--- a/arch/arm/include/asm/page.h
+++ b/arch/arm/include/asm/page.h
@@ -142,7 +142,9 @@ extern void __cpu_copy_user_highpage(struct page *to, struct page *from,
#define clear_page(page) memset((void *)(page), 0, PAGE_SIZE)
extern void copy_page(void *to, const void *from);
+#ifdef CONFIG_KUSER_HELPERS
#define __HAVE_ARCH_GATE_AREA 1
+#endif
#ifdef CONFIG_ARM_LPAE
#include <asm/pgtable-3level-types.h>
diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
index 693b744..427ddbc 100644
--- a/arch/arm/kernel/process.c
+++ b/arch/arm/kernel/process.c
@@ -508,6 +508,7 @@ unsigned long arch_randomize_brk(struct mm_struct *mm)
}
#ifdef CONFIG_MMU
+#ifdef CONFIG_KUSER_HELPERS
/*
* The vectors page is always readable from user space for the
* atomic helpers and the signal restart code. Insert it into the
@@ -540,9 +541,13 @@ int in_gate_area_no_mm(unsigned long addr)
{
return in_gate_area(NULL, addr);
}
+#define is_gate_vma(vma) ((vma) = &gate_vma)
+#else
+#define is_gate_vma(vma) 0
+#endif
const char *arch_vma_name(struct vm_area_struct *vma)
{
- return (vma == &gate_vma) ? "[vectors]" : NULL;
+ return is_gate_vma(vma) ? "[vectors]" : NULL;
}
#endif
diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
index 889f3de..50d4aff 100644
--- a/arch/arm/mm/mmu.c
+++ b/arch/arm/mm/mmu.c
@@ -1125,7 +1125,11 @@ static void __init devicemaps_init(struct machine_desc *mdesc)
map.pfn = __phys_to_pfn(virt_to_phys(vectors));
map.virtual = 0xffff0000;
map.length = PAGE_SIZE;
+#ifdef CONFIG_KUSER_HELPERS
map.type = MT_HIGH_VECTORS;
+#else
+ map.type = MT_LOW_VECTORS;
+#endif
create_mapping(&map);
if (!vectors_high()) {
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [126/251] powerpc/windfarm: Fix noisy slots-fan on Xserve (rm31)
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (123 preceding siblings ...)
2013-09-11 4:29 ` [125/251] ARM: make vectors page inaccessible from userspace Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [127/251] ARM: 7790/1: Fix deferred mm switch on VIVT processors Steven Rostedt
` (125 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Aaro Koskinen, Benjamin Herrenschmidt
[-- Attachment #1: 0126-powerpc-windfarm-Fix-noisy-slots-fan-on-Xserve-rm31.patch --]
[-- Type: text/plain, Size: 1668 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Aaro Koskinen <aaro.koskinen@iki.fi>
[ Upstream commit fe956a1d4081ce1a959f87df397a15e252201f10 ]
slots-fan on G5 Xserve is always running at full speed with windfarm_rm31
driver, resulting in a very high acoustic noise level. It seems the fan
parameters are incorrect, and have been copied from the Drive Bay fan
(RPM, not present on rm31) of the legacy therm_pm72 driver. This patch
changes the parameters to match the Slots fan (PWM) of therm_pm72. With
the patch, slots-fan speed drops from 99% to 19% during normal use,
and slots-temp settle to ~42'C.
Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
CC: <stable@vger.kernel.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/macintosh/windfarm_rm31.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/macintosh/windfarm_rm31.c b/drivers/macintosh/windfarm_rm31.c
index 3eca6d4..e13d9fd 100644
--- a/drivers/macintosh/windfarm_rm31.c
+++ b/drivers/macintosh/windfarm_rm31.c
@@ -439,15 +439,15 @@ static void backside_setup_pid(void)
/* Slots fan */
static const struct wf_pid_param slots_param = {
- .interval = 5,
- .history_len = 2,
- .gd = 30 << 20,
- .gp = 5 << 20,
- .gr = 0,
- .itarget = 40 << 16,
- .additive = 1,
- .min = 300,
- .max = 4000,
+ .interval = 1,
+ .history_len = 20,
+ .gd = 0,
+ .gp = 0,
+ .gr = 0x00100000,
+ .itarget = 3200000,
+ .additive = 0,
+ .min = 20,
+ .max = 100,
};
static void slots_fan_tick(void)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [127/251] ARM: 7790/1: Fix deferred mm switch on VIVT processors
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (124 preceding siblings ...)
2013-09-11 4:29 ` [126/251] powerpc/windfarm: Fix noisy slots-fan on Xserve (rm31) Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [128/251] ALSA: compress: fix the return value for SNDRV_COMPRESS_VERSION Steven Rostedt
` (124 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Catalin Marinas, Marc Kleine-Budde, Russell King
[-- Attachment #1: 0127-ARM-7790-1-Fix-deferred-mm-switch-on-VIVT-processors.patch --]
[-- Type: text/plain, Size: 3683 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Catalin Marinas <catalin.marinas@arm.com>
[ Upstream commit bdae73cd374e28db544fdd9b77de689a36e3c129 ]
As of commit b9d4d42ad9 (ARM: Remove __ARCH_WANT_INTERRUPTS_ON_CTXSW on
pre-ARMv6 CPUs), the mm switching on VIVT processors is done in the
finish_arch_post_lock_switch() function to avoid whole cache flushing
with interrupts disabled. The need for deferred mm switch is stored as a
thread flag (TIF_SWITCH_MM). However, with preemption enabled, we can
have another thread switch before finish_arch_post_lock_switch(). If the
new thread has the same mm as the previous 'next' thread, the scheduler
will not call switch_mm() and the TIF_SWITCH_MM flag won't be set for
the new thread.
This patch moves the switch pending flag to the mm_context_t structure
since this is specific to the mm rather than thread.
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Reported-by: Marc Kleine-Budde <mkl@pengutronix.de>
Tested-by: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: <stable@vger.kernel.org> # 3.5+
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/arm/include/asm/mmu.h | 2 ++
arch/arm/include/asm/mmu_context.h | 20 ++++++++++++++++----
arch/arm/include/asm/thread_info.h | 1 -
3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/arch/arm/include/asm/mmu.h b/arch/arm/include/asm/mmu.h
index 1496565..49122c4 100644
--- a/arch/arm/include/asm/mmu.h
+++ b/arch/arm/include/asm/mmu.h
@@ -7,6 +7,8 @@ typedef struct {
#ifdef CONFIG_CPU_HAS_ASID
unsigned int id;
raw_spinlock_t id_lock;
+#else
+ int switch_pending;
#endif
unsigned int kvm_seq;
} mm_context_t;
diff --git a/arch/arm/include/asm/mmu_context.h b/arch/arm/include/asm/mmu_context.h
index 0306bc6..549f1c6 100644
--- a/arch/arm/include/asm/mmu_context.h
+++ b/arch/arm/include/asm/mmu_context.h
@@ -121,7 +121,7 @@ static inline void check_and_switch_context(struct mm_struct *mm,
* on non-ASID CPUs, the old mm will remain valid until the
* finish_arch_post_lock_switch() call.
*/
- set_ti_thread_flag(task_thread_info(tsk), TIF_SWITCH_MM);
+ mm->context.switch_pending = 1;
else
cpu_switch_mm(mm->pgd, mm);
}
@@ -130,9 +130,21 @@ static inline void check_and_switch_context(struct mm_struct *mm,
finish_arch_post_lock_switch
static inline void finish_arch_post_lock_switch(void)
{
- if (test_and_clear_thread_flag(TIF_SWITCH_MM)) {
- struct mm_struct *mm = current->mm;
- cpu_switch_mm(mm->pgd, mm);
+ struct mm_struct *mm = current->mm;
+
+ if (mm && mm->context.switch_pending) {
+ /*
+ * Preemption must be disabled during cpu_switch_mm() as we
+ * have some stateful cache flush implementations. Check
+ * switch_pending again in case we were preempted and the
+ * switch to this mm was already done.
+ */
+ preempt_disable();
+ if (mm->context.switch_pending) {
+ mm->context.switch_pending = 0;
+ cpu_switch_mm(mm->pgd, mm);
+ }
+ preempt_enable_no_resched();
}
}
diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
index af7b0bd..86682b1 100644
--- a/arch/arm/include/asm/thread_info.h
+++ b/arch/arm/include/asm/thread_info.h
@@ -153,7 +153,6 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
#define TIF_MEMDIE 18 /* is terminating due to OOM killer */
#define TIF_RESTORE_SIGMASK 20
#define TIF_SECCOMP 21
-#define TIF_SWITCH_MM 22 /* deferred switch_mm */
#define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
#define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [128/251] ALSA: compress: fix the return value for SNDRV_COMPRESS_VERSION
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (125 preceding siblings ...)
2013-09-11 4:29 ` [127/251] ARM: 7790/1: Fix deferred mm switch on VIVT processors Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [129/251] serial/mxs-auart: fix race condition in interrupt handler Steven Rostedt
` (123 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Haynes, Vinod Koul, Takashi Iwai
[-- Attachment #1: 0128-ALSA-compress-fix-the-return-value-for-SNDRV_COMPRES.patch --]
[-- Type: text/plain, Size: 1253 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Vinod Koul <vinod.koul@intel.com>
[ Upstream commit a8d30608eaed6cc759b8e2e8a8bbbb42591f797f ]
the return value of SNDRV_COMPRESS_VERSION always return default -ENOTTY as the
return value was never updated for this call
assign return value from put_user()
Reported-by: Haynes <hgeorge@codeaurora.org>
CC: stable@vger.kernel.org
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/core/compress_offload.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
index d5103f7..20f55e2 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -582,7 +582,7 @@ static long snd_compr_ioctl(struct file *f, unsigned int cmd, unsigned long arg)
mutex_lock(&stream->device->lock);
switch (_IOC_NR(cmd)) {
case _IOC_NR(SNDRV_COMPRESS_IOCTL_VERSION):
- put_user(SNDRV_COMPRESS_VERSION,
+ retval = put_user(SNDRV_COMPRESS_VERSION,
(int __user *)arg) ? -EFAULT : 0;
break;
case _IOC_NR(SNDRV_COMPRESS_GET_CAPS):
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [129/251] serial/mxs-auart: fix race condition in interrupt handler
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (126 preceding siblings ...)
2013-09-11 4:29 ` [128/251] ALSA: compress: fix the return value for SNDRV_COMPRESS_VERSION Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [130/251] serial/mxs-auart: increase time to wait for transmitter to become idle Steven Rostedt
` (122 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Uwe Kleine-König, Greg Kroah-Hartman
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: 0129-serial-mxs-auart-fix-race-condition-in-interrupt-han.patch --]
[-- Type: text/plain, Size: 2055 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
[ Upstream commit d970d7fe65adff5efe75b4a73c4ffc9be57089f7 ]
The handler needs to ack the pending events before actually handling them.
Otherwise a new event might come in after it it considered non-pending or
handled and is acked then without being handled. So this event is only
noticed when the next interrupt happens.
Without this patch an i.MX28 based machine running an rt-patched kernel
regularly hangs during boot.
Cc: stable@vger.kernel.org # v2.6.39+
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/tty/serial/mxs-auart.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
index 3a667ee..634be9b 100644
--- a/drivers/tty/serial/mxs-auart.c
+++ b/drivers/tty/serial/mxs-auart.c
@@ -381,11 +381,18 @@ static void mxs_auart_settermios(struct uart_port *u,
static irqreturn_t mxs_auart_irq_handle(int irq, void *context)
{
- u32 istatus, istat;
+ u32 istat;
struct mxs_auart_port *s = context;
u32 stat = readl(s->port.membase + AUART_STAT);
- istatus = istat = readl(s->port.membase + AUART_INTR);
+ istat = readl(s->port.membase + AUART_INTR);
+
+ /* ack irq */
+ writel(istat & (AUART_INTR_RTIS
+ | AUART_INTR_TXIS
+ | AUART_INTR_RXIS
+ | AUART_INTR_CTSMIS),
+ s->port.membase + AUART_INTR_CLR);
if (istat & AUART_INTR_CTSMIS) {
uart_handle_cts_change(&s->port, stat & AUART_STAT_CTS);
@@ -404,12 +411,6 @@ static irqreturn_t mxs_auart_irq_handle(int irq, void *context)
istat &= ~AUART_INTR_TXIS;
}
- writel(istatus & (AUART_INTR_RTIS
- | AUART_INTR_TXIS
- | AUART_INTR_RXIS
- | AUART_INTR_CTSMIS),
- s->port.membase + AUART_INTR_CLR);
-
return IRQ_HANDLED;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [130/251] serial/mxs-auart: increase time to wait for transmitter to become idle
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (127 preceding siblings ...)
2013-09-11 4:29 ` [129/251] serial/mxs-auart: fix race condition in interrupt handler Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [131/251] USB: mos7840: fix race in register handling Steven Rostedt
` (121 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Uwe Kleine-König, Greg Kroah-Hartman
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: 0130-serial-mxs-auart-increase-time-to-wait-for-transmitt.patch --]
[-- Type: text/plain, Size: 2729 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
[ Upstream commit 079a036f4283e2b0e5c26080b8c5112bc0cc1831 ]
Without this patch the driver waits ~1 ms for the UART to become idle. At
115200n8 this time is (theoretically) enough to transfer 11.5 characters
(= 115200 bits/s / (10 Bits/char) * 1ms). As the mxs-auart has a fifo size
of 16 characters the clock is gated too early. The problem is worse for
lower baud rates.
This only happens to really shut down the transmitter in the middle of a
transfer if /dev/ttyAPPx isn't opened in userspace (e.g. by a getty) but
was at least once (because the bootloader doesn't disable the transmitter).
So increase the timeout to 20 ms which should be enough for 9600n8, too.
Moreover skip gating the clock if the timeout is elapsed.
Cc: stable@vger.kernel.org # v2.6.39+
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/tty/serial/mxs-auart.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
index 634be9b..647609d 100644
--- a/drivers/tty/serial/mxs-auart.c
+++ b/drivers/tty/serial/mxs-auart.c
@@ -550,7 +550,7 @@ auart_console_write(struct console *co, const char *str, unsigned int count)
struct mxs_auart_port *s;
struct uart_port *port;
unsigned int old_ctrl0, old_ctrl2;
- unsigned int to = 1000;
+ unsigned int to = 20000;
if (co->index > MXS_AUART_PORTS || co->index < 0)
return;
@@ -571,18 +571,23 @@ auart_console_write(struct console *co, const char *str, unsigned int count)
uart_console_write(port, str, count, mxs_auart_console_putchar);
- /*
- * Finally, wait for transmitter to become empty
- * and restore the TCR
- */
+ /* Finally, wait for transmitter to become empty ... */
while (readl(port->membase + AUART_STAT) & AUART_STAT_BUSY) {
+ udelay(1);
if (!to--)
break;
- udelay(1);
}
- writel(old_ctrl0, port->membase + AUART_CTRL0);
- writel(old_ctrl2, port->membase + AUART_CTRL2);
+ /*
+ * ... and restore the TCR if we waited long enough for the transmitter
+ * to be idle. This might keep the transmitter enabled although it is
+ * unused, but that is better than to disable it while it is still
+ * transmitting.
+ */
+ if (!(readl(port->membase + AUART_STAT) & AUART_STAT_BUSY)) {
+ writel(old_ctrl0, port->membase + AUART_CTRL0);
+ writel(old_ctrl2, port->membase + AUART_CTRL2);
+ }
clk_disable(s->clk);
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [131/251] USB: mos7840: fix race in register handling
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (128 preceding siblings ...)
2013-09-11 4:29 ` [130/251] serial/mxs-auart: increase time to wait for transmitter to become idle Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [132/251] USB: mos7840: fix device-type detection Steven Rostedt
` (120 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Johan Hovold, Greg Kroah-Hartman
[-- Attachment #1: 0131-USB-mos7840-fix-race-in-register-handling.patch --]
[-- Type: text/plain, Size: 2691 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Johan Hovold <jhovold@gmail.com>
[ Upstream commit d8a083cc746664916d9d36ed9e4d08a29525f245 ]
Fix race in mos7840_get_reg which unconditionally manipulated the
control urb (which may already be in use) by adding a control-urb busy
flag.
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/mos7840.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
index 15cc47d..2e218ee 100644
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -187,6 +187,10 @@
#define LED_ON_MS 500
#define LED_OFF_MS 500
+enum mos7840_flag {
+ MOS7840_FLAG_CTRL_BUSY,
+};
+
static int device_type;
static const struct usb_device_id id_table[] = {
@@ -247,6 +251,8 @@ struct moschip_port {
bool led_flag;
struct timer_list led_timer1; /* Timer for LED on */
struct timer_list led_timer2; /* Timer for LED off */
+
+ unsigned long flags;
};
static bool debug;
@@ -507,11 +513,11 @@ static void mos7840_control_callback(struct urb *urb)
/* this urb is terminated, clean up */
dbg("%s - urb shutting down with status: %d", __func__,
status);
- return;
+ goto out;
default:
dbg("%s - nonzero urb status received: %d", __func__,
status);
- return;
+ goto out;
}
dbg("%s urb buffer size is %d", __func__, urb->actual_length);
@@ -524,6 +530,8 @@ static void mos7840_control_callback(struct urb *urb)
mos7840_handle_new_msr(mos7840_port, regval);
else if (mos7840_port->MsrLsr == 1)
mos7840_handle_new_lsr(mos7840_port, regval);
+out:
+ clear_bit_unlock(MOS7840_FLAG_CTRL_BUSY, &mos7840_port->flags);
}
static int mos7840_get_reg(struct moschip_port *mcs, __u16 Wval, __u16 reg,
@@ -534,6 +542,9 @@ static int mos7840_get_reg(struct moschip_port *mcs, __u16 Wval, __u16 reg,
unsigned char *buffer = mcs->ctrl_buf;
int ret;
+ if (test_and_set_bit_lock(MOS7840_FLAG_CTRL_BUSY, &mcs->flags))
+ return -EBUSY;
+
dr->bRequestType = MCS_RD_RTYPE;
dr->bRequest = MCS_RDREQ;
dr->wValue = cpu_to_le16(Wval); /* 0 */
@@ -545,6 +556,9 @@ static int mos7840_get_reg(struct moschip_port *mcs, __u16 Wval, __u16 reg,
mos7840_control_callback, mcs);
mcs->control_urb->transfer_buffer_length = 2;
ret = usb_submit_urb(mcs->control_urb, GFP_ATOMIC);
+ if (ret)
+ clear_bit_unlock(MOS7840_FLAG_CTRL_BUSY, &mcs->flags);
+
return ret;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [132/251] USB: mos7840: fix device-type detection
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (129 preceding siblings ...)
2013-09-11 4:29 ` [131/251] USB: mos7840: fix race in register handling Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [133/251] USB: mos7840: fix race in led handling Steven Rostedt
` (119 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Johan Hovold, Greg Kroah-Hartman
[-- Attachment #1: 0132-USB-mos7840-fix-device-type-detection.patch --]
[-- Type: text/plain, Size: 4684 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Johan Hovold <jhovold@gmail.com>
[ Upstream commit 40c24f2893ba0ba7df485871f6aac0c197ceef5b ]
Fix race in device-type detection introduced by commit 0eafe4de ("USB:
serial: mos7840: add support for MCS7810 devices") which used a static
variable to hold the device type.
Move type detection to probe and use serial data to store the device
type.
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/mos7840.c | 75 ++++++++++++++++++++----------------------
1 file changed, 35 insertions(+), 40 deletions(-)
diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
index 2e218ee..ed55ac0 100644
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -191,8 +191,6 @@ enum mos7840_flag {
MOS7840_FLAG_CTRL_BUSY,
};
-static int device_type;
-
static const struct usb_device_id id_table[] = {
{USB_DEVICE(USB_VENDOR_ID_MOSCHIP, MOSCHIP_DEVICE_ID_7840)},
{USB_DEVICE(USB_VENDOR_ID_MOSCHIP, MOSCHIP_DEVICE_ID_7820)},
@@ -893,18 +891,6 @@ static void mos7840_bulk_out_data_callback(struct urb *urb)
/************************************************************************/
/* D R I V E R T T Y I N T E R F A C E F U N C T I O N S */
/************************************************************************/
-#ifdef MCSSerialProbe
-static int mos7840_serial_probe(struct usb_serial *serial,
- const struct usb_device_id *id)
-{
-
- /*need to implement the mode_reg reading and updating\
- structures usb_serial_ device_type\
- (i.e num_ports, num_bulkin,bulkout etc) */
- /* Also we can update the changes attach */
- return 1;
-}
-#endif
/*****************************************************************************
* mos7840_open
@@ -2415,38 +2401,48 @@ static int mos7810_check(struct usb_serial *serial)
return 0;
}
-static int mos7840_calc_num_ports(struct usb_serial *serial)
+static int mos7840_probe(struct usb_serial *serial,
+ const struct usb_device_id *id)
{
- __u16 data = 0x00;
+ u16 product = serial->dev->descriptor.idProduct;
u8 *buf;
- int mos7840_num_ports;
+ int device_type;
+
+ if (product == MOSCHIP_DEVICE_ID_7810 ||
+ product == MOSCHIP_DEVICE_ID_7820) {
+ device_type = product;
+ goto out;
+ }
buf = kzalloc(VENDOR_READ_LENGTH, GFP_KERNEL);
- if (buf) {
- usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0),
+ if (!buf)
+ return -ENOMEM;
+
+ usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0),
MCS_RDREQ, MCS_RD_RTYPE, 0, GPIO_REGISTER, buf,
VENDOR_READ_LENGTH, MOS_WDR_TIMEOUT);
- data = *buf;
- kfree(buf);
- }
- if (serial->dev->descriptor.idProduct == MOSCHIP_DEVICE_ID_7810 ||
- serial->dev->descriptor.idProduct == MOSCHIP_DEVICE_ID_7820) {
- device_type = serial->dev->descriptor.idProduct;
- } else {
- /* For a MCS7840 device GPIO0 must be set to 1 */
- if ((data & 0x01) == 1)
- device_type = MOSCHIP_DEVICE_ID_7840;
- else if (mos7810_check(serial))
- device_type = MOSCHIP_DEVICE_ID_7810;
- else
- device_type = MOSCHIP_DEVICE_ID_7820;
- }
+ /* For a MCS7840 device GPIO0 must be set to 1 */
+ if (buf[0] & 0x01)
+ device_type = MOSCHIP_DEVICE_ID_7840;
+ else if (mos7810_check(serial))
+ device_type = MOSCHIP_DEVICE_ID_7810;
+ else
+ device_type = MOSCHIP_DEVICE_ID_7820;
+
+ kfree(buf);
+out:
+ usb_set_serial_data(serial, (void *)device_type);
+
+ return 0;
+}
+
+static int mos7840_calc_num_ports(struct usb_serial *serial)
+{
+ int device_type = (int)usb_get_serial_data(serial);
+ int mos7840_num_ports;
mos7840_num_ports = (device_type >> 4) & 0x000F;
- serial->num_bulk_in = mos7840_num_ports;
- serial->num_bulk_out = mos7840_num_ports;
- serial->num_ports = mos7840_num_ports;
return mos7840_num_ports;
}
@@ -2454,6 +2450,7 @@ static int mos7840_calc_num_ports(struct usb_serial *serial)
static int mos7840_port_probe(struct usb_serial_port *port)
{
struct usb_serial *serial = port->serial;
+ int device_type = (int)usb_get_serial_data(serial);
struct moschip_port *mos7840_port;
int status;
int pnum;
@@ -2744,9 +2741,7 @@ static struct usb_serial_driver moschip7840_4port_device = {
.throttle = mos7840_throttle,
.unthrottle = mos7840_unthrottle,
.calc_num_ports = mos7840_calc_num_ports,
-#ifdef MCSSerialProbe
- .probe = mos7840_serial_probe,
-#endif
+ .probe = mos7840_probe,
.ioctl = mos7840_ioctl,
.set_termios = mos7840_set_termios,
.break_ctl = mos7840_break,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [133/251] USB: mos7840: fix race in led handling
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (130 preceding siblings ...)
2013-09-11 4:29 ` [132/251] USB: mos7840: fix device-type detection Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [134/251] USB: mos7840: fix pointer casts Steven Rostedt
` (118 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Johan Hovold, Greg Kroah-Hartman
[-- Attachment #1: 0133-USB-mos7840-fix-race-in-led-handling.patch --]
[-- Type: text/plain, Size: 5768 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Johan Hovold <jhovold@gmail.com>
[ Upstream commit 05cf0dec5ccc696a7636c84b265b477173498156 ]
Fix race in LED handling introduced by commit 0eafe4de ("USB: serial:
mos7840: add support for MCS7810 devices") which reused the port control
urb for manipulating the LED without making sure that the urb is not
already in use. This could lead to the control urb being manipulated
while in flight.
Fix by adding a dedicated LED urb and ctrlrequest along with a LED-busy
flag to handle concurrency.
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/mos7840.c | 59 ++++++++++++++++++++++++++----------------
1 file changed, 37 insertions(+), 22 deletions(-)
diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
index ed55ac0..4e82a95 100644
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -189,6 +189,7 @@
enum mos7840_flag {
MOS7840_FLAG_CTRL_BUSY,
+ MOS7840_FLAG_LED_BUSY,
};
static const struct usb_device_id id_table[] = {
@@ -246,9 +247,10 @@ struct moschip_port {
/* For device(s) with LED indicator */
bool has_led;
- bool led_flag;
struct timer_list led_timer1; /* Timer for LED on */
struct timer_list led_timer2; /* Timer for LED off */
+ struct urb *led_urb;
+ struct usb_ctrlrequest *led_dr;
unsigned long flags;
};
@@ -583,7 +585,7 @@ static void mos7840_set_led_async(struct moschip_port *mcs, __u16 wval,
__u16 reg)
{
struct usb_device *dev = mcs->port->serial->dev;
- struct usb_ctrlrequest *dr = mcs->dr;
+ struct usb_ctrlrequest *dr = mcs->led_dr;
dr->bRequestType = MCS_WR_RTYPE;
dr->bRequest = MCS_WRREQ;
@@ -591,10 +593,10 @@ static void mos7840_set_led_async(struct moschip_port *mcs, __u16 wval,
dr->wIndex = cpu_to_le16(reg);
dr->wLength = cpu_to_le16(0);
- usb_fill_control_urb(mcs->control_urb, dev, usb_sndctrlpipe(dev, 0),
+ usb_fill_control_urb(mcs->led_urb, dev, usb_sndctrlpipe(dev, 0),
(unsigned char *)dr, NULL, 0, mos7840_set_led_callback, NULL);
- usb_submit_urb(mcs->control_urb, GFP_ATOMIC);
+ usb_submit_urb(mcs->led_urb, GFP_ATOMIC);
}
static void mos7840_set_led_sync(struct usb_serial_port *port, __u16 reg,
@@ -620,7 +622,19 @@ static void mos7840_led_flag_off(unsigned long arg)
{
struct moschip_port *mcs = (struct moschip_port *) arg;
- mcs->led_flag = false;
+ clear_bit_unlock(MOS7840_FLAG_LED_BUSY, &mcs->flags);
+}
+
+static void mos7840_led_activity(struct usb_serial_port *port)
+{
+ struct moschip_port *mos7840_port = usb_get_serial_port_data(port);
+
+ if (test_and_set_bit_lock(MOS7840_FLAG_LED_BUSY, &mos7840_port->flags))
+ return;
+
+ mos7840_set_led_async(mos7840_port, 0x0301, MODEM_CONTROL_REGISTER);
+ mod_timer(&mos7840_port->led_timer1,
+ jiffies + msecs_to_jiffies(LED_ON_MS));
}
/*****************************************************************************
@@ -830,14 +844,8 @@ static void mos7840_bulk_in_callback(struct urb *urb)
return;
}
- /* Turn on LED */
- if (mos7840_port->has_led && !mos7840_port->led_flag) {
- mos7840_port->led_flag = true;
- mos7840_set_led_async(mos7840_port, 0x0301,
- MODEM_CONTROL_REGISTER);
- mod_timer(&mos7840_port->led_timer1,
- jiffies + msecs_to_jiffies(LED_ON_MS));
- }
+ if (mos7840_port->has_led)
+ mos7840_led_activity(port);
mos7840_port->read_urb_busy = true;
retval = usb_submit_urb(mos7840_port->read_urb, GFP_ATOMIC);
@@ -1576,13 +1584,8 @@ static int mos7840_write(struct tty_struct *tty, struct usb_serial_port *port,
data1 = urb->transfer_buffer;
dbg("bulkout endpoint is %d", port->bulk_out_endpointAddress);
- /* Turn on LED */
- if (mos7840_port->has_led && !mos7840_port->led_flag) {
- mos7840_port->led_flag = true;
- mos7840_set_led_sync(port, MODEM_CONTROL_REGISTER, 0x0301);
- mod_timer(&mos7840_port->led_timer1,
- jiffies + msecs_to_jiffies(LED_ON_MS));
- }
+ if (mos7840_port->has_led)
+ mos7840_led_activity(port);
/* send it down the pipe */
status = usb_submit_urb(urb, GFP_ATOMIC);
@@ -2653,6 +2656,14 @@ static int mos7840_port_probe(struct usb_serial_port *port)
if (device_type == MOSCHIP_DEVICE_ID_7810) {
mos7840_port->has_led = true;
+ mos7840_port->led_urb = usb_alloc_urb(0, GFP_KERNEL);
+ mos7840_port->led_dr = kmalloc(sizeof(*mos7840_port->led_dr),
+ GFP_KERNEL);
+ if (!mos7840_port->led_urb || !mos7840_port->led_dr) {
+ status = -ENOMEM;
+ goto error;
+ }
+
init_timer(&mos7840_port->led_timer1);
mos7840_port->led_timer1.function = mos7840_led_off;
mos7840_port->led_timer1.expires =
@@ -2668,8 +2679,6 @@ static int mos7840_port_probe(struct usb_serial_port *port)
mos7840_port->led_timer2.data =
(unsigned long)mos7840_port;
- mos7840_port->led_flag = false;
-
/* Turn off LED */
mos7840_set_led_sync(port,
MODEM_CONTROL_REGISTER, 0x0300);
@@ -2695,6 +2704,8 @@ static int mos7840_port_probe(struct usb_serial_port *port)
}
return 0;
error:
+ kfree(mos7840_port->led_dr);
+ usb_free_urb(mos7840_port->led_urb);
kfree(mos7840_port->dr);
kfree(mos7840_port->ctrl_buf);
usb_free_urb(mos7840_port->control_urb);
@@ -2715,6 +2726,10 @@ static int mos7840_port_remove(struct usb_serial_port *port)
del_timer_sync(&mos7840_port->led_timer1);
del_timer_sync(&mos7840_port->led_timer2);
+
+ usb_kill_urb(mos7840_port->led_urb);
+ usb_free_urb(mos7840_port->led_urb);
+ kfree(mos7840_port->led_dr);
}
usb_kill_urb(mos7840_port->control_urb);
usb_free_urb(mos7840_port->control_urb);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [134/251] USB: mos7840: fix pointer casts
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (131 preceding siblings ...)
2013-09-11 4:29 ` [133/251] USB: mos7840: fix race in led handling Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [135/251] iwlwifi: add DELL SKU for 5150 HMC Steven Rostedt
` (117 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Johan Hovold, Greg Kroah-Hartman
[-- Attachment #1: 0134-USB-mos7840-fix-pointer-casts.patch --]
[-- Type: text/plain, Size: 1843 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Johan Hovold <jhovold@gmail.com>
[ Upstream commit 683a0e4d7971c3186dc4d429027debfe309129aa ]
Silence compiler warnings on 64-bit systems introduced by commit
05cf0dec ("USB: mos7840: fix race in led handling") which uses the
usb-serial data pointer to temporarily store the device type during
probe but failed to add the required casts.
[gregkh - change uintptr_t to unsigned long]
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/mos7840.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
index 4e82a95..ebb3429 100644
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -2435,14 +2435,14 @@ static int mos7840_probe(struct usb_serial *serial,
kfree(buf);
out:
- usb_set_serial_data(serial, (void *)device_type);
+ usb_set_serial_data(serial, (void *)(unsigned long)device_type);
return 0;
}
static int mos7840_calc_num_ports(struct usb_serial *serial)
{
- int device_type = (int)usb_get_serial_data(serial);
+ int device_type = (unsigned long)usb_get_serial_data(serial);
int mos7840_num_ports;
mos7840_num_ports = (device_type >> 4) & 0x000F;
@@ -2453,7 +2453,7 @@ static int mos7840_calc_num_ports(struct usb_serial *serial)
static int mos7840_port_probe(struct usb_serial_port *port)
{
struct usb_serial *serial = port->serial;
- int device_type = (int)usb_get_serial_data(serial);
+ int device_type = (unsigned long)usb_get_serial_data(serial);
struct moschip_port *mos7840_port;
int status;
int pnum;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [135/251] iwlwifi: add DELL SKU for 5150 HMC
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (132 preceding siblings ...)
2013-09-11 4:29 ` [134/251] USB: mos7840: fix pointer casts Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [136/251] ath9k_htc: do some initial hardware configuration Steven Rostedt
` (116 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Emmanuel Grumbach, Johannes Berg
[-- Attachment #1: 0135-iwlwifi-add-DELL-SKU-for-5150-HMC.patch --]
[-- Type: text/plain, Size: 1369 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
[ Upstream commit a1923f1d4723e5757cefdd60f7c7ab30e472007a ]
This SKU was missing in the list of supported devices
https://bugzilla.kernel.org/show_bug.cgi?id=60577
Cc: <stable@vger.kernel.org> [all versions]
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/iwlwifi/pcie/drv.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/iwlwifi/pcie/drv.c b/drivers/net/wireless/iwlwifi/pcie/drv.c
index f4c3500..71e887c 100644
--- a/drivers/net/wireless/iwlwifi/pcie/drv.c
+++ b/drivers/net/wireless/iwlwifi/pcie/drv.c
@@ -132,6 +132,7 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_card_ids) = {
{IWL_PCI_DEVICE(0x423C, 0x1306, iwl5150_abg_cfg)}, /* Half Mini Card */
{IWL_PCI_DEVICE(0x423C, 0x1221, iwl5150_agn_cfg)}, /* Mini Card */
{IWL_PCI_DEVICE(0x423C, 0x1321, iwl5150_agn_cfg)}, /* Half Mini Card */
+ {IWL_PCI_DEVICE(0x423C, 0x1326, iwl5150_abg_cfg)}, /* Half Mini Card */
{IWL_PCI_DEVICE(0x423D, 0x1211, iwl5150_agn_cfg)}, /* Mini Card */
{IWL_PCI_DEVICE(0x423D, 0x1311, iwl5150_agn_cfg)}, /* Half Mini Card */
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [136/251] ath9k_htc: do some initial hardware configuration
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (133 preceding siblings ...)
2013-09-11 4:29 ` [135/251] iwlwifi: add DELL SKU for 5150 HMC Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [137/251] nl80211: fix mgmt tx status and testmode reporting for netns Steven Rostedt
` (115 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Bo Shi, Oleksij Rempel, John W. Linville
[-- Attachment #1: 0136-ath9k_htc-do-some-initial-hardware-configuration.patch --]
[-- Type: text/plain, Size: 1551 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Oleksij Rempel <linux@rempel-privat.de>
[ Upstream commit dc2a87f519a4d8cb376ab54f22b6b98a943b51ce ]
Currently we configure harwdare and clock, only after
interface start. In this case, if we reload module or
reboot PC without configuring adapter, firmware will freeze.
There is no software way to reset adpter.
This patch add initial configuration and set it in
disabled state, to avoid this freeze. Behaviour of this patch
should be similar to: ifconfig wlan0 up; ifconfig wlan0 down.
Bug: https://github.com/qca/open-ath9k-htc-firmware/issues/1
Tested-by: Bo Shi <cnshibo@gmail.com>
Signed-off-by: Oleksij Rempel <linux@rempel-privat.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/ath/ath9k/htc_drv_init.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
index 01248b9..4303173 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
@@ -824,6 +824,7 @@ static int ath9k_init_device(struct ath9k_htc_priv *priv,
if (error != 0)
goto err_rx;
+ ath9k_hw_disable(priv->ah);
#ifdef CONFIG_MAC80211_LEDS
/* must be initialized before ieee80211_register_hw */
priv->led_cdev.default_trigger = ieee80211_create_tpt_led_trigger(priv->hw,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [137/251] nl80211: fix mgmt tx status and testmode reporting for netns
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (134 preceding siblings ...)
2013-09-11 4:29 ` [136/251] ath9k_htc: do some initial hardware configuration Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [138/251] mac80211: fix duplicate retransmission detection Steven Rostedt
` (114 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Michal Kazior, Johannes Berg
[-- Attachment #1: 0137-nl80211-fix-mgmt-tx-status-and-testmode-reporting-fo.patch --]
[-- Type: text/plain, Size: 1747 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Michal Kazior <michal.kazior@tieto.com>
[ Upstream commit a0ec570f4f69c4cb700d743a915096c2c8f56a99 ]
These two events were sent to the default network
namespace.
This caused AP mode in a non-default netns to not
work correctly. Mgmt tx status was multicasted to
a different (default) netns instead of the one the
AP was in.
Cc: stable@vger.kernel.org
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/wireless/nl80211.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 1e37dbf..79ad33d 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -5542,12 +5542,14 @@ EXPORT_SYMBOL(cfg80211_testmode_alloc_event_skb);
void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp)
{
+ struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
void *hdr = ((void **)skb->cb)[1];
struct nlattr *data = ((void **)skb->cb)[2];
nla_nest_end(skb, data);
genlmsg_end(skb, hdr);
- genlmsg_multicast(skb, 0, nl80211_testmode_mcgrp.id, gfp);
+ genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), skb, 0,
+ nl80211_testmode_mcgrp.id, gfp);
}
EXPORT_SYMBOL(cfg80211_testmode_event);
#endif
@@ -8378,7 +8380,8 @@ void nl80211_send_mgmt_tx_status(struct cfg80211_registered_device *rdev,
genlmsg_end(msg, hdr);
- genlmsg_multicast(msg, 0, nl80211_mlme_mcgrp.id, gfp);
+ genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
+ nl80211_mlme_mcgrp.id, gfp);
return;
nla_put_failure:
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [138/251] mac80211: fix duplicate retransmission detection
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (135 preceding siblings ...)
2013-09-11 4:29 ` [137/251] nl80211: fix mgmt tx status and testmode reporting for netns Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [139/251] mac80211: fix ethtool stats for non-station interfaces Steven Rostedt
` (113 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Johannes Berg
[-- Attachment #1: 0138-mac80211-fix-duplicate-retransmission-detection.patch --]
[-- Type: text/plain, Size: 1972 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 6b0f32745dcfba01d7be33acd1b40306c7a914c6 ]
The duplicate retransmission detection code in mac80211
erroneously attempts to do the check for every frame,
even frames that don't have a sequence control field or
that don't use it (QoS-Null frames.)
This is problematic because it causes the code to access
data beyond the end of the SKB and depending on the data
there will drop packets erroneously.
Correct the code to not do duplicate detection for such
frames.
I found this error while testing AP powersave, it lead
to retransmitted PS-Poll frames being dropped entirely
as the data beyond the end of the SKB was always zero.
Cc: stable@vger.kernel.org [all versions]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/mac80211/rx.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index bd11c1c..56515ef 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -805,8 +805,14 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
- /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */
- if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) {
+ /*
+ * Drop duplicate 802.11 retransmissions
+ * (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
+ */
+ if (rx->skb->len >= 24 && rx->sta &&
+ !ieee80211_is_ctl(hdr->frame_control) &&
+ !ieee80211_is_qos_nullfunc(hdr->frame_control) &&
+ !is_multicast_ether_addr(hdr->addr1)) {
if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
rx->sta->last_seq_ctrl[rx->seqno_idx] ==
hdr->seq_ctrl)) {
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [139/251] mac80211: fix ethtool stats for non-station interfaces
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (136 preceding siblings ...)
2013-09-11 4:29 ` [138/251] mac80211: fix duplicate retransmission detection Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [140/251] ixgbe: Fix Tx Hang issue with lldpad on 82598EB Steven Rostedt
` (112 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Johannes Berg
[-- Attachment #1: 0139-mac80211-fix-ethtool-stats-for-non-station-interface.patch --]
[-- Type: text/plain, Size: 1091 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes@sipsolutions.net>
[ Upstream commit e13bae4f807401729b3f27c7e882a96b8b292809 ]
As reported in https://bugzilla.kernel.org/show_bug.cgi?id=60514,
the station loop never initialises 'sinfo' and therefore adds up
a stack values, leaking stack information (the number of times it
adds values is easily obtained another way.)
Fix this by initialising the sinfo for each station to add.
Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/mac80211/cfg.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index bb8d96b..cf9523e 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -554,6 +554,8 @@ static void ieee80211_get_et_stats(struct wiphy *wiphy,
if (sta->sdata->dev != dev)
continue;
+ sinfo.filled = 0;
+ sta_set_sinfo(sta, &sinfo);
i = 0;
ADD_STA_STATS(sta);
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [140/251] ixgbe: Fix Tx Hang issue with lldpad on 82598EB
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (137 preceding siblings ...)
2013-09-11 4:29 ` [139/251] mac80211: fix ethtool stats for non-station interfaces Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [141/251] Bluetooth: ath3k: dont use stack memory for DMA Steven Rostedt
` (111 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jacob Keller, Phil Schmitt, Jack Morgan, Jeff Kirsher, David S. Miller
[-- Attachment #1: 0140-ixgbe-Fix-Tx-Hang-issue-with-lldpad-on-82598EB.patch --]
[-- Type: text/plain, Size: 1543 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jacob Keller <jacob.e.keller@intel.com>
[ Upstream commit 1eb9ac14c34a948bf1538bfb9034e8ab29099a64 ]
This patch fixes an issue with the 82598EB device, where lldpad is causing Tx
Hangs on the card as soon as it attempts to configure DCB for the device. The
adapter will continually Tx hang and reset in a loop.
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Cc: Stable <stable@vger.kernel.org>
Tested-by: Phil Schmitt <phillip.j.schmitt@intel.com>
Tested-by: Jack Morgan <jack.morgan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_82598.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_82598.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_82598.c
index 87592b4..b3c05de 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_82598.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_82598.c
@@ -108,9 +108,8 @@ s32 ixgbe_dcb_config_tx_desc_arbiter_82598(struct ixgbe_hw *hw,
/* Enable arbiter */
reg &= ~IXGBE_DPMCS_ARBDIS;
- /* Enable DFP and Recycle mode */
- reg |= (IXGBE_DPMCS_TDPAC | IXGBE_DPMCS_TRM);
reg |= IXGBE_DPMCS_TSOEF;
+
/* Configure Max TSO packet size 34KB including payload and headers */
reg |= (0x4 << IXGBE_DPMCS_MTSOS_SHIFT);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [141/251] Bluetooth: ath3k: dont use stack memory for DMA
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (138 preceding siblings ...)
2013-09-11 4:29 ` [140/251] ixgbe: Fix Tx Hang issue with lldpad on 82598EB Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [142/251] Bluetooth: Add support for Mediatek Bluetooth device [0e8d:763f] Steven Rostedt
` (110 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Stanislaw Gruszka, Gustavo Padovan
[-- Attachment #1: 0141-Bluetooth-ath3k-don-t-use-stack-memory-for-DMA.patch --]
[-- Type: text/plain, Size: 2294 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <sgruszka@redhat.com>
[ Upstream commit 517828a87994f41af6ae5a0f96f0f069f05baa81 ]
Memory allocated by vmalloc (including stack) can not be used for DMA,
i.e. data pointer on usb_control_msg() should not point to stack memory.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=977558
Reported-and-tested-by: Andy Lawrence <dr.diesel@gmail.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/bluetooth/ath3k.c | 38 +++++++++++++++++++++++++++++---------
1 file changed, 29 insertions(+), 9 deletions(-)
diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
index b0395b0..e224a48 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -176,24 +176,44 @@ error:
static int ath3k_get_state(struct usb_device *udev, unsigned char *state)
{
- int pipe = 0;
+ int ret, pipe = 0;
+ char *buf;
+
+ buf = kmalloc(sizeof(*buf), GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
pipe = usb_rcvctrlpipe(udev, 0);
- return usb_control_msg(udev, pipe, ATH3K_GETSTATE,
- USB_TYPE_VENDOR | USB_DIR_IN, 0, 0,
- state, 0x01, USB_CTRL_SET_TIMEOUT);
+ ret = usb_control_msg(udev, pipe, ATH3K_GETSTATE,
+ USB_TYPE_VENDOR | USB_DIR_IN, 0, 0,
+ buf, sizeof(*buf), USB_CTRL_SET_TIMEOUT);
+
+ *state = *buf;
+ kfree(buf);
+
+ return ret;
}
static int ath3k_get_version(struct usb_device *udev,
struct ath3k_version *version)
{
- int pipe = 0;
+ int ret, pipe = 0;
+ struct ath3k_version *buf;
+ const int size = sizeof(*buf);
+
+ buf = kmalloc(size, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
pipe = usb_rcvctrlpipe(udev, 0);
- return usb_control_msg(udev, pipe, ATH3K_GETVERSION,
- USB_TYPE_VENDOR | USB_DIR_IN, 0, 0, version,
- sizeof(struct ath3k_version),
- USB_CTRL_SET_TIMEOUT);
+ ret = usb_control_msg(udev, pipe, ATH3K_GETVERSION,
+ USB_TYPE_VENDOR | USB_DIR_IN, 0, 0,
+ buf, size, USB_CTRL_SET_TIMEOUT);
+
+ memcpy(version, buf, size);
+ kfree(buf);
+
+ return ret;
}
static int ath3k_load_fwfile(struct usb_device *udev,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [142/251] Bluetooth: Add support for Mediatek Bluetooth device [0e8d:763f]
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (139 preceding siblings ...)
2013-09-11 4:29 ` [141/251] Bluetooth: ath3k: dont use stack memory for DMA Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [143/251] rt2x00: fix stop queue Steven Rostedt
` (109 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Cho, Yu-Chen, Gustavo Padovan, John W. Linville
[-- Attachment #1: 0142-Bluetooth-Add-support-for-Mediatek-Bluetooth-device-.patch --]
[-- Type: text/plain, Size: 2681 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "Cho, Yu-Chen" <acho@suse.com>
[ Upstream commit 178c059e7640aa8e50213400c6f3dde00189d979 ]
This patch adds support for Mediatek Bluetooth device
T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.01 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0e8d ProdID=763f Rev= 1.00
S: Manufacturer=MediaTek
S: Product=BT
S: SerialNumber=1.0
C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=450mA
A: FirstIf#= 0 IfCount= 2 Cls=ff(vend.) Sub=ff Prot=ff
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=125us
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=125us
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
I: If#= 1 Alt= 6 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms
Signed-off-by: Cho, Yu-Chen <acho@suse.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/bluetooth/btusb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 30ac56b..2d139a6 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -55,6 +55,9 @@ static struct usb_device_id btusb_table[] = {
/* Apple-specific (Broadcom) devices */
{ USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) },
+ /* MediaTek MT76x0E */
+ { USB_DEVICE(0x0e8d, 0x763f) },
+
/* Broadcom SoftSailing reporting vendor specific */
{ USB_DEVICE(0x0a5c, 0x21e1) },
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [143/251] rt2x00: fix stop queue
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (140 preceding siblings ...)
2013-09-11 4:29 ` [142/251] Bluetooth: Add support for Mediatek Bluetooth device [0e8d:763f] Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [144/251] mwifiex: Add missing endian conversion Steven Rostedt
` (108 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Stanislaw Gruszka, John W. Linville
[-- Attachment #1: 0143-rt2x00-fix-stop-queue.patch --]
[-- Type: text/plain, Size: 2593 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <stf_xl@wp.pl>
[ Upstream commit e2288b66fe7ff0288382b2af671b4da558b44472 ]
Since we clear QUEUE_STARTED in rt2x00queue_stop_queue(), following
call to rt2x00queue_pause_queue() reduce to noop, i.e we do not
stop queue in mac80211.
To fix that introduce rt2x00queue_pause_queue_nocheck() function,
which will stop queue in mac80211 directly.
Note that rt2x00_start_queue() explicitly set QUEUE_PAUSED bit.
Note also that reordering operations i.e. first call to
rt2x00queue_pause_queue() and then clear QUEUE_STARTED bit, will race
with rt2x00queue_unpause_queue(), so calling ieee80211_stop_queue()
directly is the only available solution to fix the problem without
major rework.
Cc: stable@vger.kernel.org
Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/rt2x00/rt2x00queue.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
index f7e74a0..cff62c0 100644
--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
@@ -875,13 +875,8 @@ void rt2x00queue_index_inc(struct queue_entry *entry, enum queue_index index)
spin_unlock_irqrestore(&queue->index_lock, irqflags);
}
-void rt2x00queue_pause_queue(struct data_queue *queue)
+void rt2x00queue_pause_queue_nocheck(struct data_queue *queue)
{
- if (!test_bit(DEVICE_STATE_PRESENT, &queue->rt2x00dev->flags) ||
- !test_bit(QUEUE_STARTED, &queue->flags) ||
- test_and_set_bit(QUEUE_PAUSED, &queue->flags))
- return;
-
switch (queue->qid) {
case QID_AC_VO:
case QID_AC_VI:
@@ -897,6 +892,15 @@ void rt2x00queue_pause_queue(struct data_queue *queue)
break;
}
}
+void rt2x00queue_pause_queue(struct data_queue *queue)
+{
+ if (!test_bit(DEVICE_STATE_PRESENT, &queue->rt2x00dev->flags) ||
+ !test_bit(QUEUE_STARTED, &queue->flags) ||
+ test_and_set_bit(QUEUE_PAUSED, &queue->flags))
+ return;
+
+ rt2x00queue_pause_queue_nocheck(queue);
+}
EXPORT_SYMBOL_GPL(rt2x00queue_pause_queue);
void rt2x00queue_unpause_queue(struct data_queue *queue)
@@ -958,7 +962,7 @@ void rt2x00queue_stop_queue(struct data_queue *queue)
return;
}
- rt2x00queue_pause_queue(queue);
+ rt2x00queue_pause_queue_nocheck(queue);
queue->rt2x00dev->ops->lib->stop_queue(queue);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [144/251] mwifiex: Add missing endian conversion.
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (141 preceding siblings ...)
2013-09-11 4:29 ` [143/251] rt2x00: fix stop queue Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [145/251] zram: avoid invalid memory access in zram_exit() Steven Rostedt
` (107 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Tomasz Moń, Bing Zhao, John W. Linville
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: 0144-mwifiex-Add-missing-endian-conversion.patch --]
[-- Type: text/plain, Size: 1311 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: =?UTF-8?q?Tomasz=20Mo=C5=84?= <desowin@gmail.com>
[ Upstream commit 83e612f632c3897be29ef02e0472f6d63e258378 ]
Both type and pkt_len variables are in host endian and these should be in
Little Endian in the payload.
Signed-off-by: Tomasz Moń <desowin@gmail.com>
Acked-by: Bing Zhao <bzhao@marvell.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/mwifiex/sdio.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mwifiex/sdio.c b/drivers/net/wireless/mwifiex/sdio.c
index 82cf0fa..821d9d2 100644
--- a/drivers/net/wireless/mwifiex/sdio.c
+++ b/drivers/net/wireless/mwifiex/sdio.c
@@ -1455,8 +1455,8 @@ static int mwifiex_sdio_host_to_card(struct mwifiex_adapter *adapter,
/* Allocate buffer and copy payload */
blk_size = MWIFIEX_SDIO_BLOCK_SIZE;
buf_block_len = (pkt_len + blk_size - 1) / blk_size;
- *(u16 *) &payload[0] = (u16) pkt_len;
- *(u16 *) &payload[2] = type;
+ *(__le16 *)&payload[0] = cpu_to_le16((u16)pkt_len);
+ *(__le16 *)&payload[2] = cpu_to_le16(type);
/*
* This is SDIO specific header
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [145/251] zram: avoid invalid memory access in zram_exit()
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (142 preceding siblings ...)
2013-09-11 4:29 ` [144/251] mwifiex: Add missing endian conversion Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [146/251] zram: use zram->lock to protect zram_free_page() in swap free notify path Steven Rostedt
` (106 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jiang Liu, Greg Kroah-Hartman
[-- Attachment #1: 0145-zram-avoid-invalid-memory-access-in-zram_exit.patch --]
[-- Type: text/plain, Size: 1398 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jiang Liu <liuj97@gmail.com>
[ Upstream commit 6030ea9b35971a4200062f010341ab832e878ac9 ]
Memory for zram->disk object may have already been freed after returning
from destroy_device(zram), then it's unsafe for zram_reset_device(zram)
to access zram->disk again.
We can't solve this bug by flipping the order of destroy_device(zram)
and zram_reset_device(zram), that will cause deadlock issues to the
zram sysfs handler.
So fix it by holding an extra reference to zram->disk before calling
destroy_device(zram).
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/staging/zram/zram_drv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
index 6edefde..38a1b44 100644
--- a/drivers/staging/zram/zram_drv.c
+++ b/drivers/staging/zram/zram_drv.c
@@ -771,9 +771,11 @@ static void __exit zram_exit(void)
for (i = 0; i < num_devices; i++) {
zram = &zram_devices[i];
+ get_disk(zram->disk);
destroy_device(zram);
if (zram->init_done)
zram_reset_device(zram);
+ put_disk(zram->disk);
}
unregister_blkdev(zram_major, "zram");
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [146/251] zram: use zram->lock to protect zram_free_page() in swap free notify path
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (143 preceding siblings ...)
2013-09-11 4:29 ` [145/251] zram: avoid invalid memory access in zram_exit() Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 8:42 ` Luis Henriques
2013-09-11 4:29 ` [147/251] zram: destroy all devices on error recovery path in zram_init() Steven Rostedt
` (105 subsequent siblings)
250 siblings, 1 reply; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jiang Liu, Greg Kroah-Hartman
[-- Attachment #1: 0146-zram-use-zram-lock-to-protect-zram_free_page-in-swap.patch --]
[-- Type: text/plain, Size: 2281 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jiang Liu <liuj97@gmail.com>
[ Upstream commit 57ab048532c0d975538cebd4456491b5c34248f4 ]
zram_slot_free_notify() is free-running without any protection from
concurrent operations. So there are race conditions between
zram_bvec_read()/zram_bvec_write() and zram_slot_free_notify(),
and possible consequences include:
1) Trigger BUG_ON(!handle) on zram_bvec_write() side.
2) Access to freed pages on zram_bvec_read() side.
3) Break some fields (bad_compress, good_compress, pages_stored)
in zram->stats if the swap layer makes concurrently call to
zram_slot_free_notify().
So enhance zram_slot_free_notify() to acquire writer lock on zram->lock
before calling zram_free_page().
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/staging/zram/zram_drv.c | 2 ++
drivers/staging/zram/zram_drv.h | 5 +++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
index 38a1b44..4322baf 100644
--- a/drivers/staging/zram/zram_drv.c
+++ b/drivers/staging/zram/zram_drv.c
@@ -622,7 +622,9 @@ static void zram_slot_free_notify(struct block_device *bdev,
struct zram *zram;
zram = bdev->bd_disk->private_data;
+ down_write(&zram->lock);
zram_free_page(zram, index);
+ up_write(&zram->lock);
zram_stat64_inc(zram, &zram->stats.notify_free);
}
diff --git a/drivers/staging/zram/zram_drv.h b/drivers/staging/zram/zram_drv.h
index 572c0b1..a6eb5d9 100644
--- a/drivers/staging/zram/zram_drv.h
+++ b/drivers/staging/zram/zram_drv.h
@@ -92,8 +92,9 @@ struct zram {
void *compress_buffer;
struct table *table;
spinlock_t stat64_lock; /* protect 64-bit stats */
- struct rw_semaphore lock; /* protect compression buffers and table
- * against concurrent read and writes */
+ struct rw_semaphore lock; /* protect compression buffers, table,
+ * 32bit stat counters against concurrent
+ * notifications, reads and writes */
struct request_queue *queue;
struct gendisk *disk;
int init_done;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [147/251] zram: destroy all devices on error recovery path in zram_init()
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (144 preceding siblings ...)
2013-09-11 4:29 ` [146/251] zram: use zram->lock to protect zram_free_page() in swap free notify path Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [148/251] zram: avoid double free in function zram_bvec_write() Steven Rostedt
` (104 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jiang Liu, Minchan Kim, Jerome Marchand, Greg Kroah-Hartman
[-- Attachment #1: 0147-zram-destroy-all-devices-on-error-recovery-path-in-z.patch --]
[-- Type: text/plain, Size: 2164 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jiang Liu <liuj97@gmail.com>
[ Upstream commit 39a9b8ac9333e4268ecff7da6c9d1ab3823ff243 ]
On error recovery path of zram_init(), it leaks the zram device object
causing the failure. So change create_device() to free allocated
resources on error path.
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
Acked-by: Minchan Kim <minchan@kernel.org>
Acked-by: Jerome Marchand <jmarchan@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/staging/zram/zram_drv.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
index 4322baf..5047bfe 100644
--- a/drivers/staging/zram/zram_drv.c
+++ b/drivers/staging/zram/zram_drv.c
@@ -635,7 +635,7 @@ static const struct block_device_operations zram_devops = {
static int create_device(struct zram *zram, int device_id)
{
- int ret = 0;
+ int ret = -ENOMEM;
init_rwsem(&zram->lock);
init_rwsem(&zram->init_lock);
@@ -645,7 +645,6 @@ static int create_device(struct zram *zram, int device_id)
if (!zram->queue) {
pr_err("Error allocating disk queue for device %d\n",
device_id);
- ret = -ENOMEM;
goto out;
}
@@ -655,11 +654,9 @@ static int create_device(struct zram *zram, int device_id)
/* gendisk structure */
zram->disk = alloc_disk(1);
if (!zram->disk) {
- blk_cleanup_queue(zram->queue);
pr_warn("Error allocating disk structure for device %d\n",
device_id);
- ret = -ENOMEM;
- goto out;
+ goto out_free_queue;
}
zram->disk->major = zram_major;
@@ -688,11 +685,17 @@ static int create_device(struct zram *zram, int device_id)
&zram_disk_attr_group);
if (ret < 0) {
pr_warn("Error creating sysfs group");
- goto out;
+ goto out_free_disk;
}
zram->init_done = 0;
+ return 0;
+out_free_disk:
+ del_gendisk(zram->disk);
+ put_disk(zram->disk);
+out_free_queue:
+ blk_cleanup_queue(zram->queue);
out:
return ret;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [148/251] zram: avoid double free in function zram_bvec_write()
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (145 preceding siblings ...)
2013-09-11 4:29 ` [147/251] zram: destroy all devices on error recovery path in zram_init() Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [149/251] zram: avoid access beyond the zram device Steven Rostedt
` (103 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jiang Liu, Minchan Kim, Greg Kroah-Hartman
[-- Attachment #1: 0148-zram-avoid-double-free-in-function-zram_bvec_write.patch --]
[-- Type: text/plain, Size: 1132 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jiang Liu <liuj97@gmail.com>
[ Upstream commit 65c484609a3b25c35e4edcd5f2c38f98f5226093 ]
When doing a patial write and the whole page is filled with zero,
zram_bvec_write() will free uncmem twice.
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
Acked-by: Minchan Kim <minchan@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/staging/zram/zram_drv.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
index 5047bfe..35b6a44 100644
--- a/drivers/staging/zram/zram_drv.c
+++ b/drivers/staging/zram/zram_drv.c
@@ -327,8 +327,6 @@ static int zram_bvec_write(struct zram *zram, struct bio_vec *bvec, u32 index,
if (page_zero_filled(uncmem)) {
kunmap_atomic(user_mem);
- if (is_partial_io(bvec))
- kfree(uncmem);
zram_stat_inc(&zram->stats.pages_zero);
zram_set_flag(zram, index, ZRAM_ZERO);
ret = 0;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [149/251] zram: avoid access beyond the zram device
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (146 preceding siblings ...)
2013-09-11 4:29 ` [148/251] zram: avoid double free in function zram_bvec_write() Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [150/251] zram: protect sysfs handler from invalid memory access Steven Rostedt
` (102 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jiang Liu, Greg Kroah-Hartman
[-- Attachment #1: 0149-zram-avoid-access-beyond-the-zram-device.patch --]
[-- Type: text/plain, Size: 1835 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jiang Liu <liuj97@gmail.com>
[ Upstream commit 12a7ad3b810e77137d0caf97a6dd97591e075b30 ]
Function valid_io_request() should verify the entire request are within
the zram device address range. Otherwise it may cause invalid memory
access when accessing/modifying zram->meta->table[index] because the
'index' is out of range. Then it may access non-exist memory, randomly
modify memory belong to other subsystems, which is hard to track down.
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/staging/zram/zram_drv.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
index 35b6a44..3a79d70 100644
--- a/drivers/staging/zram/zram_drv.c
+++ b/drivers/staging/zram/zram_drv.c
@@ -466,13 +466,20 @@ out:
*/
static inline int valid_io_request(struct zram *zram, struct bio *bio)
{
- if (unlikely(
- (bio->bi_sector >= (zram->disksize >> SECTOR_SHIFT)) ||
- (bio->bi_sector & (ZRAM_SECTOR_PER_LOGICAL_BLOCK - 1)) ||
- (bio->bi_size & (ZRAM_LOGICAL_BLOCK_SIZE - 1)))) {
+ u64 start, end, bound;
+ /* unaligned request */
+ if (unlikely(bio->bi_sector & (ZRAM_SECTOR_PER_LOGICAL_BLOCK - 1)))
+ return 0;
+ if (unlikely(bio->bi_size & (ZRAM_LOGICAL_BLOCK_SIZE - 1)))
+ return 0;
+
+ start = bio->bi_sector;
+ end = start + (bio->bi_size >> SECTOR_SHIFT);
+ bound = zram->disksize >> SECTOR_SHIFT;
+ /* out of range range */
+ if (unlikely(start >= bound || end >= bound || start > end))
return 0;
- }
/* I/O request is valid */
return 1;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [150/251] zram: protect sysfs handler from invalid memory access
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (147 preceding siblings ...)
2013-09-11 4:29 ` [149/251] zram: avoid access beyond the zram device Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [151/251] ACPI / battery: Fix parsing _BIX return value Steven Rostedt
` (101 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jiang Liu, Minchan Kim, Greg Kroah-Hartman
[-- Attachment #1: 0150-zram-protect-sysfs-handler-from-invalid-memory-acces.patch --]
[-- Type: text/plain, Size: 1337 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jiang Liu <liuj97@gmail.com>
[ Upstream commit 5863e10b441e7ea4b492f930f1be180a97d026f3 ]
Use zram->init_lock to protect access to zram->meta, otherwise it
may cause invalid memory access if zram->meta has been freed by
zram_reset_device().
This issue may be triggered by:
Thread 1:
while true; do cat mem_used_total; done
Thread 2:
while true; do echo 8M > disksize; echo 1 > reset; done
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
Acked-by: Minchan Kim <minchan@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/staging/zram/zram_sysfs.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/staging/zram/zram_sysfs.c b/drivers/staging/zram/zram_sysfs.c
index edb0ed4..5e07628 100644
--- a/drivers/staging/zram/zram_sysfs.c
+++ b/drivers/staging/zram/zram_sysfs.c
@@ -186,8 +186,10 @@ static ssize_t mem_used_total_show(struct device *dev,
u64 val = 0;
struct zram *zram = dev_to_zram(dev);
+ down_read(&zram->init_lock);
if (zram->init_done)
val = zs_get_total_size_bytes(zram->mem_pool);
+ up_read(&zram->init_lock);
return sprintf(buf, "%llu\n", val);
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [151/251] ACPI / battery: Fix parsing _BIX return value
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (148 preceding siblings ...)
2013-09-11 4:29 ` [150/251] zram: protect sysfs handler from invalid memory access Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [152/251] fanotify: info leak in copy_event_to_user() Steven Rostedt
` (100 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Lan Tianyu, Rafael J. Wysocki
[-- Attachment #1: 0151-ACPI-battery-Fix-parsing-_BIX-return-value.patch --]
[-- Type: text/plain, Size: 1855 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Lan Tianyu <tianyu.lan@intel.com>
[ Upstream commit 016d5baad04269e8559332df05f89bd95b52d6ad ]
The _BIX method returns extended battery info as a package.
According the ACPI spec (ACPI 5, Section 10.2.2.2), the first member
of that package should be "Revision". However, the current ACPI
battery driver treats the first member as "Power Unit" which should
be the second member. This causes the result of _BIX return data
parsing to be incorrect.
Fix this by adding a new member called 'revision' to struct
acpi_battery and adding the offsetof() information on it to
extended_info_offsets[] as the first row.
[rjw: Changelog]
Reported-and-tested-by: Jan Hoffmann <jan.christian.hoffmann@gmail.com>
References: http://bugzilla.kernel.org/show_bug.cgi?id=60519
Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
Cc: 2.6.34+ <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/acpi/battery.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
index 7efaeaa..7663df7 100644
--- a/drivers/acpi/battery.c
+++ b/drivers/acpi/battery.c
@@ -117,6 +117,7 @@ struct acpi_battery {
struct acpi_device *device;
struct notifier_block pm_nb;
unsigned long update_time;
+ int revision;
int rate_now;
int capacity_now;
int voltage_now;
@@ -359,6 +360,7 @@ static struct acpi_offsets info_offsets[] = {
};
static struct acpi_offsets extended_info_offsets[] = {
+ {offsetof(struct acpi_battery, revision), 0},
{offsetof(struct acpi_battery, power_unit), 0},
{offsetof(struct acpi_battery, design_capacity), 0},
{offsetof(struct acpi_battery, full_charge_capacity), 0},
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [152/251] fanotify: info leak in copy_event_to_user()
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (149 preceding siblings ...)
2013-09-11 4:29 ` [151/251] ACPI / battery: Fix parsing _BIX return value Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [153/251] cgroup: fix umount vs cgroup_cfts_commit() race Steven Rostedt
` (99 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Dan Carpenter, Eric Paris, Al Viro, Andrew Morton
[-- Attachment #1: 0152-fanotify-info-leak-in-copy_event_to_user.patch --]
[-- Type: text/plain, Size: 1296 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit de1e0c40aceb9d5bff09c3a3b97b2f1b178af53f ]
The ->reserved field isn't cleared so we leak one byte of stack
information to userspace.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Eric Paris <eparis@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/notify/fanotify/fanotify_user.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index d438036..b670659 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -116,6 +116,7 @@ static int fill_event_metadata(struct fsnotify_group *group,
metadata->event_len = FAN_EVENT_METADATA_LEN;
metadata->metadata_len = FAN_EVENT_METADATA_LEN;
metadata->vers = FANOTIFY_METADATA_VERSION;
+ metadata->reserved = 0;
metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS;
metadata->pid = pid_vnr(event->tgid);
if (unlikely(event->mask & FAN_Q_OVERFLOW))
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [153/251] cgroup: fix umount vs cgroup_cfts_commit() race
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (150 preceding siblings ...)
2013-09-11 4:29 ` [152/251] fanotify: info leak in copy_event_to_user() Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [154/251] x86, fpu: correct the asm constraints for fxsave, unbreak mxcsr.daz Steven Rostedt
` (98 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Li Zefan, Tejun Heo
[-- Attachment #1: 0153-cgroup-fix-umount-vs-cgroup_cfts_commit-race.patch --]
[-- Type: text/plain, Size: 1886 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Li Zefan <lizefan@huawei.com>
[ Upstream commit 084457f284abf6789d90509ee11dae383842b23b ]
cgroup_cfts_commit() uses dget() to keep cgroup alive after cgroup_mutex
is dropped, but dget() won't prevent cgroupfs from being umounted. When
the race happens, vfs will see some dentries with non-zero refcnt while
umount is in process.
Keep running this:
mount -t cgroup -o blkio xxx /cgroup
umount /cgroup
And this:
modprobe cfq-iosched
rmmod cfs-iosched
After a while, the BUG() in shrink_dcache_for_umount_subtree() may
be triggered:
BUG: Dentry xxx{i=0,n=blkio.yyy} still in use (1) [umount of cgroup cgroup]
Signed-off-by: Li Zefan <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
kernel/cgroup.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 9cf9102..79e528f 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2761,13 +2761,17 @@ static void cgroup_cfts_commit(struct cgroup_subsys *ss,
{
LIST_HEAD(pending);
struct cgroup *cgrp, *n;
+ struct super_block *sb = ss->root->sb;
/* %NULL @cfts indicates abort and don't bother if @ss isn't attached */
- if (cfts && ss->root != &rootnode) {
+ if (cfts && ss->root != &rootnode &&
+ atomic_inc_not_zero(&sb->s_active)) {
list_for_each_entry(cgrp, &ss->root->allcg_list, allcg_node) {
dget(cgrp->dentry);
list_add_tail(&cgrp->cft_q_node, &pending);
}
+ } else {
+ sb = NULL;
}
mutex_unlock(&cgroup_mutex);
@@ -2790,6 +2794,9 @@ static void cgroup_cfts_commit(struct cgroup_subsys *ss,
dput(cgrp->dentry);
}
+ if (sb)
+ deactivate_super(sb);
+
mutex_unlock(&cgroup_cft_mutex);
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [154/251] x86, fpu: correct the asm constraints for fxsave, unbreak mxcsr.daz
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (151 preceding siblings ...)
2013-09-11 4:29 ` [153/251] cgroup: fix umount vs cgroup_cfts_commit() race Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [155/251] userns: limit the maximum depth of user_namespace->parent chain Steven Rostedt
` (97 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: H. Peter Anvin
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: 0154-x86-fpu-correct-the-asm-constraints-for-fxsave-unbre.patch --]
[-- Type: text/plain, Size: 1496 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "H.J. Lu" <hjl.tools@gmail.com>
[ Upstream commit eaa5a990191d204ba0f9d35dbe5505ec2cdd1460 ]
GCC will optimize mxcsr_feature_mask_init in arch/x86/kernel/i387.c:
memset(&fx_scratch, 0, sizeof(struct i387_fxsave_struct));
asm volatile("fxsave %0" : : "m" (fx_scratch));
mask = fx_scratch.mxcsr_mask;
if (mask == 0)
mask = 0x0000ffbf;
to
memset(&fx_scratch, 0, sizeof(struct i387_fxsave_struct));
asm volatile("fxsave %0" : : "m" (fx_scratch));
mask = 0x0000ffbf;
since asm statement doesn’t say it will update fx_scratch. As the
result, the DAZ bit will be cleared. This patch fixes it. This bug
dates back to at least kernel 2.6.12.
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/x86/kernel/i387.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c
index f250431..6c5a7dc 100644
--- a/arch/x86/kernel/i387.c
+++ b/arch/x86/kernel/i387.c
@@ -132,7 +132,7 @@ static void __cpuinit mxcsr_feature_mask_init(void)
clts();
if (cpu_has_fxsr) {
memset(&fx_scratch, 0, sizeof(struct i387_fxsave_struct));
- asm volatile("fxsave %0" : : "m" (fx_scratch));
+ asm volatile("fxsave %0" : "+m" (fx_scratch));
mask = fx_scratch.mxcsr_mask;
if (mask == 0)
mask = 0x0000ffbf;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [155/251] userns: limit the maximum depth of user_namespace->parent chain
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (152 preceding siblings ...)
2013-09-11 4:29 ` [154/251] x86, fpu: correct the asm constraints for fxsave, unbreak mxcsr.daz Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [156/251] x86/iommu/vt-d: Expand interrupt remapping quirk to cover x58 chipset Steven Rostedt
` (96 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Andy Lutomirski, Oleg Nesterov
[-- Attachment #1: 0155-userns-limit-the-maximum-depth-of-user_namespace-par.patch --]
[-- Type: text/plain, Size: 1658 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
[ Upstream commit 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 ]
Ensure that user_namespace->parent chain can't grow too much.
Currently we use the hardroded 32 as limit.
Reported-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
include/linux/user_namespace.h | 1 +
kernel/user_namespace.c | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 4e72922..4eea4ce 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -22,6 +22,7 @@ struct user_namespace {
struct uid_gid_map gid_map;
struct kref kref;
struct user_namespace *parent;
+ int level;
kuid_t owner;
kgid_t group;
};
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index a74dc5b..5242e83 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -39,6 +39,9 @@ int create_user_ns(struct cred *new)
kuid_t owner = new->euid;
kgid_t group = new->egid;
+ if (parent_ns->level > 32)
+ return -EUSERS;
+
/*
* Verify that we can not violate the policy of which files
* may be accessed that is specified by the root directory,
@@ -62,6 +65,7 @@ int create_user_ns(struct cred *new)
kref_init(&ns->kref);
ns->parent = parent_ns;
+ ns->level = parent_ns->level + 1;
ns->owner = owner;
ns->group = group;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [156/251] x86/iommu/vt-d: Expand interrupt remapping quirk to cover x58 chipset
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (153 preceding siblings ...)
2013-09-11 4:29 ` [155/251] userns: limit the maximum depth of user_namespace->parent chain Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [157/251] arcnet: cleanup sizeof parameter Steven Rostedt
` (95 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Neil Horman, Jan Beulich, Donald Dutile, Joerg Roedel,
Andrew Cooper, Malcolm Crossley, Prarit Bhargava, Don Zickus,
Ingo Molnar
[-- Attachment #1: 0156-x86-iommu-vt-d-Expand-interrupt-remapping-quirk-to-c.patch --]
[-- Type: text/plain, Size: 3147 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Neil Horman <nhorman@tuxdriver.com>
[ Upstream commit 803075dba31c17af110e1d9a915fe7262165b213 ]
Recently we added an early quirk to detect 5500/5520 chipsets
with early revisions that had problems with irq draining with
interrupt remapping enabled:
commit 03bbcb2e7e292838bb0244f5a7816d194c911d62
Author: Neil Horman <nhorman@tuxdriver.com>
Date: Tue Apr 16 16:38:32 2013 -0400
iommu/vt-d: add quirk for broken interrupt remapping on 55XX chipsets
It turns out this same problem is present in the intel X58
chipset as well. See errata 69 here:
http://www.intel.com/content/www/us/en/chipsets/x58-express-specification-update.html
This patch extends the pci early quirk so that the chip
devices/revisions specified in the above update are also covered
in the same way:
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Donald Dutile <ddutile@redhat.com>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Malcolm Crossley <malcolm.crossley@citrix.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Cc: Don Zickus <dzickus@redhat.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/1374059639-8631-1-git-send-email-nhorman@tuxdriver.com
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
[ Small edits. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
arch/x86/kernel/early-quirks.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/early-quirks.c b/arch/x86/kernel/early-quirks.c
index 94ab6b9..63bdb29 100644
--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -196,15 +196,23 @@ static void __init ati_bugs_contd(int num, int slot, int func)
static void __init intel_remapping_check(int num, int slot, int func)
{
u8 revision;
+ u16 device;
+ device = read_pci_config_16(num, slot, func, PCI_DEVICE_ID);
revision = read_pci_config_byte(num, slot, func, PCI_REVISION_ID);
/*
- * Revision 0x13 of this chipset supports irq remapping
- * but has an erratum that breaks its behavior, flag it as such
+ * Revision 13 of all triggering devices id in this quirk have
+ * a problem draining interrupts when irq remapping is enabled,
+ * and should be flagged as broken. Additionally revisions 0x12
+ * and 0x22 of device id 0x3405 has this problem.
*/
if (revision == 0x13)
set_irq_remapping_broken();
+ else if ((device == 0x3405) &&
+ ((revision == 0x12) ||
+ (revision == 0x22)))
+ set_irq_remapping_broken();
}
@@ -239,6 +247,8 @@ static struct chipset early_qrk[] __initdata = {
PCI_CLASS_SERIAL_SMBUS, PCI_ANY_ID, 0, ati_bugs_contd },
{ PCI_VENDOR_ID_INTEL, 0x3403, PCI_CLASS_BRIDGE_HOST,
PCI_BASE_CLASS_BRIDGE, 0, intel_remapping_check },
+ { PCI_VENDOR_ID_INTEL, 0x3405, PCI_CLASS_BRIDGE_HOST,
+ PCI_BASE_CLASS_BRIDGE, 0, intel_remapping_check },
{ PCI_VENDOR_ID_INTEL, 0x3406, PCI_CLASS_BRIDGE_HOST,
PCI_BASE_CLASS_BRIDGE, 0, intel_remapping_check },
{}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [157/251] arcnet: cleanup sizeof parameter
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (154 preceding siblings ...)
2013-09-11 4:29 ` [156/251] x86/iommu/vt-d: Expand interrupt remapping quirk to cover x58 chipset Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [158/251] sysctl net: Keep tcp_syn_retries inside the boundary Steven Rostedt
` (94 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Dan Carpenter, David S. Miller
[-- Attachment #1: 0157-arcnet-cleanup-sizeof-parameter.patch --]
[-- Type: text/plain, Size: 1144 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 087d273caf4f7d3f2159256f255f1f432bc84a5b ]
This patch doesn't change the compiled code because ARC_HDR_SIZE is 4
and sizeof(int) is 4, but the intent was to use the header size and not
the sizeof the header size.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/arcnet/arcnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/arcnet/arcnet.c b/drivers/net/arcnet/arcnet.c
index a746ba2..a956053 100644
--- a/drivers/net/arcnet/arcnet.c
+++ b/drivers/net/arcnet/arcnet.c
@@ -1007,7 +1007,7 @@ static void arcnet_rx(struct net_device *dev, int bufnum)
soft = &pkt.soft.rfc1201;
- lp->hw.copy_from_card(dev, bufnum, 0, &pkt, sizeof(ARC_HDR_SIZE));
+ lp->hw.copy_from_card(dev, bufnum, 0, &pkt, ARC_HDR_SIZE);
if (pkt.hard.offset[0]) {
ofs = pkt.hard.offset[0];
length = 256 - ofs;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [158/251] sysctl net: Keep tcp_syn_retries inside the boundary
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (155 preceding siblings ...)
2013-09-11 4:29 ` [157/251] arcnet: cleanup sizeof parameter Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [159/251] ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup Steven Rostedt
` (93 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Michal Tesar, David S. Miller
[-- Attachment #1: 0158-sysctl-net-Keep-tcp_syn_retries-inside-the-boundary.patch --]
[-- Type: text/plain, Size: 1405 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Michal Tesar <mtesar@redhat.com>
[ Upstream commit 651e92716aaae60fc41b9652f54cb6803896e0da ]
Limit the min/max value passed to the
/proc/sys/net/ipv4/tcp_syn_retries.
Signed-off-by: Michal Tesar <mtesar@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/ipv4/sysctl_net_ipv4.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 1b5ce96..335f18d 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -35,6 +35,8 @@ static int tcp_adv_win_scale_min = -31;
static int tcp_adv_win_scale_max = 31;
static int ip_ttl_min = 1;
static int ip_ttl_max = 255;
+static int tcp_syn_retries_min = 1;
+static int tcp_syn_retries_max = MAX_TCP_SYNCNT;
static int ip_ping_group_range_min[] = { 0, 0 };
static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
@@ -277,7 +279,9 @@ static struct ctl_table ipv4_table[] = {
.data = &sysctl_tcp_syn_retries,
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &tcp_syn_retries_min,
+ .extra2 = &tcp_syn_retries_max
},
{
.procname = "tcp_synack_retries",
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [159/251] ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (156 preceding siblings ...)
2013-09-11 4:29 ` [158/251] sysctl net: Keep tcp_syn_retries inside the boundary Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [160/251] net_sched: Fix stack info leak in cbq_dump_wrr() Steven Rostedt
` (92 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Srivatsa S. Bhat, Hannes Frederic Sowa, David S. Miller
[-- Attachment #1: 0159-ipv6-take-rtnl_lock-and-mark-mrt6-table-as-freed-on-.patch --]
[-- Type: text/plain, Size: 4523 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
[ Upstream commit 905a6f96a1b18e490a75f810d733ced93c39b0e5 ]
Otherwise we end up dereferencing the already freed net->ipv6.mrt pointer
which leads to a panic (from Srivatsa S. Bhat):
BUG: unable to handle kernel paging request at ffff882018552020
IP: [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
PGD 290a067 PUD 207ffe0067 PMD 207ff1d067 PTE 8000002018552060
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
Modules linked in: ebtable_nat ebtables nfs fscache nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT xt_CHECKSUM iptable_mangle iptable_filter ip_tables nfsd lockd nfs_acl exportfs auth_rpcgss autofs4 sunrpc 8021q garp bridge stp llc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter
+ip6_tables ipv6 vfat fat vhost_net macvtap macvlan vhost tun kvm_intel kvm uinput iTCO_wdt iTCO_vendor_support cdc_ether usbnet mii microcode i2c_i801 i2c_core lpc_ich mfd_core shpchp ioatdma dca mlx4_core be2net wmi acpi_cpufreq mperf ext4 jbd2 mbcache dm_mirror dm_region_hash dm_log dm_mod
CPU: 0 PID: 7 Comm: kworker/u33:0 Not tainted 3.11.0-rc1-ea45e-a #4
Hardware name: IBM -[8737R2A]-/00Y2738, BIOS -[B2E120RUS-1.20]- 11/30/2012
Workqueue: netns cleanup_net
task: ffff8810393641c0 ti: ffff881039366000 task.ti: ffff881039366000
RIP: 0010:[<ffffffffa0366b02>] [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
RSP: 0018:ffff881039367bd8 EFLAGS: 00010286
RAX: ffff881039367fd8 RBX: ffff882018552000 RCX: dead000000200200
RDX: 0000000000000000 RSI: ffff881039367b68 RDI: ffff881039367b68
RBP: ffff881039367bf8 R08: ffff881039367b68 R09: 2222222222222222
R10: 2222222222222222 R11: 2222222222222222 R12: ffff882015a7a040
R13: ffff882014eb89c0 R14: ffff8820289e2800 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88103fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff882018552020 CR3: 0000000001c0b000 CR4: 00000000000407f0
Stack:
ffff881039367c18 ffff882014eb89c0 ffff882015e28c00 0000000000000000
ffff881039367c18 ffffffffa034d9d1 ffff8820289e2800 ffff882014eb89c0
ffff881039367c58 ffffffff815bdecb ffffffff815bddf2 ffff882014eb89c0
Call Trace:
[<ffffffffa034d9d1>] rawv6_close+0x21/0x40 [ipv6]
[<ffffffff815bdecb>] inet_release+0xfb/0x220
[<ffffffff815bddf2>] ? inet_release+0x22/0x220
[<ffffffffa032686f>] inet6_release+0x3f/0x50 [ipv6]
[<ffffffff8151c1d9>] sock_release+0x29/0xa0
[<ffffffff81525520>] sk_release_kernel+0x30/0x70
[<ffffffffa034f14b>] icmpv6_sk_exit+0x3b/0x80 [ipv6]
[<ffffffff8152fff9>] ops_exit_list+0x39/0x60
[<ffffffff815306fb>] cleanup_net+0xfb/0x1a0
[<ffffffff81075e3a>] process_one_work+0x1da/0x610
[<ffffffff81075dc9>] ? process_one_work+0x169/0x610
[<ffffffff81076390>] worker_thread+0x120/0x3a0
[<ffffffff81076270>] ? process_one_work+0x610/0x610
[<ffffffff8107da2e>] kthread+0xee/0x100
[<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
[<ffffffff8162a99c>] ret_from_fork+0x7c/0xb0
[<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
Code: 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 4c 8b 67 30 49 89 fd e8 db 3c 1e e1 49 8b 9c 24 90 08 00 00 48 85 db 74 06 <4c> 39 6b 20 74 20 bb f3 ff ff ff e8 8e 3c 1e e1 89 d8 4c 8b 65
RIP [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
RSP <ffff881039367bd8>
CR2: ffff882018552020
Reported-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Tested-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/ipv6/ip6mr.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 4532973..964e3ae 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -256,10 +256,12 @@ static void __net_exit ip6mr_rules_exit(struct net *net)
{
struct mr6_table *mrt, *next;
+ rtnl_lock();
list_for_each_entry_safe(mrt, next, &net->ipv6.mr6_tables, list) {
list_del(&mrt->list);
ip6mr_free_table(mrt);
}
+ rtnl_unlock();
fib_rules_unregister(net->ipv6.mr6_rules_ops);
}
#else
@@ -286,7 +288,10 @@ static int __net_init ip6mr_rules_init(struct net *net)
static void __net_exit ip6mr_rules_exit(struct net *net)
{
+ rtnl_lock();
ip6mr_free_table(net->ipv6.mrt6);
+ net->ipv6.mrt6 = NULL;
+ rtnl_unlock();
}
#endif
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [160/251] net_sched: Fix stack info leak in cbq_dump_wrr().
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (157 preceding siblings ...)
2013-09-11 4:29 ` [159/251] ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [161/251] af_key: more info leaks in pfkey messages Steven Rostedt
` (91 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: David S. Miller
[-- Attachment #1: 0160-net_sched-Fix-stack-info-leak-in-cbq_dump_wrr.patch --]
[-- Type: text/plain, Size: 955 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "David S. Miller" <davem@davemloft.net>
[ Upstream commit a0db856a95a29efb1c23db55c02d9f0ff4f0db48 ]
Make sure the reserved fields, and padding (if any), are
fully initialized.
Based upon a patch by Dan Carpenter and feedback from
Joe Perches.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/sched/sch_cbq.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c
index 611d5e9..823f07f 100644
--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -1469,6 +1469,7 @@ static int cbq_dump_wrr(struct sk_buff *skb, struct cbq_class *cl)
unsigned char *b = skb_tail_pointer(skb);
struct tc_cbq_wrropt opt;
+ memset(&opt, 0, sizeof(opt));
opt.flags = 0;
opt.allot = cl->allot;
opt.priority = cl->priority + 1;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [161/251] af_key: more info leaks in pfkey messages
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (158 preceding siblings ...)
2013-09-11 4:29 ` [160/251] net_sched: Fix stack info leak in cbq_dump_wrr() Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [162/251] atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring Steven Rostedt
` (90 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Mathias Krause, Dan Carpenter, Steffen Klassert, David S. Miller
[-- Attachment #1: 0161-af_key-more-info-leaks-in-pfkey-messages.patch --]
[-- Type: text/plain, Size: 1944 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit ff862a4668dd6dba962b1d2d8bd344afa6375683 ]
This is inspired by a5cc68f3d6 "af_key: fix info leaks in notify
messages". There are some struct members which don't get initialized
and could disclose small amounts of private information.
Acked-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/key/af_key.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 34e4185..5c6b2f0 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2072,6 +2072,7 @@ static int pfkey_xfrm_policy2msg(struct sk_buff *skb, const struct xfrm_policy *
pol->sadb_x_policy_type = IPSEC_POLICY_NONE;
}
pol->sadb_x_policy_dir = dir+1;
+ pol->sadb_x_policy_reserved = 0;
pol->sadb_x_policy_id = xp->index;
pol->sadb_x_policy_priority = xp->priority;
@@ -3106,7 +3107,9 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
pol->sadb_x_policy_dir = dir+1;
+ pol->sadb_x_policy_reserved = 0;
pol->sadb_x_policy_id = xp->index;
+ pol->sadb_x_policy_priority = xp->priority;
/* Set sadb_comb's. */
if (x->id.proto == IPPROTO_AH)
@@ -3494,6 +3497,7 @@ static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
pol->sadb_x_policy_dir = dir + 1;
+ pol->sadb_x_policy_reserved = 0;
pol->sadb_x_policy_id = 0;
pol->sadb_x_policy_priority = 0;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [162/251] atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (159 preceding siblings ...)
2013-09-11 4:29 ` [161/251] af_key: more info leaks in pfkey messages Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [163/251] net_sched: info leak in atm_tc_dump_class() Steven Rostedt
` (89 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Eric Dumazet, Luis Henriques, Neil Horman, David S. Miller
[-- Attachment #1: 0162-atl1c-Fix-misuse-of-netdev_alloc_skb-in-refilling-rx.patch --]
[-- Type: text/plain, Size: 4633 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 7b70176421993866e616f1cbc4d0dd4054f1bf78 ]
On Mon, 2013-07-29 at 08:30 -0700, Eric Dumazet wrote:
> On Mon, 2013-07-29 at 13:09 +0100, Luis Henriques wrote:
>
> >
> > I confirm that I can't reproduce the issue using this patch.
> >
>
> Thanks, I'll send a polished patch, as this one had an error if
> build_skb() returns NULL (in case sk_buff allocation fails)
Please try the following patch : It should use 2K frags instead of 4K
for normal 1500 mtu
Thanks !
[PATCH] atl1c: use custom skb allocator
We had reports ( https://bugzilla.kernel.org/show_bug.cgi?id=54021 )
that using high order pages for skb allocations is problematic for atl1c
We do not know exactly what the problem is, but we suspect that crossing
4K pages is not well supported by this hardware.
Use a custom allocator, using page allocator and 2K fragments for
optimal stack behavior. We might make this allocator generic
in future kernels.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Luis Henriques <luis.henriques@canonical.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/ethernet/atheros/atl1c/atl1c.h | 3 ++
drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 40 ++++++++++++++++++++++-
2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c.h b/drivers/net/ethernet/atheros/atl1c/atl1c.h
index b2bf324..0f05565 100644
--- a/drivers/net/ethernet/atheros/atl1c/atl1c.h
+++ b/drivers/net/ethernet/atheros/atl1c/atl1c.h
@@ -520,6 +520,9 @@ struct atl1c_adapter {
struct net_device *netdev;
struct pci_dev *pdev;
struct napi_struct napi;
+ struct page *rx_page;
+ unsigned int rx_page_offset;
+ unsigned int rx_frag_size;
struct atl1c_hw hw;
struct atl1c_hw_stats hw_stats;
struct mii_if_info mii; /* MII interface info */
diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
index 1bf5bbf..033226b 100644
--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
@@ -482,10 +482,15 @@ static int atl1c_set_mac_addr(struct net_device *netdev, void *p)
static void atl1c_set_rxbufsize(struct atl1c_adapter *adapter,
struct net_device *dev)
{
+ unsigned int head_size;
int mtu = dev->mtu;
adapter->rx_buffer_len = mtu > AT_RX_BUF_SIZE ?
roundup(mtu + ETH_HLEN + ETH_FCS_LEN + VLAN_HLEN, 8) : AT_RX_BUF_SIZE;
+
+ head_size = SKB_DATA_ALIGN(adapter->rx_buffer_len + NET_SKB_PAD) +
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+ adapter->rx_frag_size = roundup_pow_of_two(head_size);
}
static netdev_features_t atl1c_fix_features(struct net_device *netdev,
@@ -953,6 +958,10 @@ static void atl1c_free_ring_resources(struct atl1c_adapter *adapter)
kfree(adapter->tpd_ring[0].buffer_info);
adapter->tpd_ring[0].buffer_info = NULL;
}
+ if (adapter->rx_page) {
+ put_page(adapter->rx_page);
+ adapter->rx_page = NULL;
+ }
}
/**
@@ -1642,6 +1651,35 @@ static inline void atl1c_rx_checksum(struct atl1c_adapter *adapter,
skb_checksum_none_assert(skb);
}
+static struct sk_buff *atl1c_alloc_skb(struct atl1c_adapter *adapter)
+{
+ struct sk_buff *skb;
+ struct page *page;
+
+ if (adapter->rx_frag_size > PAGE_SIZE)
+ return netdev_alloc_skb(adapter->netdev,
+ adapter->rx_buffer_len);
+
+ page = adapter->rx_page;
+ if (!page) {
+ adapter->rx_page = page = alloc_page(GFP_ATOMIC);
+ if (unlikely(!page))
+ return NULL;
+ adapter->rx_page_offset = 0;
+ }
+
+ skb = build_skb(page_address(page) + adapter->rx_page_offset,
+ adapter->rx_frag_size);
+ if (likely(skb)) {
+ adapter->rx_page_offset += adapter->rx_frag_size;
+ if (adapter->rx_page_offset >= PAGE_SIZE)
+ adapter->rx_page = NULL;
+ else
+ get_page(page);
+ }
+ return skb;
+}
+
static int atl1c_alloc_rx_buffer(struct atl1c_adapter *adapter)
{
struct atl1c_rfd_ring *rfd_ring = &adapter->rfd_ring;
@@ -1662,7 +1700,7 @@ static int atl1c_alloc_rx_buffer(struct atl1c_adapter *adapter)
while (next_info->flags & ATL1C_BUFFER_FREE) {
rfd_desc = ATL1C_RFD_DESC(rfd_ring, rfd_next_to_use);
- skb = netdev_alloc_skb(adapter->netdev, adapter->rx_buffer_len);
+ skb = atl1c_alloc_skb(adapter);
if (unlikely(!skb)) {
if (netif_msg_rx_err(adapter))
dev_warn(&pdev->dev, "alloc rx buffer failed\n");
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [163/251] net_sched: info leak in atm_tc_dump_class()
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (160 preceding siblings ...)
2013-09-11 4:29 ` [162/251] atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [164/251] ndisc: Add missing inline to ndisc_addr_option_pad Steven Rostedt
` (88 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Dan Carpenter, Jiri Pirko, David S. Miller
[-- Attachment #1: 0163-net_sched-info-leak-in-atm_tc_dump_class.patch --]
[-- Type: text/plain, Size: 1013 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 8cb3b9c3642c0263d48f31d525bcee7170eedc20 ]
The "pvc" struct has a hole after pvc.sap_family which is not cleared.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/sched/sch_atm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c
index ca8e0a5..1f9c314 100644
--- a/net/sched/sch_atm.c
+++ b/net/sched/sch_atm.c
@@ -605,6 +605,7 @@ static int atm_tc_dump_class(struct Qdisc *sch, unsigned long cl,
struct sockaddr_atmpvc pvc;
int state;
+ memset(&pvc, 0, sizeof(pvc));
pvc.sap_family = AF_ATMPVC;
pvc.sap_addr.itf = flow->vcc->dev ? flow->vcc->dev->number : -1;
pvc.sap_addr.vpi = flow->vcc->vpi;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [164/251] ndisc: Add missing inline to ndisc_addr_option_pad
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (161 preceding siblings ...)
2013-09-11 4:29 ` [163/251] net_sched: info leak in atm_tc_dump_class() Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [165/251] 8139cp: Add dma_mapping_error checking Steven Rostedt
` (87 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Joe Perches, David S. Miller
[-- Attachment #1: 0164-ndisc-Add-missing-inline-to-ndisc_addr_option_pad.patch --]
[-- Type: text/plain, Size: 952 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Joe Perches <joe@perches.com>
[ Upstream commit d9d10a30964504af834d8d250a0c76d4ae91eb1e ]
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
include/net/ndisc.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/ndisc.h b/include/net/ndisc.h
index 826a541..9761757 100644
--- a/include/net/ndisc.h
+++ b/include/net/ndisc.h
@@ -118,7 +118,7 @@ extern struct ndisc_options *ndisc_parse_options(u8 *opt, int opt_len,
* if RFC 3831 IPv6-over-Fibre Channel is ever implemented it may
* also need a pad of 2.
*/
-static int ndisc_addr_option_pad(unsigned short type)
+static inline int ndisc_addr_option_pad(unsigned short type)
{
switch (type) {
case ARPHRD_INFINIBAND: return 2;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [165/251] 8139cp: Add dma_mapping_error checking
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (162 preceding siblings ...)
2013-09-11 4:29 ` [164/251] ndisc: Add missing inline to ndisc_addr_option_pad Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [166/251] Dont attempt to send extended INQUIRY command if skip_vpd_pages is set Steven Rostedt
` (86 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Neil Horman, David S. Miller, Francois Romieu
[-- Attachment #1: 0165-8139cp-Add-dma_mapping_error-checking.patch --]
[-- Type: text/plain, Size: 4649 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Neil Horman <nhorman@tuxdriver.com>
[ Upstream commit cf3c4c03060b688cbc389ebc5065ebcce5653e96 ]
Self explanitory dma_mapping_error addition to the 8139 driver, based on this:
https://bugzilla.redhat.com/show_bug.cgi?id=947250
It showed several backtraces arising for dma_map_* usage without checking the
return code on the mapping. Add the check and abort the rx/tx operation if its
failed. Untested as I have no hardware and the reporter has wandered off, but
seems pretty straightforward.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/ethernet/realtek/8139cp.c | 48 ++++++++++++++++++++++++++++++---
1 file changed, 45 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c
index dd3371b..e933d57 100644
--- a/drivers/net/ethernet/realtek/8139cp.c
+++ b/drivers/net/ethernet/realtek/8139cp.c
@@ -478,7 +478,7 @@ rx_status_loop:
while (1) {
u32 status, len;
- dma_addr_t mapping;
+ dma_addr_t mapping, new_mapping;
struct sk_buff *skb, *new_skb;
struct cp_desc *desc;
const unsigned buflen = cp->rx_buf_sz;
@@ -520,6 +520,13 @@ rx_status_loop:
goto rx_next;
}
+ new_mapping = dma_map_single(&cp->pdev->dev, new_skb->data, buflen,
+ PCI_DMA_FROMDEVICE);
+ if (dma_mapping_error(&cp->pdev->dev, new_mapping)) {
+ dev->stats.rx_dropped++;
+ goto rx_next;
+ }
+
dma_unmap_single(&cp->pdev->dev, mapping,
buflen, PCI_DMA_FROMDEVICE);
@@ -531,12 +538,11 @@ rx_status_loop:
skb_put(skb, len);
- mapping = dma_map_single(&cp->pdev->dev, new_skb->data, buflen,
- PCI_DMA_FROMDEVICE);
cp->rx_skb[rx_tail] = new_skb;
cp_rx_skb(cp, skb, desc);
rx++;
+ mapping = new_mapping;
rx_next:
cp->rx_ring[rx_tail].opts2 = 0;
@@ -707,6 +713,22 @@ static inline u32 cp_tx_vlan_tag(struct sk_buff *skb)
TxVlanTag | swab16(vlan_tx_tag_get(skb)) : 0x00;
}
+static void unwind_tx_frag_mapping(struct cp_private *cp, struct sk_buff *skb,
+ int first, int entry_last)
+{
+ int frag, index;
+ struct cp_desc *txd;
+ skb_frag_t *this_frag;
+ for (frag = 0; frag+first < entry_last; frag++) {
+ index = first+frag;
+ cp->tx_skb[index] = NULL;
+ txd = &cp->tx_ring[index];
+ this_frag = &skb_shinfo(skb)->frags[frag];
+ dma_unmap_single(&cp->pdev->dev, le64_to_cpu(txd->addr),
+ skb_frag_size(this_frag), PCI_DMA_TODEVICE);
+ }
+}
+
static netdev_tx_t cp_start_xmit (struct sk_buff *skb,
struct net_device *dev)
{
@@ -740,6 +762,9 @@ static netdev_tx_t cp_start_xmit (struct sk_buff *skb,
len = skb->len;
mapping = dma_map_single(&cp->pdev->dev, skb->data, len, PCI_DMA_TODEVICE);
+ if (dma_mapping_error(&cp->pdev->dev, mapping))
+ goto out_dma_error;
+
txd->opts2 = opts2;
txd->addr = cpu_to_le64(mapping);
wmb();
@@ -777,6 +802,9 @@ static netdev_tx_t cp_start_xmit (struct sk_buff *skb,
first_len = skb_headlen(skb);
first_mapping = dma_map_single(&cp->pdev->dev, skb->data,
first_len, PCI_DMA_TODEVICE);
+ if (dma_mapping_error(&cp->pdev->dev, first_mapping))
+ goto out_dma_error;
+
cp->tx_skb[entry] = skb;
entry = NEXT_TX(entry);
@@ -790,6 +818,11 @@ static netdev_tx_t cp_start_xmit (struct sk_buff *skb,
mapping = dma_map_single(&cp->pdev->dev,
skb_frag_address(this_frag),
len, PCI_DMA_TODEVICE);
+ if (dma_mapping_error(&cp->pdev->dev, mapping)) {
+ unwind_tx_frag_mapping(cp, skb, first_entry, entry);
+ goto out_dma_error;
+ }
+
eor = (entry == (CP_TX_RING_SIZE - 1)) ? RingEnd : 0;
ctrl = eor | len | DescOwn;
@@ -848,11 +881,16 @@ static netdev_tx_t cp_start_xmit (struct sk_buff *skb,
if (TX_BUFFS_AVAIL(cp) <= (MAX_SKB_FRAGS + 1))
netif_stop_queue(dev);
+out_unlock:
spin_unlock_irqrestore(&cp->lock, intr_flags);
cpw8(TxPoll, NormalTxPoll);
return NETDEV_TX_OK;
+out_dma_error:
+ kfree_skb(skb);
+ cp->dev->stats.tx_dropped++;
+ goto out_unlock;
}
/* Set or clear the multicast filter for this adaptor.
@@ -1023,6 +1061,10 @@ static int cp_refill_rx(struct cp_private *cp)
mapping = dma_map_single(&cp->pdev->dev, skb->data,
cp->rx_buf_sz, PCI_DMA_FROMDEVICE);
+ if (dma_mapping_error(&cp->pdev->dev, mapping)) {
+ kfree_skb(skb);
+ goto err_out;
+ }
cp->rx_skb[i] = skb;
cp->rx_ring[i].opts2 = 0;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [166/251] Dont attempt to send extended INQUIRY command if skip_vpd_pages is set
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (163 preceding siblings ...)
2013-09-11 4:29 ` [165/251] 8139cp: Add dma_mapping_error checking Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [167/251] megaraid_sas: megaraid_sas driver init fails in kdump kernel Steven Rostedt
` (85 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Martin K. Petersen, Alan Stern, Stuart Foster, James Bottomley
[-- Attachment #1: 0166-Don-t-attempt-to-send-extended-INQUIRY-command-if-sk.patch --]
[-- Type: text/plain, Size: 1128 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "Martin K. Petersen" <martin.petersen@oracle.com>
[ Upstream commit 7562523e84ddc742fe1f9db8bd76b01acca89f6b ]
If a device has the skip_vpd_pages flag set we should simply fail the
scsi_get_vpd_page() call.
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Stuart Foster <smf.linux@ntlworld.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/scsi/scsi.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
index 2936b44..5dba497 100644
--- a/drivers/scsi/scsi.c
+++ b/drivers/scsi/scsi.c
@@ -1030,6 +1030,9 @@ int scsi_get_vpd_page(struct scsi_device *sdev, u8 page, unsigned char *buf,
{
int i, result;
+ if (sdev->skip_vpd_pages)
+ goto fail;
+
/* Ask for all the pages supported by this device */
result = scsi_vpd_inquiry(sdev, buf, 0, buf_len);
if (result)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [167/251] megaraid_sas: megaraid_sas driver init fails in kdump kernel
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (164 preceding siblings ...)
2013-09-11 4:29 ` [166/251] Dont attempt to send extended INQUIRY command if skip_vpd_pages is set Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [168/251] ext4: make sure group number is bumped after a inode allocation race Steven Rostedt
` (84 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sumit Saxena, Kashyap Desai, James Bottomley
[-- Attachment #1: 0167-megaraid_sas-megaraid_sas-driver-init-fails-in-kdump.patch --]
[-- Type: text/plain, Size: 2133 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: "Sumit.Saxena@lsi.com" <Sumit.Saxena@lsi.com>
[ Upstream commit 6431f5d7c6025f8b007af06ea090de308f7e6881 ]
Problem: When Hardware IOMMU is on, megaraid_sas driver initialization fails
in kdump kernel with LSI MegaRAID controller(device id-0x73).
Actually this issue needs fix in firmware, but for firmware running in field,
this driver fix is proposed to resolve the issue. At firmware initialization
time, if firmware does not come to ready state, driver will reset the adapter
and retry for firmware transition to ready state unconditionally(not only
executed for kdump kernel).
Signed-off-by: Sumit Saxena <sumit.saxena@lsi.com>
Signed-off-by: Kashyap Desai <kashyap.desai@lsi.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/scsi/megaraid/megaraid_sas_base.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
index d525297..7593e28 100644
--- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -3493,11 +3493,21 @@ static int megasas_init_fw(struct megasas_instance *instance)
break;
}
- /*
- * We expect the FW state to be READY
- */
- if (megasas_transition_to_ready(instance, 0))
- goto fail_ready_state;
+ if (megasas_transition_to_ready(instance, 0)) {
+ atomic_set(&instance->fw_reset_no_pci_access, 1);
+ instance->instancet->adp_reset
+ (instance, instance->reg_set);
+ atomic_set(&instance->fw_reset_no_pci_access, 0);
+ dev_info(&instance->pdev->dev,
+ "megasas: FW restarted successfully from %s!\n",
+ __func__);
+
+ /*waitting for about 30 second before retry*/
+ ssleep(30);
+
+ if (megasas_transition_to_ready(instance, 0))
+ goto fail_ready_state;
+ }
/* Check if MSI-X is supported while in ready state */
msix_enable = (instance->instancet->read_fw_status_reg(reg_set) &
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [168/251] ext4: make sure group number is bumped after a inode allocation race
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (165 preceding siblings ...)
2013-09-11 4:29 ` [167/251] megaraid_sas: megaraid_sas driver init fails in kdump kernel Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [169/251] regmap: Add missing header for !CONFIG_REGMAP stubs Steven Rostedt
` (83 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Theodore Tso
[-- Attachment #1: 0168-ext4-make-sure-group-number-is-bumped-after-a-inode-.patch --]
[-- Type: text/plain, Size: 1844 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
[ Upstream commit a34eb503742fd25155fd6cff6163daacead9fbc3 ]
When we try to allocate an inode, and there is a race between two
CPU's trying to grab the same inode, _and_ this inode is the last free
inode in the block group, make sure the group number is bumped before
we continue searching the rest of the block groups. Otherwise, we end
up searching the current block group twice, and we end up skipping
searching the last block group. So in the unlikely situation where
almost all of the inodes are allocated, it's possible that we will
return ENOSPC even though there might be free inodes in that last
block group.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/ext4/ialloc.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
index c690ff9..16481bd 100644
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -706,11 +706,8 @@ repeat_in_this_group:
ino = ext4_find_next_zero_bit((unsigned long *)
inode_bitmap_bh->b_data,
EXT4_INODES_PER_GROUP(sb), ino);
- if (ino >= EXT4_INODES_PER_GROUP(sb)) {
- if (++group == ngroups)
- group = 0;
- continue;
- }
+ if (ino >= EXT4_INODES_PER_GROUP(sb))
+ goto next_group;
if (group == 0 && (ino+1) < EXT4_FIRST_INO(sb)) {
ext4_error(sb, "reserved inode found cleared - "
"inode=%lu", ino + 1);
@@ -728,6 +725,9 @@ repeat_in_this_group:
goto got; /* we grabbed the inode! */
if (ino < EXT4_INODES_PER_GROUP(sb))
goto repeat_in_this_group;
+next_group:
+ if (++group == ngroups)
+ group = 0;
}
err = -ENOSPC;
goto out;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [169/251] regmap: Add missing header for !CONFIG_REGMAP stubs
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (166 preceding siblings ...)
2013-09-11 4:29 ` [168/251] ext4: make sure group number is bumped after a inode allocation race Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [170/251] hwmon: (adt7470) Fix incorrect return code check Steven Rostedt
` (82 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Mateusz Krawczuk, Kyungmin Park, Mark Brown, stable
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: 0169-regmap-Add-missing-header-for-CONFIG_REGMAP-stubs.patch --]
[-- Type: text/plain, Size: 1310 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Mateusz Krawczuk <m.krawczuk@partner.samsung.com>
[ Upstream commit 49ccc142f9cbc33fdda18e8fa90c1c5b4a79c0ad ]
regmap.h requires linux/err.h if CONFIG_REGMAP is not defined. Without it I get
error.
CC drivers/media/platform/exynos4-is/fimc-reg.o
In file included from drivers/media/platform/exynos4-is/fimc-reg.c:14:0:
include/linux/regmap.h: In function ‘regmap_write’:
include/linux/regmap.h:525:10: error: ‘EINVAL’ undeclared (first use in this function)
include/linux/regmap.h:525:10: note: each undeclared identifier is reported only once for each function it appears in
Signed-off-by: Mateusz Krawczuk <m.krawczuk@partner.samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Cc: stable@kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
include/linux/regmap.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/linux/regmap.h b/include/linux/regmap.h
index 7f7e00d..519d5f2 100644
--- a/include/linux/regmap.h
+++ b/include/linux/regmap.h
@@ -15,6 +15,7 @@
#include <linux/list.h>
#include <linux/rbtree.h>
+#include <linux/err.h>
struct module;
struct device;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [170/251] hwmon: (adt7470) Fix incorrect return code check
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (167 preceding siblings ...)
2013-09-11 4:29 ` [169/251] regmap: Add missing header for !CONFIG_REGMAP stubs Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [171/251] tracing: Fix fields of struct trace_iterator that are zeroed by mistake Steven Rostedt
` (81 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Curt Brune, Guenter Roeck
[-- Attachment #1: 0170-hwmon-adt7470-Fix-incorrect-return-code-check.patch --]
[-- Type: text/plain, Size: 1630 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Curt Brune <curt@cumulusnetworks.com>
[ Upstream commit 93d783bcca69bfacc8dc739d8a050498402587b5 ]
In adt7470_write_word_data(), which writes two bytes using
i2c_smbus_write_byte_data(), the return codes are incorrectly AND-ed
together when they should be OR-ed together.
The return code of i2c_smbus_write_byte_data() is zero for success.
The upshot is only the first byte was ever written to the hardware.
The 2nd byte was never written out.
I noticed that trying to set the fan speed limits was not working
correctly on my system. Setting the fan speed limits is the only
code that uses adt7470_write_word_data(). After making the change
the limit settings work and the alarms work also.
Signed-off-by: Curt Brune <curt@cumulusnetworks.com>
Cc: stable@vger.kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/hwmon/adt7470.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hwmon/adt7470.c b/drivers/hwmon/adt7470.c
index 54ec8905..034085d 100644
--- a/drivers/hwmon/adt7470.c
+++ b/drivers/hwmon/adt7470.c
@@ -215,7 +215,7 @@ static inline int adt7470_write_word_data(struct i2c_client *client, u8 reg,
u16 value)
{
return i2c_smbus_write_byte_data(client, reg, value & 0xFF)
- && i2c_smbus_write_byte_data(client, reg + 1, value >> 8);
+ || i2c_smbus_write_byte_data(client, reg + 1, value >> 8);
}
static void adt7470_init_client(struct i2c_client *client)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [171/251] tracing: Fix fields of struct trace_iterator that are zeroed by mistake
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (168 preceding siblings ...)
2013-09-11 4:29 ` [170/251] hwmon: (adt7470) Fix incorrect return code check Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:29 ` [172/251] ALSA: usb-audio: do not trust too-big wMaxPacketSize values Steven Rostedt
` (80 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Andrew Vagin
[-- Attachment #1: 0171-tracing-Fix-fields-of-struct-trace_iterator-that-are.patch --]
[-- Type: text/plain, Size: 2216 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Andrew Vagin <avagin@openvz.org>
[ Upstream commit ed5467da0e369e65b247b99eb6403cb79172bcda ]
tracing_read_pipe zeros all fields bellow "seq". The declaration contains
a comment about that, but it doesn't help.
The first field is "snapshot", it's true when current open file is
snapshot. Looks obvious, that it should not be zeroed.
The second field is "started". It was converted from cpumask_t to
cpumask_var_t (v2.6.28-4983-g4462344), in other words it was
converted from cpumask to pointer on cpumask.
Currently the reference on "started" memory is lost after the first read
from tracing_read_pipe and a proper object will never be freed.
The "started" is never dereferenced for trace_pipe, because trace_pipe
can't have the TRACE_FILE_ANNOTATE options.
Link: http://lkml.kernel.org/r/1375463803-3085183-1-git-send-email-avagin@openvz.org
Cc: stable@vger.kernel.org # 2.6.30
Signed-off-by: Andrew Vagin <avagin@openvz.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
include/linux/ftrace_event.h | 4 +++-
kernel/trace/trace.c | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/linux/ftrace_event.h b/include/linux/ftrace_event.h
index 642928c..86e6806 100644
--- a/include/linux/ftrace_event.h
+++ b/include/linux/ftrace_event.h
@@ -71,6 +71,8 @@ struct trace_iterator {
/* trace_seq for __print_flags() and __print_symbolic() etc. */
struct trace_seq tmp_seq;
+ cpumask_var_t started;
+
/* The below is zeroed out in pipe_read */
struct trace_seq seq;
struct trace_entry *ent;
@@ -83,7 +85,7 @@ struct trace_iterator {
loff_t pos;
long idx;
- cpumask_var_t started;
+ /* All new field here will be zeroed out in pipe_read */
};
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index a3e9083..0686c13 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3542,6 +3542,7 @@ waitagain:
memset(&iter->seq, 0,
sizeof(struct trace_iterator) -
offsetof(struct trace_iterator, seq));
+ cpumask_clear(iter->started);
iter->pos = -1;
trace_event_read_lock();
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [172/251] ALSA: usb-audio: do not trust too-big wMaxPacketSize values
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (169 preceding siblings ...)
2013-09-11 4:29 ` [171/251] tracing: Fix fields of struct trace_iterator that are zeroed by mistake Steven Rostedt
@ 2013-09-11 4:29 ` Steven Rostedt
2013-09-11 4:30 ` [173/251] ALSA: 6fire: fix DMA issues with URB transfer_buffer usage Steven Rostedt
` (79 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:29 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: James Stone, Clemens Ladisch, Takashi Iwai
[-- Attachment #1: 0172-ALSA-usb-audio-do-not-trust-too-big-wMaxPacketSize-v.patch --]
[-- Type: text/plain, Size: 2204 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Clemens Ladisch <clemens@ladisch.de>
[ Upstream commit 57e6dae1087bbaa6b33d3dd8a8e90b63888939a3 ]
The driver used to assume that the streaming endpoint's wMaxPacketSize
value would be an indication of how much data the endpoint expects or
sends, and compute the number of packets per URB using this value.
However, the Focusrite Scarlett 2i4 declares a value of 1024 bytes,
while only about 88 or 44 bytes are be actually used. This discrepancy
would result in URBs with far too few packets, which would not work
correctly on the EHCI driver.
To get correct URBs, use wMaxPacketSize only as an upper limit on the
packet size.
Reported-by: James Stone <jamesmstone@gmail.com>
Tested-by: James Stone <jamesmstone@gmail.com>
Cc: <stable@vger.kernel.org> # 2.6.35+
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/usb/endpoint.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index eafc889..38e9583 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -599,17 +599,16 @@ static int data_ep_set_params(struct snd_usb_endpoint *ep,
ep->stride = frame_bits >> 3;
ep->silence_value = format == SNDRV_PCM_FORMAT_U8 ? 0x80 : 0;
- /* calculate max. frequency */
- if (ep->maxpacksize) {
+ /* assume max. frequency is 25% higher than nominal */
+ ep->freqmax = ep->freqn + (ep->freqn >> 2);
+ maxsize = ((ep->freqmax + 0xffff) * (frame_bits >> 3))
+ >> (16 - ep->datainterval);
+ /* but wMaxPacketSize might reduce this */
+ if (ep->maxpacksize && ep->maxpacksize < maxsize) {
/* whatever fits into a max. size packet */
maxsize = ep->maxpacksize;
ep->freqmax = (maxsize / (frame_bits >> 3))
<< (16 - ep->datainterval);
- } else {
- /* no max. packet size: just take 25% higher than nominal */
- ep->freqmax = ep->freqn + (ep->freqn >> 2);
- maxsize = ((ep->freqmax + 0xffff) * (frame_bits >> 3))
- >> (16 - ep->datainterval);
}
if (ep->fill_max)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [173/251] ALSA: 6fire: fix DMA issues with URB transfer_buffer usage
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (170 preceding siblings ...)
2013-09-11 4:29 ` [172/251] ALSA: usb-audio: do not trust too-big wMaxPacketSize values Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [174/251] virtio: console: fix race with port unplug and open/close Steven Rostedt
` (78 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jussi Kivilinna, Torsten Schenk, Takashi Iwai
[-- Attachment #1: 0173-ALSA-6fire-fix-DMA-issues-with-URB-transfer_buffer-u.patch --]
[-- Type: text/plain, Size: 3396 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[ Upstream commit ddb6b5a964371e8e52e696b2b258bda144c8bd3f ]
Patch fixes 6fire not to use stack as URB transfer_buffer. URB buffers need to
be DMA-able, which stack is not. Furthermore, transfer_buffer should not be
allocated as part of larger device structure because DMA coherency issues and
patch fixes this issue too.
Cc: stable@vger.kernel.org
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Tested-by: Torsten Schenk <torsten.schenk@zoho.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/usb/6fire/comm.c | 38 +++++++++++++++++++++++++++++++++-----
sound/usb/6fire/comm.h | 2 +-
2 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/sound/usb/6fire/comm.c b/sound/usb/6fire/comm.c
index 6c3d531..8e68be7 100644
--- a/sound/usb/6fire/comm.c
+++ b/sound/usb/6fire/comm.c
@@ -110,19 +110,37 @@ static int usb6fire_comm_send_buffer(u8 *buffer, struct usb_device *dev)
static int usb6fire_comm_write8(struct comm_runtime *rt, u8 request,
u8 reg, u8 value)
{
- u8 buffer[13]; /* 13: maximum length of message */
+ u8 *buffer;
+ int ret;
+
+ /* 13: maximum length of message */
+ buffer = kmalloc(13, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
usb6fire_comm_init_buffer(buffer, 0x00, request, reg, value, 0x00);
- return usb6fire_comm_send_buffer(buffer, rt->chip->dev);
+ ret = usb6fire_comm_send_buffer(buffer, rt->chip->dev);
+
+ kfree(buffer);
+ return ret;
}
static int usb6fire_comm_write16(struct comm_runtime *rt, u8 request,
u8 reg, u8 vl, u8 vh)
{
- u8 buffer[13]; /* 13: maximum length of message */
+ u8 *buffer;
+ int ret;
+
+ /* 13: maximum length of message */
+ buffer = kmalloc(13, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
usb6fire_comm_init_buffer(buffer, 0x00, request, reg, vl, vh);
- return usb6fire_comm_send_buffer(buffer, rt->chip->dev);
+ ret = usb6fire_comm_send_buffer(buffer, rt->chip->dev);
+
+ kfree(buffer);
+ return ret;
}
int __devinit usb6fire_comm_init(struct sfire_chip *chip)
@@ -135,6 +153,12 @@ int __devinit usb6fire_comm_init(struct sfire_chip *chip)
if (!rt)
return -ENOMEM;
+ rt->receiver_buffer = kzalloc(COMM_RECEIVER_BUFSIZE, GFP_KERNEL);
+ if (!rt->receiver_buffer) {
+ kfree(rt);
+ return -ENOMEM;
+ }
+
rt->serial = 1;
rt->chip = chip;
usb_init_urb(urb);
@@ -152,6 +176,7 @@ int __devinit usb6fire_comm_init(struct sfire_chip *chip)
urb->interval = 1;
ret = usb_submit_urb(urb, GFP_KERNEL);
if (ret < 0) {
+ kfree(rt->receiver_buffer);
kfree(rt);
snd_printk(KERN_ERR PREFIX "cannot create comm data receiver.");
return ret;
@@ -170,6 +195,9 @@ void usb6fire_comm_abort(struct sfire_chip *chip)
void usb6fire_comm_destroy(struct sfire_chip *chip)
{
- kfree(chip->comm);
+ struct comm_runtime *rt = chip->comm;
+
+ kfree(rt->receiver_buffer);
+ kfree(rt);
chip->comm = NULL;
}
diff --git a/sound/usb/6fire/comm.h b/sound/usb/6fire/comm.h
index d2af0a5..fca24e3 100644
--- a/sound/usb/6fire/comm.h
+++ b/sound/usb/6fire/comm.h
@@ -24,7 +24,7 @@ struct comm_runtime {
struct sfire_chip *chip;
struct urb receiver;
- u8 receiver_buffer[COMM_RECEIVER_BUFSIZE];
+ u8 *receiver_buffer;
u8 serial; /* urb serial */
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [174/251] virtio: console: fix race with port unplug and open/close
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (171 preceding siblings ...)
2013-09-11 4:30 ` [173/251] ALSA: 6fire: fix DMA issues with URB transfer_buffer usage Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [175/251] virtio: console: fix race in port_fops_open() and port unplug Steven Rostedt
` (77 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Mateusz Guzik, Amit Shah, Rusty Russell
[-- Attachment #1: 0174-virtio-console-fix-race-with-port-unplug-and-open-cl.patch --]
[-- Type: text/plain, Size: 1957 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Amit Shah <amit.shah@redhat.com>
[ Upstream commit 057b82be3ca3d066478e43b162fc082930a746c9 ]
There's a window between find_port_by_devt() returning a port and us
taking a kref on the port, where the port could get unplugged. Fix it
by taking the reference in find_port_by_devt() itself.
Problem reported and analyzed by Mateusz Guzik.
CC: <stable@vger.kernel.org>
Reported-by: Mateusz Guzik <mguzik@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/char/virtio_console.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index d2f7eb0..abca6eb 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -257,9 +257,12 @@ static struct port *find_port_by_devt_in_portdev(struct ports_device *portdev,
unsigned long flags;
spin_lock_irqsave(&portdev->ports_lock, flags);
- list_for_each_entry(port, &portdev->ports, list)
- if (port->cdev->dev == dev)
+ list_for_each_entry(port, &portdev->ports, list) {
+ if (port->cdev->dev == dev) {
+ kref_get(&port->kref);
goto out;
+ }
+ }
port = NULL;
out:
spin_unlock_irqrestore(&portdev->ports_lock, flags);
@@ -793,14 +796,10 @@ static int port_fops_open(struct inode *inode, struct file *filp)
struct port *port;
int ret;
+ /* We get the port with a kref here */
port = find_port_by_devt(cdev->dev);
filp->private_data = port;
- /* Prevent against a port getting hot-unplugged at the same time */
- spin_lock_irq(&port->portdev->ports_lock);
- kref_get(&port->kref);
- spin_unlock_irq(&port->portdev->ports_lock);
-
/*
* Don't allow opening of console port devices -- that's done
* via /dev/hvc
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [175/251] virtio: console: fix race in port_fops_open() and port unplug
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (172 preceding siblings ...)
2013-09-11 4:30 ` [174/251] virtio: console: fix race with port unplug and open/close Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [176/251] virtio: console: clean up port data immediately at time of unplug Steven Rostedt
` (76 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Amit Shah, Rusty Russell
[-- Attachment #1: 0175-virtio-console-fix-race-in-port_fops_open-and-port-u.patch --]
[-- Type: text/plain, Size: 1298 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Amit Shah <amit.shah@redhat.com>
[ Upstream commit 671bdea2b9f210566610603ecbb6584c8a201c8c ]
Between open() being called and processed, the port can be unplugged.
Check if this happened, and bail out.
A simple test script to reproduce this is:
while true; do for i in $(seq 1 100); do echo $i > /dev/vport0p3; done; done;
This opens and closes the port a lot of times; unplugging the port while
this is happening triggers the bug.
CC: <stable@vger.kernel.org>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/char/virtio_console.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index abca6eb..a57cc3b 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -798,6 +798,10 @@ static int port_fops_open(struct inode *inode, struct file *filp)
/* We get the port with a kref here */
port = find_port_by_devt(cdev->dev);
+ if (!port) {
+ /* Port was unplugged before we could proceed */
+ return -ENXIO;
+ }
filp->private_data = port;
/*
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [176/251] virtio: console: clean up port data immediately at time of unplug
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (173 preceding siblings ...)
2013-09-11 4:30 ` [175/251] virtio: console: fix race in port_fops_open() and port unplug Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [177/251] virtio: console: fix raising SIGIO after port unplug Steven Rostedt
` (75 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: chayang, YOGANANTH SUBRAMANIAN, FuXiangChun, Qunfang Zhang,
Sibiao Luo, Amit Shah, Rusty Russell
[-- Attachment #1: 0176-virtio-console-clean-up-port-data-immediately-at-tim.patch --]
[-- Type: text/plain, Size: 5071 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Amit Shah <amit.shah@redhat.com>
[ Upstream commit ea3768b4386a8d1790f4cc9a35de4f55b92d6442 ]
We used to keep the port's char device structs and the /sys entries
around till the last reference to the port was dropped. This is
actually unnecessary, and resulted in buggy behaviour:
1. Open port in guest
2. Hot-unplug port
3. Hot-plug a port with the same 'name' property as the unplugged one
This resulted in hot-plug being unsuccessful, as a port with the same
name already exists (even though it was unplugged).
This behaviour resulted in a warning message like this one:
-------------------8<---------------------------------------
WARNING: at fs/sysfs/dir.c:512 sysfs_add_one+0xc9/0x130() (Not tainted)
Hardware name: KVM
sysfs: cannot create duplicate filename
'/devices/pci0000:00/0000:00:04.0/virtio0/virtio-ports/vport0p1'
Call Trace:
[<ffffffff8106b607>] ? warn_slowpath_common+0x87/0xc0
[<ffffffff8106b6f6>] ? warn_slowpath_fmt+0x46/0x50
[<ffffffff811f2319>] ? sysfs_add_one+0xc9/0x130
[<ffffffff811f23e8>] ? create_dir+0x68/0xb0
[<ffffffff811f2469>] ? sysfs_create_dir+0x39/0x50
[<ffffffff81273129>] ? kobject_add_internal+0xb9/0x260
[<ffffffff812733d8>] ? kobject_add_varg+0x38/0x60
[<ffffffff812734b4>] ? kobject_add+0x44/0x70
[<ffffffff81349de4>] ? get_device_parent+0xf4/0x1d0
[<ffffffff8134b389>] ? device_add+0xc9/0x650
-------------------8<---------------------------------------
Instead of relying on guest applications to release all references to
the ports, we should go ahead and unregister the port from all the core
layers. Any open/read calls on the port will then just return errors,
and an unplug/plug operation on the host will succeed as expected.
This also caused buggy behaviour in case of the device removal (not just
a port): when the device was removed (which means all ports on that
device are removed automatically as well), the ports with active
users would clean up only when the last references were dropped -- and
it would be too late then to be referencing char device pointers,
resulting in oopses:
-------------------8<---------------------------------------
PID: 6162 TASK: ffff8801147ad500 CPU: 0 COMMAND: "cat"
#0 [ffff88011b9d5a90] machine_kexec at ffffffff8103232b
#1 [ffff88011b9d5af0] crash_kexec at ffffffff810b9322
#2 [ffff88011b9d5bc0] oops_end at ffffffff814f4a50
#3 [ffff88011b9d5bf0] die at ffffffff8100f26b
#4 [ffff88011b9d5c20] do_general_protection at ffffffff814f45e2
#5 [ffff88011b9d5c50] general_protection at ffffffff814f3db5
[exception RIP: strlen+2]
RIP: ffffffff81272ae2 RSP: ffff88011b9d5d00 RFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff880118901c18 RCX: 0000000000000000
RDX: ffff88011799982c RSI: 00000000000000d0 RDI: 3a303030302f3030
RBP: ffff88011b9d5d38 R8: 0000000000000006 R9: ffffffffa0134500
R10: 0000000000001000 R11: 0000000000001000 R12: ffff880117a1cc10
R13: 00000000000000d0 R14: 0000000000000017 R15: ffffffff81aff700
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#6 [ffff88011b9d5d00] kobject_get_path at ffffffff8126dc5d
#7 [ffff88011b9d5d40] kobject_uevent_env at ffffffff8126e551
#8 [ffff88011b9d5dd0] kobject_uevent at ffffffff8126e9eb
#9 [ffff88011b9d5de0] device_del at ffffffff813440c7
-------------------8<---------------------------------------
So clean up when we have all the context, and all that's left to do when
the references to the port have dropped is to free up the port struct
itself.
CC: <stable@vger.kernel.org>
Reported-by: chayang <chayang@redhat.com>
Reported-by: YOGANANTH SUBRAMANIAN <anantyog@in.ibm.com>
Reported-by: FuXiangChun <xfu@redhat.com>
Reported-by: Qunfang Zhang <qzhang@redhat.com>
Reported-by: Sibiao Luo <sluo@redhat.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/char/virtio_console.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index a57cc3b..e6a51da 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1261,14 +1261,6 @@ static void remove_port(struct kref *kref)
port = container_of(kref, struct port, kref);
- sysfs_remove_group(&port->dev->kobj, &port_attribute_group);
- device_destroy(pdrvdata.class, port->dev->devt);
- cdev_del(port->cdev);
-
- kfree(port->name);
-
- debugfs_remove(port->debugfs_file);
-
kfree(port);
}
@@ -1322,6 +1314,14 @@ static void unplug_port(struct port *port)
*/
port->portdev = NULL;
+ sysfs_remove_group(&port->dev->kobj, &port_attribute_group);
+ device_destroy(pdrvdata.class, port->dev->devt);
+ cdev_del(port->cdev);
+
+ kfree(port->name);
+
+ debugfs_remove(port->debugfs_file);
+
/*
* Locks around here are not necessary - a port can't be
* opened after we removed the port struct from ports_list
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [177/251] virtio: console: fix raising SIGIO after port unplug
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (174 preceding siblings ...)
2013-09-11 4:30 ` [176/251] virtio: console: clean up port data immediately at time of unplug Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [178/251] virtio: console: return -ENODEV on all read operations after unplug Steven Rostedt
` (74 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Amit Shah, Rusty Russell
[-- Attachment #1: 0177-virtio-console-fix-raising-SIGIO-after-port-unplug.patch --]
[-- Type: text/plain, Size: 1587 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Amit Shah <amit.shah@redhat.com>
[ Upstream commit 92d3453815fbe74d539c86b60dab39ecdf01bb99 ]
SIGIO should be sent when a port gets unplugged. It should only be sent
to prcesses that have the port opened, and have asked for SIGIO to be
delivered. We were clearing out guest_connected before calling
send_sigio_to_port(), resulting in a sigio not getting sent to
processes.
Fix by setting guest_connected to false after invoking the sigio
function.
CC: <stable@vger.kernel.org>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/char/virtio_console.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index e6a51da..4df55cb 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1290,12 +1290,14 @@ static void unplug_port(struct port *port)
spin_unlock_irq(&port->portdev->ports_lock);
if (port->guest_connected) {
+ /* Let the app know the port is going down. */
+ send_sigio_to_port(port);
+
+ /* Do this after sigio is actually sent */
port->guest_connected = false;
port->host_connected = false;
- wake_up_interruptible(&port->waitqueue);
- /* Let the app know the port is going down. */
- send_sigio_to_port(port);
+ wake_up_interruptible(&port->waitqueue);
}
if (is_console_port(port)) {
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [178/251] virtio: console: return -ENODEV on all read operations after unplug
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (175 preceding siblings ...)
2013-09-11 4:30 ` [177/251] virtio: console: fix raising SIGIO after port unplug Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [179/251] drm/cirrus: Invalidate page tables when pinning a BO Steven Rostedt
` (73 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Amit Shah, Rusty Russell
[-- Attachment #1: 0178-virtio-console-return-ENODEV-on-all-read-operations-.patch --]
[-- Type: text/plain, Size: 1771 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Amit Shah <amit.shah@redhat.com>
[ Upstream commit 96f97a83910cdb9d89d127c5ee523f8fc040a804 ]
If a port gets unplugged while a user is blocked on read(), -ENODEV is
returned. However, subsequent read()s returned 0, indicating there's no
host-side connection (but not indicating the device went away).
This also happened when a port was unplugged and the user didn't have
any blocking operation pending. If the user didn't monitor the SIGIO
signal, they won't have a chance to find out if the port went away.
Fix by returning -ENODEV on all read()s after the port gets unplugged.
write() already behaves this way.
CC: <stable@vger.kernel.org>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/char/virtio_console.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 4df55cb..edb2ecb 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -637,6 +637,10 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf,
port = filp->private_data;
+ /* Port is hot-unplugged. */
+ if (!port->guest_connected)
+ return -ENODEV;
+
if (!port_has_data(port)) {
/*
* If nothing's connected on the host just return 0 in
@@ -653,7 +657,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf,
if (ret < 0)
return ret;
}
- /* Port got hot-unplugged. */
+ /* Port got hot-unplugged while we were waiting above. */
if (!port->guest_connected)
return -ENODEV;
/*
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [179/251] drm/cirrus: Invalidate page tables when pinning a BO
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (176 preceding siblings ...)
2013-09-11 4:30 ` [178/251] virtio: console: return -ENODEV on all read operations after unplug Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [180/251] drm/mgag200: " Steven Rostedt
` (72 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Michal Srb, Dave Airlie
[-- Attachment #1: 0179-drm-cirrus-Invalidate-page-tables-when-pinning-a-BO.patch --]
[-- Type: text/plain, Size: 1305 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Michal Srb <msrb@suse.com>
[ Upstream commit 109a51598869a39fdcec2d49672a9a39b6d89481 ]
This is a cirrus version of Egbert Eich's patch for mgag200.
Without bo.bdev->dev_mapping set, the ttm_bo_unmap_virtual_locked
called from ttm_bo_handle_move_mem returns with no effect. If any
application accessed the memory before it was moved, it will
access wrong memory next time. This causes crashes when changing
resolution down.
Signed-off-by: Michal Srb <msrb@suse.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/gpu/drm/cirrus/cirrus_ttm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/cirrus/cirrus_ttm.c b/drivers/gpu/drm/cirrus/cirrus_ttm.c
index d4b1b1d..d57bcc8 100644
--- a/drivers/gpu/drm/cirrus/cirrus_ttm.c
+++ b/drivers/gpu/drm/cirrus/cirrus_ttm.c
@@ -353,6 +353,7 @@ int cirrus_bo_create(struct drm_device *dev, int size, int align,
cirrusbo->gem.driver_private = NULL;
cirrusbo->bo.bdev = &cirrus->ttm.bdev;
+ cirrusbo->bo.bdev->dev_mapping = dev->dev_mapping;
cirrus_ttm_placement(cirrusbo, TTM_PL_FLAG_VRAM | TTM_PL_FLAG_SYSTEM);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [180/251] drm/mgag200: Invalidate page tables when pinning a BO
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (177 preceding siblings ...)
2013-09-11 4:30 ` [179/251] drm/cirrus: Invalidate page tables when pinning a BO Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [181/251] drm/ast: invalidate " Steven Rostedt
` (71 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Egbert Eich, Dave Airlie
[-- Attachment #1: 0180-drm-mgag200-Invalidate-page-tables-when-pinning-a-BO.patch --]
[-- Type: text/plain, Size: 1399 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Egbert Eich <eich@suse.com>
[ Upstream commit ecaac1c866bcda4780a963b3d18cd310d971aea3 ]
When a BO gets pinned the placement may get changed. If the memory is
mapped into user space and user space has already accessed the mapped
range the page tables are set up but now point to the wrong memory.
Set bo.mdev->dev_mapping in mgag200_bo_create() to make sure that
ttm_bo_unmap_virtual() called from ttm_bo_handle_move_mem() will take
care of this.
v2: Don't call ttm_bo_unmap_virtual() in mgag200_bo_pin(), fix comment.
Signed-off-by: Egbert Eich <eich@suse.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/gpu/drm/mgag200/mgag200_ttm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/mgag200/mgag200_ttm.c b/drivers/gpu/drm/mgag200/mgag200_ttm.c
index a707394..95b5377 100644
--- a/drivers/gpu/drm/mgag200/mgag200_ttm.c
+++ b/drivers/gpu/drm/mgag200/mgag200_ttm.c
@@ -347,6 +347,7 @@ int mgag200_bo_create(struct drm_device *dev, int size, int align,
mgabo->gem.driver_private = NULL;
mgabo->bo.bdev = &mdev->ttm.bdev;
+ mgabo->bo.bdev->dev_mapping = dev->dev_mapping;
mgag200_ttm_placement(mgabo, TTM_PL_FLAG_VRAM | TTM_PL_FLAG_SYSTEM);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [181/251] drm/ast: invalidate page tables when pinning a BO
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (178 preceding siblings ...)
2013-09-11 4:30 ` [180/251] drm/mgag200: " Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [182/251] ext4: allow the mount options nodelalloc and data=journal Steven Rostedt
` (70 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Dave Airlie
[-- Attachment #1: 0181-drm-ast-invalidate-page-tables-when-pinning-a-BO.patch --]
[-- Type: text/plain, Size: 913 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Dave Airlie <airlied@redhat.com>
[ Upstream commit 3ac65259328324de323dc006b52ff7c1a5b18d19 ]
same fix as cirrus and mgag200.
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/gpu/drm/ast/ast_ttm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/ast/ast_ttm.c b/drivers/gpu/drm/ast/ast_ttm.c
index 2a6027c..566934c 100644
--- a/drivers/gpu/drm/ast/ast_ttm.c
+++ b/drivers/gpu/drm/ast/ast_ttm.c
@@ -348,6 +348,7 @@ int ast_bo_create(struct drm_device *dev, int size, int align,
astbo->gem.driver_private = NULL;
astbo->bo.bdev = &ast->ttm.bdev;
+ astbo->bo.bdev->dev_mapping = dev->dev_mapping;
ast_ttm_placement(astbo, TTM_PL_FLAG_VRAM | TTM_PL_FLAG_SYSTEM);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [182/251] ext4: allow the mount options nodelalloc and data=journal
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (179 preceding siblings ...)
2013-09-11 4:30 ` [181/251] drm/ast: invalidate " Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [183/251] ext4: fix mount/remount error messages for incompatible mount options Steven Rostedt
` (69 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Piotr Sarna, Theodore Tso
[-- Attachment #1: 0182-ext4-allow-the-mount-options-nodelalloc-and-data-jou.patch --]
[-- Type: text/plain, Size: 1397 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
[ Upstream commit 59d9fa5c2e9086db11aa287bb4030151d0095a17 ]
Commit 26092bf ("ext4: use a table-driven handler for mount options")
wrongly disallows the specifying the mount options nodelalloc and
data=journal simultaneously. This is incorrect; it should have only
disallowed the combination of delalloc and data=journal
simultaneously.
Reported-by: Piotr Sarna <p.sarna@partner.samsung.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/ext4/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index f9b129c..ec3f293 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1422,7 +1422,7 @@ static const struct mount_opts {
{Opt_discard, EXT4_MOUNT_DISCARD, MOPT_SET},
{Opt_nodiscard, EXT4_MOUNT_DISCARD, MOPT_CLEAR},
{Opt_delalloc, EXT4_MOUNT_DELALLOC, MOPT_SET | MOPT_EXPLICIT},
- {Opt_nodelalloc, EXT4_MOUNT_DELALLOC, MOPT_CLEAR | MOPT_EXPLICIT},
+ {Opt_nodelalloc, EXT4_MOUNT_DELALLOC, MOPT_CLEAR},
{Opt_journal_checksum, EXT4_MOUNT_JOURNAL_CHECKSUM, MOPT_SET},
{Opt_journal_async_commit, (EXT4_MOUNT_JOURNAL_ASYNC_COMMIT |
EXT4_MOUNT_JOURNAL_CHECKSUM), MOPT_SET},
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [183/251] ext4: fix mount/remount error messages for incompatible mount options
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (180 preceding siblings ...)
2013-09-11 4:30 ` [182/251] ext4: allow the mount options nodelalloc and data=journal Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [184/251] cifs: extend the buffer length enought for sprintf() using Steven Rostedt
` (68 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Piotr Sarna, Bartlomiej Zolnierkiewicz, Kyungmin Park, Theodore Tso
[-- Attachment #1: 0183-ext4-fix-mount-remount-error-messages-for-incompatib.patch --]
[-- Type: text/plain, Size: 2395 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Piotr Sarna <p.sarna@partner.samsung.com>
[ Upstream commit 6ae6514b33f941d3386da0dfbe2942766eab1577 ]
Commit 5688978 ("ext4: improve handling of conflicting mount options")
introduced incorrect messages shown while choosing wrong mount options.
First of all, both cases of incorrect mount options,
"data=journal,delalloc" and "data=journal,dioread_nolock" result in
the same error message.
Secondly, the problem above isn't solved for remount option: the
mismatched parameter is simply ignored. Moreover, ext4_msg states
that remount with options "data=journal,delalloc" succeeded, which is
not true.
To fix it up, I added a simple check after parse_options() call to
ensure that data=journal and delalloc/dioread_nolock parameters are
not present at the same time.
Signed-off-by: Piotr Sarna <p.sarna@partner.samsung.com>
Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/ext4/super.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index ec3f293..7099a33 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3405,7 +3405,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
}
if (test_opt(sb, DIOREAD_NOLOCK)) {
ext4_msg(sb, KERN_ERR, "can't mount with "
- "both data=journal and delalloc");
+ "both data=journal and dioread_nolock");
goto failed_mount;
}
if (test_opt(sb, DELALLOC))
@@ -4583,6 +4583,21 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data)
goto restore_opts;
}
+ if (test_opt(sb, DATA_FLAGS) == EXT4_MOUNT_JOURNAL_DATA) {
+ if (test_opt2(sb, EXPLICIT_DELALLOC)) {
+ ext4_msg(sb, KERN_ERR, "can't mount with "
+ "both data=journal and delalloc");
+ err = -EINVAL;
+ goto restore_opts;
+ }
+ if (test_opt(sb, DIOREAD_NOLOCK)) {
+ ext4_msg(sb, KERN_ERR, "can't mount with "
+ "both data=journal and dioread_nolock");
+ err = -EINVAL;
+ goto restore_opts;
+ }
+ }
+
if (sbi->s_mount_flags & EXT4_MF_FS_ABORTED)
ext4_abort(sb, "Abort forced by user");
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [184/251] cifs: extend the buffer length enought for sprintf() using
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (181 preceding siblings ...)
2013-09-11 4:30 ` [183/251] ext4: fix mount/remount error messages for incompatible mount options Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [185/251] zram: allow request end to coincide with disksize Steven Rostedt
` (67 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Chen Gang, Jeff Layton, Shirish Pargaonkar, Scott Lovenberg,
Steve French
[-- Attachment #1: 0184-cifs-extend-the-buffer-length-enought-for-sprintf-us.patch --]
[-- Type: text/plain, Size: 3961 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Chen Gang <gang.chen@asianux.com>
[ Upstream commit 057d6332b24a4497c55a761c83c823eed9e3f23b ]
For cifs_set_cifscreds() in "fs/cifs/connect.c", 'desc' buffer length
is 'CIFSCREDS_DESC_SIZE' (56 is less than 256), and 'ses->domainName'
length may be "255 + '\0'".
The related sprintf() may cause memory overflow, so need extend related
buffer enough to hold all things.
It is also necessary to be sure of 'ses->domainName' must be less than
256, and define the related macro instead of hard code number '256'.
Signed-off-by: Chen Gang <gang.chen@asianux.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Reviewed-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Reviewed-by: Scott Lovenberg <scott.lovenberg@gmail.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/cifs/cifsencrypt.c | 2 +-
fs/cifs/cifsglob.h | 1 +
fs/cifs/connect.c | 7 ++++---
fs/cifs/sess.c | 6 +++---
4 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
index 9caf0c6..c6828ae 100644
--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -369,7 +369,7 @@ find_domain_name(struct cifs_ses *ses, const struct nls_table *nls_cp)
if (blobptr + attrsize > blobend)
break;
if (type == NTLMSSP_AV_NB_DOMAIN_NAME) {
- if (!attrsize)
+ if (!attrsize || attrsize >= CIFS_MAX_DOMAINNAME_LEN)
break;
if (!ses->domainName) {
ses->domainName =
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 977dc0e..4af59dc 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -42,6 +42,7 @@
#define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1)
#define MAX_SERVER_SIZE 15
#define MAX_SHARE_SIZE 80
+#define CIFS_MAX_DOMAINNAME_LEN 256 /* max domain name length */
#define MAX_USERNAME_SIZE 256 /* reasonable maximum for current servers */
#define MAX_PASSWORD_SIZE 512 /* max for windows seems to be 256 wide chars */
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 487db09..8239cba 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1611,7 +1611,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname,
if (string == NULL)
goto out_nomem;
- if (strnlen(string, 256) == 256) {
+ if (strnlen(string, CIFS_MAX_DOMAINNAME_LEN)
+ == CIFS_MAX_DOMAINNAME_LEN) {
printk(KERN_WARNING "CIFS: domain name too"
" long\n");
goto cifs_parse_mount_err;
@@ -2298,8 +2299,8 @@ cifs_put_smb_ses(struct cifs_ses *ses)
#ifdef CONFIG_KEYS
-/* strlen("cifs:a:") + INET6_ADDRSTRLEN + 1 */
-#define CIFSCREDS_DESC_SIZE (7 + INET6_ADDRSTRLEN + 1)
+/* strlen("cifs:a:") + CIFS_MAX_DOMAINNAME_LEN + 1 */
+#define CIFSCREDS_DESC_SIZE (7 + CIFS_MAX_DOMAINNAME_LEN + 1)
/* Populate username and pw fields from keyring if possible */
static int
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 382c06d..673db0b 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -198,7 +198,7 @@ static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
bytes_ret = 0;
} else
bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr, ses->domainName,
- 256, nls_cp);
+ CIFS_MAX_DOMAINNAME_LEN, nls_cp);
bcc_ptr += 2 * bytes_ret;
bcc_ptr += 2; /* account for null terminator */
@@ -256,8 +256,8 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
/* copy domain */
if (ses->domainName != NULL) {
- strncpy(bcc_ptr, ses->domainName, 256);
- bcc_ptr += strnlen(ses->domainName, 256);
+ strncpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
+ bcc_ptr += strnlen(ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
} /* else we will send a null domain name
so the server will default to its own domain */
*bcc_ptr = 0;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [185/251] zram: allow request end to coincide with disksize
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (182 preceding siblings ...)
2013-09-11 4:30 ` [184/251] cifs: extend the buffer length enought for sprintf() using Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [186/251] debugfs: debugfs_remove_recursive() must not rely on list_empty(d_subdirs) Steven Rostedt
` (66 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sergey Senozhatsky, Greg Kroah-Hartman
[-- Attachment #1: 0185-zram-allow-request-end-to-coincide-with-disksize.patch --]
[-- Type: text/plain, Size: 1432 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
[ Upstream commit 75c7caf5a052ffd8db3312fa7864ee2d142890c4 ]
Pass valid_io_request() checks if request end coincides with disksize
(end equals bound), only fail if we attempt to read beyond the bound.
mkfs.ext2 produces numerous errors:
[ 2164.632747] quiet_error: 1 callbacks suppressed
[ 2164.633260] Buffer I/O error on device zram0, logical block 153599
[ 2164.633265] lost page write due to I/O error on zram0
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/staging/zram/zram_drv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
index 3a79d70..b9b3342 100644
--- a/drivers/staging/zram/zram_drv.c
+++ b/drivers/staging/zram/zram_drv.c
@@ -478,7 +478,7 @@ static inline int valid_io_request(struct zram *zram, struct bio *bio)
end = start + (bio->bi_size >> SECTOR_SHIFT);
bound = zram->disksize >> SECTOR_SHIFT;
/* out of range range */
- if (unlikely(start >= bound || end >= bound || start > end))
+ if (unlikely(start >= bound || end > bound || start > end))
return 0;
/* I/O request is valid */
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [186/251] debugfs: debugfs_remove_recursive() must not rely on list_empty(d_subdirs)
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (183 preceding siblings ...)
2013-09-11 4:30 ` [185/251] zram: allow request end to coincide with disksize Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [187/251] reiserfs: fix deadlock in umount Steven Rostedt
` (65 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Greg Kroah-Hartman, Oleg Nesterov
[-- Attachment #1: 0186-debugfs-debugfs_remove_recursive-must-not-rely-on-li.patch --]
[-- Type: text/plain, Size: 4691 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
[ Upstream commit 776164c1faac4966ab14418bb0922e1820da1d19 ]
debugfs_remove_recursive() is wrong,
1. it wrongly assumes that !list_empty(d_subdirs) means that this
dir should be removed.
This is not that bad by itself, but:
2. if d_subdirs does not becomes empty after __debugfs_remove()
it gives up and silently fails, it doesn't even try to remove
other entries.
However ->d_subdirs can be non-empty because it still has the
already deleted !debugfs_positive() entries.
3. simple_release_fs() is called even if __debugfs_remove() fails.
Suppose we have
dir1/
dir2/
file2
file1
and someone opens dir1/dir2/file2.
Now, debugfs_remove_recursive(dir1/dir2) succeeds, and dir1/dir2 goes
away.
But debugfs_remove_recursive(dir1) silently fails and doesn't remove
this directory. Because it tries to delete (the already deleted)
dir1/dir2/file2 again and then fails due to "Avoid infinite loop"
logic.
Test-case:
#!/bin/sh
cd /sys/kernel/debug/tracing
echo 'p:probe/sigprocmask sigprocmask' >> kprobe_events
sleep 1000 < events/probe/sigprocmask/id &
echo -n >| kprobe_events
[ -d events/probe ] && echo "ERR!! failed to rm probe"
And after that it is not possible to create another probe entry.
With this patch debugfs_remove_recursive() skips !debugfs_positive()
files although this is not strictly needed. The most important change
is that it does not try to make ->d_subdirs empty, it simply scans
the whole list(s) recursively and removes as much as possible.
Link: http://lkml.kernel.org/r/20130726151256.GC19472@redhat.com
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/debugfs/inode.c | 69 +++++++++++++++++-----------------------------------
1 file changed, 22 insertions(+), 47 deletions(-)
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index 4733eab..327b802 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -524,8 +524,7 @@ EXPORT_SYMBOL_GPL(debugfs_remove);
*/
void debugfs_remove_recursive(struct dentry *dentry)
{
- struct dentry *child;
- struct dentry *parent;
+ struct dentry *child, *next, *parent;
if (IS_ERR_OR_NULL(dentry))
return;
@@ -535,61 +534,37 @@ void debugfs_remove_recursive(struct dentry *dentry)
return;
parent = dentry;
+ down:
mutex_lock(&parent->d_inode->i_mutex);
+ list_for_each_entry_safe(child, next, &parent->d_subdirs, d_u.d_child) {
+ if (!debugfs_positive(child))
+ continue;
- while (1) {
- /*
- * When all dentries under "parent" has been removed,
- * walk up the tree until we reach our starting point.
- */
- if (list_empty(&parent->d_subdirs)) {
- mutex_unlock(&parent->d_inode->i_mutex);
- if (parent == dentry)
- break;
- parent = parent->d_parent;
- mutex_lock(&parent->d_inode->i_mutex);
- }
- child = list_entry(parent->d_subdirs.next, struct dentry,
- d_u.d_child);
- next_sibling:
-
- /*
- * If "child" isn't empty, walk down the tree and
- * remove all its descendants first.
- */
+ /* perhaps simple_empty(child) makes more sense */
if (!list_empty(&child->d_subdirs)) {
mutex_unlock(&parent->d_inode->i_mutex);
parent = child;
- mutex_lock(&parent->d_inode->i_mutex);
- continue;
+ goto down;
}
- __debugfs_remove(child, parent);
- if (parent->d_subdirs.next == &child->d_u.d_child) {
- /*
- * Try the next sibling.
- */
- if (child->d_u.d_child.next != &parent->d_subdirs) {
- child = list_entry(child->d_u.d_child.next,
- struct dentry,
- d_u.d_child);
- goto next_sibling;
- }
-
- /*
- * Avoid infinite loop if we fail to remove
- * one dentry.
- */
- mutex_unlock(&parent->d_inode->i_mutex);
- break;
- }
- simple_release_fs(&debugfs_mount, &debugfs_mount_count);
+ up:
+ if (!__debugfs_remove(child, parent))
+ simple_release_fs(&debugfs_mount, &debugfs_mount_count);
}
- parent = dentry->d_parent;
+ mutex_unlock(&parent->d_inode->i_mutex);
+ child = parent;
+ parent = parent->d_parent;
mutex_lock(&parent->d_inode->i_mutex);
- __debugfs_remove(dentry, parent);
+
+ if (child != dentry) {
+ next = list_entry(child->d_u.d_child.next, struct dentry,
+ d_u.d_child);
+ goto up;
+ }
+
+ if (!__debugfs_remove(child, parent))
+ simple_release_fs(&debugfs_mount, &debugfs_mount_count);
mutex_unlock(&parent->d_inode->i_mutex);
- simple_release_fs(&debugfs_mount, &debugfs_mount_count);
}
EXPORT_SYMBOL_GPL(debugfs_remove_recursive);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [187/251] reiserfs: fix deadlock in umount
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (184 preceding siblings ...)
2013-09-11 4:30 ` [186/251] debugfs: debugfs_remove_recursive() must not rely on list_empty(d_subdirs) Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` Steven Rostedt
` (64 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Al Viro
[-- Attachment #1: 0187-reiserfs-fix-deadlock-in-umount.patch --]
[-- Type: text/plain, Size: 7067 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 672fe15d091ce76d6fb98e489962e9add7c1ba4c ]
Since remove_proc_entry() started to wait for IO in progress (i.e.
since 2007 or so), the locking in fs/reiserfs/proc.c became wrong;
if procfs read happens between the moment when umount() locks the
victim superblock and removal of /proc/fs/reiserfs/<device>/*,
we'll get a deadlock - read will wait for s_umount (in sget(),
called by r_start()), while umount will wait in remove_proc_entry()
for that read to finish, holding s_umount all along.
Fortunately, the same change allows a much simpler race avoidance -
all we need to do is remove the procfs entries in the very beginning
of reiserfs ->kill_sb(); that'll guarantee that pointer to superblock
will remain valid for the duration for procfs IO, so we don't need
sget() to keep the sucker alive. As the matter of fact, we can
get rid of the home-grown iterator completely, and use single_open()
instead.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/reiserfs/procfs.c | 92 +++++++++++---------------------------------------
fs/reiserfs/super.c | 3 +-
2 files changed, 20 insertions(+), 75 deletions(-)
diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c
index e60e870..d700e3f 100644
--- a/fs/reiserfs/procfs.c
+++ b/fs/reiserfs/procfs.c
@@ -19,12 +19,13 @@
/*
* LOCKING:
*
- * We rely on new Alexander Viro's super-block locking.
+ * These guys are evicted from procfs as the very first step in ->kill_sb().
*
*/
-static int show_version(struct seq_file *m, struct super_block *sb)
+static int show_version(struct seq_file *m, void *unused)
{
+ struct super_block *sb = m->private;
char *format;
if (REISERFS_SB(sb)->s_properties & (1 << REISERFS_3_6)) {
@@ -66,8 +67,9 @@ static int show_version(struct seq_file *m, struct super_block *sb)
#define DJP( x ) le32_to_cpu( jp -> x )
#define JF( x ) ( r -> s_journal -> x )
-static int show_super(struct seq_file *m, struct super_block *sb)
+static int show_super(struct seq_file *m, void *unused)
{
+ struct super_block *sb = m->private;
struct reiserfs_sb_info *r = REISERFS_SB(sb);
seq_printf(m, "state: \t%s\n"
@@ -128,8 +130,9 @@ static int show_super(struct seq_file *m, struct super_block *sb)
return 0;
}
-static int show_per_level(struct seq_file *m, struct super_block *sb)
+static int show_per_level(struct seq_file *m, void *unused)
{
+ struct super_block *sb = m->private;
struct reiserfs_sb_info *r = REISERFS_SB(sb);
int level;
@@ -186,8 +189,9 @@ static int show_per_level(struct seq_file *m, struct super_block *sb)
return 0;
}
-static int show_bitmap(struct seq_file *m, struct super_block *sb)
+static int show_bitmap(struct seq_file *m, void *unused)
{
+ struct super_block *sb = m->private;
struct reiserfs_sb_info *r = REISERFS_SB(sb);
seq_printf(m, "free_block: %lu\n"
@@ -218,8 +222,9 @@ static int show_bitmap(struct seq_file *m, struct super_block *sb)
return 0;
}
-static int show_on_disk_super(struct seq_file *m, struct super_block *sb)
+static int show_on_disk_super(struct seq_file *m, void *unused)
{
+ struct super_block *sb = m->private;
struct reiserfs_sb_info *sb_info = REISERFS_SB(sb);
struct reiserfs_super_block *rs = sb_info->s_rs;
int hash_code = DFL(s_hash_function_code);
@@ -261,8 +266,9 @@ static int show_on_disk_super(struct seq_file *m, struct super_block *sb)
return 0;
}
-static int show_oidmap(struct seq_file *m, struct super_block *sb)
+static int show_oidmap(struct seq_file *m, void *unused)
{
+ struct super_block *sb = m->private;
struct reiserfs_sb_info *sb_info = REISERFS_SB(sb);
struct reiserfs_super_block *rs = sb_info->s_rs;
unsigned int mapsize = le16_to_cpu(rs->s_v1.s_oid_cursize);
@@ -291,8 +297,9 @@ static int show_oidmap(struct seq_file *m, struct super_block *sb)
return 0;
}
-static int show_journal(struct seq_file *m, struct super_block *sb)
+static int show_journal(struct seq_file *m, void *unused)
{
+ struct super_block *sb = m->private;
struct reiserfs_sb_info *r = REISERFS_SB(sb);
struct reiserfs_super_block *rs = r->s_rs;
struct journal_params *jp = &rs->s_v1.s_journal;
@@ -383,85 +390,24 @@ static int show_journal(struct seq_file *m, struct super_block *sb)
return 0;
}
-/* iterator */
-static int test_sb(struct super_block *sb, void *data)
-{
- return data == sb;
-}
-
-static int set_sb(struct super_block *sb, void *data)
-{
- return -ENOENT;
-}
-
-static void *r_start(struct seq_file *m, loff_t * pos)
-{
- struct proc_dir_entry *de = m->private;
- struct super_block *s = de->parent->data;
- loff_t l = *pos;
-
- if (l)
- return NULL;
-
- if (IS_ERR(sget(&reiserfs_fs_type, test_sb, set_sb, 0, s)))
- return NULL;
-
- up_write(&s->s_umount);
- return s;
-}
-
-static void *r_next(struct seq_file *m, void *v, loff_t * pos)
-{
- ++*pos;
- if (v)
- deactivate_super(v);
- return NULL;
-}
-
-static void r_stop(struct seq_file *m, void *v)
-{
- if (v)
- deactivate_super(v);
-}
-
-static int r_show(struct seq_file *m, void *v)
-{
- struct proc_dir_entry *de = m->private;
- int (*show) (struct seq_file *, struct super_block *) = de->data;
- return show(m, v);
-}
-
-static const struct seq_operations r_ops = {
- .start = r_start,
- .next = r_next,
- .stop = r_stop,
- .show = r_show,
-};
-
static int r_open(struct inode *inode, struct file *file)
{
- int ret = seq_open(file, &r_ops);
-
- if (!ret) {
- struct seq_file *m = file->private_data;
- m->private = PDE(inode);
- }
- return ret;
+ return single_open(file, PDE(inode)->data,
+ PDE(inode)->parent->data);
}
static const struct file_operations r_file_operations = {
.open = r_open,
.read = seq_read,
.llseek = seq_lseek,
- .release = seq_release,
- .owner = THIS_MODULE,
+ .release = single_release,
};
static struct proc_dir_entry *proc_info_root = NULL;
static const char proc_info_root_name[] = "fs/reiserfs";
static void add_file(struct super_block *sb, char *name,
- int (*func) (struct seq_file *, struct super_block *))
+ int (*func) (struct seq_file *, void *))
{
proc_create_data(name, 0, REISERFS_SB(sb)->procdir,
&r_file_operations, func);
diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
index 4300030..cd4b149 100644
--- a/fs/reiserfs/super.c
+++ b/fs/reiserfs/super.c
@@ -499,6 +499,7 @@ int remove_save_link(struct inode *inode, int truncate)
static void reiserfs_kill_sb(struct super_block *s)
{
if (REISERFS_SB(s)) {
+ reiserfs_proc_info_done(s);
/*
* Force any pending inode evictions to occur now. Any
* inodes to be removed that have extended attributes
@@ -554,8 +555,6 @@ static void reiserfs_put_super(struct super_block *s)
REISERFS_SB(s)->reserved_blocks);
}
- reiserfs_proc_info_done(s);
-
reiserfs_write_unlock(s);
mutex_destroy(&REISERFS_SB(s)->lock);
kfree(s->s_fs_info);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [188/251] nsp32: use mdelay instead of large udelay constants
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:27 ` [002/251] ALSA: hda - Cache the MUX selection for generic HDMI Steven Rostedt
` (249 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Arnd Bergmann, GOTO Masanori, YOKOTA Hiroshi,
James E.J. Bottomley, linux-scsi
[-- Attachment #1: 0188-nsp32-use-mdelay-instead-of-large-udelay-constants.patch --]
[-- Type: text/plain, Size: 1165 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit b497ceb964a80ebada3b9b3cea4261409039e25a ]
ARM cannot handle udelay for more than 2 miliseconds, so we
should use mdelay instead for those.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: GOTO Masanori <gotom@debian.or.jp>
Cc: YOKOTA Hiroshi <yokota@netlab.is.tsukuba.ac.jp>
Cc: "James E.J. Bottomley" <JBottomley@parallels.com>
Cc: linux-scsi@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/scsi/nsp32.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/nsp32.c b/drivers/scsi/nsp32.c
index 62b6168..e705ed3 100644
--- a/drivers/scsi/nsp32.c
+++ b/drivers/scsi/nsp32.c
@@ -2926,7 +2926,7 @@ static void nsp32_do_bus_reset(nsp32_hw_data *data)
* reset SCSI bus
*/
nsp32_write1(base, SCSI_BUS_CONTROL, BUSCTL_RST);
- udelay(RESET_HOLD_TIME);
+ mdelay(RESET_HOLD_TIME / 1000);
nsp32_write1(base, SCSI_BUS_CONTROL, 0);
for(i = 0; i < 5; i++) {
intrdat = nsp32_read2(base, IRQ_STATUS); /* dummy read */
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [188/251] nsp32: use mdelay instead of large udelay constants
@ 2013-09-11 4:30 ` Steven Rostedt
0 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Arnd Bergmann, GOTO Masanori, YOKOTA Hiroshi,
James E.J. Bottomley, linux-scsi
[-- Attachment #1: 0188-nsp32-use-mdelay-instead-of-large-udelay-constants.patch --]
[-- Type: text/plain, Size: 1163 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit b497ceb964a80ebada3b9b3cea4261409039e25a ]
ARM cannot handle udelay for more than 2 miliseconds, so we
should use mdelay instead for those.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: GOTO Masanori <gotom@debian.or.jp>
Cc: YOKOTA Hiroshi <yokota@netlab.is.tsukuba.ac.jp>
Cc: "James E.J. Bottomley" <JBottomley@parallels.com>
Cc: linux-scsi@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/scsi/nsp32.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/nsp32.c b/drivers/scsi/nsp32.c
index 62b6168..e705ed3 100644
--- a/drivers/scsi/nsp32.c
+++ b/drivers/scsi/nsp32.c
@@ -2926,7 +2926,7 @@ static void nsp32_do_bus_reset(nsp32_hw_data *data)
* reset SCSI bus
*/
nsp32_write1(base, SCSI_BUS_CONTROL, BUSCTL_RST);
- udelay(RESET_HOLD_TIME);
+ mdelay(RESET_HOLD_TIME / 1000);
nsp32_write1(base, SCSI_BUS_CONTROL, 0);
for(i = 0; i < 5; i++) {
intrdat = nsp32_read2(base, IRQ_STATUS); /* dummy read */
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [189/251] mtd: omap2: allow bulding as a module
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (186 preceding siblings ...)
2013-09-11 4:30 ` Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` Steven Rostedt
` (62 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Arnd Bergmann, Tony Lindgren, David Woodhouse, Artem Bityutskiy,
Afzal Mohammed, Russell King, linux-mtd
[-- Attachment #1: 0189-mtd-omap2-allow-bulding-as-a-module.patch --]
[-- Type: text/plain, Size: 1535 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 930d800bded771b26d9944c47810829130ff7c8c ]
The omap2 nand device driver calls into the the elm code, which can
be a loadable module, and in that case it cannot be built-in itself.
I can see no reason why the omap2 driver cannot also be a module,
so let's make the option "tristate" in Kconfig to fix this allmodconfig
build error:
ERROR: "elm_config" [drivers/mtd/nand/omap2.ko] undefined!
ERROR: "elm_decode_bch_error_page" [drivers/mtd/nand/omap2.ko] undefined!
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Tony Lindgren <tony@atomide.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Cc: Afzal Mohammed <afzal@ti.com>
Cc: Russell King <rmk+kernel@arm.linux.org.uk>
Cc: linux-mtd@lists.infradead.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/mtd/nand/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/nand/Kconfig b/drivers/mtd/nand/Kconfig
index 8ca4176..bd773e2 100644
--- a/drivers/mtd/nand/Kconfig
+++ b/drivers/mtd/nand/Kconfig
@@ -117,7 +117,7 @@ config MTD_NAND_OMAP2
config MTD_NAND_OMAP_BCH
depends on MTD_NAND && MTD_NAND_OMAP2 && ARCH_OMAP3
- bool "Enable support for hardware BCH error correction"
+ tristate "Enable support for hardware BCH error correction"
default n
select BCH
select BCH_CONST_PARAMS
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [190/251] MIPS: Expose missing pci_io{map,unmap} declarations
@ 2013-09-11 4:30 ` Steven Rostedt
0 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Markos Chandras, Steven J. Hill, linux-mips, Ralf Baechle
[-- Attachment #1: 0190-MIPS-Expose-missing-pci_io-map-unmap-declarations.patch --]
[-- Type: text/plain, Size: 2579 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Markos Chandras <markos.chandras@imgtec.com>
[ Upstream commit 78857614104a26cdada4c53eea104752042bf5a1 ]
The GENERIC_PCI_IOMAP does not depend on CONFIG_PCI so move
it to the CONFIG_MIPS symbol so it's always selected for MIPS.
This fixes the missing pci_iomap declaration for MIPS.
Moreover, the pci_iounmap function was not defined in the
io.h header file if the CONFIG_PCI symbol is not set,
but it should since MIPS is not using CONFIG_GENERIC_IOMAP.
This fixes the following problem on a allyesconfig:
drivers/net/ethernet/3com/3c59x.c:1031:2: error: implicit declaration of
function 'pci_iomap' [-Werror=implicit-function-declaration]
drivers/net/ethernet/3com/3c59x.c:1044:3: error: implicit declaration of
function 'pci_iounmap' [-Werror=implicit-function-declaration]
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Acked-by: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: linux-mips@linux-mips.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Patchwork: https://patchwork.linux-mips.org/patch/5478/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
---
arch/mips/Kconfig | 2 +-
arch/mips/include/asm/io.h | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
index faf6528..5367804 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -26,6 +26,7 @@ config MIPS
select HAVE_GENERIC_HARDIRQS
select GENERIC_IRQ_PROBE
select GENERIC_IRQ_SHOW
+ select GENERIC_PCI_IOMAP
select HAVE_ARCH_JUMP_LABEL
select ARCH_WANT_IPC_PARSE_VERSION
select IRQ_FORCED_THREADING
@@ -2392,7 +2393,6 @@ config PCI
bool "Support for PCI controller"
depends on HW_HAS_PCI
select PCI_DOMAINS
- select GENERIC_PCI_IOMAP
select NO_GENERIC_PCI_IOPORT_MAP
help
Find out whether you have a PCI motherboard. PCI is the name of a
diff --git a/arch/mips/include/asm/io.h b/arch/mips/include/asm/io.h
index 29d9c23..98ca652 100644
--- a/arch/mips/include/asm/io.h
+++ b/arch/mips/include/asm/io.h
@@ -169,6 +169,11 @@ static inline void * isa_bus_to_virt(unsigned long address)
extern void __iomem * __ioremap(phys_t offset, phys_t size, unsigned long flags);
extern void __iounmap(const volatile void __iomem *addr);
+#ifndef CONFIG_PCI
+struct pci_dev;
+static inline void pci_iounmap(struct pci_dev *dev, void __iomem *addr) {}
+#endif
+
static inline void __iomem * __ioremap_mode(phys_t offset, unsigned long size,
unsigned long flags)
{
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [190/251] MIPS: Expose missing pci_io{map,unmap} declarations
@ 2013-09-11 4:30 ` Steven Rostedt
0 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Markos Chandras, Steven J. Hill, linux-mips, Ralf Baechle
[-- Attachment #1: 0190-MIPS-Expose-missing-pci_io-map-unmap-declarations.patch --]
[-- Type: text/plain, Size: 2577 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Markos Chandras <markos.chandras@imgtec.com>
[ Upstream commit 78857614104a26cdada4c53eea104752042bf5a1 ]
The GENERIC_PCI_IOMAP does not depend on CONFIG_PCI so move
it to the CONFIG_MIPS symbol so it's always selected for MIPS.
This fixes the missing pci_iomap declaration for MIPS.
Moreover, the pci_iounmap function was not defined in the
io.h header file if the CONFIG_PCI symbol is not set,
but it should since MIPS is not using CONFIG_GENERIC_IOMAP.
This fixes the following problem on a allyesconfig:
drivers/net/ethernet/3com/3c59x.c:1031:2: error: implicit declaration of
function 'pci_iomap' [-Werror=implicit-function-declaration]
drivers/net/ethernet/3com/3c59x.c:1044:3: error: implicit declaration of
function 'pci_iounmap' [-Werror=implicit-function-declaration]
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Acked-by: Steven J. Hill <Steven.Hill@imgtec.com>
Cc: linux-mips@linux-mips.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Patchwork: https://patchwork.linux-mips.org/patch/5478/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
---
arch/mips/Kconfig | 2 +-
arch/mips/include/asm/io.h | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
index faf6528..5367804 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -26,6 +26,7 @@ config MIPS
select HAVE_GENERIC_HARDIRQS
select GENERIC_IRQ_PROBE
select GENERIC_IRQ_SHOW
+ select GENERIC_PCI_IOMAP
select HAVE_ARCH_JUMP_LABEL
select ARCH_WANT_IPC_PARSE_VERSION
select IRQ_FORCED_THREADING
@@ -2392,7 +2393,6 @@ config PCI
bool "Support for PCI controller"
depends on HW_HAS_PCI
select PCI_DOMAINS
- select GENERIC_PCI_IOMAP
select NO_GENERIC_PCI_IOPORT_MAP
help
Find out whether you have a PCI motherboard. PCI is the name of a
diff --git a/arch/mips/include/asm/io.h b/arch/mips/include/asm/io.h
index 29d9c23..98ca652 100644
--- a/arch/mips/include/asm/io.h
+++ b/arch/mips/include/asm/io.h
@@ -169,6 +169,11 @@ static inline void * isa_bus_to_virt(unsigned long address)
extern void __iomem * __ioremap(phys_t offset, phys_t size, unsigned long flags);
extern void __iounmap(const volatile void __iomem *addr);
+#ifndef CONFIG_PCI
+struct pci_dev;
+static inline void pci_iounmap(struct pci_dev *dev, void __iomem *addr) {}
+#endif
+
static inline void __iomem * __ioremap_mode(phys_t offset, unsigned long size,
unsigned long flags)
{
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [191/251] perf/x86: Fix intel QPI uncore event definitions
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (188 preceding siblings ...)
2013-09-11 4:30 ` Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [192/251] perf/arm: Fix armpmu_map_hw_event() Steven Rostedt
` (60 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: John McCalpin, Vince Weaver, zheng.z.yan, Peter Zijlstra,
Arnaldo Carvalho de Melo, Paul Mackerras, stable, Ingo Molnar
[-- Attachment #1: 0191-perf-x86-Fix-intel-QPI-uncore-event-definitions.patch --]
[-- Type: text/plain, Size: 2964 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Vince Weaver <vincent.weaver@maine.edu>
[ Upstream commit c9601247f8f3fdc18aed7ed7e490e8dfcd07f122 ]
John McCalpin reports that the "drs_data" and "ncb_data" QPI
uncore events are missing the "extra bit" and always return zero
values unless the bit is properly set.
More details from him:
According to the Xeon E5-2600 Product Family Uncore Performance
Monitoring Guide, Table 2-94, about 1/2 of the QPI Link Layer events
(including the ones that "perf" calls "drs_data" and "ncb_data") require
that the "extra bit" be set.
This was confusing for a while -- a note at the bottom of page 94 says
that the "extra bit" is bit 16 of the control register.
Unfortunately, Table 2-86 clearly says that bit 16 is reserved and must
be zero. Looking around a bit, I found that bit 21 appears to be the
correct "extra bit", and further investigation shows that "perf" actually
agrees with me:
[root@c560-003.stampede]# cat /sys/bus/event_source/devices/uncore_qpi_0/format/event
config:0-7,21
So the command
# perf -e "uncore_qpi_0/event=drs_data/"
Is the same as
# perf -e "uncore_qpi_0/event=0x02,umask=0x08/"
While it should be
# perf -e "uncore_qpi_0/event=0x102,umask=0x08/"
I confirmed that this last version gives results that agree with the
amount of data that I expected the STREAM benchmark to move across the QPI
link in the second (cross-chip) test of the original script.
Reported-by: John McCalpin <mccalpin@tacc.utexas.edu>
Signed-off-by: Vince Weaver <vincent.weaver@maine.edu>
Cc: zheng.z.yan@intel.com
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Cc: Paul Mackerras <paulus@samba.org>
Cc: <stable@kernel.org>
Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1308021037280.26119@vincent-weaver-1.um.maine.edu
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
index 0c0957d..4e5f47a 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
@@ -313,8 +313,8 @@ static struct uncore_event_desc snbep_uncore_imc_events[] = {
static struct uncore_event_desc snbep_uncore_qpi_events[] = {
INTEL_UNCORE_EVENT_DESC(clockticks, "event=0x14"),
INTEL_UNCORE_EVENT_DESC(txl_flits_active, "event=0x00,umask=0x06"),
- INTEL_UNCORE_EVENT_DESC(drs_data, "event=0x02,umask=0x08"),
- INTEL_UNCORE_EVENT_DESC(ncb_data, "event=0x03,umask=0x04"),
+ INTEL_UNCORE_EVENT_DESC(drs_data, "event=0x102,umask=0x08"),
+ INTEL_UNCORE_EVENT_DESC(ncb_data, "event=0x103,umask=0x04"),
{ /* end: all zeroes */ },
};
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [192/251] perf/arm: Fix armpmu_map_hw_event()
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (189 preceding siblings ...)
2013-09-11 4:30 ` [191/251] perf/x86: Fix intel QPI uncore event definitions Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [193/251] x86 get_unmapped_area(): use proper mmap base for bottom-up direction Steven Rostedt
` (59 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: stable, Ingo Molnar
[-- Attachment #1: 0192-perf-arm-Fix-armpmu_map_hw_event.patch --]
[-- Type: text/plain, Size: 1166 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Stephen Boyd <sboyd@codeaurora.org>
[ Upstream commit b88a2595b6d8aedbd275c07dfa784657b4f757eb ]
Fix constraint check in armpmu_map_hw_event().
Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
Cc: <stable@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/arm/kernel/perf_event.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
index 5770b9d..22a022a 100644
--- a/arch/arm/kernel/perf_event.c
+++ b/arch/arm/kernel/perf_event.c
@@ -106,7 +106,12 @@ armpmu_map_cache_event(const unsigned (*cache_map)
static int
armpmu_map_event(const unsigned (*event_map)[PERF_COUNT_HW_MAX], u64 config)
{
- int mapping = (*event_map)[config];
+ int mapping;
+
+ if (config >= PERF_COUNT_HW_MAX)
+ return -ENOENT;
+
+ mapping = (*event_map)[config];
return mapping == HW_OP_UNSUPPORTED ? -ENOENT : mapping;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [193/251] x86 get_unmapped_area(): use proper mmap base for bottom-up direction
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (190 preceding siblings ...)
2013-09-11 4:30 ` [192/251] perf/arm: Fix armpmu_map_hw_event() Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [194/251] fs/proc/task_mmu.c: fix buffer overflow in add_page_map() Steven Rostedt
` (58 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Michel Lespinasse, Oleg Nesterov, Rik van Riel, Ingo Molnar,
Adrian Sendroiu, Andrew Morton
[-- Attachment #1: 0193-x86-get_unmapped_area-use-proper-mmap-base-for-botto.patch --]
[-- Type: text/plain, Size: 2271 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Radu Caragea <sinaelgl@gmail.com>
[ Upstream commit df54d6fa54275ce59660453e29d1228c2b45a826 ]
When the stack is set to unlimited, the bottomup direction is used for
mmap-ings but the mmap_base is not used and thus effectively renders
ASLR for mmapings along with PIE useless.
Cc: Michel Lespinasse <walken@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Rik van Riel <riel@redhat.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Cc: Adrian Sendroiu <molecula2788@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/x86/kernel/sys_x86_64.c | 2 +-
arch/x86/mm/mmap.c | 2 +-
include/linux/sched.h | 1 +
3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
index b4d3c39..2145c1b 100644
--- a/arch/x86/kernel/sys_x86_64.c
+++ b/arch/x86/kernel/sys_x86_64.c
@@ -115,7 +115,7 @@ static void find_start_end(unsigned long flags, unsigned long *begin,
*begin = new_begin;
}
} else {
- *begin = TASK_UNMAPPED_BASE;
+ *begin = mmap_legacy_base();
*end = TASK_SIZE;
}
}
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 845df68..c1af323 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -98,7 +98,7 @@ static unsigned long mmap_base(void)
* Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
* does, but not when emulating X86_32
*/
-static unsigned long mmap_legacy_base(void)
+unsigned long mmap_legacy_base(void)
{
if (mmap_is_ia32())
return TASK_UNMAPPED_BASE;
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 46bac3e..8c00159 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -388,6 +388,7 @@ extern int sysctl_max_map_count;
#include <linux/aio.h>
#ifdef CONFIG_MMU
+extern unsigned long mmap_legacy_base(void);
extern void arch_pick_mmap_layout(struct mm_struct *mm);
extern unsigned long
arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [194/251] fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (191 preceding siblings ...)
2013-09-11 4:30 ` [193/251] x86 get_unmapped_area(): use proper mmap base for bottom-up direction Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [195/251] elevator: Fix a race in elevator switching Steven Rostedt
` (57 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Yonghua Zheng, Andrew Morton
[-- Attachment #1: 0194-fs-proc-task_mmu.c-fix-buffer-overflow-in-add_page_m.patch --]
[-- Type: text/plain, Size: 2320 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: yonghua zheng <younghua.zheng@gmail.com>
[ Upstream commit 8c8296223f3abb142be8fc31711b18a704c0e7d8 ]
Recently we met quite a lot of random kernel panic issues after enabling
CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something
to do with following bug in pagemap:
In struct pagemapread:
struct pagemapread {
int pos, len;
pagemap_entry_t *buffer;
bool v2;
};
pos is number of PM_ENTRY_BYTES in buffer, but len is the size of
buffer, it is a mistake to compare pos and len in add_page_map() for
checking buffer is full or not, and this can lead to buffer overflow and
random kernel panic issue.
Correct len to be total number of PM_ENTRY_BYTES in buffer.
[akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition]
Signed-off-by: Yonghua Zheng <younghua.zheng@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/proc/task_mmu.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 4540b8f..1868fe1 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -693,14 +693,14 @@ typedef struct {
} pagemap_entry_t;
struct pagemapread {
- int pos, len;
+ int pos, len; /* units: PM_ENTRY_BYTES, not bytes */
pagemap_entry_t *buffer;
};
#define PAGEMAP_WALK_SIZE (PMD_SIZE)
#define PAGEMAP_WALK_MASK (PMD_MASK)
-#define PM_ENTRY_BYTES sizeof(u64)
+#define PM_ENTRY_BYTES sizeof(pagemap_entry_t)
#define PM_STATUS_BITS 3
#define PM_STATUS_OFFSET (64 - PM_STATUS_BITS)
#define PM_STATUS_MASK (((1LL << PM_STATUS_BITS) - 1) << PM_STATUS_OFFSET)
@@ -939,8 +939,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
if (!count)
goto out_task;
- pm.len = PM_ENTRY_BYTES * (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
- pm.buffer = kmalloc(pm.len, GFP_TEMPORARY);
+ pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
+ pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY);
ret = -ENOMEM;
if (!pm.buffer)
goto out_task;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [195/251] elevator: Fix a race in elevator switching
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (192 preceding siblings ...)
2013-09-11 4:30 ` [194/251] fs/proc/task_mmu.c: fix buffer overflow in add_page_map() Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [196/251] iwl4965: set power mode early Steven Rostedt
` (56 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jianpeng Ma, Jens Axboe
[-- Attachment #1: 0195-elevator-Fix-a-race-in-elevator-switching.patch --]
[-- Type: text/plain, Size: 7373 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jianpeng Ma <majianpeng@gmail.com>
[ Upstream commit d50235b7bc3ee0a0427984d763ea7534149531b4 ]
There's a race between elevator switching and normal io operation.
Because the allocation of struct elevator_queue and struct elevator_data
don't in a atomic operation.So there are have chance to use NULL
->elevator_data.
For example:
Thread A: Thread B
blk_queu_bio elevator_switch
spin_lock_irq(q->queue_block) elevator_alloc
elv_merge elevator_init_fn
Because call elevator_alloc, it can't hold queue_lock and the
->elevator_data is NULL.So at the same time, threadA call elv_merge and
nedd some info of elevator_data.So the crash happened.
Move the elevator_alloc into func elevator_init_fn, it make the
operations in a atomic operation.
Using the follow method can easy reproduce this bug
1:dd if=/dev/sdb of=/dev/null
2:while true;do echo noop > scheduler;echo deadline > scheduler;done
The test method also use this method.
Signed-off-by: Jianpeng Ma <majianpeng@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
block/cfq-iosched.c | 17 ++++++++++++++---
block/deadline-iosched.c | 16 +++++++++++++---
block/elevator.c | 25 +++++--------------------
block/noop-iosched.c | 17 ++++++++++++++---
include/linux/elevator.h | 6 +++++-
5 files changed, 51 insertions(+), 30 deletions(-)
diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c
index fb52df9..1bde45f 100644
--- a/block/cfq-iosched.c
+++ b/block/cfq-iosched.c
@@ -3959,18 +3959,28 @@ static void cfq_exit_queue(struct elevator_queue *e)
kfree(cfqd);
}
-static int cfq_init_queue(struct request_queue *q)
+static int cfq_init_queue(struct request_queue *q, struct elevator_type *e)
{
struct cfq_data *cfqd;
struct blkcg_gq *blkg __maybe_unused;
int i, ret;
+ struct elevator_queue *eq;
+
+ eq = elevator_alloc(q, e);
+ if (!eq)
+ return -ENOMEM;
cfqd = kmalloc_node(sizeof(*cfqd), GFP_KERNEL | __GFP_ZERO, q->node);
- if (!cfqd)
+ if (!cfqd) {
+ kobject_put(&eq->kobj);
return -ENOMEM;
+ }
+ eq->elevator_data = cfqd;
cfqd->queue = q;
- q->elevator->elevator_data = cfqd;
+ spin_lock_irq(q->queue_lock);
+ q->elevator = eq;
+ spin_unlock_irq(q->queue_lock);
/* Init root service tree */
cfqd->grp_service_tree = CFQ_RB_ROOT;
@@ -4044,6 +4054,7 @@ static int cfq_init_queue(struct request_queue *q)
out_free:
kfree(cfqd);
+ kobject_put(&eq->kobj);
return ret;
}
diff --git a/block/deadline-iosched.c b/block/deadline-iosched.c
index 599b12e..20a1efc 100644
--- a/block/deadline-iosched.c
+++ b/block/deadline-iosched.c
@@ -337,13 +337,21 @@ static void deadline_exit_queue(struct elevator_queue *e)
/*
* initialize elevator private data (deadline_data).
*/
-static int deadline_init_queue(struct request_queue *q)
+static int deadline_init_queue(struct request_queue *q, struct elevator_type *e)
{
struct deadline_data *dd;
+ struct elevator_queue *eq;
+
+ eq = elevator_alloc(q, e);
+ if (!eq)
+ return -ENOMEM;
dd = kmalloc_node(sizeof(*dd), GFP_KERNEL | __GFP_ZERO, q->node);
- if (!dd)
+ if (!dd) {
+ kobject_put(&eq->kobj);
return -ENOMEM;
+ }
+ eq->elevator_data = dd;
INIT_LIST_HEAD(&dd->fifo_list[READ]);
INIT_LIST_HEAD(&dd->fifo_list[WRITE]);
@@ -355,7 +363,9 @@ static int deadline_init_queue(struct request_queue *q)
dd->front_merges = 1;
dd->fifo_batch = fifo_batch;
- q->elevator->elevator_data = dd;
+ spin_lock_irq(q->queue_lock);
+ q->elevator = eq;
+ spin_unlock_irq(q->queue_lock);
return 0;
}
diff --git a/block/elevator.c b/block/elevator.c
index 6a55d41..ac6316c 100644
--- a/block/elevator.c
+++ b/block/elevator.c
@@ -138,7 +138,7 @@ __setup("elevator=", elevator_setup);
static struct kobj_type elv_ktype;
-static struct elevator_queue *elevator_alloc(struct request_queue *q,
+struct elevator_queue *elevator_alloc(struct request_queue *q,
struct elevator_type *e)
{
struct elevator_queue *eq;
@@ -166,6 +166,7 @@ err:
elevator_put(e);
return NULL;
}
+EXPORT_SYMBOL(elevator_alloc);
static void elevator_release(struct kobject *kobj)
{
@@ -213,16 +214,7 @@ int elevator_init(struct request_queue *q, char *name)
}
}
- q->elevator = elevator_alloc(q, e);
- if (!q->elevator)
- return -ENOMEM;
-
- err = e->ops.elevator_init_fn(q);
- if (err) {
- kobject_put(&q->elevator->kobj);
- return err;
- }
-
+ err = e->ops.elevator_init_fn(q, e);
return 0;
}
EXPORT_SYMBOL(elevator_init);
@@ -897,16 +889,9 @@ static int elevator_switch(struct request_queue *q, struct elevator_type *new_e)
spin_unlock_irq(q->queue_lock);
/* allocate, init and register new elevator */
- err = -ENOMEM;
- q->elevator = elevator_alloc(q, new_e);
- if (!q->elevator)
- goto fail_init;
-
- err = new_e->ops.elevator_init_fn(q);
- if (err) {
- kobject_put(&q->elevator->kobj);
+ err = new_e->ops.elevator_init_fn(q, new_e);
+ if (err)
goto fail_init;
- }
if (registered) {
err = elv_register_queue(q);
diff --git a/block/noop-iosched.c b/block/noop-iosched.c
index 5d1bf70..3de89d4 100644
--- a/block/noop-iosched.c
+++ b/block/noop-iosched.c
@@ -59,16 +59,27 @@ noop_latter_request(struct request_queue *q, struct request *rq)
return list_entry(rq->queuelist.next, struct request, queuelist);
}
-static int noop_init_queue(struct request_queue *q)
+static int noop_init_queue(struct request_queue *q, struct elevator_type *e)
{
struct noop_data *nd;
+ struct elevator_queue *eq;
+
+ eq = elevator_alloc(q, e);
+ if (!eq)
+ return -ENOMEM;
nd = kmalloc_node(sizeof(*nd), GFP_KERNEL, q->node);
- if (!nd)
+ if (!nd) {
+ kobject_put(&eq->kobj);
return -ENOMEM;
+ }
+ eq->elevator_data = nd;
INIT_LIST_HEAD(&nd->queue);
- q->elevator->elevator_data = nd;
+
+ spin_lock_irq(q->queue_lock);
+ q->elevator = eq;
+ spin_unlock_irq(q->queue_lock);
return 0;
}
diff --git a/include/linux/elevator.h b/include/linux/elevator.h
index c03af76..20ae95b 100644
--- a/include/linux/elevator.h
+++ b/include/linux/elevator.h
@@ -6,6 +6,7 @@
#ifdef CONFIG_BLOCK
struct io_cq;
+struct elevator_type;
typedef int (elevator_merge_fn) (struct request_queue *, struct request **,
struct bio *);
@@ -34,7 +35,8 @@ typedef void (elevator_put_req_fn) (struct request *);
typedef void (elevator_activate_req_fn) (struct request_queue *, struct request *);
typedef void (elevator_deactivate_req_fn) (struct request_queue *, struct request *);
-typedef int (elevator_init_fn) (struct request_queue *);
+typedef int (elevator_init_fn) (struct request_queue *,
+ struct elevator_type *e);
typedef void (elevator_exit_fn) (struct elevator_queue *);
struct elevator_ops
@@ -151,6 +153,8 @@ extern int elevator_init(struct request_queue *, char *);
extern void elevator_exit(struct elevator_queue *);
extern int elevator_change(struct request_queue *, const char *);
extern bool elv_rq_merge_ok(struct request *, struct bio *);
+extern struct elevator_queue *elevator_alloc(struct request_queue *,
+ struct elevator_type *);
/*
* Helper functions.
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [196/251] iwl4965: set power mode early
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (193 preceding siblings ...)
2013-09-11 4:30 ` [195/251] elevator: Fix a race in elevator switching Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [197/251] iwl4965: reset firmware after rfkill off Steven Rostedt
` (55 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Stanislaw Gruszka, John W. Linville
[-- Attachment #1: 0196-iwl4965-set-power-mode-early.patch --]
[-- Type: text/plain, Size: 1448 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <sgruszka@redhat.com>
[ Upstream commit eca396d7a5bdcc1fd67b1b12f737c213ac78a6f4 ]
If device was put into a sleep and system was restarted or module
reloaded, we have to wake device up before sending other commands.
Otherwise it will fail to start with Microcode error.
Cc: stable@vger.kernel.org
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/iwlegacy/4965-mac.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c b/drivers/net/wireless/iwlegacy/4965-mac.c
index 34f61a0..ab56f92 100644
--- a/drivers/net/wireless/iwlegacy/4965-mac.c
+++ b/drivers/net/wireless/iwlegacy/4965-mac.c
@@ -5285,6 +5285,9 @@ il4965_alive_start(struct il_priv *il)
il->active_rate = RATES_MASK;
+ il_power_update_mode(il, true);
+ D_INFO("Updated power mode\n");
+
if (il_is_associated(il)) {
struct il_rxon_cmd *active_rxon =
(struct il_rxon_cmd *)&il->active;
@@ -5315,9 +5318,6 @@ il4965_alive_start(struct il_priv *il)
D_INFO("ALIVE processing complete.\n");
wake_up(&il->wait_command_queue);
- il_power_update_mode(il, true);
- D_INFO("Updated power mode\n");
-
return;
restart:
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [197/251] iwl4965: reset firmware after rfkill off
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (194 preceding siblings ...)
2013-09-11 4:30 ` [196/251] iwl4965: set power mode early Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 7:46 ` Stanislaw Gruszka
2013-09-11 4:30 ` [198/251] can: pcan_usb: fix wrong memcpy() bytes length Steven Rostedt
` (54 subsequent siblings)
250 siblings, 1 reply; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Stanislaw Gruszka, John W. Linville
[-- Attachment #1: 0197-iwl4965-reset-firmware-after-rfkill-off.patch --]
[-- Type: text/plain, Size: 2100 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <sgruszka@redhat.com>
[ Upstream commit 788f7a56fce1bcb2067b62b851a086fca48a0056 ]
Using rfkill switch can make firmware unstable, what cause various
Microcode errors and kernel warnings. Reseting firmware just after
rfkill off (radio on) helped with that.
Resolve:
https://bugzilla.redhat.com/show_bug.cgi?id=977053
Reported-and-tested-by: Justin Pearce <whitefox@guardianfox.net>
Cc: stable@vger.kernel.org
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/iwlegacy/4965-mac.c | 10 +++++-----
drivers/net/wireless/iwlegacy/common.c | 1 +
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c b/drivers/net/wireless/iwlegacy/4965-mac.c
index ab56f92..f6624b8 100644
--- a/drivers/net/wireless/iwlegacy/4965-mac.c
+++ b/drivers/net/wireless/iwlegacy/4965-mac.c
@@ -4411,12 +4411,12 @@ il4965_irq_tasklet(struct il_priv *il)
* is killed. Hence update the killswitch state here. The
* rfkill handler will care about restarting if needed.
*/
- if (!test_bit(S_ALIVE, &il->status)) {
- if (hw_rf_kill)
- set_bit(S_RFKILL, &il->status);
- else
- clear_bit(S_RFKILL, &il->status);
+ if (hw_rf_kill) {
+ set_bit(S_RFKILL, &il->status);
+ } else {
+ clear_bit(S_RFKILL, &il->status);
wiphy_rfkill_set_hw_state(il->hw->wiphy, hw_rf_kill);
+ il_force_reset(il, true);
}
handled |= CSR_INT_BIT_RF_KILL;
diff --git a/drivers/net/wireless/iwlegacy/common.c b/drivers/net/wireless/iwlegacy/common.c
index 0370403..3d26831 100644
--- a/drivers/net/wireless/iwlegacy/common.c
+++ b/drivers/net/wireless/iwlegacy/common.c
@@ -4658,6 +4658,7 @@ il_force_reset(struct il_priv *il, bool external)
return 0;
}
+EXPORT_SYMBOL(il_force_reset);
int
il_mac_change_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [198/251] can: pcan_usb: fix wrong memcpy() bytes length
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (195 preceding siblings ...)
2013-09-11 4:30 ` [197/251] iwl4965: reset firmware after rfkill off Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [199/251] genetlink: fix family dump race Steven Rostedt
` (53 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Stephane Grosjean, Marc Kleine-Budde, David S. Miller
[-- Attachment #1: 0198-can-pcan_usb-fix-wrong-memcpy-bytes-length.patch --]
[-- Type: text/plain, Size: 1433 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Stephane Grosjean <s.grosjean@peak-system.com>
[ Upstream commit 3c322a56b01695df15c70bfdc2d02e0ccd80654e ]
Fix possibly wrong memcpy() bytes length since some CAN records received from
PCAN-USB could define a DLC field in range [9..15].
In that case, the real DLC value MUST be used to move forward the record pointer
but, only 8 bytes max. MUST be copied into the data field of the struct
can_frame object of the skb given to the network core.
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/can/usb/peak_usb/pcan_usb.c b/drivers/net/can/usb/peak_usb/pcan_usb.c
index 25723d8..925ab8e 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb.c
@@ -649,7 +649,7 @@ static int pcan_usb_decode_data(struct pcan_usb_msg_context *mc, u8 status_len)
if ((mc->ptr + rec_len) > mc->end)
goto decode_failed;
- memcpy(cf->data, mc->ptr, rec_len);
+ memcpy(cf->data, mc->ptr, cf->can_dlc);
mc->ptr += rec_len;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [199/251] genetlink: fix family dump race
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (196 preceding siblings ...)
2013-09-11 4:30 ` [198/251] can: pcan_usb: fix wrong memcpy() bytes length Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 6:50 ` Berg, Johannes
2013-09-11 4:30 ` [200/251] cfg80211: fix P2P GO interface teardown Steven Rostedt
` (52 subsequent siblings)
250 siblings, 1 reply; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Andrei Otcheretianski, Johannes Berg, David S. Miller
[-- Attachment #1: 0199-genetlink-fix-family-dump-race.patch --]
[-- Type: text/plain, Size: 1854 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 58ad436fcf49810aa006016107f494c9ac9013db ]
When dumping generic netlink families, only the first dump call
is locked with genl_lock(), which protects the list of families,
and thus subsequent calls can access the data without locking,
racing against family addition/removal. This can cause a crash.
Fix it - the locking needs to be conditional because the first
time around it's already locked.
A similar bug was reported to me on an old kernel (3.4.47) but
the exact scenario that happened there is no longer possible,
on those kernels the first round wasn't locked either. Looking
at the current code I found the race described above, which had
also existed on the old kernel.
Cc: stable@vger.kernel.org
Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/netlink/genetlink.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index 42556ce..17e7104 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -749,6 +749,10 @@ static int ctrl_dumpfamily(struct sk_buff *skb, struct netlink_callback *cb)
struct net *net = sock_net(skb->sk);
int chains_to_skip = cb->args[0];
int fams_to_skip = cb->args[1];
+ bool need_locking = chains_to_skip || fams_to_skip;
+
+ if (need_locking)
+ genl_lock();
for (i = chains_to_skip; i < GENL_FAM_TAB_SIZE; i++) {
n = 0;
@@ -770,6 +774,9 @@ errout:
cb->args[0] = i;
cb->args[1] = n;
+ if (need_locking)
+ genl_unlock();
+
return skb->len;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [200/251] cfg80211: fix P2P GO interface teardown
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (197 preceding siblings ...)
2013-09-11 4:30 ` [199/251] genetlink: fix family dump race Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [201/251] ASoC: cs42l52: Reorder Min/Max and update to SX_TLV for Beep Volume Steven Rostedt
` (51 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Ilan Peer, Emmanuel Grumbach, Johannes Berg
[-- Attachment #1: 0200-cfg80211-fix-P2P-GO-interface-teardown.patch --]
[-- Type: text/plain, Size: 1251 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 74418edec915d0f446debebde08d170c7b8ba0ee ]
When a P2P GO interface goes down, cfg80211 doesn't properly
tear it down, leading to warnings later. Add the GO interface
type to the enumeration to tear it down like AP interfaces.
Otherwise, we leave it pending and mac80211's state can get
very confused, leading to warnings later.
Cc: stable@vger.kernel.org
Reported-by: Ilan Peer <ilan.peer@intel.com>
Tested-by: Ilan Peer <ilan.peer@intel.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/wireless/core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/wireless/core.c b/net/wireless/core.c
index a10901b..250e0a6 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -846,6 +846,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
cfg80211_leave_mesh(rdev, dev);
break;
case NL80211_IFTYPE_AP:
+ case NL80211_IFTYPE_P2P_GO:
cfg80211_stop_ap(rdev, dev);
break;
default:
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [201/251] ASoC: cs42l52: Reorder Min/Max and update to SX_TLV for Beep Volume
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (198 preceding siblings ...)
2013-09-11 4:30 ` [200/251] cfg80211: fix P2P GO interface teardown Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [202/251] ASoC: tegra: fix Tegra30 I2S capture parameter setup Steven Rostedt
` (50 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Brian Austin, Mark Brown, stable
[-- Attachment #1: 0201-ASoC-cs42l52-Reorder-Min-Max-and-update-to-SX_TLV-fo.patch --]
[-- Type: text/plain, Size: 1305 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Brian Austin <brian.austin@cirrus.com>
[ Upstream commit e2c98a8bba958045bde861fe1d66be54315c7790 ]
Beep Volume Min/Max was backwards.
Change to SOC_SONGLE_SX_TLV for correct volume representation
Signed-off-by: Brian Austin <brian.austin@cirrus.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Cc: stable@kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/soc/codecs/cs42l52.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/cs42l52.c b/sound/soc/codecs/cs42l52.c
index d34aa42..c05e6b2 100644
--- a/sound/soc/codecs/cs42l52.c
+++ b/sound/soc/codecs/cs42l52.c
@@ -450,7 +450,7 @@ static const struct snd_kcontrol_new cs42l52_snd_controls[] = {
SOC_ENUM("Beep Pitch", beep_pitch_enum),
SOC_ENUM("Beep on Time", beep_ontime_enum),
SOC_ENUM("Beep off Time", beep_offtime_enum),
- SOC_SINGLE_TLV("Beep Volume", CS42L52_BEEP_VOL, 0, 0x1f, 0x07, hl_tlv),
+ SOC_SINGLE_SX_TLV("Beep Volume", CS42L52_BEEP_VOL, 0, 0x07, 0x1f, hl_tlv),
SOC_SINGLE("Beep Mixer Switch", CS42L52_BEEP_TONE_CTL, 5, 1, 1),
SOC_ENUM("Beep Treble Corner Freq", beep_treble_enum),
SOC_ENUM("Beep Bass Corner Freq", beep_bass_enum),
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [202/251] ASoC: tegra: fix Tegra30 I2S capture parameter setup
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (199 preceding siblings ...)
2013-09-11 4:30 ` [201/251] ASoC: cs42l52: Reorder Min/Max and update to SX_TLV for Beep Volume Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [203/251] ALSA: 6fire: make buffers DMA-able (pcm) Steven Rostedt
` (49 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Stephen Warren, Mark Brown
[-- Attachment #1: 0202-ASoC-tegra-fix-Tegra30-I2S-capture-parameter-setup.patch --]
[-- Type: text/plain, Size: 1383 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Stephen Warren <swarren@nvidia.com>
[ Upstream commit c90c0d7a96e634a73ef1580f1d20993606545647 ]
The Tegra30 I2S driver was writing the AHUB interface parameters to the
playback path register rather than the capture path register. This
caused the capture parameters not to be configured at all, so if
capturing using non-HW-default parameters (e.g. 16-bit stereo rather
than 8-bit mono) the audio would be corrupted.
With this fixed, audio capture from an analog microphone works correctly
on the Cardhu board.
Cc: stable@vger.kernel.org
Signed-off-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/soc/tegra/tegra30_i2s.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/tegra/tegra30_i2s.c b/sound/soc/tegra/tegra30_i2s.c
index 4418422..b56721a8 100644
--- a/sound/soc/tegra/tegra30_i2s.c
+++ b/sound/soc/tegra/tegra30_i2s.c
@@ -227,7 +227,7 @@ static int tegra30_i2s_hw_params(struct snd_pcm_substream *substream,
reg = TEGRA30_I2S_CIF_RX_CTRL;
} else {
val |= TEGRA30_AUDIOCIF_CTRL_DIRECTION_TX;
- reg = TEGRA30_I2S_CIF_RX_CTRL;
+ reg = TEGRA30_I2S_CIF_TX_CTRL;
}
regmap_write(i2s->regmap, reg, val);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [203/251] ALSA: 6fire: make buffers DMA-able (pcm)
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (200 preceding siblings ...)
2013-09-11 4:30 ` [202/251] ASoC: tegra: fix Tegra30 I2S capture parameter setup Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [204/251] ALSA: 6fire: make buffers DMA-able (midi) Steven Rostedt
` (48 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Torsten Schenk, Takashi Iwai
[-- Attachment #1: 0203-ALSA-6fire-make-buffers-DMA-able-pcm.patch --]
[-- Type: text/plain, Size: 3191 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Torsten Schenk <torsten.schenk@zoho.com>
[ Upstream commit 5ece263f1d93fba8d992e67e3ab8a71acf674db9 ]
Patch makes pcm buffers DMA-able by allocating each one separately.
Signed-off-by: Torsten Schenk <torsten.schenk@zoho.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/usb/6fire/pcm.c | 41 ++++++++++++++++++++++++++++++++++++++++-
sound/usb/6fire/pcm.h | 2 +-
2 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/sound/usb/6fire/pcm.c b/sound/usb/6fire/pcm.c
index 7c4f311..51e3f62f 100644
--- a/sound/usb/6fire/pcm.c
+++ b/sound/usb/6fire/pcm.c
@@ -578,6 +578,33 @@ static void __devinit usb6fire_pcm_init_urb(struct pcm_urb *urb,
urb->instance.number_of_packets = PCM_N_PACKETS_PER_URB;
}
+static int usb6fire_pcm_buffers_init(struct pcm_runtime *rt)
+{
+ int i;
+
+ for (i = 0; i < PCM_N_URBS; i++) {
+ rt->out_urbs[i].buffer = kzalloc(PCM_N_PACKETS_PER_URB
+ * PCM_MAX_PACKET_SIZE, GFP_KERNEL);
+ if (!rt->out_urbs[i].buffer)
+ return -ENOMEM;
+ rt->in_urbs[i].buffer = kzalloc(PCM_N_PACKETS_PER_URB
+ * PCM_MAX_PACKET_SIZE, GFP_KERNEL);
+ if (!rt->in_urbs[i].buffer)
+ return -ENOMEM;
+ }
+ return 0;
+}
+
+static void usb6fire_pcm_buffers_destroy(struct pcm_runtime *rt)
+{
+ int i;
+
+ for (i = 0; i < PCM_N_URBS; i++) {
+ kfree(rt->out_urbs[i].buffer);
+ kfree(rt->in_urbs[i].buffer);
+ }
+}
+
int __devinit usb6fire_pcm_init(struct sfire_chip *chip)
{
int i;
@@ -589,6 +616,13 @@ int __devinit usb6fire_pcm_init(struct sfire_chip *chip)
if (!rt)
return -ENOMEM;
+ ret = usb6fire_pcm_buffers_init(rt);
+ if (ret) {
+ usb6fire_pcm_buffers_destroy(rt);
+ kfree(rt);
+ return ret;
+ }
+
rt->chip = chip;
rt->stream_state = STREAM_DISABLED;
rt->rate = ARRAY_SIZE(rates);
@@ -610,6 +644,7 @@ int __devinit usb6fire_pcm_init(struct sfire_chip *chip)
ret = snd_pcm_new(chip->card, "DMX6FireUSB", 0, 1, 1, &pcm);
if (ret < 0) {
+ usb6fire_pcm_buffers_destroy(rt);
kfree(rt);
snd_printk(KERN_ERR PREFIX "cannot create pcm instance.\n");
return ret;
@@ -625,6 +660,7 @@ int __devinit usb6fire_pcm_init(struct sfire_chip *chip)
snd_dma_continuous_data(GFP_KERNEL),
MAX_BUFSIZE, MAX_BUFSIZE);
if (ret) {
+ usb6fire_pcm_buffers_destroy(rt);
kfree(rt);
snd_printk(KERN_ERR PREFIX
"error preallocating pcm buffers.\n");
@@ -669,6 +705,9 @@ void usb6fire_pcm_abort(struct sfire_chip *chip)
void usb6fire_pcm_destroy(struct sfire_chip *chip)
{
- kfree(chip->pcm);
+ struct pcm_runtime *rt = chip->pcm;
+
+ usb6fire_pcm_buffers_destroy(rt);
+ kfree(rt);
chip->pcm = NULL;
}
diff --git a/sound/usb/6fire/pcm.h b/sound/usb/6fire/pcm.h
index 3104301..84610cf 100644
--- a/sound/usb/6fire/pcm.h
+++ b/sound/usb/6fire/pcm.h
@@ -32,7 +32,7 @@ struct pcm_urb {
struct urb instance;
struct usb_iso_packet_descriptor packets[PCM_N_PACKETS_PER_URB];
/* END DO NOT SEPARATE */
- u8 buffer[PCM_N_PACKETS_PER_URB * PCM_MAX_PACKET_SIZE];
+ u8 *buffer;
struct pcm_urb *peer;
};
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [204/251] ALSA: 6fire: make buffers DMA-able (midi)
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (201 preceding siblings ...)
2013-09-11 4:30 ` [203/251] ALSA: 6fire: make buffers DMA-able (pcm) Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [205/251] ALSA: hda - Add a fixup for Gateway LT27 Steven Rostedt
` (47 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Torsten Schenk, Takashi Iwai
[-- Attachment #1: 0204-ALSA-6fire-make-buffers-DMA-able-midi.patch --]
[-- Type: text/plain, Size: 2453 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Torsten Schenk <torsten.schenk@zoho.com>
[ Upstream commit 4c2aee0032b70083dafebd733ed9c774633b2fa3 ]
Patch makes midi output buffer DMA-able by allocating it separately.
Signed-off-by: Torsten Schenk <torsten.schenk@zoho.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/usb/6fire/midi.c | 16 +++++++++++++++-
sound/usb/6fire/midi.h | 6 +-----
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/sound/usb/6fire/midi.c b/sound/usb/6fire/midi.c
index f0e5179..0c09867 100644
--- a/sound/usb/6fire/midi.c
+++ b/sound/usb/6fire/midi.c
@@ -19,6 +19,10 @@
#include "chip.h"
#include "comm.h"
+enum {
+ MIDI_BUFSIZE = 64
+};
+
static void usb6fire_midi_out_handler(struct urb *urb)
{
struct midi_runtime *rt = urb->context;
@@ -156,6 +160,12 @@ int __devinit usb6fire_midi_init(struct sfire_chip *chip)
if (!rt)
return -ENOMEM;
+ rt->out_buffer = kzalloc(MIDI_BUFSIZE, GFP_KERNEL);
+ if (!rt->out_buffer) {
+ kfree(rt);
+ return -ENOMEM;
+ }
+
rt->chip = chip;
rt->in_received = usb6fire_midi_in_received;
rt->out_buffer[0] = 0x80; /* 'send midi' command */
@@ -169,6 +179,7 @@ int __devinit usb6fire_midi_init(struct sfire_chip *chip)
ret = snd_rawmidi_new(chip->card, "6FireUSB", 0, 1, 1, &rt->instance);
if (ret < 0) {
+ kfree(rt->out_buffer);
kfree(rt);
snd_printk(KERN_ERR PREFIX "unable to create midi.\n");
return ret;
@@ -197,6 +208,9 @@ void usb6fire_midi_abort(struct sfire_chip *chip)
void usb6fire_midi_destroy(struct sfire_chip *chip)
{
- kfree(chip->midi);
+ struct midi_runtime *rt = chip->midi;
+
+ kfree(rt->out_buffer);
+ kfree(rt);
chip->midi = NULL;
}
diff --git a/sound/usb/6fire/midi.h b/sound/usb/6fire/midi.h
index 5114ecc..d101ecb 100644
--- a/sound/usb/6fire/midi.h
+++ b/sound/usb/6fire/midi.h
@@ -16,10 +16,6 @@
#include "common.h"
-enum {
- MIDI_BUFSIZE = 64
-};
-
struct midi_runtime {
struct sfire_chip *chip;
struct snd_rawmidi *instance;
@@ -32,7 +28,7 @@ struct midi_runtime {
struct snd_rawmidi_substream *out;
struct urb out_urb;
u8 out_serial; /* serial number of out packet */
- u8 out_buffer[MIDI_BUFSIZE];
+ u8 *out_buffer;
int buffer_offset;
void (*in_received)(struct midi_runtime *rt, u8 *data, int length);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [205/251] ALSA: hda - Add a fixup for Gateway LT27
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (202 preceding siblings ...)
2013-09-11 4:30 ` [204/251] ALSA: 6fire: make buffers DMA-able (midi) Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [206/251] usb: add two quirky touchscreen Steven Rostedt
` (46 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Nathanael D. Noblet, Takashi Iwai
[-- Attachment #1: 0205-ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch --]
[-- Type: text/plain, Size: 1305 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 1801928e0f99d94c55e33c584c5eb2ff5e246ee6 ]
Gateway LT27 needs a fixup for the inverted digital mic.
Reported-by: "Nathanael D. Noblet" <nathanael@gnat.ca>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index dd7f1db..6d31bc8 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6863,6 +6863,7 @@ static const struct snd_pci_quirk alc662_fixup_tbl[] = {
SND_PCI_QUIRK(0x1025, 0x0308, "Acer Aspire 8942G", ALC662_FIXUP_ASPIRE),
SND_PCI_QUIRK(0x1025, 0x031c, "Gateway NV79", ALC662_FIXUP_SKU_IGNORE),
SND_PCI_QUIRK(0x1025, 0x0349, "eMachines eM250", ALC662_FIXUP_INV_DMIC),
+ SND_PCI_QUIRK(0x1025, 0x034a, "Gateway LT27", ALC662_FIXUP_INV_DMIC),
SND_PCI_QUIRK(0x1025, 0x038b, "Acer Aspire 8943G", ALC662_FIXUP_ASPIRE),
SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT),
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [206/251] usb: add two quirky touchscreen
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (203 preceding siblings ...)
2013-09-11 4:30 ` [205/251] ALSA: hda - Add a fixup for Gateway LT27 Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [207/251] USB: ti_usb_3410_5052: fix big-endian firmware handling Steven Rostedt
` (45 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Oliver Neukum, Greg Kroah-Hartman
[-- Attachment #1: 0206-usb-add-two-quirky-touchscreen.patch --]
[-- Type: text/plain, Size: 1212 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.de>
[ Upstream commit 304ab4ab079a8ed03ce39f1d274964a532db036b ]
These devices tend to become unresponsive after S3
Signed-off-by: Oliver Neukum <oneukum@suse.de>
CC: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/core/quirks.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
index 6af23f2..9ee154b 100644
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -75,6 +75,12 @@ static const struct usb_device_id usb_quirk_list[] = {
{ USB_DEVICE(0x04d8, 0x000c), .driver_info =
USB_QUIRK_CONFIG_INTF_STRINGS },
+ /* CarrolTouch 4000U */
+ { USB_DEVICE(0x04e7, 0x0009), .driver_info = USB_QUIRK_RESET_RESUME },
+
+ /* CarrolTouch 4500U */
+ { USB_DEVICE(0x04e7, 0x0030), .driver_info = USB_QUIRK_RESET_RESUME },
+
/* Samsung Android phone modem - ID conflict with SPH-I500 */
{ USB_DEVICE(0x04e8, 0x6601), .driver_info =
USB_QUIRK_CONFIG_INTF_STRINGS },
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [207/251] USB: ti_usb_3410_5052: fix big-endian firmware handling
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (204 preceding siblings ...)
2013-09-11 4:30 ` [206/251] usb: add two quirky touchscreen Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [208/251] USB: mos7840: fix big-endian probe Steven Rostedt
` (44 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Johan Hovold, Greg Kroah-Hartman
[-- Attachment #1: 0207-USB-ti_usb_3410_5052-fix-big-endian-firmware-handlin.patch --]
[-- Type: text/plain, Size: 1777 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Johan Hovold <jhovold@gmail.com>
[ Upstream commit e877dd2f2581628b7119df707d4cf03d940cff49 ]
Fix endianess bugs in firmware handling introduced by commits cb7a7c6a
("ti_usb_3410_5052: add Multi-Tech modem support") and 05a3d905
("ti_usb_3410_5052: support alternate firmware") which made the driver
use the wrong firmware for certain devices on big-endian machines.
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/ti_usb_3410_5052.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c
index d654036..33e3cb9 100644
--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -1639,14 +1639,15 @@ static int ti_download_firmware(struct ti_device *tdev)
char buf[32];
/* try ID specific firmware first, then try generic firmware */
- sprintf(buf, "ti_usb-v%04x-p%04x.fw", dev->descriptor.idVendor,
- dev->descriptor.idProduct);
+ sprintf(buf, "ti_usb-v%04x-p%04x.fw",
+ le16_to_cpu(dev->descriptor.idVendor),
+ le16_to_cpu(dev->descriptor.idProduct));
status = request_firmware(&fw_p, buf, &dev->dev);
if (status != 0) {
buf[0] = '\0';
- if (dev->descriptor.idVendor == MTS_VENDOR_ID) {
- switch (dev->descriptor.idProduct) {
+ if (le16_to_cpu(dev->descriptor.idVendor) == MTS_VENDOR_ID) {
+ switch (le16_to_cpu(dev->descriptor.idProduct)) {
case MTS_CDMA_PRODUCT_ID:
strcpy(buf, "mts_cdma.fw");
break;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [208/251] USB: mos7840: fix big-endian probe
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (205 preceding siblings ...)
2013-09-11 4:30 ` [207/251] USB: ti_usb_3410_5052: fix big-endian firmware handling Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [209/251] USB: mos7720: fix broken control requests Steven Rostedt
` (43 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: kbuild test robot, Johan Hovold, Greg Kroah-Hartman
[-- Attachment #1: 0208-USB-mos7840-fix-big-endian-probe.patch --]
[-- Type: text/plain, Size: 1254 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Johan Hovold <jhovold@gmail.com>
[ Upstream commit d551ec9b690f3de65b0091a2e767f1382adc792d ]
Fix bug in device-type detection on big-endian machines originally
introduced by commit 0eafe4de ("USB: serial: mos7840: add support for
MCS7810 devices") which always matched on little-endian product ids.
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/mos7840.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
index ebb3429..dc46df5 100644
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -2407,7 +2407,7 @@ static int mos7810_check(struct usb_serial *serial)
static int mos7840_probe(struct usb_serial *serial,
const struct usb_device_id *id)
{
- u16 product = serial->dev->descriptor.idProduct;
+ u16 product = le16_to_cpu(serial->dev->descriptor.idProduct);
u8 *buf;
int device_type;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [209/251] USB: mos7720: fix broken control requests
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (206 preceding siblings ...)
2013-09-11 4:30 ` [208/251] USB: mos7840: fix big-endian probe Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [210/251] USB: keyspan: fix null-deref at disconnect and release Steven Rostedt
` (42 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Johan Hovold, Greg Kroah-Hartman
[-- Attachment #1: 0209-USB-mos7720-fix-broken-control-requests.patch --]
[-- Type: text/plain, Size: 2724 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Johan Hovold <jhovold@gmail.com>
[ Upstream commit ef6c8c1d733e244f0499035be0dabe1f4ed98c6f ]
The parallel-port code of the drivers used a stack allocated
control-request buffer for asynchronous (and possibly deferred) control
requests. This not only violates the no-DMA-from-stack requirement but
could also lead to corrupt control requests being submitted.
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/mos7720.c | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
index b691404..3d3b53d 100644
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -97,6 +97,7 @@ struct urbtracker {
struct list_head urblist_entry;
struct kref ref_count;
struct urb *urb;
+ struct usb_ctrlrequest *setup;
};
enum mos7715_pp_modes {
@@ -278,6 +279,7 @@ static void destroy_urbtracker(struct kref *kref)
struct mos7715_parport *mos_parport = urbtrack->mos_parport;
usb_free_urb(urbtrack->urb);
+ kfree(urbtrack->setup);
kfree(urbtrack);
kref_put(&mos_parport->ref_count, destroy_mos_parport);
}
@@ -360,7 +362,6 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
struct urbtracker *urbtrack;
int ret_val;
unsigned long flags;
- struct usb_ctrlrequest setup;
struct usb_serial *serial = mos_parport->serial;
struct usb_device *usbdev = serial->dev;
@@ -378,14 +379,20 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
kfree(urbtrack);
return -ENOMEM;
}
- setup.bRequestType = (__u8)0x40;
- setup.bRequest = (__u8)0x0e;
- setup.wValue = get_reg_value(reg, dummy);
- setup.wIndex = get_reg_index(reg);
- setup.wLength = 0;
+ urbtrack->setup = kmalloc(sizeof(*urbtrack->setup), GFP_KERNEL);
+ if (!urbtrack->setup) {
+ usb_free_urb(urbtrack->urb);
+ kfree(urbtrack);
+ return -ENOMEM;
+ }
+ urbtrack->setup->bRequestType = (__u8)0x40;
+ urbtrack->setup->bRequest = (__u8)0x0e;
+ urbtrack->setup->wValue = get_reg_value(reg, dummy);
+ urbtrack->setup->wIndex = get_reg_index(reg);
+ urbtrack->setup->wLength = 0;
usb_fill_control_urb(urbtrack->urb, usbdev,
usb_sndctrlpipe(usbdev, 0),
- (unsigned char *)&setup,
+ (unsigned char *)urbtrack->setup,
NULL, 0, async_complete, urbtrack);
kref_init(&urbtrack->ref_count);
INIT_LIST_HEAD(&urbtrack->urblist_entry);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [210/251] USB: keyspan: fix null-deref at disconnect and release
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (207 preceding siblings ...)
2013-09-11 4:30 ` [209/251] USB: mos7720: fix broken control requests Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [211/251] USB-Serial: Fix error handling of usb_wwan Steven Rostedt
` (41 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Johan Hovold, Greg Kroah-Hartman
[-- Attachment #1: 0210-USB-keyspan-fix-null-deref-at-disconnect-and-release.patch --]
[-- Type: text/plain, Size: 1163 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Johan Hovold <jhovold@gmail.com>
[ Upstream commit ff8a43c10f1440f07a5faca0c1556921259f7f76 ]
Make sure to fail properly if the device is not accepted during attach
in order to avoid null-pointer derefs (of missing interface private
data) at disconnect or release.
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/keyspan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
index caf85ab..c9e3455 100644
--- a/drivers/usb/serial/keyspan.c
+++ b/drivers/usb/serial/keyspan.c
@@ -2389,7 +2389,7 @@ static int keyspan_startup(struct usb_serial *serial)
if (d_details == NULL) {
dev_err(&serial->dev->dev, "%s - unknown product id %x\n",
__func__, le16_to_cpu(serial->dev->descriptor.idProduct));
- return 1;
+ return -ENODEV;
}
/* Setup private data for serial driver */
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [211/251] USB-Serial: Fix error handling of usb_wwan
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (208 preceding siblings ...)
2013-09-11 4:30 ` [210/251] USB: keyspan: fix null-deref at disconnect and release Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [212/251] wusbcore: fix kernel panic when disconnecting a wireless USB->serial device Steven Rostedt
` (40 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Matt Burtch, Greg Kroah-Hartman
[-- Attachment #1: 0211-USB-Serial-Fix-error-handling-of-usb_wwan.patch --]
[-- Type: text/plain, Size: 1784 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Matt Burtch <matt@grid-net.com>
[ Upstream commit 6c1ee66a0b2bdbd64c078fba684d640cf2fd38a9 ]
This fixes an issue where the bulk-in urb used for incoming data transfer
is not resubmitted if the packet recieved contains an error status. This
results in the driver locking until the port is closed and re-opened.
Tested on a custom board with a Cinterion GSM module.
Signed-off-by: Matt Burtch <matt@grid-net.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/serial/usb_wwan.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/usb/serial/usb_wwan.c b/drivers/usb/serial/usb_wwan.c
index 188b5b3..5e9e1df 100644
--- a/drivers/usb/serial/usb_wwan.c
+++ b/drivers/usb/serial/usb_wwan.c
@@ -299,18 +299,18 @@ static void usb_wwan_indat_callback(struct urb *urb)
tty_kref_put(tty);
}
- /* Resubmit urb so we continue receiving */
- err = usb_submit_urb(urb, GFP_ATOMIC);
- if (err) {
- if (err != -EPERM) {
- printk(KERN_ERR "%s: resubmit read urb failed. "
- "(%d)", __func__, err);
- /* busy also in error unless we are killed */
- usb_mark_last_busy(port->serial->dev);
- }
- } else {
+ }
+ /* Resubmit urb so we continue receiving */
+ err = usb_submit_urb(urb, GFP_ATOMIC);
+ if (err) {
+ if (err != -EPERM) {
+ printk(KERN_ERR "%s: resubmit read urb failed. (%d)\n",
+ __func__, err);
+ /* busy also in error unless we are killed */
usb_mark_last_busy(port->serial->dev);
}
+ } else {
+ usb_mark_last_busy(port->serial->dev);
}
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [212/251] wusbcore: fix kernel panic when disconnecting a wireless USB->serial device
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (209 preceding siblings ...)
2013-09-11 4:30 ` [211/251] USB-Serial: Fix error handling of usb_wwan Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [213/251] ARM: 7809/1: perf: fix event validation for software group leaders Steven Rostedt
` (39 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Thomas Pugliese, Greg Kroah-Hartman
[-- Attachment #1: 0212-wusbcore-fix-kernel-panic-when-disconnecting-a-wirel.patch --]
[-- Type: text/plain, Size: 2326 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Thomas Pugliese <thomas.pugliese@gmail.com>
[ Upstream commit ec58fad1feb76c323ef47efff1d1e8660ed4644c ]
This patch fixes a kernel panic that can occur when disconnecting a
wireless USB->serial device. When the serial device disconnects, the
device cleanup procedure ends up calling usb_hcd_disable_endpoint on the
serial device's endpoints. The wusbcore uses the ABORT_RPIPE command to
abort all transfers on the given endpoint but it does not properly give
back the URBs when the transfer results return from the HWA. This patch
prevents the transfer result processing code from bailing out when it sees
a WA_XFER_STATUS_ABORTED result code so that these urbs are flushed
properly by usb_hcd_disable_endpoint. It also updates wa_urb_dequeue to
handle the case where the endpoint has already been cleaned up when
usb_kill_urb is called which is where the panic originally occurred.
Signed-off-by: Thomas Pugliese <thomas.pugliese@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/usb/wusbcore/wa-xfer.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
index 57c01ab..1ebc17e 100644
--- a/drivers/usb/wusbcore/wa-xfer.c
+++ b/drivers/usb/wusbcore/wa-xfer.c
@@ -1110,6 +1110,12 @@ int wa_urb_dequeue(struct wahc *wa, struct urb *urb)
}
spin_lock_irqsave(&xfer->lock, flags);
rpipe = xfer->ep->hcpriv;
+ if (rpipe == NULL) {
+ pr_debug("%s: xfer id 0x%08X has no RPIPE. %s",
+ __func__, wa_xfer_id(xfer),
+ "Probably already aborted.\n" );
+ goto out_unlock;
+ }
/* Check the delayed list -> if there, release and complete */
spin_lock_irqsave(&wa->xfer_list_lock, flags2);
if (!list_empty(&xfer->list_node) && xfer->seg == NULL)
@@ -1493,8 +1499,7 @@ static void wa_xfer_result_cb(struct urb *urb)
break;
}
usb_status = xfer_result->bTransferStatus & 0x3f;
- if (usb_status == WA_XFER_STATUS_ABORTED
- || usb_status == WA_XFER_STATUS_NOT_FOUND)
+ if (usb_status == WA_XFER_STATUS_NOT_FOUND)
/* taken care of already */
break;
xfer_id = xfer_result->dwTransferID;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [213/251] ARM: 7809/1: perf: fix event validation for software group leaders
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (210 preceding siblings ...)
2013-09-11 4:30 ` [212/251] wusbcore: fix kernel panic when disconnecting a wireless USB->serial device Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [214/251] m68k/atari: ARAnyM - Fix NatFeat module support Steven Rostedt
` (38 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Vince Weaver, Mark Rutland, Will Deacon, Russell King
[-- Attachment #1: 0213-ARM-7809-1-perf-fix-event-validation-for-software-gr.patch --]
[-- Type: text/plain, Size: 1887 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Will Deacon <will.deacon@arm.com>
[ Upstream commit c95eb3184ea1a3a2551df57190c81da695e2144b ]
It is possible to construct an event group with a software event as a
group leader and then subsequently add a hardware event to the group.
This results in the event group being validated by adding all members
of the group to a fake PMU and attempting to allocate each event on
their respective PMU.
Unfortunately, for software events wthout a corresponding arm_pmu, this
results in a kernel crash attempting to dereference the ->get_event_idx
function pointer.
This patch fixes the problem by checking explicitly for software events
and ignoring those in event validation (since they can always be
scheduled). We will probably want to revisit this for 3.12, since the
validation checks don't appear to work correctly when dealing with
multiple hardware PMUs anyway.
Cc: <stable@vger.kernel.org>
Reported-by: Vince Weaver <vincent.weaver@maine.edu>
Tested-by: Vince Weaver <vincent.weaver@maine.edu>
Tested-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/arm/kernel/perf_event.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
index 22a022a..7cdecea 100644
--- a/arch/arm/kernel/perf_event.c
+++ b/arch/arm/kernel/perf_event.c
@@ -321,6 +321,9 @@ validate_event(struct pmu_hw_events *hw_events,
struct hw_perf_event fake_event = event->hw;
struct pmu *leader_pmu = event->group_leader->pmu;
+ if (is_software_event(event))
+ return 1;
+
if (event->pmu != leader_pmu || event->state < PERF_EVENT_STATE_OFF)
return 1;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [214/251] m68k/atari: ARAnyM - Fix NatFeat module support
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (211 preceding siblings ...)
2013-09-11 4:30 ` [213/251] ARM: 7809/1: perf: fix event validation for software group leaders Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [215/251] jbd2: Fix use after free after error in jbd2_journal_dirty_metadata() Steven Rostedt
` (37 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Thorsten Glaser, Geert Uytterhoeven
[-- Attachment #1: 0214-m68k-atari-ARAnyM-Fix-NatFeat-module-support.patch --]
[-- Type: text/plain, Size: 2335 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert@linux-m68k.org>
[ Upstream commit e8184e10f89736a23ea6eea8e24cd524c5c513d2 ]
As pointed out by Andreas Schwab, pointers passed to ARAnyM NatFeat calls
should be physical addresses, not virtual addresses.
Fortunately on Atari, physical and virtual kernel addresses are the same,
as long as normal kernel memory is concerned, so this usually worked fine
without conversion.
But for modules, pointers to literal strings are located in vmalloc()ed
memory. Depending on the version of ARAnyM, this causes the nf_get_id()
call to just fail, or worse, crash ARAnyM itself with e.g.
Gotcha! Illegal memory access. Atari PC = $968c
This is a big issue for distro kernels, who want to have all drivers as
loadable modules in an initrd.
Add a wrapper for nf_get_id() that copies the literal to the stack to
work around this issue.
Reported-by: Thorsten Glaser <tg@debian.org>
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/m68k/emu/natfeat.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/arch/m68k/emu/natfeat.c b/arch/m68k/emu/natfeat.c
index 2291a7d..fa277ae 100644
--- a/arch/m68k/emu/natfeat.c
+++ b/arch/m68k/emu/natfeat.c
@@ -18,9 +18,11 @@
#include <asm/machdep.h>
#include <asm/natfeat.h>
+extern long nf_get_id2(const char *feature_name);
+
asm("\n"
-" .global nf_get_id,nf_call\n"
-"nf_get_id:\n"
+" .global nf_get_id2,nf_call\n"
+"nf_get_id2:\n"
" .short 0x7300\n"
" rts\n"
"nf_call:\n"
@@ -29,12 +31,25 @@ asm("\n"
"1: moveq.l #0,%d0\n"
" rts\n"
" .section __ex_table,\"a\"\n"
-" .long nf_get_id,1b\n"
+" .long nf_get_id2,1b\n"
" .long nf_call,1b\n"
" .previous");
-EXPORT_SYMBOL_GPL(nf_get_id);
EXPORT_SYMBOL_GPL(nf_call);
+long nf_get_id(const char *feature_name)
+{
+ /* feature_name may be in vmalloc()ed memory, so make a copy */
+ char name_copy[32];
+ size_t n;
+
+ n = strlcpy(name_copy, feature_name, sizeof(name_copy));
+ if (n >= sizeof(name_copy))
+ return 0;
+
+ return nf_get_id2(name_copy);
+}
+EXPORT_SYMBOL_GPL(nf_get_id);
+
void nfprint(const char *fmt, ...)
{
static char buf[256];
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [215/251] jbd2: Fix use after free after error in jbd2_journal_dirty_metadata()
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (212 preceding siblings ...)
2013-09-11 4:30 ` [214/251] m68k/atari: ARAnyM - Fix NatFeat module support Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [216/251] ACPI: add _STA evaluation at do_acpi_find_child() Steven Rostedt
` (36 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sage Weil, Jan Kara, Theodore Tso
[-- Attachment #1: 0215-jbd2-Fix-use-after-free-after-error-in-jbd2_journal_.patch --]
[-- Type: text/plain, Size: 1757 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
[ Upstream commit 91aa11fae1cf8c2fd67be0609692ea9741cdcc43 ]
When jbd2_journal_dirty_metadata() returns error,
__ext4_handle_dirty_metadata() stops the handle. However callers of this
function do not count with that fact and still happily used now freed
handle. This use after free can result in various issues but very likely
we oops soon.
The motivation of adding __ext4_journal_stop() into
__ext4_handle_dirty_metadata() in commit 9ea7a0df seems to be only to
improve error reporting. So replace __ext4_journal_stop() with
ext4_journal_abort_handle() which was there before that commit and add
WARN_ON_ONCE() to dump stack to provide useful information.
Reported-by: Sage Weil <sage@inktank.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org # 3.2+
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/ext4/ext4_jbd2.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c
index b4323ba..6d7abb1 100644
--- a/fs/ext4/ext4_jbd2.c
+++ b/fs/ext4/ext4_jbd2.c
@@ -109,10 +109,10 @@ int __ext4_handle_dirty_metadata(const char *where, unsigned int line,
if (ext4_handle_valid(handle)) {
err = jbd2_journal_dirty_metadata(handle, bh);
- if (err) {
- /* Errors can only happen if there is a bug */
- handle->h_err = err;
- __ext4_journal_stop(where, line, handle);
+ /* Errors can only happen if there is a bug */
+ if (WARN_ON_ONCE(err)) {
+ ext4_journal_abort_handle(where, line, __func__, bh,
+ handle, err);
}
} else {
if (inode)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [216/251] ACPI: add _STA evaluation at do_acpi_find_child()
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (213 preceding siblings ...)
2013-09-11 4:30 ` [215/251] jbd2: Fix use after free after error in jbd2_journal_dirty_metadata() Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [217/251] xen/smp: initialize IPI vectors before marking CPU online Steven Rostedt
` (35 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jeff Wu, Rafael J. Wysocki
[-- Attachment #1: 0216-ACPI-add-_STA-evaluation-at-do_acpi_find_child.patch --]
[-- Type: text/plain, Size: 2294 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jeff Wu <zlinuxkernel@gmail.com>
[ Upstream commit c7d9ca90aa9497f0b6e301ec67c52dd4b57a7852 ]
Once do_acpi_find_child() has found the first matching handle, it
makes the acpi_get_child() loop stop and return that handle. On some
platforms, though, there are multiple devices with the same value of
"_ADR" in the same namespace scope, and if one of them is enabled,
the others will be disabled. For example:
Address : 0x1FFFF ; path : SB_PCI0.SATA.DEV0
Address : 0x1FFFF ; path : SB_PCI0.SATA.DEV1
Address : 0x1FFFF ; path : SB_PCI0.SATA.DEV2
If DEV0 and DEV1 are disabled and DEV2 is enabled, the handle of DEV2
should be returned, but actually the function always returns the
handle of DEV0.
To address that issue, make do_acpi_find_child() evaluate _STA to
check the device status. If a matching device object exists, but is
disabled, acpi_get_child() will continue to walk the namespace in the
hope of finding an enabled one. If one is found, its handle will be
returned, but otherwise the function will return the handle of the
disabled object found before (in case it is enabled going forward).
[rjw: Changelog]
Signed-off-by: Jeff Wu <zlinuxkernel@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/acpi/glue.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/acpi/glue.c b/drivers/acpi/glue.c
index 6eff12f..a166b9d 100644
--- a/drivers/acpi/glue.c
+++ b/drivers/acpi/glue.c
@@ -91,13 +91,15 @@ static int acpi_find_bridge_device(struct device *dev, acpi_handle * handle)
static acpi_status do_acpi_find_child(acpi_handle handle, u32 lvl_not_used,
void *addr_p, void **ret_p)
{
- unsigned long long addr;
+ unsigned long long addr, sta;
acpi_status status;
status = acpi_evaluate_integer(handle, METHOD_NAME__ADR, NULL, &addr);
if (ACPI_SUCCESS(status) && addr == *((u64 *)addr_p)) {
*ret_p = handle;
- return AE_CTRL_TERMINATE;
+ status = acpi_bus_get_status_handle(handle, &sta);
+ if (ACPI_SUCCESS(status) && (sta & ACPI_STA_DEVICE_ENABLED))
+ return AE_CTRL_TERMINATE;
}
return AE_OK;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [217/251] xen/smp: initialize IPI vectors before marking CPU online
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (214 preceding siblings ...)
2013-09-11 4:30 ` [216/251] ACPI: add _STA evaluation at do_acpi_find_child() Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [218/251] zd1201: do not use stack as URB transfer_buffer Steven Rostedt
` (34 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Srivatsa S. Bhat, Konrad Rzeszutek Wilk
[-- Attachment #1: 0217-xen-smp-initialize-IPI-vectors-before-marking-CPU-on.patch --]
[-- Type: text/plain, Size: 6304 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Chuck Anderson <chuck.anderson@oracle.com>
[ Upstream commit fc78d343fa74514f6fd117b5ef4cd27e4ac30236 ]
An older PVHVM guest (v3.0 based) crashed during vCPU hot-plug with:
kernel BUG at drivers/xen/events.c:1328!
RCU has detected that a CPU has not entered a quiescent state within the
grace period. It needs to send the CPU a reschedule IPI if it is not
offline. rcu_implicit_offline_qs() does this check:
/*
* If the CPU is offline, it is in a quiescent state. We can
* trust its state not to change because interrupts are disabled.
*/
if (cpu_is_offline(rdp->cpu)) {
rdp->offline_fqs++;
return 1;
}
Else the CPU is online. Send it a reschedule IPI.
The CPU is in the middle of being hot-plugged and has been marked online
(!cpu_is_offline()). See start_secondary():
set_cpu_online(smp_processor_id(), true);
...
per_cpu(cpu_state, smp_processor_id()) = CPU_ONLINE;
start_secondary() then waits for the CPU bringing up the hot-plugged CPU to
mark it as active:
/*
* Wait until the cpu which brought this one up marked it
* online before enabling interrupts. If we don't do that then
* we can end up waking up the softirq thread before this cpu
* reached the active state, which makes the scheduler unhappy
* and schedule the softirq thread on the wrong cpu. This is
* only observable with forced threaded interrupts, but in
* theory it could also happen w/o them. It's just way harder
* to achieve.
*/
while (!cpumask_test_cpu(smp_processor_id(), cpu_active_mask))
cpu_relax();
/* enable local interrupts */
local_irq_enable();
The CPU being hot-plugged will be marked active after it has been fully
initialized by the CPU managing the hot-plug. In the Xen PVHVM case
xen_smp_intr_init() is called to set up the hot-plugged vCPU's
XEN_RESCHEDULE_VECTOR.
The hot-plugging CPU is marked online, not marked active and does not have
its IPI vectors set up. rcu_implicit_offline_qs() sees the hot-plugging
cpu is !cpu_is_offline() and tries to send it a reschedule IPI:
This will lead to:
kernel BUG at drivers/xen/events.c:1328!
xen_send_IPI_one()
xen_smp_send_reschedule()
rcu_implicit_offline_qs()
rcu_implicit_dynticks_qs()
force_qs_rnp()
force_quiescent_state()
__rcu_process_callbacks()
rcu_process_callbacks()
__do_softirq()
call_softirq()
do_softirq()
irq_exit()
xen_evtchn_do_upcall()
because xen_send_IPI_one() will attempt to use an uninitialized IRQ for
the XEN_RESCHEDULE_VECTOR.
There is at least one other place that has caused the same crash:
xen_smp_send_reschedule()
wake_up_idle_cpu()
add_timer_on()
clocksource_watchdog()
call_timer_fn()
run_timer_softirq()
__do_softirq()
call_softirq()
do_softirq()
irq_exit()
xen_evtchn_do_upcall()
xen_hvm_callback_vector()
clocksource_watchdog() uses cpu_online_mask to pick the next CPU to handle
a watchdog timer:
/*
* Cycle through CPUs to check if the CPUs stay synchronized
* to each other.
*/
next_cpu = cpumask_next(raw_smp_processor_id(), cpu_online_mask);
if (next_cpu >= nr_cpu_ids)
next_cpu = cpumask_first(cpu_online_mask);
watchdog_timer.expires += WATCHDOG_INTERVAL;
add_timer_on(&watchdog_timer, next_cpu);
This resulted in an attempt to send an IPI to a hot-plugging CPU that
had not initialized its reschedule vector. One option would be to make
the RCU code check to not check for CPU offline but for CPU active.
As becoming active is done after a CPU is online (in older kernels).
But Srivatsa pointed out that "the cpu_active vs cpu_online ordering has been
completely reworked - in the online path, cpu_active is set *before* cpu_online,
and also, in the cpu offline path, the cpu_active bit is reset in the CPU_DYING
notification instead of CPU_DOWN_PREPARE." Drilling in this the bring-up
path: "[brought up CPU].. send out a CPU_STARTING notification, and in response
to that, the scheduler sets the CPU in the cpu_active_mask. Again, this mask
is better left to the scheduler alone, since it has the intelligence to use it
judiciously."
The conclusion was that:
"
1. At the IPI sender side:
It is incorrect to send an IPI to an offline CPU (cpu not present in
the cpu_online_mask). There are numerous places where we check this
and warn/complain.
2. At the IPI receiver side:
It is incorrect to let the world know of our presence (by setting
ourselves in global bitmasks) until our initialization steps are complete
to such an extent that we can handle the consequences (such as
receiving interrupts without crashing the sender etc.)
" (from Srivatsa)
As the native code enables the interrupts at some point we need to be
able to service them. In other words a CPU must have valid IPI vectors
if it has been marked online.
It doesn't need to handle the IPI (interrupts may be disabled) but needs
to have valid IPI vectors because another CPU may find it in cpu_online_mask
and attempt to send it an IPI.
This patch will change the order of the Xen vCPU bring-up functions so that
Xen vectors have been set up before start_secondary() is called.
It also will not continue to bring up a Xen vCPU if xen_smp_intr_init() fails
to initialize it.
Orabug 13823853
Signed-off-by Chuck Anderson <chuck.anderson@oracle.com>
Acked-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/x86/xen/smp.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
index 76bce6e..72701ac 100644
--- a/arch/x86/xen/smp.c
+++ b/arch/x86/xen/smp.c
@@ -663,8 +663,15 @@ static void __init xen_hvm_smp_prepare_cpus(unsigned int max_cpus)
static int __cpuinit xen_hvm_cpu_up(unsigned int cpu, struct task_struct *tidle)
{
int rc;
- rc = native_cpu_up(cpu, tidle);
- WARN_ON (xen_smp_intr_init(cpu));
+ /*
+ * xen_smp_intr_init() needs to run before native_cpu_up()
+ * so that IPI vectors are set up on the booting CPU before
+ * it is marked online in native_cpu_up().
+ */
+ rc = xen_smp_intr_init(cpu);
+ WARN_ON(rc);
+ if (!rc)
+ rc = native_cpu_up(cpu, tidle);
return rc;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [218/251] zd1201: do not use stack as URB transfer_buffer
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (215 preceding siblings ...)
2013-09-11 4:30 ` [217/251] xen/smp: initialize IPI vectors before marking CPU online Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [219/251] xen/events: initialize local per-cpu mask for all possible events Steven Rostedt
` (33 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jussi Kivilinna, John W. Linville
[-- Attachment #1: 0218-zd1201-do-not-use-stack-as-URB-transfer_buffer.patch --]
[-- Type: text/plain, Size: 1251 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
[ Upstream commit 1206ff4ff9d2ef7468a355328bc58ac6ebf5be44 ]
Patch fixes zd1201 not to use stack as URB transfer_buffer. URB buffers need
to be DMA-able, which stack is not.
Patch is only compile tested.
Cc: stable@vger.kernel.org
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/zd1201.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
index 48273dd..4312eca 100644
--- a/drivers/net/wireless/zd1201.c
+++ b/drivers/net/wireless/zd1201.c
@@ -98,10 +98,12 @@ static int zd1201_fw_upload(struct usb_device *dev, int apfw)
goto exit;
err = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), 0x4,
- USB_DIR_IN | 0x40, 0,0, &ret, sizeof(ret), ZD1201_FW_TIMEOUT);
+ USB_DIR_IN | 0x40, 0, 0, buf, sizeof(ret), ZD1201_FW_TIMEOUT);
if (err < 0)
goto exit;
+ memcpy(&ret, buf, sizeof(ret));
+
if (ret & 0x80) {
err = -EIO;
goto exit;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [219/251] xen/events: initialize local per-cpu mask for all possible events
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (216 preceding siblings ...)
2013-09-11 4:30 ` [218/251] zd1201: do not use stack as URB transfer_buffer Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [220/251] ARM: davinci: nand: specify ecc strength Steven Rostedt
` (32 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: David Vrabel, Konrad Rzeszutek Wilk
[-- Attachment #1: 0219-xen-events-initialize-local-per-cpu-mask-for-all-pos.patch --]
[-- Type: text/plain, Size: 1671 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: David Vrabel <david.vrabel@citrix.com>
[ Upstream commit 84ca7a8e45dafb49cd5ca90a343ba033e2885c17 ]
The sizeof() argument in init_evtchn_cpu_bindings() is incorrect
resulting in only the first 64 (or 32 in 32-bit guests) ports having
their bindings being initialized to VCPU 0.
In most cases this does not cause a problem as request_irq() will set
the irq affinity which will set the correct local per-cpu mask.
However, if the request_irq() is called on a VCPU other than 0, there
is a window between the unmasking of the event and the affinity being
set were an event may be lost because it is not locally unmasked on
any VCPU. If request_irq() is called on VCPU 0 then local irqs are
disabled during the window and the race does not occur.
Fix this by initializing all NR_EVENT_CHANNEL bits in the local
per-cpu masks.
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
CC: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/xen/events.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/xen/events.c b/drivers/xen/events.c
index 99c5345..3987f6f 100644
--- a/drivers/xen/events.c
+++ b/drivers/xen/events.c
@@ -324,7 +324,7 @@ static void init_evtchn_cpu_bindings(void)
for_each_possible_cpu(i)
memset(per_cpu(cpu_evtchn_mask, i),
- (i == 0) ? ~0 : 0, sizeof(*per_cpu(cpu_evtchn_mask, i)));
+ (i == 0) ? ~0 : 0, NR_EVENT_CHANNELS/8);
}
static inline void clear_evtchn(int port)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [220/251] ARM: davinci: nand: specify ecc strength
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (217 preceding siblings ...)
2013-09-11 4:30 ` [219/251] xen/events: initialize local per-cpu mask for all possible events Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [221/251] ARM: at91/DT: fix at91sam9n12ek memory node Steven Rostedt
` (31 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Holger Freyther, Sekhar Nori, Kevin Hilman
[-- Attachment #1: 0220-ARM-davinci-nand-specify-ecc-strength.patch --]
[-- Type: text/plain, Size: 3063 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Sekhar Nori <nsekhar@ti.com>
[ Upstream commit acd36357edc08649e85ff15dc4ed62353c912eff ]
Starting with kernel v3.5, it is mandatory
to specify ECC strength when using hardware
ECC. Without this, kernel panics with a warning
of the sort:
Driver must set ecc.strength when using hardware ECC
------------[ cut here ]------------
kernel BUG at drivers/mtd/nand/nand_base.c:3519!
Fix this by specifying ECC strength for the boards
which were missing this.
Reported-by: Holger Freyther <holger@freyther.de>
Cc: <stable@vger.kernel.org> #v3.5+
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Kevin Hilman <khilman@linaro.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/arm/mach-davinci/board-dm355-leopard.c | 1 +
arch/arm/mach-davinci/board-dm644x-evm.c | 1 +
arch/arm/mach-davinci/board-dm646x-evm.c | 1 +
arch/arm/mach-davinci/board-neuros-osd2.c | 1 +
4 files changed, 4 insertions(+)
diff --git a/arch/arm/mach-davinci/board-dm355-leopard.c b/arch/arm/mach-davinci/board-dm355-leopard.c
index 8e77032..eeeb81f 100644
--- a/arch/arm/mach-davinci/board-dm355-leopard.c
+++ b/arch/arm/mach-davinci/board-dm355-leopard.c
@@ -75,6 +75,7 @@ static struct davinci_nand_pdata davinci_nand_data = {
.parts = davinci_nand_partitions,
.nr_parts = ARRAY_SIZE(davinci_nand_partitions),
.ecc_mode = NAND_ECC_HW_SYNDROME,
+ .ecc_bits = 4,
.bbt_options = NAND_BBT_USE_FLASH,
};
diff --git a/arch/arm/mach-davinci/board-dm644x-evm.c b/arch/arm/mach-davinci/board-dm644x-evm.c
index d34ed55..87a904f 100644
--- a/arch/arm/mach-davinci/board-dm644x-evm.c
+++ b/arch/arm/mach-davinci/board-dm644x-evm.c
@@ -152,6 +152,7 @@ static struct davinci_nand_pdata davinci_evm_nandflash_data = {
.parts = davinci_evm_nandflash_partition,
.nr_parts = ARRAY_SIZE(davinci_evm_nandflash_partition),
.ecc_mode = NAND_ECC_HW,
+ .ecc_bits = 1,
.bbt_options = NAND_BBT_USE_FLASH,
.timing = &davinci_evm_nandflash_timing,
};
diff --git a/arch/arm/mach-davinci/board-dm646x-evm.c b/arch/arm/mach-davinci/board-dm646x-evm.c
index 958679a..5d4b51f 100644
--- a/arch/arm/mach-davinci/board-dm646x-evm.c
+++ b/arch/arm/mach-davinci/board-dm646x-evm.c
@@ -89,6 +89,7 @@ static struct davinci_nand_pdata davinci_nand_data = {
.parts = davinci_nand_partitions,
.nr_parts = ARRAY_SIZE(davinci_nand_partitions),
.ecc_mode = NAND_ECC_HW,
+ .ecc_bits = 1,
.options = 0,
};
diff --git a/arch/arm/mach-davinci/board-neuros-osd2.c b/arch/arm/mach-davinci/board-neuros-osd2.c
index f6b9fc7..58d902a 100644
--- a/arch/arm/mach-davinci/board-neuros-osd2.c
+++ b/arch/arm/mach-davinci/board-neuros-osd2.c
@@ -88,6 +88,7 @@ static struct davinci_nand_pdata davinci_ntosd2_nandflash_data = {
.parts = davinci_ntosd2_nandflash_partition,
.nr_parts = ARRAY_SIZE(davinci_ntosd2_nandflash_partition),
.ecc_mode = NAND_ECC_HW,
+ .ecc_bits = 1,
.bbt_options = NAND_BBT_USE_FLASH,
};
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [221/251] ARM: at91/DT: fix at91sam9n12ek memory node
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (218 preceding siblings ...)
2013-09-11 4:30 ` [220/251] ARM: davinci: nand: specify ecc strength Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [222/251] ARM: 7816/1: CONFIG_KUSER_HELPERS: fix help text Steven Rostedt
` (30 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Nicolas Ferre
[-- Attachment #1: 0221-ARM-at91-DT-fix-at91sam9n12ek-memory-node.patch --]
[-- Type: text/plain, Size: 1061 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Nicolas Ferre <nicolas.ferre@atmel.com>
[ Upstream commit a57603ca2871ee0773b00839c1ea35c4a2d3eeb0 ]
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Cc: stable <stable@vger.kernel.org> # 3.5+
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/arm/boot/dts/at91sam9n12ek.dts | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm/boot/dts/at91sam9n12ek.dts b/arch/arm/boot/dts/at91sam9n12ek.dts
index f4e43e3..84d8bdb 100644
--- a/arch/arm/boot/dts/at91sam9n12ek.dts
+++ b/arch/arm/boot/dts/at91sam9n12ek.dts
@@ -14,11 +14,11 @@
compatible = "atmel,at91sam9n12ek", "atmel,at91sam9n12", "atmel,at91sam9";
chosen {
- bootargs = "mem=128M console=ttyS0,115200 root=/dev/mtdblock1 rw rootfstype=jffs2";
+ bootargs = "console=ttyS0,115200 root=/dev/mtdblock1 rw rootfstype=jffs2";
};
memory {
- reg = <0x20000000 0x10000000>;
+ reg = <0x20000000 0x8000000>;
};
clocks {
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [222/251] ARM: 7816/1: CONFIG_KUSER_HELPERS: fix help text
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (219 preceding siblings ...)
2013-09-11 4:30 ` [221/251] ARM: at91/DT: fix at91sam9n12ek memory node Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [223/251] drm/i915: Invalidate TLBs for the rings after a reset Steven Rostedt
` (29 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Nicolas Pitre, Russell King
[-- Attachment #1: 0222-ARM-7816-1-CONFIG_KUSER_HELPERS-fix-help-text.patch --]
[-- Type: text/plain, Size: 1926 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Nicolas Pitre <nicolas.pitre@linaro.org>
[ Upstream commit ac124504ecf6b20a2457d873d0728a8b991a5b0c ]
Commit f6f91b0d9fd9 ("ARM: allow kuser helpers to be removed from the
vector page") introduced some help text for the CONFIG_KUSER_HELPERS
option which is rather contradictory.
Let's fix that, and improve it a little.
Cc: <stable@vger.kernel.org>
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/arm/mm/Kconfig | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
index 8d194df..6c5a533 100644
--- a/arch/arm/mm/Kconfig
+++ b/arch/arm/mm/Kconfig
@@ -768,15 +768,18 @@ config KUSER_HELPERS
the CPU type fitted to the system. This permits binaries to be
run on ARMv4 through to ARMv7 without modification.
+ See Documentation/arm/kernel_user_helpers.txt for details.
+
However, the fixed address nature of these helpers can be used
by ROP (return orientated programming) authors when creating
exploits.
If all of the binaries and libraries which run on your platform
are built specifically for your platform, and make no use of
- these helpers, then you can turn this option off. However,
- when such an binary or library is run, it will receive a SIGILL
- signal, which will terminate the program.
+ these helpers, then you can turn this option off to hinder
+ such exploits. However, in that case, if a binary or library
+ relying on those helpers is run, it will receive a SIGILL signal,
+ which will terminate the program.
Say N here only if you are absolutely certain that you do not
need these helpers; otherwise, the safe option is to say Y.
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [223/251] drm/i915: Invalidate TLBs for the rings after a reset
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (220 preceding siblings ...)
2013-09-11 4:30 ` [222/251] ARM: 7816/1: CONFIG_KUSER_HELPERS: fix help text Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [224/251] of: fdt: fix memory initialization for expanded DT Steven Rostedt
` (28 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Thiago Macieira, Chris Wilson, Daniel Vetter
[-- Attachment #1: 0223-drm-i915-Invalidate-TLBs-for-the-rings-after-a-reset.patch --]
[-- Type: text/plain, Size: 2650 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Chris Wilson <chris@chris-wilson.co.uk>
[ Upstream commit 884020bf3d2a3787a1cc6df902e98e0eec60330b ]
After any "soft gfx reset" we must manually invalidate the TLBs
associated with each ring. Empirically, it seems that a
suspend/resume or D3-D0 cycle count as a "soft reset". The symptom is
that the hardware would fail to note the new address for its status
page, and so it would continue to write the shadow registers and
breadcrumbs into the old physical address (now used by something
completely different, scary). Whereas the driver would read the new
status page and never see any progress, it would appear that the GPU
hung immediately upon resume.
Based on a patch by naresh kumar kachhi <naresh.kumar.kacchi@intel.com>
Reported-by: Thiago Macieira <thiago@kde.org>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=64725
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Tested-by: Thiago Macieira <thiago@kde.org>
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/gpu/drm/i915/i915_reg.h | 2 ++
drivers/gpu/drm/i915/intel_ringbuffer.c | 12 ++++++++++++
2 files changed, 14 insertions(+)
diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
index 3814aa3..bbdb976 100644
--- a/drivers/gpu/drm/i915/i915_reg.h
+++ b/drivers/gpu/drm/i915/i915_reg.h
@@ -575,6 +575,8 @@
will not assert AGPBUSY# and will only
be delivered when out of C3. */
#define INSTPM_FORCE_ORDERING (1<<7) /* GEN6+ */
+#define INSTPM_TLB_INVALIDATE (1<<9)
+#define INSTPM_SYNC_FLUSH (1<<5)
#define ACTHD 0x020c8
#define FW_BLC 0x020d8
#define FW_BLC2 0x020dc
diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c b/drivers/gpu/drm/i915/intel_ringbuffer.c
index e2a73b3..77ee475 100644
--- a/drivers/gpu/drm/i915/intel_ringbuffer.c
+++ b/drivers/gpu/drm/i915/intel_ringbuffer.c
@@ -793,6 +793,18 @@ void intel_ring_setup_status_page(struct intel_ring_buffer *ring)
I915_WRITE(mmio, (u32)ring->status_page.gfx_addr);
POSTING_READ(mmio);
+
+ /* Flush the TLB for this page */
+ if (INTEL_INFO(dev)->gen >= 6) {
+ u32 reg = RING_INSTPM(ring->mmio_base);
+ I915_WRITE(reg,
+ _MASKED_BIT_ENABLE(INSTPM_TLB_INVALIDATE |
+ INSTPM_SYNC_FLUSH));
+ if (wait_for((I915_READ(reg) & INSTPM_SYNC_FLUSH) == 0,
+ 1000))
+ DRM_ERROR("%s: wait for SyncFlush to complete for TLB invalidation timed out\n",
+ ring->name);
+ }
}
static int
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [224/251] of: fdt: fix memory initialization for expanded DT
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (221 preceding siblings ...)
2013-09-11 4:30 ` [223/251] drm/i915: Invalidate TLBs for the rings after a reset Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [225/251] nilfs2: remove double bio_put() in nilfs_end_bio_write() for BIO_EOPNOTSUPP error Steven Rostedt
` (27 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Wladislav Wiebe, Alexander Sverdlin, Rob Herring
[-- Attachment #1: 0224-of-fdt-fix-memory-initialization-for-expanded-DT.patch --]
[-- Type: text/plain, Size: 2057 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Wladislav Wiebe <wladislav.kw@gmail.com>
[ Upstream commit 9e40127526e857fa3f29d51e83277204fbdfc6ba ]
Already existing property flags are filled wrong for properties created from
initial FDT. This could cause problems if this DYNAMIC device-tree functions
are used later, i.e. properties are attached/detached/replaced. Simply dumping
flags from the running system show, that some initial static (not allocated via
kzmalloc()) nodes are marked as dynamic.
I putted some debug extensions to property_proc_show(..) :
..
+ if (OF_IS_DYNAMIC(pp))
+ pr_err("DEBUG: xxx : OF_IS_DYNAMIC\n");
+ if (OF_IS_DETACHED(pp))
+ pr_err("DEBUG: xxx : OF_IS_DETACHED\n");
when you operate on the nodes (e.g.: ~$ cat /proc/device-tree/*some_node*) you
will see that those flags are filled wrong, basically in most cases it will dump
a DYNAMIC or DETACHED status, which is in not true.
(BTW. this OF_IS_DETACHED is a own define for debug purposes which which just
make a test_bit(OF_DETACHED, &x->_flags)
If nodes are dynamic kernel is allowed to kfree() them. But it will crash
attempting to do so on the nodes from FDT -- they are not allocated via
kzmalloc().
Signed-off-by: Wladislav Wiebe <wladislav.kw@gmail.com>
Acked-by: Alexander Sverdlin <alexander.sverdlin@nsn.com>
Cc: stable@vger.kernel.org
Signed-off-by: Rob Herring <rob.herring@calxeda.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/of/fdt.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 91a375f..17fad3b 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -390,6 +390,8 @@ static void __unflatten_device_tree(struct boot_param_header *blob,
mem = (unsigned long)
dt_alloc(size + 4, __alignof__(struct device_node));
+ memset((void *)mem, 0, size);
+
((__be32 *)mem)[size / 4] = cpu_to_be32(0xdeadbeef);
pr_debug(" unflattening %lx...\n", mem);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [225/251] nilfs2: remove double bio_put() in nilfs_end_bio_write() for BIO_EOPNOTSUPP error
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (222 preceding siblings ...)
2013-09-11 4:30 ` [224/251] of: fdt: fix memory initialization for expanded DT Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [226/251] nilfs2: fix issue with counting number of bio requests for BIO_EOPNOTSUPP error detection Steven Rostedt
` (26 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Vyacheslav Dubeyko, Dan Carpenter, Ryusuke Konishi, Andrew Morton
[-- Attachment #1: 0225-nilfs2-remove-double-bio_put-in-nilfs_end_bio_write-.patch --]
[-- Type: text/plain, Size: 1349 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Vyacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit 2df37a19c686c2d7c4e9b4ce1505b5141e3e5552 ]
Remove double call of bio_put() in nilfs_end_bio_write() for the case of
BIO_EOPNOTSUPP error detection. The issue was found by Dan Carpenter
and he suggests first version of the fix too.
Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Tested-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/nilfs2/segbuf.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/nilfs2/segbuf.c b/fs/nilfs2/segbuf.c
index dc9a913..5bacf46 100644
--- a/fs/nilfs2/segbuf.c
+++ b/fs/nilfs2/segbuf.c
@@ -345,8 +345,7 @@ static void nilfs_end_bio_write(struct bio *bio, int err)
if (err == -EOPNOTSUPP) {
set_bit(BIO_EOPNOTSUPP, &bio->bi_flags);
- bio_put(bio);
- /* to be detected by submit_seg_bio() */
+ /* to be detected by nilfs_segbuf_submit_bio() */
}
if (!uptodate)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [226/251] nilfs2: fix issue with counting number of bio requests for BIO_EOPNOTSUPP error detection
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (223 preceding siblings ...)
2013-09-11 4:30 ` [225/251] nilfs2: remove double bio_put() in nilfs_end_bio_write() for BIO_EOPNOTSUPP error Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [227/251] drivers/platform/olpc/olpc-ec.c: initialise earlier Steven Rostedt
` (25 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Vyacheslav Dubeyko, Dan Carpenter, Ryusuke Konishi, Andrew Morton
[-- Attachment #1: 0226-nilfs2-fix-issue-with-counting-number-of-bio-request.patch --]
[-- Type: text/plain, Size: 1795 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Vyacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit 4bf93b50fd04118ac7f33a3c2b8a0a1f9fa80bc9 ]
Fix the issue with improper counting number of flying bio requests for
BIO_EOPNOTSUPP error detection case.
The sb_nbio must be incremented exactly the same number of times as
complete() function was called (or will be called) because
nilfs_segbuf_wait() will call wail_for_completion() for the number of
times set to sb_nbio:
do {
wait_for_completion(&segbuf->sb_bio_event);
} while (--segbuf->sb_nbio > 0);
Two functions complete() and wait_for_completion() must be called the
same number of times for the same sb_bio_event. Otherwise,
wait_for_completion() will hang or leak.
Signed-off-by: Vyacheslav Dubeyko <slava@dubeyko.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Tested-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/nilfs2/segbuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nilfs2/segbuf.c b/fs/nilfs2/segbuf.c
index 5bacf46..2d8be51 100644
--- a/fs/nilfs2/segbuf.c
+++ b/fs/nilfs2/segbuf.c
@@ -376,12 +376,12 @@ static int nilfs_segbuf_submit_bio(struct nilfs_segment_buffer *segbuf,
bio->bi_private = segbuf;
bio_get(bio);
submit_bio(mode, bio);
+ segbuf->sb_nbio++;
if (bio_flagged(bio, BIO_EOPNOTSUPP)) {
bio_put(bio);
err = -EOPNOTSUPP;
goto failed;
}
- segbuf->sb_nbio++;
bio_put(bio);
wi->bio = NULL;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [227/251] drivers/platform/olpc/olpc-ec.c: initialise earlier
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (224 preceding siblings ...)
2013-09-11 4:30 ` [226/251] nilfs2: fix issue with counting number of bio requests for BIO_EOPNOTSUPP error detection Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [228/251] sata_fsl: save irqs while coalescing Steven Rostedt
` (24 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Daniel Drake, Andres Salomon, Paul Fox, Thomas Gleixner, Andrew Morton
[-- Attachment #1: 0227-drivers-platform-olpc-olpc-ec.c-initialise-earlier.patch --]
[-- Type: text/plain, Size: 1973 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Daniel Drake <dsd@laptop.org>
[ Upstream commit 93dbc1b3b506e16c1f6d5b5dcfe756a85cb1dc58 ]
Being a low-level component, various drivers (e.g. olpc-battery) assume
that it is ok to communicate with the OLPC Embedded Controller during
probe. Therefore the OLPC EC driver must be initialised before other
drivers try to use it. This was the case until it was recently moved
out of arch/x86 and restructured around commits ac2504151f5a ("Platform:
OLPC: turn EC driver into a platform_driver") and 85f90cf6ca56 ("x86:
OLPC: switch over to using new EC driver on x86").
Use arch_initcall so that olpc-ec is readied earlier, matching the
previous behaviour.
Fixes a regression introduced in Linux-3.6 where various drivers such as
olpc-battery and olpc-xo1-sci failed to load due to an inability to
communicate with the EC. The user-visible effect was a lack of battery
monitoring, missing ebook/lid switch input devices, etc.
Signed-off-by: Daniel Drake <dsd@laptop.org>
Cc: Andres Salomon <dilinger@queued.net>
Cc: Paul Fox <pgf@laptop.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/platform/olpc/olpc-ec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/olpc/olpc-ec.c b/drivers/platform/olpc/olpc-ec.c
index 0f9f859..f911952 100644
--- a/drivers/platform/olpc/olpc-ec.c
+++ b/drivers/platform/olpc/olpc-ec.c
@@ -330,7 +330,7 @@ static int __init olpc_ec_init_module(void)
return platform_driver_register(&olpc_ec_plat_driver);
}
-module_init(olpc_ec_init_module);
+arch_initcall(olpc_ec_init_module);
MODULE_AUTHOR("Andres Salomon <dilinger@queued.net>");
MODULE_LICENSE("GPL");
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [228/251] sata_fsl: save irqs while coalescing
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (225 preceding siblings ...)
2013-09-11 4:30 ` [227/251] drivers/platform/olpc/olpc-ec.c: initialise earlier Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [229/251] Hostap: copying wrong data prism2_ioctl_giwaplist() Steven Rostedt
` (23 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Anthony Foiani, Tejun Heo
[-- Attachment #1: 0228-sata_fsl-save-irqs-while-coalescing.patch --]
[-- Type: text/plain, Size: 5992 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Anthony Foiani <anthony.foiani@gmail.com>
[ Upstream commit 99bbdfa6bdcb4bdf5be914a48e9b46941bf30819 ]
Before this patch, I was seeing the following lockdep splat on my
MPC8315 (PPC32) target:
[ 9.086051] =================================
[ 9.090393] [ INFO: inconsistent lock state ]
[ 9.094744] 3.9.7-ajf-gc39503d #1 Not tainted
[ 9.099087] ---------------------------------
[ 9.103432] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
[ 9.109431] scsi_eh_1/39 [HC1[1]:SC0[0]:HE0:SE1] takes:
[ 9.114642] (&(&host->lock)->rlock){?.+...}, at: [<c02f4168>] sata_fsl_interrupt+0x50/0x250
[ 9.123137] {HARDIRQ-ON-W} state was registered at:
[ 9.128004] [<c006cdb8>] lock_acquire+0x90/0xf4
[ 9.132737] [<c043ef04>] _raw_spin_lock+0x34/0x4c
[ 9.137645] [<c02f3560>] fsl_sata_set_irq_coalescing+0x68/0x100
[ 9.143750] [<c02f36a0>] sata_fsl_init_controller+0xa8/0xc0
[ 9.149505] [<c02f3f10>] sata_fsl_probe+0x17c/0x2e8
[ 9.154568] [<c02acc90>] driver_probe_device+0x90/0x248
[ 9.159987] [<c02acf0c>] __driver_attach+0xc4/0xc8
[ 9.164964] [<c02aae74>] bus_for_each_dev+0x5c/0xa8
[ 9.170028] [<c02ac218>] bus_add_driver+0x100/0x26c
[ 9.175091] [<c02ad638>] driver_register+0x88/0x198
[ 9.180155] [<c0003a24>] do_one_initcall+0x58/0x1b4
[ 9.185226] [<c05aeeac>] kernel_init_freeable+0x118/0x1c0
[ 9.190823] [<c0004110>] kernel_init+0x18/0x108
[ 9.195542] [<c000f6b8>] ret_from_kernel_thread+0x64/0x6c
[ 9.201142] irq event stamp: 160
[ 9.204366] hardirqs last enabled at (159): [<c043f778>] _raw_spin_unlock_irq+0x30/0x50
[ 9.212469] hardirqs last disabled at (160): [<c000f414>] reenable_mmu+0x30/0x88
[ 9.219867] softirqs last enabled at (144): [<c002ae5c>] __do_softirq+0x168/0x218
[ 9.227435] softirqs last disabled at (137): [<c002b0d4>] irq_exit+0xa8/0xb4
[ 9.234481]
[ 9.234481] other info that might help us debug this:
[ 9.240995] Possible unsafe locking scenario:
[ 9.240995]
[ 9.246898] CPU0
[ 9.249337] ----
[ 9.251776] lock(&(&host->lock)->rlock);
[ 9.255878] <Interrupt>
[ 9.258492] lock(&(&host->lock)->rlock);
[ 9.262765]
[ 9.262765] *** DEADLOCK ***
[ 9.262765]
[ 9.268684] no locks held by scsi_eh_1/39.
[ 9.272767]
[ 9.272767] stack backtrace:
[ 9.277117] Call Trace:
[ 9.279589] [cfff9da0] [c0008504] show_stack+0x48/0x150 (unreliable)
[ 9.285972] [cfff9de0] [c0447d5c] print_usage_bug.part.35+0x268/0x27c
[ 9.292425] [cfff9e10] [c006ace4] mark_lock+0x2ac/0x658
[ 9.297660] [cfff9e40] [c006b7e4] __lock_acquire+0x754/0x1840
[ 9.303414] [cfff9ee0] [c006cdb8] lock_acquire+0x90/0xf4
[ 9.308745] [cfff9f20] [c043ef04] _raw_spin_lock+0x34/0x4c
[ 9.314250] [cfff9f30] [c02f4168] sata_fsl_interrupt+0x50/0x250
[ 9.320187] [cfff9f70] [c0079ff0] handle_irq_event_percpu+0x90/0x254
[ 9.326547] [cfff9fc0] [c007a1fc] handle_irq_event+0x48/0x78
[ 9.332220] [cfff9fe0] [c007c95c] handle_level_irq+0x9c/0x104
[ 9.337981] [cfff9ff0] [c000d978] call_handle_irq+0x18/0x28
[ 9.343568] [cc7139f0] [c000608c] do_IRQ+0xf0/0x1a8
[ 9.348464] [cc713a20] [c000fc8c] ret_from_except+0x0/0x14
[ 9.353983] --- Exception: 501 at _raw_spin_unlock_irq+0x40/0x50
[ 9.353983] LR = _raw_spin_unlock_irq+0x30/0x50
[ 9.364839] [cc713af0] [c043db10] wait_for_common+0xac/0x188
[ 9.370513] [cc713b30] [c02ddee4] ata_exec_internal_sg+0x2b0/0x4f0
[ 9.376699] [cc713be0] [c02de18c] ata_exec_internal+0x68/0xa8
[ 9.382454] [cc713c20] [c02de4b8] ata_dev_read_id+0x158/0x594
[ 9.388205] [cc713ca0] [c02ec244] ata_eh_recover+0xd88/0x13d0
[ 9.393962] [cc713d20] [c02f2520] sata_pmp_error_handler+0xc0/0x8ac
[ 9.400234] [cc713dd0] [c02ecdc8] ata_scsi_port_error_handler+0x464/0x5e8
[ 9.407023] [cc713e10] [c02ecfd0] ata_scsi_error+0x84/0xb8
[ 9.412528] [cc713e40] [c02c4974] scsi_error_handler+0xd8/0x47c
[ 9.418457] [cc713eb0] [c004737c] kthread+0xa8/0xac
[ 9.423355] [cc713f40] [c000f6b8] ret_from_kernel_thread+0x64/0x6c
This fix was suggested by Bhushan Bharat <R65777@freescale.com>, and
was discussed in email at:
http://linuxppc.10917.n7.nabble.com/MPC8315-reboot-failure-lockdep-splat-possibly-related-tp75162.html
Same patch successfully tested with 3.9.7. linux-next compiled but
not tested on hardware.
This patch is based off linux-next tag next-20130819
(which is commit 66a01bae29d11916c09f9f5a937cafe7d402e4a5 )
Signed-off-by: Anthony Foiani <anthony.foiani@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/ata/sata_fsl.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c
index d6577b9..a3f0bbd 100644
--- a/drivers/ata/sata_fsl.c
+++ b/drivers/ata/sata_fsl.c
@@ -290,6 +290,7 @@ static void fsl_sata_set_irq_coalescing(struct ata_host *host,
{
struct sata_fsl_host_priv *host_priv = host->private_data;
void __iomem *hcr_base = host_priv->hcr_base;
+ unsigned long flags;
if (count > ICC_MAX_INT_COUNT_THRESHOLD)
count = ICC_MAX_INT_COUNT_THRESHOLD;
@@ -302,12 +303,12 @@ static void fsl_sata_set_irq_coalescing(struct ata_host *host,
(count > ICC_MIN_INT_COUNT_THRESHOLD))
ticks = ICC_SAFE_INT_TICKS;
- spin_lock(&host->lock);
+ spin_lock_irqsave(&host->lock, flags);
iowrite32((count << 24 | ticks), hcr_base + ICC);
intr_coalescing_count = count;
intr_coalescing_ticks = ticks;
- spin_unlock(&host->lock);
+ spin_unlock_irqrestore(&host->lock, flags);
DPRINTK("intrrupt coalescing, count = 0x%x, ticks = %x\n",
intr_coalescing_count, intr_coalescing_ticks);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [229/251] Hostap: copying wrong data prism2_ioctl_giwaplist()
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (226 preceding siblings ...)
2013-09-11 4:30 ` [228/251] sata_fsl: save irqs while coalescing Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [230/251] libata: apply behavioral quirks to sil3826 PMP Steven Rostedt
` (22 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Dan Carpenter, John W. Linville
[-- Attachment #1: 0229-Hostap-copying-wrong-data-prism2_ioctl_giwaplist.patch --]
[-- Type: text/plain, Size: 1401 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 909bd5926d474e275599094acad986af79671ac9 ]
We want the data stored in "addr" and "qual", but the extra ampersands
mean we are copying stack data instead.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/hostap/hostap_ioctl.c b/drivers/net/wireless/hostap/hostap_ioctl.c
index 18054d9..dbec2ff 100644
--- a/drivers/net/wireless/hostap/hostap_ioctl.c
+++ b/drivers/net/wireless/hostap/hostap_ioctl.c
@@ -522,9 +522,9 @@ static int prism2_ioctl_giwaplist(struct net_device *dev,
data->length = prism2_ap_get_sta_qual(local, addr, qual, IW_MAX_AP, 1);
- memcpy(extra, &addr, sizeof(struct sockaddr) * data->length);
+ memcpy(extra, addr, sizeof(struct sockaddr) * data->length);
data->flags = 1; /* has quality information */
- memcpy(extra + sizeof(struct sockaddr) * data->length, &qual,
+ memcpy(extra + sizeof(struct sockaddr) * data->length, qual,
sizeof(struct iw_quality) * data->length);
kfree(addr);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [230/251] libata: apply behavioral quirks to sil3826 PMP
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (227 preceding siblings ...)
2013-09-11 4:30 ` [229/251] Hostap: copying wrong data prism2_ioctl_giwaplist() Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [231/251] iwlwifi: dvm: fix calling ieee80211_chswitch_done() with NULL Steven Rostedt
` (21 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Terry Suereth, Tejun Heo
[-- Attachment #1: 0230-libata-apply-behavioral-quirks-to-sil3826-PMP.patch --]
[-- Type: text/plain, Size: 2469 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Terry Suereth <terry.suereth@gmail.com>
[ Upstream commit 8ffff94d20b7eb446e848e0046107d51b17a20a8 ]
Fixing support for the Silicon Image 3826 port multiplier, by applying
to it the same quirks applied to the Silicon Image 3726. Specifically
fixes the repeated timeout/reset process which previously afflicted
the 3726, as described from line 290. Slightly based on notes from:
https://bugzilla.redhat.com/show_bug.cgi?id=890237
Signed-off-by: Terry Suereth <terry.suereth@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/ata/libata-pmp.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/ata/libata-pmp.c b/drivers/ata/libata-pmp.c
index 1c41722..20fd337 100644
--- a/drivers/ata/libata-pmp.c
+++ b/drivers/ata/libata-pmp.c
@@ -289,24 +289,24 @@ static int sata_pmp_configure(struct ata_device *dev, int print_info)
/* Disable sending Early R_OK.
* With "cached read" HDD testing and multiple ports busy on a SATA
- * host controller, 3726 PMP will very rarely drop a deferred
+ * host controller, 3x26 PMP will very rarely drop a deferred
* R_OK that was intended for the host. Symptom will be all
* 5 drives under test will timeout, get reset, and recover.
*/
- if (vendor == 0x1095 && devid == 0x3726) {
+ if (vendor == 0x1095 && (devid == 0x3726 || devid == 0x3826)) {
u32 reg;
err_mask = sata_pmp_read(&ap->link, PMP_GSCR_SII_POL, ®);
if (err_mask) {
rc = -EIO;
- reason = "failed to read Sil3726 Private Register";
+ reason = "failed to read Sil3x26 Private Register";
goto fail;
}
reg &= ~0x1;
err_mask = sata_pmp_write(&ap->link, PMP_GSCR_SII_POL, reg);
if (err_mask) {
rc = -EIO;
- reason = "failed to write Sil3726 Private Register";
+ reason = "failed to write Sil3x26 Private Register";
goto fail;
}
}
@@ -383,8 +383,8 @@ static void sata_pmp_quirks(struct ata_port *ap)
u16 devid = sata_pmp_gscr_devid(gscr);
struct ata_link *link;
- if (vendor == 0x1095 && devid == 0x3726) {
- /* sil3726 quirks */
+ if (vendor == 0x1095 && (devid == 0x3726 || devid == 0x3826)) {
+ /* sil3x26 quirks */
ata_for_each_link(link, ap, EDGE) {
/* link reports offline after LPM */
link->flags |= ATA_LFLAG_NO_LPM;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [231/251] iwlwifi: dvm: fix calling ieee80211_chswitch_done() with NULL
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (228 preceding siblings ...)
2013-09-11 4:30 ` [230/251] libata: apply behavioral quirks to sil3826 PMP Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [232/251] iwlwifi: pcie: disable L1 Active after pci_enable_device Steven Rostedt
` (20 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Lukasz Jagiello, Stanislaw Gruszka, Emmanuel Grumbach, Johannes Berg
[-- Attachment #1: 0231-iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with.patch --]
[-- Type: text/plain, Size: 2553 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <sgruszka@redhat.com>
[ Upstream commit 9186a1fd9ed190739423db84bc344d258ef3e3d7 ]
If channel switch is pending and we remove interface we can
crash like showed below due to passing NULL vif to mac80211:
BUG: unable to handle kernel paging request at fffffffffffff8cc
IP: [<ffffffff8130924d>] strnlen+0xd/0x40
Call Trace:
[<ffffffff8130ad2e>] string.isra.3+0x3e/0xd0
[<ffffffff8130bf99>] vsnprintf+0x219/0x640
[<ffffffff8130c481>] vscnprintf+0x11/0x30
[<ffffffff81061585>] vprintk_emit+0x115/0x4f0
[<ffffffff81657bd5>] printk+0x61/0x63
[<ffffffffa048987f>] ieee80211_chswitch_done+0xaf/0xd0 [mac80211]
[<ffffffffa04e7b34>] iwl_chswitch_done+0x34/0x40 [iwldvm]
[<ffffffffa04f83c3>] iwlagn_commit_rxon+0x2a3/0xdc0 [iwldvm]
[<ffffffffa04ebc50>] ? iwlagn_set_rxon_chain+0x180/0x2c0 [iwldvm]
[<ffffffffa04e5e76>] iwl_set_mode+0x36/0x40 [iwldvm]
[<ffffffffa04e5f0d>] iwlagn_mac_remove_interface+0x8d/0x1b0 [iwldvm]
[<ffffffffa0459b3d>] ieee80211_do_stop+0x29d/0x7f0 [mac80211]
This is because we nulify ctx->vif in iwlagn_mac_remove_interface()
before calling some other functions that teardown interface. To fix
just check ctx->vif on iwl_chswitch_done(). We should not call
ieee80211_chswitch_done() as channel switch works were already canceled
by mac80211 in ieee80211_do_stop() -> ieee80211_mgd_stop().
Resolve:
https://bugzilla.redhat.com/show_bug.cgi?id=979581
Cc: stable@vger.kernel.org
Reported-by: Lukasz Jagiello <jagiello.lukasz@gmail.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/iwlwifi/dvm/mac80211.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/iwlwifi/dvm/mac80211.c b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
index 7a2cf52..515376d 100644
--- a/drivers/net/wireless/iwlwifi/dvm/mac80211.c
+++ b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
@@ -941,7 +941,10 @@ void iwl_chswitch_done(struct iwl_priv *priv, bool is_success)
if (test_bit(STATUS_EXIT_PENDING, &priv->status))
return;
- if (test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status))
+ if (!test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status))
+ return;
+
+ if (ctx->vif)
ieee80211_chswitch_done(ctx->vif, is_success);
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [232/251] iwlwifi: pcie: disable L1 Active after pci_enable_device
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (229 preceding siblings ...)
2013-09-11 4:30 ` [231/251] iwlwifi: dvm: fix calling ieee80211_chswitch_done() with NULL Steven Rostedt
@ 2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:31 ` [233/251] zfcp: fix lock imbalance by reworking request queue locking Steven Rostedt
` (19 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Arjan van de Ven, Emmanuel Grumbach, Johannes Berg
[-- Attachment #1: 0232-iwlwifi-pcie-disable-L1-Active-after-pci_enable_devi.patch --]
[-- Type: text/plain, Size: 1814 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
[ Upstream commit eabc4ac5d7606a57ee2b7308cb7323ea8f60183b ]
As Arjan pointed out, we mustn't do anything related to PCI
configuration until the device is properly enabled with
pci_enable_device().
Cc: stable@vger.kernel.org
Reported-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/iwlwifi/pcie/trans.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c
index dbeebef..d7eeb96 100644
--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
+++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
@@ -2100,16 +2100,16 @@ struct iwl_trans *iwl_trans_pcie_alloc(struct pci_dev *pdev,
spin_lock_init(&trans_pcie->irq_lock);
init_waitqueue_head(&trans_pcie->ucode_write_waitq);
- /* W/A - seems to solve weird behavior. We need to remove this if we
- * don't want to stay in L1 all the time. This wastes a lot of power */
- pci_disable_link_state(pdev, PCIE_LINK_STATE_L0S | PCIE_LINK_STATE_L1 |
- PCIE_LINK_STATE_CLKPM);
-
if (pci_enable_device(pdev)) {
err = -ENODEV;
goto out_no_pci;
}
+ /* W/A - seems to solve weird behavior. We need to remove this if we
+ * don't want to stay in L1 all the time. This wastes a lot of power */
+ pci_disable_link_state(pdev, PCIE_LINK_STATE_L0S | PCIE_LINK_STATE_L1 |
+ PCIE_LINK_STATE_CLKPM);
+
pci_set_master(pdev);
err = pci_set_dma_mask(pdev, DMA_BIT_MASK(36));
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [233/251] zfcp: fix lock imbalance by reworking request queue locking
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (230 preceding siblings ...)
2013-09-11 4:30 ` [232/251] iwlwifi: pcie: disable L1 Active after pci_enable_device Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [234/251] zfcp: fix schedule-inside-lock in scsi_device list loops Steven Rostedt
` (18 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Mikulas Patocka, Heiko Carstens, Martin Peschke, Steffen Maier,
James Bottomley
[-- Attachment #1: 0233-zfcp-fix-lock-imbalance-by-reworking-request-queue-l.patch --]
[-- Type: text/plain, Size: 5949 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Martin Peschke <mpeschke@linux.vnet.ibm.com>
[ Upstream commit d79ff142624e1be080ad8d09101f7004d79c36e1 ]
This patch adds wait_event_interruptible_lock_irq_timeout(), which is a
straight-forward descendant of wait_event_interruptible_timeout() and
wait_event_interruptible_lock_irq().
The zfcp driver used to call wait_event_interruptible_timeout()
in combination with some intricate and error-prone locking. Using
wait_event_interruptible_lock_irq_timeout() as a replacement
nicely cleans up that locking.
This rework removes a situation that resulted in a locking imbalance
in zfcp_qdio_sbal_get():
BUG: workqueue leaked lock or atomic: events/1/0xffffff00/10
last function: zfcp_fc_wka_port_offline+0x0/0xa0 [zfcp]
It was introduced by commit c2af7545aaff3495d9bf9a7608c52f0af86fb194
"[SCSI] zfcp: Do not wait for SBALs on stopped queue", which had a new
code path related to ZFCP_STATUS_ADAPTER_QDIOUP that took an early exit
without a required lock being held. The problem occured when a
special, non-SCSI I/O request was being submitted in process context,
when the adapter's queues had been torn down. In this case the bug
surfaced when the Fibre Channel port connection for a well-known address
was closed during a concurrent adapter shut-down procedure, which is a
rare constellation.
This patch also fixes these warnings from the sparse tool (make C=1):
drivers/s390/scsi/zfcp_qdio.c:224:12: warning: context imbalance in
'zfcp_qdio_sbal_check' - wrong count at exit
drivers/s390/scsi/zfcp_qdio.c:244:5: warning: context imbalance in
'zfcp_qdio_sbal_get' - unexpected unlock
Last but not least, we get rid of that crappy lock-unlock-lock
sequence at the beginning of the critical section.
It is okay to call zfcp_erp_adapter_reopen() with req_q_lock held.
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Peschke <mpeschke@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org #2.6.35+
Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/s390/scsi/zfcp_qdio.c | 8 ++----
include/linux/wait.h | 57 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 59 insertions(+), 6 deletions(-)
diff --git a/drivers/s390/scsi/zfcp_qdio.c b/drivers/s390/scsi/zfcp_qdio.c
index 50b5615..925fb1f 100644
--- a/drivers/s390/scsi/zfcp_qdio.c
+++ b/drivers/s390/scsi/zfcp_qdio.c
@@ -224,11 +224,9 @@ int zfcp_qdio_sbals_from_sg(struct zfcp_qdio *qdio, struct zfcp_qdio_req *q_req,
static int zfcp_qdio_sbal_check(struct zfcp_qdio *qdio)
{
- spin_lock_irq(&qdio->req_q_lock);
if (atomic_read(&qdio->req_q_free) ||
!(atomic_read(&qdio->adapter->status) & ZFCP_STATUS_ADAPTER_QDIOUP))
return 1;
- spin_unlock_irq(&qdio->req_q_lock);
return 0;
}
@@ -246,9 +244,8 @@ int zfcp_qdio_sbal_get(struct zfcp_qdio *qdio)
{
long ret;
- spin_unlock_irq(&qdio->req_q_lock);
- ret = wait_event_interruptible_timeout(qdio->req_q_wq,
- zfcp_qdio_sbal_check(qdio), 5 * HZ);
+ ret = wait_event_interruptible_lock_irq_timeout(qdio->req_q_wq,
+ zfcp_qdio_sbal_check(qdio), qdio->req_q_lock, 5 * HZ);
if (!(atomic_read(&qdio->adapter->status) & ZFCP_STATUS_ADAPTER_QDIOUP))
return -EIO;
@@ -262,7 +259,6 @@ int zfcp_qdio_sbal_get(struct zfcp_qdio *qdio)
zfcp_erp_adapter_reopen(qdio->adapter, 0, "qdsbg_1");
}
- spin_lock_irq(&qdio->req_q_lock);
return -EIO;
}
diff --git a/include/linux/wait.h b/include/linux/wait.h
index 6c6c20e..e4683e0 100644
--- a/include/linux/wait.h
+++ b/include/linux/wait.h
@@ -571,6 +571,63 @@ do { \
__wait_event_killable(wq, condition, __ret); \
__ret; \
})
+#define __wait_event_interruptible_lock_irq_timeout(wq, condition, \
+ lock, ret) \
+do { \
+ DEFINE_WAIT(__wait); \
+ \
+ for (;;) { \
+ prepare_to_wait(&wq, &__wait, TASK_INTERRUPTIBLE); \
+ if (condition) \
+ break; \
+ if (signal_pending(current)) { \
+ ret = -ERESTARTSYS; \
+ break; \
+ } \
+ spin_unlock_irq(&lock); \
+ ret = schedule_timeout(ret); \
+ spin_lock_irq(&lock); \
+ if (!ret) \
+ break; \
+ } \
+ finish_wait(&wq, &__wait); \
+} while (0)
+
+/**
+ * wait_event_interruptible_lock_irq_timeout - sleep until a condition gets true or a timeout elapses.
+ * The condition is checked under the lock. This is expected
+ * to be called with the lock taken.
+ * @wq: the waitqueue to wait on
+ * @condition: a C expression for the event to wait for
+ * @lock: a locked spinlock_t, which will be released before schedule()
+ * and reacquired afterwards.
+ * @timeout: timeout, in jiffies
+ *
+ * The process is put to sleep (TASK_INTERRUPTIBLE) until the
+ * @condition evaluates to true or signal is received. The @condition is
+ * checked each time the waitqueue @wq is woken up.
+ *
+ * wake_up() has to be called after changing any variable that could
+ * change the result of the wait condition.
+ *
+ * This is supposed to be called while holding the lock. The lock is
+ * dropped before going to sleep and is reacquired afterwards.
+ *
+ * The function returns 0 if the @timeout elapsed, -ERESTARTSYS if it
+ * was interrupted by a signal, and the remaining jiffies otherwise
+ * if the condition evaluated to true before the timeout elapsed.
+ */
+#define wait_event_interruptible_lock_irq_timeout(wq, condition, lock, \
+ timeout) \
+({ \
+ int __ret = timeout; \
+ \
+ if (!(condition)) \
+ __wait_event_interruptible_lock_irq_timeout( \
+ wq, condition, lock, __ret); \
+ __ret; \
+})
+
/*
* These are the old interfaces to sleep waiting for an event.
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [234/251] zfcp: fix schedule-inside-lock in scsi_device list loops
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (231 preceding siblings ...)
2013-09-11 4:31 ` [233/251] zfcp: fix lock imbalance by reworking request queue locking Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [235/251] sg: Fix user memory corruption when SG_IO is interrupted by a signal Steven Rostedt
` (17 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Christian Borntraeger, Martin Peschke, Steffen Maier, James Bottomley
[-- Attachment #1: 0234-zfcp-fix-schedule-inside-lock-in-scsi_device-list-lo.patch --]
[-- Type: text/plain, Size: 6812 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Martin Peschke <mpeschke@linux.vnet.ibm.com>
[ Upstream commit 924dd584b198a58aa7cb3efefd8a03326550ce8f ]
BUG: sleeping function called from invalid context at kernel/workqueue.c:2752
in_atomic(): 1, irqs_disabled(): 1, pid: 360, name: zfcperp0.0.1700
CPU: 1 Not tainted 3.9.3+ #69
Process zfcperp0.0.1700 (pid: 360, task: 0000000075b7e080, ksp: 000000007476bc30)
<snip>
Call Trace:
([<00000000001165de>] show_trace+0x106/0x154)
[<00000000001166a0>] show_stack+0x74/0xf4
[<00000000006ff646>] dump_stack+0xc6/0xd4
[<000000000017f3a0>] __might_sleep+0x128/0x148
[<000000000015ece8>] flush_work+0x54/0x1f8
[<00000000001630de>] __cancel_work_timer+0xc6/0x128
[<00000000005067ac>] scsi_device_dev_release_usercontext+0x164/0x23c
[<0000000000161816>] execute_in_process_context+0x96/0xa8
[<00000000004d33d8>] device_release+0x60/0xc0
[<000000000048af48>] kobject_release+0xa8/0x1c4
[<00000000004f4bf2>] __scsi_iterate_devices+0xfa/0x130
[<000003ff801b307a>] zfcp_erp_strategy+0x4da/0x1014 [zfcp]
[<000003ff801b3caa>] zfcp_erp_thread+0xf6/0x2b0 [zfcp]
[<000000000016b75a>] kthread+0xf2/0xfc
[<000000000070c9de>] kernel_thread_starter+0x6/0xc
[<000000000070c9d8>] kernel_thread_starter+0x0/0xc
Apparently, the ref_count for some scsi_device drops down to zero,
triggering device removal through execute_in_process_context(), while
the lldd error recovery thread iterates through a scsi device list.
Unfortunately, execute_in_process_context() decides to immediately
execute that device removal function, instead of scheduling asynchronous
execution, since it detects process context and thinks it is safe to do
so. But almost all calls to shost_for_each_device() in our lldd are
inside spin_lock_irq, even in thread context. Obviously, schedule()
inside spin_lock_irq sections is a bad idea.
Change the lldd to use the proper iterator function,
__shost_for_each_device(), in combination with required locking.
Occurences that need to be changed include all calls in zfcp_erp.c,
since those might be executed in zfcp error recovery thread context
with a lock held.
Other occurences of shost_for_each_device() in zfcp_fsf.c do not
need to be changed (no process context, no surrounding locking).
The problem was introduced in Linux 2.6.37 by commit
b62a8d9b45b971a67a0f8413338c230e3117dff5
"[SCSI] zfcp: Use SCSI device data zfcp_scsi_dev instead of zfcp_unit".
Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Martin Peschke <mpeschke@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org #2.6.37+
Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/s390/scsi/zfcp_erp.c | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
index 92d3df6..e36fc02 100644
--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -102,10 +102,13 @@ static void zfcp_erp_action_dismiss_port(struct zfcp_port *port)
if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_INUSE)
zfcp_erp_action_dismiss(&port->erp_action);
- else
- shost_for_each_device(sdev, port->adapter->scsi_host)
+ else {
+ spin_lock(port->adapter->scsi_host->host_lock);
+ __shost_for_each_device(sdev, port->adapter->scsi_host)
if (sdev_to_zfcp(sdev)->port == port)
zfcp_erp_action_dismiss_lun(sdev);
+ spin_unlock(port->adapter->scsi_host->host_lock);
+ }
}
static void zfcp_erp_action_dismiss_adapter(struct zfcp_adapter *adapter)
@@ -592,9 +595,11 @@ static void _zfcp_erp_lun_reopen_all(struct zfcp_port *port, int clear,
{
struct scsi_device *sdev;
- shost_for_each_device(sdev, port->adapter->scsi_host)
+ spin_lock(port->adapter->scsi_host->host_lock);
+ __shost_for_each_device(sdev, port->adapter->scsi_host)
if (sdev_to_zfcp(sdev)->port == port)
_zfcp_erp_lun_reopen(sdev, clear, id, 0);
+ spin_unlock(port->adapter->scsi_host->host_lock);
}
static void zfcp_erp_strategy_followup_failed(struct zfcp_erp_action *act)
@@ -1435,8 +1440,10 @@ void zfcp_erp_set_adapter_status(struct zfcp_adapter *adapter, u32 mask)
atomic_set_mask(common_mask, &port->status);
read_unlock_irqrestore(&adapter->port_list_lock, flags);
- shost_for_each_device(sdev, adapter->scsi_host)
+ spin_lock_irqsave(adapter->scsi_host->host_lock, flags);
+ __shost_for_each_device(sdev, adapter->scsi_host)
atomic_set_mask(common_mask, &sdev_to_zfcp(sdev)->status);
+ spin_unlock_irqrestore(adapter->scsi_host->host_lock, flags);
}
/**
@@ -1470,11 +1477,13 @@ void zfcp_erp_clear_adapter_status(struct zfcp_adapter *adapter, u32 mask)
}
read_unlock_irqrestore(&adapter->port_list_lock, flags);
- shost_for_each_device(sdev, adapter->scsi_host) {
+ spin_lock_irqsave(adapter->scsi_host->host_lock, flags);
+ __shost_for_each_device(sdev, adapter->scsi_host) {
atomic_clear_mask(common_mask, &sdev_to_zfcp(sdev)->status);
if (clear_counter)
atomic_set(&sdev_to_zfcp(sdev)->erp_counter, 0);
}
+ spin_unlock_irqrestore(adapter->scsi_host->host_lock, flags);
}
/**
@@ -1488,16 +1497,19 @@ void zfcp_erp_set_port_status(struct zfcp_port *port, u32 mask)
{
struct scsi_device *sdev;
u32 common_mask = mask & ZFCP_COMMON_FLAGS;
+ unsigned long flags;
atomic_set_mask(mask, &port->status);
if (!common_mask)
return;
- shost_for_each_device(sdev, port->adapter->scsi_host)
+ spin_lock_irqsave(port->adapter->scsi_host->host_lock, flags);
+ __shost_for_each_device(sdev, port->adapter->scsi_host)
if (sdev_to_zfcp(sdev)->port == port)
atomic_set_mask(common_mask,
&sdev_to_zfcp(sdev)->status);
+ spin_unlock_irqrestore(port->adapter->scsi_host->host_lock, flags);
}
/**
@@ -1512,6 +1524,7 @@ void zfcp_erp_clear_port_status(struct zfcp_port *port, u32 mask)
struct scsi_device *sdev;
u32 common_mask = mask & ZFCP_COMMON_FLAGS;
u32 clear_counter = mask & ZFCP_STATUS_COMMON_ERP_FAILED;
+ unsigned long flags;
atomic_clear_mask(mask, &port->status);
@@ -1521,13 +1534,15 @@ void zfcp_erp_clear_port_status(struct zfcp_port *port, u32 mask)
if (clear_counter)
atomic_set(&port->erp_counter, 0);
- shost_for_each_device(sdev, port->adapter->scsi_host)
+ spin_lock_irqsave(port->adapter->scsi_host->host_lock, flags);
+ __shost_for_each_device(sdev, port->adapter->scsi_host)
if (sdev_to_zfcp(sdev)->port == port) {
atomic_clear_mask(common_mask,
&sdev_to_zfcp(sdev)->status);
if (clear_counter)
atomic_set(&sdev_to_zfcp(sdev)->erp_counter, 0);
}
+ spin_unlock_irqrestore(port->adapter->scsi_host->host_lock, flags);
}
/**
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [235/251] sg: Fix user memory corruption when SG_IO is interrupted by a signal
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (232 preceding siblings ...)
2013-09-11 4:31 ` [234/251] zfcp: fix schedule-inside-lock in scsi_device list loops Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [236/251] x86/xen: do not identity map UNUSABLE regions in the machine E820 Steven Rostedt
` (16 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Roland Dreier, David Milburn, Jens Axboe, James Bottomley
[-- Attachment #1: 0235-sg-Fix-user-memory-corruption-when-SG_IO-is-interrup.patch --]
[-- Type: text/plain, Size: 4733 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Roland Dreier <roland@purestorage.com>
[ Upstream commit 35dc248383bbab0a7203fca4d722875bc81ef091 ]
There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
leads to one process writing data into the address space of some other
random unrelated process if the ioctl is interrupted by a signal.
What happens is the following:
- A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
underlying SCSI command will transfer data from the SCSI device to
the buffer provided in the ioctl)
- Before the command finishes, a signal is sent to the process waiting
in the ioctl. This will end up waking up the sg_ioctl() code:
result = wait_event_interruptible(sfp->read_wait,
(srp_done(sfp, srp) || sdp->detached));
but neither srp_done() nor sdp->detached is true, so we end up just
setting srp->orphan and returning to userspace:
srp->orphan = 1;
write_unlock_irq(&sfp->rq_list_lock);
return result; /* -ERESTARTSYS because signal hit process */
At this point the original process is done with the ioctl and
blithely goes ahead handling the signal, reissuing the ioctl, etc.
- Eventually, the SCSI command issued by the first ioctl finishes and
ends up in sg_rq_end_io(). At the end of that function, we run through:
write_lock_irqsave(&sfp->rq_list_lock, iflags);
if (unlikely(srp->orphan)) {
if (sfp->keep_orphan)
srp->sg_io_owned = 0;
else
done = 0;
}
srp->done = done;
write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
if (likely(done)) {
/* Now wake up any sg_read() that is waiting for this
* packet.
*/
wake_up_interruptible(&sfp->read_wait);
kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
kref_put(&sfp->f_ref, sg_remove_sfp);
} else {
INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
schedule_work(&srp->ew.work);
}
Since srp->orphan *is* set, we set done to 0 (assuming the
userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
to run in a workqueue.
- In workqueue context we go through sg_rq_end_io_usercontext() ->
sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().
The key point here is that we are doing copy_to_user() on a
workqueue -- that is, we're on a kernel thread with current->mm
equal to whatever random previous user process was scheduled before
this kernel thread. So we end up copying whatever data the SCSI
command returned to the virtual address of the buffer passed into
the original ioctl, but it's quite likely we do this copying into a
different address space!
As suggested by James Bottomley <James.Bottomley@hansenpartnership.com>,
add a check for current->mm (which is NULL if we're on a kernel thread
without a real userspace address space) in bio_uncopy_user(), and skip
the copy if we're on a kernel thread.
There's no reason that I can think of for any caller of bio_uncopy_user()
to want to do copying on a kernel thread with a random active userspace
address space.
Huge thanks to Costa Sapuntzakis <costa@purestorage.com> for the
original pointer to this bug in the sg code.
Signed-off-by: Roland Dreier <roland@purestorage.com>
Tested-by: David Milburn <dmilburn@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: <stable@vger.kernel.org>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/bio.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/fs/bio.c b/fs/bio.c
index 71072ab..6e2a362 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -791,12 +791,22 @@ static int __bio_copy_iov(struct bio *bio, struct bio_vec *iovecs,
int bio_uncopy_user(struct bio *bio)
{
struct bio_map_data *bmd = bio->bi_private;
- int ret = 0;
+ struct bio_vec *bvec;
+ int ret = 0, i;
- if (!bio_flagged(bio, BIO_NULL_MAPPED))
- ret = __bio_copy_iov(bio, bmd->iovecs, bmd->sgvecs,
- bmd->nr_sgvecs, bio_data_dir(bio) == READ,
- 0, bmd->is_our_pages);
+ if (!bio_flagged(bio, BIO_NULL_MAPPED)) {
+ /*
+ * if we're in a workqueue, the request is orphaned, so
+ * don't copy into a random user address space, just free.
+ */
+ if (current->mm)
+ ret = __bio_copy_iov(bio, bmd->iovecs, bmd->sgvecs,
+ bmd->nr_sgvecs, bio_data_dir(bio) == READ,
+ 0, bmd->is_our_pages);
+ else if (bmd->is_our_pages)
+ __bio_for_each_segment(bvec, bio, i, 0)
+ __free_page(bvec->bv_page);
+ }
bio_free_map_data(bmd);
bio_put(bio);
return ret;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [236/251] x86/xen: do not identity map UNUSABLE regions in the machine E820
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (233 preceding siblings ...)
2013-09-11 4:31 ` [235/251] sg: Fix user memory corruption when SG_IO is interrupted by a signal Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [237/251] jfs: fix readdir cookie incompatibility with NFSv4 Steven Rostedt
` (15 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: David Vrabel, Konrad Rzeszutek Wilk
[-- Attachment #1: 0236-x86-xen-do-not-identity-map-UNUSABLE-regions-in-the-.patch --]
[-- Type: text/plain, Size: 3157 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: David Vrabel <david.vrabel@citrix.com>
[ Upstream commit 3bc38cbceb85881a8eb789ee1aa56678038b1909 ]
If there are UNUSABLE regions in the machine memory map, dom0 will
attempt to map them 1:1 which is not permitted by Xen and the kernel
will crash.
There isn't anything interesting in the UNUSABLE region that the dom0
kernel needs access to so we can avoid making the 1:1 mapping and
treat it as RAM.
We only do this for dom0, as that is where tboot case shows up.
A PV domU could have an UNUSABLE region in its pseudo-physical map
and would need to be handled in another patch.
This fixes a boot failure on hosts with tboot.
tboot marks a region in the e820 map as unusable and the dom0 kernel
would attempt to map this region and Xen does not permit unusable
regions to be mapped by guests.
(XEN) 0000000000000000 - 0000000000060000 (usable)
(XEN) 0000000000060000 - 0000000000068000 (reserved)
(XEN) 0000000000068000 - 000000000009e000 (usable)
(XEN) 0000000000100000 - 0000000000800000 (usable)
(XEN) 0000000000800000 - 0000000000972000 (unusable)
tboot marked this region as unusable.
(XEN) 0000000000972000 - 00000000cf200000 (usable)
(XEN) 00000000cf200000 - 00000000cf38f000 (reserved)
(XEN) 00000000cf38f000 - 00000000cf3ce000 (ACPI data)
(XEN) 00000000cf3ce000 - 00000000d0000000 (reserved)
(XEN) 00000000e0000000 - 00000000f0000000 (reserved)
(XEN) 00000000fe000000 - 0000000100000000 (reserved)
(XEN) 0000000100000000 - 0000000630000000 (usable)
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
[v1: Altered the patch and description with domU's with UNUSABLE regions]
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
arch/x86/xen/setup.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
index e2d62d6..8cf7449 100644
--- a/arch/x86/xen/setup.c
+++ b/arch/x86/xen/setup.c
@@ -313,6 +313,17 @@ static void xen_align_and_add_e820_region(u64 start, u64 size, int type)
e820_add_region(start, end - start, type);
}
+void xen_ignore_unusable(struct e820entry *list, size_t map_size)
+{
+ struct e820entry *entry;
+ unsigned int i;
+
+ for (i = 0, entry = list; i < map_size; i++, entry++) {
+ if (entry->type == E820_UNUSABLE)
+ entry->type = E820_RAM;
+ }
+}
+
/**
* machine_specific_memory_setup - Hook for machine specific memory setup.
**/
@@ -353,6 +364,17 @@ char * __init xen_memory_setup(void)
}
BUG_ON(rc);
+ /*
+ * Xen won't allow a 1:1 mapping to be created to UNUSABLE
+ * regions, so if we're using the machine memory map leave the
+ * region as RAM as it is in the pseudo-physical map.
+ *
+ * UNUSABLE regions in domUs are not handled and will need
+ * a patch in the future.
+ */
+ if (xen_initial_domain())
+ xen_ignore_unusable(map, memmap.nr_entries);
+
/* Make sure the Xen-supplied memory map is well-ordered. */
sanitize_e820_map(map, memmap.nr_entries, &memmap.nr_entries);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [237/251] jfs: fix readdir cookie incompatibility with NFSv4
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (234 preceding siblings ...)
2013-09-11 4:31 ` [236/251] x86/xen: do not identity map UNUSABLE regions in the machine E820 Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [238/251] ALSA: hda - Add inverted digital mic fixup for Acer Aspire One Steven Rostedt
` (14 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Dave Kleikamp, Christian Kujau
[-- Attachment #1: 0237-jfs-fix-readdir-cookie-incompatibility-with-NFSv4.patch --]
[-- Type: text/plain, Size: 3391 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Dave Kleikamp <dave.kleikamp@oracle.com>
[ Upstream commit 44512449c0ab368889dd13ae0031fba74ee7e1d2 ]
NFSv4 reserves readdir cookie values 0-2 for special entries (. and ..),
but jfs allows a value of 2 for a non-special entry. This incompatibility
can result in the nfs client reporting a readdir loop.
This patch doesn't change the value stored internally, but adds one to
the value exposed to the iterate method.
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Tested-by: Christian Kujau <lists@nerdbynature.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
fs/jfs/jfs_dtree.c | 31 +++++++++++++++++++++++--------
1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 9197a1b..9f7c758 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -3047,6 +3047,14 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
dir_index = (u32) filp->f_pos;
+ /*
+ * NFSv4 reserves cookies 1 and 2 for . and .. so the value
+ * we return to the vfs is one greater than the one we use
+ * internally.
+ */
+ if (dir_index)
+ dir_index--;
+
if (dir_index > 1) {
struct dir_table_slot dirtab_slot;
@@ -3086,7 +3094,7 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
if (p->header.flag & BT_INTERNAL) {
jfs_err("jfs_readdir: bad index table");
DT_PUTPAGE(mp);
- filp->f_pos = -1;
+ filp->f_pos = DIREND;
return 0;
}
} else {
@@ -3094,7 +3102,7 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
/*
* self "."
*/
- filp->f_pos = 0;
+ filp->f_pos = 1;
if (filldir(dirent, ".", 1, 0, ip->i_ino,
DT_DIR))
return 0;
@@ -3102,7 +3110,7 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
/*
* parent ".."
*/
- filp->f_pos = 1;
+ filp->f_pos = 2;
if (filldir(dirent, "..", 2, 1, PARENT(ip), DT_DIR))
return 0;
@@ -3123,24 +3131,25 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
/*
* Legacy filesystem - OS/2 & Linux JFS < 0.3.6
*
- * pn = index = 0: First entry "."
- * pn = 0; index = 1: Second entry ".."
+ * pn = 0; index = 1: First entry "."
+ * pn = 0; index = 2: Second entry ".."
* pn > 0: Real entries, pn=1 -> leftmost page
* pn = index = -1: No more entries
*/
dtpos = filp->f_pos;
- if (dtpos == 0) {
+ if (dtpos < 2) {
/* build "." entry */
+ filp->f_pos = 1;
if (filldir(dirent, ".", 1, filp->f_pos, ip->i_ino,
DT_DIR))
return 0;
- dtoffset->index = 1;
+ dtoffset->index = 2;
filp->f_pos = dtpos;
}
if (dtoffset->pn == 0) {
- if (dtoffset->index == 1) {
+ if (dtoffset->index == 2) {
/* build ".." entry */
if (filldir(dirent, "..", 2, filp->f_pos,
@@ -3233,6 +3242,12 @@ int jfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
}
jfs_dirent->position = unique_pos++;
}
+ /*
+ * We add 1 to the index because we may
+ * use a value of 2 internally, and NFSv4
+ * doesn't like that.
+ */
+ jfs_dirent->position++;
} else {
jfs_dirent->position = dtpos;
len = min(d_namleft, DTLHDRDATALEN_LEGACY);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [238/251] ALSA: hda - Add inverted digital mic fixup for Acer Aspire One
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (235 preceding siblings ...)
2013-09-11 4:31 ` [237/251] jfs: fix readdir cookie incompatibility with NFSv4 Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [239/251] ALSA: opti9xx: Fix conflicting driver object name Steven Rostedt
` (13 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Nathanael D. Noblet, Takashi Iwai
[-- Attachment #1: 0238-ALSA-hda-Add-inverted-digital-mic-fixup-for-Acer-Asp.patch --]
[-- Type: text/plain, Size: 1219 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit d3d3835ce919438c00c5d1270d6f9d6ffea59d03 ]
Yet another entry, just use the existing fixup for this machine, too.
Reported-by: "Nathanael D. Noblet" <nathanael@gnat.ca>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 6d31bc8..d0bbdf9 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6860,6 +6860,7 @@ static const struct alc_fixup alc662_fixups[] = {
static const struct snd_pci_quirk alc662_fixup_tbl[] = {
SND_PCI_QUIRK(0x1019, 0x9087, "ECS", ALC662_FIXUP_ASUS_MODE2),
+ SND_PCI_QUIRK(0x1025, 0x022f, "Acer Aspire One", ALC662_FIXUP_INV_DMIC),
SND_PCI_QUIRK(0x1025, 0x0308, "Acer Aspire 8942G", ALC662_FIXUP_ASPIRE),
SND_PCI_QUIRK(0x1025, 0x031c, "Gateway NV79", ALC662_FIXUP_SKU_IGNORE),
SND_PCI_QUIRK(0x1025, 0x0349, "eMachines eM250", ALC662_FIXUP_INV_DMIC),
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [239/251] ALSA: opti9xx: Fix conflicting driver object name
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (236 preceding siblings ...)
2013-09-11 4:31 ` [238/251] ALSA: hda - Add inverted digital mic fixup for Acer Aspire One Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [240/251] powerpc: Work around gcc miscompilation of __pa() on 64-bit Steven Rostedt
` (12 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Takashi Iwai
[-- Attachment #1: 0239-ALSA-opti9xx-Fix-conflicting-driver-object-name.patch --]
[-- Type: text/plain, Size: 2008 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit fb615499f0ad28ed74201c1cdfddf9e64e205424 ]
The recent commit to delay the release of kobject triggered NULL
dereferences of opti9xx drivers. The cause is that all
snd-opti92x-ad1848, snd-opti92x-cs4231 and snd-opti93x drivers
register the PnP card driver with the very same name, and also
snd-opti92x-ad1848 and -cs4231 drivers register the ISA driver with
the same name, too. When these drivers are built in, quick
"register-release-and-re-register" actions occur, and this results in
Oops because of the same name is assigned to the kobject.
The fix is simply to assign individual names. As a bonus, by using
KBUILD_MODNAME, the patch reduces more lines than it adds.
The fix is based on the suggestion by Russell King.
Reported-and-tested-by: Fengguang Wu <fengguang.wu@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
sound/isa/opti9xx/opti92x-ad1848.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/sound/isa/opti9xx/opti92x-ad1848.c b/sound/isa/opti9xx/opti92x-ad1848.c
index f8fbe22..e7ec347 100644
--- a/sound/isa/opti9xx/opti92x-ad1848.c
+++ b/sound/isa/opti9xx/opti92x-ad1848.c
@@ -172,11 +172,7 @@ MODULE_DEVICE_TABLE(pnp_card, snd_opti9xx_pnpids);
#endif /* CONFIG_PNP */
-#ifdef OPTi93X
-#define DEV_NAME "opti93x"
-#else
-#define DEV_NAME "opti92x"
-#endif
+#define DEV_NAME KBUILD_MODNAME
static char * snd_opti9xx_names[] = {
"unknown",
@@ -1180,7 +1176,7 @@ static int snd_opti9xx_pnp_resume(struct pnp_card_link *pcard)
static struct pnp_card_driver opti9xx_pnpc_driver = {
.flags = PNP_DRIVER_RES_DISABLE,
- .name = "opti9xx",
+ .name = DEV_NAME,
.id_table = snd_opti9xx_pnpids,
.probe = snd_opti9xx_pnp_probe,
.remove = __devexit_p(snd_opti9xx_pnp_remove),
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [240/251] powerpc: Work around gcc miscompilation of __pa() on 64-bit
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (237 preceding siblings ...)
2013-09-11 4:31 ` [239/251] ALSA: opti9xx: Fix conflicting driver object name Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [241/251] powerpc: Dont Oops when accessing /proc/powerpc/lparcfg without hypervisor Steven Rostedt
` (11 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Paul Mackerras, Benjamin Herrenschmidt
[-- Attachment #1: 0240-powerpc-Work-around-gcc-miscompilation-of-__pa-on-64.patch --]
[-- Type: text/plain, Size: 2697 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Paul Mackerras <paulus@samba.org>
[ Upstream commit bdbc29c19b2633b1d9c52638fb732bcde7a2031a ]
On 64-bit, __pa(&static_var) gets miscompiled by recent versions of
gcc as something like:
addis 3,2,.LANCHOR1+4611686018427387904@toc@ha
addi 3,3,.LANCHOR1+4611686018427387904@toc@l
This ends up effectively ignoring the offset, since its bottom 32 bits
are zero, and means that the result of __pa() still has 0xC in the top
nibble. This happens with gcc 4.8.1, at least.
To work around this, for 64-bit we make __pa() use an AND operator,
and for symmetry, we make __va() use an OR operator. Using an AND
operator rather than a subtraction ends up with slightly shorter code
since it can be done with a single clrldi instruction, whereas it
takes three instructions to form the constant (-PAGE_OFFSET) and add
it on. (Note that MEMORY_START is always 0 on 64-bit.)
CC: <stable@vger.kernel.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/powerpc/Kconfig | 1 +
arch/powerpc/include/asm/page.h | 10 ++++++++++
2 files changed, 11 insertions(+)
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 352f416..3254335 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -973,6 +973,7 @@ config RELOCATABLE
must live at a different physical address than the primary
kernel.
+# This value must have zeroes in the bottom 60 bits otherwise lots will break
config PAGE_OFFSET
hex
default "0xc000000000000000"
diff --git a/arch/powerpc/include/asm/page.h b/arch/powerpc/include/asm/page.h
index f072e97..2e6c4e5a 100644
--- a/arch/powerpc/include/asm/page.h
+++ b/arch/powerpc/include/asm/page.h
@@ -211,9 +211,19 @@ extern long long virt_phys_offset;
#define __va(x) ((void *)(unsigned long)((phys_addr_t)(x) + VIRT_PHYS_OFFSET))
#define __pa(x) ((unsigned long)(x) - VIRT_PHYS_OFFSET)
#else
+#ifdef CONFIG_PPC64
+/*
+ * gcc miscompiles (unsigned long)(&static_var) - PAGE_OFFSET
+ * with -mcmodel=medium, so we use & and | instead of - and + on 64-bit.
+ */
+#define __va(x) ((void *)(unsigned long)((phys_addr_t)(x) | PAGE_OFFSET))
+#define __pa(x) ((unsigned long)(x) & 0x0fffffffffffffffUL)
+
+#else /* 32-bit, non book E */
#define __va(x) ((void *)(unsigned long)((phys_addr_t)(x) + PAGE_OFFSET - MEMORY_START))
#define __pa(x) ((unsigned long)(x) - PAGE_OFFSET + MEMORY_START)
#endif
+#endif
/*
* Unfortunately the PLT is in the BSS in the PPC32 ELF ABI,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [241/251] powerpc: Dont Oops when accessing /proc/powerpc/lparcfg without hypervisor
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (238 preceding siblings ...)
2013-09-11 4:31 ` [240/251] powerpc: Work around gcc miscompilation of __pa() on 64-bit Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [242/251] powerpc/hvsi: Increase handshake timeout from 200ms to 400ms Steven Rostedt
` (10 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Benjamin Herrenschmidt
[-- Attachment #1: 0241-powerpc-Don-t-Oops-when-accessing-proc-powerpc-lparc.patch --]
[-- Type: text/plain, Size: 2799 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
[ Upstream commit f5f6cbb61610b7bf9d9d96db9c3979d62a424bab ]
/proc/powerpc/lparcfg is an ancient facility (though still actively used)
which allows access to some informations relative to the partition when
running underneath a PAPR compliant hypervisor.
It makes no sense on non-pseries machines. However, currently, not only
can it be created on these if the kernel has pseries support, but accessing
it on such a machine will crash due to trying to do hypervisor calls.
In fact, it should also not do HV calls on older pseries that didn't have
an hypervisor either.
Finally, it has the plumbing to be a module but is a "bool" Kconfig option.
This fixes the whole lot by turning it into a machine_device_initcall
that is only created on pseries, and adding the necessary hypervisor
check before calling the H_GET_EM_PARMS hypercall
CC: <stable@vger.kernel.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
arch/powerpc/kernel/lparcfg.c | 23 +++++++++--------------
1 file changed, 9 insertions(+), 14 deletions(-)
diff --git a/arch/powerpc/kernel/lparcfg.c b/arch/powerpc/kernel/lparcfg.c
index f5725bc..7ebbae0 100644
--- a/arch/powerpc/kernel/lparcfg.c
+++ b/arch/powerpc/kernel/lparcfg.c
@@ -35,7 +35,13 @@
#include <asm/vdso_datapage.h>
#include <asm/vio.h>
#include <asm/mmu.h>
+#include <asm/machdep.h>
+
+/*
+ * This isn't a module but we expose that to userspace
+ * via /proc so leave the definitions here
+ */
#define MODULE_VERS "1.9"
#define MODULE_NAME "lparcfg"
@@ -419,7 +425,8 @@ static void parse_em_data(struct seq_file *m)
{
unsigned long retbuf[PLPAR_HCALL_BUFSIZE];
- if (plpar_hcall(H_GET_EM_PARMS, retbuf) == H_SUCCESS)
+ if (firmware_has_feature(FW_FEATURE_LPAR) &&
+ plpar_hcall(H_GET_EM_PARMS, retbuf) == H_SUCCESS)
seq_printf(m, "power_mode_data=%016lx\n", retbuf[0]);
}
@@ -678,7 +685,6 @@ static int lparcfg_open(struct inode *inode, struct file *file)
}
static const struct file_operations lparcfg_fops = {
- .owner = THIS_MODULE,
.read = seq_read,
.write = lparcfg_write,
.open = lparcfg_open,
@@ -704,15 +710,4 @@ static int __init lparcfg_init(void)
proc_ppc64_lparcfg = ent;
return 0;
}
-
-static void __exit lparcfg_cleanup(void)
-{
- if (proc_ppc64_lparcfg)
- remove_proc_entry("lparcfg", proc_ppc64_lparcfg->parent);
-}
-
-module_init(lparcfg_init);
-module_exit(lparcfg_cleanup);
-MODULE_DESCRIPTION("Interface for LPAR configuration data");
-MODULE_AUTHOR("Dave Engebretsen");
-MODULE_LICENSE("GPL");
+machine_device_initcall(pseries, lparcfg_init);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [242/251] powerpc/hvsi: Increase handshake timeout from 200ms to 400ms.
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (239 preceding siblings ...)
2013-09-11 4:31 ` [241/251] powerpc: Dont Oops when accessing /proc/powerpc/lparcfg without hypervisor Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [243/251] regmap: Add another missing header for !CONFIG_REGMAP stubs Steven Rostedt
` (9 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Eugene Surovegin, Benjamin Herrenschmidt
[-- Attachment #1: 0242-powerpc-hvsi-Increase-handshake-timeout-from-200ms-t.patch --]
[-- Type: text/plain, Size: 1437 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Eugene Surovegin <ebs@ebshome.net>
[ Upstream commit d220980b701d838560a70de691b53be007e99e78 ]
This solves a problem observed in kexec'ed kernel where 200ms timeout is
too short and bootconsole fails to initialize. Console did eventually
become workable but much later into the boot process.
Observed timeout was around 260ms, but I decided to make it a little bigger
for more reliability.
This has been tested on Power7 machine with Petitboot as a primary
bootloader and PowerNV firmware.
CC: <stable@vger.kernel.org>
Signed-off-by: Eugene Surovegin <surovegin@google.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/tty/hvc/hvsi_lib.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/tty/hvc/hvsi_lib.c b/drivers/tty/hvc/hvsi_lib.c
index 59c135d..2c51419 100644
--- a/drivers/tty/hvc/hvsi_lib.c
+++ b/drivers/tty/hvc/hvsi_lib.c
@@ -341,8 +341,8 @@ void hvsilib_establish(struct hvsi_priv *pv)
pr_devel("HVSI@%x: ... waiting handshake\n", pv->termno);
- /* Try for up to 200s */
- for (timeout = 0; timeout < 20; timeout++) {
+ /* Try for up to 400ms */
+ for (timeout = 0; timeout < 40; timeout++) {
if (pv->established)
goto established;
if (!hvsi_get_packet(pv))
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [243/251] regmap: Add another missing header for !CONFIG_REGMAP stubs
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (240 preceding siblings ...)
2013-09-11 4:31 ` [242/251] powerpc/hvsi: Increase handshake timeout from 200ms to 400ms Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [244/251] drivers/base/memory.c: fix show_mem_removable() to handle missing sections Steven Rostedt
` (8 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Kevin Hilman, Mark Brown
[-- Attachment #1: 0243-regmap-Add-another-missing-header-for-CONFIG_REGMAP-.patch --]
[-- Type: text/plain, Size: 1024 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Kevin Hilman <khilman@linaro.org>
[ Upstream commit 3f0fa9a808f98fa10a18ba2a73f13d65fda990fb ]
The use of WARN_ON() needs the definitions from bug.h, without it
you can get:
include/linux/regmap.h: In function 'regmap_write':
include/linux/regmap.h:525:2: error: implicit declaration of function 'WARN_ONCE' [-Werror=implicit-function-declaration]
Signed-off-by: Kevin Hilman <khilman@linaro.org>
Signed-off-by: Mark Brown <broonie@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
include/linux/regmap.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/linux/regmap.h b/include/linux/regmap.h
index 519d5f2..db23dde 100644
--- a/include/linux/regmap.h
+++ b/include/linux/regmap.h
@@ -16,6 +16,7 @@
#include <linux/list.h>
#include <linux/rbtree.h>
#include <linux/err.h>
+#include <linux/bug.h>
struct module;
struct device;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [244/251] drivers/base/memory.c: fix show_mem_removable() to handle missing sections
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (241 preceding siblings ...)
2013-09-11 4:31 ` [243/251] regmap: Add another missing header for !CONFIG_REGMAP stubs Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [245/251] workqueue: cond_resched() after processing each work item Steven Rostedt
` (7 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Russ Anderson, Greg Kroah-Hartman, Rafael J. Wysocki, Yinghai Lu,
Yasuaki Ishimatsu, Andrew Morton
[-- Attachment #1: 0244-drivers-base-memory.c-fix-show_mem_removable-to-hand.patch --]
[-- Type: text/plain, Size: 4026 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Russ Anderson <rja@sgi.com>
[ Upstream commit 21ea9f5ace3a7317cc3ba1fbc749758021a83136 ]
"cat /sys/devices/system/memory/memory*/removable" crashed the system.
The problem is that show_mem_removable() is passing a
bad pfn to is_mem_section_removable(), which causes
if (!node_online(page_to_nid(page)))
to blow up. Why is it passing in a bad pfn?
The reason is that show_mem_removable() will loop sections_per_block
times. sections_per_block is 16, but mem->section_count is 8,
indicating holes in this memory block. Checking that the memory section
is present before checking to see if the memory section is removable
fixes the problem.
harp5-sys:~ # cat /sys/devices/system/memory/memory*/removable
0
1
1
1
1
1
1
1
1
1
1
1
1
1
BUG: unable to handle kernel paging request at ffffea00c3200000
IP: [<ffffffff81117ed1>] is_pageblock_removable_nolock+0x1/0x90
PGD 83ffd4067 PUD 37bdfce067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in: autofs4 binfmt_misc rdma_ucm rdma_cm iw_cm ib_addr ib_srp scsi_transport_srp scsi_tgt ib_ipoib ib_cm ib_uverbs ib_umad iw_cxgb3 cxgb3 mdio mlx4_en mlx4_ib ib_sa mlx4_core ib_mthca ib_mad ib_core fuse nls_iso8859_1 nls_cp437 vfat fat joydev loop hid_generic usbhid hid hwperf(O) numatools(O) dm_mod iTCO_wdt ipv6 iTCO_vendor_support igb i2c_i801 ioatdma i2c_algo_bit ehci_pci pcspkr lpc_ich i2c_core ehci_hcd ptp sg mfd_core dca rtc_cmos pps_core mperf button xhci_hcd sd_mod crc_t10dif usbcore usb_common scsi_dh_emc scsi_dh_hp_sw scsi_dh_alua scsi_dh_rdac scsi_dh gru(O) xvma(O) xfs crc32c libcrc32c thermal sata_nv processor piix mptsas mptscsih scsi_transport_sas mptbase megaraid_sas fan thermal_sys hwmon ext3 jbd ata_piix ahci libahci libata scsi_mod
CPU: 4 PID: 5991 Comm: cat Tainted: G O 3.11.0-rc5-rja-uv+ #10
Hardware name: SGI UV2000/ROMLEY, BIOS SGI UV 2000/3000 series BIOS 01/15/2013
task: ffff88081f034580 ti: ffff880820022000 task.ti: ffff880820022000
RIP: 0010:[<ffffffff81117ed1>] [<ffffffff81117ed1>] is_pageblock_removable_nolock+0x1/0x90
RSP: 0018:ffff880820023df8 EFLAGS: 00010287
RAX: 0000000000040000 RBX: ffffea00c3200000 RCX: 0000000000000004
RDX: ffffea00c30b0000 RSI: 00000000001c0000 RDI: ffffea00c3200000
RBP: ffff880820023e38 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000001 R12: ffffea00c33c0000
R13: 0000160000000000 R14: 6db6db6db6db6db7 R15: 0000000000000001
FS: 00007ffff7fb2700(0000) GS:ffff88083fc80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffea00c3200000 CR3: 000000081b954000 CR4: 00000000000407e0
Call Trace:
show_mem_removable+0x41/0x70
dev_attr_show+0x2a/0x60
sysfs_read_file+0xf7/0x1c0
vfs_read+0xc8/0x130
SyS_read+0x5d/0xa0
system_call_fastpath+0x16/0x1b
Signed-off-by: Russ Anderson <rja@sgi.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
Cc: Yinghai Lu <yinghai@kernel.org>
Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/base/memory.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/base/memory.c b/drivers/base/memory.c
index 7dda4f7..d63a06b 100644
--- a/drivers/base/memory.c
+++ b/drivers/base/memory.c
@@ -154,6 +154,8 @@ static ssize_t show_mem_removable(struct device *dev,
container_of(dev, struct memory_block, dev);
for (i = 0; i < sections_per_block; i++) {
+ if (!present_section_nr(mem->start_section_nr + i))
+ continue;
pfn = section_nr_to_pfn(mem->start_section_nr + i);
ret &= is_mem_section_removable(pfn, PAGES_PER_SECTION);
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [245/251] workqueue: cond_resched() after processing each work item
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (242 preceding siblings ...)
2013-09-11 4:31 ` [244/251] drivers/base/memory.c: fix show_mem_removable() to handle missing sections Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [246/251] drm/vmwgfx: Split GMR2_REMAP commands if they are to large Steven Rostedt
` (6 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Tejun Heo, Jamie Liu
[-- Attachment #1: 0245-workqueue-cond_resched-after-processing-each-work-it.patch --]
[-- Type: text/plain, Size: 2136 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
[ Upstream commit b22ce2785d97423846206cceec4efee0c4afd980 ]
If !PREEMPT, a kworker running work items back to back can hog CPU.
This becomes dangerous when a self-requeueing work item which is
waiting for something to happen races against stop_machine. Such
self-requeueing work item would requeue itself indefinitely hogging
the kworker and CPU it's running on while stop_machine would wait for
that CPU to enter stop_machine while preventing anything else from
happening on all other CPUs. The two would deadlock.
Jamie Liu reports that this deadlock scenario exists around
scsi_requeue_run_queue() and libata port multiplier support, where one
port may exclude command processing from other ports. With the right
timing, scsi_requeue_run_queue() can end up requeueing itself trying
to execute an IO which is asked to be retried while another device has
an exclusive access, which in turn can't make forward progress due to
stop_machine.
Fix it by invoking cond_resched() after executing each work item.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Jamie Liu <jamieliu@google.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
References: http://thread.gmane.org/gmane.linux.kernel/1552567
Cc: stable@vger.kernel.org
--
kernel/workqueue.c | 9 +++++++++
1 file changed, 9 insertions(+)
---
kernel/workqueue.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 0352a81..ce44f31 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -2105,6 +2105,15 @@ __acquires(&gcwq->lock)
dump_stack();
}
+ /*
+ * The following prevents a kworker from hogging CPU on !PREEMPT
+ * kernels, where a requeueing work item waiting for something to
+ * happen could deadlock with stop_machine as such work item could
+ * indefinitely requeue itself while all other CPUs are trapped in
+ * stop_machine.
+ */
+ cond_resched();
+
spin_lock_irq(&gcwq->lock);
/* clear cpu intensive status */
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [246/251] drm/vmwgfx: Split GMR2_REMAP commands if they are to large
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (243 preceding siblings ...)
2013-09-11 4:31 ` [245/251] workqueue: cond_resched() after processing each work item Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [247/251] drm/i915: ivb: fix edp voltage swing reg val Steven Rostedt
` (5 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jakob Bornecrantz, Biran Paul, Zack Rusin, Dave Airlie
[-- Attachment #1: 0246-drm-vmwgfx-Split-GMR2_REMAP-commands-if-they-are-to-.patch --]
[-- Type: text/plain, Size: 3749 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Jakob Bornecrantz <jakob@vmware.com>
[ Upstream commit 6e4dcff3adbf25acb87e74500a58e3c07bdec40f ]
This fixes the piglit test texturing/max-texture-size
causing the VM to die due to a too large SVGA command.
Signed-off-by: Jakob Bornecrantz <jakob@vmware.com>
Reviewed-by: Biran Paul <brianp@vmware.com>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++------------
1 file changed, 39 insertions(+), 19 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c b/drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c
index 21ee782..e1978a2 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c
@@ -29,7 +29,9 @@
#include "drmP.h"
#include "ttm/ttm_bo_driver.h"
-#define VMW_PPN_SIZE sizeof(unsigned long)
+#define VMW_PPN_SIZE (sizeof(unsigned long))
+/* A future safe maximum remap size. */
+#define VMW_PPN_PER_REMAP ((31 * 1024) / VMW_PPN_SIZE)
static int vmw_gmr2_bind(struct vmw_private *dev_priv,
struct page *pages[],
@@ -38,43 +40,61 @@ static int vmw_gmr2_bind(struct vmw_private *dev_priv,
{
SVGAFifoCmdDefineGMR2 define_cmd;
SVGAFifoCmdRemapGMR2 remap_cmd;
- uint32_t define_size = sizeof(define_cmd) + 4;
- uint32_t remap_size = VMW_PPN_SIZE * num_pages + sizeof(remap_cmd) + 4;
uint32_t *cmd;
uint32_t *cmd_orig;
+ uint32_t define_size = sizeof(define_cmd) + sizeof(*cmd);
+ uint32_t remap_num = num_pages / VMW_PPN_PER_REMAP + ((num_pages % VMW_PPN_PER_REMAP) > 0);
+ uint32_t remap_size = VMW_PPN_SIZE * num_pages + (sizeof(remap_cmd) + sizeof(*cmd)) * remap_num;
+ uint32_t remap_pos = 0;
+ uint32_t cmd_size = define_size + remap_size;
uint32_t i;
- cmd_orig = cmd = vmw_fifo_reserve(dev_priv, define_size + remap_size);
+ cmd_orig = cmd = vmw_fifo_reserve(dev_priv, cmd_size);
if (unlikely(cmd == NULL))
return -ENOMEM;
define_cmd.gmrId = gmr_id;
define_cmd.numPages = num_pages;
+ *cmd++ = SVGA_CMD_DEFINE_GMR2;
+ memcpy(cmd, &define_cmd, sizeof(define_cmd));
+ cmd += sizeof(define_cmd) / sizeof(*cmd);
+
+ /*
+ * Need to split the command if there are too many
+ * pages that goes into the gmr.
+ */
+
remap_cmd.gmrId = gmr_id;
remap_cmd.flags = (VMW_PPN_SIZE > sizeof(*cmd)) ?
SVGA_REMAP_GMR2_PPN64 : SVGA_REMAP_GMR2_PPN32;
- remap_cmd.offsetPages = 0;
- remap_cmd.numPages = num_pages;
- *cmd++ = SVGA_CMD_DEFINE_GMR2;
- memcpy(cmd, &define_cmd, sizeof(define_cmd));
- cmd += sizeof(define_cmd) / sizeof(uint32);
+ while (num_pages > 0) {
+ unsigned long nr = min(num_pages, (unsigned long)VMW_PPN_PER_REMAP);
+
+ remap_cmd.offsetPages = remap_pos;
+ remap_cmd.numPages = nr;
- *cmd++ = SVGA_CMD_REMAP_GMR2;
- memcpy(cmd, &remap_cmd, sizeof(remap_cmd));
- cmd += sizeof(remap_cmd) / sizeof(uint32);
+ *cmd++ = SVGA_CMD_REMAP_GMR2;
+ memcpy(cmd, &remap_cmd, sizeof(remap_cmd));
+ cmd += sizeof(remap_cmd) / sizeof(*cmd);
- for (i = 0; i < num_pages; ++i) {
- if (VMW_PPN_SIZE <= 4)
- *cmd = page_to_pfn(*pages++);
- else
- *((uint64_t *)cmd) = page_to_pfn(*pages++);
+ for (i = 0; i < nr; ++i) {
+ if (VMW_PPN_SIZE <= 4)
+ *cmd = page_to_pfn(*pages++);
+ else
+ *((uint64_t *)cmd) = page_to_pfn(*pages++);
- cmd += VMW_PPN_SIZE / sizeof(*cmd);
+ cmd += VMW_PPN_SIZE / sizeof(*cmd);
+ }
+
+ num_pages -= nr;
+ remap_pos += nr;
}
- vmw_fifo_commit(dev_priv, define_size + remap_size);
+ BUG_ON(cmd != cmd_orig + cmd_size / sizeof(*cmd));
+
+ vmw_fifo_commit(dev_priv, cmd_size);
return 0;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [247/251] drm/i915: ivb: fix edp voltage swing reg val
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (244 preceding siblings ...)
2013-09-11 4:31 ` [246/251] drm/vmwgfx: Split GMR2_REMAP commands if they are to large Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [248/251] SUNRPC: Fix memory corruption issue on 32-bit highmem systems Steven Rostedt
` (4 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Jeremy Moles, Imre Deak, Paulo Zanoni, Daniel Vetter
[-- Attachment #1: 0247-drm-i915-ivb-fix-edp-voltage-swing-reg-val.patch --]
[-- Type: text/plain, Size: 1725 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Imre Deak <imre.deak@intel.com>
[ Upstream commit 77fa4cbd5fa389e28419bbe8ac491b5fdd54840d ]
Fix the typo introduced in
commit 1a2eb4604b85c5efb343da8a4dcf41288fcfca85
Author: Keith Packard <keithp@keithp.com>
Date: Wed Nov 16 16:26:07 2011 -0800
drm/i915: Hook up Ivybridge eDP
This fixes eDP link-training failures and cases where all voltage swing
/pre-emphasis levels were tried and failed during clock recovery and -
as a fallback - we go on to do channel equalization with the last voltage
swing/pre-emphasis level which will succeed. Both issues can lead to a
blank screen.
v2:
- improve commit message
CC: stable@vger.kernel.org
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=64880
Tested-by: Jeremy Moles <cubicool@gmail.com>
Signed-off-by: Imre Deak <imre.deak@intel.com>
Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/gpu/drm/i915/i915_reg.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
index bbdb976..9d37a9d 100644
--- a/drivers/gpu/drm/i915/i915_reg.h
+++ b/drivers/gpu/drm/i915/i915_reg.h
@@ -4076,7 +4076,7 @@
#define EDP_LINK_TRAIN_600MV_0DB_IVB (0x30 <<22)
#define EDP_LINK_TRAIN_600MV_3_5DB_IVB (0x36 <<22)
#define EDP_LINK_TRAIN_800MV_0DB_IVB (0x38 <<22)
-#define EDP_LINK_TRAIN_800MV_3_5DB_IVB (0x33 <<22)
+#define EDP_LINK_TRAIN_800MV_3_5DB_IVB (0x3e <<22)
/* legacy values */
#define EDP_LINK_TRAIN_500MV_0DB_IVB (0x00 <<22)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [248/251] SUNRPC: Fix memory corruption issue on 32-bit highmem systems
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (245 preceding siblings ...)
2013-09-11 4:31 ` [247/251] drm/i915: ivb: fix edp voltage swing reg val Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [249/251] ath9k_htc: Restore skb headroom when returning skb to mac80211 Steven Rostedt
` (3 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Mark Young, Matt Craighead, Bruce Fields, Trond Myklebust
[-- Attachment #1: 0248-SUNRPC-Fix-memory-corruption-issue-on-32-bit-highmem.patch --]
[-- Type: text/plain, Size: 1885 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <Trond.Myklebust@netapp.com>
[ Upstream commit 347e2233b7667e336d9f671f1a52dfa3f0416e2c ]
Some architectures, such as ARM-32 do not return the same base address
when you call kmap_atomic() twice on the same page.
This causes problems for the memmove() call in the XDR helper routine
"_shift_data_right_pages()", since it defeats the detection of
overlapping memory ranges, and has been seen to corrupt memory.
The fix is to distinguish between the case where we're doing an
inter-page copy or not. In the former case of we know that the memory
ranges cannot possibly overlap, so we can additionally micro-optimise
by replacing memmove() with memcpy().
Reported-by: Mark Young <MYoung@nvidia.com>
Reported-by: Matt Craighead <mcraighead@nvidia.com>
Cc: Bruce Fields <bfields@fieldses.org>
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Tested-by: Matt Craighead <mcraighead@nvidia.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
net/sunrpc/xdr.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index 0afba1b..7e99acd 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -207,10 +207,13 @@ _shift_data_right_pages(struct page **pages, size_t pgto_base,
pgfrom_base -= copy;
vto = kmap_atomic(*pgto);
- vfrom = kmap_atomic(*pgfrom);
- memmove(vto + pgto_base, vfrom + pgfrom_base, copy);
+ if (*pgto != *pgfrom) {
+ vfrom = kmap_atomic(*pgfrom);
+ memcpy(vto + pgto_base, vfrom + pgfrom_base, copy);
+ kunmap_atomic(vfrom);
+ } else
+ memmove(vto + pgto_base, vto + pgfrom_base, copy);
flush_dcache_page(*pgto);
- kunmap_atomic(vfrom);
kunmap_atomic(vto);
} while ((len -= copy) != 0);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [249/251] ath9k_htc: Restore skb headroom when returning skb to mac80211
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (246 preceding siblings ...)
2013-09-11 4:31 ` [248/251] SUNRPC: Fix memory corruption issue on 32-bit highmem systems Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [250/251] ath9k: Enable PLL fix only for AR9340/AR9330 Steven Rostedt
` (2 subsequent siblings)
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Marc Kleine-Budde, Helmut Schaa, John W. Linville
[-- Attachment #1: 0249-ath9k_htc-Restore-skb-headroom-when-returning-skb-to.patch --]
[-- Type: text/plain, Size: 2106 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Helmut Schaa <helmut.schaa@googlemail.com>
[ Upstream commit d2e9fc141e2aa21f4b35ee27072d84e9aa6e2ba0 ]
ath9k_htc adds padding between the 802.11 header and the payload during
TX by moving the header. When handing the frame back to mac80211 for TX
status handling the header is not moved back into its original position.
This can result in a too small skb headroom when entering ath9k_htc
again (due to a soft retransmission for example) causing an
skb_under_panic oops.
Fix this by moving the 802.11 header back into its original position
before returning the frame to mac80211 as other drivers like rt2x00
or ath5k do.
Reported-by: Marc Kleine-Budde <mkl@blackshift.org>
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Tested-by: Marc Kleine-Budde <mkl@blackshift.org>
Signed-off-by: Marc Kleine-Budde <mkl@blackshift.org>
Cc: stable@vger.kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
index 47e61d0..c1289b6 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -448,6 +448,7 @@ static void ath9k_htc_tx_process(struct ath9k_htc_priv *priv,
struct ieee80211_conf *cur_conf = &priv->hw->conf;
bool txok;
int slot;
+ int hdrlen, padsize;
slot = strip_drv_header(priv, skb);
if (slot < 0) {
@@ -504,6 +505,15 @@ send_mac80211:
ath9k_htc_tx_clear_slot(priv, slot);
+ /* Remove padding before handing frame back to mac80211 */
+ hdrlen = ieee80211_get_hdrlen_from_skb(skb);
+
+ padsize = hdrlen & 3;
+ if (padsize && skb->len > hdrlen + padsize) {
+ memmove(skb->data + padsize, skb->data, hdrlen);
+ skb_pull(skb, padsize);
+ }
+
/* Send status to mac80211 */
ieee80211_tx_status(priv->hw, skb);
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [250/251] ath9k: Enable PLL fix only for AR9340/AR9330
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (247 preceding siblings ...)
2013-09-11 4:31 ` [249/251] ath9k_htc: Restore skb headroom when returning skb to mac80211 Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:31 ` [251/251] target: Fix trailing ASCII space usage in INQUIRY vendor+model Steven Rostedt
2013-09-11 4:34 ` [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sujith Manoharan, John W. Linville
[-- Attachment #1: 0250-ath9k-Enable-PLL-fix-only-for-AR9340-AR9330.patch --]
[-- Type: text/plain, Size: 1549 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Sujith Manoharan <c_manoha@qca.qualcomm.com>
[ Upstream commit 19c361608ce3e73f352e323262f7e0a8264be3af ]
The PLL hang workaround is required only for AR9330 and
AR9340. This issue was first observed on an AP121 and the WAR
is enabled for AR9340 also (DB120 etc.), since it uses a PLL
design identical to AR9330. This is not required for AR9485 and AR9550.
Various bugs have been reported regarding this:
https://bugzilla.redhat.com/show_bug.cgi?id=997217
https://bugzilla.redhat.com/show_bug.cgi?id=994648
Cc: stable@vger.kernel.org
Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/ath/ath9k/main.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
index e032723..d0ed5c6 100644
--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -172,8 +172,7 @@ static void ath_restart_work(struct ath_softc *sc)
{
ieee80211_queue_delayed_work(sc->hw, &sc->tx_complete_work, 0);
- if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9485(sc->sc_ah) ||
- AR_SREV_9550(sc->sc_ah))
+ if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9330(sc->sc_ah))
ieee80211_queue_delayed_work(sc->hw, &sc->hw_pll_work,
msecs_to_jiffies(ATH_PLL_WORK_INTERVAL));
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* [251/251] target: Fix trailing ASCII space usage in INQUIRY vendor+model
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (248 preceding siblings ...)
2013-09-11 4:31 ` [250/251] ath9k: Enable PLL fix only for AR9340/AR9330 Steven Rostedt
@ 2013-09-11 4:31 ` Steven Rostedt
2013-09-11 4:34 ` [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:31 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Tomas Molota, Nicholas Bellinger
[-- Attachment #1: 0251-target-Fix-trailing-ASCII-space-usage-in-INQUIRY-ven.patch --]
[-- Type: text/plain, Size: 1743 bytes --]
3.6.11.9-rc1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Nicholas Bellinger <nab@linux-iscsi.org>
[ Upstream commit ee60bddba5a5f23e39598195d944aa0eb2d455e5 ]
This patch fixes spc_emulate_inquiry_std() to add trailing ASCII
spaces for INQUIRY vendor + model fields following SPC-4 text:
"ASCII data fields described as being left-aligned shall have any
unused bytes at the end of the field (i.e., highest offset) and
the unused bytes shall be filled with ASCII space characters (20h)."
This addresses a problem with Falconstor NSS multipathing.
Reported-by: Tomas Molota <tomas.molota@lightstorm.sk>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/target/target_core_spc.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/target/target_core_spc.c b/drivers/target/target_core_spc.c
index 6fd434d..290041b 100644
--- a/drivers/target/target_core_spc.c
+++ b/drivers/target/target_core_spc.c
@@ -100,9 +100,12 @@ static int spc_emulate_inquiry_std(struct se_cmd *cmd, char *buf)
buf[7] = 0x2; /* CmdQue=1 */
- snprintf(&buf[8], 8, "LIO-ORG");
- snprintf(&buf[16], 16, "%s", dev->se_sub_dev->t10_wwn.model);
- snprintf(&buf[32], 4, "%s", dev->se_sub_dev->t10_wwn.revision);
+ memcpy(&buf[8], "LIO-ORG ", 8);
+ memset(&buf[16], 0x20, 16);
+ memcpy(&buf[16], dev->se_sub_dev->t10_wwn.model,
+ min_t(size_t, strlen(dev->se_sub_dev->t10_wwn.model), 16));
+ memcpy(&buf[32], dev->se_sub_dev->t10_wwn.revision,
+ min_t(size_t, strlen(dev->se_sub_dev->t10_wwn.revision), 4));
buf[4] = 31; /* Set additional length to 31 */
return 0;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* Re: [000/251] 3.6.11.9-rc1-stable review
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
` (249 preceding siblings ...)
2013-09-11 4:31 ` [251/251] target: Fix trailing ASCII space usage in INQUIRY vendor+model Steven Rostedt
@ 2013-09-11 4:34 ` Steven Rostedt
250 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 4:34 UTC (permalink / raw)
To: Steven Rostedt; +Cc: linux-kernel, stable
diff --git a/Documentation/i2c/busses/i2c-piix4
b/Documentation/i2c/busses/i2c-piix4 index 1e6634f..a370b20 100644
--- a/Documentation/i2c/busses/i2c-piix4
+++ b/Documentation/i2c/busses/i2c-piix4
@@ -13,7 +13,7 @@ Supported adapters:
* AMD SP5100 (SB700 derivative found on some server mainboards)
Datasheet: Publicly available at the AMD website
http://support.amd.com/us/Embedded_TechDocs/44413.pdf
- * AMD Hudson-2
+ * AMD Hudson-2, CZ
Datasheet: Not publicly available
* Standard Microsystems (SMSC) SLC90E66 (Victory66) southbridge
Datasheet: Publicly available at the SMSC website
http://www.smsc.com diff --git a/Makefile b/Makefile
index 3d4cbd5..c0562c8 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
VERSION = 3
PATCHLEVEL = 6
SUBLEVEL = 11
-EXTRAVERSION = .8
+EXTRAVERSION = .9-rc1
NAME = Terrified Chipmunk
# *DOCUMENTATION*
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 589bdba..ca5e665 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -183,7 +183,8 @@ config VECTORS_BASE
default DRAM_BASE if REMAP_VECTORS_TO_RAM
default 0x00000000
help
- The base address of exception vectors.
+ The base address of exception vectors. This must be two
pages
+ in size.
config ARM_PATCH_PHYS_VIRT
bool "Patch physical to virtual translations at runtime" if
EMBEDDED diff --git a/arch/arm/boot/compressed/atags_to_fdt.c
b/arch/arm/boot/compressed/atags_to_fdt.c index aabc02a..d1153c8 100644
--- a/arch/arm/boot/compressed/atags_to_fdt.c
+++ b/arch/arm/boot/compressed/atags_to_fdt.c
@@ -53,6 +53,17 @@ static const void *getprop(const void *fdt, const
char *node_path, return fdt_getprop(fdt, offset, property, len);
}
+static uint32_t get_cell_size(const void *fdt)
+{
+ int len;
+ uint32_t cell_size = 1;
+ const uint32_t *size_len = getprop(fdt, "/", "#size-cells",
&len); +
+ if (size_len)
+ cell_size = fdt32_to_cpu(*size_len);
+ return cell_size;
+}
+
static void merge_fdt_bootargs(void *fdt, const char *fdt_cmdline)
{
char cmdline[COMMAND_LINE_SIZE];
@@ -95,9 +106,11 @@ static void merge_fdt_bootargs(void *fdt, const
char *fdt_cmdline) int atags_to_fdt(void *atag_list, void *fdt, int
total_space) {
struct tag *atag = atag_list;
- uint32_t mem_reg_property[2 * NR_BANKS];
+ /* In the case of 64 bits memory size, need to reserve 2 cells
for
+ * address and size for each bank */
+ uint32_t mem_reg_property[2 * 2 * NR_BANKS];
int memcount = 0;
- int ret;
+ int ret, memsize;
/* make sure we've got an aligned pointer */
if ((u32)atag_list & 0x3)
@@ -137,8 +150,25 @@ int atags_to_fdt(void *atag_list, void *fdt, int
total_space) continue;
if (!atag->u.mem.size)
continue;
- mem_reg_property[memcount++] =
cpu_to_fdt32(atag->u.mem.start);
- mem_reg_property[memcount++] =
cpu_to_fdt32(atag->u.mem.size);
+ memsize = get_cell_size(fdt);
+
+ if (memsize == 2) {
+ /* if memsize is 2, that means that
+ * each data needs 2 cells of 32 bits,
+ * so the data are 64 bits */
+ uint64_t *mem_reg_prop64 =
+ (uint64_t *)mem_reg_property;
+ mem_reg_prop64[memcount++] =
+
cpu_to_fdt64(atag->u.mem.start);
+ mem_reg_prop64[memcount++] =
+ cpu_to_fdt64(atag->u.mem.size);
+ } else {
+ mem_reg_property[memcount++] =
+
cpu_to_fdt32(atag->u.mem.start);
+ mem_reg_property[memcount++] =
+ cpu_to_fdt32(atag->u.mem.size);
+ }
+
} else if (atag->hdr.tag == ATAG_INITRD2) {
uint32_t initrd_start, initrd_size;
initrd_start = atag->u.initrd.start;
@@ -150,8 +180,10 @@ int atags_to_fdt(void *atag_list, void *fdt, int
total_space) }
}
- if (memcount)
- setprop(fdt, "/memory", "reg", mem_reg_property,
4*memcount);
+ if (memcount) {
+ setprop(fdt, "/memory", "reg", mem_reg_property,
+ 4 * memcount * memsize);
+ }
return fdt_pack(fdt);
}
diff --git a/arch/arm/boot/dts/at91sam9n12ek.dts
b/arch/arm/boot/dts/at91sam9n12ek.dts index f4e43e3..84d8bdb 100644
--- a/arch/arm/boot/dts/at91sam9n12ek.dts
+++ b/arch/arm/boot/dts/at91sam9n12ek.dts
@@ -14,11 +14,11 @@
compatible = "atmel,at91sam9n12ek", "atmel,at91sam9n12",
"atmel,at91sam9";
chosen {
- bootargs = "mem=128M console=ttyS0,115200
root=/dev/mtdblock1 rw rootfstype=jffs2";
+ bootargs = "console=ttyS0,115200 root=/dev/mtdblock1
rw rootfstype=jffs2"; };
memory {
- reg = <0x20000000 0x10000000>;
+ reg = <0x20000000 0x8000000>;
};
clocks {
diff --git a/arch/arm/include/asm/mmu.h b/arch/arm/include/asm/mmu.h
index 1496565..49122c4 100644
--- a/arch/arm/include/asm/mmu.h
+++ b/arch/arm/include/asm/mmu.h
@@ -7,6 +7,8 @@ typedef struct {
#ifdef CONFIG_CPU_HAS_ASID
unsigned int id;
raw_spinlock_t id_lock;
+#else
+ int switch_pending;
#endif
unsigned int kvm_seq;
} mm_context_t;
diff --git a/arch/arm/include/asm/mmu_context.h
b/arch/arm/include/asm/mmu_context.h index 0306bc6..549f1c6 100644
--- a/arch/arm/include/asm/mmu_context.h
+++ b/arch/arm/include/asm/mmu_context.h
@@ -121,7 +121,7 @@ static inline void check_and_switch_context(struct
mm_struct *mm,
* on non-ASID CPUs, the old mm will remain valid
until the
* finish_arch_post_lock_switch() call.
*/
- set_ti_thread_flag(task_thread_info(tsk),
TIF_SWITCH_MM);
+ mm->context.switch_pending = 1;
else
cpu_switch_mm(mm->pgd, mm);
}
@@ -130,9 +130,21 @@ static inline void check_and_switch_context(struct
mm_struct *mm, finish_arch_post_lock_switch
static inline void finish_arch_post_lock_switch(void)
{
- if (test_and_clear_thread_flag(TIF_SWITCH_MM)) {
- struct mm_struct *mm = current->mm;
- cpu_switch_mm(mm->pgd, mm);
+ struct mm_struct *mm = current->mm;
+
+ if (mm && mm->context.switch_pending) {
+ /*
+ * Preemption must be disabled during cpu_switch_mm()
as we
+ * have some stateful cache flush implementations.
Check
+ * switch_pending again in case we were preempted and
the
+ * switch to this mm was already done.
+ */
+ preempt_disable();
+ if (mm->context.switch_pending) {
+ mm->context.switch_pending = 0;
+ cpu_switch_mm(mm->pgd, mm);
+ }
+ preempt_enable_no_resched();
}
}
diff --git a/arch/arm/include/asm/page.h b/arch/arm/include/asm/page.h
index ecf9019..5c35852 100644
--- a/arch/arm/include/asm/page.h
+++ b/arch/arm/include/asm/page.h
@@ -142,7 +142,9 @@ extern void __cpu_copy_user_highpage(struct page
*to, struct page *from, #define clear_page(page) memset((void
*)(page), 0, PAGE_SIZE) extern void copy_page(void *to, const void
*from);
+#ifdef CONFIG_KUSER_HELPERS
#define __HAVE_ARCH_GATE_AREA 1
+#endif
#ifdef CONFIG_ARM_LPAE
#include <asm/pgtable-3level-types.h>
diff --git a/arch/arm/include/asm/thread_info.h
b/arch/arm/include/asm/thread_info.h index af7b0bd..86682b1 100644
--- a/arch/arm/include/asm/thread_info.h
+++ b/arch/arm/include/asm/thread_info.h
@@ -153,7 +153,6 @@ extern int vfp_restore_user_hwstate(struct user_vfp
__user *, #define TIF_MEMDIE 18 /* is terminating
due to OOM killer */ #define TIF_RESTORE_SIGMASK 20
#define TIF_SECCOMP 21
-#define TIF_SWITCH_MM 22 /* deferred switch_mm */
#define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
#define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
index 0f82098..5492d72 100644
--- a/arch/arm/kernel/entry-armv.S
+++ b/arch/arm/kernel/entry-armv.S
@@ -784,6 +784,18 @@ ENDPROC(__switch_to)
#endif
.endm
+ .macro kuser_pad, sym, size
+ .if (. - \sym) & 3
+ .rept 4 - (. - \sym) & 3
+ .byte 0
+ .endr
+ .endif
+ .rept (\size - (. - \sym)) / 4
+ .word 0xe7fddef1
+ .endr
+ .endm
+
+#ifdef CONFIG_KUSER_HELPERS
.align 5
.globl __kuser_helper_start
__kuser_helper_start:
@@ -874,18 +886,13 @@ kuser_cmpxchg64_fixup:
#error "incoherent kernel configuration"
#endif
- /* pad to next slot */
- .rept (16 - (. - __kuser_cmpxchg64)/4)
- .word 0
- .endr
-
- .align 5
+ kuser_pad __kuser_cmpxchg64, 64
__kuser_memory_barrier: @ 0xffff0fa0
smp_dmb arm
usr_ret lr
- .align 5
+ kuser_pad __kuser_memory_barrier, 32
__kuser_cmpxchg: @ 0xffff0fc0
@@ -958,13 +965,14 @@ kuser_cmpxchg32_fixup:
#endif
- .align 5
+ kuser_pad __kuser_cmpxchg, 32
__kuser_get_tls: @ 0xffff0fe0
ldr r0, [pc, #(16 - 8)] @ read TLS, set in
kuser_get_tls_init usr_ret lr
mrc p15, 0, r0, c13, c0, 3 @ 0xffff0fe8 hardware
TLS code
- .rep 4
+ kuser_pad __kuser_get_tls, 16
+ .rep 3
.word 0 @ 0xffff0ff0 software
TLS value, then .endr @ pad up to
__kuser_helper_version
@@ -974,14 +982,16 @@
__kuser_helper_version: @
0xffff0ffc .globl __kuser_helper_end __kuser_helper_end:
+#endif
+
THUMB( .thumb )
/*
* Vector stubs.
*
- * This code is copied to 0xffff0200 so we can use branches in the
- * vectors, rather than ldr's. Note that this code must not
- * exceed 0x300 bytes.
+ * This code is copied to 0xffff1000 so we can use branches in the
+ * vectors, rather than ldr's. Note that this code must not exceed
+ * a page size.
*
* Common stub entry macro:
* Enter in IRQ mode, spsr = SVC/USR CPSR, lr = SVC/USR PC
@@ -1028,8 +1038,17 @@ ENDPROC(vector_\name)
1:
.endm
- .globl __stubs_start
+ .section .stubs, "ax", %progbits
__stubs_start:
+ @ This must be the first word
+ .word vector_swi
+
+vector_rst:
+ ARM( swi SYS_ERROR0 )
+ THUMB( svc #0 )
+ THUMB( nop )
+ b vector_und
+
/*
* Interrupt dispatcher
*/
@@ -1124,6 +1143,16 @@ __stubs_start:
.align 5
/*=============================================================================
+ * Address exception handler
+
*-----------------------------------------------------------------------------
+ * These aren't too critical.
+ * (they're not supposed to happen, and won't happen in 32-bit data
mode).
+ */
+
+vector_addrexcptn:
+ b vector_addrexcptn
+
+/*=============================================================================
* Undefined FIQs
*-----------------------------------------------------------------------------
* Enter in FIQ mode, spsr = ANY CPSR, lr = ANY PC
@@ -1136,45 +1165,19 @@ __stubs_start:
vector_fiq:
subs pc, lr, #4
-/*=============================================================================
- * Address exception handler
-
*-----------------------------------------------------------------------------
- * These aren't too critical.
- * (they're not supposed to happen, and won't happen in 32-bit data
mode).
- */
-
-vector_addrexcptn:
- b vector_addrexcptn
-
-/*
- * We group all the following data together to optimise
- * for CPUs with separate I & D caches.
- */
- .align 5
-
-.LCvswi:
- .word vector_swi
-
- .globl __stubs_end
-__stubs_end:
-
- .equ stubs_offset, __vectors_start + 0x200 -
__stubs_start
+ .globl vector_fiq_offset
+ .equ vector_fiq_offset, vector_fiq
- .globl __vectors_start
+ .section .vectors, "ax", %progbits
__vectors_start:
- ARM( swi SYS_ERROR0 )
- THUMB( svc #0 )
- THUMB( nop )
- W(b) vector_und + stubs_offset
- W(ldr) pc, .LCvswi + stubs_offset
- W(b) vector_pabt + stubs_offset
- W(b) vector_dabt + stubs_offset
- W(b) vector_addrexcptn + stubs_offset
- W(b) vector_irq + stubs_offset
- W(b) vector_fiq + stubs_offset
-
- .globl __vectors_end
-__vectors_end:
+ W(b) vector_rst
+ W(b) vector_und
+ W(ldr) pc, __vectors_start + 0x1000
+ W(b) vector_pabt
+ W(b) vector_dabt
+ W(b) vector_addrexcptn
+ W(b) vector_irq
+ W(b) vector_fiq
.data
diff --git a/arch/arm/kernel/fiq.c b/arch/arm/kernel/fiq.c
index 2adda11..25442f4 100644
--- a/arch/arm/kernel/fiq.c
+++ b/arch/arm/kernel/fiq.c
@@ -47,6 +47,11 @@
#include <asm/irq.h>
#include <asm/traps.h>
+#define FIQ_OFFSET ({ \
+ extern void *vector_fiq_offset; \
+ (unsigned)&vector_fiq_offset; \
+ })
+
static unsigned long no_fiq_insn;
/* Default reacquire function
@@ -80,13 +85,16 @@ int show_fiq_list(struct seq_file *p, int prec)
void set_fiq_handler(void *start, unsigned int length)
{
#if defined(CONFIG_CPU_USE_DOMAINS)
- memcpy((void *)0xffff001c, start, length);
+ void *base = (void *)0xffff0000;
#else
- memcpy(vectors_page + 0x1c, start, length);
+ void *base = vectors_page;
#endif
- flush_icache_range(0xffff001c, 0xffff001c + length);
+ unsigned offset = FIQ_OFFSET;
+
+ memcpy(base + offset, start, length);
+ flush_icache_range(0xffff0000 + offset, 0xffff0000 + offset +
length); if (!vectors_high())
- flush_icache_range(0x1c, 0x1c + length);
+ flush_icache_range(offset, offset + length);
}
int claim_fiq(struct fiq_handler *f)
@@ -144,6 +152,7 @@ EXPORT_SYMBOL(disable_fiq);
void __init init_FIQ(int start)
{
- no_fiq_insn = *(unsigned long *)0xffff001c;
+ unsigned offset = FIQ_OFFSET;
+ no_fiq_insn = *(unsigned long *)(0xffff0000 + offset);
fiq_start = start;
}
diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c
index 5770b9d..7cdecea 100644
--- a/arch/arm/kernel/perf_event.c
+++ b/arch/arm/kernel/perf_event.c
@@ -106,7 +106,12 @@ armpmu_map_cache_event(const unsigned (*cache_map)
static int
armpmu_map_event(const unsigned (*event_map)[PERF_COUNT_HW_MAX], u64
config) {
- int mapping = (*event_map)[config];
+ int mapping;
+
+ if (config >= PERF_COUNT_HW_MAX)
+ return -ENOENT;
+
+ mapping = (*event_map)[config];
return mapping == HW_OP_UNSUPPORTED ? -ENOENT : mapping;
}
@@ -316,6 +321,9 @@ validate_event(struct pmu_hw_events *hw_events,
struct hw_perf_event fake_event = event->hw;
struct pmu *leader_pmu = event->group_leader->pmu;
+ if (is_software_event(event))
+ return 1;
+
if (event->pmu != leader_pmu || event->state <
PERF_EVENT_STATE_OFF) return 1;
diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
index 693b744..427ddbc 100644
--- a/arch/arm/kernel/process.c
+++ b/arch/arm/kernel/process.c
@@ -508,6 +508,7 @@ unsigned long arch_randomize_brk(struct mm_struct
*mm) }
#ifdef CONFIG_MMU
+#ifdef CONFIG_KUSER_HELPERS
/*
* The vectors page is always readable from user space for the
* atomic helpers and the signal restart code. Insert it into the
@@ -540,9 +541,13 @@ int in_gate_area_no_mm(unsigned long addr)
{
return in_gate_area(NULL, addr);
}
+#define is_gate_vma(vma) ((vma) = &gate_vma)
+#else
+#define is_gate_vma(vma) 0
+#endif
const char *arch_vma_name(struct vm_area_struct *vma)
{
- return (vma == &gate_vma) ? "[vectors]" : NULL;
+ return is_gate_vma(vma) ? "[vectors]" : NULL;
}
#endif
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
index b0179b8..1392beb 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -807,39 +807,54 @@ void __init trap_init(void)
return;
}
-static void __init kuser_get_tls_init(unsigned long vectors)
+#ifdef CONFIG_KUSER_HELPERS
+static void __init kuser_init(void *vectors)
{
+ extern char __kuser_helper_start[], __kuser_helper_end[];
+ int kuser_sz = __kuser_helper_end - __kuser_helper_start;
+
+ memcpy(vectors + 0x1000 - kuser_sz, __kuser_helper_start,
kuser_sz); +
/*
* vectors + 0xfe0 = __kuser_get_tls
* vectors + 0xfe8 = hardware TLS instruction at 0xffff0fe8
*/
if (tls_emu || has_tls_reg)
- memcpy((void *)vectors + 0xfe0, (void *)vectors +
0xfe8, 4);
+ memcpy(vectors + 0xfe0, vectors + 0xfe8, 4);
}
+#else
+static void __init kuser_init(void *vectors)
+{
+}
+#endif
void __init early_trap_init(void *vectors_base)
{
unsigned long vectors = (unsigned long)vectors_base;
extern char __stubs_start[], __stubs_end[];
extern char __vectors_start[], __vectors_end[];
- extern char __kuser_helper_start[], __kuser_helper_end[];
- int kuser_sz = __kuser_helper_end - __kuser_helper_start;
+ unsigned i;
vectors_page = vectors_base;
/*
+ * Poison the vectors page with an undefined instruction. This
+ * instruction is chosen to be undefined for both ARM and Thumb
+ * ISAs. The Thumb version is an undefined instruction with a
+ * branch back to the undefined instruction.
+ */
+ for (i = 0; i < PAGE_SIZE / sizeof(u32); i++)
+ ((u32 *)vectors_base)[i] = 0xe7fddef1;
+
+ /*
* Copy the vectors, stubs and kuser helpers (in entry-armv.S)
* into the vector page, mapped at 0xffff0000, and ensure these
* are visible to the instruction stream.
*/
memcpy((void *)vectors, __vectors_start, __vectors_end -
__vectors_start);
- memcpy((void *)vectors + 0x200, __stubs_start, __stubs_end -
__stubs_start);
- memcpy((void *)vectors + 0x1000 - kuser_sz,
__kuser_helper_start, kuser_sz);
+ memcpy((void *)vectors + 0x1000, __stubs_start, __stubs_end -
__stubs_start);
- /*
- * Do processor specific fixups for the kuser helpers
- */
- kuser_get_tls_init(vectors);
+ kuser_init(vectors_base);
/*
* Copy signal return handlers into the vector page, and
@@ -848,6 +863,6 @@ void __init early_trap_init(void *vectors_base)
memcpy((void *)(vectors + KERN_SIGRETURN_CODE -
CONFIG_VECTORS_BASE), sigreturn_codes, sizeof(sigreturn_codes));
- flush_icache_range(vectors, vectors + PAGE_SIZE);
+ flush_icache_range(vectors, vectors + PAGE_SIZE * 2);
modify_domain(DOMAIN_USER, DOMAIN_CLIENT);
}
diff --git a/arch/arm/kernel/vmlinux.lds.S
b/arch/arm/kernel/vmlinux.lds.S index 36ff15b..2f8f92e 100644
--- a/arch/arm/kernel/vmlinux.lds.S
+++ b/arch/arm/kernel/vmlinux.lds.S
@@ -137,6 +137,23 @@ SECTIONS
. = ALIGN(PAGE_SIZE);
__init_begin = .;
#endif
+ /*
+ * The vectors and stubs are relocatable code, and the
+ * only thing that matters is their relative offsets
+ */
+ __vectors_start = .;
+ .vectors 0 : AT(__vectors_start) {
+ *(.vectors)
+ }
+ . = __vectors_start + SIZEOF(.vectors);
+ __vectors_end = .;
+
+ __stubs_start = .;
+ .stubs 0x1000 : AT(__stubs_start) {
+ *(.stubs)
+ }
+ . = __stubs_start + SIZEOF(.stubs);
+ __stubs_end = .;
INIT_TEXT_SECTION(8)
.exit.text : {
diff --git a/arch/arm/mach-davinci/board-dm355-leopard.c
b/arch/arm/mach-davinci/board-dm355-leopard.c index 8e77032..eeeb81f
100644 --- a/arch/arm/mach-davinci/board-dm355-leopard.c
+++ b/arch/arm/mach-davinci/board-dm355-leopard.c
@@ -75,6 +75,7 @@ static struct davinci_nand_pdata davinci_nand_data = {
.parts = davinci_nand_partitions,
.nr_parts = ARRAY_SIZE(davinci_nand_partitions),
.ecc_mode = NAND_ECC_HW_SYNDROME,
+ .ecc_bits = 4,
.bbt_options = NAND_BBT_USE_FLASH,
};
diff --git a/arch/arm/mach-davinci/board-dm644x-evm.c
b/arch/arm/mach-davinci/board-dm644x-evm.c index d34ed55..87a904f 100644
--- a/arch/arm/mach-davinci/board-dm644x-evm.c
+++ b/arch/arm/mach-davinci/board-dm644x-evm.c
@@ -152,6 +152,7 @@ static struct davinci_nand_pdata
davinci_evm_nandflash_data = { .parts =
davinci_evm_nandflash_partition, .nr_parts =
ARRAY_SIZE(davinci_evm_nandflash_partition), .ecc_mode =
NAND_ECC_HW,
+ .ecc_bits = 1,
.bbt_options = NAND_BBT_USE_FLASH,
.timing = &davinci_evm_nandflash_timing,
};
diff --git a/arch/arm/mach-davinci/board-dm646x-evm.c
b/arch/arm/mach-davinci/board-dm646x-evm.c index 958679a..5d4b51f 100644
--- a/arch/arm/mach-davinci/board-dm646x-evm.c
+++ b/arch/arm/mach-davinci/board-dm646x-evm.c
@@ -89,6 +89,7 @@ static struct davinci_nand_pdata davinci_nand_data = {
.parts = davinci_nand_partitions,
.nr_parts = ARRAY_SIZE(davinci_nand_partitions),
.ecc_mode = NAND_ECC_HW,
+ .ecc_bits = 1,
.options = 0,
};
diff --git a/arch/arm/mach-davinci/board-neuros-osd2.c
b/arch/arm/mach-davinci/board-neuros-osd2.c index f6b9fc7..58d902a
100644 --- a/arch/arm/mach-davinci/board-neuros-osd2.c
+++ b/arch/arm/mach-davinci/board-neuros-osd2.c
@@ -88,6 +88,7 @@ static struct davinci_nand_pdata
davinci_ntosd2_nandflash_data = { .parts =
davinci_ntosd2_nandflash_partition, .nr_parts =
ARRAY_SIZE(davinci_ntosd2_nandflash_partition), .ecc_mode =
NAND_ECC_HW,
+ .ecc_bits = 1,
.bbt_options = NAND_BBT_USE_FLASH,
};
diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
index 101b968..6c5a533 100644
--- a/arch/arm/mm/Kconfig
+++ b/arch/arm/mm/Kconfig
@@ -400,24 +400,28 @@ config CPU_32v3
select TLS_REG_EMUL if SMP || !MMU
select NEEDS_SYSCALL_FOR_CMPXCHG if SMP
select CPU_USE_DOMAINS if MMU
+ select NEED_KUSER_HELPERS
config CPU_32v4
bool
select TLS_REG_EMUL if SMP || !MMU
select NEEDS_SYSCALL_FOR_CMPXCHG if SMP
select CPU_USE_DOMAINS if MMU
+ select NEED_KUSER_HELPERS
config CPU_32v4T
bool
select TLS_REG_EMUL if SMP || !MMU
select NEEDS_SYSCALL_FOR_CMPXCHG if SMP
select CPU_USE_DOMAINS if MMU
+ select NEED_KUSER_HELPERS
config CPU_32v5
bool
select TLS_REG_EMUL if SMP || !MMU
select NEEDS_SYSCALL_FOR_CMPXCHG if SMP
select CPU_USE_DOMAINS if MMU
+ select NEED_KUSER_HELPERS
config CPU_32v6
bool
@@ -735,6 +739,7 @@ config CPU_BPREDICT_DISABLE
config TLS_REG_EMUL
bool
+ select NEED_KUSER_HELPERS
help
An SMP system using a pre-ARMv6 processor (there are
apparently a few prototypes like that in existence) and therefore
access to @@ -742,11 +747,43 @@ config TLS_REG_EMUL
config NEEDS_SYSCALL_FOR_CMPXCHG
bool
+ select NEED_KUSER_HELPERS
help
SMP on a pre-ARMv6 processor? Well OK then.
Forget about fast user space cmpxchg support.
It is just not possible.
+config NEED_KUSER_HELPERS
+ bool
+
+config KUSER_HELPERS
+ bool "Enable kuser helpers in vector page"
if !NEED_KUSER_HELPERS
+ default y
+ help
+ Warning: disabling this option may break user programs.
+
+ Provide kuser helpers in the vector page. The kernel
provides
+ helper code to userspace in read only form at a fixed
location
+ in the high vector page to allow userspace to be independent
of
+ the CPU type fitted to the system. This permits binaries to
be
+ run on ARMv4 through to ARMv7 without modification.
+
+ See Documentation/arm/kernel_user_helpers.txt for details.
+
+ However, the fixed address nature of these helpers can be
used
+ by ROP (return orientated programming) authors when creating
+ exploits.
+
+ If all of the binaries and libraries which run on your
platform
+ are built specifically for your platform, and make no use of
+ these helpers, then you can turn this option off to hinder
+ such exploits. However, in that case, if a binary or library
+ relying on those helpers is run, it will receive a SIGILL
signal,
+ which will terminate the program.
+
+ Say N here only if you are absolutely certain that you do not
+ need these helpers; otherwise, the safe option is to say Y.
+
config DMA_CACHE_RWFO
bool "Enable read/write for ownership DMA cache maintenance"
depends on CPU_V6K && SMP
diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
index c2fa21d..50d4aff 100644
--- a/arch/arm/mm/mmu.c
+++ b/arch/arm/mm/mmu.c
@@ -1080,7 +1080,7 @@ static void __init devicemaps_init(struct
machine_desc *mdesc) /*
* Allocate the vector page early.
*/
- vectors = early_alloc(PAGE_SIZE);
+ vectors = early_alloc(PAGE_SIZE * 2);
early_trap_init(vectors);
@@ -1125,15 +1125,27 @@ static void __init devicemaps_init(struct
machine_desc *mdesc) map.pfn = __phys_to_pfn(virt_to_phys(vectors));
map.virtual = 0xffff0000;
map.length = PAGE_SIZE;
+#ifdef CONFIG_KUSER_HELPERS
map.type = MT_HIGH_VECTORS;
+#else
+ map.type = MT_LOW_VECTORS;
+#endif
create_mapping(&map);
if (!vectors_high()) {
map.virtual = 0;
+ map.length = PAGE_SIZE * 2;
map.type = MT_LOW_VECTORS;
create_mapping(&map);
}
+ /* Now create a kernel read-only mapping */
+ map.pfn += 1;
+ map.virtual = 0xffff0000 + PAGE_SIZE;
+ map.length = PAGE_SIZE;
+ map.type = MT_LOW_VECTORS;
+ create_mapping(&map);
+
/*
* Ask the machine support to map in the statically mapped
devices. */
diff --git a/arch/m68k/emu/natfeat.c b/arch/m68k/emu/natfeat.c
index 2291a7d..fa277ae 100644
--- a/arch/m68k/emu/natfeat.c
+++ b/arch/m68k/emu/natfeat.c
@@ -18,9 +18,11 @@
#include <asm/machdep.h>
#include <asm/natfeat.h>
+extern long nf_get_id2(const char *feature_name);
+
asm("\n"
-" .global nf_get_id,nf_call\n"
-"nf_get_id:\n"
+" .global nf_get_id2,nf_call\n"
+"nf_get_id2:\n"
" .short 0x7300\n"
" rts\n"
"nf_call:\n"
@@ -29,12 +31,25 @@ asm("\n"
"1: moveq.l #0,%d0\n"
" rts\n"
" .section __ex_table,\"a\"\n"
-" .long nf_get_id,1b\n"
+" .long nf_get_id2,1b\n"
" .long nf_call,1b\n"
" .previous");
-EXPORT_SYMBOL_GPL(nf_get_id);
EXPORT_SYMBOL_GPL(nf_call);
+long nf_get_id(const char *feature_name)
+{
+ /* feature_name may be in vmalloc()ed memory, so make a copy */
+ char name_copy[32];
+ size_t n;
+
+ n = strlcpy(name_copy, feature_name, sizeof(name_copy));
+ if (n >= sizeof(name_copy))
+ return 0;
+
+ return nf_get_id2(name_copy);
+}
+EXPORT_SYMBOL_GPL(nf_get_id);
+
void nfprint(const char *fmt, ...)
{
static char buf[256];
diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
index faf6528..5367804 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -26,6 +26,7 @@ config MIPS
select HAVE_GENERIC_HARDIRQS
select GENERIC_IRQ_PROBE
select GENERIC_IRQ_SHOW
+ select GENERIC_PCI_IOMAP
select HAVE_ARCH_JUMP_LABEL
select ARCH_WANT_IPC_PARSE_VERSION
select IRQ_FORCED_THREADING
@@ -2392,7 +2393,6 @@ config PCI
bool "Support for PCI controller"
depends on HW_HAS_PCI
select PCI_DOMAINS
- select GENERIC_PCI_IOMAP
select NO_GENERIC_PCI_IOPORT_MAP
help
Find out whether you have a PCI motherboard. PCI is the name
of a diff --git a/arch/mips/cavium-octeon/setup.c
b/arch/mips/cavium-octeon/setup.c index 919b0fb..19ce979 100644
--- a/arch/mips/cavium-octeon/setup.c
+++ b/arch/mips/cavium-octeon/setup.c
@@ -6,6 +6,7 @@
* Copyright (C) 2004-2007 Cavium Networks
* Copyright (C) 2008 Wind River Systems
*/
+#include <linux/compiler.h>
#include <linux/init.h>
#include <linux/console.h>
#include <linux/delay.h>
@@ -504,7 +505,7 @@ void __init prom_init(void)
if (cvmx_read_csr(CVMX_L2D_FUS3) & (3ull << 34)) {
pr_info("Skipping L2 locking due to reduced L2 cache
size\n"); } else {
- uint32_t ebase = read_c0_ebase() & 0x3ffff000;
+ uint32_t __maybe_unused ebase = read_c0_ebase() &
0x3ffff000; #ifdef CONFIG_CAVIUM_OCTEON_LOCK_L2_TLB
/* TLB refill */
cvmx_l2c_lock_mem_region(ebase, 0x100);
diff --git a/arch/mips/include/asm/io.h b/arch/mips/include/asm/io.h
index 29d9c23..98ca652 100644
--- a/arch/mips/include/asm/io.h
+++ b/arch/mips/include/asm/io.h
@@ -169,6 +169,11 @@ static inline void * isa_bus_to_virt(unsigned long
address) extern void __iomem * __ioremap(phys_t offset, phys_t size,
unsigned long flags); extern void __iounmap(const volatile void __iomem
*addr);
+#ifndef CONFIG_PCI
+struct pci_dev;
+static inline void pci_iounmap(struct pci_dev *dev, void __iomem
*addr) {} +#endif
+
static inline void __iomem * __ioremap_mode(phys_t offset, unsigned
long size, unsigned long flags)
{
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 352f416..3254335 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -973,6 +973,7 @@ config RELOCATABLE
must live at a different physical address than the primary
kernel.
+# This value must have zeroes in the bottom 60 bits otherwise lots
will break config PAGE_OFFSET
hex
default "0xc000000000000000"
diff --git a/arch/powerpc/include/asm/module.h
b/arch/powerpc/include/asm/module.h index 0192a4e..80de64b 100644
--- a/arch/powerpc/include/asm/module.h
+++ b/arch/powerpc/include/asm/module.h
@@ -87,10 +87,9 @@ struct exception_table_entry;
void sort_ex_table(struct exception_table_entry *start,
struct exception_table_entry *finish);
-#ifdef CONFIG_MODVERSIONS
+#if defined(CONFIG_MODVERSIONS) && defined(CONFIG_PPC64)
#define ARCH_RELOCATES_KCRCTAB
-
-extern const unsigned long reloc_start[];
+#define reloc_start PHYSICAL_START
#endif
#endif /* __KERNEL__ */
#endif /* _ASM_POWERPC_MODULE_H */
diff --git a/arch/powerpc/include/asm/page.h
b/arch/powerpc/include/asm/page.h index f072e97..2e6c4e5a 100644
--- a/arch/powerpc/include/asm/page.h
+++ b/arch/powerpc/include/asm/page.h
@@ -211,9 +211,19 @@ extern long long virt_phys_offset;
#define __va(x) ((void *)(unsigned long)((phys_addr_t)(x) +
VIRT_PHYS_OFFSET)) #define __pa(x) ((unsigned long)(x) -
VIRT_PHYS_OFFSET) #else
+#ifdef CONFIG_PPC64
+/*
+ * gcc miscompiles (unsigned long)(&static_var) - PAGE_OFFSET
+ * with -mcmodel=medium, so we use & and | instead of - and + on
64-bit.
+ */
+#define __va(x) ((void *)(unsigned long)((phys_addr_t)(x) |
PAGE_OFFSET)) +#define __pa(x) ((unsigned long)(x) &
0x0fffffffffffffffUL) +
+#else /* 32-bit, non book E */
#define __va(x) ((void *)(unsigned long)((phys_addr_t)(x) +
PAGE_OFFSET - MEMORY_START)) #define __pa(x) ((unsigned long)(x) -
PAGE_OFFSET + MEMORY_START) #endif
+#endif
/*
* Unfortunately the PLT is in the BSS in the PPC32 ELF ABI,
diff --git a/arch/powerpc/kernel/lparcfg.c
b/arch/powerpc/kernel/lparcfg.c index f5725bc..7ebbae0 100644
--- a/arch/powerpc/kernel/lparcfg.c
+++ b/arch/powerpc/kernel/lparcfg.c
@@ -35,7 +35,13 @@
#include <asm/vdso_datapage.h>
#include <asm/vio.h>
#include <asm/mmu.h>
+#include <asm/machdep.h>
+
+/*
+ * This isn't a module but we expose that to userspace
+ * via /proc so leave the definitions here
+ */
#define MODULE_VERS "1.9"
#define MODULE_NAME "lparcfg"
@@ -419,7 +425,8 @@ static void parse_em_data(struct seq_file *m)
{
unsigned long retbuf[PLPAR_HCALL_BUFSIZE];
- if (plpar_hcall(H_GET_EM_PARMS, retbuf) == H_SUCCESS)
+ if (firmware_has_feature(FW_FEATURE_LPAR) &&
+ plpar_hcall(H_GET_EM_PARMS, retbuf) == H_SUCCESS)
seq_printf(m, "power_mode_data=%016lx\n", retbuf[0]);
}
@@ -678,7 +685,6 @@ static int lparcfg_open(struct inode *inode, struct
file *file) }
static const struct file_operations lparcfg_fops = {
- .owner = THIS_MODULE,
.read = seq_read,
.write = lparcfg_write,
.open = lparcfg_open,
@@ -704,15 +710,4 @@ static int __init lparcfg_init(void)
proc_ppc64_lparcfg = ent;
return 0;
}
-
-static void __exit lparcfg_cleanup(void)
-{
- if (proc_ppc64_lparcfg)
- remove_proc_entry("lparcfg",
proc_ppc64_lparcfg->parent); -}
-
-module_init(lparcfg_init);
-module_exit(lparcfg_cleanup);
-MODULE_DESCRIPTION("Interface for LPAR configuration data");
-MODULE_AUTHOR("Dave Engebretsen");
-MODULE_LICENSE("GPL");
+machine_device_initcall(pseries, lparcfg_init);
diff --git a/arch/powerpc/kernel/setup_64.c
b/arch/powerpc/kernel/setup_64.c index 389bd4f..5c9eccc 100644
--- a/arch/powerpc/kernel/setup_64.c
+++ b/arch/powerpc/kernel/setup_64.c
@@ -76,7 +76,7 @@
#endif
int boot_cpuid = 0;
-int __initdata spinning_secondaries;
+int spinning_secondaries;
u64 ppc64_pft_size;
/* Pick defaults since we might want to patch instructions
diff --git a/arch/powerpc/kernel/vmlinux.lds.S
b/arch/powerpc/kernel/vmlinux.lds.S index 65d1c08..7703569 100644
--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -38,9 +38,6 @@ jiffies = jiffies_64 + 4;
#endif
SECTIONS
{
- . = 0;
- reloc_start = .;
-
. = KERNELBASE;
/*
diff --git a/arch/x86/kernel/cpu/mtrr/generic.c
b/arch/x86/kernel/cpu/mtrr/generic.c index e9fe907..5ac2152 100644
--- a/arch/x86/kernel/cpu/mtrr/generic.c
+++ b/arch/x86/kernel/cpu/mtrr/generic.c
@@ -510,8 +510,9 @@ generic_get_free_region(unsigned long base,
unsigned long size, int replace_reg) static void
generic_get_mtrr(unsigned int reg, unsigned long *base, unsigned long
*size, mtrr_type *type) {
- unsigned int mask_lo, mask_hi, base_lo, base_hi;
- unsigned int tmp, hi;
+ u32 mask_lo, mask_hi, base_lo, base_hi;
+ unsigned int hi;
+ u64 tmp, mask;
/*
* get_mtrr doesn't need to update mtrr_state, also it could
be called @@ -532,18 +533,18 @@ static void generic_get_mtrr(unsigned
int reg, unsigned long *base, rdmsr(MTRRphysBase_MSR(reg), base_lo,
base_hi);
/* Work out the shifted address mask: */
- tmp = mask_hi << (32 - PAGE_SHIFT) | mask_lo >> PAGE_SHIFT;
- mask_lo = size_or_mask | tmp;
+ tmp = (u64)mask_hi << (32 - PAGE_SHIFT) | mask_lo >>
PAGE_SHIFT;
+ mask = size_or_mask | tmp;
/* Expand tmp with high bits to all 1s: */
- hi = fls(tmp);
+ hi = fls64(tmp);
if (hi > 0) {
- tmp |= ~((1<<(hi - 1)) - 1);
+ tmp |= ~((1ULL<<(hi - 1)) - 1);
- if (tmp != mask_lo) {
+ if (tmp != mask) {
printk(KERN_WARNING "mtrr: your BIOS has
configured an incorrect mask, fixing it.\n");
add_taint(TAINT_FIRMWARE_WORKAROUND);
- mask_lo = tmp;
+ mask = tmp;
}
}
@@ -551,8 +552,8 @@ static void generic_get_mtrr(unsigned int reg,
unsigned long *base,
* This works correctly if size is a power of two, i.e. a
* contiguous range:
*/
- *size = -mask_lo;
- *base = base_hi << (32 - PAGE_SHIFT) | base_lo >> PAGE_SHIFT;
+ *size = -mask;
+ *base = (u64)base_hi << (32 - PAGE_SHIFT) | base_lo >>
PAGE_SHIFT; *type = base_lo & 0xff;
out_put_cpu:
diff --git a/arch/x86/kernel/cpu/mtrr/main.c
b/arch/x86/kernel/cpu/mtrr/main.c index 6b96110..87f918e 100644
--- a/arch/x86/kernel/cpu/mtrr/main.c
+++ b/arch/x86/kernel/cpu/mtrr/main.c
@@ -305,7 +305,8 @@ int mtrr_add_page(unsigned long base, unsigned long
size, return -EINVAL;
}
- if (base & size_or_mask || size & size_or_mask) {
+ if ((base | (base + size - 1)) >>
+ (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) {
pr_warning("mtrr: base or size exceeds the MTRR
width\n"); return -EINVAL;
}
@@ -583,6 +584,7 @@ static struct syscore_ops mtrr_syscore_ops = {
int __initdata changed_by_mtrr_cleanup;
+#define SIZE_OR_MASK_BITS(n) (~((1ULL << ((n) - PAGE_SHIFT)) - 1))
/**
* mtrr_bp_init - initialize mtrrs on the boot CPU
*
@@ -600,7 +602,7 @@ void __init mtrr_bp_init(void)
if (cpu_has_mtrr) {
mtrr_if = &generic_mtrr_ops;
- size_or_mask = 0xff000000; /*
36 bits */
+ size_or_mask = SIZE_OR_MASK_BITS(36);
size_and_mask = 0x00f00000;
phys_addr = 36;
@@ -619,7 +621,7 @@ void __init mtrr_bp_init(void)
boot_cpu_data.x86_mask == 0x4))
phys_addr = 36;
- size_or_mask = ~((1ULL << (phys_addr -
PAGE_SHIFT)) - 1);
+ size_or_mask = SIZE_OR_MASK_BITS(phys_addr);
size_and_mask = ~size_or_mask &
0xfffff00000ULL; } else if (boot_cpu_data.x86_vendor ==
X86_VENDOR_CENTAUR && boot_cpu_data.x86 == 6) {
@@ -627,7 +629,7 @@ void __init mtrr_bp_init(void)
* VIA C* family have Intel style MTRRs,
* but don't support PAE
*/
- size_or_mask = 0xfff00000; /*
32 bits */
+ size_or_mask = SIZE_OR_MASK_BITS(32);
size_and_mask = 0;
phys_addr = 32;
}
@@ -637,21 +639,21 @@ void __init mtrr_bp_init(void)
if (cpu_has_k6_mtrr) {
/* Pre-Athlon (K6) AMD CPU MTRRs */
mtrr_if = mtrr_ops[X86_VENDOR_AMD];
- size_or_mask = 0xfff00000; /*
32 bits */
+ size_or_mask = SIZE_OR_MASK_BITS(32);
size_and_mask = 0;
}
break;
case X86_VENDOR_CENTAUR:
if (cpu_has_centaur_mcr) {
mtrr_if = mtrr_ops[X86_VENDOR_CENTAUR];
- size_or_mask = 0xfff00000; /*
32 bits */
+ size_or_mask = SIZE_OR_MASK_BITS(32);
size_and_mask = 0;
}
break;
case X86_VENDOR_CYRIX:
if (cpu_has_cyrix_arr) {
mtrr_if = mtrr_ops[X86_VENDOR_CYRIX];
- size_or_mask = 0xfff00000; /*
32 bits */
+ size_or_mask = SIZE_OR_MASK_BITS(32);
size_and_mask = 0;
}
break;
diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
b/arch/x86/kernel/cpu/perf_event_intel_uncore.c index 0c0957d..4e5f47a
100644 --- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
@@ -313,8 +313,8 @@ static struct uncore_event_desc
snbep_uncore_imc_events[] = { static struct uncore_event_desc
snbep_uncore_qpi_events[] = { INTEL_UNCORE_EVENT_DESC(clockticks,
"event=0x14"), INTEL_UNCORE_EVENT_DESC(txl_flits_active,
"event=0x00,umask=0x06"),
- INTEL_UNCORE_EVENT_DESC(drs_data,
"event=0x02,umask=0x08"),
- INTEL_UNCORE_EVENT_DESC(ncb_data,
"event=0x03,umask=0x04"),
+ INTEL_UNCORE_EVENT_DESC(drs_data,
"event=0x102,umask=0x08"),
+ INTEL_UNCORE_EVENT_DESC(ncb_data,
"event=0x103,umask=0x04"), { /* end: all zeroes */ },
};
diff --git a/arch/x86/kernel/early-quirks.c
b/arch/x86/kernel/early-quirks.c index 94ab6b9..63bdb29 100644
--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -196,15 +196,23 @@ static void __init ati_bugs_contd(int num, int
slot, int func) static void __init intel_remapping_check(int num, int
slot, int func) {
u8 revision;
+ u16 device;
+ device = read_pci_config_16(num, slot, func, PCI_DEVICE_ID);
revision = read_pci_config_byte(num, slot, func,
PCI_REVISION_ID);
/*
- * Revision 0x13 of this chipset supports irq remapping
- * but has an erratum that breaks its behavior, flag it as such
+ * Revision 13 of all triggering devices id in this quirk have
+ * a problem draining interrupts when irq remapping is enabled,
+ * and should be flagged as broken. Additionally revisions
0x12
+ * and 0x22 of device id 0x3405 has this problem.
*/
if (revision == 0x13)
set_irq_remapping_broken();
+ else if ((device == 0x3405) &&
+ ((revision == 0x12) ||
+ (revision == 0x22)))
+ set_irq_remapping_broken();
}
@@ -239,6 +247,8 @@ static struct chipset early_qrk[] __initdata = {
PCI_CLASS_SERIAL_SMBUS, PCI_ANY_ID, 0, ati_bugs_contd },
{ PCI_VENDOR_ID_INTEL, 0x3403, PCI_CLASS_BRIDGE_HOST,
PCI_BASE_CLASS_BRIDGE, 0, intel_remapping_check },
+ { PCI_VENDOR_ID_INTEL, 0x3405, PCI_CLASS_BRIDGE_HOST,
+ PCI_BASE_CLASS_BRIDGE, 0, intel_remapping_check },
{ PCI_VENDOR_ID_INTEL, 0x3406, PCI_CLASS_BRIDGE_HOST,
PCI_BASE_CLASS_BRIDGE, 0, intel_remapping_check },
{}
diff --git a/arch/x86/kernel/i387.c b/arch/x86/kernel/i387.c
index f250431..6c5a7dc 100644
--- a/arch/x86/kernel/i387.c
+++ b/arch/x86/kernel/i387.c
@@ -132,7 +132,7 @@ static void __cpuinit mxcsr_feature_mask_init(void)
clts();
if (cpu_has_fxsr) {
memset(&fx_scratch, 0, sizeof(struct
i387_fxsave_struct));
- asm volatile("fxsave %0" : : "m" (fx_scratch));
+ asm volatile("fxsave %0" : "+m" (fx_scratch));
mask = fx_scratch.mxcsr_mask;
if (mask == 0)
mask = 0x0000ffbf;
diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
index b4d3c39..2145c1b 100644
--- a/arch/x86/kernel/sys_x86_64.c
+++ b/arch/x86/kernel/sys_x86_64.c
@@ -115,7 +115,7 @@ static void find_start_end(unsigned long flags,
unsigned long *begin, *begin = new_begin;
}
} else {
- *begin = TASK_UNMAPPED_BASE;
+ *begin = mmap_legacy_base();
*end = TASK_SIZE;
}
}
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 845df68..c1af323 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -98,7 +98,7 @@ static unsigned long mmap_base(void)
* Bottom-up (legacy) layout on X86_32 did not support randomization,
X86_64
* does, but not when emulating X86_32
*/
-static unsigned long mmap_legacy_base(void)
+unsigned long mmap_legacy_base(void)
{
if (mmap_is_ia32())
return TASK_UNMAPPED_BASE;
diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
index e2d62d6..8cf7449 100644
--- a/arch/x86/xen/setup.c
+++ b/arch/x86/xen/setup.c
@@ -313,6 +313,17 @@ static void xen_align_and_add_e820_region(u64
start, u64 size, int type) e820_add_region(start, end - start, type);
}
+void xen_ignore_unusable(struct e820entry *list, size_t map_size)
+{
+ struct e820entry *entry;
+ unsigned int i;
+
+ for (i = 0, entry = list; i < map_size; i++, entry++) {
+ if (entry->type == E820_UNUSABLE)
+ entry->type = E820_RAM;
+ }
+}
+
/**
* machine_specific_memory_setup - Hook for machine specific memory
setup. **/
@@ -353,6 +364,17 @@ char * __init xen_memory_setup(void)
}
BUG_ON(rc);
+ /*
+ * Xen won't allow a 1:1 mapping to be created to UNUSABLE
+ * regions, so if we're using the machine memory map leave the
+ * region as RAM as it is in the pseudo-physical map.
+ *
+ * UNUSABLE regions in domUs are not handled and will need
+ * a patch in the future.
+ */
+ if (xen_initial_domain())
+ xen_ignore_unusable(map, memmap.nr_entries);
+
/* Make sure the Xen-supplied memory map is well-ordered. */
sanitize_e820_map(map, memmap.nr_entries, &memmap.nr_entries);
diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
index 76bce6e..72701ac 100644
--- a/arch/x86/xen/smp.c
+++ b/arch/x86/xen/smp.c
@@ -663,8 +663,15 @@ static void __init
xen_hvm_smp_prepare_cpus(unsigned int max_cpus) static int __cpuinit
xen_hvm_cpu_up(unsigned int cpu, struct task_struct *tidle) {
int rc;
- rc = native_cpu_up(cpu, tidle);
- WARN_ON (xen_smp_intr_init(cpu));
+ /*
+ * xen_smp_intr_init() needs to run before native_cpu_up()
+ * so that IPI vectors are set up on the booting CPU before
+ * it is marked online in native_cpu_up().
+ */
+ rc = xen_smp_intr_init(cpu);
+ WARN_ON(rc);
+ if (!rc)
+ rc = native_cpu_up(cpu, tidle);
return rc;
}
diff --git a/block/cfq-iosched.c b/block/cfq-iosched.c
index fb52df9..1bde45f 100644
--- a/block/cfq-iosched.c
+++ b/block/cfq-iosched.c
@@ -3959,18 +3959,28 @@ static void cfq_exit_queue(struct
elevator_queue *e) kfree(cfqd);
}
-static int cfq_init_queue(struct request_queue *q)
+static int cfq_init_queue(struct request_queue *q, struct
elevator_type *e) {
struct cfq_data *cfqd;
struct blkcg_gq *blkg __maybe_unused;
int i, ret;
+ struct elevator_queue *eq;
+
+ eq = elevator_alloc(q, e);
+ if (!eq)
+ return -ENOMEM;
cfqd = kmalloc_node(sizeof(*cfqd), GFP_KERNEL | __GFP_ZERO,
q->node);
- if (!cfqd)
+ if (!cfqd) {
+ kobject_put(&eq->kobj);
return -ENOMEM;
+ }
+ eq->elevator_data = cfqd;
cfqd->queue = q;
- q->elevator->elevator_data = cfqd;
+ spin_lock_irq(q->queue_lock);
+ q->elevator = eq;
+ spin_unlock_irq(q->queue_lock);
/* Init root service tree */
cfqd->grp_service_tree = CFQ_RB_ROOT;
@@ -4044,6 +4054,7 @@ static int cfq_init_queue(struct request_queue *q)
out_free:
kfree(cfqd);
+ kobject_put(&eq->kobj);
return ret;
}
diff --git a/block/deadline-iosched.c b/block/deadline-iosched.c
index 599b12e..20a1efc 100644
--- a/block/deadline-iosched.c
+++ b/block/deadline-iosched.c
@@ -337,13 +337,21 @@ static void deadline_exit_queue(struct
elevator_queue *e) /*
* initialize elevator private data (deadline_data).
*/
-static int deadline_init_queue(struct request_queue *q)
+static int deadline_init_queue(struct request_queue *q, struct
elevator_type *e) {
struct deadline_data *dd;
+ struct elevator_queue *eq;
+
+ eq = elevator_alloc(q, e);
+ if (!eq)
+ return -ENOMEM;
dd = kmalloc_node(sizeof(*dd), GFP_KERNEL | __GFP_ZERO,
q->node);
- if (!dd)
+ if (!dd) {
+ kobject_put(&eq->kobj);
return -ENOMEM;
+ }
+ eq->elevator_data = dd;
INIT_LIST_HEAD(&dd->fifo_list[READ]);
INIT_LIST_HEAD(&dd->fifo_list[WRITE]);
@@ -355,7 +363,9 @@ static int deadline_init_queue(struct request_queue
*q) dd->front_merges = 1;
dd->fifo_batch = fifo_batch;
- q->elevator->elevator_data = dd;
+ spin_lock_irq(q->queue_lock);
+ q->elevator = eq;
+ spin_unlock_irq(q->queue_lock);
return 0;
}
diff --git a/block/elevator.c b/block/elevator.c
index 6a55d41..ac6316c 100644
--- a/block/elevator.c
+++ b/block/elevator.c
@@ -138,7 +138,7 @@ __setup("elevator=", elevator_setup);
static struct kobj_type elv_ktype;
-static struct elevator_queue *elevator_alloc(struct request_queue *q,
+struct elevator_queue *elevator_alloc(struct request_queue *q,
struct elevator_type *e)
{
struct elevator_queue *eq;
@@ -166,6 +166,7 @@ err:
elevator_put(e);
return NULL;
}
+EXPORT_SYMBOL(elevator_alloc);
static void elevator_release(struct kobject *kobj)
{
@@ -213,16 +214,7 @@ int elevator_init(struct request_queue *q, char
*name) }
}
- q->elevator = elevator_alloc(q, e);
- if (!q->elevator)
- return -ENOMEM;
-
- err = e->ops.elevator_init_fn(q);
- if (err) {
- kobject_put(&q->elevator->kobj);
- return err;
- }
-
+ err = e->ops.elevator_init_fn(q, e);
return 0;
}
EXPORT_SYMBOL(elevator_init);
@@ -897,16 +889,9 @@ static int elevator_switch(struct request_queue
*q, struct elevator_type *new_e) spin_unlock_irq(q->queue_lock);
/* allocate, init and register new elevator */
- err = -ENOMEM;
- q->elevator = elevator_alloc(q, new_e);
- if (!q->elevator)
- goto fail_init;
-
- err = new_e->ops.elevator_init_fn(q);
- if (err) {
- kobject_put(&q->elevator->kobj);
+ err = new_e->ops.elevator_init_fn(q, new_e);
+ if (err)
goto fail_init;
- }
if (registered) {
err = elv_register_queue(q);
diff --git a/block/noop-iosched.c b/block/noop-iosched.c
index 5d1bf70..3de89d4 100644
--- a/block/noop-iosched.c
+++ b/block/noop-iosched.c
@@ -59,16 +59,27 @@ noop_latter_request(struct request_queue *q, struct
request *rq) return list_entry(rq->queuelist.next, struct request,
queuelist); }
-static int noop_init_queue(struct request_queue *q)
+static int noop_init_queue(struct request_queue *q, struct
elevator_type *e) {
struct noop_data *nd;
+ struct elevator_queue *eq;
+
+ eq = elevator_alloc(q, e);
+ if (!eq)
+ return -ENOMEM;
nd = kmalloc_node(sizeof(*nd), GFP_KERNEL, q->node);
- if (!nd)
+ if (!nd) {
+ kobject_put(&eq->kobj);
return -ENOMEM;
+ }
+ eq->elevator_data = nd;
INIT_LIST_HEAD(&nd->queue);
- q->elevator->elevator_data = nd;
+
+ spin_lock_irq(q->queue_lock);
+ q->elevator = eq;
+ spin_unlock_irq(q->queue_lock);
return 0;
}
diff --git a/drivers/acpi/acpi_memhotplug.c
b/drivers/acpi/acpi_memhotplug.c index 24c807f..f16ffd4 100644
--- a/drivers/acpi/acpi_memhotplug.c
+++ b/drivers/acpi/acpi_memhotplug.c
@@ -442,6 +442,7 @@ static int acpi_memory_device_add(struct
acpi_device *device) /* Get the range from the _CRS */
result = acpi_memory_get_device_resources(mem_device);
if (result) {
+ device->driver_data = NULL;
kfree(mem_device);
return result;
}
diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
index 7efaeaa..7663df7 100644
--- a/drivers/acpi/battery.c
+++ b/drivers/acpi/battery.c
@@ -117,6 +117,7 @@ struct acpi_battery {
struct acpi_device *device;
struct notifier_block pm_nb;
unsigned long update_time;
+ int revision;
int rate_now;
int capacity_now;
int voltage_now;
@@ -359,6 +360,7 @@ static struct acpi_offsets info_offsets[] = {
};
static struct acpi_offsets extended_info_offsets[] = {
+ {offsetof(struct acpi_battery, revision), 0},
{offsetof(struct acpi_battery, power_unit), 0},
{offsetof(struct acpi_battery, design_capacity), 0},
{offsetof(struct acpi_battery, full_charge_capacity), 0},
diff --git a/drivers/acpi/glue.c b/drivers/acpi/glue.c
index 6eff12f..a166b9d 100644
--- a/drivers/acpi/glue.c
+++ b/drivers/acpi/glue.c
@@ -91,13 +91,15 @@ static int acpi_find_bridge_device(struct device
*dev, acpi_handle * handle) static acpi_status
do_acpi_find_child(acpi_handle handle, u32 lvl_not_used, void *addr_p,
void **ret_p) {
- unsigned long long addr;
+ unsigned long long addr, sta;
acpi_status status;
status = acpi_evaluate_integer(handle, METHOD_NAME__ADR, NULL,
&addr); if (ACPI_SUCCESS(status) && addr == *((u64 *)addr_p)) {
*ret_p = handle;
- return AE_CTRL_TERMINATE;
+ status = acpi_bus_get_status_handle(handle, &sta);
+ if (ACPI_SUCCESS(status) && (sta &
ACPI_STA_DEVICE_ENABLED))
+ return AE_CTRL_TERMINATE;
}
return AE_OK;
}
diff --git a/drivers/ata/Kconfig b/drivers/ata/Kconfig
index 27cecd3..79ba92e 100644
--- a/drivers/ata/Kconfig
+++ b/drivers/ata/Kconfig
@@ -93,7 +93,7 @@ config SATA_FSL
If unsure, say N.
config SATA_INIC162X
- tristate "Initio 162x SATA support"
+ tristate "Initio 162x SATA support (Very Experimental)"
depends on PCI
help
This option enables support for Initio 162x Serial ATA.
diff --git a/drivers/ata/ata_piix.c b/drivers/ata/ata_piix.c
index 80c44c30..1cecf06 100644
--- a/drivers/ata/ata_piix.c
+++ b/drivers/ata/ata_piix.c
@@ -344,6 +344,8 @@ static const struct pci_device_id piix_pci_tbl[] = {
/* SATA Controller IDE (BayTrail) */
{ 0x8086, 0x0F20, PCI_ANY_ID, PCI_ANY_ID, 0, 0,
ich8_2port_sata_byt }, { 0x8086, 0x0F21, PCI_ANY_ID, PCI_ANY_ID, 0, 0,
ich8_2port_sata_byt },
+ /* SATA Controller IDE (Coleto Creek) */
+ { 0x8086, 0x23a6, PCI_ANY_ID, PCI_ANY_ID, 0, 0,
ich8_2port_sata }, { } /* terminate list */
};
diff --git a/drivers/ata/libata-pmp.c b/drivers/ata/libata-pmp.c
index 61c59ee..20fd337 100644
--- a/drivers/ata/libata-pmp.c
+++ b/drivers/ata/libata-pmp.c
@@ -289,24 +289,24 @@ static int sata_pmp_configure(struct ata_device
*dev, int print_info)
/* Disable sending Early R_OK.
* With "cached read" HDD testing and multiple ports busy on a
SATA
- * host controller, 3726 PMP will very rarely drop a deferred
+ * host controller, 3x26 PMP will very rarely drop a deferred
* R_OK that was intended for the host. Symptom will be all
* 5 drives under test will timeout, get reset, and recover.
*/
- if (vendor == 0x1095 && devid == 0x3726) {
+ if (vendor == 0x1095 && (devid == 0x3726 || devid == 0x3826)) {
u32 reg;
err_mask = sata_pmp_read(&ap->link, PMP_GSCR_SII_POL,
®); if (err_mask) {
rc = -EIO;
- reason = "failed to read Sil3726 Private
Register";
+ reason = "failed to read Sil3x26 Private
Register"; goto fail;
}
reg &= ~0x1;
err_mask = sata_pmp_write(&ap->link, PMP_GSCR_SII_POL,
reg); if (err_mask) {
rc = -EIO;
- reason = "failed to write Sil3726 Private
Register";
+ reason = "failed to write Sil3x26 Private
Register"; goto fail;
}
}
@@ -383,15 +383,19 @@ static void sata_pmp_quirks(struct ata_port *ap)
u16 devid = sata_pmp_gscr_devid(gscr);
struct ata_link *link;
- if (vendor == 0x1095 && devid == 0x3726) {
- /* sil3726 quirks */
+ if (vendor == 0x1095 && (devid == 0x3726 || devid == 0x3826)) {
+ /* sil3x26 quirks */
ata_for_each_link(link, ap, EDGE) {
/* link reports offline after LPM */
link->flags |= ATA_LFLAG_NO_LPM;
- /* Class code report is unreliable. */
+ /*
+ * Class code report is unreliable and SRST
times
+ * out under certain configurations.
+ */
if (link->pmp < 5)
- link->flags |= ATA_LFLAG_ASSUME_ATA;
+ link->flags |= ATA_LFLAG_NO_SRST |
+ ATA_LFLAG_ASSUME_ATA;
/* port 5 is for SEMB device and it doesn't
like SRST */ if (link->pmp == 5)
@@ -399,20 +403,17 @@ static void sata_pmp_quirks(struct ata_port *ap)
ATA_LFLAG_ASSUME_SEMB;
}
} else if (vendor == 0x1095 && devid == 0x4723) {
- /* sil4723 quirks */
- ata_for_each_link(link, ap, EDGE) {
- /* link reports offline after LPM */
- link->flags |= ATA_LFLAG_NO_LPM;
-
- /* class code report is unreliable */
- if (link->pmp < 2)
- link->flags |= ATA_LFLAG_ASSUME_ATA;
-
- /* the config device at port 2 locks up on
SRST */
- if (link->pmp == 2)
- link->flags |= ATA_LFLAG_NO_SRST |
- ATA_LFLAG_ASSUME_ATA;
- }
+ /*
+ * sil4723 quirks
+ *
+ * Link reports offline after LPM. Class code report
is
+ * unreliable. SIMG PMPs never got SRST reliable and
the
+ * config device at port 2 locks up on SRST.
+ */
+ ata_for_each_link(link, ap, EDGE)
+ link->flags |= ATA_LFLAG_NO_LPM |
+ ATA_LFLAG_NO_SRST |
+ ATA_LFLAG_ASSUME_ATA;
} else if (vendor == 0x1095 && devid == 0x4726) {
/* sil4726 quirks */
ata_for_each_link(link, ap, EDGE) {
diff --git a/drivers/ata/sata_fsl.c b/drivers/ata/sata_fsl.c
index d6577b9..a3f0bbd 100644
--- a/drivers/ata/sata_fsl.c
+++ b/drivers/ata/sata_fsl.c
@@ -290,6 +290,7 @@ static void fsl_sata_set_irq_coalescing(struct
ata_host *host, {
struct sata_fsl_host_priv *host_priv = host->private_data;
void __iomem *hcr_base = host_priv->hcr_base;
+ unsigned long flags;
if (count > ICC_MAX_INT_COUNT_THRESHOLD)
count = ICC_MAX_INT_COUNT_THRESHOLD;
@@ -302,12 +303,12 @@ static void fsl_sata_set_irq_coalescing(struct
ata_host *host, (count > ICC_MIN_INT_COUNT_THRESHOLD))
ticks = ICC_SAFE_INT_TICKS;
- spin_lock(&host->lock);
+ spin_lock_irqsave(&host->lock, flags);
iowrite32((count << 24 | ticks), hcr_base + ICC);
intr_coalescing_count = count;
intr_coalescing_ticks = ticks;
- spin_unlock(&host->lock);
+ spin_unlock_irqrestore(&host->lock, flags);
DPRINTK("intrrupt coalescing, count = 0x%x, ticks = %x\n",
intr_coalescing_count, intr_coalescing_ticks);
diff --git a/drivers/ata/sata_inic162x.c b/drivers/ata/sata_inic162x.c
index dc35f4d..4d238c8 100644
--- a/drivers/ata/sata_inic162x.c
+++ b/drivers/ata/sata_inic162x.c
@@ -6,6 +6,18 @@
*
* This file is released under GPL v2.
*
+ * **** WARNING ****
+ *
+ * This driver never worked properly and unfortunately data corruption
is
+ * relatively common. There isn't anyone working on the driver and
there's
+ * no support from the vendor. Do not use this driver in any
production
+ * environment.
+ *
+ *
http://thread.gmane.org/gmane.linux.debian.devel.bugs.rc/378525/focus=54491
+ * https://bugzilla.kernel.org/show_bug.cgi?id=60565
+ *
+ * *****************
+ *
* This controller is eccentric and easily locks up if something isn't
* right. Documentation is available at initio's website but it only
* documents registers (not programming model).
@@ -809,6 +821,8 @@ static int inic_init_one(struct pci_dev *pdev,
const struct pci_device_id *ent)
ata_print_version_once(&pdev->dev, DRV_VERSION);
+ dev_alert(&pdev->dev, "inic162x support is broken with common
data corruption issues and will be disabled by default, contact
linux-ide@vger.kernel.org if in production use\n"); + /* alloc host */
host = ata_host_alloc_pinfo(&pdev->dev, ppi, NR_PORTS);
hpriv = devm_kzalloc(&pdev->dev, sizeof(*hpriv), GFP_KERNEL);
diff --git a/drivers/base/memory.c b/drivers/base/memory.c
index 7dda4f7..d63a06b 100644
--- a/drivers/base/memory.c
+++ b/drivers/base/memory.c
@@ -154,6 +154,8 @@ static ssize_t show_mem_removable(struct device
*dev, container_of(dev, struct memory_block, dev);
for (i = 0; i < sections_per_block; i++) {
+ if (!present_section_nr(mem->start_section_nr + i))
+ continue;
pfn = section_nr_to_pfn(mem->start_section_nr + i);
ret &= is_mem_section_removable(pfn,
PAGES_PER_SECTION); }
diff --git a/drivers/block/xen-blkback/blkback.c
b/drivers/block/xen-blkback/blkback.c index 4fd1dea..4ed7bf9 100644
--- a/drivers/block/xen-blkback/blkback.c
+++ b/drivers/block/xen-blkback/blkback.c
@@ -399,7 +399,18 @@ static int dispatch_discard_io(struct xen_blkif
*blkif, int status = BLKIF_RSP_OKAY;
struct block_device *bdev = blkif->vbd.bdev;
unsigned long secure;
+ struct phys_req preq;
+
+ preq.sector_number = req->u.discard.sector_number;
+ preq.nr_sects = req->u.discard.nr_sectors;
+ err = xen_vbd_translate(&preq, blkif, WRITE);
+ if (err) {
+ pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu]
on dev=%04x\n",
+ preq.sector_number,
+ preq.sector_number + preq.nr_sects,
blkif->vbd.pdevice);
+ goto fail_response;
+ }
blkif->st_ds_req++;
xen_blkif_get(blkif);
@@ -410,7 +421,7 @@ static int dispatch_discard_io(struct xen_blkif
*blkif, err = blkdev_issue_discard(bdev, req->u.discard.sector_number,
req->u.discard.nr_sectors,
GFP_KERNEL, secure);
-
+fail_response:
if (err == -EOPNOTSUPP) {
pr_debug(DRV_PFX "discard op failed, not supported\n");
status = BLKIF_RSP_EOPNOTSUPP;
diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
index b0395b0..e224a48 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -176,24 +176,44 @@ error:
static int ath3k_get_state(struct usb_device *udev, unsigned char
*state) {
- int pipe = 0;
+ int ret, pipe = 0;
+ char *buf;
+
+ buf = kmalloc(sizeof(*buf), GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
pipe = usb_rcvctrlpipe(udev, 0);
- return usb_control_msg(udev, pipe, ATH3K_GETSTATE,
- USB_TYPE_VENDOR | USB_DIR_IN, 0, 0,
- state, 0x01, USB_CTRL_SET_TIMEOUT);
+ ret = usb_control_msg(udev, pipe, ATH3K_GETSTATE,
+ USB_TYPE_VENDOR | USB_DIR_IN, 0, 0,
+ buf, sizeof(*buf), USB_CTRL_SET_TIMEOUT);
+
+ *state = *buf;
+ kfree(buf);
+
+ return ret;
}
static int ath3k_get_version(struct usb_device *udev,
struct ath3k_version *version)
{
- int pipe = 0;
+ int ret, pipe = 0;
+ struct ath3k_version *buf;
+ const int size = sizeof(*buf);
+
+ buf = kmalloc(size, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
pipe = usb_rcvctrlpipe(udev, 0);
- return usb_control_msg(udev, pipe, ATH3K_GETVERSION,
- USB_TYPE_VENDOR | USB_DIR_IN, 0, 0, version,
- sizeof(struct ath3k_version),
- USB_CTRL_SET_TIMEOUT);
+ ret = usb_control_msg(udev, pipe, ATH3K_GETVERSION,
+ USB_TYPE_VENDOR | USB_DIR_IN, 0, 0,
+ buf, size, USB_CTRL_SET_TIMEOUT);
+
+ memcpy(version, buf, size);
+ kfree(buf);
+
+ return ret;
}
static int ath3k_load_fwfile(struct usb_device *udev,
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 30ac56b..2d139a6 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -55,6 +55,9 @@ static struct usb_device_id btusb_table[] = {
/* Apple-specific (Broadcom) devices */
{ USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) },
+ /* MediaTek MT76x0E */
+ { USB_DEVICE(0x0e8d, 0x763f) },
+
/* Broadcom SoftSailing reporting vendor specific */
{ USB_DEVICE(0x0a5c, 0x21e1) },
diff --git a/drivers/char/virtio_console.c
b/drivers/char/virtio_console.c index d2f7eb0..edb2ecb 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -257,9 +257,12 @@ static struct port
*find_port_by_devt_in_portdev(struct ports_device *portdev, unsigned
long flags;
spin_lock_irqsave(&portdev->ports_lock, flags);
- list_for_each_entry(port, &portdev->ports, list)
- if (port->cdev->dev == dev)
+ list_for_each_entry(port, &portdev->ports, list) {
+ if (port->cdev->dev == dev) {
+ kref_get(&port->kref);
goto out;
+ }
+ }
port = NULL;
out:
spin_unlock_irqrestore(&portdev->ports_lock, flags);
@@ -634,6 +637,10 @@ static ssize_t port_fops_read(struct file *filp,
char __user *ubuf,
port = filp->private_data;
+ /* Port is hot-unplugged. */
+ if (!port->guest_connected)
+ return -ENODEV;
+
if (!port_has_data(port)) {
/*
* If nothing's connected on the host just return 0 in
@@ -650,7 +657,7 @@ static ssize_t port_fops_read(struct file *filp,
char __user *ubuf, if (ret < 0)
return ret;
}
- /* Port got hot-unplugged. */
+ /* Port got hot-unplugged while we were waiting above. */
if (!port->guest_connected)
return -ENODEV;
/*
@@ -793,14 +800,14 @@ static int port_fops_open(struct inode *inode,
struct file *filp) struct port *port;
int ret;
+ /* We get the port with a kref here */
port = find_port_by_devt(cdev->dev);
+ if (!port) {
+ /* Port was unplugged before we could proceed */
+ return -ENXIO;
+ }
filp->private_data = port;
- /* Prevent against a port getting hot-unplugged at the same
time */
- spin_lock_irq(&port->portdev->ports_lock);
- kref_get(&port->kref);
- spin_unlock_irq(&port->portdev->ports_lock);
-
/*
* Don't allow opening of console port devices -- that's done
* via /dev/hvc
@@ -1258,14 +1265,6 @@ static void remove_port(struct kref *kref)
port = container_of(kref, struct port, kref);
- sysfs_remove_group(&port->dev->kobj, &port_attribute_group);
- device_destroy(pdrvdata.class, port->dev->devt);
- cdev_del(port->cdev);
-
- kfree(port->name);
-
- debugfs_remove(port->debugfs_file);
-
kfree(port);
}
@@ -1295,12 +1294,14 @@ static void unplug_port(struct port *port)
spin_unlock_irq(&port->portdev->ports_lock);
if (port->guest_connected) {
+ /* Let the app know the port is going down. */
+ send_sigio_to_port(port);
+
+ /* Do this after sigio is actually sent */
port->guest_connected = false;
port->host_connected = false;
- wake_up_interruptible(&port->waitqueue);
- /* Let the app know the port is going down. */
- send_sigio_to_port(port);
+ wake_up_interruptible(&port->waitqueue);
}
if (is_console_port(port)) {
@@ -1319,6 +1320,14 @@ static void unplug_port(struct port *port)
*/
port->portdev = NULL;
+ sysfs_remove_group(&port->dev->kobj, &port_attribute_group);
+ device_destroy(pdrvdata.class, port->dev->devt);
+ cdev_del(port->cdev);
+
+ kfree(port->name);
+
+ debugfs_remove(port->debugfs_file);
+
/*
* Locks around here are not necessary - a port can't be
* opened after we removed the port struct from ports_list
diff --git a/drivers/clocksource/dw_apb_timer_of.c
b/drivers/clocksource/dw_apb_timer_of.c index f7dba5b..929e7ce 100644
--- a/drivers/clocksource/dw_apb_timer_of.c
+++ b/drivers/clocksource/dw_apb_timer_of.c
@@ -44,7 +44,7 @@ static void add_clockevent(struct device_node
*event_timer) u32 irq, rate;
irq = irq_of_parse_and_map(event_timer, 0);
- if (irq == NO_IRQ)
+ if (irq == 0)
panic("No IRQ for clock event timer");
timer_get_base_and_rate(event_timer, &iobase, &rate);
diff --git a/drivers/gpu/drm/ast/ast_ttm.c
b/drivers/gpu/drm/ast/ast_ttm.c index 2a6027c..566934c 100644
--- a/drivers/gpu/drm/ast/ast_ttm.c
+++ b/drivers/gpu/drm/ast/ast_ttm.c
@@ -348,6 +348,7 @@ int ast_bo_create(struct drm_device *dev, int size,
int align,
astbo->gem.driver_private = NULL;
astbo->bo.bdev = &ast->ttm.bdev;
+ astbo->bo.bdev->dev_mapping = dev->dev_mapping;
ast_ttm_placement(astbo, TTM_PL_FLAG_VRAM |
TTM_PL_FLAG_SYSTEM);
diff --git a/drivers/gpu/drm/cirrus/cirrus_ttm.c
b/drivers/gpu/drm/cirrus/cirrus_ttm.c index d4b1b1d..d57bcc8 100644
--- a/drivers/gpu/drm/cirrus/cirrus_ttm.c
+++ b/drivers/gpu/drm/cirrus/cirrus_ttm.c
@@ -353,6 +353,7 @@ int cirrus_bo_create(struct drm_device *dev, int
size, int align,
cirrusbo->gem.driver_private = NULL;
cirrusbo->bo.bdev = &cirrus->ttm.bdev;
+ cirrusbo->bo.bdev->dev_mapping = dev->dev_mapping;
cirrus_ttm_placement(cirrusbo, TTM_PL_FLAG_VRAM |
TTM_PL_FLAG_SYSTEM);
diff --git a/drivers/gpu/drm/i915/i915_dma.c
b/drivers/gpu/drm/i915/i915_dma.c index 0969a7c..4c6e9dd 100644
--- a/drivers/gpu/drm/i915/i915_dma.c
+++ b/drivers/gpu/drm/i915/i915_dma.c
@@ -1465,6 +1465,11 @@ int i915_driver_load(struct drm_device *dev,
unsigned long flags) dev_priv->dev = dev;
dev_priv->info = info;
+ spin_lock_init(&dev_priv->irq_lock);
+ spin_lock_init(&dev_priv->error_lock);
+ spin_lock_init(&dev_priv->rps_lock);
+ spin_lock_init(&dev_priv->dpio_lock);
+
if (i915_get_bridge_dev(dev)) {
ret = -EIO;
goto free_priv;
@@ -1585,11 +1590,6 @@ int i915_driver_load(struct drm_device *dev,
unsigned long flags) if (!IS_I945G(dev) && !IS_I945GM(dev))
pci_enable_msi(dev->pdev);
- spin_lock_init(&dev_priv->irq_lock);
- spin_lock_init(&dev_priv->error_lock);
- spin_lock_init(&dev_priv->rps_lock);
- spin_lock_init(&dev_priv->dpio_lock);
-
if (IS_IVYBRIDGE(dev) || IS_HASWELL(dev))
dev_priv->num_pipe = 3;
else if (IS_MOBILE(dev) || !IS_GEN2(dev))
diff --git a/drivers/gpu/drm/i915/i915_reg.h
b/drivers/gpu/drm/i915/i915_reg.h index 3814aa3..9d37a9d 100644
--- a/drivers/gpu/drm/i915/i915_reg.h
+++ b/drivers/gpu/drm/i915/i915_reg.h
@@ -575,6 +575,8 @@
will not assert AGPBUSY# and
will only be delivered when out of C3. */
#define INSTPM_FORCE_ORDERING
(1<<7) /* GEN6+ */ +#define INSTPM_TLB_INVALIDATE (1<<9)
+#define INSTPM_SYNC_FLUSH (1<<5)
#define ACTHD 0x020c8
#define FW_BLC 0x020d8
#define FW_BLC2 0x020dc
@@ -4074,7 +4076,7 @@
#define EDP_LINK_TRAIN_600MV_0DB_IVB (0x30 <<22)
#define EDP_LINK_TRAIN_600MV_3_5DB_IVB (0x36 <<22)
#define EDP_LINK_TRAIN_800MV_0DB_IVB (0x38 <<22)
-#define EDP_LINK_TRAIN_800MV_3_5DB_IVB (0x33 <<22)
+#define EDP_LINK_TRAIN_800MV_3_5DB_IVB (0x3e <<22)
/* legacy values */
#define EDP_LINK_TRAIN_500MV_0DB_IVB (0x00 <<22)
diff --git a/drivers/gpu/drm/i915/intel_ringbuffer.c
b/drivers/gpu/drm/i915/intel_ringbuffer.c index e2a73b3..77ee475 100644
--- a/drivers/gpu/drm/i915/intel_ringbuffer.c
+++ b/drivers/gpu/drm/i915/intel_ringbuffer.c
@@ -793,6 +793,18 @@ void intel_ring_setup_status_page(struct
intel_ring_buffer *ring)
I915_WRITE(mmio, (u32)ring->status_page.gfx_addr);
POSTING_READ(mmio);
+
+ /* Flush the TLB for this page */
+ if (INTEL_INFO(dev)->gen >= 6) {
+ u32 reg = RING_INSTPM(ring->mmio_base);
+ I915_WRITE(reg,
+ _MASKED_BIT_ENABLE(INSTPM_TLB_INVALIDATE |
+ INSTPM_SYNC_FLUSH));
+ if (wait_for((I915_READ(reg) & INSTPM_SYNC_FLUSH) == 0,
+ 1000))
+ DRM_ERROR("%s: wait for SyncFlush to complete
for TLB invalidation timed out\n",
+ ring->name);
+ }
}
static int
diff --git a/drivers/gpu/drm/mgag200/mgag200_ttm.c
b/drivers/gpu/drm/mgag200/mgag200_ttm.c index a707394..95b5377 100644
--- a/drivers/gpu/drm/mgag200/mgag200_ttm.c
+++ b/drivers/gpu/drm/mgag200/mgag200_ttm.c
@@ -347,6 +347,7 @@ int mgag200_bo_create(struct drm_device *dev, int
size, int align,
mgabo->gem.driver_private = NULL;
mgabo->bo.bdev = &mdev->ttm.bdev;
+ mgabo->bo.bdev->dev_mapping = dev->dev_mapping;
mgag200_ttm_placement(mgabo, TTM_PL_FLAG_VRAM |
TTM_PL_FLAG_SYSTEM);
diff --git a/drivers/gpu/drm/radeon/atom.c
b/drivers/gpu/drm/radeon/atom.c index 43672b6..daa1e34 100644
--- a/drivers/gpu/drm/radeon/atom.c
+++ b/drivers/gpu/drm/radeon/atom.c
@@ -1222,12 +1222,17 @@ int atom_execute_table(struct atom_context
*ctx, int index, uint32_t * params) int r;
mutex_lock(&ctx->mutex);
+ /* reset data block */
+ ctx->data_block = 0;
/* reset reg block */
ctx->reg_block = 0;
/* reset fb window */
ctx->fb_base = 0;
/* reset io mode */
ctx->io_mode = ATOM_IO_MM;
+ /* reset divmul */
+ ctx->divmul[0] = 0;
+ ctx->divmul[1] = 0;
r = atom_execute_table_locked(ctx, index, params);
mutex_unlock(&ctx->mutex);
return r;
diff --git a/drivers/gpu/drm/radeon/atombios_dp.c
b/drivers/gpu/drm/radeon/atombios_dp.c index 3623b98..a0b5e1e 100644
--- a/drivers/gpu/drm/radeon/atombios_dp.c
+++ b/drivers/gpu/drm/radeon/atombios_dp.c
@@ -45,6 +45,41 @@ static char *pre_emph_names[] = {
};
/***** radeon AUX functions *****/
+
+/* Atom needs data in little endian format
+ * so swap as appropriate when copying data to
+ * or from atom. Note that atom operates on
+ * dw units.
+ */
+static void radeon_copy_swap(u8 *dst, u8 *src, u8 num_bytes, bool
to_le) +{
+#ifdef __BIG_ENDIAN
+ u8 src_tmp[20], dst_tmp[20]; /* used for byteswapping */
+ u32 *dst32, *src32;
+ int i;
+
+ memcpy(src_tmp, src, num_bytes);
+ src32 = (u32 *)src_tmp;
+ dst32 = (u32 *)dst_tmp;
+ if (to_le) {
+ for (i = 0; i < ((num_bytes + 3) / 4); i++)
+ dst32[i] = cpu_to_le32(src32[i]);
+ memcpy(dst, dst_tmp, num_bytes);
+ } else {
+ u8 dws = num_bytes & ~3;
+ for (i = 0; i < ((num_bytes + 3) / 4); i++)
+ dst32[i] = le32_to_cpu(src32[i]);
+ memcpy(dst, dst_tmp, dws);
+ if (num_bytes % 4) {
+ for (i = 0; i < (num_bytes % 4); i++)
+ dst[dws+i] = dst_tmp[dws+i];
+ }
+ }
+#else
+ memcpy(dst, src, num_bytes);
+#endif
+}
+
union aux_channel_transaction {
PROCESS_AUX_CHANNEL_TRANSACTION_PS_ALLOCATION v1;
PROCESS_AUX_CHANNEL_TRANSACTION_PARAMETERS_V2 v2;
@@ -66,10 +101,10 @@ static int radeon_process_aux_ch(struct
radeon_i2c_chan *chan,
base = (unsigned char *)(rdev->mode_info.atom_context->scratch
+ 1);
- memcpy(base, send, send_bytes);
+ radeon_copy_swap(base, send, send_bytes, true);
- args.v1.lpAuxRequest = 0 + 4;
- args.v1.lpDataOut = 16 + 4;
+ args.v1.lpAuxRequest = cpu_to_le16((u16)(0 + 4));
+ args.v1.lpDataOut = cpu_to_le16((u16)(16 + 4));
args.v1.ucDataOutLen = 0;
args.v1.ucChannelID = chan->rec.i2c_id;
args.v1.ucDelay = delay / 10;
@@ -103,7 +138,7 @@ static int radeon_process_aux_ch(struct
radeon_i2c_chan *chan, recv_bytes = recv_size;
if (recv && recv_size)
- memcpy(recv, base + 16, recv_bytes);
+ radeon_copy_swap(recv, base + 16, recv_bytes, false);
return recv_bytes;
}
diff --git a/drivers/gpu/drm/radeon/radeon_combios.c
b/drivers/gpu/drm/radeon/radeon_combios.c index f75247d..9a762f9 100644
--- a/drivers/gpu/drm/radeon/radeon_combios.c
+++ b/drivers/gpu/drm/radeon/radeon_combios.c
@@ -147,7 +147,7 @@ static uint16_t combios_get_table_offset(struct
drm_device *dev, enum radeon_combios_table_offset table)
{
struct radeon_device *rdev = dev->dev_private;
- int rev;
+ int rev, size;
uint16_t offset = 0, check_offset;
if (!rdev->bios)
@@ -156,174 +156,106 @@ static uint16_t combios_get_table_offset(struct
drm_device *dev, switch (table) {
/* absolute offset tables */
case COMBIOS_ASIC_INIT_1_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0xc);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0xc;
break;
case COMBIOS_BIOS_SUPPORT_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x14);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x14;
break;
case COMBIOS_DAC_PROGRAMMING_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x2a);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x2a;
break;
case COMBIOS_MAX_COLOR_DEPTH_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x2c);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x2c;
break;
case COMBIOS_CRTC_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x2e);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x2e;
break;
case COMBIOS_PLL_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x30);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x30;
break;
case COMBIOS_TV_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x32);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x32;
break;
case COMBIOS_DFP_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x34);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x34;
break;
case COMBIOS_HW_CONFIG_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x36);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x36;
break;
case COMBIOS_MULTIMEDIA_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x38);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x38;
break;
case COMBIOS_TV_STD_PATCH_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x3e);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x3e;
break;
case COMBIOS_LCD_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x40);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x40;
break;
case COMBIOS_MOBILE_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x42);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x42;
break;
case COMBIOS_PLL_INIT_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x46);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x46;
break;
case COMBIOS_MEM_CONFIG_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x48);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x48;
break;
case COMBIOS_SAVE_MASK_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x4a);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x4a;
break;
case COMBIOS_HARDCODED_EDID_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x4c);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x4c;
break;
case COMBIOS_ASIC_INIT_2_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x4e);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x4e;
break;
case COMBIOS_CONNECTOR_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x50);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x50;
break;
case COMBIOS_DYN_CLK_1_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x52);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x52;
break;
case COMBIOS_RESERVED_MEM_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x54);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x54;
break;
case COMBIOS_EXT_TMDS_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x58);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x58;
break;
case COMBIOS_MEM_CLK_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x5a);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x5a;
break;
case COMBIOS_EXT_DAC_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x5c);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x5c;
break;
case COMBIOS_MISC_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x5e);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x5e;
break;
case COMBIOS_CRT_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x60);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x60;
break;
case COMBIOS_INTEGRATED_SYSTEM_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x62);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x62;
break;
case COMBIOS_COMPONENT_VIDEO_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x64);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x64;
break;
case COMBIOS_FAN_SPEED_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x66);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x66;
break;
case COMBIOS_OVERDRIVE_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x68);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x68;
break;
case COMBIOS_OEM_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x6a);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x6a;
break;
case COMBIOS_DYN_CLK_2_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x6c);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x6c;
break;
case COMBIOS_POWER_CONNECTOR_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x6e);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x6e;
break;
case COMBIOS_I2C_INFO_TABLE:
- check_offset = RBIOS16(rdev->bios_header_start + 0x70);
- if (check_offset)
- offset = check_offset;
+ check_offset = 0x70;
break;
/* relative offset tables */
case COMBIOS_ASIC_INIT_3_TABLE: /* offset from misc
info */ @@ -439,11 +371,16 @@ static uint16_t
combios_get_table_offset(struct drm_device *dev, }
break;
default:
+ check_offset = 0;
break;
}
- return offset;
+ size = RBIOS8(rdev->bios_header_start + 0x6);
+ /* check absolute offset tables */
+ if (table < COMBIOS_ASIC_INIT_3_TABLE && check_offset &&
check_offset < size)
+ offset = RBIOS16(rdev->bios_header_start +
check_offset);
+ return offset;
}
bool radeon_combios_check_hardcoded_edid(struct radeon_device *rdev)
@@ -965,8 +902,10 @@ struct radeon_encoder_primary_dac
*radeon_combios_get_primary_dac_info(struct dac = RBIOS8(dac_info +
0x3) & 0xf; p_dac->ps2_pdac_adj = (bg << 8) | (dac);
}
- /* if the values are all zeros, use the table */
- if (p_dac->ps2_pdac_adj)
+ /* if the values are zeros, use the table */
+ if ((dac == 0) || (bg == 0))
+ found = 0;
+ else
found = 1;
}
diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c
b/drivers/gpu/drm/radeon/radeon_irq_kms.c index 443bd49..4bc6be5 100644
--- a/drivers/gpu/drm/radeon/radeon_irq_kms.c
+++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c
@@ -243,9 +243,6 @@ int radeon_irq_kms_init(struct radeon_device *rdev)
{
int r = 0;
- INIT_WORK(&rdev->hotplug_work, radeon_hotplug_work_func);
- INIT_WORK(&rdev->audio_work, r600_audio_update_hdmi);
-
spin_lock_init(&rdev->irq.lock);
r = drm_vblank_init(rdev->ddev, rdev->num_crtc);
if (r) {
@@ -267,6 +264,10 @@ int radeon_irq_kms_init(struct radeon_device *rdev)
rdev->irq.installed = false;
return r;
}
+
+ INIT_WORK(&rdev->hotplug_work, radeon_hotplug_work_func);
+ INIT_WORK(&rdev->audio_work, r600_audio_update_hdmi);
+
DRM_INFO("radeon: irq initialized.\n");
return 0;
}
@@ -286,8 +287,8 @@ void radeon_irq_kms_fini(struct radeon_device *rdev)
rdev->irq.installed = false;
if (rdev->msi_enabled)
pci_disable_msi(rdev->pdev);
+ flush_work_sync(&rdev->hotplug_work);
}
- flush_work_sync(&rdev->hotplug_work);
}
/**
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c
b/drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c index 21ee782..e1978a2 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c
@@ -29,7 +29,9 @@
#include "drmP.h"
#include "ttm/ttm_bo_driver.h"
-#define VMW_PPN_SIZE sizeof(unsigned long)
+#define VMW_PPN_SIZE (sizeof(unsigned long))
+/* A future safe maximum remap size. */
+#define VMW_PPN_PER_REMAP ((31 * 1024) / VMW_PPN_SIZE)
static int vmw_gmr2_bind(struct vmw_private *dev_priv,
struct page *pages[],
@@ -38,43 +40,61 @@ static int vmw_gmr2_bind(struct vmw_private
*dev_priv, {
SVGAFifoCmdDefineGMR2 define_cmd;
SVGAFifoCmdRemapGMR2 remap_cmd;
- uint32_t define_size = sizeof(define_cmd) + 4;
- uint32_t remap_size = VMW_PPN_SIZE * num_pages +
sizeof(remap_cmd) + 4; uint32_t *cmd;
uint32_t *cmd_orig;
+ uint32_t define_size = sizeof(define_cmd) + sizeof(*cmd);
+ uint32_t remap_num = num_pages / VMW_PPN_PER_REMAP +
((num_pages % VMW_PPN_PER_REMAP) > 0);
+ uint32_t remap_size = VMW_PPN_SIZE * num_pages +
(sizeof(remap_cmd) + sizeof(*cmd)) * remap_num;
+ uint32_t remap_pos = 0;
+ uint32_t cmd_size = define_size + remap_size;
uint32_t i;
- cmd_orig = cmd = vmw_fifo_reserve(dev_priv, define_size +
remap_size);
+ cmd_orig = cmd = vmw_fifo_reserve(dev_priv, cmd_size);
if (unlikely(cmd == NULL))
return -ENOMEM;
define_cmd.gmrId = gmr_id;
define_cmd.numPages = num_pages;
+ *cmd++ = SVGA_CMD_DEFINE_GMR2;
+ memcpy(cmd, &define_cmd, sizeof(define_cmd));
+ cmd += sizeof(define_cmd) / sizeof(*cmd);
+
+ /*
+ * Need to split the command if there are too many
+ * pages that goes into the gmr.
+ */
+
remap_cmd.gmrId = gmr_id;
remap_cmd.flags = (VMW_PPN_SIZE > sizeof(*cmd)) ?
SVGA_REMAP_GMR2_PPN64 : SVGA_REMAP_GMR2_PPN32;
- remap_cmd.offsetPages = 0;
- remap_cmd.numPages = num_pages;
- *cmd++ = SVGA_CMD_DEFINE_GMR2;
- memcpy(cmd, &define_cmd, sizeof(define_cmd));
- cmd += sizeof(define_cmd) / sizeof(uint32);
+ while (num_pages > 0) {
+ unsigned long nr = min(num_pages, (unsigned
long)VMW_PPN_PER_REMAP); +
+ remap_cmd.offsetPages = remap_pos;
+ remap_cmd.numPages = nr;
- *cmd++ = SVGA_CMD_REMAP_GMR2;
- memcpy(cmd, &remap_cmd, sizeof(remap_cmd));
- cmd += sizeof(remap_cmd) / sizeof(uint32);
+ *cmd++ = SVGA_CMD_REMAP_GMR2;
+ memcpy(cmd, &remap_cmd, sizeof(remap_cmd));
+ cmd += sizeof(remap_cmd) / sizeof(*cmd);
- for (i = 0; i < num_pages; ++i) {
- if (VMW_PPN_SIZE <= 4)
- *cmd = page_to_pfn(*pages++);
- else
- *((uint64_t *)cmd) = page_to_pfn(*pages++);
+ for (i = 0; i < nr; ++i) {
+ if (VMW_PPN_SIZE <= 4)
+ *cmd = page_to_pfn(*pages++);
+ else
+ *((uint64_t *)cmd) =
page_to_pfn(*pages++);
- cmd += VMW_PPN_SIZE / sizeof(*cmd);
+ cmd += VMW_PPN_SIZE / sizeof(*cmd);
+ }
+
+ num_pages -= nr;
+ remap_pos += nr;
}
- vmw_fifo_commit(dev_priv, define_size + remap_size);
+ BUG_ON(cmd != cmd_orig + cmd_size / sizeof(*cmd));
+
+ vmw_fifo_commit(dev_priv, cmd_size);
return 0;
}
diff --git a/drivers/hwmon/adt7470.c b/drivers/hwmon/adt7470.c
index 54ec8905..034085d 100644
--- a/drivers/hwmon/adt7470.c
+++ b/drivers/hwmon/adt7470.c
@@ -215,7 +215,7 @@ static inline int adt7470_write_word_data(struct
i2c_client *client, u8 reg, u16 value)
{
return i2c_smbus_write_byte_data(client, reg, value & 0xFF)
- && i2c_smbus_write_byte_data(client, reg + 1, value >>
8);
+ || i2c_smbus_write_byte_data(client, reg + 1, value >>
8); }
static void adt7470_init_client(struct i2c_client *client)
diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig
index 970a161..8f81b11 100644
--- a/drivers/i2c/busses/Kconfig
+++ b/drivers/i2c/busses/Kconfig
@@ -137,6 +137,7 @@ config I2C_PIIX4
ATI SB700/SP5100
ATI SB800
AMD Hudson-2
+ AMD CZ
Serverworks OSB4
Serverworks CSB5
Serverworks CSB6
diff --git a/drivers/i2c/busses/i2c-piix4.c
b/drivers/i2c/busses/i2c-piix4.c index 8bbd6ec..a216d9d 100644
--- a/drivers/i2c/busses/i2c-piix4.c
+++ b/drivers/i2c/busses/i2c-piix4.c
@@ -22,7 +22,7 @@
Intel PIIX4, 440MX
Serverworks OSB4, CSB5, CSB6, HT-1000, HT-1100
ATI IXP200, IXP300, IXP400, SB600, SB700/SP5100, SB800
- AMD Hudson-2
+ AMD Hudson-2, CZ
SMSC Victory66
Note: we assume there can only be one device, with one or more
@@ -523,6 +523,7 @@ static DEFINE_PCI_DEVICE_TABLE(piix4_ids) = {
{ PCI_DEVICE(PCI_VENDOR_ID_ATI,
PCI_DEVICE_ID_ATI_IXP400_SMBUS) }, { PCI_DEVICE(PCI_VENDOR_ID_ATI,
PCI_DEVICE_ID_ATI_SBX00_SMBUS) }, { PCI_DEVICE(PCI_VENDOR_ID_AMD,
PCI_DEVICE_ID_AMD_HUDSON2_SMBUS) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, 0x790b) },
{ PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
PCI_DEVICE_ID_SERVERWORKS_OSB4) },
{ PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
index e5c773d..28bf5f3 100644
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -1376,6 +1376,10 @@ static unsigned long iommu_unmap_page(struct
protection_domain *dom,
/* Large PTE found which maps this address */
unmap_size = PTE_PAGE_SIZE(*pte);
+
+ /* Only unmap from the first pte in the page */
+ if ((unmap_size - 1) & bus_addr)
+ break;
count = PAGE_SIZE_PTE_COUNT(unmap_size);
for (i = 0; i < count; i++)
pte[i] = 0ULL;
@@ -1385,7 +1389,7 @@ static unsigned long iommu_unmap_page(struct
protection_domain *dom, unmapped += unmap_size;
}
- BUG_ON(!is_power_of_2(unmapped));
+ BUG_ON(unmapped && !is_power_of_2(unmapped));
return unmapped;
}
diff --git a/drivers/macintosh/windfarm_rm31.c
b/drivers/macintosh/windfarm_rm31.c index 3eca6d4..e13d9fd 100644
--- a/drivers/macintosh/windfarm_rm31.c
+++ b/drivers/macintosh/windfarm_rm31.c
@@ -439,15 +439,15 @@ static void backside_setup_pid(void)
/* Slots fan */
static const struct wf_pid_param slots_param = {
- .interval = 5,
- .history_len = 2,
- .gd = 30 << 20,
- .gp = 5 << 20,
- .gr = 0,
- .itarget = 40 << 16,
- .additive = 1,
- .min = 300,
- .max = 4000,
+ .interval = 1,
+ .history_len = 20,
+ .gd = 0,
+ .gp = 0,
+ .gr = 0x00100000,
+ .itarget = 3200000,
+ .additive = 0,
+ .min = 20,
+ .max = 100,
};
static void slots_fan_tick(void)
diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
index 034233e..4fc70c8 100644
--- a/drivers/md/dm-mpath.c
+++ b/drivers/md/dm-mpath.c
@@ -1561,7 +1561,6 @@ static int multipath_ioctl(struct dm_target *ti,
unsigned int cmd, unsigned long flags;
int r;
-again:
bdev = NULL;
mode = 0;
r = 0;
@@ -1579,7 +1578,7 @@ again:
}
if ((pgpath && m->queue_io) || (!pgpath &&
m->queue_if_no_path))
- r = -EAGAIN;
+ r = -ENOTCONN;
else if (!bdev)
r = -EIO;
@@ -1591,11 +1590,8 @@ again:
if (!r && ti->len != i_size_read(bdev->bd_inode) >>
SECTOR_SHIFT) r = scsi_verify_blk_ioctl(NULL, cmd);
- if (r == -EAGAIN && !fatal_signal_pending(current)) {
+ if (r == -ENOTCONN && !fatal_signal_pending(current))
queue_work(kmultipathd, &m->process_queued_ios);
- msleep(10);
- goto again;
- }
return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg);
}
diff --git a/drivers/md/dm-verity.c b/drivers/md/dm-verity.c
index dd5ba3b..30b364c 100644
--- a/drivers/md/dm-verity.c
+++ b/drivers/md/dm-verity.c
@@ -842,9 +842,8 @@ static int verity_ctr(struct dm_target *ti,
unsigned argc, char **argv) for (i = v->levels - 1; i >= 0; i--) {
sector_t s;
v->hash_level_block[i] = hash_position;
- s = verity_position_at_level(v, v->data_blocks, i);
- s = (s >> v->hash_per_block_bits) +
- !!(s & ((1 << v->hash_per_block_bits) - 1));
+ s = (v->data_blocks + ((sector_t)1 << ((i + 1) *
v->hash_per_block_bits)) - 1)
+ >> ((i + 1) *
v->hash_per_block_bits); if (hash_position + s < hash_position) {
ti->error = "Hash device offset overflow";
r = -E2BIG;
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 4256200..dd0a1a8 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -414,10 +414,12 @@ static int dm_blk_ioctl(struct block_device
*bdev, fmode_t mode, unsigned int cmd, unsigned long arg)
{
struct mapped_device *md = bdev->bd_disk->private_data;
- struct dm_table *map = dm_get_live_table(md);
+ struct dm_table *map;
struct dm_target *tgt;
int r = -ENOTTY;
+retry:
+ map = dm_get_live_table(md);
if (!map || !dm_table_get_size(map))
goto out;
@@ -438,6 +440,11 @@ static int dm_blk_ioctl(struct block_device *bdev,
fmode_t mode, out:
dm_table_put(map);
+ if (r == -ENOTCONN) {
+ msleep(10);
+ goto retry;
+ }
+
return r;
}
diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index cd7394b..f40decb 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -2155,12 +2155,18 @@ static void recovery_request_write(struct mddev
*mddev, struct r10bio *r10_bio) d = r10_bio->devs[1].devnum;
wbio = r10_bio->devs[1].bio;
wbio2 = r10_bio->devs[1].repl_bio;
+ /* Need to test wbio2->bi_end_io before we call
+ * generic_make_request as if the former is NULL,
+ * the latter is free to free wbio2.
+ */
+ if (wbio2 && !wbio2->bi_end_io)
+ wbio2 = NULL;
if (wbio->bi_end_io) {
atomic_inc(&conf->mirrors[d].rdev->nr_pending);
md_sync_acct(conf->mirrors[d].rdev->bdev,
wbio->bi_size >> 9); generic_make_request(wbio);
}
- if (wbio2 && wbio2->bi_end_io) {
+ if (wbio2) {
atomic_inc(&conf->mirrors[d].replacement->nr_pending);
md_sync_acct(conf->mirrors[d].replacement->bdev,
wbio2->bi_size >> 9);
@@ -3434,7 +3440,7 @@ static struct r10conf *setup_conf(struct mddev
*mddev)
/* FIXME calc properly */
conf->mirrors = kzalloc(sizeof(struct
raid10_info)*(mddev->raid_disks +
-
max(0,mddev->delta_disks)),
+
max(0,-mddev->delta_disks)), GFP_KERNEL);
if (!conf->mirrors)
goto out;
@@ -3578,7 +3584,7 @@ static int run(struct mddev *mddev)
conf->geo.far_offset == 0)
goto out_free_conf;
if (conf->prev.far_copies != 1 &&
- conf->geo.far_offset == 0)
+ conf->prev.far_offset == 0)
goto out_free_conf;
}
diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
index 0689173..f94452d 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -3396,6 +3396,7 @@ static void handle_stripe(struct stripe_head *sh)
if (test_and_clear_bit(STRIPE_SYNC_REQUESTED, &sh->state)) {
set_bit(STRIPE_SYNCING, &sh->state);
clear_bit(STRIPE_INSYNC, &sh->state);
+ clear_bit(STRIPE_REPLACED, &sh->state);
}
clear_bit(STRIPE_DELAYED, &sh->state);
@@ -3535,19 +3536,23 @@ static void handle_stripe(struct stripe_head
*sh) handle_parity_checks5(conf, sh, &s, disks);
}
- if (s.replacing && s.locked == 0
- && !test_bit(STRIPE_INSYNC, &sh->state)) {
+ if ((s.replacing || s.syncing) && s.locked == 0
+ && !test_bit(STRIPE_COMPUTE_RUN, &sh->state)
+ && !test_bit(STRIPE_REPLACED, &sh->state)) {
/* Write out to replacement devices where possible */
for (i = 0; i < conf->raid_disks; i++)
- if (test_bit(R5_UPTODATE, &sh->dev[i].flags) &&
- test_bit(R5_NeedReplace,
&sh->dev[i].flags)) {
+ if (test_bit(R5_NeedReplace,
&sh->dev[i].flags)) {
+ WARN_ON(!test_bit(R5_UPTODATE,
&sh->dev[i].flags)); set_bit(R5_WantReplace, &sh->dev[i].flags);
set_bit(R5_LOCKED, &sh->dev[i].flags);
s.locked++;
}
- set_bit(STRIPE_INSYNC, &sh->state);
+ if (s.replacing)
+ set_bit(STRIPE_INSYNC, &sh->state);
+ set_bit(STRIPE_REPLACED, &sh->state);
}
if ((s.syncing || s.replacing) && s.locked == 0 &&
+ !test_bit(STRIPE_COMPUTE_RUN, &sh->state) &&
test_bit(STRIPE_INSYNC, &sh->state)) {
md_done_sync(conf->mddev, STRIPE_SECTORS, 1);
clear_bit(STRIPE_SYNCING, &sh->state);
diff --git a/drivers/md/raid5.h b/drivers/md/raid5.h
index a9fc249..03f988b 100644
--- a/drivers/md/raid5.h
+++ b/drivers/md/raid5.h
@@ -309,6 +309,7 @@ enum {
STRIPE_SYNC_REQUESTED,
STRIPE_SYNCING,
STRIPE_INSYNC,
+ STRIPE_REPLACED,
STRIPE_PREREAD_ACTIVE,
STRIPE_DELAYED,
STRIPE_DEGRADED,
diff --git a/drivers/mtd/nand/Kconfig b/drivers/mtd/nand/Kconfig
index 8ca4176..bd773e2 100644
--- a/drivers/mtd/nand/Kconfig
+++ b/drivers/mtd/nand/Kconfig
@@ -117,7 +117,7 @@ config MTD_NAND_OMAP2
config MTD_NAND_OMAP_BCH
depends on MTD_NAND && MTD_NAND_OMAP2 && ARCH_OMAP3
- bool "Enable support for hardware BCH error correction"
+ tristate "Enable support for hardware BCH error correction"
default n
select BCH
select BCH_CONST_PARAMS
diff --git a/drivers/net/arcnet/arcnet.c b/drivers/net/arcnet/arcnet.c
index a746ba2..a956053 100644
--- a/drivers/net/arcnet/arcnet.c
+++ b/drivers/net/arcnet/arcnet.c
@@ -1007,7 +1007,7 @@ static void arcnet_rx(struct net_device *dev, int
bufnum)
soft = &pkt.soft.rfc1201;
- lp->hw.copy_from_card(dev, bufnum, 0, &pkt,
sizeof(ARC_HDR_SIZE));
+ lp->hw.copy_from_card(dev, bufnum, 0, &pkt, ARC_HDR_SIZE);
if (pkt.hard.offset[0]) {
ofs = pkt.hard.offset[0];
length = 256 - ofs;
diff --git a/drivers/net/can/usb/peak_usb/pcan_usb.c
b/drivers/net/can/usb/peak_usb/pcan_usb.c index 25723d8..925ab8e 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb.c
@@ -649,7 +649,7 @@ static int pcan_usb_decode_data(struct
pcan_usb_msg_context *mc, u8 status_len) if ((mc->ptr + rec_len) >
mc->end) goto decode_failed;
- memcpy(cf->data, mc->ptr, rec_len);
+ memcpy(cf->data, mc->ptr, cf->can_dlc);
mc->ptr += rec_len;
}
diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c
index c260af5..1f3ff91 100644
--- a/drivers/net/dummy.c
+++ b/drivers/net/dummy.c
@@ -175,6 +175,8 @@ static int __init dummy_init_module(void)
rtnl_lock();
err = __rtnl_link_register(&dummy_link_ops);
+ if (err < 0)
+ goto out;
for (i = 0; i < numdummies && !err; i++) {
err = dummy_init_one();
@@ -182,6 +184,8 @@ static int __init dummy_init_module(void)
}
if (err < 0)
__rtnl_link_unregister(&dummy_link_ops);
+
+out:
rtnl_unlock();
return err;
diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c.h
b/drivers/net/ethernet/atheros/atl1c/atl1c.h index b2bf324..0f05565
100644 --- a/drivers/net/ethernet/atheros/atl1c/atl1c.h
+++ b/drivers/net/ethernet/atheros/atl1c/atl1c.h
@@ -520,6 +520,9 @@ struct atl1c_adapter {
struct net_device *netdev;
struct pci_dev *pdev;
struct napi_struct napi;
+ struct page *rx_page;
+ unsigned int rx_page_offset;
+ unsigned int rx_frag_size;
struct atl1c_hw hw;
struct atl1c_hw_stats hw_stats;
struct mii_if_info mii; /* MII interface info */
diff --git a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c index
1bf5bbf..033226b 100644 ---
a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c +++
b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c @@ -482,10 +482,15 @@
static int atl1c_set_mac_addr(struct net_device *netdev, void *p)
static void atl1c_set_rxbufsize(struct atl1c_adapter *adapter, struct
net_device *dev) {
+ unsigned int head_size;
int mtu = dev->mtu;
adapter->rx_buffer_len = mtu > AT_RX_BUF_SIZE ?
roundup(mtu + ETH_HLEN + ETH_FCS_LEN + VLAN_HLEN, 8) :
AT_RX_BUF_SIZE; +
+ head_size = SKB_DATA_ALIGN(adapter->rx_buffer_len +
NET_SKB_PAD) +
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+ adapter->rx_frag_size = roundup_pow_of_two(head_size);
}
static netdev_features_t atl1c_fix_features(struct net_device *netdev,
@@ -953,6 +958,10 @@ static void atl1c_free_ring_resources(struct
atl1c_adapter *adapter) kfree(adapter->tpd_ring[0].buffer_info);
adapter->tpd_ring[0].buffer_info = NULL;
}
+ if (adapter->rx_page) {
+ put_page(adapter->rx_page);
+ adapter->rx_page = NULL;
+ }
}
/**
@@ -1642,6 +1651,35 @@ static inline void atl1c_rx_checksum(struct
atl1c_adapter *adapter, skb_checksum_none_assert(skb);
}
+static struct sk_buff *atl1c_alloc_skb(struct atl1c_adapter *adapter)
+{
+ struct sk_buff *skb;
+ struct page *page;
+
+ if (adapter->rx_frag_size > PAGE_SIZE)
+ return netdev_alloc_skb(adapter->netdev,
+ adapter->rx_buffer_len);
+
+ page = adapter->rx_page;
+ if (!page) {
+ adapter->rx_page = page = alloc_page(GFP_ATOMIC);
+ if (unlikely(!page))
+ return NULL;
+ adapter->rx_page_offset = 0;
+ }
+
+ skb = build_skb(page_address(page) + adapter->rx_page_offset,
+ adapter->rx_frag_size);
+ if (likely(skb)) {
+ adapter->rx_page_offset += adapter->rx_frag_size;
+ if (adapter->rx_page_offset >= PAGE_SIZE)
+ adapter->rx_page = NULL;
+ else
+ get_page(page);
+ }
+ return skb;
+}
+
static int atl1c_alloc_rx_buffer(struct atl1c_adapter *adapter)
{
struct atl1c_rfd_ring *rfd_ring = &adapter->rfd_ring;
@@ -1662,7 +1700,7 @@ static int atl1c_alloc_rx_buffer(struct
atl1c_adapter *adapter) while (next_info->flags & ATL1C_BUFFER_FREE) {
rfd_desc = ATL1C_RFD_DESC(rfd_ring, rfd_next_to_use);
- skb = netdev_alloc_skb(adapter->netdev,
adapter->rx_buffer_len);
+ skb = atl1c_alloc_skb(adapter);
if (unlikely(!skb)) {
if (netif_msg_rx_err(adapter))
dev_warn(&pdev->dev, "alloc rx buffer
failed\n"); diff --git
a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c index
8f6b054..4d84939 100644 ---
a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +++
b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c @@ -1669,8 +1669,8 @@
check_sum: return 0; }
-static void atl1e_tx_map(struct atl1e_adapter *adapter,
- struct sk_buff *skb, struct atl1e_tpd_desc *tpd)
+static int atl1e_tx_map(struct atl1e_adapter *adapter,
+ struct sk_buff *skb, struct atl1e_tpd_desc
*tpd) {
struct atl1e_tpd_desc *use_tpd = NULL;
struct atl1e_tx_buffer *tx_buffer = NULL;
@@ -1681,6 +1681,7 @@ static void atl1e_tx_map(struct atl1e_adapter
*adapter, u16 nr_frags;
u16 f;
int segment;
+ int ring_start = adapter->tx_ring.next_to_use;
nr_frags = skb_shinfo(skb)->nr_frags;
segment = (tpd->word3 >> TPD_SEGMENT_EN_SHIFT) &
TPD_SEGMENT_EN_MASK; @@ -1693,6 +1694,9 @@ static void
atl1e_tx_map(struct atl1e_adapter *adapter, tx_buffer->length = map_len;
tx_buffer->dma = pci_map_single(adapter->pdev,
skb->data, hdr_len,
PCI_DMA_TODEVICE);
+ if (dma_mapping_error(&adapter->pdev->dev,
tx_buffer->dma))
+ return -ENOSPC;
+
ATL1E_SET_PCIMAP_TYPE(tx_buffer,
ATL1E_TX_PCIMAP_SINGLE); mapped_len += map_len;
use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma);
@@ -1719,6 +1723,13 @@ static void atl1e_tx_map(struct atl1e_adapter
*adapter, tx_buffer->dma =
pci_map_single(adapter->pdev, skb->data +
mapped_len, map_len, PCI_DMA_TODEVICE);
+
+ if (dma_mapping_error(&adapter->pdev->dev,
tx_buffer->dma)) {
+ /* Reset the tx rings next pointer */
+ adapter->tx_ring.next_to_use = ring_start;
+ return -ENOSPC;
+ }
+
ATL1E_SET_PCIMAP_TYPE(tx_buffer,
ATL1E_TX_PCIMAP_SINGLE); mapped_len += map_len;
use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma);
@@ -1754,6 +1765,13 @@ static void atl1e_tx_map(struct atl1e_adapter
*adapter, (i * MAX_TX_BUF_LEN),
tx_buffer->length,
DMA_TO_DEVICE);
+
+ if (dma_mapping_error(&adapter->pdev->dev,
tx_buffer->dma)) {
+ /* Reset the ring next to use pointer
*/
+ adapter->tx_ring.next_to_use =
ring_start;
+ return -ENOSPC;
+ }
+
ATL1E_SET_PCIMAP_TYPE(tx_buffer,
ATL1E_TX_PCIMAP_PAGE); use_tpd->buffer_addr =
cpu_to_le64(tx_buffer->dma); use_tpd->word2 = (use_tpd->word2 &
(~TPD_BUFLEN_MASK)) | @@ -1771,6 +1789,7 @@ static void
atl1e_tx_map(struct atl1e_adapter *adapter, /* The last buffer info
contain the skb address, so it will be free after unmap */
tx_buffer->skb = skb;
+ return 0;
}
static void atl1e_tx_queue(struct atl1e_adapter *adapter, u16 count,
@@ -1838,10 +1857,13 @@ static netdev_tx_t atl1e_xmit_frame(struct
sk_buff *skb, return NETDEV_TX_OK;
}
- atl1e_tx_map(adapter, skb, tpd);
+ if (atl1e_tx_map(adapter, skb, tpd))
+ goto out;
+
atl1e_tx_queue(adapter, tpd_req, tpd);
netdev->trans_start = jiffies; /* NETIF_F_LLTX driver :( */
+out:
spin_unlock_irqrestore(&adapter->tx_lock, flags);
return NETDEV_TX_OK;
}
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_82598.c
b/drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_82598.c index
87592b4..b3c05de 100644 ---
a/drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_82598.c +++
b/drivers/net/ethernet/intel/ixgbe/ixgbe_dcb_82598.c @@ -108,9 +108,8
@@ s32 ixgbe_dcb_config_tx_desc_arbiter_82598(struct ixgbe_hw *hw,
/* Enable arbiter */
reg &= ~IXGBE_DPMCS_ARBDIS;
- /* Enable DFP and Recycle mode */
- reg |= (IXGBE_DPMCS_TDPAC | IXGBE_DPMCS_TRM);
reg |= IXGBE_DPMCS_TSOEF;
+
/* Configure Max TSO packet size 34KB including payload and
headers */ reg |= (0x4 << IXGBE_DPMCS_MTSOS_SHIFT);
diff --git a/drivers/net/ethernet/realtek/8139cp.c
b/drivers/net/ethernet/realtek/8139cp.c index dd3371b..e933d57 100644
--- a/drivers/net/ethernet/realtek/8139cp.c
+++ b/drivers/net/ethernet/realtek/8139cp.c
@@ -478,7 +478,7 @@ rx_status_loop:
while (1) {
u32 status, len;
- dma_addr_t mapping;
+ dma_addr_t mapping, new_mapping;
struct sk_buff *skb, *new_skb;
struct cp_desc *desc;
const unsigned buflen = cp->rx_buf_sz;
@@ -520,6 +520,13 @@ rx_status_loop:
goto rx_next;
}
+ new_mapping = dma_map_single(&cp->pdev->dev,
new_skb->data, buflen,
+ PCI_DMA_FROMDEVICE);
+ if (dma_mapping_error(&cp->pdev->dev, new_mapping)) {
+ dev->stats.rx_dropped++;
+ goto rx_next;
+ }
+
dma_unmap_single(&cp->pdev->dev, mapping,
buflen, PCI_DMA_FROMDEVICE);
@@ -531,12 +538,11 @@ rx_status_loop:
skb_put(skb, len);
- mapping = dma_map_single(&cp->pdev->dev,
new_skb->data, buflen,
- PCI_DMA_FROMDEVICE);
cp->rx_skb[rx_tail] = new_skb;
cp_rx_skb(cp, skb, desc);
rx++;
+ mapping = new_mapping;
rx_next:
cp->rx_ring[rx_tail].opts2 = 0;
@@ -707,6 +713,22 @@ static inline u32 cp_tx_vlan_tag(struct sk_buff
*skb) TxVlanTag | swab16(vlan_tx_tag_get(skb)) : 0x00;
}
+static void unwind_tx_frag_mapping(struct cp_private *cp, struct
sk_buff *skb,
+ int first, int entry_last)
+{
+ int frag, index;
+ struct cp_desc *txd;
+ skb_frag_t *this_frag;
+ for (frag = 0; frag+first < entry_last; frag++) {
+ index = first+frag;
+ cp->tx_skb[index] = NULL;
+ txd = &cp->tx_ring[index];
+ this_frag = &skb_shinfo(skb)->frags[frag];
+ dma_unmap_single(&cp->pdev->dev,
le64_to_cpu(txd->addr),
+ skb_frag_size(this_frag),
PCI_DMA_TODEVICE);
+ }
+}
+
static netdev_tx_t cp_start_xmit (struct sk_buff *skb,
struct net_device *dev)
{
@@ -740,6 +762,9 @@ static netdev_tx_t cp_start_xmit (struct sk_buff
*skb,
len = skb->len;
mapping = dma_map_single(&cp->pdev->dev, skb->data,
len, PCI_DMA_TODEVICE);
+ if (dma_mapping_error(&cp->pdev->dev, mapping))
+ goto out_dma_error;
+
txd->opts2 = opts2;
txd->addr = cpu_to_le64(mapping);
wmb();
@@ -777,6 +802,9 @@ static netdev_tx_t cp_start_xmit (struct sk_buff
*skb, first_len = skb_headlen(skb);
first_mapping = dma_map_single(&cp->pdev->dev,
skb->data, first_len, PCI_DMA_TODEVICE);
+ if (dma_mapping_error(&cp->pdev->dev, first_mapping))
+ goto out_dma_error;
+
cp->tx_skb[entry] = skb;
entry = NEXT_TX(entry);
@@ -790,6 +818,11 @@ static netdev_tx_t cp_start_xmit (struct sk_buff
*skb, mapping = dma_map_single(&cp->pdev->dev,
skb_frag_address(this_frag),
len,
PCI_DMA_TODEVICE);
+ if (dma_mapping_error(&cp->pdev->dev,
mapping)) {
+ unwind_tx_frag_mapping(cp, skb,
first_entry, entry);
+ goto out_dma_error;
+ }
+
eor = (entry == (CP_TX_RING_SIZE - 1)) ?
RingEnd : 0;
ctrl = eor | len | DescOwn;
@@ -848,11 +881,16 @@ static netdev_tx_t cp_start_xmit (struct sk_buff
*skb, if (TX_BUFFS_AVAIL(cp) <= (MAX_SKB_FRAGS + 1))
netif_stop_queue(dev);
+out_unlock:
spin_unlock_irqrestore(&cp->lock, intr_flags);
cpw8(TxPoll, NormalTxPoll);
return NETDEV_TX_OK;
+out_dma_error:
+ kfree_skb(skb);
+ cp->dev->stats.tx_dropped++;
+ goto out_unlock;
}
/* Set or clear the multicast filter for this adaptor.
@@ -1023,6 +1061,10 @@ static int cp_refill_rx(struct cp_private *cp)
mapping = dma_map_single(&cp->pdev->dev, skb->data,
cp->rx_buf_sz,
PCI_DMA_FROMDEVICE);
+ if (dma_mapping_error(&cp->pdev->dev, mapping)) {
+ kfree_skb(skb);
+ goto err_out;
+ }
cp->rx_skb[i] = skb;
cp->rx_ring[i].opts2 = 0;
diff --git a/drivers/net/ethernet/sun/sunvnet.c
b/drivers/net/ethernet/sun/sunvnet.c index a108db3..1d68059 100644
--- a/drivers/net/ethernet/sun/sunvnet.c
+++ b/drivers/net/ethernet/sun/sunvnet.c
@@ -1243,6 +1243,8 @@ static int vnet_port_remove(struct vio_dev *vdev)
dev_set_drvdata(&vdev->dev, NULL);
kfree(port);
+
+ unregister_netdev(vp->dev);
}
return 0;
}
diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c
index 344dceb..635d01c 100644
--- a/drivers/net/ifb.c
+++ b/drivers/net/ifb.c
@@ -290,11 +290,17 @@ static int __init ifb_init_module(void)
rtnl_lock();
err = __rtnl_link_register(&ifb_link_ops);
+ if (err < 0)
+ goto out;
- for (i = 0; i < numifbs && !err; i++)
+ for (i = 0; i < numifbs && !err; i++) {
err = ifb_init_one(i);
+ cond_resched();
+ }
if (err)
__rtnl_link_unregister(&ifb_link_ops);
+
+out:
rtnl_unlock();
return err;
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
index 0f0f9ce..43d3ed8 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -642,6 +642,28 @@ static int macvtap_skb_to_vnet_hdr(const struct
sk_buff *skb, return 0;
}
+static unsigned long iov_pages(const struct iovec *iv, int offset,
+ unsigned long nr_segs)
+{
+ unsigned long seg, base;
+ int pages = 0, len, size;
+
+ while (nr_segs && (offset >= iv->iov_len)) {
+ offset -= iv->iov_len;
+ ++iv;
+ --nr_segs;
+ }
+
+ for (seg = 0; seg < nr_segs; seg++) {
+ base = (unsigned long)iv[seg].iov_base + offset;
+ len = iv[seg].iov_len - offset;
+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >>
PAGE_SHIFT;
+ pages += size;
+ offset = 0;
+ }
+
+ return pages;
+}
/* Get packet from user space buffer */
static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr
*m, @@ -656,6 +678,7 @@ static ssize_t macvtap_get_user(struct
macvtap_queue *q, struct msghdr *m, int vnet_hdr_len = 0;
int copylen = 0;
bool zerocopy = false;
+ size_t linear;
if (q->flags & IFF_VNET_HDR) {
vnet_hdr_len = q->vnet_hdr_sz;
@@ -687,42 +710,35 @@ static ssize_t macvtap_get_user(struct
macvtap_queue *q, struct msghdr *m, if (unlikely(count > UIO_MAXIOV))
goto err;
- if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY))
- zerocopy = true;
+ if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY)) {
+ copylen = vnet_hdr.hdr_len ? vnet_hdr.hdr_len :
GOODCOPY_LEN;
+ linear = copylen;
+ if (iov_pages(iv, vnet_hdr_len + copylen, count)
+ <= MAX_SKB_FRAGS)
+ zerocopy = true;
+ }
- if (zerocopy) {
- /* Userspace may produce vectors with count greater
than
- * MAX_SKB_FRAGS, so we need to linearize parts of the
skb
- * to let the rest of data to be fit in the frags.
- */
- if (count > MAX_SKB_FRAGS) {
- copylen = iov_length(iv, count -
MAX_SKB_FRAGS);
- if (copylen < vnet_hdr_len)
- copylen = 0;
- else
- copylen -= vnet_hdr_len;
- }
- /* There are 256 bytes to be copied in skb, so there
is enough
- * room for skb expand head in case it is used.
- * The rest buffer is mapped from userspace.
- */
- if (copylen < vnet_hdr.hdr_len)
- copylen = vnet_hdr.hdr_len;
- if (!copylen)
- copylen = GOODCOPY_LEN;
- } else
+ if (!zerocopy) {
copylen = len;
+ linear = vnet_hdr.hdr_len;
+ }
skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen,
- vnet_hdr.hdr_len, noblock, &err);
+ linear, noblock, &err);
if (!skb)
goto err;
if (zerocopy)
err = zerocopy_sg_from_iovec(skb, iv, vnet_hdr_len,
count);
- else
+ else {
err = skb_copy_datagram_from_iovec(skb, 0, iv,
vnet_hdr_len, len);
+ if (!err && m && m->msg_control) {
+ struct ubuf_info *uarg = m->msg_control;
+ uarg->callback(uarg, false);
+ }
+ }
+
if (err)
goto err_kfree;
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index ef7710f..9ab7b34 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -685,6 +685,30 @@ static int zerocopy_sg_from_iovec(struct sk_buff
*skb, const struct iovec *from, return 0;
}
+
+static unsigned long iov_pages(const struct iovec *iv, int offset,
+ unsigned long nr_segs)
+{
+ unsigned long seg, base;
+ int pages = 0, len, size;
+
+ while (nr_segs && (offset >= iv->iov_len)) {
+ offset -= iv->iov_len;
+ ++iv;
+ --nr_segs;
+ }
+
+ for (seg = 0; seg < nr_segs; seg++) {
+ base = (unsigned long)iv[seg].iov_base + offset;
+ len = iv[seg].iov_len - offset;
+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >>
PAGE_SHIFT;
+ pages += size;
+ offset = 0;
+ }
+
+ return pages;
+}
+
/* Get packet from user space buffer */
static ssize_t tun_get_user(struct tun_struct *tun, void *msg_control,
const struct iovec *iv, size_t total_len,
@@ -692,7 +716,7 @@ static ssize_t tun_get_user(struct tun_struct *tun,
void *msg_control, {
struct tun_pi pi = { 0, cpu_to_be16(ETH_P_IP) };
struct sk_buff *skb;
- size_t len = total_len, align = NET_SKB_PAD;
+ size_t len = total_len, align = NET_SKB_PAD, linear;
struct virtio_net_hdr gso = { 0 };
int offset = 0;
int copylen;
@@ -731,34 +755,24 @@ static ssize_t tun_get_user(struct tun_struct
*tun, void *msg_control, return -EINVAL;
}
- if (msg_control)
- zerocopy = true;
-
- if (zerocopy) {
- /* Userspace may produce vectors with count greater
than
- * MAX_SKB_FRAGS, so we need to linearize parts of the
skb
- * to let the rest of data to be fit in the frags.
- */
- if (count > MAX_SKB_FRAGS) {
- copylen = iov_length(iv, count -
MAX_SKB_FRAGS);
- if (copylen < offset)
- copylen = 0;
- else
- copylen -= offset;
- } else
- copylen = 0;
- /* There are 256 bytes to be copied in skb, so there
is enough
- * room for skb expand head in case it is used.
+ if (msg_control) {
+ /* There are 256 bytes to be copied in skb, so there is
+ * enough room for skb expand head in case it is used.
* The rest of the buffer is mapped from userspace.
*/
- if (copylen < gso.hdr_len)
- copylen = gso.hdr_len;
- if (!copylen)
- copylen = GOODCOPY_LEN;
- } else
+ copylen = gso.hdr_len ? gso.hdr_len : GOODCOPY_LEN;
+ linear = copylen;
+ if (iov_pages(iv, offset + copylen, count) <=
MAX_SKB_FRAGS)
+ zerocopy = true;
+ }
+
+ if (!zerocopy) {
copylen = len;
+ linear = gso.hdr_len;
+ }
skb = tun_alloc_skb(tun, align, copylen, gso.hdr_len, noblock);
+ skb = tun_alloc_skb(tun, align, copylen, linear, noblock);
if (IS_ERR(skb)) {
if (PTR_ERR(skb) != -EAGAIN)
tun->dev->stats.rx_dropped++;
@@ -767,8 +781,13 @@ static ssize_t tun_get_user(struct tun_struct
*tun, void *msg_control,
if (zerocopy)
err = zerocopy_sg_from_iovec(skb, iv, offset, count);
- else
+ else {
err = skb_copy_datagram_from_iovec(skb, 0, iv, offset,
len);
+ if (!err && msg_control) {
+ struct ubuf_info *uarg = msg_control;
+ uarg->callback(uarg, false);
+ }
+ }
if (err) {
tun->dev->stats.rx_dropped++;
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 83d2b0c..fc04222 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -528,7 +528,7 @@ static int virtnet_poll(struct napi_struct *napi,
int budget) {
struct virtnet_info *vi = container_of(napi, struct
virtnet_info, napi); void *buf;
- unsigned int len, received = 0;
+ unsigned int r, len, received = 0;
again:
while (received < budget &&
@@ -545,8 +545,9 @@ again:
/* Out of packets? */
if (received < budget) {
+ r = virtqueue_enable_cb_prepare(vi->rvq);
napi_complete(napi);
- if (unlikely(!virtqueue_enable_cb(vi->rvq)) &&
+ if (unlikely(virtqueue_poll(vi->rvq, r)) &&
napi_schedule_prep(napi)) {
virtqueue_disable_cb(vi->rvq);
__napi_schedule(napi);
diff --git a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c index d066f25..e8e3929
100644 --- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
@@ -3562,7 +3562,7 @@ static u16 ar9003_hw_ant_ctrl_chain_get(struct
ath_hw *ah, int chain, static void ar9003_hw_ant_ctrl_apply(struct
ath_hw *ah, bool is2ghz) {
int chain;
- u32 regval;
+ u32 regval, value;
u32 ant_div_ctl1;
static const u32 switch_chain_reg[AR9300_MAX_CHAINS] = {
AR_PHY_SWITCH_CHAIN_0,
@@ -3570,7 +3570,11 @@ static void ar9003_hw_ant_ctrl_apply(struct
ath_hw *ah, bool is2ghz) AR_PHY_SWITCH_CHAIN_2,
};
- u32 value = ar9003_hw_ant_ctrl_common_get(ah, is2ghz);
+ if (AR_SREV_9485(ah) && (ar9003_hw_get_rx_gain_idx(ah) == 0))
+ ath9k_hw_cfg_output(ah, AR9300_EXT_LNA_CTL_GPIO_AR9485,
+
AR_GPIO_OUTPUT_MUX_AS_PCIE_ATTENTION_LED); +
+ value = ar9003_hw_ant_ctrl_common_get(ah, is2ghz);
if (AR_SREV_9462(ah)) {
REG_RMW_FIELD(ah, AR_PHY_SWITCH_COM,
diff --git a/drivers/net/wireless/ath/ath9k/ar9003_phy.h
b/drivers/net/wireless/ath/ath9k/ar9003_phy.h index 84d3d49..3dead81
100644 --- a/drivers/net/wireless/ath/ath9k/ar9003_phy.h
+++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.h
@@ -339,6 +339,8 @@
#define AR_PHY_CCA_NOM_VAL_9330_2GHZ -118
+#define AR9300_EXT_LNA_CTL_GPIO_AR9485 9
+
/*
* AGC Field Definitions
*/
diff --git a/drivers/net/wireless/ath/ath9k/calib.c
b/drivers/net/wireless/ath/ath9k/calib.c index e5cceb0..00960b7 100644
--- a/drivers/net/wireless/ath/ath9k/calib.c
+++ b/drivers/net/wireless/ath/ath9k/calib.c
@@ -388,7 +388,6 @@ bool ath9k_hw_getnf(struct ath_hw *ah, struct
ath9k_channel *chan)
if (!caldata) {
chan->noisefloor = nf;
- ah->noise = ath9k_hw_getchan_noise(ah, chan);
return false;
}
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
b/drivers/net/wireless/ath/ath9k/htc_drv_init.c index 01248b9..4303173
100644 --- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
@@ -824,6 +824,7 @@ static int ath9k_init_device(struct ath9k_htc_priv
*priv, if (error != 0)
goto err_rx;
+ ath9k_hw_disable(priv->ah);
#ifdef CONFIG_MAC80211_LEDS
/* must be initialized before ieee80211_register_hw */
priv->led_cdev.default_trigger =
ieee80211_create_tpt_led_trigger(priv->hw, diff --git
a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c index 47e61d0..c1289b6
100644 --- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +++
b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c @@ -448,6 +448,7 @@
static void ath9k_htc_tx_process(struct ath9k_htc_priv *priv, struct
ieee80211_conf *cur_conf = &priv->hw->conf; bool txok;
int slot;
+ int hdrlen, padsize;
slot = strip_drv_header(priv, skb);
if (slot < 0) {
@@ -504,6 +505,15 @@ send_mac80211:
ath9k_htc_tx_clear_slot(priv, slot);
+ /* Remove padding before handing frame back to mac80211 */
+ hdrlen = ieee80211_get_hdrlen_from_skb(skb);
+
+ padsize = hdrlen & 3;
+ if (padsize && skb->len > hdrlen + padsize) {
+ memmove(skb->data + padsize, skb->data, hdrlen);
+ skb_pull(skb, padsize);
+ }
+
/* Send status to mac80211 */
ieee80211_tx_status(priv->hw, skb);
}
diff --git a/drivers/net/wireless/ath/ath9k/main.c
b/drivers/net/wireless/ath/ath9k/main.c index e032723..d0ed5c6 100644
--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -172,8 +172,7 @@ static void ath_restart_work(struct ath_softc *sc)
{
ieee80211_queue_delayed_work(sc->hw, &sc->tx_complete_work, 0);
- if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9485(sc->sc_ah) ||
- AR_SREV_9550(sc->sc_ah))
+ if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9330(sc->sc_ah))
ieee80211_queue_delayed_work(sc->hw, &sc->hw_pll_work,
msecs_to_jiffies(ATH_PLL_WORK_INTERVAL));
diff --git a/drivers/net/wireless/b43/Kconfig
b/drivers/net/wireless/b43/Kconfig index 3876c7e..af40211 100644
--- a/drivers/net/wireless/b43/Kconfig
+++ b/drivers/net/wireless/b43/Kconfig
@@ -28,7 +28,7 @@ config B43
config B43_BCMA
bool "Support for BCMA bus"
- depends on B43 && BCMA
+ depends on B43 && (BCMA = y || BCMA = B43)
default y
config B43_BCMA_EXTRA
@@ -39,7 +39,7 @@ config B43_BCMA_EXTRA
config B43_SSB
bool
- depends on B43 && SSB
+ depends on B43 && (SSB = y || SSB = B43)
default y
# Auto-select SSB PCI-HOST support, if possible
diff --git a/drivers/net/wireless/hostap/hostap_ioctl.c
b/drivers/net/wireless/hostap/hostap_ioctl.c index 18054d9..dbec2ff
100644 --- a/drivers/net/wireless/hostap/hostap_ioctl.c
+++ b/drivers/net/wireless/hostap/hostap_ioctl.c
@@ -522,9 +522,9 @@ static int prism2_ioctl_giwaplist(struct net_device
*dev,
data->length = prism2_ap_get_sta_qual(local, addr, qual,
IW_MAX_AP, 1);
- memcpy(extra, &addr, sizeof(struct sockaddr) * data->length);
+ memcpy(extra, addr, sizeof(struct sockaddr) * data->length);
data->flags = 1; /* has quality information */
- memcpy(extra + sizeof(struct sockaddr) * data->length, &qual,
+ memcpy(extra + sizeof(struct sockaddr) * data->length, qual,
sizeof(struct iw_quality) * data->length);
kfree(addr);
diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c
b/drivers/net/wireless/iwlegacy/4965-mac.c index 34f61a0..f6624b8 100644
--- a/drivers/net/wireless/iwlegacy/4965-mac.c
+++ b/drivers/net/wireless/iwlegacy/4965-mac.c
@@ -4411,12 +4411,12 @@ il4965_irq_tasklet(struct il_priv *il)
* is killed. Hence update the killswitch state here.
The
* rfkill handler will care about restarting if needed.
*/
- if (!test_bit(S_ALIVE, &il->status)) {
- if (hw_rf_kill)
- set_bit(S_RFKILL, &il->status);
- else
- clear_bit(S_RFKILL, &il->status);
+ if (hw_rf_kill) {
+ set_bit(S_RFKILL, &il->status);
+ } else {
+ clear_bit(S_RFKILL, &il->status);
wiphy_rfkill_set_hw_state(il->hw->wiphy,
hw_rf_kill);
+ il_force_reset(il, true);
}
handled |= CSR_INT_BIT_RF_KILL;
@@ -5285,6 +5285,9 @@ il4965_alive_start(struct il_priv *il)
il->active_rate = RATES_MASK;
+ il_power_update_mode(il, true);
+ D_INFO("Updated power mode\n");
+
if (il_is_associated(il)) {
struct il_rxon_cmd *active_rxon =
(struct il_rxon_cmd *)&il->active;
@@ -5315,9 +5318,6 @@ il4965_alive_start(struct il_priv *il)
D_INFO("ALIVE processing complete.\n");
wake_up(&il->wait_command_queue);
- il_power_update_mode(il, true);
- D_INFO("Updated power mode\n");
-
return;
restart:
diff --git a/drivers/net/wireless/iwlegacy/common.c
b/drivers/net/wireless/iwlegacy/common.c index 0370403..3d26831 100644
--- a/drivers/net/wireless/iwlegacy/common.c
+++ b/drivers/net/wireless/iwlegacy/common.c
@@ -4658,6 +4658,7 @@ il_force_reset(struct il_priv *il, bool external)
return 0;
}
+EXPORT_SYMBOL(il_force_reset);
int
il_mac_change_interface(struct ieee80211_hw *hw, struct ieee80211_vif
*vif, diff --git a/drivers/net/wireless/iwlwifi/dvm/mac80211.c
b/drivers/net/wireless/iwlwifi/dvm/mac80211.c index 7a2cf52..515376d
100644 --- a/drivers/net/wireless/iwlwifi/dvm/mac80211.c
+++ b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
@@ -941,7 +941,10 @@ void iwl_chswitch_done(struct iwl_priv *priv, bool
is_success) if (test_bit(STATUS_EXIT_PENDING, &priv->status))
return;
- if (test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING,
&priv->status))
+ if (!test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING,
&priv->status))
+ return;
+
+ if (ctx->vif)
ieee80211_chswitch_done(ctx->vif, is_success);
}
diff --git a/drivers/net/wireless/iwlwifi/pcie/drv.c
b/drivers/net/wireless/iwlwifi/pcie/drv.c index f4c3500..71e887c 100644
--- a/drivers/net/wireless/iwlwifi/pcie/drv.c
+++ b/drivers/net/wireless/iwlwifi/pcie/drv.c
@@ -132,6 +132,7 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_card_ids) = {
{IWL_PCI_DEVICE(0x423C, 0x1306, iwl5150_abg_cfg)}, /* Half
Mini Card */ {IWL_PCI_DEVICE(0x423C, 0x1221, iwl5150_agn_cfg)}, /* Mini
Card */ {IWL_PCI_DEVICE(0x423C, 0x1321, iwl5150_agn_cfg)}, /* Half Mini
Card */
+ {IWL_PCI_DEVICE(0x423C, 0x1326, iwl5150_abg_cfg)}, /* Half
Mini Card */
{IWL_PCI_DEVICE(0x423D, 0x1211, iwl5150_agn_cfg)}, /* Mini
Card */ {IWL_PCI_DEVICE(0x423D, 0x1311, iwl5150_agn_cfg)}, /* Half Mini
Card */ diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c
b/drivers/net/wireless/iwlwifi/pcie/trans.c index dbeebef..d7eeb96
100644 --- a/drivers/net/wireless/iwlwifi/pcie/trans.c
+++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
@@ -2100,16 +2100,16 @@ struct iwl_trans *iwl_trans_pcie_alloc(struct
pci_dev *pdev, spin_lock_init(&trans_pcie->irq_lock);
init_waitqueue_head(&trans_pcie->ucode_write_waitq);
- /* W/A - seems to solve weird behavior. We need to remove this
if we
- * don't want to stay in L1 all the time. This wastes a lot of
power */
- pci_disable_link_state(pdev, PCIE_LINK_STATE_L0S |
PCIE_LINK_STATE_L1 |
- PCIE_LINK_STATE_CLKPM);
-
if (pci_enable_device(pdev)) {
err = -ENODEV;
goto out_no_pci;
}
+ /* W/A - seems to solve weird behavior. We need to remove this
if we
+ * don't want to stay in L1 all the time. This wastes a lot of
power */
+ pci_disable_link_state(pdev, PCIE_LINK_STATE_L0S |
PCIE_LINK_STATE_L1 |
+ PCIE_LINK_STATE_CLKPM);
+
pci_set_master(pdev);
err = pci_set_dma_mask(pdev, DMA_BIT_MASK(36));
diff --git a/drivers/net/wireless/mwifiex/sdio.c
b/drivers/net/wireless/mwifiex/sdio.c index 82cf0fa..821d9d2 100644
--- a/drivers/net/wireless/mwifiex/sdio.c
+++ b/drivers/net/wireless/mwifiex/sdio.c
@@ -1455,8 +1455,8 @@ static int mwifiex_sdio_host_to_card(struct
mwifiex_adapter *adapter, /* Allocate buffer and copy payload */
blk_size = MWIFIEX_SDIO_BLOCK_SIZE;
buf_block_len = (pkt_len + blk_size - 1) / blk_size;
- *(u16 *) &payload[0] = (u16) pkt_len;
- *(u16 *) &payload[2] = type;
+ *(__le16 *)&payload[0] = cpu_to_le16((u16)pkt_len);
+ *(__le16 *)&payload[2] = cpu_to_le16(type);
/*
* This is SDIO specific header
diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c
b/drivers/net/wireless/rt2x00/rt2800lib.c index 6c85ba5..fe0e278 100644
--- a/drivers/net/wireless/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/rt2x00/rt2800lib.c
@@ -4980,8 +4980,8 @@ int rt2800_probe_hw_mode(struct rt2x00_dev
*rt2x00dev) default_power2 = rt2x00_eeprom_addr(rt2x00dev,
EEPROM_TXPOWER_A2);
for (i = 14; i < spec->num_channels; i++) {
- info[i].default_power1 = default_power1[i];
- info[i].default_power2 = default_power2[i];
+ info[i].default_power1 = default_power1[i -
14];
+ info[i].default_power2 = default_power2[i -
14]; }
}
diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c
b/drivers/net/wireless/rt2x00/rt2x00queue.c index f7e74a0..cff62c0
100644 --- a/drivers/net/wireless/rt2x00/rt2x00queue.c
+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
@@ -875,13 +875,8 @@ void rt2x00queue_index_inc(struct queue_entry
*entry, enum queue_index index)
spin_unlock_irqrestore(&queue->index_lock, irqflags); }
-void rt2x00queue_pause_queue(struct data_queue *queue)
+void rt2x00queue_pause_queue_nocheck(struct data_queue *queue)
{
- if (!test_bit(DEVICE_STATE_PRESENT, &queue->rt2x00dev->flags)
||
- !test_bit(QUEUE_STARTED, &queue->flags) ||
- test_and_set_bit(QUEUE_PAUSED, &queue->flags))
- return;
-
switch (queue->qid) {
case QID_AC_VO:
case QID_AC_VI:
@@ -897,6 +892,15 @@ void rt2x00queue_pause_queue(struct data_queue
*queue) break;
}
}
+void rt2x00queue_pause_queue(struct data_queue *queue)
+{
+ if (!test_bit(DEVICE_STATE_PRESENT, &queue->rt2x00dev->flags)
||
+ !test_bit(QUEUE_STARTED, &queue->flags) ||
+ test_and_set_bit(QUEUE_PAUSED, &queue->flags))
+ return;
+
+ rt2x00queue_pause_queue_nocheck(queue);
+}
EXPORT_SYMBOL_GPL(rt2x00queue_pause_queue);
void rt2x00queue_unpause_queue(struct data_queue *queue)
@@ -958,7 +962,7 @@ void rt2x00queue_stop_queue(struct data_queue
*queue) return;
}
- rt2x00queue_pause_queue(queue);
+ rt2x00queue_pause_queue_nocheck(queue);
queue->rt2x00dev->ops->lib->stop_queue(queue);
diff --git a/drivers/net/wireless/rt2x00/rt61pci.c
b/drivers/net/wireless/rt2x00/rt61pci.c index b8ec961..7e475a9 100644
--- a/drivers/net/wireless/rt2x00/rt61pci.c
+++ b/drivers/net/wireless/rt2x00/rt61pci.c
@@ -2822,7 +2822,8 @@ static int rt61pci_probe_hw_mode(struct
rt2x00_dev *rt2x00dev) tx_power = rt2x00_eeprom_addr(rt2x00dev,
EEPROM_TXPOWER_A_START); for (i = 14; i < spec->num_channels; i++) {
info[i].max_power = MAX_TXPOWER;
- info[i].default_power1 =
TXPOWER_FROM_DEV(tx_power[i]);
+ info[i].default_power1 =
+ TXPOWER_FROM_DEV(tx_power[i -
14]); }
}
diff --git a/drivers/net/wireless/rt2x00/rt73usb.c
b/drivers/net/wireless/rt2x00/rt73usb.c index 248436c..55d30ba 100644
--- a/drivers/net/wireless/rt2x00/rt73usb.c
+++ b/drivers/net/wireless/rt2x00/rt73usb.c
@@ -2167,7 +2167,8 @@ static int rt73usb_probe_hw_mode(struct
rt2x00_dev *rt2x00dev) tx_power = rt2x00_eeprom_addr(rt2x00dev,
EEPROM_TXPOWER_A_START); for (i = 14; i < spec->num_channels; i++) {
info[i].max_power = MAX_TXPOWER;
- info[i].default_power1 =
TXPOWER_FROM_DEV(tx_power[i]);
+ info[i].default_power1 =
+ TXPOWER_FROM_DEV(tx_power[i -
14]); }
}
diff --git a/drivers/net/wireless/zd1201.c
b/drivers/net/wireless/zd1201.c index 48273dd..4312eca 100644
--- a/drivers/net/wireless/zd1201.c
+++ b/drivers/net/wireless/zd1201.c
@@ -98,10 +98,12 @@ static int zd1201_fw_upload(struct usb_device *dev,
int apfw) goto exit;
err = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), 0x4,
- USB_DIR_IN | 0x40, 0,0, &ret, sizeof(ret),
ZD1201_FW_TIMEOUT);
+ USB_DIR_IN | 0x40, 0, 0, buf, sizeof(ret),
ZD1201_FW_TIMEOUT); if (err < 0)
goto exit;
+ memcpy(&ret, buf, sizeof(ret));
+
if (ret & 0x80) {
err = -EIO;
goto exit;
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
index ecac034..110c26c 100644
--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -275,8 +275,7 @@ no_skb:
break;
}
- __skb_fill_page_desc(skb, 0, page, 0, 0);
- skb_shinfo(skb)->nr_frags = 1;
+ skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE);
__skb_queue_tail(&np->rx_batch, skb);
}
@@ -771,7 +770,6 @@ static RING_IDX xennet_fill_frags(struct
netfront_info *np, struct sk_buff_head *list)
{
struct skb_shared_info *shinfo = skb_shinfo(skb);
- int nr_frags = shinfo->nr_frags;
RING_IDX cons = np->rx.rsp_cons;
struct sk_buff *nskb;
@@ -780,19 +778,21 @@ static RING_IDX xennet_fill_frags(struct
netfront_info *np, RING_GET_RESPONSE(&np->rx, ++cons);
skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0];
- __skb_fill_page_desc(skb, nr_frags,
- skb_frag_page(nfrag),
- rx->offset, rx->status);
+ if (shinfo->nr_frags == MAX_SKB_FRAGS) {
+ unsigned int pull_to =
NETFRONT_SKB_CB(skb)->pull_to;
- skb->data_len += rx->status;
+ BUG_ON(pull_to <= skb_headlen(skb));
+ __pskb_pull_tail(skb, pull_to -
skb_headlen(skb));
+ }
+ BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS);
+
+ skb_add_rx_frag(skb, shinfo->nr_frags,
skb_frag_page(nfrag),
+ rx->offset, rx->status, PAGE_SIZE);
skb_shinfo(nskb)->nr_frags = 0;
kfree_skb(nskb);
-
- nr_frags++;
}
- shinfo->nr_frags = nr_frags;
return cons;
}
@@ -878,7 +878,8 @@ static int handle_incoming_queue(struct net_device
*dev, while ((skb = __skb_dequeue(rxq)) != NULL) {
int pull_to = NETFRONT_SKB_CB(skb)->pull_to;
- __pskb_pull_tail(skb, pull_to - skb_headlen(skb));
+ if (pull_to > skb_headlen(skb))
+ __pskb_pull_tail(skb, pull_to -
skb_headlen(skb));
/* Ethernet work: Delayed to here as it peeks the
header. */ skb->protocol = eth_type_trans(skb, dev);
@@ -964,35 +965,10 @@ err:
skb_shinfo(skb)->frags[0].page_offset = rx->offset;
skb_frag_size_set(&skb_shinfo(skb)->frags[0],
rx->status); skb->data_len = rx->status;
+ skb->len += rx->status;
i = xennet_fill_frags(np, skb, &tmpq);
- /*
- * Truesize approximates the size of true data plus
- * any supervisor overheads. Adding hypervisor
- * overheads has been shown to significantly reduce
- * achievable bandwidth with the default receive
- * buffer size. It is therefore not wise to account
- * for it here.
- *
- * After alloc_skb(RX_COPY_THRESHOLD), truesize is set
- * to RX_COPY_THRESHOLD + the supervisor
- * overheads. Here, we add the size of the data pulled
- * in xennet_fill_frags().
- *
- * We also adjust for any unused space in the main
- * data area by subtracting (RX_COPY_THRESHOLD -
- * len). This is especially important with drivers
- * which split incoming packets into header and data,
- * using only 66 bytes of the main data area (see the
- * e1000 driver for example.) On such systems,
- * without this last adjustement, our achievable
- * receive throughout using the standard receive
- * buffer size was cut by 25%(!!!).
- */
- skb->truesize += skb->data_len - RX_COPY_THRESHOLD;
- skb->len += skb->data_len;
-
if (rx->flags & XEN_NETRXF_csum_blank)
skb->ip_summed = CHECKSUM_PARTIAL;
else if (rx->flags & XEN_NETRXF_data_validated)
diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 91a375f..17fad3b 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -390,6 +390,8 @@ static void __unflatten_device_tree(struct
boot_param_header *blob, mem = (unsigned long)
dt_alloc(size + 4, __alignof__(struct device_node));
+ memset((void *)mem, 0, size);
+
((__be32 *)mem)[size / 4] = cpu_to_be32(0xdeadbeef);
pr_debug(" unflattening %lx...\n", mem);
diff --git a/drivers/platform/olpc/olpc-ec.c
b/drivers/platform/olpc/olpc-ec.c index 0f9f859..f911952 100644
--- a/drivers/platform/olpc/olpc-ec.c
+++ b/drivers/platform/olpc/olpc-ec.c
@@ -330,7 +330,7 @@ static int __init olpc_ec_init_module(void)
return platform_driver_register(&olpc_ec_plat_driver);
}
-module_init(olpc_ec_init_module);
+arch_initcall(olpc_ec_init_module);
MODULE_AUTHOR("Andres Salomon <dilinger@queued.net>");
MODULE_LICENSE("GPL");
diff --git a/drivers/rapidio/switches/idt_gen2.c
b/drivers/rapidio/switches/idt_gen2.c index 809b7a3..5d3b0f0 100644
--- a/drivers/rapidio/switches/idt_gen2.c
+++ b/drivers/rapidio/switches/idt_gen2.c
@@ -15,6 +15,8 @@
#include <linux/rio_drv.h>
#include <linux/rio_ids.h>
#include <linux/delay.h>
+
+#include <asm/page.h>
#include "../rio.h"
#define LOCAL_RTE_CONF_DESTID_SEL 0x010070
diff --git a/drivers/s390/scsi/zfcp_aux.c b/drivers/s390/scsi/zfcp_aux.c
index f6adde4..3743ac9 100644
--- a/drivers/s390/scsi/zfcp_aux.c
+++ b/drivers/s390/scsi/zfcp_aux.c
@@ -3,7 +3,7 @@
*
* Module interface and handling of zfcp data structures.
*
- * Copyright IBM Corp. 2002, 2010
+ * Copyright IBM Corp. 2002, 2013
*/
/*
@@ -23,6 +23,7 @@
* Christof Schmitt
* Martin Petermann
* Sven Schuetz
+ * Steffen Maier
*/
#define KMSG_COMPONENT "zfcp"
@@ -415,6 +416,8 @@ struct zfcp_adapter *zfcp_adapter_enqueue(struct
ccw_device *ccw_device) adapter->dma_parms.max_segment_size =
ZFCP_QDIO_SBALE_LEN; adapter->ccw_device->dev.dma_parms =
&adapter->dma_parms;
+ adapter->stat_read_buf_num = FSF_STATUS_READS_RECOM;
+
if (!zfcp_scsi_adapter_register(adapter))
return adapter;
diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c
index 92d3df6..e36fc02 100644
--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -102,10 +102,13 @@ static void zfcp_erp_action_dismiss_port(struct
zfcp_port *port)
if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_INUSE)
zfcp_erp_action_dismiss(&port->erp_action);
- else
- shost_for_each_device(sdev, port->adapter->scsi_host)
+ else {
+ spin_lock(port->adapter->scsi_host->host_lock);
+ __shost_for_each_device(sdev, port->adapter->scsi_host)
if (sdev_to_zfcp(sdev)->port == port)
zfcp_erp_action_dismiss_lun(sdev);
+ spin_unlock(port->adapter->scsi_host->host_lock);
+ }
}
static void zfcp_erp_action_dismiss_adapter(struct zfcp_adapter
*adapter) @@ -592,9 +595,11 @@ static void
_zfcp_erp_lun_reopen_all(struct zfcp_port *port, int clear, {
struct scsi_device *sdev;
- shost_for_each_device(sdev, port->adapter->scsi_host)
+ spin_lock(port->adapter->scsi_host->host_lock);
+ __shost_for_each_device(sdev, port->adapter->scsi_host)
if (sdev_to_zfcp(sdev)->port == port)
_zfcp_erp_lun_reopen(sdev, clear, id, 0);
+ spin_unlock(port->adapter->scsi_host->host_lock);
}
static void zfcp_erp_strategy_followup_failed(struct zfcp_erp_action
*act) @@ -1435,8 +1440,10 @@ void zfcp_erp_set_adapter_status(struct
zfcp_adapter *adapter, u32 mask) atomic_set_mask(common_mask,
&port->status); read_unlock_irqrestore(&adapter->port_list_lock, flags);
- shost_for_each_device(sdev, adapter->scsi_host)
+ spin_lock_irqsave(adapter->scsi_host->host_lock, flags);
+ __shost_for_each_device(sdev, adapter->scsi_host)
atomic_set_mask(common_mask,
&sdev_to_zfcp(sdev)->status);
+ spin_unlock_irqrestore(adapter->scsi_host->host_lock, flags);
}
/**
@@ -1470,11 +1477,13 @@ void zfcp_erp_clear_adapter_status(struct
zfcp_adapter *adapter, u32 mask) }
read_unlock_irqrestore(&adapter->port_list_lock, flags);
- shost_for_each_device(sdev, adapter->scsi_host) {
+ spin_lock_irqsave(adapter->scsi_host->host_lock, flags);
+ __shost_for_each_device(sdev, adapter->scsi_host) {
atomic_clear_mask(common_mask,
&sdev_to_zfcp(sdev)->status); if (clear_counter)
atomic_set(&sdev_to_zfcp(sdev)->erp_counter,
0); }
+ spin_unlock_irqrestore(adapter->scsi_host->host_lock, flags);
}
/**
@@ -1488,16 +1497,19 @@ void zfcp_erp_set_port_status(struct zfcp_port
*port, u32 mask) {
struct scsi_device *sdev;
u32 common_mask = mask & ZFCP_COMMON_FLAGS;
+ unsigned long flags;
atomic_set_mask(mask, &port->status);
if (!common_mask)
return;
- shost_for_each_device(sdev, port->adapter->scsi_host)
+ spin_lock_irqsave(port->adapter->scsi_host->host_lock, flags);
+ __shost_for_each_device(sdev, port->adapter->scsi_host)
if (sdev_to_zfcp(sdev)->port == port)
atomic_set_mask(common_mask,
&sdev_to_zfcp(sdev)->status);
+ spin_unlock_irqrestore(port->adapter->scsi_host->host_lock,
flags); }
/**
@@ -1512,6 +1524,7 @@ void zfcp_erp_clear_port_status(struct zfcp_port
*port, u32 mask) struct scsi_device *sdev;
u32 common_mask = mask & ZFCP_COMMON_FLAGS;
u32 clear_counter = mask & ZFCP_STATUS_COMMON_ERP_FAILED;
+ unsigned long flags;
atomic_clear_mask(mask, &port->status);
@@ -1521,13 +1534,15 @@ void zfcp_erp_clear_port_status(struct
zfcp_port *port, u32 mask) if (clear_counter)
atomic_set(&port->erp_counter, 0);
- shost_for_each_device(sdev, port->adapter->scsi_host)
+ spin_lock_irqsave(port->adapter->scsi_host->host_lock, flags);
+ __shost_for_each_device(sdev, port->adapter->scsi_host)
if (sdev_to_zfcp(sdev)->port == port) {
atomic_clear_mask(common_mask,
&sdev_to_zfcp(sdev)->status);
if (clear_counter)
atomic_set(&sdev_to_zfcp(sdev)->erp_counter,
0); }
+ spin_unlock_irqrestore(port->adapter->scsi_host->host_lock,
flags); }
/**
diff --git a/drivers/s390/scsi/zfcp_fsf.c b/drivers/s390/scsi/zfcp_fsf.c
index 48f875f..961e327 100644
--- a/drivers/s390/scsi/zfcp_fsf.c
+++ b/drivers/s390/scsi/zfcp_fsf.c
@@ -3,7 +3,7 @@
*
* Implementation of FSF commands.
*
- * Copyright IBM Corp. 2002, 2010
+ * Copyright IBM Corp. 2002, 2013
*/
#define KMSG_COMPONENT "zfcp"
@@ -483,12 +483,8 @@ static int
zfcp_fsf_exchange_config_evaluate(struct zfcp_fsf_req *req)
fc_host_port_name(shost) = nsp->fl_wwpn;
fc_host_node_name(shost) = nsp->fl_wwnn;
- fc_host_port_id(shost) = ntoh24(bottom->s_id);
- fc_host_speed(shost) =
- zfcp_fsf_convert_portspeed(bottom->fc_link_speed);
fc_host_supported_classes(shost) = FC_COS_CLASS2 |
FC_COS_CLASS3;
- adapter->hydra_version = bottom->adapter_type;
adapter->timer_ticks = bottom->timer_interval &
ZFCP_FSF_TIMER_INT_MASK; adapter->stat_read_buf_num =
max(bottom->status_read_buf_num, (u16)FSF_STATUS_READS_RECOM);
@@ -496,6 +492,19 @@ static int
zfcp_fsf_exchange_config_evaluate(struct zfcp_fsf_req *req) if
(fc_host_permanent_port_name(shost) == -1)
fc_host_permanent_port_name(shost) = fc_host_port_name(shost);
+ zfcp_scsi_set_prot(adapter);
+
+ /* no error return above here, otherwise must fix call chains
*/
+ /* do not evaluate invalid fields */
+ if (req->qtcb->header.fsf_status ==
FSF_EXCHANGE_CONFIG_DATA_INCOMPLETE)
+ return 0;
+
+ fc_host_port_id(shost) = ntoh24(bottom->s_id);
+ fc_host_speed(shost) =
+ zfcp_fsf_convert_portspeed(bottom->fc_link_speed);
+
+ adapter->hydra_version = bottom->adapter_type;
+
switch (bottom->fc_topology) {
case FSF_TOPO_P2P:
adapter->peer_d_id = ntoh24(bottom->peer_d_id);
@@ -517,8 +526,6 @@ static int zfcp_fsf_exchange_config_evaluate(struct
zfcp_fsf_req *req) return -EIO;
}
- zfcp_scsi_set_prot(adapter);
-
return 0;
}
@@ -563,8 +570,14 @@ static void
zfcp_fsf_exchange_config_data_handler(struct zfcp_fsf_req *req)
fc_host_port_type(shost) = FC_PORTTYPE_UNKNOWN; adapter->hydra_version
= 0;
+ /* avoids adapter shutdown to be able to recognize
+ * events such as LINK UP */
+ atomic_set_mask(ZFCP_STATUS_ADAPTER_XCONFIG_OK,
+ &adapter->status);
zfcp_fsf_link_down_info_eval(req,
&qtcb->header.fsf_status_qual.link_down_info);
+ if (zfcp_fsf_exchange_config_evaluate(req))
+ return;
break;
default:
zfcp_erp_adapter_shutdown(adapter, 0, "fsecdh3");
diff --git a/drivers/s390/scsi/zfcp_qdio.c
b/drivers/s390/scsi/zfcp_qdio.c index 50b5615..925fb1f 100644
--- a/drivers/s390/scsi/zfcp_qdio.c
+++ b/drivers/s390/scsi/zfcp_qdio.c
@@ -224,11 +224,9 @@ int zfcp_qdio_sbals_from_sg(struct zfcp_qdio
*qdio, struct zfcp_qdio_req *q_req,
static int zfcp_qdio_sbal_check(struct zfcp_qdio *qdio)
{
- spin_lock_irq(&qdio->req_q_lock);
if (atomic_read(&qdio->req_q_free) ||
!(atomic_read(&qdio->adapter->status) &
ZFCP_STATUS_ADAPTER_QDIOUP)) return 1;
- spin_unlock_irq(&qdio->req_q_lock);
return 0;
}
@@ -246,9 +244,8 @@ int zfcp_qdio_sbal_get(struct zfcp_qdio *qdio)
{
long ret;
- spin_unlock_irq(&qdio->req_q_lock);
- ret = wait_event_interruptible_timeout(qdio->req_q_wq,
- zfcp_qdio_sbal_check(qdio), 5 * HZ);
+ ret = wait_event_interruptible_lock_irq_timeout(qdio->req_q_wq,
+ zfcp_qdio_sbal_check(qdio), qdio->req_q_lock, 5
* HZ);
if (!(atomic_read(&qdio->adapter->status) &
ZFCP_STATUS_ADAPTER_QDIOUP)) return -EIO;
@@ -262,7 +259,6 @@ int zfcp_qdio_sbal_get(struct zfcp_qdio *qdio)
zfcp_erp_adapter_reopen(qdio->adapter, 0, "qdsbg_1");
}
- spin_lock_irq(&qdio->req_q_lock);
return -EIO;
}
diff --git a/drivers/s390/scsi/zfcp_scsi.c
b/drivers/s390/scsi/zfcp_scsi.c index 7b31e3f..7b35364 100644
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -3,7 +3,7 @@
*
* Interface to Linux SCSI midlayer.
*
- * Copyright IBM Corp. 2002, 2010
+ * Copyright IBM Corp. 2002, 2013
*/
#define KMSG_COMPONENT "zfcp"
@@ -311,8 +311,12 @@ static struct scsi_host_template
zfcp_scsi_host_template = { .proc_name = "zfcp",
.can_queue = 4096,
.this_id = -1,
- .sg_tablesize = 1, /* adjusted later */
- .max_sectors = 8, /* adjusted later */
+ .sg_tablesize =
(((QDIO_MAX_ELEMENTS_PER_BUFFER - 1)
+ * ZFCP_QDIO_MAX_SBALS_PER_REQ) -
2),
+ /* GCD, adjusted later */
+ .max_sectors = (((QDIO_MAX_ELEMENTS_PER_BUFFER
- 1)
+ * ZFCP_QDIO_MAX_SBALS_PER_REQ) -
2) * 8,
+ /* GCD, adjusted later */
.dma_boundary = ZFCP_QDIO_SBALE_LEN - 1,
.cmd_per_lun = 1,
.use_clustering = 1,
diff --git a/drivers/scsi/aacraid/src.c b/drivers/scsi/aacraid/src.c
index 3b021ec..e34418f 100644
--- a/drivers/scsi/aacraid/src.c
+++ b/drivers/scsi/aacraid/src.c
@@ -93,6 +93,9 @@ static irqreturn_t aac_src_intr_message(int irq, void
*dev_id) int send_it = 0;
extern int aac_sync_mode;
+ src_writel(dev, MUnit.ODR_C, bellbits);
+ src_readl(dev, MUnit.ODR_C);
+
if (!aac_sync_mode) {
src_writel(dev, MUnit.ODR_C, bellbits);
src_readl(dev, MUnit.ODR_C);
diff --git a/drivers/scsi/isci/task.c b/drivers/scsi/isci/task.c
index 6bc74eb..efd9e9e 100644
--- a/drivers/scsi/isci/task.c
+++ b/drivers/scsi/isci/task.c
@@ -491,6 +491,7 @@ int isci_task_abort_task(struct sas_task *task)
struct isci_tmf tmf;
int ret = TMF_RESP_FUNC_FAILED;
unsigned long flags;
+ int target_done_already = 0;
/* Get the isci_request reference from the task. Note that
* this check does not depend on the pending request list
@@ -505,9 +506,11 @@ int isci_task_abort_task(struct sas_task *task)
/* If task is already done, the request isn't valid */
if (!(task->task_state_flags & SAS_TASK_STATE_DONE) &&
(task->task_state_flags & SAS_TASK_AT_INITIATOR) &&
- old_request)
+ old_request) {
idev = isci_get_device(task->dev->lldd_dev);
-
+ target_done_already = test_bit(IREQ_COMPLETE_IN_TARGET,
+ &old_request->flags);
+ }
spin_unlock(&task->task_state_lock);
spin_unlock_irqrestore(&ihost->scic_lock, flags);
@@ -561,7 +564,7 @@ int isci_task_abort_task(struct sas_task *task)
if (task->task_proto == SAS_PROTOCOL_SMP ||
sas_protocol_ata(task->task_proto) ||
- test_bit(IREQ_COMPLETE_IN_TARGET, &old_request->flags) ||
+ target_done_already ||
test_bit(IDEV_GONE, &idev->flags)) {
spin_unlock_irqrestore(&ihost->scic_lock, flags);
diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c
b/drivers/scsi/megaraid/megaraid_sas_base.c index ed38454..7593e28
100644 --- a/drivers/scsi/megaraid/megaraid_sas_base.c
+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
@@ -3493,11 +3493,21 @@ static int megasas_init_fw(struct
megasas_instance *instance) break;
}
- /*
- * We expect the FW state to be READY
- */
- if (megasas_transition_to_ready(instance, 0))
- goto fail_ready_state;
+ if (megasas_transition_to_ready(instance, 0)) {
+ atomic_set(&instance->fw_reset_no_pci_access, 1);
+ instance->instancet->adp_reset
+ (instance, instance->reg_set);
+ atomic_set(&instance->fw_reset_no_pci_access, 0);
+ dev_info(&instance->pdev->dev,
+ "megasas: FW restarted successfully from
%s!\n",
+ __func__);
+
+ /*waitting for about 30 second before retry*/
+ ssleep(30);
+
+ if (megasas_transition_to_ready(instance, 0))
+ goto fail_ready_state;
+ }
/* Check if MSI-X is supported while in ready state */
msix_enable =
(instance->instancet->read_fw_status_reg(reg_set) & @@ -4817,10
+4827,12 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance,
sense, sense_handle); }
- for (i = 0; i < ioc->sge_count && kbuff_arr[i]; i++) {
- dma_free_coherent(&instance->pdev->dev,
- kern_sge32[i].length,
- kbuff_arr[i],
kern_sge32[i].phys_addr);
+ for (i = 0; i < ioc->sge_count; i++) {
+ if (kbuff_arr[i])
+ dma_free_coherent(&instance->pdev->dev,
+ kern_sge32[i].length,
+ kbuff_arr[i],
+ kern_sge32[i].phys_addr);
}
megasas_return_cmd(instance, cmd);
diff --git a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
b/drivers/scsi/mpt2sas/mpt2sas_scsih.c index b1ebd6f..8718f10 100644
--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
+++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
@@ -3995,11 +3995,7 @@ _scsih_qcmd_lck(struct scsi_cmnd *scmd, void
(*done)(struct scsi_cmnd *)) else
mpi_control |=
MPI2_SCSIIO_CONTROL_SIMPLEQ; } else
-/* MPI Revision I (UNIT = 0xA) - removed MPI2_SCSIIO_CONTROL_UNTAGGED
*/ -/* mpi_control |=
MPI2_SCSIIO_CONTROL_UNTAGGED;
- */
- mpi_control |= (0x500);
-
+ mpi_control |= MPI2_SCSIIO_CONTROL_SIMPLEQ;
} else
mpi_control |= MPI2_SCSIIO_CONTROL_SIMPLEQ;
/* Make sure Device is not raid volume.
diff --git a/drivers/scsi/nsp32.c b/drivers/scsi/nsp32.c
index 62b6168..e705ed3 100644
--- a/drivers/scsi/nsp32.c
+++ b/drivers/scsi/nsp32.c
@@ -2926,7 +2926,7 @@ static void nsp32_do_bus_reset(nsp32_hw_data
*data)
* reset SCSI bus
*/
nsp32_write1(base, SCSI_BUS_CONTROL, BUSCTL_RST);
- udelay(RESET_HOLD_TIME);
+ mdelay(RESET_HOLD_TIME / 1000);
nsp32_write1(base, SCSI_BUS_CONTROL, 0);
for(i = 0; i < 5; i++) {
intrdat = nsp32_read2(base, IRQ_STATUS); /* dummy read
*/ diff --git a/drivers/scsi/qla2xxx/qla_iocb.c
b/drivers/scsi/qla2xxx/qla_iocb.c index 70dbf53..f2254d2 100644
--- a/drivers/scsi/qla2xxx/qla_iocb.c
+++ b/drivers/scsi/qla2xxx/qla_iocb.c
@@ -424,6 +424,8 @@ qla2x00_start_scsi(srb_t *sp)
__constant_cpu_to_le16(CF_SIMPLE_TAG);
break;
}
+ } else {
+ cmd_pkt->control_flags =
__constant_cpu_to_le16(CF_SIMPLE_TAG); }
/* Load SCSI command packet. */
@@ -1353,11 +1355,11 @@ qla24xx_build_scsi_crc_2_iocbs(srb_t *sp,
struct cmd_type_crc_2 *cmd_pkt, fcp_cmnd->task_attribute = TSK_ORDERED;
break;
default:
- fcp_cmnd->task_attribute = 0;
+ fcp_cmnd->task_attribute = TSK_SIMPLE;
break;
}
} else {
- fcp_cmnd->task_attribute = 0;
+ fcp_cmnd->task_attribute = TSK_SIMPLE;
}
cmd_pkt->fcp_rsp_dseg_len = 0; /* Let response come in status
iocb */ @@ -1563,7 +1565,12 @@ qla24xx_start_scsi(srb_t *sp)
case ORDERED_QUEUE_TAG:
cmd_pkt->task = TSK_ORDERED;
break;
+ default:
+ cmd_pkt->task = TSK_SIMPLE;
+ break;
}
+ } else {
+ cmd_pkt->task = TSK_SIMPLE;
}
/* Load SCSI command packet. */
diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
index 2936b44..5dba497 100644
--- a/drivers/scsi/scsi.c
+++ b/drivers/scsi/scsi.c
@@ -1030,6 +1030,9 @@ int scsi_get_vpd_page(struct scsi_device *sdev,
u8 page, unsigned char *buf, {
int i, result;
+ if (sdev->skip_vpd_pages)
+ goto fail;
+
/* Ask for all the pages supported by this device */
result = scsi_vpd_inquiry(sdev, buf, 0, buf_len);
if (result)
diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index a2ecd324..e157a93 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -673,10 +673,17 @@ static int scsi_setup_flush_cmnd(struct
scsi_device *sdp, struct request *rq)
static void sd_unprep_fn(struct request_queue *q, struct request *rq)
{
+ struct scsi_cmnd *SCpnt = rq->special;
+
if (rq->cmd_flags & REQ_DISCARD) {
free_page((unsigned long)rq->buffer);
rq->buffer = NULL;
}
+ if (SCpnt->cmnd != rq->cmd) {
+ mempool_free(SCpnt->cmnd, sd_cdb_pool);
+ SCpnt->cmnd = NULL;
+ SCpnt->cmd_len = 0;
+ }
}
/**
@@ -1540,21 +1547,6 @@ static int sd_done(struct scsi_cmnd *SCpnt)
if (rq_data_dir(SCpnt->request) == READ &&
scsi_prot_sg_count(SCpnt)) sd_dif_complete(SCpnt, good_bytes);
- if (scsi_host_dif_capable(sdkp->device->host,
sdkp->protection_type)
- == SD_DIF_TYPE2_PROTECTION && SCpnt->cmnd !=
SCpnt->request->cmd) { -
- /* We have to print a failed command here as the
- * extended CDB gets freed before scsi_io_completion()
- * is called.
- */
- if (result)
- scsi_print_command(SCpnt);
-
- mempool_free(SCpnt->cmnd, sd_cdb_pool);
- SCpnt->cmnd = NULL;
- SCpnt->cmd_len = 0;
- }
-
return good_bytes;
}
diff --git a/drivers/staging/android/logger.c
b/drivers/staging/android/logger.c index f7b8237d5..e5b797c 100644
--- a/drivers/staging/android/logger.c
+++ b/drivers/staging/android/logger.c
@@ -359,7 +359,7 @@ static ssize_t logger_aio_write(struct kiocb *iocb,
const struct iovec *iov, unsigned long nr_segs, loff_t ppos)
{
struct logger_log *log = file_get_log(iocb->ki_filp);
- size_t orig = log->w_off;
+ size_t orig;
struct logger_entry header;
struct timespec now;
ssize_t ret = 0;
@@ -378,6 +378,8 @@ static ssize_t logger_aio_write(struct kiocb *iocb,
const struct iovec *iov,
mutex_lock(&log->mutex);
+ orig = log->w_off;
+
/*
* Fix up any readers, pulling them forward to the first
readable
* entry after (what will be) the new write offset. We do this
now diff --git a/drivers/staging/comedi/comedi_fops.c
b/drivers/staging/comedi/comedi_fops.c index 41dea18..d29b050 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -1470,6 +1470,7 @@ static int do_cancel_ioctl(struct comedi_device
*dev, unsigned int arg, void *file)
{
struct comedi_subdevice *s;
+ int ret;
if (arg >= dev->n_subdevices)
return -EINVAL;
@@ -1486,7 +1487,11 @@ static int do_cancel_ioctl(struct comedi_device
*dev, unsigned int arg, if (s->busy != file)
return -EBUSY;
- return do_cancel(dev, s);
+ ret = do_cancel(dev, s);
+ if (comedi_get_subdevice_runflags(s) & SRF_USER)
+ wake_up_interruptible(&s->async->wait_head);
+
+ return ret;
}
/*
diff --git a/drivers/staging/line6/pcm.c b/drivers/staging/line6/pcm.c
index 5e319e3..01f00fd 100644
--- a/drivers/staging/line6/pcm.c
+++ b/drivers/staging/line6/pcm.c
@@ -378,8 +378,11 @@ static int snd_line6_pcm_free(struct snd_device
*device) */
static void pcm_disconnect_substream(struct snd_pcm_substream
*substream) {
- if (substream->runtime && snd_pcm_running(substream))
+ if (substream->runtime && snd_pcm_running(substream)) {
+ snd_pcm_stream_lock_irq(substream);
snd_pcm_stop(substream, SNDRV_PCM_STATE_DISCONNECTED);
+ snd_pcm_stream_unlock_irq(substream);
+ }
}
/*
diff --git a/drivers/staging/zram/zram_drv.c
b/drivers/staging/zram/zram_drv.c index 6edefde..b9b3342 100644
--- a/drivers/staging/zram/zram_drv.c
+++ b/drivers/staging/zram/zram_drv.c
@@ -327,8 +327,6 @@ static int zram_bvec_write(struct zram *zram,
struct bio_vec *bvec, u32 index,
if (page_zero_filled(uncmem)) {
kunmap_atomic(user_mem);
- if (is_partial_io(bvec))
- kfree(uncmem);
zram_stat_inc(&zram->stats.pages_zero);
zram_set_flag(zram, index, ZRAM_ZERO);
ret = 0;
@@ -468,13 +466,20 @@ out:
*/
static inline int valid_io_request(struct zram *zram, struct bio *bio)
{
- if (unlikely(
- (bio->bi_sector >= (zram->disksize >> SECTOR_SHIFT)) ||
- (bio->bi_sector & (ZRAM_SECTOR_PER_LOGICAL_BLOCK - 1))
||
- (bio->bi_size & (ZRAM_LOGICAL_BLOCK_SIZE - 1)))) {
+ u64 start, end, bound;
+ /* unaligned request */
+ if (unlikely(bio->bi_sector & (ZRAM_SECTOR_PER_LOGICAL_BLOCK -
1)))
+ return 0;
+ if (unlikely(bio->bi_size & (ZRAM_LOGICAL_BLOCK_SIZE - 1)))
+ return 0;
+
+ start = bio->bi_sector;
+ end = start + (bio->bi_size >> SECTOR_SHIFT);
+ bound = zram->disksize >> SECTOR_SHIFT;
+ /* out of range range */
+ if (unlikely(start >= bound || end > bound || start > end))
return 0;
- }
/* I/O request is valid */
return 1;
@@ -622,7 +627,9 @@ static void zram_slot_free_notify(struct
block_device *bdev, struct zram *zram;
zram = bdev->bd_disk->private_data;
+ down_write(&zram->lock);
zram_free_page(zram, index);
+ up_write(&zram->lock);
zram_stat64_inc(zram, &zram->stats.notify_free);
}
@@ -633,7 +640,7 @@ static const struct block_device_operations
zram_devops = {
static int create_device(struct zram *zram, int device_id)
{
- int ret = 0;
+ int ret = -ENOMEM;
init_rwsem(&zram->lock);
init_rwsem(&zram->init_lock);
@@ -643,7 +650,6 @@ static int create_device(struct zram *zram, int
device_id) if (!zram->queue) {
pr_err("Error allocating disk queue for device %d\n",
device_id);
- ret = -ENOMEM;
goto out;
}
@@ -653,11 +659,9 @@ static int create_device(struct zram *zram, int
device_id) /* gendisk structure */
zram->disk = alloc_disk(1);
if (!zram->disk) {
- blk_cleanup_queue(zram->queue);
pr_warn("Error allocating disk structure for device
%d\n", device_id);
- ret = -ENOMEM;
- goto out;
+ goto out_free_queue;
}
zram->disk->major = zram_major;
@@ -686,11 +690,17 @@ static int create_device(struct zram *zram, int
device_id) &zram_disk_attr_group);
if (ret < 0) {
pr_warn("Error creating sysfs group");
- goto out;
+ goto out_free_disk;
}
zram->init_done = 0;
+ return 0;
+out_free_disk:
+ del_gendisk(zram->disk);
+ put_disk(zram->disk);
+out_free_queue:
+ blk_cleanup_queue(zram->queue);
out:
return ret;
}
@@ -771,9 +781,11 @@ static void __exit zram_exit(void)
for (i = 0; i < num_devices; i++) {
zram = &zram_devices[i];
+ get_disk(zram->disk);
destroy_device(zram);
if (zram->init_done)
zram_reset_device(zram);
+ put_disk(zram->disk);
}
unregister_blkdev(zram_major, "zram");
diff --git a/drivers/staging/zram/zram_drv.h
b/drivers/staging/zram/zram_drv.h index 572c0b1..a6eb5d9 100644
--- a/drivers/staging/zram/zram_drv.h
+++ b/drivers/staging/zram/zram_drv.h
@@ -92,8 +92,9 @@ struct zram {
void *compress_buffer;
struct table *table;
spinlock_t stat64_lock; /* protect 64-bit stats */
- struct rw_semaphore lock; /* protect compression buffers and
table
- * against concurrent read and
writes */
+ struct rw_semaphore lock; /* protect compression buffers,
table,
+ * 32bit stat counters against
concurrent
+ * notifications, reads and writes */
struct request_queue *queue;
struct gendisk *disk;
int init_done;
diff --git a/drivers/staging/zram/zram_sysfs.c
b/drivers/staging/zram/zram_sysfs.c index edb0ed4..5e07628 100644
--- a/drivers/staging/zram/zram_sysfs.c
+++ b/drivers/staging/zram/zram_sysfs.c
@@ -186,8 +186,10 @@ static ssize_t mem_used_total_show(struct device
*dev, u64 val = 0;
struct zram *zram = dev_to_zram(dev);
+ down_read(&zram->init_lock);
if (zram->init_done)
val = zs_get_total_size_bytes(zram->mem_pool);
+ up_read(&zram->init_lock);
return sprintf(buf, "%llu\n", val);
}
diff --git a/drivers/target/iscsi/iscsi_target_configfs.c
b/drivers/target/iscsi/iscsi_target_configfs.c index a7b25e7..73adddc
100644 --- a/drivers/target/iscsi/iscsi_target_configfs.c
+++ b/drivers/target/iscsi/iscsi_target_configfs.c
@@ -393,7 +393,7 @@ static ssize_t
__iscsi_##prefix##_store_##name( \ if
(!capable(CAP_SYS_ADMIN)) \
return -EPERM; \ \
- snprintf(auth->name, PAGE_SIZE, "%s",
page); \
+ snprintf(auth->name, sizeof(auth->name), "%s",
page); \ if (!strncmp("NULL", auth->name,
4)) \ auth->naf_flags &=
~flags; \
else \
diff --git a/drivers/target/target_core_spc.c
b/drivers/target/target_core_spc.c index 6fd434d..290041b 100644 ---
a/drivers/target/target_core_spc.c +++
b/drivers/target/target_core_spc.c @@ -100,9 +100,12 @@ static int
spc_emulate_inquiry_std(struct se_cmd *cmd, char *buf)
buf[7] = 0x2; /* CmdQue=1 */
- snprintf(&buf[8], 8, "LIO-ORG");
- snprintf(&buf[16], 16, "%s", dev->se_sub_dev->t10_wwn.model);
- snprintf(&buf[32], 4, "%s", dev->se_sub_dev->t10_wwn.revision);
+ memcpy(&buf[8], "LIO-ORG ", 8);
+ memset(&buf[16], 0x20, 16);
+ memcpy(&buf[16], dev->se_sub_dev->t10_wwn.model,
+ min_t(size_t, strlen(dev->se_sub_dev->t10_wwn.model),
16));
+ memcpy(&buf[32], dev->se_sub_dev->t10_wwn.revision,
+ min_t(size_t,
strlen(dev->se_sub_dev->t10_wwn.revision), 4)); buf[4] = 31; /* Set
additional length to 31 */
return 0;
diff --git a/drivers/tty/hvc/hvsi_lib.c b/drivers/tty/hvc/hvsi_lib.c
index 59c135d..2c51419 100644
--- a/drivers/tty/hvc/hvsi_lib.c
+++ b/drivers/tty/hvc/hvsi_lib.c
@@ -341,8 +341,8 @@ void hvsilib_establish(struct hvsi_priv *pv)
pr_devel("HVSI@%x: ... waiting handshake\n", pv->termno);
- /* Try for up to 200s */
- for (timeout = 0; timeout < 20; timeout++) {
+ /* Try for up to 400ms */
+ for (timeout = 0; timeout < 40; timeout++) {
if (pv->established)
goto established;
if (!hvsi_get_packet(pv))
diff --git a/drivers/tty/serial/mxs-auart.c
b/drivers/tty/serial/mxs-auart.c index 3a667ee..647609d 100644
--- a/drivers/tty/serial/mxs-auart.c
+++ b/drivers/tty/serial/mxs-auart.c
@@ -381,11 +381,18 @@ static void mxs_auart_settermios(struct uart_port
*u,
static irqreturn_t mxs_auart_irq_handle(int irq, void *context)
{
- u32 istatus, istat;
+ u32 istat;
struct mxs_auart_port *s = context;
u32 stat = readl(s->port.membase + AUART_STAT);
- istatus = istat = readl(s->port.membase + AUART_INTR);
+ istat = readl(s->port.membase + AUART_INTR);
+
+ /* ack irq */
+ writel(istat & (AUART_INTR_RTIS
+ | AUART_INTR_TXIS
+ | AUART_INTR_RXIS
+ | AUART_INTR_CTSMIS),
+ s->port.membase + AUART_INTR_CLR);
if (istat & AUART_INTR_CTSMIS) {
uart_handle_cts_change(&s->port, stat &
AUART_STAT_CTS); @@ -404,12 +411,6 @@ static irqreturn_t
mxs_auart_irq_handle(int irq, void *context) istat &= ~AUART_INTR_TXIS;
}
- writel(istatus & (AUART_INTR_RTIS
- | AUART_INTR_TXIS
- | AUART_INTR_RXIS
- | AUART_INTR_CTSMIS),
- s->port.membase + AUART_INTR_CLR);
-
return IRQ_HANDLED;
}
@@ -549,7 +550,7 @@ auart_console_write(struct console *co, const char
*str, unsigned int count) struct mxs_auart_port *s;
struct uart_port *port;
unsigned int old_ctrl0, old_ctrl2;
- unsigned int to = 1000;
+ unsigned int to = 20000;
if (co->index > MXS_AUART_PORTS || co->index < 0)
return;
@@ -570,18 +571,23 @@ auart_console_write(struct console *co, const
char *str, unsigned int count)
uart_console_write(port, str, count,
mxs_auart_console_putchar);
- /*
- * Finally, wait for transmitter to become empty
- * and restore the TCR
- */
+ /* Finally, wait for transmitter to become empty ... */
while (readl(port->membase + AUART_STAT) & AUART_STAT_BUSY) {
+ udelay(1);
if (!to--)
break;
- udelay(1);
}
- writel(old_ctrl0, port->membase + AUART_CTRL0);
- writel(old_ctrl2, port->membase + AUART_CTRL2);
+ /*
+ * ... and restore the TCR if we waited long enough for the
transmitter
+ * to be idle. This might keep the transmitter enabled
although it is
+ * unused, but that is better than to disable it while it is
still
+ * transmitting.
+ */
+ if (!(readl(port->membase + AUART_STAT) & AUART_STAT_BUSY)) {
+ writel(old_ctrl0, port->membase + AUART_CTRL0);
+ writel(old_ctrl2, port->membase + AUART_CTRL2);
+ }
clk_disable(s->clk);
}
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index fe7faf0..74ae3a5 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -711,6 +711,15 @@ resubmit:
static inline int
hub_clear_tt_buffer (struct usb_device *hdev, u16 devinfo, u16 tt)
{
+ /* Need to clear both directions for control ep */
+ if (((devinfo >> 11) & USB_ENDPOINT_XFERTYPE_MASK) ==
+ USB_ENDPOINT_XFER_CONTROL) {
+ int status = usb_control_msg(hdev,
usb_sndctrlpipe(hdev, 0),
+ HUB_CLEAR_TT_BUFFER, USB_RT_PORT,
+ devinfo ^ 0x8000, tt, NULL, 0, 1000);
+ if (status)
+ return status;
+ }
return usb_control_msg(hdev, usb_sndctrlpipe(hdev, 0),
HUB_CLEAR_TT_BUFFER, USB_RT_PORT,
devinfo, tt, NULL, 0, 1000);
diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
index 6af23f2..9ee154b 100644
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -75,6 +75,12 @@ static const struct usb_device_id usb_quirk_list[] =
{ { USB_DEVICE(0x04d8, 0x000c), .driver_info =
USB_QUIRK_CONFIG_INTF_STRINGS },
+ /* CarrolTouch 4000U */
+ { USB_DEVICE(0x04e7, 0x0009), .driver_info =
USB_QUIRK_RESET_RESUME }, +
+ /* CarrolTouch 4500U */
+ { USB_DEVICE(0x04e7, 0x0030), .driver_info =
USB_QUIRK_RESET_RESUME }, +
/* Samsung Android phone modem - ID conflict with SPH-I500 */
{ USB_DEVICE(0x04e8, 0x6601), .driver_info =
USB_QUIRK_CONFIG_INTF_STRINGS },
diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
index 151eca8..06dffc8 100644
--- a/drivers/usb/dwc3/core.h
+++ b/drivers/usb/dwc3/core.h
@@ -728,8 +728,8 @@ struct dwc3 {
struct dwc3_event_type {
u32 is_devspec:1;
- u32 type:6;
- u32 reserved8_31:25;
+ u32 type:7;
+ u32 reserved8_31:24;
} __packed;
#define DWC3_DEPEVT_XFERCOMPLETE 0x01
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 8212dbb..234305a 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1558,6 +1558,7 @@ err1:
__dwc3_gadget_ep_disable(dwc->eps[0]);
err0:
+ dwc->gadget_driver = NULL;
spin_unlock_irqrestore(&dwc->lock, flags);
return ret;
diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c
index c788022..20a6b75 100644
--- a/drivers/usb/host/ehci-hub.c
+++ b/drivers/usb/host/ehci-hub.c
@@ -830,6 +830,7 @@ static int ehci_hub_control (
/* resume signaling for 20 msec */
ehci->reset_done[wIndex] = jiffies
+ msecs_to_jiffies(20);
+ set_bit(wIndex, &ehci->resuming_ports);
/* check the port again */
mod_timer(&ehci_to_hcd(ehci)->rh_timer,
ehci->reset_done[wIndex]);
diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
index cd0fc48..aecfc58 100644
--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -93,7 +93,6 @@ static void xhci_pci_quirks(struct device *dev,
struct xhci_hcd *xhci) }
if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
pdev->device ==
PCI_DEVICE_ID_INTEL_PANTHERPOINT_XHCI) {
- xhci->quirks |= XHCI_SPURIOUS_SUCCESS;
xhci->quirks |= XHCI_EP_LIMIT_QUIRK;
xhci->limit_active_eps = 64;
xhci->quirks |= XHCI_SW_BW_CHECKING;
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 8848616..21a01ac 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -434,7 +434,7 @@ static void ring_doorbell_for_active_rings(struct
xhci_hcd *xhci,
/* A ring has pending URBs if its TD list is not empty */
if (!(ep->ep_state & EP_HAS_STREAMS)) {
- if (!(list_empty(&ep->ring->td_list)))
+ if (ep->ring && !(list_empty(&ep->ring->td_list)))
xhci_ring_ep_doorbell(xhci, slot_id, ep_index,
0); return;
}
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 2c117ec..a37f20d 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -1152,9 +1152,6 @@ static int xhci_check_args(struct usb_hcd *hcd,
struct usb_device *udev, }
xhci = hcd_to_xhci(hcd);
- if (xhci->xhc_state & XHCI_STATE_HALTED)
- return -ENODEV;
-
if (check_virt_dev) {
if (!udev->slot_id || !xhci->devs[udev->slot_id]) {
printk(KERN_DEBUG "xHCI %s called with
unaddressed " @@ -1170,6 +1167,9 @@ static int xhci_check_args(struct
usb_hcd *hcd, struct usb_device *udev, }
}
+ if (xhci->xhc_state & XHCI_STATE_HALTED)
+ return -ENODEV;
+
return 1;
}
@@ -4654,6 +4654,13 @@ int xhci_gen_setup(struct usb_hcd *hcd,
xhci_get_quirks_t get_quirks)
get_quirks(dev, xhci);
+ /* In xhci controllers which follow xhci 1.0 spec gives a
spurious
+ * success event after a short transfer. This quirk will
ignore such
+ * spurious event.
+ */
+ if (xhci->hci_version > 0x96)
+ xhci->quirks |= XHCI_SPURIOUS_SUCCESS;
+
/* Make sure the HC is halted. */
retval = xhci_halt(xhci);
if (retval)
diff --git a/drivers/usb/misc/sisusbvga/sisusb.c
b/drivers/usb/misc/sisusbvga/sisusb.c index dd573ab..7af163d 100644
--- a/drivers/usb/misc/sisusbvga/sisusb.c
+++ b/drivers/usb/misc/sisusbvga/sisusb.c
@@ -3247,6 +3247,7 @@ static const struct usb_device_id sisusb_table[]
= { { USB_DEVICE(0x0711, 0x0903) },
{ USB_DEVICE(0x0711, 0x0918) },
{ USB_DEVICE(0x0711, 0x0920) },
+ { USB_DEVICE(0x0711, 0x0950) },
{ USB_DEVICE(0x182d, 0x021c) },
{ USB_DEVICE(0x182d, 0x0269) },
{ }
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index 5ad932d..e257c51 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -60,6 +60,7 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x0489, 0xE000) }, /* Pirelli Broadband S.p.A,
DP-L10 SIP/GSM Mobile */ { USB_DEVICE(0x0489, 0xE003) }, /* Pirelli
Broadband S.p.A, DP-L10 SIP/GSM Mobile */ { USB_DEVICE(0x0745,
0x1000) }, /* CipherLab USB CCD Barcode Scanner 1000 */
+ { USB_DEVICE(0x0846, 0x1100) }, /* NetGear Managed Switch
M4100 series, M5300 series, M7100 series */ { USB_DEVICE(0x08e6,
0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */
{ USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC
Device */ { USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC
Bill/Voucher Acceptor */ @@ -123,6 +124,8 @@ static const struct
usb_device_id id_table[] = { { USB_DEVICE(0x10C4, 0x85F8) }, /*
Virtenio Preon32 */ { USB_DEVICE(0x10C4, 0x8664) }, /* AC-Services
CAN-IF */ { USB_DEVICE(0x10C4, 0x8665) }, /* AC-Services OBD-IF */
+ { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB
Device */
+ { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni
ZigBee USB Device */ { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs
factory default */ { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs
factory default */ { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs
factory default */ @@ -153,6 +156,7 @@ static const struct
usb_device_id id_table[] = { { USB_DEVICE(0x17F4, 0xAAAA) }, /*
Wavesense Jazz blood glucose meter */ { USB_DEVICE(0x1843,
0x0200) }, /* Vaisala USB Instrument Cable */ { USB_DEVICE(0x18EF,
0xE00F) }, /* ELV USB-I2C-Interface */
+ { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662
Cable */ { USB_DEVICE(0x1BE3, 0x07A6) }, /* WAGO 750-923 USB Service
Cable */ { USB_DEVICE(0x1E29, 0x0102) }, /* Festo CPX-USB */
{ USB_DEVICE(0x1E29, 0x0501) }, /* Festo CMSP */
diff --git a/drivers/usb/serial/ftdi_sio.c
b/drivers/usb/serial/ftdi_sio.c index 5c3e249..710302ea 100644
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -741,9 +741,34 @@ static struct usb_device_id id_table_combined [] =
{ { USB_DEVICE(FTDI_VID, FTDI_NDI_AURORA_SCU_PID),
.driver_info =
(kernel_ulong_t)&ftdi_NDI_device_quirk }, { USB_DEVICE(TELLDUS_VID,
TELLDUS_TELLSTICK_PID) },
- { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_SERIAL_VX7_PID) },
- { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_CT29B_PID) },
- { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_RTS01_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S03_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_59_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57A_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57B_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_29A_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_29B_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_29F_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_62B_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S01_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_63_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_29C_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_81B_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_82B_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_K5D_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_K4Y_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_K5G_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S05_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_60_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_61_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_62_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_63B_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_64_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_65_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_92_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_92D_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_W5R_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_A5R_PID) },
+ { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_PW1_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_MAXSTREAM_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_PHI_FISCO_PID) },
{ USB_DEVICE(TML_VID, TML_USB_SERIAL_PID) },
diff --git a/drivers/usb/serial/ftdi_sio_ids.h
b/drivers/usb/serial/ftdi_sio_ids.h index 1e4bff5..b98e44a 100644
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -808,11 +808,35 @@
/*
* RT Systems programming cables for various ham radios
*/
-#define RTSYSTEMS_VID 0x2100 /* Vendor
ID */ -#define RTSYSTEMS_SERIAL_VX7_PID 0x9e52 /* Serial
converter for VX-7 Radios using FT232RL */ -#define
RTSYSTEMS_CT29B_PID 0x9e54 /* CT29B Radio Cable
*/ -#define RTSYSTEMS_RTS01_PID 0x9e57 /*
USB-RTS01 Radio Cable */ - +#define RTSYSTEMS_VID
0x2100 /* Vendor ID */ +#define RTSYSTEMS_USB_S03_PID
0x9001 /* RTS-03 USB to Serial Adapter */ +#define
RTSYSTEMS_USB_59_PID 0x9e50 /* USB-59 USB to 8 pin plug
*/ +#define RTSYSTEMS_USB_57A_PID 0x9e51 /* USB-57A USB
to 4pin 3.5mm plug */ +#define RTSYSTEMS_USB_57B_PID
0x9e52 /* USB-57B USB to extended 4pin 3.5mm plug */ +#define
RTSYSTEMS_USB_29A_PID 0x9e53 /* USB-29A USB to 3.5mm
stereo plug */ +#define RTSYSTEMS_USB_29B_PID 0x9e54 /*
USB-29B USB to 6 pin mini din */ +#define RTSYSTEMS_USB_29F_PID
0x9e55 /* USB-29F USB to 6 pin modular plug */ +#define
RTSYSTEMS_USB_62B_PID 0x9e56 /* USB-62B USB to 8 pin mini
din plug*/ +#define RTSYSTEMS_USB_S01_PID 0x9e57 /*
USB-RTS01 USB to 3.5 mm stereo plug*/ +#define
RTSYSTEMS_USB_63_PID 0x9e58 /* USB-63 USB to 9 pin
female*/ +#define RTSYSTEMS_USB_29C_PID 0x9e59 /* USB-29C
USB to 4 pin modular plug*/ +#define RTSYSTEMS_USB_81B_PID
0x9e5A /* USB-81 USB to 8 pin mini din plug*/ +#define
RTSYSTEMS_USB_82B_PID 0x9e5B /* USB-82 USB to 2.5 mm
stereo plug*/ +#define RTSYSTEMS_USB_K5D_PID 0x9e5C /*
USB-K5D USB to 8 pin modular plug*/ +#define
RTSYSTEMS_USB_K4Y_PID 0x9e5D /* USB-K4Y USB to 2.5/3.5 mm
plugs*/ +#define RTSYSTEMS_USB_K5G_PID 0x9e5E /* USB-K5G
USB to 8 pin modular plug*/ +#define RTSYSTEMS_USB_S05_PID
0x9e5F /* USB-RTS05 USB to 2.5 mm stereo plug*/ +#define
RTSYSTEMS_USB_60_PID 0x9e60 /* USB-60 USB to 6 pin din*/
+#define RTSYSTEMS_USB_61_PID 0x9e61 /* USB-61 USB to 6
pin mini din*/ +#define RTSYSTEMS_USB_62_PID 0x9e62 /*
USB-62 USB to 8 pin mini din*/ +#define RTSYSTEMS_USB_63B_PID
0x9e63 /* USB-63 USB to 9 pin female*/ +#define
RTSYSTEMS_USB_64_PID 0x9e64 /* USB-64 USB to 9 pin male*/
+#define RTSYSTEMS_USB_65_PID 0x9e65 /* USB-65 USB to 9
pin female null modem*/ +#define RTSYSTEMS_USB_92_PID
0x9e66 /* USB-92 USB to 12 pin plug*/ +#define
RTSYSTEMS_USB_92D_PID 0x9e67 /* USB-92D USB to 12 pin
plug data*/ +#define RTSYSTEMS_USB_W5R_PID 0x9e68 /*
USB-W5R USB to 8 pin modular plug*/ +#define
RTSYSTEMS_USB_A5R_PID 0x9e69 /* USB-A5R USB to 8 pin
modular plug*/ +#define RTSYSTEMS_USB_PW1_PID 0x9e6A /*
USB-PW1 USB to 8 pin modular plug*/ /*
* Physik Instrumente
diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
index caf85ab..c9e3455 100644
--- a/drivers/usb/serial/keyspan.c
+++ b/drivers/usb/serial/keyspan.c
@@ -2389,7 +2389,7 @@ static int keyspan_startup(struct usb_serial
*serial) if (d_details == NULL) {
dev_err(&serial->dev->dev, "%s - unknown product id
%x\n", __func__, le16_to_cpu(serial->dev->descriptor.idProduct));
- return 1;
+ return -ENODEV;
}
/* Setup private data for serial driver */
diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
index b691404..3d3b53d 100644
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -97,6 +97,7 @@ struct urbtracker {
struct list_head urblist_entry;
struct kref ref_count;
struct urb *urb;
+ struct usb_ctrlrequest *setup;
};
enum mos7715_pp_modes {
@@ -278,6 +279,7 @@ static void destroy_urbtracker(struct kref *kref)
struct mos7715_parport *mos_parport = urbtrack->mos_parport;
usb_free_urb(urbtrack->urb);
+ kfree(urbtrack->setup);
kfree(urbtrack);
kref_put(&mos_parport->ref_count, destroy_mos_parport);
}
@@ -360,7 +362,6 @@ static int write_parport_reg_nonblock(struct
mos7715_parport *mos_parport, struct urbtracker *urbtrack;
int ret_val;
unsigned long flags;
- struct usb_ctrlrequest setup;
struct usb_serial *serial = mos_parport->serial;
struct usb_device *usbdev = serial->dev;
@@ -378,14 +379,20 @@ static int write_parport_reg_nonblock(struct
mos7715_parport *mos_parport, kfree(urbtrack);
return -ENOMEM;
}
- setup.bRequestType = (__u8)0x40;
- setup.bRequest = (__u8)0x0e;
- setup.wValue = get_reg_value(reg, dummy);
- setup.wIndex = get_reg_index(reg);
- setup.wLength = 0;
+ urbtrack->setup = kmalloc(sizeof(*urbtrack->setup),
GFP_KERNEL);
+ if (!urbtrack->setup) {
+ usb_free_urb(urbtrack->urb);
+ kfree(urbtrack);
+ return -ENOMEM;
+ }
+ urbtrack->setup->bRequestType = (__u8)0x40;
+ urbtrack->setup->bRequest = (__u8)0x0e;
+ urbtrack->setup->wValue = get_reg_value(reg, dummy);
+ urbtrack->setup->wIndex = get_reg_index(reg);
+ urbtrack->setup->wLength = 0;
usb_fill_control_urb(urbtrack->urb, usbdev,
usb_sndctrlpipe(usbdev, 0),
- (unsigned char *)&setup,
+ (unsigned char *)urbtrack->setup,
NULL, 0, async_complete, urbtrack);
kref_init(&urbtrack->ref_count);
INIT_LIST_HEAD(&urbtrack->urblist_entry);
diff --git a/drivers/usb/serial/mos7840.c b/drivers/usb/serial/mos7840.c
index 3193d25..dc46df5 100644
--- a/drivers/usb/serial/mos7840.c
+++ b/drivers/usb/serial/mos7840.c
@@ -187,7 +187,10 @@
#define LED_ON_MS 500
#define LED_OFF_MS 500
-static int device_type;
+enum mos7840_flag {
+ MOS7840_FLAG_CTRL_BUSY,
+ MOS7840_FLAG_LED_BUSY,
+};
static const struct usb_device_id id_table[] = {
{USB_DEVICE(USB_VENDOR_ID_MOSCHIP, MOSCHIP_DEVICE_ID_7840)},
@@ -244,9 +247,12 @@ struct moschip_port {
/* For device(s) with LED indicator */
bool has_led;
- bool led_flag;
struct timer_list led_timer1; /* Timer for LED on */
struct timer_list led_timer2; /* Timer for LED off */
+ struct urb *led_urb;
+ struct usb_ctrlrequest *led_dr;
+
+ unsigned long flags;
};
static bool debug;
@@ -507,11 +513,11 @@ static void mos7840_control_callback(struct urb
*urb) /* this urb is terminated, clean up */
dbg("%s - urb shutting down with status: %d", __func__,
status);
- return;
+ goto out;
default:
dbg("%s - nonzero urb status received: %d", __func__,
status);
- return;
+ goto out;
}
dbg("%s urb buffer size is %d", __func__, urb->actual_length);
@@ -524,6 +530,8 @@ static void mos7840_control_callback(struct urb
*urb) mos7840_handle_new_msr(mos7840_port, regval);
else if (mos7840_port->MsrLsr == 1)
mos7840_handle_new_lsr(mos7840_port, regval);
+out:
+ clear_bit_unlock(MOS7840_FLAG_CTRL_BUSY, &mos7840_port->flags);
}
static int mos7840_get_reg(struct moschip_port *mcs, __u16 Wval, __u16
reg, @@ -534,6 +542,9 @@ static int mos7840_get_reg(struct moschip_port
*mcs, __u16 Wval, __u16 reg, unsigned char *buffer = mcs->ctrl_buf;
int ret;
+ if (test_and_set_bit_lock(MOS7840_FLAG_CTRL_BUSY, &mcs->flags))
+ return -EBUSY;
+
dr->bRequestType = MCS_RD_RTYPE;
dr->bRequest = MCS_RDREQ;
dr->wValue = cpu_to_le16(Wval); /* 0 */
@@ -545,6 +556,9 @@ static int mos7840_get_reg(struct moschip_port
*mcs, __u16 Wval, __u16 reg, mos7840_control_callback, mcs);
mcs->control_urb->transfer_buffer_length = 2;
ret = usb_submit_urb(mcs->control_urb, GFP_ATOMIC);
+ if (ret)
+ clear_bit_unlock(MOS7840_FLAG_CTRL_BUSY, &mcs->flags);
+
return ret;
}
@@ -571,7 +585,7 @@ static void mos7840_set_led_async(struct
moschip_port *mcs, __u16 wval, __u16 reg)
{
struct usb_device *dev = mcs->port->serial->dev;
- struct usb_ctrlrequest *dr = mcs->dr;
+ struct usb_ctrlrequest *dr = mcs->led_dr;
dr->bRequestType = MCS_WR_RTYPE;
dr->bRequest = MCS_WRREQ;
@@ -579,10 +593,10 @@ static void mos7840_set_led_async(struct
moschip_port *mcs, __u16 wval, dr->wIndex = cpu_to_le16(reg);
dr->wLength = cpu_to_le16(0);
- usb_fill_control_urb(mcs->control_urb, dev,
usb_sndctrlpipe(dev, 0),
+ usb_fill_control_urb(mcs->led_urb, dev, usb_sndctrlpipe(dev,
0), (unsigned char *)dr, NULL, 0, mos7840_set_led_callback, NULL);
- usb_submit_urb(mcs->control_urb, GFP_ATOMIC);
+ usb_submit_urb(mcs->led_urb, GFP_ATOMIC);
}
static void mos7840_set_led_sync(struct usb_serial_port *port, __u16
reg, @@ -608,7 +622,19 @@ static void mos7840_led_flag_off(unsigned
long arg) {
struct moschip_port *mcs = (struct moschip_port *) arg;
- mcs->led_flag = false;
+ clear_bit_unlock(MOS7840_FLAG_LED_BUSY, &mcs->flags);
+}
+
+static void mos7840_led_activity(struct usb_serial_port *port)
+{
+ struct moschip_port *mos7840_port =
usb_get_serial_port_data(port); +
+ if (test_and_set_bit_lock(MOS7840_FLAG_LED_BUSY,
&mos7840_port->flags))
+ return;
+
+ mos7840_set_led_async(mos7840_port, 0x0301,
MODEM_CONTROL_REGISTER);
+ mod_timer(&mos7840_port->led_timer1,
+ jiffies + msecs_to_jiffies(LED_ON_MS));
}
/*****************************************************************************
@@ -818,14 +844,8 @@ static void mos7840_bulk_in_callback(struct urb
*urb) return;
}
- /* Turn on LED */
- if (mos7840_port->has_led && !mos7840_port->led_flag) {
- mos7840_port->led_flag = true;
- mos7840_set_led_async(mos7840_port, 0x0301,
- MODEM_CONTROL_REGISTER);
- mod_timer(&mos7840_port->led_timer1,
- jiffies + msecs_to_jiffies(LED_ON_MS));
- }
+ if (mos7840_port->has_led)
+ mos7840_led_activity(port);
mos7840_port->read_urb_busy = true;
retval = usb_submit_urb(mos7840_port->read_urb, GFP_ATOMIC);
@@ -879,18 +899,6 @@ static void mos7840_bulk_out_data_callback(struct
urb
*urb) /************************************************************************/ /*
D R I V E R T T Y I N T E R F A C E F U N C T I O N S
*/ /************************************************************************/
-#ifdef MCSSerialProbe -static int mos7840_serial_probe(struct
usb_serial *serial,
- const struct usb_device_id *id)
-{
-
- /*need to implement the mode_reg reading and updating\
- structures usb_serial_ device_type\
- (i.e num_ports, num_bulkin,bulkout etc) */
- /* Also we can update the changes attach */
- return 1;
-}
-#endif
/*****************************************************************************
* mos7840_open
@@ -972,20 +980,20 @@ static int mos7840_open(struct tty_struct *tty,
struct usb_serial_port *port) status = mos7840_get_reg_sync(port,
mos7840_port->SpRegOffset, &Data); if (status < 0) {
dbg("Reading Spreg failed");
- return -1;
+ goto err;
}
Data |= 0x80;
status = mos7840_set_reg_sync(port, mos7840_port->SpRegOffset,
Data); if (status < 0) {
dbg("writing Spreg failed");
- return -1;
+ goto err;
}
Data &= ~0x80;
status = mos7840_set_reg_sync(port, mos7840_port->SpRegOffset,
Data); if (status < 0) {
dbg("writing Spreg failed");
- return -1;
+ goto err;
}
/* End of block to be checked */
@@ -994,7 +1002,7 @@ static int mos7840_open(struct tty_struct *tty,
struct usb_serial_port *port) &Data);
if (status < 0) {
dbg("Reading Controlreg failed");
- return -1;
+ goto err;
}
Data |= 0x08; /* Driver done bit */
Data |= 0x20; /* rx_disable */
@@ -1002,7 +1010,7 @@ static int mos7840_open(struct tty_struct *tty,
struct usb_serial_port *port) mos7840_port->ControlRegOffset, Data);
if (status < 0) {
dbg("writing Controlreg failed");
- return -1;
+ goto err;
}
/* do register settings here */
/* Set all regs to the device default values. */
@@ -1013,21 +1021,21 @@ static int mos7840_open(struct tty_struct *tty,
struct usb_serial_port *port) status = mos7840_set_uart_reg(port,
INTERRUPT_ENABLE_REGISTER, Data); if (status < 0) {
dbg("disabling interrupts failed");
- return -1;
+ goto err;
}
/* Set FIFO_CONTROL_REGISTER to the default value */
Data = 0x00;
status = mos7840_set_uart_reg(port, FIFO_CONTROL_REGISTER,
Data); if (status < 0) {
dbg("Writing FIFO_CONTROL_REGISTER failed");
- return -1;
+ goto err;
}
Data = 0xcf;
status = mos7840_set_uart_reg(port, FIFO_CONTROL_REGISTER,
Data); if (status < 0) {
dbg("Writing FIFO_CONTROL_REGISTER failed");
- return -1;
+ goto err;
}
Data = 0x03;
@@ -1181,6 +1189,15 @@ static int mos7840_open(struct tty_struct *tty,
struct usb_serial_port *port) serial, mos7840_port, port);
return 0;
+err:
+ for (j = 0; j < NUM_URBS; ++j) {
+ urb = mos7840_port->write_urb_pool[j];
+ if (!urb)
+ continue;
+ kfree(urb->transfer_buffer);
+ usb_free_urb(urb);
+ }
+ return status;
}
/*****************************************************************************
@@ -1567,13 +1584,8 @@ static int mos7840_write(struct tty_struct *tty,
struct usb_serial_port *port, data1 = urb->transfer_buffer;
dbg("bulkout endpoint is %d", port->bulk_out_endpointAddress);
- /* Turn on LED */
- if (mos7840_port->has_led && !mos7840_port->led_flag) {
- mos7840_port->led_flag = true;
- mos7840_set_led_sync(port, MODEM_CONTROL_REGISTER,
0x0301);
- mod_timer(&mos7840_port->led_timer1,
- jiffies + msecs_to_jiffies(LED_ON_MS));
- }
+ if (mos7840_port->has_led)
+ mos7840_led_activity(port);
/* send it down the pipe */
status = usb_submit_urb(urb, GFP_ATOMIC);
@@ -2392,38 +2404,48 @@ static int mos7810_check(struct usb_serial
*serial) return 0;
}
-static int mos7840_calc_num_ports(struct usb_serial *serial)
+static int mos7840_probe(struct usb_serial *serial,
+ const struct usb_device_id *id)
{
- __u16 data = 0x00;
+ u16 product = le16_to_cpu(serial->dev->descriptor.idProduct);
u8 *buf;
- int mos7840_num_ports;
+ int device_type;
+
+ if (product == MOSCHIP_DEVICE_ID_7810 ||
+ product == MOSCHIP_DEVICE_ID_7820) {
+ device_type = product;
+ goto out;
+ }
buf = kzalloc(VENDOR_READ_LENGTH, GFP_KERNEL);
- if (buf) {
- usb_control_msg(serial->dev,
usb_rcvctrlpipe(serial->dev, 0),
+ if (!buf)
+ return -ENOMEM;
+
+ usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0),
MCS_RDREQ, MCS_RD_RTYPE, 0, GPIO_REGISTER, buf,
VENDOR_READ_LENGTH, MOS_WDR_TIMEOUT);
- data = *buf;
- kfree(buf);
- }
- if (serial->dev->descriptor.idProduct ==
MOSCHIP_DEVICE_ID_7810 ||
- serial->dev->descriptor.idProduct ==
MOSCHIP_DEVICE_ID_7820) {
- device_type = serial->dev->descriptor.idProduct;
- } else {
- /* For a MCS7840 device GPIO0 must be set to 1 */
- if ((data & 0x01) == 1)
- device_type = MOSCHIP_DEVICE_ID_7840;
- else if (mos7810_check(serial))
- device_type = MOSCHIP_DEVICE_ID_7810;
- else
- device_type = MOSCHIP_DEVICE_ID_7820;
- }
+ /* For a MCS7840 device GPIO0 must be set to 1 */
+ if (buf[0] & 0x01)
+ device_type = MOSCHIP_DEVICE_ID_7840;
+ else if (mos7810_check(serial))
+ device_type = MOSCHIP_DEVICE_ID_7810;
+ else
+ device_type = MOSCHIP_DEVICE_ID_7820;
+
+ kfree(buf);
+out:
+ usb_set_serial_data(serial, (void *)(unsigned
long)device_type); +
+ return 0;
+}
+
+static int mos7840_calc_num_ports(struct usb_serial *serial)
+{
+ int device_type = (unsigned long)usb_get_serial_data(serial);
+ int mos7840_num_ports;
mos7840_num_ports = (device_type >> 4) & 0x000F;
- serial->num_bulk_in = mos7840_num_ports;
- serial->num_bulk_out = mos7840_num_ports;
- serial->num_ports = mos7840_num_ports;
return mos7840_num_ports;
}
@@ -2431,6 +2453,7 @@ static int mos7840_calc_num_ports(struct
usb_serial *serial) static int mos7840_port_probe(struct
usb_serial_port *port) {
struct usb_serial *serial = port->serial;
+ int device_type = (unsigned long)usb_get_serial_data(serial);
struct moschip_port *mos7840_port;
int status;
int pnum;
@@ -2633,6 +2656,14 @@ static int mos7840_port_probe(struct
usb_serial_port *port) if (device_type == MOSCHIP_DEVICE_ID_7810) {
mos7840_port->has_led = true;
+ mos7840_port->led_urb = usb_alloc_urb(0,
GFP_KERNEL);
+ mos7840_port->led_dr =
kmalloc(sizeof(*mos7840_port->led_dr),
+
GFP_KERNEL);
+ if (!mos7840_port->led_urb
|| !mos7840_port->led_dr) {
+ status = -ENOMEM;
+ goto error;
+ }
+
init_timer(&mos7840_port->led_timer1);
mos7840_port->led_timer1.function =
mos7840_led_off; mos7840_port->led_timer1.expires =
@@ -2648,8 +2679,6 @@ static int mos7840_port_probe(struct
usb_serial_port *port) mos7840_port->led_timer2.data =
(unsigned
long)mos7840_port;
- mos7840_port->led_flag = false;
-
/* Turn off LED */
mos7840_set_led_sync(port,
MODEM_CONTROL_REGISTER,
0x0300); @@ -2675,6 +2704,8 @@ static int mos7840_port_probe(struct
usb_serial_port *port) }
return 0;
error:
+ kfree(mos7840_port->led_dr);
+ usb_free_urb(mos7840_port->led_urb);
kfree(mos7840_port->dr);
kfree(mos7840_port->ctrl_buf);
usb_free_urb(mos7840_port->control_urb);
@@ -2695,6 +2726,10 @@ static int mos7840_port_remove(struct
usb_serial_port *port)
del_timer_sync(&mos7840_port->led_timer1);
del_timer_sync(&mos7840_port->led_timer2);
+
+ usb_kill_urb(mos7840_port->led_urb);
+ usb_free_urb(mos7840_port->led_urb);
+ kfree(mos7840_port->led_dr);
}
usb_kill_urb(mos7840_port->control_urb);
usb_free_urb(mos7840_port->control_urb);
@@ -2721,9 +2756,7 @@ static struct usb_serial_driver
moschip7840_4port_device = { .throttle = mos7840_throttle,
.unthrottle = mos7840_unthrottle,
.calc_num_ports = mos7840_calc_num_ports,
-#ifdef MCSSerialProbe
- .probe = mos7840_serial_probe,
-#endif
+ .probe = mos7840_probe,
.ioctl = mos7840_ioctl,
.set_termios = mos7840_set_termios,
.break_ctl = mos7840_break,
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 27adfce..d53681f 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -348,17 +348,12 @@ static void option_instat_callback(struct urb
*urb); #define OLIVETTI_VENDOR_ID 0x0b3c
#define OLIVETTI_PRODUCT_OLICARD100 0xc000
#define OLIVETTI_PRODUCT_OLICARD145 0xc003
+#define OLIVETTI_PRODUCT_OLICARD200 0xc005
/* Celot products */
#define CELOT_VENDOR_ID 0x211f
#define CELOT_PRODUCT_CT680M 0x6801
-/* ONDA Communication vendor id */
-#define ONDA_VENDOR_ID 0x1ee8
-
-/* ONDA MT825UP HSDPA 14.2 modem */
-#define ONDA_MT825UP 0x000b
-
/* Samsung products */
#define SAMSUNG_VENDOR_ID 0x04e8
#define SAMSUNG_PRODUCT_GT_B3730 0x6889
@@ -805,7 +800,8 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0017, 0xff,
0xff, 0xff), .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0018, 0xff,
0xff, 0xff) },
- { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0019, 0xff,
0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0019, 0xff,
0xff, 0xff),
+ .driver_info = (kernel_ulong_t)&net_intf3_blacklist },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0020, 0xff,
0xff, 0xff) }, { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0021,
0xff, 0xff, 0xff), .driver_info =
(kernel_ulong_t)&net_intf4_blacklist }, @@ -1240,8 +1236,8 @@ static
const struct usb_device_id option_ids[] = {
{ USB_DEVICE(OLIVETTI_VENDOR_ID,
OLIVETTI_PRODUCT_OLICARD100) }, { USB_DEVICE(OLIVETTI_VENDOR_ID,
OLIVETTI_PRODUCT_OLICARD145) },
+ { USB_DEVICE(OLIVETTI_VENDOR_ID,
OLIVETTI_PRODUCT_OLICARD200) }, { USB_DEVICE(CELOT_VENDOR_ID,
CELOT_PRODUCT_CT680M) }, /* CT-650 CDMA 450 1xEVDO modem */
- { USB_DEVICE(ONDA_VENDOR_ID, ONDA_MT825UP) }, /* ONDA MT825UP
modem */ { USB_DEVICE_AND_INTERFACE_INFO(SAMSUNG_VENDOR_ID,
SAMSUNG_PRODUCT_GT_B3730, USB_CLASS_CDC_DATA, 0x00, 0x00) }, /* Samsung
GT-B3730 LTE USB modem.*/ { USB_DEVICE(YUGA_VENDOR_ID,
YUGA_PRODUCT_CEM600) }, { USB_DEVICE(YUGA_VENDOR_ID,
YUGA_PRODUCT_CEM610) }, @@ -1315,6 +1311,8 @@ static const struct
usb_device_id option_ids[] = { { USB_DEVICE_AND_INTERFACE_INFO(0x2001,
0x7d02, 0xff, 0x00, 0x00) }, { USB_DEVICE_AND_INTERFACE_INFO(0x2001,
0x7d03, 0xff, 0x02, 0x01) }, { USB_DEVICE_AND_INTERFACE_INFO(0x2001,
0x7d03, 0xff, 0x00, 0x00) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff,
0xff) }, /* D-Link DWM-152/C1 */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff,
0xff) }, /* D-Link DWM-156/C1 */ { } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
diff --git a/drivers/usb/serial/ti_usb_3410_5052.c
b/drivers/usb/serial/ti_usb_3410_5052.c index c7550bf..33e3cb9 100644
--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -383,7 +383,7 @@ static int ti_startup(struct usb_serial *serial)
usb_set_serial_data(serial, tdev);
/* determine device type */
- if (usb_match_id(serial->interface, ti_id_table_3410))
+ if (serial->type == &ti_1port_device)
tdev->td_is_3410 = 1;
dbg("%s - device type is %s", __func__,
tdev->td_is_3410 ? "3410" : "5052");
@@ -1639,14 +1639,15 @@ static int ti_download_firmware(struct
ti_device *tdev) char buf[32];
/* try ID specific firmware first, then try generic firmware */
- sprintf(buf, "ti_usb-v%04x-p%04x.fw", dev->descriptor.idVendor,
- dev->descriptor.idProduct);
+ sprintf(buf, "ti_usb-v%04x-p%04x.fw",
+ le16_to_cpu(dev->descriptor.idVendor),
+ le16_to_cpu(dev->descriptor.idProduct));
status = request_firmware(&fw_p, buf, &dev->dev);
if (status != 0) {
buf[0] = '\0';
- if (dev->descriptor.idVendor == MTS_VENDOR_ID) {
- switch (dev->descriptor.idProduct) {
+ if (le16_to_cpu(dev->descriptor.idVendor) ==
MTS_VENDOR_ID) {
+ switch
(le16_to_cpu(dev->descriptor.idProduct)) { case MTS_CDMA_PRODUCT_ID:
strcpy(buf, "mts_cdma.fw");
break;
diff --git a/drivers/usb/serial/usb_wwan.c
b/drivers/usb/serial/usb_wwan.c index 188b5b3..5e9e1df 100644
--- a/drivers/usb/serial/usb_wwan.c
+++ b/drivers/usb/serial/usb_wwan.c
@@ -299,18 +299,18 @@ static void usb_wwan_indat_callback(struct urb
*urb) tty_kref_put(tty);
}
- /* Resubmit urb so we continue receiving */
- err = usb_submit_urb(urb, GFP_ATOMIC);
- if (err) {
- if (err != -EPERM) {
- printk(KERN_ERR "%s: resubmit read urb
failed. "
- "(%d)", __func__, err);
- /* busy also in error unless we are
killed */
- usb_mark_last_busy(port->serial->dev);
- }
- } else {
+ }
+ /* Resubmit urb so we continue receiving */
+ err = usb_submit_urb(urb, GFP_ATOMIC);
+ if (err) {
+ if (err != -EPERM) {
+ printk(KERN_ERR "%s: resubmit read urb failed.
(%d)\n",
+ __func__, err);
+ /* busy also in error unless we are killed */
usb_mark_last_busy(port->serial->dev);
}
+ } else {
+ usb_mark_last_busy(port->serial->dev);
}
}
diff --git a/drivers/usb/storage/unusual_devs.h
b/drivers/usb/storage/unusual_devs.h index 3561322..a9e9a96 100644
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -657,6 +657,13 @@ UNUSUAL_DEV( 0x054c, 0x016a, 0x0000, 0x9999,
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_FIX_INQUIRY ),
+/* Submitted by Ren Bigcren <bigcren.ren@sonymobile.com> */
+UNUSUAL_DEV( 0x054c, 0x02a5, 0x0100, 0x0100,
+ "Sony Corp.",
+ "MicroVault Flash Drive",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_READ_CAPACITY_16 ),
+
/* floppy reports multiple luns */
UNUSUAL_DEV( 0x055d, 0x2020, 0x0000, 0x0210,
"SAMSUNG",
diff --git a/drivers/usb/wusbcore/wa-xfer.c
b/drivers/usb/wusbcore/wa-xfer.c index 57c01ab..1ebc17e 100644
--- a/drivers/usb/wusbcore/wa-xfer.c
+++ b/drivers/usb/wusbcore/wa-xfer.c
@@ -1110,6 +1110,12 @@ int wa_urb_dequeue(struct wahc *wa, struct urb
*urb) }
spin_lock_irqsave(&xfer->lock, flags);
rpipe = xfer->ep->hcpriv;
+ if (rpipe == NULL) {
+ pr_debug("%s: xfer id 0x%08X has no RPIPE. %s",
+ __func__, wa_xfer_id(xfer),
+ "Probably already aborted.\n" );
+ goto out_unlock;
+ }
/* Check the delayed list -> if there, release and complete */
spin_lock_irqsave(&wa->xfer_list_lock, flags2);
if (!list_empty(&xfer->list_node) && xfer->seg == NULL)
@@ -1493,8 +1499,7 @@ static void wa_xfer_result_cb(struct urb *urb)
break;
}
usb_status = xfer_result->bTransferStatus & 0x3f;
- if (usb_status == WA_XFER_STATUS_ABORTED
- || usb_status == WA_XFER_STATUS_NOT_FOUND)
+ if (usb_status == WA_XFER_STATUS_NOT_FOUND)
/* taken care of already */
break;
xfer_id = xfer_result->dwTransferID;
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index ef82a0d..c0492d7 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -1600,7 +1600,7 @@ void vhost_ubuf_put_and_wait(struct
vhost_ubuf_ref *ubufs) kfree(ubufs);
}
-void vhost_zerocopy_callback(struct ubuf_info *ubuf)
+void vhost_zerocopy_callback(struct ubuf_info *ubuf, bool status)
{
struct vhost_ubuf_ref *ubufs = ubuf->ctx;
struct vhost_virtqueue *vq = ubufs->vq;
diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
index 1125af3..2de4ce2 100644
--- a/drivers/vhost/vhost.h
+++ b/drivers/vhost/vhost.h
@@ -191,7 +191,7 @@ bool vhost_enable_notify(struct vhost_dev *, struct
vhost_virtqueue *);
int vhost_log_write(struct vhost_virtqueue *vq, struct vhost_log *log,
unsigned int log_num, u64 len);
-void vhost_zerocopy_callback(struct ubuf_info *);
+void vhost_zerocopy_callback(struct ubuf_info *, bool);
int vhost_zerocopy_signal_used(struct vhost_virtqueue *vq);
#define vq_err(vq, fmt, ...) do { \
diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index 5aa43c3..bdac497 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -491,16 +491,18 @@ EXPORT_SYMBOL_GPL(virtqueue_disable_cb);
* virtqueue_enable_cb - restart callbacks after disable_cb.
* @vq: the struct virtqueue we're talking about.
*
- * This re-enables callbacks; it returns "false" if there are pending
- * buffers in the queue, to detect a possible race between the driver
- * checking for more work, and enabling callbacks.
+ * This re-enables callbacks; it returns current queue state
+ * in an opaque unsigned value. This value should be later tested by
+ * virtqueue_poll, to detect a possible race between the driver
checking for
+ * more work, and enabling callbacks.
*
* Caller must ensure we don't call this with other virtqueue
* operations at the same time (except where noted).
*/
-bool virtqueue_enable_cb(struct virtqueue *_vq)
+unsigned virtqueue_enable_cb_prepare(struct virtqueue *_vq)
{
struct vring_virtqueue *vq = to_vvq(_vq);
+ u16 last_used_idx;
START_USE(vq);
@@ -510,15 +512,45 @@ bool virtqueue_enable_cb(struct virtqueue *_vq)
* either clear the flags bit or point the event index at the
next
* entry. Always do both to keep code simple. */
vq->vring.avail->flags &= ~VRING_AVAIL_F_NO_INTERRUPT;
- vring_used_event(&vq->vring) = vq->last_used_idx;
+ vring_used_event(&vq->vring) = last_used_idx =
vq->last_used_idx;
+ END_USE(vq);
+ return last_used_idx;
+}
+EXPORT_SYMBOL_GPL(virtqueue_enable_cb_prepare);
+
+/**
+ * virtqueue_poll - query pending used buffers
+ * @vq: the struct virtqueue we're talking about.
+ * @last_used_idx: virtqueue state (from call to
virtqueue_enable_cb_prepare).
+ *
+ * Returns "true" if there are pending used buffers in the queue.
+ *
+ * This does not need to be serialized.
+ */
+bool virtqueue_poll(struct virtqueue *_vq, unsigned last_used_idx)
+{
+ struct vring_virtqueue *vq = to_vvq(_vq);
+
virtio_mb(vq);
- if (unlikely(more_used(vq))) {
- END_USE(vq);
- return false;
- }
+ return (u16)last_used_idx != vq->vring.used->idx;
+}
+EXPORT_SYMBOL_GPL(virtqueue_poll);
- END_USE(vq);
- return true;
+/**
+ * virtqueue_enable_cb - restart callbacks after disable_cb.
+ * @vq: the struct virtqueue we're talking about.
+ *
+ * This re-enables callbacks; it returns "false" if there are pending
+ * buffers in the queue, to detect a possible race between the driver
+ * checking for more work, and enabling callbacks.
+ *
+ * Caller must ensure we don't call this with other virtqueue
+ * operations at the same time (except where noted).
+ */
+bool virtqueue_enable_cb(struct virtqueue *_vq)
+{
+ unsigned last_used_idx = virtqueue_enable_cb_prepare(_vq);
+ return !virtqueue_poll(_vq, last_used_idx);
}
EXPORT_SYMBOL_GPL(virtqueue_enable_cb);
diff --git a/drivers/xen/events.c b/drivers/xen/events.c
index 99c5345..3987f6f 100644
--- a/drivers/xen/events.c
+++ b/drivers/xen/events.c
@@ -324,7 +324,7 @@ static void init_evtchn_cpu_bindings(void)
for_each_possible_cpu(i)
memset(per_cpu(cpu_evtchn_mask, i),
- (i == 0) ? ~0 : 0,
sizeof(*per_cpu(cpu_evtchn_mask, i)));
+ (i == 0) ? ~0 : 0, NR_EVENT_CHANNELS/8);
}
static inline void clear_evtchn(int port)
diff --git a/drivers/xen/evtchn.c b/drivers/xen/evtchn.c
index b1f60a0..8eb68c9 100644
--- a/drivers/xen/evtchn.c
+++ b/drivers/xen/evtchn.c
@@ -367,18 +367,12 @@ static long evtchn_ioctl(struct file *file,
if (unbind.port >= NR_EVENT_CHANNELS)
break;
- spin_lock_irq(&port_user_lock);
-
rc = -ENOTCONN;
- if (get_port_user(unbind.port) != u) {
- spin_unlock_irq(&port_user_lock);
+ if (get_port_user(unbind.port) != u)
break;
- }
disable_irq(irq_from_evtchn(unbind.port));
- spin_unlock_irq(&port_user_lock);
-
evtchn_unbind_from_user(u, unbind.port);
rc = 0;
@@ -478,26 +472,15 @@ static int evtchn_release(struct inode *inode,
struct file *filp) int i;
struct per_user_data *u = filp->private_data;
- spin_lock_irq(&port_user_lock);
-
- free_page((unsigned long)u->ring);
-
for (i = 0; i < NR_EVENT_CHANNELS; i++) {
if (get_port_user(i) != u)
continue;
disable_irq(irq_from_evtchn(i));
- }
-
- spin_unlock_irq(&port_user_lock);
-
- for (i = 0; i < NR_EVENT_CHANNELS; i++) {
- if (get_port_user(i) != u)
- continue;
-
evtchn_unbind_from_user(get_port_user(i), i);
}
+ free_page((unsigned long)u->ring);
kfree(u->name);
kfree(u);
diff --git a/fs/bio.c b/fs/bio.c
index 71072ab..6e2a362 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -791,12 +791,22 @@ static int __bio_copy_iov(struct bio *bio, struct
bio_vec *iovecs, int bio_uncopy_user(struct bio *bio)
{
struct bio_map_data *bmd = bio->bi_private;
- int ret = 0;
+ struct bio_vec *bvec;
+ int ret = 0, i;
- if (!bio_flagged(bio, BIO_NULL_MAPPED))
- ret = __bio_copy_iov(bio, bmd->iovecs, bmd->sgvecs,
- bmd->nr_sgvecs, bio_data_dir(bio)
== READ,
- 0, bmd->is_our_pages);
+ if (!bio_flagged(bio, BIO_NULL_MAPPED)) {
+ /*
+ * if we're in a workqueue, the request is orphaned, so
+ * don't copy into a random user address space, just
free.
+ */
+ if (current->mm)
+ ret = __bio_copy_iov(bio, bmd->iovecs,
bmd->sgvecs,
+ bmd->nr_sgvecs,
bio_data_dir(bio) == READ,
+ 0, bmd->is_our_pages);
+ else if (bmd->is_our_pages)
+ __bio_for_each_segment(bvec, bio, i, 0)
+ __free_page(bvec->bv_page);
+ }
bio_free_map_data(bmd);
bio_put(bio);
return ret;
diff --git a/fs/block_dev.c b/fs/block_dev.c
index daaca3d..41f6594 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -57,17 +57,24 @@ static void bdev_inode_switch_bdi(struct inode
*inode, struct backing_dev_info *dst)
{
struct backing_dev_info *old = inode->i_data.backing_dev_info;
+ bool wakeup_bdi = false;
if (unlikely(dst == old)) /* deadlock avoidance
*/ return;
bdi_lock_two(&old->wb, &dst->wb);
spin_lock(&inode->i_lock);
inode->i_data.backing_dev_info = dst;
- if (inode->i_state & I_DIRTY)
+ if (inode->i_state & I_DIRTY) {
+ if (bdi_cap_writeback_dirty(dst)
&& !wb_has_dirty_io(&dst->wb))
+ wakeup_bdi = true;
list_move(&inode->i_wb_list, &dst->wb.b_dirty);
+ }
spin_unlock(&inode->i_lock);
spin_unlock(&old->wb.list_lock);
spin_unlock(&dst->wb.list_lock);
+
+ if (wakeup_bdi)
+ bdi_wakeup_thread_delayed(dst);
}
sector_t blkdev_max_block(struct block_device *bdev)
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 6d7b589..3b09565 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -6950,6 +6950,7 @@ int btrfs_drop_snapshot(struct btrfs_root *root,
int err = 0;
int ret;
int level;
+ bool root_dropped = false;
path = btrfs_alloc_path();
if (!path) {
@@ -7007,6 +7008,7 @@ int btrfs_drop_snapshot(struct btrfs_root *root,
while (1) {
btrfs_tree_lock(path->nodes[level]);
btrfs_set_lock_blocking(path->nodes[level]);
+ path->locks[level] = BTRFS_WRITE_LOCK_BLOCKING;
ret = btrfs_lookup_extent_info(trans, root,
path->nodes[level]->start,
@@ -7023,6 +7025,7 @@ int btrfs_drop_snapshot(struct btrfs_root *root,
break;
btrfs_tree_unlock(path->nodes[level]);
+ path->locks[level] = 0;
WARN_ON(wc->refs[level] != 1);
level--;
}
@@ -7118,12 +7121,22 @@ int btrfs_drop_snapshot(struct btrfs_root *root,
free_extent_buffer(root->commit_root);
kfree(root);
}
+ root_dropped = true;
out_end_trans:
btrfs_end_transaction_throttle(trans, tree_root);
out_free:
kfree(wc);
btrfs_free_path(path);
out:
+ /*
+ * So if we need to stop dropping the snapshot for whatever
reason we
+ * need to make sure to add it back to the dead root list so
that we
+ * keep trying to do the work later. This also cleans up
roots if we
+ * don't have it in the radix (like when we recover after a
power fail
+ * or unmount) so we don't leak memory.
+ */
+ if (root_dropped == false)
+ btrfs_add_dead_root(root);
if (err)
btrfs_std_error(root->fs_info, err);
return err;
diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
index 9caf0c6..c6828ae 100644
--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -369,7 +369,7 @@ find_domain_name(struct cifs_ses *ses, const struct
nls_table *nls_cp) if (blobptr + attrsize > blobend)
break;
if (type == NTLMSSP_AV_NB_DOMAIN_NAME) {
- if (!attrsize)
+ if (!attrsize || attrsize >=
CIFS_MAX_DOMAINNAME_LEN) break;
if (!ses->domainName) {
ses->domainName =
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 977dc0e..4af59dc 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -42,6 +42,7 @@
#define MAX_TREE_SIZE (2 + MAX_SERVER_SIZE + 1 + MAX_SHARE_SIZE + 1)
#define MAX_SERVER_SIZE 15
#define MAX_SHARE_SIZE 80
+#define CIFS_MAX_DOMAINNAME_LEN 256 /* max domain name length */
#define MAX_USERNAME_SIZE 256 /* reasonable maximum for current
servers */ #define MAX_PASSWORD_SIZE 512 /* max for windows
seems to be 256 wide chars */
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 487db09..8239cba 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -1611,7 +1611,8 @@ cifs_parse_mount_options(const char *mountdata,
const char *devname, if (string == NULL)
goto out_nomem;
- if (strnlen(string, 256) == 256) {
+ if (strnlen(string, CIFS_MAX_DOMAINNAME_LEN)
+ == CIFS_MAX_DOMAINNAME_LEN) {
printk(KERN_WARNING "CIFS: domain name
too" " long\n");
goto cifs_parse_mount_err;
@@ -2298,8 +2299,8 @@ cifs_put_smb_ses(struct cifs_ses *ses)
#ifdef CONFIG_KEYS
-/* strlen("cifs:a:") + INET6_ADDRSTRLEN + 1 */
-#define CIFSCREDS_DESC_SIZE (7 + INET6_ADDRSTRLEN + 1)
+/* strlen("cifs:a:") + CIFS_MAX_DOMAINNAME_LEN + 1 */
+#define CIFSCREDS_DESC_SIZE (7 + CIFS_MAX_DOMAINNAME_LEN + 1)
/* Populate username and pw fields from keyring if possible */
static int
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 382c06d..673db0b 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -198,7 +198,7 @@ static void unicode_domain_string(char **pbcc_area,
struct cifs_ses *ses, bytes_ret = 0;
} else
bytes_ret = cifs_strtoUTF16((__le16 *) bcc_ptr,
ses->domainName,
- 256, nls_cp);
+ CIFS_MAX_DOMAINNAME_LEN,
nls_cp); bcc_ptr += 2 * bytes_ret;
bcc_ptr += 2; /* account for null terminator */
@@ -256,8 +256,8 @@ static void ascii_ssetup_strings(char **pbcc_area,
struct cifs_ses *ses,
/* copy domain */
if (ses->domainName != NULL) {
- strncpy(bcc_ptr, ses->domainName, 256);
- bcc_ptr += strnlen(ses->domainName, 256);
+ strncpy(bcc_ptr, ses->domainName,
CIFS_MAX_DOMAINNAME_LEN);
+ bcc_ptr += strnlen(ses->domainName,
CIFS_MAX_DOMAINNAME_LEN); } /* else we will send a null domain name
so the server will default to its own domain */
*bcc_ptr = 0;
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index 4733eab..327b802 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -524,8 +524,7 @@ EXPORT_SYMBOL_GPL(debugfs_remove);
*/
void debugfs_remove_recursive(struct dentry *dentry)
{
- struct dentry *child;
- struct dentry *parent;
+ struct dentry *child, *next, *parent;
if (IS_ERR_OR_NULL(dentry))
return;
@@ -535,61 +534,37 @@ void debugfs_remove_recursive(struct dentry
*dentry) return;
parent = dentry;
+ down:
mutex_lock(&parent->d_inode->i_mutex);
+ list_for_each_entry_safe(child, next, &parent->d_subdirs,
d_u.d_child) {
+ if (!debugfs_positive(child))
+ continue;
- while (1) {
- /*
- * When all dentries under "parent" has been removed,
- * walk up the tree until we reach our starting point.
- */
- if (list_empty(&parent->d_subdirs)) {
- mutex_unlock(&parent->d_inode->i_mutex);
- if (parent == dentry)
- break;
- parent = parent->d_parent;
- mutex_lock(&parent->d_inode->i_mutex);
- }
- child = list_entry(parent->d_subdirs.next, struct
dentry,
- d_u.d_child);
- next_sibling:
-
- /*
- * If "child" isn't empty, walk down the tree and
- * remove all its descendants first.
- */
+ /* perhaps simple_empty(child) makes more sense */
if (!list_empty(&child->d_subdirs)) {
mutex_unlock(&parent->d_inode->i_mutex);
parent = child;
- mutex_lock(&parent->d_inode->i_mutex);
- continue;
+ goto down;
}
- __debugfs_remove(child, parent);
- if (parent->d_subdirs.next == &child->d_u.d_child) {
- /*
- * Try the next sibling.
- */
- if (child->d_u.d_child.next !=
&parent->d_subdirs) {
- child =
list_entry(child->d_u.d_child.next,
- struct dentry,
- d_u.d_child);
- goto next_sibling;
- }
-
- /*
- * Avoid infinite loop if we fail to remove
- * one dentry.
- */
- mutex_unlock(&parent->d_inode->i_mutex);
- break;
- }
- simple_release_fs(&debugfs_mount,
&debugfs_mount_count);
+ up:
+ if (!__debugfs_remove(child, parent))
+ simple_release_fs(&debugfs_mount,
&debugfs_mount_count); }
- parent = dentry->d_parent;
+ mutex_unlock(&parent->d_inode->i_mutex);
+ child = parent;
+ parent = parent->d_parent;
mutex_lock(&parent->d_inode->i_mutex);
- __debugfs_remove(dentry, parent);
+
+ if (child != dentry) {
+ next = list_entry(child->d_u.d_child.next, struct
dentry,
+ d_u.d_child);
+ goto up;
+ }
+
+ if (!__debugfs_remove(child, parent))
+ simple_release_fs(&debugfs_mount,
&debugfs_mount_count); mutex_unlock(&parent->d_inode->i_mutex);
- simple_release_fs(&debugfs_mount, &debugfs_mount_count);
}
EXPORT_SYMBOL_GPL(debugfs_remove_recursive);
diff --git a/fs/ext4/ext4_jbd2.c b/fs/ext4/ext4_jbd2.c
index b4323ba..6d7abb1 100644
--- a/fs/ext4/ext4_jbd2.c
+++ b/fs/ext4/ext4_jbd2.c
@@ -109,10 +109,10 @@ int __ext4_handle_dirty_metadata(const char
*where, unsigned int line,
if (ext4_handle_valid(handle)) {
err = jbd2_journal_dirty_metadata(handle, bh);
- if (err) {
- /* Errors can only happen if there is a bug */
- handle->h_err = err;
- __ext4_journal_stop(where, line, handle);
+ /* Errors can only happen if there is a bug */
+ if (WARN_ON_ONCE(err)) {
+ ext4_journal_abort_handle(where, line,
__func__, bh,
+ handle, err);
}
} else {
if (inode)
diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
index c690ff9..16481bd 100644
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -706,11 +706,8 @@ repeat_in_this_group:
ino = ext4_find_next_zero_bit((unsigned long *)
inode_bitmap_bh->b_data,
EXT4_INODES_PER_GROUP(sb),
ino);
- if (ino >= EXT4_INODES_PER_GROUP(sb)) {
- if (++group == ngroups)
- group = 0;
- continue;
- }
+ if (ino >= EXT4_INODES_PER_GROUP(sb))
+ goto next_group;
if (group == 0 && (ino+1) < EXT4_FIRST_INO(sb)) {
ext4_error(sb, "reserved inode found cleared -
" "inode=%lu", ino + 1);
@@ -728,6 +725,9 @@ repeat_in_this_group:
goto got; /* we grabbed the inode! */
if (ino < EXT4_INODES_PER_GROUP(sb))
goto repeat_in_this_group;
+next_group:
+ if (++group == ngroups)
+ group = 0;
}
err = -ENOSPC;
goto out;
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index f9b129c..7099a33 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1422,7 +1422,7 @@ static const struct mount_opts {
{Opt_discard, EXT4_MOUNT_DISCARD, MOPT_SET},
{Opt_nodiscard, EXT4_MOUNT_DISCARD, MOPT_CLEAR},
{Opt_delalloc, EXT4_MOUNT_DELALLOC, MOPT_SET | MOPT_EXPLICIT},
- {Opt_nodelalloc, EXT4_MOUNT_DELALLOC, MOPT_CLEAR |
MOPT_EXPLICIT},
+ {Opt_nodelalloc, EXT4_MOUNT_DELALLOC, MOPT_CLEAR},
{Opt_journal_checksum, EXT4_MOUNT_JOURNAL_CHECKSUM, MOPT_SET},
{Opt_journal_async_commit, (EXT4_MOUNT_JOURNAL_ASYNC_COMMIT |
EXT4_MOUNT_JOURNAL_CHECKSUM),
MOPT_SET}, @@ -3405,7 +3405,7 @@ static int ext4_fill_super(struct
super_block *sb, void *data, int silent) }
if (test_opt(sb, DIOREAD_NOLOCK)) {
ext4_msg(sb, KERN_ERR, "can't mount with "
- "both data=journal and delalloc");
+ "both data=journal and
dioread_nolock"); goto failed_mount;
}
if (test_opt(sb, DELALLOC))
@@ -4583,6 +4583,21 @@ static int ext4_remount(struct super_block *sb,
int *flags, char *data) goto restore_opts;
}
+ if (test_opt(sb, DATA_FLAGS) == EXT4_MOUNT_JOURNAL_DATA) {
+ if (test_opt2(sb, EXPLICIT_DELALLOC)) {
+ ext4_msg(sb, KERN_ERR, "can't mount with "
+ "both data=journal and delalloc");
+ err = -EINVAL;
+ goto restore_opts;
+ }
+ if (test_opt(sb, DIOREAD_NOLOCK)) {
+ ext4_msg(sb, KERN_ERR, "can't mount with "
+ "both data=journal and
dioread_nolock");
+ err = -EINVAL;
+ goto restore_opts;
+ }
+ }
+
if (sbi->s_mount_flags & EXT4_MF_FS_ABORTED)
ext4_abort(sb, "Abort forced by user");
diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 9197a1b..9f7c758 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c
@@ -3047,6 +3047,14 @@ int jfs_readdir(struct file *filp, void *dirent,
filldir_t filldir)
dir_index = (u32) filp->f_pos;
+ /*
+ * NFSv4 reserves cookies 1 and 2 for . and .. so the
value
+ * we return to the vfs is one greater than the one we
use
+ * internally.
+ */
+ if (dir_index)
+ dir_index--;
+
if (dir_index > 1) {
struct dir_table_slot dirtab_slot;
@@ -3086,7 +3094,7 @@ int jfs_readdir(struct file *filp, void *dirent,
filldir_t filldir) if (p->header.flag & BT_INTERNAL) {
jfs_err("jfs_readdir: bad index
table"); DT_PUTPAGE(mp);
- filp->f_pos = -1;
+ filp->f_pos = DIREND;
return 0;
}
} else {
@@ -3094,7 +3102,7 @@ int jfs_readdir(struct file *filp, void *dirent,
filldir_t filldir) /*
* self "."
*/
- filp->f_pos = 0;
+ filp->f_pos = 1;
if (filldir(dirent, ".", 1, 0,
ip->i_ino, DT_DIR))
return 0;
@@ -3102,7 +3110,7 @@ int jfs_readdir(struct file *filp, void *dirent,
filldir_t filldir) /*
* parent ".."
*/
- filp->f_pos = 1;
+ filp->f_pos = 2;
if (filldir(dirent, "..", 2, 1, PARENT(ip),
DT_DIR)) return 0;
@@ -3123,24 +3131,25 @@ int jfs_readdir(struct file *filp, void
*dirent, filldir_t filldir) /*
* Legacy filesystem - OS/2 & Linux JFS < 0.3.6
*
- * pn = index = 0: First entry "."
- * pn = 0; index = 1: Second entry ".."
+ * pn = 0; index = 1: First entry "."
+ * pn = 0; index = 2: Second entry ".."
* pn > 0: Real entries, pn=1 ->
leftmost page
* pn = index = -1: No more entries
*/
dtpos = filp->f_pos;
- if (dtpos == 0) {
+ if (dtpos < 2) {
/* build "." entry */
+ filp->f_pos = 1;
if (filldir(dirent, ".", 1, filp->f_pos,
ip->i_ino, DT_DIR))
return 0;
- dtoffset->index = 1;
+ dtoffset->index = 2;
filp->f_pos = dtpos;
}
if (dtoffset->pn == 0) {
- if (dtoffset->index == 1) {
+ if (dtoffset->index == 2) {
/* build ".." entry */
if (filldir(dirent, "..", 2,
filp->f_pos, @@ -3233,6 +3242,12 @@ int jfs_readdir(struct file *filp,
void *dirent, filldir_t filldir) }
jfs_dirent->position =
unique_pos++; }
+ /*
+ * We add 1 to the index because we may
+ * use a value of 2 internally, and
NFSv4
+ * doesn't like that.
+ */
+ jfs_dirent->position++;
} else {
jfs_dirent->position = dtpos;
len = min(d_namleft,
DTLHDRDATALEN_LEGACY); diff --git a/fs/lockd/svclock.c
b/fs/lockd/svclock.c index 8d80c99..57a3922 100644
--- a/fs/lockd/svclock.c
+++ b/fs/lockd/svclock.c
@@ -939,6 +939,7 @@ nlmsvc_retry_blocked(void)
unsigned long timeout = MAX_SCHEDULE_TIMEOUT;
struct nlm_block *block;
+ spin_lock(&nlm_blocked_lock);
while (!list_empty(&nlm_blocked) && !kthread_should_stop()) {
block = list_entry(nlm_blocked.next, struct nlm_block,
b_list);
@@ -948,6 +949,7 @@ nlmsvc_retry_blocked(void)
timeout = block->b_when - jiffies;
break;
}
+ spin_unlock(&nlm_blocked_lock);
dprintk("nlmsvc_retry_blocked(%p, when=%ld)\n",
block, block->b_when);
@@ -957,7 +959,9 @@ nlmsvc_retry_blocked(void)
retry_deferred_block(block);
} else
nlmsvc_grant_blocked(block);
+ spin_lock(&nlm_blocked_lock);
}
+ spin_unlock(&nlm_blocked_lock);
return timeout;
}
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index a9269f1..1db47bc 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -802,9 +802,10 @@ nfsd_open(struct svc_rqst *rqstp, struct svc_fh
*fhp, umode_t type, flags = O_WRONLY|O_LARGEFILE;
}
*filp = dentry_open(&path, flags, current_cred());
- if (IS_ERR(*filp))
+ if (IS_ERR(*filp)) {
host_err = PTR_ERR(*filp);
- else {
+ *filp = NULL;
+ } else {
host_err = ima_file_check(*filp, may_flags);
if (may_flags & NFSD_MAY_64BIT_COOKIE)
diff --git a/fs/nilfs2/segbuf.c b/fs/nilfs2/segbuf.c
index dc9a913..2d8be51 100644
--- a/fs/nilfs2/segbuf.c
+++ b/fs/nilfs2/segbuf.c
@@ -345,8 +345,7 @@ static void nilfs_end_bio_write(struct bio *bio,
int err)
if (err == -EOPNOTSUPP) {
set_bit(BIO_EOPNOTSUPP, &bio->bi_flags);
- bio_put(bio);
- /* to be detected by submit_seg_bio() */
+ /* to be detected by nilfs_segbuf_submit_bio() */
}
if (!uptodate)
@@ -377,12 +376,12 @@ static int nilfs_segbuf_submit_bio(struct
nilfs_segment_buffer *segbuf, bio->bi_private = segbuf;
bio_get(bio);
submit_bio(mode, bio);
+ segbuf->sb_nbio++;
if (bio_flagged(bio, BIO_EOPNOTSUPP)) {
bio_put(bio);
err = -EOPNOTSUPP;
goto failed;
}
- segbuf->sb_nbio++;
bio_put(bio);
wi->bio = NULL;
diff --git a/fs/notify/fanotify/fanotify_user.c
b/fs/notify/fanotify/fanotify_user.c index d438036..b670659 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -116,6 +116,7 @@ static int fill_event_metadata(struct
fsnotify_group *group, metadata->event_len = FAN_EVENT_METADATA_LEN;
metadata->metadata_len = FAN_EVENT_METADATA_LEN;
metadata->vers = FANOTIFY_METADATA_VERSION;
+ metadata->reserved = 0;
metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS;
metadata->pid = pid_vnr(event->tgid);
if (unlikely(event->mask & FAN_Q_OVERFLOW))
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 4540b8f..1868fe1 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -693,14 +693,14 @@ typedef struct {
} pagemap_entry_t;
struct pagemapread {
- int pos, len;
+ int pos, len; /* units: PM_ENTRY_BYTES, not
bytes */ pagemap_entry_t *buffer;
};
#define PAGEMAP_WALK_SIZE (PMD_SIZE)
#define PAGEMAP_WALK_MASK (PMD_MASK)
-#define PM_ENTRY_BYTES sizeof(u64)
+#define PM_ENTRY_BYTES sizeof(pagemap_entry_t)
#define PM_STATUS_BITS 3
#define PM_STATUS_OFFSET (64 - PM_STATUS_BITS)
#define PM_STATUS_MASK (((1LL << PM_STATUS_BITS) - 1) <<
PM_STATUS_OFFSET) @@ -939,8 +939,8 @@ static ssize_t
pagemap_read(struct file *file, char __user *buf, if (!count)
goto out_task;
- pm.len = PM_ENTRY_BYTES * (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
- pm.buffer = kmalloc(pm.len, GFP_TEMPORARY);
+ pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
+ pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY);
ret = -ENOMEM;
if (!pm.buffer)
goto out_task;
diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c
index e60e870..d700e3f 100644
--- a/fs/reiserfs/procfs.c
+++ b/fs/reiserfs/procfs.c
@@ -19,12 +19,13 @@
/*
* LOCKING:
*
- * We rely on new Alexander Viro's super-block locking.
+ * These guys are evicted from procfs as the very first step in
->kill_sb(). *
*/
-static int show_version(struct seq_file *m, struct super_block *sb)
+static int show_version(struct seq_file *m, void *unused)
{
+ struct super_block *sb = m->private;
char *format;
if (REISERFS_SB(sb)->s_properties & (1 << REISERFS_3_6)) {
@@ -66,8 +67,9 @@ static int show_version(struct seq_file *m, struct
super_block *sb) #define DJP( x ) le32_to_cpu( jp -> x )
#define JF( x ) ( r -> s_journal -> x )
-static int show_super(struct seq_file *m, struct super_block *sb)
+static int show_super(struct seq_file *m, void *unused)
{
+ struct super_block *sb = m->private;
struct reiserfs_sb_info *r = REISERFS_SB(sb);
seq_printf(m, "state: \t%s\n"
@@ -128,8 +130,9 @@ static int show_super(struct seq_file *m, struct
super_block *sb) return 0;
}
-static int show_per_level(struct seq_file *m, struct super_block *sb)
+static int show_per_level(struct seq_file *m, void *unused)
{
+ struct super_block *sb = m->private;
struct reiserfs_sb_info *r = REISERFS_SB(sb);
int level;
@@ -186,8 +189,9 @@ static int show_per_level(struct seq_file *m,
struct super_block *sb) return 0;
}
-static int show_bitmap(struct seq_file *m, struct super_block *sb)
+static int show_bitmap(struct seq_file *m, void *unused)
{
+ struct super_block *sb = m->private;
struct reiserfs_sb_info *r = REISERFS_SB(sb);
seq_printf(m, "free_block: %lu\n"
@@ -218,8 +222,9 @@ static int show_bitmap(struct seq_file *m, struct
super_block *sb) return 0;
}
-static int show_on_disk_super(struct seq_file *m, struct super_block
*sb) +static int show_on_disk_super(struct seq_file *m, void *unused)
{
+ struct super_block *sb = m->private;
struct reiserfs_sb_info *sb_info = REISERFS_SB(sb);
struct reiserfs_super_block *rs = sb_info->s_rs;
int hash_code = DFL(s_hash_function_code);
@@ -261,8 +266,9 @@ static int show_on_disk_super(struct seq_file *m,
struct super_block *sb) return 0;
}
-static int show_oidmap(struct seq_file *m, struct super_block *sb)
+static int show_oidmap(struct seq_file *m, void *unused)
{
+ struct super_block *sb = m->private;
struct reiserfs_sb_info *sb_info = REISERFS_SB(sb);
struct reiserfs_super_block *rs = sb_info->s_rs;
unsigned int mapsize = le16_to_cpu(rs->s_v1.s_oid_cursize);
@@ -291,8 +297,9 @@ static int show_oidmap(struct seq_file *m, struct
super_block *sb) return 0;
}
-static int show_journal(struct seq_file *m, struct super_block *sb)
+static int show_journal(struct seq_file *m, void *unused)
{
+ struct super_block *sb = m->private;
struct reiserfs_sb_info *r = REISERFS_SB(sb);
struct reiserfs_super_block *rs = r->s_rs;
struct journal_params *jp = &rs->s_v1.s_journal;
@@ -383,85 +390,24 @@ static int show_journal(struct seq_file *m,
struct super_block *sb) return 0;
}
-/* iterator */
-static int test_sb(struct super_block *sb, void *data)
-{
- return data == sb;
-}
-
-static int set_sb(struct super_block *sb, void *data)
-{
- return -ENOENT;
-}
-
-static void *r_start(struct seq_file *m, loff_t * pos)
-{
- struct proc_dir_entry *de = m->private;
- struct super_block *s = de->parent->data;
- loff_t l = *pos;
-
- if (l)
- return NULL;
-
- if (IS_ERR(sget(&reiserfs_fs_type, test_sb, set_sb, 0, s)))
- return NULL;
-
- up_write(&s->s_umount);
- return s;
-}
-
-static void *r_next(struct seq_file *m, void *v, loff_t * pos)
-{
- ++*pos;
- if (v)
- deactivate_super(v);
- return NULL;
-}
-
-static void r_stop(struct seq_file *m, void *v)
-{
- if (v)
- deactivate_super(v);
-}
-
-static int r_show(struct seq_file *m, void *v)
-{
- struct proc_dir_entry *de = m->private;
- int (*show) (struct seq_file *, struct super_block *) =
de->data;
- return show(m, v);
-}
-
-static const struct seq_operations r_ops = {
- .start = r_start,
- .next = r_next,
- .stop = r_stop,
- .show = r_show,
-};
-
static int r_open(struct inode *inode, struct file *file)
{
- int ret = seq_open(file, &r_ops);
-
- if (!ret) {
- struct seq_file *m = file->private_data;
- m->private = PDE(inode);
- }
- return ret;
+ return single_open(file, PDE(inode)->data,
+ PDE(inode)->parent->data);
}
static const struct file_operations r_file_operations = {
.open = r_open,
.read = seq_read,
.llseek = seq_lseek,
- .release = seq_release,
- .owner = THIS_MODULE,
+ .release = single_release,
};
static struct proc_dir_entry *proc_info_root = NULL;
static const char proc_info_root_name[] = "fs/reiserfs";
static void add_file(struct super_block *sb, char *name,
- int (*func) (struct seq_file *, struct
super_block *))
+ int (*func) (struct seq_file *, void *))
{
proc_create_data(name, 0, REISERFS_SB(sb)->procdir,
&r_file_operations, func);
diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
index 4300030..cd4b149 100644
--- a/fs/reiserfs/super.c
+++ b/fs/reiserfs/super.c
@@ -499,6 +499,7 @@ int remove_save_link(struct inode *inode, int
truncate) static void reiserfs_kill_sb(struct super_block *s)
{
if (REISERFS_SB(s)) {
+ reiserfs_proc_info_done(s);
/*
* Force any pending inode evictions to occur now. Any
* inodes to be removed that have extended attributes
@@ -554,8 +555,6 @@ static void reiserfs_put_super(struct super_block
*s) REISERFS_SB(s)->reserved_blocks);
}
- reiserfs_proc_info_done(s);
-
reiserfs_write_unlock(s);
mutex_destroy(&REISERFS_SB(s)->lock);
kfree(s->s_fs_info);
diff --git a/fs/super.c b/fs/super.c
index 0902cfa..7b6e4e5 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -349,19 +349,19 @@ EXPORT_SYMBOL(deactivate_super);
* and want to turn it into a full-blown active reference.
grab_super()
* is called with sb_lock held and drops it. Returns 1 in case
of
* success, 0 if we had failed (superblock contents was already
dead or
- * dying when grab_super() had been called).
+ * dying when grab_super() had been called). Note that this is
only
+ * called for superblocks not in rundown mode (== ones still on
->fs_supers
+ * of their type), so increment of ->s_count is OK here.
*/
static int grab_super(struct super_block *s) __releases(sb_lock)
{
- if (atomic_inc_not_zero(&s->s_active)) {
- spin_unlock(&sb_lock);
- return 1;
- }
- /* it's going away */
s->s_count++;
spin_unlock(&sb_lock);
- /* wait for it to die */
down_write(&s->s_umount);
+ if ((s->s_flags & MS_BORN) &&
atomic_inc_not_zero(&s->s_active)) {
+ put_super(s);
+ return 1;
+ }
up_write(&s->s_umount);
put_super(s);
return 0;
@@ -493,11 +493,6 @@ retry:
destroy_super(s);
s = NULL;
}
- down_write(&old->s_umount);
- if (unlikely(!(old->s_flags & MS_BORN))) {
- deactivate_locked_super(old);
- goto retry;
- }
return old;
}
}
@@ -691,10 +686,10 @@ restart:
if (hlist_unhashed(&sb->s_instances))
continue;
if (sb->s_bdev == bdev) {
- if (grab_super(sb)) /* drops sb_lock */
- return sb;
- else
+ if (!grab_super(sb))
goto restart;
+ up_write(&sb->s_umount);
+ return sb;
}
}
spin_unlock(&sb_lock);
diff --git a/include/linux/elevator.h b/include/linux/elevator.h
index c03af76..20ae95b 100644
--- a/include/linux/elevator.h
+++ b/include/linux/elevator.h
@@ -6,6 +6,7 @@
#ifdef CONFIG_BLOCK
struct io_cq;
+struct elevator_type;
typedef int (elevator_merge_fn) (struct request_queue *, struct
request **, struct bio *);
@@ -34,7 +35,8 @@ typedef void (elevator_put_req_fn) (struct request *);
typedef void (elevator_activate_req_fn) (struct request_queue *,
struct request *); typedef void (elevator_deactivate_req_fn) (struct
request_queue *, struct request *);
-typedef int (elevator_init_fn) (struct request_queue *);
+typedef int (elevator_init_fn) (struct request_queue *,
+ struct elevator_type *e);
typedef void (elevator_exit_fn) (struct elevator_queue *);
struct elevator_ops
@@ -151,6 +153,8 @@ extern int elevator_init(struct request_queue *,
char *); extern void elevator_exit(struct elevator_queue *);
extern int elevator_change(struct request_queue *, const char *);
extern bool elv_rq_merge_ok(struct request *, struct bio *);
+extern struct elevator_queue *elevator_alloc(struct request_queue *,
+ struct elevator_type *);
/*
* Helper functions.
diff --git a/include/linux/ftrace_event.h b/include/linux/ftrace_event.h
index 642928c..86e6806 100644
--- a/include/linux/ftrace_event.h
+++ b/include/linux/ftrace_event.h
@@ -71,6 +71,8 @@ struct trace_iterator {
/* trace_seq for __print_flags() and __print_symbolic() etc. */
struct trace_seq tmp_seq;
+ cpumask_var_t started;
+
/* The below is zeroed out in pipe_read */
struct trace_seq seq;
struct trace_entry *ent;
@@ -83,7 +85,7 @@ struct trace_iterator {
loff_t pos;
long idx;
- cpumask_var_t started;
+ /* All new field here will be zeroed out in pipe_read */
};
diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
index 9b0c614..fef94f5 100644
--- a/include/linux/if_vlan.h
+++ b/include/linux/if_vlan.h
@@ -82,9 +82,8 @@ static inline int is_vlan_dev(struct net_device *dev)
}
#define vlan_tx_tag_present(__skb) ((__skb)->vlan_tci &
VLAN_TAG_PRESENT) -#define vlan_tx_nonzero_tag_present(__skb) \
- (vlan_tx_tag_present(__skb) && ((__skb)->vlan_tci &
VLAN_VID_MASK)) #define vlan_tx_tag_get(__skb)
((__skb)->vlan_tci & ~VLAN_TAG_PRESENT) +#define
vlan_tx_tag_get_id(__skb) ((__skb)->vlan_tci & VLAN_VID_MASK)
#if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
diff --git a/include/linux/regmap.h b/include/linux/regmap.h
index 7f7e00d..db23dde 100644
--- a/include/linux/regmap.h
+++ b/include/linux/regmap.h
@@ -15,6 +15,8 @@
#include <linux/list.h>
#include <linux/rbtree.h>
+#include <linux/err.h>
+#include <linux/bug.h>
struct module;
struct device;
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 46bac3e..8c00159 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -388,6 +388,7 @@ extern int sysctl_max_map_count;
#include <linux/aio.h>
#ifdef CONFIG_MMU
+extern unsigned long mmap_legacy_base(void);
extern void arch_pick_mmap_layout(struct mm_struct *mm);
extern unsigned long
arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index adab092..a45dd48 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -235,11 +235,13 @@ enum {
/*
* The callback notifies userspace to release buffers when skb DMA is
done in
* lower device, the skb last reference should be 0 when calling this.
+ * The zerocopy_success argument is true if zero copy transmit
occurred,
+ * false on data copy or out of memory error caused by data copy
attempt.
* The ctx field is used to track device context.
* The desc field is used to track userspace buffer index.
*/
struct ubuf_info {
- void (*callback)(struct ubuf_info *);
+ void (*callback)(struct ubuf_info *, bool zerocopy_success);
void *ctx;
unsigned long desc;
};
diff --git a/include/linux/user_namespace.h
b/include/linux/user_namespace.h index 4e72922..4eea4ce 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -22,6 +22,7 @@ struct user_namespace {
struct uid_gid_map gid_map;
struct kref kref;
struct user_namespace *parent;
+ int level;
kuid_t owner;
kgid_t group;
};
diff --git a/include/linux/virtio.h b/include/linux/virtio.h
index a1ba8bb..765a133 100644
--- a/include/linux/virtio.h
+++ b/include/linux/virtio.h
@@ -44,6 +44,10 @@ void virtqueue_disable_cb(struct virtqueue *vq);
bool virtqueue_enable_cb(struct virtqueue *vq);
+unsigned virtqueue_enable_cb_prepare(struct virtqueue *vq);
+
+bool virtqueue_poll(struct virtqueue *vq, unsigned);
+
bool virtqueue_enable_cb_delayed(struct virtqueue *vq);
void *virtqueue_detach_unused_buf(struct virtqueue *vq);
diff --git a/include/linux/wait.h b/include/linux/wait.h
index 6c6c20e..e4683e0 100644
--- a/include/linux/wait.h
+++ b/include/linux/wait.h
@@ -571,6 +571,63 @@ do
{
\ __wait_event_killable(wq, condition, __ret); \
__ret;
\ }) +#define __wait_event_interruptible_lock_irq_timeout(wq,
condition, \
+ lock,
ret) \ +do
{
\
+
DEFINE_WAIT(__wait); \
+
\
+ for (;;)
{ \
+ prepare_to_wait(&wq, &__wait,
TASK_INTERRUPTIBLE); \
+ if
(condition) \
+
break; \
+ if (signal_pending(current))
{ \
+ ret =
-ERESTARTSYS; \
+
break; \
+ }
\
+
spin_unlock_irq(&lock); \
+ ret =
schedule_timeout(ret); \
+
spin_lock_irq(&lock); \
+ if
(!ret) \
+
break; \
+ }
\
+ finish_wait(&wq,
&__wait); \ +} while (0)
+
+/**
+ * wait_event_interruptible_lock_irq_timeout - sleep until a condition
gets true or a timeout elapses.
+ * The condition is checked under the lock. This is
expected
+ * to be called with the lock taken.
+ * @wq: the waitqueue to wait on
+ * @condition: a C expression for the event to wait for
+ * @lock: a locked spinlock_t, which will be released before schedule()
+ * and reacquired afterwards.
+ * @timeout: timeout, in jiffies
+ *
+ * The process is put to sleep (TASK_INTERRUPTIBLE) until the
+ * @condition evaluates to true or signal is received. The @condition
is
+ * checked each time the waitqueue @wq is woken up.
+ *
+ * wake_up() has to be called after changing any variable that could
+ * change the result of the wait condition.
+ *
+ * This is supposed to be called while holding the lock. The lock is
+ * dropped before going to sleep and is reacquired afterwards.
+ *
+ * The function returns 0 if the @timeout elapsed, -ERESTARTSYS if it
+ * was interrupted by a signal, and the remaining jiffies otherwise
+ * if the condition evaluated to true before the timeout elapsed.
+ */
+#define wait_event_interruptible_lock_irq_timeout(wq, condition,
lock, \
+
timeout) \
+({
\
+ int __ret =
timeout; \
+
\
+ if
(!(condition)) \
+
__wait_event_interruptible_lock_irq_timeout( \
+ wq, condition, lock,
__ret); \
+
__ret; \
+}) +
/*
* These are the old interfaces to sleep waiting for an event.
diff --git a/include/net/ndisc.h b/include/net/ndisc.h
index 826a541..9761757 100644
--- a/include/net/ndisc.h
+++ b/include/net/ndisc.h
@@ -118,7 +118,7 @@ extern struct ndisc_options *ndisc_parse_options(u8
*opt, int opt_len,
* if RFC 3831 IPv6-over-Fibre Channel is ever implemented it may
* also need a pad of 2.
*/
-static int ndisc_addr_option_pad(unsigned short type)
+static inline int ndisc_addr_option_pad(unsigned short type)
{
switch (type) {
case ARPHRD_INFINIBAND: return 2;
diff --git a/include/net/udp.h b/include/net/udp.h
index 065f379..ad99eed 100644
--- a/include/net/udp.h
+++ b/include/net/udp.h
@@ -181,6 +181,7 @@ extern int udp_get_port(struct sock *sk, unsigned
short snum, extern void udp_err(struct sk_buff *, u32);
extern int udp_sendmsg(struct kiocb *iocb, struct sock *sk,
struct msghdr *msg, size_t len);
+extern int udp_push_pending_frames(struct sock *sk);
extern void udp_flush_pending_frames(struct sock *sk);
extern int udp_rcv(struct sk_buff *skb);
extern int udp_ioctl(struct sock *sk, int cmd, unsigned long arg);
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 9cf9102..79e528f 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2761,13 +2761,17 @@ static void cgroup_cfts_commit(struct
cgroup_subsys *ss, {
LIST_HEAD(pending);
struct cgroup *cgrp, *n;
+ struct super_block *sb = ss->root->sb;
/* %NULL @cfts indicates abort and don't bother if @ss isn't
attached */
- if (cfts && ss->root != &rootnode) {
+ if (cfts && ss->root != &rootnode &&
+ atomic_inc_not_zero(&sb->s_active)) {
list_for_each_entry(cgrp, &ss->root->allcg_list,
allcg_node) { dget(cgrp->dentry);
list_add_tail(&cgrp->cft_q_node, &pending);
}
+ } else {
+ sb = NULL;
}
mutex_unlock(&cgroup_mutex);
@@ -2790,6 +2794,9 @@ static void cgroup_cfts_commit(struct
cgroup_subsys *ss, dput(cgrp->dentry);
}
+ if (sb)
+ deactivate_super(sb);
+
mutex_unlock(&cgroup_cft_mutex);
}
diff --git a/kernel/events/core.c b/kernel/events/core.c
index b1a7801..18ab244b 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -723,8 +723,18 @@ perf_lock_task_context(struct task_struct *task,
int ctxn, unsigned long *flags) {
struct perf_event_context *ctx;
- rcu_read_lock();
retry:
+ /*
+ * One of the few rules of preemptible RCU is that one cannot
do
+ * rcu_read_unlock() while holding a scheduler (or nested)
lock when
+ * part of the read side critical section was preemptible --
see
+ * rcu_read_unlock_special().
+ *
+ * Since ctx->lock nests under rq->lock we must ensure the
entire read
+ * side critical section is non-preemptible.
+ */
+ preempt_disable();
+ rcu_read_lock();
ctx = rcu_dereference(task->perf_event_ctxp[ctxn]);
if (ctx) {
/*
@@ -740,6 +750,8 @@ retry:
raw_spin_lock_irqsave(&ctx->lock, *flags);
if (ctx !=
rcu_dereference(task->perf_event_ctxp[ctxn]))
{ raw_spin_unlock_irqrestore(&ctx->lock, *flags);
+ rcu_read_unlock();
+ preempt_enable();
goto retry;
}
@@ -749,6 +761,7 @@ retry:
}
}
rcu_read_unlock();
+ preempt_enable();
return ctx;
}
@@ -1708,7 +1721,16 @@ static int __perf_event_enable(void *info)
struct perf_cpu_context *cpuctx = __get_cpu_context(ctx);
int err;
- if (WARN_ON_ONCE(!ctx->is_active))
+ /*
+ * There's a time window between 'ctx->is_active' check
+ * in perf_event_enable function and this place having:
+ * - IRQs on
+ * - ctx->lock unlocked
+ *
+ * where the task could be killed and 'ctx' deactivated
+ * by perf_event_exit_task.
+ */
+ if (!ctx->is_active)
return -EINVAL;
raw_spin_lock(&ctx->lock);
@@ -7002,7 +7024,7 @@ inherit_task_group(struct perf_event *event,
struct task_struct *parent,
* child.
*/
- child_ctx = alloc_perf_context(event->pmu, child);
+ child_ctx = alloc_perf_context(parent_ctx->pmu, child);
if (!child_ctx)
return -ENOMEM;
diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
index e3999c2..e522f9a 100644
--- a/kernel/hrtimer.c
+++ b/kernel/hrtimer.c
@@ -719,17 +719,20 @@ static int hrtimer_switch_to_hres(void)
return 1;
}
+static void clock_was_set_work(struct work_struct *work)
+{
+ clock_was_set();
+}
+
+static DECLARE_WORK(hrtimer_work, clock_was_set_work);
+
/*
- * Called from timekeeping code to reprogramm the hrtimer interrupt
- * device. If called from the timer interrupt context we defer it to
- * softirq context.
+ * Called from timekeeping and resume code to reprogramm the hrtimer
+ * interrupt device on all cpus.
*/
void clock_was_set_delayed(void)
{
- struct hrtimer_cpu_base *cpu_base =
&__get_cpu_var(hrtimer_bases); -
- cpu_base->clock_was_set = 1;
- __raise_softirq_irqoff(HRTIMER_SOFTIRQ);
+ schedule_work(&hrtimer_work);
}
#else
@@ -779,8 +782,10 @@ void hrtimers_resume(void)
WARN_ONCE(!irqs_disabled(),
KERN_INFO "hrtimers_resume() called with IRQs
enabled!");
+ /* Retrigger on the local CPU */
retrigger_next_event(NULL);
- timerfd_clock_was_set();
+ /* And schedule a retrigger for all others */
+ clock_was_set_delayed();
}
static inline void timer_stats_hrtimer_set_start_info(struct hrtimer
*timer) @@ -1416,13 +1421,6 @@ void hrtimer_peek_ahead_timers(void)
static void run_hrtimer_softirq(struct softirq_action *h)
{
- struct hrtimer_cpu_base *cpu_base =
&__get_cpu_var(hrtimer_bases); -
- if (cpu_base->clock_was_set) {
- cpu_base->clock_was_set = 0;
- clock_was_set();
- }
-
hrtimer_peek_ahead_timers();
}
diff --git a/kernel/power/autosleep.c b/kernel/power/autosleep.c
index ca304046..ab79ecb 100644
--- a/kernel/power/autosleep.c
+++ b/kernel/power/autosleep.c
@@ -32,7 +32,8 @@ static void try_to_suspend(struct work_struct *work)
mutex_lock(&autosleep_lock);
- if (!pm_save_wakeup_count(initial_count)) {
+ if (!pm_save_wakeup_count(initial_count) ||
+ system_state != SYSTEM_RUNNING) {
mutex_unlock(&autosleep_lock);
goto out;
}
diff --git a/kernel/printk.c b/kernel/printk.c
index 2d3fc0e..74a3afb 100644
--- a/kernel/printk.c
+++ b/kernel/printk.c
@@ -1364,9 +1364,9 @@ static int console_trylock_for_printk(unsigned
int cpu) }
}
logbuf_cpu = UINT_MAX;
+ raw_spin_unlock(&logbuf_lock);
if (wake)
up(&console_sem);
- raw_spin_unlock(&logbuf_lock);
return retval;
}
diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c
index 239a323..f8961bf 100644
--- a/kernel/time/tick-broadcast.c
+++ b/kernel/time/tick-broadcast.c
@@ -400,7 +400,15 @@ void tick_check_oneshot_broadcast(int cpu)
if (cpumask_test_cpu(cpu,
to_cpumask(tick_broadcast_oneshot_mask))) { struct tick_device *td =
&per_cpu(tick_cpu_device, cpu);
- clockevents_set_mode(td->evtdev,
CLOCK_EVT_MODE_ONESHOT);
+ /*
+ * We might be in the middle of switching over from
+ * periodic to oneshot. If the CPU has not yet
+ * switched over, leave the device alone.
+ */
+ if (td->mode == TICKDEV_MODE_ONESHOT) {
+ clockevents_set_mode(td->evtdev,
+ CLOCK_EVT_MODE_ONESHOT);
+ }
}
}
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index a3e9083..0686c13 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3542,6 +3542,7 @@ waitagain:
memset(&iter->seq, 0,
sizeof(struct trace_iterator) -
offsetof(struct trace_iterator, seq));
+ cpumask_clear(iter->started);
iter->pos = -1;
trace_event_read_lock();
diff --git a/kernel/trace/trace_syscalls.c
b/kernel/trace/trace_syscalls.c index 6b245f64..52b2b9f 100644
--- a/kernel/trace/trace_syscalls.c
+++ b/kernel/trace/trace_syscalls.c
@@ -303,6 +303,8 @@ void ftrace_syscall_enter(void *ignore, struct
pt_regs *regs, long id) struct syscall_metadata *sys_data;
struct ring_buffer_event *event;
struct ring_buffer *buffer;
+ unsigned long irq_flags;
+ int pc;
int size;
int syscall_nr;
@@ -318,8 +320,11 @@ void ftrace_syscall_enter(void *ignore, struct
pt_regs *regs, long id)
size = sizeof(*entry) + sizeof(unsigned long) *
sys_data->nb_args;
+ local_save_flags(irq_flags);
+ pc = preempt_count();
+
event = trace_current_buffer_lock_reserve(&buffer,
- sys_data->enter_event->event.type, size, 0, 0);
+ sys_data->enter_event->event.type, size,
irq_flags, pc); if (!event)
return;
@@ -329,7 +334,8 @@ void ftrace_syscall_enter(void *ignore, struct
pt_regs *regs, long id)
if (!filter_current_check_discard(buffer,
sys_data->enter_event, entry, event))
- trace_current_buffer_unlock_commit(buffer, event, 0,
0);
+ trace_current_buffer_unlock_commit(buffer, event,
+ irq_flags, pc);
}
void ftrace_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
@@ -338,6 +344,8 @@ void ftrace_syscall_exit(void *ignore, struct
pt_regs *regs, long ret) struct syscall_metadata *sys_data;
struct ring_buffer_event *event;
struct ring_buffer *buffer;
+ unsigned long irq_flags;
+ int pc;
int syscall_nr;
syscall_nr = syscall_get_nr(current, regs);
@@ -350,8 +358,12 @@ void ftrace_syscall_exit(void *ignore, struct
pt_regs *regs, long ret) if (!sys_data)
return;
+ local_save_flags(irq_flags);
+ pc = preempt_count();
+
event = trace_current_buffer_lock_reserve(&buffer,
- sys_data->exit_event->event.type,
sizeof(*entry), 0, 0);
+ sys_data->exit_event->event.type,
sizeof(*entry),
+ irq_flags, pc);
if (!event)
return;
@@ -361,7 +373,8 @@ void ftrace_syscall_exit(void *ignore, struct
pt_regs *regs, long ret)
if (!filter_current_check_discard(buffer, sys_data->exit_event,
entry, event))
- trace_current_buffer_unlock_commit(buffer, event, 0,
0);
+ trace_current_buffer_unlock_commit(buffer, event,
+ irq_flags, pc);
}
int reg_event_syscall_enter(struct ftrace_event_call *call)
diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
index 03003cd..77dccfc 100644
--- a/kernel/trace/trace_uprobe.c
+++ b/kernel/trace/trace_uprobe.c
@@ -243,8 +243,10 @@ static int create_trace_uprobe(int argc, char
**argv) return -EINVAL;
}
arg = strchr(argv[1], ':');
- if (!arg)
+ if (!arg) {
+ ret = -EINVAL;
goto fail_address_parse;
+ }
*arg++ = '\0';
filename = argv[1];
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index a74dc5b..5242e83 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -39,6 +39,9 @@ int create_user_ns(struct cred *new)
kuid_t owner = new->euid;
kgid_t group = new->egid;
+ if (parent_ns->level > 32)
+ return -EUSERS;
+
/*
* Verify that we can not violate the policy of which files
* may be accessed that is specified by the root directory,
@@ -62,6 +65,7 @@ int create_user_ns(struct cred *new)
kref_init(&ns->kref);
ns->parent = parent_ns;
+ ns->level = parent_ns->level + 1;
ns->owner = owner;
ns->group = group;
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 0352a81..ce44f31 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -2105,6 +2105,15 @@ __acquires(&gcwq->lock)
dump_stack();
}
+ /*
+ * The following prevents a kworker from hogging CPU
on !PREEMPT
+ * kernels, where a requeueing work item waiting for something
to
+ * happen could deadlock with stop_machine as such work item
could
+ * indefinitely requeue itself while all other CPUs are
trapped in
+ * stop_machine.
+ */
+ cond_resched();
+
spin_lock_irq(&gcwq->lock);
/* clear cpu intensive status */
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 2403a63..89a657a 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1242,7 +1242,7 @@ config FAULT_INJECTION_STACKTRACE_FILTER
depends on FAULT_INJECTION_DEBUG_FS && STACKTRACE_SUPPORT
depends on !X86_64
select STACKTRACE
- select FRAME_POINTER if !PPC && !S390 && !MICROBLAZE
&& !ARM_UNWIND
+ select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
&& !ARM_UNWIND help
Provide stacktrace filter for fault-injection capabilities
diff --git a/mm/memory.c b/mm/memory.c
index 06ff7fb..e526880 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1106,6 +1106,7 @@ static unsigned long zap_pte_range(struct
mmu_gather *tlb, spinlock_t *ptl;
pte_t *start_pte;
pte_t *pte;
+ unsigned long range_start = addr;
again:
init_rss_vec(rss);
@@ -1211,12 +1212,14 @@ again:
force_flush = 0;
#ifdef HAVE_GENERIC_MMU_GATHER
- tlb->start = addr;
- tlb->end = end;
+ tlb->start = range_start;
+ tlb->end = addr;
#endif
tlb_flush_mmu(tlb);
- if (addr != end)
+ if (addr != end) {
+ range_start = addr;
goto again;
+ }
}
return addr;
diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index fe29a64..d5f07cb 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -8,7 +8,7 @@
bool vlan_do_receive(struct sk_buff **skbp)
{
struct sk_buff *skb = *skbp;
- u16 vlan_id = skb->vlan_tci & VLAN_VID_MASK;
+ u16 vlan_id = vlan_tx_tag_get_id(skb);
struct net_device *vlan_dev;
struct vlan_pcpu_stats *rx_stats;
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index a841735..52457f5 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -73,6 +73,8 @@ vlan_dev_get_egress_qos_mask(struct net_device *dev,
struct sk_buff *skb) {
struct vlan_priority_tci_mapping *mp;
+ smp_rmb(); /* coupled with smp_wmb() in
vlan_dev_set_egress_priority() */ +
mp = vlan_dev_priv(dev)->egress_priority_map[(skb->priority &
0xF)]; while (mp) {
if (mp->priority == skb->priority) {
@@ -248,6 +250,11 @@ int vlan_dev_set_egress_priority(const struct
net_device *dev, np->next = mp;
np->priority = skb_prio;
np->vlan_qos = vlan_qos;
+ /* Before inserting this element in hash table, make sure all
its fields
+ * are committed to memory.
+ * coupled with smp_rmb() in vlan_dev_get_egress_qos_mask()
+ */
+ smp_wmb();
vlan->egress_priority_map[skb_prio & 0xF] = np;
if (vlan_qos)
vlan->nr_egress_mappings++;
diff --git a/net/9p/trans_common.c b/net/9p/trans_common.c
index de8df957..2ee3879 100644
--- a/net/9p/trans_common.c
+++ b/net/9p/trans_common.c
@@ -24,11 +24,11 @@
*/
void p9_release_pages(struct page **pages, int nr_pages)
{
- int i = 0;
- while (pages[i] && nr_pages--) {
- put_page(pages[i]);
- i++;
- }
+ int i;
+
+ for (i = 0; i < nr_pages; i++)
+ if (pages[i])
+ put_page(pages[i]);
}
EXPORT_SYMBOL(p9_release_pages);
diff --git a/net/core/dev.c b/net/core/dev.c
index 9b5e388..1012a02 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3317,8 +3317,15 @@ ncls:
}
}
- if (vlan_tx_nonzero_tag_present(skb))
- skb->pkt_type = PACKET_OTHERHOST;
+ if (unlikely(vlan_tx_tag_present(skb))) {
+ if (vlan_tx_tag_get_id(skb))
+ skb->pkt_type = PACKET_OTHERHOST;
+ /* Note: we might in the future use prio bits
+ * and set skb->priority like in vlan_do_receive()
+ * For the time being, just ignore Priority Code Point
+ */
+ skb->vlan_tci = 0;
+ }
/* deliver only exact match when indicated */
null_or_dev = deliver_exact ? skb->dev : NULL;
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 058bb1e..f7ffed1 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -239,7 +239,7 @@ static void neigh_flush_dev(struct neigh_table
*tbl, struct net_device *dev) we must kill timers etc. and move
it to safe state.
*/
- skb_queue_purge(&n->arp_queue);
+ __skb_queue_purge(&n->arp_queue);
n->arp_queue_len_bytes = 0;
n->output = neigh_blackhole;
if (n->nud_state & NUD_VALID)
@@ -302,7 +302,7 @@ static struct neighbour *neigh_alloc(struct
neigh_table *tbl, struct net_device if (!n)
goto out_entries;
- skb_queue_head_init(&n->arp_queue);
+ __skb_queue_head_init(&n->arp_queue);
rwlock_init(&n->lock);
seqlock_init(&n->ha_lock);
n->updated = n->used = now;
@@ -724,7 +724,9 @@ void neigh_destroy(struct neighbour *neigh)
if (neigh_del_timer(neigh))
pr_warn("Impossible event\n");
- skb_queue_purge(&neigh->arp_queue);
+ write_lock_bh(&neigh->lock);
+ __skb_queue_purge(&neigh->arp_queue);
+ write_unlock_bh(&neigh->lock);
neigh->arp_queue_len_bytes = 0;
if (dev->netdev_ops->ndo_neigh_destroy)
@@ -870,7 +872,7 @@ static void neigh_invalidate(struct neighbour
*neigh) neigh->ops->error_report(neigh, skb);
write_lock(&neigh->lock);
}
- skb_queue_purge(&neigh->arp_queue);
+ __skb_queue_purge(&neigh->arp_queue);
neigh->arp_queue_len_bytes = 0;
}
@@ -1222,7 +1224,7 @@ int neigh_update(struct neighbour *neigh, const
u8 *lladdr, u8 new,
write_lock_bh(&neigh->lock);
}
- skb_queue_purge(&neigh->arp_queue);
+ __skb_queue_purge(&neigh->arp_queue);
neigh->arp_queue_len_bytes = 0;
}
out:
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 043139d01..eaad7a7 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -505,7 +505,7 @@ static void skb_release_data(struct sk_buff *skb)
uarg = skb_shinfo(skb)->destructor_arg;
if (uarg->callback)
- uarg->callback(uarg);
+ uarg->callback(uarg, true);
}
if (skb_has_frag_list(skb))
@@ -783,7 +783,7 @@ int skb_copy_ubufs(struct sk_buff *skb, gfp_t
gfp_mask) for (i = 0; i < num_frags; i++)
skb_frag_unref(skb, i);
- uarg->callback(uarg);
+ uarg->callback(uarg, false);
/* skb frags point to kernel buffers */
for (i = num_frags - 1; i >= 0; i--) {
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index bf89b21..ab37b31 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -664,17 +664,10 @@ static int __net_init vti_fb_tunnel_init(struct
net_device *dev) struct iphdr *iph = &tunnel->parms.iph;
struct vti_net *ipn = net_generic(dev_net(dev), vti_net_id);
- tunnel->dev = dev;
- strcpy(tunnel->parms.name, dev->name);
-
iph->version = 4;
iph->protocol = IPPROTO_IPIP;
iph->ihl = 5;
- dev->tstats = alloc_percpu(struct pcpu_tstats);
- if (!dev->tstats)
- return -ENOMEM;
-
dev_hold(dev);
rcu_assign_pointer(ipn->tunnels_wc[0], tunnel);
return 0;
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 1b5ce96..335f18d 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -35,6 +35,8 @@ static int tcp_adv_win_scale_min = -31;
static int tcp_adv_win_scale_max = 31;
static int ip_ttl_min = 1;
static int ip_ttl_max = 255;
+static int tcp_syn_retries_min = 1;
+static int tcp_syn_retries_max = MAX_TCP_SYNCNT;
static int ip_ping_group_range_min[] = { 0, 0 };
static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
@@ -277,7 +279,9 @@ static struct ctl_table ipv4_table[] = {
.data = &sysctl_tcp_syn_retries,
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &tcp_syn_retries_min,
+ .extra2 = &tcp_syn_retries_max
},
{
.procname = "tcp_synack_retries",
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index ee4b36a..79336ce 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -774,7 +774,7 @@ send:
/*
* Push out all pending data as one UDP datagram. Socket is locked.
*/
-static int udp_push_pending_frames(struct sock *sk)
+int udp_push_pending_frames(struct sock *sk)
{
struct udp_sock *up = udp_sk(sk);
struct inet_sock *inet = inet_sk(sk);
@@ -793,6 +793,7 @@ out:
up->pending = 0;
return err;
}
+EXPORT_SYMBOL(udp_push_pending_frames);
int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr
*msg, size_t len)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index a26d44c..c088717 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1182,11 +1182,12 @@ static inline struct ipv6_rt_hdr
*ip6_rthdr_dup(struct ipv6_rt_hdr *src, return src ? kmemdup(src,
(src->hdrlen + 1) * 8, gfp) : NULL; }
-static void ip6_append_data_mtu(int *mtu,
+static void ip6_append_data_mtu(unsigned int *mtu,
int *maxfraglen,
unsigned int fragheaderlen,
struct sk_buff *skb,
- struct rt6_info *rt)
+ struct rt6_info *rt,
+ bool pmtuprobe)
{
if (!(rt->dst.flags & DST_XFRM_TUNNEL)) {
if (skb == NULL) {
@@ -1198,7 +1199,9 @@ static void ip6_append_data_mtu(int *mtu,
* this fragment is not first, the headers
* space is regarded as data space.
*/
- *mtu = dst_mtu(rt->dst.path);
+ *mtu = min(*mtu, pmtuprobe ?
+ rt->dst.dev->mtu :
+ dst_mtu(rt->dst.path));
}
*maxfraglen = ((*mtu - fragheaderlen) & ~7)
+ fragheaderlen - sizeof(struct
frag_hdr); @@ -1215,11 +1218,10 @@ int ip6_append_data(struct sock *sk,
int getfrag(void *from, char *to, struct ipv6_pinfo *np = inet6_sk(sk);
struct inet_cork *cork;
struct sk_buff *skb, *skb_prev = NULL;
- unsigned int maxfraglen, fragheaderlen;
+ unsigned int maxfraglen, fragheaderlen, mtu;
int exthdrlen;
int dst_exthdrlen;
int hh_len;
- int mtu;
int copy;
int err;
int offset = 0;
@@ -1381,7 +1383,9 @@ alloc_new_skb:
/* update mtu and maxfraglen if necessary */
if (skb == NULL || skb_prev == NULL)
ip6_append_data_mtu(&mtu, &maxfraglen,
- fragheaderlen,
skb, rt);
+ fragheaderlen,
skb, rt,
+ np->pmtudisc ==
+
IPV6_PMTUDISC_PROBE);
skb_prev = skb;
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 4532973..964e3ae 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -256,10 +256,12 @@ static void __net_exit ip6mr_rules_exit(struct
net *net) {
struct mr6_table *mrt, *next;
+ rtnl_lock();
list_for_each_entry_safe(mrt, next, &net->ipv6.mr6_tables,
list) { list_del(&mrt->list);
ip6mr_free_table(mrt);
}
+ rtnl_unlock();
fib_rules_unregister(net->ipv6.mr6_rules_ops);
}
#else
@@ -286,7 +288,10 @@ static int __net_init ip6mr_rules_init(struct net
*net)
static void __net_exit ip6mr_rules_exit(struct net *net)
{
+ rtnl_lock();
ip6mr_free_table(net->ipv6.mrt6);
+ net->ipv6.mrt6 = NULL;
+ rtnl_unlock();
}
#endif
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 103880b..bba556f 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1076,10 +1076,13 @@ static void ip6_link_failure(struct sk_buff
*skb)
rt = (struct rt6_info *) skb_dst(skb);
if (rt) {
- if (rt->rt6i_flags & RTF_CACHE)
- rt6_update_expires(rt, 0);
- else if (rt->rt6i_node && (rt->rt6i_flags &
RTF_DEFAULT))
+ if (rt->rt6i_flags & RTF_CACHE) {
+ dst_hold(&rt->dst);
+ if (ip6_del_rt(rt))
+ dst_free(&rt->dst);
+ } else if (rt->rt6i_node && (rt->rt6i_flags &
RTF_DEFAULT)) { rt->rt6i_node->fn_sernum = -1;
+ }
}
}
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 08a1878..4328d31 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -955,11 +955,16 @@ static int udp_v6_push_pending_frames(struct sock
*sk) struct udphdr *uh;
struct udp_sock *up = udp_sk(sk);
struct inet_sock *inet = inet_sk(sk);
- struct flowi6 *fl6 = &inet->cork.fl.u.ip6;
+ struct flowi6 *fl6;
int err = 0;
int is_udplite = IS_UDPLITE(sk);
__wsum csum = 0;
+ if (up->pending == AF_INET)
+ return udp_push_pending_frames(sk);
+
+ fl6 = &inet->cork.fl.u.ip6;
+
/* Grab the skbuff where UDP header space exists. */
if ((skb = skb_peek(&sk->sk_write_queue)) == NULL)
goto out;
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 34e4185..5c6b2f0 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2072,6 +2072,7 @@ static int pfkey_xfrm_policy2msg(struct sk_buff
*skb, const struct xfrm_policy * pol->sadb_x_policy_type =
IPSEC_POLICY_NONE; }
pol->sadb_x_policy_dir = dir+1;
+ pol->sadb_x_policy_reserved = 0;
pol->sadb_x_policy_id = xp->index;
pol->sadb_x_policy_priority = xp->priority;
@@ -3106,7 +3107,9 @@ static int pfkey_send_acquire(struct xfrm_state
*x, struct xfrm_tmpl *t, struct pol->sadb_x_policy_exttype =
SADB_X_EXT_POLICY; pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
pol->sadb_x_policy_dir = dir+1;
+ pol->sadb_x_policy_reserved = 0;
pol->sadb_x_policy_id = xp->index;
+ pol->sadb_x_policy_priority = xp->priority;
/* Set sadb_comb's. */
if (x->id.proto == IPPROTO_AH)
@@ -3494,6 +3497,7 @@ static int pfkey_send_migrate(const struct
xfrm_selector *sel, u8 dir, u8 type, pol->sadb_x_policy_exttype =
SADB_X_EXT_POLICY; pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
pol->sadb_x_policy_dir = dir + 1;
+ pol->sadb_x_policy_reserved = 0;
pol->sadb_x_policy_id = 0;
pol->sadb_x_policy_priority = 0;
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 955195c..feca60c 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1837,7 +1837,8 @@ static const struct proto_ops pppol2tp_ops = {
static const struct pppox_proto pppol2tp_proto = {
.create = pppol2tp_create,
- .ioctl = pppol2tp_ioctl
+ .ioctl = pppol2tp_ioctl,
+ .owner = THIS_MODULE,
};
#ifdef CONFIG_L2TP_V3
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index bb8d96b..cf9523e 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -554,6 +554,8 @@ static void ieee80211_get_et_stats(struct wiphy
*wiphy, if (sta->sdata->dev != dev)
continue;
+ sinfo.filled = 0;
+ sta_set_sinfo(sta, &sinfo);
i = 0;
ADD_STA_STATS(sta);
}
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index bd11c1c..56515ef 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -805,8 +805,14 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
struct ieee80211_hdr *hdr = (struct ieee80211_hdr
*)rx->skb->data; struct ieee80211_rx_status *status =
IEEE80211_SKB_RXCB(rx->skb);
- /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap.
9.2.9) */
- if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) {
+ /*
+ * Drop duplicate 802.11 retransmissions
+ * (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and
recovery")
+ */
+ if (rx->skb->len >= 24 && rx->sta &&
+ !ieee80211_is_ctl(hdr->frame_control) &&
+ !ieee80211_is_qos_nullfunc(hdr->frame_control) &&
+ !is_multicast_ether_addr(hdr->addr1)) {
if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
rx->sta->last_seq_ctrl[rx->seqno_idx] ==
hdr->seq_ctrl)) {
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index 42556ce..17e7104 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -749,6 +749,10 @@ static int ctrl_dumpfamily(struct sk_buff *skb,
struct netlink_callback *cb) struct net *net = sock_net(skb->sk);
int chains_to_skip = cb->args[0];
int fams_to_skip = cb->args[1];
+ bool need_locking = chains_to_skip || fams_to_skip;
+
+ if (need_locking)
+ genl_lock();
for (i = chains_to_skip; i < GENL_FAM_TAB_SIZE; i++) {
n = 0;
@@ -770,6 +774,9 @@ errout:
cb->args[0] = i;
cb->args[1] = n;
+ if (need_locking)
+ genl_unlock();
+
return skb->len;
}
diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c
index ca8e0a5..1f9c314 100644
--- a/net/sched/sch_atm.c
+++ b/net/sched/sch_atm.c
@@ -605,6 +605,7 @@ static int atm_tc_dump_class(struct Qdisc *sch,
unsigned long cl, struct sockaddr_atmpvc pvc;
int state;
+ memset(&pvc, 0, sizeof(pvc));
pvc.sap_family = AF_ATMPVC;
pvc.sap_addr.itf = flow->vcc->dev ?
flow->vcc->dev->number : -1; pvc.sap_addr.vpi = flow->vcc->vpi;
diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c
index 611d5e9..823f07f 100644
--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -1469,6 +1469,7 @@ static int cbq_dump_wrr(struct sk_buff *skb,
struct cbq_class *cl) unsigned char *b = skb_tail_pointer(skb);
struct tc_cbq_wrropt opt;
+ memset(&opt, 0, sizeof(opt));
opt.flags = 0;
opt.allot = cl->allot;
opt.priority = cl->priority + 1;
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index 998aa8c..da0980a 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -963,7 +963,10 @@ static void svc_tcp_clear_pages(struct svc_sock
*svsk) len = svsk->sk_tcplen - sizeof(rpc_fraghdr);
npages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
for (i = 0; i < npages; i++) {
- BUG_ON(svsk->sk_pages[i] == NULL);
+ if (svsk->sk_pages[i] == NULL) {
+ WARN_ON_ONCE(1);
+ continue;
+ }
put_page(svsk->sk_pages[i]);
svsk->sk_pages[i] = NULL;
}
diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index 0afba1b..7e99acd 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -207,10 +207,13 @@ _shift_data_right_pages(struct page **pages,
size_t pgto_base, pgfrom_base -= copy;
vto = kmap_atomic(*pgto);
- vfrom = kmap_atomic(*pgfrom);
- memmove(vto + pgto_base, vfrom + pgfrom_base, copy);
+ if (*pgto != *pgfrom) {
+ vfrom = kmap_atomic(*pgfrom);
+ memcpy(vto + pgto_base, vfrom + pgfrom_base,
copy);
+ kunmap_atomic(vfrom);
+ } else
+ memmove(vto + pgto_base, vto + pgfrom_base,
copy); flush_dcache_page(*pgto);
- kunmap_atomic(vfrom);
kunmap_atomic(vto);
} while ((len -= copy) != 0);
diff --git a/net/sunrpc/xprtrdma/svc_rdma_marshal.c
b/net/sunrpc/xprtrdma/svc_rdma_marshal.c index 8d2eddd..65b1462 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_marshal.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_marshal.c
@@ -98,6 +98,7 @@ void svc_rdma_rcl_chunk_counts(struct
rpcrdma_read_chunk *ch, */
static u32 *decode_write_list(u32 *va, u32 *vaend)
{
+ unsigned long start, end;
int nchunks;
struct rpcrdma_write_array *ary =
@@ -113,9 +114,12 @@ static u32 *decode_write_list(u32 *va, u32 *vaend)
return NULL;
}
nchunks = ntohl(ary->wc_nchunks);
- if (((unsigned long)&ary->wc_array[0] +
- (sizeof(struct rpcrdma_write_chunk) * nchunks)) >
- (unsigned long)vaend) {
+
+ start = (unsigned long)&ary->wc_array[0];
+ end = (unsigned long)vaend;
+ if (nchunks < 0 ||
+ nchunks > (SIZE_MAX - start) / sizeof(struct
rpcrdma_write_chunk) ||
+ (start + (sizeof(struct rpcrdma_write_chunk) * nchunks)) >
end) { dprintk("svcrdma: ary=%p, wc_nchunks=%d, vaend=%p\n",
ary, nchunks, vaend);
return NULL;
@@ -129,6 +133,7 @@ static u32 *decode_write_list(u32 *va, u32 *vaend)
static u32 *decode_reply_array(u32 *va, u32 *vaend)
{
+ unsigned long start, end;
int nchunks;
struct rpcrdma_write_array *ary =
(struct rpcrdma_write_array *)va;
@@ -143,9 +148,12 @@ static u32 *decode_reply_array(u32 *va, u32 *vaend)
return NULL;
}
nchunks = ntohl(ary->wc_nchunks);
- if (((unsigned long)&ary->wc_array[0] +
- (sizeof(struct rpcrdma_write_chunk) * nchunks)) >
- (unsigned long)vaend) {
+
+ start = (unsigned long)&ary->wc_array[0];
+ end = (unsigned long)vaend;
+ if (nchunks < 0 ||
+ nchunks > (SIZE_MAX - start) / sizeof(struct
rpcrdma_write_chunk) ||
+ (start + (sizeof(struct rpcrdma_write_chunk) * nchunks)) >
end) { dprintk("svcrdma: ary=%p, wc_nchunks=%d, vaend=%p\n",
ary, nchunks, vaend);
return NULL;
diff --git a/net/wireless/core.c b/net/wireless/core.c
index a10901b..250e0a6 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -846,6 +846,7 @@ static int cfg80211_netdev_notifier_call(struct
notifier_block *nb, cfg80211_leave_mesh(rdev, dev);
break;
case NL80211_IFTYPE_AP:
+ case NL80211_IFTYPE_P2P_GO:
cfg80211_stop_ap(rdev, dev);
break;
default:
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 1e37dbf..79ad33d 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -5542,12 +5542,14 @@
EXPORT_SYMBOL(cfg80211_testmode_alloc_event_skb);
void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp)
{
+ struct cfg80211_registered_device *rdev = ((void
**)skb->cb)[0]; void *hdr = ((void **)skb->cb)[1];
struct nlattr *data = ((void **)skb->cb)[2];
nla_nest_end(skb, data);
genlmsg_end(skb, hdr);
- genlmsg_multicast(skb, 0, nl80211_testmode_mcgrp.id, gfp);
+ genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), skb, 0,
+ nl80211_testmode_mcgrp.id, gfp);
}
EXPORT_SYMBOL(cfg80211_testmode_event);
#endif
@@ -8378,7 +8380,8 @@ void nl80211_send_mgmt_tx_status(struct
cfg80211_registered_device *rdev,
genlmsg_end(msg, hdr);
- genlmsg_multicast(msg, 0, nl80211_mlme_mcgrp.id, gfp);
+ genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
+ nl80211_mlme_mcgrp.id, gfp);
return;
nla_put_failure:
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index a306bc6..b943e3e 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -1586,11 +1586,11 @@ out_cud_release:
case SIOCX25CALLACCPTAPPRV: {
rc = -EINVAL;
lock_sock(sk);
- if (sk->sk_state != TCP_CLOSE)
- break;
- clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
+ if (sk->sk_state == TCP_CLOSE) {
+ clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
+ rc = 0;
+ }
release_sock(sk);
- rc = 0;
break;
}
@@ -1598,14 +1598,15 @@ out_cud_release:
rc = -EINVAL;
lock_sock(sk);
if (sk->sk_state != TCP_ESTABLISHED)
- break;
+ goto out_sendcallaccpt_release;
/* must call accptapprv above */
if (test_bit(X25_ACCPT_APPRV_FLAG, &x25->flags))
- break;
+ goto out_sendcallaccpt_release;
x25_write_internal(sk, X25_CALL_ACCEPTED);
x25->state = X25_STATE_3;
- release_sock(sk);
rc = 0;
+out_sendcallaccpt_release:
+ release_sock(sk);
break;
}
diff --git a/sound/arm/pxa2xx-pcm-lib.c b/sound/arm/pxa2xx-pcm-lib.c
index 76e0d56..823359e 100644
--- a/sound/arm/pxa2xx-pcm-lib.c
+++ b/sound/arm/pxa2xx-pcm-lib.c
@@ -166,7 +166,9 @@ void pxa2xx_pcm_dma_irq(int dma_ch, void *dev_id)
} else {
printk(KERN_ERR "%s: DMA error on channel %d
(DCSR=%#x)\n", rtd->params->name, dma_ch, dcsr);
+ snd_pcm_stream_lock(substream);
snd_pcm_stop(substream, SNDRV_PCM_STATE_XRUN);
+ snd_pcm_stream_unlock(substream);
}
}
EXPORT_SYMBOL(pxa2xx_pcm_dma_irq);
diff --git a/sound/core/compress_offload.c
b/sound/core/compress_offload.c index d5103f7..20f55e2 100644
--- a/sound/core/compress_offload.c
+++ b/sound/core/compress_offload.c
@@ -582,7 +582,7 @@ static long snd_compr_ioctl(struct file *f,
unsigned int cmd, unsigned long arg) mutex_lock(&stream->device->lock);
switch (_IOC_NR(cmd)) {
case _IOC_NR(SNDRV_COMPRESS_IOCTL_VERSION):
- put_user(SNDRV_COMPRESS_VERSION,
+ retval = put_user(SNDRV_COMPRESS_VERSION,
(int __user *)arg) ? -EFAULT : 0;
break;
case _IOC_NR(SNDRV_COMPRESS_GET_CAPS):
diff --git a/sound/core/seq/oss/seq_oss_init.c
b/sound/core/seq/oss/seq_oss_init.c index e3cb46f..b3f39b5 100644
--- a/sound/core/seq/oss/seq_oss_init.c
+++ b/sound/core/seq/oss/seq_oss_init.c
@@ -31,6 +31,7 @@
#include <linux/export.h>
#include <linux/moduleparam.h>
#include <linux/slab.h>
+#include <linux/workqueue.h>
/*
* common variables
@@ -60,6 +61,14 @@ static void free_devinfo(void *private);
#define call_ctl(type,rec) snd_seq_kernel_client_ctl(system_client,
type, rec)
+/* call snd_seq_oss_midi_lookup_ports() asynchronously */
+static void async_call_lookup_ports(struct work_struct *work)
+{
+ snd_seq_oss_midi_lookup_ports(system_client);
+}
+
+static DECLARE_WORK(async_lookup_work, async_call_lookup_ports);
+
/*
* create sequencer client for OSS sequencer
*/
@@ -85,9 +94,6 @@ snd_seq_oss_create_client(void)
system_client = rc;
debug_printk(("new client = %d\n", rc));
- /* look up midi devices */
- snd_seq_oss_midi_lookup_ports(system_client);
-
/* create annoucement receiver port */
memset(port, 0, sizeof(*port));
strcpy(port->name, "Receiver");
@@ -115,6 +121,9 @@ snd_seq_oss_create_client(void)
}
rc = 0;
+ /* look up midi devices */
+ schedule_work(&async_lookup_work);
+
__error:
kfree(port);
return rc;
@@ -160,6 +169,7 @@ receive_announce(struct snd_seq_event *ev, int
direct, void *private, int atomic int
snd_seq_oss_delete_client(void)
{
+ cancel_work_sync(&async_lookup_work);
if (system_client >= 0)
snd_seq_delete_kernel_client(system_client);
diff --git a/sound/core/seq/oss/seq_oss_midi.c
b/sound/core/seq/oss/seq_oss_midi.c index 677dc84..862d8489 100644
--- a/sound/core/seq/oss/seq_oss_midi.c
+++ b/sound/core/seq/oss/seq_oss_midi.c
@@ -72,7 +72,7 @@ static int send_midi_event(struct seq_oss_devinfo
*dp, struct snd_seq_event *ev,
* look up the existing ports
* this looks a very exhausting job.
*/
-int __init
+int
snd_seq_oss_midi_lookup_ports(int client)
{
struct snd_seq_client_info *clinfo;
diff --git a/sound/isa/opti9xx/opti92x-ad1848.c
b/sound/isa/opti9xx/opti92x-ad1848.c index f8fbe22..e7ec347 100644
--- a/sound/isa/opti9xx/opti92x-ad1848.c
+++ b/sound/isa/opti9xx/opti92x-ad1848.c
@@ -172,11 +172,7 @@ MODULE_DEVICE_TABLE(pnp_card, snd_opti9xx_pnpids);
#endif /* CONFIG_PNP */
-#ifdef OPTi93X
-#define DEV_NAME "opti93x"
-#else
-#define DEV_NAME "opti92x"
-#endif
+#define DEV_NAME KBUILD_MODNAME
static char * snd_opti9xx_names[] = {
"unknown",
@@ -1180,7 +1176,7 @@ static int snd_opti9xx_pnp_resume(struct
pnp_card_link *pcard)
static struct pnp_card_driver opti9xx_pnpc_driver = {
.flags = PNP_DRIVER_RES_DISABLE,
- .name = "opti9xx",
+ .name = DEV_NAME,
.id_table = snd_opti9xx_pnpids,
.probe = snd_opti9xx_pnp_probe,
.remove = __devexit_p(snd_opti9xx_pnp_remove),
diff --git a/sound/pci/asihpi/asihpi.c b/sound/pci/asihpi/asihpi.c
index e8de831..05093bd 100644
--- a/sound/pci/asihpi/asihpi.c
+++ b/sound/pci/asihpi/asihpi.c
@@ -769,7 +769,10 @@ static void
snd_card_asihpi_timer_function(unsigned long data) s->number);
ds->drained_count++;
if (ds->drained_count > 20) {
+ unsigned long flags;
+ snd_pcm_stream_lock_irqsave(s,
flags); snd_pcm_stop(s, SNDRV_PCM_STATE_XRUN);
+
snd_pcm_stream_unlock_irqrestore(s, flags); continue;
}
} else {
diff --git a/sound/pci/atiixp.c b/sound/pci/atiixp.c
index 31020d2..1231353 100644
--- a/sound/pci/atiixp.c
+++ b/sound/pci/atiixp.c
@@ -688,7 +688,9 @@ static void snd_atiixp_xrun_dma(struct atiixp
*chip, struct atiixp_dma *dma) if (! dma->substream || ! dma->running)
return;
snd_printdd("atiixp: XRUN detected (DMA %d)\n",
dma->ops->type);
+ snd_pcm_stream_lock(dma->substream);
snd_pcm_stop(dma->substream, SNDRV_PCM_STATE_XRUN);
+ snd_pcm_stream_unlock(dma->substream);
}
/*
diff --git a/sound/pci/atiixp_modem.c b/sound/pci/atiixp_modem.c
index 79e204e..3662140 100644
--- a/sound/pci/atiixp_modem.c
+++ b/sound/pci/atiixp_modem.c
@@ -638,7 +638,9 @@ static void snd_atiixp_xrun_dma(struct atiixp_modem
*chip, if (! dma->substream || ! dma->running)
return;
snd_printdd("atiixp-modem: XRUN detected (DMA %d)\n",
dma->ops->type);
+ snd_pcm_stream_lock(dma->substream);
snd_pcm_stop(dma->substream, SNDRV_PCM_STATE_XRUN);
+ snd_pcm_stream_unlock(dma->substream);
}
/*
diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
index 8f23374..80a86b3 100644
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -908,7 +908,7 @@ static int hdmi_pcm_open(struct hda_pcm_stream
*hinfo, per_cvt->assigned = 1;
hinfo->nid = per_cvt->cvt_nid;
- snd_hda_codec_write(codec, per_pin->pin_nid, 0,
+ snd_hda_codec_write_cache(codec, per_pin->pin_nid, 0,
AC_VERB_SET_CONNECT_SEL,
mux_idx);
snd_hda_spdif_ctls_assign(codec, pin_idx, per_cvt->cvt_nid);
@@ -1921,6 +1921,7 @@ static const struct hda_codec_preset
snd_hda_preset_hdmi[] = { { .id = 0x10de0043, .name = "GPU 43
HDMI/DP", .patch = patch_generic_hdmi }, { .id =
0x10de0044, .name = "GPU 44 HDMI/DP", .patch =
patch_generic_hdmi }, { .id = 0x10de0051, .name = "GPU 51
HDMI/DP", .patch = patch_generic_hdmi }, +{ .id =
0x10de0060, .name = "GPU 60 HDMI/DP", .patch =
patch_generic_hdmi }, { .id = 0x10de0067, .name = "MCP67
HDMI", .patch = patch_nvhdmi_2ch }, { .id = 0x10de8001, .name =
"MCP73 HDMI", .patch = patch_nvhdmi_2ch }, { .id =
0x11069f80, .name = "VX900 HDMI/DP", .patch = patch_via_hdmi },
@@ -1973,6 +1974,7 @@ MODULE_ALIAS("snd-hda-codec-id:10de0042");
MODULE_ALIAS("snd-hda-codec-id:10de0043");
MODULE_ALIAS("snd-hda-codec-id:10de0044");
MODULE_ALIAS("snd-hda-codec-id:10de0051");
+MODULE_ALIAS("snd-hda-codec-id:10de0060");
MODULE_ALIAS("snd-hda-codec-id:10de0067");
MODULE_ALIAS("snd-hda-codec-id:10de8001");
MODULE_ALIAS("snd-hda-codec-id:11069f80"); diff --git
a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index
dd7f1db..d0bbdf9 100644 --- a/sound/pci/hda/patch_realtek.c +++
b/sound/pci/hda/patch_realtek.c @@ -6860,9 +6860,11 @@ static const
struct alc_fixup alc662_fixups[] = { static const struct snd_pci_quirk
alc662_fixup_tbl[] = { SND_PCI_QUIRK(0x1019, 0x9087, "ECS",
ALC662_FIXUP_ASUS_MODE2),
+ SND_PCI_QUIRK(0x1025, 0x022f, "Acer Aspire One",
ALC662_FIXUP_INV_DMIC), SND_PCI_QUIRK(0x1025, 0x0308, "Acer Aspire
8942G", ALC662_FIXUP_ASPIRE), SND_PCI_QUIRK(0x1025, 0x031c, "Gateway
NV79", ALC662_FIXUP_SKU_IGNORE), SND_PCI_QUIRK(0x1025, 0x0349,
"eMachines eM250", ALC662_FIXUP_INV_DMIC),
+ SND_PCI_QUIRK(0x1025, 0x034a, "Gateway LT27",
ALC662_FIXUP_INV_DMIC), SND_PCI_QUIRK(0x1025, 0x038b, "Acer Aspire
8943G", ALC662_FIXUP_ASPIRE), SND_PCI_QUIRK(0x103c, 0x1632, "HP
RP5800", ALC662_FIXUP_HP_RP5800), SND_PCI_QUIRK(0x1043, 0x8469, "ASUS
mobo", ALC662_FIXUP_NO_JACK_DETECT), diff --git
a/sound/soc/codecs/cs42l52.c b/sound/soc/codecs/cs42l52.c index
d34aa42..c05e6b2 100644 --- a/sound/soc/codecs/cs42l52.c
+++ b/sound/soc/codecs/cs42l52.c
@@ -450,7 +450,7 @@ static const struct snd_kcontrol_new
cs42l52_snd_controls[] = { SOC_ENUM("Beep Pitch", beep_pitch_enum),
SOC_ENUM("Beep on Time", beep_ontime_enum),
SOC_ENUM("Beep off Time", beep_offtime_enum),
- SOC_SINGLE_TLV("Beep Volume", CS42L52_BEEP_VOL, 0, 0x1f, 0x07,
hl_tlv),
+ SOC_SINGLE_SX_TLV("Beep Volume", CS42L52_BEEP_VOL, 0, 0x07,
0x1f, hl_tlv), SOC_SINGLE("Beep Mixer Switch", CS42L52_BEEP_TONE_CTL,
5, 1, 1), SOC_ENUM("Beep Treble Corner Freq", beep_treble_enum),
SOC_ENUM("Beep Bass Corner Freq", beep_bass_enum),
diff --git a/sound/soc/codecs/max98088.c b/sound/soc/codecs/max98088.c
index 4790568..8df4597 100644
--- a/sound/soc/codecs/max98088.c
+++ b/sound/soc/codecs/max98088.c
@@ -1594,7 +1594,7 @@ static int max98088_dai2_digital_mute(struct
snd_soc_dai *codec_dai, int mute)
static void max98088_sync_cache(struct snd_soc_codec *codec)
{
- u16 *reg_cache = codec->reg_cache;
+ u8 *reg_cache = codec->reg_cache;
int i;
if (!codec->cache_sync)
diff --git a/sound/soc/codecs/sgtl5000.h b/sound/soc/codecs/sgtl5000.h
index 8a9f435..d3a68bb 100644
--- a/sound/soc/codecs/sgtl5000.h
+++ b/sound/soc/codecs/sgtl5000.h
@@ -347,7 +347,7 @@
#define SGTL5000_PLL_INT_DIV_MASK 0xf800
#define SGTL5000_PLL_INT_DIV_SHIFT 11
#define SGTL5000_PLL_INT_DIV_WIDTH 5
-#define SGTL5000_PLL_FRAC_DIV_MASK 0x0700
+#define SGTL5000_PLL_FRAC_DIV_MASK 0x07ff
#define SGTL5000_PLL_FRAC_DIV_SHIFT 0
#define SGTL5000_PLL_FRAC_DIV_WIDTH 11
diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c
index ce67200..df24c54 100644
--- a/sound/soc/codecs/wm8962.c
+++ b/sound/soc/codecs/wm8962.c
@@ -1600,7 +1600,6 @@ static int wm8962_put_hp_sw(struct snd_kcontrol
*kcontrol, struct snd_ctl_elem_value *ucontrol)
{
struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol);
- u16 *reg_cache = codec->reg_cache;
int ret;
/* Apply the update (if any) */
@@ -1609,16 +1608,19 @@ static int wm8962_put_hp_sw(struct snd_kcontrol
*kcontrol, return 0;
/* If the left PGA is enabled hit that VU bit... */
- if (snd_soc_read(codec, WM8962_PWR_MGMT_2) &
WM8962_HPOUTL_PGA_ENA)
- return snd_soc_write(codec, WM8962_HPOUTL_VOLUME,
- reg_cache[WM8962_HPOUTL_VOLUME]);
+ ret = snd_soc_read(codec, WM8962_PWR_MGMT_2);
+ if (ret & WM8962_HPOUTL_PGA_ENA) {
+ snd_soc_write(codec, WM8962_HPOUTL_VOLUME,
+ snd_soc_read(codec,
WM8962_HPOUTL_VOLUME));
+ return 1;
+ }
/* ...otherwise the right. The VU is stereo. */
- if (snd_soc_read(codec, WM8962_PWR_MGMT_2) &
WM8962_HPOUTR_PGA_ENA)
- return snd_soc_write(codec, WM8962_HPOUTR_VOLUME,
- reg_cache[WM8962_HPOUTR_VOLUME]);
+ if (ret & WM8962_HPOUTR_PGA_ENA)
+ snd_soc_write(codec, WM8962_HPOUTR_VOLUME,
+ snd_soc_read(codec,
WM8962_HPOUTR_VOLUME));
- return 0;
+ return 1;
}
/* The VU bits for the speakers are in a different register to the mute
@@ -3378,7 +3380,6 @@ static int wm8962_probe(struct snd_soc_codec
*codec) int ret;
struct wm8962_priv *wm8962 = snd_soc_codec_get_drvdata(codec);
struct wm8962_pdata *pdata = dev_get_platdata(codec->dev);
- u16 *reg_cache = codec->reg_cache;
int i, trigger, irq_pol;
bool dmicclk, dmicdat;
@@ -3436,8 +3437,9 @@ static int wm8962_probe(struct snd_soc_codec
*codec)
/* Put the speakers into mono mode? */
if (pdata->spk_mono)
- reg_cache[WM8962_CLASS_D_CONTROL_2]
- |= WM8962_SPK_MONO;
+ snd_soc_update_bits(codec,
WM8962_CLASS_D_CONTROL_2,
+ WM8962_SPK_MONO_MASK, WM8962_SPK_MONO);
+
/* Micbias setup, detection enable and detection
* threasholds. */
diff --git a/sound/soc/s6000/s6000-pcm.c b/sound/soc/s6000/s6000-pcm.c
index 716da86..17f9348 100644
--- a/sound/soc/s6000/s6000-pcm.c
+++ b/sound/soc/s6000/s6000-pcm.c
@@ -128,7 +128,9 @@ static irqreturn_t s6000_pcm_irq(int irq, void
*data) substream->runtime &&
snd_pcm_running(substream)) {
dev_dbg(pcm->dev, "xrun\n");
+ snd_pcm_stream_lock(substream);
snd_pcm_stop(substream, SNDRV_PCM_STATE_XRUN);
+ snd_pcm_stream_unlock(substream);
ret = IRQ_HANDLED;
}
diff --git a/sound/soc/tegra/tegra30_i2s.c
b/sound/soc/tegra/tegra30_i2s.c index 4418422..b56721a8 100644
--- a/sound/soc/tegra/tegra30_i2s.c
+++ b/sound/soc/tegra/tegra30_i2s.c
@@ -227,7 +227,7 @@ static int tegra30_i2s_hw_params(struct
snd_pcm_substream *substream, reg = TEGRA30_I2S_CIF_RX_CTRL;
} else {
val |= TEGRA30_AUDIOCIF_CTRL_DIRECTION_TX;
- reg = TEGRA30_I2S_CIF_RX_CTRL;
+ reg = TEGRA30_I2S_CIF_TX_CTRL;
}
regmap_write(i2s->regmap, reg, val);
diff --git a/sound/usb/6fire/comm.c b/sound/usb/6fire/comm.c
index 6c3d531..8e68be7 100644
--- a/sound/usb/6fire/comm.c
+++ b/sound/usb/6fire/comm.c
@@ -110,19 +110,37 @@ static int usb6fire_comm_send_buffer(u8 *buffer,
struct usb_device *dev) static int usb6fire_comm_write8(struct
comm_runtime *rt, u8 request, u8 reg, u8 value)
{
- u8 buffer[13]; /* 13: maximum length of message */
+ u8 *buffer;
+ int ret;
+
+ /* 13: maximum length of message */
+ buffer = kmalloc(13, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
usb6fire_comm_init_buffer(buffer, 0x00, request, reg, value,
0x00);
- return usb6fire_comm_send_buffer(buffer, rt->chip->dev);
+ ret = usb6fire_comm_send_buffer(buffer, rt->chip->dev);
+
+ kfree(buffer);
+ return ret;
}
static int usb6fire_comm_write16(struct comm_runtime *rt, u8 request,
u8 reg, u8 vl, u8 vh)
{
- u8 buffer[13]; /* 13: maximum length of message */
+ u8 *buffer;
+ int ret;
+
+ /* 13: maximum length of message */
+ buffer = kmalloc(13, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
usb6fire_comm_init_buffer(buffer, 0x00, request, reg, vl, vh);
- return usb6fire_comm_send_buffer(buffer, rt->chip->dev);
+ ret = usb6fire_comm_send_buffer(buffer, rt->chip->dev);
+
+ kfree(buffer);
+ return ret;
}
int __devinit usb6fire_comm_init(struct sfire_chip *chip)
@@ -135,6 +153,12 @@ int __devinit usb6fire_comm_init(struct sfire_chip
*chip) if (!rt)
return -ENOMEM;
+ rt->receiver_buffer = kzalloc(COMM_RECEIVER_BUFSIZE,
GFP_KERNEL);
+ if (!rt->receiver_buffer) {
+ kfree(rt);
+ return -ENOMEM;
+ }
+
rt->serial = 1;
rt->chip = chip;
usb_init_urb(urb);
@@ -152,6 +176,7 @@ int __devinit usb6fire_comm_init(struct sfire_chip
*chip) urb->interval = 1;
ret = usb_submit_urb(urb, GFP_KERNEL);
if (ret < 0) {
+ kfree(rt->receiver_buffer);
kfree(rt);
snd_printk(KERN_ERR PREFIX "cannot create comm data
receiver."); return ret;
@@ -170,6 +195,9 @@ void usb6fire_comm_abort(struct sfire_chip *chip)
void usb6fire_comm_destroy(struct sfire_chip *chip)
{
- kfree(chip->comm);
+ struct comm_runtime *rt = chip->comm;
+
+ kfree(rt->receiver_buffer);
+ kfree(rt);
chip->comm = NULL;
}
diff --git a/sound/usb/6fire/comm.h b/sound/usb/6fire/comm.h
index d2af0a5..fca24e3 100644
--- a/sound/usb/6fire/comm.h
+++ b/sound/usb/6fire/comm.h
@@ -24,7 +24,7 @@ struct comm_runtime {
struct sfire_chip *chip;
struct urb receiver;
- u8 receiver_buffer[COMM_RECEIVER_BUFSIZE];
+ u8 *receiver_buffer;
u8 serial; /* urb serial */
diff --git a/sound/usb/6fire/midi.c b/sound/usb/6fire/midi.c
index f0e5179..0c09867 100644
--- a/sound/usb/6fire/midi.c
+++ b/sound/usb/6fire/midi.c
@@ -19,6 +19,10 @@
#include "chip.h"
#include "comm.h"
+enum {
+ MIDI_BUFSIZE = 64
+};
+
static void usb6fire_midi_out_handler(struct urb *urb)
{
struct midi_runtime *rt = urb->context;
@@ -156,6 +160,12 @@ int __devinit usb6fire_midi_init(struct sfire_chip
*chip) if (!rt)
return -ENOMEM;
+ rt->out_buffer = kzalloc(MIDI_BUFSIZE, GFP_KERNEL);
+ if (!rt->out_buffer) {
+ kfree(rt);
+ return -ENOMEM;
+ }
+
rt->chip = chip;
rt->in_received = usb6fire_midi_in_received;
rt->out_buffer[0] = 0x80; /* 'send midi' command */
@@ -169,6 +179,7 @@ int __devinit usb6fire_midi_init(struct sfire_chip
*chip)
ret = snd_rawmidi_new(chip->card, "6FireUSB", 0, 1, 1,
&rt->instance); if (ret < 0) {
+ kfree(rt->out_buffer);
kfree(rt);
snd_printk(KERN_ERR PREFIX "unable to create midi.\n");
return ret;
@@ -197,6 +208,9 @@ void usb6fire_midi_abort(struct sfire_chip *chip)
void usb6fire_midi_destroy(struct sfire_chip *chip)
{
- kfree(chip->midi);
+ struct midi_runtime *rt = chip->midi;
+
+ kfree(rt->out_buffer);
+ kfree(rt);
chip->midi = NULL;
}
diff --git a/sound/usb/6fire/midi.h b/sound/usb/6fire/midi.h
index 5114ecc..d101ecb 100644
--- a/sound/usb/6fire/midi.h
+++ b/sound/usb/6fire/midi.h
@@ -16,10 +16,6 @@
#include "common.h"
-enum {
- MIDI_BUFSIZE = 64
-};
-
struct midi_runtime {
struct sfire_chip *chip;
struct snd_rawmidi *instance;
@@ -32,7 +28,7 @@ struct midi_runtime {
struct snd_rawmidi_substream *out;
struct urb out_urb;
u8 out_serial; /* serial number of out packet */
- u8 out_buffer[MIDI_BUFSIZE];
+ u8 *out_buffer;
int buffer_offset;
void (*in_received)(struct midi_runtime *rt, u8 *data, int
length); diff --git a/sound/usb/6fire/pcm.c b/sound/usb/6fire/pcm.c
index c97d05f..51e3f62f 100644
--- a/sound/usb/6fire/pcm.c
+++ b/sound/usb/6fire/pcm.c
@@ -540,7 +540,7 @@ static snd_pcm_uframes_t usb6fire_pcm_pointer(
snd_pcm_uframes_t ret;
if (rt->panic || !sub)
- return SNDRV_PCM_STATE_XRUN;
+ return SNDRV_PCM_POS_XRUN;
spin_lock_irqsave(&sub->lock, flags);
ret = sub->dma_off;
@@ -578,6 +578,33 @@ static void __devinit usb6fire_pcm_init_urb(struct
pcm_urb *urb, urb->instance.number_of_packets = PCM_N_PACKETS_PER_URB;
}
+static int usb6fire_pcm_buffers_init(struct pcm_runtime *rt)
+{
+ int i;
+
+ for (i = 0; i < PCM_N_URBS; i++) {
+ rt->out_urbs[i].buffer = kzalloc(PCM_N_PACKETS_PER_URB
+ * PCM_MAX_PACKET_SIZE, GFP_KERNEL);
+ if (!rt->out_urbs[i].buffer)
+ return -ENOMEM;
+ rt->in_urbs[i].buffer = kzalloc(PCM_N_PACKETS_PER_URB
+ * PCM_MAX_PACKET_SIZE, GFP_KERNEL);
+ if (!rt->in_urbs[i].buffer)
+ return -ENOMEM;
+ }
+ return 0;
+}
+
+static void usb6fire_pcm_buffers_destroy(struct pcm_runtime *rt)
+{
+ int i;
+
+ for (i = 0; i < PCM_N_URBS; i++) {
+ kfree(rt->out_urbs[i].buffer);
+ kfree(rt->in_urbs[i].buffer);
+ }
+}
+
int __devinit usb6fire_pcm_init(struct sfire_chip *chip)
{
int i;
@@ -589,6 +616,13 @@ int __devinit usb6fire_pcm_init(struct sfire_chip
*chip) if (!rt)
return -ENOMEM;
+ ret = usb6fire_pcm_buffers_init(rt);
+ if (ret) {
+ usb6fire_pcm_buffers_destroy(rt);
+ kfree(rt);
+ return ret;
+ }
+
rt->chip = chip;
rt->stream_state = STREAM_DISABLED;
rt->rate = ARRAY_SIZE(rates);
@@ -610,6 +644,7 @@ int __devinit usb6fire_pcm_init(struct sfire_chip
*chip)
ret = snd_pcm_new(chip->card, "DMX6FireUSB", 0, 1, 1, &pcm);
if (ret < 0) {
+ usb6fire_pcm_buffers_destroy(rt);
kfree(rt);
snd_printk(KERN_ERR PREFIX "cannot create pcm
instance.\n"); return ret;
@@ -625,6 +660,7 @@ int __devinit usb6fire_pcm_init(struct sfire_chip
*chip) snd_dma_continuous_data(GFP_KERNEL),
MAX_BUFSIZE, MAX_BUFSIZE);
if (ret) {
+ usb6fire_pcm_buffers_destroy(rt);
kfree(rt);
snd_printk(KERN_ERR PREFIX
"error preallocating pcm buffers.\n");
@@ -639,17 +675,25 @@ int __devinit usb6fire_pcm_init(struct sfire_chip
*chip) void usb6fire_pcm_abort(struct sfire_chip *chip)
{
struct pcm_runtime *rt = chip->pcm;
+ unsigned long flags;
int i;
if (rt) {
rt->panic = true;
- if (rt->playback.instance)
+ if (rt->playback.instance) {
+
snd_pcm_stream_lock_irqsave(rt->playback.instance, flags);
snd_pcm_stop(rt->playback.instance, SNDRV_PCM_STATE_XRUN);
- if (rt->capture.instance)
+
snd_pcm_stream_unlock_irqrestore(rt->playback.instance, flags);
+ }
+
+ if (rt->capture.instance) {
+
snd_pcm_stream_lock_irqsave(rt->capture.instance, flags);
snd_pcm_stop(rt->capture.instance, SNDRV_PCM_STATE_XRUN);
+
snd_pcm_stream_unlock_irqrestore(rt->capture.instance, flags);
+ }
for (i = 0; i < PCM_N_URBS; i++) {
usb_poison_urb(&rt->in_urbs[i].instance);
@@ -661,6 +705,9 @@ void usb6fire_pcm_abort(struct sfire_chip *chip)
void usb6fire_pcm_destroy(struct sfire_chip *chip)
{
- kfree(chip->pcm);
+ struct pcm_runtime *rt = chip->pcm;
+
+ usb6fire_pcm_buffers_destroy(rt);
+ kfree(rt);
chip->pcm = NULL;
}
diff --git a/sound/usb/6fire/pcm.h b/sound/usb/6fire/pcm.h
index 3104301..84610cf 100644
--- a/sound/usb/6fire/pcm.h
+++ b/sound/usb/6fire/pcm.h
@@ -32,7 +32,7 @@ struct pcm_urb {
struct urb instance;
struct usb_iso_packet_descriptor
packets[PCM_N_PACKETS_PER_URB]; /* END DO NOT SEPARATE */
- u8 buffer[PCM_N_PACKETS_PER_URB * PCM_MAX_PACKET_SIZE];
+ u8 *buffer;
struct pcm_urb *peer;
};
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index eafc889..38e9583 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -599,17 +599,16 @@ static int data_ep_set_params(struct
snd_usb_endpoint *ep, ep->stride = frame_bits >> 3;
ep->silence_value = format == SNDRV_PCM_FORMAT_U8 ? 0x80 : 0;
- /* calculate max. frequency */
- if (ep->maxpacksize) {
+ /* assume max. frequency is 25% higher than nominal */
+ ep->freqmax = ep->freqn + (ep->freqn >> 2);
+ maxsize = ((ep->freqmax + 0xffff) * (frame_bits >> 3))
+ >> (16 - ep->datainterval);
+ /* but wMaxPacketSize might reduce this */
+ if (ep->maxpacksize && ep->maxpacksize < maxsize) {
/* whatever fits into a max. size packet */
maxsize = ep->maxpacksize;
ep->freqmax = (maxsize / (frame_bits >> 3))
<< (16 - ep->datainterval);
- } else {
- /* no max. packet size: just take 25% higher than
nominal */
- ep->freqmax = ep->freqn + (ep->freqn >> 2);
- maxsize = ((ep->freqmax + 0xffff) * (frame_bits >> 3))
- >> (16 - ep->datainterval);
}
if (ep->fill_max)
diff --git a/sound/usb/misc/ua101.c b/sound/usb/misc/ua101.c
index 8b81cb5..d97d35d 100644
--- a/sound/usb/misc/ua101.c
+++ b/sound/usb/misc/ua101.c
@@ -613,14 +613,24 @@ static int start_usb_playback(struct ua101 *ua)
static void abort_alsa_capture(struct ua101 *ua)
{
- if (test_bit(ALSA_CAPTURE_RUNNING, &ua->states))
+ unsigned long flags;
+
+ if (test_bit(ALSA_CAPTURE_RUNNING, &ua->states)) {
+ snd_pcm_stream_lock_irqsave(ua->capture.substream,
flags); snd_pcm_stop(ua->capture.substream, SNDRV_PCM_STATE_XRUN);
+
snd_pcm_stream_unlock_irqrestore(ua->capture.substream, flags);
+ }
}
static void abort_alsa_playback(struct ua101 *ua)
{
- if (test_bit(ALSA_PLAYBACK_RUNNING, &ua->states))
+ unsigned long flags;
+
+ if (test_bit(ALSA_PLAYBACK_RUNNING, &ua->states)) {
+ snd_pcm_stream_lock_irqsave(ua->playback.substream,
flags); snd_pcm_stop(ua->playback.substream, SNDRV_PCM_STATE_XRUN);
+
snd_pcm_stream_unlock_irqrestore(ua->playback.substream, flags);
+ }
}
static int set_stream_hw(struct ua101 *ua, struct snd_pcm_substream
*substream, diff --git a/sound/usb/usx2y/usbusx2yaudio.c
b/sound/usb/usx2y/usbusx2yaudio.c index 520ef96..43d337d 100644
--- a/sound/usb/usx2y/usbusx2yaudio.c
+++ b/sound/usb/usx2y/usbusx2yaudio.c
@@ -273,7 +273,11 @@ static void usX2Y_clients_stop(struct usX2Ydev
*usX2Y) struct snd_usX2Y_substream *subs = usX2Y->subs[s];
if (subs) {
if (atomic_read(&subs->state) >=
state_PRERUNNING) {
+ unsigned long flags;
+
+
snd_pcm_stream_lock_irqsave(subs->pcm_substream, flags);
snd_pcm_stop(subs->pcm_substream, SNDRV_PCM_STATE_XRUN);
+
snd_pcm_stream_unlock_irqrestore(subs->pcm_substream, flags); }
for (u = 0; u < NRURBS; u++) {
struct urb *urb = subs->urb[u];
^ permalink raw reply related [flat|nested] 271+ messages in thread
* RE: [199/251] genetlink: fix family dump race
2013-09-11 4:30 ` [199/251] genetlink: fix family dump race Steven Rostedt
@ 2013-09-11 6:50 ` Berg, Johannes
2013-09-11 12:25 ` Steven Rostedt
0 siblings, 1 reply; 271+ messages in thread
From: Berg, Johannes @ 2013-09-11 6:50 UTC (permalink / raw)
To: Steven Rostedt, linux-kernel, stable
Cc: Otcheretianski, Andrei, David S. Miller
> 3.6.11.9-rc1 stable review patch.
> If anyone has any objections, please let me know.
Yes, this patch is broken and we reverted it upstream.
johannes
--
Intel GmbH
Dornacher Strasse 1
85622 Feldkirchen/Muenchen, Deutschland
Sitz der Gesellschaft: Feldkirchen bei Muenchen
Geschaeftsfuehrer: Christian Lamprechter, Hannes Schwaderer, Douglas Lusk
Registergericht: Muenchen HRB 47456
Ust.-IdNr./VAT Registration No.: DE129385895
Citibank Frankfurt a.M. (BLZ 502 109 00) 600119052
^ permalink raw reply [flat|nested] 271+ messages in thread
* Re: [197/251] iwl4965: reset firmware after rfkill off
2013-09-11 4:30 ` [197/251] iwl4965: reset firmware after rfkill off Steven Rostedt
@ 2013-09-11 7:46 ` Stanislaw Gruszka
2013-09-11 12:32 ` Steven Rostedt
0 siblings, 1 reply; 271+ messages in thread
From: Stanislaw Gruszka @ 2013-09-11 7:46 UTC (permalink / raw)
To: Steven Rostedt; +Cc: linux-kernel, stable, John W. Linville
On Wed, Sep 11, 2013 at 12:30:24AM -0400, Steven Rostedt wrote:
> 3.6.11.9-rc1 stable review patch.
> If anyone has any objections, please let me know.
>
> ------------------
>
> From: Stanislaw Gruszka <sgruszka@redhat.com>
>
> [ Upstream commit 788f7a56fce1bcb2067b62b851a086fca48a0056 ]
This require follow up - upstream commit:
commit b2fcc0aee58a3435566dd6d8501a0b355552f28b
Author: Stanislaw Gruszka <sgruszka@redhat.com>
Date: Wed Aug 21 10:18:19 2013 +0200
iwl4965: fix rfkill set state regression
which seems to be missed on the set.
Stanislaw
^ permalink raw reply [flat|nested] 271+ messages in thread
* Re: [146/251] zram: use zram->lock to protect zram_free_page() in swap free notify path
2013-09-11 4:29 ` [146/251] zram: use zram->lock to protect zram_free_page() in swap free notify path Steven Rostedt
@ 2013-09-11 8:42 ` Luis Henriques
2013-09-12 1:20 ` Steven Rostedt
0 siblings, 1 reply; 271+ messages in thread
From: Luis Henriques @ 2013-09-11 8:42 UTC (permalink / raw)
To: Steven Rostedt; +Cc: linux-kernel, stable, Jiang Liu, Greg Kroah-Hartman
Steven Rostedt <rostedt@goodmis.org> writes:
> 3.6.11.9-rc1 stable review patch.
> If anyone has any objections, please let me know.
This commit seems to cause regressions [1]. There's a fix for it with
commit a0c516cbfc7452c8cbd564525fef66d9f20b46d1 but it doesn't apply
cleanly (it probably requires several other commits to be
backported). Thus, I am reverting it from the 3.5 extended stable
kernel.
[1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1215513
Cheers,
--
Luis
>
> ------------------
>
> From: Jiang Liu <liuj97@gmail.com>
>
> [ Upstream commit 57ab048532c0d975538cebd4456491b5c34248f4 ]
>
> zram_slot_free_notify() is free-running without any protection from
> concurrent operations. So there are race conditions between
> zram_bvec_read()/zram_bvec_write() and zram_slot_free_notify(),
> and possible consequences include:
> 1) Trigger BUG_ON(!handle) on zram_bvec_write() side.
> 2) Access to freed pages on zram_bvec_read() side.
> 3) Break some fields (bad_compress, good_compress, pages_stored)
> in zram->stats if the swap layer makes concurrently call to
> zram_slot_free_notify().
>
> So enhance zram_slot_free_notify() to acquire writer lock on zram->lock
> before calling zram_free_page().
>
> Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
> ---
> drivers/staging/zram/zram_drv.c | 2 ++
> drivers/staging/zram/zram_drv.h | 5 +++--
> 2 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
> index 38a1b44..4322baf 100644
> --- a/drivers/staging/zram/zram_drv.c
> +++ b/drivers/staging/zram/zram_drv.c
> @@ -622,7 +622,9 @@ static void zram_slot_free_notify(struct block_device *bdev,
> struct zram *zram;
>
> zram = bdev->bd_disk->private_data;
> + down_write(&zram->lock);
> zram_free_page(zram, index);
> + up_write(&zram->lock);
> zram_stat64_inc(zram, &zram->stats.notify_free);
> }
>
> diff --git a/drivers/staging/zram/zram_drv.h b/drivers/staging/zram/zram_drv.h
> index 572c0b1..a6eb5d9 100644
> --- a/drivers/staging/zram/zram_drv.h
> +++ b/drivers/staging/zram/zram_drv.h
> @@ -92,8 +92,9 @@ struct zram {
> void *compress_buffer;
> struct table *table;
> spinlock_t stat64_lock; /* protect 64-bit stats */
> - struct rw_semaphore lock; /* protect compression buffers and table
> - * against concurrent read and writes */
> + struct rw_semaphore lock; /* protect compression buffers, table,
> + * 32bit stat counters against concurrent
> + * notifications, reads and writes */
> struct request_queue *queue;
> struct gendisk *disk;
> int init_done;
^ permalink raw reply [flat|nested] 271+ messages in thread
* Re: [117/251] radeon kms: do not flush uninitialized hotplug work
2013-09-11 4:29 ` [117/251] radeon kms: do not flush uninitialized hotplug work Steven Rostedt
@ 2013-09-11 9:06 ` Sergey Senozhatsky
2013-09-11 12:37 ` Steven Rostedt
0 siblings, 1 reply; 271+ messages in thread
From: Sergey Senozhatsky @ 2013-09-11 9:06 UTC (permalink / raw)
To: Steven Rostedt; +Cc: linux-kernel, stable, Alex Deucher
On (09/11/13 00:29), Steven Rostedt wrote:
> 3.6.11.9-rc1 stable review patch.
> If anyone has any objections, please let me know.
>
Hello,
Steven, this patch makes r100_irq_process() unhappy and there
is additional fix on top of this patch.
upstream 27c505ca84e164ec66ad55dcf3f5befaac83f10a
I'll prepare a proper patch for stable.
-ss
> ------------------
>
> From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
>
> [ Upstream commit a01c34f72e7cd2624570818f579b5ab464f93de2 ]
>
> Fix a warning from lockdep caused by calling flush_work() for
> uninitialized hotplug work. Initialize hotplug_work, audio_work
> and reset_work upon successful radeon_irq_kms_init() completion
> and thus perform hotplug flush_work only when rdev->irq.installed
> is true.
>
> [ 4.790019] [drm] Loading CEDAR Microcode
> [ 4.790943] r600_cp: Failed to load firmware "radeon/CEDAR_smc.bin"
> [ 4.791152] [drm:evergreen_startup] *ERROR* Failed to load firmware!
> [ 4.791330] radeon 0000:01:00.0: disabling GPU acceleration
>
> [ 4.792633] INFO: trying to register non-static key.
> [ 4.792792] the code is fine but needs lockdep annotation.
> [ 4.792953] turning off the locking correctness validator.
>
> [ 4.793114] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 3.11.0-rc0-dbg-10676-gfe56456-dirty #1816
> [ 4.793314] Hardware name: Acer Aspire 5741G /Aspire 5741G , BIOS V1.20 02/08/2011
> [ 4.793507] ffffffff821fd810 ffff8801530b9a18 ffffffff8160434e 0000000000000002
> [ 4.794155] ffff8801530b9ad8 ffffffff810b8404 ffff8801530b0798 ffff8801530b0000
> [ 4.794789] ffff8801530b9b00 0000000000000046 00000000000004c0 ffffffff00000000
> [ 4.795418] Call Trace:
> [ 4.795573] [<ffffffff8160434e>] dump_stack+0x4e/0x82
> [ 4.795731] [<ffffffff810b8404>] __lock_acquire+0x1a64/0x1d30
> [ 4.795893] [<ffffffff814a87f0>] ? dev_vprintk_emit+0x50/0x60
> [ 4.796034] [<ffffffff810b8fb4>] lock_acquire+0xa4/0x200
> [ 4.796216] [<ffffffff8106cd75>] ? flush_work+0x5/0x280
> [ 4.796375] [<ffffffff8106cdad>] flush_work+0x3d/0x280
> [ 4.796520] [<ffffffff8106cd75>] ? flush_work+0x5/0x280
> [ 4.796682] [<ffffffff810b659d>] ? trace_hardirqs_on_caller+0xfd/0x1c0
> [ 4.796862] [<ffffffff8131d775>] ? delay_tsc+0x95/0xf0
> [ 4.797024] [<ffffffff8141bb8b>] radeon_irq_kms_fini+0x2b/0x70
> [ 4.797186] [<ffffffff814557c9>] evergreen_init+0x2a9/0x2e0
> [ 4.797347] [<ffffffff813ebb1f>] radeon_device_init+0x5ef/0x700
> [ 4.797511] [<ffffffff81335bc7>] ? pci_find_capability+0x47/0x50
> [ 4.797672] [<ffffffff813edaed>] radeon_driver_load_kms+0x8d/0x150
> [ 4.797843] [<ffffffff813ce426>] drm_get_pci_dev+0x166/0x280
> [ 4.798007] [<ffffffff8116cff5>] ? kfree+0xf5/0x2e0
> [ 4.798168] [<ffffffff813ea298>] ? radeon_pci_probe+0x98/0xd0
> [ 4.798329] [<ffffffff813ea2aa>] radeon_pci_probe+0xaa/0xd0
> [ 4.798489] [<ffffffff81339404>] pci_device_probe+0x84/0xe0
> [ 4.798644] [<ffffffff814ac7d6>] driver_probe_device+0x76/0x240
> [ 4.798805] [<ffffffff814aca73>] __driver_attach+0x93/0xa0
> [ 4.798948] [<ffffffff814ac9e0>] ? __device_attach+0x40/0x40
> [ 4.799126] [<ffffffff814aa82b>] bus_for_each_dev+0x6b/0xb0
> [ 4.799272] [<ffffffff814ac2be>] driver_attach+0x1e/0x20
> [ 4.799434] [<ffffffff814abec0>] bus_add_driver+0x1f0/0x280
> [ 4.799596] [<ffffffff814ad0e4>] driver_register+0x74/0x150
> [ 4.799758] [<ffffffff8133923d>] __pci_register_driver+0x5d/0x60
> [ 4.799936] [<ffffffff81d16efc>] ? ttm_init+0x67/0x67
> [ 4.800081] [<ffffffff813ce655>] drm_pci_init+0x115/0x130
> [ 4.800243] [<ffffffff81d16efc>] ? ttm_init+0x67/0x67
> [ 4.800405] [<ffffffff81d16f98>] radeon_init+0x9c/0xba
> [ 4.800586] [<ffffffff810002ca>] do_one_initcall+0xfa/0x150
> [ 4.800746] [<ffffffff81073f60>] ? parse_args+0x120/0x330
> [ 4.800909] [<ffffffff81cdafae>] kernel_init_freeable+0x111/0x191
> [ 4.801052] [<ffffffff81cda87a>] ? do_early_param+0x88/0x88
> [ 4.801233] [<ffffffff815fb670>] ? rest_init+0x140/0x140
> [ 4.801393] [<ffffffff815fb67e>] kernel_init+0xe/0x180
> [ 4.801556] [<ffffffff8160dcac>] ret_from_fork+0x7c/0xb0
> [ 4.801718] [<ffffffff815fb670>] ? rest_init+0x140/0x140
>
> Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
> ---
> drivers/gpu/drm/radeon/radeon_irq_kms.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c
> index 443bd49..4bc6be5 100644
> --- a/drivers/gpu/drm/radeon/radeon_irq_kms.c
> +++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c
> @@ -243,9 +243,6 @@ int radeon_irq_kms_init(struct radeon_device *rdev)
> {
> int r = 0;
>
> - INIT_WORK(&rdev->hotplug_work, radeon_hotplug_work_func);
> - INIT_WORK(&rdev->audio_work, r600_audio_update_hdmi);
> -
> spin_lock_init(&rdev->irq.lock);
> r = drm_vblank_init(rdev->ddev, rdev->num_crtc);
> if (r) {
> @@ -267,6 +264,10 @@ int radeon_irq_kms_init(struct radeon_device *rdev)
> rdev->irq.installed = false;
> return r;
> }
> +
> + INIT_WORK(&rdev->hotplug_work, radeon_hotplug_work_func);
> + INIT_WORK(&rdev->audio_work, r600_audio_update_hdmi);
> +
> DRM_INFO("radeon: irq initialized.\n");
> return 0;
> }
> @@ -286,8 +287,8 @@ void radeon_irq_kms_fini(struct radeon_device *rdev)
> rdev->irq.installed = false;
> if (rdev->msi_enabled)
> pci_disable_msi(rdev->pdev);
> + flush_work_sync(&rdev->hotplug_work);
> }
> - flush_work_sync(&rdev->hotplug_work);
> }
>
> /**
> --
> 1.7.10.4
>
>
^ permalink raw reply [flat|nested] 271+ messages in thread
* Re: [199/251] genetlink: fix family dump race
2013-09-11 6:50 ` Berg, Johannes
@ 2013-09-11 12:25 ` Steven Rostedt
0 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 12:25 UTC (permalink / raw)
To: Berg, Johannes
Cc: linux-kernel, stable, Otcheretianski, Andrei, David S. Miller
On Wed, 11 Sep 2013 06:50:10 +0000
"Berg, Johannes" <johannes.berg@intel.com> wrote:
> > 3.6.11.9-rc1 stable review patch.
> > If anyone has any objections, please let me know.
>
> Yes, this patch is broken and we reverted it upstream.
Thanks! I'll revert it.
-- Steve
^ permalink raw reply [flat|nested] 271+ messages in thread
* Re: [197/251] iwl4965: reset firmware after rfkill off
2013-09-11 7:46 ` Stanislaw Gruszka
@ 2013-09-11 12:32 ` Steven Rostedt
0 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 12:32 UTC (permalink / raw)
To: Stanislaw Gruszka; +Cc: linux-kernel, stable, John W. Linville
On Wed, 11 Sep 2013 09:46:00 +0200
Stanislaw Gruszka <sgruszka@redhat.com> wrote:
> On Wed, Sep 11, 2013 at 12:30:24AM -0400, Steven Rostedt wrote:
> > 3.6.11.9-rc1 stable review patch.
> > If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Stanislaw Gruszka <sgruszka@redhat.com>
> >
> > [ Upstream commit 788f7a56fce1bcb2067b62b851a086fca48a0056 ]
>
> This require follow up - upstream commit:
>
> commit b2fcc0aee58a3435566dd6d8501a0b355552f28b
> Author: Stanislaw Gruszka <sgruszka@redhat.com>
> Date: Wed Aug 21 10:18:19 2013 +0200
>
> iwl4965: fix rfkill set state regression
>
> which seems to be missed on the set.
>
Thanks! I added this:
>From 7bde0f4f59e18d5fceadeb6447addfb65ac6c539 Mon Sep 17 00:00:00 2001
From: Stanislaw Gruszka <sgruszka@redhat.com>
Date: Wed, 21 Aug 2013 10:18:19 +0200
Subject: [PATCH] iwl4965: fix rfkill set state regression
[ Upstream commit b2fcc0aee58a3435566dd6d8501a0b355552f28b ]
My current 3.11 fix:
commit 788f7a56fce1bcb2067b62b851a086fca48a0056
Author: Stanislaw Gruszka <sgruszka@redhat.com>
Date: Thu Aug 1 12:07:55 2013 +0200
iwl4965: reset firmware after rfkill off
broke rfkill notification to user-space . I missed that bug, because
I compiled without CONFIG_RFKILL, sorry about that.
Cc: stable@vger.kernel.org
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/net/wireless/iwlegacy/4965-mac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c b/drivers/net/wireless/iwlegacy/4965-mac.c
index f6624b8..167ddec 100644
--- a/drivers/net/wireless/iwlegacy/4965-mac.c
+++ b/drivers/net/wireless/iwlegacy/4965-mac.c
@@ -4415,9 +4415,9 @@ il4965_irq_tasklet(struct il_priv *il)
set_bit(S_RFKILL, &il->status);
} else {
clear_bit(S_RFKILL, &il->status);
- wiphy_rfkill_set_hw_state(il->hw->wiphy, hw_rf_kill);
il_force_reset(il, true);
}
+ wiphy_rfkill_set_hw_state(il->hw->wiphy, hw_rf_kill);
handled |= CSR_INT_BIT_RF_KILL;
}
--
1.7.10.4
-- Steve
^ permalink raw reply related [flat|nested] 271+ messages in thread
* Re: [117/251] radeon kms: do not flush uninitialized hotplug work
2013-09-11 9:06 ` Sergey Senozhatsky
@ 2013-09-11 12:37 ` Steven Rostedt
2013-09-11 13:12 ` Sergey Senozhatsky
2013-09-11 14:36 ` Sergey Senozhatsky
0 siblings, 2 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 12:37 UTC (permalink / raw)
To: Sergey Senozhatsky; +Cc: linux-kernel, stable, Alex Deucher
On Wed, 11 Sep 2013 12:06:49 +0300
Sergey Senozhatsky <sergey.senozhatsky@gmail.com> wrote:
> On (09/11/13 00:29), Steven Rostedt wrote:
> > 3.6.11.9-rc1 stable review patch.
> > If anyone has any objections, please let me know.
> >
>
> Hello,
> Steven, this patch makes r100_irq_process() unhappy and there
> is additional fix on top of this patch.
> upstream 27c505ca84e164ec66ad55dcf3f5befaac83f10a
Thanks!
>
> I'll prepare a proper patch for stable.
>
I took a crack at it. How's this look?
-- Steve
>From 39a678bf28d5c3e8266bd88ba1e831818102787e Mon Sep 17 00:00:00 2001
From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Date: Thu, 29 Aug 2013 12:29:35 +0300
Subject: [PATCH] radeon kms: fix uninitialised hotplug work usage in
r100_irq_process()
[ Upstream commit 27c505ca84e164ec66ad55dcf3f5befaac83f10a ]
Commit a01c34f72e7cd2624570818f579b5ab464f93de2 (radeon kms: do not
flush uninitialized hotplug work) moved work initialisation phase to
the last step of radeon_irq_kms_init(). Meelis Roos reported that this
causes problems on his machine because drm_irq_install() uses hotplug
work on r100.
hotplug work flushed in radeon_irq_kms_fini(), with two possible cases:
-- radeon_irq_kms_fini() call after successful radeon_irq_kms_init()
-- radeon_irq_kms_fini() call after unsuccessful (or not called at all)
radeon_irq_kms_init()
The latter one causes flush work on uninitialised hotplug work. Move
work initialisation before drm_irq_install(), but keep existing agreement
to flush hotplug work in radeon_irq_kms_fini() only for `irq.installed'
(successful radeon_irq_kms_init()) case.
WARNING: CPU: 0 PID: 243 at kernel/workqueue.c:1378 __queue_work+0x132/0x16d()
Call Trace:
[<c12319b3>] ? dump_stack+0xa/0x13
[<c1022600>] ? warn_slowpath_common+0x75/0x8a
[<c1031010>] ? __queue_work+0x132/0x16d
[<c1031010>] ? __queue_work+0x132/0x16d
[<c102269e>] ? warn_slowpath_null+0x1b/0x1f
[<c1031010>] ? __queue_work+0x132/0x16d
[<c103107b>] ? queue_work_on+0x30/0x40
[<f8aed3f3>] ? r100_irq_process+0x16d/0x1e6 [radeon]
[<f8ae77cf>] ? radeon_driver_irq_preinstall_kms+0xc2/0xc5 [radeon]
[<f8974d77>] ? drm_irq_install+0xb2/0x1ac [drm]
[<f897604d>] ? drm_vblank_init+0x196/0x1d2 [drm]
[<f8ae78d3>] ? radeon_irq_kms_init+0x33/0xc6 [radeon]
[<f8aef35a>] ? r100_startup+0x1a3/0x1d6 [radeon]
[<f8ad77c8>] ? radeon_ttm_init+0x26e/0x287 [radeon]
[<f8aef752>] ? r100_init+0x2b3/0x309 [radeon]
[<c118082e>] ? vga_client_register+0x39/0x40
[<f8ac535f>] ? radeon_device_init+0x54b/0x61b [radeon]
[<f8ac40fd>] ? cail_mc_write+0x13/0x13 [radeon]
[<f8ac6864>] ? radeon_driver_load_kms+0x82/0xda [radeon]
[<f8978bbd>] ? drm_get_pci_dev+0x136/0x22d [drm]
[<f8ac409b>] ? radeon_pci_probe+0x6c/0x86 [radeon]
[<c112acf6>] ? pci_device_probe+0x4c/0x83
[<c11846c7>] ? driver_probe_device+0x80/0x184
[<c112a848>] ? pci_match_id+0x18/0x36
[<c1184837>] ? __driver_attach+0x44/0x5f
[<c11833f4>] ? bus_for_each_dev+0x50/0x5a
[<c118433e>] ? driver_attach+0x14/0x16
[<c11847f3>] ? __device_attach+0x28/0x28
[<c1184045>] ? bus_add_driver+0xd6/0x1bf
[<c1184c22>] ? driver_register+0x78/0xcf
[<f8ba8000>] ? 0xf8ba7fff
[<c10003bf>] ? do_one_initcall+0x8b/0x121
[<c101e668>] ? change_page_attr_clear+0x2e/0x33
[<f8ba8000>] ? 0xf8ba7fff
[<c101e689>] ? set_memory_ro+0x1c/0x20
[<c104de94>] ? set_page_attributes+0x11/0x12
[<c104f6e1>] ? load_module+0x12fa/0x17e8
[<c107483b>] ? map_vm_area+0x22/0x31
[<c104fc36>] ? SyS_init_module+0x67/0x7d
[<c1234245>] ? sysenter_do_call+0x12/0x26
Reported-by: Meelis Roos <mroos@linux.ee>
Tested-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
---
drivers/gpu/drm/radeon/radeon_irq_kms.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c
index 4bc6be5..03acf67 100644
--- a/drivers/gpu/drm/radeon/radeon_irq_kms.c
+++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c
@@ -258,16 +258,18 @@ int radeon_irq_kms_init(struct radeon_device *rdev)
dev_info(rdev->dev, "radeon: using MSI.\n");
}
}
+
+ INIT_WORK(&rdev->hotplug_work, radeon_hotplug_work_func);
+ INIT_WORK(&rdev->audio_work, r600_audio_update_hdmi);
+
rdev->irq.installed = true;
r = drm_irq_install(rdev->ddev);
if (r) {
rdev->irq.installed = false;
+ flush_work(&rdev->hotplug_work);
return r;
}
- INIT_WORK(&rdev->hotplug_work, radeon_hotplug_work_func);
- INIT_WORK(&rdev->audio_work, r600_audio_update_hdmi);
-
DRM_INFO("radeon: irq initialized.\n");
return 0;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 271+ messages in thread
* Re: [117/251] radeon kms: do not flush uninitialized hotplug work
2013-09-11 12:37 ` Steven Rostedt
@ 2013-09-11 13:12 ` Sergey Senozhatsky
2013-09-11 14:36 ` Sergey Senozhatsky
1 sibling, 0 replies; 271+ messages in thread
From: Sergey Senozhatsky @ 2013-09-11 13:12 UTC (permalink / raw)
To: Steven Rostedt; +Cc: linux-kernel, stable, Alex Deucher
On (09/11/13 08:37), Steven Rostedt wrote:
> >
> > I'll prepare a proper patch for stable.
> >
>
> I took a crack at it. How's this look?
as far as I understand this is 27c505ca84e164ec66ad55dcf3f5befaac83f10a
on top of a01c34f72e7cd2624570818f579b5ab464f93de2 [both backported] with
moved flush_work_sync() in radeon_irq_kms_fini() to rdev->irq.installed == true
case (am I right?). if so, then looks good to me!
-ss
> -- Steve
>
> From 39a678bf28d5c3e8266bd88ba1e831818102787e Mon Sep 17 00:00:00 2001
> From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
> Date: Thu, 29 Aug 2013 12:29:35 +0300
> Subject: [PATCH] radeon kms: fix uninitialised hotplug work usage in
> r100_irq_process()
>
> [ Upstream commit 27c505ca84e164ec66ad55dcf3f5befaac83f10a ]
>
> Commit a01c34f72e7cd2624570818f579b5ab464f93de2 (radeon kms: do not
> flush uninitialized hotplug work) moved work initialisation phase to
> the last step of radeon_irq_kms_init(). Meelis Roos reported that this
> causes problems on his machine because drm_irq_install() uses hotplug
> work on r100.
>
> hotplug work flushed in radeon_irq_kms_fini(), with two possible cases:
> -- radeon_irq_kms_fini() call after successful radeon_irq_kms_init()
> -- radeon_irq_kms_fini() call after unsuccessful (or not called at all)
> radeon_irq_kms_init()
>
> The latter one causes flush work on uninitialised hotplug work. Move
> work initialisation before drm_irq_install(), but keep existing agreement
> to flush hotplug work in radeon_irq_kms_fini() only for `irq.installed'
> (successful radeon_irq_kms_init()) case.
>
> WARNING: CPU: 0 PID: 243 at kernel/workqueue.c:1378 __queue_work+0x132/0x16d()
> Call Trace:
> [<c12319b3>] ? dump_stack+0xa/0x13
> [<c1022600>] ? warn_slowpath_common+0x75/0x8a
> [<c1031010>] ? __queue_work+0x132/0x16d
> [<c1031010>] ? __queue_work+0x132/0x16d
> [<c102269e>] ? warn_slowpath_null+0x1b/0x1f
> [<c1031010>] ? __queue_work+0x132/0x16d
> [<c103107b>] ? queue_work_on+0x30/0x40
> [<f8aed3f3>] ? r100_irq_process+0x16d/0x1e6 [radeon]
> [<f8ae77cf>] ? radeon_driver_irq_preinstall_kms+0xc2/0xc5 [radeon]
> [<f8974d77>] ? drm_irq_install+0xb2/0x1ac [drm]
> [<f897604d>] ? drm_vblank_init+0x196/0x1d2 [drm]
> [<f8ae78d3>] ? radeon_irq_kms_init+0x33/0xc6 [radeon]
> [<f8aef35a>] ? r100_startup+0x1a3/0x1d6 [radeon]
> [<f8ad77c8>] ? radeon_ttm_init+0x26e/0x287 [radeon]
> [<f8aef752>] ? r100_init+0x2b3/0x309 [radeon]
> [<c118082e>] ? vga_client_register+0x39/0x40
> [<f8ac535f>] ? radeon_device_init+0x54b/0x61b [radeon]
> [<f8ac40fd>] ? cail_mc_write+0x13/0x13 [radeon]
> [<f8ac6864>] ? radeon_driver_load_kms+0x82/0xda [radeon]
> [<f8978bbd>] ? drm_get_pci_dev+0x136/0x22d [drm]
> [<f8ac409b>] ? radeon_pci_probe+0x6c/0x86 [radeon]
> [<c112acf6>] ? pci_device_probe+0x4c/0x83
> [<c11846c7>] ? driver_probe_device+0x80/0x184
> [<c112a848>] ? pci_match_id+0x18/0x36
> [<c1184837>] ? __driver_attach+0x44/0x5f
> [<c11833f4>] ? bus_for_each_dev+0x50/0x5a
> [<c118433e>] ? driver_attach+0x14/0x16
> [<c11847f3>] ? __device_attach+0x28/0x28
> [<c1184045>] ? bus_add_driver+0xd6/0x1bf
> [<c1184c22>] ? driver_register+0x78/0xcf
> [<f8ba8000>] ? 0xf8ba7fff
> [<c10003bf>] ? do_one_initcall+0x8b/0x121
> [<c101e668>] ? change_page_attr_clear+0x2e/0x33
> [<f8ba8000>] ? 0xf8ba7fff
> [<c101e689>] ? set_memory_ro+0x1c/0x20
> [<c104de94>] ? set_page_attributes+0x11/0x12
> [<c104f6e1>] ? load_module+0x12fa/0x17e8
> [<c107483b>] ? map_vm_area+0x22/0x31
> [<c104fc36>] ? SyS_init_module+0x67/0x7d
> [<c1234245>] ? sysenter_do_call+0x12/0x26
>
> Reported-by: Meelis Roos <mroos@linux.ee>
> Tested-by: Meelis Roos <mroos@linux.ee>
> Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
> ---
> drivers/gpu/drm/radeon/radeon_irq_kms.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c
> index 4bc6be5..03acf67 100644
> --- a/drivers/gpu/drm/radeon/radeon_irq_kms.c
> +++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c
> @@ -258,16 +258,18 @@ int radeon_irq_kms_init(struct radeon_device *rdev)
> dev_info(rdev->dev, "radeon: using MSI.\n");
> }
> }
> +
> + INIT_WORK(&rdev->hotplug_work, radeon_hotplug_work_func);
> + INIT_WORK(&rdev->audio_work, r600_audio_update_hdmi);
> +
> rdev->irq.installed = true;
> r = drm_irq_install(rdev->ddev);
> if (r) {
> rdev->irq.installed = false;
> + flush_work(&rdev->hotplug_work);
> return r;
> }
>
> - INIT_WORK(&rdev->hotplug_work, radeon_hotplug_work_func);
> - INIT_WORK(&rdev->audio_work, r600_audio_update_hdmi);
> -
> DRM_INFO("radeon: irq initialized.\n");
> return 0;
> }
> --
> 1.7.10.4
>
^ permalink raw reply [flat|nested] 271+ messages in thread
* Re: [117/251] radeon kms: do not flush uninitialized hotplug work
2013-09-11 12:37 ` Steven Rostedt
2013-09-11 13:12 ` Sergey Senozhatsky
@ 2013-09-11 14:36 ` Sergey Senozhatsky
2013-09-11 16:00 ` Greg KH
1 sibling, 1 reply; 271+ messages in thread
From: Sergey Senozhatsky @ 2013-09-11 14:36 UTC (permalink / raw)
To: Steven Rostedt; +Cc: linux-kernel, stable, Alex Deucher
This one on top of stable 3.6.11 git.
Thank you, Steven.
---
[ Upstream commit 27c505ca84e164ec66ad55dcf3f5befaac83f10a ]
Commit a01c34f72e7cd2624570818f579b5ab464f93de2 (radeon kms: do not
flush uninitialized hotplug work) moved work initialisation phase to
the last step of radeon_irq_kms_init(). Meelis Roos reported that this
causes problems on his machine because drm_irq_install() uses hotplug
work on r100.
hotplug work flushed in radeon_irq_kms_fini(), with two possible cases:
-- radeon_irq_kms_fini() call after successful radeon_irq_kms_init()
-- radeon_irq_kms_fini() call after unsuccessful (or not called at all)
radeon_irq_kms_init()
The latter one causes flush work on uninitialised hotplug work. Move
work initialisation before drm_irq_install(), but keep existing agreement
to flush hotplug work in radeon_irq_kms_fini() only for `irq.installed'
(successful radeon_irq_kms_init()) case.
WARNING: CPU: 0 PID: 243 at kernel/workqueue.c:1378 __queue_work+0x132/0x16d()
Call Trace:
[<c12319b3>] ? dump_stack+0xa/0x13
[<c1022600>] ? warn_slowpath_common+0x75/0x8a
[<c1031010>] ? __queue_work+0x132/0x16d
[<c1031010>] ? __queue_work+0x132/0x16d
[<c102269e>] ? warn_slowpath_null+0x1b/0x1f
[<c1031010>] ? __queue_work+0x132/0x16d
[<c103107b>] ? queue_work_on+0x30/0x40
[<f8aed3f3>] ? r100_irq_process+0x16d/0x1e6 [radeon]
[<f8ae77cf>] ? radeon_driver_irq_preinstall_kms+0xc2/0xc5 [radeon]
[<f8974d77>] ? drm_irq_install+0xb2/0x1ac [drm]
[<f897604d>] ? drm_vblank_init+0x196/0x1d2 [drm]
[<f8ae78d3>] ? radeon_irq_kms_init+0x33/0xc6 [radeon]
[<f8aef35a>] ? r100_startup+0x1a3/0x1d6 [radeon]
[<f8ad77c8>] ? radeon_ttm_init+0x26e/0x287 [radeon]
[<f8aef752>] ? r100_init+0x2b3/0x309 [radeon]
[<c118082e>] ? vga_client_register+0x39/0x40
[<f8ac535f>] ? radeon_device_init+0x54b/0x61b [radeon]
[<f8ac40fd>] ? cail_mc_write+0x13/0x13 [radeon]
[<f8ac6864>] ? radeon_driver_load_kms+0x82/0xda [radeon]
[<f8978bbd>] ? drm_get_pci_dev+0x136/0x22d [drm]
[<f8ac409b>] ? radeon_pci_probe+0x6c/0x86 [radeon]
[<c112acf6>] ? pci_device_probe+0x4c/0x83
[<c11846c7>] ? driver_probe_device+0x80/0x184
[<c112a848>] ? pci_match_id+0x18/0x36
[<c1184837>] ? __driver_attach+0x44/0x5f
[<c11833f4>] ? bus_for_each_dev+0x50/0x5a
[<c118433e>] ? driver_attach+0x14/0x16
[<c11847f3>] ? __device_attach+0x28/0x28
[<c1184045>] ? bus_add_driver+0xd6/0x1bf
[<c1184c22>] ? driver_register+0x78/0xcf
[<f8ba8000>] ? 0xf8ba7fff
[<c10003bf>] ? do_one_initcall+0x8b/0x121
[<c101e668>] ? change_page_attr_clear+0x2e/0x33
[<f8ba8000>] ? 0xf8ba7fff
[<c101e689>] ? set_memory_ro+0x1c/0x20
[<c104de94>] ? set_page_attributes+0x11/0x12
[<c104f6e1>] ? load_module+0x12fa/0x17e8
[<c107483b>] ? map_vm_area+0x22/0x31
[<c104fc36>] ? SyS_init_module+0x67/0x7d
[<c1234245>] ? sysenter_do_call+0x12/0x26
Reported-by: Meelis Roos <mroos@linux.ee>
Tested-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
---
drivers/gpu/drm/radeon/radeon_irq_kms.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c
index 443bd49..6be5d6b 100644
--- a/drivers/gpu/drm/radeon/radeon_irq_kms.c
+++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c
@@ -243,9 +243,6 @@ int radeon_irq_kms_init(struct radeon_device *rdev)
{
int r = 0;
- INIT_WORK(&rdev->hotplug_work, radeon_hotplug_work_func);
- INIT_WORK(&rdev->audio_work, r600_audio_update_hdmi);
-
spin_lock_init(&rdev->irq.lock);
r = drm_vblank_init(rdev->ddev, rdev->num_crtc);
if (r) {
@@ -261,10 +258,15 @@ int radeon_irq_kms_init(struct radeon_device *rdev)
dev_info(rdev->dev, "radeon: using MSI.\n");
}
}
+
+ INIT_WORK(&rdev->hotplug_work, radeon_hotplug_work_func);
+ INIT_WORK(&rdev->audio_work, r600_audio_update_hdmi);
+
rdev->irq.installed = true;
r = drm_irq_install(rdev->ddev);
if (r) {
rdev->irq.installed = false;
+ flush_work(&rdev->hotplug_work);
return r;
}
DRM_INFO("radeon: irq initialized.\n");
@@ -286,8 +288,8 @@ void radeon_irq_kms_fini(struct radeon_device *rdev)
rdev->irq.installed = false;
if (rdev->msi_enabled)
pci_disable_msi(rdev->pdev);
+ flush_work_sync(&rdev->hotplug_work);
}
- flush_work_sync(&rdev->hotplug_work);
}
/**
^ permalink raw reply related [flat|nested] 271+ messages in thread
* Re: [117/251] radeon kms: do not flush uninitialized hotplug work
2013-09-11 14:36 ` Sergey Senozhatsky
@ 2013-09-11 16:00 ` Greg KH
2013-09-11 16:13 ` Steven Rostedt
0 siblings, 1 reply; 271+ messages in thread
From: Greg KH @ 2013-09-11 16:00 UTC (permalink / raw)
To: Sergey Senozhatsky; +Cc: Steven Rostedt, linux-kernel, stable, Alex Deucher
On Wed, Sep 11, 2013 at 05:36:29PM +0300, Sergey Senozhatsky wrote:
> This one on top of stable 3.6.11 git.
What do you mean by this?
confused,
greg k-h
^ permalink raw reply [flat|nested] 271+ messages in thread
* Re: [117/251] radeon kms: do not flush uninitialized hotplug work
2013-09-11 16:00 ` Greg KH
@ 2013-09-11 16:13 ` Steven Rostedt
2013-09-11 18:48 ` Sergey Senozhatsky
0 siblings, 1 reply; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 16:13 UTC (permalink / raw)
To: Greg KH; +Cc: Sergey Senozhatsky, linux-kernel, stable, Alex Deucher
On Wed, 11 Sep 2013 09:00:16 -0700
Greg KH <gregkh@linuxfoundation.org> wrote:
> On Wed, Sep 11, 2013 at 05:36:29PM +0300, Sergey Senozhatsky wrote:
> > This one on top of stable 3.6.11 git.
>
> What do you mean by this?
>
It's for my stable branch. Although, 3.6.11.8 is a far cry from 3.6.11
and the patch does not apply.
-- Steve
^ permalink raw reply [flat|nested] 271+ messages in thread
* Re: [117/251] radeon kms: do not flush uninitialized hotplug work
2013-09-11 16:13 ` Steven Rostedt
@ 2013-09-11 18:48 ` Sergey Senozhatsky
2013-09-11 18:54 ` Steven Rostedt
0 siblings, 1 reply; 271+ messages in thread
From: Sergey Senozhatsky @ 2013-09-11 18:48 UTC (permalink / raw)
To: Steven Rostedt; +Cc: Greg KH, linux-kernel, stable, Alex Deucher
On (09/11/13 12:13), Steven Rostedt wrote:
> On Wed, 11 Sep 2013 09:00:16 -0700
> Greg KH <gregkh@linuxfoundation.org> wrote:
>
> > On Wed, Sep 11, 2013 at 05:36:29PM +0300, Sergey Senozhatsky wrote:
> > > This one on top of stable 3.6.11 git.
> >
> > What do you mean by this?
> >
I thought it was for linux-3.6.y stable branch. sorry, wrong
assumption.
>
> It's for my stable branch. Although, 3.6.11.8 is a far cry from 3.6.11
> and the patch does not apply.
>
oh... so, we were not talking about linux-3.6.y branch from
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git ?
a thousand apologies.
-ss
^ permalink raw reply [flat|nested] 271+ messages in thread
* Re: [117/251] radeon kms: do not flush uninitialized hotplug work
2013-09-11 18:48 ` Sergey Senozhatsky
@ 2013-09-11 18:54 ` Steven Rostedt
2013-09-11 20:40 ` Sergey Senozhatsky
0 siblings, 1 reply; 271+ messages in thread
From: Steven Rostedt @ 2013-09-11 18:54 UTC (permalink / raw)
To: Sergey Senozhatsky; +Cc: Greg KH, linux-kernel, stable, Alex Deucher
On Wed, 11 Sep 2013 21:48:39 +0300
Sergey Senozhatsky <sergey.senozhatsky@gmail.com> wrote:
> On (09/11/13 12:13), Steven Rostedt wrote:
> > On Wed, 11 Sep 2013 09:00:16 -0700
> > Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > > On Wed, Sep 11, 2013 at 05:36:29PM +0300, Sergey Senozhatsky wrote:
> > > > This one on top of stable 3.6.11 git.
> > >
> > > What do you mean by this?
> > >
>
> I thought it was for linux-3.6.y stable branch. sorry, wrong
> assumption.
>
> >
> > It's for my stable branch. Although, 3.6.11.8 is a far cry from 3.6.11
> > and the patch does not apply.
> >
>
> oh... so, we were not talking about linux-3.6.y branch from
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git ?
>
> a thousand apologies.
>
Yeah, this is my extended stable, which is located in:
git://git.kernel.org/pub/scm/linux/kernel/git/rt/linux-stable-rt.git
v3.6-stable
I base the stable 3.6-rt patches off of this.
-- Steve
^ permalink raw reply [flat|nested] 271+ messages in thread
* Re: [117/251] radeon kms: do not flush uninitialized hotplug work
2013-09-11 18:54 ` Steven Rostedt
@ 2013-09-11 20:40 ` Sergey Senozhatsky
0 siblings, 0 replies; 271+ messages in thread
From: Sergey Senozhatsky @ 2013-09-11 20:40 UTC (permalink / raw)
To: Steven Rostedt; +Cc: Greg KH, linux-kernel, stable, Alex Deucher
On (09/11/13 14:54), Steven Rostedt wrote:
> > On (09/11/13 12:13), Steven Rostedt wrote:
> > > On Wed, 11 Sep 2013 09:00:16 -0700
> > > Greg KH <gregkh@linuxfoundation.org> wrote:
> > >
> > > > On Wed, Sep 11, 2013 at 05:36:29PM +0300, Sergey Senozhatsky wrote:
> > > > > This one on top of stable 3.6.11 git.
> > > >
> > > > What do you mean by this?
> > > >
> >
> > I thought it was for linux-3.6.y stable branch. sorry, wrong
> > assumption.
> >
> > >
> > > It's for my stable branch. Although, 3.6.11.8 is a far cry from 3.6.11
> > > and the patch does not apply.
> > >
> >
> > oh... so, we were not talking about linux-3.6.y branch from
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git ?
> >
> > a thousand apologies.
> >
>
> Yeah, this is my extended stable, which is located in:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/rt/linux-stable-rt.git
> v3.6-stable
Thanks.
Sure, I should have guessed :-) your patch looks good, sorry for inconvenience.
have a nice day,
-ss
>
> I base the stable 3.6-rt patches off of this.
>
> -- Steve
>
^ permalink raw reply [flat|nested] 271+ messages in thread
* Re: [146/251] zram: use zram->lock to protect zram_free_page() in swap free notify path
2013-09-11 8:42 ` Luis Henriques
@ 2013-09-12 1:20 ` Steven Rostedt
0 siblings, 0 replies; 271+ messages in thread
From: Steven Rostedt @ 2013-09-12 1:20 UTC (permalink / raw)
To: Luis Henriques; +Cc: linux-kernel, stable, Jiang Liu, Greg Kroah-Hartman
On Wed, 11 Sep 2013 09:42:42 +0100
Luis Henriques <luis.henriques@canonical.com> wrote:
> Steven Rostedt <rostedt@goodmis.org> writes:
>
> > 3.6.11.9-rc1 stable review patch.
> > If anyone has any objections, please let me know.
>
> This commit seems to cause regressions [1]. There's a fix for it with
> commit a0c516cbfc7452c8cbd564525fef66d9f20b46d1 but it doesn't apply
> cleanly (it probably requires several other commits to be
> backported). Thus, I am reverting it from the 3.5 extended stable
> kernel.
>
> [1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1215513
>
Thanks! I reverted it too.
-- Steve
^ permalink raw reply [flat|nested] 271+ messages in thread
end of thread, other threads:[~2013-09-12 5:44 UTC | newest]
Thread overview: 271+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-09-11 4:27 [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
2013-09-11 4:27 ` [001/251] powerpc/smp: Section mismatch from smp_release_cpus to __initdata spinning_secondaries Steven Rostedt
2013-09-11 4:27 ` [002/251] ALSA: hda - Cache the MUX selection for generic HDMI Steven Rostedt
2013-09-11 4:27 ` [003/251] ALSA: hda - Add new GPU codec ID to snd-hda Steven Rostedt
2013-09-11 4:27 ` [004/251] ALSA: seq-oss: Initialize MIDI clients asynchronously Steven Rostedt
2013-09-11 4:27 ` [005/251] ALSA: 6fire: Fix unlocked snd_pcm_stop() call Steven Rostedt
2013-09-11 4:27 ` [006/251] ALSA: ua101: " Steven Rostedt
2013-09-11 4:27 ` [007/251] ALSA: pxa2xx: " Steven Rostedt
2013-09-11 4:27 ` [008/251] ALSA: atiixp: " Steven Rostedt
2013-09-11 4:27 ` [009/251] ALSA: asihpi: " Steven Rostedt
2013-09-11 4:27 ` [010/251] ALSA: usx2y: " Steven Rostedt
2013-09-11 4:27 ` [011/251] libata: skip SRST for all SIMG [34]7x port-multipliers Steven Rostedt
2013-09-11 4:27 ` [012/251] ata_piix: IDE-mode SATA patch for Intel Coleto Creek DeviceIDs Steven Rostedt
2013-09-11 4:27 ` [013/251] i2c-piix4: Add AMD CZ SMBus device ID Steven Rostedt
2013-09-11 4:27 ` [014/251] ASoC: s6000: Fix unlocked snd_pcm_stop() call Steven Rostedt
2013-09-11 4:27 ` [015/251] ASoC: sglt5000: Fix SGTL5000_PLL_FRAC_DIV_MASK Steven Rostedt
2013-09-11 4:27 ` [016/251] md/raid10: fix two bugs affecting RAID10 reshape Steven Rostedt
2013-09-11 4:27 ` [017/251] tick: Prevent uncontrolled switch to oneshot mode Steven Rostedt
2013-09-11 4:27 ` [018/251] clocksource: dw_apb: Fix error check Steven Rostedt
2013-09-11 4:27 ` [019/251] rt2x00: read 5GHz TX power values from the correct offset Steven Rostedt
2013-09-11 4:27 ` [020/251] ath9k_hw: Assign default xlna config for AR9485 Steven Rostedt
2013-09-11 4:27 ` [021/251] ath9k: Do not assign noise for NULL caldata Steven Rostedt
2013-09-11 4:27 ` [022/251] aacraid: Fix for arrays are going offline in the system. System hangs Steven Rostedt
2013-09-11 4:27 ` [023/251] zfcp: fix adapter (re)open recovery while link to SAN is down Steven Rostedt
2013-09-11 4:27 ` [024/251] zfcp: block queue limits with data router Steven Rostedt
2013-09-11 4:27 ` [025/251] zfcp: status read buffers on first adapter open with link down Steven Rostedt
2013-09-11 4:27 ` [026/251] mpt2sas: fix firmware failure with wrong task attribute Steven Rostedt
2013-09-11 4:27 ` [027/251] b43: ensue that BCMA is "y" when B43 is "y" Steven Rostedt
2013-09-11 4:27 ` [028/251] printk: Fix rq->lock vs logbuf_lock unlock lock inversion Steven Rostedt
2013-09-11 4:27 ` [029/251] uprobes: Fix return value in error handling path Steven Rostedt
2013-09-11 4:27 ` [030/251] svcrpc: fix handling of too-short rpcs Steven Rostedt
2013-09-11 4:27 ` [031/251] iommu/amd: Only unmap large pages from the first pte Steven Rostedt
2013-09-11 4:27 ` [032/251] staging: line6: Fix unlocked snd_pcm_stop() call Steven Rostedt
2013-09-11 4:27 ` [033/251] perf: Clone child context from parent context pmu Steven Rostedt
2013-09-11 4:27 ` [034/251] perf: Remove WARN_ON_ONCE() check in __perf_event_enable() for valid scenario Steven Rostedt
2013-09-11 4:27 ` [035/251] perf: Fix perf_lock_task_context() vs RCU Steven Rostedt
2013-09-11 4:27 ` [036/251] tracing: Fix irqs-off tag display in syscall tracing Steven Rostedt
2013-09-11 4:27 ` [037/251] writeback: Fix periodic writeback after fs mount Steven Rostedt
2013-09-11 4:27 ` [038/251] neighbour: fix a race in neigh_destroy() Steven Rostedt
2013-09-11 4:27 ` [039/251] x25: Fix broken locking in ioctl error paths Steven Rostedt
2013-09-11 4:27 ` [040/251] vti: remove duplicated code to fix a memory leak Steven Rostedt
2013-09-11 4:27 ` [041/251] l2tp: add missing .owner to struct pppox_proto Steven Rostedt
2013-09-11 4:27 ` [042/251] ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data Steven Rostedt
2013-09-11 4:27 ` [043/251] ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size Steven Rostedt
2013-09-11 4:27 ` [044/251] virtio: support unlocked queue poll Steven Rostedt
2013-09-11 4:27 ` [045/251] virtio_net: fix race in RX VQ processing Steven Rostedt
2013-09-11 4:27 ` [046/251] sunvnet: vnet_port_remove must call unregister_netdev Steven Rostedt
2013-09-11 4:27 ` [047/251] ifb: fix rcu_sched self-detected stalls Steven Rostedt
2013-09-11 4:27 ` [048/251] tuntap: correctly linearize skb when zerocopy is used Steven Rostedt
2013-09-11 4:27 ` [049/251] macvtap: " Steven Rostedt
2013-09-11 4:27 ` [050/251] ipv6: in case of link failure remove route directly instead of letting it expire Steven Rostedt
2013-09-11 4:27 ` [051/251] 9p: fix off by one causing access violations and memory corruption Steven Rostedt
2013-09-11 4:27 ` [052/251] dummy: fix oops when loading the dummy failed Steven Rostedt
2013-09-11 4:28 ` [053/251] ifb: fix oops when loading the ifb failed Steven Rostedt
2013-09-11 4:28 ` [054/251] atl1e: fix dma mapping warnings Steven Rostedt
2013-09-11 4:28 ` [055/251] skb: report completion status for zero copy skbs Steven Rostedt
2013-09-11 4:28 ` [056/251] tuntap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS Steven Rostedt
2013-09-11 4:28 ` [057/251] macvtap: " Steven Rostedt
2013-09-11 4:28 ` [058/251] vlan: mask vlan prio bits Steven Rostedt
2013-09-11 4:28 ` [059/251] vlan: fix a race in egress prio management Steven Rostedt
2013-09-11 4:28 ` [060/251] MIPS: Oceton: Fix build error Steven Rostedt
2013-09-11 4:28 ` [061/251] RAPIDIO: IDT_GEN2: " Steven Rostedt
2013-09-11 4:28 ` [062/251] megaraid_sas: fix memory leak if SGL has zero length entries Steven Rostedt
2013-09-11 4:28 ` [063/251] lib/Kconfig.debug: Restrict FRAME_POINTER for MIPS Steven Rostedt
2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [064/251] usb: serial: option: blacklist ONDA MT689DC QMI interface Steven Rostedt
2013-09-11 4:28 ` [065/251] usb: serial: option: add Olivetti Olicard 200 Steven Rostedt
2013-09-11 4:28 ` [066/251] usb: serial: option.c: remove ONDA MT825UP product ID fromdriver Steven Rostedt
2013-09-11 4:28 ` [067/251] USB: option: add D-Link DWM-152/C1 and DWM-156/C1 Steven Rostedt
2013-09-11 4:28 ` [068/251] usb: serial: cp210x: Add USB ID for Netgear Switches embedded serial adapter Steven Rostedt
2013-09-11 4:28 ` [069/251] USB: cp210x: add MMB and PI ZigBee USB Device Support Steven Rostedt
2013-09-11 4:28 ` [070/251] usb: cp210x support SEL C662 Vendor/Device Steven Rostedt
2013-09-11 4:28 ` [071/251] PM / Sleep: avoid autosleep in shutdown progress Steven Rostedt
2013-09-11 4:28 ` [072/251] lockd: protect nlm_blocked access in nlmsvc_retry_blocked Steven Rostedt
2013-09-11 4:28 ` [073/251] hrtimers: Move SMP function call to thread context Steven Rostedt
2013-09-11 4:28 ` Steven Rostedt
2013-09-11 4:28 ` [074/251] ALSA: usb-audio: 6fire: return correct XRUN indication Steven Rostedt
2013-09-11 4:28 ` [075/251] mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots Steven Rostedt
2013-09-11 4:28 ` [076/251] iscsi-target: Fix tfc_tpg_nacl_auth_cit configfs length overflow Steven Rostedt
2013-09-11 4:28 ` [077/251] USB: storage: Add MicroVault Flash Drive to unusual_devs Steven Rostedt
2013-09-11 4:28 ` [078/251] ASoC: max98088 - fix element type of the register cache Steven Rostedt
2013-09-11 4:28 ` [079/251] ASoC: wm8962: Remove remaining direct register cache accesses Steven Rostedt
2013-09-11 4:28 ` [080/251] ARM: 7722/1: zImage: Convert 32bits memory size and address from ATAG to 64bits DTB Steven Rostedt
2013-09-11 4:28 ` [081/251] isci: Fix a race condition in the SSP task management path Steven Rostedt
2013-09-11 4:28 ` [082/251] sd: fix crash when UA received on DIF enabled device Steven Rostedt
2013-09-11 4:28 ` [083/251] qla2xxx: Properly set the tagging for commands Steven Rostedt
2013-09-11 4:28 ` [084/251] usb: host: xhci: Enable XHCI_SPURIOUS_SUCCESS for all controllers with xhci 1.0 Steven Rostedt
2013-09-11 4:28 ` [085/251] xhci: fix null pointer dereference on ring_doorbell_for_active_rings Steven Rostedt
2013-09-11 4:28 ` [086/251] xhci: Avoid NULL pointer deref when host dies Steven Rostedt
2013-09-11 4:28 ` [087/251] USB: EHCI: Fix resume signalling on remote wakeup Steven Rostedt
2013-09-11 4:28 ` [088/251] USB: mos7840: fix memory leak in open Steven Rostedt
2013-09-11 4:28 ` [089/251] usb: dwc3: fix wrong bit mask in dwc3_event_type Steven Rostedt
2013-09-11 4:28 ` [090/251] usb: dwc3: gadget: dont prevent gadget from being probed if we fail Steven Rostedt
2013-09-11 4:28 ` [091/251] USB: ti_usb_3410_5052: fix dynamic-id matching Steven Rostedt
2013-09-11 4:28 ` [093/251] usb: Clear both buffers when clearing a control transfer TT buffer Steven Rostedt
2013-09-11 4:28 ` [094/251] staging: comedi: COMEDI_CANCEL ioctl should wake up read/write Steven Rostedt
2013-09-11 4:28 ` [095/251] staging: android: logger: Correct write offset reset on error Steven Rostedt
2013-09-11 4:28 ` [096/251] Btrfs: fix lock leak when resuming snapshot deletion Steven Rostedt
2013-09-11 4:28 ` [097/251] Btrfs: re-add root to dead root list if we stop dropping it Steven Rostedt
2013-09-11 4:28 ` [098/251] xen-netfront: pull on receive skb may need to happen earlier Steven Rostedt
2013-09-11 4:28 ` [099/251] xen/blkback: Check device permissions before allowing OP_DISCARD Steven Rostedt
2013-09-11 4:28 ` [100/251] md/raid5: fix interaction of replace and recovery Steven Rostedt
2013-09-11 4:28 ` [101/251] md/raid10: remove use-after-free bug Steven Rostedt
2013-09-11 4:28 ` [102/251] libata: make it clear that sata_inic162x is experimental Steven Rostedt
2013-09-11 4:28 ` [103/251] svcrdma: underflow issue in decode_write_list() Steven Rostedt
2013-09-11 4:28 ` [104/251] powerpc/modules: Module CRC relocation fix causes perf issues Steven Rostedt
2013-09-11 4:28 ` [105/251] nfsd: nfsd_open: when dentry_open returns an error do not propagate as struct file Steven Rostedt
2013-09-11 4:28 ` [106/251] ACPI / memhotplug: Fix a stale pointer in error path Steven Rostedt
2013-09-11 4:28 ` [107/251] dm mpath: fix ioctl deadlock when no paths Steven Rostedt
2013-09-11 4:28 ` [108/251] dm verity: fix inability to use a few specific devices sizes Steven Rostedt
2013-09-11 4:28 ` [109/251] drm/radeon: fix endian issues with DP handling (v3) Steven Rostedt
2013-09-11 4:28 ` [110/251] drm/radeon: fix combios tables on older cards Steven Rostedt
2013-09-11 4:28 ` [111/251] drm/radeon: improve dac adjust heuristics for legacy pdac Steven Rostedt
2013-09-11 4:28 ` [112/251] drm/i915: fix long-standing SNB regression in power consumption after resume v2 Steven Rostedt
2013-09-11 4:29 ` [113/251] drm/radeon/atom: initialize more atom interpretor elements to 0 Steven Rostedt
2013-09-11 4:29 ` [114/251] USB: serial: ftdi_sio: add more RT Systems ftdi devices Steven Rostedt
2013-09-11 4:29 ` [115/251] livelock avoidance in sget() Steven Rostedt
2013-09-11 4:29 ` [116/251] xen/evtchn: avoid a deadlock when unbinding an event channel Steven Rostedt
2013-09-11 4:29 ` [117/251] radeon kms: do not flush uninitialized hotplug work Steven Rostedt
2013-09-11 9:06 ` Sergey Senozhatsky
2013-09-11 12:37 ` Steven Rostedt
2013-09-11 13:12 ` Sergey Senozhatsky
2013-09-11 14:36 ` Sergey Senozhatsky
2013-09-11 16:00 ` Greg KH
2013-09-11 16:13 ` Steven Rostedt
2013-09-11 18:48 ` Sergey Senozhatsky
2013-09-11 18:54 ` Steven Rostedt
2013-09-11 20:40 ` Sergey Senozhatsky
2013-09-11 4:29 ` [118/251] x86: Fix /proc/mtrr with base/size more than 44bits Steven Rostedt
2013-09-11 4:29 ` [119/251] ARM: poison the vectors page Steven Rostedt
2013-09-11 4:29 ` [120/251] ARM: poison memory between kuser helpers Steven Rostedt
2013-09-11 4:29 ` [121/251] ARM: move vector stubs Steven Rostedt
2013-09-11 4:29 ` [122/251] ARM: use linker magic for vectors and " Steven Rostedt
2013-09-11 4:29 ` [123/251] ARM: update FIQ support for relocation of vectors Steven Rostedt
2013-09-11 4:29 ` [124/251] ARM: allow kuser helpers to be removed from the vector page Steven Rostedt
2013-09-11 4:29 ` [125/251] ARM: make vectors page inaccessible from userspace Steven Rostedt
2013-09-11 4:29 ` [126/251] powerpc/windfarm: Fix noisy slots-fan on Xserve (rm31) Steven Rostedt
2013-09-11 4:29 ` [127/251] ARM: 7790/1: Fix deferred mm switch on VIVT processors Steven Rostedt
2013-09-11 4:29 ` [128/251] ALSA: compress: fix the return value for SNDRV_COMPRESS_VERSION Steven Rostedt
2013-09-11 4:29 ` [129/251] serial/mxs-auart: fix race condition in interrupt handler Steven Rostedt
2013-09-11 4:29 ` [130/251] serial/mxs-auart: increase time to wait for transmitter to become idle Steven Rostedt
2013-09-11 4:29 ` [131/251] USB: mos7840: fix race in register handling Steven Rostedt
2013-09-11 4:29 ` [132/251] USB: mos7840: fix device-type detection Steven Rostedt
2013-09-11 4:29 ` [133/251] USB: mos7840: fix race in led handling Steven Rostedt
2013-09-11 4:29 ` [134/251] USB: mos7840: fix pointer casts Steven Rostedt
2013-09-11 4:29 ` [135/251] iwlwifi: add DELL SKU for 5150 HMC Steven Rostedt
2013-09-11 4:29 ` [136/251] ath9k_htc: do some initial hardware configuration Steven Rostedt
2013-09-11 4:29 ` [137/251] nl80211: fix mgmt tx status and testmode reporting for netns Steven Rostedt
2013-09-11 4:29 ` [138/251] mac80211: fix duplicate retransmission detection Steven Rostedt
2013-09-11 4:29 ` [139/251] mac80211: fix ethtool stats for non-station interfaces Steven Rostedt
2013-09-11 4:29 ` [140/251] ixgbe: Fix Tx Hang issue with lldpad on 82598EB Steven Rostedt
2013-09-11 4:29 ` [141/251] Bluetooth: ath3k: dont use stack memory for DMA Steven Rostedt
2013-09-11 4:29 ` [142/251] Bluetooth: Add support for Mediatek Bluetooth device [0e8d:763f] Steven Rostedt
2013-09-11 4:29 ` [143/251] rt2x00: fix stop queue Steven Rostedt
2013-09-11 4:29 ` [144/251] mwifiex: Add missing endian conversion Steven Rostedt
2013-09-11 4:29 ` [145/251] zram: avoid invalid memory access in zram_exit() Steven Rostedt
2013-09-11 4:29 ` [146/251] zram: use zram->lock to protect zram_free_page() in swap free notify path Steven Rostedt
2013-09-11 8:42 ` Luis Henriques
2013-09-12 1:20 ` Steven Rostedt
2013-09-11 4:29 ` [147/251] zram: destroy all devices on error recovery path in zram_init() Steven Rostedt
2013-09-11 4:29 ` [148/251] zram: avoid double free in function zram_bvec_write() Steven Rostedt
2013-09-11 4:29 ` [149/251] zram: avoid access beyond the zram device Steven Rostedt
2013-09-11 4:29 ` [150/251] zram: protect sysfs handler from invalid memory access Steven Rostedt
2013-09-11 4:29 ` [151/251] ACPI / battery: Fix parsing _BIX return value Steven Rostedt
2013-09-11 4:29 ` [152/251] fanotify: info leak in copy_event_to_user() Steven Rostedt
2013-09-11 4:29 ` [153/251] cgroup: fix umount vs cgroup_cfts_commit() race Steven Rostedt
2013-09-11 4:29 ` [154/251] x86, fpu: correct the asm constraints for fxsave, unbreak mxcsr.daz Steven Rostedt
2013-09-11 4:29 ` [155/251] userns: limit the maximum depth of user_namespace->parent chain Steven Rostedt
2013-09-11 4:29 ` [156/251] x86/iommu/vt-d: Expand interrupt remapping quirk to cover x58 chipset Steven Rostedt
2013-09-11 4:29 ` [157/251] arcnet: cleanup sizeof parameter Steven Rostedt
2013-09-11 4:29 ` [158/251] sysctl net: Keep tcp_syn_retries inside the boundary Steven Rostedt
2013-09-11 4:29 ` [159/251] ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup Steven Rostedt
2013-09-11 4:29 ` [160/251] net_sched: Fix stack info leak in cbq_dump_wrr() Steven Rostedt
2013-09-11 4:29 ` [161/251] af_key: more info leaks in pfkey messages Steven Rostedt
2013-09-11 4:29 ` [162/251] atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring Steven Rostedt
2013-09-11 4:29 ` [163/251] net_sched: info leak in atm_tc_dump_class() Steven Rostedt
2013-09-11 4:29 ` [164/251] ndisc: Add missing inline to ndisc_addr_option_pad Steven Rostedt
2013-09-11 4:29 ` [165/251] 8139cp: Add dma_mapping_error checking Steven Rostedt
2013-09-11 4:29 ` [166/251] Dont attempt to send extended INQUIRY command if skip_vpd_pages is set Steven Rostedt
2013-09-11 4:29 ` [167/251] megaraid_sas: megaraid_sas driver init fails in kdump kernel Steven Rostedt
2013-09-11 4:29 ` [168/251] ext4: make sure group number is bumped after a inode allocation race Steven Rostedt
2013-09-11 4:29 ` [169/251] regmap: Add missing header for !CONFIG_REGMAP stubs Steven Rostedt
2013-09-11 4:29 ` [170/251] hwmon: (adt7470) Fix incorrect return code check Steven Rostedt
2013-09-11 4:29 ` [171/251] tracing: Fix fields of struct trace_iterator that are zeroed by mistake Steven Rostedt
2013-09-11 4:29 ` [172/251] ALSA: usb-audio: do not trust too-big wMaxPacketSize values Steven Rostedt
2013-09-11 4:30 ` [173/251] ALSA: 6fire: fix DMA issues with URB transfer_buffer usage Steven Rostedt
2013-09-11 4:30 ` [174/251] virtio: console: fix race with port unplug and open/close Steven Rostedt
2013-09-11 4:30 ` [175/251] virtio: console: fix race in port_fops_open() and port unplug Steven Rostedt
2013-09-11 4:30 ` [176/251] virtio: console: clean up port data immediately at time of unplug Steven Rostedt
2013-09-11 4:30 ` [177/251] virtio: console: fix raising SIGIO after port unplug Steven Rostedt
2013-09-11 4:30 ` [178/251] virtio: console: return -ENODEV on all read operations after unplug Steven Rostedt
2013-09-11 4:30 ` [179/251] drm/cirrus: Invalidate page tables when pinning a BO Steven Rostedt
2013-09-11 4:30 ` [180/251] drm/mgag200: " Steven Rostedt
2013-09-11 4:30 ` [181/251] drm/ast: invalidate " Steven Rostedt
2013-09-11 4:30 ` [182/251] ext4: allow the mount options nodelalloc and data=journal Steven Rostedt
2013-09-11 4:30 ` [183/251] ext4: fix mount/remount error messages for incompatible mount options Steven Rostedt
2013-09-11 4:30 ` [184/251] cifs: extend the buffer length enought for sprintf() using Steven Rostedt
2013-09-11 4:30 ` [185/251] zram: allow request end to coincide with disksize Steven Rostedt
2013-09-11 4:30 ` [186/251] debugfs: debugfs_remove_recursive() must not rely on list_empty(d_subdirs) Steven Rostedt
2013-09-11 4:30 ` [187/251] reiserfs: fix deadlock in umount Steven Rostedt
2013-09-11 4:30 ` [188/251] nsp32: use mdelay instead of large udelay constants Steven Rostedt
2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [189/251] mtd: omap2: allow bulding as a module Steven Rostedt
2013-09-11 4:30 ` [190/251] MIPS: Expose missing pci_io{map,unmap} declarations Steven Rostedt
2013-09-11 4:30 ` Steven Rostedt
2013-09-11 4:30 ` [191/251] perf/x86: Fix intel QPI uncore event definitions Steven Rostedt
2013-09-11 4:30 ` [192/251] perf/arm: Fix armpmu_map_hw_event() Steven Rostedt
2013-09-11 4:30 ` [193/251] x86 get_unmapped_area(): use proper mmap base for bottom-up direction Steven Rostedt
2013-09-11 4:30 ` [194/251] fs/proc/task_mmu.c: fix buffer overflow in add_page_map() Steven Rostedt
2013-09-11 4:30 ` [195/251] elevator: Fix a race in elevator switching Steven Rostedt
2013-09-11 4:30 ` [196/251] iwl4965: set power mode early Steven Rostedt
2013-09-11 4:30 ` [197/251] iwl4965: reset firmware after rfkill off Steven Rostedt
2013-09-11 7:46 ` Stanislaw Gruszka
2013-09-11 12:32 ` Steven Rostedt
2013-09-11 4:30 ` [198/251] can: pcan_usb: fix wrong memcpy() bytes length Steven Rostedt
2013-09-11 4:30 ` [199/251] genetlink: fix family dump race Steven Rostedt
2013-09-11 6:50 ` Berg, Johannes
2013-09-11 12:25 ` Steven Rostedt
2013-09-11 4:30 ` [200/251] cfg80211: fix P2P GO interface teardown Steven Rostedt
2013-09-11 4:30 ` [201/251] ASoC: cs42l52: Reorder Min/Max and update to SX_TLV for Beep Volume Steven Rostedt
2013-09-11 4:30 ` [202/251] ASoC: tegra: fix Tegra30 I2S capture parameter setup Steven Rostedt
2013-09-11 4:30 ` [203/251] ALSA: 6fire: make buffers DMA-able (pcm) Steven Rostedt
2013-09-11 4:30 ` [204/251] ALSA: 6fire: make buffers DMA-able (midi) Steven Rostedt
2013-09-11 4:30 ` [205/251] ALSA: hda - Add a fixup for Gateway LT27 Steven Rostedt
2013-09-11 4:30 ` [206/251] usb: add two quirky touchscreen Steven Rostedt
2013-09-11 4:30 ` [207/251] USB: ti_usb_3410_5052: fix big-endian firmware handling Steven Rostedt
2013-09-11 4:30 ` [208/251] USB: mos7840: fix big-endian probe Steven Rostedt
2013-09-11 4:30 ` [209/251] USB: mos7720: fix broken control requests Steven Rostedt
2013-09-11 4:30 ` [210/251] USB: keyspan: fix null-deref at disconnect and release Steven Rostedt
2013-09-11 4:30 ` [211/251] USB-Serial: Fix error handling of usb_wwan Steven Rostedt
2013-09-11 4:30 ` [212/251] wusbcore: fix kernel panic when disconnecting a wireless USB->serial device Steven Rostedt
2013-09-11 4:30 ` [213/251] ARM: 7809/1: perf: fix event validation for software group leaders Steven Rostedt
2013-09-11 4:30 ` [214/251] m68k/atari: ARAnyM - Fix NatFeat module support Steven Rostedt
2013-09-11 4:30 ` [215/251] jbd2: Fix use after free after error in jbd2_journal_dirty_metadata() Steven Rostedt
2013-09-11 4:30 ` [216/251] ACPI: add _STA evaluation at do_acpi_find_child() Steven Rostedt
2013-09-11 4:30 ` [217/251] xen/smp: initialize IPI vectors before marking CPU online Steven Rostedt
2013-09-11 4:30 ` [218/251] zd1201: do not use stack as URB transfer_buffer Steven Rostedt
2013-09-11 4:30 ` [219/251] xen/events: initialize local per-cpu mask for all possible events Steven Rostedt
2013-09-11 4:30 ` [220/251] ARM: davinci: nand: specify ecc strength Steven Rostedt
2013-09-11 4:30 ` [221/251] ARM: at91/DT: fix at91sam9n12ek memory node Steven Rostedt
2013-09-11 4:30 ` [222/251] ARM: 7816/1: CONFIG_KUSER_HELPERS: fix help text Steven Rostedt
2013-09-11 4:30 ` [223/251] drm/i915: Invalidate TLBs for the rings after a reset Steven Rostedt
2013-09-11 4:30 ` [224/251] of: fdt: fix memory initialization for expanded DT Steven Rostedt
2013-09-11 4:30 ` [225/251] nilfs2: remove double bio_put() in nilfs_end_bio_write() for BIO_EOPNOTSUPP error Steven Rostedt
2013-09-11 4:30 ` [226/251] nilfs2: fix issue with counting number of bio requests for BIO_EOPNOTSUPP error detection Steven Rostedt
2013-09-11 4:30 ` [227/251] drivers/platform/olpc/olpc-ec.c: initialise earlier Steven Rostedt
2013-09-11 4:30 ` [228/251] sata_fsl: save irqs while coalescing Steven Rostedt
2013-09-11 4:30 ` [229/251] Hostap: copying wrong data prism2_ioctl_giwaplist() Steven Rostedt
2013-09-11 4:30 ` [230/251] libata: apply behavioral quirks to sil3826 PMP Steven Rostedt
2013-09-11 4:30 ` [231/251] iwlwifi: dvm: fix calling ieee80211_chswitch_done() with NULL Steven Rostedt
2013-09-11 4:30 ` [232/251] iwlwifi: pcie: disable L1 Active after pci_enable_device Steven Rostedt
2013-09-11 4:31 ` [233/251] zfcp: fix lock imbalance by reworking request queue locking Steven Rostedt
2013-09-11 4:31 ` [234/251] zfcp: fix schedule-inside-lock in scsi_device list loops Steven Rostedt
2013-09-11 4:31 ` [235/251] sg: Fix user memory corruption when SG_IO is interrupted by a signal Steven Rostedt
2013-09-11 4:31 ` [236/251] x86/xen: do not identity map UNUSABLE regions in the machine E820 Steven Rostedt
2013-09-11 4:31 ` [237/251] jfs: fix readdir cookie incompatibility with NFSv4 Steven Rostedt
2013-09-11 4:31 ` [238/251] ALSA: hda - Add inverted digital mic fixup for Acer Aspire One Steven Rostedt
2013-09-11 4:31 ` [239/251] ALSA: opti9xx: Fix conflicting driver object name Steven Rostedt
2013-09-11 4:31 ` [240/251] powerpc: Work around gcc miscompilation of __pa() on 64-bit Steven Rostedt
2013-09-11 4:31 ` [241/251] powerpc: Dont Oops when accessing /proc/powerpc/lparcfg without hypervisor Steven Rostedt
2013-09-11 4:31 ` [242/251] powerpc/hvsi: Increase handshake timeout from 200ms to 400ms Steven Rostedt
2013-09-11 4:31 ` [243/251] regmap: Add another missing header for !CONFIG_REGMAP stubs Steven Rostedt
2013-09-11 4:31 ` [244/251] drivers/base/memory.c: fix show_mem_removable() to handle missing sections Steven Rostedt
2013-09-11 4:31 ` [245/251] workqueue: cond_resched() after processing each work item Steven Rostedt
2013-09-11 4:31 ` [246/251] drm/vmwgfx: Split GMR2_REMAP commands if they are to large Steven Rostedt
2013-09-11 4:31 ` [247/251] drm/i915: ivb: fix edp voltage swing reg val Steven Rostedt
2013-09-11 4:31 ` [248/251] SUNRPC: Fix memory corruption issue on 32-bit highmem systems Steven Rostedt
2013-09-11 4:31 ` [249/251] ath9k_htc: Restore skb headroom when returning skb to mac80211 Steven Rostedt
2013-09-11 4:31 ` [250/251] ath9k: Enable PLL fix only for AR9340/AR9330 Steven Rostedt
2013-09-11 4:31 ` [251/251] target: Fix trailing ASCII space usage in INQUIRY vendor+model Steven Rostedt
2013-09-11 4:34 ` [000/251] 3.6.11.9-rc1-stable review Steven Rostedt
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.