commit 6723972ab0cedb96477d47fb197091b487921322 Author: Greg Kroah-Hartman Date: Thu Jan 17 08:51:56 2013 -0800 Linux 3.4.26 commit 828b18866ce0907fdb67afe143d5d851deb9fec6 Author: Alan Stern Date: Wed Nov 7 10:31:30 2012 -0500 USB: fix endpoint-disabling for failed config changes commit 36caff5d795429c572443894e8789c2150dd796b upstream. This patch (as1631) fixes a bug that shows up when a config change fails for a device under an xHCI controller. The controller needs to be told to disable the endpoints that have been enabled for the new config. The existing code does this, but before storing the information about which endpoints were enabled! As a result, any second attempt to install the new config is doomed to fail because xhci-hcd will refuse to enable an endpoint that is already enabled. The patch optimistically initializes the new endpoints' device structures before asking the device to switch to the new config. If the request fails then the endpoint information is already stored, so we can use usb_hcd_alloc_bandwidth() to disable the endpoints with no trouble. The rest of the error path is slightly more complex now; we have to disable the new interfaces and call put_device() rather than simply deallocating them. Signed-off-by: Alan Stern Reported-and-tested-by: Matthias Schniedermeyer CC: Sarah Sharp Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit ede3e03c6d28bc3aca30206995fec585031698af Author: Ian Abbott Date: Thu Jan 3 12:15:26 2013 +0000 staging: comedi: Kconfig: COMEDI_NI_AT_A2150 should select COMEDI_FC commit 34ffb33e09132401872fe79e95c30824ce194d23 upstream. The 'ni_at_a2150' module links to `cfc_write_to_buffer` in the 'comedi_fc' module, so selecting 'COMEDI_NI_AT_A2150' in the kernel config needs to also select 'COMEDI_FC'. Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman commit c390e5a48ae714a6da89f16a8239e1751a285376 Author: Ian Abbott Date: Fri Mar 30 17:14:58 2012 +0100 staging: comedi: don't hijack hardware device private data commit c43435d7722134ed1fda58ce1025f41029bd58ad upstream. comedi_auto_config() associates a Comedi minor device number with an auto-configured hardware device and comedi_auto_unconfig() disassociates it. Currently, these use the hardware device's private data pointer to point to some allocated storage holding the minor device number. This is a bit of a waste of the hardware device's private data pointer, preventing it from being used for something more useful by the low-level comedi device drivers. For example, it would make more sense if comedi_usb_auto_config() was passed a pointer to the struct usb_interface instead of the struct usb_device, but this cannot be done currently because the low-level comedi drivers already use the private data pointer in the struct usb_interface for something more useful. This patch stops the comedi core hijacking the hardware device's private data pointer. Instead, comedi_auto_config() stores a pointer to the hardware device's struct device in the struct comedi_device_file_info associated with the minor device number, and comedi_auto_unconfig() calls new function comedi_find_board_minor() to recover the minor device number associated with the hardware device. Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman commit 359c4ea7baf79484cc3561f0040f9d5e367155fe Author: David Zafman Date: Mon Dec 3 19:14:05 2012 -0800 libceph: Unlock unprocessed pages in start_read() error path Function start_read() can get an error before processing all pages. It must not only release the remaining pages, but unlock them too. This fixes http://tracker.newdream.net/issues/3370 Signed-off-by: David Zafman Reviewed-by: Alex Elder (cherry picked from commit 8884d53dd63b1d9315b343564fcbe1ede004a99e) Signed-off-by: Greg Kroah-Hartman commit 57d93df8f18dbe66c0e2e1089ed2c120a9b980af Author: Yan, Zheng Date: Mon Nov 19 10:49:09 2012 +0800 ceph: call handle_cap_grant() for cap import message If client sends cap message that requests new max size during exporting caps, the exporting MDS will drop the message quietly. So the client may wait for the reply that updates the max size forever. call handle_cap_grant() for cap import message can avoid this issue. Signed-off-by: Yan, Zheng Signed-off-by: Sage Weil (cherry picked from commit 0e5e1774a92e6fe9c511585de8f078b4c4c68dbb) Signed-off-by: Greg Kroah-Hartman commit fbc8158351e8d34c499b61c422f3614dad6dc910 Author: Yan, Zheng Date: Mon Nov 19 10:49:08 2012 +0800 ceph: Fix __ceph_do_pending_vmtruncate we should set i_truncate_pending to 0 after page cache is truncated to i_truncate_size Signed-off-by: Yan, Zheng Signed-off-by: Sage Weil (cherry picked from commit a85f50b6ef93fbbb2ae932ce9b2376509d172796) Signed-off-by: Greg Kroah-Hartman commit ba647fd5c7ffc1a6433c8c90eedadf76a3df82fa Author: Yan, Zheng Date: Mon Nov 19 10:49:07 2012 +0800 ceph: Don't add dirty inode to dirty list if caps is in migration Add dirty inode to cap_dirty_migrating list instead, this can avoid ceph_flush_dirty_caps() entering infinite loop. Signed-off-by: Yan, Zheng Signed-off-by: Sage Weil (cherry picked from commit 0685235ffd9dbdb9ccbda587f8a3c83ad1d5a921) Signed-off-by: Greg Kroah-Hartman commit 42d519d12ef2d43a83b86cd2931c539045d07059 Author: Yan, Zheng Date: Mon Nov 19 10:49:06 2012 +0800 ceph: Fix infinite loop in __wake_requests __wake_requests() will enter infinite loop if we use it to wake requests in the session->s_waiting list. __wake_requests() deletes requests from the list and __do_request() adds requests back to the list. Signed-off-by: Yan, Zheng Signed-off-by: Sage Weil (cherry picked from commit ed75ec2cd19b47efcd292b6e23f58e56f4c5bc34) Signed-off-by: Greg Kroah-Hartman commit 7ae7b557aaaf1d50f04706b775341957f12bab10 Author: Yan, Zheng Date: Mon Nov 19 10:49:04 2012 +0800 ceph: Don't update i_max_size when handling non-auth cap The cap from non-auth mds doesn't have a meaningful max_size value. Signed-off-by: Yan, Zheng Signed-off-by: Sage Weil (cherry picked from commit 5e62ad30157d0da04cf40c6d1a2f4bc840948b9c) Signed-off-by: Greg Kroah-Hartman commit 3317122449a2ce5c0bba77e1f05b1df2ff716447 Author: Alex Elder Date: Fri Nov 16 09:29:16 2012 -0600 rbd: do not allow remove of mounted-on image There is no check in rbd_remove() to see if anybody holds open the image being removed. That's not cool. Add a simple open count that goes up and down with opens and closes (releases) of the device, and don't allow an rbd image to be removed if the count is non-zero. Protect the updates of the open count value with ctl_mutex to ensure the underlying rbd device doesn't get removed while concurrently being opened. Signed-off-by: Alex Elder Reviewed-by: Sage Weil (based on commit 42382b709bd1d143b9f0fa93e0a3a1f2f4210707) commit 1e411c66732294f5fb983323dafa7559796481f5 Author: Alex Elder Date: Wed Oct 10 21:19:13 2012 -0700 rbd: fix bug in rbd_dev_id_put() In rbd_dev_id_put(), there's a loop that's intended to determine the maximum device id in use. But it isn't doing that at all, the effect of how it's written is to simply use the just-put id number, which ignores whole purpose of this function. Fix the bug. Signed-off-by: Alex Elder Reviewed-by: Josh Durgin (cherry picked from commit b213e0b1a62637b2a9395a34349b13d73ca2b90a) Signed-off-by: Greg Kroah-Hartman commit f2ac87daff2e4a8c9fb8119a8e4badaac684a284 Author: Sage Weil Date: Mon Sep 24 21:02:47 2012 -0700 rbd: BUG on invalid layout This shouldn't actually be possible because the layout struct is constructed from the RBD header and validated then. [elder@inktank.com: converted BUG() call to equivalent rbd_assert()] Signed-off-by: Sage Weil Reviewed-by: Alex Elder (based on commit 6cae3717cddaf8e5e96e304733dca66e40d56f89) commit 50cda8f4439d715e080ced70d1e6d9ec07f95e6c Author: Alex Elder Date: Thu Dec 6 09:37:23 2012 -0600 rbd: remove linger unconditionally In __unregister_linger_request(), the request is being removed from the osd client's req_linger list only when the request has a non-null osd pointer. It should be done whether or not the request currently has an osd. This is most likely a non-issue because I believe the request will always have an osd when this function is called. Signed-off-by: Alex Elder Reviewed-by: Sage Weil (cherry picked from commit 61c74035626beb25a39b0273ccf7d75510bc36a1) Signed-off-by: Greg Kroah-Hartman commit 02585b8bdc988de82b45088a3f2092af2e6b2816 Author: Alex Elder Date: Thu Nov 29 08:37:03 2012 -0600 ceph: don't reference req after put In __unregister_request(), there is a call to list_del_init() referencing a request that was the subject of a call to ceph_osdc_put_request() on the previous line. This is not safe, because the request structure could have been freed by the time we reach the list_del_init(). Fix this by reversing the order of these lines. Signed-off-by: Alex Elder Reviewed-off-by: Sage Weil (cherry picked from commit 7d5f24812bd182a2471cb69c1c2baf0648332e1f) Signed-off-by: Greg Kroah-Hartman commit 31c46473d6a31ac1948c189624b472f26a6365e9 Author: Sage Weil Date: Wed Nov 28 12:28:24 2012 -0800 libceph: remove 'osdtimeout' option This would reset a connection with any OSD that had an outstanding request that was taking more than N seconds. The idea was that if the OSD was buggy, the client could compensate by resending the request. In reality, this only served to hide server bugs, and we haven't actually seen such a bug in quite a while. Moreover, the userspace client code never did this. More importantly, often the request is taking a long time because the OSD is trying to recover, or overloaded, and killing the connection and retrying would only make the situation worse by giving the OSD more work to do. Signed-off-by: Sage Weil Reviewed-by: Alex Elder (cherry picked from commit 83aff95eb9d60aff5497e9f44a2ae906b86d8e88) Signed-off-by: Greg Kroah-Hartman commit 87c7f759d1546a27d46d8cc2778ffecaa5f542c6 Author: Alex Elder Date: Fri Aug 10 13:12:07 2012 -0700 rbd: kill notify_timeout option The "notify_timeout" rbd device option is never used, so get rid of it. Signed-off-by: Alex Elder Reviewed-by: Yehuda Sadeh (cherry picked from commit 84d34dcc116e117a41c6fc8be13430529fc2d9e7) Signed-off-by: Greg Kroah-Hartman commit 5833a9132795681510a7dbd952696960763dc736 Author: Alex Elder Date: Fri Aug 10 13:12:07 2012 -0700 rbd: add read_only rbd map option Add the ability to map an rbd image read-only, by specifying either "read_only" or "ro" as an option on the rbd "command line." Also allow the inverse to be explicitly specified using "read_write" or "rw". Signed-off-by: Alex Elder Reviewed-by: Yehuda Sadeh (based on commit cc0538b62c839c2df7b9f8378bb37e3b35faa608) commit e4a4a559d2ba0d50059a85967b4c4c707863a65b Author: Alex Elder Date: Fri Aug 10 13:12:10 2012 -0700 rbd: kill create_snap sysfs entry Josh proposed the following change, and I don't think I could explain it any better than he did: From: Josh Durgin Date: Tue, 24 Jul 2012 14:22:11 -0700 To: ceph-devel Message-ID: <500F1203.9050605@inktank.com> From: Josh Durgin Right now the kernel still has one piece of rbd management duplicated from the rbd command line tool: snapshot creation. There's nothing special about snapshot creation that makes it advantageous to do from the kernel, so I'd like to remove the create_snap sysfs interface. That is, /sys/bus/rbd/devices//create_snap would be removed. Does anyone rely on the sysfs interface for creating rbd snapshots? If so, how hard would it be to replace with: rbd snap create pool/image@snap Is there any benefit to the sysfs interface that I'm missing? Josh This patch implements this proposal, removing the code that implements the "snap_create" sysfs interface for rbd images. As a result, quite a lot of other supporting code goes away. [elder@inktank.com: commented out rbd_req_sync_exec() to avoid warning] Suggested-by: Josh Durgin Signed-off-by: Alex Elder Reviewed-by: Josh Durgin (based on commit 02cdb02ceab1f3dd9ac2bc899fc51f0e0e744782) commit 3aa540b869b9bd734ec60246ae1dfe35ab3530e0 Author: Alex Elder Date: Fri Dec 7 09:57:58 2012 -0600 libceph: avoid using freed osd in __kick_osd_requests() If an osd has no requests and no linger requests, __reset_osd() will just remove it with a call to __remove_osd(). That drops a reference to the osd, and therefore the osd may have been free by the time __reset_osd() returns. That function offers no indication this may have occurred, and as a result the osd will continue to be used even when it's no longer valid. Change__reset_osd() so it returns an error (ENODEV) when it deletes the osd being reset. And change __kick_osd_requests() so it returns immediately (before referencing osd again) if __reset_osd() returns *any* error. Signed-off-by: Alex Elder Reviewed-by: Sage Weil (cherry picked from commit 685a7555ca69030739ddb57a47f0ea8ea80196a4) Signed-off-by: Greg Kroah-Hartman commit 9aaab33ec9b7b9cb745fc47dfe20b991ff468d72 Author: Sage Weil Date: Mon Oct 29 11:01:42 2012 -0700 libceph: fix osdmap decode error paths Ensure that we set the err value correctly so that we do not pass a 0 value to ERR_PTR and confuse the calling code. (In particular, osd_client.c handle_map() will BUG(!newmap)). Signed-off-by: Sage Weil Reviewed-by: Alex Elder (cherry picked from commit 0ed7285e0001b960c888e5455ae982025210ed3d) Signed-off-by: Greg Kroah-Hartman commit 7f5b160daddeaa55e441aca16010fab8299dfe9e Author: Sage Weil Date: Thu Dec 27 20:27:04 2012 -0600 libceph: fix protocol feature mismatch failure path We should not set con->state to CLOSED here; that happens in ceph_fault() in the caller, where it first asserts that the state is not yet CLOSED. Avoids a BUG when the features don't match. Since the fail_protocol() has become a trivial wrapper, replace calls to it with direct calls to reset_connection(). Signed-off-by: Sage Weil Reviewed-by: Alex Elder (cherry picked from commit 0fa6ebc600bc8e830551aee47a0e929e818a1868) Signed-off-by: Greg Kroah-Hartman commit 5bd9eb5a0891df0a806f265db504661fd558529c Author: Alex Elder Date: Wed Dec 26 10:43:57 2012 -0600 libceph: WARN, don't BUG on unexpected connection states A number of assertions in the ceph messenger are implemented with BUG_ON(), killing the system if connection's state doesn't match what's expected. At this point our state model is (evidently) not well understood enough for these assertions to trigger a BUG(). Convert all BUG_ON(con->state...) calls to be WARN_ON(con->state...) so we learn about these issues without killing the machine. We now recognize that a connection fault can occur due to a socket closure at any time, regardless of the state of the connection. So there is really nothing we can assert about the state of the connection at that point so eliminate that assertion. Reported-by: Ugis Tested-by: Ugis Signed-off-by: Alex Elder Reviewed-by: Sage Weil (cherry picked from commit 122070a2ffc91f87fe8e8493eb0ac61986c5557c) Signed-off-by: Greg Kroah-Hartman commit 1cc023b2653ad66b58970460165d0859943f41e7 Author: Alex Elder Date: Wed Dec 26 14:31:40 2012 -0600 libceph: always reset osds when kicking When ceph_osdc_handle_map() is called to process a new osd map, kick_requests() is called to ensure all affected requests are updated if necessary to reflect changes in the osd map. This happens in two cases: whenever an incremental map update is processed; and when a full map update (or the last one if there is more than one) gets processed. In the former case, the kick_requests() call is followed immediately by a call to reset_changed_osds() to ensure any connections to osds affected by the map change are reset. But for full map updates this isn't done. Both cases should be doing this osd reset. Rather than duplicating the reset_changed_osds() call, move it into the end of kick_requests(). Signed-off-by: Alex Elder Reviewed-by: Sage Weil (cherry picked from commit e6d50f67a6b1a6252a616e6e629473b5c4277218) Signed-off-by: Greg Kroah-Hartman commit a9ded438f7c08525df2ce19e8aeb112efd3090c9 Author: Alex Elder Date: Wed Dec 19 15:52:36 2012 -0600 libceph: move linger requests sooner in kick_requests() The kick_requests() function is called by ceph_osdc_handle_map() when an osd map change has been indicated. Its purpose is to re-queue any request whose target osd is different from what it was when it was originally sent. It is structured as two loops, one for incomplete but registered requests, and a second for handling completed linger requests. As a special case, in the first loop if a request marked to linger has not yet completed, it is moved from the request list to the linger list. This is as a quick and dirty way to have the second loop handle sending the request along with all the other linger requests. Because of the way it's done now, however, this quick and dirty solution can result in these incomplete linger requests never getting re-sent as desired. The problem lies in the fact that the second loop only arranges for a linger request to be sent if it appears its target osd has changed. This is the proper handling for *completed* linger requests (it avoids issuing the same linger request twice to the same osd). But although the linger requests added to the list in the first loop may have been sent, they have not yet completed, so they need to be re-sent regardless of whether their target osd has changed. The first required fix is we need to avoid calling __map_request() on any incomplete linger request. Otherwise the subsequent __map_request() call in the second loop will find the target osd has not changed and will therefore not re-send the request. Second, we need to be sure that a sent but incomplete linger request gets re-sent. If the target osd is the same with the new osd map as it was when the request was originally sent, this won't happen. This can be fixed through careful handling when we move these requests from the request list to the linger list, by unregistering the request *before* it is registered as a linger request. This works because a side-effect of unregistering the request is to make the request's r_osd pointer be NULL, and *that* will ensure the second loop actually re-sends the linger request. Processing of such a request is done at that point, so continue with the next one once it's been moved. Signed-off-by: Alex Elder Reviewed-by: Sage Weil (cherry picked from commit ab60b16d3c31b9bd9fd5b39f97dc42c52a50b67d) Signed-off-by: Greg Kroah-Hartman commit 0d3b9fff8bc11bc7d745c6b34c098b1c548fec65 Author: Alex Elder Date: Thu Dec 6 07:22:04 2012 -0600 libceph: register request before unregister linger In kick_requests(), we need to register the request before we unregister the linger request. Otherwise the unregister will reset the request's osd pointer to NULL. Signed-off-by: Alex Elder Reviewed-by: Sage Weil (cherry picked from commit c89ce05e0c5a01a256100ac6a6019f276bdd1ca6) Signed-off-by: Greg Kroah-Hartman commit 1d2522a000b6f6a0c836d586bbb39bacaae9b390 Author: Alex Elder Date: Mon Dec 17 12:23:48 2012 -0600 libceph: don't use rb_init_node() in ceph_osdc_alloc_request() The red-black node in the ceph osd request structure is initialized in ceph_osdc_alloc_request() using rbd_init_node(). We do need to initialize this, because in __unregister_request() we call RB_EMPTY_NODE(), which expects the node it's checking to have been initialized. But rb_init_node() is apparently overkill, and may in fact be on its way out. So use RB_CLEAR_NODE() instead. For a little more background, see this commit: 4c199a93 rbtree: empty nodes have no color" Signed-off-by: Alex Elder Reviewed-by: Sage Weil (cherry picked from commit a978fa20fb657548561dddbfb605fe43654f0825) Signed-off-by: Greg Kroah-Hartman commit 76fb865bcfeba57652edf054fd36aeed38ba5ceb Author: Alex Elder Date: Mon Dec 17 12:23:48 2012 -0600 libceph: init event->node in ceph_osdc_create_event() The red-black node node in the ceph osd event structure is not initialized in create_osdc_create_event(). Because this node can be the subject of a RB_EMPTY_NODE() call later on, we should ensure the node is initialized properly for that. Signed-off-by: Alex Elder Reviewed-by: Sage Weil (cherry picked from commit 3ee5234df68d253c415ba4f2db72ad250d9c21a9) Signed-off-by: Greg Kroah-Hartman commit 281c5d9e31a2411055bc750d81dd38d11131648e Author: Alex Elder Date: Thu Dec 6 07:22:04 2012 -0600 libceph: init osd->o_node in create_osd() The red-black node node in the ceph osd structure is not initialized in create_osd(). Because this node can be the subject of a RB_EMPTY_NODE() call later on, we should ensure the node is initialized properly for that. Add a call to RB_CLEAR_NODE() initialize it. Signed-off-by: Alex Elder Reviewed-by: Sage Weil (cherry picked from commit f407731d12214e7686819018f3a1e9d7b6f83a02) Signed-off-by: Greg Kroah-Hartman commit 6ea5c964ecc4037d4ae56694982be253bd821685 Author: Alex Elder Date: Fri Dec 14 16:47:41 2012 -0600 libceph: report connection fault with warning When a connection's socket disconnects, or if there's a protocol error of some kind on the connection, a fault is signaled and the connection is reset (closed and reopened, basically). We currently get an error message on the log whenever this occurs. A ceph connection will attempt to reestablish a socket connection repeatedly if a fault occurs. This means that these error messages will get repeatedly added to the log, which is undesirable. Change the error message to be a warning, so they don't get logged by default. Signed-off-by: Alex Elder Reviewed-by: Sage Weil (cherry picked from commit 28362986f8743124b3a0fda20a8ed3e80309cce1) Signed-off-by: Greg Kroah-Hartman commit 1c0bd4af222ba3a54bf3ba489127323079d0816d Author: Alex Elder Date: Fri Dec 7 19:50:07 2012 -0600 libceph: socket can close in any connection state A connection's socket can close for any reason, independent of the state of the connection (and without irrespective of the connection mutex). As a result, the connectino can be in pretty much any state at the time its socket is closed. Handle those other cases at the top of con_work(). Pull this whole block of code into a separate function to reduce the clutter. Signed-off-by: Alex Elder Reviewed-by: Sage Weil (cherry picked from commit 7bb21d68c535ad8be38e14a715632ae398b37ac1) Signed-off-by: Greg Kroah-Hartman commit b4659d8e7001600f06080f2b3f1922d0f4d96478 Author: Sage Weil Date: Mon Sep 24 21:01:02 2012 -0700 ceph: propagate layout error on osd request creation If we are creating an osd request and get an invalid layout, return an EINVAL to the caller. We switch up the return to have an error code instead of NULL implying -ENOMEM. Signed-off-by: Sage Weil Reviewed-by: Alex Elder (cherry picked from commit 6816282dab3a72efe8c0d182c1bc2960d87f4322) Signed-off-by: Greg Kroah-Hartman commit a871375b5548cbcd28c9b97040da7f6470a96a72 Author: Alex Elder Date: Fri Aug 10 13:12:07 2012 -0700 rbd: drop dev reference on error in rbd_open() If a read-only rbd device is opened for writing in rbd_open(), it returns without dropping the just-acquired device reference. Fix this by moving the read-only check before getting the reference. Signed-off-by: Alex Elder Reviewed-by: Yehuda Sadeh Reviewed-by: Josh Durgin (cherry picked from commit 340c7a2b2c9a2da640af28a8c196356484ac8b50) Signed-off-by: Greg Kroah-Hartman commit 2c130889f540f0bc6bc866d436b2ec3a23ea8f2b Author: Sage Weil Date: Tue Aug 21 15:55:25 2012 -0700 ceph: tolerate (and warn on) extraneous dentry from mds If the MDS gives us a dentry and we weren't prepared to handle it, WARN_ON_ONCE instead of crashing. Reported-by: Yan, Zheng Signed-off-by: Sage Weil Reviewed-by: Alex Elder (cherry picked from commit 6c5e50fa614fea5325a2973be06f7ec6f1055316) Signed-off-by: Greg Kroah-Hartman commit ca9a5e33a97a965378a2a0387fd8acf3a0144950 Author: Josh Durgin Date: Mon Dec 5 18:10:44 2011 -0800 rbd: send header version when notifying Previously the original header version was sent. Now, we update it when the header changes. Signed-off-by: Josh Durgin Reviewed-by: Alex Elder (cherry picked from commit a71b891bc7d77a070e723c8c53d1dd73cf931555) Signed-off-by: Greg Kroah-Hartman commit fc5eb627a897ac41581692abf60ffea874df2e55 Author: Josh Durgin Date: Mon Dec 5 14:03:05 2011 -0800 rbd: use reference counting for the snap context This prevents a race between requests with a given snap context and header updates that free it. The osd client was already expecting the snap context to be reference counted, since it get()s it in ceph_osdc_build_request and put()s it when the request completes. Also remove the second down_read()/up_read() on header_rwsem in rbd_do_request, which wasn't actually preventing this race or protecting any other data. Signed-off-by: Josh Durgin Reviewed-by: Alex Elder (cherry picked from commit d1d25646543134d756a02ffe4e02073faa761f2c) Signed-off-by: Greg Kroah-Hartman commit 894910deddfe36e66079bea42ae9d728b3f4b5cc Author: Josh Durgin Date: Mon Dec 5 10:41:28 2011 -0800 rbd: set image size when header is updated The image may have been resized. Signed-off-by: Josh Durgin Reviewed-by: Alex Elder (cherry picked from commit 93a24e084d67ba2fcb9a4c289135825b623ec864) Signed-off-by: Greg Kroah-Hartman commit 929333aa674e6c1b3026a3b3c8f27907e9a7de5b Author: Josh Durgin Date: Mon Dec 5 10:35:04 2011 -0800 rbd: expose the correct size of the device in sysfs If an image was mapped to a snapshot, the size of the head version would be shown. Protect capacity with header_rwsem, since it may change. Signed-off-by: Josh Durgin Reviewed-by: Alex Elder (cherry picked from commit a51aa0c042fa39946dd017d5f91a073300a71577) Signed-off-by: Greg Kroah-Hartman commit 7272b7d3db9160716acce4ae387cf98fd24ff820 Author: Josh Durgin Date: Mon Nov 21 17:13:54 2011 -0800 rbd: only reset capacity when pointing to head Snapshots cannot be resized, and the new capacity of head should not be reflected by the snapshot. Signed-off-by: Josh Durgin Reviewed-by: Alex Elder (cherry picked from commit 474ef7ce832d471148f63a9d07f67fc5564834f1) Signed-off-by: Greg Kroah-Hartman commit 95268c46ace4492b924abf6e82c6974c152bee29 Author: Josh Durgin Date: Mon Nov 21 18:14:25 2011 -0800 rbd: return errors for mapped but deleted snapshot When a snapshot is deleted, the OSD will return ENOENT when reading from it. This is normally interpreted as a hole by rbd, which will return zeroes. To minimize the time in which this can happen, stop requests early when we are notified that our snapshot no longer exists. [elder@inktank.com: updated __rbd_init_snaps_header() logic] Signed-off-by: Josh Durgin Reviewed-by: Alex Elder (cherry picked from commit e88a36ec961b8c1899c59c5e4ae35a318c0209d3) Signed-off-by: Greg Kroah-Hartman Conflicts: drivers/block/rbd.c commit a2d928ffc91d237f178d769943bc785f1a7f7435 Author: Sage Weil Date: Mon Jul 30 16:21:17 2012 -0700 ceph: close old con before reopening on mds reconnect When we detect a mds session reset, close the old ceph_connection before reopening it. This ensures we clean up the old socket properly and keep the ceph_connection state correct. Signed-off-by: Sage Weil Reviewed-by: Alex Elder Reviewed-by: Yehuda Sadeh (cherry picked from commit a53aab645c82f0146e35684b34692c69b5118121) Signed-off-by: Greg Kroah-Hartman commit 627e242990064e050cf09436c46d66ccf0f8a6b9 Author: Daniel Vetter Date: Mon Jan 7 10:27:13 2013 +0100 Revert "drm/i915: no lvds quirk for Zotac ZDBOX SD ID12/ID13" commit 48e858340dae43189a4e55647f6eac736766f828 upstream. This reverts commit 9756fe38d10b2bf90c81dc4d2f17d5632e135364. The bogus lvds output is actually a lvds->hdmi bridge, which we don't really support. But unconditionally disabling it breaks some existing setups. Reported-by: John Tapsell References: http://permalink.gmane.org/gmane.comp.freedesktop.xorg.drivers.intel/17237 Signed-off-by: Daniel Vetter Cc: Luis Henriques Signed-off-by: Greg Kroah-Hartman commit 7d17dc4851ad423a848e716354c9499c537fcb5b Author: Chris Wilson Date: Thu Sep 27 21:25:58 2012 +0100 drm/i915: Flush the pending flips on the CRTC before modification commit 5bb61643f6a70d48de9cfe91ad0fee0d618b6816 upstream. This was meant to be the purpose of the intel_crtc_wait_for_pending_flips() function which is called whilst preparing the CRTC for a modeset or before disabling. However, as Ville Syrjala pointed out, we set the pending flip notification on the old framebuffer that is no longer attached to the CRTC by the time we come to flush the pending operations. Instead, we can simply wait on the pending unpin work to be finished on this CRTC, knowning that the hardware has therefore finished modifying the registers, before proceeding with our direct access. Fixes i-g-t/flip_test on non-pch platforms. pch platforms simply schedule the flip immediately when the pipe is disabled, leading to other funny issues. Signed-off-by: Chris Wilson [danvet: Added i-g-t note and cc: stable] Signed-off-by: Daniel Vetter Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit 1d35b4e271f56cad111b7150a1de57954e441765 Author: Daniel Vetter Date: Tue Oct 2 17:54:35 2012 +0200 drm/i915: call drm_handle_vblank before finish_page_flip commit 74d44445afb9f50126eba052adeb89827cee88f3 upstream. ... since finish_page_flip needs the vblank timestamp generated in drm_handle_vblank. Somehow all the gmch platforms get it right, but all the pch platform irq handlers get is wrong. Hooray for copy& pasting! Currently this gets papered over by a gross hack in finish_page_flip. A second patch will remove that. Note that without this, the new timestamp sanity checks in flip_test occasionally get tripped up, hence the cc: stable tag. Reviewed-by: mario.kleiner@tuebingen.mpg.de Tested-by: Imre Deak Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: no loop over pipes in ivybridge_irq_handler(), so make a similar change to that in ironlake_irq_handler()] Signed-off-by: Ben Hutchings Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit 77f0c3b4713f398e28461c7bfd5fe69126a6edf7 Author: Ben Widawsky Date: Wed Oct 3 19:34:24 2012 -0700 drm/i915: Fix GT_MODE default value commit f8f2ac9a76b0f80a6763ca316116a7bab8486997 upstream. I can't even find how I figured this might be needed anymore. But sure enough, the value I'm reading back on platforms doesn't match what the docs recommends. It seemed to fix Chris' GT1 in limited testing as well. Tested-by: Chris Wilson Signed-off-by: Ben Widawsky Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: open-code _MASKED_BIT_{ENABLE,DISABLE}] Signed-off-by: Ben Hutchings Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit 0907a85413bbf79fcdb40c1d984d805f5840cbf9 Author: Eugeni Dodonov Date: Mon Jun 18 19:03:38 2012 -0300 drm/i915: prevent possible pin leak on error path commit ab3951eb74e7c33a2f5b7b64d72e82f1eea61571 upstream. We should not hit this under any sane conditions, but still, this does not looks right. Reported-by: Herton Ronaldo Krzesinski CC: Chris Wilson CC: Daniel Vetter Reviewed-by: Chris Wlison Signed-off-by: Eugeni Dodonov Signed-off-by: Daniel Vetter Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit 755a4897be165bc3b705ee6f83bda2253528b196 Author: Chris Wilson Date: Sat Sep 15 09:41:57 2012 +0100 drm/i915: Reduce a pin-leak BUG into a WARN commit 7e81a42e341a4f15d76624b7c02ffb21b085b56f upstream. Pin-leaks persist and we get the perennial bug reports of machine lockups to the BUG_ON(pin_count==MAX). If we instead loudly report that the object cannot be pinned at that time it should prevent the driver from locking up, and hopefully restore a semblance of working whilst still leaving us a OOPS to debug. Signed-off-by: Chris Wilson Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit d1879e35935a07a67420fab66a02ae3b4148960f Author: Jani Nikula Date: Wed Aug 29 14:08:42 2012 +0300 drm/i915: only enable sdvo hotplug irq if needed commit fcbc50da7753b210b4442ca9abc4efbd4e481f6e upstream. Avoid constant wakeups caused by noisy irq lines when we don't even care about the irq. This should be particularly useful for i945g/gm where the hotplug has been disabled: commit 768b107e4b3be0acf6f58e914afe4f337c00932b Author: Daniel Vetter Date: Fri May 4 11:29:56 2012 +0200 drm/i915: disable sdvo hotplug on i945g/gm v2: While at it, remove the bogus hotplug_active read, and do not mask hotplug_active[0] before checking whether the irq is needed, per discussion with Daniel on IRC. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=38442 Tested-by: Dominik Köppl Signed-off-by: Jani Nikula Signed-off-by: Daniel Vetter Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit 90877b10fb58e3ffa5add2a040d0f10d8ac67535 Author: Alex Deucher Date: Mon Aug 6 17:06:03 2012 -0400 drm/radeon: fix ordering in pll picking on dce4+ commit ecd67955fd4c8e66e4df312098989d5fa7da624c upstream. No functional change, but re-order the cases so they evaluate properly due to the way the DCE macros work. Noticed by kallisti5 on IRC. Signed-off-by: Alex Deucher Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit df2a959c0e03e58f4efebbc49b6065014e3798e4 Author: Chris Wilson Date: Fri May 11 18:01:33 2012 +0100 drm/i915: SDVO hotplug have different interrupt status bits for i915/i965/g4x commit 084b612ecf8e59973576b2f644e6949609c79375 upstream. Note that gen3 is the only platform where we've got the bit definitions right, hence the workaround of disabling sdvo hotplug support on i945g/gm is not due to misdiagnosis of broken hotplug irq handling ... Signed-off-by: Chris Wilson [danvet: add some blurb about sdvo hotplug fail on i945g/gm I've wondered about while reviewing.] Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: - Adjust context - Handle all three cases in i915_driver_irq_postinstall() as there are not separate functions for gen3 and gen4+ - Carry on using IS_SDVOB() in intel_sdvo_init()] Signed-off-by: Ben Hutchings Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit 64d3c4a1eaca2134821407f7e4c3de9bf3d6aba9 Author: Paulo Zanoni Date: Mon May 28 16:43:00 2012 -0300 drm/i915: add some barriers when changing DIPs commit 9d9740f099f2eaf309c4c9cbc0d732507140db28 upstream. On IVB and older, we basically have two registers: the control and the data register. We write a few consecutitve times to the control register, and we need these writes to arrive exactly in the specified order. Also, when we're changing the data register, we need to guarantee that anything written to the control register already arrived (since changing the control register can change where the data register points to). Also, we need to make sure all the writes to the data register happen exactly in the specified order, and we also *can't* read the data register during this process, since reading and/or writing it will change the place it points to. So invoke the "better safe than sorry" rule and just be careful and put barriers everywhere :) On HSW we still have a control register that we write many times, but we have many data registers. Demanded-by: Chris Wilson Signed-off-by: Paulo Zanoni Signed-off-by: Daniel Vetter [bwh: Backported to 3.2: - There are only two write_infoframe functions to be modified - The other VIDEO_DIP_CTL writes are in entirely different functions] Signed-off-by: Ben Hutchings Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit 3eafd581892bca5588762bb30d797c74f0441fac Author: Alex Deucher Date: Tue Jul 17 14:02:43 2012 -0400 drm/radeon: fix up pll selection on DCE5/6 commit 26fe45a0a76f165425f332a5aaa298f149f9db22 upstream. Selecting ATOM_PPLL_INVALID should be equivalent as the DCPLL or PPLL0 are already programmed for the DISPCLK, but the preferred method is to always specify the PLL selected. SetPixelClock will check the parameters and skip the programming if the PLL is already set up. Signed-off-by: Alex Deucher Reviewed-by: Christian König Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit 1478f45496fca13f42fb7f940908b5cd3bee105c Author: Daniel Vetter Date: Fri Apr 13 15:51:51 2012 +0200 drm/i915: don't pwrite tiled objects through the gtt commit c07496fa61f4c5cb2addd1c57f6b22fcaeea2eeb upstream. ... we will botch up the bit17 swizzling. Furthermore tiled pwrite is a (now) unused slowpath, so no one really cares. This fixes the last swizzling issues I have with i-g-t on my bit17 swizzling i915G. No regression, it's been broken since the dawn of gem, but it's nice for regression tracking when really _all_ i-g-t tests work. Actually this is not true, Chris Wilson noticed while reviewing this patch that the commit commit d9e86c0ee60f323e890484628f351bf50fa9a15d Author: Chris Wilson Date: Wed Nov 10 16:40:20 2010 +0000 drm/i915: Pipelined fencing [infrastructure] contained a functional change that broke things. Reviewed-by: Chris Wilson Signed-Off-by: Daniel Vetter [jcristau: adjust context for 3.4] Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit b834417b9134b533c79a12ff134da40b982d6b2f Author: Chris Wilson Date: Tue Apr 17 10:05:38 2012 +0100 drm/i915: Wait for all pending operations to the fb before disabling the pipe commit 0f91128d88bbb8b0a8e7bb93df2c40680871d45a upstream. During modeset we have to disable the pipe to reconfigure its timings and maybe its size. Userspace may have queued up command buffers that depend upon the pipe running in a certain configuration and so the commands may become confused across the modeset. At the moment, we use a less than satisfactory kick-scanline-waits should the GPU hang during the modeset. It should be more reliable to wait for the pending operations to complete first, even though we still have a window for userspace to submit a broken command buffer during the modeset. Signed-off-by: Chris Wilson Signed-off-by: Daniel Vetter Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit 392dcfdce12ee18d511c74132704c8749b149141 Author: Sean Paul Date: Fri Mar 16 12:43:22 2012 -0400 drm/i915: Add wait_for in init_ring_common commit f01db988ef6f6c70a6cc36ee71e4a98a68901229 upstream. I have seen a number of "blt ring initialization failed" messages where the ctl or start registers are not the correct value. Upon further inspection, if the code just waited a little bit, it would read the correct value. Adding the wait_for to these reads should eliminate the issue. Signed-off-by: Sean Paul Reviewed-by: Ben Widawsky Signed-off-by: Daniel Vetter Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit feef244d1742de63b5a7292883276ee6e11a06c5 Author: Takashi Iwai Date: Tue Mar 20 13:07:05 2012 +0100 drm/i915: Check VBIOS value for determining LVDS dual channel mode, too commit b03543857fd75876b96e10d4320b775e95041bb7 upstream. Currently i915 driver checks [PCH_]LVDS register bits to decide whether to set up the dual-link or the single-link mode. This relies implicitly on that BIOS initializes the register properly at boot. However, BIOS doesn't initialize it always. When the machine is booted with the closed lid, BIOS skips the LVDS reg initialization. This ends up in blank output on a machine with a dual-link LVDS when you open the lid after the boot. This patch adds a workaround for that problem by checking the initial LVDS register value in VBT. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=37742 Tested-By: Paulo Zanoni Reviewed-by: Rodrigo Vivi Reviewed-by: Adam Jackson Signed-off-by: Takashi Iwai Signed-off-by: Daniel Vetter Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit 2406e63c32cf6bf83f7f188ba0cb96bfa94dc6ec Author: Daniel Vetter Date: Mon Jun 4 11:18:15 2012 +0200 drm/i915: hold forcewake around ring hw init commit b7884eb45ec98c0d34c7f49005ae9d4b4b4e38f6 upstream. Empirical evidence suggests that we need to: On at least one ivb machine when running the hangman i-g-t test, the rings don't properly initialize properly - the RING_START registers seems to be stuck at all zeros. Holding forcewake around this register init sequences makes chip reset reliable again. Note that this is not the first such issue: commit f01db988ef6f6c70a6cc36ee71e4a98a68901229 Author: Sean Paul Date: Fri Mar 16 12:43:22 2012 -0400 drm/i915: Add wait_for in init_ring_common added delay loops to make RING_START and RING_CTL initialization reliable on the blt ring at boot-up. So I guess it won't hurt if we do this unconditionally for all force_wake needing gpus. To avoid copy&pasting of the HAS_FORCE_WAKE check I've added a new intel_info bit for that. v2: Fixup missing commas in static struct and properly handling the error case in init_ring_common, both noticed by Jani Nikula. Reported-and-tested-by: Yang Guang Reviewed-by: Eugeni Dodonov Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=50522 Signed-Off-by: Daniel Vetter [bwh: Backported to 3.2: - drop changes to Haswell device information - NEEDS_FORCE_WAKE didn't refer to Valley View anyway] Signed-off-by: Ben Hutchings [jcristau: further context adjustments for 3.4] Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit e99e7f74856e4aaf57753b2698d590966fa4022a Author: Jesse Barnes Date: Thu Mar 22 14:38:43 2012 -0700 drm/i915: move NEEDS_FORCE_WAKE to i915_drv.c commit b7d84096d3c45f4e397e913da4ce24ec9a32022e upstream. It's only used by the main read/write functions, so we can keep it with them. Signed-off-by: Jesse Barnes Acked-by: Ben Widawsky Signed-off-by: Daniel Vetter Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit 6148d57ee89d8ad89cd28a6f5803330c8601dfa6 Author: Daniel Vetter Date: Wed May 23 14:02:00 2012 +0200 drm/i915: fix up ivb plane 3 pageflips commit cb05d8dedefa3066bf5d74ef88c6ca6cf4bd1c87 upstream. Or at least plug another gapping hole. Apparrently hw desingers only moved the bit field, but did not bother ot re-enumerate the planes when adding support for a 3rd pipe. Discovered by i-g-t/flip_test. This may or may not fix the reference bugzilla, because that one smells like we have still larger fish to fry. v2: Fixup the impossible case to catch programming errors, noticed by Chris Wilson. References: https://bugs.freedesktop.org/show_bug.cgi?id=50069 Acked-by: Chris Wilson Tested-by: Eugeni Dodonov Eugeni Dodonov Signed-Off-by: Daniel Vetter Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit 0ab9c5b5d2ffed9550ca2aae49ef39bfc61d2d0b Author: Chris Wilson Date: Tue Apr 17 19:35:53 2012 +0100 drm/i915: Unpin the flip target if we fail to queue the flip commit 83d4092b0381e5dd6f312b2ec57121dcf0fcbade upstream. Signed-off-by: Chris Wilson Cc: Jesse Barnes Signed-off-by: Daniel Vetter Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit fd5f25462460a68f73ff8f90ac08535b01830d9a Author: Adam Jackson Date: Wed May 23 16:26:54 2012 -0400 drm/edid/quirks: ViewSonic VA2026w commit bc42aabc6a01b92b0f961d65671564e0e1cd7592 upstream. Entirely new class of fail for this one. The detailed timings are for normal CVT but the monitor really wanted CVT-R. Bugzilla: http://bugzilla.redhat/com/516471 Signed-off-by: Adam Jackson Signed-off-by: Dave Airlie Signed-off-by: Julien Cristau Signed-off-by: Greg Kroah-Hartman commit 7d609c8d07b74c0a5ef7b903a9ae918d73a9a039 Author: Alexander Graf Date: Sat Oct 6 03:56:35 2012 +0200 KVM: PPC: 44x: fix DCR read/write commit e43a028752fed049e4bd94ef895542f96d79fa74 upstream. When remembering the direction of a DCR transaction, we should write to the same variable that we interpret on later when doing vcpu_run again. Signed-off-by: Alexander Graf Signed-off-by: CAI Qian Signed-off-by: Greg Kroah-Hartman commit eb52d3018cd126254c64241e64936a6cfc0a82eb Author: Daniel Vetter Date: Sat Dec 8 12:58:33 2012 +0100 drm/i915: disable cpt phase pointer fdi rx workaround commit 539526b4137bc0e7a8806c38c8522f226814a0e6 upstream. We've originally added this in commit 291427f5fdadec6e4be2924172e83588880e1539 Author: Jesse Barnes Date: Fri Jul 29 12:42:37 2011 -0700 drm/i915: apply phase pointer override on SNB+ too and then copy-pasted it over to ivb/ppt. The w/a was originally added for ilk/ibx in commit 5b2adf897146edeac6a1e438fb67b5a53dbbdf34 Author: Jesse Barnes Date: Thu Oct 7 16:01:15 2010 -0700 drm/i915: add Ironlake clock gating workaround for FDI link training and fixed up a bit in commit 6f06ce184c765fd8d50669a8d12fdd566c920859 Author: Jesse Barnes Date: Tue Jan 4 15:09:38 2011 -0800 drm/i915: set phase sync pointer override enable before setting phase sync pointer It turns out that this w/a isn't actually required on cpt/ppt and positively harmful on ivb/ppt when using fdi B/C links - it results in a black screen occasionally, with seemingfully everything working as it should. The only failure indication I've found in the hw is that eventually (but not right after the modeset completes) a pipe underrun is signalled. Big thanks to Arthur Runyan for all the ideas for registers to check and changes to test, otherwise I couldn't ever have tracked this down! Reviewed-by: Jesse Barnes Cc: "Runyan, Arthur J" Signed-off-by: Daniel Vetter Signed-off-by: CAI Qian Signed-off-by: Greg Kroah-Hartman commit 8b564a8e7334a2ce7a691ec7fe21195475ae999f Author: Benjamin Marzinski Date: Wed Nov 7 00:38:06 2012 -0600 GFS2: Test bufdata with buffer locked and gfs2_log_lock held commit 96e5d1d3adf56f1c7eeb07258f6a1a0a7ae9c489 upstream. In gfs2_trans_add_bh(), gfs2 was testing if a there was a bd attached to the buffer without having the gfs2_log_lock held. It was then assuming it would stay attached for the rest of the function. However, without either the log lock being held of the buffer locked, __gfs2_ail_flush() could detach bd at any time. This patch moves the locking before the test. If there isn't a bd already attached, gfs2 can safely allocate one and attach it before locking. There is no way that the newly allocated bd could be on the ail list, and thus no way for __gfs2_ail_flush() to detach it. Signed-off-by: Benjamin Marzinski Signed-off-by: Steven Whitehouse [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 74abeffd733e53f83e94fc0d90c0a105af7c58ae Author: Sarah Sharp Date: Mon Dec 17 14:12:35 2012 -0800 xhci: Handle HS bulk/ctrl endpoints that don't NAK. commit 55c1945edaac94c5338a3647bc2e85ff75d9cf36 upstream. A high speed control or bulk endpoint may have bInterval set to zero, which means it does not NAK. If bInterval is non-zero, it means the endpoint NAKs at a rate of 2^(bInterval - 1). The xHCI code to compute the NAK interval does not handle the special case of zero properly. The current code unconditionally subtracts one from bInterval and uses it as an exponent. This causes a very large bInterval to be used, and warning messages like these will be printed: usb 1-1: ep 0x1 - rounding interval to 32768 microframes, ep desc says 0 microframes This may cause the xHCI host hardware to reject the Configure Endpoint command, which means the HS device will be unusable under xHCI ports. This patch should be backported to kernels as old as 2.6.31, that contain commit dfa49c4ad120a784ef1ff0717168aa79f55a483a "USB: xhci - fix math in xhci_get_endpoint_interval()". Reported-by: Vincent Pelletier Suggested-by: Alan Stern Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 7dd830b8315230e29f958fd0e039e9eecad28c5d Author: Oliver Neukum Date: Thu Nov 29 15:05:57 2012 +0100 USB: hub: handle claim of enabled remote wakeup after reset commit 07e72b95f5038cc82304b9a4a2eb7f9fc391ea68 upstream. Some touchscreens have buggy firmware which claims remote wakeup to be enabled after a reset. They nevertheless crash if the feature is cleared by the host. Add a check for reset resume before checking for an enabled remote wakeup feature. On compliant devices the feature must be cleared after a reset anyway. Signed-off-by: Oliver Neukum Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 4ceac47e41f4d587fa71a26dc87335d639a32520 Author: Sarah Sharp Date: Tue Nov 27 12:30:23 2012 -0800 xhci: Avoid "dead ports", add roothub port polling. commit c52804a472649b2e5005342308739434cbd51119 upstream. The USB core hub thread (khubd) is designed with external USB hubs in mind. It expects that if a port status change bit is set, the hub will continue to send a notification through the hub status data transfer. Basically, it expects hub notifications to be level-triggered. The xHCI host controller is designed to be edge-triggered on the logical 'OR' of all the port status change bits. When all port status change bits are clear, and a new change bit is set, the xHC will generate a Port Status Change Event. If another change bit is set in the same port status register before the first bit is cleared, it will not send another event. This means that the hub code may lose port status changes because of race conditions between clearing change bits. The user sees this as a "dead port" that doesn't react to device connects. The fix is to turn on port polling whenever a new change bit is set. Once the USB core issues a hub status request that shows that no change bits are set in any USB ports, turn off port polling. We can't allow the USB core to poll the roothub for port events during host suspend because if the PCI host is in D3cold, the port registers will be all f's. Instead, stop the port polling timer, and unconditionally restart it when the host resumes. If there are no port change bits set after the resume, the first call to hub_status_data will disable polling. This patch should be backported to stable kernels with the first xHCI support, 2.6.31 and newer, that include the commit 0f2a79300a1471cf92ab43af165ea13555c8b0a5 "USB: xhci: Root hub support." There will be merge conflicts because the check for HC_STATE_SUSPENDED was moved into xhci_suspend in 3.8. Signed-off-by: Sarah Sharp Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 9dbcaec830cd97f44a0b91b315844e0d7144746b Author: Sarah Sharp Date: Wed Nov 14 17:58:04 2012 -0800 USB: Handle warm reset failure on empty port. commit 65bdac5effd15d6af619b3b7218627ef4d84ed6a upstream. An empty port can transition to either Inactive or Compliance Mode if a newly connected USB 3.0 device fails to link train. In that case, we issue a warm reset. Some devices, such as John's Roseweil eusb3 enclosure, slip back into Compliance Mode after the warm reset. The current warm reset code does not check for device connect status on warm reset completion, and it incorrectly reports the warm reset succeeded. This causes the USB core to attempt to send a Set Address control transfer to a port in Compliance Mode, which will always fail. Make hub_port_wait_reset check the current connect status and link state after the warm reset completes. Return a failure status if the device is disconnected or the link state is Compliance Mode or SS.Inactive. Make hub_events disable the port if warm reset fails. This will disable the port, and then bring it back into the RxDetect state. Make the USB core ignore the connect change until the device reconnects. Note that this patch does NOT handle connected devices slipping into the Inactive state very well. This is a concern, because devices can go into the Inactive state on U1/U2 exit failure. However, the fix for that case is too large for stable, so it will be submitted in a separate patch. This patch should be backported to kernels as old as 3.2, contain the commit ID 75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine warm reset logic" Signed-off-by: Sarah Sharp Acked-by: Alan Stern Reported-by: John Covici Signed-off-by: Greg Kroah-Hartman commit 870826a75318bfee80967140ce3eb6b55e1e9759 Author: Sarah Sharp Date: Thu Nov 15 14:58:04 2012 -0800 USB: Ignore port state until reset completes. commit 4f43447e62b37ee19c82a13f72f35b1ca60a74d3 upstream. The port reset code bails out early if the current connect status is cleared (device disconnected). If we're issuing a hot reset, it may also look at the link state before the reset is finished. Section 10.14.2.6 of the USB 3.0 spec says that when a port enters the Error state or Resetting state, the port connection bit retains the value from the previous state. Therefore we can't trust it until the reset finishes. Also, the xHCI spec section 4.19.1.2.5 says software shall ignore the link state while the port is resetting, as it can be in an unknown state. The port state during reset is also unknown for USB 2.0 hubs. The hub sends a reset signal by driving the bus into an SE0 state. This overwhelms the "connect" signal from the device, so the port can't tell whether anything is connected or not. Fix the port reset code to ignore the port link state and current connect bit until the reset finishes, and USB_PORT_STAT_RESET is cleared. Remove the check for USB_PORT_STAT_C_BH_RESET in the warm reset case, because it's redundant. When the warm reset finishes, the port reset bit will be cleared at the same time USB_PORT_STAT_C_BH_RESET is set. Remove the now-redundant check for a cleared USB_PORT_STAT_RESET bit in the code to deal with the finished reset. This patch should be backported to all stable kernels. Signed-off-by: Sarah Sharp Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 7bcaf3b265ae4d197d265916268bceed044d289c Author: Sarah Sharp Date: Wed Nov 14 17:16:52 2012 -0800 USB: Increase reset timeout. commit 77c7f072c87fa951e9a74805febf26466f31170c upstream. John's NEC 0.96 xHCI host controller needs a longer timeout for a warm reset to complete. The logs show it takes 650ms to complete the warm reset, so extend the hub reset timeout to 800ms to be on the safe side. This commit should be backported to kernels as old as 3.2, that contain the commit 75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine warm reset logic". Signed-off-by: Sarah Sharp Acked-by: Alan Stern Reported-by: John Covici Signed-off-by: Greg Kroah-Hartman commit a723a6cf79aa2e283d5134adf2787b8a35e0b8f3 Author: Sarah Sharp Date: Wed Nov 14 16:42:32 2012 -0800 USB: Allow USB 3.0 ports to be disabled. commit 41e7e056cdc662f704fa9262e5c6e213b4ab45dd upstream. If hot and warm reset fails, or a port remains in the Compliance Mode, the USB core needs to be able to disable a USB 3.0 port. Unlike USB 2.0 ports, once the port is placed into the Disabled link state, it will not report any new device connects. To get device connect notifications, we need to put the link into the Disabled state, and then the RxDetect state. The xHCI driver needs to atomically clear all change bits on USB 3.0 port disable, so that we get Port Status Change Events for future port changes. We could technically do this in the USB core instead of in the xHCI roothub code, since the port state machine can't advance out of the disabled state until we set the link state to RxDetect. However, external USB 3.0 hubs don't need this code. They are level-triggered, not edge-triggered like xHCI, so they will continue to send interrupt events when any change bit is set. Therefore it doesn't make sense to put this code in the USB core. This patch is part of a series to fix several reports of infinite loops on device enumeration failure. This includes John, when he boots with a USB 3.0 device (Roseweil eusb3 enclosure) attached to his NEC 0.96 host controller. The fix requires warm reset support, so it does not make sense to backport this patch to stable kernels without warm reset support. This patch should be backported to kernels as old as 3.2, contain the commit ID 75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine warm reset logic" Signed-off-by: Sarah Sharp Acked-by: Alan Stern Reported-by: John Covici Signed-off-by: Greg Kroah-Hartman commit 36f037316ff169ca111917d6b1d2546d243a2f78 Author: Sarah Sharp Date: Wed Nov 14 16:10:49 2012 -0800 USB: Ignore xHCI Reset Device status. commit 8b8132bc3d1cc3d4c0687e4d638a482fa920d98a upstream. When the USB core finishes reseting a USB device, the xHCI driver sends a Reset Device command to the host. The xHC then updates its internal representation of the USB device to the 'Default' device state. If the device was already in the Default state, the xHC will complete the command with an error status. If a device needs to be reset several times during enumeration, the second reset will always fail because of the xHCI Reset Device command. This can cause issues during enumeration. For example, usb_reset_and_verify_device calls into hub_port_init in a loop. Say that on the first call into hub_port_init, the device is successfully reset, but doesn't respond to several set address control transfers. Then the port will be disabled, but the udev will remain in tact. usb_reset_and_verify_device will call into hub_port_init again. On the second call into hub_port_init, the device will be reset, and the xHCI driver will issue a Reset Device command. This command will fail (because the device is already in the Default state), and usb_reset_and_verify_device will fail. The port will be disabled, and the device won't be able to enumerate. Fix this by ignoring the return value of the HCD reset_device callback. This commit should be backported to kernels as old as 3.2, that contain the commit 75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine warm reset logic". Signed-off-by: Sarah Sharp Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 98e5587b9abe155e356d9eef3be6b1472c508c96 Author: Sarah Sharp Date: Wed Nov 14 15:58:52 2012 -0800 USB: Handle auto-transition from hot to warm reset. commit 1c7439c61fa6516419c32a9824976334ea969d47 upstream. USB 3.0 hubs and roothubs will automatically transition a failed hot reset to a warm (BH) reset. In that case, the warm reset change bit will be set, and the link state change bit may also be set. Change hub_port_finish_reset to unconditionally clear those change bits for USB 3.0 hubs. If these bits are not cleared, we may lose port change events from the roothub. This commit should be backported to kernels as old as 3.2, that contain the commit 75d7cf72ab9fa01dc70877aa5c68e8ef477229dc "usbcore: refine warm reset logic". Signed-off-by: Sarah Sharp Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit e5583b77083d74c988dfd8572cd8f7d246bf63ac Author: Marcin Slusarz Date: Tue Dec 18 20:30:47 2012 +0100 drm/nouveau: fix blank LVDS screen regression on pre-nv50 cards commit 92441b2263866c27ef48137be5aa6c8c692652fc upstream. Commit 2a44e499 ("drm/nouveau/disp: introduce proper init/fini, separate from create/destroy") started to call display init routines on pre-nv50 hardware on module load. But LVDS init code sets driver state in a way which prevents modesetting code from operating properly. nv04_display_init calls nv04_dfp_restore, which sets encoder->last_dpms to NV_DPMS_CLEARED. drm_crtc_helper_set_mode nv04_dfp_prepare nv04_lvds_dpms(DRM_MODE_DPMS_OFF) nv04_lvds_dpms checks last_dpms mode (which is NV_DPMS_CLEARED) and wrongly assumes it's a "powersaving mode", the new one (DRM_MODE_DPMS_OFF) is too, so it skips calling some crucial lvds scripts. Reported-by: Chris Paulson-Ellis Signed-off-by: Marcin Slusarz Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit 1353cac7123b29dc169e775a7f3cf20929d0ef72 Author: Sergei Shtylyov Date: Wed Nov 14 18:49:50 2012 +0300 usb: musb: core: print new line in the driver banner again commit 2ac788f705e5118dd45204e7a5bc8d5bb6873835 upstream. Commit 5c8a86e10a7c164f44537fabdc169fd8b4e7a440 (usb: musb: drop unneeded musb_debug trickery) erroneously removed '\n' from the driver's banner. Concatenate all the banner substrings while adding it back... Signed-off-by: Sergei Shtylyov Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 98bea5234411352182c84918640629fe05bf64b5 Author: Sebastian Andrzej Siewior Date: Tue Nov 20 13:23:15 2012 +0100 usb: gadget: dummy: fix enumeration with g_multi commit 1d16638e3b9cc195bac18a8fcbca748f33c1bc24 upstream. If we do have endpoints named like "ep-a" then bEndpointAddress is counted internally by the gadget framework. If we do have endpoints named like "ep-1" then bEndpointAddress is assigned from the digit after "ep-". If we do have both, then it is likely that after we used up the "generic" endpoints we will use the digits and thus assign one bEndpointAddress to multiple endpoints. This theory can be proofed by using the completely enabled g_multi. Without this patch, the mass storage won't enumerate and times out because it shares endpoints with RNDIS. This patch also adds fills up the endpoints list so we have in total endpoints 1 to 15 in + out available while some of them are restricted to certain types like BULK or ISO. Without this change the nokia gadget won't load because the system does not provide enough (BULK) endpoints but it did before ep-a - ep-f were removed. Signed-off-by: Sebastian Andrzej Siewior Acked-by: Alan Stern Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit b756d75a459f351e43d1d71295d5f6b94ec811c3 Author: Denis N Ladin Date: Wed Dec 26 18:29:44 2012 +0500 USB: cdc-acm: Add support for "PSC Scanning, Magellan 800i" commit 036915a7a402753c05b8d0529f5fd08805ab46d0 upstream. Adding support "PSC Scanning, Magellan 800i" in cdc-acm Very simple, but very necessary. Suitable for all versions of the kernel > 2.6 Signed-off-by: Denis N Ladin Acked-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 91d816cd00e5de594a1ec62893edbd9b84c5c252 Author: Tomasz Mloduchowski Date: Sun Jan 13 23:32:53 2013 +0100 usb: ftdi_sio: Crucible Technologies COMET Caller ID - pid added commit 8cf65dc386f3634a43312f436cc7a935476a40c4 upstream. Simple fix to add support for Crucible Technologies COMET Caller ID USB decoder - a device containing FTDI USB/Serial converter chip, handling 1200bps CallerID messages decoded from the phone line - adding correct USB PID is sufficient. Tested to apply cleanly and work flawlessly against 3.6.9, 3.7.0-rc8 and 3.8.0-rc3 on both amd64 and x86 arches. Signed-off-by: Tomasz Mloduchowski Signed-off-by: Greg Kroah-Hartman commit 1aaa39456c16f3f290811312d2ac81c0bdfdd1d8 Author: Bjørn Mork Date: Fri Dec 28 17:29:52 2012 +0100 USB: option: add Telekom Speedstick LTE II commit 5ec0085440ef8c2cf50002b34d5a504ee12aa2bf upstream. also known as Alcatel One Touch L100V LTE The driver description files gives these names to the vendor specific functions on this modem: Application1: VID_1BBB&PID_011E&MI_00 Application2: VID_1BBB&PID_011E&MI_01 Modem: VID_1BBB&PID_011E&MI_03 Ethernet: VID_1BBB&PID_011E&MI_04 Reported-by: Thomas Schäfer Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman commit 719d0cdd2c42bf0d272d285e89cb9ad4d2d01728 Author: Quentin.Li Date: Wed Dec 26 16:58:22 2012 +0800 USB: option: Add new MEDIATEK PID support commit 94a85b633829b946eef53fc1825d526312fb856f upstream. In option.c, add some new MEDIATEK PIDs support for MEDIATEK new products. This is a MEDIATEK inc. release patch. Signed-off-by: Quentin.Li Signed-off-by: Greg Kroah-Hartman commit b80a67da576ee645568ecc1305743662809090d4 Author: Bjørn Mork Date: Wed Dec 19 15:15:17 2012 +0100 USB: option: blacklist network interface on ZTE MF880 commit fab38246f318edcd0dcb8fd3852a47cf8938878a upstream. The driver description files gives these names to the vendor specific functions on this modem: diag: VID_19D2&PID_0284&MI_00 nmea: VID_19D2&PID_0284&MI_01 at: VID_19D2&PID_0284&MI_02 mdm: VID_19D2&PID_0284&MI_03 net: VID_19D2&PID_0284&MI_04 Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman commit d6e362f53991a42b64b5fac902274b328d817e47 Author: Dzianis Kahanovich Date: Mon Dec 3 16:06:26 2012 +0300 USB: option: add Nexpring NP10T terminal id commit ad86e58661b38b279b7519d4e49c7a19dc1654bb upstream. Hyundai Petatel Inc. Nexpring NP10T terminal (EV-DO rev.A USB modem) ID Signed-off-by: Denis Kaganovich Signed-off-by: Greg Kroah-Hartman commit 16fc9b0aa12763fb66e1bd702714c7e3da38cd0f Author: Larry Finger Date: Thu Dec 20 15:55:01 2012 -0600 b43: Fix firmware loading when driver is built into the kernel commit 5e20a4b53094651d80f856ff55a916b999dbb57a upstream. Recent versions of udev cause synchronous firmware loading from the probe routine to fail because the request to user space would time out. The original fix for b43 (commit 6b6fa58) moved the firmware load from the probe routine to a work queue, but it still used synchronous firmware loading. This method is OK when b43 is built as a module; however, it fails when the driver is compiled into the kernel. This version changes the code to load the initial firmware file using request_firmware_nowait(). A completion event is used to hold the work queue until that file is available. This driver reads several firmware files - the remainder can be read synchronously. On some test systems, the async read fails; however, a following synch read works, thus the async failure falls through to the sync try. Reported-and-Tested by: Felix Janda Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 99dd9a98065129261e24ad44f41b26e3a841f654 Author: Bing Zhao Date: Wed Jan 2 16:07:35 2013 -0800 mwifiex: check wait_event_interruptible return value commit 9c969d8ccb1e17bd20742f4ac9f00c1a64487234 upstream. wait_event_interruptible function returns -ERESTARTSYS if it's interrupted by a signal. Driver should check the return value and handle this case properly. In mwifiex_wait_queue_complete() routine, as we are now checking wait_event_interruptible return value, the condition check is not required. Also, we have removed mwifiex_cancel_pending_ioctl() call to avoid a chance of sending second command to FW by other path as soon as we clear current command node. FW can not handle two commands simultaneously. Signed-off-by: Bing Zhao Signed-off-by: Amitkumar Karwar Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 848842e67d24fed13a2aece3d03e235267e5a3a6 Author: Johannes Berg Date: Thu Dec 13 23:08:52 2012 +0100 mac80211: use del_timer_sync for final sta cleanup timer deletion commit a56f992cdabc63f56b4b142885deebebf936ff76 upstream. This is a very old bug, but there's nothing that prevents the timer from running while the module is being removed when we only do del_timer() instead of del_timer_sync(). The timer should normally not be running at this point, but it's not clearly impossible (or we could just remove this.) Tested-by: Ben Greear Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 5ca99e71a9a6cf33a217690f5d87bc0129d1effd Author: Stanislaw Gruszka Date: Tue Dec 11 10:48:23 2012 +0100 mac80211: fix ibss scanning commit 34bcf71502413f8903ade93746f2d0f04b937a78 upstream. Do not scan on no-IBSS and disabled channels in IBSS mode. Doing this can trigger Microcode errors on iwlwifi and iwlegacy drivers. Also rename ieee80211_request_internal_scan() function since it is only used in IBSS mode and simplify calling it from ieee80211_sta_find_ibss(). This patch should address: https://bugzilla.redhat.com/show_bug.cgi?id=883414 https://bugzilla.kernel.org/show_bug.cgi?id=49411 Reported-by: Jesse Kahtava Reported-by: Mikko Rapeli Signed-off-by: Stanislaw Gruszka Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 4a3b5681d6b64611375903695481641debd1c308 Author: Jerome Glisse Date: Tue Jan 8 18:41:01 2013 -0500 radeon/kms: force rn50 chip to always report connected on analog output commit 51861d4eebc2ddc25c77084343d060fa79f6e291 upstream. Those rn50 chip are often connected to console remoting hw and load detection often fails with those. Just don't try to load detect and report connect. Signed-off-by: Jerome Glisse Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 95afecc15423d5ceaeaf26b943cb8891f9e36e26 Author: Samuel Thibault Date: Mon Jan 7 22:03:51 2013 +0100 staging: speakup: avoid out-of-range access in synth_add() commit 6102c48bd421074a33e102f2ebda3724e8d275f9 upstream. Check that array index is in-bounds before accessing the synths[] array. Signed-off-by: Samuel Thibault Cc: Nickolai Zeldovich Signed-off-by: Greg Kroah-Hartman commit 16557f3521d980a2b88c53f9cf3c7d36fbb308a5 Author: Nickolai Zeldovich Date: Sat Jan 5 14:17:45 2013 -0500 staging: speakup: avoid out-of-range access in synth_init() commit ae428655b826f2755a8101b27beda42a275ef8ad upstream. Check that array index is in-bounds before accessing the synths[] array. Signed-off-by: Nickolai Zeldovich Cc: Samuel Thibault Signed-off-by: Greg Kroah-Hartman commit bef86636513cdbdbdd8eeb53ad4403a3e71e5e94 Author: Larry Finger Date: Sat Dec 29 11:36:53 2012 -0600 staging: r8712u: Add new device ID commit da849a92d3bafaf24d770e971c2c9e5c3f60b5d1 upstream. The ISY IWL 1000 USB WLAN stick with USB ID 050d:11f1 is a clone of the Belkin F7D1101 V1 device. Reported-by: Thomas Hartmann Signed-off-by: Larry Finger Cc: Thomas Hartmann Signed-off-by: Greg Kroah-Hartman commit 9a194265172c86fa49299c9fcce7fe9590d66220 Author: Ian Abbott Date: Fri Jan 4 11:33:21 2013 +0000 staging: comedi: comedi_test: fix race when cancelling command commit c0729eeefdcd76db338f635162bf0739fd2c5f6f upstream. Éric Piel reported a kernel oops in the "comedi_test" module. It was a NULL pointer dereference within `waveform_ai_interrupt()` (actually a timer function) that sometimes occurred when a running asynchronous command is cancelled (either by the `COMEDI_CANCEL` ioctl or by closing the device file). This seems to be a race between the caller of `waveform_ai_cancel()` which on return from that function goes and tears down the running command, and the timer function which uses the command. In particular, `async->cmd.chanlist` gets freed (and the pointer set to NULL) by `do_become_nonbusy()` in "comedi_fops.c" but a previously scheduled `waveform_ai_interrupt()` timer function will dereference that pointer regardless, leading to the oops. Fix it by replacing the `del_timer()` call in `waveform_ai_cancel()` with `del_timer_sync()`. Signed-off-by: Ian Abbott Reported-by: Éric Piel Signed-off-by: Greg Kroah-Hartman commit a72725d609f46f4099fb2f4bbfb128d2ce84074e Author: Éric Piel Date: Wed Dec 19 13:03:13 2012 +0100 staging: comedi: fix minimum AO period for NI 625x and NI 628x commit 34b55d8c48f4f76044d8f4d6ec3dc786cf210312 upstream. The minimum period was set to 357 ns, while the divider for these boards is 50 ns. This prevented to output at maximum speed as ni_ao_cmdtest() would return 357 but would not accept it. Not sure why it was set to 357 ns (this was done before the git history, which starts 5 years ago). My guess is that it comes from reading the specification stating a 2.8 MHz rate (~ 357 ns). The latest specification states a 2.86 MHz rate (~ 350 ns), which makes a lot more sense. Tested on a pci-6251. Signed-off-by: Éric Piel Acked-By: Ian Abbott Signed-off-by: Greg Kroah-Hartman commit e7b67acb37508a8a173038a928816d9e826b6363 Author: Ian Abbott Date: Tue Dec 4 15:59:55 2012 +0000 staging: comedi: prevent auto-unconfig of manually configured devices commit 7d3135af399e92cf4c9bbc5f86b6c140aab3b88c upstream. When a low-level comedi driver auto-configures a device, a `struct comedi_dev_file_info` is allocated (as well as a `struct comedi_device`) by `comedi_alloc_board_minor()`. A pointer to the hardware `struct device` is stored as a cookie in the `struct comedi_dev_file_info`. When the low-level comedi driver auto-unconfigures the device, `comedi_auto_unconfig()` uses the cookie to find the `struct comedi_dev_file_info` so it can detach the comedi device from the driver, clean it up and free it. A problem arises if the user manually unconfigures and reconfigures the comedi device using the `COMEDI_DEVCONFIG` ioctl so that is no longer associated with the original hardware device. The problem is that the cookie is not cleared, so that a call to `comedi_auto_unconfig()` from the low-level driver will still find it, detach it, clean it up and free it. Stop this problem occurring by always clearing the `hardware_device` cookie in the `struct comedi_dev_file_info` whenever the `COMEDI_DEVCONFIG` ioctl call is successful. Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman commit 1d757c9abbfb218c89d6b0586ff89b4032a3601d Author: Mike Dunn Date: Mon Jan 7 13:55:13 2013 -0800 ALSA: pxa27x: fix ac97 warm reset commit 3b4bc7bccc7857274705b05cf81a0c72cfd0b0dd upstream. This patch fixes some code that implements a work-around to a hardware bug in the ac97 controller on the pxa27x. A bug in the controller's warm reset functionality requires that the mfp used by the controller as the AC97_nRESET line be temporarily reconfigured as a generic output gpio (AF0) and manually held high for the duration of the warm reset cycle. This is what was done in the original code, but it was broken long ago by commit fb1bf8cd ([ARM] pxa: introduce processor specific pxa27x_assert_ac97reset()) which changed the mfp to a GPIO input instead of a high output. The fix requires the ac97 controller to obtain the gpio via gpio_request_one(), with arguments that configure the gpio as an output initially driven high. Tested on a palm treo 680 machine. Reportedly, this broken code only prevents a warm reset on hardware that lacks a pull-up on the line, which appears to be the case for me. Signed-off-by: Mike Dunn Signed-off-by: Igor Grinberg Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit b66c35dd91a7476f42134fb44250d24f68181c7b Author: Mike Dunn Date: Mon Jan 7 13:55:12 2013 -0800 ALSA: pxa27x: fix ac97 cold reset commit 41b645c8624df6ace020a8863ad1449d69140f7d upstream. Cold reset on the pxa27x currently fails and pxa2xx_ac97_try_cold_reset: cold reset timeout (GSR=0x44) appears in the kernel log. Through trial-and-error (the pxa270 developer's manual is mostly incoherent on the topic of ac97 reset), I got cold reset to complete by setting the WARM_RST bit in the GCR register (and later noticed that pxa3xx does this for cold reset as well). Also, a timeout loop is needed to wait for the reset to complete. Tested on a palm treo 680 machine. Signed-off-by: Mike Dunn Acked-by: Igor Grinberg Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit f9df20c6468862772f8f63b72b021f62a492548f Author: Hans de Goede Date: Fri Jan 11 12:08:58 2013 +0100 udldrmfb: udl_get_edid: drop unneeded i-- commit 7b4cf994e4c6ba48872bb25253cc393b7fb74c82 upstream. This is a left-over from when udl_get_edid returned the amount of bytes successfully read, which it no longer does. Signed-off-by: Hans de Goede Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit b756902ec26992d285937d1b706fc50c9743903d Author: Hans de Goede Date: Fri Jan 11 12:08:57 2013 +0100 udldrmfb: udl_get_edid: usb_control_msg buffer must not be on the stack commit 242187b362555849e8c971dfbbfd55f8bd9fa717 upstream. The buffer passed to usb_control_msg may end up in scatter-gather list, and may thus not be on the stack. Having it on the stack usually works on x86, but not on other archs. Signed-off-by: Hans de Goede Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit c876baa8a8eda4a9ffcc6bdc144bb9d0fc3397a0 Author: Hans de Goede Date: Fri Jan 11 12:08:56 2013 +0100 udldrmfb: Fix EDID not working with monitors with EDID extension blocks commit c930812fe5ebe725760422c9c351d1f6fde1502d upstream. udldrmfb only reads the main EDID block, and if that advertises extensions the drm_edid code expects them to be present, and starts reading beyond the buffer udldrmfb passes it. Although it may be possible to read more EDID info with the udl we simpy don't know how, and even if trial and error gets it working on one device, that is no guarantee it will work on other revisions. So this patch does a simple fix in the form of patching the EDID info to report 0 extension blocks, this fixes udldrmfb only doing 1024x768 on monitors with EDID extension blocks. Signed-off-by: Hans de Goede Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit d6ec6c9385c874cc8bdeba4346cf6275a6c811ca Author: Mark Brown Date: Fri Jan 4 21:06:08 2013 +0000 ASoC: wm5100: Remove DSP B and left justified formats commit 5f960294e2031d12f10c8488c3446fecbf59628d upstream. These are not supported Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 6d445a511e85a702a63197a2034c21c1461a1212 Author: Mark Brown Date: Fri Jan 4 10:48:10 2013 +0000 ASoC: wm2200: Remove DSP B and left justified AIF modes commit 0cc411b934c4317b363d1af993549f391852b980 upstream. These are not supported. Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit bc85643d2ff065c0303a1a0edfd748da4805295e Author: Axel Lin Date: Fri Dec 21 16:28:37 2012 +0800 ASoC: wm2200: Fix setting dai format in wm2200_set_fmt commit 2a5f431592343b78896013b055582f94c12a5049 upstream. According to the defines in wm2200.h: /* * R1284 (0x504) - Audio IF 1_5 */ We should not left shift 1 bit for fmt_val when setting dai format. Signed-off-by: Axel Lin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 4548554e7ca5192d5905a11219afb7de439b17d8 Author: Mark Brown Date: Fri Jan 4 21:18:12 2013 +0000 ASoC: wm2000: Fix sense of speech clarity enable commit 267f8fa2e1eef0612b2007e1f1846bcbc35cc1fa upstream. Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 48f678d27107d31f2ec9ac9c6230883dfaebccb1 Author: Marek Vasut Date: Sat Nov 24 06:15:57 2012 +0100 HID: add quirk for Freescale i.MX23 ROM recovery commit 436136cec650d661eb662fcb508a99878606d050 upstream. The USB recovery mode present in i.MX23 ROM emulates USB HID. It needs this quirk to behave properly. Even if the official branding of the chip is Freescale i.MX23, I named it Sigmatel STMP3780 since that's what the chip really is and it even reports itself as STMP3780. Signed-off-by: Marek Vasut Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit cbedcb6121561ec79d4cda359e834ca6229786a8 Author: Eric Wong Date: Tue Jan 1 21:20:27 2013 +0000 epoll: prevent missed events on EPOLL_CTL_MOD commit 128dd1759d96ad36c379240f8b9463e8acfd37a1 upstream. EPOLL_CTL_MOD sets the interest mask before calling f_op->poll() to ensure events are not missed. Since the modifications to the interest mask are not protected by the same lock as ep_poll_callback, we need to ensure the change is visible to other CPUs calling ep_poll_callback. We also need to ensure f_op->poll() has an up-to-date view of past events which occured before we modified the interest mask. So this barrier also pairs with the barrier in wq_has_sleeper(). This should guarantee either ep_poll_callback or f_op->poll() (or both) will notice the readiness of a recently-ready/modified item. This issue was encountered by Andreas Voellmy and Junchang(Jason) Wang in: http://thread.gmane.org/gmane.linux.kernel/1408782/ Signed-off-by: Eric Wong Cc: Hans Verkuil Cc: Jiri Olsa Cc: Jonathan Corbet Cc: Al Viro Cc: Davide Libenzi Cc: Hans de Goede Cc: Mauro Carvalho Chehab Cc: David Miller Cc: Eric Dumazet Cc: Andrew Morton Cc: Andreas Voellmy Tested-by: "Junchang(Jason) Wang" Cc: netdev@vger.kernel.org Cc: linux-fsdevel@vger.kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ba1de754297ed6756f0a6281f3e41a0ef9ff0d77 Author: Mark Brown Date: Tue Dec 11 01:14:11 2012 +0900 regmap: debugfs: Avoid overflows for very small reads commit db04328c167ff8e7c57f4a3532214aeada3a82fd upstream. If count is less than the size of a register then we may hit integer wraparound when trying to move backwards to check if we're still in the buffer. Instead move the position forwards to check if it's still in the buffer, we are unlikely to be able to allocate a buffer sufficiently big to overflow here. Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit dc4a02c677c9667dcd7d118cee09a99ede9c64f4 Author: Zhang Rui Date: Tue Dec 4 23:23:16 2012 +0100 ACPI : do not use Lid and Sleep button for S5 wakeup commit b7e383046c2c7c13ad928cd7407eafff758ddd4b upstream. When system enters power off, the _PSW of Lid device is enabled. But this may cause the system to reboot instead of power off. A proper way to fix this is to always disable lid wakeup capability for S5. References: https://bugzilla.kernel.org/show_bug.cgi?id=35262 Signed-off-by: Zhang Rui Signed-off-by: Rafael J. Wysocki Cc: Joseph Salisbury Signed-off-by: Greg Kroah-Hartman commit a0f8b51494051c7bf5d994ac33d2b8ce7c0d5867 Author: Andre Przywara Date: Wed Oct 31 17:20:50 2012 +0100 x86, amd: Disable way access filter on Piledriver CPUs commit 2bbf0a1427c377350f001fbc6260995334739ad7 upstream. The Way Access Filter in recent AMD CPUs may hurt the performance of some workloads, caused by aliasing issues in the L1 cache. This patch disables it on the affected CPUs. The issue is similar to that one of last year: http://lkml.indiana.edu/hypermail/linux/kernel/1107.3/00041.html This new patch does not replace the old one, we just need another quirk for newer CPUs. The performance penalty without the patch depends on the circumstances, but is a bit less than the last year's 3%. The workloads affected would be those that access code from the same physical page under different virtual addresses, so different processes using the same libraries with ASLR or multiple instances of PIE-binaries. The code needs to be accessed simultaneously from both cores of the same compute unit. More details can be found here: http://developer.amd.com/Assets/SharedL1InstructionCacheonAMD15hCPU.pdf CPUs affected are anything with the core known as Piledriver. That includes the new parts of the AMD A-Series (aka Trinity) and the just released new CPUs of the FX-Series (aka Vishera). The model numbering is a bit odd here: FX CPUs have model 2, A-Series has model 10h, with possible extensions to 1Fh. Hence the range of model ids. Signed-off-by: Andre Przywara Link: http://lkml.kernel.org/r/1351700450-9277-1-git-send-email-osp@andrep.de Signed-off-by: H. Peter Anvin Signed-off-by: CAI Qian Signed-off-by: Greg Kroah-Hartman commit 9035b20988416173a48ad2f00190846faf15ccb7 Author: David Rientjes Date: Tue May 29 15:06:23 2012 -0700 thp, memcg: split hugepage for memcg oom on cow commit 1f1d06c34f7675026326cd9f39ff91e4555cf355 upstream. On COW, a new hugepage is allocated and charged to the memcg. If the system is oom or the charge to the memcg fails, however, the fault handler will return VM_FAULT_OOM which results in an oom kill. Instead, it's possible to fallback to splitting the hugepage so that the COW results only in an order-0 page being allocated and charged to the memcg which has a higher liklihood to succeed. This is expensive because the hugepage must be split in the page fault handler, but it is much better than unnecessarily oom killing a process. Signed-off-by: David Rientjes Cc: Andrea Arcangeli Cc: Johannes Weiner Acked-by: KAMEZAWA Hiroyuki Cc: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4faf067ae71be3d652e09c3119ce8125498cdf64 Author: Namjae Jeon Date: Wed Oct 10 00:09:12 2012 +0900 udf: don't increment lenExtents while writing to a hole commit fb719c59bdb4fca86ee1fd1f42ab3735ca12b6b2 upstream. Incrementing lenExtents even while writing to a hole is bad for performance as calls to udf_discard_prealloc and udf_truncate_tail_extent would not return from start if isize != lenExtents Signed-off-by: Namjae Jeon Signed-off-by: Ashish Sangwan Signed-off-by: Jan Kara Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman commit 8d00c77065819b747c6fc0b56234afea72f17332 Author: Namjae Jeon Date: Wed Oct 10 00:08:56 2012 +0900 udf: fix memory leak while allocating blocks during write commit 2fb7d99d0de3fd8ae869f35ab682581d8455887a upstream. Need to brelse the buffer_head stored in cur_epos and next_epos. Signed-off-by: Namjae Jeon Signed-off-by: Ashish Sangwan Signed-off-by: Jan Kara Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman commit a0e0e463b14280c8b5cb26114ac321d69c6f2aa5 Author: Ed Cashin Date: Sat Jan 12 06:43:35 2013 -0500 aoe: do not call bdi_init after blk_alloc_queue commit 0a41409c518083133e79015092585d68915865be upstream, but doesn't apply, so this version is different for older kernels than 3.7.x blk_alloc_queue has already done a bdi_init, so do not bdi_init again in aoeblk_gdalloc. The extra call causes list corruption in the per-CPU backing dev info stats lists. Affected users see console WARNINGs about list_del corruption on percpu_counter_destroy when doing "rmmod aoe" or "aoeflush -a" when AoE targets have been detected and initialized by the system. The patch below applies to v3.6.11, with its v47 aoe driver. It is expected to apply to all currently maintained stable kernels except 3.7.y. A related but different fix has been posted for 3.7.y. References: RedHat bugzilla ticket with original report https://bugzilla.redhat.com/show_bug.cgi?id=853064 LKML discussion of bug and fix http://thread.gmane.org/gmane.linux.kernel/1416336/focus=1416497 Reported-by: Josh Boyer Signed-off-by: Ed Cashin Signed-off-by: Greg Kroah-Hartman commit ed8e1a67302762d7a1e56e52ea00dc4a36c6cbf5 Author: Theodore Ts'o Date: Thu Dec 27 01:42:48 2012 -0500 ext4: lock i_mutex when truncating orphan inodes commit 721e3eba21e43532e438652dd8f1fcdfce3187e7 upstream. Commit c278531d39 added a warning when ext4_flush_unwritten_io() is called without i_mutex being taken. It had previously not been taken during orphan cleanup since races weren't possible at that point in the mount process, but as a result of this c278531d39, we will now see a kernel WARN_ON in this case. Take the i_mutex in ext4_orphan_cleanup() to suppress this warning. Reported-by: Alexander Beregalov Signed-off-by: "Theodore Ts'o" Reviewed-by: Zheng Liu Signed-off-by: Greg Kroah-Hartman commit bd06aeb0ff9b22598851276403a1e90f0b4c2d38 Author: Michael Tokarev Date: Tue Dec 25 14:08:16 2012 -0500 ext4: do not try to write superblock on ro remount w/o journal commit d096ad0f79a782935d2e06ae8fb235e8c5397775 upstream. When a journal-less ext4 filesystem is mounted on a read-only block device (blockdev --setro will do), each remount (for other, unrelated, flags, like suid=>nosuid etc) results in a series of scary messages from kernel telling about I/O errors on the device. This is becauese of the following code ext4_remount(): if (sbi->s_journal == NULL) ext4_commit_super(sb, 1); at the end of remount procedure, which forces writing (flushing) of a superblock regardless whenever it is dirty or not, if the filesystem is readonly or not, and whenever the device itself is readonly or not. We only need call ext4_commit_super when the file system had been previously mounted read/write. Thanks to Eric Sandeen for help in diagnosing this issue. Signed-off-By: Michael Tokarev Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit b5f0e251211531180989a32ba598968104562c84 Author: Jan Kara Date: Fri Dec 21 00:15:51 2012 -0500 jbd2: fix assertion failure in jbd2_journal_flush() commit d7961c7fa4d2e3c3f12be67e21ba8799b5a7238a upstream. The following race is possible between start_this_handle() and someone calling jbd2_journal_flush(). Process A Process B start_this_handle(). if (journal->j_barrier_count) # false if (!journal->j_running_transaction) { #true read_unlock(&journal->j_state_lock); jbd2_journal_lock_updates() jbd2_journal_flush() write_lock(&journal->j_state_lock); if (journal->j_running_transaction) { # false ... wait for committing trans ... write_unlock(&journal->j_state_lock); ... write_lock(&journal->j_state_lock); if (!journal->j_running_transaction) { # true jbd2_get_transaction(journal, new_transaction); write_unlock(&journal->j_state_lock); goto repeat; # eventually blocks on j_barrier_count > 0 ... J_ASSERT(!journal->j_running_transaction); # fails We fix the race by rechecking j_barrier_count after reacquiring j_state_lock in exclusive mode. Reported-by: yjwsignal@empal.com Signed-off-by: Jan Kara Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit e307ec213a97ddc33ac6921ba37246548245d027 Author: Jan Kara Date: Thu Dec 20 00:07:18 2012 -0500 ext4: check dioread_nolock on remount commit 261cb20cb2f0737a247aaf08dff7eb065e3e5b66 upstream. Currently we allow enabling dioread_nolock mount option on remount for filesystems where blocksize < PAGE_CACHE_SIZE. This isn't really supported so fix the bug by moving the check for blocksize != PAGE_CACHE_SIZE into parse_options(). Change the original PAGE_SIZE to PAGE_CACHE_SIZE along the way because that's what we are really interested in. Signed-off-by: Jan Kara Signed-off-by: "Theodore Ts'o" Reviewed-by: Eric Sandeen Signed-off-by: Greg Kroah-Hartman commit cb832988d64ff38921359cce89093abc60f299b5 Author: Forrest Liu Date: Mon Dec 17 09:55:39 2012 -0500 ext4: fix extent tree corruption caused by hole punch commit c36575e663e302dbaa4d16b9c72d2c9a913a9aef upstream. When depth of extent tree is greater than 1, logical start value of interior node is not correctly updated in ext4_ext_rm_idx. Signed-off-by: Forrest Liu Signed-off-by: "Theodore Ts'o" Reviewed-by: Ashish Sangwan Signed-off-by: Greg Kroah-Hartman commit 2c3a3718da77839d08925a4705802f045faaea06 Author: Seth Forshee Date: Wed Dec 5 16:08:33 2012 -0600 samsung-laptop: Add quirk for broken acpi_video backlight on N250P commit e04c200f1f2de8eaa2f5af6d97e7e213a1abb424 upstream. BugLink: http://bugs.launchpad.net/bugs/1086921 Signed-off-by: Seth Forshee Signed-off-by: Matthew Garrett Signed-off-by: Greg Kroah-Hartman commit e80bd5af8e6dc699516696be47bd63b529acc268 Author: Lothar Waßmann Date: Thu Nov 22 13:49:14 2012 +0100 video: mxsfb: fix crash when unblanking the display commit 6c1ecba8d84841277d68140ef485335d5be28485 upstream. The VDCTRL4 register does not provide the MXS SET/CLR/TOGGLE feature. The write in mxsfb_disable_controller() sets the data_cnt for the LCD DMA to 0 which obviously means the max. count for the LCD DMA and leads to overwriting arbitrary memory when the display is unblanked. Signed-off-by: Lothar Waßmann Acked-by: Juergen Beisert Tested-by: Lauri Hintsala Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit fac3e9ef05d5ed0ab475bad3985ff017f5aa79be Author: Chris Verges Date: Fri Dec 21 01:58:34 2012 -0800 hwmon: (lm73} Detect and report i2c bus errors commit 0602934f302e016e2ea5dc6951681bfac77455ef upstream. If an LM73 device does not exist on an I2C bus, attempts to communicate with the device result in an error code returned from the i2c read/write functions. The current lm73 driver casts that return value from a s32 type to a s16 type, then converts it to a temperature in celsius. Because negative temperatures are valid, it is difficult to distinguish between an error code printed to the response buffer and a negative temperature recorded by the sensor. The solution is to evaluate the return value from the i2c functions before performing any temperature calculations. If the i2c function did not succeed, the error code should be passed back through the virtual file system layer instead of being printed into the response buffer. Before: $ cat /sys/class/hwmon/hwmon0/device/temp1_input -46 After: $ cat /sys/class/hwmon/hwmon0/device/temp1_input cat: read error: No such device or address Signed-off-by: Chris Verges Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit e239d2d4ea630ddec326a99252888b867d196f5b Author: Malcolm Priestley Date: Sun Nov 11 16:07:57 2012 +0000 staging: vt6656: 64bit fixes: vCommandTimerWait change calculation of timer. commit 70e227790d4ee4590023d8041a3485f8053593fc upstream. The timer appears to run too fast/race on 64 bit systems. Using msecs_to_jiffies seems to cause a deadlock on 64 bit. A calculation of (MSecond * HZ) / 1000 appears to run satisfactory. Change BSSIDInfoCount to u32. After this patch the driver can be successfully connect on little endian 64/32 bit systems. Signed-off-by: Malcolm Priestley Signed-off-by: Greg Kroah-Hartman commit 82b2729dac2da860dd30d46753ac18ba7ad8888f Author: Malcolm Priestley Date: Sun Nov 11 15:49:59 2012 +0000 staging: vt6656: 64bit fixes: key.c/h change unsigned long to u32 commit c0d05b305b00c698b0a8c1b3d46c9380bce9db45 upstream. Fixes long issues. Signed-off-by: Malcolm Priestley Signed-off-by: Greg Kroah-Hartman commit 4a3e24ba6b9f06ccfb1f583cad23dc6f508e1752 Author: Malcolm Priestley Date: Sun Nov 11 15:45:52 2012 +0000 staging: vt6656: 64 bit fixes: fix long warning messages. commit b4dc03af5513774277c9c36b12a25cd3f25f4404 upstream. Fixes long warning messages from patch [PATCH 08/14] staging: vt6656: 64 bit fixes : correct all type sizes Signed-off-by: Malcolm Priestley Signed-off-by: Greg Kroah-Hartman commit a17de003d22c2dc9ddce8278d3c2be740e15da43 Author: Malcolm Priestley Date: Sun Nov 11 15:41:25 2012 +0000 staging: vt6656: 64 bit fixes : correct all type sizes commit 7730492855a2f9c828599bcd8d62760f96d319e4 upstream. After this patch all BYTE/WORD/DWORD types can be replaced with the appropriate u sizes. Signed-off-by: Malcolm Priestley Signed-off-by: Greg Kroah-Hartman commit 27c1026faf863a716c5dcd61e479c10f215dce39 Author: Malcolm Priestley Date: Sun Nov 11 15:32:05 2012 +0000 staging: vt6656: 64 bit fixes: use u32 for QWORD definition. commit a552397d5e4ef0cc0bd3e9595d6acc9a3b381171 upstream. Size of long issues replace with u32. Signed-off-by: Malcolm Priestley Signed-off-by: Greg Kroah-Hartman commit 97e3cb7f7a27f4902fe75880149517713570da0e Author: Malcolm Priestley Date: Sun Oct 7 08:27:00 2012 +0100 staging: vt6656: [BUG] out of bound array reference in RFbSetPower. commit ab1dd9963137a1e122004d5378a581bf16ae9bc8 upstream. Calling RFbSetPower with uCH zero value will cause out of bound array reference. This causes 64 bit kernels to oops on boot. Note: Driver does not function on 64 bit kernels and should be blacklisted on them. Signed-off-by: Malcolm Priestley Signed-off-by: Greg Kroah-Hartman commit 61652b1acea31009aff707b975a171567095df81 Author: Alasdair G Kergon Date: Fri Dec 21 20:23:30 2012 +0000 dm ioctl: prevent unsafe change to dm_ioctl data_size commit e910d7ebecd1aac43125944a8641b6cb1a0dfabe upstream. Abort dm ioctl processing if userspace changes the data_size parameter after we validated it but before we finished copying the data buffer from userspace. The dm ioctl parameters are processed in the following sequence: 1. ctl_ioctl() calls copy_params(); 2. copy_params() makes a first copy of the fixed-sized portion of the userspace parameters into the local variable "tmp"; 3. copy_params() then validates tmp.data_size and allocates a new structure big enough to hold the complete data and copies the whole userspace buffer there; 4. ctl_ioctl() reads userspace data the second time and copies the whole buffer into the pointer "param"; 5. ctl_ioctl() reads param->data_size without any validation and stores it in the variable "input_param_size"; 6. "input_param_size" is further used as the authoritative size of the kernel buffer. The problem is that userspace code could change the contents of user memory between steps 2 and 4. In particular, the data_size parameter can be changed to an invalid value after the kernel has validated it. This lets userspace force the kernel to access invalid kernel memory. The fix is to ensure that the size has not changed at step 4. This patch shouldn't have a security impact because CAP_SYS_ADMIN is required to run this code, but it should be fixed anyway. Reported-by: Mikulas Patocka Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 38d67580f65e46ec13c65c8ebb0666134f167658 Author: Mikulas Patocka Date: Fri Dec 21 20:23:30 2012 +0000 dm persistent data: rename node to btree_node commit 550929faf89e2e2cdb3e9945ea87d383989274cf upstream. This patch fixes a compilation failure on sparc32 by renaming struct node. struct node is already defined in include/linux/node.h. On sparc32, it happens to be included through other dependencies and persistent-data doesn't compile because of conflicting declarations. Signed-off-by: Mikulas Patocka Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 4d7981bfc21f7b6ef48f9a819d2c9969ad6eea71 Author: Steven Rostedt Date: Thu Nov 29 22:31:16 2012 -0500 ring-buffer: Fix race between integrity check and readers commit 9366c1ba13fbc41bdb57702e75ca4382f209c82f upstream. The function rb_check_pages() was added to make sure the ring buffer's pages were sane. This check is done when the ring buffer size is modified as well as when the iterator is released (closing the "trace" file), as that was considered a non fast path and a good place to do a sanity check. The problem is that the check does not have any locks around it. If one process were to read the trace file, and another were to read the raw binary file, the check could happen while the reader is reading the file. The issues with this is that the check requires to clear the HEAD page before doing the full check and it restores it afterward. But readers require the HEAD page to exist before it can read the buffer, otherwise it gives a nasty warning and disables the buffer. By adding the reader lock around the check, this keeps the race from happening. Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 0d38a8789caf511e5b997caf76eb32fddbff051c Author: Tatyana Nikolova Date: Thu Dec 6 19:58:27 2012 +0000 RDMA/nes: Fix for terminate timer crash commit 7bfcfa51c35cdd2d37e0d70fc11790642dd11fb3 upstream. The terminate timer needs to be initialized just once. Signed-off-by: Tatyana Nikolova Signed-off-by: Roland Dreier Signed-off-by: CAI Qian Signed-off-by: Greg Kroah-Hartman commit e5ca2896f817ef43802387ae2f41a9c70e30ee86 Author: Tatyana Nikolova Date: Thu Dec 6 20:05:02 2012 +0000 RDMA/nes: Fix for crash when registering zero length MR for CQ commit 7d9c199a55200c9b9fcad08e150470d02fb385be upstream. Signed-off-by: Tatyana Nikolova Signed-off-by: Roland Dreier Signed-off-by: CAI Qian Signed-off-by: Greg Kroah-Hartman commit c7cde2b3d27a5417021d7fc6da0f7941eab63769 Author: Trond Myklebust Date: Thu Nov 8 10:01:26 2012 -0500 SUNRPC: Fix validity issues with rpc_pipefs sb->s_fs_info commit 642fe4d00db56d65060ce2fd4c105884414acb16 upstream. rpc_kill_sb() must defer calling put_net() until after the notifier has been called, since most (all?) of the notifier callbacks assume that sb->s_fs_info points to a valid net namespace. It also must not call put_net() if the call to rpc_fill_super was unsuccessful. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=48421 Signed-off-by: Trond Myklebust Cc: Stanislav Kinsbursky Signed-off-by: Greg Kroah-Hartman commit 297456d8fe2b141f0f05b5d6ff48a4cd0b5f5889 Author: Paulo Zanoni Date: Tue Nov 20 13:27:41 2012 -0200 drm/i915: make the panel fitter work on pipes B and C on IVB commit 13888d78c664a1f61d7b09d282f5916993827a40 upstream. I actually found this problem on Haswell, but then discovered Ivy Bridge also has it by reading the spec. I don't have the hardware to test this. Signed-off-by: Paulo Zanoni Reviewed-by: Damien Lespiau Signed-off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit 5df148ba552817a8d3eb9d2ace557deb178192e6 Author: Niels Ole Salscheider Date: Thu Jan 3 19:09:28 2013 +0100 drm/radeon: Properly handle DDC probe for DP bridges commit 0a9069d34918659bc8a89e21e69e60b2b83291a3 upstream. DDC information can be accessed using AUX CH Fixes failure to probe monitors on some systems with DP bridge chips. agd5f: minor fixes Signed-off-by: Niels Ole Salscheider Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit e4a5d6d17f6dff0174ba1c0b2041d73ec7d0c1dd Author: Alex Deucher Date: Thu Dec 20 21:19:32 2012 -0500 drm/radeon: add WAIT_UNTIL to evergreen VM safe reg list commit 668bbc81baf0f34df832d8aca5c7d5e19a493c68 upstream. It's used in a recent mesa commit: http://cgit.freedesktop.org/mesa/mesa/commit/?id=24b1206ab2dcd506aaac3ef656aebc8bc20cd27a and there may be some other cases in the future where it's required. Signed-off-by: Alex Deucher Reviewed-by: Jerome Glisse Signed-off-by: Greg Kroah-Hartman commit a98843e161b490b91fac1b7e0daa4ba9517bf65a Author: Alex Deucher Date: Tue Dec 4 16:50:28 2012 -0500 drm/radeon: fix eDP clk and lane setup for scaled modes commit 93927f9c1db5f55085457e820f0631064c7bfa34 upstream. Need to use the adjusted mode since we are sending native timing and using the scaler for non-native modes. Signed-off-by: Alex Deucher Reviewed-by: Jerome Glisse Signed-off-by: Greg Kroah-Hartman commit 16639bce521c713cf623ac4a4ff085c18a48674e Author: Woodhouse, David Date: Wed Dec 19 13:25:35 2012 +0000 intel-iommu: Free old page tables before creating superpage commit 6491d4d02893d9787ba67279595990217177b351 upstream. The dma_pte_free_pagetable() function will only free a page table page if it is asked to free the *entire* 2MiB range that it covers. So if a page table page was used for one or more small mappings, it's likely to end up still present in the page tables... but with no valid PTEs. This was fine when we'd only be repopulating it with 4KiB PTEs anyway but the same virtual address range can end up being reused for a *large-page* mapping. And in that case were were trying to insert the large page into the second-level page table, and getting a complaint from the sanity check in __domain_mapping() because there was already a corresponding entry. This was *relatively* harmless; it led to a memory leak of the old page table page, but no other ill-effects. Fix it by calling dma_pte_clear_range (hopefully redundant) and dma_pte_free_pagetable() before setting up the new large page. Signed-off-by: David Woodhouse Tested-by: Ravi Murty Tested-by: Sudeep Dutt Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9aba4c8888212a4a281107fec875eb1fd14cbb43 Author: Dan Williams Date: Fri Dec 14 13:10:50 2012 +0000 i2400m: add Intel 6150 device IDs commit 999a7c5776a0ed2133645fa7e008bec05bda9254 upstream. Add device IDs for WiMAX function of Intel 6150 cards. Signed-off-by: Dan Williams Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7e94f31b2b9c1a1e976a7123ca9b96dddb3eeaae Author: Alexey Khoroshilov Date: Mon Nov 5 22:40:14 2012 +0400 jffs2: hold erase_completion_lock on exit commit 2cbba75a56ea78e6876b4e2547a882f10b3fe72b upstream. Users of jffs2_do_reserve_space() expect they still held erase_completion_lock after call to it. But there is a path where jffs2_do_reserve_space() leaves erase_completion_lock unlocked. The patch fixes it. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit 11d607dd94b7e1e4190f20581643555e620e3366 Author: Trond Myklebust Date: Mon Jan 7 14:30:46 2013 -0500 SUNRPC: Ensure we release the socket write lock if the rpc_task exits early commit 87ed50036b866db2ec2ba16b2a7aec4a2b0b7c39 upstream. If the rpc_task exits while holding the socket write lock before it has allocated an rpc slot, then the usual mechanism for releasing the write lock in xprt_release() is defeated. The problem occurs if the call to xprt_lock_write() initially fails, so that the rpc_task is put on the xprt->sending wait queue. If the task exits after being assigned the lock by __xprt_lock_write_func, but before it has retried the call to xprt_lock_and_alloc_slot(), then it calls xprt_release() while holding the write lock, but will immediately exit due to the test for task->tk_rqstp != NULL. Reported-by: Chris Perl Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit d5b319960ab9e0770b6ecae94045b512cd3029b7 Author: Trond Myklebust Date: Fri Jan 4 12:23:21 2013 -0500 SUNRPC: Ensure that we free the rpc_task after cleanups are done commit c6567ed1402c55e19b012e66a8398baec2a726f3 upstream. This patch ensures that we free the rpc_task after the cleanup callbacks are done in order to avoid a deadlock problem that can be triggered if the callback needs to wait for another workqueue item to complete. Signed-off-by: Trond Myklebust Cc: Weston Andros Adamson Cc: Tejun Heo Cc: Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 65ac5efcd7e36ddf4cbe7d9e7f844a016dba4f7d Author: Stanislav Kinsbursky Date: Mon Dec 17 20:18:52 2012 +0300 SUNRPC: continue run over clients list on PipeFS event instead of break commit cd6c5968582a273561464fe6b1e8cc8214be02df upstream. There are SUNRPC clients, which program doesn't have pipe_dir_name. These clients can be skipped on PipeFS events, because nothing have to be created or destroyed. But instead of breaking in case of such a client was found, search for suitable client over clients list have to be continued. Otherwise some clients could not be covered by PipeFS event handler. Signed-off-by: Stanislav Kinsbursky Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit b53673dcf8a31a4b2f41fdf2fa168b7c693fd7b3 Author: Wolfram Sang Date: Wed Dec 5 21:46:02 2012 +0100 mtd: nand: gpmi: reset BCH earlier, too, to avoid NAND startup problems commit 6f2a6a52560ad8d85710aabd92b7a3239b3a6b07 upstream. It could happen (1 out of 100 times) that NAND did not start up correctly after warm rebooting, so the kernel could not find the UBI or DMA timed out due to a stalled BCH. When resetting BCH together with GPMI, the issue could not be observed anymore (after 10000+ reboots). We probably need the consistent state already before sending any command to NAND, even when no ECC is needed. I chose to keep the extra reset for BCH when changing the flash layout to be on the safe side. Signed-off-by: Wolfram Sang Acked-by: Huang Shijie Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit 272965fcdaf55d0930dbc594fdfd93cd13fcc8cd Author: Nathan Williams Date: Thu Nov 22 10:42:52 2012 +1100 mtd cs553x_nand: Initialise ecc.strength before nand_scan() commit d1f3b65d2d6fdb4bf0edd4b67e86e191af48daee upstream. Loading cs553x_nand with Hynix H27U1G8F2BTR NAND flash causes this bug: kernel BUG at drivers/mtd/nand/nand_base.c:3345! invalid opcode: 0000 [#1] Modules linked in: cs553x_nand(+) vfat fat usb_storage ehci_hcd usbcore usb_comr Pid: 436, comm: modprobe Not tainted 3.6.7 #1 EIP: 0060:[] EFLAGS: 00010296 CPU: 0 EIP is at nand_scan_tail+0x64c/0x69c EAX: 00000034 EBX: cea6ed98 ECX: 00000000 EDX: 00000000 ESI: cea6ec00 EDI: cea6ec00 EBP: 20000000 ESP: cdd17e48 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 CR0: 8005003b CR2: 0804e119 CR3: 0d850000 CR4: 00000090 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: ffff0ff0 DR7: 00000400 Process modprobe (pid: 436, ti=cdd16000 task=cdd1c320 task.ti=cdd16000) Stack: c12e962c c118f7ef 00000003 cea6ed98 d014b25c 20000000 fffff007 00000001 00000000 cdd53b00 d014b000 c1001021 cdd53b00 d01493c0 cdd53b00 cdd53b00 d01493c0 c1047f83 d014b4a0 00000000 cdd17f9c ce4be454 cdd17f48 cdd1c320 Call Trace: [] ? nand_scan+0x1b/0x4d [] ? init_module+0x25c/0x2de [cs553x_nand] [] ? 0xd014afff [] ? do_one_initcall+0x21/0x111 [] ? sys_init_module+0xe4/0x1261 [] ? task_work_run+0x36/0x43 [] ? syscall_call+0x7/0xb Code: fa ff ff c7 86 d8 00 00 00 01 00 00 00 e9 5f fc ff ff 68 f8 26 2e c1 e8 a7 EIP: [] nand_scan_tail+0x64c/0x69c SS:ESP 0068:cdd17e48 Initialising ecc.strength before the call to nand_scan() fixes this. Signed-off-by: Nathan Williams Acked-by: Brian Norris Acked-by: Mike Dunn Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman commit 6b4b4679f40d6d112eda435a9dde937bb41c9bfc Author: Theodore Ts'o Date: Thu Nov 29 21:21:22 2012 -0500 ext4: fix possible use after free with metadata csum commit aeb1e5d69a5be592e86a926be73efb38c55af404 upstream. Commit fa77dcfafeaa introduces block bitmap checksum calculation into ext4_new_inode() in the case that block group was uninitialized. However we brelse() the bitmap buffer before we attempt to checksum it so we have no guarantee that the buffer is still there. Fix this by releasing the buffer after the possible checksum computation. Signed-off-by: Lukas Czerner Signed-off-by: "Theodore Ts'o" Acked-by: Darrick J. Wong Signed-off-by: Greg Kroah-Hartman commit aadee0f004ac85d2afd1cd03279d3dc01363258c Author: Eugene Shatokhin Date: Thu Nov 8 15:11:11 2012 -0500 ext4: fix memory leak in ext4_xattr_set_acl()'s error path commit 24ec19b0ae83a385ad9c55520716da671274b96c upstream. In ext4_xattr_set_acl(), if ext4_journal_start() returns an error, posix_acl_release() will not be called for 'acl' which may result in a memory leak. This patch fixes that. Reviewed-by: Lukas Czerner Signed-off-by: Eugene Shatokhin Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit af713fb8e79809aa46f16de4f209245c39b9d7eb Author: Charles Keepax Date: Fri Nov 9 16:15:28 2012 +0000 mfd: Only unregister platform devices allocated by the mfd core commit b9fbb62eb61452d728c39b2e5020739c575aac53 upstream. mfd_remove_devices would iterate over all devices sharing a parent with an mfd device regardless of whether they were allocated by the mfd core or not. This especially caused problems when the device structure was not contained within a platform_device, because to_platform_device is used on each device pointer. This patch defines a device_type for mfd devices and checks this is present from mfd_remove_devices_fn before processing the device. Signed-off-by: Charles Keepax Tested-by: Peter Tyser Reviewed-by: Mark Brown Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 4bc4d7ec50d4811610197ee7707559022250724a Author: Mark Brown Date: Fri Nov 23 12:05:33 2012 +0900 mfd: wm8994: Add support for WM1811 rev E commit fee546ce8cfd9dea1f53175f627e17ef5ff05df4 upstream. This is supported identically to the previous revisions. Signed-off-by: Mark Brown Signed-off-by: Samuel Ortiz Signed-off-by: Greg Kroah-Hartman commit 28a63b67b3d52e40826d82425307e8f067551106 Author: Yi Zou Date: Mon Dec 10 17:04:00 2012 -0800 target/tcm_fc: fix the lockdep warning due to inconsistent lock state commit 9f4ad44b264f8bb61ffdd607148215566568430d upstream. The lockdep warning below is in theory correct but it will be in really weird rare situation that ends up that deadlock since the tcm fc session is hashed based the rport id. Nonetheless, the complaining below is about rcu callback that does the transport_deregister_session() is happening in softirq, where transport_register_session() that happens earlier is not. This triggers the lockdep warning below. So, just fix this to make lockdep happy by disabling the soft irq before calling transport_register_session() in ft_prli. BTW, this was found in FCoE VN2VN over two VMs, couple of create and destroy would get this triggered. v1: was enforcing register to be in softirq context which was not righ. See, http://www.spinics.net/lists/target-devel/msg03614.html v2: following comments from Roland&Nick (thanks), it seems we don't have to do transport_deregister_session() in rcu callback, so move it into ft_sess_free() but still do kfree() of the corresponding ft_sess struct in rcu callback to make sure the ft_sess is not freed till the rcu callback. ... [ 1328.370592] scsi2 : FCoE Driver [ 1328.383429] fcoe: No FDMI support. [ 1328.384509] host2: libfc: Link up on port (000000) [ 1328.934229] host2: Assigned Port ID 00a292 [ 1357.232132] host2: rport 00a393: Remove port [ 1357.232568] host2: rport 00a393: Port sending LOGO from Ready state [ 1357.233692] host2: rport 00a393: Delete port [ 1357.234472] host2: rport 00a393: work event 3 [ 1357.234969] host2: rport 00a393: callback ev 3 [ 1357.235979] host2: rport 00a393: Received a LOGO response closed [ 1357.236706] host2: rport 00a393: work delete [ 1357.237481] [ 1357.237631] ================================= [ 1357.238064] [ INFO: inconsistent lock state ] [ 1357.238450] 3.7.0-rc7-yikvm+ #3 Tainted: G O [ 1357.238450] --------------------------------- [ 1357.238450] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. [ 1357.238450] ksoftirqd/0/3 [HC0[0]:SC1[1]:HE0:SE0] takes: [ 1357.238450] (&(&se_tpg->session_lock)->rlock){+.?...}, at: [] transport_deregister_session+0x41/0x148 [target_core_mod] [ 1357.238450] {SOFTIRQ-ON-W} state was registered at: [ 1357.238450] [] mark_held_locks+0x6d/0x95 [ 1357.238450] [] trace_hardirqs_on_caller+0x12d/0x197 [ 1357.238450] [] trace_hardirqs_on+0xd/0xf [ 1357.238450] [] _raw_spin_unlock_irq+0x2d/0x45 [ 1357.238450] [] __transport_register_session+0xb8/0x122 [target_core_mod] [ 1357.238450] [] transport_register_session+0x44/0x5a [target_core_mod] [ 1357.238450] [] ft_prli+0x1e3/0x275 [tcm_fc] [ 1357.238450] [] fc_rport_recv_req+0x95e/0xdc5 [libfc] [ 1357.238450] [] fc_lport_recv_els_req+0xc4/0xd5 [libfc] [ 1357.238450] [] fc_lport_recv_req+0x12f/0x18f [libfc] [ 1357.238450] [] fc_exch_recv+0x8ba/0x981 [libfc] [ 1357.238450] [] fcoe_percpu_receive_thread+0x47a/0x4e2 [fcoe] [ 1357.238450] [] kthread+0xb1/0xb9 [ 1357.238450] [] ret_from_fork+0x7c/0xb0 [ 1357.238450] irq event stamp: 275411 [ 1357.238450] hardirqs last enabled at (275410): [] rcu_process_callbacks+0x229/0x42a [ 1357.238450] hardirqs last disabled at (275411): [] _raw_spin_lock_irqsave+0x22/0x8e [ 1357.238450] softirqs last enabled at (275394): [] __do_softirq+0x246/0x26f [ 1357.238450] softirqs last disabled at (275399): [] run_ksoftirqd+0x29/0x62 [ 1357.238450] [ 1357.238450] other info that might help us debug this: [ 1357.238450] Possible unsafe locking scenario: [ 1357.238450] [ 1357.238450] CPU0 [ 1357.238450] ---- [ 1357.238450] lock(&(&se_tpg->session_lock)->rlock); [ 1357.238450] [ 1357.238450] lock(&(&se_tpg->session_lock)->rlock); [ 1357.238450] [ 1357.238450] *** DEADLOCK *** [ 1357.238450] [ 1357.238450] no locks held by ksoftirqd/0/3. [ 1357.238450] [ 1357.238450] stack backtrace: [ 1357.238450] Pid: 3, comm: ksoftirqd/0 Tainted: G O 3.7.0-rc7-yikvm+ #3 [ 1357.238450] Call Trace: [ 1357.238450] [] print_usage_bug+0x1f5/0x206 [ 1357.238450] [] ? save_stack_trace+0x2c/0x49 [ 1357.238450] [] ? print_irq_inversion_bug.part.14+0x1ae/0x1ae [ 1357.238450] [] mark_lock+0x106/0x258 [ 1357.238450] [] __lock_acquire+0x2e7/0xe53 [ 1357.238450] [] ? pvclock_clocksource_read+0x48/0xb4 [ 1357.238450] [] ? rcu_process_gp_end+0xc0/0xc9 [ 1357.238450] [] ? transport_deregister_session+0x41/0x148 [target_core_mod] [ 1357.238450] [] lock_acquire+0x119/0x143 [ 1357.238450] [] ? transport_deregister_session+0x41/0x148 [target_core_mod] [ 1357.238450] [] _raw_spin_lock_irqsave+0x54/0x8e [ 1357.238450] [] ? transport_deregister_session+0x41/0x148 [target_core_mod] [ 1357.238450] [] transport_deregister_session+0x41/0x148 [target_core_mod] [ 1357.238450] [] ? rcu_process_callbacks+0x229/0x42a [ 1357.238450] [] ft_sess_rcu_free+0x17/0x24 [tcm_fc] [ 1357.238450] [] ? ft_sess_free+0x1b/0x1b [tcm_fc] [ 1357.238450] [] rcu_process_callbacks+0x260/0x42a [ 1357.238450] [] __do_softirq+0x13a/0x26f [ 1357.238450] [] ? __schedule+0x65f/0x68e [ 1357.238450] [] run_ksoftirqd+0x29/0x62 [ 1357.238450] [] smpboot_thread_fn+0x1a5/0x1aa [ 1357.238450] [] ? smpboot_unregister_percpu_thread+0x47/0x47 [ 1357.238450] [] kthread+0xb1/0xb9 [ 1357.238450] [] ? wait_for_common+0xbb/0x10a [ 1357.238450] [] ? __init_kthread_worker+0x59/0x59 [ 1357.238450] [] ret_from_fork+0x7c/0xb0 [ 1357.238450] [] ? __init_kthread_worker+0x59/0x59 [ 1417.440099] rport-2:0-0: blocked FC remote port time out: removing rport Signed-off-by: Yi Zou Cc: Open-FCoE Cc: Nicholas A. Bellinger Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 93269101285d5bfd18b1f3b7078a76ed87e7a834 Author: Xiaotian Feng Date: Thu Dec 13 16:12:18 2012 +0800 libata: fix Null pointer dereference on disk error commit 26cd4d65deba587f3cf2329b6869ce02bcbe68ec upstream. Following oops were observed when disk error happened: [ 4272.896937] sd 0:0:0:0: [sda] Unhandled error code [ 4272.896939] sd 0:0:0:0: [sda] Result: hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK [ 4272.896942] sd 0:0:0:0: [sda] CDB: Read(10): 28 00 00 5a de a7 00 00 08 00 [ 4272.896951] end_request: I/O error, dev sda, sector 5955239 [ 4291.574947] BUG: unable to handle kernel NULL pointer dereference at (null) [ 4291.658305] IP: [] ahci_activity_show+0x1/0x40 [ 4291.730090] PGD 76dbbc067 PUD 6c4fba067 PMD 0 [ 4291.783408] Oops: 0000 [#1] SMP [ 4291.822100] last sysfs file: /sys/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/sw_activity [ 4291.934235] CPU 9 [ 4291.958301] Pid: 27942, comm: hwinfo ...... ata_scsi_find_dev could return NULL, so ata_scsi_activity_{show,store} should check if atadev is NULL. Signed-off-by: Xiaotian Feng Cc: James Bottomley Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit d8876cb61d0bd9002cedcd720ce13ad7f2e32cf7 Author: Aaron Lu Date: Mon Dec 3 11:35:02 2012 +0800 libata: set dma_mode to 0xff in reset commit 5416912af75de9cba5d1c75b99a7888b0bbbd2fb upstream. ata_device->dma_mode's initial value is zero, which is not a valid dma mode, but ata_dma_enabled will return true for this value. This patch sets dma_mode to 0xff in reset function, so that ata_dma_enabled will not return true for this case, or it will cause problem for pata_acpi. The corrsponding bugzilla page is at: https://bugzilla.kernel.org/show_bug.cgi?id=49151 Reported-by: Phillip Wood Signed-off-by: Aaron Lu Tested-by: Szymon Janc Tested-by: Dutra Julio Acked-by: Alan Cox Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 4b693aca7e346fcff0ea5c1548e7b5545bfbfd04 Author: Mikael Pettersson Date: Sun Sep 16 20:53:43 2012 +0200 sata_promise: fix hardreset lockdep error commit 3100d49d3cd236443faae9d81137c81b22d36003 upstream. sata_promise's pdc_hard_reset_port() needs to serialize because it flips a port-specific bit in controller register that's shared by all ports. The code takes the ata host lock for this, but that's broken because an interrupt may arrive on our irq during the hard reset sequence, and that too will take the ata host lock. With lockdep enabled a big nasty warning is seen. Fixed by adding private state to the ata host structure, containing a second lock used only for serializing the hard reset sequences. This eliminated the lockdep warnings both on my test rig and on the original reporter's machine. Signed-off-by: Mikael Pettersson Tested-by: Adko Branil Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 370caef9e8e2800a759d9c29e2c4d41375bdad62 Author: Wei Yongjun Date: Fri Nov 23 12:07:39 2012 +0800 iscsit: use GFP_ATOMIC under spin lock commit 3c989d7603872bf878840f7ce3ea49b73bea4c6c upstream. The function iscsit_build_conn_drop_async_message() is called from iscsit_close_connection() with spin lock 'sess->conn_lock' held, so we should use GFP_ATOMIC instead of GFP_KERNEL. Signed-off-by: Wei Yongjun Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 2e4be18823cb686f1316ac856ce1fbc651dd28e1 Author: David Jeffery Date: Wed Nov 21 02:39:54 2012 -0500 SCSI: qla2xxx: Test and clear FCPORT_UPDATE_NEEDED atomically. commit a394aac88506159e047630fc90dc2242568382d8 upstream. When the qla2xxx driver loses access to multiple, remote ports, there is a race condition which can occur which will keep the request stuck on a scsi request queue indefinitely. This bad state occurred do to a race condition with how the FCPORT_UPDATE_NEEDED bit is set in qla2x00_schedule_rport_del(), and how it is cleared in qla2x00_do_dpc(). The problem port has its drport pointer set, but it has never been processed by the driver to inform the fc transport that the port has been lost. qla2x00_schedule_rport_del() sets drport, and then sets the FCPORT_UPDATE_NEEDED bit. In qla2x00_do_dpc(), the port lists are walked and any drport pointer is handled and the fc transport informed of the port loss, then the FCPORT_UPDATE_NEEDED bit is cleared. This leaves a race where the dpc thread is processing one port removal, another port removal is marked with a call to qla2x00_schedule_rport_del(), and the dpc thread clears the bit for both removals, even though only the first removal was actually handled. Until another event occurs to set FCPORT_UPDATE_NEEDED, the later port removal is never finished and qla2xxx stays in a bad state which causes requests to become stuck on request queues. This patch updates the driver to test and clear FCPORT_UPDATE_NEEDED atomically. This ensures the port state changes are processed and not lost. Signed-off-by: David Jeffery Signed-off-by: Chad Dupuis Signed-off-by: Saurav Kashyap Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit e21c4b90fb7881357c81a5f68d676747b7dddbb1 Author: Sasha Levin Date: Thu Nov 15 15:51:46 2012 -0500 SCSI: prevent stack buffer overflow in host_reset commit 072f19b4bea31cdd482d79f805413f2f9ac9e233 upstream. store_host_reset() has tried to re-invent the wheel to compare sysfs strings. Unfortunately it did so poorly and never bothered to check the input from userspace before overwriting stack with it, so something simple as: echo "WoopsieWoopsie" > /sys/devices/pseudo_0/adapter0/host0/scsi_host/host0/host_reset would result in: [ 316.310101] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81f5bac7 [ 316.310101] [ 316.320051] Pid: 6655, comm: sh Tainted: G W 3.7.0-rc5-next-20121114-sasha-00016-g5c9d68d-dirty #129 [ 316.320051] Call Trace: [ 316.340058] pps pps0: PPS event at 1352918752.620355751 [ 316.340062] pps pps0: capture assert seq #303 [ 316.320051] [] panic+0xcd/0x1f4 [ 316.320051] [] ? store_host_reset+0xd7/0x100 [ 316.320051] [] __stack_chk_fail+0x16/0x20 [ 316.320051] [] store_host_reset+0xd7/0x100 [ 316.320051] [] dev_attr_store+0x13/0x30 [ 316.320051] [] sysfs_write_file+0x101/0x170 [ 316.320051] [] vfs_write+0xb8/0x180 [ 316.320051] [] sys_write+0x50/0xa0 [ 316.320051] [] tracesys+0xe1/0xe6 Fix this by uninventing whatever was going on there and just use sysfs_streq. Bug introduced by 29443691 ("[SCSI] scsi: Added support for adapter and firmware reset"). [jejb: added necessary const to prevent compile warnings] Signed-off-by: Sasha Levin Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 3814b31a89b1fbb5c6f92c11c8371a2e4c97d2f1 Author: Xi Wang Date: Fri Nov 16 14:40:03 2012 -0500 SCSI: mvsas: fix undefined bit shift commit beecadea1b8d67f591b13f7099559f32f3fd601d upstream. The macro bit(n) is defined as ((u32)1 << n), and thus it doesn't work with n >= 32, such as in mvs_94xx_assign_reg_set(): if (i >= 32) { mvi->sata_reg_set |= bit(i); ... } The shift ((u32)1 << n) with n >= 32 also leads to undefined behavior. The result varies depending on the architecture. This patch changes bit(n) to do a 64-bit shift. It also simplifies mv_ffc64() using __ffs64(), since invoking ffz() with ~0 is undefined. Signed-off-by: Xi Wang Acked-by: Xiangliang Yu Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 8f735b2774f5e200a65c5fe9143fb431023a5267 Author: Jianpeng Ma Date: Sat Aug 4 10:34:14 2012 +0800 SCSI: mvsas: Fix oops when ata commond timeout. commit 95ab000388974d8ffef8257306b4be6e8778b768 upstream. Kernel message follows: [ 511.712011] sd 11:0:0:0: [sdf] command ffff8800a4e81400 timed out [ 511.712022] sas: Enter sas_scsi_recover_host busy: 1 failed: 1 [ 511.712024] sas: trying to find task 0xffff8800a4d24c80 [ 511.712026] sas: sas_scsi_find_task: aborting task 0xffff8800a4d24c80 [ 511.712029] drivers/scsi/mvsas/mv_sas.c 1631:mvs_abort_task() mvi=ffff8800b5300000 task=ffff8800a4d24c80 slot=ffff8800b5325038 slot_idx=x0 [ 511.712035] BUG: unable to handle kernel NULL pointer dereference at 0000000000000058 [ 511.712040] IP: [] _raw_spin_lock_irqsave+0xc/0x30 [ 511.712047] PGD 0 [ 511.712049] Oops: 0002 [#1] SMP [ 511.712052] Modules linked in: mvsas libsas scsi_transport_sas raid456 async_pq async_xor xor async_memcpy async_raid6_recov raid6_pq async_tx [last unloaded: mvsas] [ 511.712062] CPU 3 [ 511.712066] Pid: 7322, comm: scsi_eh_11 Not tainted 3.5.0+ #106 To Be Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M. [ 511.712068] RIP: 0010:[] [] _raw_spin_lock_irqsave+0xc/0x30 [ 511.712073] RSP: 0018:ffff880098d3bcb0 EFLAGS: 00010086 [ 511.712074] RAX: 0000000000000286 RBX: 0000000000000058 RCX: 00000000000000c3 [ 511.712076] RDX: 0000000000000100 RSI: 0000000000000046 RDI: 0000000000000058 [ 511.712078] RBP: ffff880098d3bcb0 R08: 000000000000000a R09: 0000000000000000 [ 511.712080] R10: 00000000000004e8 R11: 00000000000004e7 R12: ffff8800a4d24c80 [ 511.712082] R13: 0000000000000050 R14: ffff8800b5325038 R15: ffff8800a4eafe00 [ 511.712084] FS: 0000000000000000(0000) GS:ffff8800bdb80000(0000) knlGS:0000000000000000 [ 511.712086] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 511.712088] CR2: 0000000000000058 CR3: 00000000a4ce6000 CR4: 00000000000407e0 [ 511.712090] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 511.712091] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 511.712093] Process scsi_eh_11 (pid: 7322, threadinfo ffff880098d3a000, task ffff8800a61dde40) [ 511.712095] Stack: [ 511.712096] ffff880098d3bce0 ffffffff81060683 ffff880000000000 0000000000000000 [ 511.712099] ffff8800a4d24c80 ffff8800b5300000 ffff880098d3bcf0 ffffffffa0076a88 [ 511.712102] ffff880098d3bd50 ffffffffa0079bb5 ffff880000000000 ffff880000000018 [ 511.712106] Call Trace: [ 511.712110] [] complete+0x23/0x60 [ 511.712115] [] mvs_tmf_timedout+0x18/0x20 [mvsas] [ 511.712119] [] mvs_slot_complete+0x765/0x7d0 [mvsas] [ 511.712125] [] sas_scsi_recover_host+0x55d/0xdb0 [libsas] [ 511.712128] [] ? idle_balance+0xe0/0x130 [ 511.712133] [] scsi_error_handler+0xcc/0x470 [ 511.712136] [] ? __schedule+0x370/0x730 [ 511.712139] [] ? __wake_up_common+0x58/0x90 [ 511.712142] [] ? scsi_eh_get_sense+0x110/0x110 [ 511.712146] [] kthread+0x8e/0xa0 [ 511.712150] [] kernel_thread_helper+0x4/0x10 [ 511.712153] [] ? flush_kthread_work+0x120/0x120 [ 511.712156] [] ? gs_change+0xb/0xb [ 511.712157] Code: 8a 00 01 00 00 89 d0 f0 66 0f b1 0f 66 39 d0 0f 94 c0 0f b6 c0 5d c3 0f 1f 84 00 00 00 00 00 55 48 89 e5 9c 58 fa ba 00 01 00 00 66 0f c1 17 0f b6 ce 38 d1 74 11 0f 1f 84 00 00 00 00 00 f3 [ 511.712191] RIP [] _raw_spin_lock_irqsave+0xc/0x30 [ 511.712194] RSP [ 511.712196] CR2: 0000000000000058 [ 511.712198] ---[ end trace a781c7b1e65db92c ]--- Signed-off-by: Jianpeng Ma Signed-off-by: James Bottomley Cc: CAI Qian Signed-off-by: Greg Kroah-Hartman commit a565623f44aeafafc74a5763f765d5c8224bc4ad Author: Lars-Peter Clausen Date: Fri Dec 7 18:30:51 2012 +0100 ASoC: sigmadsp: Fix endianness conversion issue commit a3adb1432d7a3ad86bb17a1638e44414537e4118 upstream. The 'addr' field of the sigma_action struct is stored as big endian in the firmware file. Signed-off-by: Lars-Peter Clausen Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 2d2b65eeb598b687403aa0f06d4d7da97661958a Author: Stephan Gatzka Date: Wed Nov 28 20:04:32 2012 +0100 firewire: net: Fix handling of fragmented multicast/broadcast packets. commit 9d2373420900a39f5212a3b289331aa3535b1000 upstream. This patch fixes both the transmit and receive portion of sending fragmented mutlicast and broadcast packets. The transmit section was broken because the offset for INTFRAG and LASTFRAG packets were just miscalculated by IEEE1394_GASP_HDR_SIZE (which was reserved with skb_push() in fwnet_send_packet). The receive section was broken because in fwnet_incoming_packet is a call to fwnet_peer_find_by_node_id(). Called with generation == -1 it will not find a peer and the partial datagrams are associated to a peer. [Stefan R: The fix to use context->card->generation is not perfect. It relies on the IR tasklet which processes packets from the prior bus generation to run before the self-ID-complete worklet which sets the current card generation. Alas, there is no simple way of a race-free implementation. Let's do it this way for now.] Signed-off-by: Stephan Gatzka Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit 5004c75870b05d2ffd5974d1fd681a5a1b0d9f4c Author: Felix Fietkau Date: Mon Dec 10 14:03:17 2012 +0100 ath9k_hw: Fix signal strength / channel noise reporting commit b7c0c238898d200e80487516e2b67aba2a522cc0 upstream. While AR_PHY_CCA_NOM_VAL_* does contain the expected internal noise floor for a chip measured in clean air, it refers to the lowest expected reading. Depending on the frequency, this measurement can vary by about 6db, thus causing a higher reported channel noise and signal strength. Factor in the 6db offset when converting internal noisefloor to channel noise. This patch makes the reported values more accurate for all chips without affecting NF calibration behavior. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 324b9bebea9e335c8588bf5eefdcca7d932508e6 Author: Gabor Juhos Date: Sun Dec 9 23:57:09 2012 +0100 ath9k: ar9003: fix OTP register offsets for AR9340 commit b3cd8021379306c0be6932e4d3b4b01efc681769 upstream. Trying to access the OTP memory on the AR9340 causes a data bus error like this: Data bus error, epc == 86e84164, ra == 86e84164 Oops[#1]: Cpu 0 $ 0 : 00000000 00000061 deadc0de 00000000 $ 4 : b8115f18 00015f18 00000007 00000004 $ 8 : 00000001 7c7c3c7c 7c7c7c7c 7c7c7c7c $12 : 7c7c3c7c 001f0041 00000000 7c7c7c3c $16 : 86ee0000 00015f18 00000000 00000007 $20 : 00000004 00000064 00000004 86d71c44 $24 : 00000000 86e6ca00 $28 : 86d70000 86d71b20 86ece0c0 86e84164 Hi : 00000000 Lo : 00000064 epc : 86e84164 ath9k_hw_wait+0x58/0xb0 [ath9k_hw] Tainted: G O ra : 86e84164 ath9k_hw_wait+0x58/0xb0 [ath9k_hw] Status: 1100d403 KERNEL EXL IE Cause : 4080801c PrId : 0001974c (MIPS 74Kc) Modules linked in: ath9k(O+) ath9k_common(O) ath9k_hw(O) ath(O) ar934x_nfc mac80211(O) usbcore usb_common scsi_mod nls_base nand nand_ecc nand_ids crc_ccitt cfg80211(O) compat(O) arc4 aes_generic crypto_blkcipher cryptomgr aead crypto_hash crypto_algapi ledtrig_timer ledtrig_default_on leds_gpio Process insmod (pid: 459, threadinfo=86d70000, task=87942140, tls=779ac440) Stack : 802fb500 000200da 804db150 804e0000 87816130 86ee0000 00010000 86d71b88 86d71bc0 00000004 00000003 86e9fcd0 80305300 0002c0d0 86e74c50 800b4c20 000003e8 00000001 00000000 86ee0000 000003ff 86e9fd64 80305300 80123938 fffffffc 00000004 000058bc 00000000 86ea0000 86ee0000 000001ff 878d6000 99999999 86e9fdc0 86ee0fcc 86e9e664 0000c0d0 86ee0000 0000700000007000 ... Call Trace: [<86e84164>] ath9k_hw_wait+0x58/0xb0 [ath9k_hw] [<86e9fcd0>] ath9k_hw_setup_statusring+0x16b8/0x1c7c [ath9k_hw] Code: 0000a812 0040f809 00000000 <00531024> 1054000b 24020001 0c05b5dc 2404000a 26520001 The cause of the error is that the OTP register offsets are different on the AR9340 than the actually used values. Signed-off-by: Gabor Juhos Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 867f263c648dee508e0cdd857a44f69a1bc2fad7 Author: Felix Fietkau Date: Thu Dec 6 18:40:11 2012 +0100 Revert "ath9k_hw: Update AR9003 high_power tx gain table" commit 9c170e068636deb3e3f96114034bb711675f0faa upstream. This reverts commit f74b9d365ddd33a375802b064f96a5d0e99af7c0. Turns out reverting commit a240dc7b3c7463bd60cf0a9b2a90f52f78aae0fd "ath9k_hw: Updated AR9003 tx gain table for 5GHz" was not enough to bring the tx power back to normal levels on devices like the Buffalo WZR-HP-G450H, this one needs to be reverted as well. This revert improves tx power by ~10 db on that device Signed-off-by: Felix Fietkau Cc: rmanohar@qca.qualcomm.com Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ce19422296fb5fb5997d81e1b0043d771def7996 Author: Laura Abbott Date: Fri Jan 11 14:31:51 2013 -0800 mm: use aligned zone start for pfn_to_bitidx calculation commit c060f943d0929f3e429c5d9522290584f6281d6e upstream. The current calculation in pfn_to_bitidx assumes that (pfn - zone->zone_start_pfn) >> pageblock_order will return the same bit for all pfn in a pageblock. If zone_start_pfn is not aligned to pageblock_nr_pages, this may not always be correct. Consider the following with pageblock order = 10, zone start 2MB: pfn | pfn - zone start | (pfn - zone start) >> page block order ---------------------------------------------------------------- 0x26000 | 0x25e00 | 0x97 0x26100 | 0x25f00 | 0x97 0x26200 | 0x26000 | 0x98 0x26300 | 0x26100 | 0x98 This means that calling {get,set}_pageblock_migratetype on a single page will not set the migratetype for the full block. Fix this by rounding down zone_start_pfn when doing the bitidx calculation. For our use case, the effects of this bug were mostly tied to the fact that CMA allocations would either take a long time or fail to happen. Depending on the driver using CMA, this could result in anything from visual glitches to application failures. Signed-off-by: Laura Abbott Acked-by: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c0b96525363543a1ba6a277546ebc26ad9a53aa1 Author: Jason Liu Date: Fri Jan 11 14:31:47 2013 -0800 mm: compaction: fix echo 1 > compact_memory return error issue commit 7964c06d66c76507d8b6b662bffea770c29ef0ce upstream. when run the folloing command under shell, it will return error sh/$ echo 1 > /proc/sys/vm/compact_memory sh/$ sh: write error: Bad address After strace, I found the following log: ... write(1, "1\n", 2) = 3 write(1, "", 4294967295) = -1 EFAULT (Bad address) write(2, "echo: write error: Bad address\n", 31echo: write error: Bad address ) = 31 This tells system return 3(COMPACT_COMPLETE) after write data to compact_memory. The fix is to make the system just return 0 instead 3(COMPACT_COMPLETE) from sysctl_compaction_handler after compaction_nodes finished. Signed-off-by: Jason Liu Suggested-by: David Rientjes Acked-by: Mel Gorman Cc: Rik van Riel Cc: Minchan Kim Cc: KAMEZAWA Hiroyuki Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b1ca420793e505d04f3a47a74651af7c037774b7 Author: Huacai Chen Date: Mon Aug 13 20:52:24 2012 +0800 MIPS: Fix poweroff failure when HOTPLUG_CPU configured. commit 8add1ecb81f541ef2fcb0b85a5470ad9ecfb4a84 upstream. When poweroff machine, kernel_power_off() call disable_nonboot_cpus(). And if we have HOTPLUG_CPU configured, disable_nonboot_cpus() is not an empty function but attempt to actually disable the nonboot cpus. Since system state is SYSTEM_POWER_OFF, play_dead() won't be called and thus disable_nonboot_cpus() hangs. Therefore, we make this patch to avoid poweroff failure. Signed-off-by: Huacai Chen Signed-off-by: Hongliang Tao Signed-off-by: Hua Yan Cc: Yong Zhang Cc: Fuxin Zhang Cc: Zhangjin Wu Patchwork: https://patchwork.linux-mips.org/patch/4211/ Signed-off-by: Ralf Baechle Signed-off-by: Greg Kroah-Hartman commit 4305c46a628974e21e7939893476e4e735cd603c Author: Sebastian Ott Date: Fri Nov 30 16:48:59 2012 +0100 s390/cio: fix pgid reserved check commit d99e79ec5574fc556c988f613ed6175f6de66f4a upstream. The check to whom a device is reserved is done by checking the path state of the affected channel paths. If it turns out that one path is flagged as reserved by someone else the whole device is marked as such. However the meaning of the RESVD_ELSE bit is that the addressed device is reserved to a different pathgroup (and not reserved to a different LPAR). If we do this test on a path which is currently not a member of the pathgroup we could erroneously mark the device as reserved to someone else. To fix this collect the reserved state for all potential members of the pathgroup and only mark the device as reserved if all of those potential members have the RESVD_ELSE bit set. Acked-by: Peter Oberparleiter Signed-off-by: Sebastian Ott Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 9d4c74b86237ac64376b92c54cf7b471e7e75f76 Author: Alex Williamson Date: Thu Nov 29 14:07:59 2012 -0700 KVM: Fix user memslot overlap check commit 5419369ed6bd4cf711fdda5e52a5999b940413f5 upstream. Prior to memory slot sorting this loop compared all of the user memory slots for overlap with new entries. With memory slot sorting, we're just checking some number of entries in the array that may or may not be user slots. Instead, walk all the slots with kvm_for_each_memslot, which has the added benefit of terminating early when we hit the first empty slot, and skip comparison to private slots. Signed-off-by: Alex Williamson Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit 91534f7365982fa0c29192e73416dd798397310a Author: Gabor Juhos Date: Thu Dec 20 03:44:28 2012 +0000 powerpc: Add missing NULL terminator to avoid boot panic on PPC40x commit e6449c9b2d90c1bd9a5985bf05ddebfd1631cd6b upstream. The missing NULL terminator can cause a panic on PPC405 boards during boot: Linux/PowerPC load: console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs,jffs2 noinitrd init=/etc/preinit Finalizing device tree... flat tree at 0x6a5160 bootconsole [udbg0] enabled Page fault in user mode with in_atomic() = 1 mm = (null) NIP = c0275f50 MSR = fffffffe Oops: Weird page fault, sig: 11 [#1] PowerPC 40x Platform Modules linked in: NIP: c0275f50 LR: c0275f60 CTR: c0280000 REGS: c0275eb0 TRAP: 636f7265 Not tainted (3.7.1) MSR: fffffffe CR: c06a6190 XER: 00000001 TASK = c02662a8[0] 'swapper' THREAD: c0274000 GPR00: c0275ec0 c000c658 c027c4bf 00000000 c0275ee0 c000a0ec c020a1a8 c020a1f0 GPR08: c020f631 c020f404 c025f078 c025f080 c0275f10 Call Trace: ---[ end trace 31fd0ba7d8756001 ]--- Kernel panic - not syncing: Attempted to kill the idle task! The panic happens since commit 9597abe00c1bab2aedce6b49866bf6d1e81c9eed (sections: fix section conflicts in arch/powerpc), however the root cause of this is that the NULL terminator were not added in commit a4f740cf33f7f6c164bbde3c0cdbcc77b0c4997c (of/flattree: Add of_flat_dt_match() helper function). Signed-off-by: Gabor Juhos Cc: Grant Likely Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 23c4e04a835e6b538efc431e7310af9e924d6978 Author: Shan Hai Date: Thu Nov 8 15:57:49 2012 +0000 powerpc/vdso: Remove redundant locking in update_vsyscall_tz() commit ce73ec6db47af84d1466402781ae0872a9e7873c upstream. The locking in update_vsyscall_tz() is not only unnecessary because the vdso code copies the data unproteced in __kernel_gettimeofday() but also introduces a hard to reproduce race condition between update_vsyscall() and update_vsyscall_tz(), which causes user space process to loop forever in vdso code. The following patch removes the locking from update_vsyscall_tz(). Locking is not only unnecessary because the vdso code copies the data unprotected in __kernel_gettimeofday() but also erroneous because updating the tb_update_count is not atomic and introduces a hard to reproduce race condition between update_vsyscall() and update_vsyscall_tz(), which further causes user space process to loop forever in vdso code. The below scenario describes the race condition, x==0 Boot CPU other CPU proc_P: x==0 timer interrupt update_vsyscall x==1 x++;sync settimeofday update_vsyscall_tz x==2 x++;sync x==3 sync;x++ sync;x++ proc_P: x==3 (loops until x becomes even) Because the ++ operator would be implemented as three instructions and not atomic on powerpc. A similar change was made for x86 in commit 6c260d58634 ("x86: vdso: Remove bogus locking in update_vsyscall_tz") Signed-off-by: Shan Hai Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 55800cd51f64300f66c9c0e6eda015e1d6626a57 Author: Anton Blanchard Date: Sun Nov 11 19:01:05 2012 +0000 powerpc: Fix CONFIG_RELOCATABLE=y CONFIG_CRASH_DUMP=n build commit 11ee7e99f35ecb15f59b21da6a82d96d2cd3fcc8 upstream. If we build a kernel with CONFIG_RELOCATABLE=y CONFIG_CRASH_DUMP=n, the kernel fails when we run at a non zero offset. It turns out we were incorrectly wrapping some of the relocatable kernel code with CONFIG_CRASH_DUMP. Signed-off-by: Anton Blanchard Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 8fcd6a440a3d01216bd6d88ce00e7353b1813ec6 Author: Rafał Miłecki Date: Mon Dec 10 07:53:56 2012 +0100 bcma: mips: fix clearing device IRQ commit cbbc0138efe1dcd5426b8fc5d87741f5057aee72 upstream. We were using wrong IRQ number so clearing wasn't working at all. Depending on a platform this could result in a one device having two interrupts assigned. On BCM4706 this resulted in all IRQs being broken. Signed-off-by: Rafał Miłecki Cc: Hauke Mehrtens Acked-by: Hauke Mehrtens Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 2686f897e696630f02455b5fa269dd90312f5c8d Author: Felix Fietkau Date: Mon Dec 10 16:40:41 2012 +0100 ath5k: fix tx path skb leaks commit 596ab5ec3bf10a22be30d7cb1d903a4b83fd607c upstream. ieee80211_free_txskb() needs to be used instead of dev_kfree_skb_any for tx packets passed to the driver from mac80211 Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 7e7791e17f932363b8194a68f531d11952861993 Author: Mark Brown Date: Tue Nov 20 10:02:06 2012 +0900 regulator: wm831x: Set the new rather than old value for DVS VSEL commit 13ae633cf729b0ecb677b75b04886ff8fada8fad upstream. Reported-by: Guennadi Liakhovetski Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman