6 years agoARM: tegra: paz00: update defconfig chromeos-ac100-3.0-exp
Marc Dietrich [Sat, 26 May 2012 14:08:57 +0000 (16:08 +0200)]
ARM: tegra: paz00: update defconfig

enables clockgating and nvec gpio driver

6 years agoasoc: alc5632: remove some hacks
Marc Dietrich [Sat, 26 May 2012 13:12:42 +0000 (15:12 +0200)]
asoc: alc5632: remove some hacks

remove some hacks from commit 95f9dbc.

Signed-off-by: Marc Dietrich <>
6 years agommc: tegra: pull mmc driver changes from android kernel
Allen Martin [Fri, 23 Sep 2011 00:06:30 +0000 (17:06 -0700)]
mmc: tegra: pull mmc driver changes from android kernel

Change-Id: I8152b3af3229f6295b6392f26be30126c53f1b7f

6 years agommc: host: sdhci-pltfm: Add suspend and resume hooks to sdhci platform
Colin Cross [Fri, 6 May 2011 04:47:55 +0000 (21:47 -0700)]
mmc: host: sdhci-pltfm: Add suspend and resume hooks to sdhci platform

Change-Id: I062fbe91d8af14366a92af1a27e9dab49869905c
Signed-off-by: Colin Cross <>
6 years agommc: Add "ignore mmc pm notify" functionality
Dmitry Shmidt [Thu, 7 Oct 2010 21:39:16 +0000 (14:39 -0700)]
mmc: Add "ignore mmc pm notify" functionality

Signed-off-by: Dmitry Shmidt <>
6 years agort2x00: Use GFP_KERNEL for rx buffer allocation on USB devices
Marc Dietrich [Fri, 20 Apr 2012 17:42:21 +0000 (19:42 +0200)]
rt2x00: Use GFP_KERNEL for rx buffer allocation on USB devices

Since the RX path on USB devices is handled in process context we can
use GFP_KERNEL for RX buffer allocation. This should reduce the
likelihood of allocation failures.

Signed-off-by: Helmut Schaa <>
Signed-off-by: Marc Dietrich <>
6 years agoASoC: tegra+alc5632: Swap MICBIAS1 and MIC1 dapm widgets
Andrey Danin [Fri, 25 May 2012 20:27:02 +0000 (00:27 +0400)]
ASoC: tegra+alc5632: Swap MICBIAS1 and MIC1 dapm widgets

MICBIAS1 is internal widget. If MICBIAS1 is connected to board driver
instead of MIC1 asoc core enables widgets even if capture stream isn't

Signed-off-by: Andrey Danin <>
6 years agoARM: tegra: paz00: add paz00 specific events
Marc Dietrich [Mon, 9 Apr 2012 19:27:05 +0000 (21:27 +0200)]
ARM: tegra: paz00: add paz00 specific events

This adds the LID switch and the POWER butten events, which are
controlled by the NVEC.

Signed-Off: Marc Dietrich <>

6 years agostaging: nvec: make events configurable
Marc Dietrich [Mon, 9 Apr 2012 19:23:02 +0000 (21:23 +0200)]
staging: nvec: make events configurable

This removes the hard coded events and adds platform support for
board file configurable events.

Signed-off-by: Marc Dietrich <>
6 years agostaging: nvec: cleanup the string mess
Marc Dietrich [Mon, 9 Apr 2012 18:38:03 +0000 (20:38 +0200)]
staging: nvec: cleanup the string mess

This uses the newly introduced NVEC_CALL to cleanup the various
command string in the nvec driver.

Signed-off-by: Marc Dietrich <>
6 years agostaging: nvec: add NVEC_CALL macro
Marc Dietrich [Mon, 9 Apr 2012 15:32:09 +0000 (17:32 +0200)]
staging: nvec: add NVEC_CALL macro

Add two helper macros to make nvec calls more readable. The first
one NVEC_CMD_STR assembles a nvec command string while the second
one sends a command string via asynchronous write.

Signed-off-by: Marc Dietrich <>
6 years agoMerge commit 'v3.0.27' into chromeos-ac100-3.0-exp
Marc Dietrich [Tue, 3 Apr 2012 17:32:10 +0000 (19:32 +0200)]
Merge commit 'v3.0.27' into chromeos-ac100-3.0-exp


6 years agoARM: tegra: paz00: cleanup regulators
Marc Dietrich [Tue, 3 Apr 2012 16:22:11 +0000 (18:22 +0200)]
ARM: tegra: paz00: cleanup regulators

These were mostly copied from harmony and therefore a bit wrong.
Especially, the external mmc has no regulator at all while the
internal mmc is connected to ldo5 and not ldo3. There is also no
regulator for the panel and most other stuff enabled in harmony.

Signed-off-by: Marc Dietrich <>
6 years agoLinux 3.0.27
Greg Kroah-Hartman [Mon, 2 Apr 2012 16:28:56 +0000 (09:28 -0700)]
Linux 3.0.27

6 years agoASPM: Fix pcie devices with non-pcie children
Matthew Garrett [Tue, 27 Mar 2012 14:17:41 +0000 (10:17 -0400)]
ASPM: Fix pcie devices with non-pcie children

commit c9651e70ad0aa499814817cbf3cc1d0b806ed3a1 upstream.

Since 3.2.12 and 3.3, some systems are failing to boot with a BUG_ON.
Some other systems using the pata_jmicron driver fail to boot because no
disks are detected.  Passing pcie_aspm=force on the kernel command line
works around it.

The cause: commit 4949be16822e ("PCI: ignore pre-1.1 ASPM quirking when
ASPM is disabled") changed the behaviour of pcie_aspm_sanity_check() to
always return 0 if aspm is disabled, in order to avoid cases where we
changed ASPM state on pre-PCIe 1.1 devices.

This skipped the secondary function of pcie_aspm_sanity_check which was
to avoid us enabling ASPM on devices that had non-PCIe children, causing
trouble later on.  Move the aspm_disabled check so we continue to honour
that scenario.

Addresses and

Reported-by: Romain Francoise <> # kernel panic
Reported-by: Chris Holland <> # disk detection trouble
Signed-off-by: Matthew Garrett <>
Tested-by: Hatem Masmoudi <> # Dell Latitude E5520
Tested-by: janek <> # pata_jmicron with JMB362/JMB363
[jn: with more symptoms in log message]
Signed-off-by: Jonathan Nieder <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoserial: sh-sci: fix a race of DMA submit_tx on transfer
Yoshii Takashi [Wed, 14 Mar 2012 07:14:43 +0000 (16:14 +0900)]
serial: sh-sci: fix a race of DMA submit_tx on transfer

commit 49d4bcaddca977fffdea8b0b71f6e5da96dac78e upstream.

When DMA is enabled, sh-sci transfer begins with
    if (cookie_tx < 0) schedule_work()
Then, starts DMA when wq scheduled, -- (A)
   cookie_tx = desc->submit_tx()
And finishes when DMA transfer ends, -- (B)
  cookie_tx = -EINVAL
  (possible another schedule_work())

This A to B sequence is not reentrant, since controlling variables
(for example, cookie_tx above) are not queues nor lists. So, they
must be invoked as A B A B..., otherwise results in kernel crash.

To ensure the sequence, sci_start_tx() seems to test if cookie_tx < 0
(represents "not used") to call schedule_work().
But cookie_tx will not be set (to a cookie, also means "used") until
in the middle of work queue scheduled function work_fn_tx().

This gap between the test and set allows the breakage of the sequence
under the very frequently call of uart_start().
Another gap between async_tx_ack() and another schedule_work() results
in the same issue, too.

This patch introduces a new condition "cookie_tx == 0" just to mark
it is "busy" and assign it within spin-locked region to fill the gaps.

Signed-off-by: Takashi Yoshii <>
Reviewed-by: Guennadi Liakhovetski <>
Signed-off-by: Paul Mundt <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agonfsd: don't allow zero length strings in cache_parse()
Dan Carpenter [Wed, 18 Jan 2012 09:56:02 +0000 (12:56 +0300)]
nfsd: don't allow zero length strings in cache_parse()

commit 6d8d17499810479eabd10731179c04b2ca22152f upstream.

There is no point in passing a zero length string here and quite a
few of that cache_parse() implementations will Oops if count is

Signed-off-by: Dan Carpenter <>
Signed-off-by: J. Bruce Fields <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agocompat: use sys_sendfile64() implementation for sendfile syscall
Chris Metcalf [Mon, 26 Mar 2012 20:26:12 +0000 (16:26 -0400)]
compat: use sys_sendfile64() implementation for sendfile syscall

commit 1631fcea8399da5e80a80084b3b8c5bfd99d21e7 upstream.

<asm-generic/unistd.h> was set up to use sys_sendfile() for the 32-bit
compat API instead of sys_sendfile64(), but in fact the right thing to
do is to use sys_sendfile64() in all cases.  The 32-bit sendfile64() API
in glibc uses the sendfile64 syscall, so it has to be capable of doing
full 64-bit operations.  But the sys_sendfile() kernel implementation
has a MAX_NON_LFS test in it which explicitly limits the offset to 2^32.
So, we need to use the sys_sendfile64() implementation in the kernel
for this case.

Acked-by: Arnd Bergmann <>
Signed-off-by: Chris Metcalf <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agox86, tls: Off by one limit check
Dan Carpenter [Sat, 24 Mar 2012 07:52:50 +0000 (10:52 +0300)]
x86, tls: Off by one limit check

commit 8f0750f19789cf352d7e24a6cc50f2ab1b4f1372 upstream.

These are used as offsets into an array of GDT_ENTRY_TLS_ENTRIES members
so GDT_ENTRY_TLS_ENTRIES is one past the end of the array.

Signed-off-by: Dan Carpenter <>
Signed-off-by: H. Peter Anvin <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agox86, tsc: Skip refined tsc calibration on systems with reliable TSC
Alok Kataria [Wed, 22 Feb 2012 02:19:55 +0000 (18:19 -0800)]
x86, tsc: Skip refined tsc calibration on systems with reliable TSC

commit 57779dc2b3b75bee05ef5d1ada47f615f7a13932 upstream.

While running the latest Linux as guest under VMware in highly
over-committed situations, we have seen cases when the refined TSC
algorithm fails to get a valid tsc_start value in
tsc_refine_calibration_work from multiple attempts. As a result the
kernel keeps on scheduling the tsc_irqwork task for later. Subsequently
after several attempts when it gets a valid start value it goes through
the refined calibration and either bails out or uses the new results.
Given that the kernel originally read the TSC frequency from the
platform, which is the best it can get, I don't think there is much
value in refining it.

So  for systems which get the TSC frequency from the platform we
should skip the refined tsc algorithm.

We can use the TSC_RELIABLE cpu cap flag to detect this, right now it is
set only on VMware and for Moorestown Penwell both of which have there
own TSC calibration methods.

Signed-off-by: Alok N Kataria <>
Cc: John Stultz <>
Cc: Dirk Brandewie <>
Cc: Alan Cox <>
[jstultz: Reworked to simply not schedule the refining work,
rather then scheduling the work and bombing out later]
Signed-off-by: John Stultz <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agolockd: fix arg parsing for grace_period and timeout.
NeilBrown [Tue, 7 Feb 2012 04:35:42 +0000 (15:35 +1100)]
lockd: fix arg parsing for grace_period and timeout.

commit de5b8e8e047534aac6bc9803f96e7257436aef9c upstream.

If you try to set grace_period or timeout via a module parameter
to lockd, and do this on a big-endian machine where

   sizeof(int) != sizeof(unsigned long)

it won't work.  This number given will be effectively shifted right
by the difference in those two sizes.

So cast kp->arg properly to get correct result.

Signed-off-by: NeilBrown <>
Signed-off-by: J. Bruce Fields <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoxfrm: Access the replay notify functions via the registered callbacks
Steffen Klassert [Wed, 21 Mar 2012 23:36:13 +0000 (23:36 +0000)]
xfrm: Access the replay notify functions via the registered callbacks

[ Upstream commit 1265fd616782ef03b98fd19f65c2b47fcd4ea11f ]

We call the wrong replay notify function when we use ESN replay
handling. This leads to the fact that we don't send notifications
if we use ESN. Fix this by calling the registered callbacks instead
of xfrm_replay_notify().

Signed-off-by: Steffen Klassert <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agosky2: override for PCI legacy power management
stephen hemminger [Wed, 21 Mar 2012 05:32:05 +0000 (05:32 +0000)]
sky2: override for PCI legacy power management

[ Upstream commit 5676cc7bfe1e388e87843f71daa229610385b41e ]

Some BIOS's don't setup power management correctly (what else is
new) and don't allow use of PCI Express power control. Add a special
exception module parameter to allow working around this issue.
Based on slightly different patch by Knut Petersen.

Reported-by: Arkadiusz Miskiewicz <>
Signed-off-by: Stephen Hemminger <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoRemove printk from rds_sendmsg
Dave Jones [Mon, 19 Mar 2012 13:01:07 +0000 (13:01 +0000)]
Remove printk from rds_sendmsg

[ Upstream commit a6506e1486181975d318344143aca722b2b91621 ]

no socket layer outputs a message for this error and neither should rds.

Signed-off-by: Dave Jones <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agonet: fix napi_reuse_skb() skb reserve
Eric Dumazet [Wed, 21 Mar 2012 06:58:03 +0000 (06:58 +0000)]
net: fix napi_reuse_skb() skb reserve

[ Upstream commit 2a2a459eeeff48640dc557548ce576d666ab06ed ]

napi->skb is allocated in napi_get_frags() using
netdev_alloc_skb_ip_align(), with a reserve of NET_SKB_PAD +

However, when such skb is recycled in napi_reuse_skb(), it ends with a
reserve of NET_IP_ALIGN which is suboptimal.

Signed-off-by: Eric Dumazet <>
Cc: Herbert Xu <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agonet: fix a potential rcu_read_lock() imbalance in rt6_fill_node()
Eric Dumazet [Tue, 27 Mar 2012 09:53:52 +0000 (09:53 +0000)]
net: fix a potential rcu_read_lock() imbalance in rt6_fill_node()

[ Upstream commit 94f826b8076e2cb92242061e92f21b5baa3eccc2 ]

Commit f2c31e32b378 (net: fix NULL dereferences in check_peer_redir() )
added a regression in rt6_fill_node(), leading to rcu_read_lock()

Thats because NLA_PUT() can make a jump to nla_put_failure label.

Fix this by using nla_put()

Many thanks to Ben Greear for his help

Reported-by: Ben Greear <>
Reported-by: Dave Jones <>
Signed-off-by: Eric Dumazet <>
Tested-by: Ben Greear <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agonet: bpf_jit: fix BPF_S_LDX_B_MSH compilation
Eric Dumazet [Sun, 18 Mar 2012 02:40:48 +0000 (02:40 +0000)]
net: bpf_jit: fix BPF_S_LDX_B_MSH compilation

[ Upstream commit dc72d99dabb870ca5bd6d9fff674be853bb4a88d ]

Matt Evans spotted that x86 bpf_jit was incorrectly handling negative
constant offsets in BPF_S_LDX_B_MSH instruction.

We need to abort JIT compilation like we do in common_load so that
filter uses the interpreter code and can call __load_pointer()


Thanks to Indan Zupancic to bring back this issue.

Reported-by: Matt Evans <>
Reported-by: Indan Zupancic <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoFix pppol2tp getsockname()
Benjamin LaHaise [Tue, 20 Mar 2012 03:57:54 +0000 (03:57 +0000)]
Fix pppol2tp getsockname()

[ Upstream commit bbdb32cb5b73597386913d052165423b9d736145 ]

While testing L2TP functionality, I came across a bug in getsockname().  The
IP address returned within the pppol2tp_addr's addr memember was not being
set to the IP  address in use.  This bug is caused by using inet_sk() on the
wrong socket (the L2TP socket rather than the underlying UDP socket), and was
likely introduced during the addition of L2TPv3 support.

Signed-off-by: Benjamin LaHaise <>
Signed-off-by: James Chapman <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agodrm/i915: suspend fbdev device around suspend/hibernate
Dave Airlie [Wed, 28 Mar 2012 09:48:49 +0000 (10:48 +0100)]
drm/i915: suspend fbdev device around suspend/hibernate

commit 3fa016a0b5c5237e9c387fc3249592b2cb5391c6 upstream.

Looking at hibernate overwriting I though it looked like a cursor,
so I tracked down this missing piece to stop the cursor blink
timer. I've no idea if this is sufficient to fix the hibernate
problems people are seeing, but please test it.

Both radeon and nouveau have done this for a long time.

I've run this personally all night hib/resume cycles with no fails.

Reviewed-by: Keith Packard <>
Reported-by: Petr Tesarik <>
Reported-by: Stanislaw Gruszka <>
Reported-by: Lots of misc segfaults after hibernate across the world.
Tested-by: Dave Airlie <>
Tested-by: Bojan Smojver <>
Tested-by: Andreas Hartmann <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoBluetooth: btusb: fix bInterval for high/super speed isochronous endpoints
Bing Zhao [Wed, 21 Dec 2011 02:19:00 +0000 (18:19 -0800)]
Bluetooth: btusb: fix bInterval for high/super speed isochronous endpoints

commit fa0fb93f2ac308a76fa64eb57c18511dadf97089 upstream.

For high-speed/super-speed isochronous endpoints, the bInterval
value is used as exponent, 2^(bInterval-1). Luckily we have
usb_fill_int_urb() function that handles it correctly. So we just
call this function to fill in the RX URB.

Cc: Marcel Holtmann <>
Signed-off-by: Bing Zhao <>
Acked-by: Marcel Holtmann <>
Signed-off-by: Gustavo F. Padovan <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agomodule: Remove module size limit
Sasha Levin [Tue, 31 Jan 2012 04:07:22 +0000 (23:07 -0500)]
module: Remove module size limit

commit f946eeb9313ff1470758e171a60fe7438a2ded3f upstream.

Module size was limited to 64MB, this was legacy limitation due to vmalloc()
which was removed a while ago.

Limiting module size to 64MB is both pointless and affects real world use

Cc: Tim Abbott <>
Signed-off-by: Sasha Levin <>
Signed-off-by: Rusty Russell <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoslub: Do not hold slub_lock when calling sysfs_slab_add()
Christoph Lameter [Tue, 17 Jan 2012 15:27:31 +0000 (09:27 -0600)]
slub: Do not hold slub_lock when calling sysfs_slab_add()

commit 66c4c35c6bc5a1a452b024cf0364635b28fd94e4 upstream.

sysfs_slab_add() calls various sysfs functions that actually may
end up in userspace doing all sorts of things.

Release the slub_lock after adding the kmem_cache structure to the list.
At that point the address of the kmem_cache is not known so we are
guaranteed exlusive access to the following modifications to the
kmem_cache structure.

If the sysfs_slab_add fails then reacquire the slub_lock to
remove the kmem_cache structure from the list.

Reported-by: Sasha Levin <>
Acked-by: Eric Dumazet <>
Signed-off-by: Christoph Lameter <>
Signed-off-by: Pekka Enberg <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoxfs: Fix oops on IO error during xlog_recover_process_iunlinks()
Jan Kara [Thu, 15 Mar 2012 09:34:02 +0000 (09:34 +0000)]
xfs: Fix oops on IO error during xlog_recover_process_iunlinks()

commit d97d32edcd732110758799ae60af725e5110b3dc upstream.

When an IO error happens during inode deletion run from
xlog_recover_process_iunlinks() filesystem gets shutdown. Thus any subsequent
attempt to read buffers fails. Code in xlog_recover_process_iunlinks() does not
count with the fact that read of a buffer which was read a while ago can
really fail which results in the oops on
  agi = XFS_BUF_TO_AGI(agibp);

Fix the problem by cleaning up the buffer handling in
xlog_recover_process_iunlinks() as suggested by Dave Chinner. We release buffer
lock but keep buffer reference to AG buffer. That is enough for buffer to stay
pinned in memory and we don't have to call xfs_read_agi() all the time.

Signed-off-by: Jan Kara <>
Reviewed-by: Dave Chinner <>
Signed-off-by: Ben Myers <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agobacklight: fix typo in tosa_lcd.c
Masanari Iida [Wed, 28 Mar 2012 21:42:56 +0000 (14:42 -0700)]
backlight: fix typo in tosa_lcd.c

commit 8da00edc1069f01c34510fa405dc15d96c090a3f upstream.

Fix typo in drivers/video/backlight/tosa_lcd.c
"tosa_lcd_reume" should be "tosa_lcd_resume".

Signed-off-by: Masanari Iida <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agodm exception store: fix init error path
Andrei Warkentin [Wed, 28 Mar 2012 17:41:22 +0000 (18:41 +0100)]
dm exception store: fix init error path

commit aadbe266f2f89ccc68b52f4effc7b3a8b29521ef upstream.

Call the correct exit function on failure in dm_exception_store_init.

Signed-off-by: Andrei Warkentin <>
Acked-by: Mike Snitzer <>
Signed-off-by: Alasdair G Kergon <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agodm crypt: add missing error handling
Mikulas Patocka [Wed, 28 Mar 2012 17:41:22 +0000 (18:41 +0100)]
dm crypt: add missing error handling

commit 72c6e7afc43e19f68a31dea204fc366624d6eee9 upstream.

Always set io->error to -EIO when an error is detected in dm-crypt.

There were cases where an error code would be set only if we finish
processing the last sector. If there were other encryption operations in
flight, the error would be ignored and bio would be returned with
success as if no error happened.

This bug is present in kcryptd_crypt_write_convert, kcryptd_crypt_read_convert
and kcryptd_async_done.

Signed-off-by: Mikulas Patocka <>
Reviewed-by: Milan Broz <>
Signed-off-by: Alasdair G Kergon <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agodm crypt: fix mempool deadlock
Mikulas Patocka [Wed, 28 Mar 2012 17:41:22 +0000 (18:41 +0100)]
dm crypt: fix mempool deadlock

commit aeb2deae2660a1773c83d3c6e9e6575daa3855d6 upstream.

This patch fixes a possible deadlock in dm-crypt's mempool use.

Currently, dm-crypt reserves a mempool of MIN_BIO_PAGES reserved pages.
It allocates first MIN_BIO_PAGES with non-failing allocation (the allocation
cannot fail and waits until the mempool is refilled). Further pages are
allocated with different gfp flags that allow failing.

Because allocations may be done in parallel, this code can deadlock. Example:
There are two processes, each tries to allocate MIN_BIO_PAGES and the processes
run simultaneously.
It may end up in a situation where each process allocates (MIN_BIO_PAGES / 2)
pages. The mempool is exhausted. Each process waits for more pages to be freed
to the mempool, which never happens.

To avoid this deadlock scenario, this patch changes the code so that only
the first page is allocated with non-failing gfp mask. Allocation of further
pages may fail.

Signed-off-by: Mikulas Patocka <>
Signed-off-by: Milan Broz <>
Signed-off-by: Alasdair G Kergon <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoudf: Fix deadlock in udf_release_file()
Jan Kara [Mon, 20 Feb 2012 16:49:56 +0000 (17:49 +0100)]
udf: Fix deadlock in udf_release_file()

commit a0391a3ae91d301c0e59368531a4de5f0b122bcf upstream.

udf_release_file() can be called from munmap() path with mmap_sem held.  Thus
we cannot take i_mutex there because that ranks above mmap_sem. Luckily,
i_mutex is not needed in udf_release_file() anymore since protection by
i_data_sem is enough to protect from races with write and truncate.

Reported-by: Al Viro <>
Reviewed-by: Namjae Jeon <>
Signed-off-by: Jan Kara <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agovfs: fix d_ancestor() case in d_materialize_unique
Michel Lespinasse [Tue, 27 Mar 2012 00:32:44 +0000 (17:32 -0700)]
vfs: fix d_ancestor() case in d_materialize_unique

commit b18dafc86bb879d2f38a1743985d7ceb283c2f4d upstream.

In d_materialise_unique() there are 3 subcases to the 'aliased dentry'
case; in two subcases the inode i_lock is properly released but this
does not occur in the -ELOOP subcase.

This seems to have been introduced by commit 1836750115f2 ("fix loop
checks in d_materialise_unique()").

Signed-off-by: Michel Lespinasse <>
[ Added a comment, and moved the unlock to where we generate the -ELOOP,
  which seems to be more natural.

  You probably can't actually trigger this without a buggy network file
  server - d_materialize_unique() is for finding aliases on non-local
  filesystems, and the d_ancestor() case is for a hardlinked directory

  But we should be robust in the case of such buggy servers anyway. ]
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoext4: check for zero length extent
Theodore Ts'o [Mon, 12 Mar 2012 03:30:16 +0000 (23:30 -0400)]
ext4: check for zero length extent

commit 31d4f3a2f3c73f279ff96a7135d7202ef6833f12 upstream.

Explicitly test for an extent whose length is zero, and flag that as a
corrupted extent.

This avoids a kernel BUG_ON assertion failure.

Tested: Without this patch, the file system image found in
tests/f_ext_zero_len/image.gz in the latest e2fsprogs sources causes a
kernel panic.  With this patch, an ext4 file system error is noted
instead, and the file system is marked as being corrupted.

Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoext4: ignore EXT4_INODE_JOURNAL_DATA flag with delalloc
Lukas Czerner [Mon, 20 Feb 2012 22:53:00 +0000 (17:53 -0500)]
ext4: ignore EXT4_INODE_JOURNAL_DATA flag with delalloc

commit 3d2b158262826e8b75bbbfb7b97010838dd92ac7 upstream.

Ext4 does not support data journalling with delayed allocation enabled.
We even do not allow to mount the file system with delayed allocation
and data journalling enabled, however it can be set via FS_IOC_SETFLAGS
so we can hit the inode with EXT4_INODE_JOURNAL_DATA set even on file
system mounted with delayed allocation (default) and that's where
problem arises. The easies way to reproduce this problem is with the
following set of commands:

 mkfs.ext4 /dev/sdd
 mount /dev/sdd /mnt/test1
 dd if=/dev/zero of=/mnt/test1/file bs=1M count=4
 chattr +j /mnt/test1/file
 dd if=/dev/zero of=/mnt/test1/file bs=1M count=4 conv=notrunc
 chattr -j /mnt/test1/file

Additionally it can be reproduced quite reliably with xfstests 272 and
269. In fact the above reproducer is a part of test 272.

To fix this we should ignore the EXT4_INODE_JOURNAL_DATA inode flag if
the file system is mounted with delayed allocation. This can be easily
done by fixing ext4_should_*_data() functions do ignore data journal
flag when delalloc is set (suggested by Ted). We also have to set the
appropriate address space operations for the inode (again, ignoring data
journal flag if delalloc enabled).

Additionally this commit introduces ext4_inode_journal_mode() function
because ext4_should_*_data() has already had a lot of common code and
this change is putting it all into one function so it is easier to

Successfully tested with xfstests in following configurations:

delalloc + data=ordered
delalloc + data=writeback
nodelalloc + data=ordered
nodelalloc + data=writeback
nodelalloc + data=journal

Signed-off-by: Lukas Czerner <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agojbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer
Eric Sandeen [Mon, 20 Feb 2012 22:53:01 +0000 (17:53 -0500)]
jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer

commit 15291164b22a357cb211b618adfef4fa82fc0de3 upstream.

journal_unmap_buffer()'s zap_buffer: code clears a lot of buffer head
state ala discard_buffer(), but does not touch _Delay or _Unwritten as
discard_buffer() does.

This can be problematic in some areas of the ext4 code which assume
that if they have found a buffer marked unwritten or delay, then it's
a live one.  Perhaps those spots should check whether it is mapped
as well, but if jbd2 is going to tear down a buffer, let's really
tear it down completely.

Without this I get some fsx failures on sub-page-block filesystems
up until v3.2, at which point 4e96b2dbbf1d7e81f22047a50f862555a6cb87cb
and 189e868fa8fdca702eb9db9d8afc46b5cb9144c9 make the failures go
away, because buried within that large change is some more flag
clearing.  I still think it's worth doing in jbd2, since
->invalidatepage leads here directly, and it's the right place
to clear away these flags.

Signed-off-by: Eric Sandeen <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoext4: flush any pending end_io requests before DIO reads w/dioread_nolock
Jiaying Zhang [Fri, 19 Aug 2011 23:13:32 +0000 (19:13 -0400)]
ext4: flush any pending end_io requests before DIO reads w/dioread_nolock

commit dccaf33fa37a1bc5d651baeb3bfeb6becb86597b upstream.

(backported to 3.0 by mjt)

There is a race between ext4 buffer write and direct_IO read with
dioread_nolock mount option enabled. The problem is that we clear
PageWriteback flag during end_io time but will do
uninitialized-to-initialized extent conversion later with dioread_nolock.
If an O_direct read request comes in during this period, ext4 will return
zero instead of the recently written data.

This patch checks whether there are any pending uninitialized-to-initialized
extent conversion requests before doing O_direct read to close the race.
Note that this is just a bandaid fix. The fundamental issue is that we
clear PageWriteback flag before we really complete an IO, which is
problem-prone. To fix the fundamental issue, we may need to implement an
extent tree cache that we can use to look up pending to-be-converted extents.

Signed-off-by: Jiaying Zhang <>
Signed-off-by: "Theodore Ts'o" <>
Cc: Jan Kara <>
Signed-off-by: Michael Tokarev <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoPM / Hibernate: Enable usermodehelpers in hibernate() error path
Srivatsa S. Bhat [Fri, 17 Feb 2012 22:39:51 +0000 (23:39 +0100)]
PM / Hibernate: Enable usermodehelpers in hibernate() error path

commit 05b4877f6a4f1ba4952d1222213d262bf8c132b7 upstream.

If create_basic_memory_bitmaps() fails, usermodehelpers are not re-enabled
before returning. Fix this. And while at it, reword the goto labels so that
they look more meaningful.

Signed-off-by: Srivatsa S. Bhat <>
Signed-off-by: Rafael J. Wysocki <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoe1000e: Avoid wrong check on TX hang
Jeff Kirsher [Fri, 18 Nov 2011 14:25:00 +0000 (14:25 +0000)]
e1000e: Avoid wrong check on TX hang

commit 09357b00255c233705b1cf6d76a8d147340545b8 upstream.

Based on the original patch submitted my Michael Wang
Descriptors may not be write-back while checking TX hang with flag
So when we detect hang, we just flush the descriptor and detect
again for once.

-v2 change 1 to true and 0 to false and remove extra ()

CC: Michael Wang <>
CC: Flavio Leitner <>
Acked-by: Jesse Brandeburg <>
Tested-by: Aaron Brown <>
Signed-off-by: Jeff Kirsher <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agopvrusb2: fix 7MHz & 8MHz DVB-T tuner support for HVR1900 rev D1F5
Michael Krufky [Tue, 7 Feb 2012 16:28:33 +0000 (13:28 -0300)]
pvrusb2: fix 7MHz & 8MHz DVB-T tuner support for HVR1900 rev D1F5

commit 9ab2393fc3e460cd2040de1483918eb17abb822f upstream.

The D1F5 revision of the WinTV HVR-1900 uses a tda18271c2 tuner
instead of a tda18271c1 tuner as used in revision D1E9. To
account for this, we must hardcode the frontend configuration
to use the same IF frequency configuration for both revisions
of the device.

6MHz DVB-T is unaffected by this issue, as the recommended
IF Frequency configuration for 6MHz DVB-T is the same on both
c1 and c2 revisions of the tda18271 tuner.

Signed-off-by: Michael Krufky <>
Cc: Mike Isely <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agolgdt330x: fix signedness error in i2c_read_demod_bytes()
Xi Wang [Tue, 14 Feb 2012 17:32:41 +0000 (14:32 -0300)]
lgdt330x: fix signedness error in i2c_read_demod_bytes()

commit 34817174fca0c5512c2d5b6ea0fc37a0337ce1d8 upstream.

The error handling in lgdt3303_read_status() and lgdt330x_read_ucblocks()
doesn't work, because i2c_read_demod_bytes() returns a u8 and (err < 0)
is always false.

        err = i2c_read_demod_bytes(state, 0x58, buf, 1);
        if (err < 0)
                return err;

Change the return type of i2c_read_demod_bytes() to int.  Also change
the return value on error to -EIO to make (err < 0) work.

Signed-off-by: Xi Wang <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agohwmon: (fam15h_power) Correct sign extension of running_avg_capture
Andreas Herrmann [Fri, 23 Mar 2012 09:02:17 +0000 (10:02 +0100)]
hwmon: (fam15h_power) Correct sign extension of running_avg_capture

commit fc0900cbda9243957d812cd6b4cc87965f9fe75f upstream.

Wrong bit was used for sign extension which caused wrong end results.
Thanks to Andre for spotting this bug.

Reported-by: Andre Przywara <>
Signed-off-by: Andreas Herrmann <>
Acked-by: Guenter Roeck <>
Signed-off-by: Jean Delvare <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoproc-ns: use d_set_d_op() API to set dentry ops in proc_ns_instantiate().
Pravin B Shelar [Fri, 23 Mar 2012 22:02:55 +0000 (15:02 -0700)]
proc-ns: use d_set_d_op() API to set dentry ops in proc_ns_instantiate().

commit 1b26c9b334044cff6d1d2698f2be41bc7d9a0864 upstream.

The namespace cleanup path leaks a dentry which holds a reference count
on a network namespace.  Keeping that network namespace from being freed
when the last user goes away.  Leaving things like vlan devices in the
leaked network namespace.

If you use ip netns add for much real work this problem becomes apparent
pretty quickly.  It light testing the problem hides because frequently
you simply don't notice the leak.

Use d_set_d_op() so that DCACHE_OP_* flags are set correctly.

This issue exists back to 3.0.

Acked-by: "Eric W. Biederman" <>
Reported-by: Justin Pettit <>
Signed-off-by: Pravin B Shelar <>
Signed-off-by: Jesse Gross <>
Cc: David Miller <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agox86-32: Fix endless loop when processing signals for kernel tasks
Dmitry Adamushko [Thu, 22 Mar 2012 20:39:25 +0000 (21:39 +0100)]
x86-32: Fix endless loop when processing signals for kernel tasks

commit 29a2e2836ff9ea65a603c89df217f4198973a74f upstream.

The problem occurs on !CONFIG_VM86 kernels [1] when a kernel-mode task
returns from a system call with a pending signal.

A real-life scenario is a child of 'khelper' returning from a failed
kernel_execve() in ____call_usermodehelper() [ kernel/kmod.c ].
kernel_execve() fails due to a pending SIGKILL, which is the result of
"kill -9 -1" (at least, busybox's init does it upon reboot).

The loop is as follows:

* syscall_exit_work:
 - work_pending:            // start_of_the_loop
 - work_notify_sig:
   - do_notify_resume()
     - do_signal()
       - if (!user_mode(regs)) return;
 - resume_userspace         // TIF_SIGPENDING is still set
 - work_pending             // so we call work_pending => goto
                            // start_of_the_loop

More information can be found in another LKML thread:,457826

[1] the problem was also seen on MIPS.

Signed-off-by: Dmitry Adamushko <>
Cc: Oleg Nesterov <>
Cc: Roland McGrath <>
Cc: Andrew Morton <>
Signed-off-by: H. Peter Anvin <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agousbnet: don't clear urb->dev in tx_complete [Thu, 22 Mar 2012 03:22:38 +0000 (03:22 +0000)]
usbnet: don't clear urb->dev in tx_complete

commit 5d5440a835710d09f0ef18da5000541ec98b537a upstream.

URB unlinking is always racing with its completion and tx_complete
may be called before or during running usb_unlink_urb, so tx_complete
must not clear urb->dev since it will be used in unlink path,
otherwise invalid memory accesses or usb device leak may be caused
inside usb_unlink_urb.

Cc: Alan Stern <>
Cc: Oliver Neukum <>
Signed-off-by: Ming Lei <>
Acked-by: Greg Kroah-Hartman <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agousbnet: increase URB reference count before usb_unlink_urb [Thu, 22 Mar 2012 03:22:18 +0000 (03:22 +0000)]
usbnet: increase URB reference count before usb_unlink_urb

commit 0956a8c20b23d429e79ff86d4325583fc06f9eb4 upstream.

Commit 4231d47e6fe69f061f96c98c30eaf9fb4c14b96d(net/usbnet: avoid
recursive locking in usbnet_stop()) fixes the recursive locking
problem by releasing the skb queue lock, but it makes usb_unlink_urb
racing with defer_bh, and the URB to being unlinked may be freed before
or during calling usb_unlink_urb, so use-after-free problem may be
triggerd inside usb_unlink_urb.

The patch fixes the use-after-free problem by increasing URB
reference count with skb queue lock held before calling
usb_unlink_urb, so the URB won't be freed until return from

Cc: Sebastian Andrzej Siewior <>
Cc: Alan Stern <>
Cc: Oliver Neukum <>
Reported-by: Dave Jones <>
Signed-off-by: Ming Lei <>
Acked-by: Greg Kroah-Hartman <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoSUNRPC: We must not use list_for_each_entry_safe() in rpc_wake_up()
Trond Myklebust [Mon, 19 Mar 2012 17:39:35 +0000 (13:39 -0400)]
SUNRPC: We must not use list_for_each_entry_safe() in rpc_wake_up()

commit 540a0f7584169651f485e8ab67461fcb06934e38 upstream.

The problem is that for the case of priority queues, we
have to assume that __rpc_remove_wait_queue_priority will move new
elements from the tk_wait.links lists into the queue->tasks[] list.
We therefore cannot use list_for_each_entry_safe() on queue->tasks[],
since that will skip these new tasks that __rpc_remove_wait_queue_priority
is adding.

Without this fix, rpc_wake_up and rpc_wake_up_status will both fail
to wake up all functions on priority wait queues, which can result
in some nasty hangs.

Reported-by: Andy Adamson <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoUBI: fix eraseblock picking criteria
Artem Bityutskiy [Wed, 7 Mar 2012 17:08:36 +0000 (19:08 +0200)]
UBI: fix eraseblock picking criteria

commit 7eb3aa65853e1b223bfc786b023b702018cb76c0 upstream.

The 'find_wl_entry()' function expects the maximum difference as the second
argument, not the maximum absolute value. So the "unknown" eraseblock picking
was incorrect, as Shmulik Ladkani spotted. This patch fixes the issue.

Reported-by: Shmulik Ladkani <>
Signed-off-by: Artem Bityutskiy <>
Reviewed-by: Shmulik Ladkani <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoUBI: fix error handling in ubi_scan()
Richard Weinberger [Mon, 30 Jan 2012 17:20:13 +0000 (18:20 +0100)]
UBI: fix error handling in ubi_scan()

commit a29852be492d61001d86c6ebf5fff9b93d7b4be9 upstream.

Two bad things can happen in ubi_scan():
1. If kmem_cache_create() fails we jump to out_si and call
   ubi_scan_destroy_si() which calls kmem_cache_destroy().
   But si->scan_leb_slab is NULL.
2. If process_eb() fails we jump to out_vidh, call
   kmem_cache_destroy() and ubi_scan_destroy_si() which calls
   again kmem_cache_destroy().

Signed-off-by: Richard Weinberger <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agocifs: fix issue mounting of DFS ROOT when redirecting from one domain controller...
Jeff Layton [Wed, 21 Mar 2012 10:30:40 +0000 (06:30 -0400)]
cifs: fix issue mounting of DFS ROOT when redirecting from one domain controller to the next

commit 1daaae8fa4afe3df78ca34e724ed7e8187e4eb32 upstream.

This patch fixes an issue when cifs_mount receives a
STATUS_BAD_NETWORK_NAME error during cifs_get_tcon but is able to
continue after an DFS ROOT referral. In this case, the return code
variable is not reset prior to trying to mount from the system referred
to. Thus, is_path_accessible is not executed and the final DFS referral
is not performed causing a mount error.

Use case: In DNS,  resolves to the secondary AD server Our primary domain controller is and has
a DFS redirection set up from \\ad1\share\Users to \\files\share\Users.
Mounting \\\share\Users fails.

Regression introduced by commit 724d9f1.

Reviewed-by: Pavel Shilovsky <
Signed-off-by: Thomas Hadig <>
Signed-off-by: Jeff Layton <>
Signed-off-by: Steve French <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoxfs: fix inode lookup race
Dave Chinner [Wed, 7 Mar 2012 04:50:25 +0000 (04:50 +0000)]
xfs: fix inode lookup race

commit f30d500f809eca67a21704347ab14bb35877b5ee upstream.

When we get concurrent lookups of the same inode that is not in the
per-AG inode cache, there is a race condition that triggers warnings
in unlock_new_inode() indicating that we are initialising an inode
that isn't in a the correct state for a new inode.

When we do an inode lookup via a file handle or a bulkstat, we don't
serialise lookups at a higher level through the dentry cache (i.e.
pathless lookup), and so we can get concurrent lookups of the same

The race condition is between the insertion of the inode into the
cache in the case of a cache miss and a concurrently lookup:

Thread 1 Thread 2
    lock radix tree
lock inode flags
XFS_INEW not set
unlock inode flags
use uninitialised inode
    lock inode flags
    set XFS_INEW
    unlock inode flags
    unlock radix tree
    inode flags = I_NEW
      WARNING as inode flags != I_NEW

This can lead to inode corruption, inode list corruption, etc, and
is generally a bad thing to occur.

Fix this by setting XFS_INEW before inserting the inode into the
radix tree. This will ensure any concurrent lookup will find the new
inode with XFS_INEW set and that forces the lookup to wait until the
XFS_INEW flag is removed before allowing the lookup to succeed.

Signed-off-by: Dave Chinner <>
Reviewed-by: Christoph Hellwig <>
Signed-off-by: Ben Myers <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoNFSv4: Return the delegation if the server returns NFS4ERR_OPENMODE
Trond Myklebust [Wed, 7 Mar 2012 21:39:06 +0000 (16:39 -0500)]
NFSv4: Return the delegation if the server returns NFS4ERR_OPENMODE

commit 3114ea7a24d3264c090556a2444fc6d2c06176d4 upstream.

If a setattr() fails because of an NFS4ERR_OPENMODE error, it is
probably due to us holding a read delegation. Ensure that the
recovery routines return that delegation in this case.

Reported-by: Miklos Szeredi <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoNFS: Properly handle the case where the delegation is revoked
Trond Myklebust [Tue, 6 Mar 2012 00:56:44 +0000 (19:56 -0500)]
NFS: Properly handle the case where the delegation is revoked

commit a1d0b5eebc4fd6e0edb02688b35f17f67f42aea5 upstream.

If we know that the delegation stateid is bad or revoked, we need to
remove that delegation as soon as possible, and then mark all the
stateids that relied on that delegation for recovery. We cannot use
the delegation as part of the recovery process.

Also note that NFSv4.1 uses a different error code (NFS4ERR_DELEG_REVOKED)
to indicate that the delegation was revoked.

Finally, ensure that setlk() and setattr() can both recover safely from
a revoked delegation.

Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoKVM: x86: fix missing checks in syscall emulation
Stephan Bärwolf [Thu, 12 Jan 2012 15:43:04 +0000 (16:43 +0100)]
KVM: x86: fix missing checks in syscall emulation

commit c2226fc9e87ba3da060e47333657cd6616652b84 upstream.

On hosts without this patch, 32bit guests will crash (and 64bit guests
may behave in a wrong way) for example by simply executing following

    [bits 32]
    global _start
    SECTION .text
    _start: syscall

(I tested it with winxp and linux - both always crashed)

    Disassembly of section .text:

    00000000 <_start>:
       0:   0f 05                   syscall

The reason seems a missing "invalid opcode"-trap (int6) for the
syscall opcode "0f05", which is not available on Intel CPUs
within non-longmodes, as also on some AMD CPUs within legacy-mode.
(depending on CPU vendor, MSR_EFER and cpuid)

Because previous mentioned OSs may not engage corresponding
syscall target-registers (STAR, LSTAR, CSTAR), they remain
NULL and (non trapping) syscalls are leading to multiple
faults and finally crashs.

Depending on the architecture (AMD or Intel) pretended by
guests, various checks according to vendor's documentation
are implemented to overcome the current issue and behave
like the CPUs physical counterparts.

[mtosatti: cleanup/beautify code]

Signed-off-by: Stephan Baerwolf <>
Signed-off-by: Marcelo Tosatti <>
Signed-off-by: Stefan Bader <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoKVM: x86: extend "struct x86_emulate_ops" with "get_cpuid"
Stephan Bärwolf [Thu, 12 Jan 2012 15:43:03 +0000 (16:43 +0100)]
KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid"

commit bdb42f5afebe208eae90406959383856ae2caf2b upstream.

In order to be able to proceed checks on CPU-specific properties
within the emulator, function "get_cpuid" is introduced.
With "get_cpuid" it is possible to virtually call the guests
"cpuid"-opcode without changing the VM's context.

[mtosatti: cleanup/beautify code]

Signed-off-by: Stephan Baerwolf <>
Signed-off-by: Marcelo Tosatti <>
Signed-off-by: Stefan Bader <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agofirewire: ohci: fix too-early completion of IR multichannel buffers
Clemens Ladisch [Mon, 12 Mar 2012 20:45:47 +0000 (21:45 +0100)]
firewire: ohci: fix too-early completion of IR multichannel buffers

commit 0c0efbacab8d70700d13301e0ae7975783c0cb0a upstream.

handle_ir_buffer_fill() assumed that a completed descriptor would be
indicated by a non-zero transfer_status (as in most other descriptors).
However, this field is written by the controller as soon as (the end of)
the first packet has been written into the buffer.  As a consequence, if
we happen to run into such a descriptor when the interrupt handler is
executed after such a packet has completed, the descriptor would be
taken out of the list of active descriptors as soon as the buffer had
been partially filled, so the event for the buffer being completely
filled would never be sent.

To fix this, handle descriptors only when they have been completely
filled, i.e., when res_count == 0.  (This also matches the condition
that is reported by the controller with an interrupt.)

Signed-off-by: Clemens Ladisch <>
Signed-off-by: Stefan Richter <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agopata_legacy: correctly mask recovery field for HT6560B
Sergei Shtylyov [Thu, 19 Jan 2012 16:09:56 +0000 (19:09 +0300)]
pata_legacy: correctly mask recovery field for HT6560B

commit 9716387311c790de381214c03e7f1b72b91a8189 upstream.

According to the HT6560H datasheet, the recovery timing field is 4-bit wide,
with a value of 0 meaning 16 cycles. Correct obvious thinko in the recovery
field mask.

Signed-off-by: Sergei Shtylyov <>
Signed-off-by: Jeff Garzik <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoHID: add more hotkeys in Asus AIO keyboards
Keng-Yu Lin [Mon, 30 Jan 2012 06:25:45 +0000 (14:25 +0800)]
HID: add more hotkeys in Asus AIO keyboards

commit 6c30d5a53229aad22bb675e0bd6eb518ecaa4316 upstream.

Add support for the camera key. The hotkey for
Asus S.H.E(Super Hybrid Engine) mode is mapped to KEY_KEY_PROG1
just for notifying the userspace.

Signed-off-by: Keng-Yu Lin <>
Signed-off-by: Jiri Kosina <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoHID: add extra hotkeys in Asus AIO keyboards
Keng-Yu Lin [Thu, 2 Feb 2012 09:31:26 +0000 (10:31 +0100)]
HID: add extra hotkeys in Asus AIO keyboards

commit 3596bb929f2abd3433c2eaa5755fad48ac207af1 upstream.

The Asus All-In-One PC has a wireless keyboard with wifi toggle,
brightness up, brightness down and display off hotkeys.

This patch adds suppoort for these hotkeys.

Signed-off-by: Keng-Yu Lin <>
Signed-off-by: Jiri Kosina <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoBluetooth: Add AR30XX device ID on Asus laptops
Keng-Yu Lin [Wed, 30 Nov 2011 10:32:37 +0000 (18:32 +0800)]
Bluetooth: Add AR30XX device ID on Asus laptops

commit 6b6ba88b5bb8779156b21bb957520a448c3642e2 upstream.

The ID is found on Asus K54HR and K53U.
Blacklist the AR3011-based device ID [0489:e03d]
and add to ath3k.c for firmware loading.

Below is the output of usb-devices script:

Before the fiwmware loading:

T:  Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=  3 Spd=12  MxCh= 0
D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=0489 ProdID=e03d Rev=00.01
C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

After the fiwmware loading:

T:  Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=  5 Spd=12  MxCh= 0
D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=0cf3 ProdID=3005 Rev=00.01
C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I:  If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Signed-off-by: Keng-Yu Lin <>
Signed-off-by: Gustavo F. Padovan <>
Signed-off-by: Johan Hedberg <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agotarget: Fix 16-bit target ports for SET TARGET PORT GROUPS emulation
Roland Dreier [Fri, 24 Feb 2012 01:22:12 +0000 (17:22 -0800)]
target: Fix 16-bit target ports for SET TARGET PORT GROUPS emulation

commit 33395fb8a13731c7ef7b175dbf5a4d8a6738fe6c upstream.

The old code did (MSB << 8) & 0xff, which always evaluates to 0.  Just use
get_unaligned_be16() so we don't have to worry about whether our open-coded
version is correct or not.

Signed-off-by: Roland Dreier <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agotarget: Don't set WBUS16 or SYNC bits in INQUIRY response
Roland Dreier [Tue, 14 Feb 2012 00:18:16 +0000 (16:18 -0800)]
target: Don't set WBUS16 or SYNC bits in INQUIRY response

commit effc6cc8828257c32c37635e737f14fd6e19ecd7 upstream.

SPC-4 says about the WBUS16 and SYNC bits:

    The meanings of these fields are specific to SPI-5 (see 6.4.3).
    For SCSI transport protocols other than the SCSI Parallel
    Interface, these fields are reserved.

We don't have a SPI fabric module, so we should never set these bits.
(The comment was misleading, since it only mentioned Sync but the
actual code set WBUS16 too).

Signed-off-by: Roland Dreier <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agodrm/radeon/kms: add connector quirk for Fujitsu D3003-S2 board
Alex Deucher [Fri, 16 Mar 2012 16:22:10 +0000 (12:22 -0400)]
drm/radeon/kms: add connector quirk for Fujitsu D3003-S2 board

commit 4c1b2d2da3451f5c8dd59bd7e05bd9729d2aee05 upstream.

vbios lists DVI-I port as VGA and DVI-D.


Signed-off-by: Alex Deucher <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agodrm/radeon/kms: fix analog load detection on DVI-I connectors
Alex Deucher [Fri, 16 Mar 2012 16:22:09 +0000 (12:22 -0400)]
drm/radeon/kms: fix analog load detection on DVI-I connectors

commit e00e8b5e760cbbe9067daeae5454d67c44c8d035 upstream.

We digital encoders have a detect function as well (for
DP to VGA bridges), so we make sure we choose the analog
one here.


Signed-off-by: Alex Deucher <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agodrm/radeon: Restrict offset for legacy hardware cursor.
Michel Dänzer [Wed, 14 Mar 2012 16:12:41 +0000 (17:12 +0100)]
drm/radeon: Restrict offset for legacy hardware cursor.

commit c4353016dac10133fa5d8535af83f0c4845a2915 upstream.

The hardware only takes 27 bits for the offset, so larger offsets are
truncated, and the hardware cursor shows random bits other than the intended


Signed-off-by: Michel Dänzer <>
Reviewed-by: Alex Deucher <>
Signed-off-by: Dave Airlie <>
6 years agomd/raid1,raid10: avoid deadlock during resync/recovery.
NeilBrown [Mon, 19 Mar 2012 01:46:38 +0000 (12:46 +1100)]
md/raid1,raid10: avoid deadlock during resync/recovery.

commit d6b42dcb995e6acd7cc276774e751ffc9f0ef4bf upstream.

If RAID1 or RAID10 is used under LVM or some other stacking
block device, it is possible to enter a deadlock during
resync or recovery.
This can happen if the upper level block device creates
two requests to the RAID1 or RAID10.  The first request gets
processed, blocks recovery and queue requests for underlying
requests in current->bio_list.  A resync request then starts
which will wait for those requests and block new IO.

But then the second request to the RAID1/10 will be attempted
and it cannot progress until the resync request completes,
which cannot progress until the underlying device requests complete,
which are on a queue behind that second request.

So allow that second request to proceed even though there is
a resync request about to start.

This is suitable for any -stable kernel.

Reported-by: Ray Morris <>
Tested-by: Ray Morris <>
Signed-off-by: NeilBrown <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agomd/bitmap: ensure to load bitmap when creating via sysfs.
NeilBrown [Mon, 19 Mar 2012 01:46:37 +0000 (12:46 +1100)]
md/bitmap: ensure to load bitmap when creating via sysfs.

commit 4474ca42e2577563a919fd3ed782e2ec55bf11a2 upstream.

When commit 69e51b449d383e (md/bitmap:  separate out loading a bitmap...)
created bitmap_load, it missed calling it after bitmap_create when a
bitmap is created through the sysfs interface.
So if a bitmap is added this way, we don't allocate memory properly
and can crash.

This is suitable for any -stable release since 2.6.35.
Signed-off-by: NeilBrown <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agotcm_fc: Fix fc_exch memory leak in ft_send_resp_status
Nicholas Bellinger [Sat, 10 Mar 2012 07:45:38 +0000 (23:45 -0800)]
tcm_fc: Fix fc_exch memory leak in ft_send_resp_status

commit 031ed4d565b31880a4136bb7366bc89f5b1dba7d upstream.

This patch fixes a bug in tcm_fc where fc_exch memory from fc_exch_mgr->ep_pool
is currently being leaked by ft_send_resp_status() usage.  Following current
code in ft_queue_status() response path, using lport->tt.seq_send() needs to be
followed by a lport->tt.exch_done() in order to release fc_exch memory back into
libfc_em kmem_cache.

ft_send_resp_status() code is currently used in pre submit se_cmd ft_send_work()
error exceptions, TM request setup exceptions, and main TM response callback
path in ft_queue_tm_resp().  This bugfix addresses the leak in these cases.

Cc: Mark D Rustad <>
Cc: Kiran Patil <>
Cc: Robert Love <>
Cc: Andy Grover <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoudlfb: remove sysfs framebuffer device with USB .disconnect()
Kay Sievers [Sat, 28 Jan 2012 19:57:46 +0000 (19:57 +0000)]
udlfb: remove sysfs framebuffer device with USB .disconnect()

commit ce880cb860f36694d2cdebfac9e6ae18176fe4c4 upstream.

The USB graphics card driver delays the unregistering of the framebuffer
device to a workqueue, which breaks the userspace visible remove uevent
sequence. Recent userspace tools started to support USB graphics card
hotplug out-of-the-box and rely on proper events sent by the kernel.

The framebuffer device is a direct child of the USB interface which is
removed immediately after the USB .disconnect() callback. But the fb device
in /sys stays around until its final cleanup, at a time where all the parent
devices have been removed already.

To work around that, we remove the sysfs fb device directly in the USB
.disconnect() callback and leave only the cleanup of the internal fb
data to the delayed work.

 add      /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.2 (usb)
 add      /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.2/2-1.2:1.0 (usb)
 add      /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.2/2-1.2:1.0/graphics/fb0 (graphics)
 remove   /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.2/2-1.2:1.0 (usb)
 remove   /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.2 (usb)
 remove   /2-1.2:1.0/graphics/fb0 (graphics)

 add      /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.2 (usb)
 add      /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.2/2-1.2:1.0 (usb)
 add      /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.2/2-1.2:1.0/graphics/fb1 (graphics)
 remove   /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.2/2-1.2:1.0/graphics/fb1 (graphics)
 remove   /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.2/2-1.2:1.0 (usb)
 remove   /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.2 (usb)

Tested-by: Bernie Thompson <>
Acked-by: Bernie Thompson <>
Signed-off-by: Kay Sievers <>
Signed-off-by: Florian Tobias Schandinat <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agotcm_loop: Set residual field for SCSI commands
Roland Dreier [Tue, 14 Feb 2012 23:30:31 +0000 (15:30 -0800)]
tcm_loop: Set residual field for SCSI commands

commit 6cf3fa6918baab0c447f1206f1cef9166ad04864 upstream.

If the target core signals an over- or under-run, tcm_loop should call
scsi_set_resid() to tell the SCSI midlayer about the residual data length.

The difference can be seen by doing something like

    strace -eioctl sg_raw -r 1024 /dev/sda 8 0 0 0 1 0 > /dev/null

and looking at the "resid=" part of the SG_IO ioctl -- after this patch,
the field is correctly reported as 512.

Signed-off-by: Roland Dreier <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoASoC: pxa-ssp: atomically set stream active masks
Daniel Mack [Mon, 19 Mar 2012 08:12:53 +0000 (09:12 +0100)]
ASoC: pxa-ssp: atomically set stream active masks

commit 273b72c8ce6b28df6b49423d775c3e59072c73c5 upstream.

PXA's SSP engine fails to take its current channel phase into account
when enabling a stream while the engine is already running. This
results in randomly swapped left/right channels on either the record
or the playback side, depending on which one was enabled first.

The following patch fixes this by factoring out the bit field
modifications in question to a separate function that pauses the
engine temporarily, modifies the bits and kicks it off again
afterwards. Appearantly, a transition of SSCR0_SSE syncs both
directions properly.

The patch has been rolled out to quite a number of devices over the
last weeks and seems to fix the issue reliably.

Signed-off-by: Daniel Mack <>
Reported-and-tested-by: Sven Neumann <>
Signed-off-by: Mark Brown <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agohugetlbfs: avoid taking i_mutex from hugetlbfs_read()
Aneesh Kumar K.V [Wed, 21 Mar 2012 23:34:08 +0000 (16:34 -0700)]
hugetlbfs: avoid taking i_mutex from hugetlbfs_read()

commit a05b0855fd15504972dba2358e5faa172a1e50ba upstream.

Taking i_mutex in hugetlbfs_read() can result in deadlock with mmap as
explained below

 Thread A:
  read() on hugetlbfs
   hugetlbfs_read() called
    i_mutex grabbed
     hugetlbfs_read_actor() called
      __copy_to_user() called
       page fault is triggered
 Thread B, sharing address space with A:
  mmap() the same file
   ->mmap_sem is grabbed on task_B->mm->mmap_sem
    hugetlbfs_file_mmap() is called
     attempt to grab ->i_mutex and block waiting for A to give it up
 Thread A:
  pagefault handled blocked on attempt to grab task_A->mm->mmap_sem,
 which happens to be the same thing as task_B->mm->mmap_sem.  Block waiting
 for B to give it up.

AFAIU the i_mutex locking was added to hugetlbfs_read() as per to take
care of the race between truncate and read.  This patch fixes this by
looking at page->mapping under lock_page() (find_lock_page()) to ensure
that the inode didn't get truncated in the range during a parallel read.

Ideally we can extend the patch to make sure we don't increase i_size in
mmap.  But that will break userspace, because applications will now have
to use truncate(2) to increase i_size in hugetlbfs.

Based on the original patch from Hillf Danton.

Signed-off-by: Aneesh Kumar K.V <>
Cc: Hillf Danton <>
Cc: KAMEZAWA Hiroyuki <>
Cc: Al Viro <>
Cc: Hugh Dickins <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agobootmem/sparsemem: remove limit constraint in alloc_bootmem_section
Nishanth Aravamudan [Wed, 21 Mar 2012 23:34:07 +0000 (16:34 -0700)]
bootmem/sparsemem: remove limit constraint in alloc_bootmem_section

commit f5bf18fa22f8c41a13eb8762c7373eb3a93a7333 upstream.

While testing AMS (Active Memory Sharing) / CMO (Cooperative Memory
Overcommit) on powerpc, we tripped the following:

  kernel BUG at mm/bootmem.c:483!
  cpu 0x0: Vector: 700 (Program Check) at [c000000000c03940]
      pc: c000000000a62bd8: .alloc_bootmem_core+0x90/0x39c
      lr: c000000000a64bcc: .sparse_early_usemaps_alloc_node+0x84/0x29c
      sp: c000000000c03bc0
     msr: 8000000000021032
    current = 0xc000000000b0cce0
    paca    = 0xc000000001d80000
      pid   = 0, comm = swapper
  kernel BUG at mm/bootmem.c:483!
  enter ? for help
  [c000000000c03d50c000000000a64f10 .sparse_init+0x12c/0x28c
  [c000000000c03e20c000000000a474f4 .setup_arch+0x20c/0x294
  [c000000000c03ee0c000000000a4079c .start_kernel+0xb4/0x460
  [c000000000c03f90c000000000009670 .start_here_common+0x1c/0x2c

This is

        BUG_ON(limit && goal + size > limit);

and after some debugging, it seems that

goal = 0x7ffff000000
limit = 0x80000000000

and sparse_early_usemaps_alloc_node ->
sparse_early_usemaps_alloc_pgdat_section calls

return alloc_bootmem_section(usemap_size() * count, section_nr);

This is on a system with 8TB available via the AMS pool, and as a quirk
of AMS in firmware, all of that memory shows up in node 0.  So, we end
up with an allocation that will fail the goal/limit constraints.

In theory, we could "fall-back" to alloc_bootmem_node() in
sparse_early_usemaps_alloc_node(), but since we actually have HOTREMOVE
defined, we'll BUG_ON() instead.  A simple solution appears to be to
unconditionally remove the limit condition in alloc_bootmem_section,
meaning allocations are allowed to cross section boundaries (necessary
for systems of this size).

Johannes Weiner pointed out that if alloc_bootmem_section() no longer
guarantees section-locality, we need check_usemap_section_nr() to print
possible cross-dependencies between node descriptors and the usemaps
allocated through it.  That makes the two loops in
sparse_early_usemaps_alloc_node() identical, so re-factor the code a

[ code simplification]
Signed-off-by: Nishanth Aravamudan <>
Cc: Dave Hansen <>
Cc: Anton Blanchard <>
Cc: Paul Mackerras <>
Cc: Ben Herrenschmidt <>
Cc: Robert Jennings <>
Acked-by: Johannes Weiner <>
Acked-by: Mel Gorman <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agomm: thp: fix pmd_bad() triggering in code paths holding mmap_sem read mode
Andrea Arcangeli [Wed, 21 Mar 2012 23:33:42 +0000 (16:33 -0700)]
mm: thp: fix pmd_bad() triggering in code paths holding mmap_sem read mode

commit 1a5a9906d4e8d1976b701f889d8f35d54b928f25 upstream.

In some cases it may happen that pmd_none_or_clear_bad() is called with
the mmap_sem hold in read mode.  In those cases the huge page faults can
allocate hugepmds under pmd_none_or_clear_bad() and that can trigger a
false positive from pmd_bad() that will not like to see a pmd
materializing as trans huge.

It's not khugepaged causing the problem, khugepaged holds the mmap_sem
in write mode (and all those sites must hold the mmap_sem in read mode
to prevent pagetables to go away from under them, during code review it
seems vm86 mode on 32bit kernels requires that too unless it's
restricted to 1 thread per process or UP builds).  The race is only with
the huge pagefaults that can convert a pmd_none() into a

Effectively all these pmd_none_or_clear_bad() sites running with
mmap_sem in read mode are somewhat speculative with the page faults, and
the result is always undefined when they run simultaneously.  This is
probably why it wasn't common to run into this.  For example if the
madvise(MADV_DONTNEED) runs zap_page_range() shortly before the page
fault, the hugepage will not be zapped, if the page fault runs first it
will be zapped.

Altering pmd_bad() not to error out if it finds hugepmds won't be enough
to fix this, because zap_pmd_range would then proceed to call
zap_pte_range (which would be incorrect if the pmd become a

The simplest way to fix this is to read the pmd in the local stack
(regardless of what we read, no need of actual CPU barriers, only
compiler barrier needed), and be sure it is not changing under the code
that computes its value.  Even if the real pmd is changing under the
value we hold on the stack, we don't care.  If we actually end up in
zap_pte_range it means the pmd was not none already and it was not huge,
and it can't become huge from under us (khugepaged locking explained

All we need is to enforce that there is no way anymore that in a code
path like below, pmd_trans_huge can be false, but pmd_none_or_clear_bad
can run into a hugepmd.  The overhead of a barrier() is just a compiler
tweak and should not be measurable (I only added it for THP builds).  I
don't exclude different compiler versions may have prevented the race
too by caching the value of *pmd on the stack (that hasn't been
verified, but it wouldn't be impossible considering
pmd_none_or_clear_bad, pmd_bad, pmd_trans_huge, pmd_none are all inlines
and there's no external function called in between pmd_trans_huge and

if (pmd_trans_huge(*pmd)) {
if (next-addr != HPAGE_PMD_SIZE) {
split_huge_page_pmd(vma->vm_mm, pmd);
} else if (zap_huge_pmd(tlb, vma, pmd, addr))
/* fall through */
if (pmd_none_or_clear_bad(pmd))

Because this race condition could be exercised without special
privileges this was reported in CVE-2012-1179.

The race was identified and fully explained by Ulrich who debugged it.
I'm quoting his accurate explanation below, for reference.

====== start quote =======
      mapcount 0 page_mapcount 1
      kernel BUG at mm/huge_memory.c:1384!

    At some point prior to the panic, a "bad pmd ..." message similar to the
    following is logged on the console:

      mm/memory.c:145: bad pmd ffff8800376e1f98(80000000314000e7).

    The "bad pmd ..." message is logged by pmd_clear_bad() before it clears
    the page's PMD table entry.

        143 void pmd_clear_bad(pmd_t *pmd)
        144 {
    ->  145         pmd_ERROR(*pmd);
        146         pmd_clear(pmd);
        147 }

    After the PMD table entry has been cleared, there is an inconsistency
    between the actual number of PMD table entries that are mapping the page
    and the page's map count (_mapcount field in struct page). When the page
    is subsequently reclaimed, __split_huge_page() detects this inconsistency.

       1381         if (mapcount != page_mapcount(page))
       1382                 printk(KERN_ERR "mapcount %d page_mapcount %d\n",
       1383                        mapcount, page_mapcount(page));
    -> 1384         BUG_ON(mapcount != page_mapcount(page));

    The root cause of the problem is a race of two threads in a multithreaded
    process. Thread B incurs a page fault on a virtual address that has never
    been accessed (PMD entry is zero) while Thread A is executing an madvise()
    system call on a virtual address within the same 2 MB (huge page) range.

               virtual address space
              |                     |
              |                     |
            | |                     |
            | |                     |<-- B(fault)
            | |                     |
      2 MB  | |/////////////////////|-.
      huge <  |/////////////////////|  > A(range)
      page  | |/////////////////////|-'
            | |                     |
            | |                     |
              |                     |
              |                     |

    - Thread A is executing an madvise(..., MADV_DONTNEED) system call
      on the virtual address range "A(range)" shown in the picture.

      // Acquire the semaphore in shared mode.
        switch (behavior)
        case MADV_DONTNEED:
                         // Assume that this huge page has never been accessed.
                         // I.e. content of the PMD entry is zero (not mapped).
                         if (pmd_trans_huge(*pmd)) {
                             // We don't get here due to the above assumption.
                         // Assume that Thread B incurred a page fault and
             .---------> // sneaks in here as shown below.
             |           //
             |           if (pmd_none_or_clear_bad(pmd))
             |               {
             |                 if (unlikely(pmd_bad(*pmd)))
             |                     pmd_clear_bad
             |                     {
             |                       pmd_ERROR
             |                         // Log "bad pmd ..." message here.
             |                       pmd_clear
             |                         // Clear the page's PMD entry.
             |                         // Thread B incremented the map count
             |                         // in page_add_new_anon_rmap(), but
             |                         // now the page is no longer mapped
             |                         // by a PMD entry (-> inconsistency).
             |                     }
             |               }
    - Thread B is handling a page fault on virtual address "B(fault)" shown
      in the picture.

        // Acquire the semaphore in shared mode.
          if (pmd_none(*pmd) && transparent_hugepage_enabled(vma))
              // We get here due to the above assumption (PMD entry is zero).
                  // Allocate a new transparent huge page here.
                    // Here we increment the page's map count (starts at -1).
                    atomic_set(&page->_mapcount, 0)
                    // Here we set the page's PMD entry which will be cleared
                    // when Thread A calls pmd_clear_bad().

    The mmap_sem does not prevent the race because both threads are acquiring
    it in shared mode (down_read).  Thread B holds the page_table_lock while
    the page's map count and PMD table entry are updated.  However, Thread A
    does not synchronize on that lock.

====== end quote =======

[ checkpatch fixes]
Reported-by: Ulrich Obergfell <>
Signed-off-by: Andrea Arcangeli <>
Acked-by: Johannes Weiner <>
Cc: Mel Gorman <>
Cc: Hugh Dickins <>
Cc: Dave Jones <>
Acked-by: Larry Woodman <>
Acked-by: Rik van Riel <>
Cc: Mark Salter <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agox86/ioapic: Add register level checks to detect bogus io-apic entries
Suresh Siddha [Mon, 12 Mar 2012 18:36:33 +0000 (11:36 -0700)]
x86/ioapic: Add register level checks to detect bogus io-apic entries

commit 73d63d038ee9f769f5e5b46792d227fe20e442c5 upstream.

With the recent changes to clear_IO_APIC_pin() which tries to
clear remoteIRR bit explicitly, some of the users started to see
"Unable to reset IRR for apic .." messages.

Close look shows that these are related to bogus IO-APIC entries
which return's all 1's for their io-apic registers. And the
above mentioned error messages are benign. But kernel should
have ignored such io-apic's in the first place.

Check if register 0, 1, 2 of the listed io-apic are all 1's and
ignore such io-apic.

Reported-by: Álvaro Castillo <>
Tested-by: Jon Dufresne <>
Signed-off-by: Suresh Siddha <>
Cc: Josh Boyer <>
[ Performed minor cleanup of affected code. ]
Signed-off-by: Ingo Molnar <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoIB/iser: Post initial receive buffers before sending the final login request
Or Gerlitz [Mon, 5 Mar 2012 16:21:44 +0000 (18:21 +0200)]
IB/iser: Post initial receive buffers before sending the final login request

commit 89e984e2c2cd14f77ccb26c47726ac7f13b70ae8 upstream.

An iser target may send iscsi NO-OP PDUs as soon as it marks the iSER
iSCSI session as fully operative.  This means that there is window
where there are no posted receive buffers on the initiator side, so
it's possible for the iSER RC connection to break because of RNR NAK /
retry errors.  To fix this, rely on the flags bits in the login
request to have FFP (0x3) in the lower nibble as a marker for the
final login request, and post an initial chunk of receive buffers
before sending that login request instead of after getting the login

Signed-off-by: Or Gerlitz <>
Signed-off-by: Roland Dreier <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agop54spi: Release GPIO lines and IRQ on error in p54spi_probe
Max Filippov [Wed, 29 Feb 2012 20:40:08 +0000 (00:40 +0400)]
p54spi: Release GPIO lines and IRQ on error in p54spi_probe

commit 62ebeed8d00aef75eac4fd6c161cae75a41965ca upstream.

This makes it possible to reload driver if insmod has failed due to
missing firmware.

Signed-off-by: Max Filippov <>
Acked-by: Christian Lamparter <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agortc: Disable the alarm in the hardware (v2)
Rabin Vincent [Tue, 22 Nov 2011 10:03:14 +0000 (11:03 +0100)]
rtc: Disable the alarm in the hardware (v2)

commit 41c7f7424259ff11009449f87c95656f69f9b186 upstream.

Currently, the RTC code does not disable the alarm in the hardware.

This means that after a sequence such as the one below (the files are in the
RTC sysfs), the box will boot up after 2 minutes even though we've
asked for the alarm to be turned off.

# echo $((`cat since_epoch`)+120) > wakealarm
# echo 0 > wakealarm
# poweroff

Fix this by disabling the alarm when there are no timers to run.

The original version of this patch was reverted. This version
disables the irq directly instead of setting a disabled timer
in the future.

Cc: John Stultz <>
Signed-off-by: Rabin Vincent <>
[Merged in the second revision from Rabin]
Signed-off-by: John Stultz <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agogenirq: Fix incorrect check for forced IRQ thread handler
Alexander Gordeev [Fri, 9 Mar 2012 13:59:13 +0000 (14:59 +0100)]
genirq: Fix incorrect check for forced IRQ thread handler

commit 540b60e24f3f4781d80e47122f0c4486a03375b8 upstream.

We do not want a bitwise AND between boolean operands

Signed-off-by: Alexander Gordeev <>
Cc: Oleg Nesterov <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agogenirq: Fix long-term regression in genirq irq_set_irq_type() handling
Russell King [Mon, 5 Mar 2012 23:07:25 +0000 (15:07 -0800)]
genirq: Fix long-term regression in genirq irq_set_irq_type() handling

commit a09b659cd68c10ec6a30cb91ebd2c327fcd5bfe5 upstream.

In 2008, commit 0c5d1eb77a8be ("genirq: record trigger type") modified the
way set_irq_type() handles the 'no trigger' condition.  However, this has
an adverse effect on PCMCIA support on Intel StrongARM and probably PXA

PCMCIA has several status signals on the socket which can trigger
interrupts; some of these status signals depend on the card's mode
(whether it is configured in memory or IO mode).  For example, cards have
a 'Ready/IRQ' signal: in memory mode, this provides an indication to
PCMCIA that the card has finished its power up initialization.  In IO
mode, it provides the device interrupt signal.  Other status signals
switch between on-board battery status and loud speaker output.

In classical PCMCIA implementations, where you have a specific socket
controller, the controller provides a method to mask interrupts from the
socket, and importantly ignore any state transitions on the pins which
correspond with interrupts once masked.  This masking prevents unwanted
events caused by the removal and application of socket power being

However, on platforms where there is no socket controller, the PCMCIA
status and interrupt signals are routed to standard edge-triggered GPIOs.
These GPIOs can be configured to interrupt on rising edge, falling edge,
or never.  This is where the problems start.

Edge triggered interrupts are required to record events while disabled via
the usual methods of {free,request,disable,enable}_irq() to prevent
problems with dropped interrupts (eg, the 8390 driver uses disable_irq()
to defer the delivery of interrupts).  As a result, these interfaces can
not be used to implement the desired behaviour.

The side effect of this is that if the 'Ready/IRQ' GPIO is disabled via
disable_irq() on suspend, and enabled via enable_irq() after resume, we
will record the state transitions caused by powering events as valid
interrupts, and foward them to the card driver, which may attempt to
access a card which is not powered up.

This leads delays resume while drivers spin in their interrupt handlers,
and complaints from drivers before they realize what's happened.

Moreover, in the case of the 'Ready/IRQ' signal, this is requested and
freed by the card driver itself; the PCMCIA core has no idea whether the
interrupt is requested, and, therefore, whether a call to disable_irq()
would be valid.  (We tried this around 2.4.17 / 2.5.1 kernel era, and
ended up throwing it out because of this problem.)

Therefore, it was decided back in around 2002 to disable the edge
triggering instead, resulting in all state transitions on the GPIO being
ignored.  That's what we actually need the hardware to do.

The commit above changes this behaviour; it explicitly prevents the 'no
trigger' state being selected.

The reason that request_irq() does not accept the 'no trigger' state is
for compatibility with existing drivers which do not provide their desired
triggering configuration.  The set_irq_type() function is 'new' and not
used by non-trigger aware drivers.

Therefore, revert this change, and restore previously working platforms
back to their former state.

Signed-off-by: Russell King <>
Cc: Ingo Molnar <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agouevent: send events in correct order according to seqnum (v3)
Andrew Vagin [Wed, 7 Mar 2012 10:49:56 +0000 (14:49 +0400)]
uevent: send events in correct order according to seqnum (v3)

commit 7b60a18da393ed70db043a777fd9e6d5363077c4 upstream.

The queue handling in the udev daemon assumes that the events are

Before this patch uevent_seqnum is incremented under sequence_lock,
than an event is send uner uevent_sock_mutex. I want to say that code
contained a window between incrementing seqnum and sending an event.

This patch locks uevent_sock_mutex before incrementing uevent_seqnum.

v2: delete sequence_lock, uevent_seqnum is protected by uevent_sock_mutex
v3: unlock the mutex before the goto exit

Thanks for Kay for the comments.

Signed-off-by: Andrew Vagin <>
Tested-By: Kay Sievers <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agontp: Fix integer overflow when setting time
Sasha Levin [Thu, 15 Mar 2012 16:36:14 +0000 (12:36 -0400)]
ntp: Fix integer overflow when setting time

commit a078c6d0e6288fad6d83fb6d5edd91ddb7b6ab33 upstream.

'long secs' is passed as divisor to div_s64, which accepts a 32bit
divisor. On 64bit machines that value is trimmed back from 8 bytes
back to 4, causing a divide by zero when the number is bigger than
(1 << 32) - 1 and all 32 lower bits are 0.

Use div64_long() instead.

Signed-off-by: Sasha Levin <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agomath: Introduce div64_long
Sasha Levin [Thu, 15 Mar 2012 16:36:13 +0000 (12:36 -0400)]
math: Introduce div64_long

commit f910381a55cdaa097030291f272f6e6e4380c39a upstream.

Add a div64_long macro which is used to devide a 64bit number by a long (which
can be 4 bytes on 32bit systems and 8 bytes on 64bit systems).

Suggested-by: Thomas Gleixner <>
Signed-off-by: Sasha Levin <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agortlwifi: rtl8192ce: Fix loss of receive performance
Jingjun Wu [Sat, 3 Mar 2012 02:52:14 +0000 (20:52 -0600)]
rtlwifi: rtl8192ce: Fix loss of receive performance

commit a9b89e2567c743483e6354f64d7a7e3a8c101e9e upstream.

Driver rtl8192ce when used with the RTL8188CE device would start at about
20 Mbps on a 54 Mbps connection, but quickly drop to 1 Mbps. One of the
symptoms is that the AP would need to retransmit each packet 4 of 5 times
before the driver would acknowledge it. Recovery is possible only by
unloading and reloading the driver. This problem was reported at

The problem is due to a missing update of the gain setting.

Signed-off-by: Jingjun Wu <>
Signed-off-by: Larry Finger <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agortlwifi: rtl8192c: Prevent sleeping from invalid context in rtl8192cu
Larry Finger [Fri, 2 Mar 2012 21:23:36 +0000 (15:23 -0600)]
rtlwifi: rtl8192c: Prevent sleeping from invalid context in rtl8192cu

commit ebecdcc12fed5d3c81853dea61a0a78a5aefab52 upstream.

When driver rtl8192cu is used with the debug level set to 3 or greater,
the result is "sleeping function called from invalid context" due to
an rcu_read_lock() call in the DM refresh routine in driver rtl8192c.
This lock is not necessary as the USB driver does not use the struct
being protected, thus the lock is set only when a PCI interface is

This bug is reported in

Reported-by: Ronald Wahl <>
Tested-by: Ronald Wahl <>
Signed-off-by: Larry Finger <>
Cc: Ronald Wahl <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agortlwifi: Handle previous allocation failures when freeing device memory
Simon Graham [Wed, 8 Feb 2012 00:07:38 +0000 (18:07 -0600)]
rtlwifi: Handle previous allocation failures when freeing device memory

commit 7f66c2f93e5779625c10d262c84537427a2673ca upstream.

Handle previous allocation failures when freeing device memory

Signed-off-by: Simon Graham <>
Signed-off-by: Larry Finger <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agort2x00: Add support for D-Link DWA-127 to rt2800usb.
Gertjan van Wingerde [Sat, 11 Feb 2012 20:58:09 +0000 (21:58 +0100)]
rt2x00: Add support for D-Link DWA-127 to rt2800usb.

commit d42a179b941a9e4cc6cf41d0f3cbadd75fc48a89 upstream.

This is an RT3070 based device.

Reported-by: Mikhail Kryshen <>
Signed-off-by: Gertjan van Wingerde <>
Acked-by: Ivo van Doorn <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoUSB: serial: mos7840: Fixed MCS7820 device attach problem
Donald Lee [Wed, 14 Mar 2012 07:26:33 +0000 (15:26 +0800)]
USB: serial: mos7840: Fixed MCS7820 device attach problem

commit 093ea2d3a766cb8a4c4de57efec6c0a127a58792 upstream.

A MCS7820 device supports two serial ports and a MCS7840 device supports
four serial ports. Both devices use the same driver, but the attach function
in driver was unable to correctly handle the port numbers for MCS7820
device. This problem has been fixed in this patch and this fix has been
verified on x86 Linux kernel 3.2.9 with both MCS7820 and MCS7840 devices.

Signed-off-by: Donald Lee <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agousb: cp210x: Update to support CP2105 and multiple interface devices
Preston Fick [Fri, 24 Feb 2012 19:42:39 +0000 (13:42 -0600)]
usb: cp210x: Update to support CP2105 and multiple interface devices

commit a5360a53a7ccad5ed9ccef210b94fef13c6e5529 upstream.

This patch updates the cp210x driver to support CP210x multiple
interface devices devices from Silicon Labs. The existing driver
always sends control requests to interface 0, which is hardcoded in
the usb_control_msg function calls. This only allows for single
interface devices to be used, and causes a bug when using ports on an
interface other than 0 in the multiple interface devices.

Here are the changes included in this patch:
- Updated the device list to contain the Silicon Labs factory default
  VID/PID for multiple interface CP210x devices
- Created a cp210x_port_private struct created for each port on
  startup, this struct holds the interface number
- Added a cp210x_release function to clean up the cp210x_port_private
  memory created on startup
- Modified usb_get_config and usb_set_config to get a pointer to the
  cp210x_port_private struct, and use the interface number there in the
  usb_control_message wIndex param

Signed-off-by: Preston Fick <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agousb-serial: Add support for the Sealevel SeaLINK+8 2038-ROHS device
Scott Dial [Sat, 25 Feb 2012 00:04:09 +0000 (19:04 -0500)]
usb-serial: Add support for the Sealevel SeaLINK+8 2038-ROHS device

commit 6d161b99f875269ad4ffa44375e1e54bca6fd02e upstream.

This patch adds new device IDs to the ftdi_sio module to support
the new Sealevel SeaLINK+8 2038-ROHS device.

Signed-off-by: Scott Dial <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoUSB: qcserial: don't grab QMI port on Gobi 1000 devices
Dan Williams [Fri, 24 Feb 2012 19:08:43 +0000 (13:08 -0600)]
USB: qcserial: don't grab QMI port on Gobi 1000 devices

commit c192c8e71a2ded01170c1a992cd21aaedc822756 upstream.

Gobi 1000 devices have a different port layout, which wasn't respected
by the current driver, and thus it grabbed the QMI/net port.  In the
near future we'll be attaching another driver to the QMI/net port for
these devices (cdc-wdm and qmi_wwan) so make sure the qcserial driver
doesn't claim them.  This patch also prevents qcserial from binding to
interfaces 0 and 1 on 1K devices because those interfaces do not

Signed-off-by: Dan Williams <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoUSB: qcserial: add several new serial devices
Thomas Tuttle [Wed, 1 Feb 2012 21:07:17 +0000 (16:07 -0500)]
USB: qcserial: add several new serial devices

commit 2db4d87070e87d198ab630e66a898b45eff316d9 upstream.

Signed-off-by: Thomas Tuttle <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agousb: Fix build error due to dma_mask is not at pdev_archdata at ARM
Peter Chen [Thu, 16 Feb 2012 01:41:52 +0000 (09:41 +0800)]
usb: Fix build error due to dma_mask is not at pdev_archdata at ARM

commit e90fc3cb087ce5c5f81e814358222cd6d197b5db upstream.

When build platform with imx_v6_v7_defconfig, and after adding
USB Gadget support, it has below build error:

CC      drivers/usb/host/fsl-mph-dr-of.o
drivers/usb/host/fsl-mph-dr-of.c: In function 'fsl_usb2_device_register':
drivers/usb/host/fsl-mph-dr-of.c:97: error: 'struct pdev_archdata'
has no member named 'dma_mask'

It has discussed at:

For PowerPC, there is dma_mask at struct pdev_archdata, but there is
no dma_mask at struct pdev_archdata for ARM. The pdev_archdata is
related to specific platform, it should NOT be accessed by
cross platform drivers, like USB.

The code for pdev_archdata should be useless, as for PowerPC,
it has already gotten the value for pdev->dev.dma_mask at function
arch_setup_pdev_archdata of arch/powerpc/kernel/setup-common.c.

Tested-by: Ramneek Mehresh <>
Signed-off-by: Peter Chen <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agousb: fsl_udc_core: Fix scheduling while atomic dump message
Peter Chen [Thu, 16 Feb 2012 01:36:25 +0000 (09:36 +0800)]
usb: fsl_udc_core: Fix scheduling while atomic dump message

commit c5cc5ed86667d4ae74fe40ee4ed893f4b46aba05 upstream.

When loading g_ether gadget, there is below message:

[<80012248>] (dump_backtrace+0x0/0x10c) from [<803cb42c>] (dump_stack+0x18/0x1c)
r7:00000000 r6:80512000 r5:8052bef8 r4:80513f30
[<803cb414>] (dump_stack+0x0/0x1c) from [<8000feb4>] (show_regs+0x44/0x50)
[<8000fe70>] (show_regs+0x0/0x50) from [<8004c840>] (__schedule_bug+0x68/0x84)
r5:8052bef8 r4:80513f30
[<8004c7d8>] (__schedule_bug+0x0/0x84) from [<803cd0e4>] (__schedule+0x4b0/0x528)
r5:8052bef8 r4:809aad00
[<803ccc34>] (__schedule+0x0/0x528) from [<803cd214>] (_cond_resched+0x44/0x58)
[<803cd1d0>] (_cond_resched+0x0/0x58) from [<800a9488>] (dma_pool_alloc+0x184/0x250)
 r5:9f9b4000 r4:9fb4fb80
 [<800a9304>] (dma_pool_alloc+0x0/0x250) from [<802a8ad8>] (fsl_req_to_dtd+0xac/0x180)
[<802a8a2c>] (fsl_req_to_dtd+0x0/0x180) from [<802a8ce4>] (fsl_ep_queue+0x138/0x274)
[<802a8bac>] (fsl_ep_queue+0x0/0x274) from [<7f004328>] (composite_setup+0x2d4/0xfac [g_ether])
[<7f004054>] (composite_setup+0x0/0xfac [g_ether]) from [<802a9bb4>] (fsl_udc_irq+0x8dc/0xd38)
[<802a92d8>] (fsl_udc_irq+0x0/0xd38) from [<800704f8>] (handle_irq_event_percpu+0x54/0x188)
[<800704a4>] (handle_irq_event_percpu+0x0/0x188) from [<80070674>] (handle_irq_event+0x48/0x68)
[<8007062c>] (handle_irq_event+0x0/0x68) from [<800738ec>] (handle_level_irq+0xb4/0x138)
 r5:80514f94 r4:80514f40
 [<80073838>] (handle_level_irq+0x0/0x138) from [<8006ffa4>] (generic_handle_irq+0x38/0x44)
 r7:00000012 r6:80510b1c r5:80529860 r4:80512000
 [<8006ff6c>] (generic_handle_irq+0x0/0x44) from [<8000f4c4>] (handle_IRQ+0x54/0xb4)
[<8000f470>] (handle_IRQ+0x0/0xb4) from [<800085b8>] (tzic_handle_irq+0x64/0x94)
 r9:412fc085 r8:00000000 r7:80513f30 r6:00000001 r5:00000000
 [<80008554>] (tzic_handle_irq+0x0/0x94) from [<8000e680>] (__irq_svc+0x40/0x60)

The reason of above dump message is calling dma_poll_alloc with can-schedule
mem_flags at atomic context.

To fix this problem, below changes are made:
- fsl_req_to_dtd doesn't need to be protected by spin_lock_irqsave,
as struct usb_request can be access at process context. Move lock
to beginning of hardware visit (fsl_queue_td).
- Change the memory flag which using to allocate dTD descriptor buffer,
the memory flag can be from gadget layer.

It is tested at i.mx51 bbg board with g_mass_storage, g_ether, g_serial.

Signed-off-by: Peter Chen <>
Acked-by: Li Yang <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>