5 years agonetfilter: nf_conntrack: fix rt_gateway checks for H.323 helper
Julian Anastasov [Tue, 9 Oct 2012 13:00:47 +0000 (13:00 +0000)]
netfilter: nf_conntrack: fix rt_gateway checks for H.323 helper

commit bbb5823cf742a7e955f35c7d891e4e936944c33a upstream.

After the change "Adjust semantics of rt->rt_gateway"
(commit f8126f1d51) we should properly match the nexthop when
destinations are directly connected because rt_gateway can be 0.

The rt_gateway checks in H.323 helper try to avoid the creation
of an unnecessary expectation in this call-forwarding case:

However, the existing code fails to avoid that in many cases,
see this thread:

It seems it is not trivial to know from the kernel if two hosts
have to go through the firewall to communicate each other, which
is the main point of the call-forwarding filter code to avoid
creating unnecessary expectations.

So this patch just gets things the way they were as before
commit f8126f1d51.

Signed-off-by: Julian Anastasov <>
Signed-off-by: Pablo Neira Ayuso <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agonetfilter: xt_TEE: don't use destination address found in header
Eric Dumazet [Tue, 16 Oct 2012 22:33:29 +0000 (22:33 +0000)]
netfilter: xt_TEE: don't use destination address found in header

commit 2ad5b9e4bd314fc685086b99e90e5de3bc59e26b upstream.

Torsten Luettgert bisected TEE regression starting with commit
f8126f1d5136be1 (ipv4: Adjust semantics of rt->rt_gateway.)

The problem is that it tries to ARP-lookup the original destination
address of the forwarded packet, not the address of the gateway.

Fix this using FLOWI_FLAG_KNOWN_NH Julian added in commit
c92b96553a80c1 (ipv4: Add FLOWI_FLAG_KNOWN_NH), so that known
nexthop (info->gw.ip) has preference on resolving.

Reported-by: Torsten Luettgert <>
Bisected-by: Torsten Luettgert <>
Tested-by: Torsten Luettgert <>
Cc: Julian Anastasov <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: Pablo Neira Ayuso <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agonetfilter: nf_nat: don't check for port change on ICMP tuples
Ulrich Weber [Thu, 25 Oct 2012 05:34:45 +0000 (05:34 +0000)]
netfilter: nf_nat: don't check for port change on ICMP tuples

commit 38fe36a248ec3228f8e6507955d7ceb0432d2000 upstream.

ICMP tuples have id in src and type/code in dst.
So comparing src.u.all with dst.u.all will always fail here
and ip_xfrm_me_harder() is called for every ICMP packet,
even if there was no NAT.

Signed-off-by: Ulrich Weber <>
Signed-off-by: Pablo Neira Ayuso <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agor8169: allow multicast packets on sub-8168f chipset.
Nathan Walp [Thu, 1 Nov 2012 12:08:47 +0000 (12:08 +0000)]
r8169: allow multicast packets on sub-8168f chipset.

commit 0481776b7a70f09acf7d9d97c288c3a8403fbfe4 upstream.

RTL_GIGA_MAC_VER_35 includes no multicast hardware filter.

Signed-off-by: Nathan Walp <>
Suggested-by: Hayes Wang <>
Acked-by: Francois Romieu <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agor8169: Fix WoL on RTL8168d/8111d.
Cyril Brulebois [Wed, 31 Oct 2012 14:00:46 +0000 (14:00 +0000)]
r8169: Fix WoL on RTL8168d/8111d.

commit b00e69dee4ccbb3a19989e3d4f1385bc2e3406cd upstream.

This regression was spotted between Debian squeeze and Debian wheezy
kernels (respectively based on 2.6.32 and 3.2). More info about
Wake-on-LAN issues with Realtek's 816x chipsets can be found in the
following thread:

Probable regression from d4ed95d796e5126bba51466dc07e287cebc8bd19;
more chipsets are likely affected.

Tested on top of a 3.2.23 kernel.

Reported-by: Florent Fourcot <>
Tested-by: Florent Fourcot <>
Hinted-by: Francois Romieu <>
Signed-off-by: Cyril Brulebois <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotg3: unconditionally select HWMON support when tg3 is enabled.
Paul Gortmaker [Mon, 1 Oct 2012 15:43:49 +0000 (11:43 -0400)]
tg3: unconditionally select HWMON support when tg3 is enabled.

commit de0a41484c47d783dd4d442914815076aa2caac2 upstream.

There is the seldom used corner case where HWMON=m at the same
time as TIGON3=y (typically randconfigs) which will cause a link
fail like:

drivers/built-in.o: In function `tg3_close':
tg3.c:(.text+0x16bd86): undefined reference to `hwmon_device_unregister'
drivers/built-in.o: In function `tg3_hwmon_open':
tg3.c:(.text+0x16fc4b): undefined reference to `hwmon_device_register'
make[1]: *** [vmlinux] Error 1

Fix it as suggested by DaveM[1] by having the Kconfig logic simply
select HWMON when TIGON3 is selected.  This gets rid of all the
extra IS_ENABLED ifdeffery in tg3.c as a side benefit.


Reported-by: Benjamin Herrenschmidt <>
Cc: Michael Chan <>
Reported-by: Anisse Astier <>
Suggested-by: David S. Miller <>
Signed-off-by: Paul Gortmaker <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoSCSI: isci: Allow SSP tasks into the task management path.
Jeff Skirvin [Thu, 6 Sep 2012 04:36:47 +0000 (21:36 -0700)]
SCSI: isci: Allow SSP tasks into the task management path.

commit 54b46677757ff8d6c282305fc7710f466b63d6dc upstream.

This commit fixes a driver bug for SSP tasks that require task management
in the target after they complete in the SCU hardware.  The problem was
manifested in the function "isci_task_abort_task", which tests
to see if the sas_task.lldd_task is non-NULL before allowing task
management; this bug would always NULL lldd_task in the SCU I/O completion
path even if target management was required, which would prevent
task / target manangement from happening.

Note that in the case of SATA/STP targets, error recovery is provided by
the libata error handler which is why SATA/STP device recovery worked
correctly even though SSP handling did not.

Signed-off-by: Jeff Skirvin <>
Signed-off-by: James Bottomley <>
Cc: "Dorau, Lukasz" <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoxen/events: fix RCU warning, or Call idle notifier after irq_enter()
Mojiong Qiu [Tue, 6 Nov 2012 08:08:15 +0000 (16:08 +0800)]
xen/events: fix RCU warning, or Call idle notifier after irq_enter()

commit 772aebcefeff310f80e32b874988af0076cb799d upstream.

exit_idle() should be called after irq_enter(), otherwise it throws:

[ INFO: suspicious RCU usage. ]
3.6.5 #1 Not tainted
include/linux/rcupdate.h:725 rcu_read_lock() used illegally while idle!

other info that might help us debug this:

RCU used illegally from idle CPU!
rcu_scheduler_active = 1, debug_locks = 1
RCU used illegally from extended quiescent state!
1 lock held by swapper/0/0:
 #0:  (rcu_read_lock){......}, at: [<ffffffff810e9fe0>] __atomic_notifier_call_chain+0x0/0x140

stack backtrace:
Pid: 0, comm: swapper/0 Not tainted 3.6.5 #1
Call Trace:
 <IRQ>  [<ffffffff811259a2>] lockdep_rcu_suspicious+0xe2/0x130
 [<ffffffff810ea10c>] __atomic_notifier_call_chain+0x12c/0x140
 [<ffffffff810e9fe0>] ? atomic_notifier_chain_unregister+0x90/0x90
 [<ffffffff811216cd>] ? trace_hardirqs_off+0xd/0x10
 [<ffffffff810ea136>] atomic_notifier_call_chain+0x16/0x20
 [<ffffffff810777c3>] exit_idle+0x43/0x50
 [<ffffffff81568865>] xen_evtchn_do_upcall+0x25/0x50
 [<ffffffff81aa690e>] xen_do_hypervisor_callback+0x1e/0x30
 <EOI>  [<ffffffff810013aa>] ? hypercall_page+0x3aa/0x1000
 [<ffffffff810013aa>] ? hypercall_page+0x3aa/0x1000
 [<ffffffff81061540>] ? xen_safe_halt+0x10/0x20
 [<ffffffff81075cfa>] ? default_idle+0xba/0x570
 [<ffffffff810778af>] ? cpu_idle+0xdf/0x140
 [<ffffffff81a4d881>] ? rest_init+0x135/0x144
 [<ffffffff81a4d74c>] ? csum_partial_copy_generic+0x16c/0x16c
 [<ffffffff82520c45>] ? start_kernel+0x3db/0x3e8
 [<ffffffff8252066a>] ? repair_env_string+0x5a/0x5a
 [<ffffffff82520356>] ? x86_64_start_reservations+0x131/0x135
 [<ffffffff82524aca>] ? xen_start_kernel+0x465/0x46

Git commit 98ad1cc14a5c4fd658f9d72c6ba5c86dfd3ce0d5
Author: Frederic Weisbecker <>
Date:   Fri Oct 7 18:22:09 2011 +0200

    x86: Call idle notifier after irq_enter()

did this, but it missed the Xen code.

Signed-off-by: Mojiong Qiu <>
Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agor8169: use unlimited DMA burst for TX
Michal Schmidt [Sun, 9 Sep 2012 13:55:26 +0000 (13:55 +0000)]
r8169: use unlimited DMA burst for TX

commit aee77e4accbeb2c86b1d294cd84fec4a12dde3bd upstream.

The r8169 driver currently limits the DMA burst for TX to 1024 bytes. I have
a box where this prevents the interface from using the gigabit line to its full
potential. This patch solves the problem by setting TX_DMA_BURST to unlimited.

The box has an ASRock B75M motherboard with on-board RTL8168evl/8111evl
(XID 0c900880). TSO is enabled.

I used netperf (TCP_STREAM test) to measure the dependency of TX throughput
on MTU. I did it for three different values of TX_DMA_BURST ('5'=512, '6'=1024,
'7'=unlimited). This chart shows the results:

Interesting points:
 - With the current DMA burst limit (1024):
   - at the default MTU=1500 I get only 842 Mbit/s.
   - when going from small MTU, the performance rises monotonically with
     increasing MTU only up to a peak at MTU=1076 (908 MBit/s). Then there's
     a sudden drop to 762 MBit/s from which the throughput rises monotonically
     again with further MTU increases.
 - With a smaller DMA burst limit (512):
   - there's a similar peak at MTU=1076 and another one at MTU=564.
 - With unlimited DMA burst:
   - at the default MTU=1500 I get nice 940 Mbit/s.
   - the throughput rises monotonically with increasing MTU with no strange

Notice that the peaks occur at MTU sizes that are multiples of the DMA burst
limit plus 52. Why 52? Because:
  20 (IP header) + 20 (TCP header) + 12 (TCP options) = 52

The Realtek-provided r8168 driver (v8.032.00) uses unlimited TX DMA burst too,
except for CFG_METHOD_1 where the TX DMA burst is set to 512 bytes.
CFG_METHOD_1 appears to be the oldest MAC version of "RTL8168B/8111B",
i.e. RTL_GIGA_MAC_VER_11 in r8169. Not sure if this MAC version really needs
the smaller burst limit, or if any other versions have similar requirements.

Signed-off-by: Michal Schmidt <>
Acked-by: Francois Romieu <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoGFS2: Don't call file_accessed() with a shared glock
Benjamin Marzinski [Tue, 6 Nov 2012 06:49:28 +0000 (00:49 -0600)]
GFS2: Don't call file_accessed() with a shared glock

commit 3d1626889a64bd5a661544d582036a0a02104a60 upstream.

file_accessed() was being called by gfs2_mmap() with a shared glock. If it
needed to update the atime, it was crashing because it dirtied the inode in
gfs2_dirty_inode() without holding an exclusive lock. gfs2_dirty_inode()
checked if the caller was already holding a glock, but it didn't make sure that
the glock was in the exclusive state. Now, instead of calling file_accessed()
while holding the shared lock in gfs2_mmap(), file_accessed() is called after
grabbing and releasing the glock to update the inode.  If file_accessed() needs
to update the atime, it will grab an exclusive lock in gfs2_dirty_inode().

gfs2_dirty_inode() now also checks to make sure that if the calling process has
already locked the glock, it has an exclusive lock.

Signed-off-by: Benjamin Marzinski <>
Signed-off-by: Steven Whitehouse <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: usb-audio: Fix crash at re-preparing the PCM stream
Takashi Iwai [Tue, 20 Nov 2012 07:20:02 +0000 (08:20 +0100)]
ALSA: usb-audio: Fix crash at re-preparing the PCM stream

commit f58161ba1b05a968e5136824b5a16b714b6a5317 upstream.

There are bug reports of a crash with USB-audio devices when PCM
prepare is performed immediately after the stream is stopped via
trigger callback.  It turned out that the problem is that we don't
wait until all URBs are killed.

This patch adds a new function to synchronize the pending stop
operation on an endpoint, and calls in the prepare callback for
avoiding the crash above.


Reported-and-tested-by: Artem S. Tashkinov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotmpfs: change final i_blocks BUG to WARNING
Hugh Dickins [Fri, 16 Nov 2012 22:15:04 +0000 (14:15 -0800)]
tmpfs: change final i_blocks BUG to WARNING

commit 0f3c42f522dc1ad7e27affc0a4aa8c790bce0a66 upstream.

Under a particular load on one machine, I have hit shmem_evict_inode()'s
BUG_ON(inode->i_blocks), enough times to narrow it down to a particular
race between swapout and eviction.

It comes from the "if (freed > 0)" asymmetry in shmem_recalc_inode(),
and the lack of coherent locking between mapping's nrpages and shmem's
swapped count.  There's a window in shmem_writepage(), between lowering
nrpages in shmem_delete_from_page_cache() and then raising swapped
count, when the freed count appears to be +1 when it should be 0, and
then the asymmetry stops it from being corrected with -1 before hitting
the BUG.

One answer is coherent locking: using tree_lock throughout, without
info->lock; reasonable, but the raw_spin_lock in percpu_counter_add() on
used_blocks makes that messier than expected.  Another answer may be a
further effort to eliminate the weird shmem_recalc_inode() altogether,
but previous attempts at that failed.

So far undecided, but for now change the BUG_ON to WARN_ON: in usual
circumstances it remains a useful consistency check.

Signed-off-by: Hugh Dickins <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotcp: handle tcp_net_metrics_init() order-5 memory allocation failures
Eric Dumazet [Fri, 16 Nov 2012 05:31:53 +0000 (05:31 +0000)]
tcp: handle tcp_net_metrics_init() order-5 memory allocation failures

[ Upstream commit 976a702ac9eeacea09e588456ab165dc06f9ee83 ]

order-5 allocations can fail with current kernels, we should
try vmalloc() as well.

Reported-by: Julien Tinnes <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotcp: fix retransmission in repair mode
Andrew Vagin [Thu, 15 Nov 2012 04:03:17 +0000 (04:03 +0000)]
tcp: fix retransmission in repair mode

[ Upstream commit ec34232575083fd0f43d3a101e8ebb041b203761 ]

Currently if a socket was repaired with a few packet in a write queue,
a kernel bug may be triggered:

kernel BUG at net/ipv4/tcp_output.c:2330!
RIP: 0010:[<ffffffff8155784f>] tcp_retransmit_skb+0x5ff/0x610

According to the initial realization v3.4-rc2-963-gc0e88ff,
all skb-s should look like already posted. This patch fixes code
according with this sentence.

Here are three points, which were not done in the initial patch:
1. A tcp send head should not be changed
2. Initialize TSO state of a skb
3. Reset the retransmission time

This patch moves logic from tcp_sendmsg to tcp_write_xmit. A packet
passes the ussual way, but isn't sent to network. This patch solves
all described problems and handles tcp_sendpages.

Signed-off-by: Andrey Vagin <>
Cc: Pavel Emelyanov <>
Cc: "David S. Miller" <>
Cc: Alexey Kuznetsov <>
Cc: James Morris <>
Cc: Hideaki YOSHIFUJI <>
Cc: Patrick McHardy <>
Acked-by: Pavel Emelyanov <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agonet-rps: Fix brokeness causing OOO packets
Tom Herbert [Fri, 16 Nov 2012 09:04:15 +0000 (09:04 +0000)]
net-rps: Fix brokeness causing OOO packets

[ Upstream commit baefa31db2f2b13a05d1b81bdf2d20d487f58b0a ]

In commit c445477d74ab3779 which adds aRFS to the kernel, the CPU
selected for RFS is not set correctly when CPU is changing.
This is causing OOO packets and probably other issues.

Signed-off-by: Tom Herbert <>
Acked-by: Eric Dumazet <>
Acked-by: Ben Hutchings <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agonet: correct check in dev_addr_del()
Jiri Pirko [Wed, 14 Nov 2012 02:51:04 +0000 (02:51 +0000)]
net: correct check in dev_addr_del()

[ Upstream commit a652208e0b52c190e57f2a075ffb5e897fe31c3b ]

Check (ha->addr == dev->dev_addr) is always true because dev_addr_init()
sets this. Correct the check to behave properly on addr removal.

Signed-off-by: Jiri Pirko <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoipv6: setsockopt(IPIPPROTO_IPV6, IPV6_MINHOPCOUNT) forgot to set return value
Hannes Frederic Sowa [Sat, 10 Nov 2012 19:52:34 +0000 (19:52 +0000)]
ipv6: setsockopt(IPIPPROTO_IPV6, IPV6_MINHOPCOUNT) forgot to set return value

[ Upstream commit d4596bad2a713fcd0def492b1960e6d899d5baa8 ]

Cc: Stephen Hemminger <>
Signed-off-by: Hannes Frederic Sowa <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoipv4/ip_vti.c: VTI fix post-decryption forwarding
Saurabh Mohan [Thu, 15 Nov 2012 02:08:15 +0000 (18:08 -0800)]
ipv4/ip_vti.c: VTI fix post-decryption forwarding

[ Upstream commit b2942004fb5c9f3304b77e187b8a1977b3626c9b ]

With the latest kernel there are two things that must be done post decryption
 so that the packet are forwarded.
 1. Remove the mark from the packet. This will cause the packet to not match
 the ipsec-policy again. However doing this causes the post-decryption check to
 fail also and the packet will get dropped. (cat /proc/net/xfrm_stat).
 2. Remove the sp association in the skbuff so that no policy check is done on
 the packet for VTI tunnels.

Due to #2 above we must now do a security-policy check in the vti rcv path
prior to resetting the mark in the skbuff.

Signed-off-by: Saurabh Mohan <>
Reported-by: Ruben Herold <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoipv4: avoid undefined behavior in do_ip_setsockopt()
Xi Wang [Sun, 11 Nov 2012 11:20:01 +0000 (11:20 +0000)]
ipv4: avoid undefined behavior in do_ip_setsockopt()

[ Upstream commit 0c9f79be295c99ac7e4b569ca493d75fdcc19e4e ]

(1<<optname) is undefined behavior in C with a negative optname or
optname larger than 31.  In those cases the result of the shift is
not necessarily zero (e.g., on x86).

This patch simplifies the code with a switch statement on optname.
It also allows the compiler to generate better code (e.g., using a
64-bit mask).

Signed-off-by: Xi Wang <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agom68k: fix sigset_t accessor functions
Andreas Schwab [Sat, 17 Nov 2012 21:27:04 +0000 (22:27 +0100)]
m68k: fix sigset_t accessor functions

commit 34fa78b59c52d1db3513db4c1a999db26b2e9ac2 upstream.

The sigaddset/sigdelset/sigismember functions that are implemented with
bitfield insn cannot allow the sigset argument to be placed in a data
register since the sigset is wider than 32 bits.  Remove the "d"
constraint from the asm statements.

The effect of the bug is that sending RT signals does not work, the signal
number is truncated modulo 32.

Signed-off-by: Andreas Schwab <>
Signed-off-by: Geert Uytterhoeven <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoBluetooth: Fix having bogus entries in mgmt_read_index_list reply
Johan Hedberg [Fri, 19 Oct 2012 17:10:46 +0000 (20:10 +0300)]
Bluetooth: Fix having bogus entries in mgmt_read_index_list reply

commit 476e44cb19f1fbf2d5883dddcc0ce31b33b45915 upstream.

The mgmt_read_index_list uses one loop to calculate the max needed size
of its response with the help of an upper-bound of the controller count.
The second loop is more strict as it checks for HCI_SETUP (which might
have gotten set after the first loop) and could result in some indexes
being skipped. Because of this the function needs to readjust the event
length and index count after filling in the response array.

Signed-off-by: Johan Hedberg <>
Acked-by: Marcel Holtmann <>
Signed-off-by: Gustavo Padovan <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agowireless: allow 40 MHz on world roaming channels 12/13
Johannes Berg [Mon, 12 Nov 2012 09:51:34 +0000 (10:51 +0100)]
wireless: allow 40 MHz on world roaming channels 12/13

commit 43c771a1963ab461a2f194e3c97fded1d5fe262f upstream.

When in world roaming mode, allow 40 MHz to be used
on channels 12 and 13 so that an AP that is, e.g.,
using HT40+ on channel 9 (in the UK) can be used.

Reported-by: Eddie Chapman <>
Tested-by: Eddie Chapman <>
Acked-by: Luis R. Rodriguez <>
Signed-off-by: Johannes Berg <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoiwlwifi: handle DMA mapping failures
Johannes Berg [Sun, 4 Nov 2012 08:29:17 +0000 (09:29 +0100)]
iwlwifi: handle DMA mapping failures

commit 7c34158231b2eda8dcbd297be2bb1559e69cb433 upstream.

The RX replenish code doesn't handle DMA mapping failures,
which will cause issues if there actually is a failure. This
was reported by Shuah Khan who found a DMA mapping framework
warning ("device driver failed to check map error").

Reported-by: Shuah Khan <>
Reviewed-by: Emmanuel Grumbach <>
Signed-off-by: Johannes Berg <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomemcg: fix hotplugged memory zone oops
Hugh Dickins [Fri, 16 Nov 2012 22:14:54 +0000 (14:14 -0800)]
memcg: fix hotplugged memory zone oops

commit bea8c150a7efbc0f204e709b7274fe273f55e0d3 upstream.

When MEMCG is configured on (even when it's disabled by boot option),
when adding or removing a page to/from its lru list, the zone pointer
used for stats updates is nowadays taken from the struct lruvec.  (On
many configurations, calculating zone from page is slower.)

But we have no code to update all the lruvecs (per zone, per memcg) when
a memory node is hotadded.  Here's an extract from the oops which
results when running numactl to bind a program to a newly onlined node:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000f60
  IP:  __mod_zone_page_state+0x9/0x60
  Pid: 1219, comm: numactl Not tainted 3.6.0-rc5+ #180 Bochs Bochs
  Process numactl (pid: 1219, threadinfo ffff880039abc000, task ffff8800383c4ce0)
  Call Trace:

The natural solution might be to use a memcg callback whenever memory is
hotadded; but that solution has not been scoped out, and it happens that
we do have an easy location at which to update lruvec->zone.  The lruvec
pointer is discovered either by mem_cgroup_zone_lruvec() or by
mem_cgroup_page_lruvec(), and both of those do know the right zone.

So check and set lruvec->zone in those; and remove the inadequate
attempt to set lruvec->zone from lruvec_init(), which is called before
NODE_DATA(node) has been allocated in such cases.

Ah, there was one exceptionr.  For no particularly good reason,
mem_cgroup_force_empty_list() has its own code for deciding lruvec.
Change it to use the standard mem_cgroup_zone_lruvec() and
mem_cgroup_get_lru_size() too.  In fact it was already safe against such
an oops (the lru lists in danger could only be empty), but we're better
proofed against future changes this way.

I've marked this for stable (3.6) since we introduced the problem in 3.5
(now closed to stable); but I have no idea if this is the only fix
needed to get memory hotadd working with memcg in 3.6, and received no
answer when I enquired twice before.

Reported-by: Tang Chen <>
Signed-off-by: Hugh Dickins <>
Acked-by: Johannes Weiner <>
Acked-by: KAMEZAWA Hiroyuki <>
Cc: Konstantin Khlebnikov <>
Cc: Wen Congyang <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomemcg: oom: fix totalpages calculation for memory.swappiness==0
Michal Hocko [Fri, 16 Nov 2012 22:14:49 +0000 (14:14 -0800)]
memcg: oom: fix totalpages calculation for memory.swappiness==0

commit 9a5a8f19b43430752067ecaee62fc59e11e88fa6 upstream.

oom_badness() takes a totalpages argument which says how many pages are
available and it uses it as a base for the score calculation.  The value
is calculated by mem_cgroup_get_limit which considers both limit and
total_swap_pages (resp.  memsw portion of it).

This is usually correct but since fe35004fbf9e ("mm: avoid swapping out
with swappiness==0") we do not swap when swappiness is 0 which means
that we cannot really use up all the totalpages pages.  This in turn
confuses oom score calculation if the memcg limit is much smaller than
the available swap because the used memory (capped by the limit) is
negligible comparing to totalpages so the resulting score is too small
if adj!=0 (typically task with CAP_SYS_ADMIN or non zero oom_score_adj).
A wrong process might be selected as result.

The problem can be worked around by checking mem_cgroup_swappiness==0
and not considering swap at all in such a case.

Signed-off-by: Michal Hocko <>
Acked-by: David Rientjes <>
Acked-by: Johannes Weiner <>
Acked-by: KOSAKI Motohiro <>
Acked-by: KAMEZAWA Hiroyuki <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agottm: Clear the ttm page allocated from high memory zone correctly
Zhao Yakui [Tue, 13 Nov 2012 18:31:55 +0000 (18:31 +0000)]
ttm: Clear the ttm page allocated from high memory zone correctly

commit ac207ed2471150e06af0afc76e4becc701fa2733 upstream.

The TTM page can be allocated from high memory. In such case it is
wrong to use the page_address(page) as the virtual address for the high memory


Signed-off-by: Zhao Yakui <>
Reviewed-by: Thomas Hellstrom <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoKVM: x86: Fix invalid secondary exec controls in vmx_cpuid_update()
Takashi Iwai [Fri, 9 Nov 2012 14:20:17 +0000 (15:20 +0100)]
KVM: x86: Fix invalid secondary exec controls in vmx_cpuid_update()

commit 29282fde80d44e587f8c152b10049a56e61659f0 upstream.

The commit [ad756a16: KVM: VMX: Implement PCID/INVPCID for guests with
EPT] introduced the unconditional access to SECONDARY_VM_EXEC_CONTROL,
and this triggers kernel warnings like below on old CPUs:

    vmwrite error: reg 401e value a0568000 (err 12)
    Pid: 13649, comm: qemu-kvm Not tainted 3.7.0-rc4-test2+ #154
    Call Trace:
     [<ffffffffa0558d86>] vmwrite_error+0x27/0x29 [kvm_intel]
     [<ffffffffa054e8cb>] vmcs_writel+0x1b/0x20 [kvm_intel]
     [<ffffffffa054f114>] vmx_cpuid_update+0x74/0x170 [kvm_intel]
     [<ffffffffa03629b6>] kvm_vcpu_ioctl_set_cpuid2+0x76/0x90 [kvm]
     [<ffffffffa0341c67>] kvm_arch_vcpu_ioctl+0xc37/0xed0 [kvm]
     [<ffffffff81143f7c>] ? __vunmap+0x9c/0x110
     [<ffffffffa0551489>] ? vmx_vcpu_load+0x39/0x1a0 [kvm_intel]
     [<ffffffffa0340ee2>] ? kvm_arch_vcpu_load+0x52/0x1a0 [kvm]
     [<ffffffffa032dcd4>] ? vcpu_load+0x74/0xd0 [kvm]
     [<ffffffffa032deb0>] kvm_vcpu_ioctl+0x110/0x5e0 [kvm]
     [<ffffffffa032e93d>] ? kvm_dev_ioctl+0x4d/0x4a0 [kvm]
     [<ffffffff8117dc6f>] do_vfs_ioctl+0x8f/0x530
     [<ffffffff81139d76>] ? remove_vma+0x56/0x60
     [<ffffffff8113b708>] ? do_munmap+0x328/0x400
     [<ffffffff81187c8c>] ? fget_light+0x4c/0x100
     [<ffffffff8117e1a1>] sys_ioctl+0x91/0xb0
     [<ffffffff815a942d>] system_call_fastpath+0x1a/0x1f

This patch adds a check for the availability of secondary exec
control to avoid these warnings.

Signed-off-by: Takashi Iwai <>
Signed-off-by: Marcelo Tosatti <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotmpfs: fix shmem_getpage_gfp() VM_BUG_ON
Hugh Dickins [Fri, 16 Nov 2012 22:15:03 +0000 (14:15 -0800)]
tmpfs: fix shmem_getpage_gfp() VM_BUG_ON

commit 215c02bc33bbd5ff4d7379a909462d11f0103218 upstream.

Fuzzing with trinity hit the "impossible" VM_BUG_ON(error) (which Fedora
has converted to WARNING) in shmem_getpage_gfp():

  WARNING: at mm/shmem.c:1151 shmem_getpage_gfp+0xa5c/0xa70()
  Pid: 29795, comm: trinity-child4 Not tainted 3.7.0-rc2+ #49
  Call Trace:

Thanks to Johannes for pointing to truncation: free_swap_and_cache()
only does a trylock on the page, so the page lock we've held since
before confirming swap is not enough to protect against truncation.

What cleanup is needed in this case? Just delete_from_swap_cache(),
which takes care of the memcg uncharge.

Signed-off-by: Hugh Dickins <>
Reported-by: Dave Jones <>
Cc: Johannes Weiner <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrm/radeon: fix logic error in atombios_encoders.c
Alex Deucher [Wed, 14 Nov 2012 14:10:39 +0000 (09:10 -0500)]
drm/radeon: fix logic error in atombios_encoders.c

commit b9196395c905edec512dfd6690428084228c16ec upstream.


Reported-by: David Binderman <>
Signed-off-by: Alex Deucher <>
Reviewed-by: Michel Dänzer <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrm/i915/sdvo: clean up connectors on intel_sdvo_init() failures
Jani Nikula [Mon, 12 Nov 2012 16:31:35 +0000 (18:31 +0200)]
drm/i915/sdvo: clean up connectors on intel_sdvo_init() failures

commit d0ddfbd3d1346c1f481ec2289eef350cdba64b42 upstream.

Any failures in intel_sdvo_init() after the intel_sdvo_setup_output() call
left behind ghost connectors, attached (with a dangling pointer) to the
sdvo that has been cleaned up and freed. Properly destroy any connectors
attached to the encoder.

CC: Chris Wilson <>
Signed-off-by: Jani Nikula <>
[danvet: added a comment to explain why we need to clean up connectors
even when sdvo_output_setup fails.]
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUSB: option: add Alcatel X220/X500D USB IDs
Dan Williams [Thu, 8 Nov 2012 17:56:53 +0000 (11:56 -0600)]
USB: option: add Alcatel X220/X500D USB IDs

commit c0bc3098871dd9b964f6b45ec1e4d70d87811744 upstream.

Signed-off-by: Dan Williams <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUSB: option: add Novatel E362 and Dell Wireless 5800 USB IDs
Dan Williams [Thu, 8 Nov 2012 17:56:42 +0000 (11:56 -0600)]
USB: option: add Novatel E362 and Dell Wireless 5800 USB IDs

commit fcb21645f1bd86d2be29baf48aa1b298de52ccc7 upstream.

The Dell 5800 appears to be a simple rebrand of the Novatel E362.

Signed-off-by: Dan Williams <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUSB: usb_wwan: fix bulk-urb allocation
Johan Hovold [Fri, 26 Oct 2012 16:44:20 +0000 (18:44 +0200)]
USB: usb_wwan: fix bulk-urb allocation

commit 8e493ca1767d4951ed1322abaa74d6edbca29918 upstream.

Make sure we do not allocate urbs if we do not have a bulk endpoint.

Legacy code used incorrect assumption to test for bulk endpoints.

Reported-by: Dan Carpenter <>
Signed-off-by: Johan Hovold <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUSB: keyspan: fix typo causing GPF on open
Bjørn Mork [Sat, 10 Nov 2012 09:13:42 +0000 (10:13 +0100)]
USB: keyspan: fix typo causing GPF on open

commit f0e3e35c9049087172c65302b42da8fe7ebb63a8 upstream.

Commit f79b2d0f (USB: keyspan: fix NULL-pointer dereferences and
memory leaks) had a small typo which made the driver use wrong
offsets when mapping serial port private data.  This results in
in a GPF when the port is opened.

Reported-by: Richard <>
Signed-off-by: Bjørn Mork <>
Acked-by: Johan Hovold <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agos390/gup: add missing TASK_SIZE check to get_user_pages_fast()
Heiko Carstens [Mon, 22 Oct 2012 13:49:02 +0000 (15:49 +0200)]
s390/gup: add missing TASK_SIZE check to get_user_pages_fast()

commit d55c4c613fc4d4ad2ba0fc6fa2b57176d420f7e4 upstream.

When walking page tables we need to make sure that everything
is within bounds of the ASCE limit of the task's address space.
Otherwise we might calculate e.g. a pud pointer which is not
within a pud and dereference it.
So check against TASK_SIZE (which is the ASCE limit) before
walking page tables.

Reviewed-by: Gerald Schaefer <>
Signed-off-by: Heiko Carstens <>
Signed-off-by: Martin Schwidefsky <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoRevert "Staging: Android alarm: IOCTL command encoding fix"
Colin Cross [Thu, 8 Nov 2012 02:21:51 +0000 (18:21 -0800)]
Revert "Staging: Android alarm: IOCTL command encoding fix"

commit d38e0e3fed4f58bcddef4dc93a591dfe2f651cb0 upstream.

Commit 6bd4a5d96c08dc2380f8053b1bd4f879f55cd3c9 changed the
ANDROID_ALARM_GET_TIME ioctls from IOW to IOR.  While technically
correct, the _IOC_DIR bits are ignored by alarm_ioctl, so the
commit breaks a userspace ABI used by all existing Android devices
for a purely cosmetic reason.  Revert it.

Cc: Dae S. Kim <>
Signed-off-by: Colin Cross <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoARM: dt: tegra: fix length of pad control and mux registers
Pritesh Raithatha [Tue, 30 Oct 2012 10:07:09 +0000 (15:37 +0530)]
ARM: dt: tegra: fix length of pad control and mux registers

commit 322337b8fbd8c392246529d5db924820fc0c7381 upstream.

The reg property contains <base length> not <base last_offset>. Fix
the length values to be length not last_offset.

Signed-off-by: Pritesh Raithatha <>
Signed-off-by: Stephen Warren <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoARM: imx: ehci: fix host power mask bit
Christoph Fritz [Fri, 16 Nov 2012 14:39:24 +0000 (15:39 +0100)]
ARM: imx: ehci: fix host power mask bit

commit 3d5e2abe6e265acc5e1fda810301243e9bac92b2 upstream.

This patch sets HPM (Host power mask bit) to bit 16 according to i.MX
Reference Manual. Falsely it was set to bit 8, but this controls pull-up

Reported-by: Michael Burkey <>
Signed-off-by: Christoph Fritz <>
Acked-by: Eric Bénard <>
Signed-off-by: Sascha Hauer <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoi2c-mux-pinctrl: Fix probe error path
Guenter Roeck [Tue, 13 Nov 2012 21:27:19 +0000 (22:27 +0100)]
i2c-mux-pinctrl: Fix probe error path

commit aa1e3e81e75ceb3d977c3292cefafcd5179eb8b8 upstream.

When allocating the memory for i2c busses, the code checked the wrong
variable and thus never detected if there was a memory error.

Signed-off-by: Guenter Roeck <>
Signed-off-by: Jean Delvare <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoregulator: fix voltage check in regulator_is_supported_voltage()
Marek Szyprowski [Tue, 13 Nov 2012 08:48:51 +0000 (09:48 +0100)]
regulator: fix voltage check in regulator_is_supported_voltage()

commit f0f98b19e23d4426ca185e3d4ca80e6aff5ef51b upstream.

regulator_is_supported_voltage() should return true only if the voltage
of fixed/constant regulator is between min_uV and max_uV.

Signed-off-by: Marek Szyprowski <>
Signed-off-by: Mark Brown <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agopstore: Fix NULL pointer dereference in console writes
Colin Ian King [Wed, 14 Nov 2012 11:49:53 +0000 (11:49 +0000)]
pstore: Fix NULL pointer dereference in console writes

commit 70a6f46d7b0ec03653b9ab3f8063a9717a4a53ef upstream.

Passing a NULL id causes a NULL pointer deference in writers such as
erst_writer and efi_pstore_write because they expect to update this id.
Pass a dummy id instead.

This avoids a cascade of oopses caused when the initial
pstore_console_write passes a null which in turn causes writes to the
console causing further oopses in subsequent pstore_console_write calls.

Signed-off-by: Colin Ian King <>
Acked-by: Kees Cook <>
Signed-off-by: Anton Vorontsov <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUBIFS: introduce categorized lprops counter
Artem Bityutskiy [Wed, 10 Oct 2012 07:55:28 +0000 (10:55 +0300)]
UBIFS: introduce categorized lprops counter

commit 98a1eebda3cb2a84ecf1f219bb3a95769033d1bf upstream.

This commit is a preparation for a subsequent bugfix. We introduce a
counter for categorized lprops.

Signed-off-by: Artem Bityutskiy <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUBIFS: fix mounting problems after power cuts
Artem Bityutskiy [Tue, 9 Oct 2012 13:20:15 +0000 (16:20 +0300)]
UBIFS: fix mounting problems after power cuts

commit a28ad42a4a0c6f302f488f26488b8b37c9b30024 upstream.

This is a bugfix for a problem with the following symptoms:

1. A power cut happens
2. After reboot, we try to mount UBIFS
3. Mount fails with "No space left on device" error message

UBIFS complains like this:

UBIFS error (pid 28225): grab_empty_leb: could not find an empty LEB

The root cause of this problem is that when we mount, not all LEBs are
categorized. Only those which were read are. However, the
'ubifs_find_free_leb_for_idx()' function assumes that all LEBs were
categorized and 'c->freeable_cnt' is valid, which is a false assumption.

This patch fixes the problem by teaching 'ubifs_find_free_leb_for_idx()'
to always fall back to LPT scanning if no freeable LEBs were found.

This problem was reported by few people in the past, but Brent Taylor
was able to reproduce it and send me a flash image which cannot be mounted,
which made it easy to hunt the bug. Kudos to Brent.

Reported-by: Brent Taylor <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoASoC: core: Double control update err for snd_soc_put_volsw_sx
Mukund Navada [Fri, 9 Nov 2012 06:23:40 +0000 (11:53 +0530)]
ASoC: core: Double control update err for snd_soc_put_volsw_sx

commit d055852ee86703d48b0c571e94bd2eb33aa9b91d upstream.

snd_soc_put_volsw_sx function fails to update second control
if first control is updated by snd_soc_update_bits_locked.

Signed-off-by: Mukund Navada <>
Signed-off-by: Mark Brown <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoASoC: dapm: Use card_list during DAPM shutdown
Misael Lopez Cruz [Thu, 8 Nov 2012 18:03:12 +0000 (12:03 -0600)]
ASoC: dapm: Use card_list during DAPM shutdown

commit 445632ad6dda42f4d3f9df2569a852ca0d4ea608 upstream.

DAPM shutdown incorrectly uses "list" field of codec struct while
iterating over probed components (codec_dev_list). "list" field
refers to codecs registered in the system, "card_list" field is
used for probed components.

Signed-off-by: Misael Lopez Cruz <>
Signed-off-by: Liam Girdwood <>
Signed-off-by: Mark Brown <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoASoC: cs42l52: fix the return value of cs42l52_set_fmt()
Wei Yongjun [Wed, 7 Nov 2012 12:38:35 +0000 (20:38 +0800)]
ASoC: cs42l52: fix the return value of cs42l52_set_fmt()

commit 5c855c8e2be67f2d5a989ef1190098f924f9f820 upstream.

Fix the return value of cs42l52_set_fmt() when clock inversion is
not allowed and also remove the useless variable ret.

dpatch engine is used to auto generate this patch.

[We had been assigning to ret but then ignoring the value we assgined
-- broonie]

Signed-off-by: Wei Yongjun <>
Signed-off-by: Mark Brown <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoASoC: wm8978: pll incorrectly configured when codec is master
Eric Millbrandt [Fri, 2 Nov 2012 21:05:44 +0000 (17:05 -0400)]
ASoC: wm8978: pll incorrectly configured when codec is master

commit 55c6f4cb6ef49afbb86222c6a3ff85329199c729 upstream.

When MCLK is supplied externally and BCLK and LRC are configured as outputs
(codec is master), the PLL values are only calculated correctly on the first
transmission.  On subsequent transmissions, at differenct sample rates, the
wrong PLL values are used.  Test for f_opclk instead of f_pllout to determine
if the PLL values are needed.

Signed-off-by: Eric Millbrandt <>
Signed-off-by: Mark Brown <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: hda - Add a missing quirk entry for iMac 9,1
Takashi Iwai [Mon, 12 Nov 2012 09:07:36 +0000 (10:07 +0100)]
ALSA: hda - Add a missing quirk entry for iMac 9,1

commit 05193639ca977cc889668718adb38db6d585045b upstream.

This is another variant of iMac 9,1 with a different codec SSID.

Reported-and-tested-by: Everaldo Canuto <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: hda - Add new codec ALC668 and ALC900 (default name ALC1150)
Kailang Yang [Thu, 8 Nov 2012 09:25:37 +0000 (10:25 +0100)]
ALSA: hda - Add new codec ALC668 and ALC900 (default name ALC1150)

commit 19a62823eae453619604636082085812c14ee391 upstream.

Signed-off-by: Kailang Yang <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: hda - Improve HP depop when system enter to S3
Kailang Yang [Thu, 8 Nov 2012 09:23:18 +0000 (10:23 +0100)]
ALSA: hda - Improve HP depop when system enter to S3

commit 1387e2d12799e554df2f60e7ae7fe01384bcb96f upstream.

alc269_toggle_power_output() was only use in ALC269VB.  I rename it to

Signed-off-by: Kailang Yang <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: hda - Fix invalid connections in VT1802 codec
Takashi Iwai [Wed, 7 Nov 2012 09:37:48 +0000 (10:37 +0100)]
ALSA: hda - Fix invalid connections in VT1802 codec

commit ef4da45828603df57e5e21b8aa21a66ce309f79b upstream.

VT1802 codec provides the invalid connection lists of NID 0x24 and
0x33 containing the routes to a non-exist widget 0x3e.  This confuses
the auto-parser.  Fix it up in the driver by overriding these

Reported-by: Massimo Del Fedele <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: hda - Fix empty DAC filling in patch_via.c
Takashi Iwai [Wed, 7 Nov 2012 09:32:47 +0000 (10:32 +0100)]
ALSA: hda - Fix empty DAC filling in patch_via.c

commit 5b3761954dac2d1393beef8210eb8cee81d16b8d upstream.

In via_auto_fill_adc_nids(), the parser tries to fill dac_nids[] at
the point of the current line-out (i).  When no valid path is found
for this output, this results in dac = 0, thus it creates a hole in
dac_nids[].  This confuses is_empty_dac() and trims the detected DAC
in later reference.

This patch fixes the bug by appending DAC properly to dac_nids[] in

Reported-by: Massimo Del Fedele <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: hda - Force to reset IEC958 status bits for AD codecs
Takashi Iwai [Mon, 5 Nov 2012 11:32:46 +0000 (12:32 +0100)]
ALSA: hda - Force to reset IEC958 status bits for AD codecs

commit ae24c3191ba2ab03ec6b4be323e730e00404b4b6 upstream.

Several bug reports suggest that the forcibly resetting IEC958 status
bits is required for AD codecs to get the SPDIF output working
properly after changing streams.

Original fix credit to Javeed Shaikh.

Reported-by: Robin Kreis <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: HDA: Fix digital microphone on CS420x
Daniel J Blueman [Sun, 4 Nov 2012 05:19:03 +0000 (13:19 +0800)]
ALSA: HDA: Fix digital microphone on CS420x

commit 16337e028a6dae9fbdd718c0d42161540a668ff3 upstream.

Correctly enable the digital microphones with the right bits in the
right coeffecient registers on Cirrus CS4206/7 codecs. It also
prevents misconfiguring ADC1/2.

This fixes the digital mic on the Macbook Pro 10,1/Retina.

Based-on-patch-by: Alexander Stein <>
Signed-off-by: Daniel J Blueman <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: hda: Cirrus: Fix coefficient index for beep configuration
Alexander Stein [Thu, 1 Nov 2012 12:42:37 +0000 (13:42 +0100)]
ALSA: hda: Cirrus: Fix coefficient index for beep configuration

commit 5a83b4b5a391f07141b157ac9daa51c409e71ab5 upstream.

Signed-off-by: Alexander Stein <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoptp: update adjfreq callback description
Jacob Keller [Thu, 1 Nov 2012 12:30:16 +0000 (12:30 +0000)]
ptp: update adjfreq callback description

commit 87f4d7c1d36f44b0822053b7e5dedc31fdd0ab99 upstream.

This patch updates the adjfreq callback description to include a note that the
delta in ppb is always relative to the base frequency, and not to the current
frequency of the hardware clock.

Signed-off-by: Jacob Keller <>
CC: Richard Cochran <>
CC: John Stultz <>
Signed-off-by: Jeff Kirsher <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoARM: at91/AT91SAM9G45: fix crypto peripherals irq issue due to sparse irq support
Nicolas Royer [Tue, 6 Nov 2012 16:31:03 +0000 (17:31 +0100)]
ARM: at91/AT91SAM9G45: fix crypto peripherals irq issue due to sparse irq support

commit 097965ee447e5ccec9776f9b075e64cf7607e5eb upstream.

Spare irq support introduced by commit 8fe82a5 (ARM: at91: sparse irq support)
involves to add the NR_IRQS_LEGACY offset to irq number.

Signed-off-by: Nicolas Royer <>
Acked-by: Nicolas Ferre <>
Acked-by: Eric Bénard <>
Tested-by: Eric Bénard <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agocrypto: cryptd - disable softirqs in cryptd_queue_worker to prevent data corruption
Jussi Kivilinna [Sun, 21 Oct 2012 17:42:28 +0000 (20:42 +0300)]
crypto: cryptd - disable softirqs in cryptd_queue_worker to prevent data corruption

commit 9efade1b3e981f5064f9db9ca971b4dc7557ae42 upstream.

cryptd_queue_worker attempts to prevent simultaneous accesses to crypto
workqueue by cryptd_enqueue_request using preempt_disable/preempt_enable.
However cryptd_enqueue_request might be called from softirq context,
so add local_bh_disable/local_bh_enable to prevent data corruption and

Bug report at

 - Disable software interrupts instead of hardware interrupts

Reported-by: Gurucharan Shetty <>
Signed-off-by: Jussi Kivilinna <>
Signed-off-by: Herbert Xu <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agocifs: Do not lookup hashed negative dentry in cifs_atomic_open
Sachin Prabhu [Mon, 5 Nov 2012 11:39:32 +0000 (11:39 +0000)]
cifs: Do not lookup hashed negative dentry in cifs_atomic_open

commit 3798f47aa276b332c30da499cb4df4577e2f8872 upstream.

We do not need to lookup a hashed negative directory since we have
already revalidated it before and have found it to be fine.

This also prevents a crash in cifs_lookup() when it attempts to rehash
the already hashed negative lookup dentry.

The patch has been tested using the reproducer at

Reported-by: Vit Zahradka <>
Signed-off-by: Sachin Prabhu <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agocifs: fix potential buffer overrun in cifs.idmap handling code
Jeff Layton [Sat, 3 Nov 2012 13:37:28 +0000 (09:37 -0400)]
cifs: fix potential buffer overrun in cifs.idmap handling code

commit 36960e440ccf94349c09fb944930d3bfe4bc473f upstream.

The userspace cifs.idmap program generally works with the wbclient libs
to generate binary SIDs in userspace. That program defines the struct
that holds these values as having a max of 15 subauthorities. The kernel
idmapping code however limits that value to 5.

When the kernel copies those values around though, it doesn't sanity
check the num_subauths value handed back from userspace or from the
server. It's possible therefore for userspace to hand us back a bogus
num_subauths value (or one that's valid, but greater than 5) that could
cause the kernel to walk off the end of the cifs_sid->sub_auths array.

Fix this by defining a new routine for copying sids and using that in
all of the places that copy it. If we end up with a sid that's longer
than expected then this approach will just lop off the "extra" subauths,
but that's basically what the code does today already. Better approaches
might be to fix this code to reject SIDs with >5 subauths, or fix it
to handle the subauths array dynamically.

At the same time, change the kernel to check the length of the data
returned by userspace. If it's shorter than struct cifs_sid, reject it
and return -EIO. If that happens we'll end up with fields that are
basically uninitialized.

Long term, it might make sense to redefine cifs_sid using a flexarray at
the end, to allow for variable-length subauth lists, and teach the code
to handle the case where the subauths array being passed in from
userspace is shorter than 5 elements.

Note too, that I don't consider this a security issue since you'd need
a compromised cifs.idmap program. If you have that, you can do all sorts
of nefarious stuff. Still, this is probably reasonable for stable.

Reviewed-by: Shirish Pargaonkar <>
Signed-off-by: Jeff Layton <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agovirtio: Don't access index after unregister.
Cornelia Huck [Fri, 9 Nov 2012 04:24:12 +0000 (14:54 +1030)]
virtio: Don't access index after unregister.

commit 237242bddc99041e15a4ca51b8439657cadaff17 upstream.

Virtio wants to release used indices after the corresponding
virtio device has been unregistered. However, virtio does not
hold an extra reference, giving up its last reference with
device_unregister(), making accessing dev->index afterwards

I actually saw problems when testing my (not-yet-merged)
virtio-ccw code:

- device_add virtio-net,id=xxx
-> creates device virtio<n> with n>0

- device_del xxx
-> deletes virtio<n>, but calls ida_simple_remove with an
   index of 0

- device_add virtio-net,id=xxx
-> tries to add virtio0, which is still in use...

So let's save the index we want to release before calling

Signed-off-by: Cornelia Huck <>
Acked-by: Sjur Brændeland <>
Signed-off-by: Rusty Russell <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomodule: fix out-by-one error in kallsyms
Rusty Russell [Thu, 25 Oct 2012 00:19:25 +0000 (10:49 +1030)]
module: fix out-by-one error in kallsyms

commit 59ef28b1f14899b10d6b2682c7057ca00a9a3f47 upstream.

Masaki found and patched a kallsyms issue: the last symbol in a
module's symtab wasn't transferred.  This is because we manually copy
the zero'th entry (which is always empty) then copy the rest in a loop
starting at 1, though from src[0].  His fix was minimal, I prefer to
rewrite the loops in more standard form.

There are two loops: one to get the size, and one to copy.  Make these
identical: always count entry 0 and any defined symbol in an allocated
non-init section.

This bug exists since the following commit was introduced.
   module: reduce symbol table for loaded modules (v2)
   commit: 4a4962263f07d14660849ec134ee42b63e95ea9a

Reported-by: Masaki Kimura <>
Signed-off-by: Rusty Russell <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agofanotify: fix missing break
Eric Paris [Thu, 8 Nov 2012 23:53:37 +0000 (15:53 -0800)]
fanotify: fix missing break

commit 848561d368751a1c0f679b9f045a02944506a801 upstream.

Anders Blomdell noted in 2010 that Fanotify lost events and provided a
test case.  Eric Paris confirmed it was a bug and posted a fix to the

but never applied it.  Repeated attempts over time to actually get him
to apply it have never had a reply from anyone who has raised it

So apply it anyway

Signed-off-by: Alan Cox <>
Reported-by: Anders Blomdell <>
Cc: Eric Paris <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoPCI/PM: Fix proc config reg access for D3cold and bridge suspending
Huang Ying [Thu, 25 Oct 2012 01:36:03 +0000 (09:36 +0800)]
PCI/PM: Fix proc config reg access for D3cold and bridge suspending

commit b3c32c4f9565f93407921c0d8a4458042eb8998e upstream.

Peter reported that /proc/bus/pci/??/??.? does not work for 3.6.
This is because the device configuration space registers are
not accessible if the corresponding parent bridge is suspended or
the device is put into D3cold state.

This is the same as /sys/bus/pci/devices/0000:??:??.?/config access
issue.  So the function used to solve sysfs issue is used to solve
this issue.

This patch moves pci_config_pm_runtime_get()/_put() from pci/pci-sysfs.c
to pci/pci.c and makes them extern so they can be used by both the
sysfs and proc paths.

[bhelgaas: changelog, references, reporters]
Reported-by: Forrest Loomis <>
Reported-by: Peter <>
Reported-by: Micael Dias <>
Signed-off-by: Huang Ying <>
Signed-off-by: Bjorn Helgaas <>
Acked-by: Rafael J. Wysocki <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoPCI/PM: Resume device before shutdown
Huang Ying [Wed, 24 Oct 2012 06:54:14 +0000 (14:54 +0800)]
PCI/PM: Resume device before shutdown

commit 3ff2de9ba1a2e22e548979dbcd46e999b22c93d8 upstream.

Some actions during shutdown need device to be in D0 state, such as
MSI shutdown etc, so resume device before shutdown.

Without this patch, a device may not be enumerated after a kexec
because the corresponding bridge is not in D0, so that
configuration space of the device is not accessible.

Signed-off-by: Huang Ying <>
Signed-off-by: Bjorn Helgaas <>
Acked-by: Rafael J. Wysocki <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomac80211: call skb_dequeue/ieee80211_free_txskb instead of __skb_queue_purge
Felix Fietkau [Sat, 10 Nov 2012 02:44:14 +0000 (03:44 +0100)]
mac80211: call skb_dequeue/ieee80211_free_txskb instead of __skb_queue_purge

commit 1f98ab7fef48a2968f37f422c256c9fbd978c3f0 upstream.

Fixes more wifi status skb leaks, leading to hostapd/wpa_supplicant hangs.

Signed-off-by: Felix Fietkau <>
Signed-off-by: Johannes Berg <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomac80211: don't send null data packet when not associated
Johannes Berg [Thu, 8 Nov 2012 13:06:28 +0000 (14:06 +0100)]
mac80211: don't send null data packet when not associated

commit 20f544eea03db4b498942558b882d463ce575c3e upstream.

On resume or firmware recovery, mac80211 sends a null
data packet to see if the AP is still around and hasn't
disconnected us. However, it always does this even if
it wasn't even connected before, leading to a warning
in the new channel context code. Fix this by checking
that it's associated.

Reviewed-by: Emmanuel Grumbach <>
Signed-off-by: Johannes Berg <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomac80211: sync acccess to tx_filtered/ps_tx_buf queues
Arik Nemtsov [Mon, 5 Nov 2012 08:27:52 +0000 (10:27 +0200)]
mac80211: sync acccess to tx_filtered/ps_tx_buf queues

commit 987c285c2ae2e4e32aca3a9b3252d28171c75711 upstream.

These are accessed without a lock when ending STA PSM. If the
sta_cleanup timer accesses these lists at the same time, we might crash.

This may fix some mysterious crashes we had during

Signed-off-by: Arik Nemtsov <>
Signed-off-by: Ido Yariv <>
Signed-off-by: Johannes Berg <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoxfs: drop buffer io reference when a bad bio is built
Dave Chinner [Mon, 12 Nov 2012 11:09:46 +0000 (22:09 +1100)]
xfs: drop buffer io reference when a bad bio is built

commit d69043c42d8c6414fa28ad18d99973aa6c1c2e24 upstream.

Error handling in xfs_buf_ioapply_map() does not handle IO reference
counts correctly. We increment the b_io_remaining count before
building the bio, but then fail to decrement it in the failure case.
This leads to the buffer never running IO completion and releasing
the reference that the IO holds, so at unmount we can leak the
buffer. This leak is captured by this assert failure during unmount:

XFS: Assertion failed: atomic_read(&pag->pag_ref) == 0, file: fs/xfs/xfs_mount.c, line: 273

This is not a new bug - the b_io_remaining accounting has had this
problem for a long, long time - it's just very hard to get a
zero length bio being built by this code...

Further, the buffer IO error can be overwritten on a multi-segment
buffer by subsequent bio completions for partial sections of the
buffer. Hence we should only set the buffer error status if the
buffer is not already carrying an error status. This ensures that a
partial IO error on a multi-segment buffer will not be lost. This
part of the problem is a regression, however.

Signed-off-by: Dave Chinner <>
Reviewed-by: Mark Tinguely <>
Signed-off-by: Ben Myers <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agolibata-acpi: Fix NULL ptr derference in ata_acpi_dev_handle
Aaron Lu [Tue, 9 Oct 2012 07:37:48 +0000 (15:37 +0800)]
libata-acpi: Fix NULL ptr derference in ata_acpi_dev_handle

commit 60817a680b1bd3341b6909fab7d8a1fcc3a78369 upstream.

commit 6b66d95895c149cbc04d4fac5a2f5477c543a8ae didn't handle SATA PMP
case in ata_acpi_bind_device and will cause a NULL ptr dereference when
user attached a SATA drive to the PMP port. Fix this by checking PMP

This bug is reported by Dan van der Ster in the following bugzilla page:

Reported-by: Dan van der Ster <>
Tested-by: Dan van der Ster <>
Signed-off-by: Aaron Lu <>
Signed-off-by: Jeff Garzik <>
Tested-by: Simon <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomm: bugfix: set current->reclaim_state to NULL while returning from kswapd()
Takamori Yamaguchi [Thu, 8 Nov 2012 23:53:39 +0000 (15:53 -0800)]
mm: bugfix: set current->reclaim_state to NULL while returning from kswapd()

commit b0a8cc58e6b9aaae3045752059e5e6260c0b94bc upstream.

In kswapd(), set current->reclaim_state to NULL before returning, as
current->reclaim_state holds reference to variable on kswapd()'s stack.

In rare cases, while returning from kswapd() during memory offlining,
__free_slab() and freepages() can access the dangling pointer of

Signed-off-by: Takamori Yamaguchi <>
Signed-off-by: Aaditya Kumar <>
Acked-by: David Rientjes <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoLinux 3.6.7
Greg Kroah-Hartman [Sat, 17 Nov 2012 21:21:23 +0000 (13:21 -0800)]
Linux 3.6.7

5 years agoALSA: usb-audio: Fix mutex deadlock at disconnection
Takashi Iwai [Tue, 13 Nov 2012 10:22:48 +0000 (11:22 +0100)]
ALSA: usb-audio: Fix mutex deadlock at disconnection

commit 10e44239f67d0b6fb74006e61a7e883b8075247a upstream.

The recent change for USB-audio disconnection race fixes introduced a
mutex deadlock again.  There is a circular dependency between
chip->shutdown_rwsem and pcm->open_mutex, depicted like below, when a
device is opened during the disconnection operation:

A. snd_usb_audio_disconnect() ->
     card.c::register_mutex ->
       chip->shutdown_rwsem (write) ->
         snd_card_disconnect() ->
           pcm.c::register_mutex ->

B. snd_pcm_open() ->
     pcm->open_mutex ->
       snd_usb_pcm_open() ->
         chip->shutdown_rwsem (read)

Since the chip->shutdown_rwsem protection in the case A is required
only for turning on the chip->shutdown flag and it doesn't have to be
taken for the whole operation, we can reduce its window in

Reported-by: Jiri Slaby <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: Fix card refcount unbalance
Takashi Iwai [Thu, 8 Nov 2012 13:36:18 +0000 (14:36 +0100)]
ALSA: Fix card refcount unbalance

commit 8bb4d9ce08b0a92ca174e41d92c180328f86173f upstream.

There are uncovered cases whether the card refcount introduced by the
commit a0830dbd isn't properly increased or decreased:
- OSS PCM and mixer success paths
- When lookup function gets NULL

This patch fixes these places.


Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoxfs: fix buffer shudown reference count mismatch
Dave Chinner [Fri, 2 Nov 2012 03:23:12 +0000 (14:23 +1100)]
xfs: fix buffer shudown reference count mismatch

commit 03b1293edad462ad1ad62bcc5160c76758e450d5 upstream.

When we shut down the filesystem, we have to unpin and free all the
buffers currently active in the CIL. To do this we unpin and remove
them in one operation as a result of a failed iclogbuf write. For
buffers, we do this removal via a simultated IO completion of after
marking the buffer stale.

At the time we do this, we have two references to the buffer - the
active LRU reference and the buf log item.  The LRU reference is
removed by marking the buffer stale, and the active CIL reference is
by the xfs_buf_iodone() callback that is run by
xfs_buf_do_callbacks() during ioend processing (via the bp->b_iodone

However, ioend processing requires one more reference - that of the
IO that it is completing. We don't have this reference, so we free
the buffer prematurely and use it after it is freed. For buffers
marked with XBF_ASYNC, this leads to assert failures in
xfs_buf_rele() on debug kernels because the b_hold count is zero.

Fix this by making sure we take the necessary IO reference before
starting IO completion processing on the stale buffer, and set the
XBF_ASYNC flag to ensure that IO completion processing removes all
the active references from the buffer to ensure it is fully torn

Signed-off-by: Dave Chinner <>
Reviewed-by: Mark Tinguely <>
Signed-off-by: Ben Myers <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoxfs: fix reading of wrapped log data
Dave Chinner [Fri, 2 Nov 2012 00:38:44 +0000 (11:38 +1100)]
xfs: fix reading of wrapped log data

commit 6ce377afd1755eae5c93410ca9a1121dfead7b87 upstream.

Commit 4439647 ("xfs: reset buffer pointers before freeing them") in
3.0-rc1 introduced a regression when recovering log buffers that
wrapped around the end of log. The second part of the log buffer at
the start of the physical log was being read into the header buffer
rather than the data buffer, and hence recovery was seeing garbage
in the data buffer when it got to the region of the log buffer that
was incorrectly read.

Reported-by: Torsten Kaiser <>
Signed-off-by: Dave Chinner <>
Reviewed-by: Christoph Hellwig <>
Reviewed-by: Mark Tinguely <>
Signed-off-by: Ben Myers <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoGFS2: Test bufdata with buffer locked and gfs2_log_lock held
Benjamin Marzinski [Wed, 7 Nov 2012 06:38:06 +0000 (00:38 -0600)]
GFS2: Test bufdata with buffer locked and gfs2_log_lock held

commit 96e5d1d3adf56f1c7eeb07258f6a1a0a7ae9c489 upstream.

In gfs2_trans_add_bh(), gfs2 was testing if a there was a bd attached to the
buffer without having the gfs2_log_lock held. It was then assuming it would
stay attached for the rest of the function. However, without either the log
lock being held of the buffer locked, __gfs2_ail_flush() could detach bd at any
time.  This patch moves the locking before the test.  If there isn't a bd
already attached, gfs2 can safely allocate one and attach it before locking.
There is no way that the newly allocated bd could be on the ail list,
and thus no way for __gfs2_ail_flush() to detach it.

Signed-off-by: Benjamin Marzinski <>
Signed-off-by: Steven Whitehouse <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrm/radeon/si: add some missing regs to the VM reg checker
Alex Deucher [Thu, 8 Nov 2012 15:13:24 +0000 (10:13 -0500)]
drm/radeon/si: add some missing regs to the VM reg checker

commit f418b88aad0c42b4caf4d79a0cf8d14a5d0a2284 upstream.

This register is needed for streamout to work properly.

Signed-off-by: Alex Deucher <>
Reviewed-by: Michel Dänzer <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrm/radeon/cayman: add some missing regs to the VM reg checker
Alex Deucher [Thu, 8 Nov 2012 15:08:04 +0000 (10:08 -0500)]
drm/radeon/cayman: add some missing regs to the VM reg checker

commit 860fe2f05fa2eacac84368e23547ec8cf3cc6652 upstream.

These regs were being wronly rejected leading to rendering


Signed-off-by: Alex Deucher <>
Reviewed-by: Michel Dänzer <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrm/vmwgfx: Fix a case where the code would BUG when trying to pin GMR memory
Thomas Hellstrom [Fri, 9 Nov 2012 09:45:14 +0000 (10:45 +0100)]
drm/vmwgfx: Fix a case where the code would BUG when trying to pin GMR memory

commit afcc87aa6a233e52df73552dc1dc9ae3881b7cc8 upstream.

Signed-off-by: Thomas Hellstrom <>
Reviewed-by: Brian Paul <>
Reviewed-by: Dmitry Torokhov <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrm/vmwgfx: Fix hibernation device reset
Thomas Hellstrom [Fri, 9 Nov 2012 09:05:57 +0000 (10:05 +0100)]
drm/vmwgfx: Fix hibernation device reset

commit 95e8f6a21996c4cc2c4574b231c6e858b749dce3 upstream.

The device would not reset properly when resuming from hibernation.

Signed-off-by: Thomas Hellstrom <>
Reviewed-by: Brian Paul <>
Reviewed-by: Dmitry Torokhov <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agommc: sdhci: fix NULL dereference in sdhci_request() tuning
Chris Ball [Mon, 5 Nov 2012 19:29:49 +0000 (14:29 -0500)]
mmc: sdhci: fix NULL dereference in sdhci_request() tuning

commit 14efd957209461bbdf285bf0d67e931955d04a4c upstream.

Commit 473b095a72a9 ("mmc: sdhci: fix incorrect command used in tuning")
introduced a NULL dereference at resume-time if an SD 3.0 host controller
raises the SDHCI_NEEDS_TUNING flag while no card is inserted.  Seen on an
OLPC XO-4 with sdhci-pxav3, but presumably affects other controllers too.

Signed-off-by: Chris Ball <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agommc: sh_mmcif: fix use after free
Guennadi Liakhovetski [Tue, 23 Oct 2012 12:08:52 +0000 (14:08 +0200)]
mmc: sh_mmcif: fix use after free

commit a0d28ba01ebd048b4ba418142b37f5cf80e6d156 upstream.

A recent commit "mmc: sh_mmcif: fix clock management" has introduced a
use after free bug in sh_mmcif.c: in sh_mmcif_remove() the call to
mmc_free_host() frees private driver data, therefore using it afterwards
is a bug. Revert that hunk.

Signed-off-by: Guennadi Liakhovetski <>
Signed-off-by: Chris Ball <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agofutex: Handle futex_pi OWNER_DIED take over correctly
Thomas Gleixner [Tue, 23 Oct 2012 20:29:38 +0000 (22:29 +0200)]
futex: Handle futex_pi OWNER_DIED take over correctly

commit 59fa6245192159ab5e1e17b8e31f15afa9cff4bf upstream.

Siddhesh analyzed a failure in the take over of pi futexes in case the
owner died and provided a workaround.

The detailed problem analysis shows:

Futex F is initialized with PTHREAD_PRIO_INHERIT and

T1 lock_futex_pi(F);

T2 lock_futex_pi(F);
   --> T2 blocks on the futex and creates pi_state which is associated
       to T1.

T1 exits
   --> exit_robust_list() runs
       --> Futex F userspace value TID field is set to 0 and
           FUTEX_OWNER_DIED bit is set.

T3 lock_futex_pi(F);
   --> Succeeds due to the check for F's userspace TID field == 0
   --> Claims ownership of the futex and sets its own TID into the
       userspace TID field of futex F
   --> returns to user space

T1 --> exit_pi_state_list()
       --> Transfers pi_state to waiter T2 and wakes T2 via

T2 --> acquires pi_state->mutex and gains real ownership of the
   --> Claims ownership of the futex and sets its own TID into the
       userspace TID field of futex F
   --> returns to user space

T3 --> observes inconsistent state

This problem is independent of UP/SMP, preemptible/non preemptible
kernels, or process shared vs. private. The only difference is that
certain configurations are more likely to expose it.

So as Siddhesh correctly analyzed the following check in
futex_lock_pi_atomic() is the culprit:

if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) {

We check the userspace value for a TID value of 0 and take over the
futex unconditionally if that's true.

AFAICT this check is there as it is correct for a different corner
case of futexes: the WAITERS bit became stale.

Now the proposed change

- if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) {
+       if (unlikely(ownerdied ||
+                       !(curval & (FUTEX_TID_MASK | FUTEX_WAITERS)))) {

solves the problem, but it's not obvious why and it wreckages the
"stale WAITERS bit" case.

What happens is, that due to the WAITERS bit being set (T2 is blocked
on that futex) it enforces T3 to go through lookup_pi_state(), which
in the above case returns an existing pi_state and therefor forces T3
to legitimately fight with T2 over the ownership of the pi_state (via
pi_state->mutex). Probelm solved!

Though that does not work for the "WAITERS bit is stale" problem
because if lookup_pi_state() does not find existing pi_state it
returns -ERSCH (due to TID == 0) which causes futex_lock_pi() to
return -ESRCH to user space because the OWNER_DIED bit is not set.

Now there is a different solution to that problem. Do not look at the
user space value at all and enforce a lookup of possibly available
pi_state. If pi_state can be found, then the new incoming locker T3
blocks on that pi_state and legitimately races with T2 to acquire the
rt_mutex and the pi_state and therefor the proper ownership of the
user space futex.

lookup_pi_state() has the correct order of checks. It first tries to
find a pi_state associated with the user space futex and only if that
fails it checks for futex TID value = 0. If no pi_state is available
nothing can create new state at that point because this happens with
the hash bucket lock held.

So the above scenario changes to:

T1 lock_futex_pi(F);

T2 lock_futex_pi(F);
   --> T2 blocks on the futex and creates pi_state which is associated
       to T1.

T1 exits
   --> exit_robust_list() runs
       --> Futex F userspace value TID field is set to 0 and
           FUTEX_OWNER_DIED bit is set.

T3 lock_futex_pi(F);
   --> Finds pi_state and blocks on pi_state->rt_mutex

T1 --> exit_pi_state_list()
       --> Transfers pi_state to waiter T2 and wakes it via

T2 --> acquires pi_state->mutex and gains ownership of the pi_state
   --> Claims ownership of the futex and sets its own TID into the
       userspace TID field of futex F
   --> returns to user space

This covers all gazillion points on which T3 might come in between
T1's exit_robust_list() clearing the TID field and T2 fixing it up. It
also solves the "WAITERS bit stale" problem by forcing the take over.

Another benefit of changing the code this way is that it makes it less
dependent on untrusted user space values and therefor minimizes the
possible wreckage which might be inflicted.

As usual after staring for too long at the futex code my brain hurts
so much that I really want to ditch that whole optimization of
avoiding the syscall for the non contended case for PI futexes and rip
out the maze of corner case handling code. Unfortunately we can't as
user space relies on that existing behaviour, but at least thinking
about it helps me to preserve my mental sanity. Maybe we should
nevertheless :)

Reported-and-tested-by: Siddhesh Poyarekar <>
Acked-by: Darren Hart <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoipv6: send unsolicited neighbour advertisements to all-nodes
Hannes Frederic Sowa [Tue, 6 Nov 2012 16:18:41 +0000 (16:18 +0000)]
ipv6: send unsolicited neighbour advertisements to all-nodes

[ Upstream commit 60713a0ca7fd6651b951cc1b4dbd528d1fc0281b ]

As documented in RFC4861 (Neighbor Discovery for IP version 6) 7.2.6.,
unsolicited neighbour advertisements should be sent to the all-nodes
multicast address.

Signed-off-by: Hannes Frederic Sowa <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoaf-packet: fix oops when socket is not present
Eric Leblond [Tue, 6 Nov 2012 02:10:10 +0000 (02:10 +0000)]
af-packet: fix oops when socket is not present

[ Upstream commit a3d744e995d2b936c500585ae39d99ee251c89b4 ]

Due to a NULL dereference, the following patch is causing oops
in normal trafic condition:

commit c0de08d04215031d68fa13af36f347a6cfa252ca
Author: Eric Leblond <>
Date:   Thu Aug 16 22:02:58 2012 +0000

    af_packet: don't emit packet on orig fanout group

This buggy patch was a feature fix and has reached most stable

When skb->sk is NULL and when packet fanout is used, there is a
crash in match_fanout_group where skb->sk is accessed.
This patch fixes the issue by returning false as soon as the
socket is NULL: this correspond to the wanted behavior because
the kernel as to resend the skb to all the listening socket in
this case.

Signed-off-by: Eric Leblond <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agonet: inet_diag -- Return error code if protocol handler is missed
Cyrill Gorcunov [Sat, 3 Nov 2012 09:30:34 +0000 (09:30 +0000)]
net: inet_diag -- Return error code if protocol handler is missed

[ Upstream commit cacb6ba0f36ab14a507f4ee7697e8332899015d2 ]

We've observed that in case if UDP diag module is not
supported in kernel the netlink returns NLMSG_DONE without
notifying a caller that handler is missed.

This patch makes __inet_diag_dump to return error code instead.

So as example it become possible to detect such situation
and handle it gracefully on userspace level.

Signed-off-by: Cyrill Gorcunov <>
CC: David Miller <>
CC: Eric Dumazet <>
CC: Pavel Emelyanov <>
Acked-by: Pavel Emelyanov <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotcp-repair: Handle zero-length data put in rcv queue
Pavel Emelyanov [Mon, 29 Oct 2012 05:05:33 +0000 (05:05 +0000)]
tcp-repair: Handle zero-length data put in rcv queue

[ Upstream commit c454e6111d1ef4268fe98e87087216e51c2718c3 ]

When sending data into a tcp socket in repair state we should check
for the amount of data being 0 explicitly. Otherwise we'll have an skb
with seq == end_seq in rcv queue, but tcp doesn't expect this to happen
(in particular a warn_on in tcp_recvmsg shoots).

Signed-off-by: Pavel Emelyanov <>
Reported-by: Giorgos Mavrikas <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agol2tp: fix oops in l2tp_eth_create() error path
Tom Parkin [Mon, 29 Oct 2012 23:41:48 +0000 (23:41 +0000)]
l2tp: fix oops in l2tp_eth_create() error path

[ Upstream commit 789336360e0a2aeb9750c16ab704a02cbe035e9e ]

When creating an L2TPv3 Ethernet session, if register_netdev() should fail for
any reason (for example, automatic naming for "l2tpeth%d" interfaces hits the
32k-interface limit), the netdev is freed in the error path.  However, the
l2tp_eth_sess structure's dev pointer is left uncleared, and this results in
l2tp_eth_delete() then attempting to unregister the same netdev later in the
session teardown.  This results in an oops.

To avoid this, clear the session dev pointer in the error path.

Signed-off-by: Tom Parkin <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_free
Peter Senna Tschudin [Sun, 28 Oct 2012 06:12:00 +0000 (06:12 +0000)]
drivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_free

[ Upstream commit 57c10b61c84bfed68b1b317d6f507a392724b9c4 ]

Based on commit b27393aecf66199f5ddad37c302d3e0cfadbe6c0

Calling mdiobus_free without calling mdiobus_unregister causes
BUG_ON(). This patch fixes the issue.

The semantic patch that found this issue(
// <smpl>
expression E;
  ... when != mdiobus_unregister(E);

+ mdiobus_unregister(E);
// </smpl>

Signed-off-by: Peter Senna Tschudin <>
Tested-by: Roland Stigge <>
Tested-by: Alexandre Pereira da Silva <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agonet: fix divide by zero in tcp algorithm illinois
Jesper Dangaard Brouer [Wed, 31 Oct 2012 02:45:32 +0000 (02:45 +0000)]
net: fix divide by zero in tcp algorithm illinois

[ Upstream commit 8f363b77ee4fbf7c3bbcf5ec2c5ca482d396d664 ]

Reading TCP stats when using TCP Illinois congestion control algorithm
can cause a divide by zero kernel oops.

The division by zero occur in tcp_illinois_info() at:
 do_div(t, ca->cnt_rtt);
where ca->cnt_rtt can become zero (when rtt_reset is called)

Steps to Reproduce:
 1. Register tcp_illinois:
     # sysctl -w net.ipv4.tcp_congestion_control=illinois
 2. Monitor internal TCP information via command "ss -i"
     # watch -d ss -i
 3. Establish new TCP conn to machine

Either it fails at the initial conn, or else it needs to wait
for a loss or a reset.

This is only related to reading stats.  The function avg_delay() also
performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its
calling point in update_params().  Thus, simply fix tcp_illinois_info().

Function tcp_illinois_info() / get_info() is called without
socket lock.  Thus, eliminate any race condition on ca->cnt_rtt
by using a local stack variable.  Simply reuse info.tcpv_rttcnt,
as its already set to ca->cnt_rtt.
Function avg_delay() is not affected by this race condition, as
its called with the socket lock.

Cc: Petr Matousek <>
Signed-off-by: Jesper Dangaard Brouer <>
Acked-by: Eric Dumazet <>
Acked-by: Stephen Hemminger <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agonet: usb: Fix memory leak on Tx data path
Hemant Kumar [Thu, 25 Oct 2012 18:17:54 +0000 (18:17 +0000)]
net: usb: Fix memory leak on Tx data path

[ Upstream commit 39707c2a3ba5011038b363f84d37c8a98d2d9db1 ]

Driver anchors the tx urbs and defers the urb submission if
a transmit request comes when the interface is suspended.
Anchoring urb increments the urb reference count. These
deferred urbs are later accessed by calling usb_get_from_anchor()
for submission during interface resume. usb_get_from_anchor()
unanchors the urb but urb reference count remains same.
This causes the urb reference count to remain non-zero
after usb_free_urb() gets called and urb never gets freed.
Hence call usb_put_urb() after anchoring the urb to properly
balance the reference count for these deferred urbs. Also,
unanchor these deferred urbs during disconnect, to free them

Signed-off-by: Hemant Kumar <>
Acked-by: Oliver Neukum <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoipv6: Set default hoplimit as zero.
Li RongQing [Wed, 24 Oct 2012 06:01:18 +0000 (14:01 +0800)]
ipv6: Set default hoplimit as zero.

[ Upstream commit 14edd87dc67311556f1254a8f29cf4dd6cb5b7d1 ]

Commit a02e4b7dae4551(Demark default hoplimit as zero) only changes the
hoplimit checking condition and default value in ip6_dst_hoplimit, not
zeros all hoplimit default value.

Keep the zeroing ip6_template_metrics[RTAX_HOPLIMIT - 1] to force it as
const, cause as a37e6e344910(net: force dst_default_metrics to const

Signed-off-by: Li RongQing <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agonet: fix secpath kmemleak
Eric Dumazet [Mon, 22 Oct 2012 09:03:40 +0000 (09:03 +0000)]
net: fix secpath kmemleak

[ Upstream commit 3d861f661006606bf159fd6bd973e83dbf21d0f9 ]

Mike Kazantsev found 3.5 kernels and beyond were leaking memory,
and tracked the faulty commit to a1c7fff7e18f59e ("net:
netdev_alloc_skb() use build_skb()")

While this commit seems fine, it uncovered a bug introduced
in commit bad43ca8325 ("net: introduce skb_try_coalesce()), in function

If head is stolen, we free the sk_buff,
without removing references on secpath (skb->sp).

So IPsec + IP defrag/reassembly (using skb coalescing), or
TCP coalescing could leak secpath objects.

Fix this bug by calling skb_release_head_state(skb) to properly
release all possible references to linked objects.

Reported-by: Mike Kazantsev <>
Signed-off-by: Eric Dumazet <>
Bisected-by: Mike Kazantsev <>
Tested-by: Mike Kazantsev <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotcp: fix FIONREAD/SIOCINQ
Eric Dumazet [Thu, 18 Oct 2012 09:14:12 +0000 (09:14 +0000)]

[ Upstream commit a3374c42aa5f7237e87ff3b0622018636b0c847e ]

tcp_ioctl() tries to take into account if tcp socket received a FIN
to report correct number bytes in receive queue.

But its flaky because if the application ate the last skb,
we return 1 instead of 0.

Correct way to detect that FIN was received is to test SOCK_DONE.

Reported-by: Elliot Hughes <>
Signed-off-by: Eric Dumazet <>
Cc: Neal Cardwell <>
Cc: Tom Herbert <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agonetlink: use kfree_rcu() in netlink_release()
Eric Dumazet [Thu, 18 Oct 2012 03:21:55 +0000 (03:21 +0000)]
netlink: use kfree_rcu() in netlink_release()

[ Upstream commit 6d772ac5578f711d1ce7b03535d1c95bffb21dff ]

On some suspend/resume operations involving wimax device, we have
noticed some intermittent memory corruptions in netlink code.

Stéphane Marchesin tracked this corruption in netlink_update_listeners()
and suggested a patch.

It appears netlink_release() should use kfree_rcu() instead of kfree()
for the listeners structure as it may be used by other cpus using RCU

netlink_release() must set to NULL the listeners pointer when
it is about to be freed.

Also have to protect netlink_update_listeners() and
netlink_has_listeners() if listeners is NULL.

Add a nl_deref_protected() lockdep helper to properly document which
locks protects us.

Reported-by: Jonathan Kliegman <>
Signed-off-by: Eric Dumazet <>
Cc: Stéphane Marchesin <>
Cc: Sam Leffler <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoipv4: Fix flushing of cached routing informations
Steffen Klassert [Wed, 17 Oct 2012 21:17:44 +0000 (21:17 +0000)]
ipv4: Fix flushing of cached routing informations

[ Upstream commit 13d82bf50dce632355fcccafa4fe44a9b5e706d8 ]

Currently we can not flush cached pmtu/redirect informations via
the ipv4_sysctl_rtcache_flush sysctl. We need to check the rt_genid
of the old route and reset the nh exeption if the old route is
expired when we bind a new route to a nh exeption.

Signed-off-by: Steffen Klassert <>
Acked-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agosctp: fix call to SCTP_CMD_PROCESS_SACK in sctp_cmd_interpreter()
Zijie Pan [Mon, 15 Oct 2012 03:56:39 +0000 (03:56 +0000)]
sctp: fix call to SCTP_CMD_PROCESS_SACK in sctp_cmd_interpreter()

[ Upstream commit f6e80abeab928b7c47cc1fbf53df13b4398a2bec ]

Bug introduced by commit edfee0339e681a784ebacec7e8c2dc97dc6d2839
(sctp: check src addr when processing SACK to update transport state)

Signed-off-by: Zijie Pan <>
Signed-off-by: Nicolas Dichtel <>
Acked-by: Vlad Yasevich <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: Avoid endless sleep after disconnect
Takashi Iwai [Wed, 7 Nov 2012 11:39:56 +0000 (12:39 +0100)]
ALSA: Avoid endless sleep after disconnect

commit 0914f7961babbf28aaa2f19b453951fb4841c03f upstream.

When disconnect callback is called, each component should wake up
sleepers and check card->shutdown flag for avoiding the endless sleep
blocking the proper resource release.

Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: Add a reference counter to card instance
Takashi Iwai [Wed, 7 Nov 2012 11:39:55 +0000 (12:39 +0100)]
ALSA: Add a reference counter to card instance

commit a0830dbd4e42b38aefdf3fb61ba5019a1a99ea85 upstream.

For more strict protection for wild disconnections, a refcount is
introduced to the card instance, and let it up/down when an object is
referred via snd_lookup_*() in the open ops.

The free-after-last-close check is also changed to check this refcount
instead of the empty list, too.

Reported-by: Matthieu CASTET <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>