5 years ago ahci: AHCI-mode SATA patch for Intel Avoton DeviceIDs
Seth Heasley [Fri, 25 Jan 2013 20:01:05 +0000 (12:01 -0800)]
ahci: AHCI-mode SATA patch for Intel Avoton DeviceIDs

commit 29e674dd5c8e781589f09c3ee139c80f6da274e4 upstream.

This patch adds the AHCI and RAID-mode SATA DeviceIDs for the Intel Avoton SOC.

Signed-off-by: Seth Heasley <>
Signed-off-by: Jeff Garzik <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ata_piix: Add Device IDs for Intel Wellsburg PCH
James Ralston [Sat, 9 Feb 2013 01:24:12 +0000 (17:24 -0800)]
ata_piix: Add Device IDs for Intel Wellsburg PCH

commit 3aee8bc52c415aba8148f144e5e5359b0fd75dd1 upstream.

This patch adds the IDE-mode SATA Device IDs for the Intel Wellsburg PCH

Signed-off-by: James Ralston <>
Signed-off-by: Jeff Garzik <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ata_piix: IDE-mode SATA patch for Intel Avoton DeviceIDs
Seth Heasley [Fri, 25 Jan 2013 19:57:05 +0000 (11:57 -0800)]
ata_piix: IDE-mode SATA patch for Intel Avoton DeviceIDs

commit aaa515277db9585eeb4fdeb4637b9f9df50a1dd9 upstream.

This patch adds the IDE-mode SATA DeviceIDs for the Intel Avoton SOC.

Signed-off-by: Seth Heasley <>
Signed-off-by: Jeff Garzik <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago staging: comedi: check s->async for poll(), read() and write()
Ian Abbott [Wed, 27 Feb 2013 10:56:19 +0000 (10:56 +0000)]
staging: comedi: check s->async for poll(), read() and write()

commit cc400e185c07c15a42d2635995f422de5b94b696 upstream.

Some low-level comedi drivers (incorrectly) point `dev->read_subdev` or
`dev->write_subdev` to a subdevice that does not support asynchronous
commands.  Comedi's poll(), read() and write() file operation handlers
assume these subdevices do support asynchronous commands.  In
particular, they assume `s->async` is valid (where `s` points to the
read or write subdevice), which it won't be if it has been set
incorrectly.  This can lead to a NULL pointer dereference.

Check `s->async` is non-NULL in `comedi_poll()`, `comedi_read()` and
`comedi_write()` to avoid the bug.

Signed-off-by: Ian Abbott <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ACPI: Add DMI entry for Sony VGN-FW41E_H
Joseph Salisbury [Tue, 5 Feb 2013 00:16:29 +0000 (00:16 +0000)]
ACPI: Add DMI entry for Sony VGN-FW41E_H

commit 66f2fda93b67fa744d406e6dcf443f67bac204b6 upstream.

This patch adds a quirk to allow the Sony VGN-FW41E_H to suspend/resume

Signed-off-by: Joseph Salisbury <>
Signed-off-by: Rafael J. Wysocki <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ab8500_btemp: Demote initcall sequence
Rajanikanth H.V [Wed, 23 Jan 2013 04:26:45 +0000 (09:56 +0530)]
ab8500_btemp: Demote initcall sequence

commit eeb0751c99522a4d1bbcc7b6bc1460cd07d07488 upstream.

Power supply subsystem creates thermal zone device for the property
'POWER_SUPPLY_PROP_TEMP' which requires thermal subsystem to be ready
before 'ab8500 battery temperature monitor' driver is initialized. ab8500
btemp driver is initialized with subsys_initcall whereas thermal subsystem
is initialized with fs_initcall which causes
thermal_zone_device_register(...) to crash since the required structure
'thermal_class' is not initialized yet:

Unable to handle kernel NULL pointer dereference at virtual address 000000a4
pgd = c0004000
[000000a4] *pgd=00000000
Internal error: Oops: 5 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0    Tainted: G        W     (3.8.0-rc4-00001-g632fda8-dirty #1)
PC is at _raw_spin_lock+0x18/0x54
LR is at get_device_parent+0x50/0x1b8
pc : [<c02f1dd0>]    lr : [<c01cb248>]    psr: 60000013
sp : ef04bdc8  ip : 00000000  fp : c0446180
r10: ef216e38  r9 : c03af5d0  r8 : ef275c18
r7 : 00000000  r6 : c0476c14  r5 : ef275c18  r4 : ef095840
r3 : ef04a000  r2 : 00000001  r1 : 00000000  r0 : 000000a4
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
Control: 10c5787d  Table: 0000404a  DAC: 00000015
Process swapper/0 (pid: 1, stack limit = 0xef04a238)
Stack: (0xef04bdc8 to 0xef04c000)
[<c02f1dd0>] (_raw_spin_lock+0x18/0x54) from [<c01cb248>] (get_device_parent+0x50/0x1b8)
[<c01cb248>] (get_device_parent+0x50/0x1b8) from [<c01cb8d8>] (device_add+0xa4/0x574)
[<c01cb8d8>] (device_add+0xa4/0x574) from [<c020b91c>] (thermal_zone_device_register+0x118/0x938)
[<c020b91c>] (thermal_zone_device_register+0x118/0x938) from [<c0202030>] (power_supply_register+0x170/0x1f8)
[<c0202030>] (power_supply_register+0x170/0x1f8) from [<c02055ec>] (ab8500_btemp_probe+0x208/0x47c)
[<c02055ec>] (ab8500_btemp_probe+0x208/0x47c) from [<c01cf0dc>] (platform_drv_probe+0x14/0x18)
[<c01cf0dc>] (platform_drv_probe+0x14/0x18) from [<c01cde70>] (driver_probe_device+0x74/0x20c)
[<c01cde70>] (driver_probe_device+0x74/0x20c) from [<c01ce094>] (__driver_attach+0x8c/0x90)
[<c01ce094>] (__driver_attach+0x8c/0x90) from [<c01cc640>] (bus_for_each_dev+0x4c/0x80)
[<c01cc640>] (bus_for_each_dev+0x4c/0x80) from [<c01cd6b4>] (bus_add_driver+0x16c/0x23c)
[<c01cd6b4>] (bus_add_driver+0x16c/0x23c) from [<c01ce54c>] (driver_register+0x78/0x14c)
[<c01ce54c>] (driver_register+0x78/0x14c) from [<c00086ac>] (do_one_initcall+0xfc/0x164)
[<c00086ac>] (do_one_initcall+0xfc/0x164) from [<c02e89c8>] (kernel_init+0x120/0x2b8)
[<c02e89c8>] (kernel_init+0x120/0x2b8) from [<c000e358>] (ret_from_fork+0x14/0x3c)
Code: e3c3303f e5932004 e2822001 e5832004 (e1903f9f)
---[ end trace ed9df72941b5bada ]---

Signed-off-by: Rajanikanth H.V <>
Signed-off-by: Anton Vorontsov <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ab8500-chargalg: Only root should have write permission on sysfs file
Lee Jones [Thu, 17 Jan 2013 14:21:53 +0000 (14:21 +0000)]
ab8500-chargalg: Only root should have write permission on sysfs file

commit e3455002d04276c256a531f7175dce0f7d1cb78a upstream.

Only root should have write permission on sysfs file ab8500_chargalg/chargalg.

Signed-off-by: Lee Jones <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago bq27x00_battery: Fix bugs introduced with BQ27425 support
NeilBrown [Sun, 2 Dec 2012 09:34:21 +0000 (20:34 +1100)]
bq27x00_battery: Fix bugs introduced with BQ27425 support

commit bde83b9a6b44c1e0fd872e57ecc869cfcf88538f upstream.

commit a66f59ba2e994bf70274ef0513e24e0e7ae20c63

    bq27x00_battery: Add support for BQ27425 chip

introduced 2 bugs.

1/ 'chip' was set to BQ27425 unconditionally - breaking support for
   other devices;

2/ BQ27425 does not support cycle count, however the code still tries to
   get the cycle count for BQ27425, and now does it twice for other chips.

Signed-off-by: NeilBrown <>
Cc: Saranya Gopal <>
Signed-off-by: Anton Vorontsov <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago cgroup: fix exit() vs rmdir() race
Li Zefan [Thu, 24 Jan 2013 06:43:28 +0000 (14:43 +0800)]
cgroup: fix exit() vs rmdir() race

commit 71b5707e119653039e6e95213f00479668c79b75 upstream.

In cgroup_exit() put_css_set_taskexit() is called without any lock,
which might lead to accessing a freed cgroup:

thread1                           thread2
      /* not safe !! */

rcu_read_lock() can be used to make sure the cgroup is alive.

Signed-off-by: Li Zefan <>
Signed-off-by: Tejun Heo <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago cpuset: fix cpuset_print_task_mems_allowed() vs rename() race
Li Zefan [Fri, 25 Jan 2013 08:08:01 +0000 (16:08 +0800)]
cpuset: fix cpuset_print_task_mems_allowed() vs rename() race

commit 63f43f55c9bbc14f76b582644019b8a07dc8219a upstream.

rename() will change dentry->d_name. The result of this race can
be worse than seeing partially rewritten name, but we might access
a stale pointer because rename() will re-allocate memory to hold
a longer name.

It's safe in the protection of dentry->d_lock.

v2: check NULL dentry before acquiring dentry lock.

Signed-off-by: Li Zefan <>
Signed-off-by: Tejun Heo <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago pstore: Avoid deadlock in panic and emergency-restart path
Seiji Aguchi [Fri, 11 Jan 2013 18:09:41 +0000 (18:09 +0000)]
pstore: Avoid deadlock in panic and emergency-restart path

commit 9f244e9cfd70c7c0f82d3c92ce772ab2a92d9f64 upstream.


When pstore is in panic and emergency-restart paths, it may be blocked
in those paths because it simply takes spin_lock.

This is an example scenario which pstore may hang up in a panic path:

 - cpuA grabs psinfo->buf_lock
 - cpuB panics and calls smp_send_stop
 - smp_send_stop sends IRQ to cpuA
 - after 1 second, cpuB gives up on cpuA and sends an NMI instead
 - cpuA is now in an NMI handler while still holding buf_lock
 - cpuB is deadlocked

This case may happen if a firmware has a bug and
cpuA is stuck talking with it more than one second.

Also, this is a similar scenario in an emergency-restart path:

 - cpuA grabs psinfo->buf_lock and gets stuck in a firmware
 - cpuB kicks emergency-restart via either sysrq-b or hangcheck timer.
   And then, cpuB is deadlocked by taking psinfo->buf_lock again.


This patch avoids the deadlocking issues in both panic and emergency_restart
paths by introducing a function, is_non_blocking_path(), to check if a cpu
can be blocked in current path.

With this patch, pstore is not blocked even if another cpu has
taken a spin_lock, in those paths by changing from spin_lock_irqsave
to spin_trylock_irqsave.

In addition, according to a comment of emergency_restart() in kernel/sys.c,
spin_lock shouldn't be taken in an emergency_restart path to avoid
deadlock. This patch fits the comment below.

 *      emergency_restart - reboot the system
 *      Without shutting down any hardware or taking any locks
 *      reboot the system.  This is called when we know we are in
 *      trouble so this is our best effort to reboot.  This is
 *      safe to call in interrupt context.
void emergency_restart(void)

Signed-off-by: Seiji Aguchi <>
Acked-by: Don Zickus <>
Signed-off-by: Tony Luck <>
Cc: CAI Qian <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago workqueue: consider work function when searching for busy work items
Tejun Heo [Tue, 18 Dec 2012 18:35:02 +0000 (10:35 -0800)]
workqueue: consider work function when searching for busy work items

commit a2c1c57be8d9fd5b716113c8991d3d702eeacf77 upstream.

To avoid executing the same work item concurrently, workqueue hashes
currently busy workers according to their current work items and looks
up the table when it wants to execute a new work item.  If there
already is a worker which is executing the new work item, the new item
is queued to the found worker so that it gets executed only after the
current execution finishes.

Unfortunately, a work item may be freed while being executed and thus
recycled for different purposes.  If it gets recycled for a different
work item and queued while the previous execution is still in
progress, workqueue may make the new work item wait for the old one
although the two aren't really related in any way.

In extreme cases, this false dependency may lead to deadlock although
it's extremely unlikely given that there aren't too many self-freeing
work item users and they usually don't wait for other work items.

To alleviate the problem, record the current work function in each
busy worker and match it together with the work item address in
find_worker_executing_work().  While this isn't complete, it ensures
that unrelated work items don't interact with each other and in the
very unlikely case where a twisted wq user triggers it, it's always
onto itself making the culprit easy to spot.

Signed-off-by: Tejun Heo <>
Reported-by: Andrey Isakov <>
5 years ago fuse: don't WARN when nlink is zero
Miklos Szeredi [Mon, 4 Feb 2013 14:57:42 +0000 (15:57 +0100)]
fuse: don't WARN when nlink is zero

commit dfca7cebc2679f3d129f8e680a8f199a7ad16e38 upstream.

drop_nlink() warns if nlink is already zero.  This is triggerable by a buggy
userspace filesystem.  The cure, I think, is worse than the disease so disable
the warning.

Reported-by: Tero Roponen <>
Signed-off-by: Miklos Szeredi <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago HID: clean up quirk for Sony RF receivers
Fernando Luis Vázquez Cao [Tue, 22 Jan 2013 06:20:38 +0000 (15:20 +0900)]
HID: clean up quirk for Sony RF receivers

commit 99d249021abd4341771523ed8dd7946276103432 upstream.

Document what the fix-up does and make it more robust by ensuring
that it is only applied to the USB interface that corresponds to the
mouse (sony_report_fixup() is called once per interface during probing).

Signed-off-by: Fernando Luis Vazquez Cao <>
Signed-off-by: Jiri Kosina <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago HID: add support for Sony RF receiver with USB product id 0x0374
Fernando Luis Vázquez Cao [Tue, 15 Jan 2013 10:40:48 +0000 (19:40 +0900)]
HID: add support for Sony RF receiver with USB product id 0x0374

commit a464918419f94a0043d2f549d6defb4c3f69f68a upstream.

Some Vaio desktop computers, among them the VGC-LN51JGB multimedia PC, have
a RF receiver, multi-interface USB device 054c:0374, that is used to connect
a wireless keyboard and a wireless mouse.

The keyboard works flawlessly, but the mouse (VGP-WMS3 in my case) does not
seem to be generating any pointer events. The problem is that the mouse pointer
is wrongly declared as a constant non-data variable in the report descriptor
(see lsusb and usbhid-dump output below), with the consequence that it is
ignored by the HID code.

Add this device to the have-special-driver list and fix up the report
descriptor in the Sony-specific driver which happens to already have a fixup
for a similar firmware bug.

# lsusb -vd 054C:0374
Bus 003 Device 002: ID 054c:0374 Sony Corp.
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0         8
  idVendor           0x054c Sony Corp.
  idProduct          0x0374
  iSerial                 0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      2 Mouse
      iInterface              2 RF Receiver
          Report Descriptor: (length is 100)
            Item(Global): Usage Page, data= [ 0x01 ] 1
                            Generic Desktop Controls
            Item(Local ): Usage, data= [ 0x30 ] 48
            Item(Local ): Usage, data= [ 0x31 ] 49
            Item(Global): Report Count, data= [ 0x02 ] 2
            Item(Global): Report Size, data= [ 0x08 ] 8
            Item(Global): Logical Minimum, data= [ 0x81 ] 129
            Item(Global): Logical Maximum, data= [ 0x7f ] 127
            Item(Main  ): Input, data= [ 0x07 ] 7
                            Constant Variable Relative No_Wrap Linear
                            Preferred_State No_Null_Position Non_Volatile Bitfield

# usbhid-dump
003:002:001:DESCRIPTOR         1357910009.758544
 05 01 09 02 A1 01 05 01 09 02 A1 02 85 01 09 01
 A1 00 05 09 19 01 29 05 95 05 75 01 15 00 25 01
 81 02 75 03 95 01 81 01 05 01 09 30 09 31 95 02
 75 08 15 81 25 7F 81 07 A1 02 85 01 09 38 35 00
 45 00 15 81 25 7F 95 01 75 08 81 06 C0 A1 02 85
 01 05 0C 15 81 25 7F 95 01 75 08 0A 38 02 81 06
 C0 C0 C0 C0

Signed-off-by: Fernando Luis Vazquez Cao <>
Signed-off-by: Jiri Kosina <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago svcrpc: fix rpc server shutdown races
J. Bruce Fields [Sun, 10 Feb 2013 21:08:11 +0000 (16:08 -0500)]
svcrpc: fix rpc server shutdown races

commit cc630d9f476445927fca599f81182c7f06f79058 upstream.

Rewrite server shutdown to remove the assumption that there are no
longer any threads running (no longer true, for example, when shutting
down the service in one network namespace while it's still running in

Do that by doing what we'd do in normal circumstances: just CLOSE each
socket, then enqueue it.

Since there may not be threads to handle the resulting queued xprts,
also run a simplified version of the svc_recv() loop run by a server to
clean up any closed xprts afterwards.

Tested-by: Jason Tibbitts <>
Tested-by: Paweł Sikora <>
Acked-by: Stanislav Kinsbursky <>
Signed-off-by: J. Bruce Fields <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago svcrpc: make svc_age_temp_xprts enqueue under sv_lock
J. Bruce Fields [Sun, 10 Feb 2013 16:33:48 +0000 (11:33 -0500)]
svcrpc: make svc_age_temp_xprts enqueue under sv_lock

commit e75bafbff2270993926abcc31358361db74a9bc2 upstream.

svc_age_temp_xprts expires xprts in a two-step process: first it takes
the sv_lock and moves the xprts to expire off their server-wide list
(sv_tempsocks or sv_permsocks) to a local list.  Then it drops the
sv_lock and enqueues and puts each one.

I see no reason for this: svc_xprt_enqueue() will take sp_lock, but the
sv_lock and sp_lock are not otherwise nested anywhere (and documentation
at the top of this file claims it's correct to nest these with sp_lock

Tested-by: Jason Tibbitts <>
Tested-by: Paweł Sikora <>
Signed-off-by: J. Bruce Fields <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago nfsd: Fix memleak
majianpeng [Tue, 29 Jan 2013 05:16:06 +0000 (13:16 +0800)]
nfsd: Fix memleak

commit 2d32b29a1c2830f7c42caa8258c714acd983961f upstream.

When freeing the nfs-client, it must free the ->cl_stateids.

Signed-off-by: Jianpeng Ma <>
Signed-off-by: J. Bruce Fields <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ext4: fix free clusters calculation in bigalloc filesystem
Lukas Czerner [Fri, 22 Feb 2013 20:27:52 +0000 (15:27 -0500)]
ext4: fix free clusters calculation in bigalloc filesystem

commit 304e220f0879198b1f5309ad6f0be862b4009491 upstream.

ext4_has_free_clusters() should tell us whether there are enough free
clusters to allocate, however number of free clusters in the file system
is converted to blocks using EXT4_C2B() which is not only wrong use of
the macro (we should have used EXT4_NUM_B2C) but it's also completely
wrong concept since everything else is in cluster units.

Moreover when calculating number of root clusters we should be using
macro EXT4_NUM_B2C() instead of EXT4_B2C() otherwise the result might be
off by one. However r_blocks_count should always be a multiple of the
cluster ratio so doing a plain bit shift should be enough here. We
avoid using EXT4_B2C() because it's confusing.

As a result of the first problem number of free clusters is much bigger
than it should have been and ext4_has_free_clusters() would return 1 even
if there are really not enough free clusters available.

Fix this by removing the EXT4_C2B() conversion of free clusters and
using bit shift when calculating number of root clusters. This bug
affects number of xfstests tests covering file system ENOSPC situation
handling. With this patch most of the ENOSPC problems with bigalloc file
system disappear, especially the errors caused by delayed allocation not
having enough space when the actual allocation is finally requested.

Signed-off-by: Lukas Czerner <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ext4: fix xattr block allocation/release with bigalloc
Lukas Czerner [Mon, 18 Feb 2013 17:12:07 +0000 (12:12 -0500)]
ext4: fix xattr block allocation/release with bigalloc

commit 1231b3a1eb5740192aeebf5344dd6d6da000febf upstream.

Currently when new xattr block is created or released we would call
dquot_free_block() or dquot_alloc_block() respectively, among other things
decrementing or incrementing the number of blocks assigned to the
inode by one block.

This however does not work for bigalloc file system because we always
allocate/free the whole cluster so we have to count with that in
dquot_free_block() and dquot_alloc_block() as well.

Use the clusters-to-blocks conversion EXT4_C2B() when passing number of
blocks to the dquot_alloc/free functions to fix the problem.

The problem has been revealed by xfstests #117 (and possibly others).

Signed-off-by: Lukas Czerner <>
Signed-off-by: "Theodore Ts'o" <>
Reviewed-by: Eric Sandeen <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ext4: fix race in ext4_mb_add_n_trim()
Niu Yawei [Sat, 2 Feb 2013 02:31:27 +0000 (21:31 -0500)]
ext4: fix race in ext4_mb_add_n_trim()

commit f1167009711032b0d747ec89a632a626c901a1ad upstream.

In ext4_mb_add_n_trim(), lg_prealloc_lock should be taken when
changing the lg_prealloc_list.

Signed-off-by: Niu Yawei <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ext4: release sysfs kobject when failing to enable quotas on mount
Theodore Ts'o [Fri, 25 Jan 2013 04:24:54 +0000 (23:24 -0500)]
ext4: release sysfs kobject when failing to enable quotas on mount

commit 72ba74508b2857e71d65fc93f0d6b684492fc740 upstream.

In addition, print the error returned from ext4_enable_quotas()

Signed-off-by: "Theodore Ts'o" <>
Reviewed-by: Carlos Maiolino <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ext4: check bh in ext4_read_block_bitmap()
Eryu Guan [Sat, 12 Jan 2013 21:33:25 +0000 (16:33 -0500)]
ext4: check bh in ext4_read_block_bitmap()

commit 15b49132fc972c63894592f218ea5a9a61b1a18f upstream.

Validate the bh pointer before using it, since
ext4_read_block_bitmap_nowait() might return NULL.

I've seen this in fsfuzz testing.

 EXT4-fs error (device loop0): ext4_read_block_bitmap_nowait:385: comm touch: Cannot get buffer for block bitmap - block_group = 0, block_bitmap = 3925999616
 BUG: unable to handle kernel NULL pointer dereference at           (null)
 IP: [<ffffffff8121de25>] ext4_wait_block_bitmap+0x25/0xe0
 Call Trace:
  [<ffffffff8121e1e5>] ext4_read_block_bitmap+0x35/0x60
  [<ffffffff8125e9c6>] ext4_free_blocks+0x236/0xb80
  [<ffffffff811d0d36>] ? __getblk+0x36/0x70
  [<ffffffff811d0a5f>] ? __find_get_block+0x8f/0x210
  [<ffffffff81191ef3>] ? kmem_cache_free+0x33/0x140
  [<ffffffff812678e5>] ext4_xattr_release_block+0x1b5/0x1d0
  [<ffffffff812679be>] ext4_xattr_delete_inode+0xbe/0x100
  [<ffffffff81222a7c>] ext4_free_inode+0x7c/0x4d0
  [<ffffffff812277b8>] ? ext4_mark_inode_dirty+0x88/0x230
  [<ffffffff8122993c>] ext4_evict_inode+0x32c/0x490
  [<ffffffff811b8cd7>] evict+0xa7/0x1c0
  [<ffffffff811b8ed3>] iput_final+0xe3/0x170
  [<ffffffff811b8f9e>] iput+0x3e/0x50
  [<ffffffff812316fd>] ext4_add_nondir+0x4d/0x90
  [<ffffffff81231d0b>] ext4_create+0xeb/0x170
  [<ffffffff811aae9c>] vfs_create+0xac/0xd0
  [<ffffffff811ac845>] lookup_open+0x185/0x1c0
  [<ffffffff8129e3b9>] ? selinux_inode_permission+0xa9/0x170
  [<ffffffff811acb54>] do_last+0x2d4/0x7a0
  [<ffffffff811af743>] path_openat+0xb3/0x480
  [<ffffffff8116a8a1>] ? handle_mm_fault+0x251/0x3b0
  [<ffffffff811afc49>] do_filp_open+0x49/0xa0
  [<ffffffff811bbaad>] ? __alloc_fd+0xdd/0x150
  [<ffffffff8119da28>] do_sys_open+0x108/0x1f0
  [<ffffffff8119db51>] sys_open+0x21/0x30
  [<ffffffff81618959>] system_call_fastpath+0x16/0x1b

Also fix comment for ext4_read_block_bitmap_nowait()

Signed-off-by: Eryu Guan <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ext4: return ENOMEM if sb_getblk() fails
Theodore Ts'o [Sat, 12 Jan 2013 21:19:36 +0000 (16:19 -0500)]
ext4: return ENOMEM if sb_getblk() fails

commit 860d21e2c585f7ee8a4ecc06f474fdc33c9474f4 upstream.

The only reason for sb_getblk() failing is if it can't allocate the
buffer_head.  So ENOMEM is more appropriate than EIO.  In addition,
make sure that the file system is marked as being inconsistent if
sb_getblk() fails.

Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago media: rc: unlock on error in show_protocols()
Dan Carpenter [Tue, 27 Nov 2012 16:35:09 +0000 (13:35 -0300)]
media: rc: unlock on error in show_protocols()

commit 30ebc5e44d057a1619ad63fe32c8c1670c37c4b8 upstream.

We recently introduced a new return -ENODEV in this function but we need
to unlock before returning.

[ found two patches with the same fix. Merged SOB's/acks into one patch]
Acked-by: Herton R. Krzesinski <>
Signed-off-by: Dan Carpenter <>
Signed-off-by: Douglas Bagnall <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago media: omap_vout: find_vma() needs ->mmap_sem held
Al Viro [Sun, 16 Dec 2012 19:04:46 +0000 (16:04 -0300)]
media: omap_vout: find_vma() needs ->mmap_sem held

commit 55ee64b30a38d688232e5eb2860467dddc493573 upstream.

Walking rbtree while it's modified is a Bad Idea(tm); besides,
the result of find_vma() can be freed just as it's getting returned
to caller.  Fortunately, it's easy to fix - just take ->mmap_sem a bit
earlier (and don't bother with find_vma() at all if virtp >= PAGE_OFFSET -
in that case we don't even look at its result).

While we are at it, what prevents VIDIOC_PREPARE_BUF calling
v4l_prepare_buf() -> (e.g) vb2_ioctl_prepare_buf() -> vb2_prepare_buf() ->
__buf_prepare() -> __qbuf_userptr() -> vb2_vmalloc_get_userptr() -> find_vma(),
AFAICS without having taken ->mmap_sem anywhere in process?  The code flow
is bloody convoluted and depends on a bunch of things done by initialization,
so I certainly might've missed something...

Signed-off-by: Al Viro <>
Cc: Sakari Ailus <>
Cc: Laurent Pinchart <>
Cc: Archit Taneja <>
Cc: Prabhakar Lad <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago media: v4l: Reset subdev v4l2_dev field to NULL if registration fails
Laurent Pinchart [Sun, 25 Nov 2012 00:35:48 +0000 (21:35 -0300)]
media: v4l: Reset subdev v4l2_dev field to NULL if registration fails

commit 317efce991620adc589b3005b9baed433dcb2a56 upstream.

When subdev registration fails the subdev v4l2_dev field is left to a
non-NULL value. Later calls to v4l2_device_unregister_subdev() will
consider the subdev as registered and will module_put() the subdev
module without any matching module_get().
Fix this by setting the subdev v4l2_dev field to NULL in
v4l2_device_register_subdev() when the function fails.

Signed-off-by: Laurent Pinchart <>
Acked-by: Sylwester Nawrocki <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago media: cx18/ivtv: fix regression: remove __init from a non-init function
Hans Verkuil [Sat, 9 Feb 2013 08:40:10 +0000 (05:40 -0300)]
media: cx18/ivtv: fix regression: remove __init from a non-init function

commit cfb046cb800ba306b211fbbe4ac633486e11055f upstream.

Commits 5e6e81b2890db3969527772a8350825a85c22d5c (cx18) and
2aebbf6737212265b917ed27c875c59d3037110a (ivtv) added an __init
annotation to the cx18-alsa-load and ivtv-alsa-load functions. However,
these functions are called *after* initialization by the main cx18/ivtv
driver. By that time the memory containing those functions is already
freed and your machine goes BOOM.

Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ext4: fix possible use-after-free with AIO
Jan Kara [Wed, 30 Jan 2013 03:48:17 +0000 (22:48 -0500)]
ext4: fix possible use-after-free with AIO

commit 091e26dfc156aeb3b73bc5c5f277e433ad39331c upstream.

Running AIO is pinning inode in memory using file reference. Once AIO
is completed using aio_complete(), file reference is put and inode can
be freed from memory. So we have to be sure that calling aio_complete()
is the last thing we do with the inode.

Reviewed-by: Carlos Maiolino <>
Acked-by: Jeff Moyer <>
Signed-off-by: Jan Kara <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago fs: Fix possible use-after-free with AIO
Jan Kara [Tue, 29 Jan 2013 23:28:01 +0000 (00:28 +0100)]
fs: Fix possible use-after-free with AIO

commit 54c807e71d5ac59dee56c685f2b66e27cd54c475 upstream.

Running AIO is pinning inode in memory using file reference. Once AIO
is completed using aio_complete(), file reference is put and inode can
be freed from memory. So we have to be sure that calling aio_complete()
is the last thing we do with the inode.

Acked-by: Jeff Moyer <>
CC: Christoph Hellwig <>
CC: Jens Axboe <>
CC: Jeff Moyer <>
Signed-off-by: Jan Kara <>
Signed-off-by: Al Viro <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago nbd: fsync and kill block device on shutdown
Paolo Bonzini [Thu, 28 Feb 2013 01:05:25 +0000 (17:05 -0800)]
nbd: fsync and kill block device on shutdown

commit 3a2d63f87989e01437ba994df5f297528c353d7d upstream.

There are two problems with shutdown in the NBD driver.

1: Receiving the NBD_DISCONNECT ioctl does not sync the filesystem.

   This patch adds the sync operation into __nbd_ioctl()'s
   NBD_DISCONNECT handler.  This is useful because BLKFLSBUF is restricted
   to processes that have CAP_SYS_ADMIN, and the NBD client may not
   possess it (fsync of the block device does not sync the filesystem,

2: Once we clear the socket we have no guarantee that later reads will
   come from the same backing storage.

   The patch adds calls to kill_bdev() in __nbd_ioctl()'s socket
   clearing code so the page cache is cleaned, lest reads that hit on the
   page cache will return stale data from the previously-accessible disk.


    # qemu-nbd -r -c/dev/nbd0 /dev/sr0
    # file -s /dev/nbd0
    /dev/stdin: # UDF filesystem data (version 1.5) etc.
    # qemu-nbd -d /dev/nbd0
    # qemu-nbd -r -c/dev/nbd0 /dev/sda
    # file -s /dev/nbd0
    /dev/stdin: # UDF filesystem data (version 1.5) etc.

While /dev/sda has:

    # file -s /dev/sda
    /dev/sda: x86 boot sector; etc.

Signed-off-by: Paolo Bonzini <>
Acked-by: Paul Clements <>
Cc: Alex Bligh <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago sysctl: fix null checking in bin_dn_node_address()
Xi Wang [Thu, 28 Feb 2013 01:05:21 +0000 (17:05 -0800)]
sysctl: fix null checking in bin_dn_node_address()

commit df1778be1a33edffa51d094eeda87c858ded6560 upstream.

The null check of `strchr() + 1' is broken, which is always non-null,
leading to OOB read.  Instead, check the result of strchr().

Signed-off-by: Xi Wang <>
Cc: "Eric W. Biederman" <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
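
Added example (not part of the commit or the kernel source): the broken `strchr() + 1` null check beside a hardened parser that checks the result of strchr() first. It assumes a dotted "area.node" text form for the address; `broken_check_rejects` and `parse_area_node` are hypothetical names, and the broken predicate is evaluated with integer arithmetic so the demo itself never forms an invalid pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * The pattern the commit message calls broken:
 *     nodep = strchr(buf, '.') + 1;
 *     if (!nodep) goto out;
 * Returns 1 if that check would reject buf, 0 otherwise.
 * The "+ 1" is done on uintptr_t so this demo has no undefined behaviour.
 */
static int broken_check_rejects(const char *buf)
{
    uintptr_t nodep = (uintptr_t)strchr(buf, '.') + 1;

    /* NULL + 1 is 1 and a real pointer + 1 is non-zero: never rejects. */
    return nodep == 0;
}

/*
 * Hardened form: test the strchr() result itself, then step past the dot.
 * Assumed input format: "<area>.<node>", both decimal.
 * Returns 0 on success, -1 on malformed input.
 */
static int parse_area_node(const char *buf, unsigned long *area,
                           unsigned long *node)
{
    const char *nodep = strchr(buf, '.');
    char *end;

    if (!nodep)
        return -1;              /* no separator: nothing to read after it */

    *area = strtoul(buf, &end, 10);
    if (end == buf || end != nodep)
        return -1;              /* empty area or junk before the dot */

    nodep++;                    /* safe: nodep pointed at '.' inside buf */
    *node = strtoul(nodep, &end, 10);
    if (end == nodep || *end != '\0')
        return -1;              /* empty node or trailing junk */

    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "1.2", "12", "1.", ".5" };
    unsigned long area, node;

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = parse_area_node(samples[i], &area, &node);

        printf("%-4s broken check rejects: %d, hardened parser: %s\n",
               samples[i], broken_check_rejects(samples[i]),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```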
5 years ago firewire: add minor number range check to fw_device_init()
Tejun Heo [Thu, 28 Feb 2013 01:04:04 +0000 (17:04 -0800)]
firewire: add minor number range check to fw_device_init()

commit 3bec60d511179853138836ae6e1b61fe34d9235f upstream.

fw_device_init() didn't check whether the allocated minor number isn't
too large.  Fail if it overflows MINORBITS.

Signed-off-by: Tejun Heo <>
Suggested-by: Stefan Richter <>
Acked-by: Stefan Richter <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago block: fix synchronization and limit check in blk_alloc_devt()
Tejun Heo [Thu, 28 Feb 2013 01:03:56 +0000 (17:03 -0800)]
block: fix synchronization and limit check in blk_alloc_devt()

commit ce23bba842aee98092225d9576dba47c82352521 upstream.

idr allocation in blk_alloc_devt() wasn't synchronized against lookup
and removal, and its limit check was off by one - 1 << MINORBITS is
the number of minors allowed, not the maximum allowed minor.

Add locking and rename MAX_EXT_DEVT to NR_EXT_DEVT and fix limit

Signed-off-by: Tejun Heo <>
Acked-by: Jens Axboe <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago idr: fix a subtle bug in idr_get_next()
Tejun Heo [Thu, 28 Feb 2013 01:03:34 +0000 (17:03 -0800)]
idr: fix a subtle bug in idr_get_next()

commit 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 upstream.

The iteration logic of idr_get_next() is borrowed mostly verbatim from
idr_for_each().  It walks down the tree looking for the slot matching
the current ID.  If the matching slot is not found, the ID is
incremented by the distance of single slot at the given level and

The implementation assumes that during the whole iteration id is aligned
to the layer boundaries of the level closest to the leaf, which is true
for all iterations starting from zero or an existing element and thus is
fine for idr_for_each().

However, idr_get_next() may be given any point and if the starting id
hits in the middle of a non-existent layer, increment to the next layer
will end up skipping the same offset into it.  For example, an IDR with
IDs filled between [64, 127] would look like the following.

          [  0  64 ... ]
       /----/   |
       |        |
      NULL    [ 64 ... 127 ]

If idr_get_next() is called with 63 as the starting point, it will try
to follow down the pointer from 0.  As it is NULL, it will then try to
proceed to the next slot in the same level by adding the slot distance
at that level which is 64 - making the next try 127.  It goes around the
loop and finds and returns 127 skipping [64, 126].

Note that this bug also triggers in idr_for_each_entry() loop which
deletes during iteration as deletions can make layers go away leaving
the iteration with unaligned ID into missing layers.

Fix it by ensuring proceeding to the next slot doesn't carry over the
unaligned offset - ie.  use round_up(id + 1, slot_distance) instead of
id += slot_distance.

Signed-off-by: Tejun Heo <>
Reported-by: David Teigland <>
Cc: KAMEZAWA Hiroyuki <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
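Added example (not from the commit above, and not the kernel's idr code): a two-level model of the walk the message describes, run on the same layout (IDs 64..127 present, iteration started at 63). The struct, the helper names and the "fixed" switch are hypothetical; the two ways of advancing the ID are the ones named in the message.

```c
#include <stdio.h>

#define IDR_BITS	6
#define IDR_SIZE	(1 << IDR_BITS)		/* 64 slots per layer */
#define IDR_MASK	(IDR_SIZE - 1)
#define MAX_LEVEL	4

/* Simplified stand-in for a tree layer (assumption, not struct idr_layer). */
struct layer {
	int layer;			/* 0 = layer closest to the leaves */
	void *ary[IDR_SIZE];		/* child layers, or stored items at layer 0 */
};

static int fls_int(int x)		/* 1-based position of the highest set bit */
{
	int r = 0;

	while (x) {
		r++;
		x >>= 1;
	}
	return r;
}

/* Return the first item with ID >= *nextid and store its ID in *nextid. */
static void *get_next(struct layer *top, int *nextid, int fixed)
{
	struct layer *pa[MAX_LEVEL], **paa = &pa[0];
	void *p = top;
	int id = *nextid;
	int n = (top->layer + 1) * IDR_BITS;
	int max = 1 << n;

	while (id < max) {
		while (n > 0 && p) {		/* walk down towards the slot for id */
			n -= IDR_BITS;
			*paa++ = p;
			p = ((struct layer *)p)->ary[(id >> n) & IDR_MASK];
		}
		if (p) {
			*nextid = id;
			return p;
		}
		if (fixed)	/* align to the start of the next slot at this level */
			id = (id + 1 + (1 << n) - 1) & ~((1 << n) - 1);
		else		/* pre-fix: carries the unaligned offset along */
			id += 1 << n;
		while (n < fls_int(id) && paa > pa) {	/* climb back up */
			n += IDR_BITS;
			p = *--paa;
		}
	}
	return NULL;
}

static struct layer top_layer, leaf_layer;
static int items[IDR_SIZE];

/* Constructed sample tree: only slot 1 of the top layer is populated. */
static struct layer *build_tree(void)
{
	top_layer.layer = 1;
	leaf_layer.layer = 0;
	for (int i = 0; i < IDR_SIZE; i++) {
		items[i] = 64 + i;
		leaf_layer.ary[i] = &items[i];
	}
	top_layer.ary[1] = &leaf_layer;
	return &top_layer;
}

int first_id_from(int start, int fixed)
{
	int id = start;

	return get_next(build_tree(), &id, fixed) ? id : -1;
}

int count_from(int start, int fixed)	/* entries visited by a full iteration */
{
	struct layer *top = build_tree();
	int id = start, count = 0;

	while (get_next(top, &id, fixed)) {
		count++;
		id++;
	}
	return count;
}

int main(void)
{
	printf("start 63, pre-fix: first id %d, %d entries visited\n",
	       first_id_from(63, 0), count_from(63, 0));
	printf("start 63, fixed:   first id %d, %d entries visited\n",
	       first_id_from(63, 1), count_from(63, 1));
	return 0;
}
```

Starting from 0 the pre-fix walk is still correct, which is why only callers that start at an arbitrary ID, or delete while iterating, are affected.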
5 years ago xen-blkback: use balloon pages for persistent grants
Roger Pau Monne [Thu, 14 Feb 2013 10:12:09 +0000 (11:12 +0100)]
xen-blkback: use balloon pages for persistent grants

commit 087ffecdaa1875cc683a7a5bc0695b3ebfce3bad upstream.

With current persistent grants implementation we are not freeing the
persistent grants after we disconnect the device. Since grant map
operations change the mfn of the allocated page, and we can no longer
pass it to __free_page without setting the mfn to a sane value, use
balloon grant pages instead, as the gntdev device does.

Signed-off-by: Roger Pau Monné <>
Cc: Konrad Rzeszutek Wilk <>
Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago xen-blkfront: drop the use of llist_for_each_entry_safe
Konrad Rzeszutek Wilk [Wed, 13 Feb 2013 18:01:55 +0000 (13:01 -0500)]
xen-blkfront: drop the use of llist_for_each_entry_safe

commit f84adf4921ae3115502f44ff467b04bf2f88cf04 upstream.

Replace llist_for_each_entry_safe with a while loop.

llist_for_each_entry_safe can trigger a bug in GCC 4.1, so it's best
to remove it and use a while loop and do the deletion manually.

Specifically this bug can be triggered by hot-unplugging a disk, either
by doing xm block-detach or by save/restore cycle.

BUG: unable to handle kernel paging request at fffffffffffffff0
IP: [<ffffffffa0047223>] blkif_free+0x63/0x130 [xen_blkfront]
The crash call trace is:
? blkif_free+0x63/0x130 [xen_blkfront]
blkfront_resume+0x46/0xa0 [xen_blkfront]

When drilling down to the assembler code, on newer GCC it does
        cmpq    $-16, %r12      #, persistent_gnt check
        je      .L30     #, out of the loop
... code in the loop
        testq   %r13, %r13      # n
        je      .L29     #, back to the top of the loop
        cmpq    $-16, %r12      #, persistent_gnt check
        movq    16(%r12), %r13  # <variable>, n
        jne     .L25     #, back to the top of the loop

While on GCC 4.1, it is:
... code in the loop
        testq   %r13, %r13      # n
        je      .L78    #, back to the top of the loop
        movq    16(%rbx), %r13  # <variable>, n
        jmp     .L78    #, back to the top of the loop

Which basically means that the exit loop condition instead of

&(pos)->member != NULL;


which makes the loop unbound.

Since xen-blkfront is the only user of the llist_for_each_entry_safe
macro remove it from llist.h.

Orabug: 16263164
Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago xen/blkback: Don't trust the handle from the frontend.
Konrad Rzeszutek Wilk [Wed, 16 Jan 2013 16:36:23 +0000 (11:36 -0500)]
xen/blkback: Don't trust the handle from the frontend.

commit 01c681d4c70d64cb72142a2823f27c4146a02e63 upstream.

The 'handle' is the device that the request is from. For the life-time
of the ring we copy it from a request to a response so that the frontend
is not surprised by it. But we do not need it - when we start processing
I/Os we have our own 'struct phys_req' which has only most essential
information about the request. In fact the 'vbd_translate' ends up
over-writing the with a value from the backend.

This assignment of with the 'handle' value is superfluous
so let's not do it.

Acked-by: Jan Beulich <>
Acked-by: Ian Campbell <>
Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago xen-blkback: do not leak mode property
Jan Beulich [Thu, 20 Dec 2012 10:31:11 +0000 (10:31 +0000)]
xen-blkback: do not leak mode property

commit 9d092603cc306ee6edfe917bf9ab8beb5f32d7bc upstream.

"be->mode" is obtained from xenbus_read(), which does a kmalloc() for
the message body. The short string is never released, so do it along
with freeing "be" itself, and make sure the string isn't kept when
backend_changed() doesn't complete successfully (which made it
desirable to slightly re-structure that function, so that the error
cleanup can be done in one place).

Reported-by: Olaf Hering <>
Signed-off-by: Jan Beulich <>
Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago block: fix ext_devt_idr handling
Tomas Henzl [Thu, 28 Feb 2013 01:03:32 +0000 (17:03 -0800)]
block: fix ext_devt_idr handling

commit 7b74e912785a11572da43292786ed07ada7e3e0c upstream.

While adding and removing a lot of disks and partitions this
sometimes shows up:

  WARNING: at fs/sysfs/dir.c:512 sysfs_add_one+0xc9/0x130() (Not tainted)
  Hardware name:
  sysfs: cannot create duplicate filename '/dev/block/259:751'
  Modules linked in: raid1 autofs4 bnx2fc cnic uio fcoe libfcoe libfc 8021q scsi_transport_fc scsi_tgt garp stp llc sunrpc cpufreq_ondemand powernow_k8 freq_table mperf ipv6 dm_mirror dm_region_hash dm_log power_meter microcode dcdbas serio_raw amd64_edac_mod edac_core edac_mce_amd i2c_piix4 i2c_core k10temp bnx2 sg ixgbe dca mdio ext4 mbcache jbd2 dm_round_robin sr_mod cdrom sd_mod crc_t10dif ata_generic pata_acpi pata_atiixp ahci mptsas mptscsih mptbase scsi_transport_sas dm_multipath dm_mod [last unloaded: scsi_wait_scan]
  Pid: 44103, comm: async/16 Not tainted 2.6.32-195.el6.x86_64 #1
  Call Trace:
    sd_open+0x81/0x1f0 [sd_mod]
    sd_probe_async+0x13b/0x210 [sd_mod]

This most likely happens because dev_t is freed while the number is
still used and idr_get_new() is not protected on every use.  The fix
adds a mutex where it wasn't before and moves the dev_t free function so
it is called after device del.

Signed-off-by: Tomas Henzl <>
Cc: Jens Axboe <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ocfs2: ac->ac_allow_chain_relink=0 won't disable group relink
Xiaowei.Hu [Thu, 28 Feb 2013 01:02:49 +0000 (17:02 -0800)]
ocfs2: ac->ac_allow_chain_relink=0 won't disable group relink

commit 309a85b6861fedbb48a22d45e0e079d1be993b3a upstream.

ocfs2_block_group_alloc_discontig() disables chain relink by setting
ac->ac_allow_chain_relink = 0 because it grabs clusters from multiple
cluster groups.

It doesn't keep the credits for all chain relink, but
ocfs2_claim_suballoc_bits overrides this in this call trace:
ocfs2_claim_suballoc_bits set ac->ac_allow_chain_relink = 1; then call
ocfs2_search_chain() one time and disable it again, and then we run out
of credits.

Fix is to allow relink by default and disable it in

Without this patch, end users will run into a crash due to running out of
credits, with a backtrace like this:

  RIP: 0010:[<ffffffffa0808b14>]  [<ffffffffa0808b14>]
  jbd2_journal_dirty_metadata+0x164/0x170 [jbd2]
  RSP: 0018:ffff8801b919b5b8  EFLAGS: 00010246
  RAX: 0000000000000000 RBX: ffff88022139ddc0 RCX: ffff880159f652d0
  RDX: ffff880178aa3000 RSI: ffff880159f652d0 RDI: ffff880087f09bf8
  RBP: ffff8801b919b5e8 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000001e00 R11: 00000000000150b0 R12: ffff880159f652d0
  R13: ffff8801a0cae908 R14: ffff880087f09bf8 R15: ffff88018d177800
  FS:  00007fc9b0b6b6e0(0000) GS:ffff88022fd40000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
  CR2: 000000000040819c CR3: 0000000184017000 CR4: 00000000000006e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  Process dd (pid: 9945, threadinfo ffff8801b919a000, task ffff880149a264c0)
  Call Trace:
    ocfs2_journal_dirty+0x2f/0x70 [ocfs2]
    ocfs2_relink_block_group+0x111/0x480 [ocfs2]
    ocfs2_search_chain+0x455/0x9a0 [ocfs2]

Signed-off-by: Xiaowei.Hu <>
Reviewed-by: Srinivas Eeda <>
Cc: Mark Fasheh <>
Cc: Joel Becker <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ocfs2: fix ocfs2_init_security_and_acl() to initialize acl correctly
Jeff Liu [Thu, 28 Feb 2013 01:02:48 +0000 (17:02 -0800)]
ocfs2: fix ocfs2_init_security_and_acl() to initialize acl correctly

commit 32918dd9f19e5960af4cdfa41190bb843fb2247b upstream.

We need to re-initialize the security for a new reflinked inode with its
parent dirs if it isn't specified to be preserved for ocfs2_reflink().
However, the code logic is broken at ocfs2_init_security_and_acl()
although ocfs2_init_security_get() succeeds.  As a result,
ocfs2_acl_init() is not invoked and therefore the default ACL of
parent dir was missing on the new inode.

Note this was introduced by 9d8f13ba3 ("security: new
security_inode_init_security API adds function callback")

To reproduce:

    set default ACL for the parent dir (ocfs2 in this case):
    $ setfacl -m default:user:jeff:rwx ../ocfs2/
    $ getfacl ../ocfs2/
    # file: ../ocfs2/
    # owner: jeff
    # group: jeff

    $ touch a
    $ getfacl a
    # file: a
    # owner: jeff
    # group: jeff

Before patching, create reflink file b from a, the user
default ACL entry (user:jeff:rwx) was missing:

    $ ./ocfs2_reflink a b
    $ getfacl b
    # file: b
    # owner: jeff
    # group: jeff

In this case, the end user can also observe an error message in syslog:

  (ocfs2_reflink,3229,2):ocfs2_init_security_and_acl:7193 ERROR: status = 0

After applying this patch, create reflink file c from a:

    $ ./ocfs2_reflink a c
    $ getfacl c
    # file: c
    # owner: jeff
    # group: jeff
    user:jeff:rwx #effective:rw-
    group::r-x #effective:r--

Test program:
/* Usage: reflink <source> <dest> */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>

/* Missing from the listing as extracted; values assumed (0 = none, 1 = preserve). */
#ifndef REFLINK_ATTR_NONE
#  define REFLINK_ATTR_NONE 0
#endif
#ifndef REFLINK_ATTR_PRESERVE
#  define REFLINK_ATTR_PRESERVE 1
#endif

static int
reflink_file(char const *src_name, char const *dst_name,
	     bool preserve_attrs)
{
	int fd;

	/* Argument block passed to the ocfs2 reflink ioctl. */
	struct reflink_arguments {
		uint64_t old_path;
		uint64_t new_path;
		uint64_t preserve;
	};

#  define OCFS2_IOC_REFLINK _IOW ('o', 4, struct reflink_arguments)
	struct reflink_arguments args = {
		.old_path = (unsigned long) src_name,
		.new_path = (unsigned long) dst_name,
		.preserve = preserve_attrs ? REFLINK_ATTR_PRESERVE :
					     REFLINK_ATTR_NONE,
	};

	fd = open(src_name, O_RDONLY);
	if (fd < 0) {
		fprintf(stderr, "Failed to open %s: %s\n",
			src_name, strerror(errno));
		return -1;
	}

	if (ioctl(fd, OCFS2_IOC_REFLINK, &args) < 0) {
		fprintf(stderr, "Failed to reflink %s to %s: %s\n",
			src_name, dst_name, strerror(errno));
		close(fd);
		return -1;
	}

	close(fd);
	return 0;
}

int
main(int argc, char *argv[])
{
	if (argc != 3) {
		fprintf(stdout, "Usage: %s source dest\n", argv[0]);
		return 1;
	}

	/* Attributes are not preserved, so the new inode gets its ACL from the parent dir. */
	return reflink_file(argv[1], argv[2], 0);
}

Signed-off-by: Jie Liu <>
Reviewed-by: Tao Ma <>
Cc: Mimi Zohar <>
Cc: Joel Becker <>
Cc: Mark Fasheh <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ocfs2: fix possible use-after-free with AIO
Jan Kara [Wed, 20 Feb 2013 02:16:39 +0000 (13:16 +1100)]
ocfs2: fix possible use-after-free with AIO

commit 9b171e0c74ca0549d0610990a862dd895870f04a upstream.

Running AIO is pinning inode in memory using file reference. Once AIO
is completed using aio_complete(), file reference is put and inode can
be freed from memory. So we have to be sure that calling aio_complete()
is the last thing we do with the inode.

Signed-off-by: Jan Kara <>
Acked-by: Jeff Moyer <>
Acked-by: Joel Becker <>
Cc: Mark Fasheh <>
Cc: Al Viro <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Al Viro <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago target: Add missing mapped_lun bounds checking during make_mappedlun setup
Nicholas Bellinger [Tue, 19 Feb 2013 02:31:37 +0000 (18:31 -0800)]
target: Add missing mapped_lun bounds checking during make_mappedlun setup

commit fbbf8555a986ed31e54f006b6cc637ea4ff1425b upstream.

This patch adds missing bounds checking for the configfs provided
mapped_lun value during target_fabric_make_mappedlun() setup ahead
of se_lun_acl initialization.

This addresses a potential OOPs when using a mapped_lun value that
exceeds the hardcoded TRANSPORT_MAX_LUNS_PER_TPG-1 value within

Reported-by: Jan Engelhardt <>
Cc: Jan Engelhardt <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago target: Fix lookup of dynamic NodeACLs during cached demo-mode operation
Nicholas Bellinger [Tue, 19 Feb 2013 02:00:33 +0000 (18:00 -0800)]
target: Fix lookup of dynamic NodeACLs during cached demo-mode operation

commit fcf29481fb8e106daad6688f2e898226ee928992 upstream.

This patch fixes a bug in core_tpg_check_initiator_node_acl() ->
core_tpg_get_initiator_node_acl() where a dynamically created
se_node_acl generated during session login would be skipped during
subsequent lookup due to the '!acl->dynamic_node_acl' check, causing
a new se_node_acl to be created with a duplicate ->initiatorname.

This would occur when a fabric endpoint was configured with
TFO->tpg_check_demo_mode()=1 + TPF->tpg_check_demo_mode_cache()=1
preventing the release of an existing se_node_acl during se_session

Also, drop the unnecessary usage of core_tpg_get_initiator_node_acl()
within core_dev_init_initiator_node_lun_acl() that originally
required the extra '!acl->dynamic_node_acl' check, and just pass
the configfs provided se_node_acl pointer instead.

Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago x86: Make sure we can boot in the case the BDA contains pure garbage
H. Peter Anvin [Wed, 27 Feb 2013 20:46:40 +0000 (12:46 -0800)]
x86: Make sure we can boot in the case the BDA contains pure garbage

commit 7c10093692ed2e6f318387d96b829320aa0ca64c upstream.

On non-BIOS platforms it is possible that the BIOS data area contains
garbage instead of being zeroed or something equivalent (firmware
people: we are talking of 1.5K here, so please do the sane thing.)

We need on the order of 20-30K of low memory in order to boot, which
may grow up to < 64K in the future.  We probably want to avoid the
lowest of the low memory.  At the same time, it seems extremely
unlikely that a legitimate EBDA would ever reach down to the 128K
(which would require it to be over half a megabyte in size.)  Thus,
pick 128K as the cutoff for "this is insane, ignore."  We may still
end up reserving a bunch of extra memory on the low megabyte, but that
is not really a major issue these days.  In the worst case we lose
512K of RAM.

This code really should be merged with trim_bios_range() in
arch/x86/kernel/setup.c, but that is a bigger patch for a later merge

Reported-by: Darren Hart <>
Signed-off-by: H. Peter Anvin <>
Cc: Matt Fleming <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago doc, kernel-parameters: Document 'console=hvc<n>'
Konrad Rzeszutek Wilk [Mon, 25 Feb 2013 20:54:09 +0000 (15:54 -0500)]
doc, kernel-parameters: Document 'console=hvc<n>'

commit a2fd6419174470f5ae6383f5037d0ee21ed9833f upstream.

Both the PowerPC hypervisor and Xen hypervisor can utilize the
hvc driver.

Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: H. Peter Anvin <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago doc, xen: Mention 'earlyprintk=xen' in the documentation.
Konrad Rzeszutek Wilk [Mon, 25 Feb 2013 20:54:08 +0000 (15:54 -0500)]
doc, xen: Mention 'earlyprintk=xen' in the documentation.

commit 2482a92e7d17187301d7313cfe5021b13393a0b4 upstream.

The earlyprintk for Xen PV guests utilizes a simple hypercall
(console_io) to provide output to Xen emergency console.

Note that the Xen hypervisor should be booted with 'loglevel=all'
to output said information.

Reported-by: H. Peter Anvin <>
Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: H. Peter Anvin <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago x86, efi: Make "noefi" really disable EFI runtime services
Matt Fleming [Wed, 20 Feb 2013 20:36:12 +0000 (20:36 +0000)]
x86, efi: Make "noefi" really disable EFI runtime services

commit fb834c7acc5e140cf4f9e86da93a66de8c0514da upstream.

commit 1de63d60cd5b ("efi: Clear EFI_RUNTIME_SERVICES rather than
EFI_BOOT by "noefi" boot parameter") attempted to make "noefi" true to
its documentation and disable EFI runtime services to prevent the
bricking bug described in commit e0094244e41c ("samsung-laptop:
Disable on EFI hardware"). However, it's not possible to clear
EFI_RUNTIME_SERVICES from an early param function because
EFI_RUNTIME_SERVICES is set in efi_init() *after* parse_early_param().

This resulted in "noefi" effectively becoming a no-op and no longer
providing users with a way to disable EFI, which is bad for those
users that have buggy machines.

Reported-by: Walt Nelson Jr <>
Cc: Satoru Takeuchi <>
Signed-off-by: Matt Fleming <>
Signed-off-by: H. Peter Anvin <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago x86/apic: Fix parsing of the 'lapic' cmdline option
Mathias Krause [Tue, 19 Feb 2013 19:47:07 +0000 (20:47 +0100)]
x86/apic: Fix parsing of the 'lapic' cmdline option

commit 27cf929845b10043f2257693c7d179a9e0b1980e upstream.

Including " lapic " in the kernel cmdline on an x86-64 kernel
makes it panic while parsing early params -- e.g. with no user
visible output.

Fix this bug by ensuring arg is non-NULL before passing it to

Reported-by: PaX Team <>
Signed-off-by: Mathias Krause <>
Acked-by: David Rientjes <>
Cc: Suresh Siddha <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ftrace: Call ftrace cleanup module notifier after all other notifiers
Steven Rostedt (Red Hat) [Wed, 13 Feb 2013 20:18:38 +0000 (15:18 -0500)]
ftrace: Call ftrace cleanup module notifier after all other notifiers

commit 8c189ea64eea01ca20d102ddb74d6936dd16c579 upstream.

Commit: c1bf08ac "ftrace: Be first to run code modification on modules"

changed ftrace module notifier's priority to INT_MAX in order to
process the ftrace nops before anything else could touch them
(namely kprobes). This was the correct thing to do.

Unfortunately, the ftrace module notifier also contains the ftrace
clean up code. As opposed to the set up code, this code should be
run *after* all the module notifiers have run in case a module is doing
correct clean-up and unregisters its ftrace hooks. Basically, ftrace
needs to do clean up on module removal, as it needs to know about code
being removed so that it doesn't try to modify that code. But after it
removes the module from its records, if a ftrace user tries to remove
a probe, that removal will fail as the record of that code segment
no longer exists.

Nothing really bad happens if the probe removal is called after ftrace
did the clean up, but the ftrace removal function will return an error.
Correct code (such as kprobes) will produce a WARN_ON() if it fails
to remove the probe. As people get annoyed by frivolous warnings, it's
best to do the ftrace clean up after everything else.

By splitting the ftrace_module_notifier into two notifiers, one that
does the module load setup that is run at high priority, and the other
that is called for module clean up that is run at low priority, the
problem is solved.

Reported-by: Frank Ch. Eigler <>
Acked-by: Masami Hiramatsu <>
Signed-off-by: Steven Rostedt <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago posix-timer: Don't call idr_find() with out-of-range ID
Tejun Heo [Wed, 20 Feb 2013 23:24:12 +0000 (15:24 -0800)]
posix-timer: Don't call idr_find() with out-of-range ID

commit e182bb38d7db7494fa5dcd82da17fe0dedf60ecf upstream.

When idr_find() was fed a negative ID, it used to look up the ID
ignoring the sign bit before recent ("idr: remove MAX_IDR_MASK and
move left MAX_IDR_* into idr.c") patch. Now a negative ID triggers

__lock_timer() feeds timer_id from userland directly to idr_find()
without sanitizing it which can trigger the above malfunctions.  Add a
range check on @timer_id before invoking idr_find() in __lock_timer().

While timer_t is defined as int by all archs at the moment, Andrew
worries that it may be defined as a larger type later on.  Make the
test cover larger integers too so that it at least is guaranteed to
not return the wrong timer.

Note that WARN_ON_ONCE() in idr_find() on id < 0 is transitional
precaution while moving away from ignoring MSB.  Once it's gone we can
remove the guard as long as timer_t isn't larger than int.

Signed-off-by: Tejun Heo <>
Reported-by: Sasha Levin <>
Cc: Andrew Morton <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago iommu/amd: Initialize device table after dma_ops
Joerg Roedel [Wed, 6 Feb 2013 11:55:23 +0000 (12:55 +0100)]
iommu/amd: Initialize device table after dma_ops

commit f528d980c17b8714aedc918ba86e058af914d66b upstream.

When dma_ops are initialized the unity mappings are
created. The init_device_table_dma() function makes sure DMA
from all devices is blocked by default. This opens a short
window in time where DMA to unity mapped regions is blocked
by the IOMMU. Make sure this does not happen by initializing
the device table after dma_ops.

Signed-off-by: Joerg Roedel <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago UBIFS: fix double free of ubifs_orphan objects
Adam Thomas [Sat, 2 Feb 2013 22:35:08 +0000 (22:35 +0000)]
UBIFS: fix double free of ubifs_orphan objects

commit 8afd500cb52a5d00bab4525dd5a560d199f979b9 upstream.

The last orphan in the dnext list has its dnext set to NULL. Because
of that, ubifs_delete_orphan assumes that it is not on the dnext list
and frees it immediately instead of ignoring it as a second delete. The
orphan is later freed again by erase_deleted.

This change adds an explicit flag to ubifs_orphan indicating whether
it is pending delete.

Signed-off-by: Adam Thomas <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago UBIFS: fix use of freed ubifs_orphan objects
Adam Thomas [Sat, 2 Feb 2013 22:32:31 +0000 (22:32 +0000)]
UBIFS: fix use of freed ubifs_orphan objects

commit 2928f0d0c5ebd6c9605c0d98207a44376387c298 upstream.

The last orphan in the cnext list has its cnext set to NULL. Because
of that, ubifs_delete_orphan assumes that it is not on the cnext list
and frees it immediately instead of adding it to the dnext list. The
freed orphan is later modified by write_orph_node.

This can cause various inconsistencies including directory entries
that cannot be removed and this error:

UBIFS error (pid 20685): layout_cnodes: LPT out of space at LEB 14:129009 needing 17, done_ltab 1, done_lsave 1

This is a regression introduced by
"7074e5eb UBIFS: remove invalid reference to list iterator variable".

This change adds an explicit flag to ubifs_orphan indicating whether
it is pending commit.

Signed-off-by: Adam Thomas <>
Reviewed-by: Adrian Hunter <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago b43: Fix lockdep splat on module unload
Larry Finger [Mon, 25 Feb 2013 06:09:24 +0000 (06:09 +0000)]
b43: Fix lockdep splat on module unload

commit 63a02ce1c5c59baa40b99756492e3ec8d6b51483 upstream.

On unload, b43 produces a lockdep warning that can be summarized in the
following way:

 [ INFO: possible circular locking dependency detected ]
 3.8.0-wl+ #117 Not tainted
 modprobe/5557 is trying to acquire lock:
  ((&wl->firmware_load)){+.+.+.}, at: [<ffffffff81062160>] flush_work+0x0/0x2a0

 but task is already holding lock:
  (rtnl_mutex){+.+.+.}, at: [<ffffffff813bd7d2>] rtnl_lock+0x12/0x20

 which lock already depends on the new lock.
 [ INFO: possible circular locking dependency detected ]

The full output is available at
To summarize, commit 6b6fa58 added a 'cancel_work_sync(&wl->firmware_load)'
call in the wrong place.

The fix is to move the cancel_work_sync() call to b43_bcma_remove() and
b43_ssb_remove(). Thanks to Johannes Berg and Michael Buesch for help in
diagnosing the log output.

Signed-off-by: Larry Finger <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago usb: dwc3: gadget: change HIRD threshold to 12
Felipe Balbi [Thu, 24 Jan 2013 09:56:11 +0000 (11:56 +0200)]
usb: dwc3: gadget: change HIRD threshold to 12

commit 1a947746dbe1486d0e305ab512ddf085b7874cb3 upstream.

First of all, that 28 value makes no sense as
HIRD threshold is a 4-bit value, second of all
it's causing issues for OMAP5.

Using 12 because commit cbc725b3 (usb: dwc3:
keep default hird threshold value as 4b1100)
had the intention of setting the maximum allowed
value of 0xc.

Also, original code has been wrong forever, so
this should be backported as far back as

Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago usb: dwc3: gadget: fix skip LINK_TRB on ISOC
Pratyush Anand [Mon, 14 Jan 2013 10:29:35 +0000 (15:59 +0530)]
usb: dwc3: gadget: fix skip LINK_TRB on ISOC

commit 915e202aeeb59e272992a6364c910aaef3073544 upstream.

When we reach to link trb, we just need to increase free_slot and then
calculate TRB. Return is not correct, as it will cause wrong TRB DMA
address to fetch in case of update transfer.

Signed-off-by: Pratyush Anand <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago usb: dwc3: gadget: fix isoc END TRANSFER Condition
Pratyush Anand [Mon, 14 Jan 2013 10:29:34 +0000 (15:59 +0530)]
usb: dwc3: gadget: fix isoc END TRANSFER Condition

commit cdc359dd87ab6c39a67dab724fd0b61c16e6f08b upstream.

There were still some corner cases where isoc transfer was not able to
restart, especially when missed isoc does not happen, and in fact gadget does
not queue any new request during giveback.

Cleanup function calls giveback first, which provides a way to queue
another request to gadget. But gadget did not have any data. So, it did
not call ep_queue. To twist it further, gadget did not queue till
cleanup for last queued TRB is called. If we ever reach this scenario,
we must call END TRANSFER, so that we receive a new xfernotready with
information about current microframe number.

Also ensure that there is no request submitted to core when issuing END

Signed-off-by: Pratyush Anand <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago usb: dwc3: gadget: fix missed isoc
Pratyush Anand [Mon, 14 Jan 2013 10:29:32 +0000 (15:59 +0530)]
usb: dwc3: gadget: fix missed isoc

commit 7efea86c2868b8fd9df65e589e33aebe498ce21d upstream.

There are two reasons to generate missed isoc.

1. when the host does not poll for all the data.
2. because of application-side delays that prevent all the data from
being transferred in programmed microframe.

Current code was able to handle first case only.  This patch handles
scenario 2 as well. Scenario 2 may sometimes occur with complex gadget
application, however it can be easily reproduced for testing purpose as

a. use isoc binterval as 1 in f_sourcesink.
b. use pattern=0
c. introduce a delay of 150us deliberately in source_sink_complete, so
that after few frames it lands into scenario 2.
d. now run testusb 16 (isoc in test). You will notice that if this
patch is not applied then isoc transfer is not able to recover after
first missed.

Current patch's approach is as under:

If missed isoc occurs and there is no request queued then issue END
TRANSFER, so that core generates next xfernotready and we will issue a
If there are still queued request then wait, do not issue either END or
UPDATE TRANSFER, just attach next request in request_list during giveback.
If any future queued request is successfully transferred then we will issue
UPDATE TRANSFER for all request in the request_list.

Signed-off-by: Pratyush Anand <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago usb: dwc3: Enable usb2 LPM only when connected as usb2.0
Pratyush Anand [Mon, 14 Jan 2013 10:29:31 +0000 (15:59 +0530)]
usb: dwc3: Enable usb2 LPM only when connected as usb2.0

commit 2b758350af19db9a5c98241cf222c2e211d7a912 upstream.

Synopsys says:
The HIRD Threshold field must be set to ‘0’ when the device core is
operating in super speed mode.

This patch implements above statement.

Acked-by: Paul Zimmerman <>
Signed-off-by: Pratyush Anand <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago quota: autoload the quota_v2 module for QFMT_VFS_V1 quota format
Theodore Ts'o [Fri, 25 Jan 2013 04:24:56 +0000 (23:24 -0500)]
quota: autoload the quota_v2 module for QFMT_VFS_V1 quota format

commit c3ad83d9efdfe6a86efd44945a781f00c879b7b4 upstream.

Otherwise, ext4 file systems with the quota feature enabled will get a
very confusing "No such process" error message if the quota code is
built as a module and the quota_v2 module has not been loaded.

Signed-off-by: "Theodore Ts'o" <>
Reviewed-by: Carlos Maiolino <>
Acked-by: Jan Kara <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago IB/srp: Fail I/O requests if the transport is offline
Bart Van Assche [Thu, 21 Feb 2013 17:20:00 +0000 (17:20 +0000)]
IB/srp: Fail I/O requests if the transport is offline

commit 2ce19e72f4d570c87e025ee6fca4eae699a8b712 upstream.

If an SRP target is no longer reachable and srp_reset_host() fails to
reconnect then ib_srp will invoke scsi_remove_host().  That function
will invoke __scsi_remove_device() for each LUN.  And that last
function will change the device state from SDEV_TRANSPORT_OFFLINE into
SDEV_CANCEL.  Certain user space software, e.g. older versions of
multipathd, continue queueing I/O to SCSI devices that are in the

If these I/O requests are submitted as SG_IO that means that the
REQ_PREEMPT flag will be set and hence that these requests will be
passed to srp_queuecommand().  These requests will time out.  If new
requests are queued fast enough from user space these active requests
will prevent __scsi_remove_device() from finishing.

Avoid this by failing I/O requests in the SDEV_CANCEL state if the
transport is offline.  Introduce a new variable to keep track of the
transport state instead of failing requests if (!target->connected ||
target->qp_in_error), so that the SCSI error handler has a chance to
retry commands after a transport layer failure occurred.

Signed-off-by: Bart Van Assche <>
Signed-off-by: Roland Dreier <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago IB/srp: Avoid endless SCSI error handling loop
Bart Van Assche [Thu, 21 Feb 2013 17:19:04 +0000 (17:19 +0000)]
IB/srp: Avoid endless SCSI error handling loop

commit c7c4e7ff8047e43c45628b85ac200582e9404c39 upstream.

If a SCSI command times out it is passed to the SCSI error
handler. The SCSI error handler will try to abort the commands that
timed out.  If aborting fails, a device reset will be attempted.  If
the device reset also fails a host reset will be attempted.  If the
host reset also fails the whole procedure will be repeated.

srp_abort() and srp_reset_device() fail for a QP in the error state.
srp_reset_host() fails after host removal has started.  Hence if the
SCSI error handler gets invoked after host removal has started and
with the QP in the error state an endless loop will be triggered.

Modify the SCSI error handling functions in ib_srp as follows:
- Abort SCSI commands properly even if the QP is in the error state.
- Make srp_reset_host() reset SCSI requests even after host removal
  has already started or if reconnecting fails.

Signed-off-by: Bart Van Assche <>
Acked-by: David Dillow <>
Signed-off-by: Roland Dreier <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago IB/srp: Avoid sending a task management function needlessly
Bart Van Assche [Thu, 21 Feb 2013 17:18:00 +0000 (17:18 +0000)]
IB/srp: Avoid sending a task management function needlessly

commit 3780d1f08856f692116bcf026e4acf1c521df1c7 upstream.

Do not send a task management function if sending will fail anyway
because either there is no RDMA/RC connection or the QP is in the
error state.

Signed-off-by: Bart Van Assche <>
Acked-by: David Dillow <>
Signed-off-by: Roland Dreier <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago IB/srp: Track connection state properly
Bart Van Assche [Thu, 21 Feb 2013 17:16:54 +0000 (17:16 +0000)]
IB/srp: Track connection state properly

commit e1b2f13aba9ff714d23ecd4a950e744ee7ad72e1 upstream.

Remove an assignment that incorrectly overwrites the connection state
update by srp_connect_target().

Signed-off-by: Bart Van Assche <>
Acked-by: David Dillow <>
Signed-off-by: Roland Dreier <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ALSA: emu10k1: Load firmware when it was already cached
Florian Zeitz [Mon, 25 Feb 2013 08:53:35 +0000 (09:53 +0100)]
ALSA: emu10k1: Load firmware when it was already cached

commit b56ddbe55a363eee4ff7410a97050dad08215f7c upstream.

This expands the regression fix from
The firmware also needs to be loaded when it was already cached.

Signed-off-by: Florian Zeitz <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ALSA: emu10k1: Fix regression in emu1010 firmware loading
Mihail Zenkov [Fri, 22 Feb 2013 11:25:27 +0000 (11:25 +0000)]
ALSA: emu10k1: Fix regression in emu1010 firmware loading

commit d28215996b0c3a900411769039aa3c54cf7008ab upstream.

This patch fixes a regression in emu1010 firmware loading after commit b209c4dfcd960ab176d4746ab7dc442a3edb4575

I just revert a small part of this commit. Tested on emu1212m pci.

Signed-off-by: Mihail Zenkov <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ALSA: hda - hdmi: Make jacks phantom, if they're not detectable
David Henningsson [Fri, 22 Feb 2013 09:16:28 +0000 (10:16 +0100)]
ALSA: hda - hdmi: Make jacks phantom, if they're not detectable

commit 30efd8debd1ef30be342d374f01e993509f5b76b upstream.

Just as for analog codecs, a jack that isn't suitable for detection
(in this case, NO_PRESENCE was set) should be a phantom Jack
instead of a normal one.

Thanks to Raymond Yau for spotting.

Signed-off-by: David Henningsson <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ALSA: bt87x: Make load_all parameter working again
Takashi Iwai [Mon, 25 Feb 2013 08:48:45 +0000 (09:48 +0100)]
ALSA: bt87x: Make load_all parameter working again

commit aacfddfdadb3540651d263245069631f341e953a upstream.

Along with a clean up commit [e9f66d9b9: ALSA: pci: clean up using
module_pci_driver()], bt87x driver lost the functionality of load_all
parameter.  This patch does a partial revert of the commit only for
bt87x.c to recover it.

Reported-by: Clemens Ladisch <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago mm: do not grow the stack vma just because of an overrun on preceding vma
Linus Torvalds [Wed, 27 Feb 2013 16:36:04 +0000 (08:36 -0800)]
mm: do not grow the stack vma just because of an overrun on preceding vma

commit 09884964335e85e897876d17783c2ad33cf8a2e0 upstream.

The stack vma is designed to grow automatically (marked with VM_GROWSUP
or VM_GROWSDOWN depending on architecture) when an access is made beyond
the existing boundary.  However, particularly if you have not limited
your stack at all ("ulimit -s unlimited"), this can cause the stack to
grow even if the access was really just one past *another* segment.

And that's wrong, especially since we first grow the segment, but then
immediately later enforce the stack guard page on the last page of the
segment.  So _despite_ first growing the stack segment as a result of
the access, the kernel will then make the access cause a SIGSEGV anyway!

So do the same logic as the guard page check does, and consider an
access to within one page of the next segment to be a bad access, rather
than growing the stack to abut the next segment.

Reported-and-tested-by: Heiko Carstens <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago Linux 3.8.1
Greg Kroah-Hartman [Thu, 28 Feb 2013 13:39:14 +0000 (05:39 -0800)]
Linux 3.8.1

5 years ago drm/nv50/devinit: reverse the logic for running encoder init scripts
Ben Skeggs [Sat, 16 Feb 2013 02:10:38 +0000 (12:10 +1000)]
drm/nv50/devinit: reverse the logic for running encoder init scripts

commit ac8cc241a81941932da44993242e68c62e115ec7 upstream.

A single U encoder table can match multiple DCB entries, whereas the
reverse is not true and can lead to us not matching a DCB entry at
all, and fail to initialise some encoders.

Signed-off-by: Ben Skeggs <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago drm/nouveau/bios: store a type/mask hash in parsed dcb data
Ben Skeggs [Sat, 16 Feb 2013 02:01:59 +0000 (12:01 +1000)]
drm/nouveau/bios: store a type/mask hash in parsed dcb data

commit 8e992c8d9eebc2bd3246252ee5c0422dbbbce7ae upstream.

Matches format used by a couple of other vbios tables, useful
to have laying around already calculated.

Signed-off-by: Ben Skeggs <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago drm/nouveau/bios: parse external transmitter type if off-chip
Ben Skeggs [Tue, 12 Feb 2013 00:16:31 +0000 (10:16 +1000)]
drm/nouveau/bios: parse external transmitter type if off-chip

commit f3ed1048715f2edc10c4dda6148b60e93f6282ed upstream.

Signed-off-by: Ben Skeggs <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago usb: musb: ux500: use clk_prepare_enable and clk_disable_unprepare
Fabio Baltieri [Mon, 7 Jan 2013 16:47:41 +0000 (17:47 +0100)]
usb: musb: ux500: use clk_prepare_enable and clk_disable_unprepare

commit 99d17cfa3bbc6f4edb175f819af59c6b9e245e82 upstream.

This patch converts the module to use clk_prepare_enable and
clk_disable_unprepare variants as required by common clock framework.

Without this the system crashes during the probe function.

Signed-off-by: Fabio Baltieri <>
Acked-by: Linus Walleij <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago usb: musb: fix dependency on transceiver driver
Ming Lei [Fri, 4 Jan 2013 15:13:58 +0000 (23:13 +0800)]
usb: musb: fix dependency on transceiver driver

commit 25736e0c8269e9613aa6036fbc591818daa30d14 upstream.

This patch lets the glue driver return -EPROBE_DEFER if the transceiver
is not ready, so we can support deferred probe on musb to fix the
error below on 3.7-rc5 if transceiver drivers are built as modules:

[   19.052490] unable to find transceiver of type USB2 PHY
[   19.072052] HS USB OTG: no transceiver configured
[   19.076995] musb-hdrc musb_init_controller failed with status -19
[   19.089355] musb-hdrc: probe of rejects match -19
[   19.096771] driver: 'musb-omap2430': driver_bound: bound to device 'musb-omap2430'
[   19.105194] bus: 'platform': really_probe: bound device musb-omap2430 to driver musb-omap2430
[   19.174407] bus: 'platform': add driver twl4030_usb
[   19.179656] bus: 'platform': driver_probe_device: matched device twl4030_usb with driver twl4030_usb
[   19.202270] bus: 'platform': really_probe: probing driver twl4030_usb with device twl4030_usb
[   19.214172] twl4030_usb twl4030_usb: HW_CONDITIONS 0xc0/192; link 3
[   19.239624] musb-omap2430 musb-omap2430: musb core is not yet ready
[   19.246765] twl4030_usb twl4030_usb: Initialized TWL4030 USB module
[   19.254516] driver: 'twl4030_usb': driver_bound: bound to device 'twl4030_usb'
[   19.263580] bus: 'platform': really_probe: bound device twl4030_usb to driver twl4030_usb

Cc: Sebastian Andrzej Siewior <>
Signed-off-by: Ming Lei <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago usb: musb: core: fix failure path
Ming Lei [Fri, 4 Jan 2013 15:13:06 +0000 (23:13 +0800)]
usb: musb: core: fix failure path

commit 681d1e8761ca773967bce9bd1bb2896f07279551 upstream.

In the fail1~fail5 failure path, pm_runtime_disable() should
be called to avoid 'Unbalanced pm_runtime_enable' error in
next probe() which may be triggered by defer probe or next
'modprobe musb_hdrc'.

Cc: Sebastian Andrzej Siewior <>
Signed-off-by: Ming Lei <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago USB: usb-storage: unusual_devs update for Super TOP SATA bridge
Josh Boyer [Thu, 14 Feb 2013 14:39:09 +0000 (09:39 -0500)]
USB: usb-storage: unusual_devs update for Super TOP SATA bridge

commit 18e03310b5caa6d11c1a8c61b982c37047693fba upstream.

The current entry in unusual_cypress.h for the Super TOP SATA bridge devices
seems to be causing corruption on newer revisions of this device.  This has
been reported in Arch Linux and Fedora.  The original patch was tested on
devices with bcdDevice of 1.60, whereas the newer devices report bcdDevice
as 2.20.  Limit the UNUSUAL_DEV entry to devices less than 2.20.

This fixes

The Arch Forum post on this is here:

Reported-by: Carsten S. <>
Tested-by: Carsten S. <>
Signed-off-by: Josh Boyer <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago USB: storage: properly handle the endian issues of idProduct
fangxiaozhi [Thu, 7 Feb 2013 07:32:07 +0000 (15:32 +0800)]
USB: storage: properly handle the endian issues of idProduct

commit cd060956c5e97931c3909e4a808508469c0bb9f6 upstream.

1. The idProduct is little endian, so make sure its value is
compatible with the current CPU. Make no break on big endian processors.

Signed-off-by: fangxiaozhi <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago USB: ehci-omap: Fix autoloading of module
Roger Quadros [Thu, 14 Feb 2013 15:08:09 +0000 (17:08 +0200)]
USB: ehci-omap: Fix autoloading of module

commit 04753523266629b1cd0518091da1658755787198 upstream.

The module alias should be "ehci-omap" and not
"omap-ehci" to match the platform device name.
The omap-ehci module should now autoload correctly.

Signed-off-by: Roger Quadros <>
Acked-by: Alan Stern <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago USB: option: add Huawei "ACM" devices using protocol = vendor
Bjørn Mork [Wed, 13 Feb 2013 22:41:34 +0000 (23:41 +0100)]
USB: option: add Huawei "ACM" devices using protocol = vendor

commit 1f3f687722fd9b29a0c2a85b4844e3b2a3585c63 upstream.

The USB device descriptor of one identity presented by a few
Huawei morphing devices has serial functions with class codes
02/02/ff, indicating CDC ACM with a vendor specific protocol. This
combination is often used for MSFT RNDIS functions, and the CDC
ACM class driver will therefore ignore such functions.

The CDC ACM class driver cannot support functions with only 2
endpoints.  The underlying serial functions of these modems are
also believed to be the same as for alternate device identities
already supported by the option driver. Letting the same driver
handle these functions independently of the current identity
ensures consistent handling and user experience.

There is no need to blacklist these devices in the rndis_host
driver. Huawei serial functions will either have only 2 endpoints
or a CDC ACM functional descriptor with bmCapabilities != 0, making
them correctly ignored as "non RNDIS" by that driver.

Signed-off-by: Bjørn Mork <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago USB: option: add Yota / Megafon M100-1 4g modem
Bjørn Mork [Tue, 12 Feb 2013 12:42:24 +0000 (13:42 +0100)]
USB: option: add Yota / Megafon M100-1 4g modem

commit cd565279e51bedee1b2988e84f9b3bef485adeb6 upstream.

Interface layout:

 00 CD-ROM
 01 debug COM port
 02 AP control port
 03 modem
 04 usb-ethernet

Bus=01 Lev=02 Prnt=02 Port=01 Cnt=02 Dev#=  4 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=0408 ProdID=ea42 Rev= 0.00
S:  Manufacturer=Qualcomm, Incorporated
S:  Product=Qualcomm CDMA Technologies MSM
S:  SerialNumber=353568051xxxxxx
C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=84(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=86(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms

Signed-off-by: Bjørn Mork <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago USB: option: add and update Alcatel modems
Bjørn Mork [Wed, 23 Jan 2013 09:44:36 +0000 (10:44 +0100)]
USB: option: add and update Alcatel modems

commit f8f0302bbcbd1b14655bef29f6996a2152be559d upstream.

Adding three currently unsupported modems based on information
from .inf driver files:

  Diag  VID_1BBB&PID_0052&MI_00
  AGPS  VID_1BBB&PID_0052&MI_01
  AT    VID_1BBB&PID_0052&MI_03
  Modem VID_1BBB&PID_0052&MI_05
  wwan  VID_1BBB&PID_0052&MI_06

  Diag  VID_1BBB&PID_00B6&MI_00
  AT    VID_1BBB&PID_00B6&MI_01
  Modem VID_1BBB&PID_00B6&MI_02
  wwan  VID_1BBB&PID_00B6&MI_03

  Diag  VID_1BBB&PID_00B7&MI_00
  AT    VID_1BBB&PID_00B7&MI_03
  Modem VID_1BBB&PID_00B7&MI_04
  wwan  VID_1BBB&PID_00B7&MI_05

Updating the blacklist info for the X060S_X200 and X220_X500D,
reserving interfaces for a wwan driver, based on

  wwan VID_1BBB&PID_0000&MI_04
  wwan VID_1BBB&PID_0017&MI_06

Signed-off-by: Bjørn Mork <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago dca: check against empty dca_domains list before unregister provider
Maciej Sosnowski [Wed, 23 May 2012 15:27:07 +0000 (17:27 +0200)]
dca: check against empty dca_domains list before unregister provider

commit c419fcfd071cf34ba00f9f65282583772d2655e7 upstream.

When providers get blocked unregister_dca_providers() is called ending up
with dca_providers and dca_domain lists emptied. Dca should be prevented from
trying to unregister any provider if dca_domain list is found empty.

Reported-by: Jiang Liu <>
Tested-by: Gaohuai Han <>
Signed-off-by: Maciej Sosnowski <>
Signed-off-by: Dan Williams <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago dma: sh: Don't use ENODEV for failing slave lookup
Guennadi Liakhovetski [Wed, 28 Nov 2012 06:49:47 +0000 (06:49 +0000)]
dma: sh: Don't use ENODEV for failing slave lookup

commit 7c1119bdd650fa58dad8157bc75c5fcf6ed97843 upstream.

If dmaengine driver's .device_alloc_chan_resources() method returns -ENODEV,
dma_request_channel() will decide, that the driver has been removed and will
remove the device from its list. To prevent this use ENXIO if a slave lookup

Reported-by: Kuninori Morimoto <>
Signed-off-by: Guennadi Liakhovetski <>
Signed-off-by: Vinod Koul <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago gpio: em: Use irq_domain_add_simple() to fix runtime error
Magnus Damm [Tue, 12 Feb 2013 15:56:13 +0000 (00:56 +0900)]
gpio: em: Use irq_domain_add_simple() to fix runtime error

commit c7886b18273b07042e25e8d3ba5c983837b84123 upstream.

Adjust the gpio-em.c driver to reconsider the pdata->irq_base
variable. Non-DT board code like for instance board-kzm9d.c
needs to operate on a static IRQ range for platform devices.

So this patch is updating the code to make use of the function
irq_domain_add_simple() instead of irq_domain_add_linear().

Fixes an EMEV2 / KZM9D runtime error caused by the following commit:
7385500 gpio/em: convert to linear IRQ domain

Signed-off-by: Magnus Damm <>
Tested-by: Simon Horman <>
Reported-by: Simon Horman <>
Signed-off-by: Linus Walleij <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago USB: ehci-omap: Don't free gpios that we didn't request
Roger Quadros [Thu, 14 Feb 2013 15:08:08 +0000 (17:08 +0200)]
USB: ehci-omap: Don't free gpios that we didn't request

commit 428525f97153505e83983460a8d08a3210aa6b8a upstream.

This driver does not request any gpios so don't free them.
Fixes L3 bus error on multiple modprobe/rmmod of ehci_hcd
with ehci-omap in use.

Without this patch, EHCI will break on repeated insmod/rmmod
of ehci_hcd for all OMAP2+ platforms that use EHCI and
set 'phy_reset = true' in usbhs_omap_board_data.

board-3430sdp.c: .phy_reset  = true,
board-3630sdp.c: .phy_reset  = true,
board-am3517crane.c: .phy_reset  = true,
board-am3517evm.c: .phy_reset  = true,
board-cm-t3517.c: .phy_reset  = true,
board-cm-t35.c: .phy_reset  = true,
board-devkit8000.c: .phy_reset  = true,
board-igep0020.c: .phy_reset = true,
board-igep0020.c: .phy_reset = true,
board-omap3beagle.c: .phy_reset  = true,
board-omap3evm.c: .phy_reset  = true,
board-omap3pandora.c: .phy_reset  = true,
board-omap3stalker.c: .phy_reset = true,
board-omap3touchbook.c: .phy_reset  = true,
board-omap4panda.c: .phy_reset  = false,
board-overo.c: .phy_reset  = true,
board-zoom.c: .phy_reset = true,

Signed-off-by: Roger Quadros <>
Reviewed-by: Felipe Balbi <>
Acked-by: Alan Stern <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago mac80211: always unblock CSA queue stop when disconnecting
Johannes Berg [Tue, 26 Feb 2013 21:37:57 +0000 (22:37 +0100)]
mac80211: always unblock CSA queue stop when disconnecting

Commit 5b36ebd8249f403c7edf7cf68d68e9a0d0f55243 upstream.

In some cases when disconnecting after (or during?) CSA
the queues might not recover, and then the only way to
recover is reloading the module.

Fix this by always unblocking the queue CSA reason when


Reported-by: Jan-Michael Brummer <>
Signed-off-by: Johannes Berg <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago vlan: adjust vlan_set_encap_proto() for its callers
Cong Wang [Thu, 21 Feb 2013 23:32:27 +0000 (23:32 +0000)]
vlan: adjust vlan_set_encap_proto() for its callers

[ Upstream commit da8c87241c26aac81a64c7e4d21d438a33018f4e ]

There are two places to call vlan_set_encap_proto():
vlan_untag() and __pop_vlan_tci().

vlan_untag() assumes skb->data points after mac addr, otherwise
the following code

        vhdr = (struct vlan_hdr *) skb->data;
        vlan_tci = ntohs(vhdr->h_vlan_TCI);
        __vlan_hwaccel_put_tag(skb, vlan_tci);

        skb_pull_rcsum(skb, VLAN_HLEN);

won't be correct. But __pop_vlan_tci() assumes it points _before_
mac addr.

In vlan_set_encap_proto(), it looks for some magic L2 value
after mac addr:

        rawp = skb->data;
        if (*(unsigned short *) rawp == 0xFFFF)

Therefore __pop_vlan_tci() is obviously wrong.

A quick fix is to avoid using skb->data in vlan_set_encap_proto();
using 'vhdr+1' is always correct in both cases.

Signed-off-by: Cong Wang <>
Cc: David S. Miller <>
Cc: Jesse Gross <>
Acked-by: Jesse Gross <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago sock_diag: Fix out-of-bounds access to sock_diag_handlers[]
Mathias Krause [Sat, 23 Feb 2013 01:13:47 +0000 (01:13 +0000)]
sock_diag: Fix out-of-bounds access to sock_diag_handlers[]

[ Upstream commit 6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0 ]

Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY
with a family greater than or equal to AF_MAX -- the array size of
sock_diag_handlers[]. The current code does not test for this
condition and is therefore vulnerable to an out-of-bounds access, opening
doors for a privilege escalation.

Signed-off-by: Mathias Krause <>
Acked-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
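
Added example (not part of the commit or the kernel source): a user-space C
model of the missing check described in the sock_diag commit above, with the
unchecked lookup beside the checked one. MODEL_AF_MAX, the model_* names and
the handler table are assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: a small table size stands in for the kernel's AF_MAX. */
#define MODEL_AF_MAX 8

/* Models the request header that userland places in the netlink message. */
struct model_diag_req {
    uint8_t sdiag_family;    /* caller-controlled, used as the table index */
    uint8_t sdiag_protocol;
};

struct model_diag_handler {
    uint8_t family;
    int (*dump)(const struct model_diag_req *req);
};

static int model_dump(const struct model_diag_req *req)
{
    return 100 + req->sdiag_family;   /* stand-in for a real dump result */
}

/* Only family 2 has a registered handler in this model. */
static const struct model_diag_handler model_inet_handler = { 2, model_dump };
static const struct model_diag_handler *model_handlers[MODEL_AF_MAX] = {
    [2] = &model_inet_handler,
};

/*
 * "Before": the family indexes the table directly. Any value >= MODEL_AF_MAX
 * reads past the array, and whatever lies there is then used as a handler
 * pointer. Only safe to call with an in-range family.
 */
int model_diag_rcv_unchecked(const void *msg, size_t len)
{
    const struct model_diag_req *req = msg;
    const struct model_diag_handler *h;

    if (len < sizeof(*req))
        return -EINVAL;
    h = model_handlers[req->sdiag_family];   /* no bounds check */
    if (h == NULL)
        return -ENOENT;
    return h->dump(req);
}

/* "After": reject the request before the family is used as an index. */
int model_diag_rcv(const void *msg, size_t len)
{
    const struct model_diag_req *req = msg;
    const struct model_diag_handler *h;

    if (len < sizeof(*req))
        return -EINVAL;
    if (req->sdiag_family >= MODEL_AF_MAX)   /* the missing test */
        return -EINVAL;
    h = model_handlers[req->sdiag_family];
    if (h == NULL)
        return -ENOENT;
    return h->dump(req);
}

int main(void)
{
    /* Constructed sample requests: registered, unregistered, out of range. */
    struct model_diag_req reqs[] = { { 2, 0 }, { 3, 0 }, { 200, 0 } };
    size_t i;

    for (i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
        printf("family %u -> %d\n", (unsigned)reqs[i].sdiag_family,
               model_diag_rcv(&reqs[i], sizeof(reqs[i])));
    return 0;
}
```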
5 years ago mlx4_en: fix allocation of CPU affinity reverse-map
Kleber Sacilotto de Souza [Fri, 22 Feb 2013 19:14:52 +0000 (19:14 +0000)]
mlx4_en: fix allocation of CPU affinity reverse-map

[ Upstream commit 3770699675dd1b8fc1e86ff369eb3cce44e10082 ]

The mlx4_en driver allocates the number of objects for the CPU affinity
reverse-map based on the number of rx rings of the device. However,
mlx4_assign_eq() calls irq_cpu_rmap_add() as many times as IRQ's are
assigned to EQ's, which can be as large as mlx4_dev->caps.comp_pool. If
caps.comp_pool is larger than rx_ring_num we will eventually hit the
BUG_ON() in cpu_rmap_add().

Fix this problem by allocating space for the maximum number of CPU
affinity reverse-map objects we might want to add.

Signed-off-by: Kleber Sacilotto de Souza <>
Acked-by: Amir Vadai <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago mlx4_en: fix allocation of device tx_cq
Kleber Sacilotto de Souza [Fri, 22 Feb 2013 14:58:02 +0000 (14:58 +0000)]
mlx4_en: fix allocation of device tx_cq

[ Upstream commit 427a96252d8eee7b9bbafce15bd37fa3387ede55 ]

The memory to hold the network device tx_cq is not being allocated with
the correct size in mlx4_en_init_netdev(). It should use MAX_TX_RINGS
instead of MAX_RX_RINGS. This can cause problems if the number of tx
rings being used is greater than MAX_RX_RINGS.

Signed-off-by: Kleber Sacilotto de Souza <>
Acked-by: Amir Vadai <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago tcp: fix SYN-data space mis-accounting
Yuchung Cheng [Fri, 22 Feb 2013 08:59:06 +0000 (08:59 +0000)]
tcp: fix SYN-data space mis-accounting

[ Upstream commit 1b63edd6ecc55c3a61b40297b49e2323783bddfd ]

In fast open the sender unnecessarily reduces the space available
for data in SYN by 12 bytes.  This is because the sender
incorrectly reserves space for TS option twice in tcp_send_syn_data():
tcp_mtu_to_mss() already accounts for TS option space. But it further
reserves MAX_TCP_OPTION_SPACE when computing the payload space.

Signed-off-by: Yuchung Cheng <>
Acked-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ipv4: fix error handling in icmp_protocol.
Li Wei [Thu, 21 Feb 2013 22:18:44 +0000 (22:18 +0000)]
ipv4: fix error handling in icmp_protocol.

[ Upstream commit 5b0520425e5ea81ba95ec486dd6bbb59a09fff0e ]

Now we handle icmp errors in each transport protocol's err_handler,
for icmp protocols, that is ping_err. Since this handler only cares
about those icmp errors triggered by echo request, errors triggered
by echo reply (which is sent by the kernel) are silently ignored.

So wrap ping_err() with icmp_err() to deal with those icmp errors.

Signed-off-by: Li Wei <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ipv6: use a stronger hash for tcp
Eric Dumazet [Thu, 21 Feb 2013 12:18:52 +0000 (12:18 +0000)]
ipv6: use a stronger hash for tcp

[ Upstream commit 08dcdbf6a7b9d14c2302c5bd0c5390ddf122f664 ]

It looks like it's possible to open thousands of TCP IPv6
sessions on a server, all landing in a single slot of TCP hash
table. Incoming packets have to look up sockets in a very
long list.

We should hash all bits from foreign IPv6 addresses, using
a salt and hash mix, not a simple XOR.

inet6_ehashfn() can also separately use the ports, instead
of xoring them.

Reported-by: Neal Cardwell <>
Signed-off-by: Eric Dumazet <>
Cc: Yuchung Cheng <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ipv4: fix a bug in ping_err().
Li Wei [Thu, 21 Feb 2013 00:09:54 +0000 (00:09 +0000)]
ipv4: fix a bug in ping_err().

[ Upstream commit b531ed61a2a2a77eeb2f7c88b49aa5ec7d9880d8 ]

We should get 'type' and 'code' from the outer ICMP header.

Signed-off-by: Li Wei <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ipv6: fix race condition regarding dst->expires and dst->from.
YOSHIFUJI Hideaki [Wed, 20 Feb 2013 00:29:08 +0000 (00:29 +0000)]
ipv6: fix race condition regarding dst->expires and dst->from.

[ Upstream commit ecd9883724b78cc72ed92c98bcb1a46c764fff21 ]

Eric Dumazet wrote:
| Some strange crashes happen in rt6_check_expired(), with access
| to random addresses.
| At first glance, it looks like the RTF_EXPIRES and
| stuff added in commit 1716a96101c49186b
| (ipv6: fix problem with expired dst cache)
| are racy : same dst could be manipulated at the same time
| on different cpus.
| At some point, our stack believes rt->dst.from contains a dst pointer,
| while it's really a jiffie value (as rt->dst.expires shares the same area
| of memory)
| rt6_update_expires() should be fixed, or am I missing something ?
| CC Neil because of

Because we do not have any locks for dst_entry, we cannot change
essential structure in the entry; e.g., we cannot change reference
to other entity.

To fix this issue, split 'from' and 'expires' field in dst_entry
out of union.  Once 'from' is assigned in the constructor,
keep the reference until the very last stage of the life time of
the object.

Of course, it is unsafe to change 'from', so make rt6_set_from simple
just for fresh entries.

Reported-by: Eric Dumazet <>
Reported-by: Neil Horman <>
CC: Gao Feng <>
Signed-off-by: YOSHIFUJI Hideaki <>
Reviewed-by: Eric Dumazet <>
Reported-by: Steinar H. Gunderson <>
Reviewed-by: Neil Horman <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago ppp: set qdisc_tx_busylock to avoid LOCKDEP splat
Eric Dumazet [Tue, 19 Feb 2013 18:42:03 +0000 (10:42 -0800)]
ppp: set qdisc_tx_busylock to avoid LOCKDEP splat

[ Upstream commit 303c07db487be59ae9fda10600ea65ca11c21497 ]

If a qdisc is installed on a ppp device, it's possible to get
a lockdep splat under stress, because nested dev_queue_xmit() can
lock busylock a second time (on a different device, so it's a false

Avoid this problem using a distinct lock_class_key for ppp

Reported-by: Yanko Kaneti <>
Tested-by: Yanko Kaneti <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago xfrm: release neighbor upon dst destruction
Romain KUNTZ [Mon, 18 Feb 2013 02:36:24 +0000 (02:36 +0000)]
xfrm: release neighbor upon dst destruction

[ Upstream commit 18cf0d0784b4a634472ed24d0d7ca1c721d93e90 ]

Neighbor is cloned in xfrm6_fill_dst but seems to never be released.
Neighbor entry should be released when XFRM6 dst entry is destroyed
in xfrm6_dst_destroy, otherwise references may be kept forever on
the device pointed by the neighbor entry.

I may not have understood all the subtleties of XFRM & dst so I would
be happy to receive comments on this patch.

Signed-off-by: Romain Kuntz <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>