commit d724b881b05d86182ba5343e0c13e0834bb6e7bf
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed Oct 31 10:11:22 2012 -0700
Linux 3.6.5
commit e8a8c5319cf390ab1895d78f6ffcd2c8038f0075
Author: Peng Tao <bergwolf@gmail.com>
Date: Fri Aug 24 00:27:53 2012 +0800
pnfsblock: fix non-aligned DIO write
commit 96c9eae638765c2bf2ca4f5a6325484f9bb69aa7 upstream.
For DIO writes, if it is not blocksize aligned, we need to do
internal serialization. It may slow down writers anyway. So we
just bail them out and resend to MDS.
Signed-off-by: Peng Tao <tao.peng@emc.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d1e1f0083e6cb81df51838f8a7824436edd96a95
Author: Peng Tao <bergwolf@gmail.com>
Date: Fri Aug 24 00:27:52 2012 +0800
pnfsblock: fix non-aligned DIO read
commit f742dc4a32587bff50b13dde9d8894b96851951a upstream.
For DIO read, if it is not sector aligned, we should reject it
and resend via MDS. Otherwise there might be data corruption.
Also teach bl_read_pagelist to handle partial page reads for DIO.
Signed-off-by: Peng Tao <tao.peng@emc.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2865269348c0cf5448544f971d1c64afe7cdbc98
Author: Yinghai Lu <yinghai@kernel.org>
Date: Mon Oct 22 16:35:18 2012 -0700
x86, mm: Use memblock memory loop instead of e820_RAM
commit 1f2ff682ac951ed82cc043cf140d2851084512df upstream.
We need to handle E820_RAM and E820_RESERVED_KERNEL at the same time.
Also memblock has page aligned range for ram, so we could avoid mapping
partial pages.
Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Link: http://lkml.kernel.org/r/CAE9FiQVZirvaBMFYRfXMmWEcHbKSicQEHz4VAwUv0xFCk51ZNw@mail.gmail.com
Acked-by: Jacob Shin <jacob.shin@amd.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 31fd7858aab67b6c4104cd7323a69f257a170572
Author: Olof Johansson <olof@lixom.net>
Date: Wed Oct 24 10:00:44 2012 -0700
x86: efi: Turn off efi_enabled after setup on mixed fw/kernel
commit 5189c2a7c7769ee9d037d76c1a7b8550ccf3481c upstream.
When 32-bit EFI is used with 64-bit kernel (or vice versa), turn off
efi_enabled once setup is done. Beyond setup, it is normally used to
determine if runtime services are available and we will have none.
This will resolve issues stemming from efivars modprobe panicking on a
32/64-bit setup, as well as some reboot issues on similar setups.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=45991
Reported-by: Marko Kohtala <marko.kohtala@gmail.com>
Reported-by: Maxim Kammerer <mk@dee.su>
Signed-off-by: Olof Johansson <olof@lixom.net>
Acked-by: Maarten Lankhorst <maarten.lankhorst@canonical.com>
Cc: Matthew Garrett <mjg@redhat.com>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c1f2d77769770f79d5dd9a8d7ab9615665343fd9
Author: Josh Triplett <josh@joshtriplett.org>
Date: Fri Sep 28 17:55:44 2012 -0700
efi: Defer freeing boot services memory until after ACPI init
commit 785107923a83d8456bbd8564e288a24d84109a46 upstream.
Some new ACPI 5.0 tables reference resources stored in boot services
memory, so keep that memory around until we have ACPI and can extract
data from it.
Signed-off-by: Josh Triplett <josh@joshtriplett.org>
Link: http://lkml.kernel.org/r/baaa6d44bdc4eb0c58e5d1b4ccd2c729f854ac55.1348876882.git.josh@joshtriplett.org
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Cc: Matt Fleming <matt@console-pimps.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 116f83b82e7272fec7f9f0f71376bdc67b159ae2
Author: Stanislaw Gruszka <sgruszka@redhat.com>
Date: Mon Oct 15 14:52:41 2012 +0200
cfg80211/mac80211: avoid state mishmash on deauth
commit 6863255bd0e48bc41ae5a066d5c771801e92735a upstream.
Avoid situation when we are on associate state in mac80211 and
on disassociate state in cfg80211. This can results on crash
during modules unload (like showed on this thread:
http://marc.info/?t=134373976300001&r=1&w=2) and possibly other
problems.
Reported-by: Pedro Francisco <pedrogfrancisco@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7c34784313937286fe71089203d62d6b3e534c93
Author: Yinghai Lu <yinghai@kernel.org>
Date: Thu Oct 25 15:45:26 2012 -0700
x86, mm: Undo incorrect revert in arch/x86/mm/init.c
commit f82f64dd9f485e13f29f369772d4a0e868e5633a upstream.
Commit
844ab6f9 x86, mm: Find_early_table_space based on ranges that are actually being mapped
added back some lines back wrongly that has been removed in commit
7b16bbf97 Revert "x86/mm: Fix the size calculation of mapping tables"
remove them again.
Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Link: http://lkml.kernel.org/r/CAE9FiQW_vuaYQbmagVnxT2DGsYc=9tNeAbdBq53sYkitPOwxSQ@mail.gmail.com
Acked-by: Jacob Shin <jacob.shin@amd.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 68386f3af67948d54f423c54a4384080e6b74810
Author: Jacob Shin <jacob.shin@amd.com>
Date: Wed Oct 24 14:24:44 2012 -0500
x86, mm: Find_early_table_space based on ranges that are actually being mapped
commit 844ab6f993b1d32eb40512503d35ff6ad0c57030 upstream.
Current logic finds enough space for direct mapping page tables from 0
to end. Instead, we only need to find enough space to cover mr[0].start
to mr[nr_range].end -- the range that is actually being mapped by
init_memory_mapping()
This is needed after 1bbbbe779aabe1f0768c2bf8f8c0a5583679b54a, to address
the panic reported here:
https://lkml.org/lkml/2012/10/20/160
https://lkml.org/lkml/2012/10/21/157
Signed-off-by: Jacob Shin <jacob.shin@amd.com>
Link: http://lkml.kernel.org/r/20121024195311.GB11779@jshin-Toonie
Tested-by: Tom Rini <trini@ti.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4ae29d121ef48cc7f3798e69bfde93742d83c760
Author: Felix Fietkau <nbd@openwrt.org>
Date: Wed Oct 17 13:50:43 2012 +0200
Revert "ath9k_hw: Updated AR9003 tx gain table for 5GHz"
commit 73b26df5fa1a6245d6fc982362518b620bc7c2fe upstream.
This reverts commit a240dc7b3c7463bd60cf0a9b2a90f52f78aae0fd.
This commit is reducing tx power by at least 10 db on some devices,
e.g. the Buffalo WZR-HP-G450H.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Cc: rmanohar@qca.qualcomm.com
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b1a9fec89349d9c41ff1ab519d4bfe2bb16814b8
Author: Andreas Herrmann <andreas.herrmann3@amd.com>
Date: Tue Oct 23 00:55:10 2012 +0200
cpufreq / powernow-k8: Remove usage of smp_processor_id() in preemptible code
commit e4df1cbcc1f329e53a1fff7450b2229e0addff20 upstream.
Commit 6889125b8b4e09c5e53e6ecab3433bed1ce198c9
(cpufreq/powernow-k8: workqueue user shouldn't migrate the kworker to another CPU)
causes powernow-k8 to trigger a preempt warning, e.g.:
BUG: using smp_processor_id() in preemptible [00000000] code: cpufreq/3776
caller is powernowk8_target+0x20/0x49
Pid: 3776, comm: cpufreq Not tainted 3.6.0 #9
Call Trace:
[<ffffffff8125b447>] debug_smp_processor_id+0xc7/0xe0
[<ffffffff814877e7>] powernowk8_target+0x20/0x49
[<ffffffff81482b02>] __cpufreq_driver_target+0x82/0x8a
[<ffffffff81484fc6>] cpufreq_governor_performance+0x4e/0x54
[<ffffffff81482c50>] __cpufreq_governor+0x8c/0xc9
[<ffffffff81482e6f>] __cpufreq_set_policy+0x1a9/0x21e
[<ffffffff814839af>] store_scaling_governor+0x16f/0x19b
[<ffffffff81484f16>] ? cpufreq_update_policy+0x124/0x124
[<ffffffff8162b4a5>] ? _raw_spin_unlock_irqrestore+0x2c/0x49
[<ffffffff81483640>] store+0x60/0x88
[<ffffffff811708c0>] sysfs_write_file+0xf4/0x130
[<ffffffff8111243b>] vfs_write+0xb5/0x151
[<ffffffff811126e0>] sys_write+0x4a/0x71
[<ffffffff816319a9>] system_call_fastpath+0x16/0x1b
Fix this by by always using work_on_cpu().
Signed-off-by: Andreas Herrmann <andreas.herrmann3@amd.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ceb80aec3793b4e34b84849c2823d052c91a855b
Author: Stanislav Yakovlev <stas.yakovlev@gmail.com>
Date: Mon Oct 15 14:14:32 2012 +0000
net/wireless: ipw2200: Fix panic occurring in ipw_handle_promiscuous_tx()
commit bf11315eeda510ea4fc1a2bf972d8155d31d89b4 upstream.
The driver does not count space of radiotap fields when allocating skb for
radiotap packet. This leads to kernel panic with the following call trace:
...
[67607.676067] [<c152f90f>] error_code+0x67/0x6c
[67607.676067] [<c142f831>] ? skb_put+0x91/0xa0
[67607.676067] [<f8cf5e5b>] ? ipw_handle_promiscuous_tx+0x16b/0x2d0 [ipw2200]
[67607.676067] [<f8cf5e5b>] ipw_handle_promiscuous_tx+0x16b/0x2d0 [ipw2200]
[67607.676067] [<f8cf899b>] ipw_net_hard_start_xmit+0x8b/0x90 [ipw2200]
[67607.676067] [<f8741c5a>] libipw_xmit+0x55a/0x980 [libipw]
[67607.676067] [<c143d3e8>] dev_hard_start_xmit+0x218/0x4d0
...
This bug was found by VittGam.
https://bugzilla.kernel.org/show_bug.cgi?id=43255
Signed-off-by: Stanislav Yakovlev <stas.yakovlev@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3814f2b04c026fb39dda34ad7184ab6796f97271
Author: Piotr Haber <phaber@broadcom.com>
Date: Thu Oct 11 14:05:15 2012 +0200
bcma: fix unregistration of cores
commit 1fffa905adffbf0d3767fc978ef09afb830275eb upstream.
When cores are unregistered, entries
need to be removed from cores list in a safe manner.
Reported-by: Stanislaw Gruszka <sgruszka@redhat.com>
Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Signed-off-by: Piotr Haber <phaber@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 44d127e0dd6e8eec8f351b766fa57ed69e18ea19
Author: Johannes Berg <johannes.berg@intel.com>
Date: Tue Sep 25 16:40:12 2012 +0200
iwlwifi: fix 6000 series channel switch command
commit 8f7b8db6e0557c8437adf9371e020cd89a7e85dc upstream.
The channel switch command for 6000 series devices
is larger than the maximum inline command size of
320 bytes. The command is therefore refused with a
warning. Fix this by allocating the command and
using the NOCOPY mechanism.
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit fbec5144b1a52c0d81db87626e802a64fd5a9a24
Author: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Date: Sun Oct 21 19:58:30 2012 +0800
dmaengine: imx-dma: fix missing unlock on error in imxdma_xfer_desc()
commit 720dfd250e48a8c7fd1b2b8645955413989c4ee0 upstream.
Add the missing unlock on the error handling path in function
imxdma_xfer_desc().
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7a263f0c7f4acdb1b58cf0e59e6a941b819bd550
Author: Barry Song <Baohua.Song@csr.com>
Date: Thu Sep 27 16:36:10 2012 +0800
dmaengine: sirf: fix a typo in moving running dma_desc to active queue
commit 26fd12209c08fe947be1828896ef4ffc5bd0e6df upstream.
list_move_tail(&schan->queued, &schan->active) makes the list_empty(schan->queued)
undefined, we either should change it to:
list_move_tail(schan->queued.next, &schan->active)
or
list_move_tail(&sdesc->node, &schan->active)
Signed-off-by: Barry Song <Baohua.Song@csr.com>
Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4853c29c3cd5e7d5ea41bc5edd50e16b1882c294
Author: Barry Song <Baohua.Song@csr.com>
Date: Thu Sep 27 16:35:38 2012 +0800
dmaengine: sirf: fix a typo in dma_prep_interleaved
commit 5997e089e4c3a7f0958a8fb0a54ec2b5a6f06168 upstream.
either DEV_TO_MEM or MEM_TO_DEV is supported, so change
OR to AND.
Signed-off-by: Barry Song <Baohua.Song@csr.com>
Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cae2c0464b08ffc8b5632cc56049ae7d2b80506f
Author: Oleg Nesterov <oleg@redhat.com>
Date: Thu Oct 25 22:28:12 2012 +0200
freezer: exec should clear PF_NOFREEZE along with PF_KTHREAD
commit b40a79591ca918e7b91b0d9b6abd5d00f2e88c19 upstream.
flush_old_exec() clears PF_KTHREAD but forgets about PF_NOFREEZE.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 577269ce50791085217d945d2ce5ae4b6903f3b9
Author: Dan Williams <dcbw@redhat.com>
Date: Wed Oct 24 12:10:34 2012 +0000
qmi_wwan/cdc_ether: move Novatel 551 and E362 to qmi_wwan
commit f8295ec22cb0f1ee6849b862addbfa3ea9320755 upstream.
These devices provide QMI and ethernet functionality via a standard CDC
ethernet descriptor. But when driven by cdc_ether, the QMI
functionality is unavailable because only cdc_ether can claim the USB
interface. Thus blacklist the devices in cdc_ether and add their IDs to
qmi_wwan, which enables both QMI and ethernet simultaneously.
Signed-off-by: Dan Williams <dcbw@redhat.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7450d9b70adc4249cfb5575b35ccb11f4b58fd1f
Author: Johan Hedberg <johan.hedberg@intel.com>
Date: Thu Oct 11 16:26:06 2012 +0200
Bluetooth: SMP: Fix setting unknown auth_req bits
commit 065a13e2cc665f6547dc7e8a9d6b6565badf940a upstream.
When sending a pairing request or response we should not just blindly
copy the value that the remote device sent. Instead we should at least
make sure to mask out any unknown bits. This is particularly critical
from the upcoming LE Secure Connections feature perspective as
incorrectly indicating support for it (by copying the remote value)
would cause a failure to pair with devices that support it.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8668be75982558ff50873ec256abdc881a1d25ba
Author: Chris Metcalf <cmetcalf@tilera.com>
Date: Thu Oct 25 07:25:20 2012 +0000
tilegx: fix some issues in the SW TSO support
commit 3da3fff8006c608f19a51859d44ba47ca8b41461 upstream.
This change correctly computes the header length and data length in
the fragments to avoid a bug where we would end up with extremely
slow performance. Also adopt use of skb_frag_size() accessor.
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4ade7d2eedda437e2197b57e449a308e06f9bb4d
Author: Larry Finger <Larry.Finger@lwfinger.net>
Date: Wed Oct 24 08:57:16 2012 -0500
b43: Fix oops on unload when firmware not found
commit f89ff6441df06abc2d95f3ef67525923032d6283 upstream.
When b43 fails to find firmware when loaded, a subsequent unload will
oops due to calling ieee80211_unregister_hw() when the corresponding
register call was never made.
Commit 2d838bb608e2d1f6cb4280e76748cb812dc822e7 fixed the same problem
for b43legacy.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Tested-by: Markus Kanet <dvmailing@gmx.eu>
Cc: Markus Kanet <dvmailing@gmx.eu>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cbc71967da7f3643d668a28b26d830e672891ab0
Author: Felix Fietkau <nbd@openwrt.org>
Date: Wed Oct 10 22:40:23 2012 +0200
mac80211: use ieee80211_free_txskb in a few more places
commit d4fa14cd62bd078c8e3ef39283b9f237e5b2ff0f upstream.
Free tx status skbs when draining power save buffers, pending frames, or
when tearing down a vif.
Fixes remaining conditions that can lead to hostapd/wpa_supplicant hangs when
running out of socket write memory.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8f645c50b625f912ee7e62687cd88c468f92ac64
Author: Stanislaw Gruszka <sgruszka@redhat.com>
Date: Tue Oct 2 21:34:23 2012 +0200
mac80211: check if key has TKIP type before updating IV
commit 4045f72bcf3c293c7c5932ef001742d8bb5ded76 upstream.
This patch fix corruption which can manifest itself by following crash
when switching on rfkill switch with rt2x00 driver:
https://bugzilla.redhat.com/attachment.cgi?id=615362
Pointer key->u.ccmp.tfm of group key get corrupted in:
ieee80211_rx_h_michael_mic_verify():
/* update IV in key information to be able to detect replays */
rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32;
rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16;
because rt2x00 always set RX_FLAG_MMIC_STRIPPED, even if key is not TKIP.
We already check type of the key in different path in
ieee80211_rx_h_michael_mic_verify() function, so adding additional
check here is reasonable.
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a52e181f56c22cd26444e61c0ac87222bd187564
Author: Johannes Berg <johannes.berg@intel.com>
Date: Mon Oct 1 15:52:00 2012 +0200
mac80211: connect with HT20 if HT40 is not permitted
commit 3a40414f826a8f1096d9b94c4a53ef91b25ba28d upstream.
Some changes to fix issues with HT40 APs in Korea
and follow-up changes to allow using HT40 even if
the local regulatory database disallows it caused
issues with iwlwifi (and could cause issues with
other devices); iwlwifi firmware would assert if
you tried to connect to an AP that has an invalid
configuration (e.g. using HT40- on channel 140.)
Fix this, while avoiding the "Korean AP" issue by
disabling HT40 and advertising HT20 to the AP
when connecting.
Reported-by: Florian Reitmeir <florian@reitmeir.org>
Tested-by: Florian Reitmeir <florian@reitmeir.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c5bb11c743f93a487b2e5806ede0cb14ca92c873
Author: Nicolas Ferre <nicolas.ferre@atmel.com>
Date: Wed Oct 24 16:19:47 2012 +0200
ARM: at91: fix external interrupt specification in board code
commit 69e7ea04c9365626c0963ff09bbaa3a1b49e293a upstream.
Since the switch to sparse irq, we have to add the NR_IRQS_LEGACY
offset to static irq numbers. It has been forgotten on these
SPI irq definitions in board code.
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Acked-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a009557c905f624b230c0d6f70cf41f3d9f5bd91
Author: Nicolas Ferre <nicolas.ferre@atmel.com>
Date: Wed Oct 24 16:09:57 2012 +0200
ARM: at91: fix external interrupts in non-DT case
commit 738a0fd752dc60e20beeda6f2f0f62e58dc0e344 upstream.
Management of external interrupts has changed but the
non-DT code has not integrated these changes.
Add a mask to pass external irq specification from SoC
specific code to the at91_aic_init() function.
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Acked-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 60b84696738cc3fb760c26f2569c53d0d1fb0c7d
Author: Ivan Shugov <ivan.shugov@gmail.com>
Date: Wed Oct 24 11:02:44 2012 +0200
ARM: at91: at91sam9g10: fix SOC type detection
commit 3d9a0183dd3423353e9e363bcc261c1220d05f9f upstream.
Newer at91sam9g10 SoC revision can't be detected, so the kernel can't boot with
this kind of kernel panic:
"AT91: Impossible to detect the SOC type"
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: Atmel AT91SAM9G10-EK
Ignoring tag cmdline (using the default kernel command line)
bootconsole [earlycon0] enabled
Memory policy: ECC disabled, Data cache writeback
Kernel panic - not syncing: AT91: Impossible to detect the SOC type
[<c00133d4>] (unwind_backtrace+0x0/0xe0) from [<c02366dc>] (panic+0x78/0x1cc)
[<c02366dc>] (panic+0x78/0x1cc) from [<c02fa35c>] (at91_map_io+0x90/0xc8)
[<c02fa35c>] (at91_map_io+0x90/0xc8) from [<c02f9860>] (paging_init+0x564/0x6d0)
[<c02f9860>] (paging_init+0x564/0x6d0) from [<c02f7914>] (setup_arch+0x464/0x704)
[<c02f7914>] (setup_arch+0x464/0x704) from [<c02f44f8>] (start_kernel+0x6c/0x2d4)
[<c02f44f8>] (start_kernel+0x6c/0x2d4) from [<20008040>] (0x20008040)
The reason for this is that the Debug Unit Chip ID Register has changed between
Engineering Sample and definitive revision of the SoC. Changing the check of
cidr to socid will address the problem. We do not integrate this check to the
list just above because we also have to make sure that the extended id is
disregarded.
Signed-off-by: Ivan Shugov <ivan.shugov@gmail.com>
[nicolas.ferre@atmel.com: change commit message]
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Acked-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e5c182965ed38c70f0e99574041898c1f5a14c45
Author: Bo Shen <voice.shen@atmel.com>
Date: Mon Oct 15 17:30:27 2012 +0800
ARM: at91/i2c: change id to let i2c-gpio work
commit 7840487cd6298f9f931103b558290d8d98d41c49 upstream.
The i2c core driver will turn the platform device ID to busnum
When using platfrom device ID as -1, it means dynamically assigned
the busnum. When writing code, we need to make sure the busnum,
and call i2c_register_board_info(int busnum, ...) to register device
if using -1, we do not know the value of busnum
In order to solve this issue, set the platform device ID as a fix number
Here using 0 to match the busnum used in i2c_regsiter_board_info()
Signed-off-by: Bo Shen <voice.shen@atmel.com>
Acked-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Acked-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9e9226a021af38ede5823b0610359dd817f35aa3
Author: Josh Wu <josh.wu@atmel.com>
Date: Fri Sep 14 17:01:29 2012 +0800
ARM: at91/tc: fix typo in the DT document
commit 11930c530f3edf81160e4962e363d579f5cdce7e upstream.
Signed-off-by: Josh Wu <josh.wu@atmel.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Acked-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4ecc39f837ce9a302bd35dc35576514036bdca01
Author: Heiko Stuebner <heiko@sntech.de>
Date: Wed Oct 17 16:47:11 2012 +0900
ARM: SAMSUNG: Add naming of s3c64xx-spi devices
commit 308b3afb97dc342e9c4f958d8b4c459ae0e22bd7 upstream.
Commit a5238e360b71 (spi: s3c64xx: move controller information into driver
data) introduced separate device names for the different subtypes of the
spi controller but forgot to set these in the relevant machines.
To fix this introduce a s3c64xx_spi_setname function and populate all
Samsung arches with the correct names. The function resides in a new
header, as the s3c64xx-spi.h contains driver platform data and should
therefore at some later point move out of the Samsung include dir.
Tested on a s3c2416-based machine.
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
[s.nawrocki@samsung.com: tested on mach-exynos]
Tested-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit de7dfdace5741d91cb273b29067ee22d125eab73
Author: Michael S. Tsirkin <mst@redhat.com>
Date: Wed Oct 24 20:37:51 2012 +0200
vhost: fix mergeable bufs on BE hosts
commit 910a578f7e9400a78a3b13aba0b4d2df16a2cb05 upstream.
We copy head count to a 16 bit field, this works by chance on LE but on
BE guest gets 0. Fix it up.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Alexander Graf <agraf@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b0bda710d6b48cdc54b902f6bce3470b42cfab6b
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 18:56:33 2012 +0200
USB: mos7840: remove invalid disconnect handling
commit e681b66f2e19fadbe8a7e2a17900978cb6bc921f upstream.
Remove private zombie flag used to signal disconnect and to prevent
control urb from being submitted from interrupt urb completion handler.
The control urb will not be re-submitted as both the control urb and the
interrupt urb is killed on disconnect.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ee52fcd83c615252a8118e146f8db61358ecdb4b
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 18:56:32 2012 +0200
USB: mos7840: remove NULL-urb submission
commit 28c3ae9a8cf45f439c9a0779ebd0256e2ae72813 upstream.
The private int_urb is never allocated so the submission from the
control completion handler will always fail. Remove this odd piece of
broken code.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit da0d04fd143824b6d2657c267a8a09517194370b
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 13:35:10 2012 +0200
USB: mos7840: fix port-device leak in error path
commit 3eb55cc4ed88eee3b5230f66abcdbd2a91639eda upstream.
The driver set the usb-serial port pointers to NULL on errors in attach,
effectively preventing usb-serial core from decrementing the port ref
counters and releasing the port devices and associated data.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f36791258f9c7da44ba15aa64f3eb284b67b9939
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 13:35:09 2012 +0200
USB: mos7840: fix urb leak at release
commit 65a4cdbb170e4ec1a7fa0e94936d47e24a17b0e8 upstream.
Make sure control urb is freed at release.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7e4d20169cdd2e9fb458d5d28b515397c112047f
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:19 2012 +0200
USB: sierra: fix port-data memory leak
commit f525c05babc7938cc1d4236550fd8a659fb05960 upstream.
Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.
Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.
Note also that urb-count for multi-port interfaces has not been changed
even though the usb-serial port number is now determined from the port
and interface minor numbers.
Compile-only tested.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 99ad30180d1a0de0fbe4adfd8d24085ac77e1a24
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:18 2012 +0200
USB: sierra: fix memory leak in probe error path
commit 084817d79399ab5ccab2f90a148b0369912a8369 upstream.
Move interface data allocation to attach so that it is deallocated on
errors in usb-serial probe.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d9b48922b9d6dc1c02586d36639a27917f3dbe46
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:17 2012 +0200
USB: sierra: fix memory leak in attach error path
commit 7e41f9bcdd2e813ea2a3c40db291d87ea06b559f upstream.
Make sure port private data is deallocated on errors in attach.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9fd041e480fa2da73eab4d4bbba1f5738b45dc8f
Author: Lennart Sorensen <lsorense@csclub.uwaterloo.ca>
Date: Wed Oct 24 10:23:09 2012 -0400
USB: serial: Fix memory leak in sierra_release()
commit f7bc5051667b74c3861f79eed98c60d5c3b883f7 upstream.
I found a memory leak in sierra_release() (well sierra_probe() I guess)
that looses 8 bytes each time the driver releases a device.
Signed-off-by: Len Sorensen <lsorense@csclub.uwaterloo.ca>
Acked-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 38e602db5db176e642d66ab7bffabec143edc2f3
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:10 2012 +0200
USB: quatech2: fix io after disconnect
commit 2f0295adf6438188c4cd0868f2b1976a2b034e1d upstream.
Make sure no control urb is submitted during close after a disconnect by
checking the disconnected flag.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f5c21b3815667aeae65a3ec56576294c5ed751e6
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:09 2012 +0200
USB: quatech2: fix close and disconnect urb handling
commit 8e512ab0b675da20e023439a5811e3f2554e6852 upstream.
Kill urbs unconditionally at close and disconnect.
Note that URB status is not valid outside of completion handler.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b7e9cee3e7062435521dd933ce2349a2d721e596
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:08 2012 +0200
USB: quatech2: fix port-data memory leaks
commit 40d04738491d7ac1aa708ba434ff3480ec9e1b96 upstream.
Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.
Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.
Note that this also fixes memory leaks in the error path of attach where
the write urbs were not freed on errors.
Make sure all interface-data deallocation is done in release by moving
the read urb deallocation from disconnect.
Note that the write urb is killed during close so that the call in
disconnect was superfluous.
Compile-only tested.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: Bill Pemberton <wfp5p@virginia.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 24496dfe837363e83d9f1dde5bd68372088e6f88
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:07 2012 +0200
USB: quatech2: fix memory leak in error path
commit b8a0055050b6294826171641b182c09f78f4cc63 upstream.
Fix memory leak in attach error path where the read urb was never freed.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: Bill Pemberton <wfp5p@virginia.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 89133c6f9cf825de28dff95aa4e933d5349b0101
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:05 2012 +0200
USB: mos7720: fix port-data memory leak
commit 4230af572f95b3115bba1ee6fb95681f3851ab26 upstream.
Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.
Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.
Note that this patch also fixes a second port-data memory leak in the
error path of attach, should parallel-port initialisation fail.
Compile-only tested.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bd0758d884d30c79e064db3b7d18cc1ae4899843
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:00 2012 +0200
USB: metro-usb: fix io after disconnect
commit 2ee44fbeac92c36e53779a57ee84cfee1affe418 upstream.
Make sure no control urb is submitted during close after a disconnect by
checking the disconnected flag.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 10899e1d571d11982a4bd57e2112d475429583fa
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:28:59 2012 +0200
USB: metro-usb: fix port-data memory leak
commit 50dde8686eec41bf3d7cbec7a6f76c073ab01903 upstream.
Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.
Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.
Note that the call to metrousb_clean (close) in shutdown was redundant.
Compile-only tested.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e16f68849ef8ccd4578047f306aface94176ea2a
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:12 2012 +0200
USB: opticon: fix memory leak in error path
commit acbf0e5263de563e25f7c104868e4490b9e72b13 upstream.
Fix memory leak in write error path.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f2eed28b4ba4b289f51567e19d7933be0348da55
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:11 2012 +0200
USB: opticon: fix DMA from stack
commit ea0dbebffe118724cd4df7d9b071ea8ee48d48f0 upstream.
Make sure to allocate the control-message buffer dynamically as some
platforms cannot do DMA from stack.
Note that only the first byte of the old buffer was used.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5cd933664edb0f9cb7f52c40219668267571bf40
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:02 2012 +0200
USB: whiteheat: fix port-data memory leak
commit c467206ed6bcce26c83d0435612cc4fee2527305 upstream.
Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.
Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.
Note that the fifth port (command port) is never registered as a
port device and thus should be handled in attach and release.
Compile-only tested.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: <support@connecttech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 09d35f2c69e5f92db3ec0b8f3ce62be0c0bbacc2
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:01 2012 +0200
USB: whiteheat: fix memory leak in error path
commit c129197c99550d356cf5f69b046994dd53cd1b9d upstream.
Make sure command buffer is deallocated in case of errors during attach.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: <support@connecttech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bf66cd30357174ed30c140f79b4016f4230a0066
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 15:42:41 2012 +0200
USB: qcserial: fix interface-data memory leak in error path
commit 961be09e1ead58509ed4bed0d5819a15d8613d8d upstream.
Move interface data allocation to attach so that it is deallocated
should usb-serial probe fail.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1968e8d84329760f4722c5c3951aec28b5ece59b
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:06 2012 +0200
USB: omninet: fix port-data memory leak
commit feffa7ca6008ab859dd7ab7448a5a899bf0aa98f upstream.
Fix port-data memory leak by replacing attach and release with
port_probe and port_remove.
Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.
Compile-only tested.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 789a4bbd28e4e5128a66a6e35117ef9392fed867
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:15 2012 +0200
USB: keyspan: fix NULL-pointer dereferences and memory leaks
commit f79b2d0fe81eecb412dc48e87a119afc690da8e9 upstream.
Fix NULL-pointer dereference at release by moving port data allocation
and deallocation to port_probe and port_remove.
Fix NULL-pointer dereference at disconnect by stopping port urbs at
port_remove.
Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer accessible at
disconnect or release.
Note that this patch also fixes port and interface-data memory leaks in
the error path of attach should port initialisation fail for any port.
Compile-only tested.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d16dbb330b8517c1df7e03c120cac572d726a5b6
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 15:42:40 2012 +0200
USB: option: fix interface-data memory leak in error path
commit c2dd4a8eac7821fed2c2d19e4607d0986b53b0fe upstream.
Move interface data allocation to attach so that it is deallocated
should usb-serial probe fail.
Note that the usb device id is stored at probe so that it can be used
in attach to determine send-setup blacklisting.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9e7922db1d38b0ee22355cda640c175bc4e5501a
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:14 2012 +0200
USB: mct_u232: fix broken close
commit 5260e458f5eff269a43e4f1e9c47186c57b88ddb upstream.
Make sure generic close is called at close.
The driver relies on the generic write implementation but did not call
generic close.
Note that the call to kill the read urb is not redundant, as mct_u232
uses an interrupt urb from the second port as the read urb and that
generic close therefore fails to kill it.
Compile-only tested.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 14e6c99bfc02a84d98ee77552a328855c1db31e5
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:13 2012 +0200
USB: mct_u232: fix port-data memory leak
commit a8f2ae7a3aa59079d7e7e1ddf5007f03532f458c upstream.
Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.
Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.
Note that the write waitqueue was initialised but never used.
Compile-only tested.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e830d9c15b2b6cbc557d213c52f8d1835002c66f
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 15:42:39 2012 +0200
USB: ipw: fix interface-data memory leak in error path
commit a997448c89905b80aa4022f734f03685e733d711 upstream.
Move interface data allocation to attach so that it is deallocated
should usb-serial probe fail.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8d7e8206ad00c040b2075184236c325cd1ba14a2
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:04 2012 +0200
USB: digi_acceleport: fix port-data memory leak
commit fb44ff854e148bc5c5982dad32da98b7a0989d2d upstream.
Fix port-data memory leak by moving port data allocation and
deallocation to port_probe and port_remove.
Since commit 0998d0631001288 (device-core: Ensure drvdata = NULL when no
driver is bound) the port private data is no longer freed at release as
it is no longer accessible.
Note that the oob port is never registered as a port device and should
thus be handled in attach and release.
Compile-only tested.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Cc: Peter Berger <pberger@brimson.com>
Cc: Al Borchers <alborchers@steinerpoint.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 226c125e2f5b479dc1fee67bbd3a84c90021c816
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:03 2012 +0200
USB: ch341: fix port-data memory leak
commit 456c5be56ed070a4d883c60b587bcc1c97a8cf3e upstream.
Fix port-data memory leak by moving port data allocation to port_probe
and actually implementing deallocation.
Note that this driver has never even bothered to try to deallocate it's
port data...
Compile-only tested.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 34a2ee3523326ee24676077b8c796719dfcf0efd
Author: Octavian Purdila <octavian.purdila@intel.com>
Date: Mon Oct 1 22:21:12 2012 +0300
usb hub: send clear_tt_buffer_complete events when canceling TT clear work
commit 3b6054da68f9b0d5ed6a7ed0f42a79e61904352c upstream.
There is a race condition in the USB hub code with regard to handling
TT clear requests that can get the HCD driver in a deadlock. Usually
when an TT clear request is scheduled it will be executed immediately:
<7>[ 6.077583] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
<3>[ 6.078041] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
<7>[ 6.078299] hub_tt_work:731
<7>[ 9.309089] usb 2-1.5: link qh1-0e01/f4d506c0 start 0 [1/2 us]
<7>[ 9.324526] ehci_hcd 0000:00:1d.0: reused qh f4d4db00 schedule
<7>[ 9.324539] usb 2-1.3: link qh1-0e01/f4d4db00 start 0 [1/2 us]
<7>[ 9.341530] usb 1-1.1: link qh4-0e01/f397aec0 start 2 [1/2 us]
<7>[ 10.116159] usb 2-1.3: unlink qh1-0e01/f4d4db00 start 0 [1/2 us]
<3>[ 10.116459] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d82
<7>[ 10.116537] hub_tt_work:731
However, if a suspend operation is triggered before hub_tt_work is
scheduled, hub_quiesce will cancel the work without notifying the HCD
driver:
<3>[ 35.033941] usb 2-1: clear tt buffer port 3, a3 ep2 t04048d80
<5>[ 35.034022] sd 0:0:0:0: [sda] Stopping disk
<7>[ 35.034039] hub 2-1:1.0: hub_suspend
<7>[ 35.034067] usb 2-1: unlink qh256-0001/f3b1ab00 start 1 [1/0 us]
<7>[ 35.035085] hub 1-0:1.0: hub_suspend
<7>[ 35.035102] usb usb1: bus suspend, wakeup 0
<7>[ 35.035106] ehci_hcd 0000:00:1a.0: suspend root hub
<7>[ 35.035298] hub 2-0:1.0: hub_suspend
<7>[ 35.035313] usb usb2: bus suspend, wakeup 0
<7>[ 35.035315] ehci_hcd 0000:00:1d.0: suspend root hub
<6>[ 35.250017] PM: suspend of devices complete after 216.979 msecs
<6>[ 35.250822] PM: late suspend of devices complete after 0.799 msecs
<7>[ 35.252343] ehci_hcd 0000:00:1d.0: wakeup: 1
<7>[ 35.262923] ehci_hcd 0000:00:1d.0: --> PCI D3hot
<7>[ 35.263302] ehci_hcd 0000:00:1a.0: wakeup: 1
<7>[ 35.273912] ehci_hcd 0000:00:1a.0: --> PCI D3hot
<6>[ 35.274254] PM: noirq suspend of devices complete after 23.442 msecs
<6>[ 35.274975] ACPI: Preparing to enter system sleep state S3
<6>[ 35.292666] PM: Saving platform NVS memory
<7>[ 35.295030] Disabling non-boot CPUs ...
<6>[ 35.297351] CPU 1 is now offline
<6>[ 35.300345] CPU 2 is now offline
<6>[ 35.303929] CPU 3 is now offline
<7>[ 35.303931] lockdep: fixing up alternatives.
<6>[ 35.304825] Extended CMOS year: 2000
When the device will resume the EHCI driver will get stuck in
ehci_endpoint_disable waiting for the tt_clearing flag to reset:
<0>[ 47.610967] usb 2-1.3: **** DPM device timeout ****
<7>[ 47.610972] f2f11c60 00000092 f2f11c0c c10624a5 00000003 f4c6e880 c1c8a4c0 c1c8a4c0
<7>[ 47.610983] 15c55698 0000000b f56b34c0 f2a45b70 f4c6e880 00000082 f2a4602c f2f11c30
<7>[ 47.610993] c10787f8 f4cac000 f2a45b70 00000000 f4cac010 f2f11c58 00000046 00000001
<7>[ 47.611004] Call Trace:
<7>[ 47.611006] [<c10624a5>] ? sched_clock_cpu+0xf5/0x160
<7>[ 47.611019] [<c10787f8>] ? lock_release_holdtime.part.22+0x88/0xf0
<7>[ 47.611026] [<c103ed46>] ? lock_timer_base.isra.35+0x26/0x50
<7>[ 47.611034] [<c17592d3>] ? schedule_timeout+0x133/0x290
<7>[ 47.611044] [<c175b43e>] schedule+0x1e/0x50
<7>[ 47.611051] [<c17592d8>] schedule_timeout+0x138/0x290
<7>[ 47.611057] [<c10624a5>] ? sched_clock_cpu+0xf5/0x160
<7>[ 47.611063] [<c103e560>] ? usleep_range+0x40/0x40
<7>[ 47.611070] [<c1759445>] schedule_timeout_uninterruptible+0x15/0x20
<7>[ 47.611077] [<c14935f4>] ehci_endpoint_disable+0x64/0x160
<7>[ 47.611084] [<c147d1ee>] ? usb_hcd_flush_endpoint+0x10e/0x1d0
<7>[ 47.611092] [<c1165663>] ? sysfs_add_file+0x13/0x20
<7>[ 47.611100] [<c147d5a9>] usb_hcd_disable_endpoint+0x29/0x40
<7>[ 47.611107] [<c147fafc>] usb_disable_endpoint+0x5c/0x80
<7>[ 47.611111] [<c147fb57>] usb_disable_interface+0x37/0x50
<7>[ 47.611116] [<c1477650>] usb_reset_and_verify_device+0x4b0/0x640
<7>[ 47.611122] [<c1474665>] ? hub_port_status+0xb5/0x100
<7>[ 47.611129] [<c147a975>] usb_port_resume+0xd5/0x220
<7>[ 47.611136] [<c148877f>] generic_resume+0xf/0x30
<7>[ 47.611142] [<c14821a3>] usb_resume+0x133/0x180
<7>[ 47.611147] [<c1473b10>] ? usb_dev_thaw+0x10/0x10
<7>[ 47.611152] [<c1473b1d>] usb_dev_resume+0xd/0x10
<7>[ 47.611157] [<c13baa60>] dpm_run_callback+0x40/0xb0
<7>[ 47.611164] [<c13bdb03>] ? pm_runtime_enable+0x43/0x70
<7>[ 47.611171] [<c13bafc6>] device_resume+0x1a6/0x2c0
<7>[ 47.611177] [<c13ba940>] ? dpm_show_time+0xe0/0xe0
<7>[ 47.611183] [<c13bb0f9>] async_resume+0x19/0x40
<7>[ 47.611189] [<c10580c4>] async_run_entry_fn+0x64/0x160
<7>[ 47.611196] [<c104a244>] ? process_one_work+0x104/0x480
<7>[ 47.611203] [<c104a24c>] ? process_one_work+0x10c/0x480
<7>[ 47.611209] [<c104a2c0>] process_one_work+0x180/0x480
<7>[ 47.611215] [<c104a244>] ? process_one_work+0x104/0x480
<7>[ 47.611220] [<c1058060>] ? async_schedule+0x10/0x10
<7>[ 47.611226] [<c104c15c>] worker_thread+0x11c/0x2f0
<7>[ 47.611233] [<c104c040>] ? manage_workers.isra.27+0x1f0/0x1f0
<7>[ 47.611239] [<c10507f8>] kthread+0x78/0x80
<7>[ 47.611244] [<c1750000>] ? timer_cpu_notify+0xd6/0x20d
<7>[ 47.611253] [<c1050780>] ? __init_kthread_worker+0x60/0x60
<7>[ 47.611258] [<c176357e>] kernel_thread_helper+0x6/0xd
<7>[ 47.611283] ------------[ cut here ]------------
This patch changes hub_quiesce behavior to flush the TT clear work
instead of canceling it, to make sure that no TT clear request remains
uncompleted before suspend.
Signed-off-by: Octavian Purdila <octavian.purdila@intel.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d005b0ac883ef8bbd86aff81d48140ef107e50f5
Author: Johan Hovold <jhovold@gmail.com>
Date: Thu Oct 25 10:29:16 2012 +0200
USB: usb-wwan: fix multiple memory leaks in error paths
commit b8f0e82044c9ba40e92340c8a6d47d6bd6d819bc upstream.
Fix port-data memory leak in usb-serial probe error path by moving port
data allocation to port_probe.
Since commit a1028f0abf ("usb: usb_wwan: replace release and disconnect
with a port_remove hook") port data is deallocated in port_remove. This
leaves a possibility for memory leaks if usb-serial probe fails after
attach but before the port in question has been successfully registered.
Note that this patch also fixes two additional memory leaks in the error
path of attach should port initialisation fail for any port as the urbs
were never freed and neither was the data of any of the successfully
initialised ports.
Compile-only tested.
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8eb72a2087ba5959de22bf90b0df18cade29bb41
Author: Michael Shigorin <mike@osdn.org.ua>
Date: Mon Oct 22 12:18:56 2012 +0300
usb-storage: add unusual_devs entry for Casio EX-N1 digital camera
commit d7870af7e2e3a91b462075ec1ca669b482215187 upstream.
This commit sets removable subclass for Casio EX-N1 digital camera.
The patch has been tested within an ALT Linux kernel:
http://git.altlinux.org/people/led/packages/?p=kernel-image-3.0.git;a=commitdiff;h=c0fd891836e89fe0c93a4d536a59216d90e4e3e7
See also https://bugzilla.kernel.org/show_bug.cgi?id=49221
Signed-off-by: Oleksandr Chumachenko <ledest@gmail.com>
Signed-off-by: Michael Shigorin <mike@osdn.org.ua>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7fe28e296934557d1e1f5c91e29d3b93ab1a3dc5
Author: Anisse Astier <anisse@astier.eu>
Date: Tue Oct 9 12:22:37 2012 +0200
ehci: Add yet-another Lucid nohandoff pci quirk
commit 8daf8b6086f9d575200cd0aa3797e26137255609 upstream.
Board name changed on another shipping Lucid tablet.
Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1b1a523d438e5bae152aebaff6fb404cbbb3f97c
Author: Anisse Astier <anisse@astier.eu>
Date: Tue Oct 9 12:22:36 2012 +0200
ehci: fix Lucid nohandoff pci quirk to be more generic with BIOS versions
commit c323dc023b9501e5d09582ec7efd1d40a9001d99 upstream.
BIOS vendors keep changing the BIOS versions. Only match the beginning
of the string to match all Lucid tablets with board name M11JB.
Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2084022fc8385c62e45b1913923384c9ec890192
Author: K. Y. Srinivasan <kys@microsoft.com>
Date: Fri Oct 12 13:22:42 2012 -0700
Drivers: hv: Cleanup error handling in vmbus_open()
commit 1392550240aaa72ce3a094a38bd23525cd67ce60 upstream.
Fix a memory leak in the error handling path in the function vmbus_open().
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Reported-by: Jason Wang <jasowang@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3ed2bcc63a56f5b8983ecfc4de37fa70d7e2e380
Author: Peter Huewe <peterhuewe@gmx.de>
Date: Mon Sep 24 15:36:24 2012 +0900
extcon: unregister compat link on cleanup
commit 824a1bc045cef278aec15bef35d8d0b59ce77856 upstream.
Since extcon registers this compat link at device registration
(extcon_dev_register), we should probably remove them at deregistration/cleanup.
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
commit c5a2edcb66a0f15a5313b52dd68821ec387d8091
Author: Peter Huewe <peterhuewe@gmx.de>
Date: Mon Sep 24 15:32:31 2012 +0900
extcon: Unregister compat class at module unload to fix oops
commit 0dc77b6dabec8fd298392018cc0de5214af2dc43 upstream.
If you compile extcon with CONFIG_ANDROID and then load and unload the
module you get a simple oops as the driver does not unregister its
compat class and thus cannot register it again.
Full trace:
root@(none):~# modprobe extcon_class
root@(none):~# rmmod extcon_class
root@(none):~# modprobe extcon_class
------------[ cut here ]------------
WARNING: at fs/sysfs/dir.c:536 sysfs_add_one+0xde/0x100()
sysfs: cannot create duplicate filename '/class/switch'
Modules linked in: extcon_class(+) [last unloaded: extcon_class]
Call Trace:
9f451a00: [<602a58bc>] printk+0x0/0xa8
9f451a18: [<60039b43>] warn_slowpath_common+0x93/0xd0
9f451a28: [<6012c6de>] sysfs_add_one+0xde/0x100
9f451a50: [<601d3d90>] strcat+0x0/0x40
9f451a68: [<60039cdc>] warn_slowpath_fmt+0x9c/0xa0
9f451a90: [<6002fe32>] unblock_signals+0x0/0x84
9f451ab0: [<60039c40>] warn_slowpath_fmt+0x0/0xa0
9f451ac0: [<6002fe32>] unblock_signals+0x0/0x84
9f451ae8: [<6012bd97>] sysfs_pathname.isra.10+0x57/0x70
9f451b00: [<601d3d90>] strcat+0x0/0x40
9f451b18: [<6012bd97>] sysfs_pathname.isra.10+0x57/0x70
9f451b48: [<6012c6de>] sysfs_add_one+0xde/0x100
9f451b78: [<6012c96f>] create_dir+0x8f/0x100
9f451bc0: [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451bd8: [<6012cda6>] sysfs_create_dir+0xa6/0x1c0
9f451be8: [<601d89f1>] kvasprintf+0x81/0xa0
9f451bf8: [<601cf0f0>] kobject_get+0x0/0x50
9f451c18: [<601cf396>] kobject_add_internal+0x96/0x280
9f451c60: [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451c78: [<601cfb93>] kobject_add+0xd3/0x140
9f451cc0: [<601cfac0>] kobject_add+0x0/0x140
9f451cd0: [<6002fe32>] unblock_signals+0x0/0x84
9f451cf8: [<6002fffc>] set_signals+0x29/0x3f
9f451d28: [<600c1de1>] kmem_cache_alloc+0xe1/0x100
9f451d78: [<601cffa0>] kobject_create_and_add+0x50/0xa0
9f451da8: [<601fbe76>] class_compat_register+0x56/0x80
9f451dc8: [<a085d118>] create_extcon_class+0x88/0xd0 [extcon_class]
9f451de8: [<a0861010>] extcon_class_init+0x10/0x12 [extcon_class]
9f451df8: [<600189a8>] do_one_initcall+0x48/0x1f0
9f451e20: [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e30: [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e58: [<6007e3c3>] sys_init_module+0xa3/0x280
9f451e88: [<6001e2ad>] handle_syscall+0x8d/0x90
9f451ea8: [<60033370>] userspace+0x405/0x531
9f451ee8: [<6001e380>] copy_chunk_to_user+0x0/0x40
9f451ef8: [<6001e5cd>] do_op_one_page+0x14d/0x220
9f451fd8: [<6001a355>] fork_handler+0x95/0xa0
---[ end trace dd512cc03fe1c367 ]---
------------[ cut here ]------------
WARNING: at lib/kobject.c:196 kobject_add_internal+0x26e/0x280()
kobject_add_internal failed for switch with -EEXIST, don't try to
register things with the same name in the same directory.
Modules linked in: extcon_class(+) [last unloaded: extcon_class]
Call Trace:
9f451ad0: [<602a58bc>] printk+0x0/0xa8
9f451ae8: [<60039b43>] warn_slowpath_common+0x93/0xd0
9f451af8: [<601cf56e>] kobject_add_internal+0x26e/0x280
9f451b18: [<601cf140>] kobject_put+0x0/0x70
9f451b20: [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451b38: [<60039cdc>] warn_slowpath_fmt+0x9c/0xa0
9f451b88: [<60039c40>] warn_slowpath_fmt+0x0/0xa0
9f451bc0: [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451bd8: [<6012cda6>] sysfs_create_dir+0xa6/0x1c0
9f451be8: [<601d89f1>] kvasprintf+0x81/0xa0
9f451bf8: [<601cf0f0>] kobject_get+0x0/0x50
9f451c18: [<601cf56e>] kobject_add_internal+0x26e/0x280
9f451c60: [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451c78: [<601cfb93>] kobject_add+0xd3/0x140
9f451cc0: [<601cfac0>] kobject_add+0x0/0x140
9f451cd0: [<6002fe32>] unblock_signals+0x0/0x84
9f451cf8: [<6002fffc>] set_signals+0x29/0x3f
9f451d28: [<600c1de1>] kmem_cache_alloc+0xe1/0x100
9f451d78: [<601cffa0>] kobject_create_and_add+0x50/0xa0
9f451da8: [<601fbe76>] class_compat_register+0x56/0x80
9f451dc8: [<a085d118>] create_extcon_class+0x88/0xd0 [extcon_class]
9f451de8: [<a0861010>] extcon_class_init+0x10/0x12 [extcon_class]
9f451df8: [<600189a8>] do_one_initcall+0x48/0x1f0
9f451e20: [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e30: [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e58: [<6007e3c3>] sys_init_module+0xa3/0x280
9f451e88: [<6001e2ad>] handle_syscall+0x8d/0x90
9f451ea8: [<60033370>] userspace+0x405/0x531
9f451ee8: [<6001e380>] copy_chunk_to_user+0x0/0x40
9f451ef8: [<6001e5cd>] do_op_one_page+0x14d/0x220
9f451fd8: [<6001a355>] fork_handler+0x95/0xa0
---[ end trace dd512cc03fe1c368 ]---
kobject_create_and_add: kobject_add error: -17
------------[ cut here ]------------
WARNING: at drivers/extcon/extcon_class.c:545
create_extcon_class+0xbc/0xd0 [extcon_class]()
cannot allocate
Modules linked in: extcon_class(+) [last unloaded: extcon_class]
Call Trace:
9f451c80: [<602a58bc>] printk+0x0/0xa8
9f451c98: [<60039b43>] warn_slowpath_common+0x93/0xd0
9f451ca0: [<6002fe32>] unblock_signals+0x0/0x84
9f451ca8: [<a085d14c>] create_extcon_class+0xbc/0xd0 [extcon_class]
9f451cd0: [<a0861000>] extcon_class_init+0x0/0x12 [extcon_class]
9f451ce8: [<60039cdc>] warn_slowpath_fmt+0x9c/0xa0
9f451d20: [<6002fe32>] unblock_signals+0x0/0x84
9f451d28: [<60039c40>] warn_slowpath_fmt+0x0/0xa0
9f451d48: [<6002fffc>] set_signals+0x29/0x3f
9f451d58: [<601cf172>] kobject_put+0x32/0x70
9f451d78: [<600c22c3>] kfree+0xb3/0x100
9f451da8: [<601fbe9a>] class_compat_register+0x7a/0x80
9f451dc8: [<a085d14c>] create_extcon_class+0xbc/0xd0 [extcon_class]
9f451de8: [<a0861010>] extcon_class_init+0x10/0x12 [extcon_class]
9f451df8: [<600189a8>] do_one_initcall+0x48/0x1f0
9f451e20: [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e30: [<60061920>] blocking_notifier_call_chain+0x0/0x20
9f451e58: [<6007e3c3>] sys_init_module+0xa3/0x280
9f451e88: [<6001e2ad>] handle_syscall+0x8d/0x90
9f451ea8: [<60033370>] userspace+0x405/0x531
9f451ee8: [<6001e380>] copy_chunk_to_user+0x0/0x40
9f451ef8: [<6001e5cd>] do_op_one_page+0x14d/0x220
9f451fd8: [<6001a355>] fork_handler+0x95/0xa0
---[ end trace dd512cc03fe1c369 ]---
FATAL: Error inserting extcon_class
(/lib/modules/3.6.0-rc6-00178-g811315f/kernel/drivers/extcon/extcon_class.ko):
Cannot allocate memory
This patch fixes this.
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6c04efd97dd25596a1bf80cc1c518fe7e451cc1e
Author: Ian Abbott <abbotti@mev.co.uk>
Date: Wed Oct 3 16:25:18 2012 +0100
staging: comedi: amplc_pc236: fix possible NULL deref during detach
commit 2db012bd40b889d8e5483d3daa07af04c4c109d8 upstream.
`pc236_detach()` is called by the comedi core to clean up if either
`pc236_attach()` or `pc236_attach_pci()` returns an error. It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. This is a valid assumption if `pc236_attach()` fails, but not
if `pc236_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `pc236_detach()` and return early if it
is `NULL`. This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ec7fe3d6e91ff29ee3000e35f13f5eb3df2eca30
Author: Ian Abbott <abbotti@mev.co.uk>
Date: Wed Oct 3 16:25:17 2012 +0100
staging: comedi: amplc_pc236: fix invalid register access during detach
commit aaeb61a97b7159ebe30b18a422d04eeabfa8790b upstream.
`pc236_detach()` is called by the comedi core if it attempted to attach
a device and failed. `pc236_detach()` calls `pc236_intr_disable()` if
the comedi device private data pointer (`devpriv`) is non-null. This
test is insufficient as `pc236_intr_disable()` accesses hardware
registers and the attach routine may have failed before it has saved
their I/O base addresses.
Fix it by checking `dev->iobase` is non-zero before calling
`pc236_intr_disable()` as that means the I/O base addresses have been
saved and the hardware registers can be accessed. It also implies the
comedi device private data pointer is valid, so there is no need to
check it.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3792dd12ee4419bc276cd321c8f74506a37aa93d
Author: Ian Abbott <abbotti@mev.co.uk>
Date: Wed Oct 3 16:25:19 2012 +0100
staging: comedi: amplc_pc263: fix possible NULL deref during detach
commit 1d1171ffda585c1cab7bd7cf4bd8f8fd5923fb4a upstream.
`pc263_detach()` is called by the comedi core to clean up if either
`pc263_attach()` or `pc263_attach_pci()` returns an error. It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. This is a valid assumption if `pc263_attach()` fails, but not
if `pc263_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `pc263_detach()` and return early if it
is `NULL`. This is okay because no other resources need cleaning up in
this case.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6f9445326d4a262a863cc634fd377c5ca562e17d
Author: Ian Abbott <abbotti@mev.co.uk>
Date: Wed Oct 3 16:25:16 2012 +0100
staging: comedi: amplc_dio200: fix possible NULL deref during detach
commit dfb2540e91e1f63765bc3ff497ad0b714d774261 upstream.
`dio200_detach()` is called by the comedi core to clean up if either
`dio200_attach()` or `dio200_attach_pci()` return an error. It assigns
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. In the case of a previous call to `dio200_attach()` it won't
be `NULL` because the comedi core will have pointed it to one of the
elements of `dio200_boards[]`, but in the case of a previous call to
`dio200_attach_pci()` it could be `NULL`, leading to a null pointer
dereference.
Check that `thisboard` is valid at the top of `dio200_detach()` and
return early if it is `NULL`. This is okay because the only other thing
that could have been allocated is `dev->private` and that is freed by
the comedi core, not by this function.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9f275003e609824e738b22caef0020d5c4a4def5
Author: Ian Abbott <abbotti@mev.co.uk>
Date: Wed Oct 3 16:25:21 2012 +0100
staging: comedi: ni_labpc: fix possible NULL deref during detach
commit 922b67c1ac53014d80649a961a2fde700cd065d8 upstream.
`labpc_common_detach()` is called by the comedi core to clean up if
either `labpc_attach()` (including the one in the "ni_labpc_cs" module)
or `labpc_attach_pci()` returns an error. It assumes the `thisboard`
macro (expanding to `((struct labpc_board_struct *)dev->board_ptr)`) is
non-null. This is a valid assumption if `labpc_attach()` fails, but not
if `labpc_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `labpc_common_detach()` and return early
if it is `NULL`. This is okay because the only other thing that could
have been allocated is `dev->private` and that is freed by the comedi
core, not by this function.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8098a2e23e88e979566c78e68aec11fa21808df0
Author: Fred Brooks <nsaspook@nsaspook.com>
Date: Tue Oct 2 11:10:26 2012 +0100
staging: comedi: ni_daq_700: fix dio subdevice regression
commit 6681e63399926651cc29bcb9d92229b6f1cf1daa upstream.
Here is a small patch to fix a problem caused by a previous patch that
removed the callback function. The callback remove patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1de02225358988e8fd48d1dc3fd12336bbae258a
I finally booted my dev machine on the latest kernel (running Debian
here so it's still on 3.2 normally) to test the ni_daq_700 driver with
my test program and noticed this bug.
Shift the DIO_R read result to bits 8..15 Digital direction
configuration: channels 0-7 output, 8-15 input (8225 device emu as port
A output, port B input, port C N/A).
Signed-off-by: Fred Brooks <nsaspook@nsaspook.com>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d136f0fd47d9953139381c8af74976de86eeb224
Author: Ian Abbott <abbotti@mev.co.uk>
Date: Wed Oct 3 16:25:20 2012 +0100
staging: comedi: das08: fix possible NULL deref during detach
commit ee280d134f2e05e0172369a53fbe202dbfc527fa upstream.
`das08_detach()` is called by the comedi core to clean up if either
`das08_attach()` or `das08_attach_pci()` returns an error. It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null. This is a valid assumption if `das08_attach()` fails, but not
if `das08_attach_pci()` fails, leading to a possible NULL pointer
dereference.
Check `thisboard` at the top of `das08_detach()` and return early if it
is `NULL`. This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 88d5e653e2282bda43459dd577f3841f6ef140bf
Author: Nitin Gupta <ngupta@vflare.org>
Date: Wed Oct 10 17:42:18 2012 -0700
staging: zram: Fix handling of incompressible pages
commit c8f2f0db1d0294aaf37e8a85bea9bbc4aaf5c0fe upstream.
Change 130f315a (staging: zram: remove special handle of uncompressed page)
introduced a bug in the handling of incompressible pages which resulted in
memory allocation failure for such pages.
When a page expands on compression, say from 4K to 4K+30, we were trying to
do zsmalloc(pool, 4K+30). However, the maximum size which zsmalloc can
allocate is PAGE_SIZE (for obvious reasons), so such allocation requests
always return failure (0).
For a page that has compressed size larger than the original size (this may
happen with already compressed or random data), there is no point storing
the compressed version as that would take more space and would also require
time for decompression when needed again. So, the fix is to store any page,
whose compressed size exceeds a threshold (max_zpage_size), as-it-is i.e.
without compression. Memory required for storing this uncompressed page can
then be requested from zsmalloc which supports PAGE_SIZE sized allocations.
Lastly, the fix checks that we do not attempt to "decompress" the page which
we stored in the uncompressed form -- we just memcpy() out such pages.
Signed-off-by: Nitin Gupta <ngupta@vflare.org>
Reported-by: viechweg@gmail.com
Reported-by: paerley@gmail.com
Reported-by: wu.tommy@gmail.com
Acked-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e4c52c43352370daf54ba0cbe9476f593d89b0de
Author: Arve Hjønnevåg <arve@android.com>
Date: Tue Oct 16 15:29:55 2012 -0700
Staging: android: binder: Allow using highmem for binder buffers
commit 585650dcec88e704a19bb226a34b6a7166111623 upstream.
The default kernel mapping for the pages allocated for the binder
buffers is never used. Set the __GFP_HIGHMEM flag when allocating
these pages so we don't needlessly use low memory pages that may
be required elsewhere.
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ab261cc53424005d6d079320c4f73344c0a1750d
Author: Arve Hjønnevåg <arve@android.com>
Date: Tue Oct 16 15:29:54 2012 -0700
Staging: android: binder: Fix memory leak on thread/process exit
commit 675d66b0ed5fd170d6a44cf8dbb3fa56a5347bdb upstream.
If a thread or process exited while a reply, one-way transaction or
death notification was pending, the struct holding the pending work
was leaked.
Signed-off-by: Arve Hjønnevåg <arve@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7886abd88bc7c4c145a2260844795604d569596b
Author: Geert Uytterhoeven <geert@linux-m68k.org>
Date: Sat Sep 29 22:23:19 2012 +0200
sysfs: sysfs_pathname/sysfs_add_one: Use strlcat() instead of strcat()
commit 66081a72517a131430dcf986775f3268aafcb546 upstream.
The warning check for duplicate sysfs entries can cause a buffer overflow
when printing the warning, as strcat() doesn't check buffer sizes.
Use strlcat() instead.
Since strlcat() doesn't return a pointer to the passed buffer, unlike
strcat(), I had to convert the nested concatenation in sysfs_add_one() to
an admittedly more obscure comma operator construct, to avoid emitting code
for the concatenation if CONFIG_BUG is disabled.
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 11c5035c9cfb7af7cfedd42e236d52f9c6bd1c49
Author: Oliver Neukum <oliver@neukum.org>
Date: Wed Oct 17 12:17:50 2012 +0200
xhci: endianness xhci_calculate_intel_u2_timeout
commit 966e7a854177097083683176ced871558b631a12 upstream.
An le16 is accessed without conversion.
This patch should be backported to kernels as old as 3.5, that contain
the commit e3567d2c15a7a8e2f992a5f7c7683453ca406d82 "xhci: Add Intel
U1/U2 timeout policy."
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 15e01c0ef27c323ac1a97ba50b3021eab33a96c9
Author: Oliver Neukum <oliver@neukum.org>
Date: Wed Oct 17 10:16:16 2012 +0200
xhci: fix integer overflow
commit 16b45fdf9c4e82f5d3bc53aa70737650e7c8d5ed upstream.
xhci_service_interval_to_ns() returns long long
to avoid an overflow. However, the type cast happens
too late. The fix is to force ULL from the beginning.
This patch should be backported to kernels as old as 3.5, that contain
the commit e3567d2c15a7a8e2f992a5f7c7683453ca406d82 "xhci: Add Intel
U1/U2 timeout policy."
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 288a8f85227007e326758197a3ad7cd56d66e3e3
Author: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Date: Tue Oct 16 13:17:43 2012 -0700
xhci: Fix potential NULL ptr deref in command cancellation.
commit 43a09f7fb01fa1e091416a2aa49b6c666458c1ee upstream.
The command cancellation code doesn't check whether find_trb_seg()
couldn't find the segment that contains the TRB to be canceled. This
could cause a NULL pointer deference later in the function when next_trb
is called. It's unlikely to happen unless something is wrong with the
command ring pointers, so add some debugging in case it happens.
This patch should be backported to stable kernels as old as 3.0, that
contain the commit b63f4053cc8aa22a98e3f9a97845afe6c15d0a0d "xHCI:
handle command after aborting the command ring".
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cb499284d1cf7de50b85fcfb3248bae2db090d14
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date: Wed Oct 24 08:53:35 2012 -0400
LOCKD: Clear ln->nsm_clnt only when ln->nsm_users is zero
commit e498daa81295d02f7359af313c2b7f87e1062207 upstream.
The current code is clearing it in all cases _except_ when zero.
Reported-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit eeaeb30f888f0872c029b441a69d67f43e712c80
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date: Tue Oct 23 17:50:07 2012 -0400
SUNRPC: Prevent races in xs_abort_connection()
commit 4bc1e68ed6a8b59be8a79eb719be515a55c7bc68 upstream.
The call to xprt_disconnect_done() that is triggered by a successful
connection reset will trigger another automatic wakeup of all tasks
on the xprt->pending rpc_wait_queue. In particular it will cause an
early wake up of the task that called xprt_connect().
All we really want to do here is clear all the socket-specific state
flags, so we split that functionality out of xs_sock_mark_closed()
into a helper that can be called by xs_abort_connection()
Reported-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Tested-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cafefcb3f8be77ef156b4b3bd52a5374b3533679
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date: Tue Oct 23 13:51:58 2012 -0400
LOCKD: fix races in nsm_client_get
commit a4ee8d978e47e79d536226dccb48991f70091168 upstream.
Commit e9406db20fecbfcab646bad157b4cfdc7cadddfb (lockd: per-net
NSM client creation and destruction helpers introduced) contains
a nasty race on initialisation of the per-net NSM client because
it doesn't check whether or not the client is set after grabbing
the nsm_create_mutex.
Reported-by: Nix <nix@esperi.org.uk>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2edc5969320d6e7f13d6d74e9bd3d8c0b8ec3684
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date: Tue Oct 23 11:40:02 2012 -0400
Revert "SUNRPC: Ensure we close the socket on EPIPE errors too..."
commit b9d2bb2ee537424a7f855e1f93eed44eb9ee0854 upstream.
This reverts commit 55420c24a0d4d1fce70ca713f84aa00b6b74a70e.
Now that we clear the connected flag when entering TCP_CLOSE_WAIT,
the deadlock described in this commit is no longer possible.
Instead, the resulting call to xs_tcp_shutdown() can interfere
with pending reconnection attempts.
Reported-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Tested-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a340197a85e4a27b3f974ffb6ab0308cc3f2edbc
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date: Tue Oct 23 11:35:47 2012 -0400
SUNRPC: Clear the connect flag when socket state is TCP_CLOSE_WAIT
commit d0bea455dd48da1ecbd04fedf00eb89437455fdc upstream.
This is needed to ensure that we call xprt_connect() upon the next
call to call_connect().
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Tested-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 27d32c280df4953e2a28f8c8ff2d9491effa3a4c
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date: Mon Oct 22 17:14:36 2012 -0400
SUNRPC: Get rid of the xs_error_report socket callback
commit f878b657ce8e7d3673afe48110ec208a29e38c4a upstream.
Chris Perl reports that we're seeing races between the wakeup call in
xs_error_report and the connect attempts. Basically, Chris has shown
that in certain circumstances, the call to xs_error_report causes the
rpc_task that is responsible for reconnecting to wake up early, thus
triggering a disconnect and retry.
Since the sk->sk_error_report() calls in the socket layer are always
followed by a tcp_done() in the cases where we care about waking up
the rpc_tasks, just let the state_change callbacks take responsibility
for those wake ups.
Reported-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Tested-by: Chris Perl <chris.perl@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b2cbf7d3826c2dc36ce2c0332befb2dd281960ea
Author: Jan Kara <jack@suse.cz>
Date: Thu Oct 25 13:37:31 2012 -0700
mm: fix XFS oops due to dirty pages without buffers on s390
commit ef5d437f71afdf4afdbab99213add99f4b1318fd upstream.
On s390 any write to a page (even from kernel itself) sets architecture
specific page dirty bit. Thus when a page is written to via buffered
write, HW dirty bit gets set and when we later map and unmap the page,
page_remove_rmap() finds the dirty bit and calls set_page_dirty().
Dirtying of a page which shouldn't be dirty can cause all sorts of
problems to filesystems. The bug we observed in practice is that
buffers from the page get freed, so when the page gets later marked as
dirty and writeback writes it, XFS crashes due to an assertion
BUG_ON(!PagePrivate(page)) in page_buffers() called from
xfs_count_page_state().
Similar problem can also happen when zero_user_segment() call from
xfs_vm_writepage() (or block_write_full_page() for that matter) set the
hardware dirty bit during writeback, later buffers get freed, and then
page unmapped.
Fix the issue by ignoring s390 HW dirty bit for page cache pages of
mappings with mapping_cap_account_dirty(). This is safe because for
such mappings when a page gets marked as writeable in PTE it is also
marked dirty in do_wp_page() or do_page_fault(). When the dirty bit is
cleared by clear_page_dirty_for_io(), the page gets writeprotected in
page_mkclean(). So pagecache page is writeable if and only if it is
dirty.
Thanks to Hugh Dickins for pointing out mapping has to have
mapping_cap_account_dirty() for things to work and proposing a cleaned
up variant of the patch.
The patch has survived about two hours of running fsx-linux on tmpfs
while heavily swapping and several days of running on out build machines
where the original problem was triggered.
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Hugh Dickins <hughd@google.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 40555316c4423bb20d98c747d32aea5503c463a2
Author: Yinghai Lu <yinghai@kernel.org>
Date: Mon Oct 22 16:35:18 2012 -0700
x86, mm: Trim memory in memblock to be page aligned
commit 6ede1fd3cb404c0016de6ac529df46d561bd558b upstream.
We will not map partial pages, so need to make sure memblock
allocation will not allocate those bytes out.
Also we will use for_each_mem_pfn_range() to loop to map memory
range to keep them consistent.
Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Link: http://lkml.kernel.org/r/CAE9FiQVZirvaBMFYRfXMmWEcHbKSicQEHz4VAwUv0xFCk51ZNw@mail.gmail.com
Acked-by: Jacob Shin <jacob.shin@amd.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8a9ff86ca1afa2381646774e4c5f10fb10996378
Author: Dave Young <dyoung@redhat.com>
Date: Thu Oct 18 14:33:23 2012 +0800
Revert "x86/mm: Fix the size calculation of mapping tables"
commit 7b16bbf97375d9fb7fc107b3f80afeb94a204e44 upstream.
Commit:
722bc6b16771 x86/mm: Fix the size calculation of mapping tables
Tried to address the issue that the first 2/4M should use 4k pages
if PSE enabled, but extra counts should only be valid for x86_32.
This commit caused a kdump regression: the kdump kernel hangs.
Work is in progress to fundamentally fix the various page table
initialization issues that we have, via the design suggested
by H. Peter Anvin, but it's not ready yet to be merged.
So, to get a working kdump revert to the last known working version,
which is the revert of this commit and of a followup fix (which was
incomplete):
bd2753b2dda7 x86/mm: Only add extra pages count for the first memory range during pre-allocation
Tested kdump on physical and virtual machines.
Signed-off-by: Dave Young <dyoung@redhat.com>
Acked-by: Yinghai Lu <yinghai@kernel.org>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Flavio Leitner <fbl@redhat.com>
Tested-by: Flavio Leitner <fbl@redhat.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Flavio Leitner <fbl@redhat.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: ianfang.cn@gmail.com
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e7ecfa878b2a49dbe28349d9529ee52777f86225
Author: Jan Beulich <JBeulich@suse.com>
Date: Thu Oct 4 14:48:10 2012 +0100
x86-64: Fix page table accounting
commit 876ee61aadf01aa0db981b5d249cbdd53dc28b5e upstream.
Commit 20167d3421a089a1bf1bd680b150dc69c9506810 ("x86-64: Fix
accounting in kernel_physical_mapping_init()") went a little too
far by entirely removing the counting of pre-populated page
tables: this should be done at boot time (to cover the page
tables set up in early boot code), but shouldn't be done during
memory hot add.
Hence, re-add the removed increments of "pages", but make them
and the one in phys_pte_init() conditional upon !after_bootmem.
Reported-Acked-and-Tested-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Link: http://lkml.kernel.org/r/506DAFBA020000780009FA8C@nat28.tlf.novell.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cd88996ecbb6f66edd1dbcd15c1219f3291a3733
Author: Will Deacon <will.deacon@arm.com>
Date: Fri Oct 19 17:53:01 2012 +0100
ARM: 7559/1: smp: switch away from the idmap before updating init_mm.mm_count
commit 5f40b909728ad784eb43aa309d3c4e9bdf050781 upstream.
When booting a secondary CPU, the primary CPU hands two sets of page
tables via the secondary_data struct:
(1) swapper_pg_dir: a normal, cacheable, shared (if SMP) mapping
of the kernel image (i.e. the tables used by init_mm).
(2) idmap_pgd: an uncached mapping of the .idmap.text ELF
section.
The idmap is generally used when enabling and disabling the MMU, which
includes early CPU boot. In this case, the secondary CPU switches to
swapper as soon as it enters C code:
struct mm_struct *mm = &init_mm;
unsigned int cpu = smp_processor_id();
/*
* All kernel threads share the same mm context; grab a
* reference and switch to it.
*/
atomic_inc(&mm->mm_count);
current->active_mm = mm;
cpumask_set_cpu(cpu, mm_cpumask(mm));
cpu_switch_mm(mm->pgd, mm);
This causes a problem on ARMv7, where the identity mapping is treated as
strongly-ordered leading to architecturally UNPREDICTABLE behaviour of
exclusive accesses, such as those used by atomic_inc.
This patch re-orders the secondary_start_kernel function so that we
switch to swapper before performing any exclusive accesses.
Reported-by: Gilles Chanteperdrix <gilles.chanteperdrix@xenomai.org>
Cc: David McKay <david.mckay@st.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e5982ed6b4de838a30c6dfaa255ffdcc8c5584f2
Author: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Date: Thu Oct 25 13:37:51 2012 -0700
genalloc: stop crashing the system when destroying a pool
commit eedce141cd2dad8d0cefc5468ef41898949a7031 upstream.
The genalloc code uses the bitmap API from include/linux/bitmap.h and
lib/bitmap.c, which is based on long values. Both bitmap_set from
lib/bitmap.c and bitmap_set_ll, which is the lockless version from
genalloc.c, use BITMAP_LAST_WORD_MASK to set the first bits in a long in
the bitmap.
That one uses (1 << bits) - 1, 0b111, if you are setting the first three
bits. This means that the API counts from the least significant bits
(LSB from now on) to the MSB. The LSB in the first long is bit 0, then.
The same works for the lookup functions.
The genalloc code uses longs for the bitmap, as it should. In
include/linux/genalloc.h, struct gen_pool_chunk has unsigned long
bits[0] as its last member. When allocating the struct, genalloc should
reserve enough space for the bitmap. This should be a proper number of
longs that can fit the amount of bits in the bitmap.
However, genalloc allocates an integer number of bytes that fit the
amount of bits, but may not be an integer amount of longs. 9 bytes, for
example, could be allocated for 70 bits.
This is a problem in itself if the Least Significat Bit in a long is in
the byte with the largest address, which happens in Big Endian machines.
This means genalloc is not allocating the byte in which it will try to
set or check for a bit.
This may end up in memory corruption, where genalloc will try to set the
bits it has not allocated. In fact, genalloc may not set these bits
because it may find them already set, because they were not zeroed since
they were not allocated. And that's what causes a BUG when
gen_pool_destroy is called and check for any set bits.
What really happens is that genalloc uses kmalloc_node with __GFP_ZERO
on gen_pool_add_virt. With SLAB and SLUB, this means the whole slab
will be cleared, not only the requested bytes. Since struct
gen_pool_chunk has a size that is a multiple of 8, and slab sizes are
multiples of 8, we get lucky and allocate and clear the right amount of
bytes.
Hower, this is not the case with SLOB or with older code that did memset
after allocating instead of using __GFP_ZERO.
So, a simple module as this (running 3.6.0), will cause a crash when
rmmod'ed.
[root@phantom-lp2 foo]# cat foo.c
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/genalloc.h>
MODULE_LICENSE("GPL");
MODULE_VERSION("0.1");
static struct gen_pool *foo_pool;
static __init int foo_init(void)
{
int ret;
foo_pool = gen_pool_create(10, -1);
if (!foo_pool)
return -ENOMEM;
ret = gen_pool_add(foo_pool, 0xa0000000, 32 << 10, -1);
if (ret) {
gen_pool_destroy(foo_pool);
return ret;
}
return 0;
}
static __exit void foo_exit(void)
{
gen_pool_destroy(foo_pool);
}
module_init(foo_init);
module_exit(foo_exit);
[root@phantom-lp2 foo]# zcat /proc/config.gz | grep SLOB
CONFIG_SLOB=y
[root@phantom-lp2 foo]# insmod ./foo.ko
[root@phantom-lp2 foo]# rmmod foo
------------[ cut here ]------------
kernel BUG at lib/genalloc.c:243!
cpu 0x4: Vector: 700 (Program Check) at [c0000000bb0e7960]
pc: c0000000003cb50c: .gen_pool_destroy+0xac/0x110
lr: c0000000003cb4fc: .gen_pool_destroy+0x9c/0x110
sp: c0000000bb0e7be0
msr: 8000000000029032
current = 0xc0000000bb0e0000
paca = 0xc000000006d30e00 softe: 0 irq_happened: 0x01
pid = 13044, comm = rmmod
kernel BUG at lib/genalloc.c:243!
[c0000000bb0e7ca0] d000000004b00020 .foo_exit+0x20/0x38 [foo]
[c0000000bb0e7d20] c0000000000dff98 .SyS_delete_module+0x1a8/0x290
[c0000000bb0e7e30] c0000000000097d4 syscall_exit+0x0/0x94
--- Exception: c00 (System Call) at 000000800753d1a0
SP (fffd0b0e640) is in userspace
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
Cc: Benjamin Gaignard <benjamin.gaignard@stericsson.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 36fe350e99a78d973a2a82b6b7dbc01f52044790
Author: Jan Luebbe <jlu@pengutronix.de>
Date: Thu Oct 25 13:38:11 2012 -0700
drivers/rtc/rtc-imxdi.c: add missing spin lock initialization
commit fee0de7791f967c2c5f0d43eb7b7261761b45e64 upstream.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: Roland Stigge <stigge@antcom.de>
Cc: Grant Likely <grant.likely@secretlab.ca>
Tested-by: Roland Stigge <stigge@antcom.de>
Cc: Sascha Hauer <kernel@pengutronix.de>
Cc: Russell King <linux@arm.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8f86e6317334a1e220b1e4b77979a0fb7149f811
Author: Kees Cook <keescook@chromium.org>
Date: Thu Oct 25 13:38:16 2012 -0700
fs/compat_ioctl.c: VIDEO_SET_SPU_PALETTE missing error check
commit 12176503366885edd542389eed3aaf94be163fdb upstream.
The compat ioctl for VIDEO_SET_SPU_PALETTE was missing an error check
while converting ioctl arguments. This could lead to leaking kernel
stack contents into userspace.
Patch extracted from existing fix in grsecurity.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: David Miller <davem@davemloft.net>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: PaX Team <pageexec@freemail.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 73e75b4b4bd0ff7d2911165e9119306b95282c21
Author: Kees Cook <keescook@chromium.org>
Date: Thu Oct 25 13:38:14 2012 -0700
gen_init_cpio: avoid stack overflow when expanding
commit 20f1de659b77364d55d4e7fad2ef657e7730323f upstream.
Fix possible overflow of the buffer used for expanding environment
variables when building file list.
In the extremely unlikely case of an attacker having control over the
environment variables visible to gen_init_cpio, control over the
contents of the file gen_init_cpio parses, and gen_init_cpio was built
without compiler hardening, the attacker can gain arbitrary execution
control via a stack buffer overflow.
$ cat usr/crash.list
file foo ${BIG}${BIG}${BIG}${BIG}${BIG}${BIG} 0755 0 0
$ BIG=$(perl -e 'print "A" x 4096;') ./usr/gen_init_cpio usr/crash.list
*** buffer overflow detected ***: ./usr/gen_init_cpio terminated
This also replaces the space-indenting with tabs.
Patch based on existing fix extracted from grsecurity.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: PaX Team <pageexec@freemail.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f625bfd3fb3768dd116303e87799c40f1a4cd92e
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Fri Oct 26 10:05:07 2012 -0700
VFS: don't do protected {sym,hard}links by default
commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415 upstream.
In commit 800179c9b8a1 ("This adds symlink and hardlink restrictions to
the Linux VFS"), the new link protections were enabled by default, in
the hope that no actual application would care, despite it being
technically against legacy UNIX (and documented POSIX) behavior.
However, it does turn out to break some applications. It's rare, and
it's unfortunate, but it's unacceptable to break existing systems, so
we'll have to default to legacy behavior.
In particular, it has broken the way AFD distributes files, see
http://www.dwd.de/AFD/
along with some legacy scripts.
Distributions can end up setting this at initrd time or in system
scripts: if you have security problems due to link attacks during your
early boot sequence, you have bigger problems than some kernel sysctl
setting. Do:
echo 1 > /proc/sys/fs/protected_symlinks
echo 1 > /proc/sys/fs/protected_hardlinks
to re-enable the link protections.
Alternatively, we may at some point introduce a kernel config option
that sets these kinds of "more secure but not traditional" behavioural
options automatically.
Reported-by: Nick Bowler <nbowler@elliptictech.com>
Reported-by: Holger Kiehl <Holger.Kiehl@dwd.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 64d03fc009db65b2308c7e6319c58454f499632a
Author: Takashi Iwai <tiwai@suse.de>
Date: Sat Oct 20 10:55:21 2012 +0200
ALSA: hda - Fix silent headphone output from Toshiba P200
commit cb766404e6b8c566569eb9ada02ea45d28729864 upstream.
By some reason, Toshiba laptop doesn't like the EAPD turned up for the
headphone pin. Add a fix up code to force to turn down EAPD for NID
0x15.
Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=569991
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 92b0d35d9926aa5e17540928b18cc7a997ab78cc
Author: Stefán Freyr <stefan.freyr@gmail.com>
Date: Fri Oct 19 22:46:00 2012 +0200
ALSA: hda - add dock support for Thinkpad T430
commit 84f98fdf7865fbd35b312eb39ea91e5618c514c7 upstream.
I have a Lenovo ThinkPad T430 and an UltraBase Series 3 docking
station.
Without this patch, if I plug my headphones into the jack on the
computer, everything works fine. The computer speakers mute and the
audio is played in the headphones. However, if I plug into the docking
station headphone jack the computer speakers are muted but there is no
audio in the headphones.
Addresses https://bugs.launchpad.net/bugs/1060372
Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7eff2fdcdb9c78d8d2c9e27b223d67b4a9da3a5a
Author: Alex Deucher <alexander.deucher@amd.com>
Date: Fri Oct 19 13:27:04 2012 -0400
drm/radeon: add error output if VM CS fails on cayman
commit c71721324c612f7f040657ce9917d87f530f9784 upstream.
So we know why the CS was rejected.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1aafcaec30b2b4cfcab0472692426f46ab104ef9
Author: Alex Deucher <alexander.deucher@amd.com>
Date: Tue Oct 16 12:51:45 2012 -0400
drm/radeon: add some new SI PCI ids
commit b6aa22db7857ab7ed042d6c56b800bfc727cfdff upstream.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>