5 years agoMerge branch 'SLE11-SP2_EMBARGO' into SLE11-SP2
Bruce Rogers [Mon, 18 Mar 2013 16:34:16 +0000 (10:34 -0600)]
Merge branch 'SLE11-SP2_EMBARGO' into SLE11-SP2

suse-commit: 59d56d288e06dc734357a83b11dcdebbe25e83d2

5 years ago- patches.fixes/xfs-Fix-WARN_ON-delalloc-in-xfs_vm_releasepage.patch:
Jan Kara [Mon, 18 Mar 2013 16:21:58 +0000 (17:21 +0100)]
- patches.fixes/xfs-Fix-WARN_ON-delalloc-in-xfs_vm_releasepage.patch:
  xfs: Fix WARN_ON(delalloc) in xfs_vm_releasepage() (bnc#806631).

suse-commit: cf98fc672d5789dfd16546ee753e9a3dc2d17ea8

5 years ago- patches.drivers/alsa-sp2-hda-033-Support-mute-LED-on-HP-AiO-buttons:
Takashi Iwai [Mon, 18 Mar 2013 13:22:01 +0000 (14:22 +0100)]
- patches.drivers/alsa-sp2-hda-033-Support-mute-LED-on-HP-AiO-buttons:
  Refresh tags.

suse-commit: fc3a14f907c4457aff49a03098c3e859f7925a86

5 years ago- patches.fixes/block-use-i_size_write-in-bd_set_size: block:
Jeff Mahoney [Sun, 17 Mar 2013 13:51:26 +0000 (09:51 -0400)]
- patches.fixes/block-use-i_size_write-in-bd_set_size: block:
  use i_size_write() in bd_set_size() (bnc#809748).
- patches.fixes/loopdev-fix-a-deadlock: loopdev: fix a deadlock

suse-commit: ca0ac66a8a9f2765bddd53087478d822f198ce08

5 years ago- patches.drivers/alsa-sp2-hda-033-Support-mute-LED-on-HP-AiO-buttons:
Takashi Iwai [Fri, 15 Mar 2013 17:17:24 +0000 (18:17 +0100)]
- patches.drivers/alsa-sp2-hda-033-Support-mute-LED-on-HP-AiO-buttons:
  ALSA: hda - Support mute LED on HP AiO buttons (bnc#808991).

suse-commit: 643d727c55bf32e8d4aa33f13c5f27707523d9d3

5 years ago- patches.suse/supported-flag: fix mis-reported supported status (bnc#809493).
Jeff Mahoney [Fri, 15 Mar 2013 12:11:15 +0000 (08:11 -0400)]
- patches.suse/supported-flag: fix mis-reported supported status (bnc#809493).
- patches.suse/supported-flag-enterprise: Refresh.

suse-commit: bb4f65dea09d23553bf931f531f10da29832120a

5 years ago- patches.fixes/TTY-do-not-update-atime-mtime-on-read-write.patch:
Jiri Slaby [Fri, 15 Mar 2013 08:23:48 +0000 (09:23 +0100)]
- patches.fixes/TTY-do-not-update-atime-mtime-on-read-write.patch:
- patches.fixes/kvm-invalid-opcode-oops-on-SET_SREGS-with-OSXSAVE-bi.patch:
- patches.fixes/nfs-bitmap-size.fix: Refresh.

  Update upstream tags.

suse-commit: b4b8ffe006382c4d4658c83b93f7413ae97af1b3

5 years ago- patches.arch/kvm-convert-msr_kvm_system_time-to-use-gfn_to_hva_cache_init.patch:
Bruce Rogers [Thu, 14 Mar 2013 19:56:25 +0000 (13:56 -0600)]
- patches.arch/kvm-convert-msr_kvm_system_time-to-use-gfn_to_hva_cache_init.patch:
  KVM: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache_init
  (bnc#806980 CVE-2013-1797).
- patches.arch/kvm-fix-bounds-checking-in-ioapic-indirect-register-read.patch:
  KVM: Fix bounds checking in ioapic indirect register read
  (bnc#806980 CVE-2013-1798).
- patches.arch/kvm-fix-for-buffer-overflow-in-handling-of-msr_kvm_system_time.patch:
  KVM: Fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME
  (bnc#806980 CVE-2013-1796).
- patches.arch/kvm-introduce-kvm_read_guest_cached.patch: KVM:
  introduce kvm_read_guest_cached (bnc#806980).

suse-commit: b1445b742fc34efeb7b5c20203511318fd044899

5 years ago- patches.fixes/x86-numa-Add-constraints-check-for-nid-parameters.patch:
Mel Gorman [Thu, 14 Mar 2013 15:50:43 +0000 (15:50 +0000)]
- patches.fixes/x86-numa-Add-constraints-check-for-nid-parameters.patch:
  x86/numa: Add constraints check for nid parameters
  (Cope with negative SRAT distances (bnc#807853)).

suse-commit: 32623b6179f8d7ce6162d42ba2d2e85ae5c68fe8

5 years ago- patches.drivers/0001-cdc-wdm-fix-buffer-overflow.patch: Refresh.
Oliver Neukum [Thu, 14 Mar 2013 13:48:00 +0000 (14:48 +0100)]
- patches.drivers/0001-cdc-wdm-fix-buffer-overflow.patch: Refresh.
  Correct Git-Commit

suse-commit: fd835e1ab18c2579dcb99d61d6f09cf475ae5a39

5 years agoAdded CVE reference to patches.fixes/ext3-Fix-format-string-issues.patch
Jan Kara [Thu, 14 Mar 2013 10:43:29 +0000 (11:43 +0100)]
Added CVE reference to patches.fixes/ext3-Fix-format-string-issues.patch

suse-commit: 5eed66da8d1bbd5e1531efd17f92e4872104f235

5 years ago- patches.drivers/drm-i915-Periodically-sanity-check-power-management:
Takashi Iwai [Thu, 14 Mar 2013 07:50:02 +0000 (08:50 +0100)]
- patches.drivers/drm-i915-Periodically-sanity-check-power-management:
  drm/i915: Periodically sanity check power management
- patches.drivers/drm-i915-bounds-check-execbuffer-relocation-count:
  drm/i915: bounds check execbuffer relocation count

suse-commit: 8aa36b1788e0c7b27ab238b8b101a5fb905757a8

5 years ago- series.conf: disabled patches.arch/s390-64-03-kernel-inc-phys-mem.patch
John Jolly [Thu, 14 Mar 2013 06:50:22 +0000 (07:50 +0100)]
- series.conf: disabled patches.arch/s390-64-03-kernel-inc-phys-mem.patch
  due to excessive kabi break. (bnc#801720)

suse-commit: 3bf6ee5517cb928ee21b5cd4e55596ad758cda3a

5 years ago- patches.fixes/x86-64-Fix-memset-to-support-sizes-of-4Gb-and-above.patch:
Mel Gorman [Wed, 13 Mar 2013 14:22:54 +0000 (14:22 +0000)]
- patches.fixes/x86-64-Fix-memset-to-support-sizes-of-4Gb-and-above.patch:
  x86-64: Fix memset() to support sizes of 4Gb and above
  (Properly initialise memmap on large machines (bnc#802353)).

suse-commit: b36c083c4bed63dcc1c8a3ecaaa3f53e71d0eda7

5 years agoMerge branch 'SLE11-SP2' of ssh:// into SLE11-SP2
Jan Kara [Wed, 13 Mar 2013 14:32:46 +0000 (15:32 +0100)]
Merge branch 'SLE11-SP2' of ssh:// into SLE11-SP2

suse-commit: e445738b0a82884e0679083983bae7fdd3f20bda

5 years ago- patches.fixes/ext3-Fix-format-string-issues.patch: ext3:
Jan Kara [Wed, 13 Mar 2013 14:32:20 +0000 (15:32 +0100)]
- patches.fixes/ext3-Fix-format-string-issues.patch: ext3:
  Fix format string issues (bnc#809155).

suse-commit: e568e5cf0a444cead90af469045e3c9802226420

5 years ago- patches.drivers/DRM-i915-On-G45-enable-cursor-plane-briefly-after-enabling-the...
Egbert Eich [Tue, 5 Mar 2013 07:03:19 +0000 (02:03 -0500)]
- patches.drivers/DRM-i915-On-G45-enable-cursor-plane-briefly-after-enabling-the-display-plane.patch:
  DRM/i915: On G45 enable cursor plane briefly after enabling
  the display plane (bnc #753371) [backported from drm-intel-fixes].

suse-commit: c621eab77752a0f8d328110ea35a8506da86b035

5 years ago- patches.drivers/alsa-sp3-pre-695-Yet-another-fix-for-broken-HSW-HDMI-pin:
Takashi Iwai [Tue, 12 Mar 2013 16:37:42 +0000 (17:37 +0100)]
- patches.drivers/alsa-sp3-pre-695-Yet-another-fix-for-broken-HSW-HDMI-pin:
  Refresh.  Fix a superfluous incremental leading to the double
  array size (bnc#808966)

suse-commit: 2fc5ebc7e1227048269ff1a6911a9898cf944220

5 years ago- patches.arch/kvm-emulator-drop-rpl-check-from-linearize-function.patch:
Bruce Rogers [Thu, 7 Mar 2013 21:22:34 +0000 (14:22 -0700)]
- patches.arch/kvm-emulator-drop-rpl-check-from-linearize-function.patch:
  KVM: emulator: drop RPL check from linearize() function

suse-commit: 852688e7538d2277ebf59e36cbf8c8a1173e21ca

5 years agoMerge branch 'SLE11-SP2' of into SLE11-SP2
Oliver Neukum [Thu, 7 Mar 2013 17:03:35 +0000 (18:03 +0100)]
Merge branch 'SLE11-SP2' of into SLE11-SP2


suse-commit: 0ca126f9794604bfb9a69ebefffaa439b92fe571

5 years ago- patches.drivers/0001-USB-Don-t-use-EHCI-port-sempahore-for-USB-3.0-hubs.patch:
Oliver Neukum [Thu, 7 Mar 2013 16:49:53 +0000 (17:49 +0100)]
- patches.drivers/0001-USB-Don-t-use-EHCI-port-sempahore-for-USB-3.0-hubs.patch:
  USB: Don't use EHCI port sempahore for USB 3.0 hubs
- patches.drivers/0002-USB-Prepare-for-refactoring-by-adding-extra-udev-che.patch:
  USB: Prepare for refactoring by adding extra udev checks
- patches.drivers/0003-USB-Rip-out-recursive-call-on-warm-port-reset.patch:
  USB: Rip out recursive call on warm port reset (bnc#807560).
- patches.drivers/0004-USB-Fix-connected-device-switch-to-Inactive-state.patch:
  USB: Fix connected device switch to Inactive state (bnc#807560).
- patches.drivers/0005-modify-hub-to-detect-unplugs-in-all-states.patch:
  modify hub to detect unplugs in all states (bnc#807560).

suse-commit: bb5744ceddda01a852a916b218b06b78fa60803c

5 years ago- patches.fixes/mlx4-correct-call-to_ib_ah_attr.patch: Correct
Goldwyn Rodrigues [Wed, 6 Mar 2013 18:16:31 +0000 (19:16 +0100)]
- patches.fixes/mlx4-correct-call-to_ib_ah_attr.patch: Correct
  calls to to_ib_ah_attr() (bnc#806847).

suse-commit: 9164d70e15f80dbb17433986e866423ac5a371f6

5 years agoAdd bug id to a patch
NeilBrown [Tue, 5 Mar 2013 22:09:01 +0000 (09:09 +1100)]
Add bug id to a patch

suse-commit: 21dce8e40ec67d3c74d97e1fdac687c33ab085aa

5 years agoMerge branch 'scripts' into SLE11-SP2
Jiri Slaby [Tue, 5 Mar 2013 18:51:51 +0000 (19:51 +0100)]
Merge branch 'scripts' into SLE11-SP2

suse-commit: 893f668ea853d4386d2e00eb635ce84755f62009

5 years ago- Linux 3.0.68 (bnc#768052 bnc#802153 bnc#804154 CVE-2013-0871).
Jiri Slaby [Tue, 5 Mar 2013 11:15:21 +0000 (12:15 +0100)]
- Linux 3.0.68 (bnc#768052 bnc#802153 bnc#804154 CVE-2013-0871).
- patches.arch/x86_x2apic_use_phys_apic_mode_on_bios_request.patch:
- patches.fixes/ptrace-ensure-arch_ptrace-ptrace_request-can-never-r.patch:
- patches.fixes/ptrace-introduce-signal_wake_up_state-and-ptrace_sig.patch:
- patches.fixes/quota-autoload-the-quota_v2-module-for-qfmt_vfs_v1-quota-format:
- patches.fixes/wake_up_process-should-be-never-used-to-wakeup-a-TAS.patch:
- patches.rpmify/dca-check-against-empty-dca_domains-list-before-fix.patch:
- patches.rpmify/s390-kvm-Fix-store-status-for-ACRS-FPRS-fix.patch:

suse-commit: 37ad977610763749147463fe59ef1f571c77925c

5 years agoLinux 3.0.68
Greg Kroah-Hartman [Sun, 3 Mar 2013 22:09:28 +0000 (06:09 +0800)]
Linux 3.0.68

5 years agostaging: comedi: check s->async for poll(), read() and write()
Ian Abbott [Wed, 27 Feb 2013 10:56:19 +0000 (10:56 +0000)]
staging: comedi: check s->async for poll(), read() and write()

commit cc400e185c07c15a42d2635995f422de5b94b696 upstream.

Some low-level comedi drivers (incorrectly) point `dev->read_subdev` or
`dev->write_subdev` to a subdevice that does not support asynchronous
commands.  Comedi's poll(), read() and write() file operation handlers
assume these subdevices do support asynchronous commands.  In
particular, they assume `s->async` is valid (where `s` points to the
read or write subdevice), which it won't be if it has been set
incorrectly.  This can lead to a NULL pointer dereference.

Check `s->async` is non-NULL in `comedi_poll()`, `comedi_read()` and
`comedi_write()` to avoid the bug.

Signed-off-by: Ian Abbott <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agostaging: comedi: ni_labpc: set up command4 register *after* command3
Ian Abbott [Wed, 27 Feb 2013 12:52:46 +0000 (12:52 +0000)]
staging: comedi: ni_labpc: set up command4 register *after* command3

Commit 22056e2b46246d97ff0f7c6e21a77b8daa07f02c upstream.

Tuomas <tvainikk _at_ gmail _dot_ com> reported problems getting
meaningful output from a Lab-PC+ in differential mode for AI cmds, but
AI insn reads gave correct readings.  He tracked it down to two
problems, one of which is addressed by this patch.

It seems that writing to the command3 register after writing to the
command4 register in `labpc_ai_cmd()` messes up the differential
reference bit setting in the command4 register.  Set up the command4
register after the command3 register (as in `labpc_ai_rinsn()`) to avoid
the problem.

Thanks to Tuomas for suggesting the fix.

Signed-off-by: Ian Abbott <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agostaging: comedi: ni_labpc: correct differential channel sequence for AI commands
Ian Abbott [Wed, 27 Feb 2013 12:52:45 +0000 (12:52 +0000)]
staging: comedi: ni_labpc: correct differential channel sequence for AI commands

Commit 4c4bc25d0fa6beaf054c0b4c3b324487f266c820 upstream.

Tuomas <tvainikk _at_ gmail _dot_ com> reported problems getting
meaningful output from a Lab-PC+ in differential mode for AI cmds, but
AI insn reads gave correct readings.  He tracked it down to two
problems, one of which is addressed by this patch.

It seems the setting of the channel bits for particular scanning modes
was incorrect for differential mode.  (Only half the number of channels
are available in differential mode; comedi refers to them as channels 0,
1, 2 and 3, but the hardware documentation refers to them as channels 0,
2, 4 and 6.)  In differential mode, the setting of the channel enable
bits in the command1 register should depend on whether the scan enable
bit is set.  Effectively, we need to double the comedi channel number
when the scan enable bit is not set in differential mode.  The scan
enable bit gets set when the AI scan mode is `MODE_MULT_CHAN_UP` or
`MODE_MULT_CHAN_DOWN`, and gets cleared when the AI scan mode is
for whether the comedi channel number needs to be doubled in
differential mode is incorrect in `labpc_ai_cmd()`.  This patch corrects
the test.

Thanks to Tuomas for suggesting the fix.

Signed-off-by: Ian Abbott <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agos390/kvm: Fix store status for ACRS/FPRS fix
Jiri Slaby [Sun, 3 Mar 2013 22:09:07 +0000 (06:09 +0800)]
s390/kvm: Fix store status for ACRS/FPRS fix

In 3.0.67, commit 58c9ce6fad8e00d9726447f939fe7e78e2aec891 (s390/kvm:
Fix store status for ACRS/FPRS), upstream commit
15bc8d8457875f495c59d933b05770ba88d1eacb, added a call to
save_access_regs to save ACRS. But we do not have ARCS in kvm_run in
3.0 yet, so this results in:
arch/s390/kvm/kvm-s390.c: In function 'kvm_s390_vcpu_store_status':
arch/s390/kvm/kvm-s390.c:593: error: 'struct kvm_run' has no member named 's'

Fix it by saving guest_acrs which is where ARCS are in 3.0.

Signed-off-by: Jiri Slaby <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodca: check against empty dca_domains list before unregister provider fix
Jiri Slaby [Sun, 3 Mar 2013 22:09:07 +0000 (06:09 +0800)]
dca: check against empty dca_domains list before unregister provider fix

In 3.0.67, commit 7a9a20ea77e7508c795dead9ab2f6c98a617762d (dca: check
against empty dca_domains list before unregister provider), upstream
commit c419fcfd071cf34ba00f9f65282583772d2655e7, added a fail path to
unregister_dca_provider. It added there also a call to
raw_spin_unlock_irqrestore. But in 3.0, the lock is not raw, so this
results in:
drivers/dca/dca-core.c: In function 'unregister_dca_provider':
drivers/dca/dca-core.c:413: warning: passing argument 1 of '_raw_spin_unlock_irqrestore' from incompatible pointer type

Fix it by calling spin_unlock_irqrestore properly.

Signed-off-by: Jiri Slaby <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agocgroup: fix exit() vs rmdir() race
Li Zefan [Thu, 24 Jan 2013 06:43:28 +0000 (14:43 +0800)]
cgroup: fix exit() vs rmdir() race

commit 71b5707e119653039e6e95213f00479668c79b75 upstream.

In cgroup_exit() put_css_set_taskexit() is called without any lock,
which might lead to accessing a freed cgroup:

thread1                           thread2
      /* not safe !! */

rcu_read_lock() can be used to make sure the cgroup is alive.

Signed-off-by: Li Zefan <>
Signed-off-by: Tejun Heo <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agocpuset: fix cpuset_print_task_mems_allowed() vs rename() race
Li Zefan [Fri, 25 Jan 2013 08:08:01 +0000 (16:08 +0800)]
cpuset: fix cpuset_print_task_mems_allowed() vs rename() race

commit 63f43f55c9bbc14f76b582644019b8a07dc8219a upstream.

rename() will change dentry->d_name. The result of this race can
be worse than seeing partially rewritten name, but we might access
a stale pointer because rename() will re-allocate memory to hold
a longer name.

It's safe in the protection of dentry->d_lock.

v2: check NULL dentry before acquiring dentry lock.

Signed-off-by: Li Zefan <>
Signed-off-by: Tejun Heo <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agox86/apic: Work around boot failure on HP ProLiant DL980 G7 Server systems
Stoney Wang [Thu, 7 Feb 2013 18:53:02 +0000 (10:53 -0800)]
x86/apic: Work around boot failure on HP ProLiant DL980 G7 Server systems

commit cb214ede7657db458fd0b2a25ea0b28dbf900ebc upstream.

When a HP ProLiant DL980 G7 Server boots a regular kernel,
there will be intermittent lost interrupts which could
result in a hang or (in extreme cases) data loss.

The reason is that this system only supports x2apic physical
mode, while the kernel boots with a logical-cluster default

This bug can be worked around by specifying the "x2apic_phys" or
"nox2apic" boot option, but we want to handle this system
without requiring manual workarounds.

As all apicids are smaller than 255, BIOS need to pass the
control to the OS with xapic mode, according to x2apic-spec,
chapter 2.9.

Current code handle x2apic when BIOS pass with xapic mode

When user specifies x2apic_phys, or FADT indicates PHYSICAL:

1. During madt oem check, apic driver is set with xapic logical
   or xapic phys driver at first.

2. enable_IR_x2apic() will enable x2apic_mode.

3. if user specifies x2apic_phys on the boot line, x2apic_phys_probe()
   will install the correct x2apic phys driver and use x2apic phys mode.
   Otherwise it will skip the driver will let x2apic_cluster_probe to
   take over to install x2apic cluster driver (wrong one) even though FADT
   indicates PHYSICAL, because x2apic_phys_probe does not check

Add checking x2apic_fadt_phys in x2apic_phys_probe() to fix the

Signed-off-by: Stoney Wang <>
[ updated the changelog and simplified the code ]
Signed-off-by: Yinghai Lu <>
Signed-off-by: Zhang Lin-Bao <>
[ make a patch specially for 3.0.66]
Signed-off-by: Ingo Molnar <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agox86: Do not leak kernel page mapping locations
Kees Cook [Thu, 7 Feb 2013 17:44:13 +0000 (09:44 -0800)]
x86: Do not leak kernel page mapping locations

commit e575a86fdc50d013bf3ad3aa81d9100e8e6cc60d upstream.

Without this patch, it is trivial to determine kernel page
mappings by examining the error code reported to dmesg[1].
Instead, declare the entire kernel memory space as a violation
of a present page.

Additionally, since show_unhandled_signals is enabled by
default, switch branch hinting to the more realistic
expectation, and unobfuscate the setting of the PF_PROT bit to
improve readability.


Reported-by: Dan Rosenberg <>
Suggested-by: Brad Spengler <>
Signed-off-by: Kees Cook <>
Acked-by: H. Peter Anvin <>
Cc: Paul E. McKenney <>
Cc: Frederic Weisbecker <>
Cc: Eric W. Biederman <>
Cc: Linus Torvalds <>
Cc: Andrew Morton <>
Cc: Peter Zijlstra <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: CAI Qian <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agounbreak automounter support on 64-bit kernel with 32-bit userspace (v2)
Helge Deller [Mon, 4 Feb 2013 19:39:52 +0000 (19:39 +0000)]
unbreak automounter support on 64-bit kernel with 32-bit userspace (v2)

commit 4f4ffc3a5398ef9bdbb32db04756d7d34e356fcf upstream.

automount-support is broken on the parisc architecture, because the existing
#if list does not include a check for defined(__hppa__). The HPPA (parisc)
architecture is similiar to other 64bit Linux targets where we have to define
autofs_wqt_t (which is passed back and forth to user space) as int type which
has a size of 32bit across 32 and 64bit kernels.

During the discussion on the mailing list, H. Peter Anvin suggested to invert
the #if list since only specific platforms (specifically those who do not have
a 32bit userspace, like IA64 and Alpha) should have autofs_wqt_t as unsigned
long type.

This suggestion is probably the best way to go, since Arm64 (and maybe others?)
seems to have a non-working automounter. So in the long run even for other new
upcoming architectures this inverted check seem to be the best solution, since
it will not require them to change this #if again (unless they are 64bit only).

Signed-off-by: Helge Deller <>
Acked-by: H. Peter Anvin <>
Acked-by: Ian Kent <>
Acked-by: Catalin Marinas <>
CC: James Bottomley <>
CC: Rolf Eike Beer <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agowake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task
Oleg Nesterov [Tue, 19 Feb 2013 13:56:53 +0000 (14:56 +0100)]
wake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task

Upstream commit 9067ac85d533651b98c2ff903182a20cbb361fcb.

wake_up_process() should never wakeup a TASK_STOPPED/TRACED task.
Change it to use TASK_NORMAL and add the WARN_ON().

TASK_ALL has no other users, probably can be killed.

Signed-off-by: Oleg Nesterov <>
Signed-off-by: Linus Torvalds <>
Cc: Michal Hocko <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL
Oleg Nesterov [Tue, 19 Feb 2013 13:56:52 +0000 (14:56 +0100)]
ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL

Upstream commit 9899d11f654474d2d54ea52ceaa2a1f4db3abd68.

putreg() assumes that the tracee is not running and pt_regs_access() can
safely play with its stack.  However a killed tracee can return from
ptrace_stop() to the low-level asm code and do RESTORE_REST, this means
that debugger can actually read/modify the kernel stack until the tracee
does SAVE_REST again.

set_task_blockstep() can race with SIGKILL too and in some sense this
race is even worse, the very fact the tracee can be woken up breaks the

As Linus suggested we can clear TASK_WAKEKILL around the arch_ptrace()
call, this ensures that nobody can ever wakeup the tracee while the
debugger looks at it.  Not only this fixes the mentioned problems, we
can do some cleanups/simplifications in arch_ptrace() paths.

Probably ptrace_unfreeze_traced() needs more callers, for example it
makes sense to make the tracee killable for oom-killer before

While at it, add the comment into may_ptrace_stop() to explain why
ptrace_stop() still can't rely on SIGKILL and signal_pending_state().

Reported-by: Salman Qazi <>
Reported-by: Suleiman Souhlal <>
Suggested-by: Linus Torvalds <>
Signed-off-by: Oleg Nesterov <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Michal Hocko <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up()
Oleg Nesterov [Tue, 19 Feb 2013 13:56:51 +0000 (14:56 +0100)]
ptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up()

Upstream commit 910ffdb18a6408e14febbb6e4b6840fd2c928c82.

Cleanup and preparation for the next change.

signal_wake_up(resume => true) is overused. None of ptrace/jctl callers
actually want to wakeup a TASK_WAKEKILL task, but they can't specify the
necessary mask.

Turn signal_wake_up() into signal_wake_up_state(state), reintroduce
signal_wake_up() as a trivial helper, and add ptrace_signal_wake_up()
which adds __TASK_TRACED.

This way ptrace_signal_wake_up() can work "inside" ptrace_request()
even if the tracee doesn't have the TASK_WAKEKILL bit set.

Signed-off-by: Oleg Nesterov <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Michal Hocko <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agovhost: fix length for cross region descriptor
Michael S. Tsirkin [Mon, 26 Nov 2012 05:57:27 +0000 (05:57 +0000)]
vhost: fix length for cross region descriptor

commit bd97120fc3d1a11f3124c7c9ba1d91f51829eb85 upstream.

If a single descriptor crosses a region, the
second chunk length should be decremented
by size translated so far, instead it includes
the full descriptor length.

Signed-off-by: Michael S. Tsirkin <>
Acked-by: Jason Wang <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agosvcrpc: make svc_age_temp_xprts enqueue under sv_lock
J. Bruce Fields [Sun, 10 Feb 2013 16:33:48 +0000 (11:33 -0500)]
svcrpc: make svc_age_temp_xprts enqueue under sv_lock

commit e75bafbff2270993926abcc31358361db74a9bc2 upstream.

svc_age_temp_xprts expires xprts in a two-step process: first it takes
the sv_lock and moves the xprts to expire off their server-wide list
(sv_tempsocks or sv_permsocks) to a local list.  Then it drops the
sv_lock and enqueues and puts each one.

I see no reason for this: svc_xprt_enqueue() will take sp_lock, but the
sv_lock and sp_lock are not otherwise nested anywhere (and documentation
at the top of this file claims it's correct to nest these with sp_lock

Tested-by: Jason Tibbitts <>
Tested-by: Paweł Sikora <>
Signed-off-by: J. Bruce Fields <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoext4: fix race in ext4_mb_add_n_trim()
Niu Yawei [Sat, 2 Feb 2013 02:31:27 +0000 (21:31 -0500)]
ext4: fix race in ext4_mb_add_n_trim()

commit f1167009711032b0d747ec89a632a626c901a1ad upstream.

In ext4_mb_add_n_trim(), lg_prealloc_lock should be taken when
changing the lg_prealloc_list.

Signed-off-by: Niu Yawei <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomedia: rc: unlock on error in show_protocols()
Dan Carpenter [Tue, 27 Nov 2012 16:35:09 +0000 (13:35 -0300)]
media: rc: unlock on error in show_protocols()

commit 30ebc5e44d057a1619ad63fe32c8c1670c37c4b8 upstream.

We recently introduced a new return -ENODEV in this function but we need
to unlock before returning.

[ found two patches with the same fix. Merged SOB's/acks into one patch]
Acked-by: Herton R. Krzesinski <>
Signed-off-by: Dan Carpenter <>
Signed-off-by: Douglas Bagnall <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agosysctl: fix null checking in bin_dn_node_address()
Xi Wang [Thu, 28 Feb 2013 01:05:21 +0000 (17:05 -0800)]
sysctl: fix null checking in bin_dn_node_address()

commit df1778be1a33edffa51d094eeda87c858ded6560 upstream.

The null check of `strchr() + 1' is broken, which is always non-null,
leading to OOB read.  Instead, check the result of strchr().

Signed-off-by: Xi Wang <>
Cc: "Eric W. Biederman" <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agofirewire: add minor number range check to fw_device_init()
Tejun Heo [Thu, 28 Feb 2013 01:04:04 +0000 (17:04 -0800)]
firewire: add minor number range check to fw_device_init()

commit 3bec60d511179853138836ae6e1b61fe34d9235f upstream.

fw_device_init() didn't check whether the allocated minor number isn't
too large.  Fail if it goes overflows MINORBITS.

Signed-off-by: Tejun Heo <>
Suggested-by: Stefan Richter <>
Acked-by: Stefan Richter <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoidr: fix a subtle bug in idr_get_next()
Tejun Heo [Thu, 28 Feb 2013 01:03:34 +0000 (17:03 -0800)]
idr: fix a subtle bug in idr_get_next()

commit 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 upstream.

The iteration logic of idr_get_next() is borrowed mostly verbatim from
idr_for_each().  It walks down the tree looking for the slot matching
the current ID.  If the matching slot is not found, the ID is
incremented by the distance of single slot at the given level and

The implementation assumes that during the whole iteration id is aligned
to the layer boundaries of the level closest to the leaf, which is true
for all iterations starting from zero or an existing element and thus is
fine for idr_for_each().

However, idr_get_next() may be given any point and if the starting id
hits in the middle of a non-existent layer, increment to the next layer
will end up skipping the same offset into it.  For example, an IDR with
IDs filled between [64, 127] would look like the following.

          [  0  64 ... ]
       /----/   |
       |        |
      NULL    [ 64 ... 127 ]

If idr_get_next() is called with 63 as the starting point, it will try
to follow down the pointer from 0.  As it is NULL, it will then try to
proceed to the next slot in the same level by adding the slot distance
at that level which is 64 - making the next try 127.  It goes around the
loop and finds and returns 127 skipping [64, 126].

Note that this bug also triggers in idr_for_each_entry() loop which
deletes during iteration as deletions can make layers go away leaving
the iteration with unaligned ID into missing layers.

Fix it by ensuring proceeding to the next slot doesn't carry over the
unaligned offset - ie.  use round_up(id + 1, slot_distance) instead of
id += slot_distance.

Signed-off-by: Tejun Heo <>
Reported-by: David Teigland <>
Cc: KAMEZAWA Hiroyuki <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoxen-blkback: do not leak mode property
Jan Beulich [Thu, 20 Dec 2012 10:31:11 +0000 (10:31 +0000)]
xen-blkback: do not leak mode property

commit 9d092603cc306ee6edfe917bf9ab8beb5f32d7bc upstream.

"be->mode" is obtained from xenbus_read(), which does a kmalloc() for
the message body. The short string is never released, so do it along
with freeing "be" itself, and make sure the string isn't kept when
backend_changed() doesn't complete successfully (which made it
desirable to slightly re-structure that function, so that the error
cleanup can be done in one place).

Reported-by: Olaf Hering <>
Signed-off-by: Jan Beulich <>
Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoocfs2: ac->ac_allow_chain_relink=0 won't disable group relink
Xiaowei.Hu [Thu, 28 Feb 2013 01:02:49 +0000 (17:02 -0800)]
ocfs2: ac->ac_allow_chain_relink=0 won't disable group relink

commit 309a85b6861fedbb48a22d45e0e079d1be993b3a upstream.

ocfs2_block_group_alloc_discontig() disables chain relink by setting
ac->ac_allow_chain_relink = 0 because it grabs clusters from multiple
cluster groups.

It doesn't keep the credits for all chain relink,but
ocfs2_claim_suballoc_bits overrides this in this call trace:
ocfs2_claim_suballoc_bits set ac->ac_allow_chain_relink = 1; then call
ocfs2_search_chain() one time and disable it again, and then we run out
of credits.

Fix is to allow relink by default and disable it in

Without this patch, End-users will run into a crash due to run out of
credits, backtrace like this:

  RIP: 0010:[<ffffffffa0808b14>]  [<ffffffffa0808b14>]
  jbd2_journal_dirty_metadata+0x164/0x170 [jbd2]
  RSP: 0018:ffff8801b919b5b8  EFLAGS: 00010246
  RAX: 0000000000000000 RBX: ffff88022139ddc0 RCX: ffff880159f652d0
  RDX: ffff880178aa3000 RSI: ffff880159f652d0 RDI: ffff880087f09bf8
  RBP: ffff8801b919b5e8 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000001e00 R11: 00000000000150b0 R12: ffff880159f652d0
  R13: ffff8801a0cae908 R14: ffff880087f09bf8 R15: ffff88018d177800
  FS:  00007fc9b0b6b6e0(0000) GS:ffff88022fd40000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
  CR2: 000000000040819c CR3: 0000000184017000 CR4: 00000000000006e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  Process dd (pid: 9945, threadinfo ffff8801b919a000, task ffff880149a264c0)
  Call Trace:
    ocfs2_journal_dirty+0x2f/0x70 [ocfs2]
    ocfs2_relink_block_group+0x111/0x480 [ocfs2]
    ocfs2_search_chain+0x455/0x9a0 [ocfs2]

Signed-off-by: Xiaowei.Hu <>
Reviewed-by: Srinivas Eeda <>
Cc: Mark Fasheh <>
Cc: Joel Becker <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotarget: Add missing mapped_lun bounds checking during make_mappedlun setup
Nicholas Bellinger [Tue, 19 Feb 2013 02:31:37 +0000 (18:31 -0800)]
target: Add missing mapped_lun bounds checking during make_mappedlun setup

commit fbbf8555a986ed31e54f006b6cc637ea4ff1425b upstream.

This patch adds missing bounds checking for the configfs provided
mapped_lun value during target_fabric_make_mappedlun() setup ahead
of se_lun_acl initialization.

This addresses a potential OOPs when using a mapped_lun value that
exceeds the hardcoded TRANSPORT_MAX_LUNS_PER_TPG-1 value within

Reported-by: Jan Engelhardt <>
Cc: Jan Engelhardt <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agox86: Make sure we can boot in the case the BDA contains pure garbage
H. Peter Anvin [Wed, 27 Feb 2013 20:46:40 +0000 (12:46 -0800)]
x86: Make sure we can boot in the case the BDA contains pure garbage

commit 7c10093692ed2e6f318387d96b829320aa0ca64c upstream.

On non-BIOS platforms it is possible that the BIOS data area contains
garbage instead of being zeroed or something equivalent (firmware
people: we are talking of 1.5K here, so please do the sane thing.)

We need on the order of 20-30K of low memory in order to boot, which
may grow up to < 64K in the future.  We probably want to avoid the
lowest of the low memory.  At the same time, it seems extremely
unlikely that a legitimate EBDA would ever reach down to the 128K
(which would require it to be over half a megabyte in size.)  Thus,
pick 128K as the cutoff for "this is insane, ignore."  We may still
end up reserving a bunch of extra memory on the low megabyte, but that
is not really a major issue these days.  In the worst case we lose
512K of RAM.

This code really should be merged with trim_bios_range() in
arch/x86/kernel/setup.c, but that is a bigger patch for a later merge

Reported-by: Darren Hart <>
Signed-off-by: H. Peter Anvin <>
Cc: Matt Fleming <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodoc, kernel-parameters: Document 'console=hvc<n>'
Konrad Rzeszutek Wilk [Mon, 25 Feb 2013 20:54:09 +0000 (15:54 -0500)]
doc, kernel-parameters: Document 'console=hvc<n>'

commit a2fd6419174470f5ae6383f5037d0ee21ed9833f upstream.

Both the PowerPC hypervisor and Xen hypervisor can utilize the
hvc driver.

Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: H. Peter Anvin <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodoc, xen: Mention 'earlyprintk=xen' in the documentation.
Konrad Rzeszutek Wilk [Mon, 25 Feb 2013 20:54:08 +0000 (15:54 -0500)]
doc, xen: Mention 'earlyprintk=xen' in the documentation.

commit 2482a92e7d17187301d7313cfe5021b13393a0b4 upstream.

The earlyprintk for Xen PV guests utilizes a simple hypercall
(console_io) to provide output to Xen emergency console.

Note that the Xen hypervisor should be booted with 'loglevel=all'
to output said information.

Reported-by: H. Peter Anvin <>
Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: H. Peter Anvin <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoftrace: Call ftrace cleanup module notifier after all other notifiers
Steven Rostedt (Red Hat) [Wed, 13 Feb 2013 20:18:38 +0000 (15:18 -0500)]
ftrace: Call ftrace cleanup module notifier after all other notifiers

commit 8c189ea64eea01ca20d102ddb74d6936dd16c579 upstream.

Commit: c1bf08ac "ftrace: Be first to run code modification on modules"

changed ftrace module notifier's priority to INT_MAX in order to
process the ftrace nops before anything else could touch them
(namely kprobes). This was the correct thing to do.

Unfortunately, the ftrace module notifier also contains the ftrace
clean up code. As opposed to the set up code, this code should be
run *after* all the module notifiers have run in case a module is doing
correct clean-up and unregisters its ftrace hooks. Basically, ftrace
needs to do clean up on module removal, as it needs to know about code
being removed so that it doesn't try to modify that code. But after it
removes the module from its records, if a ftrace user tries to remove
a probe, that removal will fail due as the record of that code segment
no longer exists.

Nothing really bad happens if the probe removal is called after ftrace
did the clean up, but the ftrace removal function will return an error.
Correct code (such as kprobes) will produce a WARN_ON() if it fails
to remove the probe. As people get annoyed by frivolous warnings, it's
best to do the ftrace clean up after everything else.

By splitting the ftrace_module_notifier into two notifiers, one that
does the module load setup that is run at high priority, and the other
that is called for module clean up that is run at low priority, the
problem is solved.

Reported-by: Frank Ch. Eigler <>
Acked-by: Masami Hiramatsu <>
Signed-off-by: Steven Rostedt <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoposix-timer: Don't call idr_find() with out-of-range ID
Tejun Heo [Wed, 20 Feb 2013 23:24:12 +0000 (15:24 -0800)]
posix-timer: Don't call idr_find() with out-of-range ID

commit e182bb38d7db7494fa5dcd82da17fe0dedf60ecf upstream.

When idr_find() was fed a negative ID, it used to look up the ID
ignoring the sign bit before recent ("idr: remove MAX_IDR_MASK and
move left MAX_IDR_* into idr.c") patch. Now a negative ID triggers

__lock_timer() feeds timer_id from userland directly to idr_find()
without sanitizing it which can trigger the above malfunctions.  Add a
range check on @timer_id before invoking idr_find() in __lock_timer().

While timer_t is defined as int by all archs at the moment, Andrew
worries that it may be defined as a larger type later on.  Make the
test cover larger integers too so that it at least is guaranteed to
not return the wrong timer.

Note that WARN_ON_ONCE() in idr_find() on id < 0 is transitional
precaution while moving away from ignoring MSB.  Once it's gone we can
remove the guard as long as timer_t isn't larger than int.

Signed-off-by: Tejun Heo <>
Reported-by: Sasha Levin <>
Cc: Andrew Morton <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoiommu/amd: Initialize device table after dma_ops
Joerg Roedel [Wed, 6 Feb 2013 11:55:23 +0000 (12:55 +0100)]
iommu/amd: Initialize device table after dma_ops

commit f528d980c17b8714aedc918ba86e058af914d66b upstream.

When dma_ops are initialized the unity mappings are
created. The init_device_table_dma() function makes sure DMA
from all devices is blocked by default. This opens a short
window in time where DMA to unity mapped regions is blocked
by the IOMMU. Make sure this does not happen by initializing
the device table after dma_ops.

Signed-off-by: Joerg Roedel <>
Signed-off-by: Shuah Khan <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoquota: autoload the quota_v2 module for QFMT_VFS_V1 quota format
Theodore Ts'o [Fri, 25 Jan 2013 04:24:56 +0000 (23:24 -0500)]
quota: autoload the quota_v2 module for QFMT_VFS_V1 quota format

commit c3ad83d9efdfe6a86efd44945a781f00c879b7b4 upstream.

Otherwise, ext4 file systems with the quota featured enable will get a
very confusing "No such process" error message if the quota code is
built as a module and the quota_v2 module has not been loaded.

Signed-off-by: "Theodore Ts'o" <>
Reviewed-by: Carlos Maiolino <>
Acked-by: Jan Kara <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago- Update patches.suse/zcrypt-feed-hwrandom (bnc#806825).
Torsten Duwe [Fri, 1 Mar 2013 15:59:52 +0000 (16:59 +0100)]
- Update patches.suse/zcrypt-feed-hwrandom (bnc#806825).
  Allow zcrypt module unload even when the thread is
  blocked writing to a full random pool.

suse-commit: b1d6aa8c6a516ecde8eb5fc4ee24947f0cc12ef4

5 years ago- patches.drivers/0001-USB-move-usb_translate_errors-to-linux-usb.h.patch:
Oliver Neukum [Fri, 1 Mar 2013 12:05:41 +0000 (13:05 +0100)]
- patches.drivers/0001-USB-move-usb_translate_errors-to-linux-usb.h.patch:
  USB: move usb_translate_errors to linux/usb (bnc#806908).
- patches.drivers/0002-USB-add-EOPNOTSUPP-to-usb_translate_errors.patch:
  USB: add EOPNOTSUPP to usb_translate_errors (bnc#806908).
- patches.suse/0001-cdc-wdm-add-helper-to-preserve-kABI.patch:

suse-commit: d1a5364967206509ff62d040b7f38eaa641670c4

5 years ago- Linux 3.0.67 (bnc#578046, bnc#786814, bnc#806138, CVE-2013-1767,
Jiri Slaby [Thu, 28 Feb 2013 21:47:33 +0000 (22:47 +0100)]
- Linux 3.0.67 (bnc#578046, bnc#786814, bnc#806138, CVE-2013-1767,
- patches.rpmify/dca-check-against-empty-dca_domains-list-before-fix.patch:
  dca: check against empty dca_domains list before unregister
  provider fix.
- patches.rpmify/s390-kvm-Fix-store-status-for-ACRS-FPRS-fix.patch:
  s390/kvm: Fix store status for ACRS/FPRS fix.
- patches.kabi/kabi-restore-utf8s_to_utf16s.patch: kABI: restore
- patches.suse/msft-hv-0247-Staging-hv-move-hyperv-code-out-of-staging-directo.patch:
- patches.suse/msft-hv-0344-Drivers-hv-Support-the-newly-introduced-KVP-messag.patch:
- patches.suse/msft-hv-0361-hyperv-Add-support-for-setting-MAC-from-within-guest.patch:
- patches.suse/msft-hv-0374-Drivers-hv-kvp-Support-the-new-IP-injection-messages.patch:
- patches.fixes/ext4-add-missing-kfree-on-error-return-path-in-add_new_gdb:
- patches.fixes/ext4-free-resources-in-some-error-path-in-ext4_fill_super:
- patches.fixes/mm-mmu_notifier-have-mmu_notifiers-use-a-global-SRCU-so-they-may-safely-schedule.patch:
- patches.fixes/mm-mmu_notifier-make-the-mmu_notifier-srcu-static.patch:
- patches.fixes/mm-mmu_notifier_unregister-NULL-Pointer-deref-and-multiple---release-callouts.patch:
- patches.fixes/tmpfs-fix-use-after-free-of-mempolicy-object.patch:
- patches.suse/msft-hv-0261-NLS-improve-UTF8-UTF16-string-conversion-routine.patch:

suse-commit: 18e9ba02cb62b19cd10e1375d38b44052f8cd716

5 years ago- patches.drivers/0002-USB-cdc-wdm-sanitize-error-returns.patch:
Oliver Neukum [Fri, 1 Mar 2013 08:30:36 +0000 (09:30 +0100)]
- patches.drivers/0002-USB-cdc-wdm-sanitize-error-returns.patch:
  USB: cdc-wdm: sanitize error returns (bnc#806908).
- patches.drivers/0003-USB-cdc-wdm-cleanup-error-codes.patch:
  USB: cdc-wdm: cleanup error codes (bnc#806908).
- patches.suse/0001-cdc-wdm-add-helper-to-preserve-kABI.patch:
  cdc-wdm: add helper to preserve kABI (bnc#806908).

suse-commit: aea8c8a2e0908a1381c15b0941cb42600eee3e2d

5 years ago- patches.drivers/cxgb4i-remove-the-scsi-host-device-when-removing-device:
Torsten Duwe [Thu, 28 Feb 2013 15:54:14 +0000 (16:54 +0100)]
- patches.drivers/cxgb4i-remove-the-scsi-host-device-when-removing-device:
  cxgb4i: Remove the scsi host device when removing device

suse-commit: f453908a063a6c1ac5aaf644b67621d3f24fe8e7

5 years agoLinux 3.0.67
Greg Kroah-Hartman [Thu, 28 Feb 2013 14:33:32 +0000 (06:33 -0800)]
Linux 3.0.67

5 years agoUSB: usb-storage: unusual_devs update for Super TOP SATA bridge
Josh Boyer [Thu, 14 Feb 2013 14:39:09 +0000 (09:39 -0500)]
USB: usb-storage: unusual_devs update for Super TOP SATA bridge

commit 18e03310b5caa6d11c1a8c61b982c37047693fba upstream.

The current entry in unusual_cypress.h for the Super TOP SATA bridge devices
seems to be causing corruption on newer revisions of this device.  This has
been reported in Arch Linux and Fedora.  The original patch was tested on
devices with bcdDevice of 1.60, whereas the newer devices report bcdDevice
as 2.20.  Limit the UNUSUAL_DEV entry to devices less than 2.20.

This fixes

The Arch Forum post on this is here:

Reported-by: Carsten S. <>
Tested-by: Carsten S. <>
Signed-off-by: Josh Boyer <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUSB: storage: properly handle the endian issues of idProduct
fangxiaozhi [Thu, 7 Feb 2013 07:32:07 +0000 (15:32 +0800)]
USB: storage: properly handle the endian issues of idProduct

commit cd060956c5e97931c3909e4a808508469c0bb9f6 upstream.

1. The idProduct is little endian, so make sure its value to be
compatible with the current CPU. Make no break on big endian processors.

Signed-off-by: fangxiaozhi <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUSB: ehci-omap: Fix autoloading of module
Roger Quadros [Thu, 14 Feb 2013 15:08:09 +0000 (17:08 +0200)]
USB: ehci-omap: Fix autoloading of module

commit 04753523266629b1cd0518091da1658755787198 upstream.

The module alias should be "ehci-omap" and not
"omap-ehci" to match the platform device name.
The omap-ehci module should now autoload correctly.

Signed-off-by: Roger Quadros <>
Acked-by: Alan Stern <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUSB: option: add Huawei "ACM" devices using protocol = vendor
Bjørn Mork [Wed, 13 Feb 2013 22:41:34 +0000 (23:41 +0100)]
USB: option: add Huawei "ACM" devices using protocol = vendor

commit 1f3f687722fd9b29a0c2a85b4844e3b2a3585c63 upstream.

The USB device descriptor of one identity presented by a few
Huawei morphing devices have serial functions with class codes
02/02/ff, indicating CDC ACM with a vendor specific protocol. This
combination is often used for MSFT RNDIS functions, and the CDC
ACM class driver will therefore ignore such functions.

The CDC ACM class driver cannot support functions with only 2
endpoints.  The underlying serial functions of these modems are
also believed to be the same as for alternate device identities
already supported by the option driver. Letting the same driver
handle these functions independently of the current identity
ensures consistent handling and user experience.

There is no need to blacklist these devices in the rndis_host
driver. Huawei serial functions will either have only 2 endpoints
or a CDC ACM functional descriptor with bmCapabilities != 0, making
them correctly ignored as "non RNDIS" by that driver.

Signed-off-by: Bjørn Mork <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUSB: option: add Yota / Megafon M100-1 4g modem
Bjørn Mork [Tue, 12 Feb 2013 12:42:24 +0000 (13:42 +0100)]
USB: option: add Yota / Megafon M100-1 4g modem

commit cd565279e51bedee1b2988e84f9b3bef485adeb6 upstream.

Interface layout:

 00 CD-ROM
 01 debug COM port
 02 AP control port
 03 modem
 04 usb-ethernet

Bus=01 Lev=02 Prnt=02 Port=01 Cnt=02 Dev#=  4 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=0408 ProdID=ea42 Rev= 0.00
S:  Manufacturer=Qualcomm, Incorporated
S:  Product=Qualcomm CDMA Technologies MSM
S:  SerialNumber=353568051xxxxxx
C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=84(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=86(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms

Signed-off-by: Bjørn Mork <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUSB: option: add and update Alcatel modems
Bjørn Mork [Wed, 23 Jan 2013 09:44:36 +0000 (10:44 +0100)]
USB: option: add and update Alcatel modems

commit f8f0302bbcbd1b14655bef29f6996a2152be559d upstream.

Adding three currently unsupported modems based on information
from .inf driver files:

  Diag  VID_1BBB&PID_0052&MI_00
  AGPS  VID_1BBB&PID_0052&MI_01
  AT    VID_1BBB&PID_0052&MI_03
  Modem VID_1BBB&PID_0052&MI_05
  wwan  VID_1BBB&PID_0052&MI_06

  Diag  VID_1BBB&PID_00B6&MI_00
  AT    VID_1BBB&PID_00B6&MI_01
  Modem VID_1BBB&PID_00B6&MI_02
  wwan  VID_1BBB&PID_00B6&MI_03

  Diag  VID_1BBB&PID_00B7&MI_00
  AT    VID_1BBB&PID_00B7&MI_03
  Modem VID_1BBB&PID_00B7&MI_04
  wwan  VID_1BBB&PID_00B7&MI_05

Updating the blacklist info for the X060S_X200 and X220_X500D,
reserving interfaces for a wwan driver, based on

  wwan VID_1BBB&PID_0000&MI_04
  wwan VID_1BBB&PID_0017&MI_06

Signed-off-by: Bjørn Mork <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodca: check against empty dca_domains list before unregister provider
Maciej Sosnowski [Wed, 23 May 2012 15:27:07 +0000 (17:27 +0200)]
dca: check against empty dca_domains list before unregister provider

commit c419fcfd071cf34ba00f9f65282583772d2655e7 upstream.

When providers get blocked unregister_dca_providers() is called ending up
with dca_providers and dca_domain lists emptied. Dca should be prevented from
trying to unregister any provider if dca_domain list is found empty.

Reported-by: Jiang Liu <>
Tested-by: Gaohuai Han <>
Signed-off-by: Maciej Sosnowski <>
Signed-off-by: Dan Williams <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoipv6: use a stronger hash for tcp
Eric Dumazet [Thu, 21 Feb 2013 12:18:52 +0000 (12:18 +0000)]
ipv6: use a stronger hash for tcp

[ Upstream commit 08dcdbf6a7b9d14c2302c5bd0c5390ddf122f664 ]

It looks like its possible to open thousands of TCP IPv6
sessions on a server, all landing in a single slot of TCP hash
table. Incoming packets have to lookup sockets in a very
long list.

We should hash all bits from foreign IPv6 addresses, using
a salt and hash mix, not a simple XOR.

inet6_ehashfn() can also separately use the ports, instead
of xoring them.

Reported-by: Neal Cardwell <>
Signed-off-by: Eric Dumazet <>
Cc: Yuchung Cheng <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoipv4: fix a bug in ping_err().
Li Wei [Thu, 21 Feb 2013 00:09:54 +0000 (00:09 +0000)]
ipv4: fix a bug in ping_err().

[ Upstream commit b531ed61a2a2a77eeb2f7c88b49aa5ec7d9880d8 ]

We should get 'type' and 'code' from the outer ICMP header.

Signed-off-by: Li Wei <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoxen-netback: cancel the credit timer when taking the vif down
David Vrabel [Thu, 14 Feb 2013 03:18:58 +0000 (03:18 +0000)]
xen-netback: cancel the credit timer when taking the vif down

[ Upstream commit 3e55f8b306cf305832a4ac78aa82e1b40e818ece ]

If the credit timer is left armed after calling
xen_netbk_remove_xenvif(), then it may fire and attempt to schedule
the vif which will then oops as vif->netbk == NULL.

This may happen both in the fatal error path and during normal
disconnection from the front end.

The sequencing during shutdown is critical to ensure that: a)
vif->netbk doesn't become unexpectedly NULL; and b) the net device/vif
is not freed.

1. Mark as unschedulable (netif_carrier_off()).
2. Synchronously cancel the timer.
3. Remove the vif from the schedule list.
4. Remove it from it netback thread group.
5. Wait for vif->refcnt to become 0.

Signed-off-by: David Vrabel <>
Acked-by: Ian Campbell <>
Reported-by: Christopher S. Aker <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoxen-netback: correctly return errors from netbk_count_requests()
David Vrabel [Thu, 14 Feb 2013 03:18:57 +0000 (03:18 +0000)]
xen-netback: correctly return errors from netbk_count_requests()

[ Upstream commit 35876b5ffc154c357476b2c3bdab10feaf4bd8f0 ]

netbk_count_requests() could detect an error, call
netbk_fatal_tx_error() but return 0.  The vif may then be used
afterwards (e.g., in a call to netbk_tx_error().

Since netbk_fatal_tx_error() could set vif->refcnt to 1, the vif may
be freed immediately after the call to netbk_fatal_tx_error() (e.g.,
if the vif is also removed).

Netback thread              Xenwatch thread
netbk_fatal_tx_err()        netback_remove()
netbk_tx_err() Oops!

Signed-off-by: Wei Liu <>
Signed-off-by: Jan Beulich <>
Signed-off-by: David Vrabel <>
Reported-by: Christopher S. Aker <>
Acked-by: Ian Campbell <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agobridge: set priority of STP packets
Stephen Hemminger [Mon, 11 Feb 2013 08:22:22 +0000 (08:22 +0000)]
bridge: set priority of STP packets

[ Upstream commit 547b4e718115eea74087e28d7fa70aec619200db ]

Spanning Tree Protocol packets should have always been marked as
control packets, this causes them to get queued in the high prirority
FIFO. As Radia Perlman mentioned in her LCA talk, STP dies if bridge
gets overloaded and can't communicate. This is a long-standing bug back
to the first versions of Linux bridge.

Signed-off-by: Stephen Hemminger <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agofb: Yet another band-aid for fixing lockdep mess
Takashi Iwai [Fri, 25 Jan 2013 00:28:18 +0000 (10:28 +1000)]
fb: Yet another band-aid for fixing lockdep mess

commit e93a9a868792ad71cdd09d75e5a02d8067473c4e upstream.

I've still got lockdep warnings even after Alan's patch, and it seems that
yet more band aids are required to paper over similar paths for
unbind_con_driver() and unregister_con_driver().  After this hack, lockdep
warnings are finally gone.

Signed-off-by: Takashi Iwai <>
Cc: Alan Cox <>
Cc: Florian Tobias Schandinat <>
Cc: Jiri Kosina <>
Tested-by: Sedat Dilek <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agofb: rework locking to fix lock ordering on takeover
Alan Cox [Fri, 25 Jan 2013 00:28:15 +0000 (10:28 +1000)]
fb: rework locking to fix lock ordering on takeover

commit 50e244cc793d511b86adea24972f3a7264cae114 upstream.

Adjust the console layer to allow a take over call where the caller
already holds the locks.  Make the fb layer lock in order.

This is partly a band aid, the fb layer is terminally confused about the
locking rules it uses for its notifiers it seems.

[ remove stray non-ascii char, tidy comment]
[ export do_take_over_console()]
[airlied: cleanup another non-ascii char]
Signed-off-by: Alan Cox <>
Cc: Florian Tobias Schandinat <>
Cc: Stephen Rothwell <>
Cc: Jiri Kosina <>
Tested-by: Sedat Dilek <>
Reviewed-by: Daniel Vetter <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agofbcon: don't lose the console font across generic->chip driver switch
Dave Airlie [Thu, 24 Jan 2013 06:12:41 +0000 (16:12 +1000)]
fbcon: don't lose the console font across generic->chip driver switch

commit ae1287865f5361fa138d4d3b1b6277908b54eac9 upstream.

If grub2 loads efifb/vesafb, then when systemd starts it can set the console
font on that framebuffer device, however when we then load the native KMS
driver, the first thing it does is tear down the generic framebuffer driver.

The thing is the generic code is doing the right thing, it frees the font
because otherwise it would leak memory. However we can assume that if you
are removing the generic firmware driver (vesa/efi/offb), that a new driver
*should* be loading soon after, so we effectively leak the font.

However the old code left a dangling pointer in vc-> and we
can now reuse that dangling pointer to load the font into the new
driver, now that we aren't freeing it.


Signed-off-by: Dave Airlie <>
Cc: Kay Sievers <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agopcmcia/vrc4171: Add missing spinlock init
Jean Delvare [Sun, 16 Dec 2012 21:00:50 +0000 (22:00 +0100)]
pcmcia/vrc4171: Add missing spinlock init

commit 811af9723859884f2f771f3174f3ddedab7c53b5 upstream.

It doesn't seem this spinlock was properly initialized. This bug was
introduced by commit 7a410e8d4d97457c8c381e2de9cdc7bd3306badc.

Signed-off-by: Jean Delvare <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoPurge existing TLB entries in set_pte_at and ptep_set_wrprotect
John David Anglin [Tue, 15 Jan 2013 00:45:00 +0000 (19:45 -0500)]
Purge existing TLB entries in set_pte_at and ptep_set_wrprotect

commit 7139bc1579901b53db7e898789e916ee2fb52d78 upstream.

This patch goes a long way toward fixing the minifail bug, and
it  significantly improves the stability of SMP machines such as
the rp3440.  When write  protecting a page for COW, we need to
purge the existing translation.  Otherwise, the COW break
doesn't occur as expected because the TLB may still have a stale entry
which allows writes.

[jejb: fix up checkpatch errors]
Signed-off-by: John David Anglin <>
Signed-off-by: James Bottomley <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agopowerpc/kexec: Disable hard IRQ before kexec
Phileas Fogg [Fri, 22 Feb 2013 23:32:19 +0000 (00:32 +0100)]
powerpc/kexec: Disable hard IRQ before kexec

commit 8520e443aa56cc157b015205ea53e7b9fc831291 upstream.

Disable hard IRQ before kexec a new kernel image.
Not doing it can result in corrupted data in the memory segments
reserved for the new kernel.

Signed-off-by: Phileas Fogg <>
Signed-off-by: Benjamin Herrenschmidt <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoARM: PXA3xx: program the CSMSADRCFG register
Igor Grinberg [Sun, 13 Jan 2013 11:49:47 +0000 (13:49 +0200)]
ARM: PXA3xx: program the CSMSADRCFG register

commit d107a204154ddd79339203c2deeb7433f0cf6777 upstream.

The Chip Select Configuration Register must be programmed to 0x2 in
order to achieve the correct behavior of the Static Memory Controller.

Without this patch devices wired to DFI and accessed through SMC cannot
be accessed after resume from S2.

Do not rely on the boot loader to program the CSMSADRCFG register by
programming it in the kernel smemc module.

Signed-off-by: Igor Grinberg <>
Acked-by: Eric Miao <>
Signed-off-by: Haojian Zhuang <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agostaging: vt6656: Fix URB submitted while active warning.
Malcolm Priestley [Wed, 30 Jan 2013 20:07:29 +0000 (20:07 +0000)]
staging: vt6656: Fix URB submitted while active warning.

commit ae5943de8c8c4438cbac5cda599ff0b88c224468 upstream.

This error happens because PIPEnsControlOut and PIPEnsControlIn unlock the
spin lock for delay, letting in another thread.

The patch moves the current MP_SET_FLAG to before filling
of sUsbCtlRequest for pControlURB and clears it in event of failing.

Any thread calling either function while fMP_CONTROL_READS or fMP_CONTROL_WRITES
flags set will return STATUS_FAILURE.

Signed-off-by: Malcolm Priestley <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agostaging: comedi: disallow COMEDI_DEVCONFIG on non-board minors
Ian Abbott [Mon, 28 Jan 2013 16:14:31 +0000 (16:14 +0000)]
staging: comedi: disallow COMEDI_DEVCONFIG on non-board minors

commit 754ab5c0e55dd118273ca2c217c4d95e9fbc8259 upstream.

Comedi has two sorts of minor devices:
(a) normal board minor devices in the range 0 to
COMEDI_NUM_BOARD_MINORS-1 inclusive; and
(b) special subdevice minor devices in the range COMEDI_NUM_BOARD_MINORS
upwards that are used to open the same underlying comedi device as the
normal board minor devices, but with non-default read and write
subdevices for asynchronous commands.

The special subdevice minor devices get created when a board supporting
asynchronous commands is attached to a normal board minor device, and
destroyed when the board is detached from the normal board minor device.
One way to attach or detach a board is by using the COMEDI_DEVCONFIG
ioctl.  This should only be used on normal board minors as the special
subdevice minors are too ephemeral.  In particular, the change
introduced in commit 7d3135af399e92cf4c9bbc5f86b6c140aab3b88c ("staging:
comedi: prevent auto-unconfig of manually configured devices") breaks
horribly for special subdevice minor devices.

Since there's no legitimate use for the COMEDI_DEVCONFIG ioctl on a
special subdevice minor device node, disallow it and return -ENOTTY.

Signed-off-by: Ian Abbott <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrm/i915: disable shared panel fitter for pipe
Mika Kuoppala [Fri, 8 Feb 2013 14:35:37 +0000 (16:35 +0200)]
drm/i915: disable shared panel fitter for pipe

commit 24a1f16de97c4cf0029d9acd04be06db32208726 upstream.

If encoder is switched off by BIOS, but the panel fitter is left on,
we never try to turn off the panel fitter and leave it still attached
to the pipe - which can cause blurry output elsewhere.

Based on work by Chris Wilson <>

Signed-off-by: Mika Kuoppala <>
Tested-by: Andreas Sturmlechner <>
[danvet: Remove the redundant HAS_PCH_SPLIT check and add a tiny
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoNLS: improve UTF8 -> UTF16 string conversion routine
Alan Stern [Thu, 17 Nov 2011 21:42:19 +0000 (16:42 -0500)]
NLS: improve UTF8 -> UTF16 string conversion routine

commit 0720a06a7518c9d0c0125bd5d1f3b6264c55c3dd upstream.

The utf8s_to_utf16s conversion routine needs to be improved.  Unlike
its utf16s_to_utf8s sibling, it doesn't accept arguments specifying
the maximum length of the output buffer or the endianness of its
16-bit output.

This patch (as1501) adds the two missing arguments, and adjusts the
only two places in the kernel where the function is called.  A
follow-on patch will add a third caller that does utilize the new

The two conversion routines are still annoyingly inconsistent in the
way they handle invalid byte combinations.  But that's a subject for a
different patch.

Signed-off-by: Alan Stern <>
CC: Clemens Ladisch <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrm/usb: bind driver to correct device
Dave Airlie [Thu, 7 Feb 2013 00:10:04 +0000 (10:10 +1000)]
drm/usb: bind driver to correct device

commit 9f23de52b64f7fb801fd76f3dd8651a0dc89187b upstream.

While looking at plymouth on udl I noticed that plymouth was trying
to use its fb plugin not its drm one, it was trying to drmOpen a driver called
usb not udl, noticed that we actually had out driver pointing at the wrong

Signed-off-by: Dave Airlie <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agosunvdc: Fix off-by-one in generic_request().
David S. Miller [Thu, 14 Feb 2013 19:49:01 +0000 (11:49 -0800)]
sunvdc: Fix off-by-one in generic_request().

[ Upstream commit f4d9605434c0fd4cc8639bf25cfc043418c52362 ]

The 'operations' bitmap corresponds one-for-one with the operation
codes, no adjustment is necessary.

Reported-by: Mark Kettenis <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoext4: add missing kfree() on error return path in add_new_gdb()
Dan Carpenter [Sat, 30 Jul 2011 16:58:41 +0000 (12:58 -0400)]
ext4: add missing kfree() on error return path in add_new_gdb()

commit c49bafa3842751b8955a962859f42d307673d75d upstream.

We added some more error handling in b40971426a "ext4: add error
checking to calls to ext4_handle_dirty_metadata()".  But we need to
call kfree() as well to avoid a memory leak.

Signed-off-by: Dan Carpenter <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Jeff Mahoney <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoext4: Free resources in some error path in ext4_fill_super
Tao Ma [Thu, 6 Oct 2011 16:10:11 +0000 (12:10 -0400)]
ext4: Free resources in some error path in ext4_fill_super

commit dcf2d804ed6ffe5e942b909ed5e5b74628be6ee4 upstream.

Some of the error path in ext4_fill_super don't release the
resouces properly. So this patch just try to release them
in the right way.

Signed-off-by: Tao Ma <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Jeff Mahoney <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: usb: Fix Processing Unit Descriptor parsers
Pawel Moll [Thu, 21 Feb 2013 01:55:50 +0000 (01:55 +0000)]
ALSA: usb: Fix Processing Unit Descriptor parsers

commit b531f81b0d70ffbe8d70500512483227cc532608 upstream.

Commit 99fc86450c439039d2ef88d06b222fd51a779176 "ALSA: usb-mixer:
parse descriptors with structs" introduced a set of useful parsers
for descriptors. Unfortunately the parses for the Processing Unit
Descriptor came with a very subtle bug...

Functions uac_processing_unit_iProcessing() and
uac_processing_unit_specific() were indexing the baSourceID array
forgetting the fields before the iProcessing and process-specific

The problem was observed with Sound Blaster Extigy mixer,
where nNrModes in Up/Down-mix Processing Unit Descriptor
was accessed at offset 10 of the descriptor (value 0)
instead of offset 15 (value 7). In result the resulting
control had interesting limit values:

Simple mixer control 'Channel Routing Mode Select',0
  Capabilities: volume volume-joined penum
  Playback channels: Mono
  Capture channels: Mono
  Limits: 0 - -1
  Mono: -1 [100%]

Fixed by starting from the bmControls, which was calculated
correctly, instead of baSourceID.

Now the mentioned control is fine:

Simple mixer control 'Channel Routing Mode Select',0
  Capabilities: volume volume-joined penum
  Playback channels: Mono
  Capture channels: Mono
  Limits: 0 - 6
  Mono: 0 [0%]

Signed-off-by: Pawel Moll <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: usb-audio: fix Roland A-PRO support
Clemens Ladisch [Thu, 31 Jan 2013 20:14:33 +0000 (21:14 +0100)]
ALSA: usb-audio: fix Roland A-PRO support

commit 7da58046482fceb17c4a0d4afefd9507ec56de7f upstream.

The quirk for the Roland/Cakewalk A-PRO keyboards accidentally used the
wrong interface number, which prevented the driver from attaching to the

Signed-off-by: Clemens Ladisch <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agop54usb: corrected USB ID for T-Com Sinus 154 data II
Tomasz Guszkowski [Tue, 5 Feb 2013 21:10:31 +0000 (22:10 +0100)]
p54usb: corrected USB ID for T-Com Sinus 154 data II

commit 008e33f733ca51acb2dd9d88ea878693b04d1d2a upstream.

Corrected USB ID for T-Com Sinus 154 data II. ISL3887-based. The
device was tested in managed mode with no security, WEP 128
bit and WPA-PSK (TKIP) with firmware (md5sum:
7d676323ac60d6e1a3b6d61e8c528248). It works.

Signed-off-by: Tomasz Guszkowski <>
Acked-By: Christian Lamparter <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoNLM: Ensure that we resend all pending blocking locks after a reclaim
Trond Myklebust [Tue, 19 Feb 2013 17:04:42 +0000 (12:04 -0500)]
NLM: Ensure that we resend all pending blocking locks after a reclaim

commit 666b3d803a511fbc9bc5e5ea8ce66010cf03ea13 upstream.

Currently, nlmclnt_lock will break out of the for(;;) loop when
the reclaimer wakes up the blocking lock thread by setting
nlm_lck_denied_grace_period. This causes the lock request to fail
with an ENOLCK error.
The intention was always to ensure that we resend the lock request
after the grace period has expired.

Reported-by: Wangyuan Zhang <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomm/fadvise.c: drain all pagevecs if POSIX_FADV_DONTNEED fails to discard all pages
Mel Gorman [Sat, 23 Feb 2013 00:35:59 +0000 (16:35 -0800)]
mm/fadvise.c: drain all pagevecs if POSIX_FADV_DONTNEED fails to discard all pages

commit 67d46b296a1ba1477c0df8ff3bc5e0167a0b0732 upstream.

Rob van der Heij reported the following (paraphrased) on private mail.

The scenario is that I want to avoid backups to fill up the page
cache and purge stuff that is more likely to be used again (this is
with s390x Linux on z/VM, so I don't give it as much memory that
we don't care anymore). So I have something with LD_PRELOAD that
intercepts the close() call (from tar, in this case) and issues
a posix_fadvise() just before closing the file.

This mostly works, except for small files (less than 14 pages)
that remains in page cache after the face.

Unfortunately Rob has not had a chance to test this exact patch but the
test program below should be reproducing the problem he described.

The issue is the per-cpu pagevecs for LRU additions.  If the pages are
added by one CPU but fadvise() is called on another then the pages
remain resident as the invalidate_mapping_pages() only drains the local
pagevecs via its call to pagevec_release().  The user-visible effect is
that a program that uses fadvise() properly is not obeyed.

A possible fix for this is to put the necessary smarts into
invalidate_mapping_pages() to globally drain the LRU pagevecs if a
pagevec page could not be discarded.  The downside with this is that an
inode cache shrink would send a global IPI and memory pressure
potentially causing global IPI storms is very undesirable.

Instead, this patch adds a check during fadvise(POSIX_FADV_DONTNEED) to
check if invalidate_mapping_pages() discarded all the requested pages.
If a subset of pages are discarded it drains the LRU pagevecs and tries
again.  If the second attempt fails, it assumes it is due to the pages
being mapped, locked or dirty and does not care.  With this patch, an
application using fadvise() correctly will be obeyed but there is a
downside that a malicious application can force the kernel to send
global IPIs and increase overhead.

If accepted, I would like this to be considered as a -stable candidate.
It's not an urgent issue but it's a system call that is not working as
advertised which is weak.

The following test program demonstrates the problem.  It should never
report that pages are still resident but will without this patch.  It
assumes that CPU 0 and 1 exist.

int main() {
int fd;
int pagesize = getpagesize();
ssize_t written = 0, expected;
char *buf;
unsigned char *vec;
int resident, i;
cpu_set_t set;

/* Prepare a buffer for writing */
expected = FILESIZE_PAGES * pagesize;
buf = malloc(expected + 1);
if (buf == NULL) {
buf[expected] = 0;
memset(buf, 'a', expected);

/* Prepare the mincore vec */
vec = malloc(FILESIZE_PAGES);
if (vec == NULL) {

/* Bind ourselves to CPU 0 */
CPU_SET(0, &set);
if (sched_setaffinity(getpid(), sizeof(set), &set) == -1) {

/* open file, unlink and write buffer */
fd = open("fadvise-test-file", O_CREAT|O_EXCL|O_RDWR);
if (fd == -1) {
while (written < expected) {
ssize_t this_write;
this_write = write(fd, buf + written, expected - written);

if (this_write == -1) {

written += this_write;

 * Force ourselves to another CPU. If fadvise only flushes the local
 * CPUs pagevecs then the fadvise will fail to discard all file pages
CPU_SET(1, &set);
if (sched_setaffinity(getpid(), sizeof(set), &set) == -1) {

/* sync and fadvise to discard the page cache */
if (posix_fadvise(fd, 0, expected, POSIX_FADV_DONTNEED) == -1) {

/* map the file and use mincore to see which parts of it are resident */
buf = mmap(NULL, expected, PROT_READ, MAP_SHARED, fd, 0);
if (buf == NULL) {
if (mincore(buf, expected, vec) == -1) {

/* Check residency */
for (i = 0, resident = 0; i < FILESIZE_PAGES; i++) {
if (vec[i])
if (resident != 0) {
printf("Nr unexpected pages resident: %d\n", resident);

munmap(buf, expected);

Signed-off-by: Mel Gorman <>
Reported-by: Rob van der Heij <>
Tested-by: Rob van der Heij <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotmpfs: fix use-after-free of mempolicy object
Greg Thelen [Sat, 23 Feb 2013 00:36:01 +0000 (16:36 -0800)]
tmpfs: fix use-after-free of mempolicy object

commit 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 upstream.

The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
option is not specified in the remount request.  A new policy can be
specified if mpol=M is given.

Before this patch remounting an mpol bound tmpfs without specifying
mpol= mount option in the remount request would set the filesystem's
mempolicy object to a freed mempolicy object.

To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
    # mkdir /tmp/x

    # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x

    # grep /tmp/x /proc/mounts
    nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0

    # mount -o remount,size=200M nodev /tmp/x

    # grep /tmp/x /proc/mounts
    nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
        # note ? garbage in mpol=... output above

    # dd if=/dev/zero of=/tmp/x/f count=1
        # panic here

    BUG: unable to handle kernel NULL pointer dereference at           (null)
    IP: [<          (null)>]           (null)
    Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
    Call Trace:

Non-debug kernels will not crash immediately because referencing the
dangling mpol will not cause a fault.  Instead the filesystem will
reference a freed mempolicy object, which will cause unpredictable

The problem boils down to a dropped mpol reference below if
shmem_parse_options() does not allocate a new mpol:

    config = *sbinfo
    shmem_parse_options(data, &config, true)
    sbinfo->mpol = config.mpol  /* BUG: saves unreferenced mpol */

This patch avoids the crash by not releasing the mempolicy if
shmem_parse_options() doesn't create a new mpol.

How far back does this issue go? I see it in both 2.6.36 and 3.3.  I did
not look back further.

Signed-off-by: Greg Thelen <>
Acked-by: Hugh Dickins <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrivers/video/backlight/adp88?0_bl.c: fix resume
Lars-Peter Clausen [Fri, 22 Feb 2013 00:44:04 +0000 (16:44 -0800)]
drivers/video/backlight/adp88?0_bl.c: fix resume

commit 5eb02c01bd1f3ef195989ab05e835e2b0711b5a9 upstream.

Clearing the NSTBY bit in the control register also automatically clears
the BLEN bit.  So we need to make sure to set it again during resume,
otherwise the backlight will stay off.

Signed-off-by: Lars-Peter Clausen <>
Acked-by: Michael Hennerich <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoocfs2: unlock super lock if lockres refresh failed
Junxiao Bi [Fri, 22 Feb 2013 00:42:45 +0000 (16:42 -0800)]
ocfs2: unlock super lock if lockres refresh failed

commit 3278bb748d2437eb1464765f36429e5d6aa91c38 upstream.

If lockres refresh failed, the super lock will never be released which
will cause some processes on other cluster nodes hung forever.

Signed-off-by: Junxiao Bi <>
Cc: Joel Becker <>
Cc: Mark Fasheh <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoinotify: remove broken mask checks causing unmount to be EINVAL
Jim Somerville [Fri, 22 Feb 2013 00:41:59 +0000 (16:41 -0800)]
inotify: remove broken mask checks causing unmount to be EINVAL

commit 676a0675cf9200ac047fb50825f80867b3bb733b upstream.

Running the command:

inotifywait -e unmount /mnt/disk

immediately aborts with a -EINVAL return code.  This is however a valid
parameter.  This abort occurs only if unmount is the sole event
parameter.  If other event parameters are supplied, then the unmount
event wait will work.

The problem was introduced by commit 44b350fc23e ("inotify: Fix mask
checks").  In that commit, it states:

The mask checks in inotify_update_existing_watch() and
inotify_new_watch() are useless because inotify_arg_to_mask()
sets FS_IN_IGNORED and FS_EVENT_ON_CHILD bits anyway.

But instead of removing the useless checks, it did this:

        mask = inotify_arg_to_mask(arg);
-       if (unlikely(!mask))
+       if (unlikely(!(mask & IN_ALL_EVENTS)))
                return -EINVAL;

The problem is that IN_ALL_EVENTS doesn't include IN_UNMOUNT, and other
parts of the code keep IN_UNMOUNT separate from IN_ALL_EVENTS.  So the
check should be:

if (unlikely(!(mask & (IN_ALL_EVENTS | IN_UNMOUNT))))

But inotify_arg_to_mask(arg) always sets the IN_UNMOUNT bit in the mask
anyway, so the check is always going to pass and thus should simply be
removed.  Also note that inotify_arg_to_mask completely controls what
mask bits get set from arg, there's no way for invalid bits to get
enabled there.

Lets fix it by simply removing the useless broken checks.

Signed-off-by: Jim Somerville <>
Signed-off-by: Paul Gortmaker <>
Cc: Jerome Marchand <>
Cc: John McCutchan <>
Cc: Robert Love <>
Cc: Eric Paris <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agos390/kvm: Fix store status for ACRS/FPRS
Christian Borntraeger [Fri, 25 Jan 2013 14:34:15 +0000 (15:34 +0100)]
s390/kvm: Fix store status for ACRS/FPRS

commit 15bc8d8457875f495c59d933b05770ba88d1eacb upstream.

On store status we need to copy the current state of registers
into a save area. Currently we might save stale versions:
The sie state descriptor doesnt have fields for guest ACRS,FPRS,
those registers are simply stored in the host registers. The host
program must copy these away if needed. We do that in vcpu_put/load.

If we now do a store status in KVM code between vcpu_put/load, the
saved values are not up-to-date. Lets collect the ACRS/FPRS before
saving them.

This also fixes some strange problems with hotplug and virtio-ccw,
since the low level machine check handler (on hotplug a machine check
will happen) will revalidate all registers with the content of the
save area.

Signed-off-by: Christian Borntraeger <>
Signed-off-by: Gleb Natapov <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoKVM: s390: Handle hosts not supporting s390-virtio.
Cornelia Huck [Fri, 14 Dec 2012 16:02:16 +0000 (17:02 +0100)]
KVM: s390: Handle hosts not supporting s390-virtio.

commit 55c171a6d90dc0574021f9c836127cfd1a7d2e30 upstream.

Running under a kvm host does not necessarily imply the presence of
a page mapped above the main memory with the virtio information;
however, the code includes a hard coded access to that page.

Instead, check for the presence of the page and exit gracefully
before we hit an addressing exception if it does not exist.

Reviewed-by: Marcelo Tosatti <>
Reviewed-by: Alexander Graf <>
Signed-off-by: Cornelia Huck <>
Signed-off-by: Gleb Natapov <>
Signed-off-by: Greg Kroah-Hartman <>