6 years agoLinux
Greg Kroah-Hartman [Tue, 3 Jan 2012 17:51:09 +0000 (09:51 -0800)]

6 years agoRevert "clockevents: Set noop handler in clockevents_exchange_device()"
Linus Torvalds [Fri, 30 Dec 2011 21:24:40 +0000 (13:24 -0800)]
Revert "clockevents: Set noop handler in clockevents_exchange_device()"

commit 3b87487ac5008072f138953b07505a7e3493327f upstream.

This reverts commit de28f25e8244c7353abed8de0c7792f5f883588c.

It results in resume problems for various people. See for example

and the fedora and ubuntu bug reports

which got bisected down to the stable version of this commit.

Reported-by: Jonathan Nieder <>
Reported-by: Phil Miller <>
Reported-by: Philip Langdale <>
Reported-by: Tim Gardner <>
Cc: Thomas Gleixner <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoLinux
Greg Kroah-Hartman [Wed, 21 Dec 2011 21:05:40 +0000 (13:05 -0800)]

6 years agoUSB: cdc-acm: add IDs for Motorola H24 HSPA USB module.
Krzysztof Hałasa [Mon, 12 Dec 2011 13:51:00 +0000 (14:51 +0100)]
USB: cdc-acm: add IDs for Motorola H24 HSPA USB module.

commit 6abff5dc4d5a2c90e597137ce8987e7fd439259b upstream.

Add USB IDs for Motorola H24 HSPA USB module.

Signed-off-by: Krzysztof Hałasa <>
Acked-by: Oliver Neukum <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoext4: avoid hangs in ext4_da_should_update_i_disksize()
Andrea Arcangeli [Wed, 14 Dec 2011 02:41:15 +0000 (21:41 -0500)]
ext4: avoid hangs in ext4_da_should_update_i_disksize()

commit ea51d132dbf9b00063169c1159bee253d9649224 upstream.

If the pte mapping in generic_perform_write() is unmapped between
iov_iter_fault_in_readable() and iov_iter_copy_from_user_atomic(), the
"copied" parameter to ->end_write can be zero. ext4 couldn't cope with
it with delayed allocations enabled. This skips the i_disksize
enlargement logic if copied is zero and no new data was appeneded to
the inode.

 gdb> bt
 #0  0xffffffff811afe80 in ext4_da_should_update_i_disksize (file=0xffff88003f606a80, mapping=0xffff88001d3824e0, pos=0x1\
 08000, len=0x1000, copied=0x0, page=0xffffea0000d792e8, fsdata=0x0) at fs/ext4/inode.c:2467
 #1  ext4_da_write_end (file=0xffff88003f606a80, mapping=0xffff88001d3824e0, pos=0x108000, len=0x1000, copied=0x0, page=0\
 xffffea0000d792e8, fsdata=0x0) at fs/ext4/inode.c:2512
 #2  0xffffffff810d97f1 in generic_perform_write (iocb=<value optimized out>, iov=<value optimized out>, nr_segs=<value o\
 ptimized out>, pos=0x108000, ppos=0xffff88001e26be40, count=<value optimized out>, written=0x0) at mm/filemap.c:2440
 #3  generic_file_buffered_write (iocb=<value optimized out>, iov=<value optimized out>, nr_segs=<value optimized out>, p\
 os=0x108000, ppos=0xffff88001e26be40, count=<value optimized out>, written=0x0) at mm/filemap.c:2482
 #4  0xffffffff810db5d1 in __generic_file_aio_write (iocb=0xffff88001e26bde8, iov=0xffff88001e26bec8, nr_segs=0x1, ppos=0\
 xffff88001e26be40) at mm/filemap.c:2600
 #5  0xffffffff810db853 in generic_file_aio_write (iocb=0xffff88001e26bde8, iov=0xffff88001e26bec8, nr_segs=<value optimi\
 zed out>, pos=<value optimized out>) at mm/filemap.c:2632
 #6  0xffffffff811a71aa in ext4_file_write (iocb=0xffff88001e26bde8, iov=0xffff88001e26bec8, nr_segs=0x1, pos=0x108000) a\
 t fs/ext4/file.c:136
 #7  0xffffffff811375aa in do_sync_write (filp=0xffff88003f606a80, buf=<value optimized out>, len=<value optimized out>, \
 ppos=0xffff88001e26bf48) at fs/read_write.c:406
 #8  0xffffffff81137e56 in vfs_write (file=0xffff88003f606a80, buf=0x1ec2960 <Address 0x1ec2960 out of bounds>, count=0x4\
 000, pos=0xffff88001e26bf48) at fs/read_write.c:435
 #9  0xffffffff8113816c in sys_write (fd=<value optimized out>, buf=0x1ec2960 <Address 0x1ec2960 out of bounds>, count=0x\
 4000) at fs/read_write.c:487
 #10 <signal handler called>
 #11 0x00007f120077a390 in __brk_reservation_fn_dmi_alloc__ ()
 #12 0x0000000000000000 in ?? ()
 gdb> print offset
 $22 = 0xffffffffffffffff
 gdb> print idx
 $23 = 0xffffffff
 gdb> print inode->i_blkbits
 $24 = 0xc
 gdb> up
 #1  ext4_da_write_end (file=0xffff88003f606a80, mapping=0xffff88001d3824e0, pos=0x108000, len=0x1000, copied=0x0, page=0\
 xffffea0000d792e8, fsdata=0x0) at fs/ext4/inode.c:2512
 2512                    if (ext4_da_should_update_i_disksize(page, end)) {
 gdb> print start
 $25 = 0x0
 gdb> print end
 $26 = 0xffffffffffffffff
 gdb> print pos
 $27 = 0x108000
 gdb> print new_i_size
 $28 = 0x108000
 gdb> print ((struct ext4_inode_info *)((char *)inode-((int)(&((struct ext4_inode_info *)0)->vfs_inode))))->i_disksize
 $29 = 0xd9000
 gdb> down
 2467            for (i = 0; i < idx; i++)
 gdb> print i
 $30 = 0xd44acbee

This is 100% reproducible with some autonuma development code tuned in
a very aggressive manner (not normal way even for knumad) which does
"exotic" changes to the ptes. It wouldn't normally trigger but I don't
see why it can't happen normally if the page is added to swap cache in
between the two faults leading to "copied" being zero (which then
hangs in ext4). So it should be fixed. Especially possible with lumpy
reclaim (albeit disabled if compaction is enabled) as that would
ignore the young bits in the ptes.

Signed-off-by: Andrea Arcangeli <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agooprofile, x86: Fix crash when unloading module (timer mode)
Robert Richter [Mon, 12 Dec 2011 23:40:36 +0000 (00:40 +0100)]
oprofile, x86: Fix crash when unloading module (timer mode)

Based on 97f7f81 oprofile, x86: Fix crash when unloading module (nmi timer
mode) upstream.

Fix for stable kernels v2.6.28.y to v2.6.34.y. This patch is for .32.

Oprofile crashs while unlaoding modules and if in timer mode. Timer
mode is the fallback if the architectural initialization fails. The
pointer variable model is then used uninitialzied during exit causing
a NULL pointer dereference.

It can be triggered with kernel parameters oprofile.timer=1 nolapic
used. Happens esp. in virtual machine environments.

oprofile: using timer interrupt.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
IP: [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile]
PGD 42ac5e067 PUD 42ac5d067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
last sysfs file: /sys/module/oprofile/refcnt
Modules linked in: oprofile(-)
Pid: 2245, comm: modprobe Not tainted #69 Anaheim
RIP: 0010:[<ffffffffa000251f>]  [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile]
RSP: 0018:ffff88042d4f9ec8  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffffa0005590 RCX: ffff88042d4f9ea8
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffff88042d4f9ec8 R08: ffff88042d4f9ee8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000080
R13: 00000000fffffff5 R14: 0000000000000001 R15: 00000000006101e0
FS:  00007fef6ac9c700(0000) GS:ffff880028200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000028 CR3: 000000042ac60000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process modprobe (pid: 2245, threadinfo ffff88042d4f8000, task ffff88042cd66040)
 ffff88042d4f9ed8 ffffffffa0002096 ffff88042d4f9ee8 ffffffffa0003bbb
<0> ffff88042d4f9f78 ffffffff810748ad 656c69666f72706f 00007fff77a07800
<0> ffff88042d4f9f28 ffffffff81068414 000000000060f180 0000000000000000
Call Trace:
 [<ffffffffa0002096>] oprofile_arch_exit+0xe/0x10 [oprofile]
 [<ffffffffa0003bbb>] oprofile_exit+0x13/0x15 [oprofile]
 [<ffffffff810748ad>] sys_delete_module+0x1cd/0x244
 [<ffffffff81068414>] ? trace_hardirqs_on_caller+0x114/0x13f
 [<ffffffff8143ad47>] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [<ffffffff8100b13b>] system_call_fastpath+0x16/0x1b
Code: 48 c7 c7 90 4e 00 a0 e8 e7 15 22 e1 48 c7 c7 e0 4e 00 a0 e8 bd 18 22 e1 48 c7 c7 70 4e 00 a0 e8 94 4e 41 e1 48 8b 05 d1 39 00 00 <48> 8b 40 28 48 85 c0 74 02 ff d0 c9 c3 55 48 89 e5 e8 cb 88 00
RIP  [<ffffffffa000251f>] op_nmi_exit+0x3d/0x4a [oprofile]
 RSP <ffff88042d4f9ec8>
CR2: 0000000000000028
---[ end trace 18b12420ceb19193 ]---

Signed-off-by: Robert Richter <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agooprofile, x86: Fix nmi-unsafe callgraph support
Robert Richter [Mon, 12 Dec 2011 23:40:35 +0000 (00:40 +0100)]
oprofile, x86: Fix nmi-unsafe callgraph support

commit a0e3e70243f5b270bc3eca718f0a9fa5e6b8262e upstream.

Backport for stable kernel v2.6.32.y to v2.6.36.y.

Current oprofile's x86 callgraph support may trigger page faults
throwing the BUG_ON(in_nmi()) message below. This patch fixes this by
using the same nmi-safe copy-from-user code as in perf.

------------[ cut here ]------------
kernel BUG at .../arch/x86/kernel/traps.c:436!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:0a.0/0000:07:00.0/0000:08:04.0/net/eth0/broadcast
Modules linked in:

Pid: 8611, comm: opcontrol Not tainted 2.6.39-00007-gfe47ae7 #1 Advanced Micro Device Anaheim/Anaheim
RIP: 0010:[<ffffffff813e8e35>]  [<ffffffff813e8e35>] do_nmi+0x22/0x1ee
RSP: 0000:ffff88042fd47f28  EFLAGS: 00010002
RAX: ffff88042c0a7fd8 RBX: 0000000000000001 RCX: 00000000c0000101
RDX: 00000000ffff8804 RSI: ffffffffffffffff RDI: ffff88042fd47f58
RBP: ffff88042fd47f48 R08: 0000000000000004 R09: 0000000000001484
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88042fd47f58
R13: 0000000000000000 R14: ffff88042fd47d98 R15: 0000000000000020
FS:  00007fca25e56700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000074 CR3: 000000042d28b000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process opcontrol (pid: 8611, threadinfo ffff88042c0a6000, task ffff88042c532310)
 0000000000000000 0000000000000001 ffff88042c0a7fd8 0000000000000000
 ffff88042fd47de8 ffffffff813e897a 0000000000000020 ffff88042fd47d98
 0000000000000000 ffff88042c0a7fd8 ffff88042fd47de8 0000000000000074
Call Trace:
 [<ffffffff813e897a>] nmi+0x1a/0x20
 [<ffffffff813f08ab>] ? bad_to_user+0x25/0x771
Code: ff 59 5b 41 5c 41 5d c9 c3 55 65 48 8b 04 25 88 b5 00 00 48 89 e5 41 55 41 54 49 89 fc 53 48 83 ec 08 f6 80 47 e0 ff ff 04 74 04 <0f> 0b eb fe 81 80 44 e0 ff ff 00 00 01 04 65 ff 04 25 c4 0f 01
RIP  [<ffffffff813e8e35>] do_nmi+0x22/0x1ee
 RSP <ffff88042fd47f28>
---[ end trace ed6752185092104b ]---
Kernel panic - not syncing: Fatal exception in interrupt
Pid: 8611, comm: opcontrol Tainted: G      D     2.6.39-00007-gfe47ae7 #1
Call Trace:
 <NMI>  [<ffffffff813e5e0a>] panic+0x8c/0x188
 [<ffffffff813e915c>] oops_end+0x81/0x8e
 [<ffffffff8100403d>] die+0x55/0x5e
 [<ffffffff813e8c45>] do_trap+0x11c/0x12b
 [<ffffffff810023c8>] do_invalid_op+0x91/0x9a
 [<ffffffff813e8e35>] ? do_nmi+0x22/0x1ee
 [<ffffffff8131e6fa>] ? oprofile_add_sample+0x83/0x95
 [<ffffffff81321670>] ? op_amd_check_ctrs+0x4f/0x2cf
 [<ffffffff813ee4d5>] invalid_op+0x15/0x20
 [<ffffffff813e8e35>] ? do_nmi+0x22/0x1ee
 [<ffffffff813e8e7a>] ? do_nmi+0x67/0x1ee
 [<ffffffff813e897a>] nmi+0x1a/0x20
 [<ffffffff813f08ab>] ? bad_to_user+0x25/0x771

Cc: John Lumby <>
Cc: Maynard Johnson <>
Signed-off-by: Robert Richter <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoexport __get_user_pages_fast() function
Xiao Guangrong [Mon, 12 Dec 2011 23:40:34 +0000 (00:40 +0100)]
export __get_user_pages_fast() function

commit 45888a0c6edc305495b6bd72a30e66bc40b324c6 upstream.

Backport for stable kernel v2.6.32.y to v2.6.36.y.

Needed for next patch:

 oprofile, x86: Fix nmi-unsafe callgraph support

This function is used by KVM to pin process's page in the atomic context.

Define the 'weak' function to avoid other architecture not support it

Acked-by: Nick Piggin <>
Signed-off-by: Xiao Guangrong <>
Signed-off-by: Marcelo Tosatti <>
Signed-off-by: Robert Richter <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agohfs: fix hfs_find_init() sb->ext_tree NULL ptr oops
Phillip Lougher [Wed, 2 Nov 2011 20:38:01 +0000 (13:38 -0700)]
hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops

commit 434a964daa14b9db083ce20404a4a2add54d037a upstream.

Clement Lecigne reports a filesystem which causes a kernel oops in
hfs_find_init() trying to dereference sb->ext_tree which is NULL.

This proves to be because the filesystem has a corrupted MDB extent
record, where the extents file does not fit into the first three extents
in the file record (the first blocks).

In hfs_get_block() when looking up the blocks for the extent file
(HFS_EXT_CNID), it fails the first blocks special case, and falls
through to the extent code (which ultimately calls hfs_find_init())
which is in the process of being initialised.

Hfs avoids this scenario by always having the extents b-tree fitting
into the first blocks (the extents B-tree can't have overflow extents).

The fix is to check at mount time that the B-tree fits into first
blocks, i.e.  fail if HFS_I(inode)->alloc_blocks >=

Note, the existing commit 47f365eb57573 ("hfs: fix oops on mount with
corrupted btree extent records") becomes subsumed into this as a special
case, but only for the extents B-tree (HFS_EXT_CNID), it is perfectly
acceptable for the catalog B-Tree file to grow beyond three extents,
with the remaining extent descriptors in the extents overfow.

This fixes CVE-2011-2203

Reported-by: Clement LECIGNE <>
Signed-off-by: Phillip Lougher <>
Cc: Jeff Mahoney <>
Cc: Christoph Hellwig <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Cc: Moritz Mühlenhoff <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoMake TASKSTATS require root access
Linus Torvalds [Tue, 20 Sep 2011 00:04:37 +0000 (17:04 -0700)]
Make TASKSTATS require root access

commit 1a51410abe7d0ee4b1d112780f46df87d3621043 upstream.

Ok, this isn't optimal, since it means that 'iotop' needs admin
capabilities, and we may have to work on this some more.  But at the
same time it is very much not acceptable to let anybody just read
anybody elses IO statistics quite at this level.

Use of the GENL_ADMIN_PERM suggested by Johannes Berg as an alternative
to checking the capabilities by hand.

Reported-by: Vasiliy Kulikov <>
Cc: Johannes Berg <>
Acked-by: Balbir Singh <>
Signed-off-by: Linus Torvalds <>
Cc: Moritz Mühlenhoff <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agojbd/jbd2: validate sb->s_first in journal_get_superblock()
Eryu Guan [Tue, 1 Nov 2011 23:04:59 +0000 (19:04 -0400)]
jbd/jbd2: validate sb->s_first in journal_get_superblock()

commit 8762202dd0d6e46854f786bdb6fb3780a1625efe upstream.

I hit a J_ASSERT(blocknr != 0) failure in cleanup_journal_tail() when
mounting a fsfuzzed ext3 image. It turns out that the corrupted ext3
image has s_first = 0 in journal superblock, and the 0 is passed to
journal->j_head in journal_reset(), then to blocknr in
cleanup_journal_tail(), in the end the J_ASSERT failed.

So validate s_first after reading journal superblock from disk in
journal_get_superblock() to ensure s_first is valid.

The following script could reproduce it:

magic="c0 3b 39 98"

dd if=/dev/zero of=$img bs=1M count=8
mkfs -t $fstype -b $blocksize -F $img
filesize=`stat -c %s $img`
while [ $offset -lt $filesize ]
        if od -j $offset -N 4 -t x1 $img | grep -i "$magic";then
                echo "Found journal: $offset"
        offset=`echo "$offset+$blocksize" | bc`

if [ $found -ne 1 ];then
        echo "Magic \"$magic\" not found"
        exit 1

dd if=/dev/zero of=$img seek=$(($offset+23)) conv=notrunc bs=1 count=1

mkdir -p ./mnt
mount -o loop $img ./mnt

Cc: Jan Kara <>
Signed-off-by: Eryu Guan <>
Signed-off-by: "Theodore Ts'o" <>
Cc: Moritz Mühlenhoff <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agolinux/log2.h: Fix rounddown_pow_of_two(1)
Linus Torvalds [Tue, 13 Dec 2011 06:06:55 +0000 (22:06 -0800)]
linux/log2.h: Fix rounddown_pow_of_two(1)

commit 13c07b0286d340275f2d97adf085cecda37ede37 upstream.

Exactly like roundup_pow_of_two(1), the rounddown version was buggy for
the case of a compile-time constant '1' argument.  Probably because it
originated from the same code, sharing history with the roundup version
from before the bugfix (for that one, see commit 1a06a52ee1b0: "Fix

However, unlike the roundup version, the fix for rounddown is to just
remove the broken special case entirely.  It's simply not needed - the
generic code

    1UL << ilog2(n)

does the right thing for the constant '1' argment too.  The only reason
roundup needed that special case was because rounding up does so by
subtracting one from the argument (and then adding one to the result)
causing the obvious problems with "ilog2(0)".

But rounddown doesn't do any of that, since ilog2() naturally truncates
(ie "rounds down") to the right rounded down value.  And without the
ilog2(0) case, there's no reason for the special case that had the wrong

tl;dr: rounddown_pow_of_two(1) should be 1, not 0.

Acked-by: Dmitry Torokhov <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoxfrm: Fix key lengths for rfc3686(ctr(aes))
Tushar Gohad [Thu, 28 Jul 2011 10:36:20 +0000 (10:36 +0000)]
xfrm: Fix key lengths for rfc3686(ctr(aes))

commit 4203223a1aed862b4445fdcd260d6139603a51d9 upstream.

Fix the min and max bit lengths for AES-CTR (RFC3686) keys.
The number of bits in key spec is the key length (128/256)
plus 32 bits of nonce.

This change takes care of the "Invalid key length" errors
reported by setkey when specifying 288 bit keys for aes-ctr.

Signed-off-by: Tushar Gohad <>
Acked-by: Herbert Xu <>
Signed-off-by: David S. Miller <>
Signed-off-by: Calvin Owens <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agopercpu: fix chunk range calculation
Tejun Heo [Fri, 18 Nov 2011 18:55:35 +0000 (10:55 -0800)]
percpu: fix chunk range calculation

commit a855b84c3d8c73220d4d3cd392a7bee7c83de70e upstream.

Percpu allocator recorded the cpus which map to the first and last
units in pcpu_first/last_unit_cpu respectively and used them to
determine the address range of a chunk - e.g. it assumed that the
first unit has the lowest address in a chunk while the last unit has
the highest address.

This simply isn't true.  Groups in a chunk can have arbitrary positive
or negative offsets from the previous one and there is no guarantee
that the first unit occupies the lowest offset while the last one the

Fix it by actually comparing unit offsets to determine cpus occupying
the lowest and highest offsets.  Also, rename pcu_first/last_unit_cpu
to pcpu_low/high_unit_cpu to avoid confusion.

The chunk address range is used to flush cache on vmalloc area
map/unmap and decide whether a given address is in the first chunk by
per_cpu_ptr_to_phys() and the bug was discovered by invalid
per_cpu_ptr_to_phys() translation for crash_note.

Kudos to Dave Young for tracking down the problem.

Signed-off-by: Tejun Heo <>
Reported-by: WANG Cong <>
Reported-by: Dave Young <>
Tested-by: Dave Young <>
LKML-Reference: <>
Signed-off-by: Thomas Renninger <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agooprofile: Fix locking dependency in sync_start()
Robert Richter [Wed, 7 Dec 2011 17:30:11 +0000 (18:30 +0100)]
oprofile: Fix locking dependency in sync_start()

commit 130c5ce716c9bfd1c2a2ec840a746eb7ff9ce1e6 upstream.

This fixes the A->B/B->A locking dependency, see the warning below.

The function task_exit_notify() is called with (task_exit_notifier)
.rwsem set and then calls sync_buffer() which locks buffer_mutex. In
sync_start() the buffer_mutex was set to prevent notifier functions to
be started before sync_start() is finished. But when registering the
notifier, (task_exit_notifier).rwsem is locked too, but now in
different order than in sync_buffer(). In theory this causes a locking
dependency, what does not occur in practice since task_exit_notify()
is always called after the notifier is registered which means the lock
is already released.

However, after checking the notifier functions it turned out the
buffer_mutex in sync_start() is unnecessary. This is because
sync_buffer() may be called from the notifiers even if sync_start()
did not finish yet, the buffers are already allocated but empty. No
need to protect this with the mutex.

So we fix this theoretical locking dependency by removing buffer_mutex
in sync_start(). This is similar to the implementation before commit:

 750d857 oprofile: fix crash when accessing freed task structs

which introduced the locking dependency.

Lockdep warning:

oprofiled/4447 is trying to acquire lock:
 (buffer_mutex){+.+...}, at: [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile]

but task is already holding lock:
 ((task_exit_notifier).rwsem){++++..}, at: [<ffffffff81058026>] __blocking_notifier_call_chain+0x39/0x67

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 ((task_exit_notifier).rwsem){++++..}:
       [<ffffffff8106557f>] lock_acquire+0xf8/0x11e
       [<ffffffff81463a2b>] down_write+0x44/0x67
       [<ffffffff810581c0>] blocking_notifier_chain_register+0x52/0x8b
       [<ffffffff8105a6ac>] profile_event_register+0x2d/0x2f
       [<ffffffffa00013c1>] sync_start+0x47/0xc6 [oprofile]
       [<ffffffffa00001bb>] oprofile_setup+0x60/0xa5 [oprofile]
       [<ffffffffa00014e3>] event_buffer_open+0x59/0x8c [oprofile]
       [<ffffffff810cd3b9>] __dentry_open+0x1eb/0x308
       [<ffffffff810cd59d>] nameidata_to_filp+0x60/0x67
       [<ffffffff810daad6>] do_last+0x5be/0x6b2
       [<ffffffff810dbc33>] path_openat+0xc7/0x360
       [<ffffffff810dbfc5>] do_filp_open+0x3d/0x8c
       [<ffffffff810ccfd2>] do_sys_open+0x110/0x1a9
       [<ffffffff810cd09e>] sys_open+0x20/0x22
       [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b

-> #0 (buffer_mutex){+.+...}:
       [<ffffffff81064dfb>] __lock_acquire+0x1085/0x1711
       [<ffffffff8106557f>] lock_acquire+0xf8/0x11e
       [<ffffffff814634f0>] mutex_lock_nested+0x63/0x309
       [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile]
       [<ffffffffa0001226>] task_exit_notify+0x16/0x1a [oprofile]
       [<ffffffff81467b96>] notifier_call_chain+0x37/0x63
       [<ffffffff8105803d>] __blocking_notifier_call_chain+0x50/0x67
       [<ffffffff81058068>] blocking_notifier_call_chain+0x14/0x16
       [<ffffffff8105a718>] profile_task_exit+0x1a/0x1c
       [<ffffffff81039e8f>] do_exit+0x2a/0x6fc
       [<ffffffff8103a5e4>] do_group_exit+0x83/0xae
       [<ffffffff8103a626>] sys_exit_group+0x17/0x1b
       [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b

other info that might help us debug this:

1 lock held by oprofiled/4447:
 #0:  ((task_exit_notifier).rwsem){++++..}, at: [<ffffffff81058026>] __blocking_notifier_call_chain+0x39/0x67

stack backtrace:
Pid: 4447, comm: oprofiled Not tainted 2.6.39-00007-gcf4d8d4 #10
Call Trace:
 [<ffffffff81063193>] print_circular_bug+0xae/0xbc
 [<ffffffff81064dfb>] __lock_acquire+0x1085/0x1711
 [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile]
 [<ffffffff8106557f>] lock_acquire+0xf8/0x11e
 [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile]
 [<ffffffff81062627>] ? mark_lock+0x42f/0x552
 [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile]
 [<ffffffff814634f0>] mutex_lock_nested+0x63/0x309
 [<ffffffffa0000e55>] ? sync_buffer+0x31/0x3ec [oprofile]
 [<ffffffffa0000e55>] sync_buffer+0x31/0x3ec [oprofile]
 [<ffffffff81058026>] ? __blocking_notifier_call_chain+0x39/0x67
 [<ffffffff81058026>] ? __blocking_notifier_call_chain+0x39/0x67
 [<ffffffffa0001226>] task_exit_notify+0x16/0x1a [oprofile]
 [<ffffffff81467b96>] notifier_call_chain+0x37/0x63
 [<ffffffff8105803d>] __blocking_notifier_call_chain+0x50/0x67
 [<ffffffff81058068>] blocking_notifier_call_chain+0x14/0x16
 [<ffffffff8105a718>] profile_task_exit+0x1a/0x1c
 [<ffffffff81039e8f>] do_exit+0x2a/0x6fc
 [<ffffffff81465031>] ? retint_swapgs+0xe/0x13
 [<ffffffff8103a5e4>] do_group_exit+0x83/0xae
 [<ffffffff8103a626>] sys_exit_group+0x17/0x1b
 [<ffffffff8146ad4b>] system_call_fastpath+0x16/0x1b

Reported-by: Marcin Slusarz <>
Cc: Carl Love <>
Signed-off-by: Robert Richter <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agooprofile: Free potentially owned tasks in case of errors
Robert Richter [Wed, 7 Dec 2011 17:30:10 +0000 (18:30 +0100)]
oprofile: Free potentially owned tasks in case of errors

commit 6ac6519b93065625119a347be1cbcc1b89edb773 upstream.

After registering the task free notifier we possibly have tasks in our
dying_tasks list. Free them after unregistering the notifier in case
of an error.

Signed-off-by: Robert Richter <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoARM: davinci: dm646x evm: wrong register used in setup_vpif_input_channel_mode
Hans Verkuil [Mon, 14 Nov 2011 18:20:49 +0000 (19:20 +0100)]
ARM: davinci: dm646x evm: wrong register used in setup_vpif_input_channel_mode

commit 83713fc9373be2e943f82e9d36213708c6b0050e upstream.

The function setup_vpif_input_channel_mode() used the VSCLKDIS register
instead of VIDCLKCTL. This meant that when in HD mode videoport channel 0
used a different clock from channel 1.

Clearly a copy-and-paste error.

Signed-off-by: Hans Verkuil <>
Acked-by: Manjunath Hadli <>
Signed-off-by: Sekhar Nori <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoALSA: hda/realtek - Fix Oops in alc_mux_select()
Takashi Iwai [Fri, 2 Dec 2011 14:29:12 +0000 (15:29 +0100)]
ALSA: hda/realtek - Fix Oops in alc_mux_select()

commit cce4aa378a049f4275416ee6302dd24f37b289df upstream.

When no imux is available (e.g. a single capture source),
alc_auto_init_input_src() may trigger an Oops due to the access to -1.
Add a proper zero-check to avoid it.

Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoALSA: sis7019 - give slow codecs more time to reset
David Dillow [Fri, 2 Dec 2011 04:26:53 +0000 (23:26 -0500)]
ALSA: sis7019 - give slow codecs more time to reset

commit fc084e0b930d546872ab23667052499f7daf0fed upstream.

There are some AC97 codec and board combinations that have been observed
to take a very long time to respond after the cold reset has completed.
In one case, more than 350 ms was required. To allow users to have sound
on those platforms, we'll wait up to 500ms for the codec to become

As a board may have multiple codecs, with some faster than others to
reset, we add a module parameter to inform the driver which codecs
should be present.

Reported-by: KotCzarny <>
Signed-off-by: David Dillow <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoLinux
Greg Kroah-Hartman [Fri, 9 Dec 2011 17:24:23 +0000 (09:24 -0800)]

6 years agoclockevents: Set noop handler in clockevents_exchange_device()
Thomas Gleixner [Fri, 2 Dec 2011 15:02:45 +0000 (16:02 +0100)]
clockevents: Set noop handler in clockevents_exchange_device()

commit de28f25e8244c7353abed8de0c7792f5f883588c upstream.

If a device is shutdown, then there might be a pending interrupt,
which will be processed after we reenable interrupts, which causes the
original handler to be run. If the old handler is the (broadcast)
periodic handler the shutdown state might hang the kernel completely.

Signed-off-by: Thomas Gleixner <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agotick-broadcast: Stop active broadcast device when replacing it
Thomas Gleixner [Fri, 2 Dec 2011 11:34:16 +0000 (12:34 +0100)]
tick-broadcast: Stop active broadcast device when replacing it

commit c1be84309c58b1e7c6d626e28fba41a22b364c3d upstream.

When a better rated broadcast device is installed, then the current
active device is not disabled, which results in two running broadcast

Signed-off-by: Thomas Gleixner <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agogenirq: Fix race condition when stopping the irq thread
Ido Yariv [Thu, 1 Dec 2011 11:55:08 +0000 (13:55 +0200)]
genirq: Fix race condition when stopping the irq thread

commit 550acb19269d65f32e9ac4ddb26c2b2070e37f1c upstream.

In irq_wait_for_interrupt(), the should_stop member is verified before
setting the task's state to TASK_INTERRUPTIBLE and calling schedule().
In case kthread_stop sets should_stop and wakes up the process after
should_stop is checked by the irq thread but before the task's state
is changed, the irq thread might never exit:

kthread_stop                    irq_wait_for_interrupt
------------                    ----------------------

...                              while (!kthread_should_stop()) {
kthread->should_stop = 1;



Fix this by checking if the thread should stop after modifying the
task's state.

[ tglx: Simplified it a bit ]

Signed-off-by: Ido Yariv <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agooprofile, x86: Fix crash when unloading module (nmi timer mode)
Robert Richter [Mon, 10 Oct 2011 14:21:10 +0000 (16:21 +0200)]
oprofile, x86: Fix crash when unloading module (nmi timer mode)

commit 97f7f8189fe54e3cfe324ef9ad35064f3d2d3bff upstream.

If oprofile uses the nmi timer interrupt there is a crash while
unloading the module. The bug can be triggered with oprofile build as
module and kernel parameter nolapic set. This patch fixes this.

oprofile: using NMI timer interrupt.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: [<ffffffff8123c226>] unregister_syscore_ops+0x41/0x58
PGD 42dbca067 PUD 41da6a067 PMD 0
Oops: 0002 [#1] PREEMPT SMP
Modules linked in: oprofile(-) [last unloaded: oprofile]

Pid: 2518, comm: modprobe Not tainted 3.1.0-rc7-00019-gb2fb49d #19 Advanced Micro Device Anaheim/Anaheim
RIP: 0010:[<ffffffff8123c226>]  [<ffffffff8123c226>] unregister_syscore_ops+0x41/0x58
RSP: 0018:ffff88041ef71e98  EFLAGS: 00010296
RAX: 0000000000000000 RBX: ffffffffa0017100 RCX: dead000000200200
RDX: 0000000000000000 RSI: dead000000100100 RDI: ffffffff8178c620
RBP: ffff88041ef71ea8 R08: 0000000000000001 R09: 0000000000000082
R10: 0000000000000000 R11: ffff88041ef71de8 R12: 0000000000000080
R13: fffffffffffffff5 R14: 0000000000000001 R15: 0000000000610210
FS:  00007fc902f20700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000008 CR3: 000000041cdb6000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process modprobe (pid: 2518, threadinfo ffff88041ef70000, task ffff88041d348040)
 ffff88041ef71eb8 ffffffffa0017790 ffff88041ef71eb8 ffffffffa0013532
 ffff88041ef71ec8 ffffffffa00132d6 ffff88041ef71ed8 ffffffffa00159b2
 ffff88041ef71f78 ffffffff81073115 656c69666f72706f 0000000000610200
Call Trace:
 [<ffffffffa0013532>] op_nmi_exit+0x15/0x17 [oprofile]
 [<ffffffffa00132d6>] oprofile_arch_exit+0xe/0x10 [oprofile]
 [<ffffffffa00159b2>] oprofile_exit+0x1e/0x20 [oprofile]
 [<ffffffff81073115>] sys_delete_module+0x1c3/0x22f
 [<ffffffff811bf09e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [<ffffffff8148070b>] system_call_fastpath+0x16/0x1b
Code: 20 c6 78 81 e8 c5 cc 23 00 48 8b 13 48 8b 43 08 48 be 00 01 10 00 00 00 ad de 48 b9 00 02 20 00 00 00 ad de 48 c7 c7 20 c6 78 81
 89 42 08 48 89 10 48 89 33 48 89 4b 08 e8 a6 c0 23 00 5a 5b
RIP  [<ffffffff8123c226>] unregister_syscore_ops+0x41/0x58
 RSP <ffff88041ef71e98>
CR2: 0000000000000008
---[ end trace 43a541a52956b7b0 ]---

Signed-off-by: Robert Richter <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agox86/mpparse: Account for bus types other than ISA and PCI
Bjorn Helgaas [Sun, 25 Sep 2011 21:29:00 +0000 (15:29 -0600)]
x86/mpparse: Account for bus types other than ISA and PCI

commit 9e6866686bdf2dcf3aeb0838076237ede532dcc8 upstream.

In commit f8924e770e04 ("x86: unify mp_bus_info"), the 32-bit
and 64-bit versions of MP_bus_info were rearranged to match each
other better.  Unfortunately it introduced a regression: prior
to that change we used to always set the mp_bus_not_pci bit,
then clear it if we found a PCI bus.  After it, we set
mp_bus_not_pci for ISA buses, clear it for PCI buses, and leave
it alone otherwise.

In the cases of ISA and PCI, there's not much difference.  But
ISA is not the only non-PCI bus, so it's better to always set
mp_bus_not_pci and clear it only for PCI.

Without this change, Dan's Dell PowerEdge 4200 panics on boot
with a log indicating interrupt routing trouble unless the
"noapic" option is supplied.  With this change, the machine
boots reliably without "noapic".


Reported-bisected-and-tested-by: Dan McGrath <>
Signed-off-by: Bjorn Helgaas <>
Cc: Dan McGrath <>
Cc: Alexey Starikovskiy <>
[ clarified commit message]
Signed-off-by: Jonathan Nieder <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agosched, x86: Avoid unnecessary overflow in sched_clock
Salman Qazi [Tue, 15 Nov 2011 22:12:06 +0000 (14:12 -0800)]
sched, x86: Avoid unnecessary overflow in sched_clock

commit 4cecf6d401a01d054afc1e5f605bcbfe553cb9b9 upstream.

(Added the missing signed-off-by line)

In hundreds of days, the __cycles_2_ns calculation in sched_clock
has an overflow.  cyc * per_cpu(cyc2ns, cpu) exceeds 64 bits, causing
the final value to become zero.  We can solve this without losing
any precision.

We can decompose TSC into quotient and remainder of division by the
scale factor, and then use this to convert TSC into nanoseconds.

Signed-off-by: Salman Qazi <>
Acked-by: John Stultz <>
Reviewed-by: Paul Turner <>
Signed-off-by: Peter Zijlstra <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agocifs: fix cifs stable patch cifs-fix-oplock-break-handling-try-2.patch
Suresh Jayaraman [Fri, 2 Dec 2011 10:54:56 +0000 (16:24 +0530)]
cifs: fix cifs stable patch cifs-fix-oplock-break-handling-try-2.patch

The stable release added the upstream commit
12fed00de963433128b5366a21a55808fab2f756. However, one of the hunks of
the original patch seems missing from the stable backport which can be
found here:

This hunk corresponds to the change in is_valid_oplock_break() at

This patch backports the missing hunk and is against
linux-2.6.32.y stable kernel.

Cc: Steve French <>
Signed-off-by: Pavel Shilovsky <>
Signed-off-by: Suresh Jayaraman <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoSCSI: Silencing 'killing requests for dead queue'
Hannes Reinecke [Wed, 9 Nov 2011 07:39:24 +0000 (08:39 +0100)]
SCSI: Silencing 'killing requests for dead queue'

commit 745718132c3c7cac98a622b610e239dcd5217f71 upstream.

When we tear down a device we try to flush all outstanding
commands in scsi_free_queue(). However the check in
scsi_request_fn() is imperfect as it only signals that
we _might start_ aborting commands, not that we've actually
aborted some.
So move the printk inside the scsi_kill_request function,
this will also give us a hint about which commands are aborted.

Signed-off-by: Hannes Reinecke <>
Signed-off-by: James Bottomley <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoSCSI: scsi_lib: fix potential NULL dereference
Jiri Slaby [Wed, 23 Sep 2009 14:15:35 +0000 (16:15 +0200)]
SCSI: scsi_lib: fix potential NULL dereference

commit 03b147083a2f9a2a3fbbd2505fa88ffa3c6ab194 upstream.

Stanse found a potential NULL dereference in scsi_kill_request.

Instead of triggering BUG() in 'if (unlikely(cmd == NULL))' branch,
the kernel will Oops earlier on cmd dereference.

Move the dereferences after the if.

Signed-off-by: Jiri Slaby <>
Signed-off-by: James Bottomley <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoUSB: usb-storage: unusual_devs entry for Kingston DT 101 G2
Qinglin Ye [Wed, 23 Nov 2011 15:39:32 +0000 (23:39 +0800)]
USB: usb-storage: unusual_devs entry for Kingston DT 101 G2

commit cec28a5428793b6bc64e56687fb239759d6da74e upstream.

Kingston DT 101 G2 replies a wrong tag while transporting, add an
unusal_devs entry to ignore the tag validation.

Signed-off-by: Qinglin Ye <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agousb: option: add SIMCom SIM5218
Veli-Pekka Peltola [Thu, 24 Nov 2011 20:08:56 +0000 (22:08 +0200)]
usb: option: add SIMCom SIM5218

commit ec0cd94d881ca89cc9fb61d00d0f4b2b52e605b3 upstream.

Tested with SIM5218EVB-KIT evaluation kit.

Signed-off-by: Veli-Pekka Peltola <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agousb: ftdi_sio: add PID for Propox ISPcable III
Marcin Kościelnicki [Wed, 30 Nov 2011 16:01:04 +0000 (17:01 +0100)]
usb: ftdi_sio: add PID for Propox ISPcable III

commit 307369b0ca06b27b511b61714e335ddfccf19c4f upstream.

Signed-off-by: Marcin Kościelnicki <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoUSB: whci-hcd: fix endian conversion in qset_clear()
Dan Carpenter [Tue, 22 Nov 2011 07:28:31 +0000 (10:28 +0300)]
USB: whci-hcd: fix endian conversion in qset_clear()

commit 8746c83d538cab273d335acb2be226d096f4a5af upstream.

qset-> is an __le64 field and we should be using cpu_to_le64()
to fill it.

Signed-off-by: Dan Carpenter <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoStaging: comedi: fix signal handling in read and write
Federico Vaga [Sat, 29 Oct 2011 07:47:39 +0000 (09:47 +0200)]
Staging: comedi: fix signal handling in read and write

commit 6a9ce6b654e491981f6ef7e214cbd4f63e033848 upstream.

After sleeping on a wait queue, signal_pending(current) should be
checked (not before sleeping).

Acked-by: Alessandro Rubini <>
Signed-off-by: Federico Vaga <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agostaging: comedi: fix oops for USB DAQ devices.
Bernd Porr [Tue, 8 Nov 2011 21:23:03 +0000 (21:23 +0000)]
staging: comedi: fix oops for USB DAQ devices.

commit 3ffab428f40849ed5f21bcfd7285bdef7902f9ca upstream.

This fixes kernel oops when an USB DAQ device is plugged out while it's
communicating with the userspace software.

Signed-off-by: Bernd Porr <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agostaging: usbip: bugfix for deadlock
Bart Westgeest [Tue, 1 Nov 2011 19:01:28 +0000 (15:01 -0400)]
staging: usbip: bugfix for deadlock

commit 438957f8d4a84daa7fa5be6978ad5897a2e9e5e5 upstream.

Interrupts must be disabled prior to calling usb_hcd_unlink_urb_from_ep.
If interrupts are not disabled, it can potentially lead to a deadlock.
The deadlock is readily reproduceable on a slower (ARM based) device
such as the TI Pandaboard.

Signed-off-by: Bart Westgeest <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agogro: reset vlan_tci on reuse
Benjamin Poirier [Wed, 30 Nov 2011 12:47:18 +0000 (07:47 -0500)]
gro: reset vlan_tci on reuse

This one liner is part of upstream
commit 3701e51382a026cba10c60b03efabe534fba4ca4
Author: Jesse Gross <>

    vlan: Centralize handling of hardware acceleration.

The bulk of that commit is a rework of the hardware assisted vlan tagging
driver interface, and as such doesn't classify for -stable inclusion. The fix
that is needed is a part of that commit but can work independently of the

This patch can avoid panics on the 2.6.32.y -stable kernels and is in the same
spirit as mainline commits
66c46d7 gro: Reset dev pointer on reuse
6d152e2 gro: reset skb_iif on reuse
which are already in -stable.

For drivers using the vlan_gro_frags() interface, a packet with an invalid tci
leads to GRO_DROP and napi_reuse_skb(). The skb has to be sanitized before
being reused or we may send an skb with an invalid vlan_tci field up the stack
where it is not expected.

Signed-off-by: Benjamin Poirier <>
Cc: Jesse Gross <>
Acked-by: David S. Miller <>
6 years agonl80211: fix MAC address validation
Eliad Peller [Thu, 24 Nov 2011 16:13:56 +0000 (18:13 +0200)]
nl80211: fix MAC address validation

commit e007b857e88097c96c45620bf3b04a4e309053d1 upstream.

MAC addresses have a fixed length. The current
policy allows passing < ETH_ALEN bytes, which
might result in reading beyond the buffer.

Signed-off-by: Eliad Peller <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agop54spi: Fix workqueue deadlock
Michael Büsch [Wed, 16 Nov 2011 22:55:46 +0000 (23:55 +0100)]
p54spi: Fix workqueue deadlock

commit 2d1618170eb493d18f66f2ac03775409a6fb97c6 upstream.

priv->work must not be synced while priv->mutex is locked, because
the mutex is taken in the work handler.
Move cancel_work_sync down to after the device shutdown code.
This is safe, because the work handler checks fw_state and bails out
early in case of a race.

Signed-off-by: Michael Buesch <>
Acked-by: Christian Lamparter <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agop54spi: Add missing spin_lock_init
Michael Büsch [Wed, 16 Nov 2011 22:48:31 +0000 (23:48 +0100)]
p54spi: Add missing spin_lock_init

commit 32d3a3922d617a5a685a5e2d24b20d0e88f192a9 upstream.

The tx_lock is not initialized properly. Add spin_lock_init().

Signed-off-by: Michael Buesch <>
Acked-by: Christian Lamparter <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agotimekeeping: add arch_offset hook to ktime_get functions
Hector Palacios [Mon, 14 Nov 2011 10:15:25 +0000 (11:15 +0100)]
timekeeping: add arch_offset hook to ktime_get functions

commit d004e024058a0eaca097513ce62cbcf978913e0a upstream.

ktime_get and ktime_get_ts were calling timekeeping_get_ns()
but later they were not calling arch_gettimeoffset() so architectures
using this mechanism returned 0 ns when calling these functions.

This happened for example when running Busybox's ping which calls
syscall(__NR_clock_gettime, CLOCK_MONOTONIC, ts) which eventually
calls ktime_get. As a result the returned ping travel time was zero.

Signed-off-by: Hector Palacios <>
Signed-off-by: John Stultz <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoSUNRPC: Ensure we return EAGAIN in xs_nospace if congestion is cleared
Trond Myklebust [Tue, 22 Nov 2011 12:44:28 +0000 (14:44 +0200)]
SUNRPC: Ensure we return EAGAIN in xs_nospace if congestion is cleared

commit 24ca9a847791fd53d9b217330b15f3c285827a18 upstream.

By returning '0' instead of 'EAGAIN' when the tests in xs_nospace() fail
to find evidence of socket congestion, we are making the RPC engine believe
that the message was incorrectly sent and so it disconnects the socket
instead of just retrying.

The bug appears to have been introduced by commit
5e3771ce2d6a69e10fcc870cdf226d121d868491 (SUNRPC: Ensure that xs_nospace
return values are propagated).

Reported-by: Andrew Cooper <>
Signed-off-by: Trond Myklebust <>
Tested-by: Andrew Cooper <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoALSA: lx6464es - fix device communication via command bus
Tim Blechmann [Tue, 22 Nov 2011 10:15:45 +0000 (11:15 +0100)]
ALSA: lx6464es - fix device communication via command bus

commit a29878553a9a7b4c06f93c7e383527cf014d4ceb upstream.

commit 6175ddf06b6172046a329e3abfd9c901a43efd2e optimized the mem*io
functions that have been used to send commands to the device. these
optimizations somehow corrupted the communication with the lx6464es,
that resulted the device to be unusable with kernels after 2.6.33.

this patch emulates the memcpy_*_io functions via a loop to avoid these

Signed-off-by: Tim Blechmann <>
LKML-Reference: <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoARM: 7161/1: errata: no automatic store buffer drain
Will Deacon [Mon, 14 Nov 2011 16:24:58 +0000 (17:24 +0100)]
ARM: 7161/1: errata: no automatic store buffer drain

commit 11ed0ba1754841316d4095478944300acf19acc3 upstream.

This patch implements a workaround for PL310 erratum 769419. On
revisions of the PL310 prior to r3p2, the Store Buffer does not
automatically drain. This can cause normal, non-cacheable writes to be
retained when the memory system is idle, leading to suboptimal I/O
performance for drivers using coherent DMA.

This patch adds an optional wmb() call to the cpu_idle loop. On systems
with an outer cache, this causes an explicit flush of the store buffer.

Acked-by: Catalin Marinas <>
Tested-by: Marc Zyngier <>
Signed-off-by: Will Deacon <>
Signed-off-by: Russell King <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoPCI hotplug: shpchp: don't blindly claim non-AMD 0x7450 device IDs
Bjorn Helgaas [Tue, 23 Aug 2011 16:16:43 +0000 (10:16 -0600)]
PCI hotplug: shpchp: don't blindly claim non-AMD 0x7450 device IDs

commit 4cac2eb158c6da0c761689345c6cc5df788a6292 upstream.

Previously we claimed device ID 0x7450, regardless of the vendor, which is
clearly wrong.  Now we'll claim that device ID only for AMD.

I suspect this was just a typo in the original code, but it's possible this
change will break shpchp on non-7450 AMD bridges.  If so, we'll have to fix
them as we find them.

Reported-by: Ralf Jung <>
Cc: Joerg Roedel <>
Signed-off-by: Bjorn Helgaas <>
Signed-off-by: Jesse Barnes <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoeCryptfs: Extend array bounds for all filename chars
Tyler Hicks [Wed, 23 Nov 2011 17:31:24 +0000 (11:31 -0600)]
eCryptfs: Extend array bounds for all filename chars

commit 0f751e641a71157aa584c2a2e22fda52b52b8a56 upstream.

From mhalcrow's original commit message:

    Characters with ASCII values greater than the size of
    filename_rev_map[] are valid filename characters.
    ecryptfs_decode_from_filename() will access kernel memory beyond
    that array, and ecryptfs_parse_tag_70_packet() will then decrypt
    those characters. The attacker, using the FNEK of the crafted file,
    can then re-encrypt the characters to reveal the kernel memory past
    the end of the filename_rev_map[] array. I expect low security
    impact since this array is statically allocated in the text area,
    and the amount of memory past the array that is accessible is
    limited by the largest possible ASCII filename character.

This patch solves the issue reported by mhalcrow but with an
implementation suggested by Linus to simply extend the length of
filename_rev_map[] to 256. Characters greater than 0x7A are mapped to
0x00, which is how invalid characters less than 0x7A were previously
being handled.

Signed-off-by: Tyler Hicks <>
Reported-by: Michael Halcrow <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoi2c-algo-bit: Generate correct i2c address sequence for 10-bit target
Jeffrey (Sheng-Hui) Chu [Wed, 23 Nov 2011 10:33:07 +0000 (11:33 +0100)]
i2c-algo-bit: Generate correct i2c address sequence for 10-bit target

commit cc6bcf7d2ec2234e7b41770185e4dc826390185e upstream.

The wrong bits were put on the wire, fix that.

This fixes kernel bug #42562.

Signed-off-by: Sheng-Hui J. Chu <>
Signed-off-by: Jean Delvare <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoLinux
Greg Kroah-Hartman [Sat, 26 Nov 2011 17:12:06 +0000 (09:12 -0800)]

6 years agotty: icount changeover for other main devices
Alan Cox [Sun, 13 Nov 2011 15:25:20 +0000 (18:25 +0300)]
tty: icount changeover for other main devices

commit 0587102cf9f427c185bfdeb2cef41e13ee0264b1 upstream

Again basically cut and paste

Convert the main driver set to use the hooks for GICOUNT

Signed-off-by: Alan Cox <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Dan Carpenter <>
6 years agotty: Make tiocgicount a handler
Alan Cox [Sun, 13 Nov 2011 15:24:57 +0000 (18:24 +0300)]
tty: Make tiocgicount a handler

commit d281da7ff6f70efca0553c288bb883e8605b3862 upstream

Dan Rosenberg noted that various drivers return the struct with uncleared
fields. Instead of spending forever trying to stomp all the drivers that
get it wrong (and every new driver) do the job in one place.

This first patch adds the needed operations and hooks them up, including
the needed USB midlayer and serial core plumbing.

Signed-off-by: Alan Cox <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Dan Carpenter <>
6 years agoUSB: quirks: adding more quirky webcams to avoid squeaky audio
sordna [Fri, 28 Oct 2011 04:06:26 +0000 (21:06 -0700)]
USB: quirks: adding more quirky webcams to avoid squeaky audio

commit 0d145d7d4a241c321c832a810bb6edad18e2217b upstream.

The following patch contains additional affected webcam models, on top of the
patches commited to linux-next 2394d67e446bf616a0885167d5f0d397bdacfdfc
and 5b253d88cc6c65a23cefc457a5a4ef139913c5fc

Signed-off-by: sordna <>
Cc: Oliver Neukum <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoUSB: add quirk for Logitech C600 web cam
Josh Boyer [Wed, 26 Oct 2011 17:53:17 +0000 (13:53 -0400)]
USB: add quirk for Logitech C600 web cam

commit 60c71ca972a2dd3fd9d0165b405361c8ad48349b upstream.

We've had another report of the "chipmunk" sound on a Logitech C600 webcam.
This patch resolves the issue.

Signed-off-by: Josh Boyer <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agousb-storage: Accept 8020i-protocol commands longer than 12 bytes
Alan Stern [Tue, 25 Oct 2011 14:50:58 +0000 (10:50 -0400)]
usb-storage: Accept 8020i-protocol commands longer than 12 bytes

commit 2f640bf4c94324aeaa1b6385c10aab8c5ad1e1cf upstream.

The 8020i protocol (also 8070i and QIC-157) uses 12-byte commands;
shorter commands must be padded.  Simon Detheridge reports that his
3-TB USB disk drive claims to use the 8020i protocol (which is
normally meant for ATAPI devices like CD drives), and because of its
large size, the disk drive requires the use of 16-byte commands.
However the usb_stor_pad12_command() routine in usb-storage always
sets the command length to 12, making the drive impossible to use.

Since the SFF-8020i specification allows for 16-byte commands in
future extensions, we may as well accept them.  This patch (as1490)
changes usb_stor_pad12_command() to leave commands larger than 12
bytes alone rather than truncating them.

Signed-off-by: Alan Stern <>
Tested-by: Simon Detheridge <>
CC: Matthew Dharm <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoUSB: Fix Corruption issue in USB ftdi driver ftdi_sio.c
Andrew Worsley [Fri, 18 Nov 2011 12:13:33 +0000 (23:13 +1100)]
USB: Fix Corruption issue in USB ftdi driver ftdi_sio.c

commit b1ffb4c851f185e9051ba837c16d9b84ef688d26 upstream.

Fix for ftdi_set_termios() glitching output

ftdi_set_termios() is constantly setting the baud rate, data bits and parity
unnecessarily on every call, . When called while characters are being
transmitted can cause the FTDI chip to corrupt the serial port bit stream
output by stalling the output half a bit during the output of a character.
Simple fix by skipping this setting if the baud rate/data bits/parity are

Signed-off-by: Andrew Worsley <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoUSB: serial: pl2303: rm duplicate id
wangyanqing [Thu, 10 Nov 2011 06:04:08 +0000 (14:04 +0800)]
USB: serial: pl2303: rm duplicate id

commit 0c16595539b612fe948559433dda08ff96a8bdc7 upstream.

I get report from customer that his usb-serial
converter doesn't work well,it sometimes work,
but sometimes it doesn't.

The usb-serial converter's id:
vendor_id product_id
0x4348    0x5523

Then I search the usb-serial codes, and there are
two drivers announce support this device, pl2303
and ch341, commit 026dfaf1 cause it. Through many
times to test, ch341 works well with this device,
and pl2303 doesn't work quite often(it just work quite little).

ch341 works well with this device, so we doesn't
need pl2303 to support.I try to revert 026dfaf1 first,
but it failed. So I prepare this patch by hand to revert it.

Signed-off-by: Wang YanQing <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agokbuild: Fix passing -Wno-* options to gcc 4.4+
Michal Marek [Mon, 2 May 2011 10:51:15 +0000 (12:51 +0200)]
kbuild: Fix passing -Wno-* options to gcc 4.4+

commit 8417da6f2128008c431c7d130af6cd3d9079922e upstream.

Starting with 4.4, gcc will happily accept -Wno-<anything> in the
cc-option test and complain later when compiling a file that has some
other warning. This rather unexpected behavior is intentional as per, so work around it by testing for support of
the opposite option (without the no-). Introduce a new Makefile function
cc-disable-warning that does this and update two uses of cc-option in
the toplevel Makefile.

Reported-and-tested-by: Stephen Rothwell <>
Signed-off-by: Michal Marek <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoipv6: udp: fix the wrong headroom check
Shan Wei [Tue, 19 Apr 2011 22:52:49 +0000 (22:52 +0000)]
ipv6: udp: fix the wrong headroom check

commit a9cf73ea7ff78f52662c8658d93c226effbbedde upstream.

At this point, skb->data points to skb_transport_header.
So, headroom check is wrong.

For some case:bridge(UFO is on) + eth device(UFO is off),
there is no enough headroom for IPv6 frag head.
But headroom check is always false.

This will bring about data be moved to there prior to skb->head,
when adding IPv6 frag header to skb.

Signed-off-by: Shan Wei <>
Acked-by: Herbert Xu <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agomm: avoid null pointer access in vm_struct via /proc/vmallocinfo
Mitsuo Hayasaka [Thu, 10 Nov 2011 04:37:16 +0000 (13:37 +0900)]
mm: avoid null pointer access in vm_struct via /proc/vmallocinfo

commit f5252e009d5b87071a919221e4f6624184005368 upstream

The /proc/vmallocinfo shows information about vmalloc allocations in vmlist
that is a linklist of vm_struct. It, however, may access pages field of
vm_struct where a page was not allocated. This results in a null pointer
access and leads to a kernel panic.

Why this happen:
In __vmalloc_node() called from vmalloc(), newly allocated vm_struct
is added to vmlist at __get_vm_area_node() and then, some fields of
vm_struct such as nr_pages and pages are set at __vmalloc_area_node(). In
other words, it is added to vmlist before it is fully initialized. At the
same time, when the /proc/vmallocinfo is read, it accesses the pages field
of vm_struct according to the nr_pages field at show_numa_info(). Thus, a
null pointer access happens.

This patch adds newly allocated vm_struct to the vmlist *after* it is fully
initialized. So, it can avoid accessing the pages field with unallocated
page when show_numa_info() is called.

Signed-off-by: Mitsuo Hayasaka <>
Cc: Andrew Morton <>
Cc: David Rientjes <>
Cc: Namhyung Kim <>
Cc: "Paul E. McKenney" <>
Cc: Jeremy Fitzhardinge <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agogenirq: Add IRQF_RESUME_EARLY and resume such IRQs earlier
Ian Campbell [Wed, 9 Nov 2011 08:53:09 +0000 (08:53 +0000)]
genirq: Add IRQF_RESUME_EARLY and resume such IRQs earlier

commit 9bab0b7fbaceec47d32db51cd9e59c82fb071f5a upstream

This adds a mechanism to resume selected IRQs during syscore_resume
instead of dpm_resume_noirq.

Under Xen we need to resume IRQs associated with IPIs early enough
that the resched IPI is unmasked and we can therefore schedule
ourselves out of the stop_machine where the suspend/resume takes

This issue was introduced by 676dc3cf5bc3 "xen: Use IRQF_FORCE_RESUME".

Back ported to 2.6.32 (which lacks syscore support) by calling the relavant
resume function directly from sysdev_resume).

v2: Fixed non-x86 build errors.

Signed-off-by: Ian Campbell <>
Cc: Rafael J. Wysocki <>
Cc: Jeremy Fitzhardinge <>
Cc: xen-devel <>
Cc: Konrad Rzeszutek Wilk <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agodrm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
Chris Wilson [Tue, 15 Nov 2011 06:51:15 +0000 (09:51 +0300)]
drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow

commit 7dcd2499deab8f10011713c40bc2f309c9b65077 upstream

... and do the same for pread.

Signed-off-by: Chris Wilson <>
Signed-off-by: Dan Carpenter <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agodrm/i915: Sanity check pread/pwrite
Chris Wilson [Tue, 15 Nov 2011 06:39:33 +0000 (09:39 +0300)]
drm/i915: Sanity check pread/pwrite

commit ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 upstream.

Move the access control up from the fast paths, which are no longer
universally taken first, up into the caller. This then duplicates some
sanity checking along the slow paths, but is much simpler.
Tracked as CVE-2010-2962.

Reported-by: Kees Cook <>
Signed-off-by: Chris Wilson <>
Signed-off-by: Dan Carpenter <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoRevert "ALSA: hda: Fix quirk for Dell Inspiron 910"
Herton Ronaldo Krzesinski [Fri, 18 Nov 2011 12:50:56 +0000 (10:50 -0200)]
Revert "ALSA: hda: Fix quirk for Dell Inspiron 910"

This reverts commit fdb1e4e9d85b973679d56f23ccf9017ff85fd11f.

It was wrong included in 2.6.32 stable (was intended for 2.6.38+ in the
original commit changelog in Linus tree), and causes a regression on
2.6.32 (

Signed-off-by: Herton Ronaldo Krzesinski <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoRemove the old V4L1 v4lgrab.c file
Mauro Carvalho Chehab [Mon, 27 Dec 2010 11:27:05 +0000 (08:27 -0300)]
Remove the old V4L1 v4lgrab.c file

commit 55fe25b418640fad04190103274841b2c907bacd upstream.

This example file uses the old V4L1 API. It also doesn't use libv4l.
So, it is completely obsolete. A good example already exists at
v4l-utils (v4l2grab.c):

Reviewed-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agomd/raid5: abort any pending parity operations when array fails.
NeilBrown [Tue, 8 Nov 2011 05:22:01 +0000 (16:22 +1100)]
md/raid5: abort any pending parity operations when array fails.

commit 9a3f530f39f4490eaa18b02719fb74ce5f4d2d86 upstream.

When the number of failed devices exceeds the allowed number
we must abort any active parity operations (checks or updates) as they
are no longer meaningful, and can lead to a BUG_ON in

This bug was introduce by commit 6c0069c0ae9659e3a91b68eaed06a5c6c37f45c8
in 2.6.29.

Reported-by: Manish Katiyar <>
Tested-by: Manish Katiyar <>
Acked-by: Dan Williams <>
Signed-off-by: NeilBrown <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoASoC: wm8940: Properly set codec->dapm.bias_level
Axel Lin [Wed, 26 Oct 2011 01:53:41 +0000 (09:53 +0800)]
ASoC: wm8940: Properly set codec->dapm.bias_level

commit 5927f94700e860ae27ff24e7f3bc9e4f7b9922eb upstream.

Reported-by: Chris Paulson-Ellis <>
Signed-off-by: Axel Lin <>
Signed-off-by: Mark Brown <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agokbuild: Disable -Wunused-but-set-variable for gcc 4.6.0
Dave Jones [Thu, 21 Apr 2011 21:28:13 +0000 (17:28 -0400)]
kbuild: Disable -Wunused-but-set-variable for gcc 4.6.0

commit af0e5d565d2fffcd97d1e2d89669d627cc04e8b8 upstream.

Disable the new -Wunused-but-set-variable that was added in gcc 4.6.0
It produces more false positives than useful warnings.

This can still be enabled using W=1
[gregkh - No it can not for 2.6.32, but we don't care]

Signed-off-by: Dave Jones <>
Acked-by: Sam Ravnborg <>
Tested-by: Sam Ravnborg <>
Signed-off-by: Michal Marek <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agohfs: add sanity check for file name length
Dan Carpenter [Mon, 14 Nov 2011 14:52:08 +0000 (17:52 +0300)]
hfs: add sanity check for file name length

commit bc5b8a9003132ae44559edd63a1623b7b99dfb68 upstream.

On a corrupted file system the ->len field could be wrong leading to
a buffer overflow.

Reported-and-acked-by: Clement LECIGNE <>
Signed-off-by: Dan Carpenter <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoPM / Suspend: Off by one in pm_suspend()
Dan Carpenter [Wed, 21 Sep 2011 18:55:04 +0000 (20:55 +0200)]
PM / Suspend: Off by one in pm_suspend()

commit 528f7ce6e439edeac38f6b3f8561f1be129b5e91 upstream.

In enter_state() we use "state" as an offset for the pm_states[]
array.  The pm_states[] array only has PM_SUSPEND_MAX elements so
this test is off by one.

Signed-off-by: Dan Carpenter <>
Signed-off-by: Rafael J. Wysocki <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agomtd: mtdchar: add missing initializer on raw write
Peter Wippich [Mon, 6 Jun 2011 13:50:58 +0000 (15:50 +0200)]
mtd: mtdchar: add missing initializer on raw write

commit bf5140817b2d65faac9b32fc9057a097044ac35b upstream.

On writes in MODE_RAW the mtd_oob_ops struct is not sufficiently
initialized which may cause nandwrite to fail. With this patch
it is possible to write raw nand/oob data without additional ECC
(either for testing or when some sectors need different oob layout
e.g. bootloader) like
nandwrite  -n -r -o  /dev/mtd0 <myfile>

Signed-off-by: Peter Wippich <>
Tested-by: Ricard Wanderlof <>
Signed-off-by: Artem Bityutskiy <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agonetlink: validate NLA_MSECS length
Johannes Berg [Thu, 3 Nov 2011 00:07:32 +0000 (00:07 +0000)]
netlink: validate NLA_MSECS length

commit c30bc94758ae2a38a5eb31767c1985c0aae0950b upstream.

L2TP for example uses NLA_MSECS like this:
        [L2TP_ATTR_RECV_TIMEOUT]        = { .type = NLA_MSECS, },
        if (info->attrs[L2TP_ATTR_RECV_TIMEOUT])
                cfg.reorder_timeout = nla_get_msecs(info->attrs[L2TP_ATTR_RECV_TIMEOUT]);

As nla_get_msecs() is essentially nla_get_u64() plus the
conversion to a HZ-based value, this will not properly
reject attributes from userspace that aren't long enough
and might overrun the message.

Add NLA_MSECS to the attribute minlen array to check the
size properly.

Cc: Thomas Graf <>
Signed-off-by: Johannes Berg <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoNFS/sunrpc: don't use a credential with extra groups.
NeilBrown [Mon, 24 Oct 2011 23:25:49 +0000 (10:25 +1100)]
NFS/sunrpc: don't use a credential with extra groups.

commit dc6f55e9f8dac4b6479be67c5c9128ad37bb491f upstream.

The sunrpc layer keeps a cache of recently used credentials and
'unx_match' is used to find the credential which matches the current

However unx_match allows a match when the cached credential has extra
groups at the end of uc_gids list which are not in the process group list.

So if a process with a list of (say) 4 group accesses a file and gains
access because of the last group in the list, then another process
with the same uid and gid, and a gid list being the first tree of the
gids of the original process tries to access the file, it will be
granted access even though it shouldn't as the wrong rpc credential
will be used.

Signed-off-by: NeilBrown <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoMake scsi_free_queue() kill pending SCSI commands
Bart Van Assche [Fri, 23 Sep 2011 17:48:18 +0000 (19:48 +0200)]
Make scsi_free_queue() kill pending SCSI commands

commit 3308511c93e6ad0d3c58984ecd6e5e57f96b12c8 upstream.

Make sure that SCSI device removal via scsi_remove_host() does finish
all pending SCSI commands. Currently that's not the case and hence
removal of a SCSI host during I/O can cause a deadlock. See also
"blkdev_issue_discard() hangs forever if underlying storage device is
removed" ( See also

Signed-off-by: Bart Van Assche <>
Signed-off-by: James Bottomley <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agost: fix race in st_scsi_execute_end
Petr Uzel [Fri, 21 Oct 2011 11:31:09 +0000 (13:31 +0200)]
st: fix race in st_scsi_execute_end

commit c68bf8eeaa57c852e74adcf597237be149eef830 upstream.

The call to complete() in st_scsi_execute_end() wakes up sleeping thread
in write_behind_check(), which frees the st_request, thus invalidating
the pointer to the associated bio structure, which is then passed to the
blk_rq_unmap_user(). Fix by storing pointer to bio structure into
temporary local variable.

This bug is present since at least linux-2.6.32.

Signed-off-by: Petr Uzel <>
Reported-by: Juergen Groß <>
Reviewed-by: Jan Kara <>
Acked-by: Kai Mäkisara <>
Signed-off-by: James Bottomley <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoLinux
Greg Kroah-Hartman [Wed, 9 Nov 2011 00:02:43 +0000 (16:02 -0800)]

6 years agoRevert "powerpc/mpic: Fix problem that affinity is not updated"
Greg Kroah-Hartman [Tue, 8 Nov 2011 23:44:02 +0000 (15:44 -0800)]
Revert "powerpc/mpic: Fix problem that affinity is not updated"

This reverts commit 1badd98ea79b7b20fb4ddfea110d1bb99c33a55f.

It breaks the build on powerpc systems:

arch/powerpc/sysdev/mpic.c: In function 'irq_choose_cpu':
arch/powerpc/sysdev/mpic.c:574: error: passing argument 1 of '__cpus_equal' from incompatible pointer type

Reported-by: Jiri Slaby <>
Cc: Jiajun Wu <>
Cc: Li Yang <>
Cc: Benjamin Herrenschmidt <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoRevert "ASoC: wm8940: Properly set codec->dapm.bias_level"
Greg Kroah-Hartman [Tue, 8 Nov 2011 23:42:21 +0000 (15:42 -0800)]
Revert "ASoC: wm8940: Properly set codec->dapm.bias_level"

This reverts commit d85b1ce7fd0ecfdd43e8c3e67eb953900c209939.

It breaks the build and probably shouldn't be in the 2.6.32 kernel

Reported-by: Stefan Bader <>
Cc: Chris Paulson-Ellis <>
Cc: Axel Lin <>
Cc: Mark Brown <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoRevert "genirq: Add IRQF_RESUME_EARLY and resume such IRQs earlier"
Greg Kroah-Hartman [Tue, 8 Nov 2011 23:40:42 +0000 (15:40 -0800)]
Revert "genirq: Add IRQF_RESUME_EARLY and resume such IRQs earlier"

This reverts commit 0f12a6ad9fa3a03f2bcee36c9cb704821e244c40.

It causes too many build errors and needs to be done properly.

Reported-by: Jiri Slaby <>
Reported-by: Christoph Biedl <>
Cc: Ian Campbell <>
Cc: Rafael J. Wysocki <>
Cc: Jeremy Fitzhardinge <>
Cc: xen-devel <>
Cc: Konrad Rzeszutek Wilk <>
Cc: Thomas Gleixner <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoLinux
Greg Kroah-Hartman [Mon, 7 Nov 2011 20:58:56 +0000 (12:58 -0800)]

6 years agoUSB: Serial: Add PID(0xF7C0) to FTDI SIO driver for a zeitcontrol-device
Artur Zimmer [Wed, 10 Aug 2011 01:51:28 +0000 (03:51 +0200)]
USB: Serial: Add PID(0xF7C0) to FTDI SIO driver for a zeitcontrol-device

commit ce7e9065958191e6b7ca49d7ed0e1099c486d198 upstream.

Here is a patch for a new PID (zeitcontrol-device mifare-reader FT232BL(like FT232BM but lead free)).

Signed-off-by: Artur Zimmer <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoUSB: Serial: Add device ID for Sierra Wireless MC8305
Florian Echtler [Tue, 9 Aug 2011 11:37:49 +0000 (13:37 +0200)]
USB: Serial: Add device ID for Sierra Wireless MC8305

commit 2f1def2695c223b2aa325e5e47d0d64200a45d23 upstream.

A new device ID pair is added for Sierra Wireless MC8305.

Signed-off-by: Florian Echtler <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoext2,ext3,ext4: don't inherit APPEND_FL or IMMUTABLE_FL for new inodes
Theodore Ts'o [Wed, 31 Aug 2011 15:54:51 +0000 (11:54 -0400)]
ext2,ext3,ext4: don't inherit APPEND_FL or IMMUTABLE_FL for new inodes

commit 1cd9f0976aa4606db8d6e3dc3edd0aca8019372a upstream.

This doesn't make much sense, and it exposes a bug in the kernel where
attempts to create a new file in an append-only directory using
O_CREAT will fail (but still leave a zero-length file).  This was
discovered when xfstests #79 was generalized so it could run on all
file systems.

Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agodrivers/net/rionet.c: fix ethernet address macros for LE platforms
Alexandre Bounine [Wed, 2 Nov 2011 20:39:15 +0000 (13:39 -0700)]
drivers/net/rionet.c: fix ethernet address macros for LE platforms

commit e0c87bd95e8dad455c23bc56513af8dcb1737e55 upstream.

Modify Ethernet addess macros to be compatible with BE/LE platforms

Signed-off-by: Alexandre Bounine <>
Cc: Chul Kim <>
Cc: Kumar Gala <>
Cc: Matt Porter <>
Cc: Li Yang <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoext4: fix BUG_ON() in ext4_ext_insert_extent()
Zheng Liu [Fri, 28 Oct 2011 12:34:02 +0000 (20:34 +0800)]
ext4: fix BUG_ON() in ext4_ext_insert_extent()

Does not corrispond with a direct commit in Linus's tree as it was fixed
differently in the 3.0 release.

We will meet with a BUG_ON() if following script is run.

mkfs.ext4 -b 4096 /dev/sdb1 1000000
mount -t ext4 /dev/sdb1 /mnt/sdb1
fallocate -l 100M /mnt/sdb1/test
        dd if=/dev/zero of=/mnt/sdb1/test conv=notrunc bs=256k count=1
seek=`expr $i \* 2`
umount /mnt/sdb1
mount -t ext4 /dev/sdb1 /mnt/sdb1
dd if=/dev/zero of=/mnt/sdb1/test conv=notrunc bs=256k count=1 seek=341
umount /mnt/sdb1
mount /dev/sdb1 /mnt/sdb1
dd if=/dev/zero of=/mnt/sdb1/test conv=notrunc bs=256k count=1 seek=340

The reason is that it forgot to mark dirty when splitting two extents in
ext4_ext_convert_to_initialized(). Althrough ex has been updated in
memory, it is not dirtied both in ext4_ext_convert_to_initialized() and
ext4_ext_insert_extent(). The disk layout is corrupted. Then it will
meet with a BUG_ON() when writting at the start of that extent again.

Cc: "Theodore Ts'o" <>
Cc: Xiaoyun Mao <>
Cc: Yingbin Wang <>
Cc: Jia Wan <>
Signed-off-by: Zheng Liu <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agonet_sched: Fix qdisc_notify()
Eric Dumazet [Sat, 22 May 2010 20:37:44 +0000 (20:37 +0000)]
net_sched: Fix qdisc_notify()

commit 53b0f08042f04813cd1a7473dacd3edfacb28eb3 upstream.

Ben Pfaff reported a kernel oops and provided a test program to
reproduce it.

tc_fill_qdisc() should not be called for builtin qdisc, or it
dereference a NULL pointer to get device ifindex.

Fix is to always use tc_qdisc_dump_ignore() before calling

Reported-by: Ben Pfaff <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agonl80211: fix overflow in ssid_len
Luciano Coelho [Tue, 7 Jun 2011 17:42:26 +0000 (20:42 +0300)]
nl80211: fix overflow in ssid_len

commit 57a27e1d6a3bb9ad4efeebd3a8c71156d6207536 upstream.

When one of the SSID's length passed in a scan or sched_scan request
is larger than 255, there will be an overflow in the u8 that is used
to store the length before checking.  This causes the check to fail
and we overrun the buffer when copying the SSID.

Fix this by checking the nl80211 attribute length before copying it to
the struct.

This is a follow up for the previous commit
208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem

Reported-by: Ido Yariv <>
Signed-off-by: Luciano Coelho <>
Signed-off-by: John W. Linville <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoBluetooth: Prevent buffer overflow in l2cap config request
Dan Rosenberg [Fri, 24 Jun 2011 12:38:05 +0000 (08:38 -0400)]
Bluetooth: Prevent buffer overflow in l2cap config request

commit 7ac28817536797fd40e9646452183606f9e17f71 upstream.

A remote user can provide a small value for the command size field in
the command header of an l2cap configuration request, resulting in an
integer underflow when subtracting the size of the configuration request
header.  This results in copying a very large amount of data via
memcpy() and destroying the kernel heap.  Check for underflow.

Signed-off-by: Dan Rosenberg <>
Signed-off-by: Gustavo F. Padovan <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agovm: fix vm_pgoff wrap in upward expansion
Hugh Dickins [Tue, 10 May 2011 00:44:42 +0000 (17:44 -0700)]
vm: fix vm_pgoff wrap in upward expansion

commit 42c36f63ac1366ab0ecc2d5717821362c259f517 upstream.

Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed
the case of an expanding mapping causing vm_pgoff wrapping when you had
downward stack expansion.  But there was another case where IA64 and
PA-RISC expand mappings: upward expansion.

This fixes that case too.

Signed-off-by: Hugh Dickins <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agovm: fix vm_pgoff wrap in stack expansion
Linus Torvalds [Wed, 13 Apr 2011 15:07:28 +0000 (08:07 -0700)]
vm: fix vm_pgoff wrap in stack expansion

commit a626ca6a656450e9f4df91d0dda238fff23285f4 upstream.

Commit 982134ba6261 ("mm: avoid wrapping vm_pgoff in mremap()") fixed
the case of a expanding mapping causing vm_pgoff wrapping when you used
mremap.  But there was another case where we expand mappings hiding in
plain sight: the automatic stack expansion.

This fixes that case too.

This one also found by Robert Święcki, using his nasty system call
fuzzer tool.  Good job.

Reported-and-tested-by: Robert Święcki <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoBluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
Filip Palian [Thu, 12 May 2011 17:32:46 +0000 (19:32 +0200)]
Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.

commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f upstream.

Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
byte each. This byte in "cinfo" is copied to userspace uninitialized.

Signed-off-by: Filip Palian <>
Acked-by: Marcel Holtmann <>
Signed-off-by: Gustavo F. Padovan <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoNLM: Don't hang forever on NLM unlock requests
Trond Myklebust [Tue, 31 May 2011 19:15:34 +0000 (15:15 -0400)]
NLM: Don't hang forever on NLM unlock requests

commit 0b760113a3a155269a3fba93a409c640031dd68f upstream.

If the NLM daemon is killed on the NFS server, we can currently end up
hanging forever on an 'unlock' request, instead of aborting. Basically,
if the rpcbind request fails, or the server keeps returning garbage, we
really want to quit instead of retrying.

Tested-by: Vasily Averin <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agodeal with races in /proc/*/{syscall,stack,personality}
Al Viro [Wed, 23 Mar 2011 19:52:50 +0000 (15:52 -0400)]
deal with races in /proc/*/{syscall,stack,personality}

commit a9712bc12c40c172e393f85a9b2ba8db4bf59509 upstream.

All of those are rw-r--r-- and all are broken for suid - if you open
a file before the target does suid-root exec, you'll be still able
to access it.  For personality it's not a big deal, but for syscall
and stack it's a real problem.

Fix: check that task is tracable for you at the time of read().

Signed-off-by: Al Viro <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoscm: lower SCM_MAX_FD
Eric Dumazet [Tue, 23 Nov 2010 14:09:15 +0000 (14:09 +0000)]
scm: lower SCM_MAX_FD

commit bba14de98753cb6599a2dae0e520714b2153522d upstream.

Lower SCM_MAX_FD from 255 to 253 so that allocations for scm_fp_list are
halved. (commit f8d570a4 added two pointers in this structure)

scm_fp_dup() should not copy whole structure (and trigger kmemcheck
warnings), but only the used part. While we are at it, only allocate
needed size.

Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agothinkpad-acpi: module autoloading for newer Lenovo ThinkPads.
Manoj Iyer [Thu, 20 Oct 2011 18:50:25 +0000 (20:50 +0200)]
thinkpad-acpi: module autoloading for newer Lenovo ThinkPads.

commit 9fbdaeb4f4dd14a0caa9fc35c496d5440c251a3a upstream.

The newer Lenovo ThinkPads have HKEY HID of LEN0068 instead
of IBM0068. Added new HID so that thinkpad_acpi module will
auto load on these newer Lenovo ThinkPads.

Acked-by: Henrique de Moraes Holschuh <>
Signed-off-by: Manoj Iyer <>
Signed-off-by: Andy Lutomirski <>
Signed-off-by: Matthew Garrett <>
Signed-off-by: Bjørn Mork <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agokcore: fix test for end of list
Dan Carpenter [Tue, 23 Mar 2010 20:35:42 +0000 (13:35 -0700)]
kcore: fix test for end of list

commit 4fd2c20d964a8fb9861045f1022475c9d200d684 upstream.

"m" is never NULL here.  We need a different test for the end of list

Signed-off-by: Dan Carpenter <>
Acked-by: KAMEZAWA Hiroyuki <>
Acked-by: WANG Cong <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Cc: Leonardo Chiquitto <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agowatchdog: mtx1-wdt: fix build failure
Florian Fainelli [Mon, 17 Oct 2011 17:47:44 +0000 (19:47 +0200)]
watchdog: mtx1-wdt: fix build failure

Commit 6d86a0ee (watchdog: mtx1-wdt: request gpio before using it) was
backported from upstream. The patch is using a gpiolib call which is only
available in kernel 2.6.34+. Fix build by using the "old" gpiolib API

Signed-off-by: Florian Fainelli <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoRevert "MIPS: MTX-1: Make au1000_eth probe all PHY
Florian Fainelli [Mon, 17 Oct 2011 17:43:06 +0000 (19:43 +0200)]
Revert "MIPS: MTX-1: Make au1000_eth probe all PHY

Commit ec3eb823 was not applicable in 2.6.32 and introduces a build breakage.
Revert that commit since it is irrelevant for this kernel version.

Acked-by: Ralf Baechle <>
Signed-off-by: Florian Fainelli <>
6 years agoRevert "usb: musb: restore INDEX register in resume path"
Greg Kroah-Hartman [Wed, 2 Nov 2011 21:04:11 +0000 (14:04 -0700)]
Revert "usb: musb: restore INDEX register in resume path"

This reverts commit 262e2d9d559334e09bc80516132ea99d82f97b8c.

Turns out this breaks the build, and as such, really isn't needed for
the 2.6.32-stable branch at all.

Reported-by: Phil Carmody <>
Cc: Anand Gadiyar <>
Cc: Ajay Kumar Gupta <>
Cc: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agogenirq: Add IRQF_RESUME_EARLY and resume such IRQs earlier
Ian Campbell [Mon, 3 Oct 2011 14:37:00 +0000 (15:37 +0100)]
genirq: Add IRQF_RESUME_EARLY and resume such IRQs earlier

commit 9bab0b7fbaceec47d32db51cd9e59c82fb071f5a upstream

This adds a mechanism to resume selected IRQs during syscore_resume
instead of dpm_resume_noirq.

Under Xen we need to resume IRQs associated with IPIs early enough
that the resched IPI is unmasked and we can therefore schedule
ourselves out of the stop_machine where the suspend/resume takes

This issue was introduced by 676dc3cf5bc3 "xen: Use IRQF_FORCE_RESUME".

Back ported to 2.6.32 (which lacks syscore support) by calling the relavant
resume function directly from sysdev_resume).

Signed-off-by: Ian Campbell <>
Cc: Rafael J. Wysocki <>
Cc: Jeremy Fitzhardinge <>
Cc: xen-devel <>
Cc: Konrad Rzeszutek Wilk <>
Signed-off-by: Thomas Gleixner <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoKVM: x86: Reset tsc_timestamp on TSC writes
Philipp Hahn [Mon, 12 Sep 2011 15:52:51 +0000 (12:52 -0300)]
KVM: x86: Reset tsc_timestamp on TSC writes

There is no upstream commit ID for this patch since it is not a straight
backport from upstream. It is a fix only relevant to 2.6.32.y.

Since 1d5f066e0b63271b67eac6d3752f8aa96adcbddb from 2.6.37 was
back-ported to as ad2088cabe0fd7f633f38ba106025d33ed9a2105,
the following patch is needed to add the needed reset logic to 2.6.32 as

Bug #23257: Reset tsc_timestamp on TSC writes

vcpu->last_guest_tsc is updated in vcpu_enter_guest() and kvm_arch_vcpu_put()
by getting the last value of the TSC from the guest.
On reset, the SeaBIOS resets the TSC to 0, which triggers a bug on the next
call to kvm_write_guest_time(): Since vcpu->hw_clock.tsc_timestamp still
contains the old value before the reset, "max_kernel_ns = vcpu->last_guest_tsc
- vcpu->hw_clock.tsc_timestamp" gets negative. Since the variable is u64, it
 gets translated to a large positive value.

vcpu->last_guest_tsc        =209_328_760_015           ←
vcpu->last_kernel_ns        =9_333_179_830_643
kernel_ns                   =9_333_197_073_429
max_kernel_ns               =9_333_179_847_943         ←

vcpu->last_guest_tsc        =9_438_510_584             ←
vcpu->last_kernel_ns        =9_333_763_732_907
kernel_ns                   =9_336_910_990_771
max_kernel_ns               =6_148_296_831_006_663_830 ←

For completeness, here are the values for my 3 GHz CPU:
vcpu->hv_clock.tsc_shift         =-1
vcpu->hv_clock.tsc_to_system_mul =2_863_019_502

This makes the guest kernel crawl very slowly when clocksource=kvmclock is
used: sleeps take way longer than expected and don't match wall clock any more.
The times printed with printk() don't match real time and the reboot often
stalls for long times.

In linux-git this isn't a problem, since on every MSR_IA32_TSC write
vcpu->arch.hv_clock.tsc_timestamp is reset to 0, which disables above logic.
The code there is only in arch/x86/kvm/x86.c, since much of the kvm-clock
related code has been refactured for 2.6.37:
99e3e30a arch/x86/kvm/x86.c
        (Zachary Amsden            2010-08-19 22:07:17 -1000 1084)
        vcpu->arch.hv_clock.tsc_timestamp = 0;

Signed-off-by: Philipp Hahn <>
Signed-off-by: Marcelo Tosatti <>
Signed-off-by: Greg Kroah-Hartman <>
6 years agoxen/timer: Missing IRQF_NO_SUSPEND in timer code broke suspend.
Ian Campbell [Tue, 8 Feb 2011 14:03:31 +0000 (14:03 +0000)]
xen/timer: Missing IRQF_NO_SUSPEND in timer code broke suspend.

commit f611f2da99420abc973c32cdbddbf5c365d0a20c upstream.

The patches missed an indirect use of IRQF_NO_SUSPEND pulled in via
IRQF_TIMER. The following patch fixes the issue.

With this fixlet PV guest migration works just fine. I also booted the
entire series as a dom0 kernel and it appeared fine.

Signed-off-by: Ian Campbell <>
Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: Greg Kroah-Hartman <>