5 years agoACPI / cpuidle: Fix NULL pointer issues when cpuidle is disabled
Konrad Rzeszutek Wilk [Wed, 16 Jan 2013 22:40:07 +0000 (23:40 +0100)]
ACPI / cpuidle: Fix NULL pointer issues when cpuidle is disabled

commit b88a634a903d9670aa5f2f785aa890628ce0dece upstream.

If cpuidle is disabled, that means that:

per_cpu(acpi_cpuidle_device, pr->id)

is set to NULL as the acpi_processor_power_init ends up failing at

 retval = cpuidle_register_driver(&acpi_idle_driver)

(in acpi_processor_power_init) and never sets the per_cpu idle
device.  So when acpi_processor_hotplug on CPU online notification
tries to reference said device it crashes:

cpu 3 spinlock event irq 62
BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
IP: [<ffffffff81381013>] acpi_processor_setup_cpuidle_cx+0x3f/0x105
PGD a259b067 PUD ab38b067 PMD 0
Oops: 0002 [#1] SMP
odules linked in: dm_multipath dm_mod xen_evtchn iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi libcrc32c crc32c nouveau mxm_wmi wmi radeon ttm sg sr_mod sd_mod cdrom ata_generic ata_piix libata crc32c_intel scsi_mod atl1c i915 fbcon tileblit font bitblit softcursor drm_kms_helper video xen_blkfront xen_netfront fb_sys_fops sysimgblt sysfillrect syscopyarea xenfs xen_privcmd mperf
Pid: 3047, comm: bash Not tainted 3.8.0-rc3upstream-00250-g165c029 #1 MSI MS-7680/H61M-P23 (MS-7680)
RIP: e030:[<ffffffff81381013>]  [<ffffffff81381013>] acpi_processor_setup_cpuidle_cx+0x3f/0x105
RSP: e02b:ffff88001742dca8  EFLAGS: 00010202
RAX: 0000000000010be9 RBX: ffff8800a0a61800 RCX: ffff880105380000
RDX: 0000000000000003 RSI: 0000000000000200 RDI: ffff8800a0a61800
RBP: ffff88001742dce8 R08: ffffffff81812360 R09: 0000000000000200
R10: aaaaaaaaaaaaaaaa R11: 0000000000000001 R12: ffff8800a0a61800
R13: 00000000ffffff01 R14: 0000000000000000 R15: ffffffff81a907a0
FS:  00007fd6942f7700(0000) GS:ffff880105280000(0000) knlGS:0000000000000000
CS:  e033 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000004 CR3: 00000000a6773000 CR4: 0000000000042660
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process bash (pid: 3047, threadinfo ffff88001742c000, task ffff880017944000)
 0000000000000150 ffff880100f59e00 ffff88001742dcd8 ffff8800a0a61800
 0000000000000000 00000000ffffff01 0000000000000000 ffffffff81a907a0
 ffff88001742dd18 ffffffff813815b1 ffff88001742dd08 ffffffff810ae336
Call Trace:
 [<ffffffff813815b1>] acpi_processor_hotplug+0x7c/0x9f
 [<ffffffff810ae336>] ? schedule_delayed_work_on+0x16/0x20
 [<ffffffff8137ee8f>] acpi_cpu_soft_notify+0x90/0xca
 [<ffffffff8166023d>] notifier_call_chain+0x4d/0x70
 [<ffffffff810bc369>] __raw_notifier_call_chain+0x9/0x10
 [<ffffffff81094a4b>] __cpu_notify+0x1b/0x30
 [<ffffffff81652cf7>] _cpu_up+0x103/0x14b
 [<ffffffff81652e18>] cpu_up+0xd9/0xec
 [<ffffffff8164a254>] store_online+0x94/0xd0
 [<ffffffff814122fb>] dev_attr_store+0x1b/0x20
 [<ffffffff81216404>] sysfs_write_file+0xf4/0x170

This patch fixes it.

Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: Rafael J. Wysocki <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agocpufreq: Add module aliases for acpi-cpufreq
Matthew Garrett [Tue, 22 Jan 2013 21:33:46 +0000 (22:33 +0100)]
cpufreq: Add module aliases for acpi-cpufreq

commit efa17194581bdfca0986dabc178908bd7c21ba00 upstream.

The acpi core will call request_module("acpi-cpufreq") on subsystem init,
but this will fail if the module isn't available at that stage of boot.
Add some module aliases to ensure that udev can load the module on Intel
and AMD systems with the appropriate feature bits - I /think/ that this
will also work on VIA systems, but haven't verified that.

Signed-off-by: Matthew Garrett <>
Tested-by: Leonid Isaev <>
Acked-by: Borislav Petkov <>
Signed-off-by: Rafael J. Wysocki <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agopowernow-k8: Add a kconfig dependency on acpi-cpufreq
Borislav Petkov [Thu, 17 Jan 2013 23:19:37 +0000 (00:19 +0100)]
powernow-k8: Add a kconfig dependency on acpi-cpufreq

commit 631e8ac18fd59722e7ceb15fceeef3f368c250f9 upstream.

Andreas reports in
that with his Gentoo config, acpi-cpufreq wasn't enabled and
powernow-k8 couldn't handoff properly to acpi-cpufreq leading to
running without P-state support (i.e., cores are constantly in P0).

To alleaviate that, we need to make powernow-k8 depend on acpi-cpufreq
so that acpi-cpufreq is always present.

Reported-by: Andreas <>
Signed-off-by: Borislav Petkov <>
Signed-off-by: Rafael J. Wysocki <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomodule: fix missing module_mutex unlock
Linus Torvalds [Mon, 21 Jan 2013 04:22:58 +0000 (20:22 -0800)]
module: fix missing module_mutex unlock

commit ee61abb3223e28a1a14a8429c0319755d20d3e40 upstream.

Commit 1fb9341ac348 ("module: put modules in list much earlier") moved
some of the module initialization code around, and in the process
changed the exit paths too.  But for the duplicate export symbol error
case the change made the ddebug_cleanup path jump to after the module
mutex unlock, even though it happens with the mutex held.

Rusty has some patches to split this function up into some helper
functions, hopefully the mess of complex goto targets will go away

Reported-by: Dan Carpenter <>
Cc: Rusty Russell <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomodule: put modules in list much earlier.
Rusty Russell [Sat, 12 Jan 2013 02:57:34 +0000 (13:27 +1030)]
module: put modules in list much earlier.

commit 1fb9341ac34825aa40354e74d9a2c69df7d2c304 upstream.

Prarit's excellent bug report:
> In recent Fedora releases (F17 & F18) some users have reported seeing
> messages similar to
> [   15.478160] kvm: Could not allocate 304 bytes percpu data
> [   15.478174] PERCPU: allocation failed, size=304 align=32, alloc from
> reserved chunk failed
> during system boot.  In some cases, users have also reported seeing this
> message along with a failed load of other modules.
> What is happening is systemd is loading an instance of the kvm module for
> each cpu found (see commit e9bda3b).  When the module load occurs the kernel
> currently allocates the modules percpu data area prior to checking to see
> if the module is already loaded or is in the process of being loaded.  If
> the module is already loaded, or finishes load, the module loading code
> releases the current instance's module's percpu data.

Now we have a new state MODULE_STATE_UNFORMED, we can insert the
module into the list (and thus guarantee its uniqueness) before we
allocate the per-cpu region.

Reported-by: Prarit Bhargava <>
Signed-off-by: Rusty Russell <>
Tested-by: Prarit Bhargava <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomodule: add new state MODULE_STATE_UNFORMED.
Rusty Russell [Sat, 12 Jan 2013 01:08:44 +0000 (11:38 +1030)]
module: add new state MODULE_STATE_UNFORMED.

commit 0d21b0e3477395e7ff2acc269f15df6e6a8d356d upstream.

You should never look at such a module, so it's excised from all paths
which traverse the modules list.

We add the state at the end, to avoid gratuitous ABI break (ksplice).

Signed-off-by: Rusty Russell <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrm/i915: Implement WaDisableHiZPlanesWhenMSAAEnabled
Daniel Vetter [Fri, 14 Dec 2012 22:38:28 +0000 (23:38 +0100)]
drm/i915: Implement WaDisableHiZPlanesWhenMSAAEnabled

commit 4283908ef7f11a72c3b80dd4cf026f1a86429f82 upstream.

Quoting from Bspec, 3D_CHICKEN1, bit 10

This bit needs to be set always to "1", Project: DevSNB "

Reviewed-by: Rodrigo Vivi <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrivers/firmware/dmi_scan.c: fetch dmi version from SMBIOS if it exists
Zhenzhong Duan [Thu, 20 Dec 2012 23:05:14 +0000 (15:05 -0800)]
drivers/firmware/dmi_scan.c: fetch dmi version from SMBIOS if it exists

commit 9f9c9cbb60576a1518d0bf93fb8e499cffccf377 upstream.

The right dmi version is in SMBIOS if it's zero in DMI region

This issue was originally found from an oracle bug.
One customer noticed system UUID doesn't match between dmidecode & uek2.

 - HP ProLiant BL460c G6 :
   # cat /sys/devices/virtual/dmi/id/product_uuid
   # dmidecode | grep -i uuid
   UUID: 00000000-0000-484C-3031-4D5030333531

From SMBIOS 2.6 on, spec use little-endian encoding for UUID other than
network byte order.

So we need to get dmi version to distinguish.  If version is 0.0, the
real version is taken from the SMBIOS version.  This is part of original
kernel comment in code.

[ checkpatch fixes]
Signed-off-by: Zhenzhong Duan <>
Cc: Feng Jin <>
Cc: Jean Delvare <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Abdallah Chatila <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrivers/firmware/dmi_scan.c: check dmi version when get system uuid
Zhenzhong Duan [Thu, 20 Dec 2012 23:05:13 +0000 (15:05 -0800)]
drivers/firmware/dmi_scan.c: check dmi version when get system uuid

commit f1d8e614d74b09531b9a85e812485340f3df7b1c upstream.

As of version 2.6 of the SMBIOS specification, the first 3 fields of the
UUID are supposed to be little-endian encoded.

Also a minor fix to match variable meaning and mute

[ tweak code comment]
Signed-off-by: Zhenzhong Duan <>
Cc: Feng Jin <>
Cc: Jean Delvare <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Abdallah Chatila <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoSCSI: sd: Reshuffle init_sd to avoid crash
Joel D. Diaz [Wed, 10 Oct 2012 08:36:11 +0000 (10:36 +0200)]
SCSI: sd: Reshuffle init_sd to avoid crash

commit afd5e34b2bb34881d3a789e62486814a49b47faa upstream.

scsi_register_driver will register a prep_fn() function, which
in turn migh need to use the sd_cdp_pool for DIF.
Which hasn't been initialised at this point, leading to
a crash. So reshuffle the init_sd() and exit_sd() paths
to have the driver registered last.

Signed-off-by: Joel D. Diaz <>
Signed-off-by: Hannes Reinecke <>
Signed-off-by: James Bottomley <>
Cc: CAI Qian <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agousb: musb: cppi_dma: drop '__init' annotation
Sergei Shtylyov [Fri, 14 Dec 2012 18:30:27 +0000 (21:30 +0300)]
usb: musb: cppi_dma: drop '__init' annotation

commit 091a62c9b3d899d99dbf4e3dbebc8dfa3edbccdd upstream.

This patch fixes the following:

WARNING: vmlinux.o(.text+0x1e709c): Section mismatch in reference from the funct
ion dma_controller_create() to the function .init.text:cppi_controller_start()
The function dma_controller_create() references
the function __init cppi_controller_start().
This is often because dma_controller_create lacks a __init
annotation or the annotation of cppi_controller_start is wrong.

This warning is there due to the deficiency in the commit 07a67bbb (usb: musb:
Make dma_controller_create __devinit).

Since the start() method is only called from musb_init_controller() which is
not annotated, drop '__init' annotation from cppi_controller_start() and also
cppi_pool_init() since it gets called from that function, to avoid another
section mismatch warning...

Signed-off-by: Sergei Shtylyov <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agousb: gadget: FunctionFS: Fix missing braces in parse_opts
Benoit Goby [Wed, 9 Jan 2013 03:57:09 +0000 (19:57 -0800)]
usb: gadget: FunctionFS: Fix missing braces in parse_opts

commit b810075002c9f25a6da83cecda39d789000a04a9 upstream.

Add missing braces around an if block in ffs_fs_parse_opts. This broke
parsing the uid/gid mount options and causes mount to fail when using
uid/gid. This has been introduced by commit b9b73f7c (userns: Convert usb
functionfs to use kuid/kgid where appropriate) in 3.7.

Signed-off-by: Benoit Goby <>
Acked-by: Michal Nazarewicz <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agousb: dwc3: gadget: fix ep->maxburst for ep0
Pratyush Anand [Fri, 18 Jan 2013 11:23:56 +0000 (16:53 +0530)]
usb: dwc3: gadget: fix ep->maxburst for ep0

commit 6048e4c69d80600baba35856651056860d5d8f5a upstream.

dwc3_gadget_set_ep_config expects maxburst as incremented by 1. So, by
default initialize ep->maxburst to 1 for ep0.

Signed-off-by: Pratyush Anand <>
Signed-off-by: Felipe Balbi <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUSB: UHCI: fix IRQ race during initialization
Alan Stern [Tue, 22 Jan 2013 16:37:35 +0000 (11:37 -0500)]
USB: UHCI: fix IRQ race during initialization

commit 0f815a0a700bc10547449bde6c106051a035a1b9 upstream.

This patch (as1644) fixes a race that occurs during startup in
uhci-hcd.  If the IRQ line is shared with other devices, it's possible
for the handler routine to be called before the data structures are
fully initialized.

The problem is fixed by adding a check to the IRQ handler routine.  If
the initialization hasn't finished yet, the routine will return

Signed-off-by: Alan Stern <>
Reported-by: Don Zickus <>
Tested-by: "Huang, Adrian (ISS Linux TW)" <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomedia: gspca_kinect: add Kinect for Windows USB id
Jacob Schloss [Sun, 9 Dec 2012 23:18:25 +0000 (20:18 -0300)]
media: gspca_kinect: add Kinect for Windows USB id

commit 98fd485795db064d0885150e2c0c7f296d8fe06e upstream.

Add the USB ID for the Kinect for Windows RGB camera so it can be used
with the gspca_kinect driver.

Signed-off-by: Jacob Schloss <>
Signed-off-by: Antonio Ospite <>
Signed-off-by: Hans de Goede <>
Signed-off-by: Mauro Carvalho Chehab <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoRevert "drivers/misc/ti-st: remove gpio handling"
Luciano Coelho [Mon, 21 Jan 2013 11:12:42 +0000 (13:12 +0200)]
Revert "drivers/misc/ti-st: remove gpio handling"

commit a7e2ca17039edb5f782be519eaf9d8ea500ba7cc upstream.

This reverts commit eccf2979b2c034b516e01b8a104c3739f7ef07d1.

The reason is that it broke TI WiLink shared transport on Panda.
Also, callback functions should not be added to board files anymore,
so revert to implementing the power functions in the driver itself.

Additionally, changed a variable name ('status' to 'err') so that this
revert compiles properly.

Acked-by: Tony Lindgren <>
Signed-off-by: Luciano Coelho <>
[changed "err" back to "status" to get it to build in 3.7 - gregkh]
Signed-off-by: Greg Kroah-Hartman <>
5 years agoPCI: shpchp: Use per-slot workqueues to avoid deadlock
Bjorn Helgaas [Fri, 11 Jan 2013 19:21:15 +0000 (12:21 -0700)]
PCI: shpchp: Use per-slot workqueues to avoid deadlock

commit f652e7d2916fe2fcf9e7d709aa5b7476b431e2dd upstream.

When we have an SHPC-capable bridge with a second SHPC-capable bridge
below it, pushing the upstream bridge's attention button causes a

The deadlock happens because we use the shpchp_wq workqueue to run
shpchp_pushbutton_thread(), which uses shpchp_disable_slot() to remove
devices below the upstream bridge.  When we remove the downstream bridge,
we call shpc_remove(), the shpchp driver's .remove() method.  That calls
flush_workqueue(shpchp_wq), which deadlocks because the
shpchp_pushbutton_thread() work item is still running.

This patch avoids the deadlock by creating a workqueue for every slot
and removing the single shared workqueue.

Here's the call path that leads to the deadlock:

    queue_work(shpchp_wq) # shpchp_pushbutton_thread

              shpc_remove # shpchp driver .remove method

This change is based on code inspection, since we don't have hardware
with this topology.

Based-on-patch-by: Yijing Wang <>
Signed-off-by: Bjorn Helgaas <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoPCI: shpchp: Handle push button event asynchronously
Bjorn Helgaas [Fri, 11 Jan 2013 19:07:22 +0000 (12:07 -0700)]
PCI: shpchp: Handle push button event asynchronously

commit d347e75847c1fb299c97736638f45e6ea39702d4 upstream.

Use non-ordered workqueue for attention button events.

Attention button events on each slot can be handled asynchronously. So
we should use non-ordered workqueue. This patch also removes ordered
workqueue in shpchp as a result.

486b10b9f4 ("PCI: pciehp: Handle push button event asynchronously") made
the same change to pciehp.  I split this out from a patch by Yijing Wang
<> so we fix one thing at a time and to make the
shpchp history correspond more closely with the pciehp history.

Signed-off-by: Bjorn Helgaas <>
CC: Kenji Kaneshige <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoPCI: pciehp: Use per-slot workqueues to avoid deadlock
Yijing Wang [Fri, 11 Jan 2013 02:15:54 +0000 (10:15 +0800)]
PCI: pciehp: Use per-slot workqueues to avoid deadlock

commit c2be6f93b383c873a4f9d521afa49b1b67d06085 upstream.

When we have a hotplug-capable PCIe port with a second hotplug-capable
PCIe port below it, removing the device below the upstream port causes
a deadlock.

The deadlock happens because we use the pciehp_wq workqueue to run
pciehp_power_thread(), which uses pciehp_disable_slot() to remove devices
below the upstream port.  When we remove the downstream PCIe port, we call
pciehp_remove(), the pciehp driver's .remove() method.  That calls
flush_workqueue(pciehp_wq), which deadlocks because the
pciehp_power_thread() work item is still running.

This patch avoids the deadlock by creating a workqueue for every PCIe port
and removing the single shared workqueue.

Here's the call path that leads to the deadlock:

    queue_work(pciehp_wq)                   # queue pciehp_power_thread

      pciehp_remove                 # pciehp driver .remove method

This is fairly urgent because it can be caused by simply unplugging a
Thunderbolt adapter, as reported by Daniel below.

[bhelgaas: changelog]
Reported-and-tested-by: Daniel J Blueman <>
Reviewed-by: Kenji Kaneshige <>
Signed-off-by: Yijing Wang <>
Signed-off-by: Bjorn Helgaas <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoPCI: Allow pcie_aspm=force even when FADT indicates it is unsupported
Colin Ian King [Tue, 27 Nov 2012 14:09:40 +0000 (14:09 +0000)]
PCI: Allow pcie_aspm=force even when FADT indicates it is unsupported

commit 9e16721498b0c3d3ebfa0b503c63d35c0a4c0642 upstream.

Right now using pcie_aspm=force will not enable ASPM if the FADT indicates
ASPM is unsupported.  However, the semantics of force should probably allow
for this, especially as they did before 3c076351c4 ("PCI: Rework ASPM
disable code")

This patch just skips the clearing of any ASPM setup that the firmware has
carried out on this bus if pcie_aspm=force is being used.

Signed-off-by: Colin Ian King <>
Signed-off-by: Bjorn Helgaas <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoPCI/AER: pci_get_domain_bus_and_slot() call missing required pci_dev_put()
Betty Dall [Sun, 13 Jan 2013 22:46:18 +0000 (15:46 -0700)]
PCI/AER: pci_get_domain_bus_and_slot() call missing required pci_dev_put()

commit a82b6af37d20bfe6e99a4d890f1cf1d89059929f upstream.

The function aer_recover_queue() calls pci_get_domain_bus_and_slot(), which
requires that the caller decrement the reference count with pci_dev_put().
This patch adds the missing call to pci_dev_put().

Signed-off-by: Betty Dall <>
Signed-off-by: Bjorn Helgaas <>
Reviewed-by: Shuah Khan <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoarm64: elf: fix core dumping to match what glibc expects
Will Deacon [Tue, 22 Jan 2013 15:34:40 +0000 (15:34 +0000)]
arm64: elf: fix core dumping to match what glibc expects

commit 9cf2b72b25f3f6a5a1a46a4f36037e66de52465c upstream.

The kernel's internal definition of ELF_NGREG uses struct pt_regs, which
means that we disagree with userspace on the size of coredumps since
glibc correctly uses the user-visible struct user_pt_regs.

This patch fixes our ELF_NGREG definition to use struct user_pt_regs
and introduces our own ELF_CORE_COPY_REGS to convert between the user
and kernel structure definitions.

Signed-off-by: Will Deacon <>
Signed-off-by: Catalin Marinas <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoarm64: makefile: fix uname munging when setting ARCH on native machine
Will Deacon [Fri, 18 Jan 2013 19:00:47 +0000 (19:00 +0000)]
arm64: makefile: fix uname munging when setting ARCH on native machine

commit f1b99392caf120d7533da260318fae0eb5053737 upstream.

By popular demand, arch/aarch64 is now known as arch/arm64. However,
uname -m (and indeed the GNU triplet) still use aarch64 as the machine

This patch fixes native builds of both the kernel and perf tools by
updating the relevant Makefiles to munge the output of uname -m and
set the ARCH variable appropriately.

Signed-off-by: Will Deacon <>
Signed-off-by: Catalin Marinas <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: hda - Add Conexant CX20755/20756/20757 codec IDs
Takashi Iwai [Mon, 21 Jan 2013 15:53:37 +0000 (16:53 +0100)]
ALSA: hda - Add Conexant CX20755/20756/20757 codec IDs

commit 42c364ace52ae6b4699105b39f2559c256b6cd4c upstream.

These are just compatible with other CX2075x codecs.

Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: hda - Fix mute led for another HP machine
David Henningsson [Fri, 18 Jan 2013 11:00:47 +0000 (12:00 +0100)]
ALSA: hda - Fix mute led for another HP machine

commit e04340375a314166e14519fca9e5b9e9394b2d7a upstream.

This machine also has the "HP_Mute_LED_0_A" string in DMI information.

Tested-by: Tammy Yang <>
Signed-off-by: David Henningsson <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agowake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task
Oleg Nesterov [Mon, 21 Jan 2013 19:48:17 +0000 (20:48 +0100)]
wake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task

commit 9067ac85d533651b98c2ff903182a20cbb361fcb upstream.

wake_up_process() should never wakeup a TASK_STOPPED/TRACED task.
Change it to use TASK_NORMAL and add the WARN_ON().

TASK_ALL has no other users, probably can be killed.

Signed-off-by: Oleg Nesterov <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL
Oleg Nesterov [Mon, 21 Jan 2013 19:48:00 +0000 (20:48 +0100)]
ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL

commit 9899d11f654474d2d54ea52ceaa2a1f4db3abd68 upstream.

putreg() assumes that the tracee is not running and pt_regs_access() can
safely play with its stack.  However a killed tracee can return from
ptrace_stop() to the low-level asm code and do RESTORE_REST, this means
that debugger can actually read/modify the kernel stack until the tracee
does SAVE_REST again.

set_task_blockstep() can race with SIGKILL too and in some sense this
race is even worse, the very fact the tracee can be woken up breaks the

As Linus suggested we can clear TASK_WAKEKILL around the arch_ptrace()
call, this ensures that nobody can ever wakeup the tracee while the
debugger looks at it.  Not only this fixes the mentioned problems, we
can do some cleanups/simplifications in arch_ptrace() paths.

Probably ptrace_unfreeze_traced() needs more callers, for example it
makes sense to make the tracee killable for oom-killer before

While at it, add the comment into may_ptrace_stop() to explain why
ptrace_stop() still can't rely on SIGKILL and signal_pending_state().

Reported-by: Salman Qazi <>
Reported-by: Suleiman Souhlal <>
Suggested-by: Linus Torvalds <>
Signed-off-by: Oleg Nesterov <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up()
Oleg Nesterov [Mon, 21 Jan 2013 19:47:41 +0000 (20:47 +0100)]
ptrace: introduce signal_wake_up_state() and ptrace_signal_wake_up()

commit 910ffdb18a6408e14febbb6e4b6840fd2c928c82 upstream.

Cleanup and preparation for the next change.

signal_wake_up(resume => true) is overused. None of ptrace/jctl callers
actually want to wakeup a TASK_WAKEKILL task, but they can't specify the
necessary mask.

Turn signal_wake_up() into signal_wake_up_state(state), reintroduce
signal_wake_up() as a trivial helper, and add ptrace_signal_wake_up()
which adds __TASK_TRACED.

This way ptrace_signal_wake_up() can work "inside" ptrace_request()
even if the tracee doesn't have the TASK_WAKEKILL bit set.

Signed-off-by: Oleg Nesterov <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoperf x86: revert 20b279 - require exclude_guest to use PEBS - kernel side
David Ahern [Sat, 29 Dec 2012 02:56:07 +0000 (19:56 -0700)]
perf x86: revert 20b279 - require exclude_guest to use PEBS - kernel side

commit a706d965dcfdff73bf2bad1c300f8119900714c7 upstream.

This patch is brought to you by the letter 'H'.

Commit 20b279 breaks compatiblity with older perf binaries when run with
precise modifier (:p or :pp) by requiring the exclude_guest attribute to be
set. Older binaries default exclude_guest to 0 (ie., wanting guest-based
samples) unless host only profiling is requested (:H modifier). The workaround
for older binaries is to add H to the modifier list (e.g., -e cycles:ppH -
toggles exclude_guest to 1). This was deemed unacceptable by Linus:

Between family in town and the fresh snow in Breckenridge there is no time left
to be working on the proper fix for this over the holidays. In the New Year I
have more pressing problems to resolve -- like some memory leaks in perf which
are proving to be elusive -- although the aforementioned snow is probably why
they are proving to be elusive. Either way I do not have any spare time to work
on this and from the time I have managed to spend on it the solution is more
difficult than just moving to a new exclude_guest flag (does not work) or
flipping the logic to include_guest (which is not as trivial as one would

So, two options: silently force exclude_guest on as suggested by Gleb which
means no impact to older perf binaries or revert the original patch which
caused the breakage.

This patch does the latter -- reverts the original patch that introduced the
regression. The problem can be revisited in the future as time allows.

Signed-off-by: David Ahern <>
Cc: Avi Kivity <>
Cc: Gleb Natapov <>
Cc: Ingo Molnar <>
Cc: Jiri Olsa <>
Cc: Linus Torvalds <>
Cc: Peter Zijlstra <>
Cc: Robert Richter <>
Signed-off-by: Arnaldo Carvalho de Melo <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agovfio-pci: Fix buffer overfill
Alex Williamson [Tue, 15 Jan 2013 17:45:26 +0000 (10:45 -0700)]
vfio-pci: Fix buffer overfill

commit ec1287e511320a2c9a02640b7ac02d5d79f56f08 upstream.

A read from a range hidden from the user (ex. MSI-X vector table)
attempts to fill the user buffer up to the end of the excluded range
instead of up to the requested count.  Fix it.

Signed-off-by: Alex Williamson <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoasync: fix __lowest_in_progress()
Tejun Heo [Wed, 23 Jan 2013 00:15:15 +0000 (16:15 -0800)]
async: fix __lowest_in_progress()

commit f56c3196f251012de9b3ebaff55732a9074fdaae upstream.

Commit 083b804c4d3e ("async: use workqueue for worker pool") made it
possible that async jobs are moved from pending to running out-of-order.
While pending async jobs will be queued and dispatched for execution in
the same order, nothing guarantees they'll enter "1) move self to the
running queue" of async_run_entry_fn() in the same order.

Before the conversion, async implemented its own worker pool.  An async
worker, upon being woken up, fetches the first item from the pending
list, which kept the executing lists sorted.  The conversion to
workqueue was done by adding work_struct to each async_entry and async
just schedules the work item.  The queueing and dispatching of such work
items are still in order but now each worker thread is associated with a
specific async_entry and moves that specific async_entry to the
executing list.  So, depending on which worker reaches that point
earlier, which is non-deterministic, we may end up moving an async_entry
with larger cookie before one with smaller one.

This broke __lowest_in_progress().  running->domain may not be properly
sorted and is not guaranteed to contain lower cookies than pending list
when not empty.  Fix it by ensuring sort-inserting to the running list
and always looking at both pending and running when trying to determine
the lowest cookie.

Over time, the async synchronization implementation became quite messy.
We better restructure it such that each async_entry is linked to two
lists - one global and one per domain - and not move it when execution
starts.  There's no reason to distinguish pending and running.  They
behave the same for synchronization purposes.

Signed-off-by: Tejun Heo <>
Cc: Arjan van de Ven <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agovirtio-blk: Don't free ida when disk is in use
Alexander Graf [Wed, 2 Jan 2013 05:07:17 +0000 (15:37 +1030)]
virtio-blk: Don't free ida when disk is in use

commit f4953fe6c4aeada2d5cafd78aa97587a46d2d8f9 upstream.

When a file system is mounted on a virtio-blk disk, we then remove it
and then reattach it, the reattached disk gets the same disk name and
ids as the hot removed one.

This leads to very nasty effects - mostly rendering the newly attached
device completely unusable.

Trying what happens when I do the same thing with a USB device, I saw
that the sd node simply doesn't get free'd when a device gets forcefully

Imitate the same behavior for vd devices. This way broken vd devices
simply are never free'd and newly attached ones keep working just fine.

Signed-off-by: Alexander Graf <>
Signed-off-by: Rusty Russell <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoevm: checking if removexattr is not a NULL
Dmitry Kasatkin [Fri, 18 Jan 2013 21:56:39 +0000 (23:56 +0200)]
evm: checking if removexattr is not a NULL

commit a67adb997419fb53540d4a4f79c6471c60bc69b6 upstream.

The following lines of code produce a kernel oops.

fchmod(fd, 0666);

[  139.922364] BUG: unable to handle kernel NULL pointer dereference at   (null)
[  139.924982] IP: [<  (null)>]   (null)
[  139.924982] *pde = 00000000
[  139.924982] Oops: 0000 [#5] SMP
[  139.924982] Modules linked in: fuse dm_crypt dm_mod i2c_piix4 serio_raw evdev binfmt_misc button
[  139.924982] Pid: 3070, comm: acpid Tainted: G      D      3.8.0-rc2-kds+ #465 Bochs Bochs
[  139.924982] EIP: 0060:[<00000000>] EFLAGS: 00010246 CPU: 0
[  139.924982] EIP is at 0x0
[  139.924982] EAX: cf5ef000 EBX: cf5ef000 ECX: c143d600 EDX: c15225f2
[  139.924982] ESI: cf4d2a1c EDI: cf4d2a1c EBP: cc02df10 ESP: cc02dee4
[  139.924982]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[  139.924982] CR0: 80050033 CR2: 00000000 CR3: 0c059000 CR4: 000006d0
[  139.924982] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[  139.924982] DR6: ffff0ff0 DR7: 00000400
[  139.924982] Process acpid (pid: 3070, ti=cc02c000 task=d7705340 task.ti=cc02c000)
[  139.924982] Stack:
[  139.924982]  c1203c88 00000000 cc02def4 cf4d2a1c ae21eefa 471b60d5 1083c1ba c26a5940
[  139.924982]  e891fb5e 00000041 00000004 cc02df1c c1203964 00000000 cc02df4c c10e20c3
[  139.924982]  00000002 00000000 00000000 22222222 c1ff2222 cf5ef000 00000000 d76efb08
[  139.924982] Call Trace:
[  139.924982]  [<c1203c88>] ? evm_update_evmxattr+0x5b/0x62
[  139.924982]  [<c1203964>] evm_inode_post_setattr+0x22/0x26
[  139.924982]  [<c10e20c3>] notify_change+0x25f/0x281
[  139.924982]  [<c10cbf56>] chmod_common+0x59/0x76
[  139.924982]  [<c10e27a1>] ? put_unused_fd+0x33/0x33
[  139.924982]  [<c10cca09>] sys_fchmod+0x39/0x5c
[  139.924982]  [<c13f4f30>] syscall_call+0x7/0xb
[  139.924982] Code:  Bad EIP value.

This happens because sockets do not define the removexattr operation.
Before removing the xattr, verify the removexattr function pointer is
not NULL.

Signed-off-by: Dmitry Kasatkin <>
Signed-off-by: Mimi Zohar <>
Signed-off-by: James Morris <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoftrace: Be first to run code modification on modules
Steven Rostedt [Fri, 14 Dec 2012 14:48:15 +0000 (09:48 -0500)]
ftrace: Be first to run code modification on modules

commit c1bf08ac26e92122faab9f6c32ea8aba94612dae upstream.

If some other kernel subsystem has a module notifier, and adds a kprobe
to a ftrace mcount point (now that kprobes work on ftrace points),
when the ftrace notifier runs it will fail and disable ftrace, as well
as kprobes that are attached to ftrace points.

Here's the error:

 WARNING: at kernel/trace/ftrace.c:1618 ftrace_bug+0x239/0x280()
 Hardware name: Bochs
 Modules linked in: fat(+) stap_56d28a51b3fe546293ca0700b10bcb29__8059(F) nfsv4 auth_rpcgss nfs dns_resolver fscache xt_nat iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack lockd sunrpc ppdev parport_pc parport microcode virtio_net i2c_piix4 drm_kms_helper ttm drm i2c_core [last unloaded: bid_shared]
 Pid: 8068, comm: modprobe Tainted: GF            3.7.0-0.rc8.git0.1.fc19.x86_64 #1
 Call Trace:
  [<ffffffff8105e70f>] warn_slowpath_common+0x7f/0xc0
  [<ffffffff81134106>] ? __probe_kernel_read+0x46/0x70
  [<ffffffffa0180000>] ? 0xffffffffa017ffff
  [<ffffffffa0180000>] ? 0xffffffffa017ffff
  [<ffffffff8105e76a>] warn_slowpath_null+0x1a/0x20
  [<ffffffff810fd189>] ftrace_bug+0x239/0x280
  [<ffffffff810fd626>] ftrace_process_locs+0x376/0x520
  [<ffffffff810fefb7>] ftrace_module_notify+0x47/0x50
  [<ffffffff8163912d>] notifier_call_chain+0x4d/0x70
  [<ffffffff810882f8>] __blocking_notifier_call_chain+0x58/0x80
  [<ffffffff81088336>] blocking_notifier_call_chain+0x16/0x20
  [<ffffffff810c2a23>] sys_init_module+0x73/0x220
  [<ffffffff8163d719>] system_call_fastpath+0x16/0x1b
 ---[ end trace 9ef46351e53bbf80 ]---
 ftrace failed to modify [<ffffffffa0180000>] init_once+0x0/0x20 [fat]
  actual: cc:bb:d2:4b:e1

A kprobe was added to the init_once() function in the fat module on load.
But this happened before ftrace could have touched the code. As ftrace
didn't run yet, the kprobe system had no idea it was a ftrace point and
simply added a breakpoint to the code (0xcc in the cc:bb:d2:4b:e1).

Then when ftrace went to modify the location from a call to mcount/fentry
into a nop, it didn't see a call op, but instead it saw the breakpoint op
and not knowing what to do with it, ftrace shut itself down.

The solution is to simply give the ftrace module notifier the max priority.
This should have been done regardless, as the core code ftrace modification
also happens very early on in boot up. This makes the module modification
closer to core modification.

Acked-by: Masami Hiramatsu <>
Reported-by: Frank Ch. Eigler <>
Signed-off-by: Steven Rostedt <>
5 years agolibata: replace sata_settings with devslp_timing
Shane Huang [Mon, 17 Dec 2012 15:18:59 +0000 (23:18 +0800)]
libata: replace sata_settings with devslp_timing

commit 803739d25c2343da6d2f95eebdcbc08bf67097d4 upstream.

NCQ capability was used to check availability of SATA Settings page
from Identify Device Data Log, which contains DevSlp timing variables.
It does not work on some HDDs and leads to error messages.

IDENTIFY word 78 bit 5(Hardware Feature Control) can't work either
because it is only the sufficient condition of Identify Device data
log, not the necessary condition.

This patch replaced ata_device->sata_settings with ->devslp_timing
to only save DevSlp timing variables(8 bytes), instead of the whole
SATA Settings page(512 bytes).


Reported-by: Borislav Petkov <>
Signed-off-by: Shane Huang <>
Signed-off-by: Jeff Garzik <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agolibata: ahci: Add support for Enmotus Bobcat device.
Hugh Daschbach [Fri, 4 Jan 2013 22:39:09 +0000 (14:39 -0800)]
libata: ahci: Add support for Enmotus Bobcat device.

commit 7f9c9f8e24590e7dcd26ca408458c43df5b83e61 upstream.

Silicon does not support standard AHCI BAR assignment.  Add
vendor/device exception to force BAR 2.

Signed-off-by: Hugh Daschbach <>
Signed-off-by: Jeff Garzik <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agolibata: ahci: Fix lack of command retry after a success error handler.
Bian Yu [Thu, 13 Dec 2012 03:26:58 +0000 (22:26 -0500)]
libata: ahci: Fix lack of command retry after a success error handler.

commit 1eaca39a84170b369fe61fb1da3c1e8606859e99 upstream.

It should be a mistake introduced by commit 8d899e70c1b3afff.

qc->flags can't be set AC_ERR_*

Signed-off-by: Bian Yu <>
Signed-off-by: Jeff Garzik <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrm/i915: Invalidate the relocation presumed_offsets along the slow path
Chris Wilson [Tue, 15 Jan 2013 16:17:54 +0000 (16:17 +0000)]
drm/i915: Invalidate the relocation presumed_offsets along the slow path

commit 262b6d363fcff16359c93bd58c297f961f6e6273 upstream.

In the slow path, we are forced to copy the relocations prior to
acquiring the struct mutex in order to handle pagefaults. We forgo
copying the new offsets back into the relocation entries in order to
prevent a recursive locking bug should we trigger a pagefault whilst
holding the mutex for the reservations of the execbuffer. Therefore, we
need to reset the presumed_offsets just in case the objects are rebound
back into their old locations after relocating for this exexbuffer - if
that were to happen we would assume the relocations were valid and leave
the actual pointers to the kernels dangling, instant hang.

Fixes regression from commit bcf50e2775bbc3101932d8e4ab8c7902aa4163b4
Author: Chris Wilson <>
Date:   Sun Nov 21 22:07:12 2010 +0000

    drm/i915: Handle pagefaults in execbuffer user relocations

Signed-off-by: Chris Wilson <>
Cc: Daniel Vetter <>
Signed-off-by: Daniel Vetter <>
5 years agoEnsure that kernel_init_freeable() is not inlined into non __init code
Vineet Gupta [Fri, 21 Dec 2012 06:55:44 +0000 (12:25 +0530)]
Ensure that kernel_init_freeable() is not inlined into non __init code

commit f80b0c904da93b9ad7db2fd9823dd701932df779 upstream.

Commit d6b2123802d "make sure that we always have a return path from
kernel_execve()" reshuffled kernel_init()/init_post() to ensure that
kernel_execve() has a caller to return to.

It removed __init annotation for kernel_init() and introduced/calls a
new routine kernel_init_freeable(). Latter however is inlined by any
reasonable compiler (ARC gcc 4.4 in this case), causing slight code

This patch forces kernel_init_freeable() as noinline reducing the .text

bloat-o-meter vmlinux vmlinux_new
add/remove: 1/0 grow/shrink: 0/1 up/down: 374/-334 (40)
function                        old     new   delta
kernel_init_freeable              -     374    +374 (.init.text)
kernel_init                     628     294    -334 (.text)

Signed-off-by: Al Viro <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomake sure that /linuxrc has std{in,out,err}
Al Viro [Sat, 19 Jan 2013 18:29:54 +0000 (13:29 -0500)]
make sure that /linuxrc has std{in,out,err}

commit 43b16820249396aea7eb57c747106e211e54bed5 upstream.

Signed-off-by: Al Viro <>
Cc: Barry Davis <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoLinux 3.7.4
Greg Kroah-Hartman [Mon, 21 Jan 2013 19:45:40 +0000 (11:45 -0800)]
Linux 3.7.4

5 years agopty: return EINVAL for TIOCGPTN for BSD ptys
Jiri Slaby [Fri, 11 Jan 2013 11:06:27 +0000 (12:06 +0100)]
pty: return EINVAL for TIOCGPTN for BSD ptys

commit ded2f295a36d17838fe97e80d7b6ea83381474f8 upstream.

Commit bbb63c514a3464342967237a51a21ea8f61ab951 (drivers:tty:fix up
ENOIOCTLCMD error handling) changed the default return value from tty
ioctl to be ENOTTY and not EINVAL. This is appropriate.

But in case of TIOCGPTN for the old BSD ptys glibc started failing
because it expects EINVAL to be returned. Only then it continues to
obtain the pts name the other way around.

So fix this case by explicit return of EINVAL in this case.

Signed-off-by: Jiri Slaby <>
Reported-by: Florian Westphal <>
Cc: Alan Cox <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agomxs: uart: fix setting RTS from software
Steffen Trumtrar [Thu, 13 Dec 2012 13:27:43 +0000 (14:27 +0100)]
mxs: uart: fix setting RTS from software

commit a6833214cfc6fa8a7c59426af77794cc190c6cfc upstream.

With the patch "serial: mxs-auart: fix the wrong RTS hardware flow control" the
mainline mxs-uart driver now sets RTSEN only when hardware flow control is
enabled via software. It is not possible any longer to set RTS manually via
software. However, the manual modification is a valid operation.
Regain the possibility to set RTS via software and only set RTSEN when hardware
flow control is explicitly enabled via settermios cflag CRTSCTS.

Signed-off-by: Steffen Trumtrar <>
Reviewed-by: Huang Shijie <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agostaging: vt6656: Fix inconsistent structure packing
Ben Hutchings [Mon, 14 Jan 2013 01:29:17 +0000 (01:29 +0000)]
staging: vt6656: Fix inconsistent structure packing

commit 1ee4c55fc9620451b2a825d793042a7e0775391b upstream.

vt6656 has several headers that use the #pragma pack(1) directive to
enable structure packing, but never disable it.  The layout of
structures defined in other headers can then depend on which order the
various headers are included in, breaking the One Definition Rule.

In practice this resulted in crashes on x86_64 until the order of header
inclusion was changed for some files in commit 11d404cb56ecd ('staging:
vt6656: fix headers and add cfg80211.').  But we need a proper fix that
won't be affected by future changes to the order of inclusion.

This removes the #pragma pack(1) directives and adds __packed to the
structure definitions for which packing appears to have been intended.

Reported-and-tested-by: Malcolm Priestley <>
Signed-off-by: Ben Hutchings <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agostaging: wlan-ng: Fix clamping of returned SSID length
Tormod Volden [Wed, 9 Jan 2013 21:23:32 +0000 (22:23 +0100)]
staging: wlan-ng: Fix clamping of returned SSID length

commit 811a37effdb11e54e1ff1ddaa944286c88f58487 upstream.

Commit 2e254212 broke listing of available network names, since it
clamped the length of the returned SSID to WLAN_BSSID_LEN (6) instead of

Signed-off-by: Tormod Volden <>
Signed-off-by: Greg Kroah-Hartman <>
5 years ago8250/16?50: Add support for Broadcom TruManage redirected serial port
Stephen Hurd [Thu, 17 Jan 2013 22:14:53 +0000 (14:14 -0800)]
8250/16?50: Add support for Broadcom TruManage redirected serial port

commit ebebd49a8eab5e9aa1b1f8f1614ccc3c2120f886 upstream.

Add support for the UART device present in Broadcom TruManage capable
NetXtreme chips (ie: 5761m 5762, and 5725).

This implementation has a hidden transmit FIFO, so running in single-byte
interrupt mode results in too many interrupts.  The UART_CAP_HFIFO
capability was added to track this.  It continues to reload the THR as long
as the THRE and TSRE bits are set in the LSR up to a specified limit (1024
is used here).

Signed-off-by: Stephen Hurd <>
Signed-off-by: Michael Chan <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotty: 8250_dw: Fix inverted arguments to serial_out in IRQ handler
Maxime Ripard [Mon, 14 Jan 2013 19:09:26 +0000 (20:09 +0100)]
tty: 8250_dw: Fix inverted arguments to serial_out in IRQ handler

commit 68e56cb3a068f9c30971c6117fbbd1e32918e49e upstream.

Signed-off-by: Maxime Ripard <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotty: serial: vt8500: fix return value check in vt8500_serial_probe()
Wei Yongjun [Sun, 2 Dec 2012 10:10:44 +0000 (05:10 -0500)]
tty: serial: vt8500: fix return value check in vt8500_serial_probe()

commit a6dd114e16cbc4410049a90a8a67b967333d108d upstream.

In case of error, function of_clk_get() returns ERR_PTR()
and never returns NULL. The NULL test in the return value
check should be replaced with IS_ERR().

Signed-off-by: Wei Yongjun <>
Acked-by: Tony Prisk <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoserial:ifx6x60:Delete SPI timer when shut down port
chao bi [Wed, 12 Dec 2012 03:40:56 +0000 (11:40 +0800)]
serial:ifx6x60:Delete SPI timer when shut down port

commit 014b9b4ce84281ccb3d723c792bed19815f3571a upstream.

When shut down SPI port, it's possible that MRDY has been asserted and a SPI
timer was activated waiting for SRDY assert, in the case, it needs to delete
this timer.

Signed-off-by: Chen Jun <>
Signed-off-by: channing <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUSB: option: blacklist network interface on ONDA MT8205 4G LTE
Bjørn Mork [Thu, 17 Jan 2013 14:14:22 +0000 (15:14 +0100)]
USB: option: blacklist network interface on ONDA MT8205 4G LTE

Signed-off-by: Bjørn Mork <>
commit 2291dff02e5f8c708a46a7c4c888f2c467e26642 upstream.

The driver description files gives these names to the vendor specific
functions on this modem:

 Diag   VID_19D2&PID_0265&MI_00
 NMEA   VID_19D2&PID_0265&MI_01
 AT cmd VID_19D2&PID_0265&MI_02
 Modem  VID_19D2&PID_0265&MI_03
 Net    VID_19D2&PID_0265&MI_04

Signed-off-by: Bjørn Mork <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUSB: option: add TP-LINK HSUPA Modem MA180
Bjørn Mork [Tue, 15 Jan 2013 09:29:49 +0000 (10:29 +0100)]
USB: option: add TP-LINK HSUPA Modem MA180

commit 99beb2e9687ffd61c92a9875141eabe6f57a71b9 upstream.

The driver description files gives these names to the vendor specific
functions on this modem:

 Diagnostics VID_2357&PID_0201&MI_00
 NMEA        VID_2357&PID_0201&MI_01
 Modem       VID_2357&PID_0201&MI_03
 Networkcard VID_2357&PID_0201&MI_04

Reported-by: Thomas Schäfer <>
Signed-off-by: Bjørn Mork <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoUSB: io_ti: Fix NULL dereference in chase_port()
Wolfgang Frisch [Thu, 17 Jan 2013 00:07:02 +0000 (01:07 +0100)]
USB: io_ti: Fix NULL dereference in chase_port()

commit 1ee0a224bc9aad1de496c795f96bc6ba2c394811 upstream.

The tty is NULL when the port is hanging up.
chase_port() needs to check for this.

This patch is intended for stable series.
The behavior was observed and tested in Linux 3.2 and 3.7.1.

Johan Hovold submitted a more elaborate patch for the mainline kernel.

[   56.277883] usb 1-1: edge_bulk_in_callback - nonzero read bulk status received: -84
[   56.278811] usb 1-1: USB disconnect, device number 3
[   56.278856] usb 1-1: edge_bulk_in_callback - stopping read!
[   56.279562] BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
[   56.280536] IP: [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[   56.281212] PGD 1dc1b067 PUD 1e0f7067 PMD 0
[   56.282085] Oops: 0002 [#1] SMP
[   56.282744] Modules linked in:
[   56.283512] CPU 1
[   56.283512] Pid: 25, comm: khubd Not tainted 3.7.1 #1 innotek GmbH VirtualBox/VirtualBox
[   56.283512] RIP: 0010:[<ffffffff8144e62a>]  [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[   56.283512] RSP: 0018:ffff88001fa99ab0  EFLAGS: 00010046
[   56.283512] RAX: 0000000000000046 RBX: 00000000000001c8 RCX: 0000000000640064
[   56.283512] RDX: 0000000000010000 RSI: ffff88001fa99b20 RDI: 00000000000001c8
[   56.283512] RBP: ffff88001fa99b20 R08: 0000000000000000 R09: 0000000000000000
[   56.283512] R10: 0000000000000000 R11: ffffffff812fcb4c R12: ffff88001ddf53c0
[   56.283512] R13: 0000000000000000 R14: 00000000000001c8 R15: ffff88001e19b9f4
[   56.283512] FS:  0000000000000000(0000) GS:ffff88001fd00000(0000) knlGS:0000000000000000
[   56.283512] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[   56.283512] CR2: 00000000000001c8 CR3: 000000001dc51000 CR4: 00000000000006e0
[   56.283512] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   56.283512] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   56.283512] Process khubd (pid: 25, threadinfo ffff88001fa98000, task ffff88001fa94f80)
[   56.283512] Stack:
[   56.283512]  0000000000000046 00000000000001c8 ffffffff810578ec ffffffff812fcb4c
[   56.283512]  ffff88001e19b980 0000000000002710 ffffffff812ffe81 0000000000000001
[   56.283512]  ffff88001fa94f80 0000000000000202 ffffffff00000001 0000000000000296
[   56.283512] Call Trace:
[   56.283512]  [<ffffffff810578ec>] ? add_wait_queue+0x12/0x3c
[   56.283512]  [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
[   56.283512]  [<ffffffff812ffe81>] ? chase_port+0x84/0x2d6
[   56.283512]  [<ffffffff81063f27>] ? try_to_wake_up+0x199/0x199
[   56.283512]  [<ffffffff81263a5c>] ? tty_ldisc_hangup+0x222/0x298
[   56.283512]  [<ffffffff81300171>] ? edge_close+0x64/0x129
[   56.283512]  [<ffffffff810612f7>] ? __wake_up+0x35/0x46
[   56.283512]  [<ffffffff8106135b>] ? should_resched+0x5/0x23
[   56.283512]  [<ffffffff81264916>] ? tty_port_shutdown+0x39/0x44
[   56.283512]  [<ffffffff812fcb4c>] ? usb_serial_port_work+0x28/0x28
[   56.283512]  [<ffffffff8125d38c>] ? __tty_hangup+0x307/0x351
[   56.283512]  [<ffffffff812e6ddc>] ? usb_hcd_flush_endpoint+0xde/0xed
[   56.283512]  [<ffffffff8144e625>] ? _raw_spin_lock_irqsave+0x14/0x35
[   56.283512]  [<ffffffff812fd361>] ? usb_serial_disconnect+0x57/0xc2
[   56.283512]  [<ffffffff812ea99b>] ? usb_unbind_interface+0x5c/0x131
[   56.283512]  [<ffffffff8128d738>] ? __device_release_driver+0x7f/0xd5
[   56.283512]  [<ffffffff8128d9cd>] ? device_release_driver+0x1a/0x25
[   56.283512]  [<ffffffff8128d393>] ? bus_remove_device+0xd2/0xe7
[   56.283512]  [<ffffffff8128b7a3>] ? device_del+0x119/0x167
[   56.283512]  [<ffffffff812e8d9d>] ? usb_disable_device+0x6a/0x180
[   56.283512]  [<ffffffff812e2ae0>] ? usb_disconnect+0x81/0xe6
[   56.283512]  [<ffffffff812e4435>] ? hub_thread+0x577/0xe82
[   56.283512]  [<ffffffff8144daa7>] ? __schedule+0x490/0x4be
[   56.283512]  [<ffffffff8105798f>] ? abort_exclusive_wait+0x79/0x79
[   56.283512]  [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
[   56.283512]  [<ffffffff812e3ebe>] ? usb_remote_wakeup+0x2f/0x2f
[   56.283512]  [<ffffffff810570b4>] ? kthread+0x81/0x89
[   56.283512]  [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
[   56.283512]  [<ffffffff8145387c>] ? ret_from_fork+0x7c/0xb0
[   56.283512]  [<ffffffff81057033>] ? __kthread_parkme+0x5c/0x5c
[   56.283512] Code: 8b 7c 24 08 e8 17 0b c3 ff 48 8b 04 24 48 83 c4 10 c3 53 48 89 fb 41 50 e8 e0 0a c3 ff 48 89 04 24 e8 e7 0a c3 ff ba 00 00 01 00
<f0> 0f c1 13 48 8b 04 24 89 d1 c1 ea 10 66 39 d1 74 07 f3 90 66
[   56.283512] RIP  [<ffffffff8144e62a>] _raw_spin_lock_irqsave+0x19/0x35
[   56.283512]  RSP <ffff88001fa99ab0>
[   56.283512] CR2: 00000000000001c8
[   56.283512] ---[ end trace 49714df27e1679ce ]---

Signed-off-by: Wolfgang Frisch <>
Cc: Johan Hovold <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoxen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.
Frediano Ziglio [Wed, 16 Jan 2013 12:00:55 +0000 (12:00 +0000)]
xen: Fix stack corruption in xen_failsafe_callback for 32bit PVOPS guests.

commit 9174adbee4a9a49d0139f5d71969852b36720809 upstream.

This fixes CVE-2013-0190 / XSA-40

There has been an error on the xen_failsafe_callback path for failed
iret, which causes the stack pointer to be wrong when entering the
iret_exc error path.  This can result in the kernel crashing.

In the classic kernel case, the relevant code looked a little like:

        popl %eax      # Error code from hypervisor
        jz 5f
        addl $16,%esp
        jmp iret_exc   # Hypervisor said iret fault
5:      addl $16,%esp
                       # Hypervisor said segment selector fault

Here, there are two identical addls on either option of a branch which
appears to have been optimised by hoisting it above the jz, and
converting it to an lea, which leaves the flags register unaffected.

In the PVOPS case, the code looks like:

        popl_cfi %eax         # Error from the hypervisor
        lea 16(%esp),%esp     # Add $16 before choosing fault path
        jz 5f
        addl $16,%esp         # Incorrectly adjust %esp again
        jmp iret_exc

It is possible unprivileged userspace applications to cause this
behaviour, for example by loading an LDT code selector, then changing
the code selector to be not-present.  At this point, there is a race
condition where it is possible for the hypervisor to return back to
userspace from an interrupt, fault on its own iret, and inject a
failsafe_callback into the kernel.

This bug has been present since the introduction of Xen PVOPS support
in commit 5ead97c84 (xen: Core Xen implementation), in 2.6.23.

Signed-off-by: Frediano Ziglio <>
Signed-off-by: Andrew Cooper <>
Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoxen/grant-table: correctly initialize grant table version 1
Matt Wilson [Tue, 15 Jan 2013 13:21:27 +0000 (13:21 +0000)]
xen/grant-table: correctly initialize grant table version 1

commit d0b4d64aadb9f4a90669848de9ef3819050a98cd upstream.

Commit 85ff6acb075a484780b3d763fdf41596d8fc0970 (xen/granttable: Grant
tables V2 implementation) changed the GREFS_PER_GRANT_FRAME macro from
a constant to a conditional expression. The expression depends on
grant_table_version being appropriately set. Unfortunately, at init
time grant_table_version will be 0. The GREFS_PER_GRANT_FRAME
conditional expression checks for "grant_table_version == 1", and
therefore returns the number of grant references per frame for v2.

This causes gnttab_init() to allocate fewer pages for gnttab_list, as
a frame can old half the number of v2 entries than v1 entries. After
gnttab_resume() is called, grant_table_version is appropriately
set. nr_init_grefs will then be miscalculated and gnttab_free_count
will hold a value larger than the actual number of free gref entries.

If a guest is heavily utilizing improperly initialized v1 grant
tables, memory corruption can occur. One common manifestation is
corruption of the vmalloc list, resulting in a poisoned pointer
derefrence when accessing /proc/meminfo or /proc/vmallocinfo:

[   40.770064] BUG: unable to handle kernel paging request at 0000200200001407
[   40.770083] IP: [<ffffffff811a6fb0>] get_vmalloc_info+0x70/0x110
[   40.770102] PGD 0
[   40.770107] Oops: 0000 [#1] SMP
[   40.770114] CPU 10

This patch introduces a static variable, grefs_per_grant_frame, to
cache the calculated value. gnttab_init() now calls
gnttab_request_version() early so that grant_table_version and
grefs_per_grant_frame can be appropriately set. A few BUG_ON()s have
been added to prevent this type of bug from reoccurring in the future.

Signed-off-by: Matt Wilson <>
Reviewed-and-Tested-by: Steven Noonan <>
Acked-by: Ian Campbell <>
Cc: Konrad Rzeszutek Wilk <>
Cc: Annie Li <>
Signed-off-by: Konrad Rzeszutek Wilk <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoigb: release already assigned MSI-X interrupts if setup fails
Stefan Assmann [Tue, 4 Dec 2012 06:00:17 +0000 (06:00 +0000)]
igb: release already assigned MSI-X interrupts if setup fails

commit 52285b762b3681669215bf1d17ca6143448ab7d3 upstream.

During MSI-X setup the system might run out of vectors. If this happens the
already assigned vectors for this NIC should be freed before trying the
disable MSI-X. Failing to do so results in the following oops.

kernel BUG at drivers/pci/msi.c:341!
Call Trace:
 [<ffffffff8128f39d>] pci_disable_msix+0x3d/0x60
 [<ffffffffa037d1ce>] igb_reset_interrupt_capability+0x27/0x5c [igb]
 [<ffffffffa037d229>] igb_clear_interrupt_scheme+0x26/0x2d [igb]
 [<ffffffffa0384268>] igb_request_irq+0x73/0x297 [igb]
 [<ffffffffa0384554>] __igb_open+0xc8/0x223 [igb]
 [<ffffffffa0384815>] igb_open+0x13/0x15 [igb]
 [<ffffffff8144592f>] __dev_open+0xbf/0x120
 [<ffffffff81443e51>] __dev_change_flags+0xa1/0x180
 [<ffffffff81445828>] dev_change_flags+0x28/0x70
 [<ffffffff814af537>] devinet_ioctl+0x5b7/0x620
 [<ffffffff814b01c8>] inet_ioctl+0x88/0xa0
 [<ffffffff8142e8a0>] sock_do_ioctl+0x30/0x70
 [<ffffffff8142ecf2>] sock_ioctl+0x72/0x270
 [<ffffffff8118062c>] do_vfs_ioctl+0x8c/0x340
 [<ffffffff81180981>] sys_ioctl+0xa1/0xb0
 [<ffffffff815161a9>] system_call_fastpath+0x16/0x1b
Code: 48 89 df e8 1f 40 ed ff 4d 39 e6 49 8b 45 10 75 b6 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f c9 c3 48 8b 7b 20 e8 3e 91 db ff eb ae <0f> 0b eb fe 0f 1f 84 00 00 00 00 00 55 48 89 e5 0f 1f 44 00 00
RIP  [<ffffffff8128e144>] free_msi_irqs+0x124/0x130
 RSP <ffff880037503bd8>

Signed-off-by: Stefan Assmann <>
Tested-by: Aaron Brown <>
Signed-off-by: Jeff Kirsher <>
Signed-off-by: Abdallah Chatila <>
5 years agointel-iommu: Prevent devices with RMRRs from being placed into SI Domain
Tom Mingarelli [Tue, 20 Nov 2012 19:43:17 +0000 (19:43 +0000)]
intel-iommu: Prevent devices with RMRRs from being placed into SI Domain

commit ea2447f700cab264019b52e2b417d689e052dcfd upstream.

This patch is to prevent non-USB devices that have RMRRs associated with them from
being placed into the SI Domain during init. This fixes the issue where the RMRR info
for devices being placed in and out of the SI Domain gets lost.

Signed-off-by: Thomas Mingarelli <>
Tested-by: Shuah Khan <>
Reviewed-by: Donald Dutile <>
Reviewed-by: Alex Williamson <>
Signed-off-by: Joerg Roedel <>
Cc: CAI Qian <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotarget: Add link_magic for fabric allow_link destination target_items
Nicholas Bellinger [Wed, 5 Dec 2012 07:43:57 +0000 (23:43 -0800)]
target: Add link_magic for fabric allow_link destination target_items

commit 0ff8754981261a80f4b77db2536dfea92c2d4539 upstream.

This patch adds [dev,lun]_link_magic value assignment + checks within generic
target_fabric_port_link() and target_fabric_mappedlun_link() code to ensure
destination config_item *target_item sent from configfs_symlink() ->
config_item_operations->allow_link() is the underlying se_device->dev_group
and se_lun->lun_group that we expect to symlink.

Reported-by: Sebastian Andrzej Siewior <>
Cc: Sebastian Andrzej Siewior <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: CAI Qian <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrm/radeon: fix a bogus kfree
Ilija Hadzic [Mon, 7 Jan 2013 23:21:58 +0000 (18:21 -0500)]
drm/radeon: fix a bogus kfree

commit a6b7e1a02b77ab8fe8775d20a88c53d8ba55482e upstream.

parser->chunks[.].kpage[.] is not always kmalloc-ed
by the parser initialization, so parser_fini should
not try to kfree it if it didn't allocate it.

This patch fixes a kernel oops that can be provoked
in UMS mode.

Signed-off-by: Ilija Hadzic <>
Signed-off-by: Alex Deucher <>
Signed-off-by: Shuah Khan <>
Cc: CAI Qian <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrm/radeon: fix NULL pointer dereference in UMS mode
Ilija Hadzic [Mon, 7 Jan 2013 23:21:57 +0000 (18:21 -0500)]
drm/radeon: fix NULL pointer dereference in UMS mode

commit ff4bd0827764e10a428a9d39e6814c5478863f94 upstream.

In UMS mode parser->rdev is NULL, so dereferencing
will cause an oops.

Signed-off-by: Ilija Hadzic <>
Signed-off-by: Alex Deucher <>
Cc: CAI Qian <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agousb: chipidea: Allow disabling streaming not only in udc mode
Fabio Estevam [Sat, 22 Dec 2012 11:24:11 +0000 (09:24 -0200)]
usb: chipidea: Allow disabling streaming not only in udc mode

commit 929473ea05db455ad88cdc081f2adc556b8dc48f upstream.

When running a scp transfer using a USB/Ethernet adapter the following crash

$ scp test.tar.gz fabio@
fabio@'s password:
test.tar.gz                                      0%    0     0.0KB/s   --:-- ETA
------------[ cut here ]------------
WARNING: at net/sched/sch_generic.c:255 dev_watchdog+0x2cc/0x2f0()
NETDEV WATCHDOG: eth0 (asix): transmit queue 0 timed out
Modules linked in:
[<80011c94>] (dump_backtrace+0x0/0x10c) from [<804d3a5c>] (dump_stack+0x18/0x1c)
 r6:000000ff r5:80412388 r4:80685dc0 r3:80696cc0
[<804d3a44>] (dump_stack+0x0/0x1c) from [<80021868>]
[<80021814>] (warn_slowpath_common+0x0/0x6c) from [<80021924>]

Setting SDIS (Stream Disable Mode- bit 4 of USBMODE register) fixes the problem.

However, in current code CI13XXX_DISABLE_STREAMING flag is only set in udc mode,
so allow disabling streaming also in host mode.

Tested on a mx6qsabrelite board.

Suggested-by: Peter Chen <>
Signed-off-by: Fabio Estevam <>
Reviewed-by: Peter Chen <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoext4: init pagevec in ext4_da_block_invalidatepages
Eric Sandeen [Thu, 15 Nov 2012 03:22:05 +0000 (22:22 -0500)]
ext4: init pagevec in ext4_da_block_invalidatepages

commit 66bea92c69477a75a5d37b9bfed5773c92a3c4b4 upstream.

ext4_da_block_invalidatepages is missing a pagevec_init(),
which means that pvec->cold contains random garbage.

This affects whether the page goes to the front or
back of the LRU when ->cold makes it to

Reviewed-by: Lukas Czerner <>
Reviewed-by: Carlos Maiolino <>
Signed-off-by: Eric Sandeen <>
Signed-off-by: "Theodore Ts'o" <>
Signed-off-by: CAI Qian <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: usb - fix race in creation of M-Audio Fast track pro driver
David Henningsson [Fri, 4 Jan 2013 16:02:18 +0000 (17:02 +0100)]
ALSA: usb - fix race in creation of M-Audio Fast track pro driver

commit b98ae2729dea161edc96c9d177459b6c28bcbba5 upstream.

A patch in the 3.2 kernel caused regression with hotplugging the
M-Audio Fast track pro, or sound after suspend. I don't have the
device so I haven't done a full analysis, but it seems userspace
(both udev and pulseaudio) got confused when a card was created,
immediately destroyed, and then created again.

However, at least one person in the bug report (martin djfun)
reports that this patch resolves the issue for him. It also leaves
a message in the log:
"snd-usb-audio: probe of 1-1.1:1.1 failed with error -5" which is
a bit misleading. It is better than non-working audio, but maybe
there's a more elegant solution?

Signed-off-by: David Henningsson <>
Signed-off-by: Takashi Iwai <>
Cc: CAI Qian <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agox86/Sandy Bridge: reserve pages when integrated graphics is present
Jesse Barnes [Wed, 14 Nov 2012 20:43:31 +0000 (20:43 +0000)]
x86/Sandy Bridge: reserve pages when integrated graphics is present

commit a9acc5365dbda29f7be2884efb63771dc24bd815 upstream.

SNB graphics devices have a bug that prevent them from accessing certain
memory ranges, namely anything below 1M and in the pages listed in the
table.  So reserve those at boot if set detect a SNB gfx device on the
CPU to avoid GPU hangs.

Stephane Marchesin had a similar patch to the page allocator awhile
back, but rather than reserving pages up front, it leaked them at
allocation time.

[ hpa: made a number of stylistic changes, marked arrays as static
  const, and made less verbose; use "memblock=debug" for full
  verbosity. ]

Signed-off-by: Jesse Barnes <>
Signed-off-by: H. Peter Anvin <>
Cc: CAI Qian <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agos390/time: fix sched_clock() overflow
Heiko Carstens [Mon, 14 Jan 2013 15:55:55 +0000 (16:55 +0100)]
s390/time: fix sched_clock() overflow

commit ed4f20943cd4c7b55105c04daedf8d63ab6d499c upstream.

Converting a 64 Bit TOD format value to nanoseconds means that the value
must be divided by 4.096. In order to achieve that we multiply with 125
and divide by 512.
When used within sched_clock() this triggers an overflow after appr.
417 days. Resulting in a sched_clock() return value that is much smaller
than previously and therefore may cause all sort of weird things in
subsystems that rely on a monotonic sched_clock() behaviour.

To fix this implement a tod_to_ns() helper function which converts TOD
values without overflow and call this function from both places that
open coded the conversion: sched_clock() and kvm_s390_handle_wait().

Reviewed-by: Martin Schwidefsky <>
Signed-off-by: Heiko Carstens <>
Signed-off-by: Martin Schwidefsky <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotarget: Release se_cmd when LUN lookup fails for TMR
Roland Dreier [Wed, 2 Jan 2013 20:47:59 +0000 (12:47 -0800)]
target: Release se_cmd when LUN lookup fails for TMR

commit 5a3b6fc0092c5f8dee7820064ee54d2631d48573 upstream.

When transport_lookup_tmr_lun() fails and we return a task management
response from target_complete_tmr_failure(), we need to call
transport_cmd_check_stop_to_fabric() to release the last ref to the
cmd after calling se_tfo->queue_tm_rsp(), or else we will never remove
the failed TMR from the session command list (and we'll end up waiting
forever when trying to tear down the session).

(nab: Fix minor compile breakage)

Signed-off-by: Roland Dreier <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotarget: Fix use-after-free in LUN RESET handling
Roland Dreier [Wed, 2 Jan 2013 20:47:58 +0000 (12:47 -0800)]
target: Fix use-after-free in LUN RESET handling

commit 72b59d6ee8adaa51f70377db0a1917ed489bead8 upstream.

If a backend IO takes a really long then an initiator might abort a
command, and then when it gives up on the abort, send a LUN reset too,
all before we process any of the original command or the abort.  (The
abort will wait for the backend IO to complete too)

When the backend IO final completes (or fails), the abort handling
will proceed and queue up a "return aborted status" operation.  Then,
while that's still pending, the LUN reset might find the original
command still on the LUN's list of commands and try to return aborted
status again, which leads to a use-after free when the first
se_tfo->queue_status call frees the command and then the second
se_tfo->queue_status call runs.

Fix this by removing a command from the LUN state_list when we first
are about to queue aborted status; we shouldn't do anything
LUN-related after we've started returning status, so this seems like
the correct thing to do.

Signed-off-by: Roland Dreier <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotarget: Fix missing CMD_T_ACTIVE bit regression for pending WRITEs
Roland Dreier [Wed, 2 Jan 2013 20:47:57 +0000 (12:47 -0800)]
target: Fix missing CMD_T_ACTIVE bit regression for pending WRITEs

commit e627c615553a356f6f70215ebb3933c6e057553e upstream.

This patch fixes a regression bug introduced during v3.6.x code with
the following commit to drop transport_add_cmd_to_queue(), which
originally re-set CMD_T_ACTIVE during pending WRITE I/O submission:

commit af8772926f019b7bddd7477b8de5f3b0f12bad21
Author: Christoph Hellwig <>
Date:   Sun Jul 8 15:58:49 2012 -0400

    target: replace the processing thread with a TMR work queue

The following sequence happens for write commands (or any other
commands with a data out phase):

 - The transport calls target_submit_cmd(), which sets CMD_T_ACTIVE in
   cmd->transport_state and sets cmd->t_state to TRANSPORT_NEW_CMD.
 - Things go on transport_generic_new_cmd(), which notices that the
   command needs to transfer data, so it sets cmd->t_state to
   TRANSPORT_WRITE_PENDING and calls transport_cmd_check_stop().
 - transport_cmd_check_stop() clears CMD_T_ACTIVE in cmd->transport_state
   and returns in the normal case.
 - Then we continue on to call ->se_tfo->write_pending().
 - The data comes back from the initiator, and the transport calls
   target_execute_cmd(), which sets cmd->t_state to TRANSPORT_PROCESSING
   and calls into the backend to actually write the data.

At this point, the backend might take a long time to complete the
command, since it has to do real IO.  If an abort request comes in for
this command at this point, it will not wait for the command to finish
since CMD_T_ACTIVE is not set.  Then when the command does finally
finish, we blow up with use-after-free.

Avoid this by setting CMD_T_ACTIVE in target_execute_cmd() so that
transport_wait_for_tasks() waits for the command to finish executing.
This matches the behavior from before commit 1389533ef944 ("target:
remove transport_generic_handle_data"), when data was signaled via
transport_generic_handle_data(), which set CMD_T_ACTIVE because it
called transport_add_cmd_to_queue().

Signed-off-by: Roland Dreier <>
Reported-by: Martin Svec <>
Cc: Christoph Hellwig <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotcm_fc: Do not report target role when target is not defined
Mark Rustad [Fri, 21 Dec 2012 18:58:19 +0000 (10:58 -0800)]
tcm_fc: Do not report target role when target is not defined

commit edec8dfefa1f372b2dd8197da555352e76a10c03 upstream.

Clear the target role when no target is provided for
the node performing a PRLI.

Signed-off-by: Mark Rustad <>
Reviewed-by: Bhanu Prakash Gollapudi <>
Acked by Robert Love <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotcm_fc: Do not indicate retry capability to initiators
Mark Rustad [Fri, 21 Dec 2012 18:58:14 +0000 (10:58 -0800)]
tcm_fc: Do not indicate retry capability to initiators

commit f2eeba214bcd0215b7f558cab6420e5fd153042b upstream.

When generating a PRLI response to an initiator, clear the
FCP_SPPF_RETRY bit in the response.

Signed-off-by: Mark Rustad <>
Reviewed-by: Bhanu Prakash Gollapudi <>
Acked by Robert Love <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agotarget: use correct sense code for LUN communication failure
Hannes Reinecke [Mon, 17 Dec 2012 08:53:32 +0000 (09:53 +0100)]
target: use correct sense code for LUN communication failure

commit 18a9df42d53fabfa43b78be1104838cc8b9762e1 upstream.

The ASC/ASCQ code for 'Logical Unit Communication failure' is
0x08/0x00; 0x80/0x00 is vendor specific.

Signed-off-by: Hannes Reinecke <>
Cc: Nicholas Bellinger <>
Signed-off-by: Nicholas Bellinger <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoarm64: mm: only wrprotect clean ptes if they are present
Will Deacon [Wed, 9 Jan 2013 11:08:10 +0000 (11:08 +0000)]
arm64: mm: only wrprotect clean ptes if they are present

commit 02522463c84748b3b8ad770f9424bcfa70a5b4c4 upstream.

Marking non-present ptes as read-only can corrupt file ptes, breaking
things like swap and file mappings.

This patch ensures that we only manipulate user pte bits when the pte
is marked present.

Signed-off-by: Will Deacon <>
Signed-off-by: Catalin Marinas <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agofirmware: make sure the fw file size is not 0
Luciano Coelho [Tue, 15 Jan 2013 08:43:43 +0000 (10:43 +0200)]
firmware: make sure the fw file size is not 0

commit 4adf07fba3bd64472921a01aae0e116f9f948b77 upstream.

If the requested firmware file size is 0 bytes in the filesytem, we
will try to vmalloc(0), which causes a warning:

  vmalloc: allocation failure: 0 bytes
  kworker/1:1: page allocation failure: order:0, mode:0xd2
    wl18xx_setup+0xb4/0x570 [wl18xx]
    wlcore_nvs_cb+0x64/0x9f8 [wlcore]

To fix this, check whether the file size is less than or equal to zero
in fw_read_file_contents().

Signed-off-by: Luciano Coelho <>
Acked-by: Ming Lei <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agosh: Fix FDPIC binary loader
Thomas Schwinge [Fri, 16 Nov 2012 09:46:20 +0000 (10:46 +0100)]
sh: Fix FDPIC binary loader

commit 4a71997a3279a339e7336ea5d0cd27282e2dea44 upstream.

Ensure that the aux table is properly initialized, even when optional features
are missing.  Without this, the FDPIC loader did not work.  This was meant to
be included in commit d5ab780305bb6d60a7b5a74f18cf84eb6ad153b1.

Signed-off-by: Thomas Schwinge <>
Signed-off-by: Paul Mundt <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoALSA: hda/hdmi - Work around "alsactl restore" errors
Takashi Iwai [Tue, 15 Jan 2013 13:44:41 +0000 (14:44 +0100)]
ALSA: hda/hdmi - Work around "alsactl restore" errors

commit 6f54c361329dbb67dac9de174e938992651d12d7 upstream.

When "alsactl restore" is performed on HDMI codecs, it tries to
restore the channel map value since the channel map controls are
writable.  But hdmi_chmap_ctl_put() returns -EBADFD when no PCM stream
is assigned yet, and this results in an error message from alsactl.
Although the error is harmless, it's certainly ugly and can be
regarded as a regression.

As a workaround, this patch changes the return code in such a case to
be zero for making others happy.  (A slight excuse is: when the chmap
is changed through the proper alsa-lib API, the PCM status is checked
there anyway, so we don't have to be too strict in the kernel side.)

Signed-off-by: Takashi Iwai <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoLinux 3.7.3
Greg Kroah-Hartman [Thu, 17 Jan 2013 16:47:40 +0000 (08:47 -0800)]
Linux 3.7.3

5 years agodrm/i915: Treat crtc->mode.clock == 0 as disabled
Chris Wilson [Mon, 7 Jan 2013 10:11:40 +0000 (10:11 +0000)]
drm/i915: Treat crtc->mode.clock == 0 as disabled

commit 3490ea5de6ac4af309c3df8a26a5cca61306334c upstream.

Prevent a divide-by-zero by consistently treating an 'active' CRTC
without a mode set as actually disabled.

This looks to have been first introduced with

commit 24929352481f085c5f85d4d4cbc919ddf106d381
Author: Daniel Vetter <>
Date:   Mon Jul 2 20:28:59 2012 +0200

    drm/i915: read out the modeset hw state at load and resume time

but then combined with

commit b0a2658acb5bf9ca86b4aab011b7106de3af0add
Author: Daniel Vetter <>
Date:   Tue Dec 18 09:37:54 2012 +0100

    drm/i915: don't disable disconnected outputs

it finally started oopsing.

Signed-off-by: Chris Wilson <>
Reported-and-tested-by: Alexey Zaytsev <>
Tested-by: Sedat Dilek <>
Cc: Daniel Vetter <>
Cc: Jesse Barnes <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoi915: ensure that VGA plane is disabled
Krzysztof Mazur [Wed, 19 Dec 2012 10:03:41 +0000 (11:03 +0100)]
i915: ensure that VGA plane is disabled

commit 0fde901f1ddd2ce0e380a6444f1fb7ca555859e9 upstream.

Some broken systems (like HP nc6120) in some cases, usually after LID
close/open, enable VGA plane, making display unusable (black screen on LVDS,
some strange mode on VGA output). We used to disable VGA plane only once at
startup. Now we also check, if VGA plane is still disabled while changing
mode, and fix that if something changed it.

Signed-off-by: Krzysztof Mazur <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agodrm/i915: force restore on lid open
Daniel Vetter [Fri, 23 Nov 2012 17:16:34 +0000 (18:16 +0100)]
drm/i915: force restore on lid open

commit 45e2b5f640b3766da3eda48f6c35f088155c06f3 upstream.

There seem to be indeed some awkwards machines around, mostly those
without OpRegion support, where the firmware changes the display hw
state behind our backs when closing the lid.

This force-restore logic has been originally introduced in

commit c1c7af60892070e4b82ad63bbfb95ae745056de0
Author: Jesse Barnes <>
Date:   Thu Sep 10 15:28:03 2009 -0700

    drm/i915: force mode set at lid open time

but after the modeset-rework we've disabled it in the vain hope that
it's no longer required:

commit 3b7a89fce3e3dc96b549d6d829387b4439044d0d
Author: Daniel Vetter <>
Date:   Mon Sep 17 22:27:21 2012 +0200

    drm/i915: fix OOPS in lid_notify

Alas, no.

Tested-by: Krzysztof Mazur <>
Reviewed-by: Jesse Barnes <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: CAI Qian <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agolibceph: Unlock unprocessed pages in start_read() error path
David Zafman [Tue, 4 Dec 2012 03:14:05 +0000 (19:14 -0800)]
libceph: Unlock unprocessed pages in start_read() error path

(cherry picked from commit 8884d53dd63b1d9315b343564fcbe1ede004a99e)

Function start_read() can get an error before processing all pages.
It must not only release the remaining pages, but unlock them too.

This fixes

Signed-off-by: David Zafman <>
Reviewed-by: Alex Elder <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoceph: call handle_cap_grant() for cap import message
Yan, Zheng [Mon, 19 Nov 2012 02:49:09 +0000 (10:49 +0800)]
ceph: call handle_cap_grant() for cap import message

(cherry picked from commit 0e5e1774a92e6fe9c511585de8f078b4c4c68dbb)

If client sends cap message that requests new max size during
exporting caps, the exporting MDS will drop the message quietly.
So the client may wait for the reply that updates the max size
forever. call handle_cap_grant() for cap import message can
avoid this issue.

Signed-off-by: Yan, Zheng <>
Signed-off-by: Sage Weil <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoceph: Fix __ceph_do_pending_vmtruncate
Yan, Zheng [Mon, 19 Nov 2012 02:49:08 +0000 (10:49 +0800)]
ceph: Fix __ceph_do_pending_vmtruncate

(cherry picked from commit a85f50b6ef93fbbb2ae932ce9b2376509d172796)

we should set i_truncate_pending to 0 after page cache is truncated
to i_truncate_size

Signed-off-by: Yan, Zheng <>
Signed-off-by: Sage Weil <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoceph: Don't add dirty inode to dirty list if caps is in migration
Yan, Zheng [Mon, 19 Nov 2012 02:49:07 +0000 (10:49 +0800)]
ceph: Don't add dirty inode to dirty list if caps is in migration

(cherry picked from commit 0685235ffd9dbdb9ccbda587f8a3c83ad1d5a921)

Add dirty inode to cap_dirty_migrating list instead, this can avoid
ceph_flush_dirty_caps() entering infinite loop.

Signed-off-by: Yan, Zheng <>
Signed-off-by: Sage Weil <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoceph: Fix infinite loop in __wake_requests
Yan, Zheng [Mon, 19 Nov 2012 02:49:06 +0000 (10:49 +0800)]
ceph: Fix infinite loop in __wake_requests

(cherry picked from commit ed75ec2cd19b47efcd292b6e23f58e56f4c5bc34)

__wake_requests() will enter infinite loop if we use it to wake
requests in the session->s_waiting list. __wake_requests() deletes
requests from the list and __do_request() adds requests back to
the list.

Signed-off-by: Yan, Zheng <>
Signed-off-by: Sage Weil <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoceph: Don't update i_max_size when handling non-auth cap
Yan, Zheng [Mon, 19 Nov 2012 02:49:04 +0000 (10:49 +0800)]
ceph: Don't update i_max_size when handling non-auth cap

(cherry picked from commit 5e62ad30157d0da04cf40c6d1a2f4bc840948b9c)

The cap from non-auth mds doesn't have a meaningful max_size value.

Signed-off-by: Yan, Zheng <>
Signed-off-by: Sage Weil <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agorbd: remove linger unconditionally
Alex Elder [Thu, 6 Dec 2012 15:37:23 +0000 (09:37 -0600)]
rbd: remove linger unconditionally

(cherry picked from commit 61c74035626beb25a39b0273ccf7d75510bc36a1)

In __unregister_linger_request(), the request is being removed
from the osd client's req_linger list only when the request
has a non-null osd pointer.  It should be done whether or not
the request currently has an osd.

This is most likely a non-issue because I believe the request
will always have an osd when this function is called.

Signed-off-by: Alex Elder <>
Reviewed-by: Sage Weil <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agorbd: get rid of RBD_MAX_SEG_NAME_LEN
Alex Elder [Fri, 9 Nov 2012 21:05:54 +0000 (15:05 -0600)]
rbd: get rid of RBD_MAX_SEG_NAME_LEN

(cherry picked from commit 2fd82b9e92c2a718ae81fc987b4468ceeee6979b)

RBD_MAX_SEG_NAME_LEN represents the maximum length of an rbd object
name (i.e., one of the objects providing storage backing an rbd

Another symbol, MAX_OBJ_NAME_SIZE, is used in the osd client code to
define the maximum length of any object name in an osd request.

Right now they disagree, with RBD_MAX_SEG_NAME_LEN being too big.

There's no real benefit at this point to defining the rbd object
name length limit separate from any other object name, so just
get rid of RBD_MAX_SEG_NAME_LEN and use MAX_OBJ_NAME_SIZE in its

Signed-off-by: Alex Elder <>
Reviewed-by: Sage Weil <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agorbd: do not allow remove of mounted-on image
Alex Elder [Fri, 16 Nov 2012 15:29:16 +0000 (09:29 -0600)]
rbd: do not allow remove of mounted-on image

(cherry picked from commit 42382b709bd1d143b9f0fa93e0a3a1f2f4210707)

There is no check in rbd_remove() to see if anybody holds open the
image being removed.  That's not cool.

Add a simple open count that goes up and down with opens and closes
(releases) of the device, and don't allow an rbd image to be removed
if the count is non-zero.

Protect the updates of the open count value with ctl_mutex to ensure
the underlying rbd device doesn't get removed while concurrently
being opened.

Signed-off-by: Alex Elder <>
Reviewed-by: Sage Weil <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agorbd: remove snapshots on error in rbd_add()
Alex Elder [Fri, 26 Oct 2012 04:34:40 +0000 (23:34 -0500)]
rbd: remove snapshots on error in rbd_add()

(cherry picked from commit 41f38c2b2f8b66b176a0e548ef06294343a7bfa2)

If rbd_dev_snaps_update() has ever been called for an rbd device
structure there could be snapshot structures on its snaps list.
In rbd_add(), this function is called but a subsequent error
path neglected to clean up any of these snapshots.

Add a call to rbd_remove_all_snaps() in the appropriate spot to
remedy this.  Change a couple of error labels to be a little
clearer while there.

Drop the leading underscores from the function name; there's nothing
special about that function that they might signify.  As suggested
in review, the leading underscores in __rbd_remove_snap_dev() have
been removed as well.

Signed-off-by: Alex Elder <>
Reviewed-by: Josh Durgin <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agorbd: increase maximum snapshot name length
Alex Elder [Tue, 3 Jul 2012 21:01:19 +0000 (16:01 -0500)]
rbd: increase maximum snapshot name length

(cherry picked from commit d4b125e9eb43babd14538ba61718e3db71a98d29)

Change RBD_MAX_SNAP_NAME_LEN to be based on NAME_MAX.  That is a
practical limit for the length of a snapshot name (based on the
presence of a directory using the name under /sys/bus/rbd to
represent the snapshot).

The /sys entry is created by prefixing it with "snap_"; define that
prefix symbolically, and take its length into account in defining
the snapshot name length limit.

Enforce the limit in rbd_add_parse_args().  Also delete a dout()
call in that function that was not meant to be committed.

Signed-off-by: Alex Elder <>
Reviewed-by: Dan Mick <>
Reviewed-by: Josh Durgin <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agorbd: fix read-only option name
Alex Elder [Mon, 22 Oct 2012 16:31:26 +0000 (11:31 -0500)]
rbd: fix read-only option name

(cherry picked from commit be466c1cc36621590ef17b05a6d342dfd33f7280)

The name of the "read-only" mapping option was inadvertently changed
in this commit:

    f84344f3 rbd: separate mapping info in rbd_dev

Revert that hunk to return it to what it should be.

Signed-off-by: Alex Elder <>
Reviewed-by: Dan Mick <>
Reviewed-by: Josh Durgin <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agorbd: zero return code in rbd_dev_image_id()
Alex Elder [Thu, 11 Oct 2012 04:19:13 +0000 (21:19 -0700)]
rbd: zero return code in rbd_dev_image_id()

(cherry picked from commit a0ea3a40fd20b8c66381f747c454f89d6d1f50d4)

When rbd_dev_probe() calls rbd_dev_image_id() it expects to get
a 0 return code if successful, but it is getting a positive value.

The reason is that rbd_dev_image_id() returns the value it gets from
rbd_req_sync_exec(), which returns the number of bytes read in as a
result of the request.  (This ultimately comes from
ceph_copy_from_page_vector() in rbd_req_sync_op()).

Force the return value to 0 when successful in rbd_dev_image_id().
Do the same in rbd_dev_v2_object_prefix().

Signed-off-by: Alex Elder <>
Reviewed-by: Josh Durgin <>
Reviewed-by: Dan Mick <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agorbd: fix bug in rbd_dev_id_put()
Alex Elder [Thu, 11 Oct 2012 04:19:13 +0000 (21:19 -0700)]
rbd: fix bug in rbd_dev_id_put()

(cherry picked from commit b213e0b1a62637b2a9395a34349b13d73ca2b90a)

In rbd_dev_id_put(), there's a loop that's intended to determine
the maximum device id in use.  But it isn't doing that at all,
the effect of how it's written is to simply use the just-put id
number, which ignores whole purpose of this function.

Fix the bug.

Signed-off-by: Alex Elder <>
Reviewed-by: Josh Durgin <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoceph: don't reference req after put
Alex Elder [Thu, 29 Nov 2012 14:37:03 +0000 (08:37 -0600)]
ceph: don't reference req after put

(cherry picked from commit 7d5f24812bd182a2471cb69c1c2baf0648332e1f)

In __unregister_request(), there is a call to list_del_init()
referencing a request that was the subject of a call to
ceph_osdc_put_request() on the previous line.  This is not
safe, because the request structure could have been freed
by the time we reach the list_del_init().

Fix this by reversing the order of these lines.

Signed-off-by: Alex Elder <>
Reviewed-off-by: Sage Weil <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agolibceph: remove 'osdtimeout' option
Sage Weil [Wed, 28 Nov 2012 20:28:24 +0000 (12:28 -0800)]
libceph: remove 'osdtimeout' option

(cherry picked from commit 83aff95eb9d60aff5497e9f44a2ae906b86d8e88)

This would reset a connection with any OSD that had an outstanding
request that was taking more than N seconds.  The idea was that if the
OSD was buggy, the client could compensate by resending the request.

In reality, this only served to hide server bugs, and we haven't
actually seen such a bug in quite a while.  Moreover, the userspace
client code never did this.

More importantly, often the request is taking a long time because the
OSD is trying to recover, or overloaded, and killing the connection
and retrying would only make the situation worse by giving the OSD
more work to do.

Signed-off-by: Sage Weil <>
Reviewed-by: Alex Elder <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agolibceph: avoid using freed osd in __kick_osd_requests()
Alex Elder [Fri, 7 Dec 2012 15:57:58 +0000 (09:57 -0600)]
libceph: avoid using freed osd in __kick_osd_requests()

(cherry picked from commit 685a7555ca69030739ddb57a47f0ea8ea80196a4)

If an osd has no requests and no linger requests, __reset_osd()
will just remove it with a call to __remove_osd().  That drops
a reference to the osd, and therefore the osd may have been free
by the time __reset_osd() returns.  That function offers no
indication this may have occurred, and as a result the osd will
continue to be used even when it's no longer valid.

Change__reset_osd() so it returns an error (ENODEV) when it
deletes the osd being reset.  And change __kick_osd_requests() so it
returns immediately (before referencing osd again) if __reset_osd()
returns *any* error.

Signed-off-by: Alex Elder <>
Reviewed-by: Sage Weil <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agolibceph: fix osdmap decode error paths
Sage Weil [Mon, 29 Oct 2012 18:01:42 +0000 (11:01 -0700)]
libceph: fix osdmap decode error paths

(cherry picked from commit 0ed7285e0001b960c888e5455ae982025210ed3d)

Ensure that we set the err value correctly so that we do not pass a 0
value to ERR_PTR and confuse the calling code.  (In particular,
osd_client.c handle_map() will BUG(!newmap)).

Signed-off-by: Sage Weil <>
Reviewed-by: Alex Elder <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agolibceph: fix protocol feature mismatch failure path
Sage Weil [Fri, 28 Dec 2012 02:27:04 +0000 (20:27 -0600)]
libceph: fix protocol feature mismatch failure path

(cherry picked from commit 0fa6ebc600bc8e830551aee47a0e929e818a1868)

We should not set con->state to CLOSED here; that happens in
ceph_fault() in the caller, where it first asserts that the state
is not yet CLOSED.  Avoids a BUG when the features don't match.

Since the fail_protocol() has become a trivial wrapper, replace
calls to it with direct calls to reset_connection().

Signed-off-by: Sage Weil <>
Reviewed-by: Alex Elder <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agoRevert "drm/i915: no lvds quirk for Zotac ZDBOX SD ID12/ID13"
Daniel Vetter [Mon, 7 Jan 2013 09:27:13 +0000 (10:27 +0100)]
Revert "drm/i915: no lvds quirk for Zotac ZDBOX SD ID12/ID13"

commit 48e858340dae43189a4e55647f6eac736766f828 upstream.

This reverts commit 9756fe38d10b2bf90c81dc4d2f17d5632e135364.

The bogus lvds output is actually a lvds->hdmi bridge, which we don't
really support. But unconditionally disabling it breaks some existing

Reported-by: John Tapsell <>
Signed-off-by: Daniel Vetter <>
Cc: Luis Henriques <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agolibceph: WARN, don't BUG on unexpected connection states
Alex Elder [Wed, 26 Dec 2012 16:43:57 +0000 (10:43 -0600)]
libceph: WARN, don't BUG on unexpected connection states

(cherry picked from commit 122070a2ffc91f87fe8e8493eb0ac61986c5557c)

A number of assertions in the ceph messenger are implemented with
BUG_ON(), killing the system if connection's state doesn't match
what's expected.  At this point our state model is (evidently) not
well understood enough for these assertions to trigger a BUG().
Convert all BUG_ON(con->state...) calls to be WARN_ON(con->state...)
so we learn about these issues without killing the machine.

We now recognize that a connection fault can occur due to a socket
closure at any time, regardless of the state of the connection.  So
there is really nothing we can assert about the state of the
connection at that point so eliminate that assertion.

Reported-by: Ugis <>
Tested-by: Ugis <>
Signed-off-by: Alex Elder <>
Reviewed-by: Sage Weil <>
Signed-off-by: Greg Kroah-Hartman <>
5 years agolibceph: always reset osds when kicking
Alex Elder [Wed, 26 Dec 2012 20:31:40 +0000 (14:31 -0600)]
libceph: always reset osds when kicking

(cherry picked from commit e6d50f67a6b1a6252a616e6e629473b5c4277218)

When ceph_osdc_handle_map() is called to process a new osd map,
kick_requests() is called to ensure all affected requests are
updated if necessary to reflect changes in the osd map.  This
happens in two cases:  whenever an incremental map update is
processed; and when a full map update (or the last one if there is
more than one) gets processed.

In the former case, the kick_requests() call is followed immediately
by a call to reset_changed_osds() to ensure any connections to osds
affected by the map change are reset.  But for full map updates
this isn't done.

Both cases should be doing this osd reset.

Rather than duplicating the reset_changed_osds() call, move it into
the end of kick_requests().

Signed-off-by: Alex Elder <>
Reviewed-by: Sage Weil <>
Signed-off-by: Greg Kroah-Hartman <>