2014-02-21 00:09:43

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 00/99] 3.13.5-stable review

This is the start of the stable review cycle for the 3.13.5 release.
There are 99 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sat Feb 22 23:51:00 UTC 2014.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.13.5-rc1.gz
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 3.13.5-rc1

Borislav Petkov <[email protected]>
EDAC: Correct workqueue setup path

Borislav Petkov <[email protected]>
EDAC: Poll timeout cannot be zero, p2

Prarit Bhargava <[email protected]>
drivers/edac/edac_mc_sysfs.c: poll timeout cannot be zero

Paul Gortmaker <[email protected]>
genirq: Add missing irq_to_desc export for CONFIG_SPARSE_IRQ=n

Nicholas Bellinger <[email protected]>
target: Fix free-after-use regression in PR unregister

Steven Rostedt (Red Hat) <[email protected]>
ring-buffer: Fix first commit on sub-buffer having non-zero delta

Krzysztof Kozlowski <[email protected]>
power: max17040: Fix NULL pointer dereference when there is no platform_data

Mikulas Patocka <[email protected]>
time: Fix overflow when HZ is smaller than 60

Wolfram Sang <[email protected]>
i2c: mv64xxx: refactor message start to ensure proper initialization

Oleg Nesterov <[email protected]>
md/raid5: Fix CPU hotplug callback registration

NeilBrown <[email protected]>
md/raid1: restore ability for check and repair to fix read errors.

Thomas Gleixner <[email protected]>
tick: Clear broadcast pending bit when switching to oneshot

Dan Carpenter <[email protected]>
KVM: return an error code in kvm_vm_ioctl_register_coalesced_mmio()

Mike Marciniszyn <[email protected]>
IB/qib: Add missing serdes init sequence

Sudeep Dutt <[email protected]>
misc: mic: fix possible signed underflow (undefined behavior) in userspace API

Steven Noonan <[email protected]>
compiler/gcc4: Make quirk for asm_volatile_goto() unconditional

Mika Westerberg <[email protected]>
ACPI / hotplug / PCI: Relax the checking of _STA return values

Jens Axboe <[email protected]>
block: add cond_resched() to potentially long running ioctl discard loop

Martin K. Petersen <[email protected]>
block: Fix nr_vecs for inline integrity vectors

Tejun Heo <[email protected]>
block: __elv_next_request() shouldn't call into the elevator if bypassing

Jan Moskyto Matejka <[email protected]>
Modpost: fixed USB alias generation for ranges including 0x9 and 0xA

Sarah Sharp <[email protected]>
Revert "usbcore: set lpm_capable field for LPM capable root hubs"

Sarah Sharp <[email protected]>
Revert "usb: xhci: Link TRB must not occur within a USB payload burst"

Sarah Sharp <[email protected]>
Revert "xhci: Avoid infinite loop when sg urb requires too many trbs"

Sarah Sharp <[email protected]>
Revert "xhci: Set scatter-gather limit to avoid failed block writes."

Sarah Sharp <[email protected]>
xhci 1.0: Limit arbitrarily-aligned scatter gather.

Kristóf Ralovich <[email protected]>
USB: simple: add Dynastream ANT USB-m Stick device support

Raymond Wanyoike <[email protected]>
usb: option: blacklist ZTE MF667 net interface

Alan Stern <[email protected]>
usb-storage: enable multi-LUN scanning when needed

Alan Stern <[email protected]>
usb-storage: restrict bcdDevice range for Super Top in Cypress ATACB

Alan Stern <[email protected]>
usb-storage: add unusual-devs entry for BlackBerry 9000

Ulrich Hahn <[email protected]>
USB: ftdi_sio: add Tagsys RFID Reader IDs

Bjørn Mork <[email protected]>
usb: ftdi_sio: add Mindstorms EV3 console adapter

K. Y. Srinivasan <[email protected]>
Drivers: hv: vmbus: Don't timeout during the initial connection with host

K. Y. Srinivasan <[email protected]>
Drivers: hv: vmbus: Specify the target CPU that should receive notification

Martyn Welch <[email protected]>
VME: Correct read/write alignment algorithm

Alexander Usyskin <[email protected]>
mei: don't unset read cb ptr on reset

Alexander Usyskin <[email protected]>
mei: clear write cb from waiting list on reset

Takashi Iwai <[email protected]>
ALSA: hda - Fix mic capture on Sony VAIO Pro 11

David Henningsson <[email protected]>
ALSA: hda - Add a headset quirk for Dell XPS 13

Steven Rostedt (Red Hat) <[email protected]>
ftrace/x86: Use breakpoints for converting function graph caller

H. Peter Anvin <[email protected]>
x86, smap: smap_violation() is bogus if CONFIG_X86_SMAP is off

H. Peter Anvin <[email protected]>
x86, smap: Don't enable SMAP if CONFIG_X86_SMAP is disabled

Beomho Seo <[email protected]>
iio: ak8975: Fix calculation formula for convert micro tesla to gauss unit

Marcus Folkesson <[email protected]>
iio: adis16400: Set timestamp as the last element in chan_spec

Guenter Roeck <[email protected]>
iio: max1363: Use devm_regulator_get_optional for optional regulator

Hartmut Knaack <[email protected]>
staging:iio:ad799x fix typo in ad799x_events[]

Hartmut Knaack <[email protected]>
staging:iio:ad799x fix error_free_irq which was freeing an irq that may not have been requested

Julia Lawall <[email protected]>
staging:iio:impedance:ad5933: correct error check

H Hartley Sweeten <[email protected]>
staging: comedi: adv_pci1710: fix analog output readback value

Larry Finger <[email protected]>
staging: r8188eu: Fix typo in USB_DEVICE list

Cédric Dufour <[email protected]>
staging: lustre: fix quotactl permission denied (LU-4530)

Linus Walleij <[email protected]>
ARM: pxa: fix compilation problem on AM300EPD board

Bjørn Mork <[email protected]>
usb: qcserial: add Netgear Aircard 340U

Markus Pargmann <[email protected]>
serial: omap-serial: Move info message to probe function

Petr Písař <[email protected]>
vt: Fix secure clear screen

Alex Deucher <[email protected]>
drm/radeon/cik: use POLL_REG_MEM special op for sDMA HDP flush

Alex Deucher <[email protected]>
drm/radeon: consolidate sdma hdp flushing code for CIK

Mika Kuoppala <[email protected]>
drm/i915: Pair va_copy with va_end in i915_error_vprintf

Daniel Vetter <[email protected]>
drm/i915: Fix intel_pipe_to_cpu_transcoder for UMS

Imre Deak <[email protected]>
drm/i915: vlv: fix DP PHY lockup due to invalid PP sequencer setup

Christian König <[email protected]>
drm/radeon: fix UVD IRQ support on SI

Alex Deucher <[email protected]>
drm/radeon: fix UVD IRQ support on 7xx

Peter Hurley <[email protected]>
n_tty: Fix stale echo output

Hannes Reinecke <[email protected]>
tty: Set correct tty name in 'active' sysfs attribute

Lars Poeschel <[email protected]>
tty: n_gsm: Fix for modems with brk in modem status control

NeilBrown <[email protected]>
lockd: send correct lock when granting a delayed lock.

Doug Anderson <[email protected]>
hwmon: (ntc_thermistor) Avoid math overflow

Paul Bolle <[email protected]>
raw: test against runtime value of max_raw_minors

Qipan Li <[email protected]>
serial: sirf: fix kernel panic caused by unpaired spinlock

Axel Lin <[email protected]>
spi: nuc900: Set SPI_LSB_FIRST for master->mode_bits if hw->pdata->lsb is true

Kleber Sacilotto de Souza <[email protected]>
of: fix PCI bus match for PCIe slots

Anton Blanchard <[email protected]>
powerpc: Fix endian issues in kexec and crash dump code

Emmanuel Grumbach <[email protected]>
iwlwifi: mvm: BT Coex - disable BT when TXing probe request in scan

Oren Givon <[email protected]>
iwlwifi: add more 7265 HW IDs

Emmanuel Grumbach <[email protected]>
iwlwifi: mvm: print the version of the firmware when it asserts

Johannes Berg <[email protected]>
iwlwifi: mvm: disable scheduled scan

Emmanuel Grumbach <[email protected]>
iwlwifi: mvm: don't allow A band if SKU forbids it

Geert Uytterhoeven <[email protected]>
spi: Fix crash with double message finalisation on error handling

Pontus Fuchs <[email protected]>
nl80211: Reset split_start when netlink skb is exhausted

Martin Schwidefsky <[email protected]>
s390: fix kernel crash due to linkage stack instructions

Michael Holzheu <[email protected]>
s390/dump: Fix dump memory detection

Oleksij Rempel <[email protected]>
ar5523: fix usb id for Gigaset.

Sujith Manoharan <[email protected]>
ath9k: Do not support PowerSave by default

Oleksij Rempel <[email protected]>
ath9k_htc: Do not support PowerSave by default

Stanislaw Gruszka <[email protected]>
ath9k_htc: make ->sta_rc_update atomic for most calls

Johannes Berg <[email protected]>
mac80211: fix fragmentation code, particularly for encryption

Sujith Manoharan <[email protected]>
mac80211: Fix IBSS disconnect

Emmanuel Grumbach <[email protected]>
mac80211: release the channel in error path in start_ap

Eliad Peller <[email protected]>
mac80211: move roc cookie assignment earlier

Steve French <[email protected]>
retrieving CIFS ACLs when mounted with SMB2 fails dropping session

Steve French <[email protected]>
Add protocol specific operation for CIFS xattrs

Steve French <[email protected]>
CIFS: Fix SMB2 mounts so they don't try to set or get xattrs via cifs

Linus Walleij <[email protected]>
ARM: pxa: fix various compilation problems

Naoya Horiguchi <[email protected]>
mm/memory-failure.c: move refcount only in !MF_COUNT_INCREASED

Rafael Aquini <[email protected]>
mm: fix page leak at nfs_symlink()

Eric W. Biederman <[email protected]>
fs/file.c:fdtable: avoid triggering OOMs from alloc_fdmem

David Vrabel <[email protected]>
xen-blkfront: handle backend CLOSED without CLOSING

Mel Gorman <[email protected]>
xen: properly account for _PAGE_NUMA during xen pte translations


-------------

Diffstat:

Documentation/ABI/testing/sysfs-tty | 3 +-
Makefile | 4 +-
arch/arm/mach-pxa/am300epd.c | 1 +
arch/arm/mach-pxa/include/mach/balloon3.h | 2 +
arch/arm/mach-pxa/include/mach/corgi.h | 1 +
arch/arm/mach-pxa/include/mach/csb726.h | 2 +
arch/arm/mach-pxa/include/mach/gumstix.h | 1 +
arch/arm/mach-pxa/include/mach/idp.h | 1 +
arch/arm/mach-pxa/include/mach/palmld.h | 2 +
arch/arm/mach-pxa/include/mach/palmt5.h | 2 +
arch/arm/mach-pxa/include/mach/palmtc.h | 2 +
arch/arm/mach-pxa/include/mach/palmtx.h | 2 +
arch/arm/mach-pxa/include/mach/pcm027.h | 2 +
arch/arm/mach-pxa/include/mach/pcm990_baseboard.h | 1 +
arch/arm/mach-pxa/include/mach/poodle.h | 2 +
arch/arm/mach-pxa/include/mach/spitz.h | 2 +-
arch/arm/mach-pxa/include/mach/tosa.h | 2 +
arch/arm/mach-pxa/include/mach/trizeps4.h | 2 +
arch/powerpc/kernel/machine_kexec.c | 14 +++-
arch/powerpc/kernel/machine_kexec_64.c | 6 +-
arch/s390/kernel/head64.S | 7 +-
arch/s390/mm/page-states.c | 10 +++
arch/x86/include/asm/pgtable.h | 14 +++-
arch/x86/kernel/cpu/common.c | 7 +-
arch/x86/kernel/ftrace.c | 83 ++++++++++++---------
arch/x86/mm/fault.c | 14 ++--
arch/x86/xen/mmu.c | 4 +-
block/blk-lib.c | 8 ++
block/blk.h | 2 +-
drivers/block/xen-blkfront.c | 5 +-
drivers/char/raw.c | 2 +-
drivers/edac/edac_mc.c | 13 ++--
drivers/edac/edac_mc_sysfs.c | 10 ++-
drivers/edac/edac_module.h | 2 +-
drivers/gpu/drm/i915/i915_gpu_error.c | 5 +-
drivers/gpu/drm/i915/i915_irq.c | 3 +-
drivers/gpu/drm/i915/intel_dp.c | 10 ++-
drivers/gpu/drm/radeon/cik_sdma.c | 43 ++++++++---
drivers/gpu/drm/radeon/r600.c | 4 +
drivers/gpu/drm/radeon/si.c | 4 +
drivers/hv/connection.c | 13 +---
drivers/hwmon/ntc_thermistor.c | 6 +-
drivers/i2c/busses/i2c-mv64xxx.c | 33 ++++-----
drivers/iio/adc/max1363.c | 2 +-
drivers/iio/imu/adis16400.h | 1 +
drivers/iio/imu/adis16400_core.c | 10 +--
drivers/iio/magnetometer/ak8975.c | 16 ++--
drivers/infiniband/hw/qib/qib_iba7322.c | 5 ++
drivers/md/raid1.c | 13 +++-
drivers/md/raid5.c | 90 +++++++++++------------
drivers/misc/mei/client.c | 11 ++-
drivers/misc/mic/host/mic_virtio.c | 3 +-
drivers/net/wireless/ath/ar5523/ar5523.c | 2 +-
drivers/net/wireless/ath/ath9k/htc_drv_init.c | 8 +-
drivers/net/wireless/ath/ath9k/htc_drv_main.c | 25 ++++---
drivers/net/wireless/ath/ath9k/init.c | 8 +-
drivers/net/wireless/iwlwifi/iwl-nvm-parse.c | 5 ++
drivers/net/wireless/iwlwifi/mvm/mac80211.c | 2 +-
drivers/net/wireless/iwlwifi/mvm/scan.c | 3 +-
drivers/net/wireless/iwlwifi/mvm/utils.c | 2 +
drivers/net/wireless/iwlwifi/pcie/drv.c | 7 +-
drivers/of/address.c | 5 +-
drivers/pci/hotplug/acpiphp_glue.c | 15 +++-
drivers/power/max17040_battery.c | 5 +-
drivers/spi/spi-nuc900.c | 2 +
drivers/spi/spi.c | 4 +-
drivers/staging/comedi/drivers/adv_pci1710.c | 17 +++--
drivers/staging/iio/adc/ad799x_core.c | 5 +-
drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +-
drivers/staging/lustre/lustre/llite/dir.c | 2 +-
drivers/staging/rtl8188eu/os_dep/usb_intf.c | 2 +-
drivers/target/target_core_pr.c | 11 ++-
drivers/tty/n_gsm.c | 11 +++
drivers/tty/n_tty.c | 12 +--
drivers/tty/serial/omap-serial.c | 6 +-
drivers/tty/serial/sirfsoc_uart.c | 4 +-
drivers/tty/tty_io.c | 25 +++++--
drivers/tty/vt/vt.c | 2 +
drivers/usb/core/hcd.c | 1 -
drivers/usb/core/hub.c | 7 +-
drivers/usb/core/usb.h | 1 -
drivers/usb/host/xhci-ring.c | 54 +-------------
drivers/usb/host/xhci.c | 18 +++--
drivers/usb/host/xhci.h | 2 +-
drivers/usb/serial/ftdi_sio.c | 3 +
drivers/usb/serial/ftdi_sio_ids.h | 7 ++
drivers/usb/serial/option.c | 3 +-
drivers/usb/serial/qcserial.c | 3 +
drivers/usb/serial/usb-serial-simple.c | 3 +-
drivers/usb/storage/Kconfig | 4 +-
drivers/usb/storage/scsiglue.c | 6 ++
drivers/usb/storage/unusual_cypress.h | 2 +-
drivers/usb/storage/unusual_devs.h | 7 ++
drivers/vme/bridges/vme_ca91cx42.c | 4 +-
drivers/vme/bridges/vme_tsi148.c | 4 +-
fs/bio-integrity.c | 10 ++-
fs/cifs/cifsacl.c | 28 ++++++-
fs/cifs/cifsglob.h | 10 +++
fs/cifs/inode.c | 13 +++-
fs/cifs/smb1ops.c | 8 ++
fs/cifs/xattr.c | 64 ++++++++++------
fs/file.c | 2 +-
fs/lockd/svclock.c | 8 ++
fs/nfs/dir.c | 5 ++
include/linux/compiler-gcc4.h | 6 +-
include/linux/hyperv.h | 2 +-
include/linux/usb.h | 2 -
include/uapi/linux/mic_ioctl.h | 2 +-
kernel/irq/irqdesc.c | 1 +
kernel/time/jiffies.c | 6 ++
kernel/time/tick-broadcast.c | 1 +
kernel/trace/ring_buffer.c | 7 ++
mm/memory-failure.c | 6 +-
net/mac80211/cfg.c | 41 ++++++-----
net/mac80211/ibss.c | 5 +-
net/mac80211/tx.c | 2 +-
net/wireless/nl80211.c | 3 +-
scripts/mod/file2alias.c | 4 +-
sound/pci/hda/patch_realtek.c | 2 +
virt/kvm/coalesced_mmio.c | 8 +-
120 files changed, 679 insertions(+), 395 deletions(-)


2014-02-20 23:53:59

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 68/99] USB: ftdi_sio: add Tagsys RFID Reader IDs

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ulrich Hahn <[email protected]>

commit 76f24e3f39a1a94bab0d54e98899d64abcd9f69c upstream.

Adding two more IDs to the ftdi_sio usb serial driver.
It now connects Tagsys RFID readers.
There might be more IDs out there for other Tagsys models.

Signed-off-by: Ulrich Hahn <[email protected]>
Cc: Johan Hovold <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/serial/ftdi_sio.c | 2 ++
drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
2 files changed, 8 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -193,6 +193,8 @@ static struct usb_device_id id_table_com
{ USB_DEVICE(INTERBIOMETRICS_VID, INTERBIOMETRICS_IOBOARD_PID) },
{ USB_DEVICE(INTERBIOMETRICS_VID, INTERBIOMETRICS_MINI_IOBOARD_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_SPROG_II) },
+ { USB_DEVICE(FTDI_VID, FTDI_TAGSYS_LP101_PID) },
+ { USB_DEVICE(FTDI_VID, FTDI_TAGSYS_P200X_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_LENZ_LIUSB_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_XF_632_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_XF_634_PID) },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -364,6 +364,12 @@
/* Sprog II (Andrew Crosland's SprogII DCC interface) */
#define FTDI_SPROG_II 0xF0C8

+/*
+ * Two of the Tagsys RFID Readers
+ */
+#define FTDI_TAGSYS_LP101_PID 0xF0E9 /* Tagsys L-P101 RFID*/
+#define FTDI_TAGSYS_P200X_PID 0xF0EE /* Tagsys Medio P200x RFID*/
+
/* an infrared receiver for user access control with IR tags */
#define FTDI_PIEGROUP_PID 0xF208 /* Product Id */


2014-02-20 23:54:03

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 69/99] usb-storage: add unusual-devs entry for BlackBerry 9000

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <[email protected]>

commit c5637e5119c43452a00e27c274356b072263ecbb upstream.

This patch adds an unusual-devs entry for the BlackBerry 9000. This
fixes Bugzilla #22442.

Signed-off-by: Alan Stern <[email protected]>
Reported-by: Moritz Moeller-Herrmann <[email protected]>
Tested-by: Moritz Moeller-Herrmann <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/storage/unusual_devs.h | 7 +++++++
1 file changed, 7 insertions(+)

--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -1455,6 +1455,13 @@ UNUSUAL_DEV( 0x0f88, 0x042e, 0x0100, 0x0
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_FIX_CAPACITY ),

+/* Reported by Moritz Moeller-Herrmann <[email protected]> */
+UNUSUAL_DEV( 0x0fca, 0x8004, 0x0201, 0x0201,
+ "Research In Motion",
+ "BlackBerry Bold 9000",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_MAX_SECTORS_64 ),
+
/* Reported by Michael Stattmann <[email protected]> */
UNUSUAL_DEV( 0x0fce, 0xd008, 0x0000, 0x0000,
"Sony Ericsson",

2014-02-20 23:54:20

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 51/99] staging:iio:impedance:ad5933: correct error check

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Julia Lawall <[email protected]>

commit e9ed104de68c345c9a827225e93c74c6894613a9 upstream.

iio_kfifo_allocate returns NULL in case of error.

The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
expression *x;
identifier f;
statement S1,S2;
@@

*x = f(...);
if (x) { <+... when != if (...) S1 else S2
-ENOMEM ...+> }
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/iio/impedance-analyzer/ad5933.c
+++ b/drivers/staging/iio/impedance-analyzer/ad5933.c
@@ -629,7 +629,7 @@ static int ad5933_register_ring_funcs_an
struct iio_buffer *buffer;

buffer = iio_kfifo_allocate(indio_dev);
- if (buffer)
+ if (!buffer)
return -ENOMEM;

iio_device_attach_buffer(indio_dev, buffer);

2014-02-20 23:54:29

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 89/99] md/raid1: restore ability for check and repair to fix read errors.

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: NeilBrown <[email protected]>

commit 1877db75589a895bbdc4c4c3f23558e57b521141 upstream.

commit 30bc9b53878a9921b02e3b5bc4283ac1c6de102a
md/raid1: fix bio handling problems in process_checks()

Move the bio_reset() to a point before where BIO_UPTODATE is checked,
so that check now always report that the bio is uptodate, even if it is not.

This causes process_check() to sometimes treat read-errors as
successful matches so the good data isn't written out.

This patch preserves the flag until it is needed.

Bug was introduced in 3.11, but backported to 3.10-stable (as it fixed
an even worse bug). So suitable for any -stable since 3.10.

Reported-and-tested-by: Michael Tokarev <[email protected]>
Fixed: 30bc9b53878a9921b02e3b5bc4283ac1c6de102a
Signed-off-by: NeilBrown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/md/raid1.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -1952,11 +1952,15 @@ static int process_checks(struct r1bio *
for (i = 0; i < conf->raid_disks * 2; i++) {
int j;
int size;
+ int uptodate;
struct bio *b = r1_bio->bios[i];
if (b->bi_end_io != end_sync_read)
continue;
- /* fixup the bio for reuse */
+ /* fixup the bio for reuse, but preserve BIO_UPTODATE */
+ uptodate = test_bit(BIO_UPTODATE, &b->bi_flags);
bio_reset(b);
+ if (!uptodate)
+ clear_bit(BIO_UPTODATE, &b->bi_flags);
b->bi_vcnt = vcnt;
b->bi_size = r1_bio->sectors << 9;
b->bi_sector = r1_bio->sector +
@@ -1989,11 +1993,14 @@ static int process_checks(struct r1bio *
int j;
struct bio *pbio = r1_bio->bios[primary];
struct bio *sbio = r1_bio->bios[i];
+ int uptodate = test_bit(BIO_UPTODATE, &sbio->bi_flags);

if (sbio->bi_end_io != end_sync_read)
continue;
+ /* Now we can 'fixup' the BIO_UPTODATE flag */
+ set_bit(BIO_UPTODATE, &sbio->bi_flags);

- if (test_bit(BIO_UPTODATE, &sbio->bi_flags)) {
+ if (uptodate) {
for (j = vcnt; j-- ; ) {
struct page *p, *s;
p = pbio->bi_io_vec[j].bv_page;
@@ -2008,7 +2015,7 @@ static int process_checks(struct r1bio *
if (j >= 0)
atomic64_add(r1_bio->sectors, &mddev->resync_mismatches);
if (j < 0 || (test_bit(MD_RECOVERY_CHECK, &mddev->recovery)
- && test_bit(BIO_UPTODATE, &sbio->bi_flags))) {
+ && uptodate)) {
/* No need to write to this device. */
sbio->bi_end_io = NULL;
rdev_dec_pending(conf->mirrors[i].rdev, mddev);

2014-02-20 23:54:23

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 97/99] drivers/edac/edac_mc_sysfs.c: poll timeout cannot be zero

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Prarit Bhargava <[email protected]>

commit 79040cad3f8235937e229f1b9401ba36dd5ad69b upstream.

If you do

echo 0 > /sys/module/edac_core/parameters/edac_mc_poll_msec

the following stack trace is output because the edac module is not
designed to poll with a timeout of zero.

WARNING: CPU: 12 PID: 0 at lib/list_debug.c:33 __list_add+0xac/0xc0()
list_add corruption. prev->next should be next (ffff8808291dd1b8), but was (null). (prev=ffff8808286fe3f8).
Modules linked in: sg nfsv3 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache cfg80211 rfkill x86_pkg_temp_thermal coretemp kvm_intel kvm ixgbe e1000e crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd iTCO_wdt ptp sb_edac iTCO_vendor_support pps_core mdio ipmi_devintf edac_core ioatdma microcode shpchp lpc_ich pcspkr i2c_i801 dca mfd_core ipmi_si wmi ipmi_msghandler nfsd auth_rpcgss nfs_acl lockd sunrpc xfs libcrc32c sd_mod sr_mod cdrom crc_t10dif crct10dif_common mgag200 syscopyarea sysfillrect sysimgblt isci i2c_algo_bit drm_kms_helper ttm drm libsas ahci libahci scsi_transport_sas libata i2c_core dm_mirror dm_region_hash dm_log dm_mod
CPU: 12 PID: 0 Comm: swapper/12 Not tainted 3.13.0+ #1
Hardware name: Intel Corporation LH Pass ........../SVRBD-ROW_T, BIOS SE5C600.86B.01.08.0003.022620131521 02/26/2013
Call Trace:
<IRQ>
__list_add+0xac/0xc0
__internal_add_timer+0xab/0x130
internal_add_timer+0x17/0x40
mod_timer_pinned+0xca/0x170
intel_pstate_timer_func+0x28a/0x380
call_timer_fn+0x36/0x100
run_timer_softirq+0x1ff/0x2f0
__do_softirq+0xf5/0x2e0
irq_exit+0x10d/0x120
smp_apic_timer_interrupt+0x45/0x60
apic_timer_interrupt+0x6d/0x80
<EOI>
cpuidle_idle_call+0xb9/0x1f0
arch_cpu_idle+0xe/0x30
cpu_startup_entry+0x9e/0x240
start_secondary+0x1e4/0x290

kernel BUG at kernel/timer.c:1084!
invalid opcode: 0000 [#1] SMP
Modules linked in: sg nfsv3 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache cfg80211 rfkill x86_pkg_temp_thermal coretemp kvm_intel kvm ixgbe e1000e crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd iTCO_wdt ptp sb_edac iTCO_vendor_support pps_core mdio ipmi_devintf edac_core ioatdma microcode shpchp lpc_ich pcspkr i2c_i801 dca mfd_core ipmi_si wmi ipmi_msghandler nfsd auth_rpcgss nfs_acl lockd sunrpc xfs libcrc32c sd_mod sr_mod cdrom crc_t10dif crct10dif_common mgag200 syscopyarea sysfillrect sysimgblt isci i2c_algo_bit drm_kms_helper ttm drm libsas ahci libahci scsi_transport_sas libata i2c_core dm_mirror dm_region_hash dm_log dm_mod
CPU: 12 PID: 0 Comm: swapper/12 Tainted: G W 3.13.0+ #1
Hardware name: Intel Corporation LH Pass ........../SVRBD-ROW_T, BIOS SE5C600.86B.01.08.0003.022620131521 02/26/2013
Call Trace:
<IRQ>
run_timer_softirq+0x245/0x2f0
__do_softirq+0xf5/0x2e0
irq_exit+0x10d/0x120
smp_apic_timer_interrupt+0x45/0x60
apic_timer_interrupt+0x6d/0x80
<EOI>
cpuidle_idle_call+0xb9/0x1f0
arch_cpu_idle+0xe/0x30
cpu_startup_entry+0x9e/0x240
start_secondary+0x1e4/0x290
RIP cascade+0x93/0xa0

WARNING: CPU: 36 PID: 1154 at kernel/workqueue.c:1461 __queue_delayed_work+0xed/0x1a0()
Modules linked in: sg nfsv3 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache cfg80211 rfkill x86_pkg_temp_thermal coretemp kvm_intel kvm ixgbe e1000e crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd iTCO_wdt ptp sb_edac iTCO_vendor_support pps_core mdio ipmi_devintf edac_core ioatdma microcode shpchp lpc_ich pcspkr i2c_i801 dca mfd_core ipmi_si wmi ipmi_msghandler nfsd auth_rpcgss nfs_acl lockd sunrpc xfs libcrc32c sd_mod sr_mod cdrom crc_t10dif crct10dif_common mgag200 syscopyarea sysfillrect sysimgblt isci i2c_algo_bit drm_kms_helper ttm drm libsas ahci libahci scsi_transport_sas libata i2c_core dm_mirror dm_region_hash dm_log dm_mod
CPU: 36 PID: 1154 Comm: kworker/u481:3 Tainted: G W 3.13.0+ #1
Hardware name: Intel Corporation LH Pass ........../SVRBD-ROW_T, BIOS SE5C600.86B.01.08.0003.022620131521 02/26/2013
Workqueue: edac-poller edac_mc_workq_function [edac_core]
Call Trace:
dump_stack+0x45/0x56
warn_slowpath_common+0x7d/0xa0
warn_slowpath_null+0x1a/0x20
__queue_delayed_work+0xed/0x1a0
queue_delayed_work_on+0x27/0x50
edac_mc_workq_function+0x72/0xa0 [edac_core]
process_one_work+0x17b/0x460
worker_thread+0x11b/0x400
kthread+0xd2/0xf0
ret_from_fork+0x7c/0xb0

This patch adds a range check in the edac_mc_poll_msec code to check for 0.

Signed-off-by: Prarit Bhargava <[email protected]>
Cc: Doug Thompson <[email protected]>
Cc: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/edac/edac_mc_sysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/edac/edac_mc_sysfs.c
+++ b/drivers/edac/edac_mc_sysfs.c
@@ -61,7 +61,7 @@ static int edac_set_poll_msec(const char
ret = kstrtol(val, 0, &l);
if (ret)
return ret;
- if ((int)l != l)
+ if (!l || ((int)l != l))
return -EINVAL;
*((int *)kp->arg) = l;


2014-02-20 23:54:39

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 94/99] ring-buffer: Fix first commit on sub-buffer having non-zero delta

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <[email protected]>

commit d651aa1d68a2f0a7ee65697b04c6a92f8c0a12f2 upstream.

Each sub-buffer (buffer page) has a full 64 bit timestamp. The events on
that page use a 27 bit delta against that timestamp in order to save on
bits written to the ring buffer. If the time between events is larger than
what the 27 bits can hold, a "time extend" event is added to hold the
entire 64 bit timestamp again and the events after that hold a delta from
that timestamp.

As a "time extend" is always paired with an event, it is logical to just
allocate the event with the time extend, to make things a bit more efficient.

Unfortunately, when the pairing code was written, it removed the "delta = 0"
from the first commit on a page, causing the events on the page to be
slightly skewed.

Fixes: 69d1b839f7ee "ring-buffer: Bind time extend and data events together"
Signed-off-by: Steven Rostedt <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
kernel/trace/ring_buffer.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -2397,6 +2397,13 @@ __rb_reserve_next(struct ring_buffer_per
write &= RB_WRITE_MASK;
tail = write - length;

+ /*
+ * If this is the first commit on the page, then it has the same
+ * timestamp as the page itself.
+ */
+ if (!tail)
+ delta = 0;
+
/* See if we shot pass the end of this buffer page */
if (unlikely(write > BUF_PAGE_SIZE))
return rb_move_tail(cpu_buffer, length, tail,

2014-02-20 23:54:36

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 95/99] target: Fix free-after-use regression in PR unregister

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <[email protected]>

commit fc09149df6e20cfbb0bb86f10899607c321a31eb upstream.

This patch addresses a >= v3.11 free-after-use regression
in core_scsi3_emulate_pro_register() that was introduced
in the following commit:

commit bc118fe4c4a8cfa453491ba77c0a146a6d0e73e0
Author: Andy Grover <[email protected]>
Date: Thu May 16 10:41:04 2013 -0700

target: Further refactoring of core_scsi3_emulate_pro_register()

To avoid the free-after-use, save an type value before hand, and
only call core_scsi3_put_pr_reg() with a valid *pr_reg.

Reported-by: Dan Carpenter <[email protected]>
Cc: Andy Grover <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/target/target_core_pr.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/target/target_core_pr.c
+++ b/drivers/target/target_core_pr.c
@@ -2009,7 +2009,7 @@ core_scsi3_emulate_pro_register(struct s
struct t10_reservation *pr_tmpl = &dev->t10_pr;
unsigned char isid_buf[PR_REG_ISID_LEN], *isid_ptr = NULL;
sense_reason_t ret = TCM_NO_SENSE;
- int pr_holder = 0;
+ int pr_holder = 0, type;

if (!se_sess || !se_lun) {
pr_err("SPC-3 PR: se_sess || struct se_lun is NULL!\n");
@@ -2131,6 +2131,7 @@ core_scsi3_emulate_pro_register(struct s
ret = TCM_RESERVATION_CONFLICT;
goto out;
}
+ type = pr_reg->pr_res_type;

spin_lock(&pr_tmpl->registration_lock);
/*
@@ -2161,6 +2162,7 @@ core_scsi3_emulate_pro_register(struct s
* Release the calling I_T Nexus registration now..
*/
__core_scsi3_free_registration(cmd->se_dev, pr_reg, NULL, 1);
+ pr_reg = NULL;

/*
* From spc4r17, section 5.7.11.3 Unregistering
@@ -2174,8 +2176,8 @@ core_scsi3_emulate_pro_register(struct s
* RESERVATIONS RELEASED.
*/
if (pr_holder &&
- (pr_reg->pr_res_type == PR_TYPE_WRITE_EXCLUSIVE_REGONLY ||
- pr_reg->pr_res_type == PR_TYPE_EXCLUSIVE_ACCESS_REGONLY)) {
+ (type == PR_TYPE_WRITE_EXCLUSIVE_REGONLY ||
+ type == PR_TYPE_EXCLUSIVE_ACCESS_REGONLY)) {
list_for_each_entry(pr_reg_p,
&pr_tmpl->registration_list,
pr_reg_list) {
@@ -2194,7 +2196,8 @@ core_scsi3_emulate_pro_register(struct s
ret = core_scsi3_update_and_write_aptpl(dev, aptpl);

out:
- core_scsi3_put_pr_reg(pr_reg);
+ if (pr_reg)
+ core_scsi3_put_pr_reg(pr_reg);
return ret;
}


2014-02-20 23:54:34

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 86/99] IB/qib: Add missing serdes init sequence

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mike Marciniszyn <[email protected]>

commit 2f75e12c4457a9b3d042c0a0d748fa198dc2ffaf upstream.

Research has shown that commit a77fcf895046 ("IB/qib: Use a single
txselect module parameter for serdes tuning") missed a key serdes init
sequence.

This patch add that sequence.

Reviewed-by: Dennis Dalessandro <[email protected]>
Signed-off-by: Mike Marciniszyn <[email protected]>
Signed-off-by: Roland Dreier <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/infiniband/hw/qib/qib_iba7322.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/drivers/infiniband/hw/qib/qib_iba7322.c
+++ b/drivers/infiniband/hw/qib/qib_iba7322.c
@@ -2395,6 +2395,11 @@ static int qib_7322_bringup_serdes(struc
qib_write_kreg_port(ppd, krp_ibcctrl_a, ppd->cpspec->ibcctrl_a);
qib_write_kreg(dd, kr_scratch, 0ULL);

+ /* ensure previous Tx parameters are not still forced */
+ qib_write_kreg_port(ppd, krp_tx_deemph_override,
+ SYM_MASK(IBSD_TX_DEEMPHASIS_OVERRIDE_0,
+ reset_tx_deemphasis_override));
+
if (qib_compat_ddr_negotiate) {
ppd->cpspec->ibdeltainprog = 1;
ppd->cpspec->ibsymsnap = read_7322_creg32_port(ppd,

2014-02-20 23:55:55

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 93/99] power: max17040: Fix NULL pointer dereference when there is no platform_data

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Krzysztof Kozlowski <[email protected]>

commit ac323d8d807060f7c95a685a9fe861e7b6300993 upstream.

Fix NULL pointer dereference of "chip->pdata" if platform_data was not
supplied to the driver.

The driver during probe stored the pointer to the platform_data:
chip->pdata = client->dev.platform_data;
Later it was dereferenced in max17040_get_online() and
max17040_get_status().

If platform_data was not supplied, the NULL pointer exception would
happen:

[ 6.626094] Unable to handle kernel of a at virtual address 00000000
[ 6.628557] pgd = c0004000
[ 6.632868] [00000000] *pgd=66262564
[ 6.634636] Unable to handle kernel paging request at virtual address e6262000
[ 6.642014] pgd = de468000
[ 6.644700] [e6262000] *pgd=00000000
[ 6.648265] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 6.653552] Modules linked in:
[ 6.656598] CPU: 0 PID: 31 Comm: kworker/0:1 Not tainted 3.10.14-02717-gc58b4b4 #505
[ 6.664334] Workqueue: events max17040_work
[ 6.668488] task: dfa11b80 ti: df9f6000 task.ti: df9f6000
[ 6.673873] PC is at show_pte+0x80/0xb8
[ 6.677687] LR is at show_pte+0x3c/0xb8
[ 6.681503] pc : [<c001b7b8>] lr : [<c001b774>] psr: 600f0113
[ 6.681503] sp : df9f7d58 ip : 600f0113 fp : 00000009
[ 6.692965] r10: 00000000 r9 : 00000000 r8 : dfa11b80
[ 6.698171] r7 : df9f7ea0 r6 : e6262000 r5 : 00000000 r4 : 00000000
[ 6.704680] r3 : 00000000 r2 : e6262000 r1 : 600f0193 r0 : c05b3750
[ 6.711194] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
[ 6.718485] Control: 10c53c7d Table: 5e46806a DAC: 00000015
[ 6.724218] Process kworker/0:1 (pid: 31, stack limit = 0xdf9f6238)
[ 6.730465] Stack: (0xdf9f7d58 to 0xdf9f8000)
[ 6.914325] [<c001b7b8>] (show_pte+0x80/0xb8) from [<c047107c>] (__do_kernel_fault.part.9+0x44/0x74)
[ 6.923425] [<c047107c>] (__do_kernel_fault.part.9+0x44/0x74) from [<c001bb7c>] (do_page_fault+0x2c4/0x360)
[ 6.933144] [<c001bb7c>] (do_page_fault+0x2c4/0x360) from [<c0008400>] (do_DataAbort+0x34/0x9c)
[ 6.941825] [<c0008400>] (do_DataAbort+0x34/0x9c) from [<c000e5d8>] (__dabt_svc+0x38/0x60)
[ 6.950058] Exception stack(0xdf9f7ea0 to 0xdf9f7ee8)
[ 6.955099] 7ea0: df0c1790 00000000 00000002 00000000 df0c1794 df0c1790 df0c1790 00000042
[ 6.963271] 7ec0: df0c1794 00000001 00000000 00000009 00000000 df9f7ee8 c0306268 c0306270
[ 6.971419] 7ee0: a00f0113 ffffffff
[ 6.974902] [<c000e5d8>] (__dabt_svc+0x38/0x60) from [<c0306270>] (max17040_work+0x8c/0x144)
[ 6.983317] [<c0306270>] (max17040_work+0x8c/0x144) from [<c003f364>] (process_one_work+0x138/0x440)
[ 6.992429] [<c003f364>] (process_one_work+0x138/0x440) from [<c003fa64>] (worker_thread+0x134/0x3b8)
[ 7.001628] [<c003fa64>] (worker_thread+0x134/0x3b8) from [<c00454bc>] (kthread+0xa4/0xb0)
[ 7.009875] [<c00454bc>] (kthread+0xa4/0xb0) from [<c000eb28>] (ret_from_fork+0x14/0x2c)
[ 7.017943] Code: e1a03005 e2422480 e0826104 e59f002c (e7922104)
[ 7.024017] ---[ end trace 73bc7006b9cc5c79 ]---

Signed-off-by: Krzysztof Kozlowski <[email protected]>
Fixes: c6f4a42de60b981dd210de01cd3e575835e3158e
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/power/max17040_battery.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/power/max17040_battery.c
+++ b/drivers/power/max17040_battery.c
@@ -148,7 +148,7 @@ static void max17040_get_online(struct i
{
struct max17040_chip *chip = i2c_get_clientdata(client);

- if (chip->pdata->battery_online)
+ if (chip->pdata && chip->pdata->battery_online)
chip->online = chip->pdata->battery_online();
else
chip->online = 1;
@@ -158,7 +158,8 @@ static void max17040_get_status(struct i
{
struct max17040_chip *chip = i2c_get_clientdata(client);

- if (!chip->pdata->charger_online || !chip->pdata->charger_enable) {
+ if (!chip->pdata || !chip->pdata->charger_online
+ || !chip->pdata->charger_enable) {
chip->status = POWER_SUPPLY_STATUS_UNKNOWN;
return;
}

2014-02-20 23:56:15

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 92/99] time: Fix overflow when HZ is smaller than 60

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mikulas Patocka <[email protected]>

commit 80d767d770fd9c697e434fd080c2db7b5c60c6dd upstream.

When compiling for the IA-64 ski emulator, HZ is set to 32 because the
emulation is slow and we don't want to waste too many cycles processing
timers. Alpha also has an option to set HZ to 32.

This causes integer underflow in
kernel/time/jiffies.c:
kernel/time/jiffies.c:66:2: warning: large integer implicitly truncated to unsigned type [-Woverflow]
.mult = NSEC_PER_JIFFY << JIFFIES_SHIFT, /* details above */
^

This patch reduces the JIFFIES_SHIFT value to avoid the overflow.

Signed-off-by: Mikulas Patocka <[email protected]>
Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1401241639100.23871@file01.intranet.prod.int.rdu2.redhat.com
Signed-off-by: Thomas Gleixner <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
kernel/time/jiffies.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/kernel/time/jiffies.c
+++ b/kernel/time/jiffies.c
@@ -51,7 +51,13 @@
* HZ shrinks, so values greater than 8 overflow 32bits when
* HZ=100.
*/
+#if HZ < 34
+#define JIFFIES_SHIFT 6
+#elif HZ < 67
+#define JIFFIES_SHIFT 7
+#else
#define JIFFIES_SHIFT 8
+#endif

static cycle_t jiffies_read(struct clocksource *cs)
{

2014-02-20 23:56:38

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 91/99] i2c: mv64xxx: refactor message start to ensure proper initialization

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Wolfram Sang <[email protected]>

commit 79970db213344b4a4034645db5ebfc31571f3fa3 upstream.

Because the offload mechanism can fall back to a standard transfer,
having two seperate initialization states is unfortunate. Let's just
have one state which does things consistently. This fixes a bug where
some preparation was missing when the fallback happened. And it makes
the code much easier to follow. To implement this, we put the check
if offload is possible at the top of the offload setup function.

Signed-off-by: Wolfram Sang <[email protected]>
Tested-by: Gregory CLEMENT <[email protected]>
Fixes: 930ab3d403ae (i2c: mv64xxx: Add I2C Transaction Generator support)
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/i2c/busses/i2c-mv64xxx.c | 33 ++++++++++++++-------------------
1 file changed, 14 insertions(+), 19 deletions(-)

--- a/drivers/i2c/busses/i2c-mv64xxx.c
+++ b/drivers/i2c/busses/i2c-mv64xxx.c
@@ -97,7 +97,6 @@ enum {
enum {
MV64XXX_I2C_ACTION_INVALID,
MV64XXX_I2C_ACTION_CONTINUE,
- MV64XXX_I2C_ACTION_OFFLOAD_SEND_START,
MV64XXX_I2C_ACTION_SEND_START,
MV64XXX_I2C_ACTION_SEND_RESTART,
MV64XXX_I2C_ACTION_OFFLOAD_RESTART,
@@ -204,6 +203,9 @@ static int mv64xxx_i2c_offload_msg(struc
unsigned long ctrl_reg;
struct i2c_msg *msg = drv_data->msgs;

+ if (!drv_data->offload_enabled)
+ return -EOPNOTSUPP;
+
drv_data->msg = msg;
drv_data->byte_posn = 0;
drv_data->bytes_left = msg->len;
@@ -433,8 +435,7 @@ mv64xxx_i2c_do_action(struct mv64xxx_i2c

drv_data->msgs++;
drv_data->num_msgs--;
- if (!(drv_data->offload_enabled &&
- mv64xxx_i2c_offload_msg(drv_data))) {
+ if (mv64xxx_i2c_offload_msg(drv_data) < 0) {
drv_data->cntl_bits |= MV64XXX_I2C_REG_CONTROL_START;
writel(drv_data->cntl_bits,
drv_data->reg_base + drv_data->reg_offsets.control);
@@ -458,15 +459,14 @@ mv64xxx_i2c_do_action(struct mv64xxx_i2c
drv_data->reg_base + drv_data->reg_offsets.control);
break;

- case MV64XXX_I2C_ACTION_OFFLOAD_SEND_START:
- if (!mv64xxx_i2c_offload_msg(drv_data))
- break;
- else
- drv_data->action = MV64XXX_I2C_ACTION_SEND_START;
- /* FALLTHRU */
case MV64XXX_I2C_ACTION_SEND_START:
- writel(drv_data->cntl_bits | MV64XXX_I2C_REG_CONTROL_START,
- drv_data->reg_base + drv_data->reg_offsets.control);
+ /* Can we offload this msg ? */
+ if (mv64xxx_i2c_offload_msg(drv_data) < 0) {
+ /* No, switch to standard path */
+ mv64xxx_i2c_prepare_for_io(drv_data, drv_data->msgs);
+ writel(drv_data->cntl_bits | MV64XXX_I2C_REG_CONTROL_START,
+ drv_data->reg_base + drv_data->reg_offsets.control);
+ }
break;

case MV64XXX_I2C_ACTION_SEND_ADDR_1:
@@ -625,15 +625,10 @@ mv64xxx_i2c_execute_msg(struct mv64xxx_i
unsigned long flags;

spin_lock_irqsave(&drv_data->lock, flags);
- if (drv_data->offload_enabled) {
- drv_data->action = MV64XXX_I2C_ACTION_OFFLOAD_SEND_START;
- drv_data->state = MV64XXX_I2C_STATE_WAITING_FOR_START_COND;
- } else {
- mv64xxx_i2c_prepare_for_io(drv_data, msg);

- drv_data->action = MV64XXX_I2C_ACTION_SEND_START;
- drv_data->state = MV64XXX_I2C_STATE_WAITING_FOR_START_COND;
- }
+ drv_data->action = MV64XXX_I2C_ACTION_SEND_START;
+ drv_data->state = MV64XXX_I2C_STATE_WAITING_FOR_START_COND;
+
drv_data->send_stop = is_last;
drv_data->block = 1;
mv64xxx_i2c_do_action(drv_data);

2014-02-20 23:56:58

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 88/99] tick: Clear broadcast pending bit when switching to oneshot

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Gleixner <[email protected]>

commit dd5fd9b91a77b4c9c28b7ef9c181b1a875820d0a upstream.

AMD systems which use the C1E workaround in the amd_e400_idle routine
trigger the WARN_ON_ONCE in the broadcast code when onlining a CPU.

The reason is that the idle routine of those AMD systems switches the
cpu into forced broadcast mode early on before the newly brought up
CPU can switch over to high resolution / NOHZ mode. The timer related
CPU1 bringup looks like this:

clockevent_register_device(local_apic);
tick_setup(local_apic);
...
idle()
tick_broadcast_on_off(FORCE);
tick_broadcast_oneshot_control(ENTER)
cpumask_set(cpu, broadcast_oneshot_mask);
halt();

Now the broadcast interrupt on CPU0 sets CPU1 in the
broadcast_pending_mask and wakes CPU1. So CPU1 continues:

local_apic_timer_interrupt()
tick_handle_periodic();
softirq()
tick_init_highres();
cpumask_clr(cpu, broadcast_oneshot_mask);

tick_broadcast_oneshot_control(ENTER)
WARN_ON(cpumask_test(cpu, broadcast_pending_mask);

So while we remove CPU1 from the broadcast_oneshot_mask when we switch
over to highres mode, we do not clear the pending bit, which then
triggers the warning when we go back to idle.

The reason why this is only visible on C1E affected AMD systems is
that the other machines enter the deep sleep states via
acpi_idle/intel_idle and exit the broadcast mode before executing the
remote triggered local_apic_timer_interrupt. So the pending bit is
already cleared when the switch over to highres mode is clearing the
oneshot mask.

The solution is simple: Clear the pending bit together with the mask
bit when we switch over to highres mode.

Stanislaw came up independently with the same patch by enforcing the
C1E workaround and debugging the fallout. I picked mine, because mine
has a changelog :)

Reported-by: poma <[email protected]>
Debugged-by: Stanislaw Gruszka <[email protected]>
Signed-off-by: Thomas Gleixner <[email protected]>
Cc: Olaf Hering <[email protected]>
Cc: Dave Jones <[email protected]>
Cc: Justin M. Forbes <[email protected]>
Cc: Josh Boyer <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Thomas Gleixner <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
kernel/time/tick-broadcast.c | 1 +
1 file changed, 1 insertion(+)

--- a/kernel/time/tick-broadcast.c
+++ b/kernel/time/tick-broadcast.c
@@ -756,6 +756,7 @@ out:
static void tick_broadcast_clear_oneshot(int cpu)
{
cpumask_clear_cpu(cpu, tick_broadcast_oneshot_mask);
+ cpumask_clear_cpu(cpu, tick_broadcast_pending_mask);
}

static void tick_broadcast_init_next_event(struct cpumask *mask,

2014-02-20 23:56:57

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 90/99] md/raid5: Fix CPU hotplug callback registration

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Oleg Nesterov <[email protected]>

commit 789b5e0315284463617e106baad360cb9e8db3ac upstream.

Subsystems that want to register CPU hotplug callbacks, as well as perform
initialization for the CPUs that are already online, often do it as shown
below:

get_online_cpus();

for_each_online_cpu(cpu)
init_cpu(cpu);

register_cpu_notifier(&foobar_cpu_notifier);

put_online_cpus();

This is wrong, since it is prone to ABBA deadlocks involving the
cpu_add_remove_lock and the cpu_hotplug.lock (when running concurrently
with CPU hotplug operations).

Interestingly, the raid5 code can actually prevent double initialization and
hence can use the following simplified form of callback registration:

register_cpu_notifier(&foobar_cpu_notifier);

get_online_cpus();

for_each_online_cpu(cpu)
init_cpu(cpu);

put_online_cpus();

A hotplug operation that occurs between registering the notifier and calling
get_online_cpus(), won't disrupt anything, because the code takes care to
perform the memory allocations only once.

So reorganize the code in raid5 this way to fix the deadlock with callback
registration.

Cc: [email protected]
Fixes: 36d1c6476be51101778882897b315bd928c8c7b5
Signed-off-by: Oleg Nesterov <[email protected]>
[Srivatsa: Fixed the unregister_cpu_notifier() deadlock, added the
free_scratch_buffer() helper to condense code further and wrote the changelog.]
Signed-off-by: Srivatsa S. Bhat <[email protected]>
Signed-off-by: NeilBrown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/md/raid5.c | 90 +++++++++++++++++++++++++----------------------------
1 file changed, 44 insertions(+), 46 deletions(-)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -5512,23 +5512,43 @@ raid5_size(struct mddev *mddev, sector_t
return sectors * (raid_disks - conf->max_degraded);
}

+static void free_scratch_buffer(struct r5conf *conf, struct raid5_percpu *percpu)
+{
+ safe_put_page(percpu->spare_page);
+ kfree(percpu->scribble);
+ percpu->spare_page = NULL;
+ percpu->scribble = NULL;
+}
+
+static int alloc_scratch_buffer(struct r5conf *conf, struct raid5_percpu *percpu)
+{
+ if (conf->level == 6 && !percpu->spare_page)
+ percpu->spare_page = alloc_page(GFP_KERNEL);
+ if (!percpu->scribble)
+ percpu->scribble = kmalloc(conf->scribble_len, GFP_KERNEL);
+
+ if (!percpu->scribble || (conf->level == 6 && !percpu->spare_page)) {
+ free_scratch_buffer(conf, percpu);
+ return -ENOMEM;
+ }
+
+ return 0;
+}
+
static void raid5_free_percpu(struct r5conf *conf)
{
- struct raid5_percpu *percpu;
unsigned long cpu;

if (!conf->percpu)
return;

- get_online_cpus();
- for_each_possible_cpu(cpu) {
- percpu = per_cpu_ptr(conf->percpu, cpu);
- safe_put_page(percpu->spare_page);
- kfree(percpu->scribble);
- }
#ifdef CONFIG_HOTPLUG_CPU
unregister_cpu_notifier(&conf->cpu_notify);
#endif
+
+ get_online_cpus();
+ for_each_possible_cpu(cpu)
+ free_scratch_buffer(conf, per_cpu_ptr(conf->percpu, cpu));
put_online_cpus();

free_percpu(conf->percpu);
@@ -5555,15 +5575,7 @@ static int raid456_cpu_notify(struct not
switch (action) {
case CPU_UP_PREPARE:
case CPU_UP_PREPARE_FROZEN:
- if (conf->level == 6 && !percpu->spare_page)
- percpu->spare_page = alloc_page(GFP_KERNEL);
- if (!percpu->scribble)
- percpu->scribble = kmalloc(conf->scribble_len, GFP_KERNEL);
-
- if (!percpu->scribble ||
- (conf->level == 6 && !percpu->spare_page)) {
- safe_put_page(percpu->spare_page);
- kfree(percpu->scribble);
+ if (alloc_scratch_buffer(conf, percpu)) {
pr_err("%s: failed memory allocation for cpu%ld\n",
__func__, cpu);
return notifier_from_errno(-ENOMEM);
@@ -5571,10 +5583,7 @@ static int raid456_cpu_notify(struct not
break;
case CPU_DEAD:
case CPU_DEAD_FROZEN:
- safe_put_page(percpu->spare_page);
- kfree(percpu->scribble);
- percpu->spare_page = NULL;
- percpu->scribble = NULL;
+ free_scratch_buffer(conf, per_cpu_ptr(conf->percpu, cpu));
break;
default:
break;
@@ -5586,40 +5595,29 @@ static int raid456_cpu_notify(struct not
static int raid5_alloc_percpu(struct r5conf *conf)
{
unsigned long cpu;
- struct page *spare_page;
- struct raid5_percpu __percpu *allcpus;
- void *scribble;
- int err;
+ int err = 0;

- allcpus = alloc_percpu(struct raid5_percpu);
- if (!allcpus)
+ conf->percpu = alloc_percpu(struct raid5_percpu);
+ if (!conf->percpu)
return -ENOMEM;
- conf->percpu = allcpus;
+
+#ifdef CONFIG_HOTPLUG_CPU
+ conf->cpu_notify.notifier_call = raid456_cpu_notify;
+ conf->cpu_notify.priority = 0;
+ err = register_cpu_notifier(&conf->cpu_notify);
+ if (err)
+ return err;
+#endif

get_online_cpus();
- err = 0;
for_each_present_cpu(cpu) {
- if (conf->level == 6) {
- spare_page = alloc_page(GFP_KERNEL);
- if (!spare_page) {
- err = -ENOMEM;
- break;
- }
- per_cpu_ptr(conf->percpu, cpu)->spare_page = spare_page;
- }
- scribble = kmalloc(conf->scribble_len, GFP_KERNEL);
- if (!scribble) {
- err = -ENOMEM;
+ err = alloc_scratch_buffer(conf, per_cpu_ptr(conf->percpu, cpu));
+ if (err) {
+ pr_err("%s: failed memory allocation for cpu%ld\n",
+ __func__, cpu);
break;
}
- per_cpu_ptr(conf->percpu, cpu)->scribble = scribble;
}
-#ifdef CONFIG_HOTPLUG_CPU
- conf->cpu_notify.notifier_call = raid456_cpu_notify;
- conf->cpu_notify.priority = 0;
- if (err == 0)
- err = register_cpu_notifier(&conf->cpu_notify);
-#endif
put_online_cpus();

return err;

2014-02-20 23:57:45

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 99/99] EDAC: Correct workqueue setup path

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Borislav Petkov <[email protected]>

commit cb6ef42e516cb8948f15e4b70dc03af8020050a2 upstream.

We're using edac_mc_workq_setup() both on the init path, when
we load an edac driver and when we change the polling period
(edac_mc_reset_delay_period) through /sys/.../edac_mc_poll_msec.

On that second path we don't need to init the workqueue which has been
initialized already.

Thanks to Tejun for workqueue insights.

Signed-off-by: Borislav Petkov <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/edac/edac_mc.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/edac/edac_mc.c
+++ b/drivers/edac/edac_mc.c
@@ -559,7 +559,8 @@ static void edac_mc_workq_function(struc
*
* called with the mem_ctls_mutex held
*/
-static void edac_mc_workq_setup(struct mem_ctl_info *mci, unsigned msec)
+static void edac_mc_workq_setup(struct mem_ctl_info *mci, unsigned msec,
+ bool init)
{
edac_dbg(0, "\n");

@@ -567,7 +568,9 @@ static void edac_mc_workq_setup(struct m
if (mci->op_state != OP_RUNNING_POLL)
return;

- INIT_DELAYED_WORK(&mci->work, edac_mc_workq_function);
+ if (init)
+ INIT_DELAYED_WORK(&mci->work, edac_mc_workq_function);
+
mod_delayed_work(edac_workqueue, &mci->work, msecs_to_jiffies(msec));
}

@@ -611,7 +614,7 @@ void edac_mc_reset_delay_period(unsigned
list_for_each(item, &mc_devices) {
mci = list_entry(item, struct mem_ctl_info, link);

- edac_mc_workq_setup(mci, value);
+ edac_mc_workq_setup(mci, value, false);
}

mutex_unlock(&mem_ctls_mutex);
@@ -782,7 +785,7 @@ int edac_mc_add_mc(struct mem_ctl_info *
/* This instance is NOW RUNNING */
mci->op_state = OP_RUNNING_POLL;

- edac_mc_workq_setup(mci, edac_mc_get_poll_msec());
+ edac_mc_workq_setup(mci, edac_mc_get_poll_msec(), true);
} else {
mci->op_state = OP_RUNNING_INTERRUPT;
}

2014-02-20 23:58:00

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 96/99] genirq: Add missing irq_to_desc export for CONFIG_SPARSE_IRQ=n

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Paul Gortmaker <[email protected]>

commit 2c45aada341121438affc4cb8d5b4cfaa2813d3d upstream.

In allmodconfig builds for sparc and any other arch which does
not set CONFIG_SPARSE_IRQ, the following will be seen at modpost:

CC [M] lib/cpu-notifier-error-inject.o
CC [M] lib/pm-notifier-error-inject.o
ERROR: "irq_to_desc" [drivers/gpio/gpio-mcp23s08.ko] undefined!
make[2]: *** [__modpost] Error 1

This happens because commit 3911ff30f5 ("genirq: export
handle_edge_irq() and irq_to_desc()") added one export for it, but
there were actually two instances of it, in an if/else clause for
CONFIG_SPARSE_IRQ. Add the second one.

Signed-off-by: Paul Gortmaker <[email protected]>
Cc: Jiri Kosina <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Thomas Gleixner <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
kernel/irq/irqdesc.c | 1 +
1 file changed, 1 insertion(+)

--- a/kernel/irq/irqdesc.c
+++ b/kernel/irq/irqdesc.c
@@ -274,6 +274,7 @@ struct irq_desc *irq_to_desc(unsigned in
{
return (irq < NR_IRQS) ? irq_desc + irq : NULL;
}
+EXPORT_SYMBOL(irq_to_desc);

static void free_desc(unsigned int irq)
{

2014-02-20 23:57:59

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 98/99] EDAC: Poll timeout cannot be zero, p2

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Borislav Petkov <[email protected]>

commit 9da21b1509d8aa7ab4846722817d16c72d656c91 upstream.

Sanitize code even more to accept unsigned longs only and to not allow
polling intervals below 1 second as this is unnecessary and doesn't make
much sense anyway for polling errors.

Signed-off-by: Borislav Petkov <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Cc: Doug Thompson <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/edac/edac_mc.c | 4 ++--
drivers/edac/edac_mc_sysfs.c | 10 ++++++----
drivers/edac/edac_module.h | 2 +-
3 files changed, 9 insertions(+), 7 deletions(-)

--- a/drivers/edac/edac_mc.c
+++ b/drivers/edac/edac_mc.c
@@ -601,7 +601,7 @@ static void edac_mc_workq_teardown(struc
* user space has updated our poll period value, need to
* reset our workq delays
*/
-void edac_mc_reset_delay_period(int value)
+void edac_mc_reset_delay_period(unsigned long value)
{
struct mem_ctl_info *mci;
struct list_head *item;
@@ -611,7 +611,7 @@ void edac_mc_reset_delay_period(int valu
list_for_each(item, &mc_devices) {
mci = list_entry(item, struct mem_ctl_info, link);

- edac_mc_workq_setup(mci, (unsigned long) value);
+ edac_mc_workq_setup(mci, value);
}

mutex_unlock(&mem_ctls_mutex);
--- a/drivers/edac/edac_mc_sysfs.c
+++ b/drivers/edac/edac_mc_sysfs.c
@@ -52,18 +52,20 @@ int edac_mc_get_poll_msec(void)

static int edac_set_poll_msec(const char *val, struct kernel_param *kp)
{
- long l;
+ unsigned long l;
int ret;

if (!val)
return -EINVAL;

- ret = kstrtol(val, 0, &l);
+ ret = kstrtoul(val, 0, &l);
if (ret)
return ret;
- if (!l || ((int)l != l))
+
+ if (l < 1000)
return -EINVAL;
- *((int *)kp->arg) = l;
+
+ *((unsigned long *)kp->arg) = l;

/* notify edac_mc engine to reset the poll period */
edac_mc_reset_delay_period(l);
--- a/drivers/edac/edac_module.h
+++ b/drivers/edac/edac_module.h
@@ -52,7 +52,7 @@ extern void edac_device_workq_setup(stru
extern void edac_device_workq_teardown(struct edac_device_ctl_info *edac_dev);
extern void edac_device_reset_delay_period(struct edac_device_ctl_info
*edac_dev, unsigned long value);
-extern void edac_mc_reset_delay_period(int value);
+extern void edac_mc_reset_delay_period(unsigned long value);

extern void *edac_align_ptr(void **p, unsigned size, int n_elems);


2014-02-20 23:58:42

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 87/99] KVM: return an error code in kvm_vm_ioctl_register_coalesced_mmio()

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit aac5c4226e7136c331ed384c25d5560204da10a0 upstream.

If kvm_io_bus_register_dev() fails then it returns success but it should
return an error code.

I also did a little cleanup like removing an impossible NULL test.

Fixes: 2b3c246a682c ('KVM: Make coalesced mmio use a device per zone')
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
virt/kvm/coalesced_mmio.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)

--- a/virt/kvm/coalesced_mmio.c
+++ b/virt/kvm/coalesced_mmio.c
@@ -154,17 +154,13 @@ int kvm_vm_ioctl_register_coalesced_mmio
list_add_tail(&dev->list, &kvm->coalesced_zones);
mutex_unlock(&kvm->slots_lock);

- return ret;
+ return 0;

out_free_dev:
mutex_unlock(&kvm->slots_lock);
-
kfree(dev);

- if (dev == NULL)
- return -ENXIO;
-
- return 0;
+ return ret;
}

int kvm_vm_ioctl_unregister_coalesced_mmio(struct kvm *kvm,

2014-02-20 23:54:16

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 76/99] Revert "xhci: Avoid infinite loop when sg urb requires too many trbs"

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sarah Sharp <[email protected]>

commit 9cf00d91708221ff2d8a11143315f7ebab8d5da8 upstream.

This reverts commit d6c9ea9069af684358efedcaf2f2f687f51c58ee.

We are ripping out commit 35773dac5f862cb1c82ea151eba3e2f6de51ec3e "usb:
xhci: Link TRB must not occur within a USB payload burst" because it's a
hack that caused regressions in the usb-storage and userspace USB
drivers that use usbfs and libusb. This commit attempted to fix the
issues with that patch.

Signed-off-by: Sarah Sharp <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/host/xhci-ring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -3008,7 +3008,7 @@ static int prepare_ring(struct xhci_hcd
if (num_trbs >= TRBS_PER_SEGMENT) {
xhci_err(xhci, "Too many fragments %d, max %d\n",
num_trbs, TRBS_PER_SEGMENT - 1);
- return -EINVAL;
+ return -ENOMEM;
}

nop_cmd = cpu_to_le32(TRB_TYPE(TRB_TR_NOOP) |

2014-02-20 23:59:03

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 50/99] staging: comedi: adv_pci1710: fix analog output readback value

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: H Hartley Sweeten <[email protected]>

commit 1e85c1ea1ff2a60659e790ef8ec76c7339445841 upstream.

The last value written to a analog output channel is cached in the
private data of this driver for readback.

Currently, the wrong value is cached in the (*insn_write) functions.
The current code stores the data[n] value for readback afer the loop
has written all the values. At this time 'n' points past the end of
the data array.

Fix the functions by using a local variable to hold the data being
written to the analog output channel. This variable is then used
after the loop is complete to store the readback value. The current
value is retrieved before the loop in case no values are actually
written..

Signed-off-by: H Hartley Sweeten <[email protected]>
Reviewed-by: Ian Abbott <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/staging/comedi/drivers/adv_pci1710.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)

--- a/drivers/staging/comedi/drivers/adv_pci1710.c
+++ b/drivers/staging/comedi/drivers/adv_pci1710.c
@@ -489,6 +489,7 @@ static int pci171x_insn_write_ao(struct
struct comedi_insn *insn, unsigned int *data)
{
struct pci1710_private *devpriv = dev->private;
+ unsigned int val;
int n, chan, range, ofs;

chan = CR_CHAN(insn->chanspec);
@@ -504,11 +505,14 @@ static int pci171x_insn_write_ao(struct
outw(devpriv->da_ranges, dev->iobase + PCI171x_DAREF);
ofs = PCI171x_DA1;
}
+ val = devpriv->ao_data[chan];

- for (n = 0; n < insn->n; n++)
- outw(data[n], dev->iobase + ofs);
+ for (n = 0; n < insn->n; n++) {
+ val = data[n];
+ outw(val, dev->iobase + ofs);
+ }

- devpriv->ao_data[chan] = data[n];
+ devpriv->ao_data[chan] = val;

return n;

@@ -674,6 +678,7 @@ static int pci1720_insn_write_ao(struct
struct comedi_insn *insn, unsigned int *data)
{
struct pci1710_private *devpriv = dev->private;
+ unsigned int val;
int n, rangereg, chan;

chan = CR_CHAN(insn->chanspec);
@@ -683,13 +688,15 @@ static int pci1720_insn_write_ao(struct
outb(rangereg, dev->iobase + PCI1720_RANGE);
devpriv->da_ranges = rangereg;
}
+ val = devpriv->ao_data[chan];

for (n = 0; n < insn->n; n++) {
- outw(data[n], dev->iobase + PCI1720_DA0 + (chan << 1));
+ val = data[n];
+ outw(val, dev->iobase + PCI1720_DA0 + (chan << 1));
outb(0, dev->iobase + PCI1720_SYNCOUT); /* update outputs */
}

- devpriv->ao_data[chan] = data[n];
+ devpriv->ao_data[chan] = val;

return n;
}

2014-02-20 23:59:01

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 42/99] drm/radeon: consolidate sdma hdp flushing code for CIK

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <[email protected]>

commit ca113f6baeb314a66463c35565b4f7955c484000 upstream.

It's used in several places so move to a common shared
function.

Signed-off-by: Alex Deucher <[email protected]>
Cc: Tom Stellard <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/gpu/drm/radeon/cik_sdma.c | 35 +++++++++++++++++++++++------------
1 file changed, 23 insertions(+), 12 deletions(-)

--- a/drivers/gpu/drm/radeon/cik_sdma.c
+++ b/drivers/gpu/drm/radeon/cik_sdma.c
@@ -88,6 +88,27 @@ void cik_sdma_ring_ib_execute(struct rad
}

/**
+ * cik_sdma_hdp_flush_ring_emit - emit an hdp flush on the DMA ring
+ *
+ * @rdev: radeon_device pointer
+ * @ridx: radeon ring index
+ *
+ * Emit an hdp flush packet on the requested DMA ring.
+ */
+static void cik_sdma_hdp_flush_ring_emit(struct radeon_device *rdev,
+ int ridx)
+{
+ struct radeon_ring *ring = &rdev->ring[ridx];
+
+ /* We should be using the new POLL_REG_MEM special op packet here
+ * but it causes sDMA to hang sometimes
+ */
+ radeon_ring_write(ring, SDMA_PACKET(SDMA_OPCODE_SRBM_WRITE, 0, 0xf000));
+ radeon_ring_write(ring, HDP_MEM_COHERENCY_FLUSH_CNTL >> 2);
+ radeon_ring_write(ring, 0);
+}
+
+/**
* cik_sdma_fence_ring_emit - emit a fence on the DMA ring
*
* @rdev: radeon_device pointer
@@ -111,12 +132,7 @@ void cik_sdma_fence_ring_emit(struct rad
/* generate an interrupt */
radeon_ring_write(ring, SDMA_PACKET(SDMA_OPCODE_TRAP, 0, 0));
/* flush HDP */
- /* We should be using the new POLL_REG_MEM special op packet here
- * but it causes sDMA to hang sometimes
- */
- radeon_ring_write(ring, SDMA_PACKET(SDMA_OPCODE_SRBM_WRITE, 0, 0xf000));
- radeon_ring_write(ring, HDP_MEM_COHERENCY_FLUSH_CNTL >> 2);
- radeon_ring_write(ring, 0);
+ cik_sdma_hdp_flush_ring_emit(rdev, fence->ring);
}

/**
@@ -747,12 +763,7 @@ void cik_dma_vm_flush(struct radeon_devi
radeon_ring_write(ring, VMID(0));

/* flush HDP */
- /* We should be using the new POLL_REG_MEM special op packet here
- * but it causes sDMA to hang sometimes
- */
- radeon_ring_write(ring, SDMA_PACKET(SDMA_OPCODE_SRBM_WRITE, 0, 0xf000));
- radeon_ring_write(ring, HDP_MEM_COHERENCY_FLUSH_CNTL >> 2);
- radeon_ring_write(ring, 0);
+ cik_sdma_hdp_flush_ring_emit(rdev, ridx);

/* flush TLB */
radeon_ring_write(ring, SDMA_PACKET(SDMA_OPCODE_SRBM_WRITE, 0, 0xf000));

2014-02-20 23:59:56

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 49/99] staging: r8188eu: Fix typo in USB_DEVICE list

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Larry Finger <[email protected]>

commit 08951f10ae146d0c4114ac508310ad316b6f8798 upstream.

There is a typo in the device list that interchanges the vendor and
product codes for one of the entries. This exchange was determined
by noticing that the vendor code is 0x07b8 for Abocom at
http://www.linux-usb.org/usb.ids.

Signed-off-by: Larry Finger <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/staging/rtl8188eu/os_dep/usb_intf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
@@ -53,7 +53,7 @@ static struct usb_device_id rtw_usb_id_t
{USB_DEVICE(USB_VENDER_ID_REALTEK, 0x0179)}, /* 8188ETV */
/*=== Customer ID ===*/
/****** 8188EUS ********/
- {USB_DEVICE(0x8179, 0x07B8)}, /* Abocom - Abocom */
+ {USB_DEVICE(0x07b8, 0x8179)}, /* Abocom - Abocom */
{USB_DEVICE(0x2001, 0x330F)}, /* DLink DWA-125 REV D1 */
{} /* Terminating entry */
};

2014-02-20 23:54:14

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 79/99] Modpost: fixed USB alias generation for ranges including 0x9 and 0xA

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jan Moskyto Matejka <[email protected]>

commit 03b56329f9bb5a1cb73d7dc659d529a9a9bf3acc upstream.

Commit afe2dab4f6 ("USB: add hex/bcd detection to usb modalias generation")
changed the routine that generates alias ranges. Before that change, only
digits 0-9 were supported; the commit tried to fix the case when the range
includes higher values than 0x9.

Unfortunately, the commit didn't fix the case when the range includes both
0x9 and 0xA, meaning that the final range must look like [x-9A-y] where
x <= 0x9 and y >= 0xA -- instead the [x-9A-x] range was produced.

Modprobe doesn't complain as it sees no difference between no-match and
bad-pattern results of fnmatch().

Fixing this simple bug to fix the aliases.
Also changing the hardcoded beginning of the range to uppercase as all the
other letters are also uppercase in the device version numbers.

Fortunately, this affects only the dvb-usb-dib0700 module, AFAIK.

Signed-off-by: Jan Moskyto Matejka <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
scripts/mod/file2alias.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/scripts/mod/file2alias.c
+++ b/scripts/mod/file2alias.c
@@ -210,8 +210,8 @@ static void do_usb_entry(void *symval,
range_lo < 0x9 ? "[%X-9" : "[%X",
range_lo);
sprintf(alias + strlen(alias),
- range_hi > 0xA ? "a-%X]" : "%X]",
- range_lo);
+ range_hi > 0xA ? "A-%X]" : "%X]",
+ range_hi);
}
}
if (bcdDevice_initial_digits < (sizeof(bcdDevice_lo) * 2 - 1))

2014-02-21 00:00:47

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 84/99] compiler/gcc4: Make quirk for asm_volatile_goto() unconditional

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Steven Noonan <[email protected]>

commit a9f180345f5378ac87d80ed0bea55ba421d83859 upstream.

I started noticing problems with KVM guest destruction on Linux
3.12+, where guest memory wasn't being cleaned up. I bisected it
down to the commit introducing the new 'asm goto'-based atomics,
and found this quirk was later applied to those.

Unfortunately, even with GCC 4.8.2 (which ostensibly fixed the
known 'asm goto' bug) I am still getting some kind of
miscompilation. If I enable the asm_volatile_goto quirk for my
compiler, KVM guests are destroyed correctly and the memory is
cleaned up.

So make the quirk unconditional for now, until bug is found
and fixed.

Suggested-by: Linus Torvalds <[email protected]>
Signed-off-by: Steven Noonan <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Steven Rostedt <[email protected]>
Cc: Jakub Jelinek <[email protected]>
Cc: Richard Henderson <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Oleg Nesterov <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Link: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670
Signed-off-by: Ingo Molnar <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
include/linux/compiler-gcc4.h | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)

--- a/include/linux/compiler-gcc4.h
+++ b/include/linux/compiler-gcc4.h
@@ -75,11 +75,7 @@
*
* (asm goto is automatically volatile - the naming reflects this.)
*/
-#if GCC_VERSION <= 40801
-# define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)
-#else
-# define asm_volatile_goto(x...) do { asm goto(x); } while (0)
-#endif
+#define asm_volatile_goto(x...) do { asm goto(x); asm (""); } while (0)

#ifdef CONFIG_ARCH_USE_BUILTIN_BSWAP
#if GCC_VERSION >= 40400

2014-02-21 00:00:45

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 85/99] misc: mic: fix possible signed underflow (undefined behavior) in userspace API

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sudeep Dutt <[email protected]>

commit 3b1cc9b9622a022208ec95b1259b05bbdf712eb7 upstream.

iovcnt is declared as a signed integer in both the userspace API and
as a local variable in mic_virtio.c. The while() loop in mic_virtio.c
iterates until the local variable iovcnt reaches the value 0. If
userspace passes e.g. INT_MIN as iovcnt field, this loop then appears
to depend on an undefined behavior (signed underflow) to complete.
The fix is to use unsigned integers in both the userspace API and
the local variable.

This issue was reported @ https://lkml.org/lkml/2014/1/10/10

Reported-by: Mathieu Desnoyers <[email protected]>
Reviewed-by: Ashutosh Dixit <[email protected]>
Signed-off-by: Sudeep Dutt <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/misc/mic/host/mic_virtio.c | 3 ++-
include/uapi/linux/mic_ioctl.h | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/misc/mic/host/mic_virtio.c
+++ b/drivers/misc/mic/host/mic_virtio.c
@@ -156,7 +156,8 @@ static int mic_vringh_copy(struct mic_vd
static int _mic_virtio_copy(struct mic_vdev *mvdev,
struct mic_copy_desc *copy)
{
- int ret = 0, iovcnt = copy->iovcnt;
+ int ret = 0;
+ u32 iovcnt = copy->iovcnt;
struct iovec iov;
struct iovec __user *u_iov = copy->iov;
void __user *ubuf = NULL;
--- a/include/uapi/linux/mic_ioctl.h
+++ b/include/uapi/linux/mic_ioctl.h
@@ -39,7 +39,7 @@ struct mic_copy_desc {
#else
struct iovec *iov;
#endif
- int iovcnt;
+ __u32 iovcnt;
__u8 vr_idx;
__u8 update_used;
__u32 out_len;

2014-02-20 23:54:11

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 78/99] Revert "usbcore: set lpm_capable field for LPM capable root hubs"

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sarah Sharp <[email protected]>

commit 140e3026a57ab7d830dab2f2c57796c222db0ea9 upstream.

Commit 9df89d85b407690afa46ddfbccc80bec6869971d "usbcore: set
lpm_capable field for LPM capable root hubs" was created under the
assumption that all USB host controllers should have USB 3.0 Link PM
enabled for all devices under the hosts.

Unfortunately, that's not the case. The xHCI driver relies on knowledge
of the host hardware scheduler to calculate the LPM U1/U2 timeout
values, and it only sets lpm_capable to one for Intel host controllers
(that have the XHCI_LPM_SUPPORT quirk set).

When LPM is enabled for some Fresco Logic hosts, it causes failures with
a AgeStar 3UBT USB 3.0 hard drive dock:

Jan 11 13:59:03 sg-laptop kernel: usb 3-1: new SuperSpeed USB device number 2 using xhci_hcd
Jan 11 13:59:03 sg-laptop kernel: usb 3-1: Set SEL for device-initiated U1 failed.
Jan 11 13:59:08 sg-laptop kernel: usb 3-1: Set SEL for device-initiated U2 failed.
Jan 11 13:59:08 sg-laptop kernel: usb-storage 3-1:1.0: USB Mass Storage device detected
Jan 11 13:59:08 sg-laptop mtp-probe[613]: checking bus 3, device 2: "/sys/devices/pci0000:00/0000:00:1c.3/0000:04:00.0/usb3/3-1"
Jan 11 13:59:08 sg-laptop mtp-probe[613]: bus: 3, device: 2 was not an MTP device
Jan 11 13:59:08 sg-laptop kernel: scsi6 : usb-storage 3-1:1.0
Jan 11 13:59:13 sg-laptop kernel: usb 3-1: Set SEL for device-initiated U1 failed.
Jan 11 13:59:18 sg-laptop kernel: usb 3-1: Set SEL for device-initiated U2 failed.
Jan 11 13:59:18 sg-laptop kernel: usbcore: registered new interface driver usb-storage
Jan 11 13:59:40 sg-laptop kernel: usb 3-1: reset SuperSpeed USB device number 2 using xhci_hcd
Jan 11 13:59:41 sg-laptop kernel: usb 3-1: device descriptor read/8, error -71
Jan 11 13:59:41 sg-laptop kernel: usb 3-1: reset SuperSpeed USB device number 2 using xhci_hcd
Jan 11 13:59:46 sg-laptop kernel: usb 3-1: device descriptor read/8, error -110
Jan 11 13:59:46 sg-laptop kernel: scsi 6:0:0:0: Device offlined - not ready after error recovery
Jan 11 13:59:46 sg-laptop kernel: usb 3-1: USB disconnect, device number 2

lspci for the affected host:

04:00.0 0c03: 1b73:1000 (rev 04) (prog-if 30 [XHCI])
Subsystem: 1043:1039
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupt: pin A routed to IRQ 19
Region 0: Memory at dd200000 (32-bit, non-prefetchable) [size=64K]
Capabilities: [50] Power Management version 3
Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold-)
Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=0 PME-
Capabilities: [68] MSI: Enable- Count=1/1 Maskable- 64bit+
Address: 0000000000000000 Data: 0000
Capabilities: [80] Express (v1) Endpoint, MSI 00
DevCap: MaxPayload 128 bytes, PhantFunc 0, Latency L0s <2us, L1 <32us
ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset-
DevCtl: Report errors: Correctable- Non-Fatal- Fatal- Unsupported-
RlxdOrd+ ExtTag- PhantFunc- AuxPwr- NoSnoop+
MaxPayload 128 bytes, MaxReadReq 512 bytes
DevSta: CorrErr- UncorrErr- FatalErr- UnsuppReq- AuxPwr- TransPend-
LnkCap: Port #0, Speed 2.5GT/s, Width x1, ASPM L0s L1, Latency L0 unlimited, L1 unlimited
ClockPM- Surprise- LLActRep- BwNot-
LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- Retrain- CommClk+
ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
LnkSta: Speed 2.5GT/s, Width x1, TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
Kernel driver in use: xhci_hcd
Kernel modules: xhci_hcd

The commit was backported to stable kernels, and will need to be
reverted there as well.

Signed-off-by: Sarah Sharp <[email protected]>
Reported-by: Sergey Galanov <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/core/hcd.c | 1 -
drivers/usb/core/hub.c | 7 +------
drivers/usb/core/usb.h | 1 -
3 files changed, 1 insertion(+), 8 deletions(-)

--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -1031,7 +1031,6 @@ static int register_root_hub(struct usb_
dev_name(&usb_dev->dev), retval);
return retval;
}
- usb_dev->lpm_capable = usb_device_supports_lpm(usb_dev);
}

retval = usb_new_device (usb_dev);
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -135,7 +135,7 @@ struct usb_hub *usb_hub_to_struct_hub(st
return usb_get_intfdata(hdev->actconfig->interface[0]);
}

-int usb_device_supports_lpm(struct usb_device *udev)
+static int usb_device_supports_lpm(struct usb_device *udev)
{
/* USB 2.1 (and greater) devices indicate LPM support through
* their USB 2.0 Extended Capabilities BOS descriptor.
@@ -156,11 +156,6 @@ int usb_device_supports_lpm(struct usb_d
"Power management will be impacted.\n");
return 0;
}
-
- /* udev is root hub */
- if (!udev->parent)
- return 1;
-
if (udev->parent->lpm_capable)
return 1;

--- a/drivers/usb/core/usb.h
+++ b/drivers/usb/core/usb.h
@@ -35,7 +35,6 @@ extern int usb_get_device_descriptor(str
unsigned int size);
extern int usb_get_bos_descriptor(struct usb_device *dev);
extern void usb_release_bos_descriptor(struct usb_device *dev);
-extern int usb_device_supports_lpm(struct usb_device *udev);
extern char *usb_cache_string(struct usb_device *udev, int index);
extern int usb_set_configuration(struct usb_device *dev, int configuration);
extern int usb_choose_configuration(struct usb_device *udev);

2014-02-21 00:01:30

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 82/99] block: add cond_resched() to potentially long running ioctl discard loop

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jens Axboe <[email protected]>

commit c8123f8c9cb517403b51aa41c3c46ff5e10b2c17 upstream.

When mkfs issues a full device discard and the device only
supports discards of a smallish size, we can loop in
blkdev_issue_discard() for a long time. If preempt isn't enabled,
this can turn into a softlock situation and the kernel will
start complaining.

Add an explicit cond_resched() at the end of the loop to avoid
that.

Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
block/blk-lib.c | 8 ++++++++
1 file changed, 8 insertions(+)

--- a/block/blk-lib.c
+++ b/block/blk-lib.c
@@ -119,6 +119,14 @@ int blkdev_issue_discard(struct block_de

atomic_inc(&bb.done);
submit_bio(type, bio);
+
+ /*
+ * We can loop for a long time in here, if someone does
+ * full device discards (like mkfs). Be nice and allow
+ * us to schedule out to avoid softlocking if preempt
+ * is disabled.
+ */
+ cond_resched();
}
blk_finish_plug(&plug);


2014-02-21 00:01:29

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 83/99] ACPI / hotplug / PCI: Relax the checking of _STA return values

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mika Westerberg <[email protected]>

commit 7282059489868e0ed1b0d79765730c6b233a8399 upstream.

The ACPI specification (ACPI 5.0A, Section 6.3.7) says:

_STA may return bit 0 clear (not present) with bit 3 set (device is
functional). This case is used to indicate a valid device for which
no device driver should be loaded (for example, a bridge device.)
Children of this device may be present and valid. OSPM should
continue enumeration below a device whose _STA returns this bit
combination.

Evidently, some BIOSes follow that and return 0x0A from _STA, which
causes problems to happen when they trigger bus check or device check
notifications for those devices too. Namely, ACPIPHP thinks that they
are gone and may drop them, for example, if such a notification is
triggered during a resume from system suspend.

To fix that, modify ACPICA to regard devies as present and
functioning if _STA returns both the ACPI_STA_DEVICE_ENABLED
and ACPI_STA_DEVICE_FUNCTIONING bits set for them.

Reported-and-tested-by: Peter Wu <[email protected]>
[rjw: Subject and changelog, minor code modifications]
Signed-off-by: Rafael J. Wysocki <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/pci/hotplug/acpiphp_glue.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)

--- a/drivers/pci/hotplug/acpiphp_glue.c
+++ b/drivers/pci/hotplug/acpiphp_glue.c
@@ -706,6 +706,17 @@ static unsigned int get_slot_status(stru
return (unsigned int)sta;
}

+static inline bool device_status_valid(unsigned int sta)
+{
+ /*
+ * ACPI spec says that _STA may return bit 0 clear with bit 3 set
+ * if the device is valid but does not require a device driver to be
+ * loaded (Section 6.3.7 of ACPI 5.0A).
+ */
+ unsigned int mask = ACPI_STA_DEVICE_ENABLED | ACPI_STA_DEVICE_FUNCTIONING;
+ return (sta & mask) == mask;
+}
+
/**
* trim_stale_devices - remove PCI devices that are not responding.
* @dev: PCI device to start walking the hierarchy from.
@@ -721,7 +732,7 @@ static void trim_stale_devices(struct pc
unsigned long long sta;

status = acpi_evaluate_integer(handle, "_STA", NULL, &sta);
- alive = (ACPI_SUCCESS(status) && sta == ACPI_STA_ALL)
+ alive = (ACPI_SUCCESS(status) && device_status_valid(sta))
|| acpiphp_no_hotplug(handle);
}
if (!alive) {
@@ -764,7 +775,7 @@ static void acpiphp_check_bridge(struct
mutex_lock(&slot->crit_sect);
if (slot_no_hotplug(slot)) {
; /* do nothing */
- } else if (get_slot_status(slot) == ACPI_STA_ALL) {
+ } else if (device_status_valid(get_slot_status(slot))) {
/* remove stale devices if any */
list_for_each_entry_safe(dev, tmp, &bus->devices,
bus_list)

2014-02-20 23:54:09

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 77/99] Revert "usb: xhci: Link TRB must not occur within a USB payload burst"

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sarah Sharp <[email protected]>

commit 3d4b81eda2211f32886e2978daf6f39885042fc4 upstream.

This reverts commit 35773dac5f862cb1c82ea151eba3e2f6de51ec3e. It's a
hack that caused regressions in the usb-storage and userspace USB
drivers that use usbfs and libusb. Commit 70cabb7d992f "xhci 1.0: Limit
arbitrarily-aligned scatter gather." should fix the issues seen with the
ax88179_178a driver on xHCI 1.0 hosts, without causing regressions.

Signed-off-by: Sarah Sharp <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/host/xhci-ring.c | 54 +------------------------------------------
include/linux/usb.h | 2 -
2 files changed, 2 insertions(+), 54 deletions(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -2973,58 +2973,8 @@ static int prepare_ring(struct xhci_hcd
}

while (1) {
- if (room_on_ring(xhci, ep_ring, num_trbs)) {
- union xhci_trb *trb = ep_ring->enqueue;
- unsigned int usable = ep_ring->enq_seg->trbs +
- TRBS_PER_SEGMENT - 1 - trb;
- u32 nop_cmd;
-
- /*
- * Section 4.11.7.1 TD Fragments states that a link
- * TRB must only occur at the boundary between
- * data bursts (eg 512 bytes for 480M).
- * While it is possible to split a large fragment
- * we don't know the size yet.
- * Simplest solution is to fill the trb before the
- * LINK with nop commands.
- */
- if (num_trbs == 1 || num_trbs <= usable || usable == 0)
- break;
-
- if (ep_ring->type != TYPE_BULK)
- /*
- * While isoc transfers might have a buffer that
- * crosses a 64k boundary it is unlikely.
- * Since we can't add NOPs without generating
- * gaps in the traffic just hope it never
- * happens at the end of the ring.
- * This could be fixed by writing a LINK TRB
- * instead of the first NOP - however the
- * TRB_TYPE_LINK_LE32() calls would all need
- * changing to check the ring length.
- */
- break;
-
- if (num_trbs >= TRBS_PER_SEGMENT) {
- xhci_err(xhci, "Too many fragments %d, max %d\n",
- num_trbs, TRBS_PER_SEGMENT - 1);
- return -ENOMEM;
- }
-
- nop_cmd = cpu_to_le32(TRB_TYPE(TRB_TR_NOOP) |
- ep_ring->cycle_state);
- ep_ring->num_trbs_free -= usable;
- do {
- trb->generic.field[0] = 0;
- trb->generic.field[1] = 0;
- trb->generic.field[2] = 0;
- trb->generic.field[3] = nop_cmd;
- trb++;
- } while (--usable);
- ep_ring->enqueue = trb;
- if (room_on_ring(xhci, ep_ring, num_trbs))
- break;
- }
+ if (room_on_ring(xhci, ep_ring, num_trbs))
+ break;

if (ep_ring == xhci->cmd_ring) {
xhci_err(xhci, "Do not support expand command ring\n");
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1264,8 +1264,6 @@ typedef void (*usb_complete_t)(struct ur
* @sg: scatter gather buffer list, the buffer size of each element in
* the list (except the last) must be divisible by the endpoint's
* max packet size if no_sg_constraint isn't set in 'struct usb_bus'
- * (FIXME: scatter-gather under xHCI is broken for periodic transfers.
- * Do not use urb->sg for interrupt endpoints for now, only bulk.)
* @num_mapped_sgs: (internal) number of mapped sg entries
* @num_sgs: number of entries in the sg list
* @transfer_buffer_length: How big is transfer_buffer. The transfer may

2014-02-21 00:02:21

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 81/99] block: Fix nr_vecs for inline integrity vectors

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Martin K. Petersen" <[email protected]>

commit 087787959ce851d7bbb19f10f6e9241b7f85a3ca upstream.

Commit 9f060e2231ca changed the way we handle allocations for the
integrity vectors. When the vectors are inline there is no associated
slab and consequently bvec_nr_vecs() returns 0. Ensure that we check
against BIP_INLINE_VECS in that case.

Reported-by: David Milburn <[email protected]>
Tested-by: David Milburn <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/bio-integrity.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

--- a/fs/bio-integrity.c
+++ b/fs/bio-integrity.c
@@ -114,6 +114,14 @@ void bio_integrity_free(struct bio *bio)
}
EXPORT_SYMBOL(bio_integrity_free);

+static inline unsigned int bip_integrity_vecs(struct bio_integrity_payload *bip)
+{
+ if (bip->bip_slab == BIO_POOL_NONE)
+ return BIP_INLINE_VECS;
+
+ return bvec_nr_vecs(bip->bip_slab);
+}
+
/**
* bio_integrity_add_page - Attach integrity metadata
* @bio: bio to update
@@ -129,7 +137,7 @@ int bio_integrity_add_page(struct bio *b
struct bio_integrity_payload *bip = bio->bi_integrity;
struct bio_vec *iv;

- if (bip->bip_vcnt >= bvec_nr_vecs(bip->bip_slab)) {
+ if (bip->bip_vcnt >= bip_integrity_vecs(bip)) {
printk(KERN_ERR "%s: bip_vec full\n", __func__);
return 0;
}

2014-02-21 00:02:41

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 80/99] block: __elv_next_request() shouldnt call into the elevator if bypassing

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tejun Heo <[email protected]>

commit 556ee818c06f37b2e583af0363e6b16d0e0270de upstream.

request_queue bypassing is used to suppress higher-level function of a
request_queue so that they can be switched, reconfigured and shut
down. A request_queue does the followings while bypassing.

* bypasses elevator and io_cq association and queues requests directly
to the FIFO dispatch queue.

* bypasses block cgroup request_list lookup and always uses the root
request_list.

Once confirmed to be bypassing, specific elevator and block cgroup
policy implementations can assume that nothing is in flight for them
and perform various operations which would be dangerous otherwise.

Such confirmation is acheived by short-circuiting all new requests
directly to the dispatch queue and waiting for all the requests which
were issued before to finish. Unfortunately, while the request
allocating and draining sides were properly handled, we forgot to
actually plug the request dispatch path. Even after bypassing mode is
confirmed, if the attached driver tries to fetch a request and the
dispatch queue is empty, __elv_next_request() would invoke the current
elevator's elevator_dispatch_fn() callback. As all in-flight requests
were drained, the elevator wouldn't contain any request but once
bypass is confirmed we don't even know whether the elevator is even
there. It might be in the process of being switched and half torn
down.

Frank Mayhar reports that this actually happened while switching
elevators, leading to an oops.

Let's fix it by making __elv_next_request() avoid invoking the
elevator_dispatch_fn() callback if the queue is bypassing. It already
avoids invoking the callback if the queue is dying. As a dying queue
is guaranteed to be bypassing, we can simply replace blk_queue_dying()
check with blk_queue_bypass().

Reported-by: Frank Mayhar <[email protected]>
References: http://lkml.kernel.org/g/[email protected]
Tested-by: Frank Mayhar <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
block/blk.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/block/blk.h
+++ b/block/blk.h
@@ -113,7 +113,7 @@ static inline struct request *__elv_next
q->flush_queue_delayed = 1;
return NULL;
}
- if (unlikely(blk_queue_dying(q)) ||
+ if (unlikely(blk_queue_bypass(q)) ||
!q->elevator->type->ops.elevator_dispatch_fn(q, 0))
return NULL;
}

2014-02-21 00:03:03

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 75/99] Revert "xhci: Set scatter-gather limit to avoid failed block writes."

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sarah Sharp <[email protected]>

commit 1386ff75797a187df324062fb4e929152392da88 upstream.

This reverts commit f2d9b991c549f159dc9ae81f77d8206c790cbfee.

We are ripping out commit 35773dac5f862cb1c82ea151eba3e2f6de51ec3e "usb:
xhci: Link TRB must not occur within a USB payload burst" because it's a
hack that caused regressions in the usb-storage and userspace USB
drivers that use usbfs and libusb. This commit attempted to fix the
issues with that patch.

Signed-off-by: Sarah Sharp <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/host/xhci.c | 4 ++--
drivers/usb/host/xhci.h | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -4716,8 +4716,8 @@ int xhci_gen_setup(struct usb_hcd *hcd,
struct device *dev = hcd->self.controller;
int retval;

- /* Limit the block layer scatter-gather lists to half a segment. */
- hcd->self.sg_tablesize = TRBS_PER_SEGMENT / 2;
+ /* Accept arbitrarily long scatter-gather lists */
+ hcd->self.sg_tablesize = ~0;

/* XHCI controllers don't stop the ep queue on short packets :| */
hcd->self.no_stop_on_short = 1;
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1260,7 +1260,7 @@ union xhci_trb {
* since the command ring is 64-byte aligned.
* It must also be greater than 16.
*/
-#define TRBS_PER_SEGMENT 256
+#define TRBS_PER_SEGMENT 64
/* Allow two commands + a link TRB, along with any reserved command TRBs */
#define MAX_RSVD_CMD_TRBS (TRBS_PER_SEGMENT - 3)
#define TRB_SEGMENT_SIZE (TRBS_PER_SEGMENT*16)

2014-02-21 00:03:23

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 72/99] usb: option: blacklist ZTE MF667 net interface

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Raymond Wanyoike <[email protected]>

commit 3635c7e2d59f7861afa6fa5e87e2a58860ff514d upstream.

Interface #5 of 19d2:1270 is a net interface which has been submitted to the
qmi_wwan driver so consequently remove it from the option driver.

Signed-off-by: Raymond Wanyoike <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/serial/option.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1362,7 +1362,8 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1267, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1268, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1269, 0xff, 0xff, 0xff) },
- { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1270, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1270, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t)&net_intf5_blacklist },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1271, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1272, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1273, 0xff, 0xff, 0xff) },

2014-02-21 00:03:58

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 71/99] usb-storage: enable multi-LUN scanning when needed

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <[email protected]>

commit 823d12c95c666fa7ab7dad208d735f6bc6afabdc upstream.

People sometimes create their own custom-configured kernels and forget
to enable CONFIG_SCSI_MULTI_LUN. This causes problems when they plug
in a USB storage device (such as a card reader) with more than one
LUN.

Fortunately, we can tell fairly easily when a storage device claims to
have more than one LUN. When that happens, this patch asks the SCSI
layer to probe all the LUNs automatically, regardless of the config
setting.

The patch also updates the Kconfig help text for usb-storage,
explaining that CONFIG_SCSI_MULTI_LUN may be necessary.

Signed-off-by: Alan Stern <[email protected]>
Reported-by: Thomas Raschbacher <[email protected]>
CC: Matthew Dharm <[email protected]>
CC: James Bottomley <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/storage/Kconfig | 4 +++-
drivers/usb/storage/scsiglue.c | 6 ++++++
2 files changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/usb/storage/Kconfig
+++ b/drivers/usb/storage/Kconfig
@@ -18,7 +18,9 @@ config USB_STORAGE

This option depends on 'SCSI' support being enabled, but you
probably also need 'SCSI device support: SCSI disk support'
- (BLK_DEV_SD) for most USB storage devices.
+ (BLK_DEV_SD) for most USB storage devices. Some devices also
+ will require 'Probe all LUNs on each SCSI device'
+ (SCSI_MULTI_LUN).

To compile this driver as a module, choose M here: the
module will be called usb-storage.
--- a/drivers/usb/storage/scsiglue.c
+++ b/drivers/usb/storage/scsiglue.c
@@ -78,6 +78,8 @@ static const char* host_info(struct Scsi

static int slave_alloc (struct scsi_device *sdev)
{
+ struct us_data *us = host_to_us(sdev->host);
+
/*
* Set the INQUIRY transfer length to 36. We don't use any of
* the extra data and many devices choke if asked for more or
@@ -102,6 +104,10 @@ static int slave_alloc (struct scsi_devi
*/
blk_queue_update_dma_alignment(sdev->request_queue, (512 - 1));

+ /* Tell the SCSI layer if we know there is more than one LUN */
+ if (us->protocol == USB_PR_BULK && us->max_lun > 0)
+ sdev->sdev_bflags |= BLIST_FORCELUN;
+
return 0;
}


2014-02-21 00:04:23

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 70/99] usb-storage: restrict bcdDevice range for Super Top in Cypress ATACB

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <[email protected]>

commit a9c143c82608bee2a36410caa56d82cd86bdc7fa upstream.

The Cypress ATACB unusual-devs entry for the Super Top SATA bridge
causes problems. Although it was originally reported only for
bcdDevice = 0x160, its range was much larger. This resulted in a bug
report for bcdDevice 0x220, so the range was capped at 0x219. Now
Milan reports errors with bcdDevice 0x150.

Therefore this patch restricts the range to just 0x160.

Signed-off-by: Alan Stern <[email protected]>
Reported-and-tested-by: Milan Svoboda <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/usb/storage/unusual_cypress.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/storage/unusual_cypress.h
+++ b/drivers/usb/storage/unusual_cypress.h
@@ -31,7 +31,7 @@ UNUSUAL_DEV( 0x04b4, 0x6831, 0x0000, 0x
"Cypress ISD-300LP",
USB_SC_CYP_ATACB, USB_PR_DEVICE, NULL, 0),

-UNUSUAL_DEV( 0x14cd, 0x6116, 0x0000, 0x0219,
+UNUSUAL_DEV( 0x14cd, 0x6116, 0x0160, 0x0160,
"Super Top",
"USB 2.0 SATA BRIDGE",
USB_SC_CYP_ATACB, USB_PR_DEVICE, NULL, 0),

2014-02-20 23:53:54

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 63/99] mei: dont unset read cb ptr on reset

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Usyskin <[email protected]>

commit 5cb906c7035f03a3a44fecece9d3ff8fcc75d6e0 upstream.

Don't set read callback to NULL during reset as
this leads to memory leak of both cb and its buffer.
The memory is correctly freed during mei_release.

The memory leak is detectable by kmemleak if
application has open read call while system is going through
suspend/resume.

unreferenced object 0xecead780 (size 64):
comm "AsyncTask #1", pid 1018, jiffies 4294949621 (age 152.440s)
hex dump (first 32 bytes):
00 01 10 00 00 02 20 00 00 bf 30 f1 00 00 00 00 ...... ...0.....
00 00 00 00 00 00 00 00 36 01 00 00 00 70 da e2 ........6....p..
backtrace:
[<c1a60aec>] kmemleak_alloc+0x3c/0xa0
[<c131ed56>] kmem_cache_alloc_trace+0xc6/0x190
[<c16243c9>] mei_io_cb_init+0x29/0x50
[<c1625722>] mei_cl_read_start+0x102/0x360
[<c16268f3>] mei_read+0x103/0x4e0
[<c1324b09>] vfs_read+0x89/0x160
[<c1324d5f>] SyS_read+0x4f/0x80
[<c1a7b318>] syscall_call+0x7/0xb
[<ffffffff>] 0xffffffff
unreferenced object 0xe2da7000 (size 512):
comm "AsyncTask #1", pid 1018, jiffies 4294949621 (age 152.440s)
hex dump (first 32 bytes):
00 6c da e2 7c 00 00 00 00 00 00 00 c0 eb 0c 59 .l..|..........Y
1b 00 00 00 01 00 00 00 02 10 00 00 01 00 00 00 ................
backtrace:
[<c1a60aec>] kmemleak_alloc+0x3c/0xa0
[<c131f127>] __kmalloc+0xe7/0x1d0
[<c162447e>] mei_io_cb_alloc_resp_buf+0x2e/0x60
[<c162574c>] mei_cl_read_start+0x12c/0x360
[<c16268f3>] mei_read+0x103/0x4e0
[<c1324b09>] vfs_read+0x89/0x160
[<c1324d5f>] SyS_read+0x4f/0x80
[<c1a7b318>] syscall_call+0x7/0xb
[<ffffffff>] 0xffffffff

Signed-off-by: Alexander Usyskin <[email protected]>
Signed-off-by: Tomas Winkler <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/misc/mei/client.c | 1 -
1 file changed, 1 deletion(-)

--- a/drivers/misc/mei/client.c
+++ b/drivers/misc/mei/client.c
@@ -907,7 +907,6 @@ void mei_cl_all_disconnect(struct mei_de
list_for_each_entry_safe(cl, next, &dev->file_list, link) {
cl->state = MEI_FILE_DISCONNECTED;
cl->mei_flow_ctrl_creds = 0;
- cl->read_cb = NULL;
cl->timer_count = 0;
}
}

2014-02-21 00:04:44

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 66/99] Drivers: hv: vmbus: Dont timeout during the initial connection with host

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: "K. Y. Srinivasan" <[email protected]>

commit 269f979467cf49f2ea8132316c1f00f8c9678f7c upstream.

When the guest attempts to connect with the host when there may already be a
connection with the host (as would be the case during the kdump/kexec path),
it is difficult to guarantee timely response from the host. Starting with
WS2012 R2, the host supports this ability to re-connect with the host
(explicitly to support kexec). Prior to responding to the guest, the host
needs to ensure that device states based on the previous connection to
the host have been properly torn down. This may introduce unbounded delays.
To deal with this issue, don't do a timed wait during the initial connect
with the host.

Signed-off-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/hv/connection.c | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)

--- a/drivers/hv/connection.c
+++ b/drivers/hv/connection.c
@@ -67,7 +67,6 @@ static int vmbus_negotiate_version(struc
int ret = 0;
struct vmbus_channel_initiate_contact *msg;
unsigned long flags;
- int t;

init_completion(&msginfo->waitevent);

@@ -102,15 +101,7 @@ static int vmbus_negotiate_version(struc
}

/* Wait for the connection response */
- t = wait_for_completion_timeout(&msginfo->waitevent, 5*HZ);
- if (t == 0) {
- spin_lock_irqsave(&vmbus_connection.channelmsg_lock,
- flags);
- list_del(&msginfo->msglistentry);
- spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock,
- flags);
- return -ETIMEDOUT;
- }
+ wait_for_completion(&msginfo->waitevent);

spin_lock_irqsave(&vmbus_connection.channelmsg_lock, flags);
list_del(&msginfo->msglistentry);

2014-02-21 00:05:31

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 65/99] Drivers: hv: vmbus: Specify the target CPU that should receive notification

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: "K. Y. Srinivasan" <[email protected]>

commit e28bab4828354583bb66ac09021ca69b341a7db4 upstream.

During the initial VMBUS connect phase, starting with WS2012 R2, we should
specify the VPCU in the guest that should receive the notification. Fix this
issue. This fix is required to properly connect to the host in the kexeced
kernel.

Signed-off-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/hv/connection.c | 2 ++
include/linux/hyperv.h | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/hv/connection.c
+++ b/drivers/hv/connection.c
@@ -78,6 +78,8 @@ static int vmbus_negotiate_version(struc
msg->interrupt_page = virt_to_phys(vmbus_connection.int_page);
msg->monitor_page1 = virt_to_phys(vmbus_connection.monitor_pages[0]);
msg->monitor_page2 = virt_to_phys(vmbus_connection.monitor_pages[1]);
+ if (version == VERSION_WIN8)
+ msg->target_vcpu = hv_context.vp_index[smp_processor_id()];

/*
* Add to list before we send the request since we may
--- a/include/linux/hyperv.h
+++ b/include/linux/hyperv.h
@@ -875,7 +875,7 @@ struct vmbus_channel_relid_released {
struct vmbus_channel_initiate_contact {
struct vmbus_channel_message_header header;
u32 vmbus_version_requested;
- u32 padding2;
+ u32 target_vcpu; /* The VCPU the host should respond to */
u64 interrupt_page;
u64 monitor_page1;
u64 monitor_page2;

2014-02-20 23:53:52

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 62/99] mei: clear write cb from waiting list on reset

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Usyskin <[email protected]>

commit 30c54df7cb9b15b222529a028390b9c9582dd65e upstream.

Clear write callbacks sitting in write_waiting list on reset.
Otherwise these callbacks are left dangling and cause memory leak.

Signed-off-by: Alexander Usyskin <[email protected]>
Signed-off-by: Tomas Winkler <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/misc/mei/client.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/misc/mei/client.c
+++ b/drivers/misc/mei/client.c
@@ -941,8 +941,16 @@ void mei_cl_all_wakeup(struct mei_device
void mei_cl_all_write_clear(struct mei_device *dev)
{
struct mei_cl_cb *cb, *next;
+ struct list_head *list;

- list_for_each_entry_safe(cb, next, &dev->write_list.list, list) {
+ list = &dev->write_list.list;
+ list_for_each_entry_safe(cb, next, list, list) {
+ list_del(&cb->list);
+ mei_io_cb_free(cb);
+ }
+
+ list = &dev->write_waiting_list.list;
+ list_for_each_entry_safe(cb, next, list, list) {
list_del(&cb->list);
mei_io_cb_free(cb);
}

2014-02-21 00:05:59

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 64/99] VME: Correct read/write alignment algorithm

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Martyn Welch <[email protected]>

commit f0342e66b397947ed8c3eef8c37b5ca2d5b1bb50 upstream.

In order to ensure the correct width cycles on the VME bus, the VME bridge
drivers implement an algorithm to utilise the largest possible width reads and
writes whilst maintaining natural alignment constraints. The algorithm
currently looks at the start address rather than the current read/write address
when determining whether a 16-bit width cycle is required to get to 32-bit
alignment. This results in incorrect alignment,

Reported-by: Jim Strouth <[email protected]>
Tested-by: Jim Strouth <[email protected]>
Signed-off-by: Martyn Welch <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/vme/bridges/vme_ca91cx42.c | 4 ++--
drivers/vme/bridges/vme_tsi148.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/vme/bridges/vme_ca91cx42.c
+++ b/drivers/vme/bridges/vme_ca91cx42.c
@@ -884,7 +884,7 @@ static ssize_t ca91cx42_master_read(stru
if (done == count)
goto out;
}
- if ((uintptr_t)addr & 0x2) {
+ if ((uintptr_t)(addr + done) & 0x2) {
if ((count - done) < 2) {
*(u8 *)(buf + done) = ioread8(addr + done);
done += 1;
@@ -938,7 +938,7 @@ static ssize_t ca91cx42_master_write(str
if (done == count)
goto out;
}
- if ((uintptr_t)addr & 0x2) {
+ if ((uintptr_t)(addr + done) & 0x2) {
if ((count - done) < 2) {
iowrite8(*(u8 *)(buf + done), addr + done);
done += 1;
--- a/drivers/vme/bridges/vme_tsi148.c
+++ b/drivers/vme/bridges/vme_tsi148.c
@@ -1289,7 +1289,7 @@ static ssize_t tsi148_master_read(struct
if (done == count)
goto out;
}
- if ((uintptr_t)addr & 0x2) {
+ if ((uintptr_t)(addr + done) & 0x2) {
if ((count - done) < 2) {
*(u8 *)(buf + done) = ioread8(addr + done);
done += 1;
@@ -1371,7 +1371,7 @@ static ssize_t tsi148_master_write(struc
if (done == count)
goto out;
}
- if ((uintptr_t)addr & 0x2) {
+ if ((uintptr_t)(addr + done) & 0x2) {
if ((count - done) < 2) {
iowrite8(*(u8 *)(buf + done), addr + done);
done += 1;

2014-02-20 23:53:49

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 55/99] iio: adis16400: Set timestamp as the last element in chan_spec

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Marcus Folkesson <[email protected]>

commit c76782d151dab7ecfdcdf9a01561c2d61d9b490f upstream.

This is necessary since timestamp is calculated as the last element
in iio_compute_scan_bytes().

Without this fix any userspace code reading the layout of the buffer via
sysfs will incorrectly interpret the data leading some nasty corruption.

Signed-off-by: Marcus Folkesson <[email protected]>
Acked-by: Lars-Peter Clausen <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/iio/imu/adis16400.h | 1 +
drivers/iio/imu/adis16400_core.c | 10 +++++-----
2 files changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/iio/imu/adis16400.h
+++ b/drivers/iio/imu/adis16400.h
@@ -189,6 +189,7 @@ enum {
ADIS16300_SCAN_INCLI_X,
ADIS16300_SCAN_INCLI_Y,
ADIS16400_SCAN_ADC,
+ ADIS16400_SCAN_TIMESTAMP,
};

#ifdef CONFIG_IIO_BUFFER
--- a/drivers/iio/imu/adis16400_core.c
+++ b/drivers/iio/imu/adis16400_core.c
@@ -632,7 +632,7 @@ static const struct iio_chan_spec adis16
ADIS16400_MAGN_CHAN(Z, ADIS16400_ZMAGN_OUT, 14),
ADIS16400_TEMP_CHAN(ADIS16400_TEMP_OUT, 12),
ADIS16400_AUX_ADC_CHAN(ADIS16400_AUX_ADC, 12),
- IIO_CHAN_SOFT_TIMESTAMP(12)
+ IIO_CHAN_SOFT_TIMESTAMP(ADIS16400_SCAN_TIMESTAMP),
};

static const struct iio_chan_spec adis16448_channels[] = {
@@ -659,7 +659,7 @@ static const struct iio_chan_spec adis16
},
},
ADIS16400_TEMP_CHAN(ADIS16448_TEMP_OUT, 12),
- IIO_CHAN_SOFT_TIMESTAMP(11)
+ IIO_CHAN_SOFT_TIMESTAMP(ADIS16400_SCAN_TIMESTAMP),
};

static const struct iio_chan_spec adis16350_channels[] = {
@@ -677,7 +677,7 @@ static const struct iio_chan_spec adis16
ADIS16400_MOD_TEMP_CHAN(X, ADIS16350_XTEMP_OUT, 12),
ADIS16400_MOD_TEMP_CHAN(Y, ADIS16350_YTEMP_OUT, 12),
ADIS16400_MOD_TEMP_CHAN(Z, ADIS16350_ZTEMP_OUT, 12),
- IIO_CHAN_SOFT_TIMESTAMP(11)
+ IIO_CHAN_SOFT_TIMESTAMP(ADIS16400_SCAN_TIMESTAMP),
};

static const struct iio_chan_spec adis16300_channels[] = {
@@ -690,7 +690,7 @@ static const struct iio_chan_spec adis16
ADIS16400_AUX_ADC_CHAN(ADIS16300_AUX_ADC, 12),
ADIS16400_INCLI_CHAN(X, ADIS16300_PITCH_OUT, 13),
ADIS16400_INCLI_CHAN(Y, ADIS16300_ROLL_OUT, 13),
- IIO_CHAN_SOFT_TIMESTAMP(14)
+ IIO_CHAN_SOFT_TIMESTAMP(ADIS16400_SCAN_TIMESTAMP),
};

static const struct iio_chan_spec adis16334_channels[] = {
@@ -701,7 +701,7 @@ static const struct iio_chan_spec adis16
ADIS16400_ACCEL_CHAN(Y, ADIS16400_YACCL_OUT, 14),
ADIS16400_ACCEL_CHAN(Z, ADIS16400_ZACCL_OUT, 14),
ADIS16400_TEMP_CHAN(ADIS16350_XTEMP_OUT, 12),
- IIO_CHAN_SOFT_TIMESTAMP(8)
+ IIO_CHAN_SOFT_TIMESTAMP(ADIS16400_SCAN_TIMESTAMP),
};

static struct attribute *adis16400_attributes[] = {

2014-02-21 00:06:32

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 61/99] ALSA: hda - Fix mic capture on Sony VAIO Pro 11

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit f88abaa0d0dc0d1f1a9ae21f8e822918e5aadfdf upstream.

The very same fixup is needed to make the mic on Sony VAIO Pro 11
working as well as VAIO Pro 13 model.

Reported-and-tested-by: Hendrik-Jan Heins <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -4319,6 +4319,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x1043, 0x8398, "ASUS P1005", ALC269_FIXUP_STEREO_DMIC),
SND_PCI_QUIRK(0x1043, 0x83ce, "ASUS P1005", ALC269_FIXUP_STEREO_DMIC),
SND_PCI_QUIRK(0x1043, 0x8516, "ASUS X101CH", ALC269_FIXUP_ASUS_X101),
+ SND_PCI_QUIRK(0x104d, 0x90b5, "Sony VAIO Pro 11", ALC286_FIXUP_SONY_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x104d, 0x90b6, "Sony VAIO Pro 13", ALC286_FIXUP_SONY_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x104d, 0x9073, "Sony VAIO", ALC275_FIXUP_SONY_VAIO_GPIO2),
SND_PCI_QUIRK(0x104d, 0x907b, "Sony VAIO", ALC275_FIXUP_SONY_HWEQ),

2014-02-21 00:06:49

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 60/99] ALSA: hda - Add a headset quirk for Dell XPS 13

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: David Henningsson <[email protected]>

commit f47e5dc464251f661da9495fcbf003a0d22c1360 upstream.

This quirk is needed for the headset microphone to work.

Alsa-info at http://www.alsa-project.org/db/?f=8c7dfe857ceff462ca2de133e67023c0f68de9cb

Reported-by: Po-Hsu Lin <[email protected]>
Signed-off-by: David Henningsson <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5093,6 +5093,7 @@ static const struct snd_pci_quirk alc662
SND_PCI_QUIRK(0x1025, 0x038b, "Acer Aspire 8943G", ALC662_FIXUP_ASPIRE),
SND_PCI_QUIRK(0x1028, 0x05d8, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1028, 0x05db, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x060a, "Dell XPS 13", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1028, 0x0623, "Dell", ALC668_FIXUP_AUTO_MUTE),
SND_PCI_QUIRK(0x1028, 0x0624, "Dell", ALC668_FIXUP_AUTO_MUTE),
SND_PCI_QUIRK(0x1028, 0x0625, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),

2014-02-20 23:53:47

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 56/99] iio: ak8975: Fix calculation formula for convert micro tesla to gauss unit

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Beomho Seo <[email protected]>

commit bef44abccb2677e8d16e50b75316d4fd1061be81 upstream.

This effects the reported scale of the raw values, and thus userspace
applications that use this value.

One micro tesla equal 0.01 gauss. So I have fixed calculation formula And add RAW_TO_GAUSS macro.
ASA is in the range of 0 to 255. If multiply 0.003, calculation result(in_magn_[*]_scale) is
always 0. So multiply 3000 and return and IIO_VAL_INT_PLUS_MICRO.
As a result, read_raw call back function return accurate scale value.

Signed-off-by: Beomho Seo <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/iio/magnetometer/ak8975.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)

--- a/drivers/iio/magnetometer/ak8975.c
+++ b/drivers/iio/magnetometer/ak8975.c
@@ -85,6 +85,7 @@
#define AK8975_MAX_CONVERSION_TIMEOUT 500
#define AK8975_CONVERSION_DONE_POLL_TIME 10
#define AK8975_DATA_READY_TIMEOUT ((100*HZ)/1000)
+#define RAW_TO_GAUSS(asa) ((((asa) + 128) * 3000) / 256)

/*
* Per-instance context data for the device.
@@ -265,15 +266,15 @@ static int ak8975_setup(struct i2c_clien
*
* Since 1uT = 0.01 gauss, our final scale factor becomes:
*
- * Hadj = H * ((ASA + 128) / 256) * 3/10 * 100
- * Hadj = H * ((ASA + 128) * 30 / 256
+ * Hadj = H * ((ASA + 128) / 256) * 3/10 * 1/100
+ * Hadj = H * ((ASA + 128) * 0.003) / 256
*
* Since ASA doesn't change, we cache the resultant scale factor into the
* device context in ak8975_setup().
*/
- data->raw_to_gauss[0] = ((data->asa[0] + 128) * 30) >> 8;
- data->raw_to_gauss[1] = ((data->asa[1] + 128) * 30) >> 8;
- data->raw_to_gauss[2] = ((data->asa[2] + 128) * 30) >> 8;
+ data->raw_to_gauss[0] = RAW_TO_GAUSS(data->asa[0]);
+ data->raw_to_gauss[1] = RAW_TO_GAUSS(data->asa[1]);
+ data->raw_to_gauss[2] = RAW_TO_GAUSS(data->asa[2]);

return 0;
}
@@ -428,8 +429,9 @@ static int ak8975_read_raw(struct iio_de
case IIO_CHAN_INFO_RAW:
return ak8975_read_axis(indio_dev, chan->address, val);
case IIO_CHAN_INFO_SCALE:
- *val = data->raw_to_gauss[chan->address];
- return IIO_VAL_INT;
+ *val = 0;
+ *val2 = data->raw_to_gauss[chan->address];
+ return IIO_VAL_INT_PLUS_MICRO;
}
return -EINVAL;
}

2014-02-21 00:07:09

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 59/99] ftrace/x86: Use breakpoints for converting function graph caller

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Steven Rostedt (Red Hat)" <[email protected]>

commit 87fbb2ac6073a7039303517546a76074feb14c84 upstream.

When the conversion was made to remove stop machine and use the breakpoint
logic instead, the modification of the function graph caller is still
done directly as though it was being done under stop machine.

As it is not converted via stop machine anymore, there is a possibility
that the code could be layed across cache lines and if another CPU is
accessing that function graph call when it is being updated, it could
cause a General Protection Fault.

Convert the update of the function graph caller to use the breakpoint
method as well.

Cc: H. Peter Anvin <[email protected]>
Fixes: 08d636b6d4fb "ftrace/x86: Have arch x86_64 use breakpoints instead of stop machine"
Signed-off-by: Steven Rostedt <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/kernel/ftrace.c | 83 ++++++++++++++++++++++++++---------------------
1 file changed, 47 insertions(+), 36 deletions(-)

--- a/arch/x86/kernel/ftrace.c
+++ b/arch/x86/kernel/ftrace.c
@@ -77,8 +77,7 @@ within(unsigned long addr, unsigned long
return addr >= start && addr < end;
}

-static int
-do_ftrace_mod_code(unsigned long ip, const void *new_code)
+static unsigned long text_ip_addr(unsigned long ip)
{
/*
* On x86_64, kernel text mappings are mapped read-only with
@@ -91,7 +90,7 @@ do_ftrace_mod_code(unsigned long ip, con
if (within(ip, (unsigned long)_text, (unsigned long)_etext))
ip = (unsigned long)__va(__pa_symbol(ip));

- return probe_kernel_write((void *)ip, new_code, MCOUNT_INSN_SIZE);
+ return ip;
}

static const unsigned char *ftrace_nop_replace(void)
@@ -123,8 +122,10 @@ ftrace_modify_code_direct(unsigned long
if (memcmp(replaced, old_code, MCOUNT_INSN_SIZE) != 0)
return -EINVAL;

+ ip = text_ip_addr(ip);
+
/* replace the text with the new text */
- if (do_ftrace_mod_code(ip, new_code))
+ if (probe_kernel_write((void *)ip, new_code, MCOUNT_INSN_SIZE))
return -EPERM;

sync_core();
@@ -221,37 +222,51 @@ int ftrace_modify_call(struct dyn_ftrace
return -EINVAL;
}

-int ftrace_update_ftrace_func(ftrace_func_t func)
+static unsigned long ftrace_update_func;
+
+static int update_ftrace_func(unsigned long ip, void *new)
{
- unsigned long ip = (unsigned long)(&ftrace_call);
- unsigned char old[MCOUNT_INSN_SIZE], *new;
+ unsigned char old[MCOUNT_INSN_SIZE];
int ret;

- memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
- new = ftrace_call_replace(ip, (unsigned long)func);
+ memcpy(old, (void *)ip, MCOUNT_INSN_SIZE);
+
+ ftrace_update_func = ip;
+ /* Make sure the breakpoints see the ftrace_update_func update */
+ smp_wmb();

/* See comment above by declaration of modifying_ftrace_code */
atomic_inc(&modifying_ftrace_code);

ret = ftrace_modify_code(ip, old, new);

+ atomic_dec(&modifying_ftrace_code);
+
+ return ret;
+}
+
+int ftrace_update_ftrace_func(ftrace_func_t func)
+{
+ unsigned long ip = (unsigned long)(&ftrace_call);
+ unsigned char *new;
+ int ret;
+
+ new = ftrace_call_replace(ip, (unsigned long)func);
+ ret = update_ftrace_func(ip, new);
+
/* Also update the regs callback function */
if (!ret) {
ip = (unsigned long)(&ftrace_regs_call);
- memcpy(old, &ftrace_regs_call, MCOUNT_INSN_SIZE);
new = ftrace_call_replace(ip, (unsigned long)func);
- ret = ftrace_modify_code(ip, old, new);
+ ret = update_ftrace_func(ip, new);
}

- atomic_dec(&modifying_ftrace_code);
-
return ret;
}

static int is_ftrace_caller(unsigned long ip)
{
- if (ip == (unsigned long)(&ftrace_call) ||
- ip == (unsigned long)(&ftrace_regs_call))
+ if (ip == ftrace_update_func)
return 1;

return 0;
@@ -677,45 +692,41 @@ int __init ftrace_dyn_arch_init(void *da
#ifdef CONFIG_DYNAMIC_FTRACE
extern void ftrace_graph_call(void);

-static int ftrace_mod_jmp(unsigned long ip,
- int old_offset, int new_offset)
+static unsigned char *ftrace_jmp_replace(unsigned long ip, unsigned long addr)
{
- unsigned char code[MCOUNT_INSN_SIZE];
+ static union ftrace_code_union calc;

- if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
- return -EFAULT;
+ /* Jmp not a call (ignore the .e8) */
+ calc.e8 = 0xe9;
+ calc.offset = ftrace_calc_offset(ip + MCOUNT_INSN_SIZE, addr);

- if (code[0] != 0xe9 || old_offset != *(int *)(&code[1]))
- return -EINVAL;
+ /*
+ * ftrace external locks synchronize the access to the static variable.
+ */
+ return calc.code;
+}

- *(int *)(&code[1]) = new_offset;
+static int ftrace_mod_jmp(unsigned long ip, void *func)
+{
+ unsigned char *new;

- if (do_ftrace_mod_code(ip, &code))
- return -EPERM;
+ new = ftrace_jmp_replace(ip, (unsigned long)func);

- return 0;
+ return update_ftrace_func(ip, new);
}

int ftrace_enable_ftrace_graph_caller(void)
{
unsigned long ip = (unsigned long)(&ftrace_graph_call);
- int old_offset, new_offset;
-
- old_offset = (unsigned long)(&ftrace_stub) - (ip + MCOUNT_INSN_SIZE);
- new_offset = (unsigned long)(&ftrace_graph_caller) - (ip + MCOUNT_INSN_SIZE);

- return ftrace_mod_jmp(ip, old_offset, new_offset);
+ return ftrace_mod_jmp(ip, &ftrace_graph_caller);
}

int ftrace_disable_ftrace_graph_caller(void)
{
unsigned long ip = (unsigned long)(&ftrace_graph_call);
- int old_offset, new_offset;
-
- old_offset = (unsigned long)(&ftrace_graph_caller) - (ip + MCOUNT_INSN_SIZE);
- new_offset = (unsigned long)(&ftrace_stub) - (ip + MCOUNT_INSN_SIZE);

- return ftrace_mod_jmp(ip, old_offset, new_offset);
+ return ftrace_mod_jmp(ip, &ftrace_stub);
}

#endif /* !CONFIG_DYNAMIC_FTRACE */

2014-02-21 00:07:50

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 58/99] x86, smap: smap_violation() is bogus if CONFIG_X86_SMAP is off

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: "H. Peter Anvin" <[email protected]>

commit 4640c7ee9b8953237d05a61ea3ea93981d1bc961 upstream.

If CONFIG_X86_SMAP is disabled, smap_violation() tests for conditions
which are incorrect (as the AC flag doesn't matter), causing spurious
faults.

The dynamic disabling of SMAP (nosmap on the command line) is fine
because it disables X86_FEATURE_SMAP, therefore causing the
static_cpu_has() to return false.

Found by Fengguang Wu's test system.

[ v3: move all predicates into smap_violation() ]
[ v2: use IS_ENABLED() instead of #ifdef ]

Reported-by: Fengguang Wu <[email protected]>
Link: http://lkml.kernel.org/r/20140213124550.GA30497@localhost
Signed-off-by: H. Peter Anvin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/mm/fault.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)

--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -1001,6 +1001,12 @@ static int fault_in_kernel_space(unsigne

static inline bool smap_violation(int error_code, struct pt_regs *regs)
{
+ if (!IS_ENABLED(CONFIG_X86_SMAP))
+ return false;
+
+ if (!static_cpu_has(X86_FEATURE_SMAP))
+ return false;
+
if (error_code & PF_USER)
return false;

@@ -1087,11 +1093,9 @@ __do_page_fault(struct pt_regs *regs, un
if (unlikely(error_code & PF_RSVD))
pgtable_bad(regs, error_code, address);

- if (static_cpu_has(X86_FEATURE_SMAP)) {
- if (unlikely(smap_violation(error_code, regs))) {
- bad_area_nosemaphore(regs, error_code, address);
- return;
- }
+ if (unlikely(smap_violation(error_code, regs))) {
+ bad_area_nosemaphore(regs, error_code, address);
+ return;
}

/*

2014-02-20 23:53:43

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 43/99] drm/radeon/cik: use POLL_REG_MEM special op for sDMA HDP flush

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <[email protected]>

commit da9e07e6f53eaac4e838bc8c987d87c5769be724 upstream.

This is the preferred flushing method on CIK.

Signed-off-by: Alex Deucher <[email protected]>
Cc: Tom Stellard <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/gpu/drm/radeon/cik_sdma.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)

--- a/drivers/gpu/drm/radeon/cik_sdma.c
+++ b/drivers/gpu/drm/radeon/cik_sdma.c
@@ -99,13 +99,21 @@ static void cik_sdma_hdp_flush_ring_emit
int ridx)
{
struct radeon_ring *ring = &rdev->ring[ridx];
+ u32 extra_bits = (SDMA_POLL_REG_MEM_EXTRA_OP(1) |
+ SDMA_POLL_REG_MEM_EXTRA_FUNC(3)); /* == */
+ u32 ref_and_mask;

- /* We should be using the new POLL_REG_MEM special op packet here
- * but it causes sDMA to hang sometimes
- */
- radeon_ring_write(ring, SDMA_PACKET(SDMA_OPCODE_SRBM_WRITE, 0, 0xf000));
- radeon_ring_write(ring, HDP_MEM_COHERENCY_FLUSH_CNTL >> 2);
- radeon_ring_write(ring, 0);
+ if (ridx == R600_RING_TYPE_DMA_INDEX)
+ ref_and_mask = SDMA0;
+ else
+ ref_and_mask = SDMA1;
+
+ radeon_ring_write(ring, SDMA_PACKET(SDMA_OPCODE_POLL_REG_MEM, 0, extra_bits));
+ radeon_ring_write(ring, GPU_HDP_FLUSH_DONE);
+ radeon_ring_write(ring, GPU_HDP_FLUSH_REQ);
+ radeon_ring_write(ring, ref_and_mask); /* reference */
+ radeon_ring_write(ring, ref_and_mask); /* mask */
+ radeon_ring_write(ring, (0xfff << 16) | 10); /* retry count, poll interval */
}

/**

2014-02-21 00:08:09

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 57/99] x86, smap: Dont enable SMAP if CONFIG_X86_SMAP is disabled

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: "H. Peter Anvin" <[email protected]>

commit 03bbd596ac04fef47ce93a730b8f086d797c3021 upstream.

If SMAP support is not compiled into the kernel, don't enable SMAP in
CR4 -- in fact, we should clear it, because the kernel doesn't contain
the proper STAC/CLAC instructions for SMAP support.

Found by Fengguang Wu's test system.

Reported-by: Fengguang Wu <[email protected]>
Link: http://lkml.kernel.org/r/20140213124550.GA30497@localhost
Signed-off-by: H. Peter Anvin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/kernel/cpu/common.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -284,8 +284,13 @@ static __always_inline void setup_smap(s
raw_local_save_flags(eflags);
BUG_ON(eflags & X86_EFLAGS_AC);

- if (cpu_has(c, X86_FEATURE_SMAP))
+ if (cpu_has(c, X86_FEATURE_SMAP)) {
+#ifdef CONFIG_X86_SMAP
set_in_cr4(X86_CR4_SMAP);
+#else
+ clear_in_cr4(X86_CR4_SMAP);
+#endif
+ }
}

/*

2014-02-21 00:08:33

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 54/99] iio: max1363: Use devm_regulator_get_optional for optional regulator

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Guenter Roeck <[email protected]>

commit 55b40d37311807a6bb2acdae0df904f54a0da3ae upstream.

In kernel version 3.13, devm_regulator_get() may return no error
if a regulator is undeclared. regulator_get_voltage() will return
-EINVAL if this happens. This causes the driver to fail loading if
the vref regulator is not declared.

Since vref is optional, call devm_regulator_get_optional instead.

Signed-off-by: Guenter Roeck <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/iio/adc/max1363.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/adc/max1363.c
+++ b/drivers/iio/adc/max1363.c
@@ -1560,7 +1560,7 @@ static int max1363_probe(struct i2c_clie
st->client = client;

st->vref_uv = st->chip_info->int_vref_mv * 1000;
- vref = devm_regulator_get(&client->dev, "vref");
+ vref = devm_regulator_get_optional(&client->dev, "vref");
if (!IS_ERR(vref)) {
int vref_uv;


2014-02-21 00:08:51

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 53/99] staging:iio:ad799x fix typo in ad799x_events[]

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Hartmut Knaack <[email protected]>

commit d180371d412627a10dc31d675ef8bc777567df09 upstream.

This patch fixes a typo in ad799x_events[], which caused the error "Failed to register event set".

Signed-off-by: Hartmut Knaack <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/staging/iio/adc/ad799x_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/iio/adc/ad799x_core.c
+++ b/drivers/staging/iio/adc/ad799x_core.c
@@ -393,7 +393,7 @@ static const struct iio_event_spec ad799
}, {
.type = IIO_EV_TYPE_THRESH,
.dir = IIO_EV_DIR_FALLING,
- .mask_separate = BIT(IIO_EV_INFO_VALUE),
+ .mask_separate = BIT(IIO_EV_INFO_VALUE) |
BIT(IIO_EV_INFO_ENABLE),
}, {
.type = IIO_EV_TYPE_THRESH,

2014-02-20 23:53:41

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 09/99] retrieving CIFS ACLs when mounted with SMB2 fails dropping session

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Steve French <[email protected]>

commit 83e3bc23ef9ce7c03b7b4e5d3d790246ea59db3e upstream.

The get/set ACL xattr support for CIFS ACLs attempts to send old
cifs dialect protocol requests even when mounted with SMB2 or later
dialects. Sending cifs requests on an smb2 session causes problems -
the server drops the session due to the illegal request.

This patch makes CIFS ACL operations protocol specific to fix that.

Attempting to query/set CIFS ACLs for SMB2 will now return
EOPNOTSUPP (until we add worker routines for sending query
ACL requests via SMB2) instead of sending invalid (cifs)
requests.

A separate followon patch will be needed to fix cifs_acl_to_fattr
(which takes a cifs specific u16 fid so can't be abstracted
to work with SMB2 until that is changed) and will be needed
to fix mount problems when "cifsacl" is specified on mount
with e.g. vers=2.1

Signed-off-by: Steve French <[email protected]>
Reviewed-by: Shirish Pargaonkar <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/cifs/cifsacl.c | 28 ++++++++++++++++++++++++----
fs/cifs/cifsglob.h | 4 ++++
fs/cifs/smb1ops.c | 4 ++++
fs/cifs/xattr.c | 15 +++++++++++----
4 files changed, 43 insertions(+), 8 deletions(-)

--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -1027,15 +1027,30 @@ id_mode_to_cifs_acl(struct inode *inode,
__u32 secdesclen = 0;
struct cifs_ntsd *pntsd = NULL; /* acl obtained from server */
struct cifs_ntsd *pnntsd = NULL; /* modified acl to be sent to server */
+ struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
+ struct tcon_link *tlink = cifs_sb_tlink(cifs_sb);
+ struct cifs_tcon *tcon;
+
+ if (IS_ERR(tlink))
+ return PTR_ERR(tlink);
+ tcon = tlink_tcon(tlink);

cifs_dbg(NOISY, "set ACL from mode for %s\n", path);

/* Get the security descriptor */
- pntsd = get_cifs_acl(CIFS_SB(inode->i_sb), inode, path, &secdesclen);
+
+ if (tcon->ses->server->ops->get_acl == NULL) {
+ cifs_put_tlink(tlink);
+ return -EOPNOTSUPP;
+ }
+
+ pntsd = tcon->ses->server->ops->get_acl(cifs_sb, inode, path,
+ &secdesclen);
if (IS_ERR(pntsd)) {
rc = PTR_ERR(pntsd);
cifs_dbg(VFS, "%s: error %d getting sec desc\n", __func__, rc);
- goto out;
+ cifs_put_tlink(tlink);
+ return rc;
}

/*
@@ -1048,6 +1063,7 @@ id_mode_to_cifs_acl(struct inode *inode,
pnntsd = kmalloc(secdesclen, GFP_KERNEL);
if (!pnntsd) {
kfree(pntsd);
+ cifs_put_tlink(tlink);
return -ENOMEM;
}

@@ -1056,14 +1072,18 @@ id_mode_to_cifs_acl(struct inode *inode,

cifs_dbg(NOISY, "build_sec_desc rc: %d\n", rc);

+ if (tcon->ses->server->ops->set_acl == NULL)
+ rc = -EOPNOTSUPP;
+
if (!rc) {
/* Set the security descriptor */
- rc = set_cifs_acl(pnntsd, secdesclen, inode, path, aclflag);
+ rc = tcon->ses->server->ops->set_acl(pnntsd, secdesclen, inode,
+ path, aclflag);
cifs_dbg(NOISY, "set_cifs_acl rc: %d\n", rc);
}
+ cifs_put_tlink(tlink);

kfree(pnntsd);
kfree(pntsd);
-out:
return rc;
}
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -391,6 +391,10 @@ struct smb_version_operations {
int (*set_EA)(const unsigned int, struct cifs_tcon *, const char *,
const char *, const void *, const __u16,
const struct nls_table *, int);
+ struct cifs_ntsd * (*get_acl)(struct cifs_sb_info *, struct inode *,
+ const char *, u32 *);
+ int (*set_acl)(struct cifs_ntsd *, __u32, struct inode *, const char *,
+ int);
};

struct smb_version_values {
--- a/fs/cifs/smb1ops.c
+++ b/fs/cifs/smb1ops.c
@@ -1015,6 +1015,10 @@ struct smb_version_operations smb1_opera
.query_all_EAs = CIFSSMBQAllEAs,
.set_EA = CIFSSMBSetEA,
#endif /* CIFS_XATTR */
+#ifdef CONFIG_CIFS_ACL
+ .get_acl = get_cifs_acl,
+ .set_acl = set_cifs_acl,
+#endif /* CIFS_ACL */
};

struct smb_version_values smb1_values = {
--- a/fs/cifs/xattr.c
+++ b/fs/cifs/xattr.c
@@ -176,8 +176,12 @@ int cifs_setxattr(struct dentry *direntr
rc = -ENOMEM;
} else {
memcpy(pacl, ea_value, value_size);
- rc = set_cifs_acl(pacl, value_size,
- direntry->d_inode, full_path, CIFS_ACL_DACL);
+ if (pTcon->ses->server->ops->set_acl)
+ rc = pTcon->ses->server->ops->set_acl(pacl,
+ value_size, direntry->d_inode,
+ full_path, CIFS_ACL_DACL);
+ else
+ rc = -EOPNOTSUPP;
if (rc == 0) /* force revalidate of the inode */
CIFS_I(direntry->d_inode)->time = 0;
kfree(pacl);
@@ -323,8 +327,11 @@ ssize_t cifs_getxattr(struct dentry *dir
u32 acllen;
struct cifs_ntsd *pacl;

- pacl = get_cifs_acl(cifs_sb, direntry->d_inode,
- full_path, &acllen);
+ if (pTcon->ses->server->ops->get_acl == NULL)
+ goto get_ea_exit; /* rc already EOPNOTSUPP */
+
+ pacl = pTcon->ses->server->ops->get_acl(cifs_sb,
+ direntry->d_inode, full_path, &acllen);
if (IS_ERR(pacl)) {
rc = PTR_ERR(pacl);
cifs_dbg(VFS, "%s: error %zd getting sec desc\n",

2014-02-21 00:09:12

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 52/99] staging:iio:ad799x fix error_free_irq which was freeing an irq that may not have been requested

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Hartmut Knaack <[email protected]>

commit 38408d056188be29a6c4e17f3703c796551bb330 upstream.

Only free an IRQ in error_free_irq, if it has been requested previously.

Signed-off-by: Hartmut Knaack <[email protected]>
Acked-by: Lars-Peter Clausen <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/staging/iio/adc/ad799x_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/staging/iio/adc/ad799x_core.c
+++ b/drivers/staging/iio/adc/ad799x_core.c
@@ -588,7 +588,8 @@ static int ad799x_probe(struct i2c_clien
return 0;

error_free_irq:
- free_irq(client->irq, indio_dev);
+ if (client->irq > 0)
+ free_irq(client->irq, indio_dev);
error_cleanup_ring:
ad799x_ring_cleanup(indio_dev);
error_disable_reg:

2014-02-20 23:53:37

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 41/99] drm/i915: Pair va_copy with va_end in i915_error_vprintf

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mika Kuoppala <[email protected]>

commit 1d2cb9a54abc6e1d239f28f07661366d5662a94a upstream.

Each invocation of va_copy() must be matched by a corresponding
invocation of va_end() in the same function.

This regression has been introduced in

commit e29bb4ebbf000ff9ac081d29784a3331618f012e
Author: Chris Wilson <[email protected]>
Date: Fri Sep 20 10:20:59 2013 +0100

drm/i915: Use a temporary va_list for two-pass string handling

Signed-off-by: Mika Kuoppala <[email protected]>
Reviewed-by: Chris Wilson <[email protected]>
Signed-off-by: Daniel Vetter <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/gpu/drm/i915/i915_gpu_error.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/i915_gpu_error.c
+++ b/drivers/gpu/drm/i915/i915_gpu_error.c
@@ -146,7 +146,10 @@ static void i915_error_vprintf(struct dr
va_list tmp;

va_copy(tmp, args);
- if (!__i915_error_seek(e, vsnprintf(NULL, 0, f, tmp)))
+ len = vsnprintf(NULL, 0, f, tmp);
+ va_end(tmp);
+
+ if (!__i915_error_seek(e, len))
return;
}


2014-02-21 00:09:44

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 08/99] Add protocol specific operation for CIFS xattrs

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Steve French <[email protected]>

commit d979f3b0a1f0b5499ab85e68cdf02b56852918b6 upstream.

Changeset 666753c3ef8fc88b0ddd5be4865d0aa66428ac35 added protocol
operations for get/setxattr to avoid calling cifs operations
on smb2/smb3 mounts for xattr operations and this changeset
adds the calls to cifs specific protocol operations for xattrs
(in order to reenable cifs support for xattrs which was
temporarily disabled by the previous changeset. We do not
have SMB2/SMB3 worker function for setting xattrs yet so
this only enables it for cifs.

CCing stable since without these two small changsets (its
small coreq 666753c3ef8fc88b0ddd5be4865d0aa66428ac35 is
also needed) calling getfattr/setfattr on smb2/smb3 mounts
causes problems.

Signed-off-by: Steve French <[email protected]>
Reviewed-by: Shirish Pargaonkar <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/cifs/inode.c | 13 +++++++++----
fs/cifs/smb1ops.c | 4 ++++
2 files changed, 13 insertions(+), 4 deletions(-)

--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -518,10 +518,15 @@ static int cifs_sfu_mode(struct cifs_fat
return PTR_ERR(tlink);
tcon = tlink_tcon(tlink);

- rc = CIFSSMBQAllEAs(xid, tcon, path, "SETFILEBITS",
- ea_value, 4 /* size of buf */, cifs_sb->local_nls,
- cifs_sb->mnt_cifs_flags &
- CIFS_MOUNT_MAP_SPECIAL_CHR);
+ if (tcon->ses->server->ops->query_all_EAs == NULL) {
+ cifs_put_tlink(tlink);
+ return -EOPNOTSUPP;
+ }
+
+ rc = tcon->ses->server->ops->query_all_EAs(xid, tcon, path,
+ "SETFILEBITS", ea_value, 4 /* size of buf */,
+ cifs_sb->local_nls,
+ cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR);
cifs_put_tlink(tlink);
if (rc < 0)
return (int)rc;
--- a/fs/cifs/smb1ops.c
+++ b/fs/cifs/smb1ops.c
@@ -1011,6 +1011,10 @@ struct smb_version_operations smb1_opera
.push_mand_locks = cifs_push_mandatory_locks,
.query_mf_symlink = open_query_close_cifs_symlink,
.is_read_op = cifs_is_read_op,
+#ifdef CONFIG_CIFS_XATTR
+ .query_all_EAs = CIFSSMBQAllEAs,
+ .set_EA = CIFSSMBSetEA,
+#endif /* CIFS_XATTR */
};

struct smb_version_values smb1_values = {

2014-02-21 00:10:28

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 07/99] CIFS: Fix SMB2 mounts so they dont try to set or get xattrs via cifs

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Steve French <[email protected]>

commit 666753c3ef8fc88b0ddd5be4865d0aa66428ac35 upstream.

When mounting with smb2 (or smb2.1 or smb3) we need to check to make
sure that attempts to query or set extended attributes do not
attempt to send the request with the older cifs protocol instead
(eventually we also need to add the support in SMB2
to query/set extended attributes but this patch prevents us from
using the wrong protocol for extended attribute operations).

Signed-off-by: Steve French <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/cifs/cifsglob.h | 6 ++++++
fs/cifs/xattr.c | 49 ++++++++++++++++++++++++++++++-------------------
2 files changed, 36 insertions(+), 19 deletions(-)

--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -385,6 +385,12 @@ struct smb_version_operations {
struct cifsFileInfo *target_file, u64 src_off, u64 len,
u64 dest_off);
int (*validate_negotiate)(const unsigned int, struct cifs_tcon *);
+ ssize_t (*query_all_EAs)(const unsigned int, struct cifs_tcon *,
+ const unsigned char *, const unsigned char *, char *,
+ size_t, const struct nls_table *, int);
+ int (*set_EA)(const unsigned int, struct cifs_tcon *, const char *,
+ const char *, const void *, const __u16,
+ const struct nls_table *, int);
};

struct smb_version_values {
--- a/fs/cifs/xattr.c
+++ b/fs/cifs/xattr.c
@@ -82,9 +82,11 @@ int cifs_removexattr(struct dentry *dire
goto remove_ea_exit;

ea_name += XATTR_USER_PREFIX_LEN; /* skip past user. prefix */
- rc = CIFSSMBSetEA(xid, pTcon, full_path, ea_name, NULL,
- (__u16)0, cifs_sb->local_nls,
- cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR);
+ if (pTcon->ses->server->ops->set_EA)
+ rc = pTcon->ses->server->ops->set_EA(xid, pTcon,
+ full_path, ea_name, NULL, (__u16)0,
+ cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
+ CIFS_MOUNT_MAP_SPECIAL_CHR);
}
remove_ea_exit:
kfree(full_path);
@@ -149,18 +151,22 @@ int cifs_setxattr(struct dentry *direntr
cifs_dbg(FYI, "attempt to set cifs inode metadata\n");

ea_name += XATTR_USER_PREFIX_LEN; /* skip past user. prefix */
- rc = CIFSSMBSetEA(xid, pTcon, full_path, ea_name, ea_value,
- (__u16)value_size, cifs_sb->local_nls,
- cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR);
+ if (pTcon->ses->server->ops->set_EA)
+ rc = pTcon->ses->server->ops->set_EA(xid, pTcon,
+ full_path, ea_name, ea_value, (__u16)value_size,
+ cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
+ CIFS_MOUNT_MAP_SPECIAL_CHR);
} else if (strncmp(ea_name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN)
== 0) {
if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_XATTR)
goto set_ea_exit;

ea_name += XATTR_OS2_PREFIX_LEN; /* skip past os2. prefix */
- rc = CIFSSMBSetEA(xid, pTcon, full_path, ea_name, ea_value,
- (__u16)value_size, cifs_sb->local_nls,
- cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR);
+ if (pTcon->ses->server->ops->set_EA)
+ rc = pTcon->ses->server->ops->set_EA(xid, pTcon,
+ full_path, ea_name, ea_value, (__u16)value_size,
+ cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
+ CIFS_MOUNT_MAP_SPECIAL_CHR);
} else if (strncmp(ea_name, CIFS_XATTR_CIFS_ACL,
strlen(CIFS_XATTR_CIFS_ACL)) == 0) {
#ifdef CONFIG_CIFS_ACL
@@ -272,17 +278,21 @@ ssize_t cifs_getxattr(struct dentry *dir
/* revalidate/getattr then populate from inode */
} /* BB add else when above is implemented */
ea_name += XATTR_USER_PREFIX_LEN; /* skip past user. prefix */
- rc = CIFSSMBQAllEAs(xid, pTcon, full_path, ea_name, ea_value,
- buf_size, cifs_sb->local_nls,
- cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR);
+ if (pTcon->ses->server->ops->query_all_EAs)
+ rc = pTcon->ses->server->ops->query_all_EAs(xid, pTcon,
+ full_path, ea_name, ea_value, buf_size,
+ cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
+ CIFS_MOUNT_MAP_SPECIAL_CHR);
} else if (strncmp(ea_name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN) == 0) {
if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_XATTR)
goto get_ea_exit;

ea_name += XATTR_OS2_PREFIX_LEN; /* skip past os2. prefix */
- rc = CIFSSMBQAllEAs(xid, pTcon, full_path, ea_name, ea_value,
- buf_size, cifs_sb->local_nls,
- cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR);
+ if (pTcon->ses->server->ops->query_all_EAs)
+ rc = pTcon->ses->server->ops->query_all_EAs(xid, pTcon,
+ full_path, ea_name, ea_value, buf_size,
+ cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
+ CIFS_MOUNT_MAP_SPECIAL_CHR);
} else if (strncmp(ea_name, POSIX_ACL_XATTR_ACCESS,
strlen(POSIX_ACL_XATTR_ACCESS)) == 0) {
#ifdef CONFIG_CIFS_POSIX
@@ -400,11 +410,12 @@ ssize_t cifs_listxattr(struct dentry *di
/* if proc/fs/cifs/streamstoxattr is set then
search server for EAs or streams to
returns as xattrs */
- rc = CIFSSMBQAllEAs(xid, pTcon, full_path, NULL, data,
- buf_size, cifs_sb->local_nls,
- cifs_sb->mnt_cifs_flags &
- CIFS_MOUNT_MAP_SPECIAL_CHR);

+ if (pTcon->ses->server->ops->query_all_EAs)
+ rc = pTcon->ses->server->ops->query_all_EAs(xid, pTcon,
+ full_path, NULL, data, buf_size,
+ cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
+ CIFS_MOUNT_MAP_SPECIAL_CHR);
list_ea_exit:
kfree(full_path);
free_xid(xid);

2014-02-20 23:53:33

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 34/99] tty: n_gsm: Fix for modems with brk in modem status control

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Lars Poeschel <[email protected]>

commit 3ac06b905655b3ef2fd2196bab36e4587e1e4e4f upstream.

3GPP TS 07.10 states in section 5.4.6.3.7:
"The length byte contains the value 2 or 3 ... depending on the break
signal." The break byte is optional and if it is sent, the length is
3. In fact the driver was not able to work with modems that send this
break byte in their modem status control message. If the modem just
sends the break byte if it is really set, then weird things might
happen.
The code for deconding the modem status to the internal linux
presentation in gsm_process_modem has already a big comment about
this 2 or 3 byte length thing and it is already able to decode the
brk, but the code calling the gsm_process_modem function in
gsm_control_modem does not encode it and hand it over the right way.
This patch fixes this.
Without this fix if the modem sends the brk byte in it's modem status
control message the driver will hang when opening a muxed channel.

Signed-off-by: Lars Poeschel <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/tty/n_gsm.c | 11 +++++++++++
1 file changed, 11 insertions(+)

--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -1089,6 +1089,7 @@ static void gsm_control_modem(struct gsm
{
unsigned int addr = 0;
unsigned int modem = 0;
+ unsigned int brk = 0;
struct gsm_dlci *dlci;
int len = clen;
u8 *dp = data;
@@ -1115,6 +1116,16 @@ static void gsm_control_modem(struct gsm
if (len == 0)
return;
}
+ len--;
+ if (len > 0) {
+ while (gsm_read_ea(&brk, *dp++) == 0) {
+ len--;
+ if (len == 0)
+ return;
+ }
+ modem <<= 7;
+ modem |= (brk & 0x7f);
+ }
tty = tty_port_tty_get(&dlci->port);
gsm_process_modem(tty, dlci, modem, clen);
if (tty) {

2014-02-21 00:10:53

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 05/99] mm/memory-failure.c: move refcount only in !MF_COUNT_INCREASED

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Naoya Horiguchi <[email protected]>

commit 8d547ff4ac5927245e0833ac18528f939da0ee0e upstream.

mce-test detected a test failure when injecting error to a thp tail
page. This is because we take page refcount of the tail page in
madvise_hwpoison() while the fix in commit a3e0f9e47d5e
("mm/memory-failure.c: transfer page count from head page to tail page
after split thp") assumes that we always take refcount on the head page.

When a real memory error happens we take refcount on the head page where
memory_failure() is called without MF_COUNT_INCREASED set, so it seems
to me that testing memory error on thp tail page using madvise makes
little sense.

This patch cancels moving refcount in !MF_COUNT_INCREASED for valid
testing.

[[email protected]: s/&&/&/]
Signed-off-by: Naoya Horiguchi <[email protected]>
Cc: Andi Kleen <[email protected]>
Cc: Wanpeng Li <[email protected]>
Cc: Chen Gong <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
mm/memory-failure.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -945,8 +945,10 @@ static int hwpoison_user_mappings(struct
* to it. Similarly, page lock is shifted.
*/
if (hpage != p) {
- put_page(hpage);
- get_page(p);
+ if (!(flags & MF_COUNT_INCREASED)) {
+ put_page(hpage);
+ get_page(p);
+ }
lock_page(p);
unlock_page(hpage);
*hpagep = p;

2014-02-21 00:11:23

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 04/99] mm: fix page leak at nfs_symlink()

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Rafael Aquini <[email protected]>

commit a0b54adda3fe4b4cc6d28f2a9217cd35d1aa888c upstream.

Changes in commit a0b8cab3b9b2 ("mm: remove lru parameter from
__pagevec_lru_add and remove parts of pagevec API") have introduced a
call to add_to_page_cache_lru() which causes a leak in nfs_symlink() as
now the page gets an extra refcount that is not dropped.

Jan Stancek observed and reported the leak effect while running test8
from Connectathon Testsuite. After several iterations over the test
case, which creates several symlinks on a NFS mountpoint, the test
system was quickly getting into an out-of-memory scenario.

This patch fixes the page leak by dropping that extra refcount
add_to_page_cache_lru() is grabbing.

Signed-off-by: Jan Stancek <[email protected]>
Signed-off-by: Rafael Aquini <[email protected]>
Acked-by: Mel Gorman <[email protected]>
Acked-by: Rik van Riel <[email protected]>
Cc: Jeff Layton <[email protected]>
Cc: Trond Myklebust <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/nfs/dir.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1837,6 +1837,11 @@ int nfs_symlink(struct inode *dir, struc
GFP_KERNEL)) {
SetPageUptodate(page);
unlock_page(page);
+ /*
+ * add_to_page_cache_lru() grabs an extra page refcount.
+ * Drop it here to avoid leaking this page later.
+ */
+ page_cache_release(page);
} else
__free_page(page);


2014-02-20 23:53:30

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 32/99] hwmon: (ntc_thermistor) Avoid math overflow

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Doug Anderson <[email protected]>

commit d3d89c468ceebbcf9423d1a3d66c5bf91f569570 upstream.

The ntc thermistor code was doing math whose temporary result might
have overflowed 32-bits. We need some casts in there to make it safe.

In one example I found:
- pullup_uV: 1800000
- result of iio_read_channel_raw: 3226
- 1800000 * 3226 => 0x15a1cbc80

Signed-off-by: Doug Anderson <[email protected]>
Signed-off-by: Guenter Roeck <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/hwmon/ntc_thermistor.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/hwmon/ntc_thermistor.c
+++ b/drivers/hwmon/ntc_thermistor.c
@@ -145,7 +145,7 @@ struct ntc_data {
static int ntc_adc_iio_read(struct ntc_thermistor_platform_data *pdata)
{
struct iio_channel *channel = pdata->chan;
- unsigned int result;
+ s64 result;
int val, ret;

ret = iio_read_channel_raw(channel, &val);
@@ -155,10 +155,10 @@ static int ntc_adc_iio_read(struct ntc_t
}

/* unit: mV */
- result = pdata->pullup_uv * val;
+ result = pdata->pullup_uv * (s64) val;
result >>= 12;

- return result;
+ return (int)result;
}

static const struct of_device_id ntc_match[] = {

2014-02-21 00:11:53

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 36/99] n_tty: Fix stale echo output

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Peter Hurley <[email protected]>

commit e2613be5093d04e6589924d36a1e363eef3c87c7 upstream.

When echoes cannot be flushed to output (usually because the tty
has no more write room) and L_ECHO is subsequently turned off, then
when L_ECHO is turned back on, stale echoes are output.

Output completed echoes regardless of the L_ECHO setting:
1. before normal writes to that tty
2. if the tty was stopped by soft flow control and is being
restarted

Reported-by: Mikulas Patocka <[email protected]>
Signed-off-by: Peter Hurley <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/tty/n_tty.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)

--- a/drivers/tty/n_tty.c
+++ b/drivers/tty/n_tty.c
@@ -813,8 +813,7 @@ static void process_echoes(struct tty_st
struct n_tty_data *ldata = tty->disc_data;
size_t echoed;

- if ((!L_ECHO(tty) && !L_ECHONL(tty)) ||
- ldata->echo_mark == ldata->echo_tail)
+ if (ldata->echo_mark == ldata->echo_tail)
return;

mutex_lock(&ldata->output_lock);
@@ -1238,7 +1237,8 @@ n_tty_receive_signal_char(struct tty_str
if (L_ECHO(tty)) {
echo_char(c, tty);
commit_echoes(tty);
- }
+ } else
+ process_echoes(tty);
isig(signal, tty);
return;
}
@@ -1269,7 +1269,7 @@ n_tty_receive_char_special(struct tty_st
if (I_IXON(tty)) {
if (c == START_CHAR(tty)) {
start_tty(tty);
- commit_echoes(tty);
+ process_echoes(tty);
return 0;
}
if (c == STOP_CHAR(tty)) {
@@ -1821,8 +1821,10 @@ static void n_tty_set_termios(struct tty
* Fix tty hang when I_IXON(tty) is cleared, but the tty
* been stopped by STOP_CHAR(tty) before it.
*/
- if (!I_IXON(tty) && old && (old->c_iflag & IXON) && !tty->flow_stopped)
+ if (!I_IXON(tty) && old && (old->c_iflag & IXON) && !tty->flow_stopped) {
start_tty(tty);
+ process_echoes(tty);
+ }

/* The termios change make the tty ready for I/O */
wake_up_interruptible(&tty->write_wait);

2014-02-21 00:11:52

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 37/99] drm/radeon: fix UVD IRQ support on 7xx

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <[email protected]>

commit 858a41c853cef2cb01de34dae334c19c1c15b237 upstream.

Otherwise decoding isn't really useable.

Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/gpu/drm/radeon/r600.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/gpu/drm/radeon/r600.c
+++ b/drivers/gpu/drm/radeon/r600.c
@@ -3904,6 +3904,10 @@ restart_ih:
break;
}
break;
+ case 124: /* UVD */
+ DRM_DEBUG("IH: UVD int: 0x%08x\n", src_data);
+ radeon_fence_process(rdev, R600_RING_TYPE_UVD_INDEX);
+ break;
case 176: /* CP_INT in ring buffer */
case 177: /* CP_INT in IB1 */
case 178: /* CP_INT in IB2 */

2014-02-20 23:53:28

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 33/99] lockd: send correct lock when granting a delayed lock.

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: NeilBrown <[email protected]>

commit 2ec197db1a56c9269d75e965f14c344b58b2a4f6 upstream.

If an NFS client attempts to get a lock (using NLM) and the lock is
not available, the server will remember the request and when the lock
becomes available it will send a GRANT request to the client to
provide the lock.

If the client already held an adjacent lock, the GRANT callback will
report the union of the existing and new locks, which can confuse the
client.

This happens because __posix_lock_file (called by vfs_lock_file)
updates the passed-in file_lock structure when adjacent or
over-lapping locks are found.

To avoid this problem we take a copy of the two fields that can
be changed (fl_start and fl_end) before the call and restore them
afterwards.
An alternate would be to allocate a 'struct file_lock', initialise it,
use locks_copy_lock() to take a copy, then locks_release_private()
after the vfs_lock_file() call. But that is a lot more work.

Reported-by: Olaf Kirch <[email protected]>
Signed-off-by: NeilBrown <[email protected]>
Signed-off-by: J. Bruce Fields <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

--
v1 had a couple of issues (large on-stack struct and didn't really work properly).
This version is much better tested.
Signed-off-by: J. Bruce Fields <[email protected]>

---
fs/lockd/svclock.c | 8 ++++++++
1 file changed, 8 insertions(+)

--- a/fs/lockd/svclock.c
+++ b/fs/lockd/svclock.c
@@ -779,6 +779,7 @@ nlmsvc_grant_blocked(struct nlm_block *b
struct nlm_file *file = block->b_file;
struct nlm_lock *lock = &block->b_call->a_args.lock;
int error;
+ loff_t fl_start, fl_end;

dprintk("lockd: grant blocked lock %p\n", block);

@@ -796,9 +797,16 @@ nlmsvc_grant_blocked(struct nlm_block *b
}

/* Try the lock operation again */
+ /* vfs_lock_file() can mangle fl_start and fl_end, but we need
+ * them unchanged for the GRANT_MSG
+ */
lock->fl.fl_flags |= FL_SLEEP;
+ fl_start = lock->fl.fl_start;
+ fl_end = lock->fl.fl_end;
error = vfs_lock_file(file->f_file, F_SETLK, &lock->fl, NULL);
lock->fl.fl_flags &= ~FL_SLEEP;
+ lock->fl.fl_start = fl_start;
+ lock->fl.fl_end = fl_end;

switch (error) {
case 0:

2014-02-21 00:12:41

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Hannes Reinecke <[email protected]>

commit d8a5dc3033af2fd6d16030d2ee4fbd073460fe54 upstream.

The 'active' sysfs attribute should refer to the currently active tty
devices the console is running on, not the currently active console.

The console structure doesn't refer to any device in sysfs, only the tty
the console is running on has. So we need to print out the tty names in
'active', not the console names.

This resolves an issue on s390 platforms in determining the correct
console device to use.

Cc: Lennart Poettering <[email protected]>
Cc: Kay Sievers <[email protected]>
Cc: Jiri Slaby <[email protected]>
Cc: David Herrmann <[email protected]>
Signed-off-by: Werner Fink <[email protected]>
Signed-off-by: Hannes Reinecke <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
Documentation/ABI/testing/sysfs-tty | 3 ++-
drivers/tty/tty_io.c | 25 ++++++++++++++++++-------
2 files changed, 20 insertions(+), 8 deletions(-)

--- a/Documentation/ABI/testing/sysfs-tty
+++ b/Documentation/ABI/testing/sysfs-tty
@@ -3,7 +3,8 @@ Date: Nov 2010
Contact: Kay Sievers <[email protected]>
Description:
Shows the list of currently configured
- console devices, like 'tty1 ttyS0'.
+ tty devices used for the console,
+ like 'tty1 ttyS0'.
The last entry in the file is the active
device connected to /dev/console.
The file supports poll() to detect virtual
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -1267,16 +1267,17 @@ static void pty_line_name(struct tty_dri
* @p: output buffer of at least 7 bytes
*
* Generate a name from a driver reference and write it to the output
- * buffer.
+ * buffer. Return the number of bytes written.
*
* Locking: None
*/
-static void tty_line_name(struct tty_driver *driver, int index, char *p)
+static ssize_t tty_line_name(struct tty_driver *driver, int index, char *p)
{
if (driver->flags & TTY_DRIVER_UNNUMBERED_NODE)
- strcpy(p, driver->name);
+ return sprintf(p, "%s", driver->name);
else
- sprintf(p, "%s%d", driver->name, index + driver->name_base);
+ return sprintf(p, "%s%d", driver->name,
+ index + driver->name_base);
}

/**
@@ -3545,9 +3546,19 @@ static ssize_t show_cons_active(struct d
if (i >= ARRAY_SIZE(cs))
break;
}
- while (i--)
- count += sprintf(buf + count, "%s%d%c",
- cs[i]->name, cs[i]->index, i ? ' ':'\n');
+ while (i--) {
+ struct tty_driver *driver;
+ const char *name = cs[i]->name;
+ int index = cs[i]->index;
+
+ driver = cs[i]->device(cs[i], &index);
+ if (driver) {
+ count += tty_line_name(driver, index, buf + count);
+ count += sprintf(buf + count, "%c", i ? ' ':'\n');
+ } else
+ count += sprintf(buf + count, "%s%d%c",
+ name, index, i ? ' ':'\n');
+ }
console_unlock();

return count;

2014-02-20 23:53:24

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 26/99] iwlwifi: mvm: BT Coex - disable BT when TXing probe request in scan

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Emmanuel Grumbach <[email protected]>

commit 8e2a866ef214af4e104ec8d593e3269d8fe66d19 upstream.

Not doing so will let BT kill our probe requests leading to
failures in scan.

Reviewed-by: Johannes Berg <[email protected]>
Signed-off-by: Emmanuel Grumbach <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/wireless/iwlwifi/mvm/scan.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/iwlwifi/mvm/scan.c
+++ b/drivers/net/wireless/iwlwifi/mvm/scan.c
@@ -325,7 +325,8 @@ int iwl_mvm_scan_request(struct iwl_mvm

iwl_mvm_scan_fill_ssids(cmd, req, basic_ssid ? 1 : 0);

- cmd->tx_cmd.tx_flags = cpu_to_le32(TX_CMD_FLG_SEQ_CTL);
+ cmd->tx_cmd.tx_flags = cpu_to_le32(TX_CMD_FLG_SEQ_CTL |
+ TX_CMD_FLG_BT_DIS);
cmd->tx_cmd.sta_id = mvm->aux_sta.sta_id;
cmd->tx_cmd.life_time = cpu_to_le32(TX_CMD_LIFE_TIME_INFINITE);
cmd->tx_cmd.rate_n_flags =

2014-02-21 00:13:07

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 31/99] raw: test against runtime value of max_raw_minors

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Paul Bolle <[email protected]>

commit 5bbb2ae3d6f896f8d2082d1eceb6131c2420b7cf upstream.

bind_get() checks the device number it is called with. It uses
MAX_RAW_MINORS for the upper bound. But MAX_RAW_MINORS is set at compile
time while the actual number of raw devices can be set at runtime. This
means the test can either be too strict or too lenient. And if the test
ends up being too lenient bind_get() might try to access memory beyond
what was allocated for "raw_devices".

So check against the runtime value (max_raw_minors) in this function.

Signed-off-by: Paul Bolle <[email protected]>
Acked-by: Jan Kara <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/char/raw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/char/raw.c
+++ b/drivers/char/raw.c
@@ -190,7 +190,7 @@ static int bind_get(int number, dev_t *d
struct raw_device_data *rawdev;
struct block_device *bdev;

- if (number <= 0 || number >= MAX_RAW_MINORS)
+ if (number <= 0 || number >= max_raw_minors)
return -EINVAL;

rawdev = &raw_devices[number];

2014-02-21 00:13:32

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 30/99] serial: sirf: fix kernel panic caused by unpaired spinlock

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Qipan Li <[email protected]>

commit fb78b811422cd2d8c8605949cc4cc13618347ad5 upstream.

commit 8b9ade9f74f8a279 coming from Viresh Kumar "tty: serial: sirfsoc: drop
uart_port->lock before calling tty_flip_buffer_push()" broke sirfsoc uart
driver by knic:

[ 5.129122] BUG: spinlock already unlocked on CPU#0, ip6tables/1331
[ 5.132554] lock: sirfsoc_uart_ports+0x4/0x8a0, .magic: dead4ead,
.owner: <none>/-1, .owner_cpu: -1
[ 5.141651] CPU: 0 PID: 1331 Comm: ip6tables Tainted: G
W O 3.10.16 #3
[ 5.148866] [<c0013528>] (unwind_backtrace+0x0/0xe0) from
[<c0010e70>] (show_stack+0x10/0x14)
[ 5.157362] [<c0010e70>] (show_stack+0x10/0x14) from
[<c01a5e68>] (do_raw_spin_unlock+0x40/0xc8)
[ 5.166125] [<c01a5e68>] (do_raw_spin_unlock+0x40/0xc8) from
[<c03ff8b4>] (_raw_spin_unlock+0x8/0x40)
[ 5.175322] [<c03ff8b4>] (_raw_spin_unlock+0x8/0x40) from
[<c0203fcc>] (sirfsoc_uart_pio_rx_chars+0xa4/0xc0)
[ 5.185120] [<c0203fcc>]
(sirfsoc_uart_pio_rx_chars+0xa4/0xc0) from [<c0204fb8>]
(sirfsoc_rx_tmo_process_tl+0xdc/0x1e0)
[ 5.195875] [<c0204fb8>]
(sirfsoc_rx_tmo_process_tl+0xdc/0x1e0) from [<c0024b50>]
(tasklet_action+0x8c/0xec)
[ 5.205673] [<c0024b50>] (tasklet_action+0x8c/0xec) from
[<c00242a8>] (__do_softirq+0xec/0x1d4)
[ 5.214347] [<c00242a8>] (__do_softirq+0xec/0x1d4) from
[<c0024428>] (do_softirq+0x48/0x54)
[ 5.222674] [<c0024428>] (do_softirq+0x48/0x54) from
[<c0024690>] (irq_exit+0x74/0xc0)
[ 5.230573] [<c0024690>] (irq_exit+0x74/0xc0) from
[<c000e1e8>] (handle_IRQ+0x6c/0x90)
[ 5.238465] [<c000e1e8>] (handle_IRQ+0x6c/0x90) from
[<c000d500>] (__irq_svc+0x40/0x70)
[ 5.246446] [<c000d500>] (__irq_svc+0x40/0x70) from
[<c0092e7c>] (mark_page_accessed+0xc/0x68)
[ 5.255034] [<c0092e7c>] (mark_page_accessed+0xc/0x68) from
[<c00a2a4c>] (unmap_single_vma+0x3bc/0x550)
[ 5.264402] [<c00a2a4c>] (unmap_single_vma+0x3bc/0x550) from
[<c00a3b4c>] (unmap_vmas+0x44/0x54)
[ 5.273164] [<c00a3b4c>] (unmap_vmas+0x44/0x54) from
[<c00a81a8>] (exit_mmap+0xc4/0x1e0)
[ 5.281233] [<c00a81a8>] (exit_mmap+0xc4/0x1e0) from
[<c001bb78>] (mmput+0x3c/0xdc)
[ 5.288868] [<c001bb78>] (mmput+0x3c/0xdc) from [<c0021b0c>]
(do_exit+0x30c/0x828)
[ 5.296413] [<c0021b0c>] (do_exit+0x30c/0x828) from
[<c0022dac>] (do_group_exit+0x4c/0xb0)
[ 5.304653] [<c0022dac>] (do_group_exit+0x4c/0xb0) from
[<c0022e20>] (__wake_up_parent+0x0/0x18)

Root cause:
the commit dropped uart_port->lock before calling tty_flip_buffer_push(), but in sirfsoc-uart,
sirfsoc_uart_pio_rx_chars() can be called by sirfsoc_rx_tmo_process_tl(). here uart_port->lock
has not been taken yet. so that caused unpaired lock/unlock.

Solution:
This patch is doing a quick fix for that, it adds spin_lock/unlock(&port->lock) protect to
sirfsoc_uart_pio_rx_chars() in sirfsoc_rx_tmo_process_tl() to keep spin_lock/unlock in pair.

Signed-off-by: Qipan Li <[email protected]>
Signed-off-by: Barry Song <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/tty/serial/sirfsoc_uart.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/sirfsoc_uart.c
+++ b/drivers/tty/serial/sirfsoc_uart.c
@@ -540,8 +540,10 @@ static void sirfsoc_rx_tmo_process_tl(un
wr_regl(port, ureg->sirfsoc_rx_dma_io_ctrl,
rd_regl(port, ureg->sirfsoc_rx_dma_io_ctrl) |
SIRFUART_IO_MODE);
- sirfsoc_uart_pio_rx_chars(port, 4 - sirfport->rx_io_count);
spin_unlock_irqrestore(&sirfport->rx_lock, flags);
+ spin_lock(&port->lock);
+ sirfsoc_uart_pio_rx_chars(port, 4 - sirfport->rx_io_count);
+ spin_unlock(&port->lock);
if (sirfport->rx_io_count == 4) {
spin_lock_irqsave(&sirfport->rx_lock, flags);
sirfport->rx_io_count = 0;

2014-02-21 00:14:26

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 03/99] fs/file.c:fdtable: avoid triggering OOMs from alloc_fdmem

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: "Eric W. Biederman" <[email protected]>

commit 96c7a2ff21501691587e1ae969b83cbec8b78e08 upstream.

Recently due to a spike in connections per second memcached on 3
separate boxes triggered the OOM killer from accept. At the time the
OOM killer was triggered there was 4GB out of 36GB free in zone 1. The
problem was that alloc_fdtable was allocating an order 3 page (32KiB) to
hold a bitmap, and there was sufficient fragmentation that the largest
page available was 8KiB.

I find the logic that PAGE_ALLOC_COSTLY_ORDER can't fail pretty dubious
but I do agree that order 3 allocations are very likely to succeed.

There are always pathologies where order > 0 allocations can fail when
there are copious amounts of free memory available. Using the pigeon
hole principle it is easy to show that it requires 1 page more than 50%
of the pages being free to guarantee an order 1 (8KiB) allocation will
succeed, 1 page more than 75% of the pages being free to guarantee an
order 2 (16KiB) allocation will succeed and 1 page more than 87.5% of
the pages being free to guarantee an order 3 allocate will succeed.

A server churning memory with a lot of small requests and replies like
memcached is a common case that if anything can will skew the odds
against large pages being available.

Therefore let's not give external applications a practical way to kill
linux server applications, and specify __GFP_NORETRY to the kmalloc in
alloc_fdmem. Unless I am misreading the code and by the time the code
reaches should_alloc_retry in __alloc_pages_slowpath (where
__GFP_NORETRY becomes signification). We have already tried everything
reasonable to allocate a page and the only thing left to do is wait. So
not waiting and falling back to vmalloc immediately seems like the
reasonable thing to do even if there wasn't a chance of triggering the
OOM killer.

Signed-off-by: "Eric W. Biederman" <[email protected]>
Cc: Eric Dumazet <[email protected]>
Acked-by: David Rientjes <[email protected]>
Cc: Cong Wang <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/file.c
+++ b/fs/file.c
@@ -34,7 +34,7 @@ static void *alloc_fdmem(size_t size)
* vmalloc() if the allocation size will be considered "large" by the VM.
*/
if (size <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER)) {
- void *data = kmalloc(size, GFP_KERNEL|__GFP_NOWARN);
+ void *data = kmalloc(size, GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY);
if (data != NULL)
return data;
}

2014-02-20 23:53:21

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 25/99] iwlwifi: add more 7265 HW IDs

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Oren Givon <[email protected]>

commit f7690915ccce98553c5425b51e6b5a6c51e27f4e upstream.

Add 6 new HW IDs for the 7265 series.

Signed-off-by: Oren Givon <[email protected]>
Signed-off-by: Emmanuel Grumbach <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/wireless/iwlwifi/pcie/drv.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/iwlwifi/pcie/drv.c
+++ b/drivers/net/wireless/iwlwifi/pcie/drv.c
@@ -354,20 +354,25 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_ca
/* 7265 Series */
{IWL_PCI_DEVICE(0x095A, 0x5010, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x5110, iwl7265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x095A, 0x5112, iwl7265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x095A, 0x5100, iwl7265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x095A, 0x510A, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095B, 0x5310, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095B, 0x5302, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095B, 0x5210, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x5012, iwl7265_2ac_cfg)},
- {IWL_PCI_DEVICE(0x095A, 0x500A, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x5410, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x5400, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x1010, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x5000, iwl7265_2n_cfg)},
+ {IWL_PCI_DEVICE(0x095A, 0x500A, iwl7265_2n_cfg)},
{IWL_PCI_DEVICE(0x095B, 0x5200, iwl7265_2n_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x5002, iwl7265_n_cfg)},
{IWL_PCI_DEVICE(0x095B, 0x5202, iwl7265_n_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x9010, iwl7265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x095A, 0x9012, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x9110, iwl7265_2ac_cfg)},
+ {IWL_PCI_DEVICE(0x095A, 0x9112, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x9210, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x9510, iwl7265_2ac_cfg)},
{IWL_PCI_DEVICE(0x095A, 0x9310, iwl7265_2ac_cfg)},

2014-02-21 00:14:45

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 29/99] spi: nuc900: Set SPI_LSB_FIRST for master->mode_bits if hw->pdata->lsb is true

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Axel Lin <[email protected]>

commit f7db1588d6028c97c098bb6445eaabc56a25fed8 upstream.

Otherwise, spi_setup() fails with unsupported mode bits message.

Signed-off-by: Axel Lin <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/spi/spi-nuc900.c | 2 ++
1 file changed, 2 insertions(+)

--- a/drivers/spi/spi-nuc900.c
+++ b/drivers/spi/spi-nuc900.c
@@ -363,6 +363,8 @@ static int nuc900_spi_probe(struct platf
init_completion(&hw->done);

master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH;
+ if (hw->pdata->lsb)
+ master->mode_bits |= SPI_LSB_FIRST;
master->num_chipselect = hw->pdata->num_cs;
master->bus_num = hw->pdata->bus_num;
hw->bitbang.master = hw->master;

2014-02-21 00:15:07

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 28/99] of: fix PCI bus match for PCIe slots

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kleber Sacilotto de Souza <[email protected]>

commit 14e2abb732e485ee57d9d5b2cb8884652238e5c1 upstream.

On IBM pseries systems the device_type device-tree property of a PCIe
bridge contains the string "pciex". The of_bus_pci_match() function was
looking only for "pci" on this property, so in such cases the bus
matching code was falling back to the default bus, causing problems on
functions that should be using "assigned-addresses" for region address
translation. This patch fixes the problem by also looking for "pciex" on
the PCI bus match function.

v2: added comment

Signed-off-by: Kleber Sacilotto de Souza <[email protected]>
Acked-by: Grant Likely <[email protected]>
Signed-off-by: Rob Herring <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/of/address.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/of/address.c
+++ b/drivers/of/address.c
@@ -99,11 +99,12 @@ static unsigned int of_bus_default_get_f
static int of_bus_pci_match(struct device_node *np)
{
/*
+ * "pciex" is PCI Express
* "vci" is for the /chaos bridge on 1st-gen PCI powermacs
* "ht" is hypertransport
*/
- return !strcmp(np->type, "pci") || !strcmp(np->type, "vci") ||
- !strcmp(np->type, "ht");
+ return !strcmp(np->type, "pci") || !strcmp(np->type, "pciex") ||
+ !strcmp(np->type, "vci") || !strcmp(np->type, "ht");
}

static void of_bus_pci_count_cells(struct device_node *np,

2014-02-21 00:15:37

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 27/99] powerpc: Fix endian issues in kexec and crash dump code

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Anton Blanchard <[email protected]>

commit ea961a828fe7250e954f086d74d9323c3d44c3e4 upstream.

We expose a number of OF properties in the kexec and crash dump code
and these need to be big endian.

Signed-off-by: Anton Blanchard <[email protected]>
Signed-off-by: Benjamin Herrenschmidt <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/powerpc/kernel/machine_kexec.c | 14 ++++++++++----
arch/powerpc/kernel/machine_kexec_64.c | 6 ++++--
2 files changed, 14 insertions(+), 6 deletions(-)

--- a/arch/powerpc/kernel/machine_kexec.c
+++ b/arch/powerpc/kernel/machine_kexec.c
@@ -196,7 +196,9 @@ int overlaps_crashkernel(unsigned long s

/* Values we need to export to the second kernel via the device tree. */
static phys_addr_t kernel_end;
+static phys_addr_t crashk_base;
static phys_addr_t crashk_size;
+static unsigned long long mem_limit;

static struct property kernel_end_prop = {
.name = "linux,kernel-end",
@@ -207,7 +209,7 @@ static struct property kernel_end_prop =
static struct property crashk_base_prop = {
.name = "linux,crashkernel-base",
.length = sizeof(phys_addr_t),
- .value = &crashk_res.start,
+ .value = &crashk_base
};

static struct property crashk_size_prop = {
@@ -219,9 +221,11 @@ static struct property crashk_size_prop
static struct property memory_limit_prop = {
.name = "linux,memory-limit",
.length = sizeof(unsigned long long),
- .value = &memory_limit,
+ .value = &mem_limit,
};

+#define cpu_to_be_ulong __PASTE(cpu_to_be, BITS_PER_LONG)
+
static void __init export_crashk_values(struct device_node *node)
{
struct property *prop;
@@ -237,8 +241,9 @@ static void __init export_crashk_values(
of_remove_property(node, prop);

if (crashk_res.start != 0) {
+ crashk_base = cpu_to_be_ulong(crashk_res.start),
of_add_property(node, &crashk_base_prop);
- crashk_size = resource_size(&crashk_res);
+ crashk_size = cpu_to_be_ulong(resource_size(&crashk_res));
of_add_property(node, &crashk_size_prop);
}

@@ -246,6 +251,7 @@ static void __init export_crashk_values(
* memory_limit is required by the kexec-tools to limit the
* crash regions to the actual memory used.
*/
+ mem_limit = cpu_to_be_ulong(memory_limit);
of_update_property(node, &memory_limit_prop);
}

@@ -264,7 +270,7 @@ static int __init kexec_setup(void)
of_remove_property(node, prop);

/* information needed by userspace when using default_machine_kexec */
- kernel_end = __pa(_end);
+ kernel_end = cpu_to_be_ulong(__pa(_end));
of_add_property(node, &kernel_end_prop);

export_crashk_values(node);
--- a/arch/powerpc/kernel/machine_kexec_64.c
+++ b/arch/powerpc/kernel/machine_kexec_64.c
@@ -369,6 +369,7 @@ void default_machine_kexec(struct kimage

/* Values we need to export to the second kernel via the device tree. */
static unsigned long htab_base;
+static unsigned long htab_size;

static struct property htab_base_prop = {
.name = "linux,htab-base",
@@ -379,7 +380,7 @@ static struct property htab_base_prop =
static struct property htab_size_prop = {
.name = "linux,htab-size",
.length = sizeof(unsigned long),
- .value = &htab_size_bytes,
+ .value = &htab_size,
};

static int __init export_htab_values(void)
@@ -403,8 +404,9 @@ static int __init export_htab_values(voi
if (prop)
of_remove_property(node, prop);

- htab_base = __pa(htab_address);
+ htab_base = cpu_to_be64(__pa(htab_address));
of_add_property(node, &htab_base_prop);
+ htab_size = cpu_to_be64(htab_size_bytes);
of_add_property(node, &htab_size_prop);

of_node_put(node);

2014-02-20 23:53:16

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 14/99] ath9k_htc: make ->sta_rc_update atomic for most calls

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Stanislaw Gruszka <[email protected]>

commit 2fa4cb905605c863bf570027233af7afd8149ae4 upstream.

sta_rc_update() callback must be atomic, hence we can not take mutexes
or do other operations, which can sleep in ath9k_htc_sta_rc_update().

I think we can just return from ath9k_htc_sta_rc_update(), if it is
called without IEEE80211_RC_SUPP_RATES_CHANGED bit. That will help
with scheduling while atomic bug for most cases (except mesh and IBSS
modes).

For mesh and IBSS I do not see other solution like creating additional
workqueue, because sending firmware command require us to sleep, but
this can be done in additional patch.

Patch partially fixes bug:
https://bugzilla.redhat.com/show_bug.cgi?id=990955

Signed-off-by: Stanislaw Gruszka <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/wireless/ath/ath9k/htc_drv_main.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)

--- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
@@ -1315,21 +1315,22 @@ static void ath9k_htc_sta_rc_update(stru
struct ath_common *common = ath9k_hw_common(priv->ah);
struct ath9k_htc_target_rate trate;

+ if (!(changed & IEEE80211_RC_SUPP_RATES_CHANGED))
+ return;
+
mutex_lock(&priv->mutex);
ath9k_htc_ps_wakeup(priv);

- if (changed & IEEE80211_RC_SUPP_RATES_CHANGED) {
- memset(&trate, 0, sizeof(struct ath9k_htc_target_rate));
- ath9k_htc_setup_rate(priv, sta, &trate);
- if (!ath9k_htc_send_rate_cmd(priv, &trate))
- ath_dbg(common, CONFIG,
- "Supported rates for sta: %pM updated, rate caps: 0x%X\n",
- sta->addr, be32_to_cpu(trate.capflags));
- else
- ath_dbg(common, CONFIG,
- "Unable to update supported rates for sta: %pM\n",
- sta->addr);
- }
+ memset(&trate, 0, sizeof(struct ath9k_htc_target_rate));
+ ath9k_htc_setup_rate(priv, sta, &trate);
+ if (!ath9k_htc_send_rate_cmd(priv, &trate))
+ ath_dbg(common, CONFIG,
+ "Supported rates for sta: %pM updated, rate caps: 0x%X\n",
+ sta->addr, be32_to_cpu(trate.capflags));
+ else
+ ath_dbg(common, CONFIG,
+ "Unable to update supported rates for sta: %pM\n",
+ sta->addr);

ath9k_htc_ps_restore(priv);
mutex_unlock(&priv->mutex);

2014-02-21 00:16:14

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 24/99] iwlwifi: mvm: print the version of the firmware when it asserts

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Emmanuel Grumbach <[email protected]>

commit b900a87b2eb90c0b9586496c82a323a1b8832d73 upstream.

This can be useful to be able to spot the firmware version
from the error reports without needing to fetch it from
another place.

Signed-off-by: Emmanuel Grumbach <[email protected]>
Reviewed-by: Johannes Berg <[email protected]>
Signed-off-by: Emmanuel Grumbach <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/wireless/iwlwifi/mvm/utils.c | 2 ++
1 file changed, 2 insertions(+)

--- a/drivers/net/wireless/iwlwifi/mvm/utils.c
+++ b/drivers/net/wireless/iwlwifi/mvm/utils.c
@@ -411,6 +411,8 @@ void iwl_mvm_dump_nic_error_log(struct i
mvm->status, table.valid);
}

+ IWL_ERR(mvm, "Loaded firmware version: %s\n", mvm->fw->fw_version);
+
trace_iwlwifi_dev_ucode_error(trans->dev, table.error_id, table.tsf_low,
table.data1, table.data2, table.data3,
table.blink1, table.blink2, table.ilink1,

2014-02-21 00:16:50

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 23/99] iwlwifi: mvm: disable scheduled scan

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johannes Berg <[email protected]>

commit 0822afe8ebb9389997ef677447c7b08e08797de9 upstream.

The iwlwifi scheduled scan implementation doesn't adhere to the
userspace API correctly - the API assumes that any new incoming
'incompatible' request (like scan or remain-on-channel for this
driver) will just cancel the scheduled scan. Instead our driver
relies on userspace cancelling it, thus breaking existing wpa_s
versions.

Fixes: 35a000b7c1bb ("iwlwifi: mvm: support sched scan if supported by the fw")
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Emmanuel Grumbach <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/wireless/iwlwifi/mvm/mac80211.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c
@@ -246,7 +246,7 @@ int iwl_mvm_mac_setup_register(struct iw
else
hw->wiphy->flags &= ~WIPHY_FLAG_PS_ON_BY_DEFAULT;

- if (mvm->fw->ucode_capa.flags & IWL_UCODE_TLV_FLAGS_SCHED_SCAN) {
+ if (0 && mvm->fw->ucode_capa.flags & IWL_UCODE_TLV_FLAGS_SCHED_SCAN) {
hw->wiphy->flags |= WIPHY_FLAG_SUPPORTS_SCHED_SCAN;
hw->wiphy->max_sched_scan_ssids = PROBE_OPTION_MAX;
hw->wiphy->max_match_sets = IWL_SCAN_MAX_PROFILES;

2014-02-21 00:17:11

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 22/99] iwlwifi: mvm: dont allow A band if SKU forbids it

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Emmanuel Grumbach <[email protected]>

commit c512865446e6dd5b6e91e81187e75b734ad7cfc7 upstream.

The driver wasn't reading the NVM properly. While this
didn't lead to any issue until now, it seems that there
is an old version of the NVM in the wild.
In this version, the A band channels appear to be valid
but the SKU capabilities (another field of the NVM) says
that A band isn't supported at all.
With this specific version of the NVM, the driver would
think that A band is supported while the HW / firmware
don't. This leads to asserts.

Reviewed-by: Johannes Berg <[email protected]>
Signed-off-by: Emmanuel Grumbach <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/wireless/iwlwifi/iwl-nvm-parse.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/drivers/net/wireless/iwlwifi/iwl-nvm-parse.c
+++ b/drivers/net/wireless/iwlwifi/iwl-nvm-parse.c
@@ -182,6 +182,11 @@ static int iwl_init_channel_map(struct d

for (ch_idx = 0; ch_idx < IWL_NUM_CHANNELS; ch_idx++) {
ch_flags = __le16_to_cpup(nvm_ch_flags + ch_idx);
+
+ if (ch_idx >= NUM_2GHZ_CHANNELS &&
+ !data->sku_cap_band_52GHz_enable)
+ ch_flags &= ~NVM_CHANNEL_VALID;
+
if (!(ch_flags & NVM_CHANNEL_VALID)) {
IWL_DEBUG_EEPROM(dev,
"Ch. %d Flags %x [%sGHz] - No traffic\n",

2014-02-20 23:53:14

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 11/99] mac80211: release the channel in error path in start_ap

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Emmanuel Grumbach <[email protected]>

commit 0297ea17bf7879fb5846fafd1be4c0471e72848d upstream.

When the driver cannot start the AP or when the assignement
of the beacon goes wrong, we need to unassign the vif.

Signed-off-by: Emmanuel Grumbach <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/mac80211/cfg.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -995,8 +995,10 @@ static int ieee80211_start_ap(struct wip
IEEE80211_P2P_OPPPS_ENABLE_BIT;

err = ieee80211_assign_beacon(sdata, &params->beacon);
- if (err < 0)
+ if (err < 0) {
+ ieee80211_vif_release_channel(sdata);
return err;
+ }
changed |= err;

err = drv_start_ap(sdata->local, sdata);
@@ -1005,6 +1007,7 @@ static int ieee80211_start_ap(struct wip
if (old)
kfree_rcu(old, rcu_head);
RCU_INIT_POINTER(sdata->u.ap.beacon, NULL);
+ ieee80211_vif_release_channel(sdata);
return err;
}


2014-02-21 00:17:36

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 21/99] spi: Fix crash with double message finalisation on error handling

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Geert Uytterhoeven <[email protected]>

commit 1f802f8249a0da536877842c43c7204064c4de8b upstream.

This reverts commit e120cc0dcf2880a4c5c0a6cb27b655600a1cfa1d.

It causes a NULL pointer dereference with drivers using the generic
spi_transfer_one_message(), which always calls
spi_finalize_current_message(), which zeroes master->cur_msg.

Drivers implementing transfer_one_message() theirselves must always call
spi_finalize_current_message(), even if the transfer failed:

* @transfer_one_message: the subsystem calls the driver to transfer a single
* message while queuing transfers that arrive in the meantime. When the
* driver is finished with this message, it must call
* spi_finalize_current_message() so the subsystem can issue the next
* transfer

Signed-off-by: Geert Uytterhoeven <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/spi/spi.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -735,9 +735,7 @@ static void spi_pump_messages(struct kth
ret = master->transfer_one_message(master, master->cur_msg);
if (ret) {
dev_err(&master->dev,
- "failed to transfer one message from queue: %d\n", ret);
- master->cur_msg->status = ret;
- spi_finalize_current_message(master);
+ "failed to transfer one message from queue\n");
return;
}
}

2014-02-21 00:18:00

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 20/99] nl80211: Reset split_start when netlink skb is exhausted

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Pontus Fuchs <[email protected]>

commit f12cb2893069495726c21a4b0178705dacfecfe0 upstream.

When the netlink skb is exhausted split_start is left set. In the
subsequent retry, with a larger buffer, the dump is continued from the
failing point instead of from the beginning.

This was causing my rt28xx based USB dongle to now show up when
running "iw list" with an old iw version without split dump support.

Fixes: 3713b4e364ef ("nl80211: allow splitting wiphy information in dumps")
Signed-off-by: Pontus Fuchs <[email protected]>
[avoid the entire workaround when state->split is set]
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/wireless/nl80211.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -1677,9 +1677,10 @@ static int nl80211_dump_wiphy(struct sk_
* We can then retry with the larger buffer.
*/
if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
- !skb->len &&
+ !skb->len && !state->split &&
cb->min_dump_alloc < 4096) {
cb->min_dump_alloc = 4096;
+ state->split_start = 0;
rtnl_unlock();
return 1;
}

2014-02-21 00:18:22

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 02/99] xen-blkfront: handle backend CLOSED without CLOSING

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: David Vrabel <[email protected]>

commit 3661371701e714f0cea4120f6a365340858fb4e4 upstream.

Backend drivers shouldn't transistion to CLOSED unless the frontend is
CLOSED. If a backend does transition to CLOSED too soon then the
frontend may not see the CLOSING state and will not properly shutdown.

So, treat an unexpected backend CLOSED state the same as CLOSING.

Signed-off-by: David Vrabel <[email protected]>
Acked-by: Konrad Rzeszutek Wilk <[email protected]>
Signed-off-by: Konrad Rzeszutek Wilk <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/block/xen-blkfront.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c
@@ -1904,13 +1904,16 @@ static void blkback_changed(struct xenbu
case XenbusStateReconfiguring:
case XenbusStateReconfigured:
case XenbusStateUnknown:
- case XenbusStateClosed:
break;

case XenbusStateConnected:
blkfront_connect(info);
break;

+ case XenbusStateClosed:
+ if (dev->state == XenbusStateClosed)
+ break;
+ /* Missed the backend's Closing state -- fallthrough */
case XenbusStateClosing:
blkfront_closing(info);
break;

2014-02-21 00:18:41

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 19/99] s390: fix kernel crash due to linkage stack instructions

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Martin Schwidefsky <[email protected]>

commit 8d7f6690cedb83456edd41c9bd583783f0703bf0 upstream.

The kernel currently crashes with a low-address-protection exception
if a user space process executes an instruction that tries to use the
linkage stack. Set the base-ASTE origin and the subspace-ASTE origin
of the dispatchable-unit-control-table to point to a dummy ASTE.
Set up control register 15 to point to an empty linkage stack with no
room left.

A user space process with a linkage stack instruction will still crash
but with a different exception which is correctly translated to a
segmentation fault instead of a kernel oops.

Signed-off-by: Martin Schwidefsky <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/s390/kernel/head64.S | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

--- a/arch/s390/kernel/head64.S
+++ b/arch/s390/kernel/head64.S
@@ -59,7 +59,7 @@ ENTRY(startup_continue)
.quad 0 # cr12: tracing off
.quad 0 # cr13: home space segment table
.quad 0xc0000000 # cr14: machine check handling off
- .quad 0 # cr15: linkage stack operations
+ .quad .Llinkage_stack # cr15: linkage stack operations
.Lpcmsk:.quad 0x0000000180000000
.L4malign:.quad 0xffffffffffc00000
.Lscan2g:.quad 0x80000000 + 0x20000 - 8 # 2GB + 128K - 8
@@ -67,12 +67,15 @@ ENTRY(startup_continue)
.Lparmaddr:
.quad PARMAREA
.align 64
-.Lduct: .long 0,0,0,0,.Lduald,0,0,0
+.Lduct: .long 0,.Laste,.Laste,0,.Lduald,0,0,0
.long 0,0,0,0,0,0,0,0
+.Laste: .quad 0,0xffffffffffffffff,0,0,0,0,0,0
.align 128
.Lduald:.rept 8
.long 0x80000000,0,0,0 # invalid access-list entries
.endr
+.Llinkage_stack:
+ .long 0,0,0x89000000,0,0,0,0x8a000000,0

ENTRY(_ehead)


2014-02-21 00:18:56

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 18/99] s390/dump: Fix dump memory detection

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Michael Holzheu <[email protected]>

commit d7736ff5be31edaa4fe5ab62810c64529a24b149 upstream.

Dumps created by kdump or zfcpdump can contain invalid memory holes when
dumping z/VM systems that have memory pressure.

For example:

# zgetdump -i /proc/vmcore.
Memory map:
0000000000000000 - 0000000000bfffff (12 MB)
0000000000e00000 - 00000000014fffff (7 MB)
000000000bd00000 - 00000000f3bfffff (3711 MB)

The memory detection function find_memory_chunks() issues tprot to
find valid memory chunks. In case of CMM it can happen that pages are
marked as unstable via set_page_unstable() in arch_free_page().
If z/VM has released that pages, tprot returns -EFAULT and indicates
a memory hole.

So fix this and switch off CMM in case of kdump or zfcpdump.

Signed-off-by: Michael Holzheu <[email protected]>
Signed-off-by: Martin Schwidefsky <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/s390/mm/page-states.c | 10 ++++++++++
1 file changed, 10 insertions(+)

--- a/arch/s390/mm/page-states.c
+++ b/arch/s390/mm/page-states.c
@@ -12,6 +12,8 @@
#include <linux/mm.h>
#include <linux/gfp.h>
#include <linux/init.h>
+#include <asm/setup.h>
+#include <asm/ipl.h>

#define ESSA_SET_STABLE 1
#define ESSA_SET_UNUSED 2
@@ -41,6 +43,14 @@ void __init cmma_init(void)

if (!cmma_flag)
return;
+ /*
+ * Disable CMM for dump, otherwise the tprot based memory
+ * detection can fail because of unstable pages.
+ */
+ if (OLDMEM_BASE || ipl_info.type == IPL_TYPE_FCP_DUMP) {
+ cmma_flag = 0;
+ return;
+ }
asm volatile(
" .insn rrf,0xb9ab0000,%1,%1,0,0\n"
"0: la %0,0\n"

2014-02-20 23:53:09

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 10/99] mac80211: move roc cookie assignment earlier

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eliad Peller <[email protected]>

commit 2f617435c3a6fe3f39efb9ae2baa77de2d6c97b8 upstream.

ieee80211_start_roc_work() might add a new roc
to existing roc, and tell cfg80211 it has already
started.

However, this might happen before the roc cookie
was set, resulting in REMAIN_ON_CHANNEL (started)
event with null cookie. Consequently, it can make
wpa_supplicant go out of sync.

Fix it by setting the roc cookie earlier.

Signed-off-by: Eliad Peller <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/mac80211/cfg.c | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)

--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2608,6 +2608,24 @@ static int ieee80211_start_roc_work(stru
INIT_DELAYED_WORK(&roc->work, ieee80211_sw_roc_work);
INIT_LIST_HEAD(&roc->dependents);

+ /*
+ * cookie is either the roc cookie (for normal roc)
+ * or the SKB (for mgmt TX)
+ */
+ if (!txskb) {
+ /* local->mtx protects this */
+ local->roc_cookie_counter++;
+ roc->cookie = local->roc_cookie_counter;
+ /* wow, you wrapped 64 bits ... more likely a bug */
+ if (WARN_ON(roc->cookie == 0)) {
+ roc->cookie = 1;
+ local->roc_cookie_counter++;
+ }
+ *cookie = roc->cookie;
+ } else {
+ *cookie = (unsigned long)txskb;
+ }
+
/* if there's one pending or we're scanning, queue this one */
if (!list_empty(&local->roc_list) ||
local->scanning || local->radar_detect_enabled)
@@ -2742,24 +2760,6 @@ static int ieee80211_start_roc_work(stru
if (!queued)
list_add_tail(&roc->list, &local->roc_list);

- /*
- * cookie is either the roc cookie (for normal roc)
- * or the SKB (for mgmt TX)
- */
- if (!txskb) {
- /* local->mtx protects this */
- local->roc_cookie_counter++;
- roc->cookie = local->roc_cookie_counter;
- /* wow, you wrapped 64 bits ... more likely a bug */
- if (WARN_ON(roc->cookie == 0)) {
- roc->cookie = 1;
- local->roc_cookie_counter++;
- }
- *cookie = roc->cookie;
- } else {
- *cookie = (unsigned long)txskb;
- }
-
return 0;
}


2014-02-21 00:19:20

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 17/99] ar5523: fix usb id for Gigaset.

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Oleksij Rempel <[email protected]>

commit 4fcfc7443d072582b5047b8b391d711590e5645c upstream.

Raw id and FW id should be switched.

Tested-by: Oleksij Rempel <[email protected]>
Signed-off-by: Oleksij Rempel <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/wireless/ath/ar5523/ar5523.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ar5523/ar5523.c
+++ b/drivers/net/wireless/ath/ar5523/ar5523.c
@@ -1765,7 +1765,7 @@ static struct usb_device_id ar5523_id_ta
AR5523_DEVICE_UG(0x07d1, 0x3a07), /* D-Link / WUA-2340 rev A1 */
AR5523_DEVICE_UG(0x1690, 0x0712), /* Gigaset / AR5523 */
AR5523_DEVICE_UG(0x1690, 0x0710), /* Gigaset / SMCWUSBTG */
- AR5523_DEVICE_UG(0x129b, 0x160c), /* Gigaset / USB stick 108
+ AR5523_DEVICE_UG(0x129b, 0x160b), /* Gigaset / USB stick 108
(CyberTAN Technology) */
AR5523_DEVICE_UG(0x16ab, 0x7801), /* Globalsun / AR5523_1 */
AR5523_DEVICE_UX(0x16ab, 0x7811), /* Globalsun / AR5523_2 */

2014-02-21 00:20:15

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 16/99] ath9k: Do not support PowerSave by default

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sujith Manoharan <[email protected]>

commit 8298383c2cd5a6d0639f1bb1781fba181bd20154 upstream.

Even though we make sure PowerSave is not enabled by default
by disabling the flag, WIPHY_FLAG_PS_ON_BY_DEFAULT on init,
PS could be enabled by userspace based on various factors
like battery usage etc. Since PS in ath9k is just broken
and has been untested for years, remove support for it, but
allow a user to explicitly enable it using a module parameter.

Signed-off-by: Sujith Manoharan <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/wireless/ath/ath9k/init.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ath9k/init.c
+++ b/drivers/net/wireless/ath/ath9k/init.c
@@ -57,6 +57,10 @@ static int ath9k_bt_ant_diversity;
module_param_named(bt_ant_diversity, ath9k_bt_ant_diversity, int, 0444);
MODULE_PARM_DESC(bt_ant_diversity, "Enable WLAN/BT RX antenna diversity");

+static int ath9k_ps_enable;
+module_param_named(ps_enable, ath9k_ps_enable, int, 0444);
+MODULE_PARM_DESC(ps_enable, "Enable WLAN PowerSave");
+
bool is_ath9k_unloaded;
/* We use the hw_value as an index into our private channel structure */

@@ -890,13 +894,15 @@ void ath9k_set_hw_capab(struct ath_softc
hw->flags = IEEE80211_HW_RX_INCLUDES_FCS |
IEEE80211_HW_HOST_BROADCAST_PS_BUFFERING |
IEEE80211_HW_SIGNAL_DBM |
- IEEE80211_HW_SUPPORTS_PS |
IEEE80211_HW_PS_NULLFUNC_STACK |
IEEE80211_HW_SPECTRUM_MGMT |
IEEE80211_HW_REPORTS_TX_ACK_STATUS |
IEEE80211_HW_SUPPORTS_RC_TABLE |
IEEE80211_HW_SUPPORTS_HT_CCK_RATES;

+ if (ath9k_ps_enable)
+ hw->flags |= IEEE80211_HW_SUPPORTS_PS;
+
if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_HT) {
hw->flags |= IEEE80211_HW_AMPDU_AGGREGATION;


2014-02-21 00:21:04

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 15/99] ath9k_htc: Do not support PowerSave by default

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Oleksij Rempel <[email protected]>

commit 6bca610d97b6139a1d7598b8009da9d339daa50f upstream.

It is a copy/paste of patch provided by Sujith for ath9k.

"Even though we make sure PowerSave is not enabled by default
by disabling the flag, WIPHY_FLAG_PS_ON_BY_DEFAULT on init,
PS could be enabled by userspace based on various factors
like battery usage etc. Since PS in ath9k is just broken
and has been untested for years, remove support for it, but
allow a user to explicitly enable it using a module parameter."

Signed-off-by: Oleksij Rempel <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/wireless/ath/ath9k/htc_drv_init.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
@@ -34,6 +34,10 @@ static int ath9k_htc_btcoex_enable;
module_param_named(btcoex_enable, ath9k_htc_btcoex_enable, int, 0444);
MODULE_PARM_DESC(btcoex_enable, "Enable wifi-BT coexistence");

+static int ath9k_ps_enable;
+module_param_named(ps_enable, ath9k_ps_enable, int, 0444);
+MODULE_PARM_DESC(ps_enable, "Enable WLAN PowerSave");
+
#define CHAN2G(_freq, _idx) { \
.center_freq = (_freq), \
.hw_value = (_idx), \
@@ -725,12 +729,14 @@ static void ath9k_set_hw_capab(struct at
IEEE80211_HW_SPECTRUM_MGMT |
IEEE80211_HW_HAS_RATE_CONTROL |
IEEE80211_HW_RX_INCLUDES_FCS |
- IEEE80211_HW_SUPPORTS_PS |
IEEE80211_HW_PS_NULLFUNC_STACK |
IEEE80211_HW_REPORTS_TX_ACK_STATUS |
IEEE80211_HW_MFP_CAPABLE |
IEEE80211_HW_HOST_BROADCAST_PS_BUFFERING;

+ if (ath9k_ps_enable)
+ hw->flags |= IEEE80211_HW_SUPPORTS_PS;
+
hw->wiphy->interface_modes =
BIT(NL80211_IFTYPE_STATION) |
BIT(NL80211_IFTYPE_ADHOC) |

2014-02-20 23:53:06

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 01/99] xen: properly account for _PAGE_NUMA during xen pte translations

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mel Gorman <[email protected]>

commit a9c8e4beeeb64c22b84c803747487857fe424b68 upstream.

Steven Noonan forwarded a users report where they had a problem starting
vsftpd on a Xen paravirtualized guest, with this in dmesg:

BUG: Bad page map in process vsftpd pte:8000000493b88165 pmd:e9cc01067
page:ffffea00124ee200 count:0 mapcount:-1 mapping: (null) index:0x0
page flags: 0x2ffc0000000014(referenced|dirty)
addr:00007f97eea74000 vm_flags:00100071 anon_vma:ffff880e98f80380 mapping: (null) index:7f97eea74
CPU: 4 PID: 587 Comm: vsftpd Not tainted 3.12.7-1-ec2 #1
Call Trace:
dump_stack+0x45/0x56
print_bad_pte+0x22e/0x250
unmap_single_vma+0x583/0x890
unmap_vmas+0x65/0x90
exit_mmap+0xc5/0x170
mmput+0x65/0x100
do_exit+0x393/0x9e0
do_group_exit+0xcc/0x140
SyS_exit_group+0x14/0x20
system_call_fastpath+0x1a/0x1f
Disabling lock debugging due to kernel taint
BUG: Bad rss-counter state mm:ffff880e9ca60580 idx:0 val:-1
BUG: Bad rss-counter state mm:ffff880e9ca60580 idx:1 val:1

The issue could not be reproduced under an HVM instance with the same
kernel, so it appears to be exclusive to paravirtual Xen guests. He
bisected the problem to commit 1667918b6483 ("mm: numa: clear numa
hinting information on mprotect") that was also included in 3.12-stable.

The problem was related to how xen translates ptes because it was not
accounting for the _PAGE_NUMA bit. This patch splits pte_present to add
a pteval_present helper for use by xen so both bare metal and xen use
the same code when checking if a PTE is present.

[[email protected]: wrote changelog, proposed minor modifications]
[[email protected]: fix typo in comment]
Reported-by: Steven Noonan <[email protected]>
Tested-by: Steven Noonan <[email protected]>
Signed-off-by: Elena Ufimtseva <[email protected]>
Signed-off-by: Mel Gorman <[email protected]>
Reviewed-by: David Vrabel <[email protected]>
Acked-by: Konrad Rzeszutek Wilk <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/x86/include/asm/pgtable.h | 14 ++++++++++++--
arch/x86/xen/mmu.c | 4 ++--
2 files changed, 14 insertions(+), 4 deletions(-)

--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -445,10 +445,20 @@ static inline int pte_same(pte_t a, pte_
return a.pte == b.pte;
}

+static inline int pteval_present(pteval_t pteval)
+{
+ /*
+ * Yes Linus, _PAGE_PROTNONE == _PAGE_NUMA. Expressing it this
+ * way clearly states that the intent is that protnone and numa
+ * hinting ptes are considered present for the purposes of
+ * pagetable operations like zapping, protection changes, gup etc.
+ */
+ return pteval & (_PAGE_PRESENT | _PAGE_PROTNONE | _PAGE_NUMA);
+}
+
static inline int pte_present(pte_t a)
{
- return pte_flags(a) & (_PAGE_PRESENT | _PAGE_PROTNONE |
- _PAGE_NUMA);
+ return pteval_present(pte_flags(a));
}

#define pte_accessible pte_accessible
--- a/arch/x86/xen/mmu.c
+++ b/arch/x86/xen/mmu.c
@@ -365,7 +365,7 @@ void xen_ptep_modify_prot_commit(struct
/* Assume pteval_t is equivalent to all the other *val_t types. */
static pteval_t pte_mfn_to_pfn(pteval_t val)
{
- if (val & _PAGE_PRESENT) {
+ if (pteval_present(val)) {
unsigned long mfn = (val & PTE_PFN_MASK) >> PAGE_SHIFT;
unsigned long pfn = mfn_to_pfn(mfn);

@@ -381,7 +381,7 @@ static pteval_t pte_mfn_to_pfn(pteval_t

static pteval_t pte_pfn_to_mfn(pteval_t val)
{
- if (val & _PAGE_PRESENT) {
+ if (pteval_present(val)) {
unsigned long pfn = (val & PTE_PFN_MASK) >> PAGE_SHIFT;
pteval_t flags = val & PTE_FLAGS_MASK;
unsigned long mfn;

2014-02-21 00:21:47

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 13/99] mac80211: fix fragmentation code, particularly for encryption

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johannes Berg <[email protected]>

commit 338f977f4eb441e69bb9a46eaa0ac715c931a67f upstream.

The "new" fragmentation code (since my rewrite almost 5 years ago)
erroneously sets skb->len rather than using skb_trim() to adjust
the length of the first fragment after copying out all the others.
This leaves the skb tail pointer pointing to after where the data
originally ended, and thus causes the encryption MIC to be written
at that point, rather than where it belongs: immediately after the
data.

The impact of this is that if software encryption is done, then
a) encryption doesn't work for the first fragment, the connection
becomes unusable as the first fragment will never be properly
verified at the receiver, the MIC is practically guaranteed to
be wrong
b) we leak up to 8 bytes of plaintext (!) of the packet out into
the air

This is only mitigated by the fact that many devices are capable
of doing encryption in hardware, in which case this can't happen
as the tail pointer is irrelevant in that case. Additionally,
fragmentation is not used very frequently and would normally have
to be configured manually.

Fix this by using skb_trim() properly.

Fixes: 2de8e0d999b8 ("mac80211: rewrite fragmentation")
Reported-by: Jouni Malinen <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/mac80211/tx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -874,7 +874,7 @@ static int ieee80211_fragment(struct iee
}

/* adjust first fragment's length */
- skb->len = hdrlen + per_fragm;
+ skb_trim(skb, hdrlen + per_fragm);
return 0;
}


2014-02-21 00:22:04

by Greg Kroah-Hartman

[permalink] [raw]
Subject: [PATCH 3.13 12/99] mac80211: Fix IBSS disconnect

3.13-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sujith Manoharan <[email protected]>

commit d4c80d9df6d1e4473b1409e4d220ca3d1612125c upstream.

Currently, when a station leaves an IBSS network, the
corresponding BSS is not dropped from cfg80211 if there are
other active stations in the network. But, the small
window that is present when trying to determine a station's
status based on IEEE80211_IBSS_MERGE_INTERVAL introduces
a race.

Instead of trying to keep the BSS, always remove it when
leaving an IBSS network. There is not much benefit to retain
the BSS entry since it will be added with a subsequent join
operation.

This fixes an issue where a dangling BSS entry causes ath9k
to wait for a beacon indefinitely.

Reported-by: Simon Wunderlich <[email protected]>
Signed-off-by: Sujith Manoharan <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/mac80211/ibss.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)

--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -687,12 +687,9 @@ static void ieee80211_ibss_disconnect(st
struct cfg80211_bss *cbss;
struct beacon_data *presp;
struct sta_info *sta;
- int active_ibss;
u16 capability;

- active_ibss = ieee80211_sta_active_ibss(sdata);
-
- if (!active_ibss && !is_zero_ether_addr(ifibss->bssid)) {
+ if (!is_zero_ether_addr(ifibss->bssid)) {
capability = WLAN_CAPABILITY_IBSS;

if (ifibss->privacy)

2014-02-21 05:05:09

by Guenter Roeck

[permalink] [raw]
Subject: Re: [PATCH 3.13 00/99] 3.13.5-stable review

On 02/20/2014 03:51 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 3.13.5 release.
> There are 99 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat Feb 22 23:51:00 UTC 2014.
> Anything received after that time might be too late.
>

Build results:
total: 126 pass: 122 skipped: 4 fail: 0

qemu tests all passed.

Details are available at http://server.roeck-us.net:8010/builders.

Guenter

2014-02-21 14:48:48

by Josh Boyer

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

On Thu, Feb 20, 2014 at 6:52 PM, Greg Kroah-Hartman
<[email protected]> wrote:
> 3.13-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Hannes Reinecke <[email protected]>
>
> commit d8a5dc3033af2fd6d16030d2ee4fbd073460fe54 upstream.
>
> The 'active' sysfs attribute should refer to the currently active tty
> devices the console is running on, not the currently active console.
>
> The console structure doesn't refer to any device in sysfs, only the tty
> the console is running on has. So we need to print out the tty names in
> 'active', not the console names.
>
> This resolves an issue on s390 platforms in determining the correct
> console device to use.

Just to be double sure this is seen, Ray points out that it breaks
current plymouth because the heuristic changed. Hold off on this one?

josh

>
> Cc: Lennart Poettering <[email protected]>
> Cc: Kay Sievers <[email protected]>
> Cc: Jiri Slaby <[email protected]>
> Cc: David Herrmann <[email protected]>
> Signed-off-by: Werner Fink <[email protected]>
> Signed-off-by: Hannes Reinecke <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
>
> ---
> Documentation/ABI/testing/sysfs-tty | 3 ++-
> drivers/tty/tty_io.c | 25 ++++++++++++++++++-------
> 2 files changed, 20 insertions(+), 8 deletions(-)
>
> --- a/Documentation/ABI/testing/sysfs-tty
> +++ b/Documentation/ABI/testing/sysfs-tty
> @@ -3,7 +3,8 @@ Date: Nov 2010
> Contact: Kay Sievers <[email protected]>
> Description:
> Shows the list of currently configured
> - console devices, like 'tty1 ttyS0'.
> + tty devices used for the console,
> + like 'tty1 ttyS0'.
> The last entry in the file is the active
> device connected to /dev/console.
> The file supports poll() to detect virtual
> --- a/drivers/tty/tty_io.c
> +++ b/drivers/tty/tty_io.c
> @@ -1267,16 +1267,17 @@ static void pty_line_name(struct tty_dri
> * @p: output buffer of at least 7 bytes
> *
> * Generate a name from a driver reference and write it to the output
> - * buffer.
> + * buffer. Return the number of bytes written.
> *
> * Locking: None
> */
> -static void tty_line_name(struct tty_driver *driver, int index, char *p)
> +static ssize_t tty_line_name(struct tty_driver *driver, int index, char *p)
> {
> if (driver->flags & TTY_DRIVER_UNNUMBERED_NODE)
> - strcpy(p, driver->name);
> + return sprintf(p, "%s", driver->name);
> else
> - sprintf(p, "%s%d", driver->name, index + driver->name_base);
> + return sprintf(p, "%s%d", driver->name,
> + index + driver->name_base);
> }
>
> /**
> @@ -3545,9 +3546,19 @@ static ssize_t show_cons_active(struct d
> if (i >= ARRAY_SIZE(cs))
> break;
> }
> - while (i--)
> - count += sprintf(buf + count, "%s%d%c",
> - cs[i]->name, cs[i]->index, i ? ' ':'\n');
> + while (i--) {
> + struct tty_driver *driver;
> + const char *name = cs[i]->name;
> + int index = cs[i]->index;
> +
> + driver = cs[i]->device(cs[i], &index);
> + if (driver) {
> + count += tty_line_name(driver, index, buf + count);
> + count += sprintf(buf + count, "%c", i ? ' ':'\n');
> + } else
> + count += sprintf(buf + count, "%s%d%c",
> + name, index, i ? ' ':'\n');
> + }
> console_unlock();
>
> return count;
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/

2014-02-21 14:52:47

by Hannes Reinecke

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

On 02/21/2014 03:48 PM, Josh Boyer wrote:
> On Thu, Feb 20, 2014 at 6:52 PM, Greg Kroah-Hartman
> <[email protected]> wrote:
>> 3.13-stable review patch. If anyone has any objections, please let me know.
>>
>> ------------------
>>
>> From: Hannes Reinecke <[email protected]>
>>
>> commit d8a5dc3033af2fd6d16030d2ee4fbd073460fe54 upstream.
>>
>> The 'active' sysfs attribute should refer to the currently active tty
>> devices the console is running on, not the currently active console.
>>
>> The console structure doesn't refer to any device in sysfs, only the tty
>> the console is running on has. So we need to print out the tty names in
>> 'active', not the console names.
>>
>> This resolves an issue on s390 platforms in determining the correct
>> console device to use.
>
> Just to be double sure this is seen, Ray points out that it breaks
> current plymouth because the heuristic changed. Hold off on this one?
>
Without this patch systemd won't present a login console for s390.
I'd prefer fixing plymouth.

Cheers,

Hannes
--
Dr. Hannes Reinecke zSeries & Storage
[email protected] +49 911 74053 688
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 N?rnberg
GF: J. Hawn, J. Guild, F. Imend?rffer, HRB 16746 (AG N?rnberg)

2014-02-21 14:56:38

by Josh Boyer

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

On Fri, Feb 21, 2014 at 9:52 AM, Hannes Reinecke <[email protected]> wrote:
> On 02/21/2014 03:48 PM, Josh Boyer wrote:
>> On Thu, Feb 20, 2014 at 6:52 PM, Greg Kroah-Hartman
>> <[email protected]> wrote:
>>> 3.13-stable review patch. If anyone has any objections, please let me know.
>>>
>>> ------------------
>>>
>>> From: Hannes Reinecke <[email protected]>
>>>
>>> commit d8a5dc3033af2fd6d16030d2ee4fbd073460fe54 upstream.
>>>
>>> The 'active' sysfs attribute should refer to the currently active tty
>>> devices the console is running on, not the currently active console.
>>>
>>> The console structure doesn't refer to any device in sysfs, only the tty
>>> the console is running on has. So we need to print out the tty names in
>>> 'active', not the console names.
>>>
>>> This resolves an issue on s390 platforms in determining the correct
>>> console device to use.
>>
>> Just to be double sure this is seen, Ray points out that it breaks
>> current plymouth because the heuristic changed. Hold off on this one?
>>
> Without this patch systemd won't present a login console for s390.
> I'd prefer fixing plymouth.

Sure. Except fixing plymouth is easy to do, but not easy to actually
get deployed on all of the old userspace. So if someone runs a 3.14
kernel on any distro that doesn't have a fixed plymouth, it's broken.
By including this patch, you're basically trading one broken userspace
component for another.

Is there some other way this could be fixed in-kernel that would allow
both to work?

josh

2014-02-21 14:56:52

by Peter Hurley

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

On 02/21/2014 09:52 AM, Hannes Reinecke wrote:
> On 02/21/2014 03:48 PM, Josh Boyer wrote:
>> On Thu, Feb 20, 2014 at 6:52 PM, Greg Kroah-Hartman
>> <[email protected]> wrote:
>>> 3.13-stable review patch. If anyone has any objections, please let me know.
>>>
>>> ------------------
>>>
>>> From: Hannes Reinecke <[email protected]>
>>>
>>> commit d8a5dc3033af2fd6d16030d2ee4fbd073460fe54 upstream.
>>>
>>> The 'active' sysfs attribute should refer to the currently active tty
>>> devices the console is running on, not the currently active console.
>>>
>>> The console structure doesn't refer to any device in sysfs, only the tty
>>> the console is running on has. So we need to print out the tty names in
>>> 'active', not the console names.
>>>
>>> This resolves an issue on s390 platforms in determining the correct
>>> console device to use.
>>
>> Just to be double sure this is seen, Ray points out that it breaks
>> current plymouth because the heuristic changed. Hold off on this one?
>>
> Without this patch systemd won't present a login console for s390.
> I'd prefer fixing plymouth.

Not an option.

As I said before, the old interface should be left alone and
forked to present a new interface that systemd can use to
get what it expects.

Regards,
Peter Hurley

2014-02-21 15:59:13

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

On Fri, Feb 21, 2014 at 03:52:44PM +0100, Hannes Reinecke wrote:
> On 02/21/2014 03:48 PM, Josh Boyer wrote:
> > On Thu, Feb 20, 2014 at 6:52 PM, Greg Kroah-Hartman
> > <[email protected]> wrote:
> >> 3.13-stable review patch. If anyone has any objections, please let me know.
> >>
> >> ------------------
> >>
> >> From: Hannes Reinecke <[email protected]>
> >>
> >> commit d8a5dc3033af2fd6d16030d2ee4fbd073460fe54 upstream.
> >>
> >> The 'active' sysfs attribute should refer to the currently active tty
> >> devices the console is running on, not the currently active console.
> >>
> >> The console structure doesn't refer to any device in sysfs, only the tty
> >> the console is running on has. So we need to print out the tty names in
> >> 'active', not the console names.
> >>
> >> This resolves an issue on s390 platforms in determining the correct
> >> console device to use.
> >
> > Just to be double sure this is seen, Ray points out that it breaks
> > current plymouth because the heuristic changed. Hold off on this one?
> >
> Without this patch systemd won't present a login console for s390.
> I'd prefer fixing plymouth.

We can't break working userspace programs, sorry. I'll go revert this
patch from the stable kernel's, and from Linus's tree as well, as we
can't break things when 3.14 comes out either.

I'll be glad to take a patch that does not break existing systems...

thanks,

greg k-h

2014-02-21 16:01:52

by Kay Sievers

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

On Fri, Feb 21, 2014 at 3:56 PM, Josh Boyer <[email protected]> wrote:
> On Fri, Feb 21, 2014 at 9:52 AM, Hannes Reinecke <[email protected]> wrote:
>> On 02/21/2014 03:48 PM, Josh Boyer wrote:
>>> On Thu, Feb 20, 2014 at 6:52 PM, Greg Kroah-Hartman
>>> <[email protected]> wrote:
>>>> 3.13-stable review patch. If anyone has any objections, please let me know.
>>>>
>>>> ------------------
>>>>
>>>> From: Hannes Reinecke <[email protected]>
>>>>
>>>> commit d8a5dc3033af2fd6d16030d2ee4fbd073460fe54 upstream.
>>>>
>>>> The 'active' sysfs attribute should refer to the currently active tty
>>>> devices the console is running on, not the currently active console.
>>>>
>>>> The console structure doesn't refer to any device in sysfs, only the tty
>>>> the console is running on has. So we need to print out the tty names in
>>>> 'active', not the console names.
>>>>
>>>> This resolves an issue on s390 platforms in determining the correct
>>>> console device to use.
>>>
>>> Just to be double sure this is seen, Ray points out that it breaks
>>> current plymouth because the heuristic changed. Hold off on this one?
>>>
>> Without this patch systemd won't present a login console for s390.
>> I'd prefer fixing plymouth.
>
> Sure. Except fixing plymouth is easy to do, but not easy to actually
> get deployed on all of the old userspace. So if someone runs a 3.14
> kernel on any distro that doesn't have a fixed plymouth, it's broken.
> By including this patch, you're basically trading one broken userspace
> component for another.
>
> Is there some other way this could be fixed in-kernel that would allow
> both to work?

Why did the tty0 change to tty1 now? That doesn't look like a "driver
name" vs. "device name" issue?

Kay

2014-02-21 20:20:01

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

On Fri, Feb 21, 2014 at 09:48:46AM -0500, Josh Boyer wrote:
> On Thu, Feb 20, 2014 at 6:52 PM, Greg Kroah-Hartman
> <[email protected]> wrote:
> > 3.13-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Hannes Reinecke <[email protected]>
> >
> > commit d8a5dc3033af2fd6d16030d2ee4fbd073460fe54 upstream.
> >
> > The 'active' sysfs attribute should refer to the currently active tty
> > devices the console is running on, not the currently active console.
> >
> > The console structure doesn't refer to any device in sysfs, only the tty
> > the console is running on has. So we need to print out the tty names in
> > 'active', not the console names.
> >
> > This resolves an issue on s390 platforms in determining the correct
> > console device to use.
>
> Just to be double sure this is seen, Ray points out that it breaks
> current plymouth because the heuristic changed. Hold off on this one?

Ray, Josh, can I get some more information about this? Is this broken
in Linus's tree? Or did I get the backport wrong here? What is the
value of the file before and after this patch?

And what is plymouth doing with this file value, it was incorrect
before, what was it using the value for?

thanks,

greg k-h

2014-02-21 22:18:25

by Ray Strode

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

Hi,

On Fri, Feb 21, 2014 at 3:21 PM, Greg Kroah-Hartman
<[email protected]> wrote:
> Ray, Josh, can I get some more information about this? Is this broken
> in Linus's tree? Or did I get the backport wrong here?
I don't think it's a problem with the backport specifically. To be
honest, i'm not even 100% sure it is that patch. It was just the only
patch that touched that code recently so it seemed likely. I didn't
do builds to check for sure.

> What is the value of the file before and after this patch?
"tty0" in the past and "tty1" now

> And what is plymouth doing with this file value, it was incorrect
> before, what was it using the value for?
See the other (3.11) thread for my initial message, but basically
plymouth had code something like this pseudocode:

/* disable splash if there are serial consoles */
if (!contents_of_file_equals("/sys/class/tty/console/active", "tty0")) {
disable_splash_and_force_verbose_messages();
}

since the file started saying tty1 that code started disabling the
splash for everyone in rawhide.

2014-02-21 22:54:05

by Ray Strode

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

Hi,

On Fri, Feb 21, 2014 at 11:01 AM, Kay Sievers <[email protected]> wrote:
> Why did the tty0 change to tty1 now? That doesn't look like a "driver
> name" vs. "device name" issue?

I don't know if it's intentional, but the patch does:
+ int index = cs[i]->index;
...
+ driver = cs[i]->device(cs[i], &index);

which will presumably change the index from 0 to 1 because of this code:

static struct tty_driver *vt_console_device(struct console *c, int *index)
{
*index = c->index ? c->index-1 : fg_console;
return console_driver;
}

At least that's what it looks like is causing the problem from
browsing through the source a bit.

--Ray

2014-02-21 23:42:11

by Shuah Khan

[permalink] [raw]
Subject: Re: [PATCH 3.13 00/99] 3.13.5-stable review

On 02/20/2014 04:51 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 3.13.5 release.
> There are 99 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat Feb 22 23:51:00 UTC 2014.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> kernel.org/pub/linux/kernel/v3.0/stable-review/patch-3.13.5-rc1.gz
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Compile tests and boot tests passed. No dmesg regressions: emerg, crit,
alert, err are clean. No regressions in warn.

-- Shuah

--
Shuah Khan
Senior Linux Kernel Developer - Open Source Group
Samsung Research America(Silicon Valley)
[email protected] | (970) 672-0658

2014-02-22 01:50:18

by Satoru Takeuchi

[permalink] [raw]
Subject: Re: [PATCH 3.13 00/99] 3.13.5-stable review

At Thu, 20 Feb 2014 15:51:55 -0800,
Greg Kroah-Hartman wrote:
>
> This is the start of the stable review cycle for the 3.13.5 release.
> There are 99 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat Feb 22 23:51:00 UTC 2014.
> Anything received after that time might be too late.

All 3.4.82-rc1, 3.10.32-rc1, 3.12.13-rc1, and 3.13.5-rc1 passed my test.

- Test Cases:
- Build this kernel.
- Boot this kernel.
- Build the latest mainline kernel with this kernel.

- Test Tool:
https://github.com/satoru-takeuchi/test-linux-stable

- Test Result (kernel .config, ktest config and test log):
http://satoru-takeuchi.org/test-linux-stable/results/<version>-<test datetime>.xz

- Build Environment:
- OS: Debian Jessy x86_64
- CPU: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz x 4
- memory: 8GB

- Test Target Environment:
- Debian Jessy x86_64 (KVM guest on the Build Environment)
- # of vCPU: 2
- memory: 2GB

Thanks,
Satoru Takeuchi

2014-02-22 13:13:53

by Hannes Reinecke

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

On 02/21/2014 11:18 PM, Ray Strode wrote:
> Hi,
>
> On Fri, Feb 21, 2014 at 3:21 PM, Greg Kroah-Hartman
> <[email protected]> wrote:
>> Ray, Josh, can I get some more information about this? Is this broken
>> in Linus's tree? Or did I get the backport wrong here?
> I don't think it's a problem with the backport specifically. To be
> honest, i'm not even 100% sure it is that patch. It was just the only
> patch that touched that code recently so it seemed likely. I didn't
> do builds to check for sure.
>
>> What is the value of the file before and after this patch?
> "tty0" in the past and "tty1" now
>
>> And what is plymouth doing with this file value, it was incorrect
>> before, what was it using the value for?
> See the other (3.11) thread for my initial message, but basically
> plymouth had code something like this pseudocode:
>
> /* disable splash if there are serial consoles */
> if (!contents_of_file_equals("/sys/class/tty/console/active", "tty0")) {
> disable_splash_and_force_verbose_messages();
> }
>
> since the file started saying tty1 that code started disabling the
> splash for everyone in rawhide.
>
<sigh>

And of course, checking for "!tty0" is the proper check for serial console.
Which, of course, means we have to stay with a broken kernel interface
for ever and ever.

Innovation, here we come.

</sigh>

Cheers,

Hannes
--
Dr. Hannes Reinecke zSeries & Storage
[email protected] +49 911 74053 688
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: J. Hawn, J. Guild, F. Imendörffer, HRB 16746 (AG Nürnberg)

2014-02-22 13:25:49

by David Herrmann

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

Hi

On Fri, Feb 21, 2014 at 11:53 PM, Ray Strode <[email protected]> wrote:
> Hi,
>
> On Fri, Feb 21, 2014 at 11:01 AM, Kay Sievers <[email protected]> wrote:
>> Why did the tty0 change to tty1 now? That doesn't look like a "driver
>> name" vs. "device name" issue?
>
> I don't know if it's intentional, but the patch does:
> + int index = cs[i]->index;
> ...
> + driver = cs[i]->device(cs[i], &index);
>
> which will presumably change the index from 0 to 1 because of this code:
>
> static struct tty_driver *vt_console_device(struct console *c, int *index)
> {
> *index = c->index ? c->index-1 : fg_console;
> return console_driver;
> }
>
> At least that's what it looks like is causing the problem from
> browsing through the source a bit.

Yepp, that's it. So if you configure the console to always be
redirected to the foreground terminal, you simply bind it to tty0 and
this file used to return tty0 then.
With this patch, we actually return the foreground terminal instead,
so tty0 is resolved to the real VT. This sounds like the correct
behavior (even though it currently breaks poll() on this file). But if
it breaks stuff, we should revert it and add a second file just like
Peter suggested.

Thanks
David

2014-02-22 13:40:30

by Peter Hurley

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

On 02/22/2014 08:25 AM, David Herrmann wrote:
> Hi
>
> On Fri, Feb 21, 2014 at 11:53 PM, Ray Strode <[email protected]> wrote:
>> Hi,
>>
>> On Fri, Feb 21, 2014 at 11:01 AM, Kay Sievers <[email protected]> wrote:
>>> Why did the tty0 change to tty1 now? That doesn't look like a "driver
>>> name" vs. "device name" issue?
>>
>> I don't know if it's intentional, but the patch does:
>> + int index = cs[i]->index;
>> ...
>> + driver = cs[i]->device(cs[i], &index);
>>
>> which will presumably change the index from 0 to 1 because of this code:
>>
>> static struct tty_driver *vt_console_device(struct console *c, int *index)
>> {
>> *index = c->index ? c->index-1 : fg_console;
>> return console_driver;
>> }
>>
>> At least that's what it looks like is causing the problem from
>> browsing through the source a bit.
>
> Yepp, that's it. So if you configure the console to always be
> redirected to the foreground terminal, you simply bind it to tty0 and
> this file used to return tty0 then.
> With this patch, we actually return the foreground terminal instead,
> so tty0 is resolved to the real VT. This sounds like the correct
> behavior (even though it currently breaks poll() on this file). But if
> it breaks stuff, we should revert it and add a second file just like
> Peter suggested.

Or add sysfs entries for each console that exposes the device, so
that the underlying device is trivially discoverable, which is the
original problem.

Regards,
Peter Hurley

2014-02-22 14:27:47

by David Herrmann

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

Hi

On Sat, Feb 22, 2014 at 4:16 PM, Hannes Reinecke <[email protected]> wrote:
> On 02/21/2014 11:18 PM, Ray Strode wrote:
>>
>> Hi,
>>
>> On Fri, Feb 21, 2014 at 3:21 PM, Greg Kroah-Hartman
>> <[email protected]> wrote:
>>>
>>> Ray, Josh, can I get some more information about this? Is this broken
>>> in Linus's tree? Or did I get the backport wrong here?
>>
>> I don't think it's a problem with the backport specifically. To be
>> honest, i'm not even 100% sure it is that patch. It was just the only
>> patch that touched that code recently so it seemed likely. I didn't
>> do builds to check for sure.
>>
>>> What is the value of the file before and after this patch?
>>
>> "tty0" in the past and "tty1" now
>>
>>> And what is plymouth doing with this file value, it was incorrect
>>> before, what was it using the value for?
>>
>> See the other (3.11) thread for my initial message, but basically
>> plymouth had code something like this pseudocode:
>>
>> /* disable splash if there are serial consoles */
>> if (!contents_of_file_equals("/sys/class/tty/console/active", "tty0")) {
>> disable_splash_and_force_verbose_messages();
>> }
>>
>> since the file started saying tty1 that code started disabling the
>> splash for everyone in rawhide.
>>
> <sigh>
>
> And of course, checking for "!tty0" is the proper check for serial console.
> Which, of course, means we have to stay with a broken kernel interface for
> ever and ever.
>
> Innovation, here we come.
>
> </sigh>
>

How about this:

+ driver = cs[i]->device(cs[i], &index);
+ /* special case for tty0 which must not be resolved */
+ if (driver && (index > 0 || cs[i]->major != TTY_MAJOR)) {
+ count += tty_line_name(driver, index, buf + count);
+ count += sprintf(buf + count, "%c", i ? ' ':'\n');
+ } else
+ count += sprintf(buf + count, "%s%d%c",
+ name, index, i ? ' ':'\n');

Regards
David

2014-02-23 00:24:04

by Ray Strode

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

Hi,

(resending because my phone tried to send the reply as html mail and
it got rejected)

On Sat, Feb 22, 2014 at 9:27 AM, David Herrmann <[email protected]> wrote:
> > How about this:
>
> + driver = cs[i]->device(cs[i], &index);
> + /* special case for tty0 which must not be resolved */
> + if (driver && (index > 0 || cs[i]->major != TTY_MAJOR)) {
> + count += tty_line_name(driver, index, buf + count);
> + count += sprintf(buf + count, "%c", i ? ' ':'\n');
> + } else
> + count += sprintf(buf + count, "%s%d%c",
> + name, index, i ? ' ':'\n');
Assuming I'm reading the code correctly, I don't think that will work.
Index will be rewritten from 0 to fg_console (which I suppose is
going to be 1) after the device vfunc is called.

--Ray

2014-02-23 14:41:50

by Ray Strode

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

Hi,

On Sat, Feb 22, 2014 at 10:16 AM, Hannes Reinecke <[email protected]> wrote:
> And of course, checking for "!tty0" is the proper check for serial console.
> Which, of course, means we have to stay with a broken kernel interface for
> ever and ever.
>
> Innovation, here we come.
So just so we're clear:

1) you have every right to try to make s390 work better
2) You have every right to make mistakes in that venture as well (we
all make mistakes after all)
3) You can even unapologetically break userspace and then be snarky about it
4) And, like the above message, you can also ridicule the code using
the kernel interface you broke

Of those things I'd certainly prefer if you stuck to the first two and
skipped the last two.

For bonus points, you could:

5) Reply to Kay, Greg, and David when they ask questions about the
patch you wrote
6) Offer a follow up patch that acheives your initial objective
without the ensuing breakage
7) Offer any insight you might have on better ways for plymouth to
achieve what it wants to do going forward that would be less
objectionable

--Ray

2014-02-23 15:05:27

by David Herrmann

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

Hi

On Sun, Feb 23, 2014 at 1:20 AM, Ray Strode <[email protected]> wrote:
> Hi,
>
>
> On Feb 22, 2014 9:27 AM, "David Herrmann" <[email protected]> wrote:
>> How about this:
>>
>> + driver = cs[i]->device(cs[i], &index);
>> + /* special case for tty0 which must not be resolved */
>> + if (driver && (index > 0 || cs[i]->major != TTY_MAJOR)) {
>> + count += tty_line_name(driver, index, buf +
>> count);
>> + count += sprintf(buf + count, "%c", i ? ' ':'\n');
>> + } else
>> + count += sprintf(buf + count, "%s%d%c",
>> + name, index, i ? ' ':'\n');
>
> Assuming I'm reading the code correctly, I don't think that will work.
> Index will be rewritten from 0 to fg_console (which I suppose is going to be
> 1) after the device vfunc is called.

Oh, nice catch. We have to use cs[i]->index of course. I only
hand-edited the patch, I didn't even compile-test. But I guess you get
the idea of special-casing tty0.

Thanks
David

2014-02-24 09:51:46

by Hannes Reinecke

[permalink] [raw]
Subject: Re: [PATCH 3.13 35/99] tty: Set correct tty name in active sysfs attribute

On 02/23/2014 04:05 PM, David Herrmann wrote:
> Hi
>
> On Sun, Feb 23, 2014 at 1:20 AM, Ray Strode <[email protected]> wrote:
>> Hi,
>>
>>
>> On Feb 22, 2014 9:27 AM, "David Herrmann" <[email protected]> wrote:
>>> How about this:
>>>
>>> + driver = cs[i]->device(cs[i], &index);
>>> + /* special case for tty0 which must not be resolved */
>>> + if (driver && (index > 0 || cs[i]->major != TTY_MAJOR)) {
>>> + count += tty_line_name(driver, index, buf +
>>> count);
>>> + count += sprintf(buf + count, "%c", i ? ' ':'\n');
>>> + } else
>>> + count += sprintf(buf + count, "%s%d%c",
>>> + name, index, i ? ' ':'\n');
>>
>> Assuming I'm reading the code correctly, I don't think that will work.
>> Index will be rewritten from 0 to fg_console (which I suppose is going to be
>> 1) after the device vfunc is called.
>
> Oh, nice catch. We have to use cs[i]->index of course. I only
> hand-edited the patch, I didn't even compile-test. But I guess you get
> the idea of special-casing tty0.
>
Okay, that's a good idea.

I'll be redoing the patch.

Cheers,

Hannes
--
Dr. Hannes Reinecke zSeries & Storage
[email protected] +49 911 74053 688
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 N?rnberg
GF: J. Hawn, J. Guild, F. Imend?rffer, HRB 16746 (AG N?rnberg)