2013-09-30 10:11:33

by Luis Henriques

[permalink] [raw]
Subject: [ 3.5.y.z extended stable ] Linux 3.5.7.22 stable review

This is the start of the review cycle for the Linux 3.5.7.22 stable kernel.

This version contains 104 new patches, summarized below. The new patches are
posted as replies to this message and also available in this git branch:

http://kernel.ubuntu.com/git?p=ubuntu/linux.git;h=linux-3.5.y-review;a=shortlog

git://kernel.ubuntu.com/ubuntu/linux.git linux-3.5.y-review

The review period for version 3.5.7.22 will be open for the next three days.
To report a problem, please reply to the relevant follow-up patch message.

For more information about the Linux 3.5.y.z extended stable kernel version,
see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable .

-Luis

--
Documentation/DocBook/media_api.tmpl | 4 +-
arch/arm/mach-versatile/pci.c | 31 +++++++----
arch/mips/ath79/clock.c | 2 +-
arch/powerpc/kernel/align.c | 10 ++++
arch/powerpc/platforms/pseries/setup.c | 31 +++++++----
crypto/api.c | 7 ++-
drivers/acpi/ec.c | 8 +++
drivers/base/regmap/regmap.c | 2 +-
drivers/bluetooth/ath3k.c | 8 +++
drivers/bluetooth/btusb.c | 7 +++
drivers/gpu/drm/drm_edid.c | 3 ++
drivers/gpu/drm/i915/i915_reg.h | 2 +-
drivers/gpu/drm/i915/intel_opregion.c | 2 +-
drivers/gpu/drm/radeon/atombios_dp.c | 6 +--
drivers/gpu/drm/radeon/atombios_i2c.c | 4 +-
drivers/gpu/drm/radeon/evergreen.c | 34 +++++++++---
drivers/gpu/drm/radeon/evergreend.h | 4 ++
drivers/gpu/drm/radeon/ni.c | 9 ++--
drivers/gpu/drm/radeon/r600.c | 9 ++--
drivers/gpu/drm/radeon/radeon_atombios.c | 13 +++--
drivers/gpu/drm/radeon/radeon_irq_kms.c | 8 +--
drivers/gpu/drm/radeon/rs400.c | 9 ++--
drivers/gpu/drm/radeon/rv770.c | 9 ++--
drivers/gpu/drm/radeon/si.c | 32 ++++++++---
drivers/gpu/drm/radeon/sid.h | 4 ++
drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++-------
drivers/hid/hid-core.c | 17 ++++--
drivers/hid/hid-input.c | 16 ++++--
drivers/hid/hid-ntrig.c | 3 +-
drivers/hid/hid-picolcd.c | 2 +-
drivers/hid/hid-pl.c | 10 +++-
drivers/iommu/intel-iommu.c | 72 ++++++++++++-------------
drivers/media/video/hdpvr/hdpvr-core.c | 9 ++--
drivers/media/video/s5p-fimc/fimc-lite.c | 4 +-
drivers/media/video/s5p-fimc/fimc-mdevice.c | 2 +-
drivers/media/video/s5p-g2d/g2d.c | 1 +
drivers/mmc/host/tmio_mmc_dma.c | 4 +-
drivers/net/bonding/bond_main.c | 8 ++-
drivers/net/ethernet/realtek/8139cp.c | 1 +
drivers/net/macvtap.c | 62 ++++++++++++---------
drivers/net/tun.c | 6 ++-
drivers/net/wireless/ath/ath9k/ar9003_phy.c | 4 ++
drivers/net/wireless/ath/ath9k/ath9k.h | 5 +-
drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 10 ++++
drivers/net/wireless/ath/ath9k/recv.c | 17 ++++--
drivers/net/wireless/ath/ath9k/xmit.c | 1 +
drivers/net/wireless/brcm80211/brcmsmac/dma.c | 12 +++--
drivers/net/wireless/iwlegacy/4965-mac.c | 2 +-
drivers/net/wireless/iwlwifi/iwl-agn.c | 2 +-
drivers/of/base.c | 1 +
drivers/scsi/sd.c | 11 ++--
drivers/staging/comedi/drivers/dt282x.c | 3 +-
drivers/staging/zram/zram_drv.c | 2 -
drivers/staging/zram/zram_drv.h | 5 +-
drivers/target/target_core_cdb.c | 9 ++--
drivers/usb/class/cdc-wdm.c | 13 +++--
drivers/usb/core/config.c | 3 +-
drivers/usb/core/hub.c | 43 ++++++++-------
drivers/usb/host/ehci-mxc.c | 2 +-
drivers/usb/host/ohci-pci.c | 2 +-
drivers/usb/host/xhci-plat.c | 2 +-
drivers/usb/host/xhci.c | 29 +++++++++-
drivers/usb/host/xhci.h | 1 +
drivers/usb/serial/mos7720.c | 6 +--
drivers/xen/events.c | 11 ++++
drivers/xen/grant-table.c | 13 ++++-
fs/bio.c | 20 +++++--
fs/cifs/connect.c | 2 +
fs/cifs/readdir.c | 8 +++
fs/fuse/dir.c | 4 ++
fs/fuse/file.c | 3 +-
fs/ocfs2/extent_map.c | 1 -
include/linux/hid.h | 4 +-
include/linux/icmpv6.h | 2 +
include/linux/ipv6.h | 1 +
include/linux/rculist.h | 5 +-
include/linux/usb/hcd.h | 2 +-
include/media/v4l2-ctrls.h | 1 +
mm/huge_memory.c | 2 +
mm/memcontrol.c | 8 ++-
mm/swap.c | 77 ++++++++++++++++++---------
net/bridge/br_multicast.c | 3 +-
net/ceph/osd_client.c | 2 +
net/ceph/osdmap.c | 2 +-
net/core/neighbour.c | 10 ++--
net/core/sysctl_net_core.c | 7 ++-
net/ipv4/fib_trie.c | 5 +-
net/ipv4/tcp_cubic.c | 12 +++--
net/ipv6/addrconf.c | 10 ++--
net/ipv6/icmp.c | 10 +++-
net/ipv6/ip6_fib.c | 16 ++++--
net/ipv6/ndisc.c | 16 +++---
net/ipv6/reassembly.c | 5 ++
net/ipv6/tcp_ipv6.c | 2 +-
net/sched/sch_htb.c | 2 +-
net/sunrpc/xdr.c | 9 ++--
net/tipc/eth_media.c | 16 +++++-
scripts/kernel-doc | 3 ++
sound/i2c/other/ak4xxx-adda.c | 2 +-
sound/isa/opti9xx/opti92x-ad1848.c | 8 +--
sound/pci/hda/hda_eld.c | 46 ++++++++--------
sound/pci/hda/hda_intel.c | 1 +
sound/pci/hda/hda_local.h | 27 ++++++----
sound/pci/hda/patch_hdmi.c | 39 ++++++++++----
sound/soc/codecs/mc13783.c | 4 ++
sound/soc/codecs/wm8960.c | 6 +--
106 files changed, 777 insertions(+), 368 deletions(-)

AceLan Kao (1):
Bluetooth: Add support for Atheros [0cf3:e003]

Alan Stern (4):
USB: handle LPM errors during device suspend correctly
USB: OHCI: Allow runtime PM without system sleep
USB: fix build error when CONFIG_PM_SLEEP isn't enabled
[SCSI] sd: Fix potential out-of-bounds access

Alex Deucher (8):
drm/edid: add quirk for Medion MD30217PG
drm/radeon: fix endian bugs in hw i2c atom routines
drm/radeon: update line buffer allocation for dce4.1/5
drm/radeon: update line buffer allocation for dce6
drm/radeon: fix LCD record parsing
drm/radeon: fix resume on some rs4xx boards (v2)
drm/radeon: fix handling of variable sized arrays for router objects
drm/radeon: fix init ordering for r600+

Alex Williamson (1):
intel-iommu: Fix leaks in pagetable freeing

Alexey Khoroshilov (1):
hdpvr: fix iteration over uninitialized lists in hdpvr_probe()

Anand Avati (1):
fuse: invalidate inode attributes on xattr modification

Andrzej Hajda (2):
DocBook: upgrade media_api DocBook version to 4.2
v4l2: added missing mutex.h include to v4l2-ctrls.h

Anssi Hannula (1):
ALSA: hda - hdmi: Fallback to ALSA allocation when selecting CA

Anton Blanchard (1):
powerpc: Handle unaligned ldbrx/stdbrx

Arun Kumar K (1):
exynos4-is: Fix fimc-lite bayer formats

Cho, Yu-Chen (1):
Bluetooth: Add support for Mediatek Bluetooth device [0e8d:763f]

Dan Carpenter (4):
ALSA: ak4xx-adda: info leak in ak4xxx_capture_source_info()
USB: mos7720: use GFP_ATOMIC under spinlock
staging: comedi: dt282x: dt282x_ai_insn_read() always fails
tun: signedness bug in tun_get_user()

Daniel Borkmann (2):
net: bridge: convert MLDv2 Query MRC into msecs_to_jiffies for max_delay
net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv

Daniel Mack (1):
usb: ehci-mxc: check for pdata before dereferencing

Daniel Santos (1):
kernel-doc: bugfix - multi-line macros

Dave Jones (1):
8139cp: Fix skb leak in rx_status_loop failure path.

David Henningsson (1):
ALSA: hda - hdmi: Refactor hdmi_eld into parsed_hdmi_eld

David Herrmann (1):
HID: input: return ENODATA if reading battery attrs fails

David Vrabel (1):
xen/events: mask events when changing their VCPU binding

Eric Dumazet (3):
fib_trie: remove potential out of bound access
tcp: cubic: fix overflow error in bictcp_update()
tcp: cubic: fix bug in bictcp_acked()

Felix Fietkau (4):
ath9k: always clear ps filter bit on new assoc
ath9k: fix rx descriptor related race condition
ath9k: avoid accessing MRC registers on single-chain devices
MIPS: ath79: Fix ar933x watchdog clock

Grant Likely (1):
of: Fix missing memory initialization on FDT unflattening

Greg Thelen (1):
memcg: fix multiple large threshold notifications

Hannes Frederic Sowa (3):
ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not match
ipv6: remove max_addresses check from ipv6_create_tempaddr
ipv6: drop packets with multiple fragmentation headers

Hans de Goede (1):
usb: config->desc.bLength may not exceed amount of data returned by the device

Helmut Schaa (1):
ath9k_htc: Restore skb headroom when returning skb to mac80211

Herbert Xu (1):
crypto: api - Fix race condition in larval lookup

Imre Deak (1):
drm/i915: ivb: fix edp voltage swing reg val

Jakob Bornecrantz (1):
drm/vmwgfx: Split GMR2_REMAP commands if they are to large

Jani Nikula (1):
drm/i915: try not to lose backlight CBLV precision

Jason Wang (1):
macvtap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS

Jeff Layton (2):
cifs: don't instantiate new dentries in readdir for inodes that need to be revalidated immediately
cifs: ensure that srv_mutex is held when dealing with ssocket pointer

Jie Liu (1):
ocfs2: fix the end cluster offset of FIEMAP

Jiri Bohac (1):
ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO

Jiri Kosina (1):
HID: battery: don't do DMA from stack

Johan Hovold (1):
USB: mos7720: fix big-endian control requests

Johannes Berg (1):
iwlwifi: dvm: don't send BT_CONFIG on devices w/o Bluetooth

John W. Linville (1):
brcmsmac: Fix WARNING caused by lack of calls to dma_mapping_error()

Kees Cook (5):
HID: validate HID report id size
HID: pantherlord: validate output report details
HID: ntrig: validate feature report details
HID: picolcd_core: validate output report details
HID: check for NULL field when setting values

Khalid Aziz (1):
mm: fix aio performance regression for database caused by THP

Lan Tianyu (2):
ACPI / EC: Add HP Folio 13 to ec_dmi_table in order to skip DSDT scan
ACPI / EC: Add ASUSTEK L4R to quirk list in order to validate ECDT

Libin (1):
mm/huge_memory.c: fix potential NULL pointer dereference

Luis Henriques (1):
Revert "zram: use zram->lock to protect zram_free_page() in swap free notify path"

Maxim Patlasov (1):
fuse: postpone end_page_writeback() in fuse_writepage_locked()

Mike Dyer (1):
ASoC: wm8960: Fix PLL register writes

Nicholas Bellinger (1):
target: Fix trailing ASCII space usage in INQUIRY vendor+model

Noguchi Kazutosi (1):
Bluetooth: Add support for Foxconn/Hon Hai [0489:e04d]

Oliver Neukum (1):
USB: cdc-wdm: fix race between interrupt handler and tasklet

Paul Bolle (1):
regmap: silence GCC warning

Peter Maydell (2):
ARM: PCI: versatile: Fix map_irq function to match hardware
ARM: PCI: versatile: Fix SMAP register offsets

Roger Pau Monne (1):
xen-gnt: prevent adding duplicate gnt callbacks

Roland Dreier (1):
[SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal

Roman Gushchin (1):
net: check net.core.somaxconn sysctl values

Sachin Kamat (1):
s5p-g2d: Fix registration failure

Sage Weil (1):
libceph: use pg_num_mask instead of pgp_num_mask for pg.seed calc

Sarah Sharp (1):
xhci-plat: Don't enable legacy PCI interrupts.

Sergei Shtylyov (1):
mmc: tmio_mmc_dma: fix PIO fallback on SDHI

Sergey Senozhatsky (1):
radeon kms: fix uninitialised hotplug work usage in r100_irq_process()

Shawn Nematbakhsh (1):
usb: xhci: Disable runtime PM suspend for quirky controllers

Stanislaw Gruszka (1):
iwl4965: fix rfkill set state regression

Steffen Trumtrar (1):
ASoC: mc13783: add spi errata fix

Sujith Manoharan (1):
Bluetooth: ath3k: Add support for ID 0x13d3/0x3402

Sylwester Nawrocki (1):
exynos4-is: Fix entity unregistration on error path

Takashi Iwai (2):
ALSA: opti9xx: Fix conflicting driver object name
ALSA: hda - Add Toshiba Satellite C870 to MSI blacklist

Tejun Heo (1):
rculist: list_first_or_null_rcu() should use list_entry_rcu()

Thomas Graf (1):
ipv6: Don't depend on per socket memory for neighbour discovery messages

Thomas Loo (1):
Bluetooth: ath3k: Add support for Fujitsu Lifebook UH5x2 [04c5:1330]

Trond Myklebust (1):
SUNRPC: Fix memory corruption issue on 32-bit highmem systems

Vaidyanathan Srinivasan (1):
powerpc: Default arch idle could cede processor on pseries

Veaceslav Falico (2):
neighbour: populate neigh_parms on alloc before calling ndo_neigh_setup
bonding: modify only neigh_parms owned by us

Ying Xue (1):
tipc: fix lockdep warning during bearer initialization

majianpeng (1):
libceph: unregister request in __map_request failed and nofail == false

stephen hemminger (1):
htb: fix sign extension bug


2013-09-30 10:11:40

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 001/104] iwl4965: fix rfkill set state regression

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Stanislaw Gruszka <[email protected]>

commit b2fcc0aee58a3435566dd6d8501a0b355552f28b upstream.

My current 3.11 fix:

commit 788f7a56fce1bcb2067b62b851a086fca48a0056
Author: Stanislaw Gruszka <[email protected]>
Date: Thu Aug 1 12:07:55 2013 +0200

iwl4965: reset firmware after rfkill off

broke rfkill notification to user-space . I missed that bug, because
I compiled without CONFIG_RFKILL, sorry about that.

Signed-off-by: Stanislaw Gruszka <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/net/wireless/iwlegacy/4965-mac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c b/drivers/net/wireless/iwlegacy/4965-mac.c
index cbcf6f2..fde725c 100644
--- a/drivers/net/wireless/iwlegacy/4965-mac.c
+++ b/drivers/net/wireless/iwlegacy/4965-mac.c
@@ -4415,9 +4415,9 @@ il4965_irq_tasklet(struct il_priv *il)
set_bit(S_RFKILL, &il->status);
} else {
clear_bit(S_RFKILL, &il->status);
- wiphy_rfkill_set_hw_state(il->hw->wiphy, hw_rf_kill);
il_force_reset(il, true);
}
+ wiphy_rfkill_set_hw_state(il->hw->wiphy, hw_rf_kill);

handled |= CSR_INT_BIT_RF_KILL;
}
--
1.8.3.2

2013-09-30 10:11:50

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 007/104] ALSA: ak4xx-adda: info leak in ak4xxx_capture_source_info()

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit bd5fe738e388ceaa32e5171481e0d3ec59f0ccfe upstream.

"idx" is controled by the user and can be a negative offset into the
input_names[] array.

Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
sound/i2c/other/ak4xxx-adda.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/i2c/other/ak4xxx-adda.c b/sound/i2c/other/ak4xxx-adda.c
index cef813d..ed726d1 100644
--- a/sound/i2c/other/ak4xxx-adda.c
+++ b/sound/i2c/other/ak4xxx-adda.c
@@ -571,7 +571,7 @@ static int ak4xxx_capture_source_info(struct snd_kcontrol *kcontrol,
struct snd_akm4xxx *ak = snd_kcontrol_chip(kcontrol);
int mixer_ch = AK_GET_SHIFT(kcontrol->private_value);
const char **input_names;
- int num_names, idx;
+ unsigned int num_names, idx;

num_names = ak4xxx_capture_num_inputs(ak, mixer_ch);
if (!num_names)
--
1.8.3.2

2013-09-30 10:11:52

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 004/104] SUNRPC: Fix memory corruption issue on 32-bit highmem systems

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <[email protected]>

commit 347e2233b7667e336d9f671f1a52dfa3f0416e2c upstream.

Some architectures, such as ARM-32 do not return the same base address
when you call kmap_atomic() twice on the same page.
This causes problems for the memmove() call in the XDR helper routine
"_shift_data_right_pages()", since it defeats the detection of
overlapping memory ranges, and has been seen to corrupt memory.

The fix is to distinguish between the case where we're doing an
inter-page copy or not. In the former case of we know that the memory
ranges cannot possibly overlap, so we can additionally micro-optimise
by replacing memmove() with memcpy().

Reported-by: Mark Young <[email protected]>
Reported-by: Matt Craighead <[email protected]>
Cc: Bruce Fields <[email protected]>
Signed-off-by: Trond Myklebust <[email protected]>
Tested-by: Matt Craighead <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
net/sunrpc/xdr.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index fddcccf..78ad0f6 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -233,10 +233,13 @@ _shift_data_right_pages(struct page **pages, size_t pgto_base,
pgfrom_base -= copy;

vto = kmap_atomic(*pgto);
- vfrom = kmap_atomic(*pgfrom);
- memmove(vto + pgto_base, vfrom + pgfrom_base, copy);
+ if (*pgto != *pgfrom) {
+ vfrom = kmap_atomic(*pgfrom);
+ memcpy(vto + pgto_base, vfrom + pgfrom_base, copy);
+ kunmap_atomic(vfrom);
+ } else
+ memmove(vto + pgto_base, vto + pgfrom_base, copy);
flush_dcache_page(*pgto);
- kunmap_atomic(vfrom);
kunmap_atomic(vto);

} while ((len -= copy) != 0);
--
1.8.3.2

2013-09-30 10:11:57

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 017/104] USB: mos7720: use GFP_ATOMIC under spinlock

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit d0bd9a41186e076ea543c397ad8a67a6cf604b55 upstream.

The write_parport_reg_nonblock() function shouldn't sleep because it's
called with spinlocks held.

Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Johan Hovold <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/usb/serial/mos7720.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
index 9809fbc..feda880 100644
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -379,7 +379,7 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
kfree(urbtrack);
return -ENOMEM;
}
- urbtrack->setup = kmalloc(sizeof(*urbtrack->setup), GFP_KERNEL);
+ urbtrack->setup = kmalloc(sizeof(*urbtrack->setup), GFP_ATOMIC);
if (!urbtrack->setup) {
usb_free_urb(urbtrack->urb);
kfree(urbtrack);
--
1.8.3.2

2013-09-30 10:12:10

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 024/104] ACPI / EC: Add ASUSTEK L4R to quirk list in order to validate ECDT

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Lan Tianyu <[email protected]>

commit 524f42fab787a9510be826ce3d736b56d454ac6d upstream.

The ECDT of ASUSTEK L4R doesn't provide correct command and data
I/O ports. The DSDT provides the correct information instead.

For this reason, add this machine to quirk list for ECDT validation
and use the EC information from the DSDT.

[rjw: Changelog]
References: https://bugzilla.kernel.org/show_bug.cgi?id=60765
Reported-and-tested-by: Daniele Esposti <[email protected]>
Signed-off-by: Lan Tianyu <[email protected]>
Signed-off-by: Rafael J. Wysocki <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/acpi/ec.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
index 3251d4b..d1a9674 100644
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -978,6 +978,10 @@ static struct dmi_system_id __initdata ec_dmi_table[] = {
ec_skip_dsdt_scan, "HP Folio 13", {
DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
DMI_MATCH(DMI_PRODUCT_NAME, "HP Folio 13"),}, NULL},
+ {
+ ec_validate_ecdt, "ASUS hardware", {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTek Computer Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "L4R"),}, NULL},
{},
};

--
1.8.3.2

2013-09-30 10:12:00

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 018/104] USB: mos7720: fix big-endian control requests

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Johan Hovold <[email protected]>

commit 3b716caf190ccc6f2a09387210e0e6a26c1d81a4 upstream.

Fix endianess bugs in parallel-port code which caused corrupt
control-requests to be issued on big-endian machines.

Reported-by: kbuild test robot <[email protected]>
Signed-off-by: Johan Hovold <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/usb/serial/mos7720.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c
index feda880..e1c35fb 100644
--- a/drivers/usb/serial/mos7720.c
+++ b/drivers/usb/serial/mos7720.c
@@ -387,8 +387,8 @@ static int write_parport_reg_nonblock(struct mos7715_parport *mos_parport,
}
urbtrack->setup->bRequestType = (__u8)0x40;
urbtrack->setup->bRequest = (__u8)0x0e;
- urbtrack->setup->wValue = get_reg_value(reg, dummy);
- urbtrack->setup->wIndex = get_reg_index(reg);
+ urbtrack->setup->wValue = cpu_to_le16(get_reg_value(reg, dummy));
+ urbtrack->setup->wIndex = cpu_to_le16(get_reg_index(reg));
urbtrack->setup->wLength = 0;
usb_fill_control_urb(urbtrack->urb, usbdev,
usb_sndctrlpipe(usbdev, 0),
--
1.8.3.2

2013-09-30 10:12:30

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 038/104] htb: fix sign extension bug

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: stephen hemminger <[email protected]>

commit cbd375567f7e4811b1c721f75ec519828ac6583f upstream.

When userspace passes a large priority value
the assignment of the unsigned value hopt->prio
to signed int cl->prio causes cl->prio to become negative and the
comparison is with TC_HTB_NUMPRIO is always false.

The result is that HTB crashes by referencing outside
the array when processing packets. With this patch the large value
wraps around like other values outside the normal range.

See: https://bugzilla.kernel.org/show_bug.cgi?id=60669

Signed-off-by: Stephen Hemminger <[email protected]>
Acked-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
net/sched/sch_htb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index e9ea2f3..6f15bd1 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -86,7 +86,7 @@ struct htb_class {
unsigned int children;
struct htb_class *parent; /* parent class */

- int prio; /* these two are used only by leaves... */
+ u32 prio; /* these two are used only by leaves... */
int quantum; /* but stored for parent-to-leaf return */

union {
--
1.8.3.2

2013-09-30 10:12:34

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 044/104] tcp: cubic: fix bug in bictcp_acked()

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

commit cd6b423afd3c08b27e1fed52db828ade0addbc6b upstream.

While investigating about strange increase of retransmit rates
on hosts ~24 days after boot, Van found hystart was disabled
if ca->epoch_start was 0, as following condition is true
when tcp_time_stamp high order bit is set.

(s32)(tcp_time_stamp - ca->epoch_start) < HZ

Quoting Van :

At initialization & after every loss ca->epoch_start is set to zero so
I believe that the above line will turn off hystart as soon as the 2^31
bit is set in tcp_time_stamp & hystart will stay off for 24 days.
I think we've observed that cubic's restart is too aggressive without
hystart so this might account for the higher drop rate we observe.

Diagnosed-by: Van Jacobson <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Cc: Neal Cardwell <[email protected]>
Cc: Yuchung Cheng <[email protected]>
Acked-by: Neal Cardwell <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
net/ipv4/tcp_cubic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c
index b6b591f..b6ae92a 100644
--- a/net/ipv4/tcp_cubic.c
+++ b/net/ipv4/tcp_cubic.c
@@ -416,7 +416,7 @@ static void bictcp_acked(struct sock *sk, u32 cnt, s32 rtt_us)
return;

/* Discard delay samples right after fast recovery */
- if ((s32)(tcp_time_stamp - ca->epoch_start) < HZ)
+ if (ca->epoch_start && (s32)(tcp_time_stamp - ca->epoch_start) < HZ)
return;

delay = (rtt_us << 3) / USEC_PER_MSEC;
--
1.8.3.2

2013-09-30 10:12:19

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 028/104] regmap: silence GCC warning

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Paul Bolle <[email protected]>

commit a8f28cfad8cd44d7c34b166d0e5ace1125dbee1f upstream.

Building regmap.o triggers this GCC warning:
drivers/base/regmap/regmap.c: In function ‘regmap_raw_read’:
drivers/base/regmap/regmap.c:1172:6: warning: ‘ret’ may be used uninitialized in this function [-Wmaybe-uninitialized]

Long story short: Jakub Jelinek pointed out that there is a type
mismatch between 'num' in regmap_volatile_range() and 'val_count' in
regmap_raw_read(). And indeed, converting 'num' to the type of
'val_count' (ie, size_t) makes this warning go away.

Signed-off-by: Paul Bolle <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/base/regmap/regmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index c89aa01..cb721e3 100644
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -69,7 +69,7 @@ bool regmap_precious(struct regmap *map, unsigned int reg)
}

static bool regmap_volatile_range(struct regmap *map, unsigned int reg,
- unsigned int num)
+ size_t num)
{
unsigned int i;

--
1.8.3.2

2013-09-30 10:12:37

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 045/104] macvtap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Jason Wang <[email protected]>

commit ece793fcfc417b3925844be88a6a6dc82ae8f7c6 upstream.

We try to linearize part of the skb when the number of iov is greater than
MAX_SKB_FRAGS. This is not enough since each single vector may occupy more than
one pages, so zerocopy_sg_fromiovec() may still fail and may break the guest
network.

Solve this problem by calculate the pages needed for iov before trying to do
zerocopy and switch to use copy instead of zerocopy if it needs more than
MAX_SKB_FRAGS.

This is done through introducing a new helper to count the pages for iov, and
call uarg->callback() manually when switching from zerocopy to copy to notify
vhost.

We can do further optimization on top.

This bug were introduced from b92946e2919134ebe2a4083e4302236295ea2a73
(macvtap: zerocopy: validate vectors before building skb).

Cc: Michael S. Tsirkin <[email protected]>
Signed-off-by: Jason Wang <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[ luis: backported to 3.5:
- struct ubuf_info callback takes only one argument ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/net/macvtap.c | 62 ++++++++++++++++++++++++++++++---------------------
1 file changed, 37 insertions(+), 25 deletions(-)

diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
index cc5b48d..8b7c4f2 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -643,6 +643,28 @@ static int macvtap_skb_to_vnet_hdr(const struct sk_buff *skb,
return 0;
}

+static unsigned long iov_pages(const struct iovec *iv, int offset,
+ unsigned long nr_segs)
+{
+ unsigned long seg, base;
+ int pages = 0, len, size;
+
+ while (nr_segs && (offset >= iv->iov_len)) {
+ offset -= iv->iov_len;
+ ++iv;
+ --nr_segs;
+ }
+
+ for (seg = 0; seg < nr_segs; seg++) {
+ base = (unsigned long)iv[seg].iov_base + offset;
+ len = iv[seg].iov_len - offset;
+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT;
+ pages += size;
+ offset = 0;
+ }
+
+ return pages;
+}

/* Get packet from user space buffer */
static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
@@ -689,31 +711,15 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
if (unlikely(count > UIO_MAXIOV))
goto err;

- if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY))
- zerocopy = true;
-
- if (zerocopy) {
- /* Userspace may produce vectors with count greater than
- * MAX_SKB_FRAGS, so we need to linearize parts of the skb
- * to let the rest of data to be fit in the frags.
- */
- if (count > MAX_SKB_FRAGS) {
- copylen = iov_length(iv, count - MAX_SKB_FRAGS);
- if (copylen < vnet_hdr_len)
- copylen = 0;
- else
- copylen -= vnet_hdr_len;
- }
- /* There are 256 bytes to be copied in skb, so there is enough
- * room for skb expand head in case it is used.
- * The rest buffer is mapped from userspace.
- */
- if (copylen < vnet_hdr.hdr_len)
- copylen = vnet_hdr.hdr_len;
- if (!copylen)
- copylen = GOODCOPY_LEN;
+ if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY)) {
+ copylen = vnet_hdr.hdr_len ? vnet_hdr.hdr_len : GOODCOPY_LEN;
linear = copylen;
- } else {
+ if (iov_pages(iv, vnet_hdr_len + copylen, count)
+ <= MAX_SKB_FRAGS)
+ zerocopy = true;
+ }
+
+ if (!zerocopy) {
copylen = len;
linear = vnet_hdr.hdr_len;
}
@@ -725,9 +731,15 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,

if (zerocopy)
err = zerocopy_sg_from_iovec(skb, iv, vnet_hdr_len, count);
- else
+ else {
err = skb_copy_datagram_from_iovec(skb, 0, iv, vnet_hdr_len,
len);
+ if (!err && m && m->msg_control) {
+ struct ubuf_info *uarg = m->msg_control;
+ uarg->callback(uarg);
+ }
+ }
+
if (err)
goto err_kfree;

--
1.8.3.2

2013-09-30 10:12:51

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 047/104] 8139cp: Fix skb leak in rx_status_loop failure path.

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Dave Jones <[email protected]>

commit d06f5187469eee1b2932c02fd093d113cfc60d5e upstream.

Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96
("8139cp: Add dma_mapping_error checking")

Signed-off-by: Dave Jones <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/net/ethernet/realtek/8139cp.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/realtek/8139cp.c b/drivers/net/ethernet/realtek/8139cp.c
index bf8eb57..efd3e34 100644
--- a/drivers/net/ethernet/realtek/8139cp.c
+++ b/drivers/net/ethernet/realtek/8139cp.c
@@ -524,6 +524,7 @@ rx_status_loop:
PCI_DMA_FROMDEVICE);
if (dma_mapping_error(&cp->pdev->dev, new_mapping)) {
dev->stats.rx_dropped++;
+ kfree_skb(new_skb);
goto rx_next;
}

--
1.8.3.2

2013-09-30 10:13:04

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 066/104] drm/radeon: update line buffer allocation for dce4.1/5

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <[email protected]>

commit 0b31e02363b0db4e7931561bc6c141436e729d9f upstream.

We need to allocate line buffer to each display when
setting up the watermarks. Failure to do so can lead
to a blank screen. This fixes blank screen problems
on dce4.1/5 asics.

Based on an initial fix from:
Jay Cornwall <[email protected]>

Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/gpu/drm/radeon/evergreen.c | 25 +++++++++++++++++++++----
drivers/gpu/drm/radeon/evergreend.h | 4 ++++
2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
index 7ac565f..269fa76 100644
--- a/drivers/gpu/drm/radeon/evergreen.c
+++ b/drivers/gpu/drm/radeon/evergreen.c
@@ -534,7 +534,8 @@ static u32 evergreen_line_buffer_adjust(struct radeon_device *rdev,
struct drm_display_mode *mode,
struct drm_display_mode *other_mode)
{
- u32 tmp;
+ u32 tmp, buffer_alloc, i;
+ u32 pipe_offset = radeon_crtc->crtc_id * 0x20;
/*
* Line Buffer Setup
* There are 3 line buffers, each one shared by 2 display controllers.
@@ -557,18 +558,34 @@ static u32 evergreen_line_buffer_adjust(struct radeon_device *rdev,
* non-linked crtcs for maximum line buffer allocation.
*/
if (radeon_crtc->base.enabled && mode) {
- if (other_mode)
+ if (other_mode) {
tmp = 0; /* 1/2 */
- else
+ buffer_alloc = 1;
+ } else {
tmp = 2; /* whole */
- } else
+ buffer_alloc = 2;
+ }
+ } else {
tmp = 0;
+ buffer_alloc = 0;
+ }

/* second controller of the pair uses second half of the lb */
if (radeon_crtc->crtc_id % 2)
tmp += 4;
WREG32(DC_LB_MEMORY_SPLIT + radeon_crtc->crtc_offset, tmp);

+ if (ASIC_IS_DCE41(rdev) || ASIC_IS_DCE5(rdev)) {
+ WREG32(PIPE0_DMIF_BUFFER_CONTROL + pipe_offset,
+ DMIF_BUFFERS_ALLOCATED(buffer_alloc));
+ for (i = 0; i < rdev->usec_timeout; i++) {
+ if (RREG32(PIPE0_DMIF_BUFFER_CONTROL + pipe_offset) &
+ DMIF_BUFFERS_ALLOCATED_COMPLETED)
+ break;
+ udelay(1);
+ }
+ }
+
if (radeon_crtc->base.enabled && mode) {
switch (tmp) {
case 0:
diff --git a/drivers/gpu/drm/radeon/evergreend.h b/drivers/gpu/drm/radeon/evergreend.h
index 735e515..5e24050 100644
--- a/drivers/gpu/drm/radeon/evergreend.h
+++ b/drivers/gpu/drm/radeon/evergreend.h
@@ -707,6 +707,10 @@
# define LATENCY_LOW_WATERMARK(x) ((x) << 0)
# define LATENCY_HIGH_WATERMARK(x) ((x) << 16)

+#define PIPE0_DMIF_BUFFER_CONTROL 0x0ca0
+# define DMIF_BUFFERS_ALLOCATED(x) ((x) << 0)
+# define DMIF_BUFFERS_ALLOCATED_COMPLETED (1 << 4)
+
#define IH_RB_CNTL 0x3e00
# define IH_RB_ENABLE (1 << 0)
# define IH_IB_SIZE(x) ((x) << 1) /* log2 */
--
1.8.3.2

2013-09-30 10:13:40

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 085/104] HID: ntrig: validate feature report details

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Kees Cook <[email protected]>

commit 875b4e3763dbc941f15143dd1a18d10bb0be303b upstream.

A HID device could send a malicious feature report that would cause the
ntrig HID driver to trigger a NULL dereference during initialization:

[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
...
[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]

CVE-2013-2896

Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Rafi Rubin <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/hid/hid-ntrig.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
index 9fae2eb..48cba85 100644
--- a/drivers/hid/hid-ntrig.c
+++ b/drivers/hid/hid-ntrig.c
@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
report_id_hash[0x0d];

- if (!report)
+ if (!report || report->maxfield < 1 ||
+ report->field[0]->report_count < 1)
return -EINVAL;

usbhid_submit_report(hdev, report, USB_DIR_IN);
--
1.8.3.2

2013-09-30 10:13:20

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 076/104] fuse: invalidate inode attributes on xattr modification

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Anand Avati <[email protected]>

commit d331a415aef98717393dda0be69b7947da08eba3 upstream.

Calls like setxattr and removexattr result in updation of ctime.
Therefore invalidate inode attributes to force a refresh.

Signed-off-by: Anand Avati <[email protected]>
Reviewed-by: Brian Foster <[email protected]>
Signed-off-by: Miklos Szeredi <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
fs/fuse/dir.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index f6e4bc8..b60cc5f 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1511,6 +1511,8 @@ static int fuse_setxattr(struct dentry *entry, const char *name,
fc->no_setxattr = 1;
err = -EOPNOTSUPP;
}
+ if (!err)
+ fuse_invalidate_attr(inode);
return err;
}

@@ -1640,6 +1642,8 @@ static int fuse_removexattr(struct dentry *entry, const char *name)
fc->no_removexattr = 1;
err = -EOPNOTSUPP;
}
+ if (!err)
+ fuse_invalidate_attr(inode);
return err;
}

--
1.8.3.2

2013-09-30 10:13:30

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 083/104] libceph: use pg_num_mask instead of pgp_num_mask for pg.seed calc

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Sage Weil <[email protected]>

commit 9542cf0bf9b1a3adcc2ef271edbcbdba03abf345 upstream.

Fix a typo that used the wrong bitmask for the pg.seed calculation. This
is normally unnoticed because in most cases pg_num == pgp_num. It is, however,
a bug that is easily corrected.

Signed-off-by: Sage Weil <[email protected]>
Reviewed-by: Alex Elder <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
net/ceph/osdmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
index d10a72b..dfedfd8 100644
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -1064,7 +1064,7 @@ static int *calc_pg_raw(struct ceph_osdmap *osdmap, struct ceph_pg pgid,

/* pg_temp? */
t = ceph_stable_mod(ps, le32_to_cpu(pool->v.pg_num),
- pool->pgp_num_mask);
+ pool->pg_num_mask);
pgid.ps = cpu_to_le16(t);
pg = __lookup_pg_mapping(&osdmap->pg_temp, pgid);
if (pg) {
--
1.8.3.2

2013-09-30 10:13:34

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 086/104] HID: picolcd_core: validate output report details

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Kees Cook <[email protected]>

commit 1e87a2456b0227ca4ab881e19a11bb99d164e792 upstream.

A HID device could send a malicious output report that would cause the
picolcd HID driver to trigger a NULL dereference during attr file writing.

[[email protected]: changed

report->maxfield < 1

to

report->maxfield != 1

as suggested by Bruno].

CVE-2013-2899

Signed-off-by: Kees Cook <[email protected]>
Reviewed-by: Bruno Prémont <[email protected]>
Acked-by: Bruno Prémont <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
[ luis: backported to 3.5:
- file rename drivers/hid/hid-picolcd_core.c ->
drivers/hid/hid-picolcd.c ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/hid/hid-picolcd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/hid/hid-picolcd.c b/drivers/hid/hid-picolcd.c
index 45c3433..95f9047 100644
--- a/drivers/hid/hid-picolcd.c
+++ b/drivers/hid/hid-picolcd.c
@@ -1424,7 +1424,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
buf += 10;
cnt -= 10;
}
- if (!report)
+ if (!report || report->maxfield != 1)
return -EINVAL;

while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
--
1.8.3.2

2013-09-30 10:13:49

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 098/104] crypto: api - Fix race condition in larval lookup

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Herbert Xu <[email protected]>

commit 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa upstream.

crypto_larval_lookup should only return a larval if it created one.
Any larval created by another entity must be processed through
crypto_larval_wait before being returned.

Otherwise this will lead to a larval being killed twice, which
will most likely lead to a crash.

Reported-by: Kees Cook <[email protected]>
Tested-by: Kees Cook <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
crypto/api.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/crypto/api.c b/crypto/api.c
index 033a714..cea3cf6 100644
--- a/crypto/api.c
+++ b/crypto/api.c
@@ -34,6 +34,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem);
BLOCKING_NOTIFIER_HEAD(crypto_chain);
EXPORT_SYMBOL_GPL(crypto_chain);

+static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg);
+
static inline struct crypto_alg *crypto_alg_get(struct crypto_alg *alg)
{
atomic_inc(&alg->cra_refcnt);
@@ -150,8 +152,11 @@ static struct crypto_alg *crypto_larval_add(const char *name, u32 type,
}
up_write(&crypto_alg_sem);

- if (alg != &larval->alg)
+ if (alg != &larval->alg) {
kfree(larval);
+ if (crypto_is_larval(alg))
+ alg = crypto_larval_wait(alg);
+ }

return alg;
}
--
1.8.3.2

2013-09-30 10:14:20

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 101/104] ASoC: mc13783: add spi errata fix

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Steffen Trumtrar <[email protected]>

commit 9f6f0afbb9fdabf6dcac642dfec457f28981e3f8 upstream.

The MC13783 Chip Errata, Rev. 4 says, that depending on SPI clock
and main audio clock speed, the Audio Codec or Stereo DAC do sometimes
not start when programmed to do so. This is due to an internal clock
timing issue related to the loading of the SPI bits into the audio block.

On an i.MX27 based system, this issue lead to switched audio channels under
certain circumstances: RTC + Touch + Audio are used and loaded at startup.

The mentioned workaround of writing registers 40 and 41 two times is implemented
here.

Signed-off-by: Steffen Trumtrar <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
sound/soc/codecs/mc13783.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/sound/soc/codecs/mc13783.c b/sound/soc/codecs/mc13783.c
index 6276e35..3086194 100644
--- a/sound/soc/codecs/mc13783.c
+++ b/sound/soc/codecs/mc13783.c
@@ -126,6 +126,10 @@ static int mc13783_write(struct snd_soc_codec *codec,

ret = mc13xxx_reg_write(priv->mc13xxx, reg, value);

+ /* include errata fix for spi audio problems */
+ if (reg == MC13783_AUDIO_CODEC || reg == MC13783_AUDIO_DAC)
+ ret = mc13xxx_reg_write(priv->mc13xxx, reg, value);
+
mc13xxx_unlock(priv->mc13xxx);

return ret;
--
1.8.3.2

2013-09-30 10:13:56

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 104/104] kernel-doc: bugfix - multi-line macros

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Santos <[email protected]>

commit 654784284430bf2739985914b65e09c7c35a7273 upstream.

Prior to this patch the following code breaks:

/**
* multiline_example - this breaks kernel-doc
*/
#define multiline_example( \
myparam)

Producing this error:

Error(somefile.h:983): cannot understand prototype: 'multiline_example( \ '

This patch fixes the issue by appending all lines ending in a blackslash
(optionally followed by whitespace), removing the backslash and any
whitespace after it prior to appending (just like the C pre-processor
would).

This fixes a break in kerel-doc introduced by the additions to rbtree.h.

Signed-off-by: Daniel Santos <[email protected]>
Cc: Randy Dunlap <[email protected]>
Cc: Michal Marek <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
scripts/kernel-doc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/scripts/kernel-doc b/scripts/kernel-doc
index 9b0c0b8..55ab5e4 100755
--- a/scripts/kernel-doc
+++ b/scripts/kernel-doc
@@ -2045,6 +2045,9 @@ sub process_file($) {

$section_counter = 0;
while (<IN>) {
+ while (s/\\\s*$//) {
+ $_ .= <IN>;
+ }
if ($state == 0) {
if (/$doc_start/o) {
$state = 1; # next line is always the function name
--
1.8.3.2

2013-09-30 10:14:15

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 103/104] Revert "zram: use zram->lock to protect zram_free_page() in swap free notify path"

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Luis Henriques <[email protected]>

This reverts commit 9e443904906ca2b5b3ae71f34ac4a4fa6905623e, which
was commit 57ab048532c0d975538cebd4456491b5c34248f4 upstream.

This commit was identified as provoking system lockups when under high
memory pressure, as noted in the following bug report:

BugLink: https://bugs.launchpad.net/bugs/1215513

Signed-off-by: Luis Henriques <[email protected]>
---
drivers/staging/zram/zram_drv.c | 2 --
drivers/staging/zram/zram_drv.h | 5 ++---
2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/staging/zram/zram_drv.c b/drivers/staging/zram/zram_drv.c
index 2e88a68..60ffc8c 100644
--- a/drivers/staging/zram/zram_drv.c
+++ b/drivers/staging/zram/zram_drv.c
@@ -697,9 +697,7 @@ static void zram_slot_free_notify(struct block_device *bdev,
struct zram *zram;

zram = bdev->bd_disk->private_data;
- down_write(&zram->lock);
zram_free_page(zram, index);
- up_write(&zram->lock);
zram_stat64_inc(zram, &zram->stats.notify_free);
}

diff --git a/drivers/staging/zram/zram_drv.h b/drivers/staging/zram/zram_drv.h
index 1047e82..fbe8ac9 100644
--- a/drivers/staging/zram/zram_drv.h
+++ b/drivers/staging/zram/zram_drv.h
@@ -107,9 +107,8 @@ struct zram {
void *compress_buffer;
struct table *table;
spinlock_t stat64_lock; /* protect 64-bit stats */
- struct rw_semaphore lock; /* protect compression buffers, table,
- * 32bit stat counters against concurrent
- * notifications, reads and writes */
+ struct rw_semaphore lock; /* protect compression buffers and table
+ * against concurrent read and writes */
struct request_queue *queue;
struct gendisk *disk;
int init_done;
--
1.8.3.2

2013-09-30 10:14:17

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 102/104] [SCSI] sd: Fix potential out-of-bounds access

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <[email protected]>

commit 984f1733fcee3fbc78d47e26c5096921c5d9946a upstream.

This patch fixes an out-of-bounds error in sd_read_cache_type(), found
by Google's AddressSanitizer tool. When the loop ends, we know that
"offset" lies beyond the end of the data in the buffer, so no Caching
mode page was found. In theory it may be present, but the buffer size
is limited to 512 bytes.

Signed-off-by: Alan Stern <[email protected]>
Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/scsi/sd.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
index 8e18431..68eb46e 100644
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -2226,14 +2226,9 @@ sd_read_cache_type(struct scsi_disk *sdkp, unsigned char *buffer)
}
}

- if (modepage == 0x3F) {
- sd_printk(KERN_ERR, sdkp, "No Caching mode page "
- "present\n");
- goto defaults;
- } else if ((buffer[offset] & 0x3f) != modepage) {
- sd_printk(KERN_ERR, sdkp, "Got wrong page\n");
- goto defaults;
- }
+ sd_printk(KERN_ERR, sdkp, "No Caching mode page found\n");
+ goto defaults;
+
Page_found:
if (modepage == 8) {
sdkp->WCE = ((buffer[offset + 2] & 0x04) != 0);
--
1.8.3.2

2013-09-30 10:13:44

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 093/104] memcg: fix multiple large threshold notifications

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Greg Thelen <[email protected]>

commit 2bff24a3707093c435ab3241c47dcdb5f16e432b upstream.

A memory cgroup with (1) multiple threshold notifications and (2) at least
one threshold >=2G was not reliable. Specifically the notifications would
either not fire or would not fire in the proper order.

The __mem_cgroup_threshold() signaling logic depends on keeping 64 bit
thresholds in sorted order. mem_cgroup_usage_register_event() sorts them
with compare_thresholds(), which returns the difference of two 64 bit
thresholds as an int. If the difference is positive but has bit[31] set,
then sort() treats the difference as negative and breaks sort order.

This fix compares the two arbitrary 64 bit thresholds returning the
classic -1, 0, 1 result.

The test below sets two notifications (at 0x1000 and 0x81001000):
cd /sys/fs/cgroup/memory
mkdir x
for x in 4096 2164264960; do
cgroup_event_listener x/memory.usage_in_bytes $x | sed "s/^/$x listener:/" &
done
echo $$ > x/cgroup.procs
anon_leaker 500M

v3.11-rc7 fails to signal the 4096 event listener:
Leaking...
Done leaking pages.

Patched v3.11-rc7 properly notifies:
Leaking...
4096 listener:2013:8:31:14:13:36
Done leaking pages.

The fixed bug is old. It appears to date back to the introduction of
memcg threshold notifications in v2.6.34-rc1-116-g2e72b6347c94 "memcg:
implement memory thresholds"

Signed-off-by: Greg Thelen <[email protected]>
Acked-by: Michal Hocko <[email protected]>
Acked-by: Kirill A. Shutemov <[email protected]>
Acked-by: Johannes Weiner <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
mm/memcontrol.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 08bcbd8..226b63e 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -4298,7 +4298,13 @@ static int compare_thresholds(const void *a, const void *b)
const struct mem_cgroup_threshold *_a = a;
const struct mem_cgroup_threshold *_b = b;

- return _a->threshold - _b->threshold;
+ if (_a->threshold > _b->threshold)
+ return 1;
+
+ if (_a->threshold < _b->threshold)
+ return -1;
+
+ return 0;
}

static int mem_cgroup_oom_notify_cb(struct mem_cgroup *memcg)
--
1.8.3.2

2013-09-30 10:15:02

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 099/104] cifs: ensure that srv_mutex is held when dealing with ssocket pointer

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Jeff Layton <[email protected]>

commit 73e216a8a42c0ef3d08071705c946c38fdbe12b0 upstream.

Oleksii reported that he had seen an oops similar to this:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000088
IP: [<ffffffff814dcc13>] sock_sendmsg+0x93/0xd0
PGD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: ipt_MASQUERADE xt_REDIRECT xt_tcpudp iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack ip_tables x_tables carl9170 ath usb_storage f2fs nfnetlink_log nfnetlink md4 cifs dns_resolver hid_generic usbhid hid af_packet uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev rfcomm btusb bnep bluetooth qmi_wwan qcserial cdc_wdm usb_wwan usbnet usbserial mii snd_hda_codec_hdmi snd_hda_codec_realtek iwldvm mac80211 coretemp intel_powerclamp kvm_intel kvm iwlwifi snd_hda_intel cfg80211 snd_hda_codec xhci_hcd e1000e ehci_pci snd_hwdep sdhci_pci snd_pcm ehci_hcd microcode psmouse sdhci thinkpad_acpi mmc_core i2c_i801 pcspkr usbcore hwmon snd_timer snd_page_alloc snd ptp rfkill pps_core soundcore evdev usb_common vboxnetflt(O) vboxdrv(O)Oops#2 Part8
loop tun binfmt_misc fuse msr acpi_call(O) ipv6 autofs4
CPU: 0 PID: 21612 Comm: kworker/0:1 Tainted: G W O 3.10.1SIGN #28
Hardware name: LENOVO 2306CTO/2306CTO, BIOS G2ET92WW (2.52 ) 02/22/2013
Workqueue: cifsiod cifs_echo_request [cifs]
task: ffff8801e1f416f0 ti: ffff880148744000 task.ti: ffff880148744000
RIP: 0010:[<ffffffff814dcc13>] [<ffffffff814dcc13>] sock_sendmsg+0x93/0xd0
RSP: 0000:ffff880148745b00 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff880148745b78 RCX: 0000000000000048
RDX: ffff880148745c90 RSI: ffff880181864a00 RDI: ffff880148745b78
RBP: ffff880148745c48 R08: 0000000000000048 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff880181864a00
R13: ffff880148745c90 R14: 0000000000000048 R15: 0000000000000048
FS: 0000000000000000(0000) GS:ffff88021e200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000088 CR3: 000000020c42c000 CR4: 00000000001407b0
Oops#2 Part7
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Stack:
ffff880148745b30 ffffffff810c4af9 0000004848745b30 ffff880181864a00
ffffffff81ffbc40 0000000000000000 ffff880148745c90 ffffffff810a5aab
ffff880148745bc0 ffffffff81ffbc40 ffff880148745b60 ffffffff815a9fb8
Call Trace:
[<ffffffff810c4af9>] ? finish_task_switch+0x49/0xe0
[<ffffffff810a5aab>] ? lock_timer_base.isra.36+0x2b/0x50
[<ffffffff815a9fb8>] ? _raw_spin_unlock_irqrestore+0x18/0x40
[<ffffffff810a673f>] ? try_to_del_timer_sync+0x4f/0x70
[<ffffffff815aa38f>] ? _raw_spin_unlock_bh+0x1f/0x30
[<ffffffff814dcc87>] kernel_sendmsg+0x37/0x50
[<ffffffffa081a0e0>] smb_send_kvec+0xd0/0x1d0 [cifs]
[<ffffffffa081a263>] smb_send_rqst+0x83/0x1f0 [cifs]
[<ffffffffa081ab6c>] cifs_call_async+0xec/0x1b0 [cifs]
[<ffffffffa08245e0>] ? free_rsp_buf+0x40/0x40 [cifs]
Oops#2 Part6
[<ffffffffa082606e>] SMB2_echo+0x8e/0xb0 [cifs]
[<ffffffffa0808789>] cifs_echo_request+0x79/0xa0 [cifs]
[<ffffffff810b45b3>] process_one_work+0x173/0x4a0
[<ffffffff810b52a1>] worker_thread+0x121/0x3a0
[<ffffffff810b5180>] ? manage_workers.isra.27+0x2b0/0x2b0
[<ffffffff810bae00>] kthread+0xc0/0xd0
[<ffffffff810bad40>] ? kthread_create_on_node+0x120/0x120
[<ffffffff815b199c>] ret_from_fork+0x7c/0xb0
[<ffffffff810bad40>] ? kthread_create_on_node+0x120/0x120
Code: 84 24 b8 00 00 00 4c 89 f1 4c 89 ea 4c 89 e6 48 89 df 4c 89 60 18 48 c7 40 28 00 00 00 00 4c 89 68 30 44 89 70 14 49 8b 44 24 28 <ff> 90 88 00 00 00 3d ef fd ff ff 74 10 48 8d 65 e0 5b 41 5c 41
RIP [<ffffffff814dcc13>] sock_sendmsg+0x93/0xd0
RSP <ffff880148745b00>
CR2: 0000000000000088

The client was in the middle of trying to send a frame when the
server->ssocket pointer got zeroed out. In most places, that we access
that pointer, the srv_mutex is held. There's only one spot that I see
that the server->ssocket pointer gets set and the srv_mutex isn't held.
This patch corrects that.

The upstream bug report was here:

https://bugzilla.kernel.org/show_bug.cgi?id=60557

Reported-by: Oleksii Shevchuk <[email protected]>
Signed-off-by: Jeff Layton <[email protected]>
Signed-off-by: Steve French <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
fs/cifs/connect.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 780385f..ce93dd5 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -382,6 +382,7 @@ cifs_reconnect(struct TCP_Server_Info *server)
try_to_freeze();

/* we should try only the port we connected to before */
+ mutex_lock(&server->srv_mutex);
rc = generic_ip_connect(server);
if (rc) {
cFYI(1, "reconnect error %d", rc);
@@ -393,6 +394,7 @@ cifs_reconnect(struct TCP_Server_Info *server)
server->tcpStatus = CifsNeedNegotiate;
spin_unlock(&GlobalMid_Lock);
}
+ mutex_unlock(&server->srv_mutex);
} while (server->tcpStatus == CifsNeedReconnect);

return rc;
--
1.8.3.2

2013-09-30 10:15:00

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 100/104] ALSA: hda - Add Toshiba Satellite C870 to MSI blacklist

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit 83f72151352791836a1b9c1542614cc9bf71ac61 upstream.

Toshiba Satellite C870 shows interrupt problems occasionally when
certain mixer controls like "Mic Switch" is toggled. This seems
worked around by not using MSI.

Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=833585
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
sound/pci/hda/hda_intel.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index d086bbf..c4b29d4 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -2812,6 +2812,7 @@ static struct snd_pci_quirk msi_black_list[] __devinitdata = {
SND_PCI_QUIRK(0x1043, 0x81f2, "ASUS", 0), /* Athlon64 X2 + nvidia */
SND_PCI_QUIRK(0x1043, 0x81f6, "ASUS", 0), /* nvidia */
SND_PCI_QUIRK(0x1043, 0x822d, "ASUS", 0), /* Athlon64 X2 + nvidia MCP55 */
+ SND_PCI_QUIRK(0x1179, 0xfb44, "Toshiba Satellite C870", 0), /* AMD Hudson */
SND_PCI_QUIRK(0x1849, 0x0888, "ASRock", 0), /* Athlon64 X2 + nvidia */
SND_PCI_QUIRK(0xa0a0, 0x0575, "Aopen MZ915-M", 0), /* ICH6 */
{}
--
1.8.3.2

2013-09-30 10:15:06

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 092/104] mm: fix aio performance regression for database caused by THP

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Khalid Aziz <[email protected]>

commit 7cb2ef56e6a8b7b368b2e883a0a47d02fed66911 upstream.

I am working with a tool that simulates oracle database I/O workload.
This tool (orion to be specific -
<http://docs.oracle.com/cd/E11882_01/server.112/e16638/iodesign.htm#autoId24>)
allocates hugetlbfs pages using shmget() with SHM_HUGETLB flag. It then
does aio into these pages from flash disks using various common block
sizes used by database. I am looking at performance with two of the most
common block sizes - 1M and 64K. aio performance with these two block
sizes plunged after Transparent HugePages was introduced in the kernel.
Here are performance numbers:

pre-THP 2.6.39 3.11-rc5
1M read 8384 MB/s 5629 MB/s 6501 MB/s
64K read 7867 MB/s 4576 MB/s 4251 MB/s

I have narrowed the performance impact down to the overheads introduced by
THP in __get_page_tail() and put_compound_page() routines. perf top shows
>40% of cycles being spent in these two routines. Every time direct I/O
to hugetlbfs pages starts, kernel calls get_page() to grab a reference to
the pages and calls put_page() when I/O completes to put the reference
away. THP introduced significant amount of locking overhead to get_page()
and put_page() when dealing with compound pages because hugepages can be
split underneath get_page() and put_page(). It added this overhead
irrespective of whether it is dealing with hugetlbfs pages or transparent
hugepages. This resulted in 20%-45% drop in aio performance when using
hugetlbfs pages.

Since hugetlbfs pages can not be split, there is no reason to go through
all the locking overhead for these pages from what I can see. I added
code to __get_page_tail() and put_compound_page() to bypass all the
locking code when working with hugetlbfs pages. This improved performance
significantly. Performance numbers with this patch:

pre-THP 3.11-rc5 3.11-rc5 + Patch
1M read 8384 MB/s 6501 MB/s 8371 MB/s
64K read 7867 MB/s 4251 MB/s 6510 MB/s

Performance with 64K read is still lower than what it was before THP, but
still a 53% improvement. It does mean there is more work to be done but I
will take a 53% improvement for now.

Please take a look at the following patch and let me know if it looks
reasonable.

[[email protected]: tweak comments]
Signed-off-by: Khalid Aziz <[email protected]>
Cc: Pravin B Shelar <[email protected]>
Cc: Christoph Lameter <[email protected]>
Cc: Andrea Arcangeli <[email protected]>
Cc: Johannes Weiner <[email protected]>
Cc: Mel Gorman <[email protected]>
Cc: Rik van Riel <[email protected]>
Cc: Minchan Kim <[email protected]>
Cc: Andi Kleen <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
mm/swap.c | 77 ++++++++++++++++++++++++++++++++++++++++++---------------------
1 file changed, 52 insertions(+), 25 deletions(-)

diff --git a/mm/swap.c b/mm/swap.c
index 4e7e2ec..0c833e8 100644
--- a/mm/swap.c
+++ b/mm/swap.c
@@ -30,6 +30,7 @@
#include <linux/backing-dev.h>
#include <linux/memcontrol.h>
#include <linux/gfp.h>
+#include <linux/hugetlb.h>

#include "internal.h"

@@ -77,6 +78,19 @@ static void __put_compound_page(struct page *page)

static void put_compound_page(struct page *page)
{
+ /*
+ * hugetlbfs pages cannot be split from under us. If this is a
+ * hugetlbfs page, check refcount on head page and release the page if
+ * the refcount becomes zero.
+ */
+ if (PageHuge(page)) {
+ page = compound_head(page);
+ if (put_page_testzero(page))
+ __put_compound_page(page);
+
+ return;
+ }
+
if (unlikely(PageTail(page))) {
/* __split_huge_page_refcount can run under us */
struct page *page_head = compound_trans_head(page);
@@ -180,38 +194,51 @@ bool __get_page_tail(struct page *page)
* proper PT lock that already serializes against
* split_huge_page().
*/
- unsigned long flags;
bool got = false;
- struct page *page_head = compound_trans_head(page);
+ struct page *page_head;

- if (likely(page != page_head && get_page_unless_zero(page_head))) {
+ /*
+ * If this is a hugetlbfs page it cannot be split under us. Simply
+ * increment refcount for the head page.
+ */
+ if (PageHuge(page)) {
+ page_head = compound_head(page);
+ atomic_inc(&page_head->_count);
+ got = true;
+ } else {
+ unsigned long flags;
+
+ page_head = compound_trans_head(page);
+ if (likely(page != page_head &&
+ get_page_unless_zero(page_head))) {
+
+ /* Ref to put_compound_page() comment. */
+ if (PageSlab(page_head)) {
+ if (likely(PageTail(page))) {
+ __get_page_tail_foll(page, false);
+ return true;
+ } else {
+ put_page(page_head);
+ return false;
+ }
+ }

- /* Ref to put_compound_page() comment. */
- if (PageSlab(page_head)) {
+ /*
+ * page_head wasn't a dangling pointer but it
+ * may not be a head page anymore by the time
+ * we obtain the lock. That is ok as long as it
+ * can't be freed from under us.
+ */
+ flags = compound_lock_irqsave(page_head);
+ /* here __split_huge_page_refcount won't run anymore */
if (likely(PageTail(page))) {
__get_page_tail_foll(page, false);
- return true;
- } else {
- put_page(page_head);
- return false;
+ got = true;
}
+ compound_unlock_irqrestore(page_head, flags);
+ if (unlikely(!got))
+ put_page(page_head);
}
-
- /*
- * page_head wasn't a dangling pointer but it
- * may not be a head page anymore by the time
- * we obtain the lock. That is ok as long as it
- * can't be freed from under us.
- */
- flags = compound_lock_irqsave(page_head);
- /* here __split_huge_page_refcount won't run anymore */
- if (likely(PageTail(page))) {
- __get_page_tail_foll(page, false);
- got = true;
- }
- compound_unlock_irqrestore(page_head, flags);
- if (unlikely(!got))
- put_page(page_head);
}
return got;
}
--
1.8.3.2

2013-09-30 10:16:14

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 097/104] ARM: PCI: versatile: Fix SMAP register offsets

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Peter Maydell <[email protected]>

commit 99f2b130370b904ca5300079243fdbcafa2c708b upstream.

The SMAP register offsets in the versatile PCI controller code were
all off by four. (This didn't have any observable bad effects
because on this board PHYS_OFFSET is zero, and (a) writing zero to
the flags register at offset 0x10 has no effect and (b) the reset
value of the SMAP register is zero anyway, so failing to write SMAP2
didn't matter.)

Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Linus Walleij <[email protected]>
Signed-off-by: Kevin Hilman <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
arch/arm/mach-versatile/pci.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm/mach-versatile/pci.c b/arch/arm/mach-versatile/pci.c
index 2dbaee9..474e76d 100644
--- a/arch/arm/mach-versatile/pci.c
+++ b/arch/arm/mach-versatile/pci.c
@@ -43,9 +43,9 @@
#define PCI_IMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x0)
#define PCI_IMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x4)
#define PCI_IMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x8)
-#define PCI_SMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x10)
-#define PCI_SMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x14)
-#define PCI_SMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x18)
+#define PCI_SMAP0 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x14)
+#define PCI_SMAP1 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x18)
+#define PCI_SMAP2 __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0x1c)
#define PCI_SELFID __IO_ADDRESS(VERSATILE_PCI_CORE_BASE+0xc)

#define DEVICE_ID_OFFSET 0x00
--
1.8.3.2

2013-09-30 10:16:32

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 096/104] ARM: PCI: versatile: Fix map_irq function to match hardware

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Peter Maydell <[email protected]>

commit f9b71fef12f0d6ac5c7051cfd87f7700f78c56b6 upstream.

The PCI controller code for the Versatile board has never had the
correct IRQ mapping for hardware. For many years it had an odd
mapping ("all interrupts are int 27") which aligned with the
equivalent bug in QEMU. However as of commit 1bc39ac5dab265
the mapping changed and no longer matched either hardware or QEMU,
with the result that any PCI card beyond the first in QEMU would
not have functioning interrupts; for example a boot with a SCSI
controller would time out as follows:

------------
sym0: <895a> rev 0x0 at pci 0000:00:0d.0 irq 92
sym0: SCSI BUS has been reset.
scsi0 : sym-2.2.3
[...]
scsi 0:0:0:0: ABORT operation started
scsi 0:0:0:0: ABORT operation timed-out.
scsi 0:0:0:0: DEVICE RESET operation started
scsi 0:0:0:0: DEVICE RESET operation timed-out.
scsi 0:0:0:0: BUS RESET operation started
scsi 0:0:0:0: BUS RESET operation timed-out.
scsi 0:0:0:0: HOST RESET operation started
sym0: SCSI BUS has been reset
------------

Fix the mapping so that it matches real hardware (checked against the
schematics for PB926 and backplane, and tested against the hardware).
This allows PCI cards using interrupts to work on hardware for the
first time; this change will also work with QEMU 1.5 or later, where
the equivalent bugs in the modelling of the hardware have been fixed.

Although QEMU will attempt to autodetect whether the kernel is
expecting the long-standing "everything is int 27" mapping or the one
hardware has, for certainty we force it into "definitely behave like
hardware mode"; this will avoid unexpected surprises later if we
implement sparse irqs. This is harmless on hardware.

Thanks to Paul Gortmaker for bisecting the problem and finding an initial
solution, to Russell King for providing the correct interrupt mapping,
and to Guenter Roeck for providing an initial version of this patch
and prodding me into relocating the hardware and retesting everything.

Signed-off-by: Peter Maydell <[email protected]>
Reviewed-by: Linus Walleij <[email protected]>
Signed-off-by: Kevin Hilman <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
arch/arm/mach-versatile/pci.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/arch/arm/mach-versatile/pci.c b/arch/arm/mach-versatile/pci.c
index af94887..2dbaee9 100644
--- a/arch/arm/mach-versatile/pci.c
+++ b/arch/arm/mach-versatile/pci.c
@@ -308,6 +308,19 @@ int __init pci_versatile_setup(int nr, struct pci_sys_data *sys)
__raw_writel(PHYS_OFFSET, local_pci_cfg_base + PCI_BASE_ADDRESS_2);

/*
+ * For many years the kernel and QEMU were symbiotically buggy
+ * in that they both assumed the same broken IRQ mapping.
+ * QEMU therefore attempts to auto-detect old broken kernels
+ * so that they still work on newer QEMU as they did on old
+ * QEMU. Since we now use the correct (ie matching-hardware)
+ * IRQ mapping we write a definitely different value to a
+ * PCI_INTERRUPT_LINE register to tell QEMU that we expect
+ * real hardware behaviour and it need not be backwards
+ * compatible for us. This write is harmless on real hardware.
+ */
+ __raw_writel(0, VERSATILE_PCI_VIRT_BASE+PCI_INTERRUPT_LINE);
+
+ /*
* Do not to map Versatile FPGA PCI device into memory space
*/
pci_slot_ignore |= (1 << myslot);
@@ -341,13 +354,13 @@ static int __init versatile_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
{
int irq;

- /* slot, pin, irq
- * 24 1 IRQ_SIC_PCI0
- * 25 1 IRQ_SIC_PCI1
- * 26 1 IRQ_SIC_PCI2
- * 27 1 IRQ_SIC_PCI3
+ /*
+ * Slot INTA INTB INTC INTD
+ * 31 PCI1 PCI2 PCI3 PCI0
+ * 30 PCI0 PCI1 PCI2 PCI3
+ * 29 PCI3 PCI0 PCI1 PCI2
*/
- irq = IRQ_SIC_PCI0 + ((slot - 24 + pin - 1) & 3);
+ irq = IRQ_SIC_PCI0 + ((slot + 2 + pin - 1) & 3);

return irq;
}
--
1.8.3.2

2013-09-30 10:16:54

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 094/104] intel-iommu: Fix leaks in pagetable freeing

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alex Williamson <[email protected]>

commit 3269ee0bd6686baf86630300d528500ac5b516d7 upstream.

At best the current code only seems to free the leaf pagetables and
the root. If you're unlucky enough to have a large gap (like any
QEMU guest with more than 3G of memory), only the first chunk of leaf
pagetables are freed (plus the root). This is a massive memory leak.
This patch re-writes the pagetable freeing function to use a
recursive algorithm and manages to not only free all the pagetables,
but does it without any apparent performance loss versus the current
broken version.

Signed-off-by: Alex Williamson <[email protected]>
Reviewed-by: Marcelo Tosatti <[email protected]>
Signed-off-by: Joerg Roedel <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/iommu/intel-iommu.c | 72 ++++++++++++++++++++++-----------------------
1 file changed, 35 insertions(+), 37 deletions(-)

diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
index eafc4ed..e560f54 100644
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -887,56 +887,54 @@ static int dma_pte_clear_range(struct dmar_domain *domain,
return order;
}

+static void dma_pte_free_level(struct dmar_domain *domain, int level,
+ struct dma_pte *pte, unsigned long pfn,
+ unsigned long start_pfn, unsigned long last_pfn)
+{
+ pfn = max(start_pfn, pfn);
+ pte = &pte[pfn_level_offset(pfn, level)];
+
+ do {
+ unsigned long level_pfn;
+ struct dma_pte *level_pte;
+
+ if (!dma_pte_present(pte) || dma_pte_superpage(pte))
+ goto next;
+
+ level_pfn = pfn & level_mask(level - 1);
+ level_pte = phys_to_virt(dma_pte_addr(pte));
+
+ if (level > 2)
+ dma_pte_free_level(domain, level - 1, level_pte,
+ level_pfn, start_pfn, last_pfn);
+
+ /* If range covers entire pagetable, free it */
+ if (!(start_pfn > level_pfn ||
+ last_pfn < level_pfn + level_size(level))) {
+ dma_clear_pte(pte);
+ domain_flush_cache(domain, pte, sizeof(*pte));
+ free_pgtable_page(level_pte);
+ }
+next:
+ pfn += level_size(level);
+ } while (!first_pte_in_page(++pte) && pfn <= last_pfn);
+}
+
/* free page table pages. last level pte should already be cleared */
static void dma_pte_free_pagetable(struct dmar_domain *domain,
unsigned long start_pfn,
unsigned long last_pfn)
{
int addr_width = agaw_to_width(domain->agaw) - VTD_PAGE_SHIFT;
- struct dma_pte *first_pte, *pte;
- int total = agaw_to_level(domain->agaw);
- int level;
- unsigned long tmp;
- int large_page = 2;

BUG_ON(addr_width < BITS_PER_LONG && start_pfn >> addr_width);
BUG_ON(addr_width < BITS_PER_LONG && last_pfn >> addr_width);
BUG_ON(start_pfn > last_pfn);

/* We don't need lock here; nobody else touches the iova range */
- level = 2;
- while (level <= total) {
- tmp = align_to_level(start_pfn, level);
-
- /* If we can't even clear one PTE at this level, we're done */
- if (tmp + level_size(level) - 1 > last_pfn)
- return;
-
- do {
- large_page = level;
- first_pte = pte = dma_pfn_level_pte(domain, tmp, level, &large_page);
- if (large_page > level)
- level = large_page + 1;
- if (!pte) {
- tmp = align_to_level(tmp + 1, level + 1);
- continue;
- }
- do {
- if (dma_pte_present(pte)) {
- free_pgtable_page(phys_to_virt(dma_pte_addr(pte)));
- dma_clear_pte(pte);
- }
- pte++;
- tmp += level_size(level);
- } while (!first_pte_in_page(pte) &&
- tmp + level_size(level) - 1 <= last_pfn);
+ dma_pte_free_level(domain, agaw_to_level(domain->agaw),
+ domain->pgd, 0, start_pfn, last_pfn);

- domain_flush_cache(domain, first_pte,
- (void *)pte - (void *)first_pte);
-
- } while (tmp && tmp + level_size(level) - 1 <= last_pfn);
- level++;
- }
/* free pgd */
if (start_pfn == 0 && last_pfn == DOMAIN_MAX_PFN(domain->gaw)) {
free_pgtable_page(domain->pgd);
--
1.8.3.2

2013-09-30 10:16:52

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 095/104] MIPS: ath79: Fix ar933x watchdog clock

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Felix Fietkau <[email protected]>

commit a1191927ace7e6f827132aa9e062779eb3f11fa5 upstream.

The watchdog device on the AR933x is connected to
the AHB clock, however the current code uses the
reference clock. Due to the wrong rate, the watchdog
driver can't calculate correct register values for
a given timeout value and the watchdog unexpectedly
restarts the system.

The code uses the wrong value since the initial
commit 04225e1d227c8e68d685936ecf42ac175fec0e54
(MIPS: ath79: add AR933X specific clock init)

The patch fixes the code to use the correct clock
rate to avoid the problem.

Signed-off-by: Felix Fietkau <[email protected]>
Signed-off-by: Gabor Juhos <[email protected]>
Cc: [email protected]
Patchwork: https://patchwork.linux-mips.org/patch/5777/
Signed-off-by: Ralf Baechle <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
arch/mips/ath79/clock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/mips/ath79/clock.c b/arch/mips/ath79/clock.c
index 579f452..300d7d3 100644
--- a/arch/mips/ath79/clock.c
+++ b/arch/mips/ath79/clock.c
@@ -164,7 +164,7 @@ static void __init ar933x_clocks_init(void)
ath79_ahb_clk.rate = freq / t;
}

- ath79_wdt_clk.rate = ath79_ref_clk.rate;
+ ath79_wdt_clk.rate = ath79_ahb_clk.rate;
ath79_uart_clk.rate = ath79_ref_clk.rate;
}

--
1.8.3.2

2013-09-30 10:17:31

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 090/104] ocfs2: fix the end cluster offset of FIEMAP

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Jie Liu <[email protected]>

commit 28e8be31803b19d0d8f76216cb11b480b8a98bec upstream.

Call fiemap ioctl(2) with given start offset as well as an desired mapping
range should show extents if possible. However, we somehow figure out the
end offset of mapping via 'mapping_end -= cpos' before iterating the
extent records which would cause problems if the given fiemap length is
too small to a cluster size, e.g,

Cluster size 4096:
debugfs.ocfs2 1.6.3
Block Size Bits: 12 Cluster Size Bits: 12

The extended fiemap test utility From David:
https://gist.github.com/anonymous/6172331

# dd if=/dev/urandom of=/ocfs2/test_file bs=1M count=1000
# ./fiemap /ocfs2/test_file 4096 10
start: 4096, length: 10
File /ocfs2/test_file has 0 extents:
# Logical Physical Length Flags
^^^^^ <-- No extent is shown

In this case, at ocfs2_fiemap(): cpos == mapping_end == 1. Hence the
loop of searching extent records was not executed at all.

This patch remove the in question 'mapping_end -= cpos', and loops
until the cpos is larger than the mapping_end as usual.

# ./fiemap /ocfs2/test_file 4096 10
start: 4096, length: 10
File /ocfs2/test_file has 1 extents:
# Logical Physical Length Flags
0: 0000000000000000 0000000056a01000 0000000006a00000 0000

Signed-off-by: Jie Liu <[email protected]>
Reported-by: David Weber <[email protected]>
Tested-by: David Weber <[email protected]>
Cc: Sunil Mushran <[email protected]>
Cc: Mark Fashen <[email protected]>
Cc: Joel Becker <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
fs/ocfs2/extent_map.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/fs/ocfs2/extent_map.c b/fs/ocfs2/extent_map.c
index 4dd0239..5083b75 100644
--- a/fs/ocfs2/extent_map.c
+++ b/fs/ocfs2/extent_map.c
@@ -782,7 +782,6 @@ int ocfs2_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
cpos = map_start >> osb->s_clustersize_bits;
mapping_end = ocfs2_clusters_for_bytes(inode->i_sb,
map_start + map_len);
- mapping_end -= cpos;
is_last = 0;
while (cpos < mapping_end && !is_last) {
u32 fe_flags;
--
1.8.3.2

2013-09-30 10:17:29

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 091/104] mm/huge_memory.c: fix potential NULL pointer dereference

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Libin <[email protected]>

commit a8f531ebc33052642b4bd7b812eedf397108ce64 upstream.

In collapse_huge_page() there is a race window between releasing the
mmap_sem read lock and taking the mmap_sem write lock, so find_vma() may
return NULL. So check the return value to avoid NULL pointer dereference.

collapse_huge_page
khugepaged_alloc_page
up_read(&mm->mmap_sem)
down_write(&mm->mmap_sem)
vma = find_vma(mm, address)

Signed-off-by: Libin <[email protected]>
Acked-by: Kirill A. Shutemov <[email protected]>
Reviewed-by: Wanpeng Li <[email protected]>
Reviewed-by: Michal Hocko <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
mm/huge_memory.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 7d0eb9e..613d436 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1900,6 +1900,8 @@ static void collapse_huge_page(struct mm_struct *mm,
goto out;

vma = find_vma(mm, address);
+ if (!vma)
+ goto out;
hstart = (vma->vm_start + ~HPAGE_PMD_MASK) & HPAGE_PMD_MASK;
hend = vma->vm_end & HPAGE_PMD_MASK;
if (address < hstart || address + HPAGE_PMD_SIZE > hend)
--
1.8.3.2

2013-09-30 10:18:05

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 088/104] drm/i915: try not to lose backlight CBLV precision

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Jani Nikula <[email protected]>

commit cac6a5ae0118832936eb162ec4cedb30f2422bcc upstream.

ACPI has _BCM and _BQC methods to set and query the backlight
brightness, respectively. The ACPI opregion has variables BCLP and CBLV
to hold the requested and current backlight brightness, respectively.

The BCLP variable has range 0..255 while the others have range
0..100. This means the _BCM method has to scale the brightness for BCLP,
and the gfx driver has to scale the requested value back for CBLV. If
the _BQC method uses the CBLV variable (apparently some implementations
do, some don't) for current backlight level reporting, there's room for
rounding errors.

Use DIV_ROUND_UP for scaling back to CBLV to get back to the same values
that were passed to _BCM, presuming the _BCM simply uses bclp = (in *
255) / 100 for scaling to BCLP.

Reference: https://gist.github.com/aaronlu/6314920
Reported-by: Aaron Lu <[email protected]>
Signed-off-by: Jani Nikula <[email protected]>
Reviewed-by: Aaron Lu <[email protected]>
Signed-off-by: Daniel Vetter <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/gpu/drm/i915/intel_opregion.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/intel_opregion.c b/drivers/gpu/drm/i915/intel_opregion.c
index e27c170..6d708d7 100644
--- a/drivers/gpu/drm/i915/intel_opregion.c
+++ b/drivers/gpu/drm/i915/intel_opregion.c
@@ -163,7 +163,7 @@ static u32 asle_set_backlight(struct drm_device *dev, u32 bclp)

max = intel_panel_get_max_backlight(dev);
intel_panel_set_backlight(dev, bclp * max / 255);
- iowrite32((bclp*0x64)/0xff | ASLE_CBLV_VALID, &asle->cblv);
+ iowrite32(DIV_ROUND_UP(bclp * 100, 255) | ASLE_CBLV_VALID, &asle->cblv);

return 0;
}
--
1.8.3.2

2013-09-30 10:18:03

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 089/104] powerpc: Default arch idle could cede processor on pseries

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Vaidyanathan Srinivasan <[email protected]>

commit 363edbe2614aa90df706c0f19ccfa2a6c06af0be upstream.

When adding cpuidle support to pSeries, we introduced two
regressions:

- The new cpuidle backend driver only works under hypervisors
supporting the "SLPLAR" option, which isn't the case of the
old POWER4 hypervisor and the HV "light" used on js2x blades

- The cpuidle driver registers fairly late, meaning that for
a significant portion of the boot process, we end up having
all threads spinning. This slows down the boot process and
increases the overall resource usage if the hypervisor has
shared processors.

This fixes both by implementing a "default" idle that will cede
to the hypervisor when possible, in a very simple way without
all the bells and whisles of cpuidle.

Reported-by: Paul Mackerras <[email protected]>
Signed-off-by: Vaidyanathan Srinivasan <[email protected]>
Acked-by: Deepthi Dharwar <[email protected]>
Signed-off-by: Benjamin Herrenschmidt <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
arch/powerpc/platforms/pseries/setup.c | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
index 51ecac9..1e09357 100644
--- a/arch/powerpc/platforms/pseries/setup.c
+++ b/arch/powerpc/platforms/pseries/setup.c
@@ -352,7 +352,7 @@ static int alloc_dispatch_log_kmem_cache(void)
}
early_initcall(alloc_dispatch_log_kmem_cache);

-static void pSeries_idle(void)
+static void pseries_lpar_idle(void)
{
/* This would call on the cpuidle framework, and the back-end pseries
* driver to go to idle states
@@ -360,10 +360,22 @@ static void pSeries_idle(void)
if (cpuidle_idle_call()) {
/* On error, execute default handler
* to go into low thread priority and possibly
- * low power mode.
+ * low power mode by cedeing processor to hypervisor
*/
- HMT_low();
- HMT_very_low();
+
+ /* Indicate to hypervisor that we are idle. */
+ get_lppaca()->idle = 1;
+
+ /*
+ * Yield the processor to the hypervisor. We return if
+ * an external interrupt occurs (which are driven prior
+ * to returning here) or if a prod occurs from another
+ * processor. When returning here, external interrupts
+ * are enabled.
+ */
+ cede_processor();
+
+ get_lppaca()->idle = 0;
}
}

@@ -395,15 +407,14 @@ static void __init pSeries_setup_arch(void)

pSeries_nvram_init();

- if (firmware_has_feature(FW_FEATURE_SPLPAR)) {
+ if (firmware_has_feature(FW_FEATURE_LPAR)) {
vpa_init(boot_cpuid);
- ppc_md.power_save = pSeries_idle;
- }
-
- if (firmware_has_feature(FW_FEATURE_LPAR))
+ ppc_md.power_save = pseries_lpar_idle;
ppc_md.enable_pmcs = pseries_lpar_enable_pmcs;
- else
+ } else {
+ /* No special idle routine */
ppc_md.enable_pmcs = power4_enable_pmcs;
+ }
}

static int __init pSeries_init_panel(void)
--
1.8.3.2

2013-09-30 10:18:44

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 087/104] HID: check for NULL field when setting values

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Kees Cook <[email protected]>

commit be67b68d52fa28b9b721c47bb42068f0c1214855 upstream.

Defensively check that the field to be worked on is not NULL.

Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/hid/hid-core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 104792d..0d76d3f 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1133,7 +1133,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);

int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
{
- unsigned size = field->report_size;
+ unsigned size;
+
+ if (!field)
+ return -1;
+
+ size = field->report_size;

hid_dump_input(field->report->device, field->usage + offset, value);

--
1.8.3.2

2013-09-30 10:13:25

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 078/104] DocBook: upgrade media_api DocBook version to 4.2

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Andrzej Hajda <[email protected]>

commit 8bfd4a68ecc003c1a142f35551be846d6b13e822 upstream.

Fixes the last three errors of media_api DocBook validatation:
(...)
media_api.xml:414: element imagedata: validity error : Value "SVG" for attribute format of imagedata is not among the enumerated set
media_api.xml:432: element imagedata: validity error : Value "SVG" for attribute format of imagedata is not among the enumerated set
media_api.xml:452: element imagedata: validity error : Value "SVG" for attribute format of imagedata is not among the enumerated set
(...)

Signed-off-by: Andrzej Hajda <[email protected]>
Signed-off-by: Kyungmin Park <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
Documentation/DocBook/media_api.tmpl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Documentation/DocBook/media_api.tmpl b/Documentation/DocBook/media_api.tmpl
index 4e8e898..541f22d 100644
--- a/Documentation/DocBook/media_api.tmpl
+++ b/Documentation/DocBook/media_api.tmpl
@@ -1,6 +1,6 @@
<?xml version="1.0"?>
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY % media-entities SYSTEM "./media-entities.tmpl"> %media-entities;
<!ENTITY media-indices SYSTEM "./media-indices.tmpl">

--
1.8.3.2

2013-09-30 10:19:06

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 084/104] HID: pantherlord: validate output report details

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Kees Cook <[email protected]>

commit 412f30105ec6735224535791eed5cdc02888ecb4 upstream.

A HID device could send a malicious output report that would cause the
pantherlord HID driver to write beyond the output report allocation
during initialization, causing a heap overflow:

[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
...
[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten

CVE-2013-2892

Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/hid/hid-pl.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
index 47ed74c..00cd2f8 100644
--- a/drivers/hid/hid-pl.c
+++ b/drivers/hid/hid-pl.c
@@ -129,8 +129,14 @@ static int plff_init(struct hid_device *hid)
strong = &report->field[0]->value[2];
weak = &report->field[0]->value[3];
debug("detected single-field device");
- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
+ } else if (report->field[0]->maxusage == 1 &&
+ report->field[0]->usage[0].hid ==
+ (HID_UP_LED | 0x43) &&
+ report->maxfield >= 4 &&
+ report->field[0]->report_count >= 1 &&
+ report->field[1]->report_count >= 1 &&
+ report->field[2]->report_count >= 1 &&
+ report->field[3]->report_count >= 1) {
report->field[0]->value[0] = 0x00;
report->field[1]->value[0] = 0x00;
strong = &report->field[2]->value[0];
--
1.8.3.2

2013-09-30 10:19:22

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 082/104] exynos4-is: Fix entity unregistration on error path

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Sylwester Nawrocki <[email protected]>

commit d2b903b4427e417a73863cef36ad0796ea6b7404 upstream.

This patch corrects media entities unregistration order to make sure
the fimc.N.capture and fimc-lite video nodes are unregistered with
fimc->lock mutex held. This prevents races between video device open()
and defered probing and NULL pointer dereference in open() callback
as follows:
[ 77.645000] Unable to handle kernel NULL pointer dereference at virtual address 00000290t
[ 77.655000] pgd = ee7a8000
[ 77.660000] [00000290] *pgd=6e13c831, *pte=00000000, *ppte=00000000
[ 77.665000] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[ 77.670000] Modules linked in: s5p_fimc ipv6 exynos_fimc_is exynos_fimc_lite
s5p_csis v4l2_mem2mem videobuf2_dma_contig videobuf2_memops exynos4_is_common videobuf2_core [last unloaded: s5p_fimc]
[ 77.685000] CPU: 0 PID : 2998 Comm: v4l_id Tainted: G W 3.10.0-next-20130709-00039-g39f491b-dirty #1548
[ 77.695000] task: ee084000 ti: ee46e000 task.ti: ee46e000
[ 77.700000] PC is at __mutex_lock_slowpath+0x54/0x368
[ 77.705000] LR is at __mutex_lock_slowpath+0x24/0x368
[ 77.710000] pc : [<c038dc10>] lr : [<c038dbe0>] psr: 60000093
[ 77.710000] sp : ee46fd70 ip : 000008c8 fp : c054e34c
[ 77.725000] r10: ee084000 r9 : 00000000 r8 : ee439480
[ 77.730000] r7 : ee46e000 r6 : 60000013 r5 : 00000290 r4 : 0000028c
[ 77.735000] r3 : 00000000 r2 : 00000000 r1 : 20000093 r0 : 00000001
[ 77.740000] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
[ 77.750000] Control: 10c5387d Table: 6e7a804a DAC: 00000015
[ 77.755000] Process v4l_id (pid: 2998, stack limit = 0xee46e238)
[ 77.760000] Stack: (0xee46fd70 to 0xee470000)
...
[ 77.935000] [<c038dc10>] (__mutex_lock_slowpath+0x54/0x368) from [<c038df30>] (mutex_lock+0xc/0x24)
[ 77.945000] [<c038df30>] (mutex_lock+0xc/0x24) from [<bf03fa90>] (fimc_lite_open+0x12c/0x2bc [exynos_fimc_lite])
[ 77.955000] [<bf03fa90>] (fimc_lite_open+0x12c/0x2bc [exynos_fimc_lite]) from [<c02ab11c>] (v4l2_open+0xa0/0xe0)
[ 77.965000] [<c02ab11c>] (v4l2_open+0xa0/0xe0) from [<c00b1de4>] (chrdev_open+0x88/0x170)
[ 77.975000] [<c00b1de4>] (chrdev_open+0x88/0x170) from [<c00ac710>] (do_dentry_open.isra.14+0x1d8/0x258)
[ 77.985000] [<c00ac710>] (do_dentry_open.isra.14+0x1d8/0x258) from [<c00ac860>] (finish_open+0x20/0x38)
[ 77.995000] [<c00ac860>] (finish_open+0x20/0x38) from [<c00ba658>] (do_last.isra.43+0x538/0xb1c)
[ 78.000000] [<c00ba658>] (do_last.isra.43+0x538/0xb1c) from [<c00bacf0>] (path_openat+0xb4/0x5c4)
[ 78.010000] [<c00bacf0>] (path_openat+0xb4/0x5c4) from [<c00bb4b4>] (do_filp_open+0x2c/0x80)
[ 78.020000] [<c00bb4b4>] (do_filp_open+0x2c/0x80) from [<c00ad744>] (do_sys_open+0xf4/0x1a8)
[ 78.025000] [<c00ad744>] (do_sys_open+0xf4/0x1a8) from [<c000e320>] (ret_fast_syscall+0x0/0x30)
[ 78.035000] Code: 1a000093 e10f6000 f10c0080 e2845004 (e1953f9f)

Reported-by: Andrzej Hajda <[email protected]>
Signed-off-by: Sylwester Nawrocki <[email protected]>
Signed-off-by: Kyungmin Park <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[ luis: backported to 3.5:
- file rename drivers/media/platform/exynos4-is/media-dev.c ->
drivers/media/video/s5p-fimc/fimc-mdevice.c ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/media/video/s5p-fimc/fimc-mdevice.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/video/s5p-fimc/fimc-mdevice.c b/drivers/media/video/s5p-fimc/fimc-mdevice.c
index 52cef48..8a3ec6f 100644
--- a/drivers/media/video/s5p-fimc/fimc-mdevice.c
+++ b/drivers/media/video/s5p-fimc/fimc-mdevice.c
@@ -980,9 +980,9 @@ static int fimc_md_probe(struct platform_device *pdev)
err_unlock:
mutex_unlock(&fmd->media_dev.graph_mutex);
err_clk:
- media_device_unregister(&fmd->media_dev);
fimc_md_put_clocks(fmd);
fimc_md_unregister_entities(fmd);
+ media_device_unregister(&fmd->media_dev);
err_md:
v4l2_device_unregister(&fmd->v4l2_dev);
return ret;
--
1.8.3.2

2013-09-30 10:19:43

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 081/104] exynos4-is: Fix fimc-lite bayer formats

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Arun Kumar K <[email protected]>

commit 3396b096c54a84603c51bd705effa88f7f5b0d76 upstream.

The 10-bit and 12-bit Bayer output formats supported by FIMC-LITE
actually use 16 bits where the extra bits are padded with zeros.
The patch corrects buffer allocation for these two formats by
modifying the depth field. This prevents memory corruption by the
output DMA due to insufficient buffer size.

Signed-off-by: Arun Kumar K <[email protected]>
Signed-off-by: Sylwester Nawrocki <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/media/video/s5p-fimc/fimc-lite.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/video/s5p-fimc/fimc-lite.c b/drivers/media/video/s5p-fimc/fimc-lite.c
index 9132f61..f35903c 100644
--- a/drivers/media/video/s5p-fimc/fimc-lite.c
+++ b/drivers/media/video/s5p-fimc/fimc-lite.c
@@ -75,14 +75,14 @@ static const struct fimc_fmt fimc_lite_formats[] = {
}, {
.name = "RAW10 (GRBG)",
.fourcc = V4L2_PIX_FMT_SGRBG10,
- .depth = { 10 },
+ .depth = { 16 },
.color = FIMC_FMT_RAW10,
.memplanes = 1,
.mbus_code = V4L2_MBUS_FMT_SGRBG10_1X10,
}, {
.name = "RAW12 (GRBG)",
.fourcc = V4L2_PIX_FMT_SGRBG12,
- .depth = { 12 },
+ .depth = { 16 },
.color = FIMC_FMT_RAW12,
.memplanes = 1,
.mbus_code = V4L2_MBUS_FMT_SGRBG12_1X12,
--
1.8.3.2

2013-09-30 10:19:42

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 080/104] hdpvr: fix iteration over uninitialized lists in hdpvr_probe()

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexey Khoroshilov <[email protected]>

commit 2e923a0527ac439e135b9961e58d3acd876bba10 upstream.

free_buff_list and rec_buff_list are initialized in the middle of hdpvr_probe(),
but if something bad happens before that, error handling code calls hdpvr_delete(),
which contains iteration over the lists (via hdpvr_free_buffers()).
The patch moves the lists initialization to the beginning and by the way fixes
goto label in error handling of registering videodev.
Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[ luis: backported to 3.5:
- dropped hdpvr_register_videodev() error handling hunk ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/media/video/hdpvr/hdpvr-core.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/media/video/hdpvr/hdpvr-core.c b/drivers/media/video/hdpvr/hdpvr-core.c
index 304f43e..dcb7833 100644
--- a/drivers/media/video/hdpvr/hdpvr-core.c
+++ b/drivers/media/video/hdpvr/hdpvr-core.c
@@ -309,6 +309,11 @@ static int hdpvr_probe(struct usb_interface *interface,

dev->workqueue = 0;

+ /* init video transfer queues first of all */
+ /* to prevent oops in hdpvr_delete() on error paths */
+ INIT_LIST_HEAD(&dev->free_buff_list);
+ INIT_LIST_HEAD(&dev->rec_buff_list);
+
/* register v4l2_device early so it can be used for printks */
if (v4l2_device_register(&interface->dev, &dev->v4l2_dev)) {
dev_err(&interface->dev, "v4l2_device_register failed\n");
@@ -331,10 +336,6 @@ static int hdpvr_probe(struct usb_interface *interface,
if (!dev->workqueue)
goto error;

- /* init video transfer queues */
- INIT_LIST_HEAD(&dev->free_buff_list);
- INIT_LIST_HEAD(&dev->rec_buff_list);
-
dev->options = hdpvr_default_options;

if (default_video_input < HDPVR_VIDEO_INPUTS)
--
1.8.3.2

2013-09-30 10:20:18

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 079/104] v4l2: added missing mutex.h include to v4l2-ctrls.h

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Andrzej Hajda <[email protected]>

commit a19dec6ea94c036af68c31930c1c92681f55af41 upstream.

This patch fixes following error:
include/media/v4l2-ctrls.h:193:15: error: field ‘_lock’ has incomplete type
include/media/v4l2-ctrls.h: In function ‘v4l2_ctrl_lock’:
include/media/v4l2-ctrls.h:570:2: error: implicit declaration of
function ‘mutex_lock’ [-Werror=implicit-function-declaration]
include/media/v4l2-ctrls.h: In function ‘v4l2_ctrl_unlock’:
include/media/v4l2-ctrls.h:579:2: error: implicit declaration of
function ‘mutex_unlock’ [-Werror=implicit-function-declaration]

Signed-off-by: Andrzej Hajda <[email protected]>
Signed-off-by: Kyungmin Park <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
include/media/v4l2-ctrls.h | 1 +
1 file changed, 1 insertion(+)

diff --git a/include/media/v4l2-ctrls.h b/include/media/v4l2-ctrls.h
index 776605f..9b08010 100644
--- a/include/media/v4l2-ctrls.h
+++ b/include/media/v4l2-ctrls.h
@@ -22,6 +22,7 @@
#define _V4L2_CTRLS_H

#include <linux/list.h>
+#include <linux/mutex.h>
#include <linux/videodev2.h>

/* forward references */
--
1.8.3.2

2013-09-30 10:20:21

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 077/104] s5p-g2d: Fix registration failure

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Sachin Kamat <[email protected]>

commit 8a09a4cc9bd9389dc6a3b5b2dd3a7d64d2fab7e1 upstream.

Commit 1c1d86a1ea ("[media] v4l2: always require v4l2_dev,
rename parent to dev_parent") expects v4l2_dev to be always set.
It converted most of the drivers using the parent field of video_device
to v4l2_dev field. G2D driver did not set the parent field. Hence it got
left out. Without this patch we get the following boot warning and G2D
driver fails to register the video device.
WARNING: CPU: 0 PID: 1 at drivers/media/v4l2-core/v4l2-dev.c:775 __video_register_device+0xfc0/0x1028()
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.11.0-rc1-00001-g1c3e372-dirty #9
[<c0014b7c>] (unwind_backtrace+0x0/0xf4) from [<c0011524>] (show_stack+0x10/0x14)
[<c0011524>] (show_stack+0x10/0x14) from [<c041d7a8>] (dump_stack+0x7c/0xb0)
[<c041d7a8>] (dump_stack+0x7c/0xb0) from [<c001dc94>] (warn_slowpath_common+0x6c/0x88)
[<c001dc94>] (warn_slowpath_common+0x6c/0x88) from [<c001dd4c>] (warn_slowpath_null+0x1c/0x24)
[<c001dd4c>] (warn_slowpath_null+0x1c/0x24) from [<c02cf8d4>] (__video_register_device+0xfc0/0x1028)
[<c02cf8d4>] (__video_register_device+0xfc0/0x1028) from [<c0311a94>] (g2d_probe+0x1f8/0x398)
[<c0311a94>] (g2d_probe+0x1f8/0x398) from [<c0247d54>] (platform_drv_probe+0x14/0x18)
[<c0247d54>] (platform_drv_probe+0x14/0x18) from [<c0246b10>] (driver_probe_device+0x108/0x220)
[<c0246b10>] (driver_probe_device+0x108/0x220) from [<c0246cf8>] (__driver_attach+0x8c/0x90)
[<c0246cf8>] (__driver_attach+0x8c/0x90) from [<c0245050>] (bus_for_each_dev+0x60/0x94)
[<c0245050>] (bus_for_each_dev+0x60/0x94) from [<c02462c8>] (bus_add_driver+0x1c0/0x24c)
[<c02462c8>] (bus_add_driver+0x1c0/0x24c) from [<c02472d0>] (driver_register+0x78/0x140)
[<c02472d0>] (driver_register+0x78/0x140) from [<c00087c8>] (do_one_initcall+0xf8/0x144)
[<c00087c8>] (do_one_initcall+0xf8/0x144) from [<c05b29e8>] (kernel_init_freeable+0x13c/0x1d8)
[<c05b29e8>] (kernel_init_freeable+0x13c/0x1d8) from [<c041a108>] (kernel_init+0xc/0x160)
[<c041a108>] (kernel_init+0xc/0x160) from [<c000e2f8>] (ret_from_fork+0x14/0x3c)
---[ end trace 4e0ec028b0028e02 ]---
s5p-g2d 12800000.g2d: Failed to register video device
s5p-g2d: probe of 12800000.g2d failed with error -22

Signed-off-by: Sachin Kamat <[email protected]>
Cc: Hans Verkuil <[email protected]>
Signed-off-by: Kamil Debski <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/media/video/s5p-g2d/g2d.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/media/video/s5p-g2d/g2d.c b/drivers/media/video/s5p-g2d/g2d.c
index 7c98ee7..a96d7a2 100644
--- a/drivers/media/video/s5p-g2d/g2d.c
+++ b/drivers/media/video/s5p-g2d/g2d.c
@@ -753,6 +753,7 @@ static int g2d_probe(struct platform_device *pdev)
This driver needs auditing so that this flag can be removed. */
set_bit(V4L2_FL_LOCK_ALL_FOPS, &vfd->flags);
vfd->lock = &dev->mutex;
+ vfd->v4l2_dev = &dev->v4l2_dev;
ret = video_register_device(vfd, VFL_TYPE_GRABBER, 0);
if (ret) {
v4l2_err(&dev->v4l2_dev, "Failed to register video device\n");
--
1.8.3.2

2013-09-30 10:21:00

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 075/104] fuse: postpone end_page_writeback() in fuse_writepage_locked()

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Maxim Patlasov <[email protected]>

commit 4a4ac4eba1010ef9a804569058ab29e3450c0315 upstream.

The patch fixes a race between ftruncate(2), mmap-ed write and write(2):

1) An user makes a page dirty via mmap-ed write.
2) The user performs shrinking truncate(2) intended to purge the page.
3) Before fuse_do_setattr calls truncate_pagecache, the page goes to
writeback. fuse_writepage_locked fills FUSE_WRITE request and releases
the original page by end_page_writeback.
4) fuse_do_setattr() completes and successfully returns. Since now, i_mutex
is free.
5) Ordinary write(2) extends i_size back to cover the page. Note that
fuse_send_write_pages do wait for fuse writeback, but for another
page->index.
6) fuse_writepage_locked proceeds by queueing FUSE_WRITE request.
fuse_send_writepage is supposed to crop inarg->size of the request,
but it doesn't because i_size has already been extended back.

Moving end_page_writeback to the end of fuse_writepage_locked fixes the
race because now the fact that truncate_pagecache is successfully returned
infers that fuse_writepage_locked has already called end_page_writeback.
And this, in turn, infers that fuse_flush_writepages has already called
fuse_send_writepage, and the latter used valid (shrunk) i_size. write(2)
could not extend it because of i_mutex held by ftruncate(2).

Signed-off-by: Maxim Patlasov <[email protected]>
Signed-off-by: Miklos Szeredi <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
fs/fuse/file.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 514f12a..e7785e4 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1296,7 +1296,6 @@ static int fuse_writepage_locked(struct page *page)

inc_bdi_stat(mapping->backing_dev_info, BDI_WRITEBACK);
inc_zone_page_state(tmp_page, NR_WRITEBACK_TEMP);
- end_page_writeback(page);

spin_lock(&fc->lock);
list_add(&req->writepages_entry, &fi->writepages);
@@ -1304,6 +1303,8 @@ static int fuse_writepage_locked(struct page *page)
fuse_flush_writepages(inode);
spin_unlock(&fc->lock);

+ end_page_writeback(page);
+
return 0;

err_free:
--
1.8.3.2

2013-09-30 10:20:56

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 046/104] ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not match

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Hannes Frederic Sowa <[email protected]>

commit 3e3be275851bc6fc90bfdcd732cd95563acd982b upstream.

In case a subtree did not match we currently stop backtracking and return
NULL (root table from fib_lookup). This could yield in invalid routing
table lookups when using subtrees.

Instead continue to backtrack until a valid subtree or node is found
and return this match.

Also remove unneeded NULL check.

Reported-by: Teco Boot <[email protected]>
Cc: YOSHIFUJI Hideaki <[email protected]>
Cc: David Lamparter <[email protected]>
Cc: <[email protected]>
Signed-off-by: Hannes Frederic Sowa <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
net/ipv6/ip6_fib.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 0907191..3c30320 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -949,14 +949,22 @@ static struct fib6_node * fib6_lookup_1(struct fib6_node *root,

if (ipv6_prefix_equal(&key->addr, args->addr, key->plen)) {
#ifdef CONFIG_IPV6_SUBTREES
- if (fn->subtree)
- fn = fib6_lookup_1(fn->subtree, args + 1);
+ if (fn->subtree) {
+ struct fib6_node *sfn;
+ sfn = fib6_lookup_1(fn->subtree,
+ args + 1);
+ if (!sfn)
+ goto backtrack;
+ fn = sfn;
+ }
#endif
- if (!fn || fn->fn_flags & RTN_RTINFO)
+ if (fn->fn_flags & RTN_RTINFO)
return fn;
}
}
-
+#ifdef CONFIG_IPV6_SUBTREES
+backtrack:
+#endif
if (fn->fn_flags & RTN_ROOT)
break;

--
1.8.3.2

2013-09-30 10:21:31

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 073/104] HID: input: return ENODATA if reading battery attrs fails

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: David Herrmann <[email protected]>

commit d0a934b764c67b4bf626f5b7cf725a6e3066afd2 upstream.

power_supply core has the bad habit of calling our battery callbacks
from within power_supply_register(). Furthermore, if the callbacks
fail with an unhandled error code, it will skip any uevent that it
might currently process.
So if HID-core registers battery devices, an "add" uevent is generated
and the battery callbacks are called. These will gracefully fail due
to timeouts as they might still hold locks on event processing. One
could argue that this should be fixed in power_supply core, but the
least we can do is to signal ENODATA so power_supply core will just
skip the property and continue with the uevent.

This fixes a bug where "add" and "remove" uevents are skipped for
battery devices. upower is unable to track these devices and currently
needs to ignore them.

This patch also overwrites any other error code. I cannot see any reason
why we should forward protocol- or I/O-errors to the power_supply core.
We handle these errors in hid_ll_driver later, anyway, so just skip
them. power_supply core cannot do anything useful with them, anyway,
and we avoid skipping important uevents and confusing user-space.

Thanks a lot to Daniel Nicoletti for pushing and investigating
on this.

Cc: Jiri Kosina <[email protected]>
Cc: Anton Vorontsov <[email protected]>
Cc: David Woodhouse <[email protected]>
Reported-by: Daniel Nicoletti <[email protected]>
Signed-off-by: David Herrmann <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
[ luis: 3.5.y-prereq for:
6c2794a HID: battery: don't do DMA from stack ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/hid/hid-input.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index 5301006..73f2f7c 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -339,10 +339,10 @@ static int hidinput_get_battery_property(struct power_supply *psy,
dev->battery_report_type);

if (ret != 2) {
- if (ret >= 0)
- ret = -EINVAL;
+ ret = -ENODATA;
break;
}
+ ret = 0;

if (dev->battery_min < dev->battery_max &&
buf[1] >= dev->battery_min &&
--
1.8.3.2

2013-09-30 10:13:09

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 070/104] drm/radeon: fix handling of variable sized arrays for router objects

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <[email protected]>

commit fb93df1c2d8b3b1fb16d6ee9e32554e0c038815d upstream.

The table has the following format:

typedef struct _ATOM_SRC_DST_TABLE_FOR_ONE_OBJECT //usSrcDstTableOffset pointing to this structure
{
UCHAR ucNumberOfSrc;
USHORT usSrcObjectID[1];
UCHAR ucNumberOfDst;
USHORT usDstObjectID[1];
}ATOM_SRC_DST_TABLE_FOR_ONE_OBJECT;

usSrcObjectID[] and usDstObjectID[] are variably sized, so we
can't access them directly. Use pointers and update the offset
appropriately when accessing the Dst members.

Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/gpu/drm/radeon/radeon_atombios.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
index fa9b022..c54d295 100644
--- a/drivers/gpu/drm/radeon/radeon_atombios.c
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
@@ -715,13 +715,16 @@ bool radeon_get_atom_connector_info_from_object_table(struct drm_device *dev)
(ATOM_SRC_DST_TABLE_FOR_ONE_OBJECT *)
(ctx->bios + data_offset +
le16_to_cpu(router_obj->asObjects[k].usSrcDstTableOffset));
+ u8 *num_dst_objs = (u8 *)
+ ((u8 *)router_src_dst_table + 1 +
+ (router_src_dst_table->ucNumberOfSrc * 2));
+ u16 *dst_objs = (u16 *)(num_dst_objs + 1);
int enum_id;

router.router_id = router_obj_id;
- for (enum_id = 0; enum_id < router_src_dst_table->ucNumberOfDst;
- enum_id++) {
+ for (enum_id = 0; enum_id < (*num_dst_objs); enum_id++) {
if (le16_to_cpu(path->usConnObjectId) ==
- le16_to_cpu(router_src_dst_table->usDstObjectID[enum_id]))
+ le16_to_cpu(dst_objs[enum_id]))
break;
}

--
1.8.3.2

2013-09-30 10:21:49

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 074/104] HID: battery: don't do DMA from stack

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Jiri Kosina <[email protected]>

commit 6c2794a2984f4c17a58117a68703cc7640f01c5a upstream.

Instead of using data from stack for DMA in hidinput_get_battery_property(),
allocate the buffer dynamically.

Reported-by: Richard Ryniker <[email protected]>
Reported-by: Alan Stern <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/hid/hid-input.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index 73f2f7c..c460b74 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -325,7 +325,7 @@ static int hidinput_get_battery_property(struct power_supply *psy,
{
struct hid_device *dev = container_of(psy, struct hid_device, battery);
int ret = 0;
- __u8 buf[2] = {};
+ __u8 *buf;

switch (prop) {
case POWER_SUPPLY_PROP_PRESENT:
@@ -334,12 +334,19 @@ static int hidinput_get_battery_property(struct power_supply *psy,
break;

case POWER_SUPPLY_PROP_CAPACITY:
+
+ buf = kmalloc(2 * sizeof(__u8), GFP_KERNEL);
+ if (!buf) {
+ ret = -ENOMEM;
+ break;
+ }
ret = dev->hid_get_raw_report(dev, dev->battery_report_id,
- buf, sizeof(buf),
+ buf, 2,
dev->battery_report_type);

if (ret != 2) {
ret = -ENODATA;
+ kfree(buf);
break;
}
ret = 0;
@@ -349,6 +356,7 @@ static int hidinput_get_battery_property(struct power_supply *psy,
buf[1] <= dev->battery_max)
val->intval = (100 * (buf[1] - dev->battery_min)) /
(dev->battery_max - dev->battery_min);
+ kfree(buf);
break;

case POWER_SUPPLY_PROP_MODEL_NAME:
--
1.8.3.2

2013-09-30 10:22:19

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 071/104] radeon kms: fix uninitialised hotplug work usage in r100_irq_process()

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Sergey Senozhatsky <[email protected]>

commit 27c505ca84e164ec66ad55dcf3f5befaac83f10a upstream.

Commit a01c34f72e7cd2624570818f579b5ab464f93de2 (radeon kms: do not
flush uninitialized hotplug work) moved work initialisation phase to
the last step of radeon_irq_kms_init(). Meelis Roos reported that this
causes problems on his machine because drm_irq_install() uses hotplug
work on r100.

hotplug work flushed in radeon_irq_kms_fini(), with two possible cases:
-- radeon_irq_kms_fini() call after successful radeon_irq_kms_init()
-- radeon_irq_kms_fini() call after unsuccessful (or not called at all)
radeon_irq_kms_init()

The latter one causes flush work on uninitialised hotplug work. Move
work initialisation before drm_irq_install(), but keep existing agreement
to flush hotplug work in radeon_irq_kms_fini() only for `irq.installed'
(successful radeon_irq_kms_init()) case.

WARNING: CPU: 0 PID: 243 at kernel/workqueue.c:1378 __queue_work+0x132/0x16d()
Call Trace:
[<c12319b3>] ? dump_stack+0xa/0x13
[<c1022600>] ? warn_slowpath_common+0x75/0x8a
[<c1031010>] ? __queue_work+0x132/0x16d
[<c1031010>] ? __queue_work+0x132/0x16d
[<c102269e>] ? warn_slowpath_null+0x1b/0x1f
[<c1031010>] ? __queue_work+0x132/0x16d
[<c103107b>] ? queue_work_on+0x30/0x40
[<f8aed3f3>] ? r100_irq_process+0x16d/0x1e6 [radeon]
[<f8ae77cf>] ? radeon_driver_irq_preinstall_kms+0xc2/0xc5 [radeon]
[<f8974d77>] ? drm_irq_install+0xb2/0x1ac [drm]
[<f897604d>] ? drm_vblank_init+0x196/0x1d2 [drm]
[<f8ae78d3>] ? radeon_irq_kms_init+0x33/0xc6 [radeon]
[<f8aef35a>] ? r100_startup+0x1a3/0x1d6 [radeon]
[<f8ad77c8>] ? radeon_ttm_init+0x26e/0x287 [radeon]
[<f8aef752>] ? r100_init+0x2b3/0x309 [radeon]
[<c118082e>] ? vga_client_register+0x39/0x40
[<f8ac535f>] ? radeon_device_init+0x54b/0x61b [radeon]
[<f8ac40fd>] ? cail_mc_write+0x13/0x13 [radeon]
[<f8ac6864>] ? radeon_driver_load_kms+0x82/0xda [radeon]
[<f8978bbd>] ? drm_get_pci_dev+0x136/0x22d [drm]
[<f8ac409b>] ? radeon_pci_probe+0x6c/0x86 [radeon]
[<c112acf6>] ? pci_device_probe+0x4c/0x83
[<c11846c7>] ? driver_probe_device+0x80/0x184
[<c112a848>] ? pci_match_id+0x18/0x36
[<c1184837>] ? __driver_attach+0x44/0x5f
[<c11833f4>] ? bus_for_each_dev+0x50/0x5a
[<c118433e>] ? driver_attach+0x14/0x16
[<c11847f3>] ? __device_attach+0x28/0x28
[<c1184045>] ? bus_add_driver+0xd6/0x1bf
[<c1184c22>] ? driver_register+0x78/0xcf
[<f8ba8000>] ? 0xf8ba7fff
[<c10003bf>] ? do_one_initcall+0x8b/0x121
[<c101e668>] ? change_page_attr_clear+0x2e/0x33
[<f8ba8000>] ? 0xf8ba7fff
[<c101e689>] ? set_memory_ro+0x1c/0x20
[<c104de94>] ? set_page_attributes+0x11/0x12
[<c104f6e1>] ? load_module+0x12fa/0x17e8
[<c107483b>] ? map_vm_area+0x22/0x31
[<c104fc36>] ? SyS_init_module+0x67/0x7d
[<c1234245>] ? sysenter_do_call+0x12/0x26

Reported-by: Meelis Roos <[email protected]>
Tested-by: Meelis Roos <[email protected]>
Signed-off-by: Sergey Senozhatsky <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
[ luis: backported to 3.5:
- dropped initialisation of reset_work handler ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/gpu/drm/radeon/radeon_irq_kms.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_irq_kms.c b/drivers/gpu/drm/radeon/radeon_irq_kms.c
index 30003b6..6169e1b 100644
--- a/drivers/gpu/drm/radeon/radeon_irq_kms.c
+++ b/drivers/gpu/drm/radeon/radeon_irq_kms.c
@@ -198,16 +198,18 @@ int radeon_irq_kms_init(struct radeon_device *rdev)
dev_info(rdev->dev, "radeon: using MSI.\n");
}
}
+
+ INIT_WORK(&rdev->hotplug_work, radeon_hotplug_work_func);
+ INIT_WORK(&rdev->audio_work, r600_audio_update_hdmi);
+
rdev->irq.installed = true;
r = drm_irq_install(rdev->ddev);
if (r) {
rdev->irq.installed = false;
+ flush_work(&rdev->hotplug_work);
return r;
}

- INIT_WORK(&rdev->hotplug_work, radeon_hotplug_work_func);
- INIT_WORK(&rdev->audio_work, r600_audio_update_hdmi);
-
DRM_INFO("radeon: irq initialized.\n");
return 0;
}
--
1.8.3.2

2013-09-30 10:22:18

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 072/104] drm/radeon: fix init ordering for r600+

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <[email protected]>

commit e5903d399a7b0e5c14673c1206f4aeec2859c730 upstream.

The vram scratch buffer needs to be initialized
before the mc is programmed otherwise we program
0 as the GPU address of the default GPU fault
page. In most cases we put vram at zero anyway and
reserve a page for the legacy vga buffer so in practice
this shouldn't cause any problems, but better to make
it correct.

Was changed in:
6fab3febf6d949b0a12b1e4e73db38e4a177a79e

Reported-by: FrankR Huang <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
[ luis: backported to 3.5:
- adjusted context
-dropped changes to drivers/gpu/drm/radeon/cik.c ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/gpu/drm/radeon/evergreen.c | 9 +++++----
drivers/gpu/drm/radeon/ni.c | 9 +++++----
drivers/gpu/drm/radeon/r600.c | 9 +++++----
drivers/gpu/drm/radeon/rv770.c | 9 +++++----
drivers/gpu/drm/radeon/si.c | 9 +++++----
5 files changed, 25 insertions(+), 20 deletions(-)

diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
index 269fa76..650e2d7 100644
--- a/drivers/gpu/drm/radeon/evergreen.c
+++ b/drivers/gpu/drm/radeon/evergreen.c
@@ -3081,6 +3081,11 @@ static int evergreen_startup(struct radeon_device *rdev)
/* enable pcie gen2 link */
evergreen_pcie_gen2_enable(rdev);

+ /* scratch needs to be initialized before MC */
+ r = r600_vram_scratch_init(rdev);
+ if (r)
+ return r;
+
evergreen_mc_program(rdev);

if (ASIC_IS_DCE5(rdev)) {
@@ -3106,10 +3111,6 @@ static int evergreen_startup(struct radeon_device *rdev)
}
}

- r = r600_vram_scratch_init(rdev);
- if (r)
- return r;
-
if (rdev->flags & RADEON_IS_AGP) {
evergreen_agp_enable(rdev);
} else {
diff --git a/drivers/gpu/drm/radeon/ni.c b/drivers/gpu/drm/radeon/ni.c
index ba9ae56..fcd7335 100644
--- a/drivers/gpu/drm/radeon/ni.c
+++ b/drivers/gpu/drm/radeon/ni.c
@@ -1239,6 +1239,11 @@ static int cayman_startup(struct radeon_device *rdev)
/* enable pcie gen2 link */
evergreen_pcie_gen2_enable(rdev);

+ /* scratch needs to be initialized before MC */
+ r = r600_vram_scratch_init(rdev);
+ if (r)
+ return r;
+
evergreen_mc_program(rdev);

if (rdev->flags & RADEON_IS_IGP) {
@@ -1265,10 +1270,6 @@ static int cayman_startup(struct radeon_device *rdev)
}
}

- r = r600_vram_scratch_init(rdev);
- if (r)
- return r;
-
r = cayman_pcie_gart_enable(rdev);
if (r)
return r;
diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c
index 0e431c0..3458d4a 100644
--- a/drivers/gpu/drm/radeon/r600.c
+++ b/drivers/gpu/drm/radeon/r600.c
@@ -2361,6 +2361,11 @@ int r600_startup(struct radeon_device *rdev)
/* enable pcie gen2 link */
r600_pcie_gen2_enable(rdev);

+ /* scratch needs to be initialized before MC */
+ r = r600_vram_scratch_init(rdev);
+ if (r)
+ return r;
+
r600_mc_program(rdev);

if (!rdev->me_fw || !rdev->pfp_fw || !rdev->rlc_fw) {
@@ -2371,10 +2376,6 @@ int r600_startup(struct radeon_device *rdev)
}
}

- r = r600_vram_scratch_init(rdev);
- if (r)
- return r;
-
if (rdev->flags & RADEON_IS_AGP) {
r600_agp_enable(rdev);
} else {
diff --git a/drivers/gpu/drm/radeon/rv770.c b/drivers/gpu/drm/radeon/rv770.c
index d6fa2b5..186d019 100644
--- a/drivers/gpu/drm/radeon/rv770.c
+++ b/drivers/gpu/drm/radeon/rv770.c
@@ -890,6 +890,11 @@ static int rv770_startup(struct radeon_device *rdev)
/* enable pcie gen2 link */
rv770_pcie_gen2_enable(rdev);

+ /* scratch needs to be initialized before MC */
+ r = r600_vram_scratch_init(rdev);
+ if (r)
+ return r;
+
rv770_mc_program(rdev);

if (!rdev->me_fw || !rdev->pfp_fw || !rdev->rlc_fw) {
@@ -900,10 +905,6 @@ static int rv770_startup(struct radeon_device *rdev)
}
}

- r = r600_vram_scratch_init(rdev);
- if (r)
- return r;
-
if (rdev->flags & RADEON_IS_AGP) {
rv770_agp_enable(rdev);
} else {
diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c
index d3454a0..9987345 100644
--- a/drivers/gpu/drm/radeon/si.c
+++ b/drivers/gpu/drm/radeon/si.c
@@ -3698,6 +3698,11 @@ static int si_startup(struct radeon_device *rdev)
struct radeon_ring *ring;
int r;

+ /* scratch needs to be initialized before MC */
+ r = r600_vram_scratch_init(rdev);
+ if (r)
+ return r;
+
si_mc_program(rdev);

if (!rdev->me_fw || !rdev->pfp_fw || !rdev->ce_fw ||
@@ -3715,10 +3720,6 @@ static int si_startup(struct radeon_device *rdev)
return r;
}

- r = r600_vram_scratch_init(rdev);
- if (r)
- return r;
-
r = si_pcie_gart_enable(rdev);
if (r)
return r;
--
1.8.3.2

2013-09-30 10:23:24

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 069/104] drm/radeon: fix resume on some rs4xx boards (v2)

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <[email protected]>

commit acf88deb8ddbb73acd1c3fa32fde51af9153227f upstream.

Setting MC_MISC_CNTL.GART_INDEX_REG_EN causes hangs on
some boards on resume. The systems seem to work fine
without touching this bit so leave it as is.

v2: read-modify-write the GART_INDEX_REG_EN bit.
I suspect the problem is that we are losing the other
settings in the register.

fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=52952

Reported-by: Ondrej Zary <[email protected]>
Tested-by: Daniel Tobias <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/gpu/drm/radeon/rs400.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/radeon/rs400.c b/drivers/gpu/drm/radeon/rs400.c
index 9ada7ed..a56f440 100644
--- a/drivers/gpu/drm/radeon/rs400.c
+++ b/drivers/gpu/drm/radeon/rs400.c
@@ -174,10 +174,13 @@ int rs400_gart_enable(struct radeon_device *rdev)
/* FIXME: according to doc we should set HIDE_MMCFG_BAR=0,
* AGPMODE30=0 & AGP30ENHANCED=0 in NB_CNTL */
if ((rdev->family == CHIP_RS690) || (rdev->family == CHIP_RS740)) {
- WREG32_MC(RS480_MC_MISC_CNTL,
- (RS480_GART_INDEX_REG_EN | RS690_BLOCK_GFX_D3_EN));
+ tmp = RREG32_MC(RS480_MC_MISC_CNTL);
+ tmp |= RS480_GART_INDEX_REG_EN | RS690_BLOCK_GFX_D3_EN;
+ WREG32_MC(RS480_MC_MISC_CNTL, tmp);
} else {
- WREG32_MC(RS480_MC_MISC_CNTL, RS480_GART_INDEX_REG_EN);
+ tmp = RREG32_MC(RS480_MC_MISC_CNTL);
+ tmp |= RS480_GART_INDEX_REG_EN;
+ WREG32_MC(RS480_MC_MISC_CNTL, tmp);
}
/* Enable gart */
WREG32_MC(RS480_AGP_ADDRESS_SPACE_SIZE, (RS480_GART_EN | size_reg));
--
1.8.3.2

2013-09-30 10:12:58

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 053/104] ipv6: Don't depend on per socket memory for neighbour discovery messages

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Graf <[email protected]>

commit 25a6e6b84fba601eff7c28d30da8ad7cfbef0d43 upstream.

Allocating skbs when sending out neighbour discovery messages
currently uses sock_alloc_send_skb() based on a per net namespace
socket and thus share a socket wmem buffer space.

If a netdevice is temporarily unable to transmit due to carrier
loss or for other reasons, the queued up ndisc messages will cosnume
all of the wmem space and will thus prevent from any more skbs to
be allocated even for netdevices that are able to transmit packets.

The number of neighbour discovery messages sent is very limited,
use of alloc_skb() bypasses the socket wmem buffer size enforcement
while the manual call to skb_set_owner_w() maintains the socket
reference needed for the IPv6 output path.

This patch has orginally been posted by Eric Dumazet in a modified
form.

Signed-off-by: Thomas Graf <[email protected]>
Cc: Eric Dumazet <[email protected]>
Cc: Hannes Frederic Sowa <[email protected]>
Cc: Stephen Warren <[email protected]>
Cc: Fabio Estevam <[email protected]>
Tested-by: Fabio Estevam <[email protected]>
Tested-by: Stephen Warren <[email protected]>
Acked-by: Hannes Frederic Sowa <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
net/ipv6/ndisc.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 35bfebc..fbe0f9f 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -429,7 +429,6 @@ struct sk_buff *ndisc_build_skb(struct net_device *dev,
int hlen = LL_RESERVED_SPACE(dev);
int tlen = dev->needed_tailroom;
int len;
- int err;
u8 *opt;

if (!dev->addr_len)
@@ -439,13 +438,11 @@ struct sk_buff *ndisc_build_skb(struct net_device *dev,
if (llinfo)
len += ndisc_opt_addr_space(dev);

- skb = sock_alloc_send_skb(sk,
- (MAX_HEADER + sizeof(struct ipv6hdr) +
- len + hlen + tlen),
- 1, &err);
+ skb = alloc_skb((MAX_HEADER + sizeof(struct ipv6hdr) +
+ len + hlen + tlen), GFP_ATOMIC);
if (!skb) {
- ND_PRINTK(0, err, "ND: %s failed to allocate an skb, err=%d\n",
- __func__, err);
+ ND_PRINTK(0, err, "ND: %s failed to allocate an skb\n",
+ __func__);
return NULL;
}

@@ -473,6 +470,11 @@ struct sk_buff *ndisc_build_skb(struct net_device *dev,
csum_partial(hdr,
len, 0));

+ /* Manually assign socket ownership as we avoid calling
+ * sock_alloc_send_pskb() to bypass wmem buffer limits
+ */
+ skb_set_owner_w(skb, sk);
+
return skb;
}

--
1.8.3.2

2013-09-30 10:23:42

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 068/104] drm/radeon: fix LCD record parsing

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <[email protected]>

commit 95663948ba22a4be8b99acd67fbf83e86ddffba4 upstream.

If the LCD table contains an EDID record, properly account
for the edid size when walking through the records.

This should fix error messages about unknown LCD records.

Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/gpu/drm/radeon/radeon_atombios.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
index 38d87e1..fa9b022 100644
--- a/drivers/gpu/drm/radeon/radeon_atombios.c
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
@@ -1622,7 +1622,9 @@ struct radeon_encoder_atom_dig *radeon_atombios_get_lvds_info(struct
kfree(edid);
}
}
- record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD);
+ record += fake_edid_record->ucFakeEDIDLength ?
+ fake_edid_record->ucFakeEDIDLength + 2 :
+ sizeof(ATOM_FAKE_EDID_PATCH_RECORD);
break;
case LCD_PANEL_RESOLUTION_RECORD_TYPE:
panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record;
--
1.8.3.2

2013-09-30 10:23:46

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 067/104] drm/radeon: update line buffer allocation for dce6

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <[email protected]>

commit 290d24576ccf1aa0373d2185cedfe262d0d4952a upstream.

We need to allocate line buffer to each display when
setting up the watermarks. Failure to do so can lead
to a blank screen. This fixes blank screen problems
on dce6 asics.

Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=64850

Based on an initial fix from:
Jay Cornwall <[email protected]>

Signed-off-by: Alex Deucher <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/gpu/drm/radeon/si.c | 23 +++++++++++++++++++----
drivers/gpu/drm/radeon/sid.h | 4 ++++
2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/radeon/si.c b/drivers/gpu/drm/radeon/si.c
index 625c4ba..d3454a0 100644
--- a/drivers/gpu/drm/radeon/si.c
+++ b/drivers/gpu/drm/radeon/si.c
@@ -411,7 +411,8 @@ static u32 dce6_line_buffer_adjust(struct radeon_device *rdev,
struct drm_display_mode *mode,
struct drm_display_mode *other_mode)
{
- u32 tmp;
+ u32 tmp, buffer_alloc, i;
+ u32 pipe_offset = radeon_crtc->crtc_id * 0x20;
/*
* Line Buffer Setup
* There are 3 line buffers, each one shared by 2 display controllers.
@@ -426,16 +427,30 @@ static u32 dce6_line_buffer_adjust(struct radeon_device *rdev,
* non-linked crtcs for maximum line buffer allocation.
*/
if (radeon_crtc->base.enabled && mode) {
- if (other_mode)
+ if (other_mode) {
tmp = 0; /* 1/2 */
- else
+ buffer_alloc = 1;
+ } else {
tmp = 2; /* whole */
- } else
+ buffer_alloc = 2;
+ }
+ } else {
tmp = 0;
+ buffer_alloc = 0;
+ }

WREG32(DC_LB_MEMORY_SPLIT + radeon_crtc->crtc_offset,
DC_LB_MEMORY_CONFIG(tmp));

+ WREG32(PIPE0_DMIF_BUFFER_CONTROL + pipe_offset,
+ DMIF_BUFFERS_ALLOCATED(buffer_alloc));
+ for (i = 0; i < rdev->usec_timeout; i++) {
+ if (RREG32(PIPE0_DMIF_BUFFER_CONTROL + pipe_offset) &
+ DMIF_BUFFERS_ALLOCATED_COMPLETED)
+ break;
+ udelay(1);
+ }
+
if (radeon_crtc->base.enabled && mode) {
switch (tmp) {
case 0:
diff --git a/drivers/gpu/drm/radeon/sid.h b/drivers/gpu/drm/radeon/sid.h
index 916e13f..0a240fa 100644
--- a/drivers/gpu/drm/radeon/sid.h
+++ b/drivers/gpu/drm/radeon/sid.h
@@ -62,6 +62,10 @@

#define DMIF_ADDR_CALC 0xC00

+#define PIPE0_DMIF_BUFFER_CONTROL 0x0ca0
+# define DMIF_BUFFERS_ALLOCATED(x) ((x) << 0)
+# define DMIF_BUFFERS_ALLOCATED_COMPLETED (1 << 4)
+
#define SRBM_STATUS 0xE50

#define CC_SYS_RB_BACKEND_DISABLE 0xe80
--
1.8.3.2

2013-09-30 10:24:32

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 065/104] drm/radeon: fix endian bugs in hw i2c atom routines

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <[email protected]>

commit 4543eda52113d1e2cc0e9bf416f79597e6ef1ec7 upstream.

Need to swap the data fetched over i2c properly. This
is the same fix as the endian fix for aux channel
transactions.

Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/gpu/drm/radeon/atombios_dp.c | 6 +++---
drivers/gpu/drm/radeon/atombios_i2c.c | 4 +++-
2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/radeon/atombios_dp.c b/drivers/gpu/drm/radeon/atombios_dp.c
index 824d03c..a672379 100644
--- a/drivers/gpu/drm/radeon/atombios_dp.c
+++ b/drivers/gpu/drm/radeon/atombios_dp.c
@@ -51,7 +51,7 @@ static char *pre_emph_names[] = {
* or from atom. Note that atom operates on
* dw units.
*/
-static void radeon_copy_swap(u8 *dst, u8 *src, u8 num_bytes, bool to_le)
+void radeon_atom_copy_swap(u8 *dst, u8 *src, u8 num_bytes, bool to_le)
{
#ifdef __BIG_ENDIAN
u8 src_tmp[20], dst_tmp[20]; /* used for byteswapping */
@@ -101,7 +101,7 @@ static int radeon_process_aux_ch(struct radeon_i2c_chan *chan,

base = (unsigned char *)(rdev->mode_info.atom_context->scratch + 1);

- radeon_copy_swap(base, send, send_bytes, true);
+ radeon_atom_copy_swap(base, send, send_bytes, true);

args.v1.lpAuxRequest = cpu_to_le16((u16)(0 + 4));
args.v1.lpDataOut = cpu_to_le16((u16)(16 + 4));
@@ -138,7 +138,7 @@ static int radeon_process_aux_ch(struct radeon_i2c_chan *chan,
recv_bytes = recv_size;

if (recv && recv_size)
- radeon_copy_swap(recv, base + 16, recv_bytes, false);
+ radeon_atom_copy_swap(recv, base + 16, recv_bytes, false);

return recv_bytes;
}
diff --git a/drivers/gpu/drm/radeon/atombios_i2c.c b/drivers/gpu/drm/radeon/atombios_i2c.c
index 44d87b6..9ed94a8 100644
--- a/drivers/gpu/drm/radeon/atombios_i2c.c
+++ b/drivers/gpu/drm/radeon/atombios_i2c.c
@@ -27,6 +27,8 @@
#include "radeon.h"
#include "atom.h"

+extern void radeon_atom_copy_swap(u8 *dst, u8 *src, u8 num_bytes, bool to_le);
+
#define TARGET_HW_I2C_CLOCK 50

/* these are a limitation of ProcessI2cChannelTransaction not the hw */
@@ -77,7 +79,7 @@ static int radeon_process_i2c_ch(struct radeon_i2c_chan *chan,
}

if (!(flags & HW_I2C_WRITE))
- memcpy(buf, base, num);
+ radeon_atom_copy_swap(buf, base, num, false);

return 0;
}
--
1.8.3.2

2013-09-30 10:24:49

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 064/104] drm/edid: add quirk for Medion MD30217PG

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alex Deucher <[email protected]>

commit 118bdbd86b39dbb843155054021d2c59058f1e05 upstream.

This LCD monitor (1280x1024 native) has a completely
bogus detailed timing (640x350@70hz). User reports that
1280x1024@60 has waves so prefer 1280x1024@75.

Manufacturer: MED Model: 7b8 Serial#: 99188
Year: 2005 Week: 5
EDID Version: 1.3
Analog Display Input, Input Voltage Level: 0.700/0.700 V
Sync: Separate
Max Image Size [cm]: horiz.: 34 vert.: 27
Gamma: 2.50
DPMS capabilities: Off; RGB/Color Display
First detailed timing is preferred mode
redX: 0.645 redY: 0.348 greenX: 0.280 greenY: 0.605
blueX: 0.142 blueY: 0.071 whiteX: 0.313 whiteY: 0.329
Supported established timings:
720x400@70Hz
640x480@60Hz
640x480@72Hz
640x480@75Hz
800x600@56Hz
800x600@60Hz
800x600@72Hz
800x600@75Hz
1024x768@60Hz
1024x768@70Hz
1024x768@75Hz
1280x1024@75Hz
Manufacturer's mask: 0
Supported standard timings:
Supported detailed timing:
clock: 25.2 MHz Image Size: 337 x 270 mm
h_active: 640 h_sync: 688 h_sync_end 784 h_blank_end 800 h_border: 0
v_active: 350 v_sync: 350 v_sync_end 352 v_blanking: 449 v_border: 0
Monitor name: MD30217PG
Ranges: V min: 56 V max: 76 Hz, H min: 30 H max: 83 kHz, PixClock max 145 MHz
Serial No: 501099188
EDID (in hex):
00ffffffffffff0034a4b80774830100
050f010368221b962a0c55a559479b24
125054afcf00310a0101010101018180
000000000000d60980a0205e63103060
0200510e1100001e000000fc004d4433
3032313750470a202020000000fd0038
4c1e530e000a202020202020000000ff
003530313039393138380a2020200078

Signed-off-by: Alex Deucher <[email protected]>
Reported-by: [email protected]
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/gpu/drm/drm_edid.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
index c674823..bdbc6a2 100644
--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -125,6 +125,9 @@ static struct edid_quirk {

/* ViewSonic VA2026w */
{ "VSC", 5020, EDID_QUIRK_FORCE_REDUCED_BLANKING },
+
+ /* Medion MD 30217 PG */
+ { "MED", 0x7b8, EDID_QUIRK_PREFER_LARGE_75 },
};

/*** DDC fetch and block validation ***/
--
1.8.3.2

2013-09-30 10:12:54

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 055/104] ath9k: always clear ps filter bit on new assoc

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Felix Fietkau <[email protected]>

commit 026d5b07c03458f9c0ccd19c3850564a5409c325 upstream.

Otherwise in some cases, EAPOL frames might be filtered during the
initial handshake, causing delays and assoc failures.

Signed-off-by: Felix Fietkau <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/net/wireless/ath/ath9k/xmit.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
index 894ed0e..63ce4cf 100644
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -2479,6 +2479,7 @@ void ath_tx_node_init(struct ath_softc *sc, struct ath_node *an)
for (acno = 0, ac = &an->ac[acno];
acno < WME_NUM_AC; acno++, ac++) {
ac->sched = false;
+ ac->clear_ps_filter = true;
ac->txq = sc->tx.txq_map[acno];
INIT_LIST_HEAD(&ac->tid_q);
}
--
1.8.3.2

2013-09-30 10:25:09

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 063/104] of: Fix missing memory initialization on FDT unflattening

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Grant Likely <[email protected]>

commit 0640332e073be9207f0784df43595c0c39716e42 upstream.

Any calls to dt_alloc() need to be zeroed. This is a temporary fix, but
the allocation function itself needs to zero memory before returning
it. This is a follow up to patch 9e4012752, "of: fdt: fix memory
initialization for expanded DT" which fixed one call site but missed
another.

Signed-off-by: Grant Likely <[email protected]>
Acked-by: Wladislav Wiebe <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/of/base.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/of/base.c b/drivers/of/base.c
index d9bfd49..226beaa 100644
--- a/drivers/of/base.c
+++ b/drivers/of/base.c
@@ -1227,6 +1227,7 @@ void of_alias_scan(void * (*dt_alloc)(u64 size, u64 align))
ap = dt_alloc(sizeof(*ap) + len + 1, 4);
if (!ap)
continue;
+ memset(ap, 0, sizeof(*ap) + len + 1);
ap->alias = start;
of_alias_add(ap, np, id, start, len);
}
--
1.8.3.2

2013-09-30 10:25:35

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 060/104] brcmsmac: Fix WARNING caused by lack of calls to dma_mapping_error()

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: "John W. Linville" <[email protected]>

commit 67d0cf50bd32b66eab709871714e55725ee30ce4 upstream.

The driver fails to check the results of DMA mapping in twp places,
which results in the following warning:

[ 28.078515] ------------[ cut here ]------------
[ 28.078529] WARNING: at lib/dma-debug.c:937 check_unmap+0x47e/0x930()
[ 28.078533] bcma-pci-bridge 0000:0e:00.0: DMA-API: device driver failed to check map error[device address=0x00000000b5d60d6c] [size=1876 bytes] [mapped as
single]
[ 28.078536] Modules linked in: bnep bluetooth vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) ipv6 b43 brcmsmac rtl8192cu rtl8192c_common rtlwifi mac802
11 brcmutil cfg80211 snd_hda_codec_conexant rng_core snd_hda_intel kvm_amd snd_hda_codec ssb kvm mmc_core snd_pcm snd_seq snd_timer snd_seq_device snd k8temp
cordic joydev serio_raw hwmon sr_mod sg pcmcia pcmcia_core soundcore cdrom i2c_nforce2 i2c_core forcedeth bcma snd_page_alloc autofs4 ext4 jbd2 mbcache crc1
6 scsi_dh_alua scsi_dh_hp_sw scsi_dh_rdac scsi_dh_emc scsi_dh ata_generic pata_amd
[ 28.078602] CPU: 1 PID: 2570 Comm: NetworkManager Tainted: G O 3.10.0-rc7-wl+ #42
[ 28.078605] Hardware name: Hewlett-Packard HP Pavilion dv2700 Notebook PC/30D6, BIOS F.27 11/27/2008
[ 28.078607] 0000000000000009 ffff8800bbb03ad8 ffffffff8144f898 ffff8800bbb03b18
[ 28.078612] ffffffff8103e1eb 0000000000000002 ffff8800b719f480 ffff8800b7b9c010
[ 28.078617] ffffffff824204c0 ffffffff81754d57 0000000000000754 ffff8800bbb03b78
[ 28.078622] Call Trace:
[ 28.078624] <IRQ> [<ffffffff8144f898>] dump_stack+0x19/0x1b
[ 28.078634] [<ffffffff8103e1eb>] warn_slowpath_common+0x6b/0xa0
[ 28.078638] [<ffffffff8103e2c1>] warn_slowpath_fmt+0x41/0x50
[ 28.078650] [<ffffffff8122d7ae>] check_unmap+0x47e/0x930
[ 28.078655] [<ffffffff8122de4c>] debug_dma_unmap_page+0x5c/0x70
[ 28.078679] [<ffffffffa04a808c>] dma64_getnextrxp+0x10c/0x190 [brcmsmac]
[ 28.078691] [<ffffffffa04a9042>] dma_rx+0x62/0x240 [brcmsmac]
[ 28.078707] [<ffffffffa0479101>] brcms_c_dpc+0x211/0x9d0 [brcmsmac]
[ 28.078717] [<ffffffffa046d927>] ? brcms_dpc+0x27/0xf0 [brcmsmac]
[ 28.078731] [<ffffffffa046d947>] brcms_dpc+0x47/0xf0 [brcmsmac]
[ 28.078736] [<ffffffff81047dcc>] tasklet_action+0x6c/0xf0
--snip--
[ 28.078974] [<ffffffff813891bd>] SyS_sendmsg+0xd/0x20
[ 28.078979] [<ffffffff81455c24>] tracesys+0xdd/0xe2
[ 28.078982] ---[ end trace 6164d1a08148e9c8 ]---
[ 28.078984] Mapped at:
[ 28.078985] [<ffffffff8122c8fd>] debug_dma_map_page+0x9d/0x150
[ 28.078989] [<ffffffffa04a9322>] dma_rxfill+0x102/0x3d0 [brcmsmac]
[ 28.079001] [<ffffffffa047a13d>] brcms_c_init+0x87d/0x1100 [brcmsmac]
[ 28.079010] [<ffffffffa046d851>] brcms_init+0x21/0x30 [brcmsmac]
[ 28.079018] [<ffffffffa04786e0>] brcms_c_up+0x150/0x430 [brcmsmac]

As the patch adds a new failure mechanism to dma_rxfill(). When I changed the
comment at the start of the routine to add that information, I also polished
the wording.

Signed-off-by: Larry Finger <[email protected]>
Cc: Brett Rudley <[email protected]>
Cc: Franky (Zhenhui) Lin <[email protected]>
Cc: Hante Meuleman <[email protected]>
Cc: [email protected]
Acked-by: Arend van Spriel <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
[ luis: backported to 3.5:
- adjusted context
- adjusted error handling in dma_txfast() as it returns an int ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/net/wireless/brcm80211/brcmsmac/dma.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/brcm80211/brcmsmac/dma.c b/drivers/net/wireless/brcm80211/brcmsmac/dma.c
index 11054ae..f76efd5 100644
--- a/drivers/net/wireless/brcm80211/brcmsmac/dma.c
+++ b/drivers/net/wireless/brcm80211/brcmsmac/dma.c
@@ -1013,9 +1013,10 @@ static bool dma64_rxidle(struct dma_info *di)

/*
* post receive buffers
- * return false is refill failed completely and ring is empty this will stall
- * the rx dma and user might want to call rxfill again asap. This unlikely
- * happens on memory-rich NIC, but often on memory-constrained dongle
+ * Return false if refill failed completely or dma mapping failed. The ring
+ * is empty, which will stall the rx dma and user might want to call rxfill
+ * again asap. This is unlikely to happen on a memory-rich NIC, but often on
+ * memory-constrained dongle.
*/
bool dma_rxfill(struct dma_pub *pub)
{
@@ -1074,6 +1075,8 @@ bool dma_rxfill(struct dma_pub *pub)

pa = dma_map_single(di->dmadev, p->data, di->rxbufsize,
DMA_FROM_DEVICE);
+ if (dma_mapping_error(di->dmadev, pa))
+ return false;

/* save the free packet pointer */
di->rxp[rxout] = p;
@@ -1294,6 +1297,9 @@ int dma_txfast(struct dma_pub *pub, struct sk_buff *p, bool commit)

/* get physical address of buffer start */
pa = dma_map_single(di->dmadev, data, len, DMA_TO_DEVICE);
+ /* if mapping failed, free skb */
+ if (dma_mapping_error(di->dmadev, pa))
+ goto outoftxd;

/* With a DMA segment list, Descriptor table is filled
* using the segment list instead of looping over
--
1.8.3.2

2013-09-30 10:25:32

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 062/104] HID: validate HID report id size

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Kees Cook <[email protected]>

commit 43622021d2e2b82ea03d883926605bdd0525e1d1 upstream.

The "Report ID" field of a HID report is used to build indexes of
reports. The kernel's index of these is limited to 256 entries, so any
malicious device that sets a Report ID greater than 255 will trigger
memory corruption on the host:

[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b

CVE-2013-2888

Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/hid/hid-core.c | 10 +++++++---
include/linux/hid.h | 4 +++-
2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 2f85e59..104792d 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
struct hid_report_enum *report_enum = device->report_enum + type;
struct hid_report *report;

+ if (id >= HID_MAX_IDS)
+ return NULL;
if (report_enum->report_id_hash[id])
return report_enum->report_id_hash[id];

@@ -392,8 +394,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)

case HID_GLOBAL_ITEM_TAG_REPORT_ID:
parser->global.report_id = item_udata(item);
- if (parser->global.report_id == 0) {
- hid_err(parser->device, "report_id 0 is invalid\n");
+ if (parser->global.report_id == 0 ||
+ parser->global.report_id >= HID_MAX_IDS) {
+ hid_err(parser->device, "report_id %u is invalid\n",
+ parser->global.report_id);
return -1;
}
return 0;
@@ -563,7 +567,7 @@ static void hid_close_report(struct hid_device *device)
for (i = 0; i < HID_REPORT_TYPES; i++) {
struct hid_report_enum *report_enum = device->report_enum + i;

- for (j = 0; j < 256; j++) {
+ for (j = 0; j < HID_MAX_IDS; j++) {
struct hid_report *report = report_enum->report_id_hash[j];
if (report)
hid_free_report(report);
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 449fa38..69b6e30 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -425,10 +425,12 @@ struct hid_report {
struct hid_device *device; /* associated device */
};

+#define HID_MAX_IDS 256
+
struct hid_report_enum {
unsigned numbered;
struct list_head report_list;
- struct hid_report *report_id_hash[256];
+ struct hid_report *report_id_hash[HID_MAX_IDS];
};

#define HID_REPORT_TYPES 3
--
1.8.3.2

2013-09-30 10:26:14

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 061/104] mmc: tmio_mmc_dma: fix PIO fallback on SDHI

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Sergei Shtylyov <[email protected]>

commit f936f9b67b7f8c2eae01dd303a0e90bd777c4679 upstream.

I'm testing SH-Mobile SDHI driver in DMA mode with a new DMA controller using
'bonnie++' and getting DMA error after which the tmio_mmc_dma.c code falls back
to PIO but all commands time out after that. It turned out that the fallback
code calls tmio_mmc_enable_dma() with RX/TX channels already freed and pointers
to them cleared, so that the function bails out early instead of clearing the
DMA bit in the CTL_DMA_ENABLE register. The regression was introduced by commit
162f43e31c5a376ec16336e5d0ac973373d54c89 (mmc: tmio: fix a deadlock).
Moving tmio_mmc_enable_dma() calls to the top of the PIO fallback code in
tmio_mmc_start_dma_{rx|tx}() helps.

Signed-off-by: Sergei Shtylyov <[email protected]>
Acked-by: Guennadi Liakhovetski <[email protected]>
Signed-off-by: Chris Ball <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/mmc/host/tmio_mmc_dma.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/mmc/host/tmio_mmc_dma.c b/drivers/mmc/host/tmio_mmc_dma.c
index fff9286..491e9ec 100644
--- a/drivers/mmc/host/tmio_mmc_dma.c
+++ b/drivers/mmc/host/tmio_mmc_dma.c
@@ -104,6 +104,7 @@ static void tmio_mmc_start_dma_rx(struct tmio_mmc_host *host)
pio:
if (!desc) {
/* DMA failed, fall back to PIO */
+ tmio_mmc_enable_dma(host, false);
if (ret >= 0)
ret = -EIO;
host->chan_rx = NULL;
@@ -116,7 +117,6 @@ pio:
}
dev_warn(&host->pdev->dev,
"DMA failed: %d, falling back to PIO\n", ret);
- tmio_mmc_enable_dma(host, false);
}

dev_dbg(&host->pdev->dev, "%s(): desc %p, cookie %d, sg[%d]\n", __func__,
@@ -185,6 +185,7 @@ static void tmio_mmc_start_dma_tx(struct tmio_mmc_host *host)
pio:
if (!desc) {
/* DMA failed, fall back to PIO */
+ tmio_mmc_enable_dma(host, false);
if (ret >= 0)
ret = -EIO;
host->chan_tx = NULL;
@@ -197,7 +198,6 @@ pio:
}
dev_warn(&host->pdev->dev,
"DMA failed: %d, falling back to PIO\n", ret);
- tmio_mmc_enable_dma(host, false);
}

dev_dbg(&host->pdev->dev, "%s(): desc %p, cookie %d\n", __func__,
--
1.8.3.2

2013-09-30 10:26:31

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 059/104] ath9k: avoid accessing MRC registers on single-chain devices

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Felix Fietkau <[email protected]>

commit a1c781bb20ac1e03280e420abd47a99eb8bbdd3b upstream.

They are not implemented, and accessing them might trigger errors

Signed-off-by: Felix Fietkau <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/net/wireless/ath/ath9k/ar9003_phy.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/ar9003_phy.c b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
index ac2aa7a..fb919e5 100644
--- a/drivers/net/wireless/ath/ath9k/ar9003_phy.c
+++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
@@ -956,6 +956,10 @@ static bool ar9003_hw_ani_control(struct ath_hw *ah,
* is_on == 0 means MRC CCK is OFF (more noise imm)
*/
bool is_on = param ? 1 : 0;
+
+ if (ah->caps.rx_chainmask == 1)
+ break;
+
REG_RMW_FIELD(ah, AR_PHY_MRC_CCK_CTRL,
AR_PHY_MRC_CCK_ENABLE, is_on);
REG_RMW_FIELD(ah, AR_PHY_MRC_CCK_CTRL,
--
1.8.3.2

2013-09-30 10:12:48

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 048/104] tun: signedness bug in tun_get_user()

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 15718ea0d844e4816dbd95d57a8a0e3e264ba90e upstream.

The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is
not totally correct. Because "len" and "sizeof()" are size_t type, that
means they are never less than zero.

Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Michael S. Tsirkin <[email protected]>
Acked-by: Neil Horman <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/net/tun.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 21c33f2..f21bcef 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -615,8 +615,9 @@ static ssize_t tun_get_user(struct tun_struct *tun,
int offset = 0;

if (!(tun->flags & TUN_NO_PI)) {
- if ((len -= sizeof(pi)) > count)
+ if (len < sizeof(pi))
return -EINVAL;
+ len -= sizeof(pi);

if (memcpy_fromiovecend((void *)&pi, iv, 0, sizeof(pi)))
return -EFAULT;
@@ -624,8 +625,9 @@ static ssize_t tun_get_user(struct tun_struct *tun,
}

if (tun->flags & TUN_VNET_HDR) {
- if ((len -= tun->vnet_hdr_sz) > count)
+ if (len < tun->vnet_hdr_sz)
return -EINVAL;
+ len -= tun->vnet_hdr_sz;

if (memcpy_fromiovecend((void *)&gso, iv, offset, sizeof(gso)))
return -EFAULT;
--
1.8.3.2

2013-09-30 10:26:52

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 057/104] powerpc: Handle unaligned ldbrx/stdbrx

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Anton Blanchard <[email protected]>

commit 230aef7a6a23b6166bd4003bfff5af23c9bd381f upstream.

Normally when we haven't implemented an alignment handler for
a load or store instruction the process will be terminated.

The alignment handler uses the DSISR (or a pseudo one) to locate
the right handler. Unfortunately ldbrx and stdbrx overlap lfs and
stfs so we incorrectly think ldbrx is an lfs and stdbrx is an
stfs.

This bug is particularly nasty - instead of terminating the
process we apply an incorrect fixup and continue on.

With more and more overlapping instructions we should stop
creating a pseudo DSISR and index using the instruction directly,
but for now add a special case to catch ldbrx/stdbrx.

Signed-off-by: Anton Blanchard <[email protected]>
Signed-off-by: Benjamin Herrenschmidt <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
arch/powerpc/kernel/align.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/arch/powerpc/kernel/align.c b/arch/powerpc/kernel/align.c
index ee5b690..52e5758 100644
--- a/arch/powerpc/kernel/align.c
+++ b/arch/powerpc/kernel/align.c
@@ -764,6 +764,16 @@ int fix_alignment(struct pt_regs *regs)
nb = aligninfo[instr].len;
flags = aligninfo[instr].flags;

+ /* ldbrx/stdbrx overlap lfs/stfs in the DSISR unfortunately */
+ if (IS_XFORM(instruction) && ((instruction >> 1) & 0x3ff) == 532) {
+ nb = 8;
+ flags = LD+SW;
+ } else if (IS_XFORM(instruction) &&
+ ((instruction >> 1) & 0x3ff) == 660) {
+ nb = 8;
+ flags = ST+SW;
+ }
+
/* Byteswap little endian loads and stores */
swiz = 0;
if (regs->msr & MSR_LE) {
--
1.8.3.2

2013-09-30 10:26:49

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 058/104] ath9k: fix rx descriptor related race condition

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Felix Fietkau <[email protected]>

commit e96542e55a2aacf4bdeccfe2f17b77c4895b4df2 upstream.

Similar to a race condition that exists in the tx path, the hardware
might re-read the 'next' pointer of a descriptor of the last completed
frame. This only affects non-EDMA (pre-AR93xx) devices.

To deal with this race, defer clearing and re-linking a completed rx
descriptor until the next one has been processed.

Signed-off-by: Felix Fietkau <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/net/wireless/ath/ath9k/ath9k.h | 5 +----
drivers/net/wireless/ath/ath9k/recv.c | 17 +++++++++++++----
2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/ath9k.h b/drivers/net/wireless/ath/ath9k/ath9k.h
index e9a14c0..9afbb39 100644
--- a/drivers/net/wireless/ath/ath9k/ath9k.h
+++ b/drivers/net/wireless/ath/ath9k/ath9k.h
@@ -79,10 +79,6 @@ struct ath_config {
sizeof(struct ath_buf_state)); \
} while (0)

-#define ATH_RXBUF_RESET(_bf) do { \
- (_bf)->bf_stale = false; \
- } while (0)
-
/**
* enum buffer_type - Buffer type flags
*
@@ -314,6 +310,7 @@ struct ath_rx {
struct ath_buf *rx_bufptr;
struct ath_rx_edma rx_edma[ATH9K_RX_QUEUE_MAX];

+ struct ath_buf *buf_hold;
struct sk_buff *frag;
};

diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
index 0247fb1..ad82b4a 100644
--- a/drivers/net/wireless/ath/ath9k/recv.c
+++ b/drivers/net/wireless/ath/ath9k/recv.c
@@ -78,8 +78,6 @@ static void ath_rx_buf_link(struct ath_softc *sc, struct ath_buf *bf)
struct ath_desc *ds;
struct sk_buff *skb;

- ATH_RXBUF_RESET(bf);
-
ds = bf->bf_desc;
ds->ds_link = 0; /* link to null */
ds->ds_data = bf->bf_buf_addr;
@@ -106,6 +104,14 @@ static void ath_rx_buf_link(struct ath_softc *sc, struct ath_buf *bf)
sc->rx.rxlink = &ds->ds_link;
}

+static void ath_rx_buf_relink(struct ath_softc *sc, struct ath_buf *bf)
+{
+ if (sc->rx.buf_hold)
+ ath_rx_buf_link(sc, sc->rx.buf_hold);
+
+ sc->rx.buf_hold = bf;
+}
+
static void ath_setdefantenna(struct ath_softc *sc, u32 antenna)
{
/* XXX block beacon interrupts */
@@ -153,7 +159,6 @@ static bool ath_rx_edma_buf_link(struct ath_softc *sc,

skb = bf->bf_mpdu;

- ATH_RXBUF_RESET(bf);
memset(skb->data, 0, ah->caps.rx_status_len);
dma_sync_single_for_device(sc->dev, bf->bf_buf_addr,
ah->caps.rx_status_len, DMA_TO_DEVICE);
@@ -478,6 +483,7 @@ int ath_startrecv(struct ath_softc *sc)
if (list_empty(&sc->rx.rxbuf))
goto start_recv;

+ sc->rx.buf_hold = NULL;
sc->rx.rxlink = NULL;
list_for_each_entry_safe(bf, tbf, &sc->rx.rxbuf, list) {
ath_rx_buf_link(sc, bf);
@@ -723,6 +729,9 @@ static struct ath_buf *ath_get_next_rx_buf(struct ath_softc *sc,
}

bf = list_first_entry(&sc->rx.rxbuf, struct ath_buf, list);
+ if (bf == sc->rx.buf_hold)
+ return NULL;
+
ds = bf->bf_desc;

/*
@@ -1972,7 +1981,7 @@ requeue:
if (edma) {
ath_rx_edma_buf_link(sc, qtype);
} else {
- ath_rx_buf_link(sc, bf);
+ ath_rx_buf_relink(sc, bf);
ath9k_hw_rxena(ah);
}
} while (1);
--
1.8.3.2

2013-09-30 10:27:33

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 056/104] libceph: unregister request in __map_request failed and nofail == false

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: majianpeng <[email protected]>

commit 73d9f7eef3d98c3920e144797cc1894c6b005a1e upstream.

For nofail == false request, if __map_request failed, the caller does
cleanup work, like releasing the relative pages. It doesn't make any sense
to retry this request.

Signed-off-by: Jianpeng Ma <[email protected]>
Reviewed-by: Sage Weil <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
net/ceph/osd_client.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index f181972..a90c575 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -1745,6 +1745,8 @@ int ceph_osdc_start_request(struct ceph_osd_client *osdc,
dout("osdc_start_request failed map, "
" will retry %lld\n", req->r_tid);
rc = 0;
+ } else {
+ __unregister_request(osdc, req);
}
goto out_unlock;
}
--
1.8.3.2

2013-09-30 10:12:44

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 042/104] fib_trie: remove potential out of bound access

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

commit aab515d7c32a34300312416c50314e755ea6f765 upstream.

AddressSanitizer [1] dynamic checker pointed a potential
out of bound access in leaf_walk_rcu()

We could allocate one more slot in tnode_new() to leave the prefetch()
in-place but it looks not worth the pain.

Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode")

[1] :
https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel

Reported-by: Andrey Konovalov <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Cc: Dmitry Vyukov <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
net/ipv4/fib_trie.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 30b88d7..424704a 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -71,7 +71,6 @@
#include <linux/init.h>
#include <linux/list.h>
#include <linux/slab.h>
-#include <linux/prefetch.h>
#include <linux/export.h>
#include <net/net_namespace.h>
#include <net/ip.h>
@@ -1772,10 +1771,8 @@ static struct leaf *leaf_walk_rcu(struct tnode *p, struct rt_trie_node *c)
if (!c)
continue;

- if (IS_LEAF(c)) {
- prefetch(rcu_dereference_rtnl(p->child[idx]));
+ if (IS_LEAF(c))
return (struct leaf *) c;
- }

/* Rescan start scanning in new node */
p = (struct tnode *) c;
--
1.8.3.2

2013-09-30 10:27:49

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 054/104] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <[email protected]>

commit 3a1c756590633c0e86df606e5c618c190926a0df upstream.

In tcp_v6_do_rcv() code, when processing pkt options, we soley work
on our skb clone opt_skb that we've created earlier before entering
tcp_rcv_established() on our way. However, only in condition ...

if (np->rxopt.bits.rxtclass)
np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));

... we work on skb itself. As we extract every other information out
of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
already be released by tcp_rcv_established() earlier on. When we try
to access it in ipv6_hdr(), we will dereference freed skb.

[ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for
IP_PKTOPTIONS") ]

Signed-off-by: Daniel Borkmann <[email protected]>
Cc: Eric Dumazet <[email protected]>
Acked-by: Eric Dumazet <[email protected]>
Acked-by: Jiri Benc <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
net/ipv6/tcp_ipv6.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 989c024..1467fc7 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1573,7 +1573,7 @@ ipv6_pktoptions:
if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
if (np->rxopt.bits.rxtclass)
- np->rcv_tclass = ipv6_tclass(ipv6_hdr(skb));
+ np->rcv_tclass = ipv6_tclass(ipv6_hdr(opt_skb));
if (ipv6_opt_accepted(sk, opt_skb)) {
skb_set_owner_r(opt_skb, sk);
opt_skb = xchg(&np->pktoptions, opt_skb);
--
1.8.3.2

2013-09-30 10:28:25

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 051/104] net: bridge: convert MLDv2 Query MRC into msecs_to_jiffies for max_delay

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <[email protected]>

commit 2d98c29b6fb3de44d9eaa73c09f9cf7209346383 upstream.

While looking into MLDv1/v2 code, I noticed that bridging code does
not convert it's max delay into jiffies for MLDv2 messages as we do
in core IPv6' multicast code.

RFC3810, 5.1.3. Maximum Response Code says:

The Maximum Response Code field specifies the maximum time allowed
before sending a responding Report. The actual time allowed, called
the Maximum Response Delay, is represented in units of milliseconds,
and is derived from the Maximum Response Code as follows: [...]

As we update timers that work with jiffies, we need to convert it.

Signed-off-by: Daniel Borkmann <[email protected]>
Cc: Linus Lüssing <[email protected]>
Cc: Hannes Frederic Sowa <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
net/bridge/br_multicast.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 4c1954b..e881f7f 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1172,7 +1172,8 @@ static int br_ip6_multicast_query(struct net_bridge *br,
mld2q = (struct mld2_query *)icmp6_hdr(skb);
if (!mld2q->mld2q_nsrcs)
group = &mld2q->mld2q_mca;
- max_delay = mld2q->mld2q_mrc ? MLDV2_MRC(mld2q->mld2q_mrc) : 1;
+
+ max_delay = max(msecs_to_jiffies(MLDV2_MRC(ntohs(mld2q->mld2q_mrc))), 1UL);
}

if (!group)
--
1.8.3.2

2013-09-30 10:28:24

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 052/104] ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Jiri Bohac <[email protected]>

commit 61e76b178dbe7145e8d6afa84bb4ccea71918994 upstream.

RFC 4443 has defined two additional codes for ICMPv6 type 1 (destination
unreachable) messages:
5 - Source address failed ingress/egress policy
6 - Reject route to destination

Now they are treated as protocol error and icmpv6_err_convert() converts them
to EPROTO.

RFC 4443 says:
"Codes 5 and 6 are more informative subsets of code 1."

Treat codes 5 and 6 as code 1 (EACCES)

Btw, connect() returning -EPROTO confuses firefox, so that fallback to
other/IPv4 addresses does not work:
https://bugzilla.mozilla.org/show_bug.cgi?id=910773

Signed-off-by: Jiri Bohac <[email protected]>
Acked-by: Hannes Frederic Sowa <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[ luis: backported to 3.5:
- adjusted context
- include/uapi/linux/icmpv6.h -> include/linux/icmpv6.h ]
Signed-off-by: Luis Henriques <[email protected]>
---
include/linux/icmpv6.h | 2 ++
net/ipv6/icmp.c | 10 +++++++++-
2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/include/linux/icmpv6.h b/include/linux/icmpv6.h
index ba45e6b..f5a21d0 100644
--- a/include/linux/icmpv6.h
+++ b/include/linux/icmpv6.h
@@ -123,6 +123,8 @@ static inline struct icmp6hdr *icmp6_hdr(const struct sk_buff *skb)
#define ICMPV6_NOT_NEIGHBOUR 2
#define ICMPV6_ADDR_UNREACH 3
#define ICMPV6_PORT_UNREACH 4
+#define ICMPV6_POLICY_FAIL 5
+#define ICMPV6_REJECT_ROUTE 6

/*
* Codes for Time Exceeded
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 091a297..2da16f0 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -917,6 +917,14 @@ static const struct icmp6_err {
.err = ECONNREFUSED,
.fatal = 1,
},
+ { /* POLICY_FAIL */
+ .err = EACCES,
+ .fatal = 1,
+ },
+ { /* REJECT_ROUTE */
+ .err = EACCES,
+ .fatal = 1,
+ },
};

int icmpv6_err_convert(u8 type, u8 code, int *err)
@@ -928,7 +936,7 @@ int icmpv6_err_convert(u8 type, u8 code, int *err)
switch (type) {
case ICMPV6_DEST_UNREACH:
fatal = 1;
- if (code <= ICMPV6_PORT_UNREACH) {
+ if (code < ARRAY_SIZE(tab_unreach)) {
*err = tab_unreach[code].err;
fatal = tab_unreach[code].fatal;
}
--
1.8.3.2

2013-09-30 10:29:03

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 050/104] ipv6: drop packets with multiple fragmentation headers

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Hannes Frederic Sowa <[email protected]>

commit f46078cfcd77fa5165bf849f5e568a7ac5fa569c upstream.

It is not allowed for an ipv6 packet to contain multiple fragmentation
headers. So discard packets which were already reassembled by
fragmentation logic and send back a parameter problem icmp.

The updates for RFC 6980 will come in later, I have to do a bit more
research here.

Cc: YOSHIFUJI Hideaki <[email protected]>
Signed-off-by: Hannes Frederic Sowa <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
include/linux/ipv6.h | 1 +
net/ipv6/reassembly.c | 5 +++++
2 files changed, 6 insertions(+)

diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 8260ef7..e6412ee 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -260,6 +260,7 @@ struct inet6_skb_parm {
#define IP6SKB_XFRM_TRANSFORMED 1
#define IP6SKB_FORWARDED 2
#define IP6SKB_REROUTED 4
+#define IP6SKB_FRAGMENTED 16
};

#define IP6CB(skb) ((struct inet6_skb_parm*)((skb)->cb))
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 3673b8f..4da218c 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -531,6 +531,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
head->tstamp = fq->q.stamp;
ipv6_hdr(head)->payload_len = htons(payload_len);
IP6CB(head)->nhoff = nhoff;
+ IP6CB(head)->flags |= IP6SKB_FRAGMENTED;

/* Yes, and fold redundant checksum back. 8) */
if (head->ip_summed == CHECKSUM_COMPLETE)
@@ -564,6 +565,9 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
const struct ipv6hdr *hdr = ipv6_hdr(skb);
struct net *net = dev_net(skb_dst(skb)->dev);

+ if (IP6CB(skb)->flags & IP6SKB_FRAGMENTED)
+ goto fail_hdr;
+
IP6_INC_STATS_BH(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMREQDS);

/* Jumbo payload inhibits frag. header */
@@ -584,6 +588,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMOKS);

IP6CB(skb)->nhoff = (u8 *)fhdr - skb_network_header(skb);
+ IP6CB(skb)->flags |= IP6SKB_FRAGMENTED;
return 1;
}

--
1.8.3.2

2013-09-30 10:29:11

by David Henningsson

[permalink] [raw]
Subject: Re: [PATCH 026/104] ALSA: hda - hdmi: Refactor hdmi_eld into parsed_hdmi_eld

On 09/30/2013 12:10 PM, Luis Henriques wrote:
> 3.5.7.22 -stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: David Henningsson <[email protected]>
>
> commit 1613d6b46b433f07f1d2703e4bd102802dcd75a4 upstream.
>
> For better readability, the information that is parsed out of the
> ELD data is now put into a separate parsed_hdmi_eld struct.
>
> Signed-off-by: David Henningsson <[email protected]>
> Signed-off-by: Takashi Iwai <[email protected]>
> [ luis: 3.5.y-prereq for:
> 18e3918 ALSA: hda - hdmi: Fallback to ALSA allocation when selecting CA ]

I don't think this is really a prereq. Sorting out the fuzz in
hdmi_channel_allocation seems quite trivial to me, so I would suggest
doing so instead.

If you do go ahead and backport this patch, a bit of testing wouldn't
hurt: this patch was part of a bigger patch set, and I don't think
anyone tested just this one without the bigger set.

> Signed-off-by: Luis Henriques <[email protected]>
> ---
> sound/pci/hda/hda_eld.c | 46 +++++++++++++++++++++-------------------------
> sound/pci/hda/hda_local.h | 27 +++++++++++++++++----------
> sound/pci/hda/patch_hdmi.c | 28 +++++++++++++++++++---------
> 3 files changed, 57 insertions(+), 44 deletions(-)
>
> diff --git a/sound/pci/hda/hda_eld.c b/sound/pci/hda/hda_eld.c
> index 86f6468..f076dab 100644
> --- a/sound/pci/hda/hda_eld.c
> +++ b/sound/pci/hda/hda_eld.c
> @@ -246,8 +246,8 @@ static void hdmi_update_short_audio_desc(struct cea_sad *a,
> /*
> * Be careful, ELD buf could be totally rubbish!
> */
> -static int hdmi_update_eld(struct hdmi_eld *e,
> - const unsigned char *buf, int size)
> +int snd_hdmi_parse_eld(struct parsed_hdmi_eld *e,
> + const unsigned char *buf, int size)
> {
> int mnl;
> int i;
> @@ -260,7 +260,6 @@ static int hdmi_update_eld(struct hdmi_eld *e,
> goto out_fail;
> }
>
> - e->eld_size = size;
> e->baseline_len = GRAB_BITS(buf, 2, 0, 8);
> mnl = GRAB_BITS(buf, 4, 0, 5);
> e->cea_edid_ver = GRAB_BITS(buf, 4, 5, 3);
> @@ -305,7 +304,6 @@ static int hdmi_update_eld(struct hdmi_eld *e,
> if (!e->spk_alloc)
> e->spk_alloc = 0xffff;
>
> - e->eld_valid = true;
> return 0;
>
> out_fail:
> @@ -318,17 +316,16 @@ int snd_hdmi_get_eld_size(struct hda_codec *codec, hda_nid_t nid)
> AC_DIPSIZE_ELD_BUF);
> }
>
> -int snd_hdmi_get_eld(struct hdmi_eld *eld,
> - struct hda_codec *codec, hda_nid_t nid)
> +int snd_hdmi_get_eld(struct hda_codec *codec, hda_nid_t nid,
> + unsigned char *buf, int *eld_size)
> {
> int i;
> int ret = 0;
> int size;
> - unsigned char *buf;
>
> /*
> * ELD size is initialized to zero in caller function. If no errors and
> - * ELD is valid, actual eld_size is assigned in hdmi_update_eld()
> + * ELD is valid, actual eld_size is assigned.
> */
>
> size = snd_hdmi_get_eld_size(codec, nid);
> @@ -343,8 +340,6 @@ int snd_hdmi_get_eld(struct hdmi_eld *eld,
> }
>
> /* set ELD buffer */
> - buf = eld->eld_buffer;
> -
> for (i = 0; i < size; i++) {
> unsigned int val = hdmi_get_eld_data(codec, nid, i);
> /*
> @@ -372,8 +367,7 @@ int snd_hdmi_get_eld(struct hdmi_eld *eld,
> buf[i] = val;
> }
>
> - ret = hdmi_update_eld(eld, buf, size);
> -
> + *eld_size = size;
> error:
> return ret;
> }
> @@ -438,7 +432,7 @@ void snd_print_channel_allocation(int spk_alloc, char *buf, int buflen)
> buf[j] = '\0'; /* necessary when j == 0 */
> }
>
> -void snd_hdmi_show_eld(struct hdmi_eld *e)
> +void snd_hdmi_show_eld(struct parsed_hdmi_eld *e)
> {
> int i;
>
> @@ -487,10 +481,11 @@ static void hdmi_print_sad_info(int i, struct cea_sad *a,
> static void hdmi_print_eld_info(struct snd_info_entry *entry,
> struct snd_info_buffer *buffer)
> {
> - struct hdmi_eld *e = entry->private_data;
> + struct hdmi_eld *eld = entry->private_data;
> + struct parsed_hdmi_eld *e = &eld->info;
> char buf[SND_PRINT_CHANNEL_ALLOCATION_ADVISED_BUFSIZE];
> int i;
> - static char *eld_versoin_names[32] = {
> + static char *eld_version_names[32] = {
> "reserved",
> "reserved",
> "CEA-861D or below",
> @@ -505,15 +500,15 @@ static void hdmi_print_eld_info(struct snd_info_entry *entry,
> [4 ... 7] = "reserved"
> };
>
> - snd_iprintf(buffer, "monitor_present\t\t%d\n", e->monitor_present);
> - snd_iprintf(buffer, "eld_valid\t\t%d\n", e->eld_valid);
> - if (!e->eld_valid)
> + snd_iprintf(buffer, "monitor_present\t\t%d\n", eld->monitor_present);
> + snd_iprintf(buffer, "eld_valid\t\t%d\n", eld->eld_valid);
> + if (!eld->eld_valid)
> return;
> snd_iprintf(buffer, "monitor_name\t\t%s\n", e->monitor_name);
> snd_iprintf(buffer, "connection_type\t\t%s\n",
> eld_connection_type_names[e->conn_type]);
> snd_iprintf(buffer, "eld_version\t\t[0x%x] %s\n", e->eld_ver,
> - eld_versoin_names[e->eld_ver]);
> + eld_version_names[e->eld_ver]);
> snd_iprintf(buffer, "edid_version\t\t[0x%x] %s\n", e->cea_edid_ver,
> cea_edid_version_names[e->cea_edid_ver]);
> snd_iprintf(buffer, "manufacture_id\t\t0x%x\n", e->manufacture_id);
> @@ -535,7 +530,8 @@ static void hdmi_print_eld_info(struct snd_info_entry *entry,
> static void hdmi_write_eld_info(struct snd_info_entry *entry,
> struct snd_info_buffer *buffer)
> {
> - struct hdmi_eld *e = entry->private_data;
> + struct hdmi_eld *eld = entry->private_data;
> + struct parsed_hdmi_eld *e = &eld->info;
> char line[64];
> char name[64];
> char *sname;
> @@ -551,9 +547,9 @@ static void hdmi_write_eld_info(struct snd_info_entry *entry,
> * eld_version edid_version
> */
> if (!strcmp(name, "monitor_present"))
> - e->monitor_present = val;
> + eld->monitor_present = val;
> else if (!strcmp(name, "eld_valid"))
> - e->eld_valid = val;
> + eld->eld_valid = val;
> else if (!strcmp(name, "connection_type"))
> e->conn_type = val;
> else if (!strcmp(name, "port_id"))
> @@ -627,7 +623,7 @@ void snd_hda_eld_proc_free(struct hda_codec *codec, struct hdmi_eld *eld)
> #endif /* CONFIG_PROC_FS */
>
> /* update PCM info based on ELD */
> -void snd_hdmi_eld_update_pcm_info(struct hdmi_eld *eld,
> +void snd_hdmi_eld_update_pcm_info(struct parsed_hdmi_eld *e,
> struct hda_pcm_stream *hinfo)
> {
> u32 rates;
> @@ -644,8 +640,8 @@ void snd_hdmi_eld_update_pcm_info(struct hdmi_eld *eld,
> formats = SNDRV_PCM_FMTBIT_S16_LE;
> maxbps = 16;
> channels_max = 2;
> - for (i = 0; i < eld->sad_count; i++) {
> - struct cea_sad *a = &eld->sad[i];
> + for (i = 0; i < e->sad_count; i++) {
> + struct cea_sad *a = &e->sad[i];
> rates |= a->rates;
> if (a->channels > channels_max)
> channels_max = a->channels;
> diff --git a/sound/pci/hda/hda_local.h b/sound/pci/hda/hda_local.h
> index 9a096a8..da2eadc 100644
> --- a/sound/pci/hda/hda_local.h
> +++ b/sound/pci/hda/hda_local.h
> @@ -616,10 +616,10 @@ struct cea_sad {
> /*
> * ELD: EDID Like Data
> */
> -struct hdmi_eld {
> - bool monitor_present;
> - bool eld_valid;
> - int eld_size;
> +struct parsed_hdmi_eld {
> + /*
> + * all fields will be cleared before updating ELD
> + */
> int baseline_len;
> int eld_ver;
> int cea_edid_ver;
> @@ -634,19 +634,26 @@ struct hdmi_eld {
> int spk_alloc;
> int sad_count;
> struct cea_sad sad[ELD_MAX_SAD];
> - /*
> - * all fields above eld_buffer will be cleared before updating ELD
> - */
> +};
> +
> +struct hdmi_eld {
> + bool monitor_present;
> + bool eld_valid;
> + int eld_size;
> char eld_buffer[ELD_MAX_SIZE];
> + struct parsed_hdmi_eld info;
> #ifdef CONFIG_PROC_FS
> struct snd_info_entry *proc_entry;
> #endif
> };
>
> int snd_hdmi_get_eld_size(struct hda_codec *codec, hda_nid_t nid);
> -int snd_hdmi_get_eld(struct hdmi_eld *, struct hda_codec *, hda_nid_t);
> -void snd_hdmi_show_eld(struct hdmi_eld *eld);
> -void snd_hdmi_eld_update_pcm_info(struct hdmi_eld *eld,
> +int snd_hdmi_get_eld(struct hda_codec *codec, hda_nid_t nid,
> + unsigned char *buf, int *eld_size);
> +int snd_hdmi_parse_eld(struct parsed_hdmi_eld *e,
> + const unsigned char *buf, int size);
> +void snd_hdmi_show_eld(struct parsed_hdmi_eld *e);
> +void snd_hdmi_eld_update_pcm_info(struct parsed_hdmi_eld *e,
> struct hda_pcm_stream *hinfo);
>
> #ifdef CONFIG_PROC_FS
> diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
> index 375e0ff..bbd5e8d 100644
> --- a/sound/pci/hda/patch_hdmi.c
> +++ b/sound/pci/hda/patch_hdmi.c
> @@ -499,7 +499,7 @@ static int hdmi_channel_allocation(struct hdmi_eld *eld, int channels)
> * expand ELD's notions to match the ones used by Audio InfoFrame.
> */
> for (i = 0; i < ARRAY_SIZE(eld_speaker_allocation_bits); i++) {
> - if (eld->spk_alloc & (1 << i))
> + if (eld->info.spk_alloc & (1 << i))
> spk_mask |= eld_speaker_allocation_bits[i];
> }
>
> @@ -513,7 +513,7 @@ static int hdmi_channel_allocation(struct hdmi_eld *eld, int channels)
> }
> }
>
> - snd_print_channel_allocation(eld->spk_alloc, buf, sizeof(buf));
> + snd_print_channel_allocation(eld->info.spk_alloc, buf, sizeof(buf));
> snd_printdd("HDMI: select CA 0x%x for %d-channel allocation: %s\n",
> ca, channels, buf);
>
> @@ -705,7 +705,7 @@ static void hdmi_setup_audio_infoframe(struct hda_codec *codec, int pin_idx,
> ca = hdmi_channel_allocation(eld, channels);
>
> memset(&ai, 0, sizeof(ai));
> - if (eld->conn_type == 0) { /* HDMI */
> + if (eld->info.conn_type == 0) { /* HDMI */
> struct hdmi_audio_infoframe *hdmi_ai = &ai.hdmi;
>
> hdmi_ai->type = 0x84;
> @@ -714,7 +714,7 @@ static void hdmi_setup_audio_infoframe(struct hda_codec *codec, int pin_idx,
> hdmi_ai->CC02_CT47 = channels - 1;
> hdmi_ai->CA = ca;
> hdmi_checksum_audio_infoframe(hdmi_ai);
> - } else if (eld->conn_type == 1) { /* DisplayPort */
> + } else if (eld->info.conn_type == 1) { /* DisplayPort */
> struct dp_audio_infoframe *dp_ai = &ai.dp;
>
> dp_ai->type = 0x84;
> @@ -924,7 +924,7 @@ static int hdmi_pcm_open(struct hda_pcm_stream *hinfo,
>
> /* Restrict capabilities by ELD if this isn't disabled */
> if (!static_hdmi_pcm && eld->eld_valid) {
> - snd_hdmi_eld_update_pcm_info(eld, hinfo);
> + snd_hdmi_eld_update_pcm_info(&eld->info, hinfo);
> if (hinfo->channels_min > hinfo->channels_max ||
> !hinfo->rates || !hinfo->formats) {
> per_cvt->assigned = 0;
> @@ -985,8 +985,6 @@ static void hdmi_present_sense(struct hdmi_spec_per_pin *per_pin, int repoll)
> int present = snd_hda_pin_sense(codec, pin_nid);
> bool eld_valid = false;
>
> - memset(eld, 0, offsetof(struct hdmi_eld, eld_buffer));
> -
> eld->monitor_present = !!(present & AC_PINSENSE_PRESENCE);
> if (eld->monitor_present)
> eld_valid = !!(present & AC_PINSENSE_ELDV);
> @@ -997,8 +995,20 @@ static void hdmi_present_sense(struct hdmi_spec_per_pin *per_pin, int repoll)
>
> eld->eld_valid = false;
> if (eld_valid) {
> - if (!snd_hdmi_get_eld(eld, codec, pin_nid))
> - snd_hdmi_show_eld(eld);
> + if (snd_hdmi_get_eld(codec, pin_nid, eld->eld_buffer,
> + &eld->eld_size) < 0)
> + eld_valid = false;
> + else {
> + memset(&eld->info, 0, sizeof(struct parsed_hdmi_eld));
> + if (snd_hdmi_parse_eld(&eld->info, eld->eld_buffer,
> + eld->eld_size) < 0)
> + eld_valid = false;
> + }
> +
> + if (eld_valid) {
> + snd_hdmi_show_eld(&eld->info);
> + eld->eld_valid = true;
> + }
> else if (repoll) {
> queue_delayed_work(codec->bus->workq,
> &per_pin->work,
>



--
David Henningsson, Canonical Ltd.
https://launchpad.net/~diwic

2013-09-30 10:28:59

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 049/104] ipv6: remove max_addresses check from ipv6_create_tempaddr

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Hannes Frederic Sowa <[email protected]>

commit 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 upstream.

Because of the max_addresses check attackers were able to disable privacy
extensions on an interface by creating enough autoconfigured addresses:

<http://seclists.org/oss-sec/2012/q4/292>

But the check is not actually needed: max_addresses protects the
kernel to install too many ipv6 addresses on an interface and guards
addrconf_prefix_rcv to install further addresses as soon as this limit
is reached. We only generate temporary addresses in direct response of
a new address showing up. As soon as we filled up the maximum number of
addresses of an interface, we stop installing more addresses and thus
also stop generating more temp addresses.

Even if the attacker tries to generate a lot of temporary addresses
by announcing a prefix and removing it again (lifetime == 0) we won't
install more temp addresses, because the temporary addresses do count
to the maximum number of addresses, thus we would stop installing new
autoconfigured addresses when the limit is reached.

This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
possible).

Thanks to Ding Tianhong to bring this topic up again.

Cc: Ding Tianhong <[email protected]>
Cc: George Kargiotakis <[email protected]>
Cc: P J P <[email protected]>
Cc: YOSHIFUJI Hideaki <[email protected]>
Signed-off-by: Hannes Frederic Sowa <[email protected]>
Acked-by: Ding Tianhong <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
net/ipv6/addrconf.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 5e23f99..f4d2364 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -909,12 +909,10 @@ retry:
if (ifp->flags & IFA_F_OPTIMISTIC)
addr_flags |= IFA_F_OPTIMISTIC;

- ift = !max_addresses ||
- ipv6_count_addresses(idev) < max_addresses ?
- ipv6_add_addr(idev, &addr, tmp_plen,
- ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
- addr_flags) : NULL;
- if (!ift || IS_ERR(ift)) {
+ ift = ipv6_add_addr(idev, &addr, tmp_plen,
+ ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
+ addr_flags);
+ if (IS_ERR(ift)) {
in6_ifa_put(ifp);
in6_dev_put(idev);
pr_info("%s: retry temporary address regeneration\n", __func__);
--
1.8.3.2

2013-09-30 10:30:07

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 043/104] tcp: cubic: fix overflow error in bictcp_update()

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <[email protected]>

commit 2ed0edf9090bf4afa2c6fc4f38575a85a80d4b20 upstream.

commit 17a6e9f1aa9 ("tcp_cubic: fix clock dependency") added an
overflow error in bictcp_update() in following code :

/* change the unit from HZ to bictcp_HZ */
t = ((tcp_time_stamp + msecs_to_jiffies(ca->delay_min>>3) -
ca->epoch_start) << BICTCP_HZ) / HZ;

Because msecs_to_jiffies() being unsigned long, compiler does
implicit type promotion.

We really want to constrain (tcp_time_stamp - ca->epoch_start)
to a signed 32bit value, or else 't' has unexpected high values.

This bugs triggers an increase of retransmit rates ~24 days after
boot [1], as the high order bit of tcp_time_stamp flips.

[1] for hosts with HZ=1000

Big thanks to Van Jacobson for spotting this problem.

Diagnosed-by: Van Jacobson <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Cc: Neal Cardwell <[email protected]>
Cc: Yuchung Cheng <[email protected]>
Cc: Stephen Hemminger <[email protected]>
Acked-by: Neal Cardwell <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
net/ipv4/tcp_cubic.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c
index a9077f4..b6b591f 100644
--- a/net/ipv4/tcp_cubic.c
+++ b/net/ipv4/tcp_cubic.c
@@ -206,8 +206,8 @@ static u32 cubic_root(u64 a)
*/
static inline void bictcp_update(struct bictcp *ca, u32 cwnd)
{
- u64 offs;
- u32 delta, t, bic_target, max_cnt;
+ u32 delta, bic_target, max_cnt;
+ u64 offs, t;

ca->ack_cnt++; /* count the number of ACKs */

@@ -250,9 +250,11 @@ static inline void bictcp_update(struct bictcp *ca, u32 cwnd)
* if the cwnd < 1 million packets !!!
*/

+ t = (s32)(tcp_time_stamp - ca->epoch_start);
+ t += msecs_to_jiffies(ca->delay_min >> 3);
/* change the unit from HZ to bictcp_HZ */
- t = ((tcp_time_stamp + msecs_to_jiffies(ca->delay_min>>3)
- - ca->epoch_start) << BICTCP_HZ) / HZ;
+ t <<= BICTCP_HZ;
+ do_div(t, HZ);

if (t < ca->bic_K) /* t - K */
offs = ca->bic_K - t;
--
1.8.3.2

2013-09-30 10:12:25

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 035/104] cifs: don't instantiate new dentries in readdir for inodes that need to be revalidated immediately

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Jeff Layton <[email protected]>

commit 757c4f6260febff982276818bb946df89c1105aa upstream.

David reported that commit c2b93e06 (cifs: only set ops for inodes in
I_NEW state) caused a regression with mfsymlinks. Prior to that patch,
if a mfsymlink dentry was instantiated at readdir time, the inode would
get a new set of ops when it was revalidated. After that patch, this
did not occur.

This patch addresses this by simply skipping instantiating dentries in
the readdir codepath when we know that they will need to be immediately
revalidated. The next attempt to use that dentry will cause a new lookup
to occur (which is basically what we want to happen anyway).

Cc: "Stefan (metze) Metzmacher" <[email protected]>
Cc: Sachin Prabhu <[email protected]>
Reported-and-Tested-by: David McBride <[email protected]>
Signed-off-by: Jeff Layton <[email protected]>
Signed-off-by: Steve French <[email protected]>
[ luis: backported to 3.5: added 'NULL' return ]
Signed-off-by: Luis Henriques <[email protected]>
---
fs/cifs/readdir.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
index 6cb83b9..8ae4457 100644
--- a/fs/cifs/readdir.c
+++ b/fs/cifs/readdir.c
@@ -107,6 +107,14 @@ cifs_readdir_lookup(struct dentry *parent, struct qstr *name,
dput(dentry);
}

+ /*
+ * If we know that the inode will need to be revalidated immediately,
+ * then don't create a new dentry for it. We'll end up doing an on
+ * the wire call either way and this spares us an invalidation.
+ */
+ if (fattr->cf_flags & CIFS_FATTR_NEED_REVAL)
+ return NULL;
+
dentry = d_alloc(parent, name);
if (dentry == NULL)
return NULL;
--
1.8.3.2

2013-09-30 10:30:29

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 041/104] bonding: modify only neigh_parms owned by us

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Veaceslav Falico <[email protected]>

commit 9918d5bf329d0dc5bb2d9d293bcb772bdb626e65 upstream.

Otherwise, on neighbour creation, bond_neigh_init() will be called with a
foreign netdev.

Signed-off-by: Veaceslav Falico <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/net/bonding/bond_main.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 1e1ae64..c7fd229c 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -3759,11 +3759,17 @@ static int bond_neigh_init(struct neighbour *n)
* The bonding ndo_neigh_setup is called at init time beofre any
* slave exists. So we must declare proxy setup function which will
* be used at run time to resolve the actual slave neigh param setup.
+ *
+ * It's also called by master devices (such as vlans) to setup their
+ * underlying devices. In that case - do nothing, we're already set up from
+ * our init.
*/
static int bond_neigh_setup(struct net_device *dev,
struct neigh_parms *parms)
{
- parms->neigh_setup = bond_neigh_init;
+ /* modify only our neigh_parms */
+ if (parms->dev == dev)
+ parms->neigh_setup = bond_neigh_init;

return 0;
}
--
1.8.3.2

2013-09-30 10:31:08

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 040/104] neighbour: populate neigh_parms on alloc before calling ndo_neigh_setup

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Veaceslav Falico <[email protected]>

commit 63134803a6369dcf7dddf7f0d5e37b9566b308d2 upstream.

dev->ndo_neigh_setup() might need some of the values of neigh_parms, so
populate them before calling it.

Signed-off-by: Veaceslav Falico <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
net/core/neighbour.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index c09f82b..38d5188 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1443,16 +1443,18 @@ struct neigh_parms *neigh_parms_alloc(struct net_device *dev,
atomic_set(&p->refcnt, 1);
p->reachable_time =
neigh_rand_reach_time(p->base_reachable_time);
+ dev_hold(dev);
+ p->dev = dev;
+ write_pnet(&p->net, hold_net(net));
+ p->sysctl_table = NULL;

if (ops->ndo_neigh_setup && ops->ndo_neigh_setup(dev, p)) {
+ release_net(net);
+ dev_put(dev);
kfree(p);
return NULL;
}

- dev_hold(dev);
- p->dev = dev;
- write_pnet(&p->net, hold_net(net));
- p->sysctl_table = NULL;
write_lock_bh(&tbl->lock);
p->next = tbl->parms.next;
tbl->parms.next = p;
--
1.8.3.2

2013-09-30 10:31:30

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 037/104] tipc: fix lockdep warning during bearer initialization

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Ying Xue <[email protected]>

commit 4225a398c1352a7a5c14dc07277cb5cc4473983b upstream.

When the lockdep validator is enabled, it will report the below
warning when we enable a TIPC bearer:

[ INFO: possible irq lock inversion dependency detected ]
---------------------------------------------------------
Possible interrupt unsafe locking scenario:

CPU0 CPU1
---- ----
lock(ptype_lock);
local_irq_disable();
lock(tipc_net_lock);
lock(ptype_lock);
<Interrupt>
lock(tipc_net_lock);

*** DEADLOCK ***

the shortest dependencies between 2nd lock and 1st lock:
-> (ptype_lock){+.+...} ops: 10 {
[...]
SOFTIRQ-ON-W at:
[<c1089418>] __lock_acquire+0x528/0x13e0
[<c108a360>] lock_acquire+0x90/0x100
[<c1553c38>] _raw_spin_lock+0x38/0x50
[<c14651ca>] dev_add_pack+0x3a/0x60
[<c182da75>] arp_init+0x1a/0x48
[<c182dce5>] inet_init+0x181/0x27e
[<c1001114>] do_one_initcall+0x34/0x170
[<c17f7329>] kernel_init+0x110/0x1b2
[<c155b6a2>] kernel_thread_helper+0x6/0x10
[...]
... key at: [<c17e4b10>] ptype_lock+0x10/0x20
... acquired at:
[<c108a360>] lock_acquire+0x90/0x100
[<c1553c38>] _raw_spin_lock+0x38/0x50
[<c14651ca>] dev_add_pack+0x3a/0x60
[<c8bc18d2>] enable_bearer+0xf2/0x140 [tipc]
[<c8bb283a>] tipc_enable_bearer+0x1ba/0x450 [tipc]
[<c8bb3a04>] tipc_cfg_do_cmd+0x5c4/0x830 [tipc]
[<c8bbc032>] handle_cmd+0x42/0xd0 [tipc]
[<c148e802>] genl_rcv_msg+0x232/0x280
[<c148d3f6>] netlink_rcv_skb+0x86/0xb0
[<c148e5bc>] genl_rcv+0x1c/0x30
[<c148d144>] netlink_unicast+0x174/0x1f0
[<c148ddab>] netlink_sendmsg+0x1eb/0x2d0
[<c1456bc1>] sock_aio_write+0x161/0x170
[<c1135a7c>] do_sync_write+0xac/0xf0
[<c11360f6>] vfs_write+0x156/0x170
[<c11361e2>] sys_write+0x42/0x70
[<c155b0df>] sysenter_do_call+0x12/0x38
[...]
}
-> (tipc_net_lock){+..-..} ops: 4 {
[...]
IN-SOFTIRQ-R at:
[<c108953a>] __lock_acquire+0x64a/0x13e0
[<c108a360>] lock_acquire+0x90/0x100
[<c15541cd>] _raw_read_lock_bh+0x3d/0x50
[<c8bb874d>] tipc_recv_msg+0x1d/0x830 [tipc]
[<c8bc195f>] recv_msg+0x3f/0x50 [tipc]
[<c146a5fa>] __netif_receive_skb+0x22a/0x590
[<c146ab0b>] netif_receive_skb+0x2b/0xf0
[<c13c43d2>] pcnet32_poll+0x292/0x780
[<c146b00a>] net_rx_action+0xfa/0x1e0
[<c103a4be>] __do_softirq+0xae/0x1e0
[...]
}

>From the log, we can see three different call chains between
CPU0 and CPU1:

Time 0 on CPU0:

kernel_init()->inet_init()->dev_add_pack()

At time 0, the ptype_lock is held by CPU0 in dev_add_pack();

Time 1 on CPU1:

tipc_enable_bearer()->enable_bearer()->dev_add_pack()

At time 1, tipc_enable_bearer() first holds tipc_net_lock, and then
wants to take ptype_lock to register TIPC protocol handler into the
networking stack. But the ptype_lock has been taken by dev_add_pack()
on CPU0, so at this time the dev_add_pack() running on CPU1 has to be
busy looping.

Time 2 on CPU0:

netif_receive_skb()->recv_msg()->tipc_recv_msg()

At time 2, an incoming TIPC packet arrives at CPU0, hence
tipc_recv_msg() will be invoked. In tipc_recv_msg(), it first wants
to hold tipc_net_lock. At the moment, below scenario happens:

On CPU0, below is our sequence of taking locks:

lock(ptype_lock)->lock(tipc_net_lock)

On CPU1, our sequence of taking locks looks like:

lock(tipc_net_lock)->lock(ptype_lock)

Obviously deadlock may happen in this case.

But please note the deadlock possibly doesn't occur at all when the
first TIPC bearer is enabled. Before enable_bearer() -- running on
CPU1 does not hold ptype_lock, so the TIPC receive handler (i.e.
recv_msg()) is not registered successfully via dev_add_pack(), so
the tipc_recv_msg() cannot be called by recv_msg() even if a TIPC
message comes to CPU0. But when the second TIPC bearer is
registered, the deadlock can perhaps really happen.

To fix it, we will push the work of registering TIPC protocol
handler into workqueue context. After the change, both paths taking
ptype_lock are always in process contexts, thus, the deadlock should
never occur.

Signed-off-by: Ying Xue <[email protected]>
Signed-off-by: Jon Maloy <[email protected]>
Signed-off-by: Paul Gortmaker <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
net/tipc/eth_media.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/net/tipc/eth_media.c b/net/tipc/eth_media.c
index 90ac9bf..f2e04b4 100644
--- a/net/tipc/eth_media.c
+++ b/net/tipc/eth_media.c
@@ -46,12 +46,14 @@
* @bearer: ptr to associated "generic" bearer structure
* @dev: ptr to associated Ethernet network device
* @tipc_packet_type: used in binding TIPC to Ethernet driver
+ * @setup: work item used when enabling bearer
* @cleanup: work item used when disabling bearer
*/
struct eth_bearer {
struct tipc_bearer *bearer;
struct net_device *dev;
struct packet_type tipc_packet_type;
+ struct work_struct setup;
struct work_struct cleanup;
};

@@ -134,6 +136,17 @@ static int recv_msg(struct sk_buff *buf, struct net_device *dev,
}

/**
+ * setup_bearer - setup association between Ethernet bearer and interface
+ */
+static void setup_bearer(struct work_struct *work)
+{
+ struct eth_bearer *eb_ptr =
+ container_of(work, struct eth_bearer, setup);
+
+ dev_add_pack(&eb_ptr->tipc_packet_type);
+}
+
+/**
* enable_bearer - attach TIPC bearer to an Ethernet interface
*/
static int enable_bearer(struct tipc_bearer *tb_ptr)
@@ -173,7 +186,8 @@ static int enable_bearer(struct tipc_bearer *tb_ptr)
eb_ptr->tipc_packet_type.func = recv_msg;
eb_ptr->tipc_packet_type.af_packet_priv = eb_ptr;
INIT_LIST_HEAD(&(eb_ptr->tipc_packet_type.list));
- dev_add_pack(&eb_ptr->tipc_packet_type);
+ INIT_WORK(&eb_ptr->setup, setup_bearer);
+ schedule_work(&eb_ptr->setup);

/* Associate TIPC bearer with Ethernet bearer */
eb_ptr->bearer = tb_ptr;
--
1.8.3.2

2013-09-30 10:31:34

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 039/104] net: check net.core.somaxconn sysctl values

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Roman Gushchin <[email protected]>

commit 5f671d6b4ec3e6d66c2a868738af2cdea09e7509 upstream.

It's possible to assign an invalid value to the net.core.somaxconn
sysctl variable, because there is no checks at all.

The sk_max_ack_backlog field of the sock structure is defined as
unsigned short. Therefore, the backlog argument in inet_listen()
shouldn't exceed USHRT_MAX. The backlog argument in the listen() syscall
is truncated to the somaxconn value. So, the somaxconn value shouldn't
exceed 65535 (USHRT_MAX).
Also, negative values of somaxconn are meaningless.

before:
$ sysctl -w net.core.somaxconn=256
net.core.somaxconn = 256
$ sysctl -w net.core.somaxconn=65536
net.core.somaxconn = 65536
$ sysctl -w net.core.somaxconn=-100
net.core.somaxconn = -100

after:
$ sysctl -w net.core.somaxconn=256
net.core.somaxconn = 256
$ sysctl -w net.core.somaxconn=65536
error: "Invalid argument" setting key "net.core.somaxconn"
$ sysctl -w net.core.somaxconn=-100
error: "Invalid argument" setting key "net.core.somaxconn"

Based on a prior patch from Changli Gao.

Signed-off-by: Roman Gushchin <[email protected]>
Reported-by: Changli Gao <[email protected]>
Suggested-by: Eric Dumazet <[email protected]>
Acked-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
net/core/sysctl_net_core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index a7c3684..df0dafe 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -20,6 +20,9 @@
#include <net/sock.h>
#include <net/net_ratelimit.h>

+static int zero = 0;
+static int ushort_max = USHRT_MAX;
+
#ifdef CONFIG_RPS
static int rps_sock_flow_sysctl(ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
@@ -198,7 +201,9 @@ static struct ctl_table netns_core_table[] = {
.data = &init_net.core.sysctl_somaxconn,
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec
+ .extra1 = &zero,
+ .extra2 = &ushort_max,
+ .proc_handler = proc_dointvec_minmax
},
{ }
};
--
1.8.3.2

2013-09-30 10:31:57

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 036/104] xen/events: mask events when changing their VCPU binding

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: David Vrabel <[email protected]>

commit 4704fe4f03a5ab27e3c36184af85d5000e0f8a48 upstream.

When a event is being bound to a VCPU there is a window between the
EVTCHNOP_bind_vpcu call and the adjustment of the local per-cpu masks
where an event may be lost. The hypervisor upcalls the new VCPU but
the kernel thinks that event is still bound to the old VCPU and
ignores it.

There is even a problem when the event is being bound to the same VCPU
as there is a small window beween the clear_bit() and set_bit() calls
in bind_evtchn_to_cpu(). When scanning for pending events, the kernel
may read the bit when it is momentarily clear and ignore the event.

Avoid this by masking the event during the whole bind operation.

Signed-off-by: David Vrabel <[email protected]>
Signed-off-by: Konrad Rzeszutek Wilk <[email protected]>
Reviewed-by: Jan Beulich <[email protected]>
[ luis: backported to 3.5:
- removed the BM() cast (as per 3.2 backport) ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/xen/events.c | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/drivers/xen/events.c b/drivers/xen/events.c
index 025e98b..8a8cd6e 100644
--- a/drivers/xen/events.c
+++ b/drivers/xen/events.c
@@ -1431,8 +1431,10 @@ void rebind_evtchn_irq(int evtchn, int irq)
/* Rebind an evtchn so that it gets delivered to a specific cpu */
static int rebind_irq_to_cpu(unsigned irq, unsigned tcpu)
{
+ struct shared_info *s = HYPERVISOR_shared_info;
struct evtchn_bind_vcpu bind_vcpu;
int evtchn = evtchn_from_irq(irq);
+ int masked;

if (!VALID_EVTCHN(evtchn))
return -1;
@@ -1449,6 +1451,12 @@ static int rebind_irq_to_cpu(unsigned irq, unsigned tcpu)
bind_vcpu.vcpu = tcpu;

/*
+ * Mask the event while changing the VCPU binding to prevent
+ * it being delivered on an unexpected VCPU.
+ */
+ masked = sync_test_and_set_bit(evtchn, s->evtchn_mask);
+
+ /*
* If this fails, it usually just indicates that we're dealing with a
* virq or IPI channel, which don't actually need to be rebound. Ignore
* it, but don't do the xenlinux-level rebind in that case.
@@ -1456,6 +1464,9 @@ static int rebind_irq_to_cpu(unsigned irq, unsigned tcpu)
if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_vcpu, &bind_vcpu) >= 0)
bind_evtchn_to_cpu(evtchn, tcpu);

+ if (!masked)
+ unmask_evtchn(evtchn);
+
return 0;
}

--
1.8.3.2

2013-09-30 10:12:16

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 027/104] ALSA: hda - hdmi: Fallback to ALSA allocation when selecting CA

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <[email protected]>

commit 18e391862cceaf43ddb8eb5cca05e1a83abdebaa upstream.

hdmi_channel_allocation() tries to find a HDMI channel allocation that
matches the number channels in the playback stream and contains only
speakers that the HDMI sink has reported as available via EDID. If no
such allocation is found, 0 (stereo audio) is used.

Using CA 0 causes the audio causes the sink to discard everything except
the first two channels (front left and front right).

However, the sink may be capable of receiving more channels than it has
speakers (and then perform downmix or discard the extra channels), in
which case it is preferable to use a CA that contains extra channels
than to use CA 0 which discards all the non-stereo channels.

Additionally, it seems that HBR (HD) passthrough output does not work on
Intel HDMI codecs when CA is set to 0 (possibly the codec zeroes
channels not present in CA). This happens with all receivers that report
a 5.1 speaker mask since a HBR stream is carried on 8 channels to the
codec.

Add a fallback in the CA selection so that the CA channel count at least
matches the stream channel count, even if the stream contains channels
not present in the sink speaker descriptor.

Thanks to GrimGriefer at OpenELEC forums for discovering that changing
the sink speaker mask allowed HBR output.

Reported-by: GrimGriefer
Reported-by: Ashecrow
Reported-by: Frank Zafka <[email protected]>
Reported-by: Peter Frühberger <[email protected]>
Signed-off-by: Anssi Hannula <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
sound/pci/hda/patch_hdmi.c | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
index bbd5e8d..59f8cac 100644
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -513,6 +513,17 @@ static int hdmi_channel_allocation(struct hdmi_eld *eld, int channels)
}
}

+ if (!ca) {
+ /* if there was no match, select the regular ALSA channel
+ * allocation with the matching number of channels */
+ for (i = 0; i < ARRAY_SIZE(channel_allocations); i++) {
+ if (channels == channel_allocations[i].channels) {
+ ca = channel_allocations[i].ca_index;
+ break;
+ }
+ }
+ }
+
snd_print_channel_allocation(eld->info.spk_alloc, buf, sizeof(buf));
snd_printdd("HDMI: select CA 0x%x for %d-channel allocation: %s\n",
ca, channels, buf);
--
1.8.3.2

2013-09-30 10:32:22

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 031/104] Bluetooth: Add support for Mediatek Bluetooth device [0e8d:763f]

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: "Cho, Yu-Chen" <[email protected]>

commit 178c059e7640aa8e50213400c6f3dde00189d979 upstream.

This patch adds support for Mediatek Bluetooth device

T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.01 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0e8d ProdID=763f Rev= 1.00
S: Manufacturer=MediaTek
S: Product=BT
S: SerialNumber=1.0
C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=450mA
A: FirstIf#= 0 IfCount= 2 Cls=ff(vend.) Sub=ff Prot=ff
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=125us
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=125us
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
I: If#= 1 Alt= 6 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms

Signed-off-by: Cho, Yu-Chen <[email protected]>
Signed-off-by: Gustavo Padovan <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/bluetooth/btusb.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index bb480fd..5cdfd34 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -63,6 +63,9 @@ static struct usb_device_id btusb_table[] = {
/* Apple-specific (Broadcom) devices */
{ USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) },

+ /* MediaTek MT76x0E */
+ { USB_DEVICE(0x0e8d, 0x763f) },
+
/* Broadcom SoftSailing reporting vendor specific */
{ USB_DEVICE(0x0a5c, 0x21e1) },

--
1.8.3.2

2013-09-30 10:12:13

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 016/104] rculist: list_first_or_null_rcu() should use list_entry_rcu()

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Tejun Heo <[email protected]>

commit c34ac00caefbe49d40058ae7200bd58725cebb45 upstream.

list_first_or_null() should test whether the list is empty and return
pointer to the first entry if not in a RCU safe manner. It's broken
in several ways.

* It compares __kernel @__ptr with __rcu @__next triggering the
following sparse warning.

net/core/dev.c:4331:17: error: incompatible types in comparison expression (different address spaces)

* It doesn't perform rcu_dereference*() and computes the entry address
using container_of() directly from the __rcu pointer which is
inconsitent with other rculist interface. As a result, all three
in-kernel users - net/core/dev.c, macvlan, cgroup - are buggy. They
dereference the pointer w/o going through read barrier.

* While ->next dereference passes through list_next_rcu(), the
compiler is still free to fetch ->next more than once and thus
nullify the "__ptr != __next" condition check.

Fix it by making list_first_or_null_rcu() dereference ->next directly
using ACCESS_ONCE() and then use list_entry_rcu() on it like other
rculist accessors.

v2: Paul pointed out that the compiler may fetch the pointer more than
once nullifying the condition check. ACCESS_ONCE() added on
->next dereference.

v3: Restored () around macro param which was accidentally removed.
Spotted by Paul.

Signed-off-by: Tejun Heo <[email protected]>
Reported-by: Fengguang Wu <[email protected]>
Cc: Dipankar Sarma <[email protected]>
Cc: "Paul E. McKenney" <[email protected]>
Cc: "David S. Miller" <[email protected]>
Cc: Li Zefan <[email protected]>
Cc: Patrick McHardy <[email protected]>
Signed-off-by: Paul E. McKenney <[email protected]>
Reviewed-by: Josh Triplett <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
include/linux/rculist.h | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/include/linux/rculist.h b/include/linux/rculist.h
index e0f0fab..bbea697 100644
--- a/include/linux/rculist.h
+++ b/include/linux/rculist.h
@@ -267,8 +267,9 @@ static inline void list_splice_init_rcu(struct list_head *list,
*/
#define list_first_or_null_rcu(ptr, type, member) \
({struct list_head *__ptr = (ptr); \
- struct list_head __rcu *__next = list_next_rcu(__ptr); \
- likely(__ptr != __next) ? container_of(__next, type, member) : NULL; \
+ struct list_head *__next = ACCESS_ONCE(__ptr->next); \
+ likely(__ptr != __next) ? \
+ list_entry_rcu(__next, type, member) : NULL; \
})

/**
--
1.8.3.2

2013-09-30 10:32:49

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 033/104] Bluetooth: ath3k: Add support for ID 0x13d3/0x3402

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Sujith Manoharan <[email protected]>

commit 5b77a1f3d7b7360dc2b7c6d2188d39b9f8432907 upstream.

T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 5 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3402 Rev= 0.02
S: Manufacturer=Atheros Communications
S: Product=Bluetooth USB Host Controller
S: SerialNumber=Alaska Day 2006
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Bug: https://bugzilla.kernel.org/show_bug.cgi?id=59701

Signed-off-by: Sujith Manoharan <[email protected]>
Signed-off-by: Gustavo Padovan <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/bluetooth/ath3k.c | 2 ++
drivers/bluetooth/btusb.c | 1 +
2 files changed, 3 insertions(+)

diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
index 3e7e2ee..a9e5be4 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -92,6 +92,7 @@ static struct usb_device_id ath3k_table[] = {
{ USB_DEVICE(0x0489, 0xe056) },
{ USB_DEVICE(0x0489, 0xe04d) },
{ USB_DEVICE(0x04c5, 0x1330) },
+ { USB_DEVICE(0x13d3, 0x3402) },
{ USB_DEVICE(0x0cf3, 0x3121) },

/* Atheros AR5BBU12 with sflash firmware */
@@ -131,6 +132,7 @@ static struct usb_device_id ath3k_blist_tbl[] = {
{ USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },

/* Atheros AR5BBU22 with sflash firmware */
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 93fb265..b6a17c6 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -161,6 +161,7 @@ static struct usb_device_id blacklist_table[] = {
{ USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },

/* Atheros AR5BBU12 with sflash firmware */
--
1.8.3.2

2013-09-30 10:32:47

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 034/104] Bluetooth: Add support for Atheros [0cf3:e003]

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: AceLan Kao <[email protected]>

commit 1d5b569ef85d013a775560a90050dc630614c045 upstream.

Add support for the AR9462 chip

T: Bus=02 Lev=02 Prnt=02 Port=04 Cnt=01 Dev#= 4 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0cf3 ProdID=e003 Rev=00.02
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Signed-off-by: AceLan Kao <[email protected]>
Signed-off-by: Gustavo Padovan <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/bluetooth/ath3k.c | 2 ++
drivers/bluetooth/btusb.c | 1 +
2 files changed, 3 insertions(+)

diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
index a9e5be4..5a757be 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -94,6 +94,7 @@ static struct usb_device_id ath3k_table[] = {
{ USB_DEVICE(0x04c5, 0x1330) },
{ USB_DEVICE(0x13d3, 0x3402) },
{ USB_DEVICE(0x0cf3, 0x3121) },
+ { USB_DEVICE(0x0cf3, 0xe003) },

/* Atheros AR5BBU12 with sflash firmware */
{ USB_DEVICE(0x0489, 0xE02C) },
@@ -134,6 +135,7 @@ static struct usb_device_id ath3k_blist_tbl[] = {
{ USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },

/* Atheros AR5BBU22 with sflash firmware */
{ USB_DEVICE(0x0489, 0xE03C), .driver_info = BTUSB_ATH3012 },
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index b6a17c6..e17340f 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -163,6 +163,7 @@ static struct usb_device_id blacklist_table[] = {
{ USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },

/* Atheros AR5BBU12 with sflash firmware */
{ USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
--
1.8.3.2

2013-09-30 10:33:27

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 032/104] Bluetooth: ath3k: Add support for Fujitsu Lifebook UH5x2 [04c5:1330]

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Thomas Loo <[email protected]>

commit 84eb2ae1807dd1467bf6f500fc69ae61f1907b75 upstream.

The Fujitsu Lifebook UH552/UH572 ships with a Qualcomm AR9462/AR3012
WLAN/BT-Combo card.
Add device ID to the ath3k driver to enable the bluetooth side of things.
Patch against v3.10.

T: Bus=03 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=04c5 ProdID=1330 Rev=00.02
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Signed-off-by: Thomas Loo <[email protected]>
Signed-off-by: Gustavo Padovan <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/bluetooth/ath3k.c | 2 ++
drivers/bluetooth/btusb.c | 1 +
2 files changed, 3 insertions(+)

diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
index 2b912cc..3e7e2ee 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -91,6 +91,7 @@ static struct usb_device_id ath3k_table[] = {
{ USB_DEVICE(0x0489, 0xe04e) },
{ USB_DEVICE(0x0489, 0xe056) },
{ USB_DEVICE(0x0489, 0xe04d) },
+ { USB_DEVICE(0x04c5, 0x1330) },
{ USB_DEVICE(0x0cf3, 0x3121) },

/* Atheros AR5BBU12 with sflash firmware */
@@ -129,6 +130,7 @@ static struct usb_device_id ath3k_blist_tbl[] = {
{ USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },

/* Atheros AR5BBU22 with sflash firmware */
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 5cdfd34..93fb265 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -160,6 +160,7 @@ static struct usb_device_id blacklist_table[] = {
{ USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },

/* Atheros AR5BBU12 with sflash firmware */
--
1.8.3.2

2013-09-30 10:33:51

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 030/104] iwlwifi: dvm: don't send BT_CONFIG on devices w/o Bluetooth

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Johannes Berg <[email protected]>

commit 707aee401d2467baa785a697f40a6e2d9ee79ad5 upstream.

The BT_CONFIG command that is sent to the device during
startup will enable BT coex unless the module parameter
turns it off, but on devices without Bluetooth this may
cause problems, as reported in Redhat BZ 885407.

Fix this by sending the BT_CONFIG command only when the
device has Bluetooth.

Reviewed-by: Emmanuel Grumbach <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
[ luis: backported to 3.5 (based on bwh's backport to 3.2):
- file rename: drivers/net/wireless/iwlwifi/dvm/main.c ->
drivers/net/wireless/iwlwifi/iwl-agn.c
- use priv->cfg instead of priv->lib ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/net/wireless/iwlwifi/iwl-agn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/iwlwifi/iwl-agn.c b/drivers/net/wireless/iwlwifi/iwl-agn.c
index ec36e2b..8e3629a 100644
--- a/drivers/net/wireless/iwlwifi/iwl-agn.c
+++ b/drivers/net/wireless/iwlwifi/iwl-agn.c
@@ -799,7 +799,7 @@ int iwl_alive_start(struct iwl_priv *priv)
BT_COEX_PRIO_TBL_EVT_INIT_CALIB2);
if (ret)
return ret;
- } else {
+ } else if (priv->cfg->bt_params) {
/*
* default is 2-wire BT coexexistence support
*/
--
1.8.3.2

2013-09-30 10:34:07

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 029/104] target: Fix trailing ASCII space usage in INQUIRY vendor+model

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Nicholas Bellinger <[email protected]>

commit ee60bddba5a5f23e39598195d944aa0eb2d455e5 upstream.

This patch fixes spc_emulate_inquiry_std() to add trailing ASCII
spaces for INQUIRY vendor + model fields following SPC-4 text:

"ASCII data fields described as being left-aligned shall have any
unused bytes at the end of the field (i.e., highest offset) and
the unused bytes shall be filled with ASCII space characters (20h)."

This addresses a problem with Falconstor NSS multipathing.

Reported-by: Tomas Molota <[email protected]>
Signed-off-by: Nicholas Bellinger <[email protected]>
[ luis: backported to 3.5:
- file rename: target_core_spc.c -> target_core_cdb.c
- use dev->se_sub_dev->t10_wwn instead of dev->t10_wwn ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/target/target_core_cdb.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/target/target_core_cdb.c b/drivers/target/target_core_cdb.c
index dd09f0f..1756838 100644
--- a/drivers/target/target_core_cdb.c
+++ b/drivers/target/target_core_cdb.c
@@ -97,9 +97,12 @@ target_emulate_inquiry_std(struct se_cmd *cmd, char *buf)

buf[7] = 0x2; /* CmdQue=1 */

- snprintf(&buf[8], 8, "LIO-ORG");
- snprintf(&buf[16], 16, "%s", dev->se_sub_dev->t10_wwn.model);
- snprintf(&buf[32], 4, "%s", dev->se_sub_dev->t10_wwn.revision);
+ memcpy(&buf[8], "LIO-ORG ", 8);
+ memset(&buf[16], 0x20, 16);
+ memcpy(&buf[16], dev->se_sub_dev->t10_wwn.model,
+ min_t(size_t, strlen(dev->se_sub_dev->t10_wwn.model), 16));
+ memcpy(&buf[32], dev->se_sub_dev->t10_wwn.revision,
+ min_t(size_t, strlen(dev->se_sub_dev->t10_wwn.revision), 4));
buf[4] = 31; /* Set additional length to 31 */

return 0;
--
1.8.3.2

2013-09-30 10:12:06

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 021/104] usb: xhci: Disable runtime PM suspend for quirky controllers

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Shawn Nematbakhsh <[email protected]>

commit c8476fb855434c733099079063990e5bfa7ecad6 upstream.

If a USB controller with XHCI_RESET_ON_RESUME goes to runtime suspend,
a reset will be performed upon runtime resume. Any previously suspended
devices attached to the controller will be re-enumerated at this time.
This will cause problems, for example, if an open system call on the
device triggered the resume (the open call will fail).

Note that this change is only relevant when persist_enabled is not set
for USB devices.

This patch should be backported to kernels as old as 3.0, that
contain the commit c877b3b2ad5cb9d4fe523c5496185cc328ff3ae9 "xhci: Add
reset on resume quirk for asrock p67 host".

Signed-off-by: Shawn Nematbakhsh <[email protected]>
Signed-off-by: Sarah Sharp <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/usb/host/xhci.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)

diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 5fcd576..2acae4d 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3501,10 +3501,21 @@ void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev)
{
struct xhci_hcd *xhci = hcd_to_xhci(hcd);
struct xhci_virt_device *virt_dev;
+ struct device *dev = hcd->self.controller;
unsigned long flags;
u32 state;
int i, ret;

+#ifndef CONFIG_USB_DEFAULT_PERSIST
+ /*
+ * We called pm_runtime_get_noresume when the device was attached.
+ * Decrement the counter here to allow controller to runtime suspend
+ * if no devices remain.
+ */
+ if (xhci->quirks & XHCI_RESET_ON_RESUME)
+ pm_runtime_put_noidle(dev);
+#endif
+
ret = xhci_check_args(hcd, udev, NULL, 0, true, __func__);
/* If the host is halted due to driver unload, we still need to free the
* device.
@@ -3576,6 +3587,7 @@ static int xhci_reserve_host_control_ep_resources(struct xhci_hcd *xhci)
int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev)
{
struct xhci_hcd *xhci = hcd_to_xhci(hcd);
+ struct device *dev = hcd->self.controller;
unsigned long flags;
int timeleft;
int ret;
@@ -3628,6 +3640,16 @@ int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev)
goto disable_slot;
}
udev->slot_id = xhci->slot_id;
+
+#ifndef CONFIG_USB_DEFAULT_PERSIST
+ /*
+ * If resetting upon resume, we can't put the controller into runtime
+ * suspend if there is a device attached.
+ */
+ if (xhci->quirks & XHCI_RESET_ON_RESUME)
+ pm_runtime_get_noresume(dev);
+#endif
+
/* Is this a LS or FS device under a HS hub? */
/* Hub or peripherial? */
return 1;
--
1.8.3.2

2013-09-30 10:34:34

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 026/104] ALSA: hda - hdmi: Refactor hdmi_eld into parsed_hdmi_eld

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: David Henningsson <[email protected]>

commit 1613d6b46b433f07f1d2703e4bd102802dcd75a4 upstream.

For better readability, the information that is parsed out of the
ELD data is now put into a separate parsed_hdmi_eld struct.

Signed-off-by: David Henningsson <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
[ luis: 3.5.y-prereq for:
18e3918 ALSA: hda - hdmi: Fallback to ALSA allocation when selecting CA ]
Signed-off-by: Luis Henriques <[email protected]>
---
sound/pci/hda/hda_eld.c | 46 +++++++++++++++++++++-------------------------
sound/pci/hda/hda_local.h | 27 +++++++++++++++++----------
sound/pci/hda/patch_hdmi.c | 28 +++++++++++++++++++---------
3 files changed, 57 insertions(+), 44 deletions(-)

diff --git a/sound/pci/hda/hda_eld.c b/sound/pci/hda/hda_eld.c
index 86f6468..f076dab 100644
--- a/sound/pci/hda/hda_eld.c
+++ b/sound/pci/hda/hda_eld.c
@@ -246,8 +246,8 @@ static void hdmi_update_short_audio_desc(struct cea_sad *a,
/*
* Be careful, ELD buf could be totally rubbish!
*/
-static int hdmi_update_eld(struct hdmi_eld *e,
- const unsigned char *buf, int size)
+int snd_hdmi_parse_eld(struct parsed_hdmi_eld *e,
+ const unsigned char *buf, int size)
{
int mnl;
int i;
@@ -260,7 +260,6 @@ static int hdmi_update_eld(struct hdmi_eld *e,
goto out_fail;
}

- e->eld_size = size;
e->baseline_len = GRAB_BITS(buf, 2, 0, 8);
mnl = GRAB_BITS(buf, 4, 0, 5);
e->cea_edid_ver = GRAB_BITS(buf, 4, 5, 3);
@@ -305,7 +304,6 @@ static int hdmi_update_eld(struct hdmi_eld *e,
if (!e->spk_alloc)
e->spk_alloc = 0xffff;

- e->eld_valid = true;
return 0;

out_fail:
@@ -318,17 +316,16 @@ int snd_hdmi_get_eld_size(struct hda_codec *codec, hda_nid_t nid)
AC_DIPSIZE_ELD_BUF);
}

-int snd_hdmi_get_eld(struct hdmi_eld *eld,
- struct hda_codec *codec, hda_nid_t nid)
+int snd_hdmi_get_eld(struct hda_codec *codec, hda_nid_t nid,
+ unsigned char *buf, int *eld_size)
{
int i;
int ret = 0;
int size;
- unsigned char *buf;

/*
* ELD size is initialized to zero in caller function. If no errors and
- * ELD is valid, actual eld_size is assigned in hdmi_update_eld()
+ * ELD is valid, actual eld_size is assigned.
*/

size = snd_hdmi_get_eld_size(codec, nid);
@@ -343,8 +340,6 @@ int snd_hdmi_get_eld(struct hdmi_eld *eld,
}

/* set ELD buffer */
- buf = eld->eld_buffer;
-
for (i = 0; i < size; i++) {
unsigned int val = hdmi_get_eld_data(codec, nid, i);
/*
@@ -372,8 +367,7 @@ int snd_hdmi_get_eld(struct hdmi_eld *eld,
buf[i] = val;
}

- ret = hdmi_update_eld(eld, buf, size);
-
+ *eld_size = size;
error:
return ret;
}
@@ -438,7 +432,7 @@ void snd_print_channel_allocation(int spk_alloc, char *buf, int buflen)
buf[j] = '\0'; /* necessary when j == 0 */
}

-void snd_hdmi_show_eld(struct hdmi_eld *e)
+void snd_hdmi_show_eld(struct parsed_hdmi_eld *e)
{
int i;

@@ -487,10 +481,11 @@ static void hdmi_print_sad_info(int i, struct cea_sad *a,
static void hdmi_print_eld_info(struct snd_info_entry *entry,
struct snd_info_buffer *buffer)
{
- struct hdmi_eld *e = entry->private_data;
+ struct hdmi_eld *eld = entry->private_data;
+ struct parsed_hdmi_eld *e = &eld->info;
char buf[SND_PRINT_CHANNEL_ALLOCATION_ADVISED_BUFSIZE];
int i;
- static char *eld_versoin_names[32] = {
+ static char *eld_version_names[32] = {
"reserved",
"reserved",
"CEA-861D or below",
@@ -505,15 +500,15 @@ static void hdmi_print_eld_info(struct snd_info_entry *entry,
[4 ... 7] = "reserved"
};

- snd_iprintf(buffer, "monitor_present\t\t%d\n", e->monitor_present);
- snd_iprintf(buffer, "eld_valid\t\t%d\n", e->eld_valid);
- if (!e->eld_valid)
+ snd_iprintf(buffer, "monitor_present\t\t%d\n", eld->monitor_present);
+ snd_iprintf(buffer, "eld_valid\t\t%d\n", eld->eld_valid);
+ if (!eld->eld_valid)
return;
snd_iprintf(buffer, "monitor_name\t\t%s\n", e->monitor_name);
snd_iprintf(buffer, "connection_type\t\t%s\n",
eld_connection_type_names[e->conn_type]);
snd_iprintf(buffer, "eld_version\t\t[0x%x] %s\n", e->eld_ver,
- eld_versoin_names[e->eld_ver]);
+ eld_version_names[e->eld_ver]);
snd_iprintf(buffer, "edid_version\t\t[0x%x] %s\n", e->cea_edid_ver,
cea_edid_version_names[e->cea_edid_ver]);
snd_iprintf(buffer, "manufacture_id\t\t0x%x\n", e->manufacture_id);
@@ -535,7 +530,8 @@ static void hdmi_print_eld_info(struct snd_info_entry *entry,
static void hdmi_write_eld_info(struct snd_info_entry *entry,
struct snd_info_buffer *buffer)
{
- struct hdmi_eld *e = entry->private_data;
+ struct hdmi_eld *eld = entry->private_data;
+ struct parsed_hdmi_eld *e = &eld->info;
char line[64];
char name[64];
char *sname;
@@ -551,9 +547,9 @@ static void hdmi_write_eld_info(struct snd_info_entry *entry,
* eld_version edid_version
*/
if (!strcmp(name, "monitor_present"))
- e->monitor_present = val;
+ eld->monitor_present = val;
else if (!strcmp(name, "eld_valid"))
- e->eld_valid = val;
+ eld->eld_valid = val;
else if (!strcmp(name, "connection_type"))
e->conn_type = val;
else if (!strcmp(name, "port_id"))
@@ -627,7 +623,7 @@ void snd_hda_eld_proc_free(struct hda_codec *codec, struct hdmi_eld *eld)
#endif /* CONFIG_PROC_FS */

/* update PCM info based on ELD */
-void snd_hdmi_eld_update_pcm_info(struct hdmi_eld *eld,
+void snd_hdmi_eld_update_pcm_info(struct parsed_hdmi_eld *e,
struct hda_pcm_stream *hinfo)
{
u32 rates;
@@ -644,8 +640,8 @@ void snd_hdmi_eld_update_pcm_info(struct hdmi_eld *eld,
formats = SNDRV_PCM_FMTBIT_S16_LE;
maxbps = 16;
channels_max = 2;
- for (i = 0; i < eld->sad_count; i++) {
- struct cea_sad *a = &eld->sad[i];
+ for (i = 0; i < e->sad_count; i++) {
+ struct cea_sad *a = &e->sad[i];
rates |= a->rates;
if (a->channels > channels_max)
channels_max = a->channels;
diff --git a/sound/pci/hda/hda_local.h b/sound/pci/hda/hda_local.h
index 9a096a8..da2eadc 100644
--- a/sound/pci/hda/hda_local.h
+++ b/sound/pci/hda/hda_local.h
@@ -616,10 +616,10 @@ struct cea_sad {
/*
* ELD: EDID Like Data
*/
-struct hdmi_eld {
- bool monitor_present;
- bool eld_valid;
- int eld_size;
+struct parsed_hdmi_eld {
+ /*
+ * all fields will be cleared before updating ELD
+ */
int baseline_len;
int eld_ver;
int cea_edid_ver;
@@ -634,19 +634,26 @@ struct hdmi_eld {
int spk_alloc;
int sad_count;
struct cea_sad sad[ELD_MAX_SAD];
- /*
- * all fields above eld_buffer will be cleared before updating ELD
- */
+};
+
+struct hdmi_eld {
+ bool monitor_present;
+ bool eld_valid;
+ int eld_size;
char eld_buffer[ELD_MAX_SIZE];
+ struct parsed_hdmi_eld info;
#ifdef CONFIG_PROC_FS
struct snd_info_entry *proc_entry;
#endif
};

int snd_hdmi_get_eld_size(struct hda_codec *codec, hda_nid_t nid);
-int snd_hdmi_get_eld(struct hdmi_eld *, struct hda_codec *, hda_nid_t);
-void snd_hdmi_show_eld(struct hdmi_eld *eld);
-void snd_hdmi_eld_update_pcm_info(struct hdmi_eld *eld,
+int snd_hdmi_get_eld(struct hda_codec *codec, hda_nid_t nid,
+ unsigned char *buf, int *eld_size);
+int snd_hdmi_parse_eld(struct parsed_hdmi_eld *e,
+ const unsigned char *buf, int size);
+void snd_hdmi_show_eld(struct parsed_hdmi_eld *e);
+void snd_hdmi_eld_update_pcm_info(struct parsed_hdmi_eld *e,
struct hda_pcm_stream *hinfo);

#ifdef CONFIG_PROC_FS
diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
index 375e0ff..bbd5e8d 100644
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -499,7 +499,7 @@ static int hdmi_channel_allocation(struct hdmi_eld *eld, int channels)
* expand ELD's notions to match the ones used by Audio InfoFrame.
*/
for (i = 0; i < ARRAY_SIZE(eld_speaker_allocation_bits); i++) {
- if (eld->spk_alloc & (1 << i))
+ if (eld->info.spk_alloc & (1 << i))
spk_mask |= eld_speaker_allocation_bits[i];
}

@@ -513,7 +513,7 @@ static int hdmi_channel_allocation(struct hdmi_eld *eld, int channels)
}
}

- snd_print_channel_allocation(eld->spk_alloc, buf, sizeof(buf));
+ snd_print_channel_allocation(eld->info.spk_alloc, buf, sizeof(buf));
snd_printdd("HDMI: select CA 0x%x for %d-channel allocation: %s\n",
ca, channels, buf);

@@ -705,7 +705,7 @@ static void hdmi_setup_audio_infoframe(struct hda_codec *codec, int pin_idx,
ca = hdmi_channel_allocation(eld, channels);

memset(&ai, 0, sizeof(ai));
- if (eld->conn_type == 0) { /* HDMI */
+ if (eld->info.conn_type == 0) { /* HDMI */
struct hdmi_audio_infoframe *hdmi_ai = &ai.hdmi;

hdmi_ai->type = 0x84;
@@ -714,7 +714,7 @@ static void hdmi_setup_audio_infoframe(struct hda_codec *codec, int pin_idx,
hdmi_ai->CC02_CT47 = channels - 1;
hdmi_ai->CA = ca;
hdmi_checksum_audio_infoframe(hdmi_ai);
- } else if (eld->conn_type == 1) { /* DisplayPort */
+ } else if (eld->info.conn_type == 1) { /* DisplayPort */
struct dp_audio_infoframe *dp_ai = &ai.dp;

dp_ai->type = 0x84;
@@ -924,7 +924,7 @@ static int hdmi_pcm_open(struct hda_pcm_stream *hinfo,

/* Restrict capabilities by ELD if this isn't disabled */
if (!static_hdmi_pcm && eld->eld_valid) {
- snd_hdmi_eld_update_pcm_info(eld, hinfo);
+ snd_hdmi_eld_update_pcm_info(&eld->info, hinfo);
if (hinfo->channels_min > hinfo->channels_max ||
!hinfo->rates || !hinfo->formats) {
per_cvt->assigned = 0;
@@ -985,8 +985,6 @@ static void hdmi_present_sense(struct hdmi_spec_per_pin *per_pin, int repoll)
int present = snd_hda_pin_sense(codec, pin_nid);
bool eld_valid = false;

- memset(eld, 0, offsetof(struct hdmi_eld, eld_buffer));
-
eld->monitor_present = !!(present & AC_PINSENSE_PRESENCE);
if (eld->monitor_present)
eld_valid = !!(present & AC_PINSENSE_ELDV);
@@ -997,8 +995,20 @@ static void hdmi_present_sense(struct hdmi_spec_per_pin *per_pin, int repoll)

eld->eld_valid = false;
if (eld_valid) {
- if (!snd_hdmi_get_eld(eld, codec, pin_nid))
- snd_hdmi_show_eld(eld);
+ if (snd_hdmi_get_eld(codec, pin_nid, eld->eld_buffer,
+ &eld->eld_size) < 0)
+ eld_valid = false;
+ else {
+ memset(&eld->info, 0, sizeof(struct parsed_hdmi_eld));
+ if (snd_hdmi_parse_eld(&eld->info, eld->eld_buffer,
+ eld->eld_size) < 0)
+ eld_valid = false;
+ }
+
+ if (eld_valid) {
+ snd_hdmi_show_eld(&eld->info);
+ eld->eld_valid = true;
+ }
else if (repoll) {
queue_delayed_work(codec->bus->workq,
&per_pin->work,
--
1.8.3.2

2013-09-30 10:34:55

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 025/104] USB: fix build error when CONFIG_PM_SLEEP isn't enabled

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <[email protected]>

commit 9d8924297cd9c256c23c02abae40202563452453 upstream.

This patch fixes a build error that occurs when CONFIG_PM is enabled
and CONFIG_PM_SLEEP isn't:

>> drivers/usb/host/ohci-pci.c:294:10: error: 'usb_hcd_pci_pm_ops' undeclared here (not in a function)
.pm = &usb_hcd_pci_pm_ops

Since the usb_hcd_pci_pm_ops structure is defined and used when
CONFIG_PM is enabled, its declaration should not be protected by
CONFIG_PM_SLEEP.

Signed-off-by: Alan Stern <[email protected]>
Reported-by: kbuild test robot <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
include/linux/usb/hcd.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h
index 49b3ac2..aed9773 100644
--- a/include/linux/usb/hcd.h
+++ b/include/linux/usb/hcd.h
@@ -402,7 +402,7 @@ extern int usb_hcd_pci_probe(struct pci_dev *dev,
extern void usb_hcd_pci_remove(struct pci_dev *dev);
extern void usb_hcd_pci_shutdown(struct pci_dev *dev);

-#ifdef CONFIG_PM_SLEEP
+#ifdef CONFIG_PM
extern const struct dev_pm_ops usb_hcd_pci_pm_ops;
#endif
#endif /* CONFIG_PCI */
--
1.8.3.2

2013-09-30 10:35:13

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 023/104] ACPI / EC: Add HP Folio 13 to ec_dmi_table in order to skip DSDT scan

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Lan Tianyu <[email protected]>

commit eff9a4b62b14cf0d9913e3caf1f26f8b7a6105c9 upstream.

HP Folio 13's BIOS defines CMOS RTC Operation Region and the EC's
_REG method will access that region. To allow the CMOS RTC region
handler to be installed before the EC _REG method is first invoked,
add ec_skip_dsdt_scan() as HP Folio 13's callback to ec_dmi_table.

References: https://bugzilla.kernel.org/show_bug.cgi?id=54621
Reported-and-tested-by: Stefan Nagy <[email protected]>
Signed-off-by: Lan Tianyu <[email protected]>
Signed-off-by: Rafael J. Wysocki <[email protected]>
[ luis: 3.5.y-prereq for:
524f42f ACPI / EC: Add ASUSTEK L4R to quirk list in order to validate ECDT ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/acpi/ec.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
index f9914e5..3251d4b 100644
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -974,6 +974,10 @@ static struct dmi_system_id __initdata ec_dmi_table[] = {
ec_enlarge_storm_threshold, "CLEVO hardware", {
DMI_MATCH(DMI_SYS_VENDOR, "CLEVO Co."),
DMI_MATCH(DMI_PRODUCT_NAME, "M720T/M730T"),}, NULL},
+ {
+ ec_skip_dsdt_scan, "HP Folio 13", {
+ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP Folio 13"),}, NULL},
{},
};

--
1.8.3.2

2013-09-30 10:35:42

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 022/104] USB: OHCI: Allow runtime PM without system sleep

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <[email protected]>

commit 69820e01aa756b8d228143d997f71523c1e97984 upstream.

Since ohci-hcd supports runtime PM, the .pm field in its pci_driver
structure should be protected by CONFIG_PM rather than
CONFIG_PM_SLEEP.

Without this change, OHCI controllers won't do runtime suspend if
system suspend or hibernation isn't enabled.

Signed-off-by: Alan Stern <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/usb/host/ohci-pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/host/ohci-pci.c b/drivers/usb/host/ohci-pci.c
index 1843bb6..6847b93 100644
--- a/drivers/usb/host/ohci-pci.c
+++ b/drivers/usb/host/ohci-pci.c
@@ -414,7 +414,7 @@ static struct pci_driver ohci_pci_driver = {
.remove = usb_hcd_pci_remove,
.shutdown = usb_hcd_pci_shutdown,

-#ifdef CONFIG_PM_SLEEP
+#ifdef CONFIG_PM
.driver = {
.pm = &usb_hcd_pci_pm_ops
},
--
1.8.3.2

2013-09-30 10:11:55

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 008/104] Bluetooth: Add support for Foxconn/Hon Hai [0489:e04d]

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Noguchi Kazutosi <[email protected]>

commit 0fc110f4e4f569e12c472f73f0af485e05631403 upstream.

Add support for the AR3012 chip.

T: Bus=01 Lev=02 Prnt=02 Port=05 Cnt=03 Dev#= 21 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e04d Rev=00.02
S: Manufacturer=Atheros Communications
S: Product=Bluetooth USB Host Controller
S: SerialNumber=Alaska Day 2006
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb

Signed-off-by: Noguchi Kazutosi <[email protected]>
Signed-off-by: Gustavo Padovan <[email protected]>
[ luis: backported to 3.5:
- adjusted context, as commit 1ebd0b2 ("Bluetooth: Add support for
Atheros [0cf3:3121]) had already been picked ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/bluetooth/ath3k.c | 2 ++
drivers/bluetooth/btusb.c | 1 +
2 files changed, 3 insertions(+)

diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c
index 47b0f70..2b912cc 100644
--- a/drivers/bluetooth/ath3k.c
+++ b/drivers/bluetooth/ath3k.c
@@ -90,6 +90,7 @@ static struct usb_device_id ath3k_table[] = {
{ USB_DEVICE(0x13d3, 0x3393) },
{ USB_DEVICE(0x0489, 0xe04e) },
{ USB_DEVICE(0x0489, 0xe056) },
+ { USB_DEVICE(0x0489, 0xe04d) },
{ USB_DEVICE(0x0cf3, 0x3121) },

/* Atheros AR5BBU12 with sflash firmware */
@@ -127,6 +128,7 @@ static struct usb_device_id ath3k_blist_tbl[] = {
{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },

/* Atheros AR5BBU22 with sflash firmware */
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index f403d46..bb480fd 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -156,6 +156,7 @@ static struct usb_device_id blacklist_table[] = {
{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
+ { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
{ USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },

/* Atheros AR5BBU12 with sflash firmware */
--
1.8.3.2

2013-09-30 10:36:25

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 020/104] usb: ehci-mxc: check for pdata before dereferencing

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Mack <[email protected]>

commit f375fc520d4df0cd9fcb570f33c103c6c0311f9e upstream.

Commit 7e8d5cd93fac ("USB: Add EHCI support for MX27 and MX31 based
boards") introduced code that could potentially lead to a NULL pointer
dereference on driver removal.

Fix this by checking for the value of pdata before dereferencing it.

Signed-off-by: Daniel Mack <[email protected]>
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/usb/host/ehci-mxc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/host/ehci-mxc.c b/drivers/usb/host/ehci-mxc.c
index c778ffe..7bce025 100644
--- a/drivers/usb/host/ehci-mxc.c
+++ b/drivers/usb/host/ehci-mxc.c
@@ -291,7 +291,7 @@ static int __exit ehci_mxc_drv_remove(struct platform_device *pdev)
if (pdata && pdata->exit)
pdata->exit(pdev);

- if (pdata->otg)
+ if (pdata && pdata->otg)
usb_phy_shutdown(pdata->otg);

usb_remove_hcd(hcd);
--
1.8.3.2

2013-09-30 10:36:43

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 019/104] staging: comedi: dt282x: dt282x_ai_insn_read() always fails

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <[email protected]>

commit 2c4283ca7cdcc6605859c836fc536fcd83a4525f upstream.

In dt282x_ai_insn_read() we call this macro like:
wait_for(!mux_busy(), comedi_error(dev, "timeout\n"); return -ETIME;);
Because the if statement doesn't have curly braces it means we always
return -ETIME and the function never succeeds.

Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Ian Abbott <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/staging/comedi/drivers/dt282x.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/comedi/drivers/dt282x.c b/drivers/staging/comedi/drivers/dt282x.c
index 736d8fa..ec85fe2 100644
--- a/drivers/staging/comedi/drivers/dt282x.c
+++ b/drivers/staging/comedi/drivers/dt282x.c
@@ -277,8 +277,9 @@ struct dt282x_private {
} \
udelay(5); \
} \
- if (_i) \
+ if (_i) { \
b \
+ } \
} while (0)

static int prep_ai_dma(struct comedi_device *dev, int chan, int size);
--
1.8.3.2

2013-09-30 10:37:10

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 009/104] [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Roland Dreier <[email protected]>

commit 35dc248383bbab0a7203fca4d722875bc81ef091 upstream.

There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances
leads to one process writing data into the address space of some other
random unrelated process if the ioctl is interrupted by a signal.
What happens is the following:

- A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the
underlying SCSI command will transfer data from the SCSI device to
the buffer provided in the ioctl)

- Before the command finishes, a signal is sent to the process waiting
in the ioctl. This will end up waking up the sg_ioctl() code:

result = wait_event_interruptible(sfp->read_wait,
(srp_done(sfp, srp) || sdp->detached));

but neither srp_done() nor sdp->detached is true, so we end up just
setting srp->orphan and returning to userspace:

srp->orphan = 1;
write_unlock_irq(&sfp->rq_list_lock);
return result; /* -ERESTARTSYS because signal hit process */

At this point the original process is done with the ioctl and
blithely goes ahead handling the signal, reissuing the ioctl, etc.

- Eventually, the SCSI command issued by the first ioctl finishes and
ends up in sg_rq_end_io(). At the end of that function, we run through:

write_lock_irqsave(&sfp->rq_list_lock, iflags);
if (unlikely(srp->orphan)) {
if (sfp->keep_orphan)
srp->sg_io_owned = 0;
else
done = 0;
}
srp->done = done;
write_unlock_irqrestore(&sfp->rq_list_lock, iflags);

if (likely(done)) {
/* Now wake up any sg_read() that is waiting for this
* packet.
*/
wake_up_interruptible(&sfp->read_wait);
kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN);
kref_put(&sfp->f_ref, sg_remove_sfp);
} else {
INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext);
schedule_work(&srp->ew.work);
}

Since srp->orphan *is* set, we set done to 0 (assuming the
userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN
ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext()
to run in a workqueue.

- In workqueue context we go through sg_rq_end_io_usercontext() ->
sg_finish_rem_req() -> blk_rq_unmap_user() -> ... ->
bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user().

The key point here is that we are doing copy_to_user() on a
workqueue -- that is, we're on a kernel thread with current->mm
equal to whatever random previous user process was scheduled before
this kernel thread. So we end up copying whatever data the SCSI
command returned to the virtual address of the buffer passed into
the original ioctl, but it's quite likely we do this copying into a
different address space!

As suggested by James Bottomley <[email protected]>,
add a check for current->mm (which is NULL if we're on a kernel thread
without a real userspace address space) in bio_uncopy_user(), and skip
the copy if we're on a kernel thread.

There's no reason that I can think of for any caller of bio_uncopy_user()
to want to do copying on a kernel thread with a random active userspace
address space.

Huge thanks to Costa Sapuntzakis <[email protected]> for the
original pointer to this bug in the sg code.

Signed-off-by: Roland Dreier <[email protected]>
Tested-by: David Milburn <[email protected]>
Cc: Jens Axboe <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
[lizf: backported to 3.4:
- Use __bio_for_each_segment() instead of bio_for_each_segment_all()]
Cc: Li Zefan <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
fs/bio.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/fs/bio.c b/fs/bio.c
index 73922ab..bbd45cd 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -790,12 +790,22 @@ static int __bio_copy_iov(struct bio *bio, struct bio_vec *iovecs,
int bio_uncopy_user(struct bio *bio)
{
struct bio_map_data *bmd = bio->bi_private;
- int ret = 0;
+ struct bio_vec *bvec;
+ int ret = 0, i;

- if (!bio_flagged(bio, BIO_NULL_MAPPED))
- ret = __bio_copy_iov(bio, bmd->iovecs, bmd->sgvecs,
- bmd->nr_sgvecs, bio_data_dir(bio) == READ,
- 0, bmd->is_our_pages);
+ if (!bio_flagged(bio, BIO_NULL_MAPPED)) {
+ /*
+ * if we're in a workqueue, the request is orphaned, so
+ * don't copy into a random user address space, just free.
+ */
+ if (current->mm)
+ ret = __bio_copy_iov(bio, bmd->iovecs, bmd->sgvecs,
+ bmd->nr_sgvecs, bio_data_dir(bio) == READ,
+ 0, bmd->is_our_pages);
+ else if (bmd->is_our_pages)
+ __bio_for_each_segment(bvec, bio, i, 0)
+ __free_page(bvec->bv_page);
+ }
bio_free_map_data(bmd);
bio_put(bio);
return ret;
--
1.8.3.2

2013-09-30 10:37:37

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 015/104] ASoC: wm8960: Fix PLL register writes

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Mike Dyer <[email protected]>

commit 85fa532b6ef920b32598df86b194571a7059a77c upstream.

Bit 9 of PLL2,3 and 4 is reserved as '0'. The 24bit fractional part
should be split across each register in 8bit chunks.

Signed-off-by: Mike Dyer <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
sound/soc/codecs/wm8960.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sound/soc/codecs/wm8960.c b/sound/soc/codecs/wm8960.c
index 8bc659d..f27448b 100644
--- a/sound/soc/codecs/wm8960.c
+++ b/sound/soc/codecs/wm8960.c
@@ -789,9 +789,9 @@ static int wm8960_set_dai_pll(struct snd_soc_dai *codec_dai, int pll_id,
if (pll_div.k) {
reg |= 0x20;

- snd_soc_write(codec, WM8960_PLL2, (pll_div.k >> 18) & 0x3f);
- snd_soc_write(codec, WM8960_PLL3, (pll_div.k >> 9) & 0x1ff);
- snd_soc_write(codec, WM8960_PLL4, pll_div.k & 0x1ff);
+ snd_soc_write(codec, WM8960_PLL2, (pll_div.k >> 16) & 0xff);
+ snd_soc_write(codec, WM8960_PLL3, (pll_div.k >> 8) & 0xff);
+ snd_soc_write(codec, WM8960_PLL4, pll_div.k & 0xff);
}
snd_soc_write(codec, WM8960_PLL1, reg);

--
1.8.3.2

2013-09-30 10:37:55

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 014/104] xhci-plat: Don't enable legacy PCI interrupts.

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Sarah Sharp <[email protected]>

commit 52fb61250a7a132b0cfb9f4a1060a1f3c49e5a25 upstream.

The xHCI platform driver calls into usb_add_hcd to register the irq for
its platform device. It does not want the xHCI generic driver to
register an interrupt for it at all. The original code did that by
setting the XHCI_BROKEN_MSI quirk, which tells the xHCI driver to not
enable MSI or MSI-X for a PCI host.

Unfortunately, if CONFIG_PCI is enabled, and CONFIG_USB_DW3 is enabled,
the xHCI generic driver will attempt to register a legacy PCI interrupt
for the xHCI platform device in xhci_try_enable_msi(). This will result
in a bogus irq being registered, since the underlying device is a
platform_device, not a pci_device, and thus the pci_device->irq pointer
will be bogus.

Add a new quirk, XHCI_PLAT, so that the xHCI generic driver can
distinguish between a PCI device that can't handle MSI or MSI-X, and a
platform device that should not have its interrupts touched at all.
This quirk may be useful in the future, in case other corner cases like
this arise.

This patch should be backported to kernels as old as 3.9, that
contain the commit 00eed9c814cb8f281be6f0f5d8f45025dc0a97eb "USB: xhci:
correctly enable interrupts".

Signed-off-by: Sarah Sharp <[email protected]>
Reported-by: Yu Y Wang <[email protected]>
Tested-by: Yu Y Wang <[email protected]>
Reviewed-by: Felipe Balbi <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/usb/host/xhci-plat.c | 2 +-
drivers/usb/host/xhci.c | 7 ++++++-
drivers/usb/host/xhci.h | 1 +
3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
index 93ad67e..6e70ce9 100644
--- a/drivers/usb/host/xhci-plat.c
+++ b/drivers/usb/host/xhci-plat.c
@@ -24,7 +24,7 @@ static void xhci_plat_quirks(struct device *dev, struct xhci_hcd *xhci)
* here that the generic code does not try to make a pci_dev from our
* dev struct in order to setup MSI
*/
- xhci->quirks |= XHCI_BROKEN_MSI;
+ xhci->quirks |= XHCI_PLAT;
}

/* called during probe() after chip reset completes */
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 585bd6c..5fcd576 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -342,9 +342,14 @@ static void xhci_msix_sync_irqs(struct xhci_hcd *xhci)
static int xhci_try_enable_msi(struct usb_hcd *hcd)
{
struct xhci_hcd *xhci = hcd_to_xhci(hcd);
- struct pci_dev *pdev = to_pci_dev(xhci_to_hcd(xhci)->self.controller);
+ struct pci_dev *pdev;
int ret;

+ /* The xhci platform device has set up IRQs through usb_add_hcd. */
+ if (xhci->quirks & XHCI_PLAT)
+ return 0;
+
+ pdev = to_pci_dev(xhci_to_hcd(xhci)->self.controller);
/*
* Some Fresco Logic host controllers advertise MSI, but fail to
* generate interrupts. Don't even try to enable MSI.
diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
index 3e8bf2d..30c3a1d 100644
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1516,6 +1516,7 @@ struct xhci_hcd {
#define XHCI_SPURIOUS_REBOOT (1 << 13)
#define XHCI_COMP_MODE_QUIRK (1 << 14)
#define XHCI_AVOID_BEI (1 << 15)
+#define XHCI_PLAT (1 << 16)
unsigned int num_active_eps;
unsigned int limit_active_eps;
/* There are two roothubs to keep track of bus suspend info for */
--
1.8.3.2

2013-09-30 10:38:00

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 013/104] USB: handle LPM errors during device suspend correctly

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <[email protected]>

commit aa5ceae24bf8dff1d6fe87c6c4b08e69c6d33550 upstream.

The hub driver's usb_port_suspend() routine doesn't handle errors
related to Link Power Management properly. It always returns failure,
it doesn't try to clean up the wakeup setting, (in the case of system
sleep) it doesn't try to go ahead with the port suspend regardless,
and it doesn't try to apply the new power-off mechanism.

This patch fixes these problems.

Note: Sarah fixed this patch to apply against 3.11, since the original
commit (4fae6f0fa86f92e6bc7429371b1e177ad0aaac66 "USB: handle LPM errors
during device suspend correctly") called usb_disable_remote_wakeup,
which won't be added until 3.12.

This patch should be backported to kernels as old as 3.5, that
contain the commit 8306095fd2c1100e8244c09bf560f97aca5a311d "USB:
Disable USB 3.0 LPM in critical sections.". There will be merge
conflicts, since LTM wasn't added until 3.6.

Signed-off-by: Alan Stern <[email protected]>
Signed-off-by: Sarah Sharp <[email protected]>
[ luis: backported to 3.5:
- dropped LTM-related code
- dropped code related with PM QoS ]
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/usb/core/hub.c | 43 +++++++++++++++++++++++--------------------
1 file changed, 23 insertions(+), 20 deletions(-)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 8deaeb5..7be4e11 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2798,7 +2798,7 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg)
status);
/* bail if autosuspend is requested */
if (PMSG_IS_AUTO(msg))
- return status;
+ goto err_wakeup;
}
}

@@ -2807,9 +2807,10 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg)
usb_set_usb2_hardware_lpm(udev, 0);

if (usb_unlocked_disable_lpm(udev)) {
- dev_err(&udev->dev, "%s Failed to disable LPM before suspend\n.",
- __func__);
- return -ENOMEM;
+ dev_err(&udev->dev, "Failed to disable LPM before suspend\n.");
+ status = -ENOMEM;
+ if (PMSG_IS_AUTO(msg))
+ goto err_lpm3;
}

/* see 7.1.7.6 */
@@ -2823,27 +2824,29 @@ int usb_port_suspend(struct usb_device *udev, pm_message_t msg)
if (status) {
dev_dbg(hub->intfdev, "can't suspend port %d, status %d\n",
port1, status);
- /* paranoia: "should not happen" */
- if (udev->do_remote_wakeup) {
- if (!hub_is_superspeed(hub->hdev)) {
- (void) usb_control_msg(udev,
- usb_sndctrlpipe(udev, 0),
- USB_REQ_CLEAR_FEATURE,
- USB_RECIP_DEVICE,
- USB_DEVICE_REMOTE_WAKEUP, 0,
- NULL, 0,
- USB_CTRL_SET_TIMEOUT);
- } else
- (void) usb_disable_function_remotewakeup(udev);
-
- }

+ /* Try to enable USB3 LPM and LTM again */
+ usb_unlocked_enable_lpm(udev);
+ err_lpm3:
/* Try to enable USB2 hardware LPM again */
if (udev->usb2_hw_lpm_capable == 1)
usb_set_usb2_hardware_lpm(udev, 1);

- /* Try to enable USB3 LPM again */
- usb_unlocked_enable_lpm(udev);
+ if (udev->do_remote_wakeup) {
+ if (udev->speed < USB_SPEED_SUPER)
+ usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ USB_REQ_CLEAR_FEATURE,
+ USB_RECIP_DEVICE,
+ USB_DEVICE_REMOTE_WAKEUP, 0,
+ NULL, 0, USB_CTRL_SET_TIMEOUT);
+ else
+ usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ USB_REQ_CLEAR_FEATURE,
+ USB_RECIP_INTERFACE,
+ USB_INTRF_FUNC_SUSPEND, 0,
+ NULL, 0, USB_CTRL_SET_TIMEOUT);
+ }
+ err_wakeup:

/* System sleep transitions should never fail */
if (!PMSG_IS_AUTO(msg))
--
1.8.3.2

2013-09-30 10:38:41

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 005/104] drm/i915: ivb: fix edp voltage swing reg val

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Imre Deak <[email protected]>

commit 77fa4cbd5fa389e28419bbe8ac491b5fdd54840d upstream.

Fix the typo introduced in

commit 1a2eb4604b85c5efb343da8a4dcf41288fcfca85
Author: Keith Packard <[email protected]>
Date: Wed Nov 16 16:26:07 2011 -0800

drm/i915: Hook up Ivybridge eDP

This fixes eDP link-training failures and cases where all voltage swing
/pre-emphasis levels were tried and failed during clock recovery and -
as a fallback - we go on to do channel equalization with the last voltage
swing/pre-emphasis level which will succeed. Both issues can lead to a
blank screen.

v2:
- improve commit message

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=64880
Tested-by: Jeremy Moles <[email protected]>
Signed-off-by: Imre Deak <[email protected]>
Reviewed-by: Paulo Zanoni <[email protected]>
Signed-off-by: Daniel Vetter <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/gpu/drm/i915/i915_reg.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h
index 70bfc0f..e275ef6 100644
--- a/drivers/gpu/drm/i915/i915_reg.h
+++ b/drivers/gpu/drm/i915/i915_reg.h
@@ -3991,7 +3991,7 @@
#define EDP_LINK_TRAIN_600MV_0DB_IVB (0x30 <<22)
#define EDP_LINK_TRAIN_600MV_3_5DB_IVB (0x36 <<22)
#define EDP_LINK_TRAIN_800MV_0DB_IVB (0x38 <<22)
-#define EDP_LINK_TRAIN_800MV_3_5DB_IVB (0x33 <<22)
+#define EDP_LINK_TRAIN_800MV_3_5DB_IVB (0x3e <<22)

/* legacy values */
#define EDP_LINK_TRAIN_500MV_0DB_IVB (0x00 <<22)
--
1.8.3.2

2013-09-30 10:38:39

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 006/104] drm/vmwgfx: Split GMR2_REMAP commands if they are to large

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Jakob Bornecrantz <[email protected]>

commit 6e4dcff3adbf25acb87e74500a58e3c07bdec40f upstream.

This fixes the piglit test texturing/max-texture-size
causing the VM to die due to a too large SVGA command.

Signed-off-by: Jakob Bornecrantz <[email protected]>
Reviewed-by: Biran Paul <[email protected]>
Reviewed-by: Zack Rusin <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++++------------
1 file changed, 39 insertions(+), 19 deletions(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c b/drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c
index 21ee782..e1978a2 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c
@@ -29,7 +29,9 @@
#include "drmP.h"
#include "ttm/ttm_bo_driver.h"

-#define VMW_PPN_SIZE sizeof(unsigned long)
+#define VMW_PPN_SIZE (sizeof(unsigned long))
+/* A future safe maximum remap size. */
+#define VMW_PPN_PER_REMAP ((31 * 1024) / VMW_PPN_SIZE)

static int vmw_gmr2_bind(struct vmw_private *dev_priv,
struct page *pages[],
@@ -38,43 +40,61 @@ static int vmw_gmr2_bind(struct vmw_private *dev_priv,
{
SVGAFifoCmdDefineGMR2 define_cmd;
SVGAFifoCmdRemapGMR2 remap_cmd;
- uint32_t define_size = sizeof(define_cmd) + 4;
- uint32_t remap_size = VMW_PPN_SIZE * num_pages + sizeof(remap_cmd) + 4;
uint32_t *cmd;
uint32_t *cmd_orig;
+ uint32_t define_size = sizeof(define_cmd) + sizeof(*cmd);
+ uint32_t remap_num = num_pages / VMW_PPN_PER_REMAP + ((num_pages % VMW_PPN_PER_REMAP) > 0);
+ uint32_t remap_size = VMW_PPN_SIZE * num_pages + (sizeof(remap_cmd) + sizeof(*cmd)) * remap_num;
+ uint32_t remap_pos = 0;
+ uint32_t cmd_size = define_size + remap_size;
uint32_t i;

- cmd_orig = cmd = vmw_fifo_reserve(dev_priv, define_size + remap_size);
+ cmd_orig = cmd = vmw_fifo_reserve(dev_priv, cmd_size);
if (unlikely(cmd == NULL))
return -ENOMEM;

define_cmd.gmrId = gmr_id;
define_cmd.numPages = num_pages;

+ *cmd++ = SVGA_CMD_DEFINE_GMR2;
+ memcpy(cmd, &define_cmd, sizeof(define_cmd));
+ cmd += sizeof(define_cmd) / sizeof(*cmd);
+
+ /*
+ * Need to split the command if there are too many
+ * pages that goes into the gmr.
+ */
+
remap_cmd.gmrId = gmr_id;
remap_cmd.flags = (VMW_PPN_SIZE > sizeof(*cmd)) ?
SVGA_REMAP_GMR2_PPN64 : SVGA_REMAP_GMR2_PPN32;
- remap_cmd.offsetPages = 0;
- remap_cmd.numPages = num_pages;

- *cmd++ = SVGA_CMD_DEFINE_GMR2;
- memcpy(cmd, &define_cmd, sizeof(define_cmd));
- cmd += sizeof(define_cmd) / sizeof(uint32);
+ while (num_pages > 0) {
+ unsigned long nr = min(num_pages, (unsigned long)VMW_PPN_PER_REMAP);
+
+ remap_cmd.offsetPages = remap_pos;
+ remap_cmd.numPages = nr;

- *cmd++ = SVGA_CMD_REMAP_GMR2;
- memcpy(cmd, &remap_cmd, sizeof(remap_cmd));
- cmd += sizeof(remap_cmd) / sizeof(uint32);
+ *cmd++ = SVGA_CMD_REMAP_GMR2;
+ memcpy(cmd, &remap_cmd, sizeof(remap_cmd));
+ cmd += sizeof(remap_cmd) / sizeof(*cmd);

- for (i = 0; i < num_pages; ++i) {
- if (VMW_PPN_SIZE <= 4)
- *cmd = page_to_pfn(*pages++);
- else
- *((uint64_t *)cmd) = page_to_pfn(*pages++);
+ for (i = 0; i < nr; ++i) {
+ if (VMW_PPN_SIZE <= 4)
+ *cmd = page_to_pfn(*pages++);
+ else
+ *((uint64_t *)cmd) = page_to_pfn(*pages++);

- cmd += VMW_PPN_SIZE / sizeof(*cmd);
+ cmd += VMW_PPN_SIZE / sizeof(*cmd);
+ }
+
+ num_pages -= nr;
+ remap_pos += nr;
}

- vmw_fifo_commit(dev_priv, define_size + remap_size);
+ BUG_ON(cmd != cmd_orig + cmd_size / sizeof(*cmd));
+
+ vmw_fifo_commit(dev_priv, cmd_size);

return 0;
}
--
1.8.3.2

2013-09-30 10:38:37

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 010/104] xen-gnt: prevent adding duplicate gnt callbacks

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Roger Pau Monne <[email protected]>

commit 5f338d9001094a56cf87bd8a280b4e7ff953bb59 upstream.

With the current implementation, the callback in the tail of the list
can be added twice, because the check done in
gnttab_request_free_callback is bogus, callback->next can be NULL if
it is the last callback in the list. If we add the same callback twice
we end up with an infinite loop, were callback == callback->next.

Replace this check with a proper one that iterates over the list to
see if the callback has already been added.

Signed-off-by: Roger Pau Monné <[email protected]>
Cc: Konrad Rzeszutek Wilk <[email protected]>
Cc: David Vrabel <[email protected]>
Signed-off-by: Konrad Rzeszutek Wilk <[email protected]>
Acked-by: Matt Wilson <[email protected]>
Reviewed-by: David Vrabel <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/xen/grant-table.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
index 22be735..8a6ecc5 100644
--- a/drivers/xen/grant-table.c
+++ b/drivers/xen/grant-table.c
@@ -728,9 +728,18 @@ void gnttab_request_free_callback(struct gnttab_free_callback *callback,
void (*fn)(void *), void *arg, u16 count)
{
unsigned long flags;
+ struct gnttab_free_callback *cb;
+
spin_lock_irqsave(&gnttab_list_lock, flags);
- if (callback->next)
- goto out;
+
+ /* Check if the callback is already on the list */
+ cb = gnttab_free_callback_list;
+ while (cb) {
+ if (cb == callback)
+ goto out;
+ cb = cb->next;
+ }
+
callback->fn = fn;
callback->arg = arg;
callback->count = count;
--
1.8.3.2

2013-09-30 10:38:36

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 011/104] usb: config->desc.bLength may not exceed amount of data returned by the device

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Hans de Goede <[email protected]>

commit b4f17a488ae2e09bfcf95c0e0b4219c246f1116a upstream.

While reading the config parsing code I noticed this check is missing, without
this check config->desc.wTotalLength can end up with a value larger then the
dev->rawdescriptors length for the config, and when userspace then tries to
get the rawdescriptors bad things may happen.

Signed-off-by: Hans de Goede <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/usb/core/config.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index f4bdd0c..78609d3 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -424,7 +424,8 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,

memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
if (config->desc.bDescriptorType != USB_DT_CONFIG ||
- config->desc.bLength < USB_DT_CONFIG_SIZE) {
+ config->desc.bLength < USB_DT_CONFIG_SIZE ||
+ config->desc.bLength > size) {
dev_err(ddev, "invalid descriptor for config index %d: "
"type = 0x%X, length = %d\n", cfgidx,
config->desc.bDescriptorType, config->desc.bLength);
--
1.8.3.2

2013-09-30 10:38:34

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 012/104] USB: cdc-wdm: fix race between interrupt handler and tasklet

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Neukum <[email protected]>

commit 6dd433e6cf2475ce8abec1b467720858c24450eb upstream.

Both could want to submit the same URB. Some checks of the flag
intended to prevent that were missing.

Signed-off-by: Oliver Neukum <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/usb/class/cdc-wdm.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
index 97c1d8e..7c25710 100644
--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -233,6 +233,7 @@ skip_error:
static void wdm_int_callback(struct urb *urb)
{
int rv = 0;
+ int responding;
int status = urb->status;
struct wdm_device *desc;
struct usb_cdc_notification *dr;
@@ -286,8 +287,8 @@ static void wdm_int_callback(struct urb *urb)

spin_lock(&desc->iuspin);
clear_bit(WDM_READ, &desc->flags);
- set_bit(WDM_RESPONDING, &desc->flags);
- if (!test_bit(WDM_DISCONNECTING, &desc->flags)
+ responding = test_and_set_bit(WDM_RESPONDING, &desc->flags);
+ if (!responding && !test_bit(WDM_DISCONNECTING, &desc->flags)
&& !test_bit(WDM_SUSPENDING, &desc->flags)) {
rv = usb_submit_urb(desc->response, GFP_ATOMIC);
dev_dbg(&desc->intf->dev, "%s: usb_submit_urb %d",
@@ -691,16 +692,20 @@ static void wdm_rxwork(struct work_struct *work)
{
struct wdm_device *desc = container_of(work, struct wdm_device, rxwork);
unsigned long flags;
- int rv;
+ int rv = 0;
+ int responding;

spin_lock_irqsave(&desc->iuspin, flags);
if (test_bit(WDM_DISCONNECTING, &desc->flags)) {
spin_unlock_irqrestore(&desc->iuspin, flags);
} else {
+ responding = test_and_set_bit(WDM_RESPONDING, &desc->flags);
spin_unlock_irqrestore(&desc->iuspin, flags);
- rv = usb_submit_urb(desc->response, GFP_KERNEL);
+ if (!responding)
+ rv = usb_submit_urb(desc->response, GFP_KERNEL);
if (rv < 0 && rv != -EPERM) {
spin_lock_irqsave(&desc->iuspin, flags);
+ clear_bit(WDM_RESPONDING, &desc->flags);
if (!test_bit(WDM_DISCONNECTING, &desc->flags))
schedule_work(&desc->rxwork);
spin_unlock_irqrestore(&desc->iuspin, flags);
--
1.8.3.2

2013-09-30 10:11:35

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 003/104] ALSA: opti9xx: Fix conflicting driver object name

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <[email protected]>

commit fb615499f0ad28ed74201c1cdfddf9e64e205424 upstream.

The recent commit to delay the release of kobject triggered NULL
dereferences of opti9xx drivers. The cause is that all
snd-opti92x-ad1848, snd-opti92x-cs4231 and snd-opti93x drivers
register the PnP card driver with the very same name, and also
snd-opti92x-ad1848 and -cs4231 drivers register the ISA driver with
the same name, too. When these drivers are built in, quick
"register-release-and-re-register" actions occur, and this results in
Oops because of the same name is assigned to the kobject.

The fix is simply to assign individual names. As a bonus, by using
KBUILD_MODNAME, the patch reduces more lines than it adds.

The fix is based on the suggestion by Russell King.

Reported-and-tested-by: Fengguang Wu <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
sound/isa/opti9xx/opti92x-ad1848.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/sound/isa/opti9xx/opti92x-ad1848.c b/sound/isa/opti9xx/opti92x-ad1848.c
index d7ccf28..4589acd 100644
--- a/sound/isa/opti9xx/opti92x-ad1848.c
+++ b/sound/isa/opti9xx/opti92x-ad1848.c
@@ -173,11 +173,7 @@ MODULE_DEVICE_TABLE(pnp_card, snd_opti9xx_pnpids);

#endif /* CONFIG_PNP */

-#ifdef OPTi93X
-#define DEV_NAME "opti93x"
-#else
-#define DEV_NAME "opti92x"
-#endif
+#define DEV_NAME KBUILD_MODNAME

static char * snd_opti9xx_names[] = {
"unknown",
@@ -1126,7 +1122,7 @@ static void __devexit snd_opti9xx_pnp_remove(struct pnp_card_link * pcard)

static struct pnp_card_driver opti9xx_pnpc_driver = {
.flags = PNP_DRIVER_RES_DISABLE,
- .name = "opti9xx",
+ .name = DEV_NAME,
.id_table = snd_opti9xx_pnpids,
.probe = snd_opti9xx_pnp_probe,
.remove = __devexit_p(snd_opti9xx_pnp_remove),
--
1.8.3.2

2013-09-30 10:40:04

by Luis Henriques

[permalink] [raw]
Subject: [PATCH 002/104] ath9k_htc: Restore skb headroom when returning skb to mac80211

3.5.7.22 -stable review patch. If anyone has any objections, please let me know.

------------------

From: Helmut Schaa <[email protected]>

commit d2e9fc141e2aa21f4b35ee27072d84e9aa6e2ba0 upstream.

ath9k_htc adds padding between the 802.11 header and the payload during
TX by moving the header. When handing the frame back to mac80211 for TX
status handling the header is not moved back into its original position.
This can result in a too small skb headroom when entering ath9k_htc
again (due to a soft retransmission for example) causing an
skb_under_panic oops.

Fix this by moving the 802.11 header back into its original position
before returning the frame to mac80211 as other drivers like rt2x00
or ath5k do.

Reported-by: Marc Kleine-Budde <[email protected]>
Signed-off-by: Helmut Schaa <[email protected]>
Tested-by: Marc Kleine-Budde <[email protected]>
Signed-off-by: Marc Kleine-Budde <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Luis Henriques <[email protected]>
---
drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
index 9cbbb6a..43b8aba 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -448,6 +448,7 @@ static void ath9k_htc_tx_process(struct ath9k_htc_priv *priv,
struct ieee80211_conf *cur_conf = &priv->hw->conf;
bool txok;
int slot;
+ int hdrlen, padsize;

slot = strip_drv_header(priv, skb);
if (slot < 0) {
@@ -504,6 +505,15 @@ send_mac80211:

ath9k_htc_tx_clear_slot(priv, slot);

+ /* Remove padding before handing frame back to mac80211 */
+ hdrlen = ieee80211_get_hdrlen_from_skb(skb);
+
+ padsize = hdrlen & 3;
+ if (padsize && skb->len > hdrlen + padsize) {
+ memmove(skb->data + padsize, skb->data, hdrlen);
+ skb_pull(skb, padsize);
+ }
+
/* Send status to mac80211 */
ieee80211_tx_status(priv->hw, skb);
}
--
1.8.3.2

2013-09-30 11:10:55

by Luis Henriques

[permalink] [raw]
Subject: Re: [PATCH 026/104] ALSA: hda - hdmi: Refactor hdmi_eld into parsed_hdmi_eld

Hi David,

David Henningsson <[email protected]> writes:

> On 09/30/2013 12:10 PM, Luis Henriques wrote:
>> 3.5.7.22 -stable review patch. If anyone has any objections, please let me know.
>>
>> ------------------
>>
>> From: David Henningsson <[email protected]>
>>
>> commit 1613d6b46b433f07f1d2703e4bd102802dcd75a4 upstream.
>>
>> For better readability, the information that is parsed out of the
>> ELD data is now put into a separate parsed_hdmi_eld struct.
>>
>> Signed-off-by: David Henningsson <[email protected]>
>> Signed-off-by: Takashi Iwai <[email protected]>
>> [ luis: 3.5.y-prereq for:
>> 18e3918 ALSA: hda - hdmi: Fallback to ALSA allocation when selecting CA ]
>
> I don't think this is really a prereq. Sorting out the fuzz in
> hdmi_channel_allocation seems quite trivial to me, so I would suggest
> doing so instead.
>
> If you do go ahead and backport this patch, a bit of testing wouldn't
> hurt: this patch was part of a bigger patch set, and I don't think
> anyone tested just this one without the bigger set.

Ok, I agree with you and I'm dropping this patch from the 3.5 kernel.
Also, I'm replacing

[PATCH 027/104] ALSA: hda - hdmi: Fallback to ALSA allocation when selecting CA

with the patch below. Are you Ok with this?

(btw, thank you for your review!)

Cheers,
--
Luis

>From 51287bff2ce7478d73856459c23d52e5bf2e5592 Mon Sep 17 00:00:00 2001
From: Anssi Hannula <[email protected]>
Date: Sun, 1 Sep 2013 14:36:47 +0300
Subject: [PATCH] ALSA: hda - hdmi: Fallback to ALSA allocation when selecting
CA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

commit 18e391862cceaf43ddb8eb5cca05e1a83abdebaa upstream.

hdmi_channel_allocation() tries to find a HDMI channel allocation that
matches the number channels in the playback stream and contains only
speakers that the HDMI sink has reported as available via EDID. If no
such allocation is found, 0 (stereo audio) is used.

Using CA 0 causes the audio causes the sink to discard everything except
the first two channels (front left and front right).

However, the sink may be capable of receiving more channels than it has
speakers (and then perform downmix or discard the extra channels), in
which case it is preferable to use a CA that contains extra channels
than to use CA 0 which discards all the non-stereo channels.

Additionally, it seems that HBR (HD) passthrough output does not work on
Intel HDMI codecs when CA is set to 0 (possibly the codec zeroes
channels not present in CA). This happens with all receivers that report
a 5.1 speaker mask since a HBR stream is carried on 8 channels to the
codec.

Add a fallback in the CA selection so that the CA channel count at least
matches the stream channel count, even if the stream contains channels
not present in the sink speaker descriptor.

Thanks to GrimGriefer at OpenELEC forums for discovering that changing
the sink speaker mask allowed HBR output.

Reported-by: GrimGriefer
Reported-by: Ashecrow
Reported-by: Frank Zafka <[email protected]>
Reported-by: Peter Frühberger <[email protected]>
Signed-off-by: Anssi Hannula <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
[ luis: backported to 3.5: adjusted context ]
Signed-off-by: Luis Henriques <[email protected]>
---
sound/pci/hda/patch_hdmi.c | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
index 375e0ff..c3cd1f8 100644
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -513,6 +513,17 @@ static int hdmi_channel_allocation(struct hdmi_eld *eld, int channels)
}
}

+ if (!ca) {
+ /* if there was no match, select the regular ALSA channel
+ * allocation with the matching number of channels */
+ for (i = 0; i < ARRAY_SIZE(channel_allocations); i++) {
+ if (channels == channel_allocations[i].channels) {
+ ca = channel_allocations[i].ca_index;
+ break;
+ }
+ }
+ }
+
snd_print_channel_allocation(eld->spk_alloc, buf, sizeof(buf));
snd_printdd("HDMI: select CA 0x%x for %d-channel allocation: %s\n",
ca, channels, buf);
--
1.8.3.2

2013-09-30 11:38:01

by David Henningsson

[permalink] [raw]
Subject: Re: [PATCH 026/104] ALSA: hda - hdmi: Refactor hdmi_eld into parsed_hdmi_eld

On 09/30/2013 01:10 PM, Luis Henriques wrote:
> Hi David,
>
> David Henningsson <[email protected]> writes:
>
>> On 09/30/2013 12:10 PM, Luis Henriques wrote:
>>> 3.5.7.22 -stable review patch. If anyone has any objections, please let me know.
>>>
>>> ------------------
>>>
>>> From: David Henningsson <[email protected]>
>>>
>>> commit 1613d6b46b433f07f1d2703e4bd102802dcd75a4 upstream.
>>>
>>> For better readability, the information that is parsed out of the
>>> ELD data is now put into a separate parsed_hdmi_eld struct.
>>>
>>> Signed-off-by: David Henningsson <[email protected]>
>>> Signed-off-by: Takashi Iwai <[email protected]>
>>> [ luis: 3.5.y-prereq for:
>>> 18e3918 ALSA: hda - hdmi: Fallback to ALSA allocation when selecting CA ]
>>
>> I don't think this is really a prereq. Sorting out the fuzz in
>> hdmi_channel_allocation seems quite trivial to me, so I would suggest
>> doing so instead.
>>
>> If you do go ahead and backport this patch, a bit of testing wouldn't
>> hurt: this patch was part of a bigger patch set, and I don't think
>> anyone tested just this one without the bigger set.
>
> Ok, I agree with you and I'm dropping this patch from the 3.5 kernel.
> Also, I'm replacing
>
> [PATCH 027/104] ALSA: hda - hdmi: Fallback to ALSA allocation when selecting CA
>
> with the patch below. Are you Ok with this?

Yes, I think it looks good.

> (btw, thank you for your review!)

Thanks for the stable backport :-)


--
David Henningsson, Canonical Ltd.
https://launchpad.net/~diwic

2013-09-30 13:14:40

by Jack Wang

[permalink] [raw]
Subject: Re: [PATCH 092/104] mm: fix aio performance regression for database caused by THP

On 09/30/2013 12:11 PM, Luis Henriques wrote:
> 3.5.7.22 -stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Khalid Aziz <[email protected]>
>
> commit 7cb2ef56e6a8b7b368b2e883a0a47d02fed66911 upstream.
>
> I am working with a tool that simulates oracle database I/O workload.
> This tool (orion to be specific -
> <http://docs.oracle.com/cd/E11882_01/server.112/e16638/iodesign.htm#autoId24>)
> allocates hugetlbfs pages using shmget() with SHM_HUGETLB flag. It then
> does aio into these pages from flash disks using various common block
> sizes used by database. I am looking at performance with two of the most
> common block sizes - 1M and 64K. aio performance with these two block
> sizes plunged after Transparent HugePages was introduced in the kernel.
> Here are performance numbers:
>
> pre-THP 2.6.39 3.11-rc5
> 1M read 8384 MB/s 5629 MB/s 6501 MB/s
> 64K read 7867 MB/s 4576 MB/s 4251 MB/s
>
> I have narrowed the performance impact down to the overheads introduced by
> THP in __get_page_tail() and put_compound_page() routines. perf top shows
>> 40% of cycles being spent in these two routines. Every time direct I/O
> to hugetlbfs pages starts, kernel calls get_page() to grab a reference to
> the pages and calls put_page() when I/O completes to put the reference
> away. THP introduced significant amount of locking overhead to get_page()
> and put_page() when dealing with compound pages because hugepages can be
> split underneath get_page() and put_page(). It added this overhead
> irrespective of whether it is dealing with hugetlbfs pages or transparent
> hugepages. This resulted in 20%-45% drop in aio performance when using
> hugetlbfs pages.
>
> Since hugetlbfs pages can not be split, there is no reason to go through
> all the locking overhead for these pages from what I can see. I added
> code to __get_page_tail() and put_compound_page() to bypass all the
> locking code when working with hugetlbfs pages. This improved performance
> significantly. Performance numbers with this patch:
>
> pre-THP 3.11-rc5 3.11-rc5 + Patch
> 1M read 8384 MB/s 6501 MB/s 8371 MB/s
> 64K read 7867 MB/s 4251 MB/s 6510 MB/s
>
> Performance with 64K read is still lower than what it was before THP, but
> still a 53% improvement. It does mean there is more work to be done but I
> will take a 53% improvement for now.
>
> Please take a look at the following patch and let me know if it looks
> reasonable.
>
> [[email protected]: tweak comments]
> Signed-off-by: Khalid Aziz <[email protected]>
> Cc: Pravin B Shelar <[email protected]>
> Cc: Christoph Lameter <[email protected]>
> Cc: Andrea Arcangeli <[email protected]>
> Cc: Johannes Weiner <[email protected]>
> Cc: Mel Gorman <[email protected]>
> Cc: Rik van Riel <[email protected]>
> Cc: Minchan Kim <[email protected]>
> Cc: Andi Kleen <[email protected]>
> Signed-off-by: Andrew Morton <[email protected]>
> Signed-off-by: Linus Torvalds <[email protected]>
> [ luis: backported to 3.5: adjusted context ]
> Signed-off-by: Luis Henriques <[email protected]>
Hi Greg,

I suppose this patch also needed for 3.4, right?

Regards,
Jack


> ---
> mm/swap.c | 77 ++++++++++++++++++++++++++++++++++++++++++---------------------
> 1 file changed, 52 insertions(+), 25 deletions(-)
>
> diff --git a/mm/swap.c b/mm/swap.c
> index 4e7e2ec..0c833e8 100644
> --- a/mm/swap.c
> +++ b/mm/swap.c
> @@ -30,6 +30,7 @@
> #include <linux/backing-dev.h>
> #include <linux/memcontrol.h>
> #include <linux/gfp.h>
> +#include <linux/hugetlb.h>
>
> #include "internal.h"
>
> @@ -77,6 +78,19 @@ static void __put_compound_page(struct page *page)
>
> static void put_compound_page(struct page *page)
> {
> + /*
> + * hugetlbfs pages cannot be split from under us. If this is a
> + * hugetlbfs page, check refcount on head page and release the page if
> + * the refcount becomes zero.
> + */
> + if (PageHuge(page)) {
> + page = compound_head(page);
> + if (put_page_testzero(page))
> + __put_compound_page(page);
> +
> + return;
> + }
> +
> if (unlikely(PageTail(page))) {
> /* __split_huge_page_refcount can run under us */
> struct page *page_head = compound_trans_head(page);
> @@ -180,38 +194,51 @@ bool __get_page_tail(struct page *page)
> * proper PT lock that already serializes against
> * split_huge_page().
> */
> - unsigned long flags;
> bool got = false;
> - struct page *page_head = compound_trans_head(page);
> + struct page *page_head;
>
> - if (likely(page != page_head && get_page_unless_zero(page_head))) {
> + /*
> + * If this is a hugetlbfs page it cannot be split under us. Simply
> + * increment refcount for the head page.
> + */
> + if (PageHuge(page)) {
> + page_head = compound_head(page);
> + atomic_inc(&page_head->_count);
> + got = true;
> + } else {
> + unsigned long flags;
> +
> + page_head = compound_trans_head(page);
> + if (likely(page != page_head &&
> + get_page_unless_zero(page_head))) {
> +
> + /* Ref to put_compound_page() comment. */
> + if (PageSlab(page_head)) {
> + if (likely(PageTail(page))) {
> + __get_page_tail_foll(page, false);
> + return true;
> + } else {
> + put_page(page_head);
> + return false;
> + }
> + }
>
> - /* Ref to put_compound_page() comment. */
> - if (PageSlab(page_head)) {
> + /*
> + * page_head wasn't a dangling pointer but it
> + * may not be a head page anymore by the time
> + * we obtain the lock. That is ok as long as it
> + * can't be freed from under us.
> + */
> + flags = compound_lock_irqsave(page_head);
> + /* here __split_huge_page_refcount won't run anymore */
> if (likely(PageTail(page))) {
> __get_page_tail_foll(page, false);
> - return true;
> - } else {
> - put_page(page_head);
> - return false;
> + got = true;
> }
> + compound_unlock_irqrestore(page_head, flags);
> + if (unlikely(!got))
> + put_page(page_head);
> }
> -
> - /*
> - * page_head wasn't a dangling pointer but it
> - * may not be a head page anymore by the time
> - * we obtain the lock. That is ok as long as it
> - * can't be freed from under us.
> - */
> - flags = compound_lock_irqsave(page_head);
> - /* here __split_huge_page_refcount won't run anymore */
> - if (likely(PageTail(page))) {
> - __get_page_tail_foll(page, false);
> - got = true;
> - }
> - compound_unlock_irqrestore(page_head, flags);
> - if (unlikely(!got))
> - put_page(page_head);
> }
> return got;
> }
>

2013-09-30 13:26:44

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH 092/104] mm: fix aio performance regression for database caused by THP

On Mon, Sep 30, 2013 at 03:14:52PM +0200, Jack Wang wrote:
> On 09/30/2013 12:11 PM, Luis Henriques wrote:
> > 3.5.7.22 -stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Khalid Aziz <[email protected]>
> >
> > commit 7cb2ef56e6a8b7b368b2e883a0a47d02fed66911 upstream.
> >
> > I am working with a tool that simulates oracle database I/O workload.
> > This tool (orion to be specific -
> > <http://docs.oracle.com/cd/E11882_01/server.112/e16638/iodesign.htm#autoId24>)
> > allocates hugetlbfs pages using shmget() with SHM_HUGETLB flag. It then
> > does aio into these pages from flash disks using various common block
> > sizes used by database. I am looking at performance with two of the most
> > common block sizes - 1M and 64K. aio performance with these two block
> > sizes plunged after Transparent HugePages was introduced in the kernel.
> > Here are performance numbers:
> >
> > pre-THP 2.6.39 3.11-rc5
> > 1M read 8384 MB/s 5629 MB/s 6501 MB/s
> > 64K read 7867 MB/s 4576 MB/s 4251 MB/s
> >
> > I have narrowed the performance impact down to the overheads introduced by
> > THP in __get_page_tail() and put_compound_page() routines. perf top shows
> >> 40% of cycles being spent in these two routines. Every time direct I/O
> > to hugetlbfs pages starts, kernel calls get_page() to grab a reference to
> > the pages and calls put_page() when I/O completes to put the reference
> > away. THP introduced significant amount of locking overhead to get_page()
> > and put_page() when dealing with compound pages because hugepages can be
> > split underneath get_page() and put_page(). It added this overhead
> > irrespective of whether it is dealing with hugetlbfs pages or transparent
> > hugepages. This resulted in 20%-45% drop in aio performance when using
> > hugetlbfs pages.
> >
> > Since hugetlbfs pages can not be split, there is no reason to go through
> > all the locking overhead for these pages from what I can see. I added
> > code to __get_page_tail() and put_compound_page() to bypass all the
> > locking code when working with hugetlbfs pages. This improved performance
> > significantly. Performance numbers with this patch:
> >
> > pre-THP 3.11-rc5 3.11-rc5 + Patch
> > 1M read 8384 MB/s 6501 MB/s 8371 MB/s
> > 64K read 7867 MB/s 4251 MB/s 6510 MB/s
> >
> > Performance with 64K read is still lower than what it was before THP, but
> > still a 53% improvement. It does mean there is more work to be done but I
> > will take a 53% improvement for now.
> >
> > Please take a look at the following patch and let me know if it looks
> > reasonable.
> >
> > [[email protected]: tweak comments]
> > Signed-off-by: Khalid Aziz <[email protected]>
> > Cc: Pravin B Shelar <[email protected]>
> > Cc: Christoph Lameter <[email protected]>
> > Cc: Andrea Arcangeli <[email protected]>
> > Cc: Johannes Weiner <[email protected]>
> > Cc: Mel Gorman <[email protected]>
> > Cc: Rik van Riel <[email protected]>
> > Cc: Minchan Kim <[email protected]>
> > Cc: Andi Kleen <[email protected]>
> > Signed-off-by: Andrew Morton <[email protected]>
> > Signed-off-by: Linus Torvalds <[email protected]>
> > [ luis: backported to 3.5: adjusted context ]
> > Signed-off-by: Luis Henriques <[email protected]>
> Hi Greg,
>
> I suppose this patch also needed for 3.4, right?

As it didn't originally apply there, I didn't apply it.

If people think it should be applicable for 3.4, I'll take it.

thanks,

greg k-h

2013-09-30 13:32:18

by Khalid Aziz

[permalink] [raw]
Subject: Re: [PATCH 092/104] mm: fix aio performance regression for database caused by THP

On 09/30/2013 07:26 AM, Greg Kroah-Hartman wrote:
> On Mon, Sep 30, 2013 at 03:14:52PM +0200, Jack Wang wrote:
>> On 09/30/2013 12:11 PM, Luis Henriques wrote:
>>> 3.5.7.22 -stable review patch. If anyone has any objections, please let me know.
>>>
>>> ------------------
>>>
>>> From: Khalid Aziz <[email protected]>
>>>
>>> commit 7cb2ef56e6a8b7b368b2e883a0a47d02fed66911 upstream.
>>>
>>> I am working with a tool that simulates oracle database I/O workload.
>>> This tool (orion to be specific -
>>> <http://docs.oracle.com/cd/E11882_01/server.112/e16638/iodesign.htm#autoId24>)
>>> allocates hugetlbfs pages using shmget() with SHM_HUGETLB flag. It then
>>> does aio into these pages from flash disks using various common block
>>> sizes used by database. I am looking at performance with two of the most
>>> common block sizes - 1M and 64K. aio performance with these two block
>>> sizes plunged after Transparent HugePages was introduced in the kernel.
>>> Here are performance numbers:
>>>
>>> pre-THP 2.6.39 3.11-rc5
>>> 1M read 8384 MB/s 5629 MB/s 6501 MB/s
>>> 64K read 7867 MB/s 4576 MB/s 4251 MB/s
>>>
>>> I have narrowed the performance impact down to the overheads introduced by
>>> THP in __get_page_tail() and put_compound_page() routines. perf top shows
>>>> 40% of cycles being spent in these two routines. Every time direct I/O
>>> to hugetlbfs pages starts, kernel calls get_page() to grab a reference to
>>> the pages and calls put_page() when I/O completes to put the reference
>>> away. THP introduced significant amount of locking overhead to get_page()
>>> and put_page() when dealing with compound pages because hugepages can be
>>> split underneath get_page() and put_page(). It added this overhead
>>> irrespective of whether it is dealing with hugetlbfs pages or transparent
>>> hugepages. This resulted in 20%-45% drop in aio performance when using
>>> hugetlbfs pages.
>>>
>>> Since hugetlbfs pages can not be split, there is no reason to go through
>>> all the locking overhead for these pages from what I can see. I added
>>> code to __get_page_tail() and put_compound_page() to bypass all the
>>> locking code when working with hugetlbfs pages. This improved performance
>>> significantly. Performance numbers with this patch:
>>>
>>> pre-THP 3.11-rc5 3.11-rc5 + Patch
>>> 1M read 8384 MB/s 6501 MB/s 8371 MB/s
>>> 64K read 7867 MB/s 4251 MB/s 6510 MB/s
>>>
>>> Performance with 64K read is still lower than what it was before THP, but
>>> still a 53% improvement. It does mean there is more work to be done but I
>>> will take a 53% improvement for now.
>>>
>>> Please take a look at the following patch and let me know if it looks
>>> reasonable.
>>>
>>> [[email protected]: tweak comments]
>>> Signed-off-by: Khalid Aziz <[email protected]>
>>> Cc: Pravin B Shelar <[email protected]>
>>> Cc: Christoph Lameter <[email protected]>
>>> Cc: Andrea Arcangeli <[email protected]>
>>> Cc: Johannes Weiner <[email protected]>
>>> Cc: Mel Gorman <[email protected]>
>>> Cc: Rik van Riel <[email protected]>
>>> Cc: Minchan Kim <[email protected]>
>>> Cc: Andi Kleen <[email protected]>
>>> Signed-off-by: Andrew Morton <[email protected]>
>>> Signed-off-by: Linus Torvalds <[email protected]>
>>> [ luis: backported to 3.5: adjusted context ]
>>> Signed-off-by: Luis Henriques <[email protected]>
>> Hi Greg,
>>
>> I suppose this patch also needed for 3.4, right?
>
> As it didn't originally apply there, I didn't apply it.
>
> If people think it should be applicable for 3.4, I'll take it.
>
> thanks,
>
> greg k-h
>

Hi Greg,

I did send you a backported version of this patch to apply to 3.0, 3.2
and 3.4 last Monday and cc'd [email protected]. That patch should
apply cleanly to those three kernels.

--
Khalid

2013-09-30 15:00:06

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH 092/104] mm: fix aio performance regression for database caused by THP

On Mon, Sep 30, 2013 at 07:31:35AM -0600, Khalid Aziz wrote:
> On 09/30/2013 07:26 AM, Greg Kroah-Hartman wrote:
> > On Mon, Sep 30, 2013 at 03:14:52PM +0200, Jack Wang wrote:
> >> On 09/30/2013 12:11 PM, Luis Henriques wrote:
> >>> 3.5.7.22 -stable review patch. If anyone has any objections, please let me know.
> >>>
> >>> ------------------
> >>>
> >>> From: Khalid Aziz <[email protected]>
> >>>
> >>> commit 7cb2ef56e6a8b7b368b2e883a0a47d02fed66911 upstream.
> >>>
> >>> I am working with a tool that simulates oracle database I/O workload.
> >>> This tool (orion to be specific -
> >>> <http://docs.oracle.com/cd/E11882_01/server.112/e16638/iodesign.htm#autoId24>)
> >>> allocates hugetlbfs pages using shmget() with SHM_HUGETLB flag. It then
> >>> does aio into these pages from flash disks using various common block
> >>> sizes used by database. I am looking at performance with two of the most
> >>> common block sizes - 1M and 64K. aio performance with these two block
> >>> sizes plunged after Transparent HugePages was introduced in the kernel.
> >>> Here are performance numbers:
> >>>
> >>> pre-THP 2.6.39 3.11-rc5
> >>> 1M read 8384 MB/s 5629 MB/s 6501 MB/s
> >>> 64K read 7867 MB/s 4576 MB/s 4251 MB/s
> >>>
> >>> I have narrowed the performance impact down to the overheads introduced by
> >>> THP in __get_page_tail() and put_compound_page() routines. perf top shows
> >>>> 40% of cycles being spent in these two routines. Every time direct I/O
> >>> to hugetlbfs pages starts, kernel calls get_page() to grab a reference to
> >>> the pages and calls put_page() when I/O completes to put the reference
> >>> away. THP introduced significant amount of locking overhead to get_page()
> >>> and put_page() when dealing with compound pages because hugepages can be
> >>> split underneath get_page() and put_page(). It added this overhead
> >>> irrespective of whether it is dealing with hugetlbfs pages or transparent
> >>> hugepages. This resulted in 20%-45% drop in aio performance when using
> >>> hugetlbfs pages.
> >>>
> >>> Since hugetlbfs pages can not be split, there is no reason to go through
> >>> all the locking overhead for these pages from what I can see. I added
> >>> code to __get_page_tail() and put_compound_page() to bypass all the
> >>> locking code when working with hugetlbfs pages. This improved performance
> >>> significantly. Performance numbers with this patch:
> >>>
> >>> pre-THP 3.11-rc5 3.11-rc5 + Patch
> >>> 1M read 8384 MB/s 6501 MB/s 8371 MB/s
> >>> 64K read 7867 MB/s 4251 MB/s 6510 MB/s
> >>>
> >>> Performance with 64K read is still lower than what it was before THP, but
> >>> still a 53% improvement. It does mean there is more work to be done but I
> >>> will take a 53% improvement for now.
> >>>
> >>> Please take a look at the following patch and let me know if it looks
> >>> reasonable.
> >>>
> >>> [[email protected]: tweak comments]
> >>> Signed-off-by: Khalid Aziz <[email protected]>
> >>> Cc: Pravin B Shelar <[email protected]>
> >>> Cc: Christoph Lameter <[email protected]>
> >>> Cc: Andrea Arcangeli <[email protected]>
> >>> Cc: Johannes Weiner <[email protected]>
> >>> Cc: Mel Gorman <[email protected]>
> >>> Cc: Rik van Riel <[email protected]>
> >>> Cc: Minchan Kim <[email protected]>
> >>> Cc: Andi Kleen <[email protected]>
> >>> Signed-off-by: Andrew Morton <[email protected]>
> >>> Signed-off-by: Linus Torvalds <[email protected]>
> >>> [ luis: backported to 3.5: adjusted context ]
> >>> Signed-off-by: Luis Henriques <[email protected]>
> >> Hi Greg,
> >>
> >> I suppose this patch also needed for 3.4, right?
> >
> > As it didn't originally apply there, I didn't apply it.
> >
> > If people think it should be applicable for 3.4, I'll take it.
> >
> > thanks,
> >
> > greg k-h
> >
>
> Hi Greg,
>
> I did send you a backported version of this patch to apply to 3.0, 3.2
> and 3.4 last Monday and cc'd [email protected]. That patch should
> apply cleanly to those three kernels.

Ah, you didn't specifically say that in the patch, so I just thought you
were reminding me to apply it to the 3.10 and 3.11 trees. Please be
more explicit in the future.

I'll queue it up for the next round of stable kernels after this one.

thanks,

greg k-h

2013-10-03 02:46:04

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH 092/104] mm: fix aio performance regression for database caused by THP

On Mon, Sep 30, 2013 at 08:00:02AM -0700, Greg Kroah-Hartman wrote:
> On Mon, Sep 30, 2013 at 07:31:35AM -0600, Khalid Aziz wrote:
> > On 09/30/2013 07:26 AM, Greg Kroah-Hartman wrote:
> > > On Mon, Sep 30, 2013 at 03:14:52PM +0200, Jack Wang wrote:
> > >> On 09/30/2013 12:11 PM, Luis Henriques wrote:
> > >>> 3.5.7.22 -stable review patch. If anyone has any objections, please let me know.
> > >>>
> > >>> ------------------
> > >>>
> > >>> From: Khalid Aziz <[email protected]>
> > >>>
> > >>> commit 7cb2ef56e6a8b7b368b2e883a0a47d02fed66911 upstream.
> > >>>
> > >>> I am working with a tool that simulates oracle database I/O workload.
> > >>> This tool (orion to be specific -
> > >>> <http://docs.oracle.com/cd/E11882_01/server.112/e16638/iodesign.htm#autoId24>)
> > >>> allocates hugetlbfs pages using shmget() with SHM_HUGETLB flag. It then
> > >>> does aio into these pages from flash disks using various common block
> > >>> sizes used by database. I am looking at performance with two of the most
> > >>> common block sizes - 1M and 64K. aio performance with these two block
> > >>> sizes plunged after Transparent HugePages was introduced in the kernel.
> > >>> Here are performance numbers:
> > >>>
> > >>> pre-THP 2.6.39 3.11-rc5
> > >>> 1M read 8384 MB/s 5629 MB/s 6501 MB/s
> > >>> 64K read 7867 MB/s 4576 MB/s 4251 MB/s
> > >>>
> > >>> I have narrowed the performance impact down to the overheads introduced by
> > >>> THP in __get_page_tail() and put_compound_page() routines. perf top shows
> > >>>> 40% of cycles being spent in these two routines. Every time direct I/O
> > >>> to hugetlbfs pages starts, kernel calls get_page() to grab a reference to
> > >>> the pages and calls put_page() when I/O completes to put the reference
> > >>> away. THP introduced significant amount of locking overhead to get_page()
> > >>> and put_page() when dealing with compound pages because hugepages can be
> > >>> split underneath get_page() and put_page(). It added this overhead
> > >>> irrespective of whether it is dealing with hugetlbfs pages or transparent
> > >>> hugepages. This resulted in 20%-45% drop in aio performance when using
> > >>> hugetlbfs pages.
> > >>>
> > >>> Since hugetlbfs pages can not be split, there is no reason to go through
> > >>> all the locking overhead for these pages from what I can see. I added
> > >>> code to __get_page_tail() and put_compound_page() to bypass all the
> > >>> locking code when working with hugetlbfs pages. This improved performance
> > >>> significantly. Performance numbers with this patch:
> > >>>
> > >>> pre-THP 3.11-rc5 3.11-rc5 + Patch
> > >>> 1M read 8384 MB/s 6501 MB/s 8371 MB/s
> > >>> 64K read 7867 MB/s 4251 MB/s 6510 MB/s
> > >>>
> > >>> Performance with 64K read is still lower than what it was before THP, but
> > >>> still a 53% improvement. It does mean there is more work to be done but I
> > >>> will take a 53% improvement for now.
> > >>>
> > >>> Please take a look at the following patch and let me know if it looks
> > >>> reasonable.
> > >>>
> > >>> [[email protected]: tweak comments]
> > >>> Signed-off-by: Khalid Aziz <[email protected]>
> > >>> Cc: Pravin B Shelar <[email protected]>
> > >>> Cc: Christoph Lameter <[email protected]>
> > >>> Cc: Andrea Arcangeli <[email protected]>
> > >>> Cc: Johannes Weiner <[email protected]>
> > >>> Cc: Mel Gorman <[email protected]>
> > >>> Cc: Rik van Riel <[email protected]>
> > >>> Cc: Minchan Kim <[email protected]>
> > >>> Cc: Andi Kleen <[email protected]>
> > >>> Signed-off-by: Andrew Morton <[email protected]>
> > >>> Signed-off-by: Linus Torvalds <[email protected]>
> > >>> [ luis: backported to 3.5: adjusted context ]
> > >>> Signed-off-by: Luis Henriques <[email protected]>
> > >> Hi Greg,
> > >>
> > >> I suppose this patch also needed for 3.4, right?
> > >
> > > As it didn't originally apply there, I didn't apply it.
> > >
> > > If people think it should be applicable for 3.4, I'll take it.
> > >
> > > thanks,
> > >
> > > greg k-h
> > >
> >
> > Hi Greg,
> >
> > I did send you a backported version of this patch to apply to 3.0, 3.2
> > and 3.4 last Monday and cc'd [email protected]. That patch should
> > apply cleanly to those three kernels.
>
> Ah, you didn't specifically say that in the patch, so I just thought you
> were reminding me to apply it to the 3.10 and 3.11 trees. Please be
> more explicit in the future.
>
> I'll queue it up for the next round of stable kernels after this one.

And I've lost it, I can't find it in my archives anywhere. Sorry about
that, can you resend it please?

thanks,

greg k-h