[PATCH 3.2 120/152] libata: allow sata_sil24 to opt-out of tag ordered submission
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Dan Williams dan.j.willi...@intel.com commit 72dd299d5039a336493993dcc63413cf31d0e662 upstream. Ronny reports: https://bugzilla.kernel.org/show_bug.cgi?id=87101 Since commit 8a4aeec8d libata/ahci: accommodate tag ordered controllers the access to the harddisk on the first SATA-port is failing on its first access. The access to the harddisk on the second port is working normal. When reverting the above commit, access to both harddisks is working fine again. Maintain tag ordered submission as the default, but allow sata_sil24 to continue with the old behavior. Cc: Tejun Heo t...@kernel.org Reported-by: Ronny Hegewald ronny.hegew...@online.de Signed-off-by: Dan Williams dan.j.willi...@intel.com Signed-off-by: Tejun Heo t...@kernel.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/ata/libata-core.c | 5 - drivers/ata/sata_sil24.c | 2 +- include/linux/libata.h| 1 + 3 files changed, 6 insertions(+), 2 deletions(-) --- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -4730,7 +4730,10 @@ static struct ata_queued_cmd *ata_qc_new return NULL; for (i = 0, tag = ap-last_tag + 1; i max_queue; i++, tag++) { - tag = tag max_queue ? tag : 0; + if (ap-flags ATA_FLAG_LOWTAG) + tag = i; + else + tag = tag max_queue ? tag : 0; /* the last tag is reserved for internal command. */ if (tag == ATA_TAG_INTERNAL) --- a/drivers/ata/sata_sil24.c +++ b/drivers/ata/sata_sil24.c @@ -246,7 +246,7 @@ enum { /* host flags */ SIL24_COMMON_FLAGS = ATA_FLAG_SATA | ATA_FLAG_PIO_DMA | ATA_FLAG_NCQ | ATA_FLAG_ACPI_SATA | - ATA_FLAG_AN | ATA_FLAG_PMP, + ATA_FLAG_AN | ATA_FLAG_PMP | ATA_FLAG_LOWTAG, SIL24_FLAG_PCIX_IRQ_WOC = (1 24), /* IRQ loss errata on PCI-X */ IRQ_STAT_4PORTS = 0xf, --- a/include/linux/libata.h +++ b/include/linux/libata.h @@ -207,6 +207,7 @@ enum { ATA_FLAG_SW_ACTIVITY= (1 22), /* driver supports sw activity * led */ ATA_FLAG_NO_DIPM= (1 23), /* host not happy with DIPM */ + ATA_FLAG_LOWTAG = (1 24), /* host wants lowest available tag */ /* bits 24:31 of ap-flags are reserved for LLD specific flags */ -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 126/152] x86, tls: Interpret an all-zero struct user_desc as no segment
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Andy Lutomirski l...@amacapital.net commit 3669ef9fa7d35f573ec9c0e0341b29251c2734a7 upstream. The Witcher 2 did something like this to allocate a TLS segment index: struct user_desc u_info; bzero(u_info, sizeof(u_info)); u_info.entry_number = (uint32_t)-1; syscall(SYS_set_thread_area, u_info); Strictly speaking, this code was never correct. It should have set read_exec_only and seg_not_present to 1 to indicate that it wanted to find a free slot without putting anything there, or it should have put something sensible in the TLS slot if it wanted to allocate a TLS entry for real. The actual effect of this code was to allocate a bogus segment that could be used to exploit espfix. The set_thread_area hardening patches changed the behavior, causing set_thread_area to return -EINVAL and crashing the game. This changes set_thread_area to interpret this as a request to find a free slot and to leave it empty, which isn't *quite* what the game expects but should be close enough to keep it working. In particular, using the code above to allocate two segments will allocate the same segment both times. According to FrostbittenKing on Github, this fixes The Witcher 2. If this somehow still causes problems, we could instead allocate a limit==0 32-bit data segment, but that seems rather ugly to me. Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix Signed-off-by: Andy Lutomirski l...@amacapital.net Cc: torva...@linux-foundation.org Link: http://lkml.kernel.org/r/0cb251abe1ff0958b8e468a9a9a905b80ae3a746.1421954363.git.l...@amacapital.net Signed-off-by: Thomas Gleixner t...@linutronix.de Signed-off-by: Ben Hutchings b...@decadent.org.uk --- arch/x86/include/asm/desc.h | 13 + arch/x86/kernel/tls.c | 25 +++-- 2 files changed, 36 insertions(+), 2 deletions(-) --- a/arch/x86/include/asm/desc.h +++ b/arch/x86/include/asm/desc.h @@ -259,6 +259,19 @@ static inline void native_load_tls(struc (info)-seg_not_present== 1 \ (info)-useable== 0) +/* Lots of programs expect an all-zero user_desc to mean no segment at all. */ +static inline bool LDT_zero(const struct user_desc *info) +{ + return (info-base_addr == 0 + info-limit == 0 + info-contents == 0 + info-read_exec_only== 0 + info-seg_32bit == 0 + info-limit_in_pages== 0 + info-seg_not_present == 0 + info-useable == 0); +} + static inline void clear_LDT(void) { set_ldt(NULL, 0); --- a/arch/x86/kernel/tls.c +++ b/arch/x86/kernel/tls.c @@ -30,7 +30,28 @@ static int get_free_idx(void) static bool tls_desc_okay(const struct user_desc *info) { - if (LDT_empty(info)) + /* +* For historical reasons (i.e. no one ever documented how any +* of the segmentation APIs work), user programs can and do +* assume that a struct user_desc that's all zeros except for +* entry_number means no segment at all. This never actually +* worked. In fact, up to Linux 3.19, a struct user_desc like +* this would create a 16-bit read-write segment with base and +* limit both equal to zero. +* +* That was close enough to no segment at all until we +* hardened this function to disallow 16-bit TLS segments. Fix +* it up by interpreting these zeroed segments the way that they +* were almost certainly intended to be interpreted. +* +* The correct way to ask for no segment at all is to specify +* a user_desc that satisfies LDT_empty. To keep everything +* working, we accept both. +* +* Note that there's a similar kludge in modify_ldt -- look at +* the distinction between modes 1 and 0x11. +*/ + if (LDT_empty(info) || LDT_zero(info)) return true; /* @@ -72,7 +93,7 @@ static void set_tls_desc(struct task_str cpu = get_cpu(); while (n-- 0) { - if (LDT_empty(info)) + if (LDT_empty(info) || LDT_zero(info)) desc-a = desc-b = 0; else fill_ldt(desc, info); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 110/152] can: dev: fix crtlmode_supported check
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Oliver Hartkopp socket...@hartkopp.net commit 9b1087aa5e86448fe6ad40a58964e35f3ba423d5 upstream. When changing flags in the CAN drivers ctrlmode the provided new content has to be checked whether the bits are allowed to be changed. The bits that are to be changed are given as a bitfield in cm-mask. Therefore checking against cm-flags is wrong as the content can hold any kind of values. The iproute2 tool sets the bits in cm-mask and cm-flags depending on the detected command line options. To be robust against bogus user space applications additionally sanitize the provided flags with the provided mask. Cc: Wolfgang Grandegger w...@grandegger.com Signed-off-by: Oliver Hartkopp socket...@hartkopp.net Signed-off-by: Marc Kleine-Budde m...@pengutronix.de [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/net/can/dev.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/drivers/net/can/dev.c +++ b/drivers/net/can/dev.c @@ -605,10 +605,14 @@ static int can_changelink(struct net_dev if (dev-flags IFF_UP) return -EBUSY; cm = nla_data(data[IFLA_CAN_CTRLMODE]); - if (cm-flags ~priv-ctrlmode_supported) + + /* check whether changed bits are allowed to be modified */ + if (cm-mask ~priv-ctrlmode_supported) return -EOPNOTSUPP; + + /* clear bits to be modified and copy the flag values */ priv-ctrlmode = ~cm-mask; - priv-ctrlmode |= cm-flags; + priv-ctrlmode |= (cm-flags cm-mask); } if (data[IFLA_CAN_BITTIMING]) { -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 130/152] USB: Add OTG PET device to TPL
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Macpaul Lin macp...@gmail.com commit e5dff0e80463cc3fa236e898ef1491b40be70b19 upstream. OTG device shall support this device for allowing compliance automated testing. The modification is derived from Pavankumar and Vijayavardhans' previous work. Signed-off-by: Macpaul Lin macp...@gmail.com Cc: Pavankumar Kondeti pkond...@codeaurora.org Cc: Vijayavardhan Vennapusa vvre...@codeaurora.org Signed-off-by: Greg Kroah-Hartman gre...@linuxfoundation.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/usb/core/otg_whitelist.h | 5 + drivers/usb/core/quirks.c| 4 2 files changed, 9 insertions(+) --- a/drivers/usb/core/otg_whitelist.h +++ b/drivers/usb/core/otg_whitelist.h @@ -59,6 +59,11 @@ static int is_targeted(struct usb_device le16_to_cpu(dev-descriptor.idProduct) == 0xbadd)) return 0; + /* OTG PET device is always targeted (see OTG 2.0 ECN 6.4.2) */ + if ((le16_to_cpu(dev-descriptor.idVendor) == 0x1a0a +le16_to_cpu(dev-descriptor.idProduct) == 0x0200)) + return 1; + /* NOTE: can't use usb_match_id() since interface caches * aren't set up yet. this is cut/paste from that code. */ --- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -168,6 +168,10 @@ static const struct usb_device_id usb_qu { USB_DEVICE(0x0b05, 0x17e0), .driver_info = USB_QUIRK_IGNORE_REMOTE_WAKEUP }, + /* Protocol and OTG Electrical Test Device */ + { USB_DEVICE(0x1a0a, 0x0200), .driver_info = + USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL }, + { } /* terminating entry must be last */ }; -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 134/152] vm: add VM_FAULT_SIGSEGV handling support
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Linus Torvalds torva...@linux-foundation.org commit 33692f27597fcab536d7cbbcc8f52905133e4aa7 upstream. The core VM already knows about VM_FAULT_SIGBUS, but cannot return a you should SIGSEGV error, because the SIGSEGV case was generally handled by the caller - usually the architecture fault handler. That results in lots of duplication - all the architecture fault handlers end up doing very similar look up vma, check permissions, do retries etc - but it generally works. However, there are cases where the VM actually wants to SIGSEGV, and applications _expect_ SIGSEGV. In particular, when accessing the stack guard page, libsigsegv expects a SIGSEGV. And it usually got one, because the stack growth is handled by that duplicated architecture fault handler. However, when the generic VM layer started propagating the error return from the stack expansion in commit fee7e49d4514 (mm: propagate error from stack expansion even for guard page), that now exposed the existing VM_FAULT_SIGBUS result to user space. And user space really expected SIGSEGV, not SIGBUS. To fix that case, we need to add a VM_FAULT_SIGSEGV, and teach all those duplicate architecture fault handlers about it. They all already have the code to handle SIGSEGV, so it's about just tying that new return value to the existing code, but it's all a bit annoying. This is the mindless minimal patch to do this. A more extensive patch would be to try to gather up the mostly shared fault handling logic into one generic helper routine, and long-term we really should do that cleanup. Just from this patch, you can generally see that most architectures just copied (directly or indirectly) the old x86 way of doing things, but in the meantime that original x86 model has been improved to hold the VM semaphore for shorter times etc and to handle VM_FAULT_RETRY and other newer things, so it would be a good idea to bring all those improvements to the generic case and teach other architectures about them too. Reported-and-tested-by: Takashi Iwai ti...@suse.de Tested-by: Jan Engelhardt jeng...@inai.de Acked-by: Heiko Carstens heiko.carst...@de.ibm.com # s390 still compiles and boots Cc: linux-a...@vger.kernel.org Signed-off-by: Linus Torvalds torva...@linux-foundation.org [bwh: Backported to 3.2: - Adjust filenames, context - Drop arc, metag, nios2 and lustre changes - For sh, patch both 32-bit and 64-bit implementations to use goto bad_area - For s390, pass int_code and trans_exc_code as arguments to do_no_context() and do_sigsegv()] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- --- a/arch/alpha/mm/fault.c +++ b/arch/alpha/mm/fault.c @@ -150,6 +150,8 @@ do_page_fault(unsigned long address, uns if (unlikely(fault VM_FAULT_ERROR)) { if (fault VM_FAULT_OOM) goto out_of_memory; + else if (fault VM_FAULT_SIGSEGV) + goto bad_area; else if (fault VM_FAULT_SIGBUS) goto do_sigbus; BUG(); --- a/arch/avr32/mm/fault.c +++ b/arch/avr32/mm/fault.c @@ -136,6 +136,8 @@ good_area: if (unlikely(fault VM_FAULT_ERROR)) { if (fault VM_FAULT_OOM) goto out_of_memory; + else if (fault VM_FAULT_SIGSEGV) + goto bad_area; else if (fault VM_FAULT_SIGBUS) goto do_sigbus; BUG(); --- a/arch/cris/mm/fault.c +++ b/arch/cris/mm/fault.c @@ -166,6 +166,8 @@ do_page_fault(unsigned long address, str if (unlikely(fault VM_FAULT_ERROR)) { if (fault VM_FAULT_OOM) goto out_of_memory; + else if (fault VM_FAULT_SIGSEGV) + goto bad_area; else if (fault VM_FAULT_SIGBUS) goto do_sigbus; BUG(); --- a/arch/frv/mm/fault.c +++ b/arch/frv/mm/fault.c @@ -167,6 +167,8 @@ asmlinkage void do_page_fault(int datamm if (unlikely(fault VM_FAULT_ERROR)) { if (fault VM_FAULT_OOM) goto out_of_memory; + else if (fault VM_FAULT_SIGSEGV) + goto bad_area; else if (fault VM_FAULT_SIGBUS) goto do_sigbus; BUG(); --- a/arch/ia64/mm/fault.c +++ b/arch/ia64/mm/fault.c @@ -163,6 +163,8 @@ ia64_do_page_fault (unsigned long addres */ if (fault VM_FAULT_OOM) { goto out_of_memory; + } else if (fault VM_FAULT_SIGSEGV) { + goto bad_area; } else if (fault VM_FAULT_SIGBUS) { signal = SIGBUS; goto bad_area; --- a/arch/m32r/mm/fault.c +++ b/arch/m32r/mm/fault.c @@ -199,6 +199,8 @@ good_area:
[PATCH 3.2 005/152] writeback: Move I_DIRTY_PAGES handling
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Jan Kara j...@suse.cz commit 6290be1c1dc6589eeda213aa40946b27fa4faac8 upstream. Instead of clearing I_DIRTY_PAGES and resetting it when we didn't succeed in writing them all, just clear the bit only when we succeeded writing all the pages. We also move the clearing of the bit close to other i_state handling to separate it from writeback list handling. This is desirable because list handling will differ for flusher thread and other writeback_single_inode() callers in future. No filesystem plays any tricks with I_DIRTY_PAGES (like checking it in -writepages or -write_inode implementation) so this movement is safe. Signed-off-by: Jan Kara j...@suse.cz Signed-off-by: Fengguang Wu fengguang...@intel.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- fs/fs-writeback.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/fs/fs-writeback.c +++ b/fs/fs-writeback.c @@ -396,7 +396,6 @@ writeback_single_inode(struct inode *ino /* Set I_SYNC, reset I_DIRTY_PAGES */ inode-i_state |= I_SYNC; - inode-i_state = ~I_DIRTY_PAGES; spin_unlock(inode-i_lock); spin_unlock(wb-list_lock); @@ -419,6 +418,9 @@ writeback_single_inode(struct inode *ino * write_inode() */ spin_lock(inode-i_lock); + /* Clear I_DIRTY_PAGES if we've written out all dirty pages */ + if (!mapping_tagged(mapping, PAGECACHE_TAG_DIRTY)) + inode-i_state = ~I_DIRTY_PAGES; dirty = inode-i_state I_DIRTY; inode-i_state = ~(I_DIRTY_SYNC | I_DIRTY_DATASYNC); spin_unlock(inode-i_lock); @@ -447,7 +449,6 @@ writeback_single_inode(struct inode *ino * We didn't write back all the pages. nfs_writepages() * sometimes bales out without doing anything. */ - inode-i_state |= I_DIRTY_PAGES; if (wbc-nr_to_write = 0) { /* * slice used up: queue for next turn -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 117/152] gpio: sysfs: fix gpio attribute-creation race
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Johan Hovold jo...@kernel.org commit ebbeba120ab2ec6ac5f3afc1425ec6ff0b77ad6f upstream. Fix attribute-creation race with userspace by using the default group to create also the contingent gpio device attributes. Fixes: d8f388d8dc8d (gpio: sysfs interface) Signed-off-by: Johan Hovold jo...@kernel.org Signed-off-by: Linus Walleij linus.wall...@linaro.org [bwh: Backported to 3.2: - Adjust filenames, context - Use gpio_to_desc(), not gpiod_to_desc(), in gpio_is_visible() - gpio_is_visible() must return mode_t] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -58,6 +58,7 @@ struct gpio_desc { #define FLAG_TRIG_FALL 5 /* trigger on falling edge */ #define FLAG_TRIG_RISE 6 /* trigger on rising edge */ #define FLAG_ACTIVE_LOW7 /* sysfs value has active low */ +#define FLAG_SYSFS_DIR 10 /* show sysfs direction attribute */ #define ID_SHIFT 16 /* add new flags before this one */ @@ -543,12 +544,45 @@ static ssize_t gpio_active_low_store(str static DEVICE_ATTR(active_low, 0644, gpio_active_low_show, gpio_active_low_store); +static mode_t gpio_is_visible(struct kobject *kobj, struct attribute *attr, + int n) +{ + struct device *dev = container_of(kobj, struct device, kobj); + struct gpio_desc *desc = dev_get_drvdata(dev); + unsigned gpio = desc - gpio_desc; + mode_t mode = attr-mode; + bool show_direction = test_bit(FLAG_SYSFS_DIR, desc-flags); + + if (attr == dev_attr_direction.attr) { + if (!show_direction) + mode = 0; + } else if (attr == dev_attr_edge.attr) { + if (gpio_to_irq(gpio) 0) + mode = 0; + if (!show_direction test_bit(FLAG_IS_OUT, desc-flags)) + mode = 0; + } + + return mode; +} + static struct attribute *gpio_attrs[] = { + dev_attr_direction.attr, + dev_attr_edge.attr, dev_attr_value.attr, dev_attr_active_low.attr, NULL, }; -ATTRIBUTE_GROUPS(gpio); + +static const struct attribute_group gpio_group = { + .attrs = gpio_attrs, + .is_visible = gpio_is_visible, +}; + +static const struct attribute_group *gpio_groups[] = { + gpio_group, + NULL +}; /* * /sys/class/gpio/gpiochipN/ @@ -723,8 +757,11 @@ int gpio_export(unsigned gpio, bool dire return -EPERM; } - if (!desc-chip-direction_input || !desc-chip-direction_output) - direction_may_change = false; + if (desc-chip-direction_input desc-chip-direction_output + direction_may_change) { + set_bit(FLAG_SYSFS_DIR, desc-flags); + } + spin_unlock_irqrestore(gpio_lock, flags); if (desc-chip-names desc-chip-names[gpio - desc-chip-base]) @@ -738,27 +775,10 @@ int gpio_export(unsigned gpio, bool dire goto fail_unlock; } - if (direction_may_change) { - status = device_create_file(dev, dev_attr_direction); - if (status) - goto fail_unregister_device; - } - - if (gpio_to_irq(gpio) = 0 (direction_may_change || - !test_bit(FLAG_IS_OUT, desc-flags))) { - status = device_create_file(dev, dev_attr_edge); - if (status) - goto fail_remove_attr_direction; - } - set_bit(FLAG_EXPORT, desc-flags); mutex_unlock(sysfs_lock); return 0; -fail_remove_attr_direction: - device_remove_file(dev, dev_attr_direction); -fail_unregister_device: - device_unregister(dev); fail_unlock: mutex_unlock(sysfs_lock); pr_debug(%s: gpio%d status %d\n, __func__, gpio, status); @@ -889,6 +909,7 @@ void gpio_unexport(unsigned gpio) dev = class_find_device(gpio_class, NULL, desc, match_export); if (dev) { gpio_setup_irq(desc, dev, 0); + clear_bit(FLAG_SYSFS_DIR, desc-flags); clear_bit(FLAG_EXPORT, desc-flags); } else status = -ENODEV; @@ -896,8 +917,6 @@ void gpio_unexport(unsigned gpio) mutex_unlock(sysfs_lock); if (dev) { - device_remove_file(dev, dev_attr_edge); - device_remove_file(dev, dev_attr_direction); device_unregister(dev); put_device(dev); } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 150/152] netfilter: conntrack: disable generic tracking for known protocols
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Florian Westphal f...@strlen.de commit db29a9508a9246e77087c5531e45b2c88ec6988b upstream. Given following iptables ruleset: -P FORWARD DROP -A FORWARD -m sctp --dport 9 -j ACCEPT -A FORWARD -p tcp --dport 80 -j ACCEPT -A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT One would assume that this allows SCTP on port 9 and TCP on port 80. Unfortunately, if the SCTP conntrack module is not loaded, this allows *all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT, which we think is a security issue. This is because on the first SCTP packet on port 9, we create a dummy generic l4 conntrack entry without any port information (since conntrack doesn't know how to extract this information). All subsequent packets that are unknown will then be in established state since they will fallback to proto_generic and will match the 'generic' entry. Our originally proposed version [1] completely disabled generic protocol tracking, but Jozsef suggests to not track protocols for which a more suitable helper is available, hence we now mitigate the issue for in tree known ct protocol helpers only, so that at least NAT and direction information will still be preserved for others. [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html Joint work with Daniel Borkmann. Signed-off-by: Florian Westphal f...@strlen.de Signed-off-by: Daniel Borkmann dbork...@redhat.com Acked-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- net/netfilter/nf_conntrack_proto_generic.c | 26 +- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c index d25f293..957c1db 100644 --- a/net/netfilter/nf_conntrack_proto_generic.c +++ b/net/netfilter/nf_conntrack_proto_generic.c @@ -14,6 +14,30 @@ static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ; +static bool nf_generic_should_process(u8 proto) +{ + switch (proto) { +#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE + case IPPROTO_SCTP: + return false; +#endif +#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE + case IPPROTO_DCCP: + return false; +#endif +#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE + case IPPROTO_GRE: + return false; +#endif +#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE + case IPPROTO_UDPLITE: + return false; +#endif + default: + return true; + } +} + static bool generic_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff, struct nf_conntrack_tuple *tuple) @@ -56,7 +80,7 @@ static int generic_packet(struct nf_conn *ct, static bool new(struct nf_conn *ct, const struct sk_buff *skb, unsigned int dataoff) { - return true; + return nf_generic_should_process(nf_ct_protonum(ct)); } #ifdef CONFIG_SYSCTL -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 007/152] usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable()
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Kazuya Mizuguchi kazuya.mizuguchi...@renesas.com commit 11432050f070810ba139d0226344eef120c3a559 upstream. This patch fixes an issue that the NULL pointer dereference happens when we uses g_audio driver. Since the g_audio driver will call usb_ep_disable() in afunc_set_alt() before it calls usb_ep_enable(), the uep-pipe of renesas usbhs driver will be NULL. So, this patch adds a condition to avoid the oops. Signed-off-by: Kazuya Mizuguchi kazuya.mizuguchi...@renesas.com Signed-off-by: Takeshi Kihara takeshi.kihara...@renesas.com Signed-off-by: Yoshihiro Shimoda yoshihiro.shimoda...@renesas.com Fixes: 2f98382dc (usb: renesas_usbhs: Add Renesas USBHS Gadget) Signed-off-by: Felipe Balbi ba...@ti.com [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/usb/renesas_usbhs/mod_gadget.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/usb/renesas_usbhs/mod_gadget.c +++ b/drivers/usb/renesas_usbhs/mod_gadget.c @@ -514,6 +514,10 @@ static int usbhsg_ep_enable(struct usb_e static int usbhsg_ep_disable(struct usb_ep *ep) { struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep); + struct usbhs_pipe *pipe = usbhsg_uep_to_pipe(uep); + + if (!pipe) + return -EINVAL; return usbhsg_pipe_disable(uep); } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 139/152] s390/3215: fix tty output containing tabs
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Martin Schwidefsky schwidef...@de.ibm.com commit e512d56c799517f33b301d81e9a5e0ebf30c2d1e upstream. git commit 37f81fa1f63ad38e16125526bb2769ae0ea8d332 n_tty: do O_ONLCR translation as a single write surfaced a bug in the 3215 device driver. In combination this broke tab expansion for tty ouput. The cause is an asymmetry in the behaviour of tty3215_ops-write vs tty3215_ops-put_char. The put_char function scans for '\t' but the write function does not. As the driver has logic for the '\t' expansion remove XTABS from c_oflag of the initial termios as well. Reported-by: Stephen Powell zlinux...@wowway.com Signed-off-by: Martin Schwidefsky schwidef...@de.ibm.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/s390/char/con3215.c | 20 +--- 1 file changed, 17 insertions(+), 3 deletions(-) --- a/drivers/s390/char/con3215.c +++ b/drivers/s390/char/con3215.c @@ -993,12 +993,26 @@ static int tty3215_write(struct tty_stru const unsigned char *buf, int count) { struct raw3215_info *raw; + int i, written; if (!tty) return 0; raw = (struct raw3215_info *) tty-driver_data; - raw3215_write(raw, buf, count); - return count; + written = count; + while (count 0) { + for (i = 0; i count; i++) + if (buf[i] == '\t' || buf[i] == '\n') + break; + raw3215_write(raw, buf, i); + count -= i; + buf += i; + if (count 0) { + raw3215_putchar(raw, *buf); + count--; + buf++; + } + } + return written; } /* @@ -1146,7 +1160,7 @@ static int __init tty3215_init(void) driver-subtype = SYSTEM_TYPE_TTY; driver-init_termios = tty_std_termios; driver-init_termios.c_iflag = IGNBRK | IGNPAR; - driver-init_termios.c_oflag = ONLCR | XTABS; + driver-init_termios.c_oflag = ONLCR; driver-init_termios.c_lflag = ISIG; driver-flags = TTY_DRIVER_REAL_RAW; tty_set_operations(driver, tty3215_ops); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 014/152] drbd: merge_bvec_fn: properly remap bvm-bi_bdev
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Lars Ellenberg lars.ellenb...@linbit.com commit 3b9d35d744bb5139f9fed57f38c019bb8c7d351c upstream. This was not noticed for many years. Affects operation if md raid is used a backing device for DRBD. Signed-off-by: Philipp Reisner philipp.reis...@linbit.com Signed-off-by: Lars Ellenberg lars.ellenb...@linbit.com Signed-off-by: Jens Axboe ax...@fb.com [bwh: Backported to 3.2: s/device/mdev/] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/block/drbd/drbd_req.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/block/drbd/drbd_req.c +++ b/drivers/block/drbd/drbd_req.c @@ -1184,6 +1184,7 @@ int drbd_merge_bvec(struct request_queue struct request_queue * const b = mdev-ldev-backing_bdev-bd_disk-queue; if (b-merge_bvec_fn) { + bvm-bi_bdev = mdev-ldev-backing_bdev; backing_limit = b-merge_bvec_fn(b, bvm, bvec); limit = min(limit, backing_limit); } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 015/152] PCI: Restore detection of read-only BARs
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Myron Stowe myron.st...@redhat.com commit 36e8164882ca6d3c41cb91e6f09a3ed236841f80 upstream. Commit 6ac665c63dca (PCI: rewrite PCI BAR reading code) masked off low-order bits from 'l', but not from 'sz'. Both are passed to pci_size(), which compares 'base == maxbase' to check for read-only BARs. The masking of 'l' means that comparison will never be 'true', so the check for read-only BARs no longer works. Resolve this by also masking off the low-order bits of 'sz' before passing it into pci_size() as 'maxbase'. With this change, pci_size() will once again catch the problems that have been encountered to date: - AGP aperture BAR of AMD-7xx host bridges: if the AGP window is disabled, this BAR is read-only and read as 0x0008 [1] - BARs 0-4 of ALi IDE controllers can be non-zero and read-only [1] - Intel Sandy Bridge - Thermal Management Controller [8086:0103]; BAR 0 returning 0xfed98004 [2] - Intel Xeon E5 v3/Core i7 Power Control Unit [8086:2fc0]; Bar 0 returning 0x1a [3] Link: [1] https://git.kernel.org/cgit/linux/kernel/git/tglx/history.git/commit/drivers/pci/probe.c?id=1307ef6621991f1c4bc3cec1b5a4ebd6fd3d66b9 (PCI: probing read-only BARs (pre-git)) Link: [2] https://bugzilla.kernel.org/show_bug.cgi?id=43331 Link: [3] https://bugzilla.kernel.org/show_bug.cgi?id=85991 Reported-by: William Unruh un...@physics.ubc.ca Reported-by: Martin Lucina mar...@lucina.net Signed-off-by: Myron Stowe myron.st...@redhat.com Signed-off-by: Bjorn Helgaas bhelg...@google.com CC: Matthew Wilcox wi...@linux.intel.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/pci/probe.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -175,14 +175,17 @@ int __pci_read_base(struct pci_dev *dev, res-flags |= IORESOURCE_SIZEALIGN; if (res-flags IORESOURCE_IO) { l = PCI_BASE_ADDRESS_IO_MASK; + sz = PCI_BASE_ADDRESS_IO_MASK; mask = PCI_BASE_ADDRESS_IO_MASK (u32) IO_SPACE_LIMIT; } else { l = PCI_BASE_ADDRESS_MEM_MASK; + sz = PCI_BASE_ADDRESS_MEM_MASK; mask = (u32)PCI_BASE_ADDRESS_MEM_MASK; } } else { res-flags |= (l IORESOURCE_ROM_ENABLE); l = PCI_ROM_ADDRESS_MASK; + sz = PCI_ROM_ADDRESS_MASK; mask = (u32)PCI_ROM_ADDRESS_MASK; } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 018/152] genhd: check for int overflow in disk_expand_part_tbl()
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Jens Axboe ax...@fb.com commit 5fabcb4c33fe11c7e3afdf805fde26c1a54d0953 upstream. We can get here from blkdev_ioctl() - blkpg_ioctl() - add_partition() with a user passed in partno value. If we pass in 0x7fff, the new target in disk_expand_part_tbl() overflows the 'int' and we access beyond the end of ptbl-part[] and even write to it when we do the rcu_assign_pointer() to assign the new partition. Reported-by: David Ramos dara...@stanford.edu Signed-off-by: Jens Axboe ax...@fb.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- block/genhd.c | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) --- a/block/genhd.c +++ b/block/genhd.c @@ -1070,9 +1070,16 @@ int disk_expand_part_tbl(struct gendisk struct disk_part_tbl *old_ptbl = disk-part_tbl; struct disk_part_tbl *new_ptbl; int len = old_ptbl ? old_ptbl-len : 0; - int target = partno + 1; + int i, target; size_t size; - int i; + + /* +* check for int overflow, since we can get here from blkpg_ioctl() +* with a user passed 'partno'. +*/ + target = partno + 1; + if (target 0) + return -EINVAL; /* disk_max_parts() is zero during initialization, ignore if so */ if (disk_max_parts(disk) target disk_max_parts(disk)) -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 146/152] enic: fix rx skb checksum
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Govindarajulu Varadarajan _gov...@gmx.com [ Upstream commit 17e96834fd35997ca7cdfbf15413bcd5a36ad448 ] Hardware always provides compliment of IP pseudo checksum. Stack expects whole packet checksum without pseudo checksum if CHECKSUM_COMPLETE is set. This causes checksum error in nf ovs. kernel: qg-19546f09-f2: hw csum failure kernel: CPU: 9 PID: 0 Comm: swapper/9 Tainted: GF O-- 3.10.0-123.8.1.el7.x86_64 #1 kernel: Hardware name: Cisco Systems Inc UCSB-B200-M3/UCSB-B200-M3, BIOS B200M3.2.2.3.0.080820141339 08/08/2014 kernel: 881218f4 df68243feb35e3a8 881237a43ab8 815e237b kernel: 881237a43ad0 814cd4ca 8829ec71eb00 881237a43af0 kernel: 814c6232 0286 8829ec71eb00 881237a43b00 kernel: Call Trace: kernel: IRQ [815e237b] dump_stack+0x19/0x1b kernel: [814cd4ca] netdev_rx_csum_fault+0x3a/0x40 kernel: [814c6232] __skb_checksum_complete_head+0x62/0x70 kernel: [814c6251] __skb_checksum_complete+0x11/0x20 kernel: [8155a20c] nf_ip_checksum+0xcc/0x100 kernel: [a049edc7] icmp_error+0x1f7/0x35c [nf_conntrack_ipv4] kernel: [814cf419] ? netif_rx+0xb9/0x1d0 kernel: [a040eb7b] ? internal_dev_recv+0xdb/0x130 [openvswitch] kernel: [a04c8330] nf_conntrack_in+0xf0/0xa80 [nf_conntrack] kernel: [81509380] ? inet_del_offload+0x40/0x40 kernel: [a049e302] ipv4_conntrack_in+0x22/0x30 [nf_conntrack_ipv4] kernel: [815005ca] nf_iterate+0xaa/0xc0 kernel: [81509380] ? inet_del_offload+0x40/0x40 kernel: [81500664] nf_hook_slow+0x84/0x140 kernel: [81509380] ? inet_del_offload+0x40/0x40 kernel: [81509dd4] ip_rcv+0x344/0x380 Hardware verifies IP tcp/udp header checksum but does not provide payload checksum, use CHECKSUM_UNNECESSARY. Set it only if its valid IP tcp/udp packet. Cc: Jiri Benc jb...@redhat.com Cc: Stefan Assmann sassm...@redhat.com Reported-by: Sunil Choudhary schou...@redhat.com Signed-off-by: Govindarajulu Varadarajan _gov...@gmx.com Reviewed-by: Jiri Benc jb...@redhat.com Signed-off-by: David S. Miller da...@davemloft.net Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/net/ethernet/cisco/enic/enic_main.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) --- a/drivers/net/ethernet/cisco/enic/enic_main.c +++ b/drivers/net/ethernet/cisco/enic/enic_main.c @@ -1272,10 +1272,14 @@ static void enic_rq_indicate_buf(struct skb_put(skb, bytes_written); skb-protocol = eth_type_trans(skb, netdev); - if ((netdev-features NETIF_F_RXCSUM) !csum_not_calc) { - skb-csum = htons(checksum); - skb-ip_summed = CHECKSUM_COMPLETE; - } + /* Hardware does not provide whole packet checksum. It only +* provides pseudo checksum. Since hw validates the packet +* checksum but not provide us the checksum value. use +* CHECSUM_UNNECESSARY. +*/ + if ((netdev-features NETIF_F_RXCSUM) tcp_udp_csum_ok + ipv4_csum_ok) + skb-ip_summed = CHECKSUM_UNNECESSARY; skb-dev = netdev; -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 017/152] bus: omap_l3_noc: Correct returning IRQ_HANDLED unconditionally in the irq handler
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Keerthy j-keer...@ti.com commit c4cf0935a2d8fe6d186bf4253ea3c4b4a8a8a710 upstream. Correct returning IRQ_HANDLED unconditionally in the irq handler. Return IRQ_NONE for some interrupt which we do not expect to be handled in this handler. This prevents kernel stalling with back to back spurious interrupts. Fixes: 2722e56de6 (OMAP4: l3: Introduce l3-interconnect error handling driver) Acked-by: Nishanth Menon n...@ti.com Signed-off-by: Keerthy j-keer...@ti.com Signed-off-by: Tony Lindgren t...@atomide.com [bwh: Backported to 3.2: adjust filename, indentation] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- --- a/arch/arm/mach-omap2/omap_l3_noc.c +++ b/arch/arm/mach-omap2/omap_l3_noc.c @@ -121,11 +121,15 @@ static irqreturn_t l3_interrupt_handler( /* Nothing to be handled here as of now */ break; } - /* Error found so break the for loop */ - break; + /* Error found so break the for loop */ + return IRQ_HANDLED; } } - return IRQ_HANDLED; + + dev_err(l3-dev, L3 %s IRQ not handled!!\n, + inttype ? debug : application); + + return IRQ_NONE; } static int __devinit omap4_l3_probe(struct platform_device *pdev) -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 001/152] eCryptfs: Force RO mount when encrypted view is enabled
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Tyler Hicks tyhi...@canonical.com commit 332b122d39c9cbff8b799007a825d94b2e7c12f2 upstream. The ecryptfs_encrypted_view mount option greatly changes the functionality of an eCryptfs mount. Instead of encrypting and decrypting lower files, it provides a unified view of the encrypted files in the lower filesystem. The presence of the ecryptfs_encrypted_view mount option is intended to force a read-only mount and modifying files is not supported when the feature is in use. See the following commit for more information: e77a56d [PATCH] eCryptfs: Encrypted passthrough This patch forces the mount to be read-only when the ecryptfs_encrypted_view mount option is specified by setting the MS_RDONLY flag on the superblock. Additionally, this patch removes some broken logic in ecryptfs_open() that attempted to prevent modifications of files when the encrypted view feature was in use. The check in ecryptfs_open() was not sufficient to prevent file modifications using system calls that do not operate on a file descriptor. Signed-off-by: Tyler Hicks tyhi...@canonical.com Reported-by: Priya Bansal p.ban...@samsung.com [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- fs/ecryptfs/file.c | 12 fs/ecryptfs/main.c | 16 +--- 2 files changed, 13 insertions(+), 15 deletions(-) --- a/fs/ecryptfs/file.c +++ b/fs/ecryptfs/file.c @@ -196,24 +196,12 @@ static int ecryptfs_open(struct inode *i { int rc = 0; struct ecryptfs_crypt_stat *crypt_stat = NULL; - struct ecryptfs_mount_crypt_stat *mount_crypt_stat; struct dentry *ecryptfs_dentry = file-f_path.dentry; /* Private value of ecryptfs_dentry allocated in * ecryptfs_lookup() */ struct dentry *lower_dentry; struct ecryptfs_file_info *file_info; - mount_crypt_stat = ecryptfs_superblock_to_private( - ecryptfs_dentry-d_sb)-mount_crypt_stat; - if ((mount_crypt_stat-flags ECRYPTFS_ENCRYPTED_VIEW_ENABLED) -((file-f_flags O_WRONLY) || (file-f_flags O_RDWR) - || (file-f_flags O_CREAT) || (file-f_flags O_TRUNC) - || (file-f_flags O_APPEND))) { - printk(KERN_WARNING Mount has encrypted view enabled; - files may only be read\n); - rc = -EPERM; - goto out; - } /* Released in ecryptfs_release or end of function if failure */ file_info = kmem_cache_zalloc(ecryptfs_file_info_cache, GFP_KERNEL); ecryptfs_set_file_private(file, file_info); --- a/fs/ecryptfs/main.c +++ b/fs/ecryptfs/main.c @@ -494,6 +494,7 @@ static struct dentry *ecryptfs_mount(str { struct super_block *s; struct ecryptfs_sb_info *sbi; + struct ecryptfs_mount_crypt_stat *mount_crypt_stat; struct ecryptfs_dentry_info *root_info; const char *err = Getting sb failed; struct inode *inode; @@ -512,6 +513,7 @@ static struct dentry *ecryptfs_mount(str err = Error parsing options; goto out; } + mount_crypt_stat = sbi-mount_crypt_stat; s = sget(fs_type, NULL, set_anon_super, NULL); if (IS_ERR(s)) { @@ -557,11 +559,19 @@ static struct dentry *ecryptfs_mount(str /** * Set the POSIX ACL flag based on whether they're enabled in the lower -* mount. Force a read-only eCryptfs mount if the lower mount is ro. -* Allow a ro eCryptfs mount even when the lower mount is rw. +* mount. */ s-s_flags = flags ~MS_POSIXACL; - s-s_flags |= path.dentry-d_sb-s_flags (MS_RDONLY | MS_POSIXACL); + s-s_flags |= path.dentry-d_sb-s_flags MS_POSIXACL; + + /** +* Force a read-only eCryptfs mount when: +* 1) The lower mount is ro +* 2) The ecryptfs_encrypted_view mount option is specified +*/ + if (path.dentry-d_sb-s_flags MS_RDONLY || + mount_crypt_stat-flags ECRYPTFS_ENCRYPTED_VIEW_ENABLED) + s-s_flags |= MS_RDONLY; s-s_maxbytes = path.dentry-d_sb-s_maxbytes; s-s_blocksize = path.dentry-d_sb-s_blocksize; -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 013/152] driver core: Fix unbalanced device reference in drivers_probe
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Alex Williamson alex.william...@redhat.com commit 0372ffb35d00288802265586a29c117911d02fb8 upstream. bus_find_device_by_name() acquires a device reference which is never released. This results in an object leak, which on older kernels results in failure to release all resources of PCI devices. libvirt uses drivers_probe to re-attach devices to the host after assignment and is therefore a common trigger for this leak. Example: # cd /sys/bus/pci/ # dmesg -C # echo 1 devices/\:01\:00.0/sriov_numvfs # echo 0 devices/\:01\:00.0/sriov_numvfs # dmesg | grep 01:10 pci :01:10.0: [8086:10ca] type 00 class 0x02 kobject: ':01:10.0' (8801d79cd0a8): kobject_add_internal: parent: ':00:01.0', set: 'devices' kobject: ':01:10.0' (8801d79cd0a8): kobject_uevent_env kobject: ':01:10.0' (8801d79cd0a8): fill_kobj_path: path = '/devices/pci:00/:00:01.0/:01:10.0' kobject: ':01:10.0' (8801d79cd0a8): kobject_uevent_env kobject: ':01:10.0' (8801d79cd0a8): fill_kobj_path: path = '/devices/pci:00/:00:01.0/:01:10.0' kobject: ':01:10.0' (8801d79cd0a8): kobject_uevent_env kobject: ':01:10.0' (8801d79cd0a8): fill_kobj_path: path = '/devices/pci:00/:00:01.0/:01:10.0' kobject: ':01:10.0' (8801d79cd0a8): kobject_cleanup, parent (null) kobject: ':01:10.0' (8801d79cd0a8): calling ktype release kobject: ':01:10.0': free name [kobject freed as expected] # dmesg -C # echo 1 devices/\:01\:00.0/sriov_numvfs # echo :01:10.0 drivers_probe # echo 0 devices/\:01\:00.0/sriov_numvfs # dmesg | grep 01:10 pci :01:10.0: [8086:10ca] type 00 class 0x02 kobject: ':01:10.0' (8801d79ce0a8): kobject_add_internal: parent: ':00:01.0', set: 'devices' kobject: ':01:10.0' (8801d79ce0a8): kobject_uevent_env kobject: ':01:10.0' (8801d79ce0a8): fill_kobj_path: path = '/devices/pci:00/:00:01.0/:01:10.0' kobject: ':01:10.0' (8801d79ce0a8): kobject_uevent_env kobject: ':01:10.0' (8801d79ce0a8): fill_kobj_path: path = '/devices/pci:00/:00:01.0/:01:10.0' kobject: ':01:10.0' (8801d79ce0a8): kobject_uevent_env kobject: ':01:10.0' (8801d79ce0a8): fill_kobj_path: path = '/devices/pci:00/:00:01.0/:01:10.0' [no free] Signed-off-by: Alex Williamson alex.william...@redhat.com Signed-off-by: Greg Kroah-Hartman gre...@linuxfoundation.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/base/bus.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/drivers/base/bus.c +++ b/drivers/base/bus.c @@ -240,13 +240,15 @@ static ssize_t store_drivers_probe(struc const char *buf, size_t count) { struct device *dev; + int err = -EINVAL; dev = bus_find_device_by_name(bus, NULL, buf); if (!dev) return -ENODEV; - if (bus_rescan_devices_helper(dev, NULL) != 0) - return -EINVAL; - return count; + if (bus_rescan_devices_helper(dev, NULL) == 0) + err = count; + put_device(dev); + return err; } #endif -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 012/152] UBI: Fix invalid vfree()
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Richard Weinberger rich...@nod.at commit f38aed975c0c3645bbdfc5ebe35726e64caaf588 upstream. The logic of vfree()'ing vol-upd_buf is tied to vol-updating. In ubi_start_update() vol-updating is set long before vmalloc()'ing vol-upd_buf. If we encounter a write failure in ubi_start_update() before vmalloc() the UBI device release function will try to vfree() vol-upd_buf because vol-updating is set. Fix this by allocating vol-upd_buf directly after setting vol-updating. Fixes: [ 31.559338] UBI warning: vol_cdev_release: update of volume 2 not finished, volume is damaged [ 31.559340] [ cut here ] [ 31.559343] WARNING: CPU: 1 PID: 2747 at mm/vmalloc.c:1446 __vunmap+0xe3/0x110() [ 31.559344] Trying to vfree() nonexistent vm area (c90001f2b000) [ 31.559345] Modules linked in: [ 31.565620] 0bba 88002a0cbdb0 818f0497 88003b9ba148 [ 31.566347] 88002a0cbde0 8156f515 88003b9ba148 0bba [ 31.567073] 88002a0cbe88 8156c10a [ 31.567793] Call Trace: [ 31.568034] [818f0497] dump_stack+0x4e/0x7a [ 31.568510] [8156f515] ubi_io_write_vid_hdr+0x155/0x160 [ 31.569084] [8156c10a] ubi_eba_write_leb+0x23a/0x870 [ 31.569628] [81569b36] vol_cdev_write+0x226/0x380 [ 31.570155] [81179265] vfs_write+0xb5/0x1f0 [ 31.570627] [81179f8a] SyS_pwrite64+0x6a/0xa0 [ 31.571123] [818fde12] system_call_fastpath+0x16/0x1b Signed-off-by: Richard Weinberger rich...@nod.at Signed-off-by: Artem Bityutskiy artem.bityuts...@linux.intel.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/mtd/ubi/upd.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) --- a/drivers/mtd/ubi/upd.c +++ b/drivers/mtd/ubi/upd.c @@ -135,6 +135,10 @@ int ubi_start_update(struct ubi_device * ubi_assert(!vol-updating !vol-changing_leb); vol-updating = 1; + vol-upd_buf = vmalloc(ubi-leb_size); + if (!vol-upd_buf) + return -ENOMEM; + err = set_update_marker(ubi, vol); if (err) return err; @@ -154,14 +158,12 @@ int ubi_start_update(struct ubi_device * err = clear_update_marker(ubi, vol, 0); if (err) return err; + + vfree(vol-upd_buf); vol-updating = 0; return 0; } - vol-upd_buf = vmalloc(ubi-leb_size); - if (!vol-upd_buf) - return -ENOMEM; - vol-upd_ebs = div_u64(bytes + vol-usable_leb_size - 1, vol-usable_leb_size); vol-upd_bytes = bytes; -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 003/152] [media] sound: Update au0828 quirks table
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Mauro Carvalho Chehab mche...@osg.samsung.com commit 678fa12fb8e75c6dc1e781a02e3ddbbba7e1a904 upstream. The au0828 quirks table is currently not in sync with the au0828 media driver. Syncronize it and put them on the same order as found at au0828 driver, as all the au0828 devices with analog TV need the same quirks. Signed-off-by: Mauro Carvalho Chehab mche...@osg.samsung.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- sound/usb/quirks-table.h | 10 +- 1 file changed, 9 insertions(+), 1 deletion(-) --- a/sound/usb/quirks-table.h +++ b/sound/usb/quirks-table.h @@ -2563,14 +2563,22 @@ YAMAHA_DEVICE(0x7010, UB99), } AU0828_DEVICE(0x2040, 0x7200, Hauppauge, HVR-950Q), +AU0828_DEVICE(0x2040, 0x7240, Hauppauge, HVR-850), AU0828_DEVICE(0x2040, 0x7210, Hauppauge, HVR-950Q), AU0828_DEVICE(0x2040, 0x7217, Hauppauge, HVR-950Q), AU0828_DEVICE(0x2040, 0x721b, Hauppauge, HVR-950Q), AU0828_DEVICE(0x2040, 0x721e, Hauppauge, HVR-950Q), AU0828_DEVICE(0x2040, 0x721f, Hauppauge, HVR-950Q), -AU0828_DEVICE(0x2040, 0x7240, Hauppauge, HVR-850), AU0828_DEVICE(0x2040, 0x7280, Hauppauge, HVR-950Q), AU0828_DEVICE(0x0fd9, 0x0008, Hauppauge, HVR-950Q), +AU0828_DEVICE(0x2040, 0x7201, Hauppauge, HVR-950Q-MXL), +AU0828_DEVICE(0x2040, 0x7211, Hauppauge, HVR-950Q-MXL), +AU0828_DEVICE(0x2040, 0x7281, Hauppauge, HVR-950Q-MXL), +AU0828_DEVICE(0x05e1, 0x0480, Hauppauge, Woodbury), +AU0828_DEVICE(0x2040, 0x8200, Hauppauge, Woodbury), +AU0828_DEVICE(0x2040, 0x7260, Hauppauge, HVR-950Q), +AU0828_DEVICE(0x2040, 0x7213, Hauppauge, HVR-950Q), +AU0828_DEVICE(0x2040, 0x7270, Hauppauge, HVR-950Q), /* Digidesign Mbox */ { -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 010/152] ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Daniel Borkmann dbork...@redhat.com commit 4c672e4b42bc8046d63a6eb0a2c6a450a501af32 upstream. It has been reported that generating an MLD listener report on devices with large MTUs (e.g. 9000) and a high number of IPv6 addresses can trigger a skb_over_panic(): skbuff: skb_over_panic: text:80612a5d len:3776 put:20 head:88046d751000 data:88046d751010 tail:0xed0 end:0xec0 dev:port1 [ cut here ] kernel BUG at net/core/skbuff.c:100! invalid opcode: [#1] SMP Modules linked in: ixgbe(O) CPU: 3 PID: 0 Comm: swapper/3 Tainted: G O 3.14.23+ #4 [...] Call Trace: IRQ [80578226] ? skb_put+0x3a/0x3b [80612a5d] ? add_grhead+0x45/0x8e [80612e3a] ? add_grec+0x394/0x3d4 [80613222] ? mld_ifc_timer_expire+0x195/0x20d [8061308d] ? mld_dad_timer_expire+0x45/0x45 [80255b5d] ? call_timer_fn.isra.29+0x12/0x68 [80255d16] ? run_timer_softirq+0x163/0x182 [80250e6f] ? __do_softirq+0xe0/0x21d [8025112b] ? irq_exit+0x4e/0xd3 [802214bb] ? smp_apic_timer_interrupt+0x3b/0x46 [8063f10a] ? apic_timer_interrupt+0x6a/0x70 mld_newpack() skb allocations are usually requested with dev-mtu in size, since commit 72e09ad107e7 (ipv6: avoid high order allocations) we have changed the limit in order to be less likely to fail. However, in MLD/IGMP code, we have some rather ugly AVAILABLE(skb) macros, which determine if we may end up doing an skb_put() for adding another record. To avoid possible fragmentation, we check the skb's tailroom as skb-dev-mtu - skb-len, which is a wrong assumption as the actual max allocation size can be much smaller. The IGMP case doesn't have this issue as commit 57e1ab6eaddc (igmp: refine skb allocations) stores the allocation size in the cb[]. Set a reserved_tailroom to make it fit into the MTU and use skb_availroom() helper instead. This also allows to get rid of igmp_skb_size(). Reported-by: Wei Liu lw1a2.j...@gmail.com Fixes: 72e09ad107e7 (ipv6: avoid high order allocations) Signed-off-by: Daniel Borkmann dbork...@redhat.com Cc: Eric Dumazet eduma...@google.com Cc: Hannes Frederic Sowa han...@stressinduktion.org Cc: David L Stevens david.stev...@oracle.com Acked-by: Eric Dumazet eduma...@google.com Acked-by: Hannes Frederic Sowa han...@stressinduktion.org Signed-off-by: David S. Miller da...@davemloft.net [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- net/ipv4/igmp.c | 11 +-- net/ipv6/mcast.c | 9 + 2 files changed, 10 insertions(+), 10 deletions(-) --- a/net/ipv4/igmp.c +++ b/net/ipv4/igmp.c @@ -294,9 +294,7 @@ igmp_scount(struct ip_mc_list *pmc, int return scount; } -#define igmp_skb_size(skb) (*(unsigned int *)((skb)-cb)) - -static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size) +static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu) { struct sk_buff *skb; struct rtable *rt; @@ -306,6 +304,7 @@ static struct sk_buff *igmpv3_newpack(st struct flowi4 fl4; int hlen = LL_RESERVED_SPACE(dev); int tlen = dev-needed_tailroom; + unsigned int size = mtu; while (1) { skb = alloc_skb(size + hlen + tlen, @@ -316,7 +315,6 @@ static struct sk_buff *igmpv3_newpack(st if (size 256) return NULL; } - igmp_skb_size(skb) = size; rt = ip_route_output_ports(net, fl4, NULL, IGMPV3_ALL_MCR, 0, 0, 0, @@ -329,6 +327,8 @@ static struct sk_buff *igmpv3_newpack(st skb_dst_set(skb, rt-dst); skb-dev = dev; + skb-reserved_tailroom = skb_end_offset(skb) - +min(mtu, skb_end_offset(skb)); skb_reserve(skb, hlen); skb_reset_network_header(skb); @@ -398,8 +398,7 @@ static struct sk_buff *add_grhead(struct return skb; } -#define AVAILABLE(skb) ((skb) ? ((skb)-dev ? igmp_skb_size(skb) - (skb)-len : \ - skb_tailroom(skb)) : 0) +#define AVAILABLE(skb) ((skb) ? skb_availroom(skb) : 0) static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc, int type, int gdeleted, int sdeleted) --- a/net/ipv6/mcast.c +++ b/net/ipv6/mcast.c @@ -1334,7 +1334,7 @@ mld_scount(struct ifmcaddr6 *pmc, int ty return scount; } -static struct sk_buff *mld_newpack(struct inet6_dev *idev, int size) +static struct sk_buff *mld_newpack(struct inet6_dev *idev, unsigned int mtu) { struct net_device *dev = idev-dev; struct net *net = dev_net(dev); @@ -1345,13 +1345,13 @@ static struct sk_buff *mld_newpack(struc const struct in6_addr *saddr; int hlen = LL_RESERVED_SPACE(dev); int tlen = dev-needed_tailroom; + unsigned int size = mtu + hlen + tlen; int err;
[PATCH 3.2 148/152] vfs: Fix vfsmount_lock imbalance in path_init()
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Ben Hutchings b...@decadent.org.uk When backporting commit 4023bfc9f351 (be careful with nd-inode in path_init() and follow_dotdot_rcu()), I failed to account for the vfsmount_lock that is used in 3.2 but not upstream. path_init() takes the lock if performing RCU lookup, but must drop it if (and only if) it subsequently fails. Reported-by: n...@vault24.org References: https://bugzilla.kernel.org/show_bug.cgi?id=92531 Signed-off-by: Ben Hutchings b...@decadent.org.uk Tested-by: n...@vault24.org --- --- a/fs/namei.c +++ b/fs/namei.c @@ -1567,6 +1567,7 @@ static int path_init(int dfd, const char if (!(nd-flags LOOKUP_ROOT)) nd-root.mnt = NULL; rcu_read_unlock(); + br_read_unlock(vfsmount_lock); return -ECHILD; fput_fail: -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 142/152] KEYS: close race between key lookup and freeing
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Sasha Levin sasha.le...@oracle.com commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream. When a key is being garbage collected, it's key-user would get put before the -destroy() callback is called, where the key is removed from it's respective tracking structures. This leaves a key hanging in a semi-invalid state which leaves a window open for a different task to try an access key-user. An example is find_keyring_by_name() which would dereference key-user for a key that is in the process of being garbage collected (where key-user was freed but -destroy() wasn't called yet - so it's still present in the linked list). This would cause either a panic, or corrupt memory. Fixes CVE-2014-9529. Signed-off-by: Sasha Levin sasha.le...@oracle.com Signed-off-by: David Howells dhowe...@redhat.com [bwh: Backported to 3.2: adjust indentation] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- security/keys/gc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/security/keys/gc.c +++ b/security/keys/gc.c @@ -186,12 +186,12 @@ static noinline void key_gc_unused_key(s if (test_bit(KEY_FLAG_INSTANTIATED, key-flags)) atomic_dec(key-user-nikeys); - key_user_put(key-user); - /* now throw away the key memory */ if (key-type-destroy) key-type-destroy(key); + key_user_put(key-user); + kfree(key-description); #ifdef KEY_DEBUGGING -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] mm, hugetlb: set PageLRU for in-use/active hugepages
Currently we are not safe from concurrent calls of isolate_huge_page(), which can make the victim hugepage in invalid state and results in BUG_ON(). The root problem of this is that we don't have any information on struct page (so easily accessible) about the hugepage's activeness. Note that hugepages' activeness means just being linked to hstate-hugepage_activelist, which is not the same as normal pages' activeness represented by PageActive flag. Normal pages are isolated by isolate_lru_page() which prechecks PageLRU before isolation, so let's do similarly for hugetlb. PageLRU is unused on hugetlb, so this change is mostly straightforward. One non-straightforward point is that __put_compound_page() calls __page_cache_release() to do some LRU works, but this is obviously for thps and assumes that hugetlb has always !PageLRU. This assumption is no more true, so this patch simply adds if (!PageHuge) to avoid calling __page_cache_release() for hugetlb. Set/ClearPageLRU should be called within hugetlb_lock, but hugetlb_cow() and hugetlb_no_page() don't do this. This is justified because in these function SetPageLRU is called right after the hugepage is allocated and no other thread tries to isolate it. Fixes: commit 31caf665e666 (mm: migrate: make core migration code aware of hugepage) Signed-off-by: Naoya Horiguchi n-horigu...@ah.jp.nec.com Cc: sta...@vger.kernel.org[3.12+] --- mm/hugetlb.c | 17 ++--- mm/swap.c| 4 +++- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git v3.19_with_hugemigration_fixes.orig/mm/hugetlb.c v3.19_with_hugemigration_fixes/mm/hugetlb.c index a2bfd02e289f..e28489270d9a 100644 --- v3.19_with_hugemigration_fixes.orig/mm/hugetlb.c +++ v3.19_with_hugemigration_fixes/mm/hugetlb.c @@ -830,7 +830,7 @@ static void update_and_free_page(struct hstate *h, struct page *page) page[i].flags = ~(1 PG_locked | 1 PG_error | 1 PG_referenced | 1 PG_dirty | 1 PG_active | 1 PG_private | - 1 PG_writeback); + 1 PG_writeback | 1 PG_lru); } VM_BUG_ON_PAGE(hugetlb_cgroup_from_page(page), page); set_compound_page_dtor(page, NULL); @@ -875,6 +875,7 @@ void free_huge_page(struct page *page) ClearPagePrivate(page); spin_lock(hugetlb_lock); + ClearPageLRU(page); hugetlb_cgroup_uncharge_page(hstate_index(h), pages_per_huge_page(h), page); if (restore_reserve) @@ -2889,6 +2890,7 @@ static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma, copy_user_huge_page(new_page, old_page, address, vma, pages_per_huge_page(h)); __SetPageUptodate(new_page); + SetPageLRU(new_page); mmun_start = address huge_page_mask(h); mmun_end = mmun_start + huge_page_size(h); @@ -3001,6 +3003,7 @@ static int hugetlb_no_page(struct mm_struct *mm, struct vm_area_struct *vma, } clear_huge_page(page, address, pages_per_huge_page(h)); __SetPageUptodate(page); + SetPageLRU(page); if (vma-vm_flags VM_MAYSHARE) { int err; @@ -3794,6 +3797,7 @@ int dequeue_hwpoisoned_huge_page(struct page *hpage) * so let it point to itself with list_del_init(). */ list_del_init(hpage-lru); + ClearPageLRU(hpage); set_page_refcounted(hpage); h-free_huge_pages--; h-free_huge_pages_node[nid]--; @@ -3806,11 +3810,17 @@ int dequeue_hwpoisoned_huge_page(struct page *hpage) bool isolate_huge_page(struct page *page, struct list_head *list) { + bool ret = true; + VM_BUG_ON_PAGE(!PageHead(page), page); - if (!get_page_unless_zero(page)) - return false; spin_lock(hugetlb_lock); + if (!PageLRU(page) || !get_page_unless_zero(page)) { + ret = false; + goto unlock; + } + ClearPageLRU(page); list_move_tail(page-lru, list); +unlock: spin_unlock(hugetlb_lock); return true; } @@ -3819,6 +3829,7 @@ void putback_active_hugepage(struct page *page) { VM_BUG_ON_PAGE(!PageHead(page), page); spin_lock(hugetlb_lock); + SetPageLRU(page); list_move_tail(page-lru, (page_hstate(page))-hugepage_activelist); spin_unlock(hugetlb_lock); put_page(page); diff --git v3.19_with_hugemigration_fixes.orig/mm/swap.c v3.19_with_hugemigration_fixes/mm/swap.c index 8a12b33936b4..ea8fe72999a8 100644 --- v3.19_with_hugemigration_fixes.orig/mm/swap.c +++ v3.19_with_hugemigration_fixes/mm/swap.c @@ -31,6 +31,7 @@ #include linux/memcontrol.h #include linux/gfp.h #include linux/uio.h +#include linux/hugetlb.h #include internal.h @@ -75,7 +76,8 @@ static void
Re: [PATCH v2] usb: move definition of PCI_VENDOR_ID_SYNOPSYS to linux/pci_ids.h
On Mon, Feb 16, 2015 at 07:32:46PM -0700, Joseph Kogut wrote: Removed FIXME from usb/dwc3/dwc3-pci.c by moving definition of PCI_VENDOR_ID_SYNOPSYS shared with usb/dwc2 to linux/pci_ids.h. Signed-off-by: Joseph Kogut joseph.ko...@gmail.com --- drivers/usb/dwc2/pci.c | 1 - drivers/usb/dwc3/dwc3-pci.c | 2 -- include/linux/pci_ids.h | 2 ++ 3 files changed, 2 insertions(+), 3 deletions(-) Felipe will take this through his tree when it opens back up again in a few weeks. thanks, greg k-h -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 100/152] usb: gadget: udc: atmel: fix possible IN hang issue
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Bo Shen voice.s...@atmel.com commit 6785a1034461c2d2c205215f63a50a740896e55b upstream. When receive data, the RXRDY in status register set by hardware after a new packet has been stored in the endpoint FIFO. When it is copied from FIFO, this bit is cleared which make the FIFO can be accessed again. In the receive_data() function, this bit RXRDY has been cleared. So, after the receive_data() function return, this bit should not be cleared again, or else it may cause the accessing FIFO corrupt, which will make the data loss. Fixes: 914a3f3b3754 (USB: add atmel_usba_udc driver) Acked-by: Nicolas Ferre nicolas.fe...@atmel.com Signed-off-by: Bo Shen voice.s...@atmel.com Signed-off-by: Felipe Balbi ba...@ti.com [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/usb/gadget/atmel_usba_udc.c | 1 - 1 file changed, 1 deletion(-) --- a/drivers/usb/gadget/atmel_usba_udc.c +++ b/drivers/usb/gadget/atmel_usba_udc.c @@ -1597,7 +1597,6 @@ static void usba_ep_irq(struct usba_udc if ((epstatus epctrl) USBA_RX_BK_RDY) { DBG(DBG_BUS, %s: RX data ready\n, ep-ep.name); receive_data(ep); - usba_ep_writel(ep, CLR_STA, USBA_RX_BK_RDY); } } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 062/152] ceph: introduce global empty snap context
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Yan, Zheng z...@redhat.com commit 97c85a828f36bbfffe9d77b977b65a5872b6cad4 upstream. Current snaphost code does not properly handle moving inode from one empty snap realm to another empty snap realm. After changing inode's snap realm, some dirty pages' snap context can be not equal to inode's i_head_snap. This can trigger BUG() in ceph_put_wrbuffer_cap_refs() The fix is introduce a global empty snap context for all empty snap realm. This avoids triggering the BUG() for filesystem with no snapshot. Fixes: http://tracker.ceph.com/issues/9928 Signed-off-by: Yan, Zheng z...@redhat.com Reviewed-by: Ilya Dryomov idryo...@redhat.com [bwh: Backported to 3.2: - Adjust context - As we don't have ceph_create_snap_context(), open-code it in ceph_snap_init()] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- --- a/fs/ceph/snap.c +++ b/fs/ceph/snap.c @@ -288,6 +288,9 @@ static int cmpu64_rev(const void *a, con return 0; } + +static struct ceph_snap_context *empty_snapc; + /* * build the snap context for a given realm. */ @@ -329,6 +332,12 @@ static int build_snap_context(struct cep return 0; } + if (num == 0 realm-seq == empty_snapc-seq) { + ceph_get_snap_context(empty_snapc); + snapc = empty_snapc; + goto done; + } + /* alloc new snap context */ err = -ENOMEM; if (num (SIZE_MAX - sizeof(*snapc)) / sizeof(u64)) @@ -364,6 +373,7 @@ static int build_snap_context(struct cep dout(build_snap_context %llx %p: %p seq %lld (%d snaps)\n, realm-ino, realm, snapc, snapc-seq, snapc-num_snaps); +done: if (realm-cached_context) ceph_put_snap_context(realm-cached_context); realm-cached_context = snapc; @@ -465,6 +475,9 @@ void ceph_queue_cap_snap(struct ceph_ino cap_snap. lucky us. */ dout(queue_cap_snap %p already pending\n, inode); kfree(capsnap); + } else if (ci-i_snap_realm-cached_context == empty_snapc) { + dout(queue_cap_snap %p empty snapc\n, inode); + kfree(capsnap); } else if (dirty (CEPH_CAP_AUTH_EXCL|CEPH_CAP_XATTR_EXCL| CEPH_CAP_FILE_EXCL|CEPH_CAP_FILE_WR)) { struct ceph_snap_context *snapc = ci-i_head_snapc; @@ -927,5 +940,17 @@ out: return; } +int __init ceph_snap_init(void) +{ + empty_snapc = kzalloc(sizeof(struct ceph_snap_context), GFP_NOFS); + if (!empty_snapc) + return -ENOMEM; + atomic_set(empty_snapc-nref, 1); + empty_snapc-seq = 1; + return 0; +} - +void ceph_snap_exit(void) +{ + ceph_put_snap_context(empty_snapc); +} --- a/fs/ceph/super.c +++ b/fs/ceph/super.c @@ -911,14 +911,20 @@ static int __init init_ceph(void) if (ret) goto out; - ret = register_filesystem(ceph_fs_type); + ret = ceph_snap_init(); if (ret) goto out_icache; + ret = register_filesystem(ceph_fs_type); + if (ret) + goto out_snap; + pr_info(loaded (mds proto %d)\n, CEPH_MDSC_PROTOCOL); return 0; +out_snap: + ceph_snap_exit(); out_icache: destroy_caches(); out: @@ -929,6 +935,7 @@ static void __exit exit_ceph(void) { dout(exit_ceph\n); unregister_filesystem(ceph_fs_type); + ceph_snap_exit(); destroy_caches(); } --- a/fs/ceph/super.h +++ b/fs/ceph/super.h @@ -677,6 +677,8 @@ extern void ceph_queue_cap_snap(struct c extern int __ceph_finish_cap_snap(struct ceph_inode_info *ci, struct ceph_cap_snap *capsnap); extern void ceph_cleanup_empty_realms(struct ceph_mds_client *mdsc); +extern int ceph_snap_init(void); +extern void ceph_snap_exit(void); /* * a cap_snap is pending if it is still awaiting an in-progress -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 067/152] udf: Verify i_size when loading inode
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Jan Kara j...@suse.cz commit e159332b9af4b04d882dbcfe1bb0117f0a6d4b58 upstream. Verify that inode size is sane when loading inode with data stored in ICB. Otherwise we may get confused later when working with the inode and inode size is too big. Reported-by: Carl Henrik Lunde chlu...@ping.uio.no Signed-off-by: Jan Kara j...@suse.cz [bwh: Backported to 3.2: on error, call make_bad_inode() then return] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- fs/udf/inode.c | 14 ++ 1 file changed, 14 insertions(+) --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -1403,6 +1403,24 @@ static void udf_fill_inode(struct inode iinfo-i_lenEAttr; } + /* Sanity checks for files in ICB so that we don't get confused later */ + if (iinfo-i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { + /* +* For file in ICB data is stored in allocation descriptor +* so sizes should match +*/ + if (iinfo-i_lenAlloc != inode-i_size) { + make_bad_inode(inode); + return; + } + /* File in ICB has to fit in there... */ + if (inode-i_size inode-i_sb-s_blocksize - + udf_file_entry_alloc_offset(inode)) { + make_bad_inode(inode); + return; + } + } + switch (fe-icbTag.fileType) { case ICBTAG_FILE_TYPE_DIRECTORY: inode-i_op = udf_dir_inode_operations; -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 073/152] crypto: af_alg - fix backlog handling
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Rabin Vincent rabin.vinc...@axis.com commit 7e77bdebff5cb1e9876c561f69710b9ab8fa1f7e upstream. If a request is backlogged, it's complete() handler will get called twice: once with -EINPROGRESS, and once with the final error code. af_alg's complete handler, unlike other users, does not handle the -EINPROGRESS but instead always completes the completion that recvmsg() is waiting on. This can lead to a return to user space while the request is still pending in the driver. If userspace closes the sockets before the requests are handled by the driver, this will lead to use-after-frees (and potential crashes) in the kernel due to the tfm having been freed. The crashes can be easily reproduced (for example) by reducing the max queue length in cryptod.c and running the following (from http://www.chronox.de/libkcapi.html) on AES-NI capable hardware: $ while true; do kcapi -x 1 -e -c '__ecb-aes-aesni' \ -k \ -p /dev/null done Signed-off-by: Rabin Vincent rabin.vinc...@axis.com Signed-off-by: Herbert Xu herb...@gondor.apana.org.au Signed-off-by: Ben Hutchings b...@decadent.org.uk --- crypto/af_alg.c | 3 +++ 1 file changed, 3 insertions(+) --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -449,6 +449,9 @@ void af_alg_complete(struct crypto_async { struct af_alg_completion *completion = req-data; + if (err == -EINPROGRESS) + return; + completion-err = err; complete(completion-completion); } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 084/152] virtio_pci: document why we defer kfree
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Michael S. Tsirkin m...@redhat.com commit a1eb03f546d651a8f39c7d0692b1f7f5b4e7e3cd upstream. The reason we defer kfree until release function is because it's a general rule for kobjects: kfree of the reference counter itself is only legal in the release function. Previous patch didn't make this clear, document this in code. Signed-off-by: Michael S. Tsirkin m...@redhat.com [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/virtio/virtio_pci.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/virtio/virtio_pci.c +++ b/drivers/virtio/virtio_pci.c @@ -615,6 +615,9 @@ static void virtio_pci_release_dev(struc struct virtio_device *vdev = dev_to_virtio(_d); struct virtio_pci_device *vp_dev = to_vp_device(vdev); + /* As struct device is a kobject, it's not safe to +* free the memory (including the reference counter itself) +* until it's release callback. */ kfree(vp_dev); } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 090/152] time: adjtimex: Validate the ADJ_FREQUENCY values
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Sasha Levin sasha.le...@oracle.com commit 5e5aeb4367b450a28f447f6d5ab57d8f2ab16a5f upstream. Verify that the frequency value from userspace is valid and makes sense. Unverified values can cause overflows later on. Cc: Thomas Gleixner t...@linutronix.de Cc: Ingo Molnar mi...@kernel.org Signed-off-by: Sasha Levin sasha.le...@oracle.com [jstultz: Fix up bug for negative values and drop redunent cap check] Signed-off-by: John Stultz john.stu...@linaro.org [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- kernel/time/ntp.c | 7 +++ 1 file changed, 7 insertions(+) --- a/kernel/time/ntp.c +++ b/kernel/time/ntp.c @@ -608,6 +608,13 @@ int do_adjtimex(struct timex *txc) return -EINVAL; } + if (txc-modes ADJ_FREQUENCY) { + if (LONG_MIN / PPM_SCALE txc-freq) + return -EINVAL; + if (LONG_MAX / PPM_SCALE txc-freq) + return -EINVAL; + } + if (txc-modes ADJ_SETOFFSET) { struct timespec delta; delta.tv_sec = txc-time.tv_sec; -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 069/152] udf: Treat symlink component of type 2 as /
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Jan Kara j...@suse.cz commit fef2e9f3301934773e4f1b3cc5c7bffb119346b8 upstream. Currently, we ignore symlink component of type 2. But mkisofs and other OS' seem to treat it as / so do the same for compatibility. Reported-by: Gábor S. otnacc...@hotmail.com Signed-off-by: Jan Kara j...@suse.cz Signed-off-by: Ben Hutchings b...@decadent.org.uk --- fs/udf/symlink.c | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) --- a/fs/udf/symlink.c +++ b/fs/udf/symlink.c @@ -41,10 +41,16 @@ static void udf_pc_to_char(struct super_ pc = (struct pathComponent *)(from + elen); switch (pc-componentType) { case 1: - if (pc-lengthComponentIdent == 0) { - p = to; - *p++ = '/'; - } + /* +* Symlink points to some place which should be agreed +* upon between originator and receiver of the media. Ignore. +*/ + if (pc-lengthComponentIdent 0) + break; + /* Fall through */ + case 2: + p = to; + *p++ = '/'; break; case 3: memcpy(p, ../, 3); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 057/152] genirq: Prevent proc race against freeing of irq descriptors
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Thomas Gleixner t...@linutronix.de commit c291ee622165cb2c8d4e7af63fffd499354a23be upstream. Since the rework of the sparse interrupt code to actually free the unused interrupt descriptors there exists a race between the /proc interfaces to the irq subsystem and the code which frees the interrupt descriptor. CPU0CPU1 show_interrupts() desc = irq_to_desc(X); free_desc(desc) remove_from_radix_tree(); kfree(desc); raw_spinlock_irq(desc-lock); /proc/interrupts is the only interface which can actively corrupt kernel memory via the lock access. /proc/stat can only read from freed memory. Extremly hard to trigger, but possible. The interfaces in /proc/irq/N/ are not affected by this because the removal of the proc file is serialized in procfs against concurrent readers/writers. The removal happens before the descriptor is freed. For architectures which have CONFIG_SPARSE_IRQ=n this is a non issue as the descriptor is never freed. It's merely cleared out with the irq descriptor lock held. So any concurrent proc access will either see the old correct value or the cleared out ones. Protect the lookup and access to the irq descriptor in show_interrupts() with the sparse_irq_lock. Provide kstat_irqs_usr() which is protecting the lookup and access with sparse_irq_lock and switch /proc/stat to use it. Document the existing kstat_irqs interfaces so it's clear that the caller needs to take care about protection. The users of these interfaces are either not affected due to SPARSE_IRQ=n or already protected against removal. Fixes: 1f5a5b87f78f genirq: Implement a sane sparse_irq allocator Signed-off-by: Thomas Gleixner t...@linutronix.de [bwh: Backported to 3.2: - Adjust context - Handle the CONFIG_GENERIC_HARDIRQS=n case] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- --- a/fs/proc/stat.c +++ b/fs/proc/stat.c @@ -141,7 +141,7 @@ static int show_stat(struct seq_file *p, /* sum again ? it could be updated? */ for_each_irq_nr(j) - seq_printf(p, %u, kstat_irqs(j)); + seq_printf(p, %u, kstat_irqs_usr(j)); seq_printf(p, \nctxt %llu\n --- a/include/linux/kernel_stat.h +++ b/include/linux/kernel_stat.h @@ -96,8 +96,13 @@ static inline unsigned int kstat_irqs(un return sum; } +static inline unsigned int kstat_irqs_usr(unsigned int irq) +{ + return kstat_irqs(irq); +} #else extern unsigned int kstat_irqs(unsigned int irq); +extern unsigned int kstat_irqs_usr(unsigned int irq); #endif /* --- a/kernel/irq/internals.h +++ b/kernel/irq/internals.h @@ -76,6 +76,13 @@ extern void irq_percpu_disable(struct ir extern void mask_irq(struct irq_desc *desc); extern void unmask_irq(struct irq_desc *desc); +#ifdef CONFIG_SPARSE_IRQ +extern void irq_lock_sparse(void); +extern void irq_unlock_sparse(void); +#else +static inline void irq_lock_sparse(void) { } +static inline void irq_unlock_sparse(void) { } +#endif extern void init_kstat_irqs(struct irq_desc *desc, int node, int nr); irqreturn_t handle_irq_event_percpu(struct irq_desc *desc, struct irqaction *action); --- a/kernel/irq/irqdesc.c +++ b/kernel/irq/irqdesc.c @@ -130,6 +130,16 @@ static void free_masks(struct irq_desc * static inline void free_masks(struct irq_desc *desc) { } #endif +void irq_lock_sparse(void) +{ + mutex_lock(sparse_irq_lock); +} + +void irq_unlock_sparse(void) +{ + mutex_unlock(sparse_irq_lock); +} + static struct irq_desc *alloc_desc(int irq, int node, struct module *owner) { struct irq_desc *desc; @@ -166,6 +176,12 @@ static void free_desc(unsigned int irq) unregister_irq_proc(irq, desc); + /* +* sparse_irq_lock protects also show_interrupts() and +* kstat_irq_usr(). Once we deleted the descriptor from the +* sparse tree we can free it. Access in proc will fail to +* lookup the descriptor. +*/ mutex_lock(sparse_irq_lock); delete_irq_desc(irq); mutex_unlock(sparse_irq_lock); @@ -487,6 +503,15 @@ void dynamic_irq_cleanup(unsigned int ir raw_spin_unlock_irqrestore(desc-lock, flags); } +/** + * kstat_irqs_cpu - Get the statistics for an interrupt on a cpu + * @irq: The interrupt number + * @cpu: The cpu number + * + * Returns the sum of interrupt counts on @cpu since boot for + * @irq. The caller must ensure that the interrupt is not removed + * concurrently. + */ unsigned int kstat_irqs_cpu(unsigned int irq, int cpu) { struct irq_desc *desc = irq_to_desc(irq); @@ -495,6 +520,14 @@ unsigned int kstat_irqs_cpu(unsigned int *per_cpu_ptr(desc-kstat_irqs, cpu) : 0; } +/** + * kstat_irqs - Get the statistics for an interrupt + * @irq: The interrupt
[PATCH 3.2 044/152] ath9k_hw: fix hardware queue allocation
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Felix Fietkau n...@openwrt.org commit ad8fdccf9c197a89e2d2fa78c453283dcc2c343f upstream. The driver passes the desired hardware queue index for a WMM data queue in qinfo-tqi_subtype. This was ignored in ath9k_hw_setuptxqueue, which instead relied on the order in which the function is called. Reported-by: Hubert Feurstein h.feurst...@gmail.com Signed-off-by: Felix Fietkau n...@openwrt.org Signed-off-by: John W. Linville linvi...@tuxdriver.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/net/wireless/ath/ath9k/mac.c | 9 + 1 file changed, 1 insertion(+), 8 deletions(-) --- a/drivers/net/wireless/ath/ath9k/mac.c +++ b/drivers/net/wireless/ath/ath9k/mac.c @@ -311,14 +311,7 @@ int ath9k_hw_setuptxqueue(struct ath_hw q = ATH9K_NUM_TX_QUEUES - 3; break; case ATH9K_TX_QUEUE_DATA: - for (q = 0; q ATH9K_NUM_TX_QUEUES; q++) - if (ah-txq[q].tqi_type == - ATH9K_TX_QUEUE_INACTIVE) - break; - if (q == ATH9K_NUM_TX_QUEUES) { - ath_err(common, No available TX queue\n); - return -1; - } + q = qinfo-tqi_subtype; break; default: ath_err(common, Invalid TX queue type: %u\n, type); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 026/152] Bluetooth: Add support for Toshiba Bluetooth device [0930:0220]
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Marco Piazza mpia...@gmail.com commit bd0976dd3379e790b031cef7f477c58b82a65fc2 upstream. This patch adds support for new Toshiba Bluetooth device. T: Bus=05 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 4 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0930 ProdID=0220 Rev=00.02 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Signed-off-by: Marco Piazza mpia...@gmail.com Signed-off-by: Gustavo Padovan gustavo.pado...@collabora.co.uk Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/bluetooth/ath3k.c | 2 ++ drivers/bluetooth/btusb.c | 1 + 2 files changed, 3 insertions(+) --- a/drivers/bluetooth/ath3k.c +++ b/drivers/bluetooth/ath3k.c @@ -88,6 +88,7 @@ static struct usb_device_id ath3k_table[ { USB_DEVICE(0x0CF3, 0xE004) }, { USB_DEVICE(0x0CF3, 0xE005) }, { USB_DEVICE(0x0930, 0x0219) }, + { USB_DEVICE(0x0930, 0x0220) }, { USB_DEVICE(0x0489, 0xe057) }, { USB_DEVICE(0x13d3, 0x3393) }, { USB_DEVICE(0x0489, 0xe04e) }, @@ -133,6 +134,7 @@ static struct usb_device_id ath3k_blist_ { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 }, --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -162,6 +162,7 @@ static struct usb_device_id blacklist_ta { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 }, -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 091/152] Input: i8042 - reset keyboard to fix Elantech touchpad detection
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Srihari Vijayaraghavan linux.bug.report...@gmail.com commit 148e9a711e034e06310a8c36b64957934ebe30f2 upstream. On some laptops, keyboard needs to be reset in order to successfully detect touchpad (e.g., some Gigabyte laptop models with Elantech touchpads). Without resettin keyboard touchpad pretends to be completely dead. Based on the original patch by Mateusz Jończyk this version has been expanded to include DMI based detection application of the fix automatically on the affected models of laptops. This has been confirmed to fix problem by three users already on three different models of laptops. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=81331 Signed-off-by: Srihari Vijayaraghavan linux.bug.report...@gmail.com Acked-by: Mateusz Jończyk mat.jonc...@o2.pl Tested-by: Srihari Vijayaraghavan linux.bug.report...@gmail.com Tested by: Zakariya Dehlawi zdehl...@gmail.com Tested-by: Guillaum Bouchard guillaum.bouch...@gmail.com Signed-off-by: Dmitry Torokhov dmitry.torok...@gmail.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- Documentation/kernel-parameters.txt | 1 + drivers/input/serio/i8042-x86ia64io.h | 32 drivers/input/serio/i8042.c | 14 ++ 3 files changed, 47 insertions(+) --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -940,6 +940,7 @@ bytes respectively. Such letter suffixes i8042.notimeout [HW] Ignore timeout condition signalled by conroller i8042.reset [HW] Reset the controller during init and cleanup i8042.unlock[HW] Unlock (ignore) the keylock + i8042.kbdreset [HW] Reset device connected to KBD port i810= [HW,DRM] --- a/drivers/input/serio/i8042-x86ia64io.h +++ b/drivers/input/serio/i8042-x86ia64io.h @@ -714,6 +714,35 @@ static const struct dmi_system_id __init { } }; +/* + * Some laptops need keyboard reset before probing for the trackpad to get + * it detected, initialised finally work. + */ +static const struct dmi_system_id __initconst i8042_dmi_kbdreset_table[] = { + { + /* Gigabyte P35 v2 - Elantech touchpad */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, GIGABYTE), + DMI_MATCH(DMI_PRODUCT_NAME, P35V2), + }, + }, + { + /* Aorus branded Gigabyte X3 Plus - Elantech touchpad */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, GIGABYTE), + DMI_MATCH(DMI_PRODUCT_NAME, X3), + }, + }, + { + /* Gigabyte P34 - Elantech touchpad */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, GIGABYTE), + DMI_MATCH(DMI_PRODUCT_NAME, P34), + }, + }, + { } +}; + #endif /* CONFIG_X86 */ #ifdef CONFIG_PNP @@ -992,6 +1021,9 @@ static int __init i8042_platform_init(vo if (dmi_check_system(i8042_dmi_dritek_table)) i8042_dritek = true; + if (dmi_check_system(i8042_dmi_kbdreset_table)) + i8042_kbdreset = true; + /* * A20 was already enabled during early kernel init. But some buggy * BIOSes (in MSI Laptops) require A20 to be enabled using 8042 to --- a/drivers/input/serio/i8042.c +++ b/drivers/input/serio/i8042.c @@ -67,6 +67,10 @@ static bool i8042_notimeout; module_param_named(notimeout, i8042_notimeout, bool, 0); MODULE_PARM_DESC(notimeout, Ignore timeouts signalled by i8042); +static bool i8042_kbdreset; +module_param_named(kbdreset, i8042_kbdreset, bool, 0); +MODULE_PARM_DESC(kbdreset, Reset device connected to KBD port); + #ifdef CONFIG_X86 static bool i8042_dritek; module_param_named(dritek, i8042_dritek, bool, 0); @@ -783,6 +787,16 @@ static int __init i8042_check_aux(void) return -1; /* + * Reset keyboard (needed on some laptops to successfully detect + * touchpad, e.g., some Gigabyte laptop models with Elantech + * touchpads). + */ + if (i8042_kbdreset) { + pr_warn(Attempting to reset device connected to KBD port\n); + i8042_kbd_write(NULL, (unsigned char) 0xff); + } + +/* * Test AUX IRQ delivery to make sure BIOS did not grab the IRQ and * used it for a PCI card or somethig else. */ -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 045/152] ath9k: fix BE/BK queue order
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Felix Fietkau n...@openwrt.org commit 78063d81d353e10cbdd279c490593113b8fdae1c upstream. Hardware queues are ordered by priority. Use queue index 0 for BK, which has lower priority than BE. Signed-off-by: Felix Fietkau n...@openwrt.org Signed-off-by: John W. Linville linvi...@tuxdriver.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/net/wireless/ath/ath9k/hw.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/net/wireless/ath/ath9k/hw.h +++ b/drivers/net/wireless/ath/ath9k/hw.h @@ -174,8 +174,8 @@ #define PAPRD_IDEAL_AGC2_PWR_RANGE 0xe0 enum ath_hw_txq_subtype { - ATH_TXQ_AC_BE = 0, - ATH_TXQ_AC_BK = 1, + ATH_TXQ_AC_BK = 0, + ATH_TXQ_AC_BE = 1, ATH_TXQ_AC_VI = 2, ATH_TXQ_AC_VO = 3, }; -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 043/152] dm space map metadata: fix sm_bootstrap_get_nr_blocks()
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Dan Carpenter dan.carpen...@oracle.com commit c1c6156fe4d4577444b769d7edd5dd503e57bbc9 upstream. This function isn't right and it causes a static checker warning: drivers/md/dm-thin.c:3016 maybe_resize_data_dev() error: potentially using uninitialized 'sb_data_size'. It should set *count and return zero on success the same as the sm_metadata_get_nr_blocks() function does earlier. Fixes: 3241b1d3e0aa ('dm: add persistent data library') Signed-off-by: Dan Carpenter dan.carpen...@oracle.com Acked-by: Joe Thornber e...@redhat.com Signed-off-by: Mike Snitzer snit...@redhat.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/md/persistent-data/dm-space-map-metadata.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/md/persistent-data/dm-space-map-metadata.c +++ b/drivers/md/persistent-data/dm-space-map-metadata.c @@ -419,7 +419,9 @@ static int sm_bootstrap_get_nr_blocks(st { struct sm_metadata *smm = container_of(sm, struct sm_metadata, sm); - return smm-ll.nr_blocks; + *count = smm-ll.nr_blocks; + + return 0; } static int sm_bootstrap_get_nr_free(struct dm_space_map *sm, dm_block_t *count) -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 022/152] serial: samsung: wait for transfer completion before clock disable
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Robert Baldyga r.bald...@samsung.com commit 1ff383a4c3eda8893ec61b02831826e1b1f46b41 upstream. This patch adds waiting until transmit buffer and shifter will be empty before clock disabling. Without this fix it's possible to have clock disabled while data was not transmited yet, which causes unproper state of TX line and problems in following data transfers. Signed-off-by: Robert Baldyga r.bald...@samsung.com Signed-off-by: Greg Kroah-Hartman gre...@linuxfoundation.org [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/tty/serial/samsung.c | 4 1 file changed, 4 insertions(+) --- a/drivers/tty/serial/samsung.c +++ b/drivers/tty/serial/samsung.c @@ -519,11 +519,15 @@ static void s3c24xx_serial_pm(struct uar unsigned int old) { struct s3c24xx_uart_port *ourport = to_ourport(port); + int timeout = 1; ourport-pm_level = level; switch (level) { case 3: + while (--timeout !s3c24xx_serial_txempty_nofifo(port)) + udelay(100); + if (!IS_ERR(ourport-baudclk) ourport-baudclk != NULL) clk_disable(ourport-baudclk); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] usb: move definition of PCI_VENDOR_ID_SYNOPSYS to linux/pci_ids.h
On Mon, Feb 16, 2015 at 07:16:36PM -0700, Joseph Kogut wrote: On Mon, 2015-02-16 at 17:57 -0800, Greg KH wrote: On Mon, Feb 16, 2015 at 06:45:53PM -0700, Joseph Kogut wrote: Signed-off-by: Joseph Kogut joseph.ko...@gmail.com You need a changelog description here please. Should I reply inline, or is resending the patch okay? Do a 'v2' version of the patch, we can't apply inline changes :) thanks, greg k-h -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 028/152] Bluetooth: Add firmware update for Atheros 0cf3:311f
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Oliver Neukum oli...@neukum.org commit 1e56f1eb2bbeab0ddc3a1e536d2a0065cfe4c131 upstream. The device is not functional without firmware. The device without firmware: T: Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#= 3 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0cf3 ProdID=311f Rev=00.01 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb The device with firmware: T: Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#= 4 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0cf3 ProdID=3007 Rev=00.01 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Signed-off-by: Oliver Neukum oneu...@suse.de Signed-off-by: Marcel Holtmann mar...@holtmann.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/bluetooth/ath3k.c | 2 ++ drivers/bluetooth/btusb.c | 1 + 2 files changed, 3 insertions(+) --- a/drivers/bluetooth/ath3k.c +++ b/drivers/bluetooth/ath3k.c @@ -77,6 +77,7 @@ static struct usb_device_id ath3k_table[ { USB_DEVICE(0x0CF3, 0x3008) }, { USB_DEVICE(0x0CF3, 0x311D) }, { USB_DEVICE(0x0CF3, 0x311E) }, + { USB_DEVICE(0x0CF3, 0x311F) }, { USB_DEVICE(0x0CF3, 0x817a) }, { USB_DEVICE(0x13d3, 0x3375) }, { USB_DEVICE(0x04CA, 0x3004) }, @@ -124,6 +125,7 @@ static struct usb_device_id ath3k_blist_ { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0cf3, 0x311E), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x311F), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -151,6 +151,7 @@ static struct usb_device_id blacklist_ta { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 081/152] spi: dw-mid: fix FIFO size
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Andy Shevchenko andriy.shevche...@linux.intel.com commit 67bf9cda4b498b8cea4a40be67a470afe57d2e88 upstream. The FIFO size is 40 accordingly to the specifications, but this means 0x40, i.e. 64 bytes. This patch fixes the typo and enables FIFO size autodetection for Intel MID devices. Fixes: 7063c0d942a1 (spi/dw_spi: add DMA support) Signed-off-by: Andy Shevchenko andriy.shevche...@linux.intel.com Signed-off-by: Mark Brown broo...@kernel.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/spi/spi-dw-mid.c | 1 - 1 file changed, 1 deletion(-) --- a/drivers/spi/spi-dw-mid.c +++ b/drivers/spi/spi-dw-mid.c @@ -219,7 +219,6 @@ int dw_spi_mid_init(struct dw_spi *dws) iounmap(clk_reg); dws-num_cs = 16; - dws-fifo_len = 40; /* FIFO has 40 words buffer */ #ifdef CONFIG_SPI_DW_MID_DMA dws-dma_priv = kzalloc(sizeof(struct mid_dma), GFP_KERNEL); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 088/152] sata_dwc_460ex: fix resource leak on error path
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Andy Shevchenko andriy.shevche...@linux.intel.com commit 4aaa71873ddb9faf4b0c4826579e2f6d18ff9ab4 upstream. DMA mapped IO should be unmapped on the error path in probe() and unconditionally on remove(). Fixes: 62936009f35a ([libata] Add 460EX on-chip SATA driver, sata_dwc_460ex) Signed-off-by: Andy Shevchenko andriy.shevche...@linux.intel.com Signed-off-by: Tejun Heo t...@kernel.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/ata/sata_dwc_460ex.c | 26 -- 1 file changed, 12 insertions(+), 14 deletions(-) --- a/drivers/ata/sata_dwc_460ex.c +++ b/drivers/ata/sata_dwc_460ex.c @@ -791,7 +791,7 @@ static int dma_dwc_init(struct sata_dwc_ if (err) { dev_err(host_pvt.dwc_dev, %s: dma_request_interrupts returns %d\n, __func__, err); - goto error_out; + return err; } /* Enabe DMA */ @@ -802,11 +802,6 @@ static int dma_dwc_init(struct sata_dwc_ sata_dma_regs); return 0; - -error_out: - dma_dwc_exit(hsdev); - - return err; } static int sata_dwc_scr_read(struct ata_link *link, unsigned int scr, u32 *val) @@ -1634,7 +1629,7 @@ static int sata_dwc_probe(struct platfor char *ver = (char *)versionr; u8 *base = NULL; int err = 0; - int irq, rc; + int irq; struct ata_host *host; struct ata_port_info pi = sata_dwc_port_info[0]; const struct ata_port_info *ppi[] = { pi, NULL }; @@ -1688,7 +1683,7 @@ static int sata_dwc_probe(struct platfor if (irq == NO_IRQ) { dev_err(ofdev-dev, no SATA DMA irq\n); err = -ENODEV; - goto error_out; + goto error_iomap; } /* Get physical SATA DMA register base address */ @@ -1697,14 +1692,16 @@ static int sata_dwc_probe(struct platfor dev_err(ofdev-dev, ioremap failed for AHBDMA register address\n); err = -ENODEV; - goto error_out; + goto error_iomap; } /* Save dev for later use in dev_xxx() routines */ host_pvt.dwc_dev = ofdev-dev; /* Initialize AHB DMAC */ - dma_dwc_init(hsdev, irq); + err = dma_dwc_init(hsdev, irq); + if (err) + goto error_dma_iomap; /* Enable SATA Interrupts */ sata_dwc_enable_interrupts(hsdev); @@ -1722,9 +1719,8 @@ static int sata_dwc_probe(struct platfor * device discovery process, invoking our port_start() handler * error_handler() to execute a dummy Softreset EH session */ - rc = ata_host_activate(host, irq, sata_dwc_isr, 0, sata_dwc_sht); - - if (rc != 0) + err = ata_host_activate(host, irq, sata_dwc_isr, 0, sata_dwc_sht); + if (err) dev_err(ofdev-dev, failed to activate host); dev_set_drvdata(ofdev-dev, host); @@ -1733,7 +1729,8 @@ static int sata_dwc_probe(struct platfor error_out: /* Free SATA DMA resources */ dma_dwc_exit(hsdev); - +error_dma_iomap: + iounmap((void __iomem *)host_pvt.sata_dma_regs); error_iomap: iounmap(base); error_kmalloc: @@ -1754,6 +1751,7 @@ static int sata_dwc_remove(struct platfo /* Free SATA DMA resources */ dma_dwc_exit(hsdev); + iounmap((void __iomem *)host_pvt.sata_dma_regs); iounmap(hsdev-reg_base); kfree(hsdev); kfree(host); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 103/152] mm: Don't count the stack guard page towards RLIMIT_STACK
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Linus Torvalds torva...@linux-foundation.org commit 690eac53daff34169a4d74fc7bfbd388c4896abb upstream. Commit fee7e49d4514 (mm: propagate error from stack expansion even for guard page) made sure that we return the error properly for stack growth conditions. It also theorized that counting the guard page towards the stack limit might break something, but also said Let's see if anybody notices. Somebody did notice. Apparently android-x86 sets the stack limit very close to the limit indeed, and including the guard page in the rlimit check causes the android 'zygote' process problems. So this adds the (fairly trivial) code to make the stack rlimit check be against the actual real stack size, rather than the size of the vma that includes the guard page. Reported-and-tested-by: Chih-Wei Huang cwhu...@android-x86.org Cc: Jay Foad jay.f...@gmail.com Signed-off-by: Linus Torvalds torva...@linux-foundation.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- mm/mmap.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1648,14 +1648,17 @@ static int acct_stack_growth(struct vm_a { struct mm_struct *mm = vma-vm_mm; struct rlimit *rlim = current-signal-rlim; - unsigned long new_start; + unsigned long new_start, actual_size; /* address space limit tests */ if (!may_expand_vm(mm, grow)) return -ENOMEM; /* Stack limit test */ - if (size ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) + actual_size = size; + if (size (vma-vm_flags (VM_GROWSUP | VM_GROWSDOWN))) + actual_size -= PAGE_SIZE; + if (actual_size ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur)) return -ENOMEM; /* mlock limit tests */ -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 128/152] usb-storage/SCSI: blacklist FUA on JMicron 152d:2566 USB-SATA controller
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Dmitry Nezhevenko d...@dion.org.ua commit bf5c4136fa5ce471bdbf4cf59a813e32755fd014 upstream. It looks like FUA support is broken on JMicron 152d:2566 bridge: [223159.885704] sd 7:0:0:0: [sdc] Write Protect is off [223159.885706] sd 7:0:0:0: [sdc] Mode Sense: 47 00 10 08 [223159.885942] sd 7:0:0:0: [sdc] Write cache: enabled, read cache: enabled, supports DPO and FUA [223283.691677] sd 7:0:0:0: [sdc] [223283.691680] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE [223283.691681] sd 7:0:0:0: [sdc] [223283.691682] Sense Key : Illegal Request [current] [223283.691684] sd 7:0:0:0: [sdc] [223283.691685] Add. Sense: Invalid field in cdb [223283.691686] sd 7:0:0:0: [sdc] CDB: [223283.691687] Write(10): 2a 08 15 d0 83 0d 00 00 01 00 [223283.691690] blk_update_request: critical target error, dev sdc, sector 2927892584 This patch adds blacklist flag so that sd will not use FUA Signed-off-by: Dmitry Nezhevenko d...@dion.org.ua Cc: Phil Dibowitz p...@ipom.com Cc: Alan Stern st...@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman gre...@linuxfoundation.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/usb/storage/unusual_devs.h | 7 +++ 1 file changed, 7 insertions(+) --- a/drivers/usb/storage/unusual_devs.h +++ b/drivers/usb/storage/unusual_devs.h @@ -1956,6 +1956,13 @@ UNUSUAL_DEV( 0x152d, 0x2329, 0x0100, 0x USB_SC_DEVICE, USB_PR_DEVICE, NULL, US_FL_IGNORE_RESIDUE | US_FL_SANE_SENSE ), +/* Reported by Dmitry Nezhevenko d...@dion.org.ua */ +UNUSUAL_DEV( 0x152d, 0x2566, 0x0114, 0x0114, + JMicron, + USB to ATA/ATAPI Bridge, + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_BROKEN_FUA ), + /* Entrega Technologies U1-SC25 (later Xircom PortGear PGSCSI) * and Mac USB Dock USB-SCSI */ UNUSUAL_DEV( 0x1645, 0x0007, 0x0100, 0x0133, -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 104/152] mm: fix corner case in anon_vma endless growing prevention
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Konstantin Khlebnikov koc...@gmail.com commit b800c91a0517071156e772d4fb329ad33590da62 upstream. Fix for BUG_ON(anon_vma-degree) splashes in unlink_anon_vmas() (kernel BUG at mm/rmap.c:399!) caused by commit 7a3ef208e662 (mm: prevent endless growth of anon_vma hierarchy) Anon_vma_clone() is usually called for a copy of source vma in destination argument. If source vma has anon_vma it should be already in dst-anon_vma. NULL in dst-anon_vma is used as a sign that it's called from anon_vma_fork(). In this case anon_vma_clone() finds anon_vma for reusing. Vma_adjust() calls it differently and this breaks anon_vma reusing logic: anon_vma_clone() links vma to old anon_vma and updates degree counters but vma_adjust() overrides vma-anon_vma right after that. As a result final unlink_anon_vmas() decrements degree for wrong anon_vma. This patch assigns -anon_vma before calling anon_vma_clone(). Signed-off-by: Konstantin Khlebnikov koc...@gmail.com Reported-and-tested-by: Chris Clayton chris2...@googlemail.com Reported-and-tested-by: Oded Gabbay oded.gab...@amd.com Reported-and-tested-by: Chih-Wei Huang cwhu...@android-x86.org Acked-by: Rik van Riel r...@redhat.com Acked-by: Vlastimil Babka vba...@suse.cz Cc: Daniel Forrest dan.forr...@ssec.wisc.edu Cc: Michal Hocko mho...@suse.cz Signed-off-by: Linus Torvalds torva...@linux-foundation.org [bwh: Backported to 3.2: vma_adjust() didn't use a variable to propagate the error code from anon_vma_clone(); change that at the same time] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- --- a/mm/mmap.c +++ b/mm/mmap.c @@ -537,9 +537,14 @@ again: remove_next = 1 + (end next- * shrinking vma had, to cover any anon pages imported. */ if (exporter exporter-anon_vma !importer-anon_vma) { - if (anon_vma_clone(importer, exporter)) - return -ENOMEM; + int error; + importer-anon_vma = exporter-anon_vma; + error = anon_vma_clone(importer, exporter); + if (error) { + importer-anon_vma = NULL; + return error; + } } } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 115/152] Fix circular locking dependency (3.3-rc2)
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Ming Lei tom.leim...@gmail.com commit 864533ceb6db336dead389577c102a8b792a121a upstream. Hi, On Wed, Feb 8, 2012 at 8:41 PM, Felipe Balbi ba...@ti.com wrote: Hi guys, I have just triggered the folllowing: [ Â 84.860321] == [ Â 84.860321] [ INFO: possible circular locking dependency detected ] [ Â 84.860321] 3.3.0-rc2-00026-ge4e8a39 #474 Not tainted [ Â 84.860321] --- [ Â 84.860321] bash/949 is trying to acquire lock: [ Â 84.860321] Â (sysfs_lock){+.+.+.}, at: [c0275358] gpio_value_store+0x24/0xcc [ Â 84.860321] [ Â 84.860321] but task is already holding lock: [ Â 84.860321] Â (s_active#22){.+}, at: [c016996c] sysfs_write_file+0xdc/0x184 [ Â 84.911468] [ Â 84.911468] which lock already depends on the new lock. [ Â 84.911468] [ Â 84.920043] [ Â 84.920043] the existing dependency chain (in reverse order) is: [ Â 84.920043] [ Â 84.927886] - #1 (s_active#22){.+}: [ Â 84.927886] Â Â Â Â [c008f640] check_prevs_add+0xdc/0x150 [ Â 84.927886] Â Â Â Â [c008fc18] validate_chain.clone.24+0x564/0x694 [ Â 84.927886] Â Â Â Â [c0090cdc] __lock_acquire+0x49c/0x980 [ Â 84.951660] Â Â Â Â [c0091838] lock_acquire+0x98/0x100 [ Â 84.951660] Â Â Â Â [c016a8e8] sysfs_deactivate+0xb0/0x100 [ Â 84.962982] Â Â Â Â [c016b1b4] sysfs_addrm_finish+0x2c/0x6c [ Â 84.962982] Â Â Â Â [c016b8bc] sysfs_remove_dir+0x84/0x98 [ Â 84.962982] Â Â Â Â [c02590d8] kobject_del+0x10/0x78 [ Â 84.974670] Â Â Â Â [c02c29e8] device_del+0x140/0x170 [ Â 84.974670] Â Â Â Â [c02c2a24] device_unregister+0xc/0x18 [ Â 84.985382] Â Â Â Â [c0276894] gpio_unexport+0xbc/0xdc [ Â 84.985382] Â Â Â Â [c02768c8] gpio_free+0x14/0xfc [ Â 85.001708] Â Â Â Â [c0276a28] unexport_store+0x78/0x8c [ Â 85.001708] Â Â Â Â [c02c5af8] class_attr_store+0x18/0x24 [ Â 85.007293] Â Â Â Â [c0169990] sysfs_write_file+0x100/0x184 [ Â 85.018981] Â Â Â Â [c0109d48] vfs_write+0xb4/0x148 [ Â 85.018981] Â Â Â Â [c0109fd0] sys_write+0x40/0x70 [ Â 85.018981] Â Â Â Â [c0013cc0] ret_fast_syscall+0x0/0x3c [ Â 85.035003] [ Â 85.035003] - #0 (sysfs_lock){+.+.+.}: [ Â 85.035003] Â Â Â Â [c008f54c] check_prev_add+0x680/0x698 [ Â 85.035003] Â Â Â Â [c008f640] check_prevs_add+0xdc/0x150 [ Â 85.052093] Â Â Â Â [c008fc18] validate_chain.clone.24+0x564/0x694 [ Â 85.052093] Â Â Â Â [c0090cdc] __lock_acquire+0x49c/0x980 [ Â 85.052093] Â Â Â Â [c0091838] lock_acquire+0x98/0x100 [ Â 85.069885] Â Â Â Â [c047e280] mutex_lock_nested+0x3c/0x2f4 [ Â 85.069885] Â Â Â Â [c0275358] gpio_value_store+0x24/0xcc [ Â 85.069885] Â Â Â Â [c02c18dc] dev_attr_store+0x18/0x24 [ Â 85.087158] Â Â Â Â [c0169990] sysfs_write_file+0x100/0x184 [ Â 85.087158] Â Â Â Â [c0109d48] vfs_write+0xb4/0x148 [ Â 85.098297] Â Â Â Â [c0109fd0] sys_write+0x40/0x70 [ Â 85.098297] Â Â Â Â [c0013cc0] ret_fast_syscall+0x0/0x3c [ Â 85.109069] [ Â 85.109069] other info that might help us debug this: [ Â 85.109069] [ Â 85.117462] Â Possible unsafe locking scenario: [ Â 85.117462] [ Â 85.117462] Â Â Â Â CPU0 Â Â Â Â Â Â Â Â Â Â CPU1 [ Â 85.128417] Â Â Â Â Â Â Â Â Â Â Â Â Â Â [ Â 85.128417] Â lock(s_active#22); [ Â 85.128417] Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â lock(sysfs_lock); [ Â 85.128417] Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â lock(s_active#22); [ Â 85.142486] Â lock(sysfs_lock); [ Â 85.151794] [ Â 85.151794] Â *** DEADLOCK *** [ Â 85.151794] [ Â 85.151794] 2 locks held by bash/949: [ Â 85.158020] Â #0: Â (buffer-mutex){+.+.+.}, at: [c01698b8] sysfs_write_file+0x28/0x184 [ Â 85.170349] Â #1: Â (s_active#22){.+}, at: [c016996c] sysfs_write_file+0xdc/0x184 [ Â 85.170349] [ Â 85.178588] stack backtrace: [ Â 85.178588] [c001b824] (unwind_backtrace+0x0/0xf0) from [c008de64] (print_circular_bug+0x100/0x114) [ Â 85.193023] [c008de64] (print_circular_bug+0x100/0x114) from [c008f54c] (check_prev_add+0x680/0x698) [ Â 85.193023] [c008f54c] (check_prev_add+0x680/0x698) from [c008f640] (check_prevs_add+0xdc/0x150) [ Â 85.212524] [c008f640] (check_prevs_add+0xdc/0x150) from [c008fc18] (validate_chain.clone.24+0x564/0x694) [ Â 85.212524] [c008fc18] (validate_chain.clone.24+0x564/0x694) from [c0090cdc] (__lock_acquire+0x49c/0x980) [ Â 85.233306] [c0090cdc] (__lock_acquire+0x49c/0x980) from [c0091838] (lock_acquire+0x98/0x100) [ Â 85.233306] [c0091838] (lock_acquire+0x98/0x100) from [c047e280] (mutex_lock_nested+0x3c/0x2f4) [ Â 85.242614] [c047e280] (mutex_lock_nested+0x3c/0x2f4) from [c0275358] (gpio_value_store+0x24/0xcc) [ Â 85.261840] [c0275358] (gpio_value_store+0x24/0xcc) from [c02c18dc] (dev_attr_store+0x18/0x24) [ Â 85.261840] [c02c18dc] (dev_attr_store+0x18/0x24) from [c0169990] (sysfs_write_file+0x100/0x184) [ Â 85.271240] [c0169990] (sysfs_write_file+0x100/0x184) from [c0109d48] (vfs_write+0xb4/0x148) [ Â 85.290008] [c0109d48] (vfs_write+0xb4/0x148) from [c0109fd0]
[PATCH 3.2 123/152] x86, hyperv: Mark the Hyper-V clocksource as being continuous
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: K. Y. Srinivasan k...@microsoft.com commit 32c6590d126836a062b3140ed52d898507987017 upstream. The Hyper-V clocksource is continuous; mark it accordingly. Signed-off-by: K. Y. Srinivasan k...@microsoft.com Acked-by: jasow...@redhat.com Cc: gre...@linuxfoundation.org Cc: de...@linuxdriverproject.org Cc: o...@aepfle.de Cc: a...@canonical.com Link: http://lkml.kernel.org/r/1421108762-3331-1-git-send-email-...@microsoft.com Signed-off-by: Thomas Gleixner t...@linutronix.de Signed-off-by: Ben Hutchings b...@decadent.org.uk --- arch/x86/kernel/cpu/mshyperv.c | 1 + 1 file changed, 1 insertion(+) --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -56,6 +56,7 @@ static struct clocksource hyperv_cs = { .rating = 400, /* use this when running on Hyperv*/ .read = read_hv_clock, .mask = CLOCKSOURCE_MASK(64), + .flags = CLOCK_SOURCE_IS_CONTINUOUS, }; static void __init ms_hyperv_init_platform(void) -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 089/152] time: settimeofday: Validate the values of tv from user
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Sasha Levin sasha.le...@oracle.com commit 6ada1fc0e1c4775de0e043e1bd3ae9d065491aa5 upstream. An unvalidated user input is multiplied by a constant, which can result in an undefined behaviour for large values. While this is validated later, we should avoid triggering undefined behaviour. Cc: Thomas Gleixner t...@linutronix.de Cc: Ingo Molnar mi...@kernel.org Signed-off-by: Sasha Levin sasha.le...@oracle.com [jstultz: include trivial milisecond-microsecond correction noticed by Andy] Signed-off-by: John Stultz john.stu...@linaro.org [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- include/linux/time.h | 13 + kernel/time.c| 4 2 files changed, 17 insertions(+) --- a/include/linux/time.h +++ b/include/linux/time.h @@ -138,6 +138,19 @@ static inline bool timespec_valid_strict return true; } +static inline bool timeval_valid(const struct timeval *tv) +{ + /* Dates before 1970 are bogus */ + if (tv-tv_sec 0) + return false; + + /* Can't have more microseconds then a second */ + if (tv-tv_usec 0 || tv-tv_usec = USEC_PER_SEC) + return false; + + return true; +} + extern void read_persistent_clock(struct timespec *ts); extern void read_boot_clock(struct timespec *ts); extern int update_persistent_clock(struct timespec now); --- a/kernel/time.c +++ b/kernel/time.c @@ -192,6 +192,10 @@ SYSCALL_DEFINE2(settimeofday, struct tim if (tv) { if (copy_from_user(user_tv, tv, sizeof(*tv))) return -EFAULT; + + if (!timeval_valid(user_tv)) + return -EINVAL; + new_ts.tv_sec = user_tv.tv_sec; new_ts.tv_nsec = user_tv.tv_usec * NSEC_PER_USEC; } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 102/152] USB: console: fix potential use after free
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Johan Hovold jo...@kernel.org commit 32a4bf2e81ec378e5925d4e069e0677a6c86a6ad upstream. Use tty kref to release the fake tty in usb_console_setup to avoid use after free if the underlying serial driver has acquired a reference. Note that using the tty destructor release_one_tty requires some more state to be initialised. Fixes: 4a90f09b20f4 (tty: usb-serial krefs) Signed-off-by: Johan Hovold jo...@kernel.org [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/usb/serial/console.c | 15 ++- 1 file changed, 10 insertions(+), 5 deletions(-) --- a/drivers/usb/serial/console.c +++ b/drivers/usb/serial/console.c @@ -47,6 +47,8 @@ static struct console usbcons; * */ +static const struct tty_operations usb_console_fake_tty_ops = { +}; /* * The parsing of the command line works exactly like the @@ -141,14 +143,17 @@ static int usb_console_setup(struct cons goto reset_open_count; } kref_init(tty-kref); - tty_port_tty_set(port-port, tty); tty-driver = usb_serial_tty_driver; tty-index = co-index; + INIT_LIST_HEAD(tty-tty_files); + kref_get(tty-driver-kref); + tty-ops = usb_console_fake_tty_ops; if (tty_init_termios(tty)) { retval = -ENOMEM; err(no more memory); - goto free_tty; + goto put_tty; } + tty_port_tty_set(port-port, tty); } /* only call the device specific open if this @@ -170,7 +175,7 @@ static int usb_console_setup(struct cons serial-type-set_termios(tty, port, dummy); tty_port_tty_set(port-port, NULL); - kfree(tty); + tty_kref_put(tty); } set_bit(ASYNCB_INITIALIZED, port-port.flags); } @@ -186,8 +191,8 @@ static int usb_console_setup(struct cons fail: tty_port_tty_set(port-port, NULL); - free_tty: - kfree(tty); + put_tty: + tty_kref_put(tty); reset_open_count: port-port.count = 0; usb_autopm_put_interface(serial-interface); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 000/152] 3.2.67-rc1 review
This is the start of the stable review cycle for the 3.2.67 release. There are 152 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu Feb 19 02:00:00 UTC 2015. Anything received after that time might be too late. A combined patch relative to 3.2.66 will be posted as an additional response to this. A shortlog and diffstat can be found below. Ben. - Alex Williamson (1): driver core: Fix unbalanced device reference in drivers_probe [0372ffb35d00288802265586a29c117911d02fb8] Alexander Duyck (1): fib_trie: Fix /proc/net/fib_trie when CONFIG_IP_MULTIPLE_TABLES is not defined [a5a519b2710be43fce3cf9ce7bd8de8db3f2a9de] Anantha Krishnan (2): Bluetooth: Add support for Acer [0489:e078] [4b552bc9edfdc947862af225a0e2521edb5d37a0] Bluetooth: Add support for Acer [13D3:3432] [fa2f1394fe9c1a217213f02df77812701de6362f] Andreas Müller (1): mac80211: fix multicast LED blinking and counter [d025933e29872cb1fe19fc54d80e4dfa4ee5779c] Andy Lutomirski (6): x86, tls, ldt: Stop checking lm in LDT_empty [e30ab185c490e9a9381385529e0fd32f0a399495] x86, tls: Interpret an all-zero struct user_desc as no segment [3669ef9fa7d35f573ec9c0e0341b29251c2734a7] x86/tls: Disallow unusual TLS segments [0e58af4e1d2166e9e33375a0f121e4867010d4f8] x86/tls: Don't validate lm in set_thread_area() after all [3fb2f4237bb452eb4e98f6a5dbd5a445b4fed9d0] x86_64, switch_to(): Load TLS descriptors before switching DS and ES [f647d7c155f069c1a068030255c300663516420e] x86_64, vdso: Fix the vdso address randomization algorithm [394f56fe480140877304d342dec46d50dc823d46] Andy Shevchenko (4): Bluetooth: append new supported device to the list [0b05:17d0] [a735f9e22432899cee188d167966782c29246390] Bluetooth: sort the list of IDs in the source code [0b8800623d3f12dd40a039aa191d52bfa4eef5b4] sata_dwc_460ex: fix resource leak on error path [4aaa71873ddb9faf4b0c4826579e2f6d18ff9ab4] spi: dw-mid: fix FIFO size [67bf9cda4b498b8cea4a40be67a470afe57d2e88] Arseny Solokha (1): OHCI: add a quirk for ULi M5237 blocking on reset [56abcab833fafcfaeb2f5b25e0364c1dec45f53e] Ashay Jaiswal (1): regulator: core: fix race condition in regulator_put() [83b0302d347a49f951e904184afe57ac3723476e] Avi Kivity (1): KVM: x86 emulator: reject SYSENTER in compatibility mode on AMD guests [1a18a69b762374c423305772500f36eb8984ca52] Axel Lin (1): spi: dw: Fix detecting FIFO depth [d297933cc7fcfbaaf2d37570baac73287bf0357d] Ben Hutchings (6): Revert tcp: Apply device TSO segment limit earlier [843925f33fcc293d80acf2c5c8a78adf3344d49b] Revert x86, 64bit, mm: Mark data/bss/brk to nx [not upstream; regression is specific to 3.2] Revert x86, mm: Set NX across entire PMD at boot [not upstream; regression is specific to 3.2] dcache: Fix locking bugs in backported deal with deadlock in d_walk() [not upstream; regression is specific to 3.2] splice: Apply generic position and size checks to each write [8d0207652cbe27d1f962050737848e5ad4671958] vfs: Fix vfsmount_lock imbalance in path_init() [not upstream; regression is specific to 3.2] Bo Shen (2): usb: gadget: udc: atmel: change setting for DMA [f40afdddeb6c54ffd1e2920a5e93e363d6748db6] usb: gadget: udc: atmel: fix possible IN hang issue [6785a1034461c2d2c205215f63a50a740896e55b] Bob Paauwe (1): drm/i915: Only fence tiled region of object. [af1a7301c7cf8912dca03065d448c4437c5c239f] Borislav Petkov (1): x86, cpu, amd: Add workaround for family 16h, erratum 793 [3b56496865f9f7d9bcb2f93b44c63f274f08e3b6] Christian Borntraeger (1): KVM: s390: flush CPU on load control [2dca485f8740208604543c3960be31a5dd3ea603] Clemens Ladisch (1): ALSA: seq-dummy: remove deadlock-causing events on close [0767e95bb96d7fdddcd590fb809e6975d93aebc5] Dan Carpenter (6): ALSA: hda - using uninitialized data [69eba10e606a80665f8573221fec589430d9d1cb] HID: roccat: potential out of bounds in pyra_sysfs_write_settings() [606185b20caf4c57d7e41e5a5ea4aff460aef2ab] USB: adutux: NULL dereferences on disconnect [fc625960edecfb57e62c2975d1f155155e28e6ba] decompress_bunzip2: off by one in get_next_block() [b5c8afe5be51078a979d86ae5ae78c4ac948063d] dm space map metadata: fix sm_bootstrap_get_nr_blocks() [c1c6156fe4d4577444b769d7edd5dd503e57bbc9] netfilter: ipset: small potential read beyond the end of buffer [2196937e12b1b4ba139806d132647e1651d655df] Dan Williams (1): libata: allow
[PATCH 3.2 152/152] KVM: x86: SYSENTER emulation is broken
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Nadav Amit na...@cs.technion.ac.il commit f3747379accba8e95d70cec0eae0582c8c182050 upstream. SYSENTER emulation is broken in several ways: 1. It misses the case of 16-bit code segments completely (CVE-2015-0239). 2. MSR_IA32_SYSENTER_CS is checked in 64-bit mode incorrectly (bits 0 and 1 can still be set without causing #GP). 3. MSR_IA32_SYSENTER_EIP and MSR_IA32_SYSENTER_ESP are not masked in legacy-mode. 4. There is some unneeded code. Fix it. Cc: sta...@vger.linux.org Signed-off-by: Nadav Amit na...@cs.technion.ac.il Signed-off-by: Paolo Bonzini pbonz...@redhat.com [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- arch/x86/kvm/emulate.c | 27 --- 1 file changed, 8 insertions(+), 19 deletions(-) --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -2083,7 +2083,7 @@ static int em_sysenter(struct x86_emulat * Not recognized on AMD in compat mode (but is recognized in legacy * mode). */ - if ((ctxt-mode == X86EMUL_MODE_PROT32) (efer EFER_LMA) + if ((ctxt-mode != X86EMUL_MODE_PROT64) (efer EFER_LMA) !vendor_intel(ctxt)) return emulate_ud(ctxt); @@ -2096,23 +2096,13 @@ static int em_sysenter(struct x86_emulat setup_syscalls_segments(ctxt, cs, ss); ops-get_msr(ctxt, MSR_IA32_SYSENTER_CS, msr_data); - switch (ctxt-mode) { - case X86EMUL_MODE_PROT32: - if ((msr_data 0xfffc) == 0x0) - return emulate_gp(ctxt, 0); - break; - case X86EMUL_MODE_PROT64: - if (msr_data == 0x0) - return emulate_gp(ctxt, 0); - break; - } + if ((msr_data 0xfffc) == 0x0) + return emulate_gp(ctxt, 0); ctxt-eflags = ~(EFLG_VM | EFLG_IF | EFLG_RF); - cs_sel = (u16)msr_data; - cs_sel = ~SELECTOR_RPL_MASK; + cs_sel = (u16)msr_data ~SELECTOR_RPL_MASK; ss_sel = cs_sel + 8; - ss_sel = ~SELECTOR_RPL_MASK; - if (ctxt-mode == X86EMUL_MODE_PROT64 || (efer EFER_LMA)) { + if (efer EFER_LMA) { cs.d = 0; cs.l = 1; } @@ -2121,10 +2111,11 @@ static int em_sysenter(struct x86_emulat ops-set_segment(ctxt, ss_sel, ss, 0, VCPU_SREG_SS); ops-get_msr(ctxt, MSR_IA32_SYSENTER_EIP, msr_data); - ctxt-_eip = msr_data; + ctxt-_eip = (efer EFER_LMA) ? msr_data : (u32)msr_data; ops-get_msr(ctxt, MSR_IA32_SYSENTER_ESP, msr_data); - ctxt-regs[VCPU_REGS_RSP] = msr_data; + ctxt-regs[VCPU_REGS_RSP] = (efer EFER_LMA) ? msr_data : + (u32)msr_data; return X86EMUL_CONTINUE; } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH v4 1/3] lib: find_*_bit reimplementation
The new implementation takes less space in the sources (see diffstat) and in the object. For me it's 710 vs 453 bytes of text. It also shows a better performance. find_last_bit description fixed due to obvious typo. In this patch 2 macros were introduced: {LOW,HIGH}_BITS_MASK, that are doing almost the same as BITMAP_{FIRST,LAST}_WORD_MASK in include/linux/bitmap.h. But 'LAST' macro is potentially less effective, because it issues a conditional branch that can be omitted. If it is replaced one day by a more effective implementation, {LOW,HIGH}_BITS_MASK can be removed. Signed-off-by: Yury Norov yury.no...@gmail.com --- include/linux/bitops.h | 4 +- lib/find_last_bit.c| 37 +++ lib/find_next_bit.c| 269 ++--- 3 files changed, 94 insertions(+), 216 deletions(-) diff --git a/include/linux/bitops.h b/include/linux/bitops.h index 5d858e0..297f5bd 100644 --- a/include/linux/bitops.h +++ b/include/linux/bitops.h @@ -218,9 +218,9 @@ static inline unsigned long __ffs64(u64 word) /** * find_last_bit - find the last set bit in a memory region * @addr: The address to start the search at - * @size: The maximum size to search + * @size: The number of bits to search * - * Returns the bit number of the first set bit, or size. + * Returns the bit number of the last set bit, or size. */ extern unsigned long find_last_bit(const unsigned long *addr, unsigned long size); diff --git a/lib/find_last_bit.c b/lib/find_last_bit.c index 91ca09f..edbb281 100644 --- a/lib/find_last_bit.c +++ b/lib/find_last_bit.c @@ -4,6 +4,9 @@ * Written by Rusty Russell ru...@rustcorp.com.au * (Inspired by David Howell's find_next_bit implementation) * + * Rewritten by Yury Norov yury.no...@gmail.com to decrease + * size and improve performance, 2015. + * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version @@ -12,36 +15,26 @@ #include linux/bitops.h #include linux/export.h -#include asm/types.h -#include asm/byteorder.h +#include linux/kernel.h + +#define LOW_BITS_MASK(nr) (~0UL -(nr)) #ifndef find_last_bit unsigned long find_last_bit(const unsigned long *addr, unsigned long size) { - unsigned long words; - unsigned long tmp; + if (size) { + unsigned long val = LOW_BITS_MASK(size % BITS_PER_LONG); + unsigned long idx = (size-1) / BITS_PER_LONG; - /* Start at final word. */ - words = size / BITS_PER_LONG; + do { + val = addr[idx]; + if (val) + return idx * BITS_PER_LONG + __fls(val); - /* Partial final word? */ - if (size (BITS_PER_LONG-1)) { - tmp = (addr[words] (~0UL (BITS_PER_LONG -- (size (BITS_PER_LONG-1); - if (tmp) - goto found; + val = ~0ul; + } while (idx--); } - - while (words) { - tmp = addr[--words]; - if (tmp) { -found: - return words * BITS_PER_LONG + __fls(tmp); - } - } - - /* Not found */ return size; } EXPORT_SYMBOL(find_last_bit); diff --git a/lib/find_next_bit.c b/lib/find_next_bit.c index 0cbfc0b..1f5f108 100644 --- a/lib/find_next_bit.c +++ b/lib/find_next_bit.c @@ -3,6 +3,9 @@ * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved. * Written by David Howells (dhowe...@redhat.com) * + * Rewritten by Yury Norov yury.no...@gmail.com to decrease + * size and improve performance, 2015. + * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version @@ -11,98 +14,60 @@ #include linux/bitops.h #include linux/export.h -#include asm/types.h -#include asm/byteorder.h +#include linux/kernel.h -#define BITOP_WORD(nr) ((nr) / BITS_PER_LONG) +#define HIGH_BITS_MASK(nr) (~0UL (nr)) + +#if !defined(find_next_bit) || !defined(find_next_zero_bit) -#ifndef find_next_bit /* - * Find the next set bit in a memory region. + * This is a common helper function for find_next_bit and + * find_next_zero_bit. The difference is the invert argument, which + * is XORed with each fetched word before searching it for one bits. */ -unsigned long find_next_bit(const unsigned long *addr, unsigned long size, - unsigned long offset) +static unsigned long _find_next_bit(const unsigned long *addr, + unsigned long nbits, unsigned long start, unsigned long invert) { - const unsigned long *p = addr + BITOP_WORD(offset); - unsigned long result = offset ~(BITS_PER_LONG-1); unsigned long
[PATCH v4 0/3] lib: find_*_bit reimplementation
This patchset does rework find_bit functions family to achieve better performance, and decrease size of text. All rework is done in patch 1. Patches 2 and 3 are about code moving and renaming. It was boot-tested on x86_64 and MIPS (big-endian) machines. Performance tests were ran on userspace with code like this: /* addr[] is filled from /dev/urandom */ start = clock(); while (ret nbits) ret = find_next_bit(addr, nbits, ret + 1); end = clock(); printf(%ld\t, (unsigned long) end - start); On Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz measuremets are next: (for find_next_bit, nbits is 8M, for find_first_bit - 80K) find_next_bit: find_first_bit: new current new current 26932 43151 14777 14925 26947 43182 14521 15423 26507 43824 15053 14705 27329 43759 14473 14777 26895 43367 14847 15023 26990 43693 15103 15163 26775 43299 15067 15232 27282 42752 14544 15121 27504 43088 14644 14858 26761 43856 14699 15193 26692 43075 14781 14681 27137 42969 14451 15061 ... ... find_next_bit performance gain is 35-40%; find_first_bit - no measurable difference. On ARM machine, there is arch-specific implementation for find_bit. To disable it, and use generic one, please apply next patch: --- arch/arm/include/asm/bitops.h | 19 --- arch/arm/kernel/armksyms.c | 11 --- arch/arm/lib/Makefile | 2 +- include/asm-generic/bitops/le.h | 1 + 4 files changed, 2 insertions(+), 31 deletions(-) diff --git a/arch/arm/include/asm/bitops.h b/arch/arm/include/asm/bitops.h index 5638099..e0611d1 100644 --- a/arch/arm/include/asm/bitops.h +++ b/arch/arm/include/asm/bitops.h @@ -192,25 +192,6 @@ extern int _find_next_bit_be(const unsigned long *p, int size, int offset); #define test_and_clear_bit(nr,p) ATOMIC_BITOP(test_and_clear_bit,nr,p) #define test_and_change_bit(nr,p) ATOMIC_BITOP(test_and_change_bit,nr,p) -#ifndef __ARMEB__ -/* - * These are the little endian, atomic definitions. - */ -#define find_first_zero_bit(p,sz) _find_first_zero_bit_le(p,sz) -#define find_next_zero_bit(p,sz,off) _find_next_zero_bit_le(p,sz,off) -#define find_first_bit(p,sz) _find_first_bit_le(p,sz) -#define find_next_bit(p,sz,off) _find_next_bit_le(p,sz,off) - -#else -/* - * These are the big endian, atomic definitions. - */ -#define find_first_zero_bit(p,sz) _find_first_zero_bit_be(p,sz) -#define find_next_zero_bit(p,sz,off) _find_next_zero_bit_be(p,sz,off) -#define find_first_bit(p,sz) _find_first_bit_be(p,sz) -#define find_next_bit(p,sz,off) _find_next_bit_be(p,sz,off) - -#endif #if __LINUX_ARM_ARCH__ 5 diff --git a/arch/arm/kernel/armksyms.c b/arch/arm/kernel/armksyms.c index a88671c..22e8748 100644 --- a/arch/arm/kernel/armksyms.c +++ b/arch/arm/kernel/armksyms.c @@ -146,17 +146,6 @@ EXPORT_SYMBOL(_clear_bit); EXPORT_SYMBOL(_test_and_clear_bit); EXPORT_SYMBOL(_change_bit); EXPORT_SYMBOL(_test_and_change_bit); -EXPORT_SYMBOL(_find_first_zero_bit_le); -EXPORT_SYMBOL(_find_next_zero_bit_le); -EXPORT_SYMBOL(_find_first_bit_le); -EXPORT_SYMBOL(_find_next_bit_le); - -#ifdef __ARMEB__ -EXPORT_SYMBOL(_find_first_zero_bit_be); -EXPORT_SYMBOL(_find_next_zero_bit_be); -EXPORT_SYMBOL(_find_first_bit_be); -EXPORT_SYMBOL(_find_next_bit_be); -#endif #ifdef CONFIG_FUNCTION_TRACER #ifdef CONFIG_OLD_MCOUNT diff --git a/arch/arm/lib/Makefile b/arch/arm/lib/Makefile index 0573faa..de369aa 100644 --- a/arch/arm/lib/Makefile +++ b/arch/arm/lib/Makefile @@ -6,7 +6,7 @@ lib-y := backtrace.o changebit.o csumipv6.o csumpartial.o \ csumpartialcopy.o csumpartialcopyuser.o clearbit.o \ - delay.o delay-loop.o findbit.o memchr.o memcpy.o \ + delay.o delay-loop.o memchr.o memcpy.o \ memmove.o memset.o memzero.o setbit.o \ strchr.o strrchr.o \ testchangebit.o testclearbit.o testsetbit.o\ diff --git
[PATCH v4 2/3] lib: move find_last_bit to lib/find_next_bit.c
Currently all 'find_*_bit' family is located in lib/find_next_bit.c, except 'find_last_bit', which is in lib/find_last_bit.c. It seems, there's no major benefit to have it separated. --- lib/Makefile| 2 +- lib/find_last_bit.c | 42 -- lib/find_next_bit.c | 27 ++- 3 files changed, 27 insertions(+), 44 deletions(-) delete mode 100644 lib/find_last_bit.c diff --git a/lib/Makefile b/lib/Makefile index 87eb3bf..9dafcd5 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -25,7 +25,7 @@ obj-y += lockref.o obj-y += bcd.o div64.o sort.o parser.o halfmd4.o debug_locks.o random32.o \ bust_spinlocks.o kasprintf.o bitmap.o scatterlist.o \ gcd.o lcm.o list_sort.o uuid.o flex_array.o clz_ctz.o \ -bsearch.o find_last_bit.o find_next_bit.o llist.o memweight.o kfifo.o \ +bsearch.o find_next_bit.o llist.o memweight.o kfifo.o \ percpu-refcount.o percpu_ida.o rhashtable.o reciprocal_div.o obj-y += string_helpers.o obj-$(CONFIG_TEST_STRING_HELPERS) += test-string_helpers.o diff --git a/lib/find_last_bit.c b/lib/find_last_bit.c deleted file mode 100644 index edbb281..000 --- a/lib/find_last_bit.c +++ /dev/null @@ -1,42 +0,0 @@ -/* find_last_bit.c: fallback find next bit implementation - * - * Copyright (C) 2008 IBM Corporation - * Written by Rusty Russell ru...@rustcorp.com.au - * (Inspired by David Howell's find_next_bit implementation) - * - * Rewritten by Yury Norov yury.no...@gmail.com to decrease - * size and improve performance, 2015. - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * as published by the Free Software Foundation; either version - * 2 of the License, or (at your option) any later version. - */ - -#include linux/bitops.h -#include linux/export.h -#include linux/kernel.h - -#define LOW_BITS_MASK(nr) (~0UL -(nr)) - -#ifndef find_last_bit - -unsigned long find_last_bit(const unsigned long *addr, unsigned long size) -{ - if (size) { - unsigned long val = LOW_BITS_MASK(size % BITS_PER_LONG); - unsigned long idx = (size-1) / BITS_PER_LONG; - - do { - val = addr[idx]; - if (val) - return idx * BITS_PER_LONG + __fls(val); - - val = ~0ul; - } while (idx--); - } - return size; -} -EXPORT_SYMBOL(find_last_bit); - -#endif diff --git a/lib/find_next_bit.c b/lib/find_next_bit.c index 1f5f108..627d0ec 100644 --- a/lib/find_next_bit.c +++ b/lib/find_next_bit.c @@ -1,8 +1,12 @@ -/* find_next_bit.c: fallback find next bit implementation +/* bit search implementation * * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved. * Written by David Howells (dhowe...@redhat.com) * + * Copyright (C) 2008 IBM Corporation + * 'find_last_bit' is written by Rusty Russell ru...@rustcorp.com.au + * (Inspired by David Howell's find_next_bit implementation) + * * Rewritten by Yury Norov yury.no...@gmail.com to decrease * size and improve performance, 2015. * @@ -17,6 +21,7 @@ #include linux/kernel.h #define HIGH_BITS_MASK(nr) (~0UL (nr)) +#define LOW_BITS_MASK(nr) (~0UL -(nr)) #if !defined(find_next_bit) || !defined(find_next_zero_bit) @@ -108,6 +113,26 @@ unsigned long find_first_zero_bit(const unsigned long *addr, unsigned long size) EXPORT_SYMBOL(find_first_zero_bit); #endif +#ifndef find_last_bit +unsigned long find_last_bit(const unsigned long *addr, unsigned long size) +{ + if (size) { + unsigned long val = LOW_BITS_MASK(size % BITS_PER_LONG); + unsigned long idx = (size-1) / BITS_PER_LONG; + + do { + val = addr[idx]; + if (val) + return idx * BITS_PER_LONG + __fls(val); + + val = ~0ul; + } while (idx--); + } + return size; +} +EXPORT_SYMBOL(find_last_bit); +#endif + #ifdef __BIG_ENDIAN /* include/linux/byteorder does not support unsigned long type */ -- 2.1.0 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH v4 3/3] lib: rename lib/find_next_bit.c to lib/find_bit.c
This file contains implementation for all find_*_bit{,_le} family. So giving it more generic name looks reasonable. --- lib/Makefile| 2 +- lib/{find_next_bit.c = find_bit.c} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename lib/{find_next_bit.c = find_bit.c} (100%) diff --git a/lib/Makefile b/lib/Makefile index 9dafcd5..d857965 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -25,7 +25,7 @@ obj-y += lockref.o obj-y += bcd.o div64.o sort.o parser.o halfmd4.o debug_locks.o random32.o \ bust_spinlocks.o kasprintf.o bitmap.o scatterlist.o \ gcd.o lcm.o list_sort.o uuid.o flex_array.o clz_ctz.o \ -bsearch.o find_next_bit.o llist.o memweight.o kfifo.o \ +bsearch.o find_bit.o llist.o memweight.o kfifo.o \ percpu-refcount.o percpu_ida.o rhashtable.o reciprocal_div.o obj-y += string_helpers.o obj-$(CONFIG_TEST_STRING_HELPERS) += test-string_helpers.o diff --git a/lib/find_next_bit.c b/lib/find_bit.c similarity index 100% rename from lib/find_next_bit.c rename to lib/find_bit.c -- 2.1.0 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 009/152] ipv6: Remove all uses of LL_ALLOCATED_SPACE
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Herbert Xu herb...@gondor.apana.org.au commit a7ae1992248e5cf9dc5bd35695ab846d27efe15f upstream. ipv6: Remove all uses of LL_ALLOCATED_SPACE The macro LL_ALLOCATED_SPACE was ill-conceived. It applies the alignment to the sum of needed_headroom and needed_tailroom. As the amount that is then reserved for head room is needed_headroom with alignment, this means that the tail room left may be too small. This patch replaces all uses of LL_ALLOCATED_SPACE in net/ipv6 with the macro LL_RESERVED_SPACE and direct reference to needed_tailroom. This also fixes the problem with needed_headroom changing between allocating the skb and reserving the head room. Signed-off-by: Herbert Xu herb...@gondor.apana.org.au Signed-off-by: David S. Miller da...@davemloft.net [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- net/ipv6/ip6_output.c | 8 ++-- net/ipv6/mcast.c | 12 net/ipv6/ndisc.c | 13 + net/ipv6/raw.c| 6 -- 4 files changed, 27 insertions(+), 12 deletions(-) --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -623,6 +623,7 @@ int ip6_fragment(struct sk_buff *skb, in struct ipv6hdr *tmp_hdr; struct frag_hdr *fh; unsigned int mtu, hlen, left, len; + int hroom, troom; __be32 frag_id = 0; int ptr, offset = 0, err=0; u8 *prevhdr, nexthdr = 0; @@ -789,6 +790,8 @@ slow_path: */ *prevhdr = NEXTHDR_FRAGMENT; + hroom = LL_RESERVED_SPACE(rt-dst.dev); + troom = rt-dst.dev-needed_tailroom; /* * Keep copying data until we run out. @@ -807,7 +810,8 @@ slow_path: * Allocate buffer. */ - if ((frag = alloc_skb(len+hlen+sizeof(struct frag_hdr)+LL_ALLOCATED_SPACE(rt-dst.dev), GFP_ATOMIC)) == NULL) { + if ((frag = alloc_skb(len + hlen + sizeof(struct frag_hdr) + + hroom + troom, GFP_ATOMIC)) == NULL) { NETDEBUG(KERN_INFO IPv6: frag: no memory for new fragment!\n); IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_FRAGFAILS); @@ -820,7 +824,7 @@ slow_path: */ ip6_copy_metadata(frag, skb); - skb_reserve(frag, LL_RESERVED_SPACE(rt-dst.dev)); + skb_reserve(frag, hroom); skb_put(frag, len + hlen + sizeof(struct frag_hdr)); skb_reset_network_header(frag); fh = (struct frag_hdr *)(skb_network_header(frag) + hlen); --- a/net/ipv6/mcast.c +++ b/net/ipv6/mcast.c @@ -1343,13 +1343,15 @@ static struct sk_buff *mld_newpack(struc struct mld2_report *pmr; struct in6_addr addr_buf; const struct in6_addr *saddr; + int hlen = LL_RESERVED_SPACE(dev); + int tlen = dev-needed_tailroom; int err; u8 ra[8] = { IPPROTO_ICMPV6, 0, IPV6_TLV_ROUTERALERT, 2, 0, 0, IPV6_TLV_PADN, 0 }; /* we assume size sizeof(ra) here */ - size += LL_ALLOCATED_SPACE(dev); + size += hlen + tlen; /* limit our allocations to order-0 page */ size = min_t(int, size, SKB_MAX_ORDER(0, 0)); skb = sock_alloc_send_skb(sk, size, 1, err); @@ -1357,7 +1359,7 @@ static struct sk_buff *mld_newpack(struc if (!skb) return NULL; - skb_reserve(skb, LL_RESERVED_SPACE(dev)); + skb_reserve(skb, hlen); if (__ipv6_get_lladdr(idev, addr_buf, IFA_F_TENTATIVE)) { /* draft-ietf-magma-mld-source-05.txt: @@ -1725,6 +1727,8 @@ static void igmp6_send(struct in6_addr * struct mld_msg *hdr; const struct in6_addr *snd_addr, *saddr; struct in6_addr addr_buf; + int hlen = LL_RESERVED_SPACE(dev); + int tlen = dev-needed_tailroom; int err, len, payload_len, full_len; u8 ra[8] = { IPPROTO_ICMPV6, 0, IPV6_TLV_ROUTERALERT, 2, 0, 0, @@ -1746,7 +1750,7 @@ static void igmp6_send(struct in6_addr * IPSTATS_MIB_OUT, full_len); rcu_read_unlock(); - skb = sock_alloc_send_skb(sk, LL_ALLOCATED_SPACE(dev) + full_len, 1, err); + skb = sock_alloc_send_skb(sk, hlen + tlen + full_len, 1, err); if (skb == NULL) { rcu_read_lock(); @@ -1756,7 +1760,7 @@ static void igmp6_send(struct in6_addr * return; } - skb_reserve(skb, LL_RESERVED_SPACE(dev)); + skb_reserve(skb, hlen); if (ipv6_get_lladdr(dev, addr_buf, IFA_F_TENTATIVE)) { /* draft-ietf-magma-mld-source-05.txt: --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c @@ -446,6 +446,8 @@ struct sk_buff *ndisc_build_skb(struct n struct sock *sk =
[PATCH 3.2 133/152] net: sctp: fix slab corruption from use after free on INIT collisions
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Daniel Borkmann dbork...@redhat.com commit 600ddd6825543962fb807884169e57b580dba208 upstream. When hitting an INIT collision case during the 4WHS with AUTH enabled, as already described in detail in commit 1be9a950c646 (net: sctp: inherit auth_capable on INIT collisions), it can happen that we occasionally still remotely trigger the following panic on server side which seems to have been uncovered after the fix from commit 1be9a950c646 ... [ 533.876389] BUG: unable to handle kernel paging request at [ 533.913657] IP: [811ac385] __kmalloc+0x95/0x230 [ 533.940559] PGD 5030f2067 PUD 0 [ 533.957104] Oops: [#1] SMP [ 533.974283] Modules linked in: sctp mlx4_en [...] [ 534.939704] Call Trace: [ 534.951833] [81294e30] ? crypto_init_shash_ops+0x60/0xf0 [ 534.984213] [81294e30] crypto_init_shash_ops+0x60/0xf0 [ 535.015025] [8128c8ed] __crypto_alloc_tfm+0x6d/0x170 [ 535.045661] [8128d12c] crypto_alloc_base+0x4c/0xb0 [ 535.074593] [8160bd42] ? _raw_spin_lock_bh+0x12/0x50 [ 535.105239] [a0418c11] sctp_inet_listen+0x161/0x1e0 [sctp] [ 535.138606] [814e43bd] SyS_listen+0x9d/0xb0 [ 535.166848] [816149a9] system_call_fastpath+0x16/0x1b ... or depending on the the application, for example this one: [ 1370.026490] BUG: unable to handle kernel paging request at [ 1370.026506] IP: [811ab455] kmem_cache_alloc+0x75/0x1d0 [ 1370.054568] PGD 633c94067 PUD 0 [ 1370.070446] Oops: [#1] SMP [ 1370.085010] Modules linked in: sctp kvm_amd kvm [...] [ 1370.963431] Call Trace: [ 1370.974632] [8120f7cf] ? SyS_epoll_ctl+0x53f/0x960 [ 1371.000863] [8120f7cf] SyS_epoll_ctl+0x53f/0x960 [ 1371.027154] [812100d3] ? anon_inode_getfile+0xd3/0x170 [ 1371.054679] [811e3d67] ? __alloc_fd+0xa7/0x130 [ 1371.080183] [816149a9] system_call_fastpath+0x16/0x1b With slab debugging enabled, we can see that the poison has been overwritten: [ 669.826368] BUG kmalloc-128 (Tainted: GW ): Poison overwritten [ 669.826385] INFO: 0x880228b32e50-0x880228b32e50. First byte 0x6a instead of 0x6b [ 669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494 [ 669.826424] __slab_alloc+0x4bf/0x566 [ 669.826433] __kmalloc+0x280/0x310 [ 669.826453] sctp_auth_create_key+0x23/0x50 [sctp] [ 669.826471] sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp] [ 669.826488] sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp] [ 669.826505] sctp_do_sm+0x29d/0x17c0 [sctp] [...] [ 669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494 [ 669.826635] __slab_free+0x39/0x2a8 [ 669.826643] kfree+0x1d6/0x230 [ 669.826650] kzfree+0x31/0x40 [ 669.82] sctp_auth_key_put+0x19/0x20 [sctp] [ 669.826681] sctp_assoc_update+0x1ee/0x2d0 [sctp] [ 669.826695] sctp_do_sm+0x674/0x17c0 [sctp] Since this only triggers in some collision-cases with AUTH, the problem at heart is that sctp_auth_key_put() on asoc-asoc_shared_key is called twice when having refcnt 1, once directly in sctp_assoc_update() and yet again from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on the already kzfree'd memory, which is also consistent with the observation of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected at a later point in time when poison is checked on new allocation). Reference counting of auth keys revisited: Shared keys for AUTH chunks are being stored in endpoints and associations in endpoint_shared_keys list. On endpoint creation, a null key is being added; on association creation, all endpoint shared keys are being cached and thus cloned over to the association. struct sctp_shared_key only holds a pointer to the actual key bytes, that is, struct sctp_auth_bytes which keeps track of users internally through refcounting. Naturally, on assoc or enpoint destruction, sctp_shared_key are being destroyed directly and the reference on sctp_auth_bytes dropped. User space can add keys to either list via setsockopt(2) through struct sctp_authkey and by passing that to sctp_auth_set_key() which replaces or adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes with refcount 1 and in case of replacement drops the reference on the old sctp_auth_bytes. A key can be set active from user space through setsockopt() on the id via sctp_auth_set_active_key(), which iterates through either endpoint_shared_keys and in case of an assoc, invokes (one of various places) sctp_auth_asoc_init_active_key(). sctp_auth_asoc_init_active_key() computes the actual secret from local's and peer's random, hmac and shared key parameters and returns a new key directly as sctp_auth_bytes, that is asoc-asoc_shared_key, plus drops the reference if there was a previous one. The secret, which where we
[PATCH 3.2 006/152] writeback: fix a subtle race condition in I_DIRTY clearing
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Tejun Heo t...@kernel.org commit 9c6ac78eb3521c5937b2dd8a7d1b300f41092f45 upstream. After invoking -dirty_inode(), __mark_inode_dirty() does smp_mb() and tests inode-i_state locklessly to see whether it already has all the necessary I_DIRTY bits set. The comment above the barrier doesn't contain any useful information - memory barriers can't ensure changes are seen by all cpus by itself. And it sure enough was broken. Please consider the following scenario. CPU 0 CPU 1 --- enters __writeback_single_inode() grabs inode-i_lock tests PAGECACHE_TAG_DIRTY which is clear enters __set_page_dirty() grabs mapping-tree_lock sets PAGECACHE_TAG_DIRTY releases mapping-tree_lock leaves __set_page_dirty() enters __mark_inode_dirty() smp_mb() sees I_DIRTY_PAGES set leaves __mark_inode_dirty() clears I_DIRTY_PAGES releases inode-i_lock Now @inode has dirty pages w/ I_DIRTY_PAGES clear. This doesn't seem to lead to an immediately critical problem because requeue_inode() later checks PAGECACHE_TAG_DIRTY instead of I_DIRTY_PAGES when deciding whether the inode needs to be requeued for IO and there are enough unintentional memory barriers inbetween, so while the inode ends up with inconsistent I_DIRTY_PAGES flag, it doesn't fall off the IO list. The lack of explicit barrier may also theoretically affect the other I_DIRTY bits which deal with metadata dirtiness. There is no guarantee that a strong enough barrier exists between I_DIRTY_[DATA]SYNC clearing and write_inode() writing out the dirtied inode. Filesystem inode writeout path likely has enough stuff which can behave as full barrier but it's theoretically possible that the writeout may not see all the updates from -dirty_inode(). Fix it by adding an explicit smp_mb() after I_DIRTY clearing. Note that I_DIRTY_PAGES needs a special treatment as it always needs to be cleared to be interlocked with the lockless test on __mark_inode_dirty() side. It's cleared unconditionally and reinstated after smp_mb() if the mapping still has dirty pages. Also add comments explaining how and why the barriers are paired. Lightly tested. Signed-off-by: Tejun Heo t...@kernel.org Cc: Jan Kara j...@suse.cz Cc: Mikulas Patocka mpato...@redhat.com Cc: Jens Axboe ax...@kernel.dk Cc: Al Viro v...@zeniv.linux.org.uk Reviewed-by: Jan Kara j...@suse.cz Signed-off-by: Jens Axboe ax...@fb.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- fs/fs-writeback.c | 29 ++--- 1 file changed, 22 insertions(+), 7 deletions(-) --- a/fs/fs-writeback.c +++ b/fs/fs-writeback.c @@ -418,12 +418,28 @@ writeback_single_inode(struct inode *ino * write_inode() */ spin_lock(inode-i_lock); - /* Clear I_DIRTY_PAGES if we've written out all dirty pages */ - if (!mapping_tagged(mapping, PAGECACHE_TAG_DIRTY)) - inode-i_state = ~I_DIRTY_PAGES; + dirty = inode-i_state I_DIRTY; - inode-i_state = ~(I_DIRTY_SYNC | I_DIRTY_DATASYNC); + inode-i_state = ~I_DIRTY; + + /* +* Paired with smp_mb() in __mark_inode_dirty(). This allows +* __mark_inode_dirty() to test i_state without grabbing i_lock - +* either they see the I_DIRTY bits cleared or we see the dirtied +* inode. +* +* I_DIRTY_PAGES is always cleared together above even if @mapping +* still has dirty pages. The flag is reinstated after smp_mb() if +* necessary. This guarantees that either __mark_inode_dirty() +* sees clear I_DIRTY_PAGES or we see PAGECACHE_TAG_DIRTY. +*/ + smp_mb(); + + if (mapping_tagged(mapping, PAGECACHE_TAG_DIRTY)) + inode-i_state |= I_DIRTY_PAGES; + spin_unlock(inode-i_lock); + /* Don't write the inode if only I_DIRTY_PAGES was set */ if (dirty (I_DIRTY_SYNC | I_DIRTY_DATASYNC)) { int err = write_inode(inode, wbc); @@ -1065,12 +1081,11 @@ void __mark_inode_dirty(struct inode *in } /* -* make sure that changes are seen by all cpus before we test i_state -* -- mikulas +* Paired with smp_mb() in __writeback_single_inode() for the +* following lockless i_state test. See there for details. */ smp_mb(); - /* avoid the locking if we can */ if ((inode-i_state flags) == flags) return; -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 3.2 131/152] drm/i915: Only fence tiled region of object.
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Bob Paauwe bob.j.paa...@intel.com commit af1a7301c7cf8912dca03065d448c4437c5c239f upstream. When creating a fence for a tiled object, only fence the area that makes up the actual tiles. The object may be larger than the tiled area and if we allow those extra addresses to be fenced, they'll get converted to addresses beyond where the object is mapped. This opens up the possiblity of writes beyond the end of object. To prevent this, we adjust the size of the fence to only encompass the area that makes up the actual tiles. The extra space is considered un-tiled and now behaves as if it was a linear object. Testcase: igt/gem_tiled_fence_overflow Reported-by: Dan Hettena d...@ghs.com Signed-off-by: Bob Paauwe bob.j.paa...@intel.com Reviewed-by: Daniel Vetter daniel.vet...@ffwll.ch Signed-off-by: Jani Nikula jani.nik...@intel.com [bwh: Backported to 3.2: - Adjust context, indentation - Apply to both i965_write_fence_reg() and sandybridge_write_fence_reg(), which have been combined into one function upstream] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/gpu/drm/i915/i915_gem.c | 7 +++ 1 file changed, 7 insertions(+) --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -2248,6 +2248,13 @@ static int sandybridge_write_fence_reg(s int regnum = obj-fence_reg; uint64_t val; + /* Adjust fence size to match tiled area */ + if (obj-tiling_mode != I915_TILING_NONE) { + uint32_t row_size = obj-stride * + (obj-tiling_mode == I915_TILING_Y ? 32 : 8); + size = (size / row_size) * row_size; + } + val = (uint64_t)((obj-gtt_offset + size - 4096) 0xf000) 32; val |= obj-gtt_offset 0xf000; @@ -2285,6 +2292,13 @@ static int i965_write_fence_reg(struct d int regnum = obj-fence_reg; uint64_t val; + /* Adjust fence size to match tiled area */ + if (obj-tiling_mode != I915_TILING_NONE) { + uint32_t row_size = obj-stride * + (obj-tiling_mode == I915_TILING_Y ? 32 : 8); + size = (size / row_size) * row_size; + } + val = (uint64_t)((obj-gtt_offset + size - 4096) 0xf000) 32; val |= obj-gtt_offset 0xf000; -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 137/152] Revert x86, 64bit, mm: Mark data/bss/brk to nx
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Ben Hutchings b...@decadent.org.uk This reverts commit e105c8187b7101e8a8a54ac0218c9d9c9463c636 which was commit 72212675d1c96f5db8ec6fb35701879911193158 upstream. This caused suspend/resume to stop working on at least some systems - specifically, the system would reboot when woken. Signed-off-by: Ben Hutchings b...@decadent.org.uk Cc: Steven Rostedt rost...@goodmis.org --- --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -778,7 +778,6 @@ void mark_rodata_ro(void) unsigned long text_end = PAGE_ALIGN((unsigned long) __stop___ex_table); unsigned long rodata_end = PAGE_ALIGN((unsigned long) __end_rodata); unsigned long data_start = (unsigned long) _sdata; - unsigned long all_end = PFN_ALIGN(_end); printk(KERN_INFO Write protecting the kernel read-only data: %luk\n, (end - start) 10); @@ -787,10 +786,10 @@ void mark_rodata_ro(void) kernel_set_to_readonly = 1; /* -* The rodata/data/bss/brk section (but not the kernel text!) -* should also be not-executable. +* The rodata section (but not the kernel text!) should also be +* not-executable. */ - set_memory_nx(rodata_start, (all_end - rodata_start) PAGE_SHIFT); + set_memory_nx(rodata_start, (end - rodata_start) PAGE_SHIFT); rodata_test(); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 002/152] [media] sound: simplify au0828 quirk table
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Mauro Carvalho Chehab mche...@osg.samsung.com commit 5d1f00a20d2d56ed480e64e938a2391353ee565b upstream. Add a macro to simplify au0828 quirk table. That makes easier to check it against the USB IDs at drivers/media/usb/au0828/au0828-cards.c. Signed-off-by: Mauro Carvalho Chehab mche...@osg.samsung.com [bwh: Backported to 3.2: - Adjust filename - Quirks were in a different order] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- --- a/drivers/media/video/au0828/au0828-cards.c +++ b/drivers/media/video/au0828/au0828-cards.c @@ -36,6 +36,11 @@ void hvr950q_cs5340_audio(void *priv, in au0828_clear(dev, REG_000, 0x10); } +/* + * WARNING: There's a quirks table at sound/usb/quirks-table.h + * that should also be updated every time a new device with V4L2 support + * is added here. + */ struct au0828_board au0828_boards[] = { [AU0828_BOARD_UNKNOWN] = { .name = Unknown board, --- a/sound/usb/quirks-table.h +++ b/sound/usb/quirks-table.h @@ -2540,133 +2540,37 @@ YAMAHA_DEVICE(0x7010, UB99), } }, -/* Hauppauge HVR-950Q and HVR-850 */ -{ - USB_DEVICE_VENDOR_SPEC(0x2040, 0x7200), - .match_flags = USB_DEVICE_ID_MATCH_DEVICE | - USB_DEVICE_ID_MATCH_INT_CLASS | - USB_DEVICE_ID_MATCH_INT_SUBCLASS, - .bInterfaceClass = USB_CLASS_AUDIO, - .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL, - .driver_info = (unsigned long) (const struct snd_usb_audio_quirk) { - .vendor_name = Hauppauge, - .product_name = HVR-950Q, - .ifnum = QUIRK_ANY_INTERFACE, - .type = QUIRK_AUDIO_ALIGN_TRANSFER, - } -}, -{ - USB_DEVICE_VENDOR_SPEC(0x2040, 0x7240), - .match_flags = USB_DEVICE_ID_MATCH_DEVICE | - USB_DEVICE_ID_MATCH_INT_CLASS | - USB_DEVICE_ID_MATCH_INT_SUBCLASS, - .bInterfaceClass = USB_CLASS_AUDIO, - .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL, - .driver_info = (unsigned long) (const struct snd_usb_audio_quirk) { - .vendor_name = Hauppauge, - .product_name = HVR-850, - .ifnum = QUIRK_ANY_INTERFACE, - .type = QUIRK_AUDIO_ALIGN_TRANSFER, - } -}, -{ - USB_DEVICE_VENDOR_SPEC(0x2040, 0x7210), - .match_flags = USB_DEVICE_ID_MATCH_DEVICE | - USB_DEVICE_ID_MATCH_INT_CLASS | - USB_DEVICE_ID_MATCH_INT_SUBCLASS, - .bInterfaceClass = USB_CLASS_AUDIO, - .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL, - .driver_info = (unsigned long) (const struct snd_usb_audio_quirk) { - .vendor_name = Hauppauge, - .product_name = HVR-950Q, - .ifnum = QUIRK_ANY_INTERFACE, - .type = QUIRK_AUDIO_ALIGN_TRANSFER, - } -}, -{ - USB_DEVICE_VENDOR_SPEC(0x2040, 0x7217), - .match_flags = USB_DEVICE_ID_MATCH_DEVICE | - USB_DEVICE_ID_MATCH_INT_CLASS | - USB_DEVICE_ID_MATCH_INT_SUBCLASS, - .bInterfaceClass = USB_CLASS_AUDIO, - .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL, - .driver_info = (unsigned long) (const struct snd_usb_audio_quirk) { - .vendor_name = Hauppauge, - .product_name = HVR-950Q, - .ifnum = QUIRK_ANY_INTERFACE, - .type = QUIRK_AUDIO_ALIGN_TRANSFER, - } -}, -{ - USB_DEVICE_VENDOR_SPEC(0x2040, 0x721b), - .match_flags = USB_DEVICE_ID_MATCH_DEVICE | - USB_DEVICE_ID_MATCH_INT_CLASS | - USB_DEVICE_ID_MATCH_INT_SUBCLASS, - .bInterfaceClass = USB_CLASS_AUDIO, - .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL, - .driver_info = (unsigned long) (const struct snd_usb_audio_quirk) { - .vendor_name = Hauppauge, - .product_name = HVR-950Q, - .ifnum = QUIRK_ANY_INTERFACE, - .type = QUIRK_AUDIO_ALIGN_TRANSFER, - } -}, -{ - USB_DEVICE_VENDOR_SPEC(0x2040, 0x721e), - .match_flags = USB_DEVICE_ID_MATCH_DEVICE | - USB_DEVICE_ID_MATCH_INT_CLASS | - USB_DEVICE_ID_MATCH_INT_SUBCLASS, - .bInterfaceClass = USB_CLASS_AUDIO, - .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL, - .driver_info = (unsigned long) (const struct snd_usb_audio_quirk) { - .vendor_name = Hauppauge, - .product_name = HVR-950Q, - .ifnum = QUIRK_ANY_INTERFACE, - .type = QUIRK_AUDIO_ALIGN_TRANSFER, - } -}, -{ - USB_DEVICE_VENDOR_SPEC(0x2040, 0x721f), - .match_flags = USB_DEVICE_ID_MATCH_DEVICE | - USB_DEVICE_ID_MATCH_INT_CLASS | - USB_DEVICE_ID_MATCH_INT_SUBCLASS, - .bInterfaceClass = USB_CLASS_AUDIO, -
[PATCH 3.2 143/152] netfilter: ipset: small potential read beyond the end of buffer
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Dan Carpenter dan.carpen...@oracle.com commit 2196937e12b1b4ba139806d132647e1651d655df upstream. We could be reading 8 bytes into a 4 byte buffer here. It seems harmless but adding a check is the right thing to do and it silences a static checker warning. Signed-off-by: Dan Carpenter dan.carpen...@oracle.com Acked-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- net/netfilter/ipset/ip_set_core.c | 6 ++ 1 file changed, 6 insertions(+) --- a/net/netfilter/ipset/ip_set_core.c +++ b/net/netfilter/ipset/ip_set_core.c @@ -1615,6 +1615,12 @@ ip_set_sockfn_get(struct sock *sk, int o if (*op IP_SET_OP_VERSION) { /* Check the version at the beginning of operations */ struct ip_set_req_version *req_version = data; + + if (*len sizeof(struct ip_set_req_version)) { + ret = -EINVAL; + goto done; + } + if (req_version-version != IPSET_PROTOCOL) { ret = -EPROTO; goto done; -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 136/152] Revert x86, mm: Set NX across entire PMD at boot
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Ben Hutchings b...@decadent.org.uk This reverts commit a5c187d92d2ce30315f333b9dff33af832e8b443 which was commit 45e2a9d4701d8c624d4a4bcdd1084eae31e92f58 upstream. The previous commit caused suspend/resume to stop working on at least some systems - specifically, the system would reboot when woken. Signed-off-by: Ben Hutchings b...@decadent.org.uk Cc: Steven Rostedt rost...@goodmis.org --- --- a/arch/x86/mm/init_64.c +++ b/arch/x86/mm/init_64.c @@ -778,7 +778,7 @@ void mark_rodata_ro(void) unsigned long text_end = PAGE_ALIGN((unsigned long) __stop___ex_table); unsigned long rodata_end = PAGE_ALIGN((unsigned long) __end_rodata); unsigned long data_start = (unsigned long) _sdata; - unsigned long all_end; + unsigned long all_end = PFN_ALIGN(_end); printk(KERN_INFO Write protecting the kernel read-only data: %luk\n, (end - start) 10); @@ -789,16 +789,7 @@ void mark_rodata_ro(void) /* * The rodata/data/bss/brk section (but not the kernel text!) * should also be not-executable. -* -* We align all_end to PMD_SIZE because the existing mapping -* is a full PMD. If we would align _brk_end to PAGE_SIZE we -* split the PMD and the reminder between _brk_end and the end -* of the PMD will remain mapped executable. -* -* Any PMD which was setup after the one which covers _brk_end -* has been zapped already via cleanup_highmem(). */ - all_end = roundup((unsigned long)_brk_end, PMD_SIZE); set_memory_nx(rodata_start, (all_end - rodata_start) PAGE_SHIFT); rodata_test(); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 33/35] tick: Make hrtimer broadcasting opt-in
On 02/16/2015 05:45 PM, Peter Zijlstra wrote: Reviewed-by: Preeti U Murthy pre...@linux.vnet.ibm.com -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH v2 0/7] New Lenovos 2015 touchpads: party time!
On Fri, Feb 6, 2015 at 3:04 PM, Benjamin Tissoires benjamin.tissoi...@redhat.com wrote: Hi, This is the second episode of the Lenovo 2015 party :) Thanks to Andrew, we now have an idea within the driver of what are the extra buttons aimed for, and the patch series looks cleaner. Many thanks for your help. I marked only patches 1/7, 2/7 and 3/7 as stable because they are really stable fixes. Without the rest of the series, user-space can cope with the kernel result, and so there is IMO no need to backport too many patches in stable. I bet distributions will cherry-pick the rest of the series however. Guys, any chances we consider this for 3.20 (or whatever it will be numbered)? I'd really like to see this accepted upstream in one way or one other so we will prevent the mess we had to deal with last year. Cheers, Benjamin Benjamin Tissoires (7): Input: synaptics - fix middle button on Lenovo 2015 products Input: synaptics - handle spurious release of trackstick buttons Input: synaptics - do not retrieve the board id on old firmwares Input: synaptics - retrieve the extended capabilities in query $10 Input: synaptics - remove TOPBUTTONPAD property for Lenovos 2015 Input: synaptics - re-route tracksticks buttons on the Lenovo 2015 series Input: synaptics - Remove X1 Carbon 3rd gen from the topbuttonpad list drivers/input/mouse/synaptics.c | 129 +--- drivers/input/mouse/synaptics.h | 28 + 2 files changed, 122 insertions(+), 35 deletions(-) -- 2.1.0 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 3.2 000/152] 3.2.67-rc1 review
On 02/16/2015 05:46 PM, Ben Hutchings wrote: This is the start of the stable review cycle for the 3.2.67 release. There are 152 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu Feb 19 02:00:00 UTC 2015. Anything received after that time might be too late. Build tests: total: 98 pass: 95 fail: 3 Failed builds: mips:allmodconfig xtensa:defconfig xtensa:allmodconfig Qemu tests: total: 20 pass: 20 fail: 0 Results are as expected. Detailed build results are available at http://server.roeck-us.net:8010/builders. Guenter -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH V4] tick/hotplug: Handover time related duties before cpu offline
On 02/17/2015 07:28 AM, Michael Ellerman wrote: On Sat, 2015-01-31 at 09:44 +0530, Preeti U Murthy wrote: These duties include do_timer to update jiffies and broadcast wakeups on those platforms which do not have an external device to handle wakeup of cpus from deep idle states. The handover of these duties is not robust against a cpu offline operation today. The do_timer duty is handed over in the CPU_DYING phase today to one of the online cpus. This relies on the fact that *all* cpus participate in stop_machine phase. But if this design is to change in the future, i.e. if all cpus are not required to participate in stop_machine, the freshly nominated do_timer cpu could be idle at the time of handover. In that case, unless its interrupted, it will not wakeup to update jiffies and timekeeping will hang. With regard to broadcast wakeups, today if the cpu handling broadcast of wakeups goes offline, the job of broadcasting is handed over to another cpu in the CPU_DEAD phase. The CPU_DEAD notifiers are run only after the offline cpu sets its state as CPU_DEAD. Meanwhile, the kthread doing the offline is scheduled out while waiting for this transition by queuing a timer. This is fatal because if the cpu on which this kthread was running has no other work queued on it, it can re-enter deep idle state, since it sees that a broadcast cpu still exists. However the broadcast wakeup will never come since the cpu which was handling it is offline, and the cpu on which the kthread doing the hotplug operation was running never wakes up to see this because its in deep idle state. Fix these issues by handing over the do_timer and broadcast wakeup duties just before the offline cpu kills itself, to the cpu performing the hotplug operation. Since the cpu performing the hotplug operation is up and running, it becomes aware of the handover of do_timer duty and queues the broadcast timer upon itself so as to seamlessly continue both these operations. It fixes the bug reported here: http://linuxppc.10917.n7.nabble.com/offlining-cpus-breakage-td88619.html Signed-off-by: Preeti U Murthy pre...@linux.vnet.ibm.com --- Changes from V3: https://lkml.org/lkml/2015/1/20/236 1. Move handover of broadcast duty away from CPU_DYING phase to just before the cpu kills itself. 2. Club the handover of timekeeping duty along with broadcast duty to make timekeeping robust against hotplug. Hi Preeti, This bug is still causing breakage for people on Power8 machines. Are we just waiting for Thomas to take the patch? Hi mpe, Thomas has included the patch for fixing this issue in a recent patchset that he posted for cleaning up tick/clockevents related code. https://lkml.org/lkml/2015/2/16/213. I think it will go into this merge-window. There are a couple of issues there, once that is fixed I will remind him to mark it for stable. Regards Preeti U Murthy cheers ___ Linuxppc-dev mailing list linuxppc-...@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
linux-next: Tree for Feb 17
Hi all, Please do not add any material destined for v3.21 to your linux-next included trees until after v3.20-rc1 has been released. Changes since 20150216: The slave-dma tree lost its build failure. Non-merge commits (relative to Linus' tree): 2980 2871 files changed, 124415 insertions(+), 70264 deletions(-) I have created today's linux-next tree at git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git (patches at http://www.kernel.org/pub/linux/kernel/next/ ). If you are tracking the linux-next tree using git, you should not use git pull to do so as that will try to merge the new linux-next release with the old one. You should use git fetch and checkout or reset to the new master. You can see which trees have been included by looking in the Next/Trees file in the source. There are also quilt-import.log and merge.log files in the Next directory. Between each merge, the tree was built with a ppc64_defconfig for powerpc and an allmodconfig for x86_64 and a multi_v7_defconfig for arm. After the final fixups (if any), it is also built with powerpc allnoconfig (32 and 64 bit), ppc44x_defconfig and allyesconfig (this fails its final link) and i386, sparc, sparc64 and arm defconfig. Below is a summary of the state of the merge. I am currently merging 206 trees (counting Linus' and 30 trees of patches pending for Linus' tree). Stats about the size of the tree over time can be seen at http://neuling.org/linux-next-size.html . Status of my local build tests will be at http://kisskb.ellerman.id.au/linux-next . If maintainers want to give advice about cross compilers/configs that work, we are always open to add more builds. Thanks to Randy Dunlap for doing many randconfig builds. And to Paul Gortmaker for triage and bug fixes. -- Cheers, Stephen Rothwells...@canb.auug.org.au $ git checkout master $ git reset --hard stable Merging origin/master (1fa185ebcbce Merge tag 'cris-for-3.20' of git://git.kernel.org/pub/scm/linux/kernel/git/jesper/cris) Merging fixes/master (b94d525e58dc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net) Merging kbuild-current/rc-fixes (a16c5f99a28c kbuild: Fix removal of the debian/ directory) Merging arc-current/for-curr (2ce7598c9a45 Linux 3.17-rc4) Merging arm-current/fixes (8e6480667246 ARM: 8299/1: mm: ensure local active ASID is marked as allocated on rollover) Merging m68k-current/for-linus (4436820a98cd m68k/defconfig: Enable Ethernet bridging) Merging metag-fixes/fixes (ffe6902b66aa asm-generic: remove _STK_LIM_MAX) Merging mips-fixes/mips-fixes (1795cd9b3a91 Linux 3.16-rc5) Merging powerpc-merge/merge (31345e1a071e powerpc/pci: Remove unused force_32bit_msi quirk) Merging powerpc-merge-mpe/fixes (c59c961ca511 Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux) Merging sparc/master (66d0f7ec9f10 sparc32: destroy_context() and switch_mm() needs to disable interrupts.) Merging net/master (7afb8886a05b rtnetlink: call -dellink on failure when -newlink exists) Merging ipsec/master (ac37e2515c1a xfrm: release dst_orig in case of error in xfrm_lookup()) Merging sound-current/for-linus (93ceaa303b29 ALSA: hda/tegra check correct return value from ioremap_resource) Merging pci-current/for-linus (feb28979c137 of/pci: Remove duplicate kfree in of_pci_get_host_bridge_resources()) Merging wireless-drivers/master (aeb2d2a4c0ae rtlwifi: Remove logging statement that is no longer needed) Merging driver-core.current/driver-core-linus (26bc420b59a3 Linux 3.19-rc6) Merging tty.current/tty-linus (ec6f34e5b552 Linux 3.19-rc5) Merging usb.current/usb-linus (e36f014edff7 Linux 3.19-rc7) Merging usb-gadget-fixes/fixes (0df8fc37f6e4 usb: phy: never defer probe in non-OF case) Merging usb-serial-fixes/usb-linus (a6f0331236fa USB: cp210x: add ID for RUGGEDCOM USB Serial Console) Merging staging.current/staging-linus (e36f014edff7 Linux 3.19-rc7) Merging char-misc.current/char-misc-linus (e36f014edff7 Linux 3.19-rc7) Merging input-current/for-linus (4ba24fef3eb3 Merge branch 'next' into for-linus) Merging crypto-current/master (96692a7305c4 crypto: tcrypt - do not allocate iv on stack for aead speed tests) Merging ide/master (f96fe225677b Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net) Merging devicetree-current/devicetree/merge (6b1271de3723 of/unittest: Overlays with sub-devices tests) Merging rr-fixes/fixes (dc4515ea26d6 scsi: always increment reference count) Merging vfio-fixes/for-linus (7c2e211f3c95 vfio-pci: Fix the check on pci device type in vfio_pci_probe()) Merging kselftest-fixes/fixes (f5db310d77ef selftests/vm: fix link error for transhuge-stress test) Merging drm-intel-fixes/for-linux-next-fixes (bfa76d495765 Linux 3.19) Merging asm-generic/master (643165c8bbc8 Merge tag 'uaccess_for_upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost into asm-generic) CONFLICT (content): Merge
[PATCH 3.2 072/152] udf: Check component length before reading it
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Jan Kara j...@suse.cz commit e237ec37ec154564f8690c5bd1795339955eeef9 upstream. Check that length specified in a component of a symlink fits in the input buffer we are reading. Also properly ignore component length for component types that do not use it. Otherwise we read memory after end of buffer for corrupted udf image. Reported-by: Carl Henrik Lunde chlu...@ping.uio.no Signed-off-by: Jan Kara j...@suse.cz Signed-off-by: Ben Hutchings b...@decadent.org.uk --- fs/udf/symlink.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) --- a/fs/udf/symlink.c +++ b/fs/udf/symlink.c @@ -42,14 +42,17 @@ static int udf_pc_to_char(struct super_b tolen--; while (elen fromlen) { pc = (struct pathComponent *)(from + elen); + elen += sizeof(struct pathComponent); switch (pc-componentType) { case 1: /* * Symlink points to some place which should be agreed * upon between originator and receiver of the media. Ignore. */ - if (pc-lengthComponentIdent 0) + if (pc-lengthComponentIdent 0) { + elen += pc-lengthComponentIdent; break; + } /* Fall through */ case 2: if (tolen == 0) @@ -74,6 +77,9 @@ static int udf_pc_to_char(struct super_b /* that would be . - just ignore */ break; case 5: + elen += pc-lengthComponentIdent; + if (elen fromlen) + return -EIO; comp_len = udf_get_filename(sb, pc-componentIdent, pc-lengthComponentIdent, p, tolen); @@ -85,7 +91,6 @@ static int udf_pc_to_char(struct super_b tolen--; break; } - elen += sizeof(struct pathComponent) + pc-lengthComponentIdent; } if (p to + 1) p[-1] = '\0'; -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 094/152] mm: prevent endless growth of anon_vma hierarchy
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Konstantin Khlebnikov koc...@gmail.com commit 7a3ef208e662f4b63d43a23f61a64a129c525bbc upstream. Constantly forking task causes unlimited grow of anon_vma chain. Each next child allocates new level of anon_vmas and links vma to all previous levels because pages might be inherited from any level. This patch adds heuristic which decides to reuse existing anon_vma instead of forking new one. It adds counter anon_vma-degree which counts linked vmas and directly descending anon_vmas and reuses anon_vma if counter is lower than two. As a result each anon_vma has either vma or at least two descending anon_vmas. In such trees half of nodes are leafs with alive vmas, thus count of anon_vmas is no more than two times bigger than count of vmas. This heuristic reuses anon_vmas as few as possible because each reuse adds false aliasing among vmas and rmap walker ought to scan more ptes when it searches where page is might be mapped. Link: http://lkml.kernel.org/r/20120816024610.ga5...@evergreen.ssec.wisc.edu Fixes: 5beb49305251 (mm: change anon_vma linking to fix multi-process server scalability issue) [a...@linux-foundation.org: fix typo, per Rik] Signed-off-by: Konstantin Khlebnikov koc...@gmail.com Reported-by: Daniel Forrest dan.forr...@ssec.wisc.edu Tested-by: Michal Hocko mho...@suse.cz Tested-by: Jerome Marchand jmarc...@redhat.com Reviewed-by: Michal Hocko mho...@suse.cz Reviewed-by: Rik van Riel r...@redhat.com Signed-off-by: Andrew Morton a...@linux-foundation.org Signed-off-by: Linus Torvalds torva...@linux-foundation.org [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- include/linux/rmap.h | 10 ++ mm/rmap.c| 42 +- 2 files changed, 51 insertions(+), 1 deletion(-) --- a/include/linux/rmap.h +++ b/include/linux/rmap.h @@ -37,6 +37,16 @@ struct anon_vma { atomic_t refcount; /* +* Count of child anon_vmas and VMAs which points to this anon_vma. +* +* This counter is used for making decision about reusing anon_vma +* instead of forking new one. See comments in function anon_vma_clone. +*/ + unsigned degree; + + struct anon_vma *parent;/* Parent of this anon_vma */ + + /* * NOTE: the LSB of the head.next is set by * mm_take_all_locks() _after_ taking the above lock. So the * head must only be read/written after taking the above lock --- a/mm/rmap.c +++ b/mm/rmap.c @@ -72,6 +72,8 @@ static inline struct anon_vma *anon_vma_ anon_vma = kmem_cache_alloc(anon_vma_cachep, GFP_KERNEL); if (anon_vma) { atomic_set(anon_vma-refcount, 1); + anon_vma-degree = 1; /* Reference for first vma */ + anon_vma-parent = anon_vma; /* * Initialise the anon_vma root to point to itself. If called * from fork, the root will be reset to the parents anon_vma. @@ -181,6 +183,8 @@ int anon_vma_prepare(struct vm_area_stru avc-vma = vma; list_add(avc-same_vma, vma-anon_vma_chain); list_add_tail(avc-same_anon_vma, anon_vma-head); + /* vma reference or self-parent link for new root */ + anon_vma-degree++; allocated = NULL; avc = NULL; } @@ -244,6 +248,14 @@ static void anon_vma_chain_link(struct v /* * Attach the anon_vmas from src to dst. * Returns 0 on success, -ENOMEM on failure. + * + * If dst-anon_vma is NULL this function tries to find and reuse existing + * anon_vma which has no vmas and only one child anon_vma. This prevents + * degradation of anon_vma hierarchy to endless linear chain in case of + * constantly forking task. On the other hand, an anon_vma with more than one + * child isn't reused even if there was no alive vma, thus rmap walker has a + * good chance of avoiding scanning the whole hierarchy when it searches where + * page is mapped. */ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src) { @@ -264,7 +276,21 @@ int anon_vma_clone(struct vm_area_struct anon_vma = pavc-anon_vma; root = lock_anon_vma_root(root, anon_vma); anon_vma_chain_link(dst, avc, anon_vma); + + /* +* Reuse existing anon_vma if its degree lower than two, +* that means it has no vma and only one anon_vma child. +* +* Do not chose parent anon_vma, otherwise first child +* will always reuse it. Root anon_vma is never reused: +* it has self-parent reference and at least one child. +*/ + if (!dst-anon_vma anon_vma != src-anon_vma +
[PATCH 3.2 096/152] mm: protect set_page_dirty() from ongoing truncation
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Johannes Weiner han...@cmpxchg.org commit 2d6d7f98284648c5ed113fe22a132148950b140f upstream. Tejun, while reviewing the code, spotted the following race condition between the dirtying and truncation of a page: __set_page_dirty_nobuffers() __delete_from_page_cache() if (TestSetPageDirty(page)) page-mapping = NULL if (PageDirty()) dec_zone_page_state(page, NR_FILE_DIRTY); dec_bdi_stat(mapping-backing_dev_info, BDI_RECLAIMABLE); if (page-mapping) account_page_dirtied(page) __inc_zone_page_state(page, NR_FILE_DIRTY); __inc_bdi_stat(mapping-backing_dev_info, BDI_RECLAIMABLE); which results in an imbalance of NR_FILE_DIRTY and BDI_RECLAIMABLE. Dirtiers usually lock out truncation, either by holding the page lock directly, or in case of zap_pte_range(), by pinning the mapcount with the page table lock held. The notable exception to this rule, though, is do_wp_page(), for which this race exists. However, do_wp_page() already waits for a locked page to unlock before setting the dirty bit, in order to prevent a race where clear_page_dirty() misses the page bit in the presence of dirty ptes. Upgrade that wait to a fully locked set_page_dirty() to also cover the situation explained above. Afterwards, the code in set_page_dirty() dealing with a truncation race is no longer needed. Remove it. Reported-by: Tejun Heo t...@kernel.org Signed-off-by: Johannes Weiner han...@cmpxchg.org Acked-by: Kirill A. Shutemov kirill.shute...@linux.intel.com Reviewed-by: Jan Kara j...@suse.cz Signed-off-by: Andrew Morton a...@linux-foundation.org Signed-off-by: Linus Torvalds torva...@linux-foundation.org [bwh: Backported to 3.2: - Adjust context - Use VM_BUG_ON() rather than VM_BUG_ON_PAGE()] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- include/linux/writeback.h | 1 - mm/memory.c | 27 +-- mm/page-writeback.c | 43 --- 3 files changed, 29 insertions(+), 42 deletions(-) --- a/include/linux/writeback.h +++ b/include/linux/writeback.h @@ -190,7 +190,6 @@ int write_cache_pages(struct address_spa struct writeback_control *wbc, writepage_t writepage, void *data); int do_writepages(struct address_space *mapping, struct writeback_control *wbc); -void set_page_dirty_balance(struct page *page); void writeback_set_ratelimit(void); void tag_pages_for_writeback(struct address_space *mapping, pgoff_t start, pgoff_t end); --- a/mm/memory.c +++ b/mm/memory.c @@ -2661,17 +2661,24 @@ reuse: if (!dirty_page) return ret; - /* -* Yes, Virginia, this is actually required to prevent a race -* with clear_page_dirty_for_io() from clearing the page dirty -* bit after it clear all dirty ptes, but before a racing -* do_wp_page installs a dirty pte. -* -* __do_fault is protected similarly. -*/ if (!page_mkwrite) { - wait_on_page_locked(dirty_page); - set_page_dirty_balance(dirty_page); + struct address_space *mapping; + int dirtied; + + lock_page(dirty_page); + dirtied = set_page_dirty(dirty_page); + VM_BUG_ON(PageAnon(dirty_page)); + mapping = dirty_page-mapping; + unlock_page(dirty_page); + + if (dirtied mapping) { + /* +* Some device drivers do not set page.mapping +* but still dirty their pages +*/ + balance_dirty_pages_ratelimited(mapping); + } + } put_page(dirty_page); if (page_mkwrite) { --- a/mm/page-writeback.c +++ b/mm/page-writeback.c @@ -1202,16 +1202,6 @@ pause: bdi_start_background_writeback(bdi); } -void set_page_dirty_balance(struct page *page) -{ - if (set_page_dirty(page)) { - struct address_space *mapping = page_mapping(page); - - if (mapping) - balance_dirty_pages_ratelimited(mapping); - } -} - static DEFINE_PER_CPU(int, bdp_ratelimits); /** @@ -1764,32 +1754,25 @@ EXPORT_SYMBOL(account_page_writeback); * page dirty in that case, but not all the buffers. This is a bottom-up * dirtying, whereas __set_page_dirty_buffers() is a top-down dirtying. * - * Most callers have
[PATCH 0/4] hw_random: bcm63xx-rng: misc cleanups and reorg
Hi, This patchset prepares the driver to be built on non-MIPS bcm63xx architectures such as the ARM bcm63xx variants, thanks! Although patch 3 touches a MIPS header file, there should be little to no conflicts there if all patches went through the hw_random tree (is there one?) Thanks! Florian Fainelli (4): hw_random: bcm63xx-rng: drop bcm_{readl,writel} macros hw_random: bcm63xx-rng: move register definitions to driver MIPS: BCM63xx: remove RSET_RNG register definitions hw_random: bcm63xx-rng: use devm_* helpers arch/mips/include/asm/mach-bcm63xx/bcm63xx_regs.h | 14 drivers/char/hw_random/bcm63xx-rng.c | 43 +++ 2 files changed, 21 insertions(+), 36 deletions(-) -- 2.1.0 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 085/152] USB: cp210x: add IDs for CEL USB sticks and MeshWorks devices
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: David Peterson david.peter...@cel.com commit 1ae78a4870989a354028cb17dabf819b595e70e3 upstream. Added virtual com port VID/PID entries for CEL USB sticks and MeshWorks devices. Signed-off-by: David Peterson david.peter...@cel.com Signed-off-by: Johan Hovold jo...@kernel.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/usb/serial/cp210x.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/usb/serial/cp210x.c +++ b/drivers/usb/serial/cp210x.c @@ -126,10 +126,12 @@ static const struct usb_device_id id_tab { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */ { USB_DEVICE(0x10C4, 0x8664) }, /* AC-Services CAN-IF */ { USB_DEVICE(0x10C4, 0x8665) }, /* AC-Services OBD-IF */ - { USB_DEVICE(0x10C4, 0x8857) }, /* CEL MeshConnect USB Stick */ + { USB_DEVICE(0x10C4, 0x8856) }, /* CEL EM357 ZigBee USB Stick - LR */ + { USB_DEVICE(0x10C4, 0x8857) }, /* CEL EM357 ZigBee USB Stick */ { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */ { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */ { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */ + { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */ { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */ { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */ { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */ -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 149/152] splice: Apply generic position and size checks to each write
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Ben Hutchings b...@decadent.org.uk We need to check the position and size of file writes against various limits, using generic_write_check(). This was not being done for the splice write path. It was fixed upstream by commit 8d0207652cbe (-splice_write() via -write_iter()) but we can't apply that. CVE-2014-7822 Signed-off-by: Ben Hutchings b...@decadent.org.uk --- fs/ocfs2/file.c | 8 ++-- fs/splice.c | 8 ++-- 2 files changed, 12 insertions(+), 4 deletions(-) --- a/fs/ocfs2/file.c +++ b/fs/ocfs2/file.c @@ -2468,9 +2468,7 @@ static ssize_t ocfs2_file_splice_write(s struct address_space *mapping = out-f_mapping; struct inode *inode = mapping-host; struct splice_desc sd = { - .total_len = len, .flags = flags, - .pos = *ppos, .u.file = out, }; @@ -2480,6 +2478,12 @@ static ssize_t ocfs2_file_splice_write(s out-f_path.dentry-d_name.len, out-f_path.dentry-d_name.name, len); + ret = generic_write_checks(out, ppos, len, 0); + if (ret) + return ret; + sd.total_len = len; + sd.pos = *ppos; + if (pipe-inode) mutex_lock_nested(pipe-inode-i_mutex, I_MUTEX_PARENT); --- a/fs/splice.c +++ b/fs/splice.c @@ -1013,13 +1013,17 @@ generic_file_splice_write(struct pipe_in struct address_space *mapping = out-f_mapping; struct inode *inode = mapping-host; struct splice_desc sd = { - .total_len = len, .flags = flags, - .pos = *ppos, .u.file = out, }; ssize_t ret; + ret = generic_write_checks(out, ppos, len, S_ISBLK(inode-i_mode)); + if (ret) + return ret; + sd.total_len = len; + sd.pos = *ppos; + pipe_lock(pipe); splice_from_pipe_begin(sd); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 098/152] OHCI: add a quirk for ULi M5237 blocking on reset
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Arseny Solokha asolo...@kb.kras.ru commit 56abcab833fafcfaeb2f5b25e0364c1dec45f53e upstream. Commit 8dccddbc2368 (OHCI: final fix for NVIDIA problems (I hope)) introduced into 3.1.9 broke boot on e.g. Freescale P2020DS development board. The code path that was previously specific to NVIDIA controllers had then become taken for all chips. However, the M5237 installed on the board wedges solid when accessing its base+OHCI_FMINTERVAL register, making it impossible to boot any kernel newer than 3.1.8 on this particular and apparently other similar machines. Don't readl() and writel() base+OHCI_FMINTERVAL on PCI ID 10b9:5237. The patch is suitable for the -next tree as well as all maintained kernels up to 3.2 inclusive. Signed-off-by: Arseny Solokha asolo...@kb.kras.ru Acked-by: Alan Stern st...@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman gre...@linuxfoundation.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/usb/host/pci-quirks.c | 18 +++--- 1 file changed, 15 insertions(+), 3 deletions(-) --- a/drivers/usb/host/pci-quirks.c +++ b/drivers/usb/host/pci-quirks.c @@ -470,7 +470,8 @@ static void __devinit quirk_usb_handoff_ { void __iomem *base; u32 control; - u32 fminterval; + u32 fminterval = 0; + bool no_fminterval = false; int cnt; if (!mmio_resource_enabled(pdev, 0)) @@ -480,6 +481,13 @@ static void __devinit quirk_usb_handoff_ if (base == NULL) return; + /* +* ULi M5237 OHCI controller locks the whole system when accessing +* the OHCI_FMINTERVAL offset. +*/ + if (pdev-vendor == PCI_VENDOR_ID_AL pdev-device == 0x5237) + no_fminterval = true; + control = readl(base + OHCI_CONTROL); /* On PA-RISC, PDC can leave IR set incorrectly; ignore it there. */ @@ -518,7 +526,9 @@ static void __devinit quirk_usb_handoff_ } /* software reset of the controller, preserving HcFmInterval */ - fminterval = readl(base + OHCI_FMINTERVAL); + if (!no_fminterval) + fminterval = readl(base + OHCI_FMINTERVAL); + writel(OHCI_HCR, base + OHCI_CMDSTATUS); /* reset requires max 10 us delay */ @@ -527,7 +537,9 @@ static void __devinit quirk_usb_handoff_ break; udelay(1); } - writel(fminterval, base + OHCI_FMINTERVAL); + + if (!no_fminterval) + writel(fminterval, base + OHCI_FMINTERVAL); /* Now the controller is safely in SUSPEND and nothing can wake it up */ iounmap(base); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3/4] MIPS: BCM63xx: remove RSET_RNG register definitions
Now that these definitions have been moved to drivers/char/hw_random/bcm63xx-rng.c where they belong to make the driver standalone, we can safely remove these definitions from bcm63xx_regs.h. Signed-off-by: Florian Fainelli f.faine...@gmail.com --- arch/mips/include/asm/mach-bcm63xx/bcm63xx_regs.h | 14 -- 1 file changed, 14 deletions(-) diff --git a/arch/mips/include/asm/mach-bcm63xx/bcm63xx_regs.h b/arch/mips/include/asm/mach-bcm63xx/bcm63xx_regs.h index 4794067cb5a7..5035f09c5427 100644 --- a/arch/mips/include/asm/mach-bcm63xx/bcm63xx_regs.h +++ b/arch/mips/include/asm/mach-bcm63xx/bcm63xx_regs.h @@ -1259,20 +1259,6 @@ #define M2M_DSTID_REG(x) ((x) * 0x40 + 0x18) /* - * _REG relative to RSET_RNG - */ - -#define RNG_CTRL 0x00 -#define RNG_EN (1 0) - -#define RNG_STAT 0x04 -#define RNG_AVAIL_MASK (0xff00) - -#define RNG_DATA 0x08 -#define RNG_THRES 0x0c -#define RNG_MASK 0x10 - -/* * _REG relative to RSET_SPI */ -- 2.1.0 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 1/4] hw_random: bcm63xx-rng: drop bcm_{readl,writel} macros
bcm_{readl,writel} macros expand to __raw_{readl,writel}, use these directly such that we do not rely on the platform to provide these for us. As a result, we no longer use bcm63xx_io.h, so remove that inclusion too. Signed-off-by: Florian Fainelli f.faine...@gmail.com --- drivers/char/hw_random/bcm63xx-rng.c | 13 ++--- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/drivers/char/hw_random/bcm63xx-rng.c b/drivers/char/hw_random/bcm63xx-rng.c index ba6a65ac023b..ed9b28b35a39 100644 --- a/drivers/char/hw_random/bcm63xx-rng.c +++ b/drivers/char/hw_random/bcm63xx-rng.c @@ -13,7 +13,6 @@ #include linux/platform_device.h #include linux/hw_random.h -#include bcm63xx_io.h #include bcm63xx_regs.h struct bcm63xx_rng_priv { @@ -28,9 +27,9 @@ static int bcm63xx_rng_init(struct hwrng *rng) struct bcm63xx_rng_priv *priv = to_rng_priv(rng); u32 val; - val = bcm_readl(priv-regs + RNG_CTRL); + val = __raw_readl(priv-regs + RNG_CTRL); val |= RNG_EN; - bcm_writel(val, priv-regs + RNG_CTRL); + __raw_writel(val, priv-regs + RNG_CTRL); return 0; } @@ -40,23 +39,23 @@ static void bcm63xx_rng_cleanup(struct hwrng *rng) struct bcm63xx_rng_priv *priv = to_rng_priv(rng); u32 val; - val = bcm_readl(priv-regs + RNG_CTRL); + val = __raw_readl(priv-regs + RNG_CTRL); val = ~RNG_EN; - bcm_writel(val, priv-regs + RNG_CTRL); + __raw_writel(val, priv-regs + RNG_CTRL); } static int bcm63xx_rng_data_present(struct hwrng *rng, int wait) { struct bcm63xx_rng_priv *priv = to_rng_priv(rng); - return bcm_readl(priv-regs + RNG_STAT) RNG_AVAIL_MASK; + return __raw_readl(priv-regs + RNG_STAT) RNG_AVAIL_MASK; } static int bcm63xx_rng_data_read(struct hwrng *rng, u32 *data) { struct bcm63xx_rng_priv *priv = to_rng_priv(rng); - *data = bcm_readl(priv-regs + RNG_DATA); + *data = __raw_readl(priv-regs + RNG_DATA); return 4; } -- 2.1.0 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 4/4] hw_random: bcm63xx-rng: use devm_* helpers
Simplify the driver's probe function and error handling by using the device managed allocators, while at it, drop the redundant out of memory messages since these are already printed by the allocator. Signed-off-by: Florian Fainelli f.faine...@gmail.com --- drivers/char/hw_random/bcm63xx-rng.c | 20 ++-- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/drivers/char/hw_random/bcm63xx-rng.c b/drivers/char/hw_random/bcm63xx-rng.c index c7f3af852599..27da00f68c8f 100644 --- a/drivers/char/hw_random/bcm63xx-rng.c +++ b/drivers/char/hw_random/bcm63xx-rng.c @@ -83,18 +83,16 @@ static int bcm63xx_rng_probe(struct platform_device *pdev) goto out; } - priv = kzalloc(sizeof(*priv), GFP_KERNEL); + priv = devm_kzalloc(pdev-dev, sizeof(*priv), GFP_KERNEL); if (!priv) { - dev_err(pdev-dev, no memory for private structure\n); ret = -ENOMEM; goto out; } - rng = kzalloc(sizeof(*rng), GFP_KERNEL); + rng = devm_kzalloc(pdev-dev, sizeof(*rng), GFP_KERNEL); if (!rng) { - dev_err(pdev-dev, no memory for rng structure\n); ret = -ENOMEM; - goto out_free_priv; + goto out; } platform_set_drvdata(pdev, rng); @@ -109,7 +107,7 @@ static int bcm63xx_rng_probe(struct platform_device *pdev) if (IS_ERR(clk)) { dev_err(pdev-dev, no clock for device\n); ret = PTR_ERR(clk); - goto out_free_rng; + goto out; } priv-clk = clk; @@ -118,7 +116,7 @@ static int bcm63xx_rng_probe(struct platform_device *pdev) resource_size(r), pdev-name)) { dev_err(pdev-dev, request mem failed); ret = -ENOMEM; - goto out_free_rng; + goto out; } priv-regs = devm_ioremap_nocache(pdev-dev, r-start, @@ -126,7 +124,7 @@ static int bcm63xx_rng_probe(struct platform_device *pdev) if (!priv-regs) { dev_err(pdev-dev, ioremap failed); ret = -ENOMEM; - goto out_free_rng; + goto out; } clk_enable(clk); @@ -143,10 +141,6 @@ static int bcm63xx_rng_probe(struct platform_device *pdev) out_clk_disable: clk_disable(clk); -out_free_rng: - kfree(rng); -out_free_priv: - kfree(priv); out: return ret; } @@ -158,8 +152,6 @@ static int bcm63xx_rng_remove(struct platform_device *pdev) hwrng_unregister(rng); clk_disable(priv-clk); - kfree(priv); - kfree(rng); return 0; } -- 2.1.0 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 2/4] hw_random: bcm63xx-rng: move register definitions to driver
arch/mips/include/asm/mach-bcm63xx/bcm63xx_regs.h contains the register definitions for this random number generator block, incorporate these register definitions directly into the bcm63xx-rng driver so we do not rely on this header to be provided. Signed-off-by: Florian Fainelli f.faine...@gmail.com --- drivers/char/hw_random/bcm63xx-rng.c | 10 +- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/char/hw_random/bcm63xx-rng.c b/drivers/char/hw_random/bcm63xx-rng.c index ed9b28b35a39..c7f3af852599 100644 --- a/drivers/char/hw_random/bcm63xx-rng.c +++ b/drivers/char/hw_random/bcm63xx-rng.c @@ -13,7 +13,15 @@ #include linux/platform_device.h #include linux/hw_random.h -#include bcm63xx_regs.h +#define RNG_CTRL 0x00 +#define RNG_EN (1 0) + +#define RNG_STAT 0x04 +#define RNG_AVAIL_MASK (0xff00) + +#define RNG_DATA 0x08 +#define RNG_THRES 0x0c +#define RNG_MASK 0x10 struct bcm63xx_rng_priv { struct clk *clk; -- 2.1.0 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 055/152] x86_64, switch_to(): Load TLS descriptors before switching DS and ES
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Andy Lutomirski l...@amacapital.net commit f647d7c155f069c1a068030255c300663516420e upstream. Otherwise, if buggy user code points DS or ES into the TLS array, they would be corrupted after a context switch. This also significantly improves the comments and documents some gotchas in the code. Before this patch, the both tests below failed. With this patch, the es test passes, although the gsbase test still fails. - begin es test - /* * Copyright (c) 2014 Andy Lutomirski * GPL v2 */ static unsigned short GDT3(int idx) { return (idx 3) | 3; } static int create_tls(int idx, unsigned int base) { struct user_desc desc = { .entry_number= idx, .base_addr = base, .limit = 0xf, .seg_32bit = 1, .contents= 0, /* Data, grow-up */ .read_exec_only = 0, .limit_in_pages = 1, .seg_not_present = 0, .useable = 0, }; if (syscall(SYS_set_thread_area, desc) != 0) err(1, set_thread_area); return desc.entry_number; } int main() { int idx = create_tls(-1, 0); printf(Allocated GDT index %d\n, idx); unsigned short orig_es; asm volatile (mov %%es,%0 : =rm (orig_es)); int errors = 0; int total = 1000; for (int i = 0; i total; i++) { asm volatile (mov %0,%%es : : rm (GDT3(idx))); usleep(100); unsigned short es; asm volatile (mov %%es,%0 : =rm (es)); asm volatile (mov %0,%%es : : rm (orig_es)); if (es != GDT3(idx)) { if (errors == 0) printf([FAIL]\tES changed from 0x%hx to 0x%hx\n, GDT3(idx), es); errors++; } } if (errors) { printf([FAIL]\tES was corrupted %d/%d times\n, errors, total); return 1; } else { printf([OK]\tES was preserved\n); return 0; } } - end es test - - begin gsbase test - /* * gsbase.c, a gsbase test * Copyright (c) 2014 Andy Lutomirski * GPL v2 */ static unsigned char *testptr, *testptr2; static unsigned char read_gs_testvals(void) { unsigned char ret; asm volatile (movb %%gs:%1, %0 : =r (ret) : m (*testptr)); return ret; } int main() { int errors = 0; testptr = mmap((void *)0x2UL, 1, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, -1, 0); if (testptr == MAP_FAILED) err(1, mmap); testptr2 = mmap((void *)0x3UL, 1, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, -1, 0); if (testptr2 == MAP_FAILED) err(1, mmap); *testptr = 0; *testptr2 = 1; if (syscall(SYS_arch_prctl, ARCH_SET_GS, (unsigned long)testptr2 - (unsigned long)testptr) != 0) err(1, ARCH_SET_GS); usleep(100); if (read_gs_testvals() == 1) { printf([OK]\tARCH_SET_GS worked\n); } else { printf([FAIL]\tARCH_SET_GS failed\n); errors++; } asm volatile (mov %0,%%gs : : r (0)); if (read_gs_testvals() == 0) { printf([OK]\tWriting 0 to gs worked\n); } else { printf([FAIL]\tWriting 0 to gs failed\n); errors++; } usleep(100); if (read_gs_testvals() == 0) { printf([OK]\tgsbase is still zero\n); } else { printf([FAIL]\tgsbase was corrupted\n); errors++; } return errors == 0 ? 0 : 1; } - end gsbase test - Signed-off-by: Andy Lutomirski l...@amacapital.net Cc: Andi Kleen a...@firstfloor.org Cc: Linus Torvalds torva...@linux-foundation.org Link: http://lkml.kernel.org/r/509d27c9fec78217691c3dad91cec87e1006b34a.1418075657.git.l...@amacapital.net Signed-off-by: Ingo Molnar mi...@kernel.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- arch/x86/kernel/process_64.c | 101 +++ 1 file changed, 73 insertions(+), 28 deletions(-) --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -385,24 +385,9 @@ __switch_to(struct task_struct *prev_p, fpu = switch_fpu_prepare(prev_p, next_p); - /* -* Reload esp0, LDT and the page table pointer: -*/ + /* Reload esp0 and ss1. */ load_sp0(tss, next); - /* -* Switch DS and ES. -* This won't pick up thread selector changes,
[PATCH 3.2 056/152] mac80211: fix multicast LED blinking and counter
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Andreas Müller g...@stapelspeicher.org commit d025933e29872cb1fe19fc54d80e4dfa4ee5779c upstream. As multicast-frames can't be fragmented, dot11MulticastReceivedFrameCount stopped being incremented after the use-after-free fix. Furthermore, the RX-LED will be triggered by every multicast frame (which wouldn't happen before) which wouldn't allow the LED to rest at all. Fixes https://bugzilla.kernel.org/show_bug.cgi?id=89431 which also had the patch. Fixes: b8fff407a180 (mac80211: fix use-after-free in defragmentation) Signed-off-by: Andreas Müller g...@stapelspeicher.org [rewrite commit message] Signed-off-by: Johannes Berg johannes.b...@intel.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- net/mac80211/rx.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -1470,14 +1470,14 @@ ieee80211_rx_h_defragment(struct ieee802 sc = le16_to_cpu(hdr-seq_ctrl); frag = sc IEEE80211_SCTL_FRAG; - if (likely(!ieee80211_has_morefrags(fc) frag == 0)) - goto out; - if (is_multicast_ether_addr(hdr-addr1)) { rx-local-dot11MulticastReceivedFrameCount++; - goto out; + goto out_no_led; } + if (likely(!ieee80211_has_morefrags(fc) frag == 0)) + goto out; + I802_DEBUG_INC(rx-local-rx_handlers_fragments); if (skb_linearize(rx-skb)) @@ -1568,9 +1568,10 @@ ieee80211_rx_h_defragment(struct ieee802 status-rx_flags |= IEEE80211_RX_FRAGMENTED; out: + ieee80211_led_rx(rx-local); + out_no_led: if (rx-sta) rx-sta-rx_packets++; - ieee80211_led_rx(rx-local); return RX_CONTINUE; } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 032/152] Bluetooth: Add support for Intel bootloader devices
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Marcel Holtmann mar...@holtmann.org commit 40df783d1ef1989ac454e3dfcda017270b8950e6 upstream. Intel Bluetooth devices that boot up in bootloader mode can not be used as generic HCI devices, but their HCI transport is still valuable and so bring that up as raw-only devices. T: Bus=02 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#= 14 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=ff(vend.) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=8087 ProdID=0a5a Rev= 0.00 S: Manufacturer=Intel(R) Corporation S: Product=Intel(R) Wilkins Peak 2x2 S: SerialNumber=001122334455 WP_A0 C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=1ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms Signed-off-by: Marcel Holtmann mar...@holtmann.org Signed-off-by: Johan Hedberg johan.hedb...@intel.com [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/bluetooth/btusb.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -55,6 +55,7 @@ static struct usb_driver btusb_driver; #define BTUSB_BROKEN_ISOC 0x20 #define BTUSB_WRONG_SCO_MTU0x40 #define BTUSB_ATH3012 0x80 +#define BTUSB_INTEL_BOOT 0x200 static struct usb_device_id btusb_table[] = { /* Generic Bluetooth USB device */ @@ -125,6 +126,9 @@ static struct usb_device_id btusb_table[ /* IMC Networks - Broadcom based */ { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01) }, + /* Intel Bluetooth USB Bootloader (RAM module) */ + { USB_DEVICE(0x8087, 0x0a5a), .driver_info = BTUSB_INTEL_BOOT }, + { } /* Terminating entry */ }; @@ -1070,6 +1074,9 @@ static int btusb_probe(struct usb_interf hdev-owner = THIS_MODULE; + if (id-driver_info BTUSB_INTEL_BOOT) + set_bit(HCI_QUIRK_RAW_DEVICE, hdev-quirks); + /* Interface numbers are hardcoded in the specification */ data-isoc = usb_ifnum_to_if(data-udev, 1); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 061/152] iscsi-target: Fail connection on short sendmsg writes
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Nicholas Bellinger n...@linux-iscsi.org commit 6bf6ca7515c1df06f5c03737537f5e0eb191e29e upstream. This patch changes iscsit_do_tx_data() to fail on short writes when kernel_sendmsg() returns a value different than requested transfer length, returning -EPIPE and thus causing a connection reset to occur. This avoids a potential bug in the original code where a short write would result in kernel_sendmsg() being called again with the original iovec base + length. In practice this has not been an issue because iscsit_do_tx_data() is only used for transferring 48 byte headers + 4 byte digests, along with seldom used control payloads from NOPIN + TEXT_RSP + REJECT with less than 32k of data. So following Al's audit of iovec consumers, go ahead and fail the connection on short writes for now, and remove the bogus logic ahead of his proper upstream fix. Reported-by: Al Viro v...@zeniv.linux.org.uk Cc: David S. Miller da...@davemloft.net Signed-off-by: Nicholas Bellinger n...@linux-iscsi.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/target/iscsi/iscsi_target_util.c | 26 +++--- 1 file changed, 11 insertions(+), 15 deletions(-) --- a/drivers/target/iscsi/iscsi_target_util.c +++ b/drivers/target/iscsi/iscsi_target_util.c @@ -1483,15 +1483,15 @@ static int iscsit_do_tx_data( struct iscsi_conn *conn, struct iscsi_data_count *count) { - int data = count-data_length, total_tx = 0, tx_loop = 0, iov_len; + int ret, iov_len; struct kvec *iov_p; struct msghdr msg; if (!conn || !conn-sock || !conn-conn_ops) return -1; - if (data = 0) { - pr_err(Data length is: %d\n, data); + if (count-data_length = 0) { + pr_err(Data length is: %d\n, count-data_length); return -1; } @@ -1500,20 +1500,16 @@ static int iscsit_do_tx_data( iov_p = count-iov; iov_len = count-iov_count; - while (total_tx data) { - tx_loop = kernel_sendmsg(conn-sock, msg, iov_p, iov_len, - (data - total_tx)); - if (tx_loop = 0) { - pr_debug(tx_loop: %d total_tx %d\n, - tx_loop, total_tx); - return tx_loop; - } - total_tx += tx_loop; - pr_debug(tx_loop: %d, total_tx: %d, data: %d\n, - tx_loop, total_tx, data); + ret = kernel_sendmsg(conn-sock, msg, iov_p, iov_len, +count-data_length); + if (ret != count-data_length) { + pr_err(Unexpected ret: %d send data %d\n, + ret, count-data_length); + return -EPIPE; } + pr_debug(ret: %d, sent data: %d\n, ret, count-data_length); - return total_tx; + return ret; } int rx_data( -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 054/152] ncpfs: return proper error from NCP_IOC_SETROOT ioctl
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Jan Kara j...@suse.cz commit a682e9c28cac152e6e54c39efcf046e0c8cfcf63 upstream. If some error happens in NCP_IOC_SETROOT ioctl, the appropriate error return value is then (in most cases) just overwritten before we return. This can result in reporting success to userspace although error happened. This bug was introduced by commit 2e54eb96e2c8 (BKL: Remove BKL from ncpfs). Propagate the errors correctly. Coverity id: 1226925. Fixes: 2e54eb96e2c80 (BKL: Remove BKL from ncpfs) Signed-off-by: Jan Kara j...@suse.cz Cc: Petr Vandrovec p...@vandrovec.name Signed-off-by: Andrew Morton a...@linux-foundation.org Signed-off-by: Linus Torvalds torva...@linux-foundation.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- fs/ncpfs/ioctl.c | 1 - 1 file changed, 1 deletion(-) --- a/fs/ncpfs/ioctl.c +++ b/fs/ncpfs/ioctl.c @@ -445,7 +445,6 @@ static long __ncp_ioctl(struct inode *in result = -EIO; } } - result = 0; } mutex_unlock(server-root_setup_lock); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 046/152] ath5k: fix hardware queue index assignment
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Felix Fietkau n...@openwrt.org commit 9e4982f6a51a2442f1bb588fee42521b44b4531c upstream. Like with ath9k, ath5k queues also need to be ordered by priority. queue_info-tqi_subtype already contains the correct index, so use it instead of relying on the order of ath5k_hw_setup_tx_queue calls. Signed-off-by: Felix Fietkau n...@openwrt.org Signed-off-by: John W. Linville linvi...@tuxdriver.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/net/wireless/ath/ath5k/qcu.c | 8 +--- 1 file changed, 1 insertion(+), 7 deletions(-) --- a/drivers/net/wireless/ath/ath5k/qcu.c +++ b/drivers/net/wireless/ath/ath5k/qcu.c @@ -167,13 +167,7 @@ int ath5k_hw_setup_tx_queue(struct ath5k } else { switch (queue_type) { case AR5K_TX_QUEUE_DATA: - for (queue = AR5K_TX_QUEUE_ID_DATA_MIN; - ah-ah_txq[queue].tqi_type != - AR5K_TX_QUEUE_INACTIVE; queue++) { - - if (queue AR5K_TX_QUEUE_ID_DATA_MAX) - return -EINVAL; - } + queue = queue_info-tqi_subtype; break; case AR5K_TX_QUEUE_UAPSD: queue = AR5K_TX_QUEUE_ID_UAPSD; -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 037/152] Bluetooth: Add support for Acer [0489:e078]
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Anantha Krishnan anan...@codeaurora.org commit 4b552bc9edfdc947862af225a0e2521edb5d37a0 upstream. Add support for the QCA6174 chip. T: Bus=06 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 3 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0489 ProdID=e078 Rev=00.01 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Signed-off-by: Anantha Krishnan anan...@codeaurora.org Signed-off-by: Marcel Holtmann mar...@holtmann.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/bluetooth/ath3k.c | 2 ++ drivers/bluetooth/btusb.c | 1 + 2 files changed, 3 insertions(+) --- a/drivers/bluetooth/ath3k.c +++ b/drivers/bluetooth/ath3k.c @@ -77,6 +77,7 @@ static struct usb_device_id ath3k_table[ { USB_DEVICE(0x0489, 0xe057) }, { USB_DEVICE(0x0489, 0xe056) }, { USB_DEVICE(0x0489, 0xe05f) }, + { USB_DEVICE(0x0489, 0xe078) }, { USB_DEVICE(0x04c5, 0x1330) }, { USB_DEVICE(0x04CA, 0x3004) }, { USB_DEVICE(0x04CA, 0x3005) }, @@ -128,6 +129,7 @@ static struct usb_device_id ath3k_blist_ { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -162,6 +162,7 @@ static struct usb_device_id blacklist_ta { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 047/152] iommu/vt-d: Fix an off-by-one bug in __domain_mapping()
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Jiang Liu jiang@linux.intel.com commit cc4f14aa170d895c9a43bdb56f62070c8a6da908 upstream. There's an off-by-one bug in function __domain_mapping(), which may trigger the BUG_ON(nr_pages lvl_pages) when (nr_pages + 1) superpage_mask == 0 The issue was introduced by commit 9051aa0268dc intel-iommu: Combine domain_pfn_mapping() and domain_sg_mapping(), which sets sg_res to nr_pages + 1 to avoid some of the 'sg_res==0' code paths. It's safe to remove extra +1 because sg_res is only used to calculate page size now. Reported-And-Tested-by: Sudeep Dutt sudeep.d...@intel.com Signed-off-by: Jiang Liu jiang@linux.intel.com Acked-By: David Woodhouse david.woodho...@intel.com Signed-off-by: Joerg Roedel jroe...@suse.de [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/iommu/intel-iommu.c | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) --- a/drivers/iommu/intel-iommu.c +++ b/drivers/iommu/intel-iommu.c @@ -1763,7 +1763,7 @@ static int __domain_mapping(struct dmar_ struct dma_pte *first_pte = NULL, *pte = NULL; phys_addr_t uninitialized_var(pteval); int addr_width = agaw_to_width(domain-agaw) - VTD_PAGE_SHIFT; - unsigned long sg_res; + unsigned long sg_res = 0; unsigned int largepage_lvl = 0; unsigned long lvl_pages = 0; @@ -1774,10 +1774,8 @@ static int __domain_mapping(struct dmar_ prot = DMA_PTE_READ | DMA_PTE_WRITE | DMA_PTE_SNP; - if (sg) - sg_res = 0; - else { - sg_res = nr_pages + 1; + if (!sg) { + sg_res = nr_pages; pteval = ((phys_addr_t)phys_pfn VTD_PAGE_SHIFT) | prot; } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 031/152] Bluetooth: append new supported device to the list [0b05:17d0]
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Andy Shevchenko andriy.shevche...@linux.intel.com commit a735f9e22432899cee188d167966782c29246390 upstream. The device found on Asus Z87 Expert motherboard requires firmware to work correctly. T: Bus=03 Lev=01 Prnt=01 Port=03 Cnt=02 Dev#= 3 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0b05 ProdID=17d0 Rev=00.02 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb Signed-off-by: Andy Shevchenko andriy.shevche...@linux.intel.com Signed-off-by: Marcel Holtmann mar...@holtmann.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/bluetooth/ath3k.c | 2 ++ drivers/bluetooth/btusb.c | 1 + 2 files changed, 3 insertions(+) --- a/drivers/bluetooth/ath3k.c +++ b/drivers/bluetooth/ath3k.c @@ -86,6 +86,7 @@ static struct usb_device_id ath3k_table[ { USB_DEVICE(0x04CA, 0x300b) }, { USB_DEVICE(0x0930, 0x0219) }, { USB_DEVICE(0x0930, 0x0220) }, + { USB_DEVICE(0x0b05, 0x17d0) }, { USB_DEVICE(0x0CF3, 0x0036) }, { USB_DEVICE(0x0CF3, 0x3004) }, { USB_DEVICE(0x0CF3, 0x3008) }, @@ -134,6 +135,7 @@ static struct usb_device_id ath3k_blist_ { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0CF3, 0x0036), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -163,6 +163,7 @@ static struct usb_device_id blacklist_ta { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 035/152] Bluetooth: Add support for Broadcom device of Asus Z97-DELUXE motherboard
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Marcel Holtmann mar...@holtmann.org commit c2aef6e8cbebd60f79555baeb9266e220f135a44 upstream. The Asus Z97-DELUXE motherboard contains a Broadcom based Bluetooth controller on the USB bus. However vendor and product ID are listed as ASUSTek Computer. T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 3 Spd=12 MxCh= 0 D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0b05 ProdID=17cf Rev= 1.12 S: Manufacturer=Broadcom Corp S: Product=BCM20702A0 S: SerialNumber=54271E910064 C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none) Reported-by: Jerome Leclanche jer...@leclan.ch Signed-off-by: Marcel Holtmann mar...@holtmann.org Signed-off-by: Johan Hedberg johan.hedb...@intel.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/bluetooth/btusb.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -120,6 +120,9 @@ static struct usb_device_id btusb_table[ /* Broadcom devices with vendor specific id */ { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01) }, + /* ASUSTek Computer - Broadcom based */ + { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01) }, + /* Belkin F8065bf - Broadcom based */ { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) }, -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 113/152] gpio: sysfs: fix gpio-chip device-attribute leak
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Johan Hovold jo...@kernel.org commit 121b6a79955a3a3fd7bbb9b8cb88d5b9dad6283d upstream. The gpio-chip device attributes were never destroyed when the device was removed. Fix by using device_create_with_groups() to create the device attributes of the chip class device. Note that this also fixes the attribute-creation race with userspace. Fixes: d8f388d8dc8d (gpio: sysfs interface) Signed-off-by: Johan Hovold jo...@kernel.org Signed-off-by: Linus Walleij linus.wall...@linaro.org [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/gpio/gpiolib.c | 19 --- 1 file changed, 8 insertions(+), 11 deletions(-) --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -587,16 +587,13 @@ static ssize_t chip_ngpio_show(struct de } static DEVICE_ATTR(ngpio, 0444, chip_ngpio_show, NULL); -static const struct attribute *gpiochip_attrs[] = { +static struct attribute *gpiochip_attrs[] = { dev_attr_base.attr, dev_attr_label.attr, dev_attr_ngpio.attr, NULL, }; - -static const struct attribute_group gpiochip_attr_group = { - .attrs = (struct attribute **) gpiochip_attrs, -}; +ATTRIBUTE_GROUPS(gpiochip); /* * /sys/class/gpio/export ... write-only @@ -918,13 +915,13 @@ static int gpiochip_export(struct gpio_c /* use chip-base for the ID; it's already known to be unique */ mutex_lock(sysfs_lock); - dev = device_create(gpio_class, chip-dev, MKDEV(0, 0), chip, - gpiochip%d, chip-base); - if (!IS_ERR(dev)) { - status = sysfs_create_group(dev-kobj, - gpiochip_attr_group); - } else + dev = device_create_with_groups(gpio_class, chip-dev, MKDEV(0, 0), + chip, gpiochip_groups, + gpiochip%d, chip-base); + if (IS_ERR(dev)) status = PTR_ERR(dev); + else + status = 0; chip-exported = (status == 0); mutex_unlock(sysfs_lock); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 125/152] Input: i8042 - add noloop quirk for Medion Akoya E7225 (MD98857)
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Jochen Hein joc...@jochen.org commit 1d90d6d5522befa8efa1a7ea406be65cf865ded4 upstream. Without this the aux port does not get detected, and consequently the touchpad will not work. With this patch the touchpad is detected: $ dmesg | grep -E (SYN|i8042|serio) pnp 00:03: Plug and Play ACPI device, IDs SYN1d22 PNP0f13 (active) i8042: PNP: PS/2 Controller [PNP0303:PS2K,PNP0f13:PS2M] at 0x60,0x64 irq 1,12 serio: i8042 KBD port at 0x60,0x64 irq 1 serio: i8042 AUX port at 0x60,0x64 irq 12 input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input4 psmouse serio1: synaptics: Touchpad model: 1, fw: 8.1, id: 0x1e2b1, caps: 0xd00123/0x840300/0x126800, board id: 2863, fw id: 1473085 input: SynPS/2 Synaptics TouchPad as /devices/platform/i8042/serio1/input/input6 dmidecode excerpt for this laptop is: Handle 0x0001, DMI type 1, 27 bytes System Information Manufacturer: Medion Product Name: Akoya E7225 Version: 1.0 Signed-off-by: Jochen Hein joc...@jochen.org Signed-off-by: Dmitry Torokhov dmitry.torok...@gmail.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/input/serio/i8042-x86ia64io.h | 8 1 file changed, 8 insertions(+) --- a/drivers/input/serio/i8042-x86ia64io.h +++ b/drivers/input/serio/i8042-x86ia64io.h @@ -152,6 +152,14 @@ static const struct dmi_system_id __init }, }, { + /* Medion Akoya E7225 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, Medion), + DMI_MATCH(DMI_PRODUCT_NAME, Akoya E7225), + DMI_MATCH(DMI_PRODUCT_VERSION, 1.0), + }, + }, + { /* Blue FB5601 */ .matches = { DMI_MATCH(DMI_SYS_VENDOR, blue), -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 077/152] USB: cp210x: fix ID for production CEL MeshConnect USB Stick
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Preston Fick pff...@gmail.com commit 90441b4dbe90ba0c38111ea89fa093a8c9627801 upstream. Fixing typo for MeshConnect IDs. The original PID (0x8875) is not in production and is not needed. Instead it has been changed to the official production PID (0x8857). Signed-off-by: Preston Fick pff...@gmail.com Signed-off-by: Johan Hovold jo...@kernel.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/usb/serial/cp210x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/serial/cp210x.c +++ b/drivers/usb/serial/cp210x.c @@ -126,7 +126,7 @@ static const struct usb_device_id id_tab { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */ { USB_DEVICE(0x10C4, 0x8664) }, /* AC-Services CAN-IF */ { USB_DEVICE(0x10C4, 0x8665) }, /* AC-Services OBD-IF */ - { USB_DEVICE(0x10C4, 0x8875) }, /* CEL MeshConnect USB Stick */ + { USB_DEVICE(0x10C4, 0x8857) }, /* CEL MeshConnect USB Stick */ { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */ { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */ { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */ -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 093/152] Input: I8042 - add Acer Aspire 7738 to the nomux list
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Dmitry Torokhov dmitry.torok...@gmail.com commit 9333caeaeae4f831054e0e127a6ed3948b604d3e upstream. When KBC is in active multiplexing mode the touchpad on this laptop does not work. Reported-by: Bilal Koc koc.b...@googlemail.com Signed-off-by: Dmitry Torokhov dmitry.torok...@gmail.com Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/input/serio/i8042-x86ia64io.h | 7 +++ 1 file changed, 7 insertions(+) --- a/drivers/input/serio/i8042-x86ia64io.h +++ b/drivers/input/serio/i8042-x86ia64io.h @@ -408,6 +408,13 @@ static const struct dmi_system_id __init }, }, { + /* Acer Aspire 7738 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, Acer), + DMI_MATCH(DMI_PRODUCT_NAME, Aspire 7738), + }, + }, + { /* Gericom Bellagio */ .matches = { DMI_MATCH(DMI_SYS_VENDOR, Gericom), -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 116/152] gpio: sysfs: fix gpio device-attribute leak
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Johan Hovold jo...@kernel.org commit 0915e6feb38de8d3601819992a5bd050201a56fa upstream. The gpio device attributes were never destroyed when the gpio was unexported (or on export failures). Use device_create_with_groups() to create the default device attributes of the gpio class device. Note that this also fixes the attribute-creation race with userspace for these attributes. Remove contingent attributes in export error path and on unexport. Fixes: d8f388d8dc8d (gpio: sysfs interface) Signed-off-by: Johan Hovold jo...@kernel.org Signed-off-by: Linus Walleij linus.wall...@linaro.org [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/gpio/gpiolib.c | 28 +--- 1 file changed, 13 insertions(+), 15 deletions(-) --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -317,7 +317,7 @@ static ssize_t gpio_value_store(struct d return status; } -static const DEVICE_ATTR(value, 0644, +static DEVICE_ATTR(value, 0644, gpio_value_show, gpio_value_store); static irqreturn_t gpio_sysfs_irq(int irq, void *priv) @@ -540,18 +540,15 @@ static ssize_t gpio_active_low_store(str return status ? : size; } -static const DEVICE_ATTR(active_low, 0644, +static DEVICE_ATTR(active_low, 0644, gpio_active_low_show, gpio_active_low_store); -static const struct attribute *gpio_attrs[] = { +static struct attribute *gpio_attrs[] = { dev_attr_value.attr, dev_attr_active_low.attr, NULL, }; - -static const struct attribute_group gpio_attr_group = { - .attrs = (struct attribute **) gpio_attrs, -}; +ATTRIBUTE_GROUPS(gpio); /* * /sys/class/gpio/gpiochipN/ @@ -733,17 +730,14 @@ int gpio_export(unsigned gpio, bool dire if (desc-chip-names desc-chip-names[gpio - desc-chip-base]) ioname = desc-chip-names[gpio - desc-chip-base]; - dev = device_create(gpio_class, desc-chip-dev, MKDEV(0, 0), - desc, ioname ? ioname : gpio%u, gpio); + dev = device_create_with_groups(gpio_class, desc-chip-dev, + MKDEV(0, 0), desc, gpio_groups, + ioname ? ioname : gpio%u, gpio); if (IS_ERR(dev)) { status = PTR_ERR(dev); goto fail_unlock; } - status = sysfs_create_group(dev-kobj, gpio_attr_group); - if (status) - goto fail_unregister_device; - if (direction_may_change) { status = device_create_file(dev, dev_attr_direction); if (status) @@ -754,13 +748,15 @@ int gpio_export(unsigned gpio, bool dire !test_bit(FLAG_IS_OUT, desc-flags))) { status = device_create_file(dev, dev_attr_edge); if (status) - goto fail_unregister_device; + goto fail_remove_attr_direction; } set_bit(FLAG_EXPORT, desc-flags); mutex_unlock(sysfs_lock); return 0; +fail_remove_attr_direction: + device_remove_file(dev, dev_attr_direction); fail_unregister_device: device_unregister(dev); fail_unlock: @@ -900,6 +896,8 @@ void gpio_unexport(unsigned gpio) mutex_unlock(sysfs_lock); if (dev) { + device_remove_file(dev, dev_attr_edge); + device_remove_file(dev, dev_attr_direction); device_unregister(dev); put_device(dev); } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 106/152] crypto: include crypto- module prefix in template
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Kees Cook keesc...@chromium.org commit 4943ba16bbc2db05115707b3ff7b4874e9e3c560 upstream. This adds the module loading prefix crypto- to the template lookup as well. For example, attempting to load 'vfat(blowfish)' via AF_ALG now correctly includes the crypto- prefix at every level, correctly rejecting vfat: net-pf-38 algif-hash crypto-vfat(blowfish) crypto-vfat(blowfish)-all crypto-vfat Reported-by: Mathias Krause mini...@googlemail.com Signed-off-by: Kees Cook keesc...@chromium.org Acked-by: Mathias Krause mini...@googlemail.com Signed-off-by: Herbert Xu herb...@gondor.apana.org.au [bwh: Backported to 3.2: drop changes to cmac and mcryptd which we don't have] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- --- a/arch/x86/crypto/fpu.c +++ b/arch/x86/crypto/fpu.c @@ -17,6 +17,7 @@ #include linux/kernel.h #include linux/module.h #include linux/slab.h +#include linux/crypto.h #include asm/i387.h struct crypto_fpu_ctx { @@ -159,3 +160,5 @@ void __exit crypto_fpu_exit(void) { crypto_unregister_template(crypto_fpu_tmpl); } + +MODULE_ALIAS_CRYPTO(fpu); --- a/crypto/algapi.c +++ b/crypto/algapi.c @@ -477,8 +477,8 @@ static struct crypto_template *__crypto_ struct crypto_template *crypto_lookup_template(const char *name) { - return try_then_request_module(__crypto_lookup_template(name), %s, - name); + return try_then_request_module(__crypto_lookup_template(name), + crypto-%s, name); } EXPORT_SYMBOL_GPL(crypto_lookup_template); --- a/crypto/authenc.c +++ b/crypto/authenc.c @@ -710,3 +710,4 @@ module_exit(crypto_authenc_module_exit); MODULE_LICENSE(GPL); MODULE_DESCRIPTION(Simple AEAD wrapper for IPsec); +MODULE_ALIAS_CRYPTO(authenc); --- a/crypto/authencesn.c +++ b/crypto/authencesn.c @@ -833,3 +833,4 @@ module_exit(crypto_authenc_esn_module_ex MODULE_LICENSE(GPL); MODULE_AUTHOR(Steffen Klassert steffen.klass...@secunet.com); MODULE_DESCRIPTION(AEAD wrapper for IPsec with extended sequence numbers); +MODULE_ALIAS_CRYPTO(authencesn); --- a/crypto/cbc.c +++ b/crypto/cbc.c @@ -289,3 +289,4 @@ module_exit(crypto_cbc_module_exit); MODULE_LICENSE(GPL); MODULE_DESCRIPTION(CBC block cipher algorithm); +MODULE_ALIAS_CRYPTO(cbc); --- a/crypto/ccm.c +++ b/crypto/ccm.c @@ -890,3 +890,4 @@ MODULE_LICENSE(GPL); MODULE_DESCRIPTION(Counter with CBC MAC); MODULE_ALIAS_CRYPTO(ccm_base); MODULE_ALIAS_CRYPTO(rfc4309); +MODULE_ALIAS_CRYPTO(ccm); --- a/crypto/chainiv.c +++ b/crypto/chainiv.c @@ -360,3 +360,4 @@ module_exit(chainiv_module_exit); MODULE_LICENSE(GPL); MODULE_DESCRIPTION(Chain IV Generator); +MODULE_ALIAS_CRYPTO(chainiv); --- a/crypto/cryptd.c +++ b/crypto/cryptd.c @@ -955,3 +955,4 @@ module_exit(cryptd_exit); MODULE_LICENSE(GPL); MODULE_DESCRIPTION(Software async crypto daemon); +MODULE_ALIAS_CRYPTO(cryptd); --- a/crypto/ctr.c +++ b/crypto/ctr.c @@ -422,3 +422,4 @@ module_exit(crypto_ctr_module_exit); MODULE_LICENSE(GPL); MODULE_DESCRIPTION(CTR Counter block mode); MODULE_ALIAS_CRYPTO(rfc3686); +MODULE_ALIAS_CRYPTO(ctr); --- a/crypto/cts.c +++ b/crypto/cts.c @@ -351,3 +351,4 @@ module_exit(crypto_cts_module_exit); MODULE_LICENSE(Dual BSD/GPL); MODULE_DESCRIPTION(CTS-CBC CipherText Stealing for CBC); +MODULE_ALIAS_CRYPTO(cts); --- a/crypto/ecb.c +++ b/crypto/ecb.c @@ -185,3 +185,4 @@ module_exit(crypto_ecb_module_exit); MODULE_LICENSE(GPL); MODULE_DESCRIPTION(ECB block cipher algorithm); +MODULE_ALIAS_CRYPTO(ecb); --- a/crypto/eseqiv.c +++ b/crypto/eseqiv.c @@ -267,3 +267,4 @@ module_exit(eseqiv_module_exit); MODULE_LICENSE(GPL); MODULE_DESCRIPTION(Encrypted Sequence Number IV Generator); +MODULE_ALIAS_CRYPTO(eseqiv); --- a/crypto/gcm.c +++ b/crypto/gcm.c @@ -1377,3 +1377,4 @@ MODULE_AUTHOR(Mikko Herranen mh1@iki.f MODULE_ALIAS_CRYPTO(gcm_base); MODULE_ALIAS_CRYPTO(rfc4106); MODULE_ALIAS_CRYPTO(rfc4543); +MODULE_ALIAS_CRYPTO(gcm); --- a/crypto/hmac.c +++ b/crypto/hmac.c @@ -271,3 +271,4 @@ module_exit(hmac_module_exit); MODULE_LICENSE(GPL); MODULE_DESCRIPTION(HMAC hash algorithm); +MODULE_ALIAS_CRYPTO(hmac); --- a/crypto/lrw.c +++ b/crypto/lrw.c @@ -312,3 +312,4 @@ module_exit(crypto_module_exit); MODULE_LICENSE(GPL); MODULE_DESCRIPTION(LRW block cipher mode); +MODULE_ALIAS_CRYPTO(lrw); --- a/crypto/pcbc.c +++ b/crypto/pcbc.c @@ -295,3 +295,4 @@ module_exit(crypto_pcbc_module_exit); MODULE_LICENSE(GPL); MODULE_DESCRIPTION(PCBC block cipher algorithm); +MODULE_ALIAS_CRYPTO(pcbc); --- a/crypto/pcrypt.c +++ b/crypto/pcrypt.c @@ -565,3 +565,4 @@ module_exit(pcrypt_exit); MODULE_LICENSE(GPL); MODULE_AUTHOR(Steffen Klassert steffen.klass...@secunet.com); MODULE_DESCRIPTION(Parallel crypto wrapper); +MODULE_ALIAS_CRYPTO(pcrypt); --- a/crypto/seqiv.c +++ b/crypto/seqiv.c @@ -363,3 +363,4 @@
[PATCH 3.2 124/152] x86, tls, ldt: Stop checking lm in LDT_empty
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Andy Lutomirski l...@amacapital.net commit e30ab185c490e9a9381385529e0fd32f0a399495 upstream. 32-bit programs don't have an lm bit in their ABI, so they can't reliably cause LDT_empty to return true without resorting to memset. They shouldn't need to do this. This should fix a longstanding, if minor, issue in all 64-bit kernels as well as a potential regression in the TLS hardening code. Fixes: 41bdc78544b8 x86/tls: Validate TLS entries to protect espfix Signed-off-by: Andy Lutomirski l...@amacapital.net Cc: torva...@linux-foundation.org Link: http://lkml.kernel.org/r/72a059de55e86ad5e2935c80aa91880ddf19d07c.1421954363.git.l...@amacapital.net Signed-off-by: Thomas Gleixner t...@linutronix.de Signed-off-by: Ben Hutchings b...@decadent.org.uk --- arch/x86/include/asm/desc.h | 9 ++--- 1 file changed, 2 insertions(+), 7 deletions(-) --- a/arch/x86/include/asm/desc.h +++ b/arch/x86/include/asm/desc.h @@ -248,7 +248,8 @@ static inline void native_load_tls(struc gdt[GDT_ENTRY_TLS_MIN + i] = t-tls_array[i]; } -#define _LDT_empty(info) \ +/* This intentionally ignores lm, since 32-bit apps don't have that field. */ +#define LDT_empty(info)\ ((info)-base_addr == 0 \ (info)-limit == 0 \ (info)-contents == 0 \ @@ -258,12 +259,6 @@ static inline void native_load_tls(struc (info)-seg_not_present== 1 \ (info)-useable== 0) -#ifdef CONFIG_X86_64 -#define LDT_empty(info) (_LDT_empty(info) ((info)-lm == 0)) -#else -#define LDT_empty(info) (_LDT_empty(info)) -#endif - static inline void clear_LDT(void) { set_ldt(NULL, 0); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 144/152] dcache: Fix locking bugs in backported deal with deadlock in d_walk()
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Ben Hutchings b...@decadent.org.uk Steven Rostedt reported: Porting -rt to the latest 3.2 stable tree I triggered this bug: = [ BUG: bad unlock balance detected! ] - rm/1638 is trying to release lock (rcu_read_lock) at: [c04fde6c] rcu_read_unlock+0x0/0x23 but there are no more locks to release! other info that might help us debug this: 2 locks held by rm/1638: #0: (sb-s_type-i_mutex_key#9/1){+.+.+.}, at: [c04f93eb] do_rmdir+0x5f/0xd2 #1: (sb-s_type-i_mutex_key#9){+.+.+.}, at: [c04f9329] vfs_rmdir+0x49/0xac stack backtrace: Pid: 1638, comm: rm Not tainted 3.2.66-test-rt96+ #2 Call Trace: [c083f390] ? printk+0x1d/0x1f [c0463cdf] print_unlock_inbalance_bug+0xc3/0xcd [c04653a8] lock_release_non_nested+0x98/0x1ec [c046228d] ? trace_hardirqs_off_caller+0x18/0x90 [c0456f1c] ? local_clock+0x2d/0x50 [c04fde6c] ? d_hash+0x2f/0x2f [c04fde6c] ? d_hash+0x2f/0x2f [c046568e] lock_release+0x192/0x1ad [c04fde83] rcu_read_unlock+0x17/0x23 [c04ff344] shrink_dcache_parent+0x227/0x270 [c04f9348] vfs_rmdir+0x68/0xac [c04f9424] do_rmdir+0x98/0xd2 [c04f03ad] ? fput+0x1a3/0x1ab [c084dd42] ? sysenter_exit+0xf/0x1a [c0465b58] ? trace_hardirqs_on_caller+0x118/0x149 [c04fa3e0] sys_unlinkat+0x2b/0x35 [c084dd13] sysenter_do_call+0x12/0x12 There's a path to calling rcu_read_unlock() without calling rcu_read_lock() in have_submounts(). goto positive; positive: if (!locked read_seqretry(rename_lock, seq)) goto rename_retry; rename_retry: rcu_read_unlock(); in the above path, rcu_read_lock() is never done before calling rcu_read_unlock(); I reviewed locking contexts in all three functions that I changed when backporting deal with deadlock in d_walk(). It's actually worse than this: - We don't hold this_parent-d_lock at the 'positive' label in have_submounts(), but it is unlocked after 'rename_retry'. - There is an rcu_read_unlock() after the 'out' label in select_parent(), but it's not held at the 'goto out'. Fix all three lock imbalances. Reported-by: Steven Rostedt rost...@goodmis.org Signed-off-by: Ben Hutchings b...@decadent.org.uk Tested-by: Steven Rostedt rost...@goodmis.org --- fs/dcache.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/fs/dcache.c +++ b/fs/dcache.c @@ -1035,7 +1035,7 @@ ascend: return 0; /* No mount points found in tree */ positive: if (!locked read_seqretry(rename_lock, seq)) - goto rename_retry; + goto rename_retry_unlocked; if (locked) write_sequnlock(rename_lock); return 1; @@ -1045,6 +1045,7 @@ rename_retry: rcu_read_unlock(); if (locked) goto again; +rename_retry_unlocked: locked = 1; write_seqlock(rename_lock); goto again; @@ -1109,6 +1110,7 @@ resume: */ if (found need_resched()) { spin_unlock(dentry-d_lock); + rcu_read_lock(); goto out; } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 114/152] gpiolib: Refactor gpio_export
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Ryan Mallon rmal...@gmail.com commit fc4e2514995d9cd7f3e1a67098ce65d72acf8ec7 upstream. The gpio_export function uses nested if statements and the status variable to handle the failure cases. This makes the function logic difficult to follow. Refactor the code to abort immediately on failure using goto. This makes the code slightly longer, but significantly reduces the nesting and number of split lines and makes the code easier to read. Signed-off-by: Ryan Mallon rmal...@gmail.com Signed-off-by: Linus Walleij linus.wall...@linaro.org Signed-off-by: Ben Hutchings b...@decadent.org.uk --- drivers/gpio/gpiolib.c | 85 +++--- 1 file changed, 46 insertions(+), 39 deletions(-) --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -697,8 +697,9 @@ int gpio_export(unsigned gpio, bool dire { unsigned long flags; struct gpio_desc*desc; - int status = -EINVAL; + int status; const char *ioname = NULL; + struct device *dev; /* can't export until sysfs is available ... */ if (!gpio_class.p) { @@ -706,59 +707,65 @@ int gpio_export(unsigned gpio, bool dire return -ENOENT; } - if (!gpio_is_valid(gpio)) - goto done; + if (!gpio_is_valid(gpio)) { + pr_debug(%s: gpio %d is not valid\n, __func__, gpio); + return -EINVAL; + } mutex_lock(sysfs_lock); spin_lock_irqsave(gpio_lock, flags); desc = gpio_desc[gpio]; - if (test_bit(FLAG_REQUESTED, desc-flags) -!test_bit(FLAG_EXPORT, desc-flags)) { - status = 0; - if (!desc-chip-direction_input - || !desc-chip-direction_output) - direction_may_change = false; + if (!test_bit(FLAG_REQUESTED, desc-flags) || +test_bit(FLAG_EXPORT, desc-flags)) { + spin_unlock_irqrestore(gpio_lock, flags); + pr_debug(%s: gpio %d unavailable (requested=%d, exported=%d)\n, + __func__, gpio, + test_bit(FLAG_REQUESTED, desc-flags), + test_bit(FLAG_EXPORT, desc-flags)); + return -EPERM; } + + if (!desc-chip-direction_input || !desc-chip-direction_output) + direction_may_change = false; spin_unlock_irqrestore(gpio_lock, flags); if (desc-chip-names desc-chip-names[gpio - desc-chip-base]) ioname = desc-chip-names[gpio - desc-chip-base]; - if (status == 0) { - struct device *dev; + dev = device_create(gpio_class, desc-chip-dev, MKDEV(0, 0), + desc, ioname ? ioname : gpio%u, gpio); + if (IS_ERR(dev)) { + status = PTR_ERR(dev); + goto fail_unlock; + } + + status = sysfs_create_group(dev-kobj, gpio_attr_group); + if (status) + goto fail_unregister_device; + + if (direction_may_change) { + status = device_create_file(dev, dev_attr_direction); + if (status) + goto fail_unregister_device; + } - dev = device_create(gpio_class, desc-chip-dev, MKDEV(0, 0), - desc, ioname ? ioname : gpio%u, gpio); - if (!IS_ERR(dev)) { - status = sysfs_create_group(dev-kobj, - gpio_attr_group); - - if (!status direction_may_change) - status = device_create_file(dev, - dev_attr_direction); - - if (!status gpio_to_irq(gpio) = 0 -(direction_may_change - || !test_bit(FLAG_IS_OUT, - desc-flags))) - status = device_create_file(dev, - dev_attr_edge); - - if (status != 0) - device_unregister(dev); - } else - status = PTR_ERR(dev); - if (status == 0) - set_bit(FLAG_EXPORT, desc-flags); + if (gpio_to_irq(gpio) = 0 (direction_may_change || + !test_bit(FLAG_IS_OUT, desc-flags))) { + status = device_create_file(dev, dev_attr_edge); + if (status) + goto fail_unregister_device; } + set_bit(FLAG_EXPORT, desc-flags); mutex_unlock(sysfs_lock); + return
[PATCH 3.2 141/152] fsnotify: next_i is freed during fsnotify_unmount_inodes.
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Jerry Hoemann jerry.hoem...@hp.com commit 6424babfd68dd8a83d9c60a5242d27038856599f upstream. During file system stress testing on 3.10 and 3.12 based kernels, the umount command occasionally hung in fsnotify_unmount_inodes in the section of code: spin_lock(inode-i_lock); if (inode-i_state (I_FREEING|I_WILL_FREE|I_NEW)) { spin_unlock(inode-i_lock); continue; } As this section of code holds the global inode_sb_list_lock, eventually the system hangs trying to acquire the lock. Multiple crash dumps showed: The inode-i_state == 0x60 and i_count == 0 and i_sb_list would point back at itself. As this is not the value of list upon entry to the function, the kernel never exits the loop. To help narrow down problem, the call to list_del_init in inode_sb_list_del was changed to list_del. This poisons the pointers in the i_sb_list and causes a kernel to panic if it transverse a freed inode. Subsequent stress testing paniced in fsnotify_unmount_inodes at the bottom of the list_for_each_entry_safe loop showing next_i had become free. We believe the root cause of the problem is that next_i is being freed during the window of time that the list_for_each_entry_safe loop temporarily releases inode_sb_list_lock to call fsnotify and fsnotify_inode_delete. The code in fsnotify_unmount_inodes attempts to prevent the freeing of inode and next_i by calling __iget. However, the code doesn't do the __iget call on next_i if i_count == 0 or if i_state (I_FREEING | I_WILL_FREE) The patch addresses this issue by advancing next_i in the above two cases until we either find a next_i which we can __iget or we reach the end of the list. This makes the handling of next_i more closely match the handling of the variable inode. The time to reproduce the hang is highly variable (from hours to days.) We ran the stress test on a 3.10 kernel with the proposed patch for a week without failure. During list_for_each_entry_safe, next_i is becoming free causing the loop to never terminate. Advance next_i in those cases where __iget is not done. Signed-off-by: Jerry Hoemann jerry.hoem...@hp.com Cc: Jeff Kirsher jeffrey.t.kirs...@intel.com Cc: Ken Helias kenhel...@firemail.de Signed-off-by: Andrew Morton a...@linux-foundation.org Signed-off-by: Linus Torvalds torva...@linux-foundation.org Signed-off-by: Ben Hutchings b...@decadent.org.uk Cc: Jan Kara j...@suse.cz --- fs/notify/inode_mark.c | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) --- a/fs/notify/inode_mark.c +++ b/fs/notify/inode_mark.c @@ -282,20 +282,25 @@ void fsnotify_unmount_inodes(struct list spin_unlock(inode-i_lock); /* In case the dropping of a reference would nuke next_i. */ - if ((next_i-i_sb_list != list) - atomic_read(next_i-i_count)) { + while (next_i-i_sb_list != list) { spin_lock(next_i-i_lock); - if (!(next_i-i_state (I_FREEING | I_WILL_FREE))) { + if (!(next_i-i_state (I_FREEING | I_WILL_FREE)) + atomic_read(next_i-i_count)) { __iget(next_i); need_iput = next_i; + spin_unlock(next_i-i_lock); + break; } spin_unlock(next_i-i_lock); + next_i = list_entry(next_i-i_sb_list.next, + struct inode, i_sb_list); } /* -* We can safely drop inode_sb_list_lock here because we hold -* references on both inode and next_i. Also no new inodes -* will be added since the umount has begun. +* We can safely drop inode_sb_list_lock here because either +* we actually hold references on both inode and next_i or +* end of list. Also no new inodes will be added since the +* umount has begun. */ spin_unlock(inode_sb_list_lock); -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 3.2 119/152] ALSA: usb-audio: Add mic volume fix quirk for Logitech Webcam C210
3.2.67-rc1 review patch. If anyone has any objections, please let me know. -- From: Jason Lee Cragg jcr...@gmail.com commit 6455931186bff407493135e74c5f32efd30860e2 upstream. Signed-off-by: Jason Lee Cragg jcr...@gmail.com Signed-off-by: Takashi Iwai ti...@suse.de Signed-off-by: Ben Hutchings b...@decadent.org.uk --- sound/usb/mixer.c | 1 + 1 file changed, 1 insertion(+) --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -834,6 +834,7 @@ static void volume_control_quirks(struct case USB_ID(0x046d, 0x0807): /* Logitech Webcam C500 */ case USB_ID(0x046d, 0x0808): case USB_ID(0x046d, 0x0809): + case USB_ID(0x046d, 0x0819): /* Logitech Webcam C210 */ case USB_ID(0x046d, 0x081b): /* HD Webcam c310 */ case USB_ID(0x046d, 0x081d): /* HD Webcam c510 */ case USB_ID(0x046d, 0x0825): /* HD Webcam c270 */ -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/