1. 14 Mar, 2013 24 commits
    • Mike Christie's avatar
      dm: fix limits initialization when there are no data devices · 6d2c84a0
      Mike Christie authored
      commit 87eb5b21 upstream.
      
      dm_calculate_queue_limits will first reset the provided limits to
      defaults using blk_set_stacking_limits; whereby defeating the purpose of
      retaining the original live table's limits -- as was intended via commit
      3ae70656 ("dm: retain table limits when
      swapping to new table with no devices").
      
      Fix this improper limits initialization (in the no data devices case) by
      avoiding the call to dm_calculate_queue_limits.
      
      [patch header revised by Mike Snitzer]
      Signed-off-by: default avatarMike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6d2c84a0
    • Jun'ichi Nomura's avatar
      dm: do not replace bioset for request based dm · f7ed89f0
      Jun'ichi Nomura authored
      commit 16245bdc upstream.
      
      This patch fixes a regression introduced in v3.8, which causes oops
      like this when dm-multipath is used:
      
      general protection fault: 0000 [#1] SMP
      RIP: 0010:[<ffffffff810fe754>]  [<ffffffff810fe754>] mempool_free+0x24/0xb0
      Call Trace:
        <IRQ>
        [<ffffffff81187417>] bio_put+0x97/0xc0
        [<ffffffffa02247a5>] end_clone_bio+0x35/0x90 [dm_mod]
        [<ffffffff81185efd>] bio_endio+0x1d/0x30
        [<ffffffff811f03a3>] req_bio_endio.isra.51+0xa3/0xe0
        [<ffffffff811f2f68>] blk_update_request+0x118/0x520
        [<ffffffff811f3397>] blk_update_bidi_request+0x27/0xa0
        [<ffffffff811f343c>] blk_end_bidi_request+0x2c/0x80
        [<ffffffff811f34d0>] blk_end_request+0x10/0x20
        [<ffffffffa000b32b>] scsi_io_completion+0xfb/0x6c0 [scsi_mod]
        [<ffffffffa000107d>] scsi_finish_command+0xbd/0x120 [scsi_mod]
        [<ffffffffa000b12f>] scsi_softirq_done+0x13f/0x160 [scsi_mod]
        [<ffffffff811f9fd0>] blk_done_softirq+0x80/0xa0
        [<ffffffff81044551>] __do_softirq+0xf1/0x250
        [<ffffffff8142ee8c>] call_softirq+0x1c/0x30
        [<ffffffff8100420d>] do_softirq+0x8d/0xc0
        [<ffffffff81044885>] irq_exit+0xd5/0xe0
        [<ffffffff8142f3e3>] do_IRQ+0x63/0xe0
        [<ffffffff814257af>] common_interrupt+0x6f/0x6f
        <EOI>
        [<ffffffffa021737c>] srp_queuecommand+0x8c/0xcb0 [ib_srp]
        [<ffffffffa0002f18>] scsi_dispatch_cmd+0x148/0x310 [scsi_mod]
        [<ffffffffa000a38e>] scsi_request_fn+0x31e/0x520 [scsi_mod]
        [<ffffffff811f1e57>] __blk_run_queue+0x37/0x50
        [<ffffffff811f1f69>] blk_delay_work+0x29/0x40
        [<ffffffff81059003>] process_one_work+0x1c3/0x5c0
        [<ffffffff8105b22e>] worker_thread+0x15e/0x440
        [<ffffffff8106164b>] kthread+0xdb/0xe0
        [<ffffffff8142db9c>] ret_from_fork+0x7c/0xb0
      
      The regression was introduced by the change
      c0820cf5 "dm: introduce per_bio_data", where dm started to replace
      bioset during table replacement.
      For bio-based dm, it is good because clone bios do not exist during the
      table replacement.
      For request-based dm, however, (not-yet-mapped) clone bios may stay in
      request queue and survive during the table replacement.
      So freeing the old bioset could cause the oops in bio_put().
      
      Since the size of front_pad may change only with bio-based dm,
      it is not necessary to replace bioset for request-based dm.
      Reported-by: default avatarBart Van Assche <bvanassche@acm.org>
      Tested-by: default avatarBart Van Assche <bvanassche@acm.org>
      Signed-off-by: default avatarJun'ichi Nomura <j-nomura@ce.jp.nec.com>
      Acked-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Acked-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f7ed89f0
    • Mikulas Patocka's avatar
      dm: fix truncated status strings · a9317072
      Mikulas Patocka authored
      commit fd7c092e upstream.
      
      Avoid returning a truncated table or status string instead of setting
      the DM_BUFFER_FULL_FLAG when the last target of a table fills the
      buffer.
      
      When processing a table or status request, the function retrieve_status
      calls ti->type->status. If ti->type->status returns non-zero,
      retrieve_status assumes that the buffer overflowed and sets
      DM_BUFFER_FULL_FLAG.
      
      However, targets don't return non-zero values from their status method
      on overflow. Most targets returns always zero.
      
      If a buffer overflow happens in a target that is not the last in the
      table, it gets noticed during the next iteration of the loop in
      retrieve_status; but if a buffer overflow happens in the last target, it
      goes unnoticed and erroneously truncated data is returned.
      
      In the current code, the targets behave in the following way:
      * dm-crypt returns -ENOMEM if there is not enough space to store the
        key, but it returns 0 on all other overflows.
      * dm-thin returns errors from the status method if a disk error happened.
        This is incorrect because retrieve_status doesn't check the error
        code, it assumes that all non-zero values mean buffer overflow.
      * all the other targets always return 0.
      
      This patch changes the ti->type->status function to return void (because
      most targets don't use the return code). Overflow is detected in
      retrieve_status: if the status method fills up the remaining space
      completely, it is assumed that buffer overflow happened.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a9317072
    • Jeff Layton's avatar
      cifs: ensure that cifs_get_root() only traverses directories · ceab37b0
      Jeff Layton authored
      commit ce2ac521 upstream.
      
      Kjell Braden reported this oops:
      
      [  833.211970] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [  833.212816] IP: [<          (null)>]           (null)
      [  833.213280] PGD 1b9b2067 PUD e9f7067 PMD 0
      [  833.213874] Oops: 0010 [#1] SMP
      [  833.214344] CPU 0
      [  833.214458] Modules linked in: des_generic md4 nls_utf8 cifs vboxvideo drm snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq bnep rfcomm snd_timer bluetooth snd_seq_device ppdev snd vboxguest parport_pc joydev mac_hid soundcore snd_page_alloc psmouse i2c_piix4 serio_raw lp parport usbhid hid e1000
      [  833.215629]
      [  833.215629] Pid: 1752, comm: mount.cifs Not tainted 3.0.0-rc7-bisectcifs-fec11dd9+ #18 innotek GmbH VirtualBox/VirtualBox
      [  833.215629] RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
      [  833.215629] RSP: 0018:ffff8800119c9c50  EFLAGS: 00010282
      [  833.215629] RAX: ffffffffa02186c0 RBX: ffff88000c427780 RCX: 0000000000000000
      [  833.215629] RDX: 0000000000000000 RSI: ffff88000c427780 RDI: ffff88000c4362e8
      [  833.215629] RBP: ffff8800119c9c88 R08: ffff88001fc15e30 R09: 00000000d69515c7
      [  833.215629] R10: ffffffffa0201972 R11: ffff88000e8f6a28 R12: ffff88000c4362e8
      [  833.215629] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88001181aaa6
      [  833.215629] FS:  00007f2986171700(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000
      [  833.215629] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  833.215629] CR2: 0000000000000000 CR3: 000000001b982000 CR4: 00000000000006f0
      [  833.215629] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  833.215629] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [  833.215629] Process mount.cifs (pid: 1752, threadinfo ffff8800119c8000, task ffff88001c1c16f0)
      [  833.215629] Stack:
      [  833.215629]  ffffffff8116a9b5 ffff8800119c9c88 ffffffff81178075 0000000000000286
      [  833.215629]  0000000000000000 ffff88000c4276c0 ffff8800119c9ce8 ffff8800119c9cc8
      [  833.215629]  ffffffff8116b06e ffff88001bc6fc00 ffff88000c4276c0 ffff88000c4276c0
      [  833.215629] Call Trace:
      [  833.215629]  [<ffffffff8116a9b5>] ? d_alloc_and_lookup+0x45/0x90
      [  833.215629]  [<ffffffff81178075>] ? d_lookup+0x35/0x60
      [  833.215629]  [<ffffffff8116b06e>] __lookup_hash.part.14+0x9e/0xc0
      [  833.215629]  [<ffffffff8116b1d6>] lookup_one_len+0x146/0x1e0
      [  833.215629]  [<ffffffff815e4f7e>] ? _raw_spin_lock+0xe/0x20
      [  833.215629]  [<ffffffffa01eef0d>] cifs_do_mount+0x26d/0x500 [cifs]
      [  833.215629]  [<ffffffff81163bd3>] mount_fs+0x43/0x1b0
      [  833.215629]  [<ffffffff8117d41a>] vfs_kern_mount+0x6a/0xd0
      [  833.215629]  [<ffffffff8117e584>] do_kern_mount+0x54/0x110
      [  833.215629]  [<ffffffff8117fdc2>] do_mount+0x262/0x840
      [  833.215629]  [<ffffffff81108a0e>] ? __get_free_pages+0xe/0x50
      [  833.215629]  [<ffffffff8117f9ca>] ? copy_mount_options+0x3a/0x180
      [  833.215629]  [<ffffffff8118075d>] sys_mount+0x8d/0xe0
      [  833.215629]  [<ffffffff815ece82>] system_call_fastpath+0x16/0x1b
      [  833.215629] Code:  Bad RIP value.
      [  833.215629] RIP  [<          (null)>]           (null)
      [  833.215629]  RSP <ffff8800119c9c50>
      [  833.215629] CR2: 0000000000000000
      [  833.238525] ---[ end trace ec00758b8d44f529 ]---
      
      When walking down the path on the server, it's possible to hit a
      symlink. The path walking code assumes that the caller will handle that
      situation properly, but cifs_get_root() isn't set up for it. This patch
      prevents the oops by simply returning an error.
      
      A better solution would be to try and chase the symlinks here, but that's
      fairly complicated to handle.
      
      Fixes:
      
          https://bugzilla.kernel.org/show_bug.cgi?id=53221Reported-and-tested-by: default avatarKjell Braden <afflux@pentabarf.de>
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ceab37b0
    • Josef Bacik's avatar
      Btrfs: delete inline extents when we find them during logging · 53fc95ea
      Josef Bacik authored
      commit 124fe663 upstream.
      
      Apparently when we do inline extents we allow the data to overlap the last chunk
      of the btrfs_file_extent_item, which means that we can possibly have a
      btrfs_file_extent_item that isn't actually as large as a btrfs_file_extent_item.
      This messes with us when we try to overwrite the extent when logging new extents
      since we expect for it to be the right size.  To fix this just delete the item
      and try to do the insert again which will give us the proper sized
      btrfs_file_extent_item.  This fixes a panic where map_private_extent_buffer
      would blow up because we're trying to write past the end of the leaf.  Thanks,
      Signed-off-by: default avatarJosef Bacik <jbacik@fusionio.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      53fc95ea
    • Josef Bacik's avatar
      Btrfs: copy everything if we've created an inline extent · 0a8c4b4e
      Josef Bacik authored
      commit bdc20e67 upstream.
      
      I noticed while looking into a tree logging bug that we aren't logging inline
      extents properly.  Since this requires copying and it shouldn't happen too often
      just force us to copy everything for the inode into the tree log when we have an
      inline extent.  With this patch we have valid data after a crash when we write
      an inline extent.  Thanks,
      Signed-off-by: default avatarJosef Bacik <jbacik@fusionio.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0a8c4b4e
    • Thomas Gleixner's avatar
      btrfs: Init io_lock after cloning btrfs device struct · 9cf12597
      Thomas Gleixner authored
      commit 1cba0cdf upstream.
      
      __btrfs_close_devices() clones btrfs device structs with
      memcpy(). Some of the fields in the clone are reinitialized, but it's
      missing to init io_lock. In mainline this goes unnoticed, but on RT it
      leaves the plist pointing to the original about to be freed lock
      struct.
      
      Initialize io_lock after cloning, so no references to the original
      struct are left.
      Reported-and-tested-by: default avatarMike Galbraith <efault@gmx.de>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarChris Mason <chris.mason@fusionio.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9cf12597
    • Lukas Czerner's avatar
      ext4: convert number of blocks to clusters properly · a4352d7e
      Lukas Czerner authored
      commit 810da240 upstream.
      
      We're using macro EXT4_B2C() to convert number of blocks to number of
      clusters for bigalloc file systems.  However, we should be using
      EXT4_NUM_B2C().
      Signed-off-by: default avatarLukas Czerner <lczerner@redhat.com>
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a4352d7e
    • Nicholas Bellinger's avatar
      iscsi-target: Fix immediate queue starvation regression with DATAIN · f8d5ba6c
      Nicholas Bellinger authored
      commit fd3a9025 upstream.
      
      This patch addresses a v3.5+ regression in iscsi-target where TX thread
      process context -> handle_response_queue() execution is allowed to run
      unbounded while servicing constant outgoing flow of ISTATE_SEND_DATAIN
      response state.
      
      This ends up preventing memory release of StatSN acknowledged commands
      in a timely manner when under heavy large block streaming DATAIN
      workloads.
      
      The regression bug was initially introduced with:
      
      commit 6f3c0e69
      Author: Andy Grover <agrover@redhat.com>
      Date:   Tue Apr 3 15:51:09 2012 -0700
      
          target/iscsi: Refactor target_tx_thread immediate+response queue loops
      
      Go ahead and follow original iscsi_target_tx_thread() logic and check
      to break for immediate queue processing after each DataIN Sequence and/or
      Response PDU has been sent.
      Reported-by: default avatarBenjamin ESTRABAUD <be@mpstor.com>
      Cc: Andy Grover <agrover@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8d5ba6c
    • Asias He's avatar
      target/pscsi: Fix page increment · 50909650
      Asias He authored
      commit 472b72f2 upstream.
      
      The page++ is wrong. It makes bio_add_pc_page() pointing to a wrong page
      address if the 'while (len > 0 && data_len > 0) { ... }' loop is
      executed more than one once.
      Signed-off-by: default avatarAsias He <asias@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      50909650
    • K. Y. Srinivasan's avatar
      SCSI: storvsc: Initialize the sglist · f8b16d21
      K. Y. Srinivasan authored
      commit 9d2696e6 upstream.
      
      Properly initialize scatterlist before using it.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8b16d21
    • Dan Carpenter's avatar
      SCSI: dc395x: uninitialized variable in device_alloc() · 3221f151
      Dan Carpenter authored
      commit 208afec4 upstream.
      
      This bug was introduced back in bitkeeper days in 2003.  We use
      "dcb->dev_mode" before it has been initialized.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarOliver Neukum <oliver@neukum.org>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3221f151
    • Mattia Dongili's avatar
      sony-laptop: fully enable SNY controlled modems · fddc34f9
      Mattia Dongili authored
      commit 3ec1c398 upstream.
      
      The call to handlers 0x124 and 0x135 (rfkill control) seems to take a
      bitmask to control various states of the device. For our rfkill we need
      a fully on/off. SVZ1311Z9R/X's LTE modem needs more bits up.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=47751Signed-off-by: default avatarMattia Dongili <malattia@linux.it>
      Signed-off-by: default avatarMatthew Garrett <matthew.garrett@nebula.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fddc34f9
    • Takahisa Tanaka's avatar
      watchdog: sp5100_tco: Write back the original value to reserved bits, instead of zero · 5f60f421
      Takahisa Tanaka authored
      commit 41adafbd upstream.
      
      In case of SP5100 or SB7x0 chipsets, the sp5100_tco module writes zero to
      reserved bits. The module, however, shouldn't depend on specific default
      value, and should perform a read-merge-write operation for the reserved
      bits.
      
      This patch makes the sp5100_tco module perform a read-merge-write operation
      on all the chipset (sp5100, sb7x0, sb8x0 or later).
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=43176Signed-off-by: default avatarTakahisa Tanaka <mc74hc00@gmail.com>
      Tested-by: default avatarPaul Menzel <paulepanter@users.sourceforge.net>
      Signed-off-by: default avatarWim Van Sebroeck <wim@iguana.be>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5f60f421
    • Takahisa Tanaka's avatar
      watchdog: sp5100_tco: Fix wrong indirect I/O access for getting value of reserved bits · cc3edac7
      Takahisa Tanaka authored
      commit 10ab329b upstream.
      
      In case of SB800 or later chipset and re-programming MMIO address(*),
      sp5100_tco module may read incorrect value of reserved bit, because the module
      reads a value from an incorrect I/O address. However, this bug doesn't cause
      a problem, because when re-programming MMIO address, by chance the module
      writes zero (this is BIOS's default value) to the low three bits of register.
      * In most cases, PC with SB8x0 or later chipset doesn't need to re-programming
        MMIO address, because such PC can enable AcpiMmio and can use 0xfed80b00 for
        watchdog register base address.
      
      This patch fixes this bug.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=43176Signed-off-by: default avatarTakahisa Tanaka <mc74hc00@gmail.com>
      Tested-by: default avatarPaul Menzel <paulepanter@users.sourceforge.net>
      Signed-off-by: default avatarWim Van Sebroeck <wim@iguana.be>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cc3edac7
    • Randy Dunlap's avatar
      watchdog: da9055_wdt needs to select WATCHDOG_CORE · f328def5
      Randy Dunlap authored
      commit 12a5c05c upstream.
      
      DA9055_WATCHDOG (introduced in v3.8) needs to select WATCHDOG_CORE so that it will
      build cleanly.  Fixes these build errors:
      
      da9055_wdt.c:(.text+0xe9bc7): undefined reference to `watchdog_unregister_device'
      da9055_wdt.c:(.text+0xe9f4b): undefined reference to `watchdog_register_device'
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: David Dajun Chen <dchen@diasemi.com>
      Signed-off-by: default avatarWim Van Sebroeck <wim@iguana.be>
      Cc: linux-watchdog@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f328def5
    • Konrad Rzeszutek Wilk's avatar
      xen/pci: We don't do multiple MSI's. · ee74fecf
      Konrad Rzeszutek Wilk authored
      commit 884ac297 upstream.
      
      There is no hypercall to setup multiple MSI per PCI device.
      As such with these two new commits:
      -  08261d87
         PCI/MSI: Enable multiple MSIs with pci_enable_msi_block_auto()
      - 5ca72c4f
         AHCI: Support multiple MSIs
      
      we would call the PHYSDEVOP_map_pirq 'nvec' times with the same
      contents of the PCI device. Sander discovered that we would get
      the same PIRQ value 'nvec' times and return said values to the
      caller. That of course meant that the device was configured only
      with one MSI and AHCI would fail with:
      
      ahci 0000:00:11.0: version 3.0
      xen: registering gsi 19 triggering 0 polarity 1
      xen: --> pirq=19 -> irq=19 (gsi=19)
      (XEN) [2013-02-27 19:43:07] IOAPIC[0]: Set PCI routing entry (6-19 -> 0x99 -> IRQ 19 Mode:1 Active:1)
      ahci 0000:00:11.0: AHCI 0001.0200 32 slots 4 ports 6 Gbps 0xf impl SATA mode
      ahci 0000:00:11.0: flags: 64bit ncq sntf ilck pm led clo pmp pio slum part
      ahci: probe of 0000:00:11.0 failed with error -22
      
      That is b/c in ahci_host_activate the second call to
      devm_request_threaded_irq  would return -EINVAL as we passed in
      (on the second run) an IRQ that was never initialized.
      Reported-and-Tested-by: default avatarSander Eikelenboom <linux@eikelenboom.it>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ee74fecf
    • Konrad Rzeszutek Wilk's avatar
      xen/pat: Disable PAT using pat_enabled value. · ca47ff97
      Konrad Rzeszutek Wilk authored
      commit c79c4982 upstream.
      
      The git commit 8eaffa67
      (xen/pat: Disable PAT support for now) explains in details why
      we want to disable PAT for right now. However that
      change was not enough and we should have also disabled
      the pat_enabled value. Otherwise we end up with:
      
      mmap-example:3481 map pfn expected mapping type write-back for
      [mem 0x00010000-0x00010fff], got uncached-minus
       ------------[ cut here ]------------
      WARNING: at /build/buildd/linux-3.8.0/arch/x86/mm/pat.c:774 untrack_pfn+0xb8/0xd0()
      mem 0x00010000-0x00010fff], got uncached-minus
      ------------[ cut here ]------------
      WARNING: at /build/buildd/linux-3.8.0/arch/x86/mm/pat.c:774
      untrack_pfn+0xb8/0xd0()
      ...
      Pid: 3481, comm: mmap-example Tainted: GF 3.8.0-6-generic #13-Ubuntu
      Call Trace:
       [<ffffffff8105879f>] warn_slowpath_common+0x7f/0xc0
       [<ffffffff810587fa>] warn_slowpath_null+0x1a/0x20
       [<ffffffff8104bcc8>] untrack_pfn+0xb8/0xd0
       [<ffffffff81156c1c>] unmap_single_vma+0xac/0x100
       [<ffffffff81157459>] unmap_vmas+0x49/0x90
       [<ffffffff8115f808>] exit_mmap+0x98/0x170
       [<ffffffff810559a4>] mmput+0x64/0x100
       [<ffffffff810560f5>] dup_mm+0x445/0x660
       [<ffffffff81056d9f>] copy_process.part.22+0xa5f/0x1510
       [<ffffffff81057931>] do_fork+0x91/0x350
       [<ffffffff81057c76>] sys_clone+0x16/0x20
       [<ffffffff816ccbf9>] stub_clone+0x69/0x90
       [<ffffffff816cc89d>] ? system_call_fastpath+0x1a/0x1f
      ---[ end trace 4918cdd0a4c9fea4 ]---
      
      (a similar message shows up if you end up launching 'mcelog')
      
      The call chain is (as analyzed by Liu, Jinsong):
      do_fork
        --> copy_process
          --> dup_mm
            --> dup_mmap
             	--> copy_page_range
                --> track_pfn_copy
                  --> reserve_pfn_range
                    --> line 624: flags != want_flags
      It comes from different memory types of page table (_PAGE_CACHE_WB) and MTRR
      (_PAGE_CACHE_UC_MINUS).
      
      Stefan Bader dug in this deep and found out that:
      "That makes it clearer as this will do
      
      reserve_memtype(...)
      --> pat_x_mtrr_type
        --> mtrr_type_lookup
          --> __mtrr_type_lookup
      
      And that can return -1/0xff in case of MTRR not being enabled/initialized. Which
      is not the case (given there are no messages for it in dmesg). This is not equal
      to MTRR_TYPE_WRBACK and thus becomes _PAGE_CACHE_UC_MINUS.
      
      It looks like the problem starts early in reserve_memtype:
      
             	if (!pat_enabled) {
                      /* This is identical to page table setting without PAT */
                      if (new_type) {
                              if (req_type == _PAGE_CACHE_WC)
                                      *new_type = _PAGE_CACHE_UC_MINUS;
                              else
                                     	*new_type = req_type & _PAGE_CACHE_MASK;
                     	}
                      return 0;
              }
      
      This would be what we want, that is clearing the PWT and PCD flags from the
      supported flags - if pat_enabled is disabled."
      
      This patch does that - disabling PAT.
      Reported-by: default avatarSander Eikelenboom <linux@eikelenboom.it>
      Reported-and-Tested-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Reported-and-Tested-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ca47ff97
    • Steven Noonan's avatar
      xenbus: fix compile failure on ARM with Xen enabled · a1c9ea40
      Steven Noonan authored
      commit 45e27161 upstream.
      
      Adding an include of linux/mm.h resolves this:
      	drivers/xen/xenbus/xenbus_client.c: In function ‘xenbus_map_ring_valloc_hvm’:
      	drivers/xen/xenbus/xenbus_client.c:532:66: error: implicit declaration of function ‘page_to_section’ [-Werror=implicit-function-declaration]
      Signed-off-by: default avatarSteven Noonan <steven@uplinklabs.net>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a1c9ea40
    • Alan Stern's avatar
      USB: EHCI: revert "remove ASS/PSS polling timeout" · 83bdd77f
      Alan Stern authored
      commit 221f8dfc upstream.
      
      This patch (as1649) reverts commit
      55bcdce8 (USB: EHCI: remove ASS/PSS
      polling timeout).  That commit was written under the assumption that
      some controllers may take a very long time to turn off their async and
      periodic schedules.  It now appears that in fact the schedules do get
      turned off reasonably quickly, but some controllers occasionally leave
      the schedules' status bits turned on and consequently ehci-hcd can't
      tell that the schedules are off.
      
      VIA controllers in particular have this problem.  ehci-hcd tells the
      hardware to turn off the async schedule, the schedule does get turned
      off, but the status bit remains on.  Since the EHCI spec requires that
      the schedules not be re-enabled until the previous disable has taken
      effect, with an unlimited timeout the async schedule never gets turned
      back on.  The resulting symptom is that the system is unable to
      communicate with USB devices.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-and-tested-by: default avatarRonald <ronald645@gmail.com>
      Reported-and-tested-by: default avatarPaul Hartman <paul.hartman@gmail.com>
      Reported-and-tested-by: default avatarDieter Nützel <dieter@nuetzel-hh.de>
      Reported-and-tested-by: default avatarJean Delvare <khali@linux-fr.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      83bdd77f
    • Catalin Marinas's avatar
      ARM: 7654/1: Preserve L_PTE_VALID in pte_modify() · df97c726
      Catalin Marinas authored
      commit 69dde4c5 upstream.
      
      Following commit 26ffd0d4 (ARM: mm: introduce present, faulting entries
      for PAGE_NONE), if a page has been mapped as PROT_NONE, the L_PTE_VALID
      bit is cleared by the set_pte_ext() code. With LPAE the software and
      hardware pte share the same location and subsequent modifications of pte
      range (change_protection()) will leave the L_PTE_VALID bit cleared.
      
      This patch adds the L_PTE_VALID bit to the newprot mask in pte_modify().
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Reported-by: default avatarSubash Patel <subash.rp@samsung.com>
      Tested-by: default avatarSubash Patel <subash.rp@samsung.com>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      df97c726
    • Nicolas Pitre's avatar
      ARM: 7653/2: do not scale loops_per_jiffy when using a constant delay clock · 13cfc757
      Nicolas Pitre authored
      commit 70264367 upstream.
      
      When udelay() is implemented using an architected timer, it is wrong
      to scale loops_per_jiffy when changing the CPU clock frequency since
      the timer clock remains constant.
      
      The lpj should probably become an implementation detail relevant to
      the CPU loop based delay routine only and more confined to it. In the
      mean time this is the minimal fix needed to have expected delays with
      the timer based implementation when cpufreq is also in use.
      Reported-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: default avatarNicolas Pitre <nico@linaro.org>
      Tested-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Acked-by: default avatarLiviu Dudau <Liviu.Dudau@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      13cfc757
    • Russell King's avatar
      ARM: fix scheduling while atomic warning in alignment handling code · 69ac92ed
      Russell King authored
      commit b255188f upstream.
      
      Paolo Pisati reports that IPv6 triggers this warning:
      
      BUG: scheduling while atomic: swapper/0/0/0x40000100
      Modules linked in:
      [<c001b1c4>] (unwind_backtrace+0x0/0xf0) from [<c0503c5c>] (__schedule_bug+0x48/0x5c)
      [<c0503c5c>] (__schedule_bug+0x48/0x5c) from [<c0508608>] (__schedule+0x700/0x740)
      [<c0508608>] (__schedule+0x700/0x740) from [<c007007c>] (__cond_resched+0x24/0x34)
      [<c007007c>] (__cond_resched+0x24/0x34) from [<c05086dc>] (_cond_resched+0x3c/0x44)
      [<c05086dc>] (_cond_resched+0x3c/0x44) from [<c0021f6c>] (do_alignment+0x178/0x78c)
      [<c0021f6c>] (do_alignment+0x178/0x78c) from [<c00083e0>] (do_DataAbort+0x34/0x98)
      [<c00083e0>] (do_DataAbort+0x34/0x98) from [<c0509a60>] (__dabt_svc+0x40/0x60)
      Exception stack(0xc0763d70 to 0xc0763db8)
      3d60:                                     e97e805e e97e806e 2c000000 11000000
      3d80: ea86bb00 0000002c 00000011 e97e807e c076d2a8 e97e805e e97e806e 0000002c
      3da0: 3d000000 c0763dbc c04b98fc c02a8490 00000113 ffffffff
      [<c0509a60>] (__dabt_svc+0x40/0x60) from [<c02a8490>] (__csum_ipv6_magic+0x8/0xc8)
      
      Fix this by using probe_kernel_address() stead of __get_user().
      Reported-by: default avatarPaolo Pisati <p.pisati@gmail.com>
      Tested-by: default avatarPaolo Pisati <p.pisati@gmail.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      69ac92ed
    • Russell King's avatar
      ARM: VFP: fix emulation of second VFP instruction · 908e88f2
      Russell King authored
      commit 5e4ba617 upstream.
      
      Martin Storsjö reports that the sequence:
      
              ee312ac1        vsub.f32        s4, s3, s2
              ee702ac0        vsub.f32        s5, s1, s0
              e59f0028        ldr             r0, [pc, #40]
              ee111a90        vmov            r1, s3
      
      on Raspberry Pi (implementor 41 architecture 1 part 20 variant b rev 5)
      where s3 is a denormal and s2 is zero results in incorrect behaviour -
      the instruction "vsub.f32 s5, s1, s0" is not executed:
      
              VFP: bounce: trigger ee111a90 fpexc d0000780
              VFP: emulate: INST=0xee312ac1 SCR=0x00000000
              ...
      
      As we can see, the instruction triggering the exception is the "vmov"
      instruction, and we emulate the "vsub.f32 s4, s3, s2" but fail to
      properly take account of the FPEXC_FP2V flag in FPEXC.  This is because
      the test for the second instruction register being valid is bogus, and
      will always skip emulation of the second instruction.
      Reported-by: default avatarMartin Storsjö <martin@martin.st>
      Tested-by: default avatarMartin Storsjö <martin@martin.st>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      908e88f2
  2. 03 Mar, 2013 16 commits