1. 26 Mar, 2015 16 commits
  2. 18 Mar, 2015 24 commits
    • Greg Kroah-Hartman's avatar
      Linux 3.14.36 · 8a5f782c
      Greg Kroah-Hartman authored
      8a5f782c
    • Sergei Shtylyov's avatar
      clk-gate: fix bit # check in clk_register_gate() · f11bd978
      Sergei Shtylyov authored
      commit 2e9dcdae upstream.
      
      In case CLK_GATE_HIWORD_MASK flag is passed to clk_register_gate(), the bit #
      should be no higher than 15, however the corresponding check is obviously off-
      by-one.
      
      Fixes: 04577994 ("clk: gate: add CLK_GATE_HIWORD_MASK")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarMichael Turquette <mturquette@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f11bd978
    • Kalle Valo's avatar
      ath6kl: fix struct hif_scatter_req list handling · f23e11ca
      Kalle Valo authored
      commit 31b9cc9a upstream.
      
      Jason noticed that with Yocto GCC 4.8.1 ath6kl crashes with this iperf command:
      
      iperf -c $TARGET_IP -i 5 -t 50 -w 1M
      
      The crash was:
      
      Unable to handle kernel paging request at virtual address 1a480000
      pgd = 80004000
      [1a480000] *pgd=00000000
      Internal error: Oops: 805 [#1] SMP ARM
      Modules linked in: ath6kl_sdio ath6kl_core [last unloaded: ath6kl_core]
      CPU: 0 PID: 1953 Comm: kworker/u4:0 Not tainted 3.10.9-1.0.0_alpha+dbf364b #1
      Workqueue: ath6kl ath6kl_sdio_write_async_work [ath6kl_sdio]
      task: dcc9a680 ti: dc9ae000 task.ti: dc9ae000
      PC is at v7_dma_clean_range+0x20/0x38
      LR is at dma_cache_maint_page+0x50/0x54
      pc : [<8001a6f8>]    lr : [<800170fc>]    psr: 20000093
      sp : dc9afcf8  ip : 8001a748  fp : 00000004
      r10: 00000000  r9 : 00000001  r8 : 00000000
      r7 : 00000001  r6 : 00000000  r5 : 80cb7000  r4 : 03f9a480
      r3 : 0000001f  r2 : 00000020  r1 : 1a480000  r0 : 1a480000
      Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
      Control: 10c53c7d  Table: 6cc5004a  DAC: 00000015
      Process kworker/u4:0 (pid: 1953, stack limit = 0xdc9ae238)
      Stack: (0xdc9afcf8 to 0xdc9b0000)
      fce0:                                                       80c9b29c 00000000
      fd00: 00000000 80017134 8001a748 dc302ac0 00000000 00000000 dc454a00 80c12ed8
      fd20: dc115410 80017238 00000000 dc454a10 00000001 80017588 00000001 00000000
      fd40: 00000000 dc302ac0 dc9afe38 dc9afe68 00000004 80c12ed8 00000000 dc454a00
      fd60: 00000004 80436f88 00000000 00000000 00000600 0000ffff 0000000c 80c113c4
      fd80: 80c9b29c 00000001 00000004 dc115470 60000013 dc302ac0 dc46e000 dc302800
      fda0: dc9afe10 dc302b78 60000013 dc302ac0 dc46e000 00000035 dc46e5b0 80438c90
      fdc0: dc9afe10 dc302800 dc302800 dc9afe68 dc9afe38 80424cb4 00000005 dc9afe10
      fde0: dc9afe20 80424de8 dc9afe10 dc302800 dc46e910 80424e90 dc473c00 dc454f00
      fe00: 000001b5 7f619d64 dcc7c830 00000000 00000000 dc9afe38 dc9afe68 00000000
      fe20: 00000000 00000000 dc9afe28 dc9afe28 80424d80 00000000 00000035 9cac0034
      fe40: 00000000 00000000 00000000 00000000 000001b5 00000000 00000000 00000000
      fe60: dc9afe68 dc9afe10 3b9aca00 00000000 00000080 00000034 00000000 00000100
      fe80: 00000000 00000000 dc9afe10 00000004 dc454a00 00000000 dc46e010 dc46e96c
      fea0: dc46e000 dc46e964 00200200 00100100 dc46e910 7f619ec0 00000600 80c0e770
      fec0: dc15a900 dcc7c838 00000000 dc46e954 8042d434 dcc44680 dc46e954 dc004400
      fee0: dc454500 00000000 00000000 dc9ae038 dc004400 8003c450 dcc44680 dc004414
      ff00: dc46e954 dc454500 00000001 dcc44680 dc004414 dcc44698 dc9ae000 dc9ae030
      ff20: 00000001 dc9ae000 dc004400 8003d158 8003d020 00000000 00000000 80c53941
      ff40: dc9aff64 dcb71ea0 00000000 dcc44680 8003d020 00000000 00000000 00000000
      ff60: 00000000 80042480 00000000 00000000 000000f8 dcc44680 00000000 00000000
      ff80: dc9aff80 dc9aff80 00000000 00000000 dc9aff90 dc9aff90 dc9affac dcb71ea0
      ffa0: 800423cc 00000000 00000000 8000e018 00000000 00000000 00000000 00000000
      ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
      [<8001a6f8>] (v7_dma_clean_range+0x20/0x38) from [<800170fc>] (dma_cache_maint_page+0x50/0x54)
      [<800170fc>] (dma_cache_maint_page+0x50/0x54) from [<80017134>] (__dma_page_cpu_to_dev+0x34/0x9c)
      [<80017134>] (__dma_page_cpu_to_dev+0x34/0x9c) from [<80017238>] (arm_dma_map_page+0x64/0x68)
      [<80017238>] (arm_dma_map_page+0x64/0x68) from [<80017588>] (arm_dma_map_sg+0x7c/0xf4)
      [<80017588>] (arm_dma_map_sg+0x7c/0xf4) from [<80436f88>] (sdhci_send_command+0x894/0xe00)
      [<80436f88>] (sdhci_send_command+0x894/0xe00) from [<80438c90>] (sdhci_request+0xc0/0x1ec)
      [<80438c90>] (sdhci_request+0xc0/0x1ec) from [<80424cb4>] (mmc_start_request+0xb8/0xd4)
      [<80424cb4>] (mmc_start_request+0xb8/0xd4) from [<80424de8>] (__mmc_start_req+0x60/0x84)
      [<80424de8>] (__mmc_start_req+0x60/0x84) from [<80424e90>] (mmc_wait_for_req+0x10/0x20)
      [<80424e90>] (mmc_wait_for_req+0x10/0x20) from [<7f619d64>] (ath6kl_sdio_scat_rw.isra.10+0x1dc/0x240 [ath6kl_sdio])
      [<7f619d64>] (ath6kl_sdio_scat_rw.isra.10+0x1dc/0x240 [ath6kl_sdio]) from [<7f619ec0>] (ath6kl_sdio_write_async_work+0x5c/0x104 [ath6kl_sdio])
      [<7f619ec0>] (ath6kl_sdio_write_async_work+0x5c/0x104 [ath6kl_sdio]) from [<8003c450>] (process_one_work+0x10c/0x370)
      [<8003c450>] (process_one_work+0x10c/0x370) from [<8003d158>] (worker_thread+0x138/0x3fc)
      [<8003d158>] (worker_thread+0x138/0x3fc) from [<80042480>] (kthread+0xb4/0xb8)
      [<80042480>] (kthread+0xb4/0xb8) from [<8000e018>] (ret_from_fork+0x14/0x3c)
      Code: e1a02312 e2423001 e1c00003 f57ff04f (ee070f3a)
      ---[ end trace 0c038f0b8e0b67a3 ]---
      Kernel panic - not syncing: Fatal exception
      
      Jason's analysis:
      
        "The GCC 4.8.1 compiler will not do the for-loop till scat_entries, instead,
         it only run one round loop. This may be caused by that the GCC 4.8.1 thought
         that the scat_list only have one item and then no need to do full iteration,
         but this is simply wrong by looking at the assebly code. This will cause the sg
         buffer not get set when scat_entries > 1 and thus lead to kernel panic.
      
         Note: This issue not observed with GCC 4.7.2, only found on the GCC 4.8.1)"
      
      Fix this by using the normal [0] style for defining unknown number of list
      entries following the struct. This also fixes corruption with scat_q_depth, which
      was mistankely added to the end of struct and overwritten if there were more
      than item in the scat list.
      Reported-by: default avatarJason Liu <r64343@freescale.com>
      Tested-by: default avatarJason Liu <r64343@freescale.com>
      Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
      Cc: Josh Cartwright <joshc@ni.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f23e11ca
    • Sergey Ryazanov's avatar
      ath5k: fix spontaneus AR5312 freezes · cd15a863
      Sergey Ryazanov authored
      commit 8bfae4f9 upstream.
      
      Sometimes while CPU have some load and ath5k doing the wireless
      interface reset the whole WiSoC completely freezes. Set of tests shows
      that using atomic delay function while we wait interface reset helps to
      avoid such freezes.
      
      The easiest way to reproduce this issue: create a station interface,
      start continous scan with wpa_supplicant and load CPU by something. Or
      just create multiple station interfaces and put them all in continous
      scan.
      
      This patch partially reverts the commit 1846ac3d ("ath5k: Use
      usleep_range where possible"), which replaces initial udelay()
      by usleep_range().
      
      I do not know actual source of this issue, but all looks like that HW
      freeze is caused by transaction on internal SoC bus, while wireless
      block is in reset state.
      
      Also I should note that I do not know how many chips are affected, but I
      did not see this issue with chips, other than AR5312.
      
      CC: Jiri Slaby <jirislaby@gmail.com>
      CC: Nick Kossifidis <mickflemm@gmail.com>
      CC: Luis R. Rodriguez <mcgrof@do-not-panic.com>
      Fixes: 1846ac3d ("ath5k: Use usleep_range where possible")
      Reported-by: default avatarChristophe Prevotaux <c.prevotaux@rural-networks.com>
      Tested-by: default avatarChristophe Prevotaux <c.prevotaux@rural-networks.com>
      Tested-by: default avatarEric Bree <ebree@nltinc.com>
      Signed-off-by: default avatarSergey Ryazanov <ryazanov.s.a@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd15a863
    • Peter Ujfalusi's avatar
      ASoC: omap-pcm: Correct dma mask · e47d8943
      Peter Ujfalusi authored
      commit d51199a8 upstream.
      
      DMA_BIT_MASK of 64 is not valid dma address mask for OMAPs, it should be
      set to 32.
      The 64 was introduced by commit (in 2009):
      a152ff24 ASoC: OMAP: Make DMA 64 aligned
      
      But the dma_mask and coherent_dma_mask can not be used to specify alignment.
      
      Fixes: a152ff24 (ASoC: OMAP: Make DMA 64 aligned)
      Reported-by: default avatarGrygorii Strashko <Grygorii.Strashko@linaro.org>
      Signed-off-by: default avatarPeter Ujfalusi <peter.ujfalusi@ti.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e47d8943
    • Trond Myklebust's avatar
      NFSv4: Don't call put_rpccred() under the rcu_read_lock() · e1887ec3
      Trond Myklebust authored
      commit 7c0af9ff upstream.
      
      put_rpccred() can sleep.
      
      Fixes: 8f649c37 ("NFSv4: Fix the locking in nfs_inode_reclaim_delegation()")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e1887ec3
    • Chris Wilson's avatar
      ACPI / video: Load the module even if ACPI is disabled · d0cf2aa4
      Chris Wilson authored
      commit 6e17cb12 upstream.
      
      i915.ko depends upon the acpi/video.ko module and so refuses to load if
      ACPI is disabled at runtime if for example the BIOS is broken beyond
      repair. acpi/video provides an optional service for i915.ko and so we
      should just allow the modules to load, but do no nothing in order to let
      the machines boot correctly.
      Reported-by: default avatarBill Augur <bill-auger@programmer.net>
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: Jani Nikula <jani.nikula@intel.com>
      Acked-by: default avatarAaron Lu <aaron.lu@intel.com>
      [ rjw: Fixed up the new comment in acpi_video_init() ]
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d0cf2aa4
    • Dan Carpenter's avatar
      efi: Small leak on error in runtime map code · f563d482
      Dan Carpenter authored
      commit 86d68a58 upstream.
      
      The "> 0" here should ">= 0" so we free map_entries[0].
      
      Fixes: 926172d4 ('efi: Export EFI runtime memory mapping to sysfs')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarDave Young <dyoung@redhat.com>
      Signed-off-by: default avatarMatt Fleming <matt.fleming@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f563d482
    • Alex Deucher's avatar
      drm/radeon: fix 1 RB harvest config setup for TN/RL · 6831c3a8
      Alex Deucher authored
      commit dbfb00c3 upstream.
      
      The logic was reversed from what the hw actually exposed.
      Fixes graphics corruption in certain harvest configurations.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6831c3a8
    • Alex Deucher's avatar
      drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh · cdd9eb05
      Alex Deucher authored
      commit 3d2d98ee upstream.
      
      Just in case it hasn't been calculated for the mode.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cdd9eb05
    • Jason Gerecke's avatar
      HID: wacom: Report ABS_MISC event for Cintiq Companion Hybrid · cf0690d1
      Jason Gerecke authored
      commit 33e5df0e upstream.
      
      It appears that the Cintiq Companion Hybrid does not send an ABS_MISC event to
      userspace when any of its ExpressKeys are pressed. This is not strictly
      necessary now that the pad exists on its own device, but should be fixed for
      consistency's sake.
      
      Traditionally both the stylus and pad shared the same device node, and
      xf86-input-wacom would use ABS_MISC for disambiguation. Not sending this causes
      the Hybrid to behave incorrectly with xf86-input-wacom beginning with its
      8f44f3 commit.
      Signed-off-by: default avatarJason Gerecke <killertofu@gmail.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      [killertofu@gmail.com: ported to drivers/input/tablet/wacom_wac.c]
      Signed-off-by: default avatarJason Gerecke <killertofu@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf0690d1
    • Jiri Kosina's avatar
      HID: fixup the conflicting keyboard mappings quirk · f3995eb5
      Jiri Kosina authored
      commit 8e7b3410 upstream.
      
      The ignore check that got added in 6ce901eb ("HID: input: fix confusion
      on conflicting mappings") needs to properly check for VARIABLE reports
      as well (ARRAY reports should be ignored), otherwise legitimate keyboards
      might break.
      
      Fixes: 6ce901eb ("HID: input: fix confusion on conflicting mappings")
      Reported-by: default avatarFredrik Hallenberg <megahallon@gmail.com>
      Reported-by: default avatarDavid Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f3995eb5
    • David Herrmann's avatar
      HID: input: fix confusion on conflicting mappings · 20f6cd73
      David Herrmann authored
      commit 6ce901eb upstream.
      
      On an PC-101/103/104 keyboard (American layout) the 'Enter' key and its
      neighbours look like this:
      
                 +---+ +---+ +-------+
                 | 1 | | 2 | |   5   |
                 +---+ +---+ +-------+
                   +---+ +-----------+
                   | 3 | |     4     |
                   +---+ +-----------+
      
      On a PC-102/105 keyboard (European layout) it looks like this:
      
                 +---+ +---+ +-------+
                 | 1 | | 2 | |       |
                 +---+ +---+ +-+  4  |
                   +---+ +---+ |     |
                   | 3 | | 5 | |     |
                   +---+ +---+ +-----+
      
      (Note that the number of keys is the same, but key '5' is moved down and
       the shape of key '4' is changed. Keys '1' to '3' are exactly the same.)
      
      The keys 1-4 report the same scan-code in HID in both layouts, even though
      the keysym they produce is usually different depending on the XKB-keymap
      used by user-space.
      However, key '5' (US 'backslash'/'pipe') reports 0x31 for the upper layout
      and 0x32 for the lower layout, as defined by the HID spec. This is highly
      confusing as the linux-input API uses a single keycode for both.
      
      So far, this was never a problem as there never has been a keyboard with
      both of those keys present at the same time. It would have to look
      something like this:
      
                 +---+ +---+ +-------+
                 | 1 | | 2 | |  x31  |
                 +---+ +---+ +-------+
                   +---+ +---+ +-----+
                   | 3 | |x32| |  4  |
                   +---+ +---+ +-----+
      
      HID can represent such a keyboard, but the linux-input API cannot.
      Furthermore, any user-space mapping would be confused by this and,
      luckily, no-one ever produced such hardware.
      
      Now, the HID input layer fixed this mess by mapping both 0x31 and 0x32 to
      the same keycode (KEY_BACKSLASH==0x2b). As only one of both physical keys
      is present on a hardware, this works just fine.
      
      Lets introduce hardware-vendors into this:
      ------------------------------------------
      
      Unfortunately, it seems way to expensive to produce a different device for
      American and European layouts. Therefore, hardware-vendors put both keys,
      (0x31 and 0x32) on the same keyboard, but only one of them is hooked up
      to the physical button, the other one is 'dead'.
      This means, they can use the same hardware, with a different button-layout
      and automatically produce the correct HID events for American *and*
      European layouts. This is unproblematic for normal keyboards, as the
      'dead' key will never report any KEY-DOWN events. But RollOver keyboards
      send the whole matrix on each key-event, allowing n-key roll-over mode.
      This means, we get a 0x31 and 0x32 event on each key-press. One of them
      will always be 0, the other reports the real state. As we map both to the
      same keycode, we will get spurious key-events, even though the real
      key-state never changed.
      
      The easiest way would be to blacklist 'dead' keys and never handle those.
      We could simply read the 'country' tag of USB devices and blacklist either
      key according to the layout. But... hardware vendors... want the same
      device for all countries and thus many of them set 'country' to 0 for all
      devices. Meh..
      
      So we have to deal with this properly. As we cannot know which of the keys
      is 'dead', we either need a heuristic and track those keys, or we simply
      make use of our value-tracking for HID fields. We simply ignore HID events
      for absolute data if the data didn't change. As HID tracks events on the
      HID level, we haven't done the keycode translation, yet. Therefore, the
      'dead' key is tracked independently of the real key, therefore, any events
      on it will be ignored.
      
      This patch simply discards any HID events for absolute data if it didn't
      change compared to the last report. We need to ignore relative and
      buffered-byte reports for obvious reasons. But those cannot be affected by
      this bug, so we're fine.
      
      Preferably, we'd do this filtering on the HID-core level. But this might
      break a lot of custom drivers, if they do not follow the HID specs.
      Therefore, we do this late in hid-input just before we inject it into the
      input layer (which does the exact same filtering, but on the keycode
      level).
      
      If this turns out to break some devices, we might have to limit filtering
      to EV_KEY events. But lets try to do the Right Thing first, and properly
      filter any absolute data that didn't change.
      
      This patch is tagged for 'stable' as it fixes a lot of n-key RollOver
      hardware. We might wanna wait with backporting for a while, before we know
      it doesn't break anything else, though.
      Reported-by: default avatarAdam Goode <adam@spicenitz.org>
      Reported-by: default avatarFredrik Hallenberg <megahallon@gmail.com>
      Tested-by: default avatarFredrik Hallenberg <megahallon@gmail.com>
      Signed-off-by: default avatarDavid Herrmann <dh.herrmann@gmail.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      20f6cd73
    • Ian Abbott's avatar
      staging: comedi: cb_pcidas64: fix incorrect AI range code handling · 4d92b31f
      Ian Abbott authored
      commit be8e8908 upstream.
      
      The hardware range code values and list of valid ranges for the AI
      subdevice is incorrect for several supported boards.  The hardware range
      code values for all boards except PCI-DAS4020/12 is determined by
      calling `ai_range_bits_6xxx()` based on the maximum voltage of the range
      and whether it is bipolar or unipolar, however it only returns the
      correct hardware range code for the PCI-DAS60xx boards.  For
      PCI-DAS6402/16 (and /12) it returns the wrong code for the unipolar
      ranges.  For PCI-DAS64/Mx/16 it returns the wrong code for all the
      ranges and the comedi range table is incorrect.
      
      Change `ai_range_bits_6xxx()` to use a look-up table pointed to by new
      member `ai_range_codes` of `struct pcidas64_board` to map the comedi
      range table indices to the hardware range codes.  Use a new comedi range
      table for the PCI-DAS64/Mx/16 boards (and the commented out variants).
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4d92b31f
    • Mikulas Patocka's avatar
      dm snapshot: fix a possible invalid memory access on unload · fe14b343
      Mikulas Patocka authored
      commit 22aa66a3 upstream.
      
      When the snapshot target is unloaded, snapshot_dtr() waits until
      pending_exceptions_count drops to zero.  Then, it destroys the snapshot.
      Therefore, the function that decrements pending_exceptions_count
      should not touch the snapshot structure after the decrement.
      
      pending_complete() calls free_pending_exception(), which decrements
      pending_exceptions_count, and then it performs up_write(&s->lock) and it
      calls retry_origin_bios() which dereferences  s->origin.  These two
      memory accesses to the fields of the snapshot may touch the dm_snapshot
      struture after it is freed.
      
      This patch moves the call to free_pending_exception() to the end of
      pending_complete(), so that the snapshot will not be destroyed while
      pending_complete() is in progress.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fe14b343
    • Mikulas Patocka's avatar
      dm: fix a race condition in dm_get_md · 66c4b517
      Mikulas Patocka authored
      commit 2bec1f4a upstream.
      
      The function dm_get_md finds a device mapper device with a given dev_t,
      increases the reference count and returns the pointer.
      
      dm_get_md calls dm_find_md, dm_find_md takes _minor_lock, finds the
      device, tests that the device doesn't have DMF_DELETING or DMF_FREEING
      flag, drops _minor_lock and returns pointer to the device. dm_get_md then
      calls dm_get. dm_get calls BUG if the device has the DMF_FREEING flag,
      otherwise it increments the reference count.
      
      There is a possible race condition - after dm_find_md exits and before
      dm_get is called, there are no locks held, so the device may disappear or
      DMF_FREEING flag may be set, which results in BUG.
      
      To fix this bug, we need to call dm_get while we hold _minor_lock. This
      patch renames dm_find_md to dm_get_md and changes it so that it calls
      dm_get while holding the lock.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66c4b517
    • Darrick J. Wong's avatar
      dm io: reject unsupported DISCARD requests with EOPNOTSUPP · e2fed6e5
      Darrick J. Wong authored
      commit 37527b86 upstream.
      
      I created a dm-raid1 device backed by a device that supports DISCARD
      and another device that does NOT support DISCARD with the following
      dm configuration:
      
       #  echo '0 2048 mirror core 1 512 2 /dev/sda 0 /dev/sdb 0' | dmsetup create moo
       # lsblk -D
       NAME         DISC-ALN DISC-GRAN DISC-MAX DISC-ZERO
       sda                 0        4K       1G         0
       `-moo (dm-0)        0        4K       1G         0
       sdb                 0        0B       0B         0
       `-moo (dm-0)        0        4K       1G         0
      
      Notice that the mirror device /dev/mapper/moo advertises DISCARD
      support even though one of the mirror halves doesn't.
      
      If I issue a DISCARD request (via fstrim, mount -o discard, or ioctl
      BLKDISCARD) through the mirror, kmirrord gets stuck in an infinite
      loop in do_region() when it tries to issue a DISCARD request to sdb.
      The problem is that when we call do_region() against sdb, num_sectors
      is set to zero because q->limits.max_discard_sectors is zero.
      Therefore, "remaining" never decreases and the loop never terminates.
      
      To fix this: before entering the loop, check for the combination of
      REQ_DISCARD and no discard and return -EOPNOTSUPP to avoid hanging up
      the mirror device.
      
      This bug was found by the unfortunate coincidence of pvmove and a
      discard operation in the RHEL 6.5 kernel; upstream is also affected.
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Acked-by: default avatar"Martin K. Petersen" <martin.petersen@oracle.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e2fed6e5
    • Mikulas Patocka's avatar
      dm mirror: do not degrade the mirror on discard error · 65a93539
      Mikulas Patocka authored
      commit f2ed51ac upstream.
      
      It may be possible that a device claims discard support but it rejects
      discards with -EOPNOTSUPP.  It happens when using loopback on ext2/ext3
      filesystem driven by the ext4 driver.  It may also happen if the
      underlying devices are moved from one disk on another.
      
      If discard error happens, we reject the bio with -EOPNOTSUPP, but we do
      not degrade the array.
      
      This patch fixes failed test shell/lvconvert-repair-transient.sh in the
      lvm2 testsuite if the testsuite is extracted on an ext2 or ext3
      filesystem and it is being driven by the ext4 driver.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      65a93539
    • Ian Abbott's avatar
      staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back · 31e5cd3b
      Ian Abbott authored
      commit 42b8ce6f upstream.
      
      `do_cmd_ioctl()` in "comedi_fops.c" handles the `COMEDI_CMD` ioctl.
      This returns `-EAGAIN` if it has copied a modified `struct comedi_cmd`
      back to user-space.  (This occurs when the low-level Comedi driver's
      `do_cmdtest()` handler returns non-zero to indicate a problem with the
      contents of the `struct comedi_cmd`, or when the `struct comedi_cmd` has
      the `CMDF_BOGUS` flag set.)
      
      `compat_cmd()` in "comedi_compat32.c" handles the 32-bit compatible
      version of the `COMEDI_CMD` ioctl.  Currently, it never copies a 32-bit
      compatible version of `struct comedi_cmd` back to user-space, which is
      at odds with the way the regular `COMEDI_CMD` ioctl is handled.  To fix
      it, change `compat_cmd()` to copy a 32-bit compatible version of the
      `struct comedi_cmd` back to user-space when the main ioctl handler
      returns `-EAGAIN`.
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Reviewed-by: default avatarH Hartley Sweeten <hsweeten@visionengravers.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      31e5cd3b
    • Chen-Yu Tsai's avatar
      clk: sunxi: Support factor clocks with N factor starting not from 0 · 5fcb7748
      Chen-Yu Tsai authored
      commit 9a5e6c7e upstream.
      
      The PLLs on newer Allwinner SoC's, such as the A31 and A23, have a
      N multiplier factor that starts from 1, not 0.
      
      This patch adds an option to the factor clk driver's config data
      structures to specify the base value of N.
      Signed-off-by: default avatarChen-Yu Tsai <wens@csie.org>
      Acked-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5fcb7748
    • Hans de Goede's avatar
      sunxi: clk: Set sun6i-pll1 n_start = 1 · c52b5661
      Hans de Goede authored
      commit 76820fcf upstream.
      
      For all pll-s on sun6i n == 0 means use a multiplier of 1, rather then 0 as
      it means on sun4i / sun5i / sun7i. n_start = 1 is already correctly set
      for sun6i pll6, but was missing for pll1, this commit fixes this.
      
      Cc: Chen-Yu Tsai <wens@csie.org>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c52b5661
    • Soren Brinkmann's avatar
      clk: zynq: Force CPU_2X clock to be ungated · dc2301c7
      Soren Brinkmann authored
      commit 3dccfecd upstream.
      
      The CPU_2X clock does not have a classical in-kernel user, but is,
      amongst other things, required for OCM and debug access. Make sure this
      clock is not mistakenly disabled during boot up by enabling it in the
      platform's clock driver.
      
      Fixes: 0ee52b15 'clk: zynq: Add clock controller driver'
      Signed-off-by: default avatarSoren Brinkmann <soren.brinkmann@xilinx.com>
      Signed-off-by: default avatarMichael Turquette <mturquette@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dc2301c7
    • Minh Duc Tran's avatar
      fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather... · 0457b985
      Minh Duc Tran authored
      fixed invalid assignment of 64bit mask to host dma_boundary for scatter gather segment boundary limit.
      
      commit f76a610a upstream.
      
      In reference to bug https://bugzilla.redhat.com/show_bug.cgi?id=1097141
      Assert is seen with AMD cpu whenever calling pci_alloc_consistent.
      
      [   29.406183] ------------[ cut here ]------------
      [   29.410505] kernel BUG at lib/iommu-helper.c:13!
      Signed-off-by: default avatarMinh Tran <minh.tran@emulex.com>
      Fixes: 6733b39aSigned-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      0457b985
    • Ryusuke Konishi's avatar
      nilfs2: fix potential memory overrun on inode · ce084ba5
      Ryusuke Konishi authored
      commit 957ed60b upstream.
      
      Each inode of nilfs2 stores a root node of a b-tree, and it turned out to
      have a memory overrun issue:
      
      Each b-tree node of nilfs2 stores a set of key-value pairs and the number
      of them (in "bn_nchildren" member of nilfs_btree_node struct), as well as
      a few other "bn_*" members.
      
      Since the value of "bn_nchildren" is used for operations on the key-values
      within the b-tree node, it can cause memory access overrun if a large
      number is incorrectly set to "bn_nchildren".
      
      For instance, nilfs_btree_node_lookup() function determines the range of
      binary search with it, and too large "bn_nchildren" leads
      nilfs_btree_node_get_key() in that function to overrun.
      
      As for intermediate b-tree nodes, this is prevented by a sanity check
      performed when each node is read from a drive, however, no sanity check
      has been done for root nodes stored in inodes.
      
      This patch fixes the issue by adding missing sanity check against b-tree
      root nodes so that it's called when on-memory inodes are read from ifile,
      inode metadata file.
      Signed-off-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ce084ba5