1. 14 Mar, 2013 40 commits
    • Sean Connor's avatar
      ALSA: ice1712: Initialize card->private_data properly · e54d986a
      Sean Connor authored
      commit 69a4cfdd upstream.
      
      Set card->private_data in snd_ice1712_create for fixing NULL
      dereference in snd_ice1712_remove().
      Signed-off-by: default avatarSean Connor <sconnor004@allyinics.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e54d986a
    • Ben Hutchings's avatar
      dmi_scan: fix missing check for _DMI_ signature in smbios_present() · 0bb19997
      Ben Hutchings authored
      commit a40e7cf8 upstream.
      
      Commit 9f9c9cbb ("drivers/firmware/dmi_scan.c: fetch dmi version
      from SMBIOS if it exists") hoisted the check for "_DMI_" into
      dmi_scan_machine(), which means that we don't bother to check for
      "_DMI_" at offset 16 in an SMBIOS entry.  smbios_present() may also call
      dmi_present() for an address where we found "_SM_", if it failed further
      validation.
      
      Check for "_DMI_" in smbios_present() before calling dmi_present().
      
      [akpm@linux-foundation.org: fix build]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Reported-by: default avatarTim McGrath <tmhikaru@gmail.com>
      Tested-by: default avatarTim Mcgrath <tmhikaru@gmail.com>
      Cc: Zhenzhong Duan <zhenzhong.duan@oracle.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0bb19997
    • Peter Hurley's avatar
      ipc: don't allocate a copy larger than max · f273e025
      Peter Hurley authored
      commit 88b9e456 upstream.
      
      When MSG_COPY is set, a duplicate message must be allocated for the copy
      before locking the queue.  However, the copy could not be larger than was
      sent which is limited to msg_ctlmax.
      Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Acked-by: default avatarStanislav Kinsbursky <skinsbursky@parallels.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f273e025
    • Peter Hurley's avatar
      ipc: fix potential oops when src msg > 4k w/ MSG_COPY · 32b25b63
      Peter Hurley authored
      commit e1082f45 upstream.
      
      If the src msg is > 4k, then dest->next points to the
      next allocated segment; resetting it just prior to dereferencing
      is bad.
      Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Acked-by: default avatarStanislav Kinsbursky <skinsbursky@parallels.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      32b25b63
    • Patrik Jakobsson's avatar
      drm/i915: Turn off hsync and vsync on ADPA when disabling crt · aaf4a851
      Patrik Jakobsson authored
      commit f40ebd6b upstream.
      
      According to PRM we need to disable hsync and vsync even though ADPA is
      disabled. The previous code did infact do the opposite so we fix it.
      Signed-off-by: default avatarPatrik Jakobsson <patrik.r.jakobsson@gmail.com>
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=56359Tested-by: default avatarmax <manikulin@gmail.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aaf4a851
    • Daniel Vetter's avatar
      drm/i915: enable irqs earlier when resuming · 31f14f42
      Daniel Vetter authored
      commit 15239099 upstream.
      
      We need it to restore the ilk rc6 context, since the gpu wait no
      requires interrupts. But in general having interrupts around should
      help in code sanity, since more and more stuff is interrupt driven.
      
      This regression has been introduced in
      
      commit 3e960501
      Author: Chris Wilson <chris@chris-wilson.co.uk>
      Date:   Tue Nov 27 16:22:54 2012 +0000
      
          drm/i915: Rearrange code to only have a single method for waiting upon the ring
      
      Like in the driver load code we need to make sure that hotplug
      interrupts don't cause havoc with our modeset state, hence block them
      with the existing infrastructure. Again we ignore races where we might
      loose hotplug interrupts ...
      
      Note that the driver load part of the regression has already been
      fixed in
      
      commit 52d7eced
      Author: Daniel Vetter <daniel.vetter@ffwll.ch>
      Date:   Sat Dec 1 21:03:22 2012 +0100
      
          drm/i915: reorder setup sequence to have irqs for output setup
      
      v2: Add a note to the commit message about which patch fixed the
      driver load part of the regression. Stable kernels need to backport
      both patches.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=54691
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Mika Kuoppala <mika.kuoppala@intel.com>
      Reported-and-Tested-by: default avatarIlya Tumaykin <itumaykin@gmail.com>
      Reviewed-by: Chris wilson <chris@chris-wilson.co.uk> (v1)
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      31f14f42
    • Daniel Vetter's avatar
      drm/i915: reorder setup sequence to have irqs for output setup · 2a981044
      Daniel Vetter authored
      commit 52d7eced upstream.
      
      Otherwise the new&shiny irq-driven gmbus and dp aux code won't work that
      well. Noticed since the dp aux code doesn't have an automatic fallback
      with a timeout (since the hw provides for that already).
      
      v2: Simple move drm_irq_install before intel_modeset_gem_init, as
      suggested by Ben Widawsky.
      
      v3: Now that interrupts are enabled before all connectors are fully
      set up, we might fall over serving a HPD interrupt while things are
      still being set up. Instead of jumping through massive hoops and
      complicating the code with a separate hpd irq enable step, simply
      block out the hotplug work item from doing anything until things are
      in place.
      
      v4: Actually, we can enable hotplug processing only after the fbdev is
      fully set up, since we call down into the fbdev from the hotplug work
      functions. So stick the hpd enabling right next to the poll helper
      initialization.
      
      v5: We need to enable irqs before intel_modeset_init, since that
      function sets up the outputs.
      
      v6: Fixup cleanup sequence, too.
      Reviewed-by: default avatarImre Deak <imre.deak@intel.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2a981044
    • Kenneth Graunke's avatar
      drm/i915: Fix Haswell/CRW PCI IDs. · f49b7242
      Kenneth Graunke authored
      commit 86c268ed upstream.
      
      The second digit was off by one, which meant we accidentally treated
      GT(n) as GT(n-1).  This also meant no support for GT1 at all.
      Signed-off-by: default avatarKenneth Graunke <kenneth@whitecape.org>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f49b7242
    • Stéphane Marchesin's avatar
      drm/i915: Increase the RC6p threshold. · 57a2ae96
      Stéphane Marchesin authored
      commit 0920a487 upstream.
      
      This increases GEN6_RC6p_THRESHOLD from 100000 to 150000. For some
      reason this avoids the gen6_gt_check_fifodbg.isra warnings and
      associated GPU lockups, which makes my ivy bridge machine stable.
      Signed-off-by: default avatarStéphane Marchesin <marcheu@chromium.org>
      Acked-by: default avatarJesse Barnes <jbarnes@virtuousgeek.org>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      57a2ae96
    • Will Deacon's avatar
      ARM: 7663/1: perf: fix ARMv7 EVTYPE_MASK to include NSH bit · 424c6185
      Will Deacon authored
      commit f2fe09b0 upstream.
      
      Masked out PMXEVTYPER.NSH means that we can't enable profiling at PL2,
      regardless of the settings in the HDCR.
      
      This patch fixes the broken mask.
      Reported-by: default avatarChristoffer Dall <cdall@cs.columbia.edu>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      424c6185
    • Will Deacon's avatar
      ARM: 7659/1: mm: make mm->context.id an atomic64_t variable · 9f400745
      Will Deacon authored
      commit 8a4e3a9e upstream.
      
      mm->context.id is updated under asid_lock when a new ASID is allocated
      to an mm_struct. However, it is also read without the lock when a task
      is being scheduled and checking whether or not the current ASID
      generation is up-to-date.
      
      If two threads of the same process are being scheduled in parallel and
      the bottom bits of the generation in their mm->context.id match the
      current generation (that is, the mm_struct has not been used for ~2^24
      rollovers) then the non-atomic, lockless access to mm->context.id may
      yield the incorrect ASID.
      
      This patch fixes this issue by making mm->context.id and atomic64_t,
      ensuring that the generation is always read consistently. For code that
      only requires access to the ASID bits (e.g. TLB flushing by mm), then
      the value is accessed directly, which GCC converts to an ldrb.
      Reviewed-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9f400745
    • Will Deacon's avatar
      ARM: 7658/1: mm: fix race updating mm->context.id on ASID rollover · 810f6379
      Will Deacon authored
      commit 37f47e3d upstream.
      
      If a thread triggers an ASID rollover, other threads of the same process
      must be made to wait until the mm->context.id for the shared mm_struct
      has been updated to new generation and associated book-keeping (e.g.
      TLB invalidation) has ben performed.
      
      However, there is a *tiny* window where both mm->context.id and the
      relevant active_asids entry are updated to the new generation, but the
      TLB flush has not been performed, which could allow another thread to
      return to userspace with a dirty TLB, potentially leading to data
      corruption. In reality this will never occur because one CPU would need
      to perform a context-switch in the time it takes another to do a couple
      of atomic test/set operations but we should plug the race anyway.
      
      This patch moves the active_asids update until after the potential TLB
      flush on context-switch.
      Reviewed-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      810f6379
    • Will Deacon's avatar
      ARM: 7657/1: head: fix swapper and idmap population with LPAE and big-endian · 2eef33c7
      Will Deacon authored
      commit d61947a1 upstream.
      
      The LPAE page table format uses 64-bit descriptors, so we need to take
      endianness into account when populating the swapper and idmap tables
      during early initialisation.
      
      This patch ensures that we store the two words making up each page table
      entry in the correct order when running big-endian.
      Acked-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Tested-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2eef33c7
    • Alex Deucher's avatar
      drm/radeon: add primary dac adj quirk for R200 board · ffa812bb
      Alex Deucher authored
      commit e8fc4137 upstream.
      
      vbios values are wrong leading to colors that are
      too bright.  Use the default values instead.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ffa812bb
    • Alex Deucher's avatar
      drm/radeon: don't set hpd, afmt interrupts when interrupts are disabled · dad07bf9
      Alex Deucher authored
      commit cc9945bf upstream.
      
      Avoids splatter if the interrupt handler is not registered due
      to acceleration being disabled.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Reviewed-by: default avatarJerome Glisse <jglisse@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dad07bf9
    • Guenter Roeck's avatar
      hwmon: (pmbus/ltc2978) Use detected chip ID to select supported functionality · 1dde5a36
      Guenter Roeck authored
      commit f366fccd upstream.
      
      We read the chip ID from the chip, use it to determine if the chip ID provided
      to the driver is correct, and report it if wrong. We should also use the
      correct chip ID to select supported functionality.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Acked-by: default avatarJean Delvare <khali@linux-fr.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1dde5a36
    • Guenter Roeck's avatar
      hwmon: (pmbus/ltc2978) Fix peak attribute handling · 4404ee44
      Guenter Roeck authored
      commit dbd712c2 upstream.
      
      Peak attributes were not initialized and cleared correctly.
      Also, temp2_max is only supported on page 0 and thus does not need to be
      an array.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Acked-by: default avatarJean Delvare <khali@linux-fr.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4404ee44
    • Mark Brown's avatar
      hwmon: (sht15) Check return value of regulator_enable() · 6d29c5ec
      Mark Brown authored
      commit 3e78080f upstream.
      
      Not having power is a pretty serious error so check that we are able to
      enable the supply and error out if we can't.
      Signed-off-by: default avatarMark Brown <broonie@opensource.wolfsonmicro.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      6d29c5ec
    • NeilBrown's avatar
      md/raid1,raid10: fix deadlock with freeze_array() · 71192d46
      NeilBrown authored
      commit ee0b0244 upstream.
      
      When raid1/raid10 needs to fix a read error, it first drains
      all pending requests by calling freeze_array().
      This calls flush_pending_writes() if it needs to sleep,
      but some writes may be pending in a per-process plug rather
      than in the per-array request queue.
      
      When raid1{,0}_unplug() moves the request from the per-process
      plug to the per-array request queue (from which
      flush_pending_writes() can flush them), it needs to wake up
      freeze_array(), or freeze_array() will never flush them and so
      it will block forever.
      
      So add the requires wake_up() calls.
      
      This bug was introduced by commit
         f54a9d0e
      for raid1 and a similar commit for RAID10, and so has been present
      since linux-3.6.  As the bug causes a deadlock I believe this fix is
      suitable for -stable.
      Reported-by: default avatarTregaron Bayly <tbayly@bluehost.com>
      Tested-by: default avatarTregaron Bayly <tbayly@bluehost.com>
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      71192d46
    • NeilBrown's avatar
      md: raid0: fix error return from create_stripe_zones. · 5260b2b5
      NeilBrown authored
      commit 58ebb34c upstream.
      
      Create_stripe_zones returns an error slightly differently to
      raid0_run and to raid0_takeover_*.
      
      The error returned used by the second was wrong and an error would
      result in mddev->private being set to NULL and sooner or later a
      crash.
      
      So never return NULL, return ERR_PTR(err), not NULL from
      create_stripe_zones.
      
      This bug has been present since 2.6.35 so the fix is suitable
      for any kernel since then.
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5260b2b5
    • NeilBrown's avatar
      md: fix two bugs when attempting to resize RAID0 array. · cac9a265
      NeilBrown authored
      commit a6468539 upstream.
      
      You cannot resize a RAID0 array (in terms of making the devices
      bigger), but the code doesn't entirely stop you.
      So:
      
       disable setting of the available size on each device for
       RAID0 and Linear devices.  This must not change as doing so
       can change the effective layout of data.
      
       Make sure that the size that raid0_size() reports is accurate,
       but rounding devices sizes to chunk sizes.  As the device sizes
       cannot change now, this isn't so important, but it is best to be
       safe.
      
      Without this change:
        mdadm --grow /dev/md0 -z max
        mdadm --grow /dev/md0 -Z max
        then read to the end of the array
      
      can cause a BUG in a RAID0 array.
      
      These bugs have been present ever since it became possible
      to resize any device, which is a long time.  So the fix is
      suitable for any -stable kerenl.
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cac9a265
    • Sebastian Riemer's avatar
      md: protect against crash upon fsync on ro array · 22c776d6
      Sebastian Riemer authored
      commit bbfa57c0 upstream.
      
      If an fsync occurs on a read-only array, we need to send a
      completion for the IO and may not increment the active IO count.
      Otherwise, we hit a bug trace and can't stop the MD array anymore.
      
      By advice of Christoph Hellwig we return success upon a flush
      request but we return -EROFS for other writes.
      We detect flush requests by checking if the bio has zero sectors.
      
      This patch is suitable to any -stable kernel to which it applies.
      Signed-off-by: default avatarSebastian Riemer <sebastian.riemer@profitbricks.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: Ben Hutchings <ben@decadent.org.uk>
      Cc: NeilBrown <neilb@suse.de>
      Reported-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Acked-by: default avatarPaul Menzel <paulepanter@users.sourceforge.net>
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      22c776d6
    • Frederic Weisbecker's avatar
      nohz: Make tick_nohz_irq_exit() irq safe · 0cb205ec
      Frederic Weisbecker authored
      commit e5ab012c upstream.
      
      As it stands, irq_exit() may or may not be called with
      irqs disabled, depending on __ARCH_IRQ_EXIT_IRQS_DISABLED
      that the arch can define.
      
      It makes tick_nohz_irq_exit() unsafe. For example two
      interrupts can race in tick_nohz_stop_sched_tick(): the inner
      most one computes the expiring time on top of the timer list,
      then it's interrupted right before reprogramming the
      clock. The new interrupt enqueues a new timer list timer,
      it reprogram the clock to take it into account and it exits.
      The CPUs resumes the inner most interrupt and performs the clock
      reprogramming without considering the new timer list timer.
      
      This regression has been introduced by:
           280f0677
           ("nohz: Separate out irq exit and idle loop dyntick logic")
      
      Let's fix it right now with the appropriate protections.
      
      A saner long term solution will be to remove
      __ARCH_IRQ_EXIT_IRQS_DISABLED and mandate that irq_exit() is called
      with interrupts disabled.
      Signed-off-by: default avatarFrederic Weisbecker <fweisbec@gmail.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Linus Torvalds <torvalds@linuxfoundation.org>
      Link: http://lkml.kernel.org/r/1361373336-11337-1-git-send-email-fweisbec@gmail.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0cb205ec
    • Kees Cook's avatar
      proc connector: reject unprivileged listener bumps · 5836682c
      Kees Cook authored
      commit e70ab977 upstream.
      
      While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
      for an unprivileged user to turn off notifications for all listeners by
      sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
      required for a multicast bind.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Evgeniy Polyakov <zbr@ioremap.net>
      Cc: Matt Helsley <matthltc@us.ibm.com>
      Acked-by: default avatarEvgeniy Polyakov <zbr@ioremap.net>
      Acked-by: default avatarMatt Helsley <matthltc@us.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5836682c
    • Felix Fietkau's avatar
      ath9k_hw: improve reset reliability after errors · a9382b77
      Felix Fietkau authored
      commit 3412f2f0 upstream.
      
      On many different chips, important aspects of the MAC state are not
      fully cleared by a warm reset. This can show up as tx/rx hangs, those
      annoying "DMA failed to stop in 10 ms..." messages or other quirks.
      
      On AR933x, the chip can occasionally get stuck in a way that only a
      driver unload/reload or a reboot would bring it back to life.
      
      With this patch, a full reset is issued when bringing the chip out of
      FULL-SLEEP state (after idle), or if either Rx or Tx was not shut down
      properly. This makes the DMA related error messages disappear completely
      in my tests on AR933x, and the chip does not get stuck anymore.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a9382b77
    • Felix Fietkau's avatar
      ath9k_htc: fix signal strength handling issues · 97fe3c32
      Felix Fietkau authored
      commit 838f4279 upstream.
      
      The ath9k commit 2ef16755
      (ath9k: fix signal strength reporting issues) fixed an issue where the
      reported per-frame signal strength reported to mac80211 was being
      overwritten with an internal average. The same issue is also present
      in ath9k_htc.
      In addition to preventing the driver from overwriting the value, this
      commit also ensures that the internal average (which is used for ANI)
      only tracks beacons of the AP that we're connected to.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      97fe3c32
    • Felix Fietkau's avatar
      ath9k: fix RSSI dummy marker value · 7e928048
      Felix Fietkau authored
      commit a3d63cad upstream.
      
      RSSI is being stored internally as s8 in several places. The indication
      of an unset RSSI value, ATH_RSSI_DUMMY_MARKER, was supposed to have been
      set to 127, but ended up being set to 0x127 because of a code cleanup
      mistake. This could lead to invalid signal strength values in a few
      places.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7e928048
    • Bing Zhao's avatar
      libertas: fix crash for SD8688 · 556b1db4
      Bing Zhao authored
      commit 46602698 upstream.
      
      For SD8688, FUNC_INIT command is queued before fw_ready flag is
      set. This causes the following crash as lbs_thread blocks any
      command if fw_ready is not set.
      
      [  209.338953] [<c0502248>] (__schedule+0x610/0x764) from [<bf20ae24>] (__lbs_cmd+0xb8/0x130 [libertas])
      [  209.348340] [<bf20ae24>] (__lbs_cmd+0xb8/0x130 [libertas]) from [<bf222474>] (if_sdio_finish_power_on+0xec/0x1b0 [libertas_sdio])
      [  209.360136] [<bf222474>] (if_sdio_finish_power_on+0xec/0x1b0 [libertas_sdio]) from [<bf2226c4>] (if_sdio_power_on+0x18c/0x20c [libertas_sdio])
      [  209.373052] [<bf2226c4>] (if_sdio_power_on+0x18c/0x20c [libertas_sdio]) from [<bf222944>] (if_sdio_probe+0x200/0x31c [libertas_sdio])
      [  209.385316] [<bf222944>] (if_sdio_probe+0x200/0x31c [libertas_sdio]) from [<bf01d820>] (sdio_bus_probe+0x94/0xfc [mmc_core])
      [  209.396748] [<bf01d820>] (sdio_bus_probe+0x94/0xfc [mmc_core]) from [<c02e729c>] (driver_probe_device+0x12c/0x348)
      [  209.407214] [<c02e729c>] (driver_probe_device+0x12c/0x348) from [<c02e7530>] (__driver_attach+0x78/0x9c)
      [  209.416798] [<c02e7530>] (__driver_attach+0x78/0x9c) from [<c02e5658>] (bus_for_each_dev+0x50/0x88)
      [  209.425946] [<c02e5658>] (bus_for_each_dev+0x50/0x88) from [<c02e6810>] (bus_add_driver+0x108/0x268)
      [  209.435180] [<c02e6810>] (bus_add_driver+0x108/0x268) from [<c02e782c>] (driver_register+0xa4/0x134)
      [  209.444426] [<c02e782c>] (driver_register+0xa4/0x134) from [<bf22601c>] (if_sdio_init_module+0x1c/0x3c [libertas_sdio])
      [  209.455339] [<bf22601c>] (if_sdio_init_module+0x1c/0x3c [libertas_sdio]) from [<c00085b8>] (do_one_initcall+0x98/0x174)
      [  209.466236] [<c00085b8>] (do_one_initcall+0x98/0x174) from [<c0076504>] (load_module+0x1c5c/0x1f80)
      [  209.475390] [<c0076504>] (load_module+0x1c5c/0x1f80) from [<c007692c>] (sys_init_module+0x104/0x128)
      [  209.484632] [<c007692c>] (sys_init_module+0x104/0x128) from [<c0008c40>] (ret_fast_syscall+0x0/0x38)
      
      Fix it by setting fw_ready flag prior to queuing FUNC_INIT command.
      Reported-by: default avatarLubomir Rintel <lkundrak@v3.sk>
      Tested-by: default avatarLubomir Rintel <lkundrak@v3.sk>
      Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      556b1db4
    • Avinash Patil's avatar
      mwifiex: correct sleep delay counter · 107725a5
      Avinash Patil authored
      commit 3e7a4ff7 upstream.
      
      Maximum delay for waking up card is 50 ms. Because of typo in
      counter, this delay goes to 500ms. This patch fixes the bug.
      Signed-off-by: default avatarAvinash Patil <patila@marvell.com>
      Signed-off-by: default avatarAmitkumar Karwar <akarwar@marvell.com>
      Signed-off-by: default avatarYogesh Ashok Powar <yogeshp@marvell.com>
      Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      107725a5
    • Johannes Berg's avatar
      iwlwifi: always copy first 16 bytes of commands · 0ad547e7
      Johannes Berg authored
      commit 8a964f44 upstream.
      
      The FH hardware will always write back to the scratch field
      in commands, even host commands not just TX commands, which
      can overwrite parts of the command. This is problematic if
      the command is re-used (with IWL_HCMD_DFL_NOCOPY) and can
      cause calibration issues.
      
      Address this problem by always putting at least the first
      16 bytes into the buffer we also use for the command header
      and therefore make the DMA engine write back into this.
      
      For commands that are smaller than 16 bytes also always map
      enough memory for the DMA engine to write back to.
      Reviewed-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0ad547e7
    • Rusty Russell's avatar
      hw_random: make buffer usable in scatterlist. · ea967e9c
      Rusty Russell authored
      commit f7f154f1 upstream.
      
      virtio_rng feeds the randomness buffer handed by the core directly
      into the scatterlist, since commit bb347d98.
      
      However, if CONFIG_HW_RANDOM=m, the static buffer isn't a linear address
      (at least on most archs).  We could fix this in virtio_rng, but it's actually
      far easier to just do it in the core as virtio_rng would have to allocate
      a buffer every time (it doesn't know how much the core will want to read).
      Reported-by: default avatarAurelien Jarno <aurelien@aurel32.net>
      Tested-by: default avatarAurelien Jarno <aurelien@aurel32.net>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ea967e9c
    • Weston Andros Adamson's avatar
      NFSv4.1: Hold reference to layout hdr in layoutget · 216e4186
      Weston Andros Adamson authored
      commit a47970ff upstream.
      
      This fixes an oops where a LAYOUTGET is in still in the rpciod queue,
      but the requesting processes has been killed.  Without this, killing
      the process does the final pnfs_put_layout_hdr() and sets NFS_I(inode)->layout
      to NULL while the LAYOUTGET rpc task still references it.
      
      Example oops:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
      IP: [<ffffffffa01bd586>] pnfs_choose_layoutget_stateid+0x37/0xef [nfsv4]
      PGD 7365b067 PUD 7365d067 PMD 0
      Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
      Modules linked in: nfs_layout_nfsv41_files nfsv4 auth_rpcgss nfs lockd sunrpc ipt_MASQUERADE ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat nf_nat_ipv4 nf_nat iptable_mangle ip6table_filter ip6_tables ppdev e1000 i2c_piix4 i2c_core shpchp parport_pc parport crc32c_intel aesni_intel xts aes_x86_64 lrw gf128mul ablk_helper cryptd mptspi scsi_transport_spi mptscsih mptbase floppy autofs4
      CPU 0
      Pid: 27, comm: kworker/0:1 Not tainted 3.8.0-dros_cthon2013+ #4 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
      RIP: 0010:[<ffffffffa01bd586>]  [<ffffffffa01bd586>] pnfs_choose_layoutget_stateid+0x37/0xef [nfsv4]
      RSP: 0018:ffff88007b0c1c88  EFLAGS: 00010246
      RAX: ffff88006ed36678 RBX: 0000000000000000 RCX: 0000000ea877e3bc
      RDX: ffff88007a729da8 RSI: 0000000000000000 RDI: ffff88007a72b958
      RBP: ffff88007b0c1ca8 R08: 0000000000000002 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff88007a72b958
      R13: ffff88007a729da8 R14: 0000000000000000 R15: ffffffffa011077e
      FS:  0000000000000000(0000) GS:ffff88007f600000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000080 CR3: 00000000735f8000 CR4: 00000000001407f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process kworker/0:1 (pid: 27, threadinfo ffff88007b0c0000, task ffff88007c2fa0c0)
      Stack:
       ffff88006fc05388 ffff88007a72b908 ffff88007b240900 ffff88006fc05388
       ffff88007b0c1cd8 ffffffffa01a2170 ffff88007b240900 ffff88007b240900
       ffff88007b240970 ffffffffa011077e ffff88007b0c1ce8 ffffffffa0110791
      Call Trace:
       [<ffffffffa01a2170>] nfs4_layoutget_prepare+0x7b/0x92 [nfsv4]
       [<ffffffffa011077e>] ? __rpc_atrun+0x15/0x15 [sunrpc]
       [<ffffffffa0110791>] rpc_prepare_task+0x13/0x15 [sunrpc]
      Reported-by: default avatarTigran Mkrtchyan <tigran.mkrtchyan@desy.de>
      Signed-off-by: default avatarWeston Andros Adamson <dros@netapp.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      216e4186
    • Benny Halevy's avatar
      pnfs: fix resend_to_mds for directio · a6b9a1d3
      Benny Halevy authored
      commit 78f33277 upstream.
      
      Pass the directio request on pageio_init to clean up the API.
      
      Percolate pg_dreq from original nfs_pageio_descriptor to the
      pnfs_{read,write}_done_resend_to_mds and use it on respective
      call to nfs_pageio_init_{read,write} on the newly created
      nfs_pageio_descriptor.
      
      Reproduced by command:
       mount -o vers=4.1 server:/ /mnt
       dd bs=128k count=8 if=/dev/zero of=/mnt/dd.out oflag=direct
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
      IP: [<ffffffffa021a3a8>] atomic_inc+0x4/0x9 [nfs]
      PGD 34786067 PUD 34794067 PMD 0
      Oops: 0002 [#1] SMP
      Modules linked in: nfs_layout_nfsv41_files nfsv4 nfs nfsd lockd nfs_acl auth_rpcgss exportfs sunrpc btrfs zlib_deflate libcrc32c ipv6 autofs4
      CPU 1
      Pid: 259, comm: kworker/1:2 Not tainted 3.8.0-rc6 #2 Bochs Bochs
      RIP: 0010:[<ffffffffa021a3a8>]  [<ffffffffa021a3a8>] atomic_inc+0x4/0x9 [nfs]
      RSP: 0018:ffff880038f8fa68  EFLAGS: 00010206
      RAX: ffffffffa021a6a9 RBX: ffff880038f8fb48 RCX: 00000000000a0000
      RDX: ffffffffa021e616 RSI: ffff8800385e9a40 RDI: 0000000000000028
      RBP: ffff880038f8fa68 R08: ffffffff81ad6720 R09: ffff8800385e9510
      R10: ffffffffa0228450 R11: ffff880038e87418 R12: ffff8800385e9a40
      R13: ffff8800385e9a70 R14: ffff880038f8fb38 R15: ffffffffa0148878
      FS:  0000000000000000(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 0000000000000028 CR3: 0000000034789000 CR4: 00000000000006e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process kworker/1:2 (pid: 259, threadinfo ffff880038f8e000, task ffff880038302480)
      Stack:
       ffff880038f8fa78 ffffffffa021a6bf ffff880038f8fa88 ffffffffa021bb82
       ffff880038f8fae8 ffffffffa021f454 ffff880038f8fae8 ffffffff8109689d
       ffff880038f8fab8 ffffffff00000006 0000000000000000 ffff880038f8fb48
      Call Trace:
       [<ffffffffa021a6bf>] nfs_direct_pgio_init+0x16/0x18 [nfs]
       [<ffffffffa021bb82>] nfs_pgheader_init+0x6a/0x6c [nfs]
       [<ffffffffa021f454>] nfs_generic_pg_writepages+0x51/0xf8 [nfs]
       [<ffffffff8109689d>] ? mark_held_locks+0x71/0x99
       [<ffffffffa0148878>] ? rpc_release_resources_task+0x37/0x37 [sunrpc]
       [<ffffffffa021bc25>] nfs_pageio_doio+0x1a/0x43 [nfs]
       [<ffffffffa021be7c>] nfs_pageio_complete+0x16/0x2c [nfs]
       [<ffffffffa02608be>] pnfs_write_done_resend_to_mds+0x95/0xc5 [nfsv4]
       [<ffffffffa0148878>] ? rpc_release_resources_task+0x37/0x37 [sunrpc]
       [<ffffffffa028e27f>] filelayout_reset_write+0x8c/0x99 [nfs_layout_nfsv41_files]
       [<ffffffffa028e5f9>] filelayout_write_done_cb+0x4d/0xc1 [nfs_layout_nfsv41_files]
       [<ffffffffa024587a>] nfs4_write_done+0x36/0x49 [nfsv4]
       [<ffffffffa021f996>] nfs_writeback_done+0x53/0x1cc [nfs]
       [<ffffffffa021fb1d>] nfs_writeback_done_common+0xe/0x10 [nfs]
       [<ffffffffa028e03d>] filelayout_write_call_done+0x28/0x2a [nfs_layout_nfsv41_files]
       [<ffffffffa01488a1>] rpc_exit_task+0x29/0x87 [sunrpc]
       [<ffffffffa014a0c9>] __rpc_execute+0x11d/0x3cc [sunrpc]
       [<ffffffff810969dc>] ? trace_hardirqs_on_caller+0x117/0x173
       [<ffffffffa014a39f>] rpc_async_schedule+0x27/0x32 [sunrpc]
       [<ffffffffa014a378>] ? __rpc_execute+0x3cc/0x3cc [sunrpc]
       [<ffffffff8105f8c1>] process_one_work+0x226/0x422
       [<ffffffff8105f7f4>] ? process_one_work+0x159/0x422
       [<ffffffff81094757>] ? lock_acquired+0x210/0x249
       [<ffffffffa014a378>] ? __rpc_execute+0x3cc/0x3cc [sunrpc]
       [<ffffffff810600d8>] worker_thread+0x126/0x1c4
       [<ffffffff8105ffb2>] ? manage_workers+0x240/0x240
       [<ffffffff81064ef8>] kthread+0xb1/0xb9
       [<ffffffff81064e47>] ? __kthread_parkme+0x65/0x65
       [<ffffffff815206ec>] ret_from_fork+0x7c/0xb0
       [<ffffffff81064e47>] ? __kthread_parkme+0x65/0x65
      Code: 00 83 38 02 74 12 48 81 4b 50 00 00 01 00 c7 83 60 07 00 00 01 00 00 00 48 89 df e8 55 fe ff ff 5b 41 5c 5d c3 66 90 55 48 89 e5 <f0> ff 07 5d c3 55 48 89 e5 f0 ff 0f 0f 94 c0 84 c0 0f 95 c0 0f
      RIP  [<ffffffffa021a3a8>] atomic_inc+0x4/0x9 [nfs]
       RSP <ffff880038f8fa68>
      CR2: 0000000000000028
      Signed-off-by: default avatarBenny Halevy <bhalevy@tonian.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a6b9a1d3
    • Trond Myklebust's avatar
      SUNRPC: Don't start the retransmission timer when out of socket space · f1c0d40a
      Trond Myklebust authored
      commit a9a6b52e upstream.
      
      If the socket is full, we're better off just waiting until it empties,
      or until the connection is broken. The reason why we generally don't
      want to time out is that the call to xprt->ops->release_xprt() will
      trigger a connection reset, which isn't helpful...
      
      Let's make an exception for soft RPC calls, since they have to provide
      timeout guarantees.
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f1c0d40a
    • Trond Myklebust's avatar
      NFS: Don't allow NFS silly-renamed files to be deleted, no signal · 8a14f843
      Trond Myklebust authored
      commit 5a7a613a upstream.
      
      Commit 73ca1001 broke the code that prevents the client from deleting
      a silly renamed dentry.  This affected "delete on last close"
      semantics as after that commit, nothing prevented removal of
      silly-renamed files.  As a result, a process holding a file open
      could easily get an ESTALE on the file in a directory where some
      other process issued 'rm -rf some_dir_containing_the_file' twice.
      Before the commit, any attempt at unlinking silly renamed files would
      fail inside may_delete() with -EBUSY because of the
      DCACHE_NFSFS_RENAMED flag.  The following testcase demonstrates
      the problem:
        tail -f /nfsmnt/dir/file &
        rm -rf /nfsmnt/dir
        rm -rf /nfsmnt/dir
        # second removal does not fail, 'tail' process receives ESTALE
      
      The problem with the above commit is that it unhashes the old and
      new dentries from the lookup path, even in the normal case when
      a signal is not encountered and it would have been safe to call
      d_move.  Unfortunately the old dentry has the special
      DCACHE_NFSFS_RENAMED flag set on it.  Unhashing has the
      side-effect that future lookups call d_alloc(), allocating a new
      dentry without the special flag for any silly-renamed files.  As a
      result, subsequent calls to unlink silly renamed files do not fail
      but allow the removal to go through.  This will result in ESTALE
      errors for any other process doing operations on the file.
      
      To fix this, go back to using d_move on success.
      For the signal case, it's unclear what we may safely do beyond d_drop.
      Reported-by: default avatarDave Wysochanski <dwysocha@redhat.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Acked-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8a14f843
    • Mikulas Patocka's avatar
      dm snapshot: add missing module aliases · 9de98532
      Mikulas Patocka authored
      commit 23cb2109 upstream.
      
      Add module aliases so that autoloading works correctly if the user
      tries to activate "snapshot-origin" or "snapshot-merge" targets.
      
      Reference: https://bugzilla.redhat.com/889973Reported-by: default avatarChao Yang <chyang@redhat.com>
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9de98532
    • Mike Christie's avatar
      dm: fix limits initialization when there are no data devices · 6d2c84a0
      Mike Christie authored
      commit 87eb5b21 upstream.
      
      dm_calculate_queue_limits will first reset the provided limits to
      defaults using blk_set_stacking_limits; whereby defeating the purpose of
      retaining the original live table's limits -- as was intended via commit
      3ae70656 ("dm: retain table limits when
      swapping to new table with no devices").
      
      Fix this improper limits initialization (in the no data devices case) by
      avoiding the call to dm_calculate_queue_limits.
      
      [patch header revised by Mike Snitzer]
      Signed-off-by: default avatarMike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6d2c84a0
    • Jun'ichi Nomura's avatar
      dm: do not replace bioset for request based dm · f7ed89f0
      Jun'ichi Nomura authored
      commit 16245bdc upstream.
      
      This patch fixes a regression introduced in v3.8, which causes oops
      like this when dm-multipath is used:
      
      general protection fault: 0000 [#1] SMP
      RIP: 0010:[<ffffffff810fe754>]  [<ffffffff810fe754>] mempool_free+0x24/0xb0
      Call Trace:
        <IRQ>
        [<ffffffff81187417>] bio_put+0x97/0xc0
        [<ffffffffa02247a5>] end_clone_bio+0x35/0x90 [dm_mod]
        [<ffffffff81185efd>] bio_endio+0x1d/0x30
        [<ffffffff811f03a3>] req_bio_endio.isra.51+0xa3/0xe0
        [<ffffffff811f2f68>] blk_update_request+0x118/0x520
        [<ffffffff811f3397>] blk_update_bidi_request+0x27/0xa0
        [<ffffffff811f343c>] blk_end_bidi_request+0x2c/0x80
        [<ffffffff811f34d0>] blk_end_request+0x10/0x20
        [<ffffffffa000b32b>] scsi_io_completion+0xfb/0x6c0 [scsi_mod]
        [<ffffffffa000107d>] scsi_finish_command+0xbd/0x120 [scsi_mod]
        [<ffffffffa000b12f>] scsi_softirq_done+0x13f/0x160 [scsi_mod]
        [<ffffffff811f9fd0>] blk_done_softirq+0x80/0xa0
        [<ffffffff81044551>] __do_softirq+0xf1/0x250
        [<ffffffff8142ee8c>] call_softirq+0x1c/0x30
        [<ffffffff8100420d>] do_softirq+0x8d/0xc0
        [<ffffffff81044885>] irq_exit+0xd5/0xe0
        [<ffffffff8142f3e3>] do_IRQ+0x63/0xe0
        [<ffffffff814257af>] common_interrupt+0x6f/0x6f
        <EOI>
        [<ffffffffa021737c>] srp_queuecommand+0x8c/0xcb0 [ib_srp]
        [<ffffffffa0002f18>] scsi_dispatch_cmd+0x148/0x310 [scsi_mod]
        [<ffffffffa000a38e>] scsi_request_fn+0x31e/0x520 [scsi_mod]
        [<ffffffff811f1e57>] __blk_run_queue+0x37/0x50
        [<ffffffff811f1f69>] blk_delay_work+0x29/0x40
        [<ffffffff81059003>] process_one_work+0x1c3/0x5c0
        [<ffffffff8105b22e>] worker_thread+0x15e/0x440
        [<ffffffff8106164b>] kthread+0xdb/0xe0
        [<ffffffff8142db9c>] ret_from_fork+0x7c/0xb0
      
      The regression was introduced by the change
      c0820cf5 "dm: introduce per_bio_data", where dm started to replace
      bioset during table replacement.
      For bio-based dm, it is good because clone bios do not exist during the
      table replacement.
      For request-based dm, however, (not-yet-mapped) clone bios may stay in
      request queue and survive during the table replacement.
      So freeing the old bioset could cause the oops in bio_put().
      
      Since the size of front_pad may change only with bio-based dm,
      it is not necessary to replace bioset for request-based dm.
      Reported-by: default avatarBart Van Assche <bvanassche@acm.org>
      Tested-by: default avatarBart Van Assche <bvanassche@acm.org>
      Signed-off-by: default avatarJun'ichi Nomura <j-nomura@ce.jp.nec.com>
      Acked-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Acked-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f7ed89f0
    • Mikulas Patocka's avatar
      dm: fix truncated status strings · a9317072
      Mikulas Patocka authored
      commit fd7c092e upstream.
      
      Avoid returning a truncated table or status string instead of setting
      the DM_BUFFER_FULL_FLAG when the last target of a table fills the
      buffer.
      
      When processing a table or status request, the function retrieve_status
      calls ti->type->status. If ti->type->status returns non-zero,
      retrieve_status assumes that the buffer overflowed and sets
      DM_BUFFER_FULL_FLAG.
      
      However, targets don't return non-zero values from their status method
      on overflow. Most targets returns always zero.
      
      If a buffer overflow happens in a target that is not the last in the
      table, it gets noticed during the next iteration of the loop in
      retrieve_status; but if a buffer overflow happens in the last target, it
      goes unnoticed and erroneously truncated data is returned.
      
      In the current code, the targets behave in the following way:
      * dm-crypt returns -ENOMEM if there is not enough space to store the
        key, but it returns 0 on all other overflows.
      * dm-thin returns errors from the status method if a disk error happened.
        This is incorrect because retrieve_status doesn't check the error
        code, it assumes that all non-zero values mean buffer overflow.
      * all the other targets always return 0.
      
      This patch changes the ti->type->status function to return void (because
      most targets don't use the return code). Overflow is detected in
      retrieve_status: if the status method fills up the remaining space
      completely, it is assumed that buffer overflow happened.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a9317072
    • Jeff Layton's avatar
      cifs: ensure that cifs_get_root() only traverses directories · ceab37b0
      Jeff Layton authored
      commit ce2ac521 upstream.
      
      Kjell Braden reported this oops:
      
      [  833.211970] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [  833.212816] IP: [<          (null)>]           (null)
      [  833.213280] PGD 1b9b2067 PUD e9f7067 PMD 0
      [  833.213874] Oops: 0010 [#1] SMP
      [  833.214344] CPU 0
      [  833.214458] Modules linked in: des_generic md4 nls_utf8 cifs vboxvideo drm snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq bnep rfcomm snd_timer bluetooth snd_seq_device ppdev snd vboxguest parport_pc joydev mac_hid soundcore snd_page_alloc psmouse i2c_piix4 serio_raw lp parport usbhid hid e1000
      [  833.215629]
      [  833.215629] Pid: 1752, comm: mount.cifs Not tainted 3.0.0-rc7-bisectcifs-fec11dd9+ #18 innotek GmbH VirtualBox/VirtualBox
      [  833.215629] RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
      [  833.215629] RSP: 0018:ffff8800119c9c50  EFLAGS: 00010282
      [  833.215629] RAX: ffffffffa02186c0 RBX: ffff88000c427780 RCX: 0000000000000000
      [  833.215629] RDX: 0000000000000000 RSI: ffff88000c427780 RDI: ffff88000c4362e8
      [  833.215629] RBP: ffff8800119c9c88 R08: ffff88001fc15e30 R09: 00000000d69515c7
      [  833.215629] R10: ffffffffa0201972 R11: ffff88000e8f6a28 R12: ffff88000c4362e8
      [  833.215629] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88001181aaa6
      [  833.215629] FS:  00007f2986171700(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000
      [  833.215629] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  833.215629] CR2: 0000000000000000 CR3: 000000001b982000 CR4: 00000000000006f0
      [  833.215629] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  833.215629] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [  833.215629] Process mount.cifs (pid: 1752, threadinfo ffff8800119c8000, task ffff88001c1c16f0)
      [  833.215629] Stack:
      [  833.215629]  ffffffff8116a9b5 ffff8800119c9c88 ffffffff81178075 0000000000000286
      [  833.215629]  0000000000000000 ffff88000c4276c0 ffff8800119c9ce8 ffff8800119c9cc8
      [  833.215629]  ffffffff8116b06e ffff88001bc6fc00 ffff88000c4276c0 ffff88000c4276c0
      [  833.215629] Call Trace:
      [  833.215629]  [<ffffffff8116a9b5>] ? d_alloc_and_lookup+0x45/0x90
      [  833.215629]  [<ffffffff81178075>] ? d_lookup+0x35/0x60
      [  833.215629]  [<ffffffff8116b06e>] __lookup_hash.part.14+0x9e/0xc0
      [  833.215629]  [<ffffffff8116b1d6>] lookup_one_len+0x146/0x1e0
      [  833.215629]  [<ffffffff815e4f7e>] ? _raw_spin_lock+0xe/0x20
      [  833.215629]  [<ffffffffa01eef0d>] cifs_do_mount+0x26d/0x500 [cifs]
      [  833.215629]  [<ffffffff81163bd3>] mount_fs+0x43/0x1b0
      [  833.215629]  [<ffffffff8117d41a>] vfs_kern_mount+0x6a/0xd0
      [  833.215629]  [<ffffffff8117e584>] do_kern_mount+0x54/0x110
      [  833.215629]  [<ffffffff8117fdc2>] do_mount+0x262/0x840
      [  833.215629]  [<ffffffff81108a0e>] ? __get_free_pages+0xe/0x50
      [  833.215629]  [<ffffffff8117f9ca>] ? copy_mount_options+0x3a/0x180
      [  833.215629]  [<ffffffff8118075d>] sys_mount+0x8d/0xe0
      [  833.215629]  [<ffffffff815ece82>] system_call_fastpath+0x16/0x1b
      [  833.215629] Code:  Bad RIP value.
      [  833.215629] RIP  [<          (null)>]           (null)
      [  833.215629]  RSP <ffff8800119c9c50>
      [  833.215629] CR2: 0000000000000000
      [  833.238525] ---[ end trace ec00758b8d44f529 ]---
      
      When walking down the path on the server, it's possible to hit a
      symlink. The path walking code assumes that the caller will handle that
      situation properly, but cifs_get_root() isn't set up for it. This patch
      prevents the oops by simply returning an error.
      
      A better solution would be to try and chase the symlinks here, but that's
      fairly complicated to handle.
      
      Fixes:
      
          https://bugzilla.kernel.org/show_bug.cgi?id=53221Reported-and-tested-by: default avatarKjell Braden <afflux@pentabarf.de>
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ceab37b0