1. 13 Oct, 2013 40 commits
    • Josef Bacik's avatar
      Btrfs: skip subvol entries when checking if we've created a dir already · 0ac5762c
      Josef Bacik authored
      commit a0525414 upstream.
      
      We have logic to see if we've already created a parent directory by check to see
      if an inode inside of that directory has a lower inode number than the one we
      are currently processing.  The logic is that if there is a lower inode number
      then we would have had to made sure the directory was created at that previous
      point.  The problem is that subvols inode numbers count from the lowest objectid
      in the root tree, which may be less than our current progress.  So just skip if
      our dir item key is a root item.  This fixes the original test and the xfstest
      version I made that added an extra subvol create.  Thanks,
      Reported-by: default avatarEmil Karlson <jekarlson@gmail.com>
      Signed-off-by: default avatarJosef Bacik <jbacik@fusionio.com>
      Signed-off-by: default avatarChris Mason <chris.mason@fusionio.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0ac5762c
    • Josef Bacik's avatar
      Btrfs: change how we queue blocks for backref checking · 34aa872c
      Josef Bacik authored
      commit b6c60c80 upstream.
      
      Previously we only added blocks to the list to have their backrefs checked if
      the level of the block is right above the one we are searching for.  This is
      because we want to make sure we don't add the entire path up to the root to the
      lists to make sure we process things one at a time.  This assumes that if any
      blocks in the path to the root are going to be not checked (shared in other
      words) then they will be in the level right above the current block on up.  This
      isn't quite right though since we can have blocks higher up the list that are
      shared because they are attached to a reloc root.  But we won't add this block
      to be checked and then later on we will BUG_ON(!upper->checked).  So instead
      keep track of wether or not we've queued a block to be checked in this current
      search, and if we haven't go ahead and queue it to be checked.  This patch fixed
      the panic I was seeing where we BUG_ON(!upper->checked).  Thanks,
      Signed-off-by: default avatarJosef Bacik <jbacik@fusionio.com>
      Signed-off-by: default avatarChris Mason <chris.mason@fusionio.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      34aa872c
    • Martin Schwidefsky's avatar
      s390: fix system call restart after inferior call · 98e00cd8
      Martin Schwidefsky authored
      commit dbbfe487 upstream.
      
      Git commit 61649881 "s390: system call path micro optimization"
      introduced a regression in regard to system call restarting and inferior
      function calls via the ptrace interface. The pointer to the system call
      table needs to be loaded in sysc_sigpending if do_signal returns with
      TIF_SYSCALl set after it restored a system call context.
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      98e00cd8
    • Chris Metcalf's avatar
      tile: use a more conservative __my_cpu_offset in CONFIG_PREEMPT · bc30c357
      Chris Metcalf authored
      commit f862eefe upstream.
      
      It turns out the kernel relies on barrier() to force a reload of the
      percpu offset value.  Since we can't easily modify the definition of
      barrier() to include "tp" as an output register, we instead provide a
      definition of __my_cpu_offset as extended assembly that includes a fake
      stack read to hazard against barrier(), forcing gcc to know that it
      must reread "tp" and recompute anything based on "tp" after a barrier.
      
      This fixes observed hangs in the slub allocator when we are looping
      on a percpu cmpxchg_double.
      
      A similar fix for ARMv7 was made in June in change 509eb76e.
      Signed-off-by: default avatarChris Metcalf <cmetcalf@tilera.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bc30c357
    • Takashi Iwai's avatar
      ALSA: hda - Fix GPIO for Acer Aspire 3830TG · 22c748d6
      Takashi Iwai authored
      commit 4a437044 upstream.
      
      Acer Aspire 3830TG seems requiring GPIO bit 0 as the primary mute
      control.  When a machine is booted after Windows 8, the GPIO pin is
      turned off and it results in the silent output.
      
      This patch adds the manual fixup of GPIO bit 0 for this model.
      Reported-by: default avatarChristopher <DIDI2002@web.de>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      22c748d6
    • Ben Skeggs's avatar
      drm/nouveau/bios/init: stub opcode 0xaa · f60945fd
      Ben Skeggs authored
      commit 5495e39f upstream.
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f60945fd
    • Mark Tinguely's avatar
      xfs: fix node forward in xfs_node_toosmall · 1fe36ec4
      Mark Tinguely authored
      commit 997def25 upstream.
      
      Commit f5ea1100 cleans up the disk to host conversions for
      node directory entries, but because a variable is reused in
      xfs_node_toosmall() the next node is not correctly found.
      If the original node is small enough (<= 3/8 of the node size),
      this change may incorrectly cause a node collapse when it should
      not. That will cause an assert in xfstest generic/319:
      
         Assertion failed: first <= last && last < BBTOB(bp->b_length),
         file: /root/newest/xfs/fs/xfs/xfs_trans_buf.c, line: 569
      
      Keep the original node header to get the correct forward node.
      
      (When a node is considered for a merge with a sibling, it overwrites the
       sibling pointers of the original incore nodehdr with the sibling's
       pointers.  This leads to loop considering the original node as a merge
       candidate with itself in the second pass, and so it incorrectly
       determines a merge should occur.)
      
      [v3: added Dave Chinner's (slightly modified) suggestion to the commit header,
      	cleaned up whitespace.  -bpm]
      Signed-off-by: default avatarMark Tinguely <tinguely@sgi.com>
      Reviewed-by: default avatarBen Myers <bpm@sgi.com>
      Signed-off-by: default avatarBen Myers <bpm@sgi.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      1fe36ec4
    • Lv Zheng's avatar
      ACPI / IPMI: Fix atomic context requirement of ipmi_msg_handler() · 2af8997a
      Lv Zheng authored
      commit 06a8566b upstream.
      
      This patch fixes the issues indicated by the test results that
      ipmi_msg_handler() is invoked in atomic context.
      
      BUG: scheduling while atomic: kipmi0/18933/0x10000100
      Modules linked in: ipmi_si acpi_ipmi ...
      CPU: 3 PID: 18933 Comm: kipmi0 Tainted: G       AW    3.10.0-rc7+ #2
      Hardware name: QCI QSSC-S4R/QSSC-S4R, BIOS QSSC-S4R.QCI.01.00.0027.070120100606 07/01/2010
       ffff8838245eea00 ffff88103fc63c98 ffffffff814c4a1e ffff88103fc63ca8
       ffffffff814bfbab ffff88103fc63d28 ffffffff814c73e0 ffff88103933cbd4
       0000000000000096 ffff88103fc63ce8 ffff88102f618000 ffff881035c01fd8
      Call Trace:
       <IRQ>  [<ffffffff814c4a1e>] dump_stack+0x19/0x1b
       [<ffffffff814bfbab>] __schedule_bug+0x46/0x54
       [<ffffffff814c73e0>] __schedule+0x83/0x59c
       [<ffffffff81058853>] __cond_resched+0x22/0x2d
       [<ffffffff814c794b>] _cond_resched+0x14/0x1d
       [<ffffffff814c6d82>] mutex_lock+0x11/0x32
       [<ffffffff8101e1e9>] ? __default_send_IPI_dest_field.constprop.0+0x53/0x58
       [<ffffffffa09e3f9c>] ipmi_msg_handler+0x23/0x166 [ipmi_si]
       [<ffffffff812bf6e4>] deliver_response+0x55/0x5a
       [<ffffffff812c0fd4>] handle_new_recv_msgs+0xb67/0xc65
       [<ffffffff81007ad1>] ? read_tsc+0x9/0x19
       [<ffffffff814c8620>] ? _raw_spin_lock_irq+0xa/0xc
       [<ffffffffa09e1128>] ipmi_thread+0x5c/0x146 [ipmi_si]
       ...
      
      Also Tony Camuso says:
      
       We were getting occasional "Scheduling while atomic" call traces
       during boot on some systems. Problem was first seen on a Cisco C210
       but we were able to reproduce it on a Cisco c220m3. Setting
       CONFIG_LOCKDEP and LOCKDEP_SUPPORT to 'y' exposed a lockdep around
       tx_msg_lock in acpi_ipmi.c struct acpi_ipmi_device.
      
       =================================
       [ INFO: inconsistent lock state ]
       2.6.32-415.el6.x86_64-debug-splck #1
       ---------------------------------
       inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
       ksoftirqd/3/17 [HC0[0]:SC1[1]:HE1:SE0] takes:
        (&ipmi_device->tx_msg_lock){+.?...}, at: [<ffffffff81337a27>] ipmi_msg_handler+0x71/0x126
       {SOFTIRQ-ON-W} state was registered at:
         [<ffffffff810ba11c>] __lock_acquire+0x63c/0x1570
         [<ffffffff810bb0f4>] lock_acquire+0xa4/0x120
         [<ffffffff815581cc>] __mutex_lock_common+0x4c/0x400
         [<ffffffff815586ea>] mutex_lock_nested+0x4a/0x60
         [<ffffffff8133789d>] acpi_ipmi_space_handler+0x11b/0x234
         [<ffffffff81321c62>] acpi_ev_address_space_dispatch+0x170/0x1be
      
      The fix implemented by this change has been tested by Tony:
      
       Tested the patch in a boot loop with lockdep debug enabled and never
       saw the problem in over 400 reboots.
      Reported-and-tested-by: default avatarTony Camuso <tcamuso@redhat.com>
      Signed-off-by: default avatarLv Zheng <lv.zheng@intel.com>
      Reviewed-by: default avatarHuang Ying <ying.huang@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Cc: Jonghwan Choi <jhbird.choi@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2af8997a
    • Michael Grzeschik's avatar
      dmaengine: imx-dma: fix slow path issue in prep_dma_cyclic · 414224fc
      Michael Grzeschik authored
      commit edc530fe upstream.
      
      When perparing cyclic_dma buffers by the sound layer, it will dump the
      following lockdep trace. The leading snd_pcm_action_single get called
      with read_lock_irq called. To fix this, we change the kcalloc call from
      GFP_KERNEL to GFP_ATOMIC.
      
      WARNING: at kernel/lockdep.c:2740 lockdep_trace_alloc+0xcc/0x114()
      DEBUG_LOCKS_WARN_ON(irqs_disabled_flags(flags))
      Modules linked in:
      CPU: 0 PID: 832 Comm: aplay Not tainted 3.11.0-20130823+ #903
      Backtrace:
      [<c000b98c>] (dump_backtrace+0x0/0x10c) from [<c000bb28>] (show_stack+0x18/0x1c)
       r6:c004c090 r5:00000009 r4:c2e0bd18 r3:00404000
      [<c000bb10>] (show_stack+0x0/0x1c) from [<c02f397c>] (dump_stack+0x20/0x28)
      [<c02f395c>] (dump_stack+0x0/0x28) from [<c001531c>] (warn_slowpath_common+0x54/0x70)
      [<c00152c8>] (warn_slowpath_common+0x0/0x70) from [<c00153dc>] (warn_slowpath_fmt+0x38/0x40)
       r8:00004000 r7:a3b90000 r6:000080d0 r5:60000093 r4:c2e0a000 r3:00000009
      [<c00153a4>] (warn_slowpath_fmt+0x0/0x40) from [<c004c090>] (lockdep_trace_alloc+0xcc/0x114)
       r3:c03955d8 r2:c03907db
      [<c004bfc4>] (lockdep_trace_alloc+0x0/0x114) from [<c008f16c>] (__kmalloc+0x34/0x118)
       r6:000080d0 r5:c3800120 r4:000080d0 r3:c040a0f8
      [<c008f138>] (__kmalloc+0x0/0x118) from [<c019c95c>] (imxdma_prep_dma_cyclic+0x64/0x168)
       r7:a3b90000 r6:00000004 r5:c39d8420 r4:c3847150
      [<c019c8f8>] (imxdma_prep_dma_cyclic+0x0/0x168) from [<c024618c>] (snd_dmaengine_pcm_trigger+0xa8/0x160)
      [<c02460e4>] (snd_dmaengine_pcm_trigger+0x0/0x160) from [<c0241fa8>] (soc_pcm_trigger+0x90/0xb4)
       r8:c058c7b0 r7:c3b8140c r6:c39da560 r5:00000001 r4:c3b81000
      [<c0241f18>] (soc_pcm_trigger+0x0/0xb4) from [<c022ece4>] (snd_pcm_do_start+0x2c/0x38)
       r7:00000000 r6:00000003 r5:c058c7b0 r4:c3b81000
      [<c022ecb8>] (snd_pcm_do_start+0x0/0x38) from [<c022e958>] (snd_pcm_action_single+0x40/0x6c)
      [<c022e918>] (snd_pcm_action_single+0x0/0x6c) from [<c022ea64>] (snd_pcm_action_lock_irq+0x7c/0x9c)
       r7:00000003 r6:c3b810f0 r5:c3b810f0 r4:c3b81000
      [<c022e9e8>] (snd_pcm_action_lock_irq+0x0/0x9c) from [<c023009c>] (snd_pcm_common_ioctl1+0x7f8/0xfd0)
       r8:c3b7f888 r7:005407b8 r6:c2c991c0 r5:c3b81000 r4:c3b81000 r3:00004142
      [<c022f8a4>] (snd_pcm_common_ioctl1+0x0/0xfd0) from [<c023117c>] (snd_pcm_playback_ioctl1+0x464/0x488)
      [<c0230d18>] (snd_pcm_playback_ioctl1+0x0/0x488) from [<c02311d4>] (snd_pcm_playback_ioctl+0x34/0x40)
       r8:c3b7f888 r7:00004142 r6:00000004 r5:c2c991c0 r4:005407b8
      [<c02311a0>] (snd_pcm_playback_ioctl+0x0/0x40) from [<c00a14a4>] (vfs_ioctl+0x30/0x44)
      [<c00a1474>] (vfs_ioctl+0x0/0x44) from [<c00a1fe8>] (do_vfs_ioctl+0x55c/0x5c0)
      [<c00a1a8c>] (do_vfs_ioctl+0x0/0x5c0) from [<c00a208c>] (SyS_ioctl+0x40/0x68)
      [<c00a204c>] (SyS_ioctl+0x0/0x68) from [<c0009380>] (ret_fast_syscall+0x0/0x44)
       r8:c0009544 r7:00000036 r6:bedeaa58 r5:00000000 r4:000000c0
      Signed-off-by: default avatarMichael Grzeschik <m.grzeschik@pengutronix.de>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Cc: Jonghwan Choi <jhbird.choi@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      414224fc
    • Michael Grzeschik's avatar
      dmaengine: imx-dma: fix callback path in tasklet · 8dac1d15
      Michael Grzeschik authored
      commit fcaaba6c upstream.
      
      We need to free the ld_active list head before jumping into the callback
      routine. Otherwise the callback could run into issue_pending and change
      our ld_active list head we just going to free. This will run the channel
      list into an currupted and undefined state.
      Signed-off-by: default avatarMichael Grzeschik <m.grzeschik@pengutronix.de>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Cc: Jonghwan Choi <jhbird.choi@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8dac1d15
    • Michael Grzeschik's avatar
      dmaengine: imx-dma: fix lockdep issue between irqhandler and tasklet · 16c72f37
      Michael Grzeschik authored
      commit 5a276fa6 upstream.
      
      The tasklet and irqhandler are using spin_lock while other routines are
      using spin_lock_irqsave/restore. This leads to lockdep issues as
      described bellow. This patch is changing the code to use
      spinlock_irq_save/restore in both code pathes.
      
      As imxdma_xfer_desc always gets called with spin_lock_irqsave lock held,
      this patch also removes the spare call inside the routine to avoid
      double locking.
      
      [  403.358162] =================================
      [  403.362549] [ INFO: inconsistent lock state ]
      [  403.366945] 3.10.0-20130823+ #904 Not tainted
      [  403.371331] ---------------------------------
      [  403.375721] inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
      [  403.381769] swapper/0 [HC0[0]:SC1[1]:HE1:SE0] takes:
      [  403.386762]  (&(&imxdma->lock)->rlock){?.-...}, at: [<c019d77c>] imxdma_tasklet+0x20/0x134
      [  403.395201] {IN-HARDIRQ-W} state was registered at:
      [  403.400108]   [<c004b264>] mark_lock+0x2a0/0x6b4
      [  403.404798]   [<c004d7c8>] __lock_acquire+0x650/0x1a64
      [  403.410004]   [<c004f15c>] lock_acquire+0x94/0xa8
      [  403.414773]   [<c02f74e4>] _raw_spin_lock+0x54/0x8c
      [  403.419720]   [<c019d094>] dma_irq_handler+0x78/0x254
      [  403.424845]   [<c0061124>] handle_irq_event_percpu+0x38/0x1b4
      [  403.430670]   [<c00612e4>] handle_irq_event+0x44/0x64
      [  403.435789]   [<c0063a70>] handle_level_irq+0xd8/0xf0
      [  403.440903]   [<c0060a20>] generic_handle_irq+0x28/0x38
      [  403.446194]   [<c0009cc4>] handle_IRQ+0x68/0x8c
      [  403.450789]   [<c0008714>] avic_handle_irq+0x3c/0x48
      [  403.455811]   [<c0008f84>] __irq_svc+0x44/0x74
      [  403.460314]   [<c0040b04>] cpu_startup_entry+0x88/0xf4
      [  403.465525]   [<c02f00d0>] rest_init+0xb8/0xe0
      [  403.470045]   [<c03e07dc>] start_kernel+0x28c/0x2d4
      [  403.474986]   [<a0008040>] 0xa0008040
      [  403.478709] irq event stamp: 50854
      [  403.482140] hardirqs last  enabled at (50854): [<c001c6b8>] tasklet_action+0x38/0xdc
      [  403.489954] hardirqs last disabled at (50853): [<c001c6a0>] tasklet_action+0x20/0xdc
      [  403.497761] softirqs last  enabled at (50850): [<c001bc64>] _local_bh_enable+0x14/0x18
      [  403.505741] softirqs last disabled at (50851): [<c001c268>] irq_exit+0x88/0xdc
      [  403.513026]
      [  403.513026] other info that might help us debug this:
      [  403.519593]  Possible unsafe locking scenario:
      [  403.519593]
      [  403.525548]        CPU0
      [  403.528020]        ----
      [  403.530491]   lock(&(&imxdma->lock)->rlock);
      [  403.534828]   <Interrupt>
      [  403.537474]     lock(&(&imxdma->lock)->rlock);
      [  403.541983]
      [  403.541983]  *** DEADLOCK ***
      [  403.541983]
      [  403.547951] no locks held by swapper/0.
      [  403.551813]
      [  403.551813] stack backtrace:
      [  403.556222] CPU: 0 PID: 0 Comm: swapper Not tainted 3.10.0-20130823+ #904
      [  403.563039] Backtrace:
      [  403.565581] [<c000b98c>] (dump_backtrace+0x0/0x10c) from [<c000bb28>] (show_stack+0x18/0x1c)
      [  403.574054]  r6:00000000 r5:c05c51d8 r4:c040bd58 r3:00200000
      [  403.579872] [<c000bb10>] (show_stack+0x0/0x1c) from [<c02f398c>] (dump_stack+0x20/0x28)
      [  403.587955] [<c02f396c>] (dump_stack+0x0/0x28) from [<c02f29c8>] (print_usage_bug.part.28+0x224/0x28c)
      [  403.597340] [<c02f27a4>] (print_usage_bug.part.28+0x0/0x28c) from [<c004b404>] (mark_lock+0x440/0x6b4)
      [  403.606682]  r8:c004a41c r7:00000000 r6:c040bd58 r5:c040c040 r4:00000002
      [  403.613566] [<c004afc4>] (mark_lock+0x0/0x6b4) from [<c004d844>] (__lock_acquire+0x6cc/0x1a64)
      [  403.622244] [<c004d178>] (__lock_acquire+0x0/0x1a64) from [<c004f15c>] (lock_acquire+0x94/0xa8)
      [  403.631010] [<c004f0c8>] (lock_acquire+0x0/0xa8) from [<c02f74e4>] (_raw_spin_lock+0x54/0x8c)
      [  403.639614] [<c02f7490>] (_raw_spin_lock+0x0/0x8c) from [<c019d77c>] (imxdma_tasklet+0x20/0x134)
      [  403.648434]  r6:c3847010 r5:c040e890 r4:c38470d4
      [  403.653194] [<c019d75c>] (imxdma_tasklet+0x0/0x134) from [<c001c70c>] (tasklet_action+0x8c/0xdc)
      [  403.662013]  r8:c0599160 r7:00000000 r6:00000000 r5:c040e890 r4:c3847114 r3:c019d75c
      [  403.670042] [<c001c680>] (tasklet_action+0x0/0xdc) from [<c001bd4c>] (__do_softirq+0xe4/0x1f0)
      [  403.678687]  r7:00000101 r6:c0402000 r5:c059919c r4:00000001
      [  403.684498] [<c001bc68>] (__do_softirq+0x0/0x1f0) from [<c001c268>] (irq_exit+0x88/0xdc)
      [  403.692652] [<c001c1e0>] (irq_exit+0x0/0xdc) from [<c0009cc8>] (handle_IRQ+0x6c/0x8c)
      [  403.700514]  r4:00000030 r3:00000110
      [  403.704192] [<c0009c5c>] (handle_IRQ+0x0/0x8c) from [<c0008714>] (avic_handle_irq+0x3c/0x48)
      [  403.712664]  r5:c0403f28 r4:c0593ebc
      [  403.716343] [<c00086d8>] (avic_handle_irq+0x0/0x48) from [<c0008f84>] (__irq_svc+0x44/0x74)
      [  403.724733] Exception stack(0xc0403f28 to 0xc0403f70)
      [  403.729841] 3f20:                   00000001 00000004 00000000 20000013 c0402000 c04104a8
      [  403.738078] 3f40: 00000002 c0b69620 a0004000 41069264 a03fb5f4 c0403f7c c0403f40 c0403f70
      [  403.746301] 3f60: c004b92c c0009e74 20000013 ffffffff
      [  403.751383]  r6:ffffffff r5:20000013 r4:c0009e74 r3:c004b92c
      [  403.757210] [<c0009e30>] (arch_cpu_idle+0x0/0x4c) from [<c0040b04>] (cpu_startup_entry+0x88/0xf4)
      [  403.766161] [<c0040a7c>] (cpu_startup_entry+0x0/0xf4) from [<c02f00d0>] (rest_init+0xb8/0xe0)
      [  403.774753] [<c02f0018>] (rest_init+0x0/0xe0) from [<c03e07dc>] (start_kernel+0x28c/0x2d4)
      [  403.783051]  r6:c03fc484 r5:ffffffff r4:c040a0e0
      [  403.787797] [<c03e0550>] (start_kernel+0x0/0x2d4) from [<a0008040>] (0xa0008040)
      Signed-off-by: default avatarMichael Grzeschik <m.grzeschik@pengutronix.de>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Cc: Jonghwan Choi <jhbird.choi@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16c72f37
    • Rafał Miłecki's avatar
      Revert "drm/radeon: add missing hdmi callbacks for rv6xx" · 04283173
      Rafał Miłecki authored
      This reverts commit b2a94840.
      
      Commit 99d79aa2 (backported by
      b2a94840) was supposed to fix rv6xx_asic
      struct.
      
      In kernel 3.10 we didn't have that struct yet, so the original patch
      should never be backported to the 3.10. Accidentally it has applied and
      modified different struct (r520_asic) that shouldn't have any HDMI
      callbacks at all.
      Signed-off-by: default avatarRafał Miłecki <zajec5@gmail.com>
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      04283173
    • Frederic Weisbecker's avatar
      irq: Force hardirq exit's softirq processing on its own stack · 6dcdd575
      Frederic Weisbecker authored
      commit ded79754 upstream.
      
      The commit facd8b80
      ("irq: Sanitize invoke_softirq") converted irq exit
      calls of do_softirq() to __do_softirq() on all architectures,
      assuming it was only used there for its irq disablement
      properties.
      
      But as a side effect, the softirqs processed in the end
      of the hardirq are always called on the inline current
      stack that is used by irq_exit() instead of the softirq
      stack provided by the archs that override do_softirq().
      
      The result is mostly safe if the architecture runs irq_exit()
      on a separate irq stack because then softirqs are processed
      on that same stack that is near empty at this stage (assuming
      hardirq aren't nesting).
      
      Otherwise irq_exit() runs in the task stack and so does the softirq
      too. The interrupted call stack can be randomly deep already and
      the softirq can dig through it even further. To add insult to the
      injury, this softirq can be interrupted by a new hardirq, maximizing
      the chances for a stack overrun as reported in powerpc for example:
      
      	do_IRQ: stack overflow: 1920
      	CPU: 0 PID: 1602 Comm: qemu-system-ppc Not tainted 3.10.4-300.1.fc19.ppc64p7 #1
      	Call Trace:
      	[c0000000050a8740] .show_stack+0x130/0x200 (unreliable)
      	[c0000000050a8810] .dump_stack+0x28/0x3c
      	[c0000000050a8880] .do_IRQ+0x2b8/0x2c0
      	[c0000000050a8930] hardware_interrupt_common+0x154/0x180
      	--- Exception: 501 at .cp_start_xmit+0x3a4/0x820 [8139cp]
      		LR = .cp_start_xmit+0x390/0x820 [8139cp]
      	[c0000000050a8d40] .dev_hard_start_xmit+0x394/0x640
      	[c0000000050a8e00] .sch_direct_xmit+0x110/0x260
      	[c0000000050a8ea0] .dev_queue_xmit+0x260/0x630
      	[c0000000050a8f40] .br_dev_queue_push_xmit+0xc4/0x130 [bridge]
      	[c0000000050a8fc0] .br_dev_xmit+0x198/0x270 [bridge]
      	[c0000000050a9070] .dev_hard_start_xmit+0x394/0x640
      	[c0000000050a9130] .dev_queue_xmit+0x428/0x630
      	[c0000000050a91d0] .ip_finish_output+0x2a4/0x550
      	[c0000000050a9290] .ip_local_out+0x50/0x70
      	[c0000000050a9310] .ip_queue_xmit+0x148/0x420
      	[c0000000050a93b0] .tcp_transmit_skb+0x4e4/0xaf0
      	[c0000000050a94a0] .__tcp_ack_snd_check+0x7c/0xf0
      	[c0000000050a9520] .tcp_rcv_established+0x1e8/0x930
      	[c0000000050a95f0] .tcp_v4_do_rcv+0x21c/0x570
      	[c0000000050a96c0] .tcp_v4_rcv+0x734/0x930
      	[c0000000050a97a0] .ip_local_deliver_finish+0x184/0x360
      	[c0000000050a9840] .ip_rcv_finish+0x148/0x400
      	[c0000000050a98d0] .__netif_receive_skb_core+0x4f8/0xb00
      	[c0000000050a99d0] .netif_receive_skb+0x44/0x110
      	[c0000000050a9a70] .br_handle_frame_finish+0x2bc/0x3f0 [bridge]
      	[c0000000050a9b20] .br_nf_pre_routing_finish+0x2ac/0x420 [bridge]
      	[c0000000050a9bd0] .br_nf_pre_routing+0x4dc/0x7d0 [bridge]
      	[c0000000050a9c70] .nf_iterate+0x114/0x130
      	[c0000000050a9d30] .nf_hook_slow+0xb4/0x1e0
      	[c0000000050a9e00] .br_handle_frame+0x290/0x330 [bridge]
      	[c0000000050a9ea0] .__netif_receive_skb_core+0x34c/0xb00
      	[c0000000050a9fa0] .netif_receive_skb+0x44/0x110
      	[c0000000050aa040] .napi_gro_receive+0xe8/0x120
      	[c0000000050aa0c0] .cp_rx_poll+0x31c/0x590 [8139cp]
      	[c0000000050aa1d0] .net_rx_action+0x1dc/0x310
      	[c0000000050aa2b0] .__do_softirq+0x158/0x330
      	[c0000000050aa3b0] .irq_exit+0xc8/0x110
      	[c0000000050aa430] .do_IRQ+0xdc/0x2c0
      	[c0000000050aa4e0] hardware_interrupt_common+0x154/0x180
      	 --- Exception: 501 at .bad_range+0x1c/0x110
      		 LR = .get_page_from_freelist+0x908/0xbb0
      	[c0000000050aa7d0] .list_del+0x18/0x50 (unreliable)
      	[c0000000050aa850] .get_page_from_freelist+0x908/0xbb0
      	[c0000000050aa9e0] .__alloc_pages_nodemask+0x21c/0xae0
      	[c0000000050aaba0] .alloc_pages_vma+0xd0/0x210
      	[c0000000050aac60] .handle_pte_fault+0x814/0xb70
      	[c0000000050aad50] .__get_user_pages+0x1a4/0x640
      	[c0000000050aae60] .get_user_pages_fast+0xec/0x160
      	[c0000000050aaf10] .__gfn_to_pfn_memslot+0x3b0/0x430 [kvm]
      	[c0000000050aafd0] .kvmppc_gfn_to_pfn+0x64/0x130 [kvm]
      	[c0000000050ab070] .kvmppc_mmu_map_page+0x94/0x530 [kvm]
      	[c0000000050ab190] .kvmppc_handle_pagefault+0x174/0x610 [kvm]
      	[c0000000050ab270] .kvmppc_handle_exit_pr+0x464/0x9b0 [kvm]
      	[c0000000050ab320]  kvm_start_lightweight+0x1ec/0x1fc [kvm]
      	[c0000000050ab4f0] .kvmppc_vcpu_run_pr+0x168/0x3b0 [kvm]
      	[c0000000050ab9c0] .kvmppc_vcpu_run+0xc8/0xf0 [kvm]
      	[c0000000050aba50] .kvm_arch_vcpu_ioctl_run+0x5c/0x1a0 [kvm]
      	[c0000000050abae0] .kvm_vcpu_ioctl+0x478/0x730 [kvm]
      	[c0000000050abc90] .do_vfs_ioctl+0x4ec/0x7c0
      	[c0000000050abd80] .SyS_ioctl+0xd4/0xf0
      	[c0000000050abe30] syscall_exit+0x0/0x98
      
      Since this is a regression, this patch proposes a minimalistic
      and low-risk solution by blindly forcing the hardirq exit processing of
      softirqs on the softirq stack. This way we should reduce significantly
      the opportunities for task stack overflow dug by softirqs.
      
      Longer term solutions may involve extending the hardirq stack coverage to
      irq_exit(), etc...
      Reported-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarFrederic Weisbecker <fweisbec@gmail.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Paul Mackerras <paulus@au1.ibm.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Paul Mackerras <paulus@au1.ibm.com>
      Cc: James Hogan <james.hogan@imgtec.com>
      Cc: James E.J. Bottomley <jejb@parisc-linux.org>
      Cc: Helge Deller <deller@gmx.de>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6dcdd575
    • Eric W. Biederman's avatar
      net: Update the sysctl permissions handler to test effective uid/gid · acbf720a
      Eric W. Biederman authored
      commit 2433c8f0 upstream.
      
      Modify the code to use current_euid(), and in_egroup_p, as in done
      in fs/proc/proc_sysctl.c:test_perm()
      Reviewed-by: default avatarEric Sandeen <sandeen@redhat.com>
      Reported-by: default avatarEric Sandeen <sandeen@redhat.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      acbf720a
    • Nicholas Bellinger's avatar
      iscsi-target: Only perform wait_for_tasks when performing shutdown · a0348152
      Nicholas Bellinger authored
      commit e255a285 upstream.
      
      This patch changes transport_generic_free_cmd() to only wait_for_tasks
      when shutdown=true is passed to iscsit_free_cmd().
      
      With the advent of >= v3.10 iscsi-target code using se_cmd->cmd_kref,
      the extra wait_for_tasks with shutdown=false is unnecessary, and may
      end up causing an extra context switch when releasing WRITEs.
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a0348152
    • Rafael Aquini's avatar
      mm: avoid reinserting isolated balloon pages into LRU lists · 009dfd44
      Rafael Aquini authored
      commit 117aad1e upstream.
      
      Isolated balloon pages can wrongly end up in LRU lists when
      migrate_pages() finishes its round without draining all the isolated
      page list.
      
      The same issue can happen when reclaim_clean_pages_from_list() tries to
      reclaim pages from an isolated page list, before migration, in the CMA
      path.  Such balloon page leak opens a race window against LRU lists
      shrinkers that leads us to the following kernel panic:
      
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
        IP: [<ffffffff810c2625>] shrink_page_list+0x24e/0x897
        PGD 3cda2067 PUD 3d713067 PMD 0
        Oops: 0000 [#1] SMP
        CPU: 0 PID: 340 Comm: kswapd0 Not tainted 3.12.0-rc1-22626-g4367597 #87
        Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
        RIP: shrink_page_list+0x24e/0x897
        RSP: 0000:ffff88003da499b8  EFLAGS: 00010286
        RAX: 0000000000000000 RBX: ffff88003e82bd60 RCX: 00000000000657d5
        RDX: 0000000000000000 RSI: 000000000000031f RDI: ffff88003e82bd40
        RBP: ffff88003da49ab0 R08: 0000000000000001 R09: 0000000081121a45
        R10: ffffffff81121a45 R11: ffff88003c4a9a28 R12: ffff88003e82bd40
        R13: ffff88003da0e800 R14: 0000000000000001 R15: ffff88003da49d58
        FS:  0000000000000000(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00000000067d9000 CR3: 000000003ace5000 CR4: 00000000000407b0
        Call Trace:
          shrink_inactive_list+0x240/0x3de
          shrink_lruvec+0x3e0/0x566
          __shrink_zone+0x94/0x178
          shrink_zone+0x3a/0x82
          balance_pgdat+0x32a/0x4c2
          kswapd+0x2f0/0x372
          kthread+0xa2/0xaa
          ret_from_fork+0x7c/0xb0
        Code: 80 7d 8f 01 48 83 95 68 ff ff ff 00 4c 89 e7 e8 5a 7b 00 00 48 85 c0 49 89 c5 75 08 80 7d 8f 00 74 3e eb 31 48 8b 80 18 01 00 00 <48> 8b 74 0d 48 8b 78 30 be 02 00 00 00 ff d2 eb
        RIP  [<ffffffff810c2625>] shrink_page_list+0x24e/0x897
         RSP <ffff88003da499b8>
        CR2: 0000000000000028
        ---[ end trace 703d2451af6ffbfd ]---
        Kernel panic - not syncing: Fatal exception
      
      This patch fixes the issue, by assuring the proper tests are made at
      putback_movable_pages() & reclaim_clean_pages_from_list() to avoid
      isolated balloon pages being wrongly reinserted in LRU lists.
      
      [akpm@linux-foundation.org: clarify awkward comment text]
      Signed-off-by: default avatarRafael Aquini <aquini@redhat.com>
      Reported-by: default avatarLuiz Capitulino <lcapitulino@redhat.com>
      Tested-by: default avatarLuiz Capitulino <lcapitulino@redhat.com>
      Cc: Mel Gorman <mel@csn.ul.ie>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      009dfd44
    • Christian Lamparter's avatar
      p54usb: add USB ID for Corega WLUSB2GTST USB adapter · 3e197292
      Christian Lamparter authored
      commit 1e43692c upstream.
      
      Added USB ID for Corega WLUSB2GTST USB adapter.
      Reported-by: default avatarJoerg Kalisch <the_force@gmx.de>
      Signed-off-by: default avatarChristian Lamparter <chunkeey@googlemail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3e197292
    • Larry Finger's avatar
      rtlwifi: Align private space in rtl_priv struct · c00095f3
      Larry Finger authored
      commit 60ce314d upstream.
      
      The private array at the end of the rtl_priv struct is not aligned.
      On ARM architecture, this causes an alignment trap and is fixed by aligning
      that array with __align(sizeof(void *)). That should properly align that
      space according to the requirements of all architectures.
      Reported-by: default avatarJason Andrews <jasona@cadence.com>
      Tested-by: default avatarJason Andrews <jasona@cadence.com>
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c00095f3
    • Jack Wang's avatar
      ib_srpt: always set response for task management · b07ce930
      Jack Wang authored
      commit c807f643 upstream.
      
      The SRP specification requires:
      
        "Response data shall be provided in any SRP_RSP response that is sent in
         response to an SRP_TSK_MGMT request (see 6.7). The information in the
         RSP_CODE field (see table 24) shall indicate the completion status of
         the task management function."
      
      So fix this to avoid the SRP initiator interprets task management functions
      that succeeded as failed.
      Signed-off-by: default avatarJack Wang <jinpu.wang@profitbricks.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b07ce930
    • Nicholas Bellinger's avatar
      ib_srpt: Destroy cm_id before destroying QP. · 5b973823
      Nicholas Bellinger authored
      commit 0b41d6ca upstream.
      
      This patch fixes a bug where ib_destroy_cm_id() was incorrectly being called
      after srpt_destroy_ch_ib() had destroyed the active QP.
      
      This would result in the following failed SRP_LOGIN_REQ messages:
      
      Received SRP_LOGIN_REQ with i_port_id 0x0:0x2590ffff1762bd, t_port_id 0x2c903009f8f40:0x2c903009f8f40 and it_iu_len 260 on port 1 (guid=0xfe80000000000000:0x2c903009f8f41)
      Received SRP_LOGIN_REQ with i_port_id 0x0:0x2590ffff1758f9, t_port_id 0x2c903009f8f40:0x2c903009f8f40 and it_iu_len 260 on port 2 (guid=0xfe80000000000000:0x2c903009f8f42)
      Received SRP_LOGIN_REQ with i_port_id 0x0:0x2590ffff175941, t_port_id 0x2c903009f8f40:0x2c903009f8f40 and it_iu_len 260 on port 2 (guid=0xfe80000000000000:0x2c90300a3cfb2)
      Received SRP_LOGIN_REQ with i_port_id 0x0:0x2590ffff176299, t_port_id 0x2c903009f8f40:0x2c903009f8f40 and it_iu_len 260 on port 1 (guid=0xfe80000000000000:0x2c90300a3cfb1)
      mlx4_core 0000:84:00.0: command 0x19 failed: fw status = 0x9
      rejected SRP_LOGIN_REQ because creating a new RDMA channel failed.
      Received SRP_LOGIN_REQ with i_port_id 0x0:0x2590ffff176299, t_port_id 0x2c903009f8f40:0x2c903009f8f40 and it_iu_len 260 on port 1 (guid=0xfe80000000000000:0x2c90300a3cfb1)
      mlx4_core 0000:84:00.0: command 0x19 failed: fw status = 0x9
      rejected SRP_LOGIN_REQ because creating a new RDMA channel failed.
      Received SRP_LOGIN_REQ with i_port_id 0x0:0x2590ffff176299, t_port_id 0x2c903009f8f40:0x2c903009f8f40 and it_iu_len 260 on port 1 (guid=0xfe80000000000000:0x2c90300a3cfb1)
      Reported-by: default avatarNavin Ahuja <navin.ahuja@saratoga-speed.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5b973823
    • David Vrabel's avatar
      xen/hvc: allow xenboot console to be used again · 8598a32d
      David Vrabel authored
      commit a9fbf4d5 upstream.
      
      Commit d0380e6c (early_printk:
      consolidate random copies of identical code) added in 3.10 introduced
      a check for con->index == -1 in early_console_register().
      
      Initialize index to -1 for the xenboot console so earlyprintk=xen
      works again.
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Cc: Jiri Slaby <jslaby@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8598a32d
    • Michal Malý's avatar
      USB: serial: option: Ignore card reader interface on Huawei E1750 · 1b069646
      Michal Malý authored
      commit eb2addd4 upstream.
      
      Hi,
      
      my Huawei 3G modem has an embedded Smart Card reader which causes
      trouble when the modem is being detected (a bunch of "<warn>  (ttyUSBx):
      open blocked by driver for more than 7 seconds!" in messages.log). This
      trivial patch corrects the problem for me. The modem identifies itself
      as "12d1:1406 Huawei Technologies Co., Ltd. E1750" in lsusb although the
      description on the body says "Model E173u-1"
      Signed-off-by: default avatarMichal Malý <madcatxster@prifuk.cz>
      Cc: Bjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b069646
    • Bing Zhao's avatar
      mwifiex: fix PCIe hs_cfg cancel cmd timeout · e54fcd5b
      Bing Zhao authored
      commit b7be1522 upstream.
      
      For pcie8897, the hs_cfg cancel command (0xe5) times out when host
      comes out of suspend. This is caused by an incompleted host sleep
      handshake between driver and firmware.
      
      Like SDIO interface, PCIe also needs to go through firmware power
      save events to complete the handshake for host sleep configuration.
      Only USB interface doesn't require power save events for hs_cfg.
      Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
      Signed-off-by: default avatarAmitkumar Karwar <akarwar@marvell.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e54fcd5b
    • Amitkumar Karwar's avatar
      mwifiex: fix hang issue for USB chipsets · 88fb132a
      Amitkumar Karwar authored
      commit bd1c6142 upstream.
      
      Bug 60815 - Interface hangs in mwifiex_usb
      https://bugzilla.kernel.org/show_bug.cgi?id=60815
      
      We have 4 bytes of interface header for packets delivered to SDIO
      and PCIe, but not for USB interface.
      
      In Tx AMSDU case, currently 4 bytes of garbage data is unnecessarily
      appended for USB packets. This sometimes leads to a firmware hang,
      because it may not interpret the data packet correctly.
      
      Problem is fixed by removing this redundant headroom for USB.
      Tested-by: default avatarDmitry Khromov <icechrome@gmail.com>
      Signed-off-by: default avatarAmitkumar Karwar <akarwar@marvell.com>
      Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88fb132a
    • Bing Zhao's avatar
      mwifiex: fix NULL pointer dereference in usb suspend handler · c7a448c3
      Bing Zhao authored
      commit 346ece0b upstream.
      
      Bug 60815 - Interface hangs in mwifiex_usb
      https://bugzilla.kernel.org/show_bug.cgi?id=60815
      
      [ 2.883807] BUG: unable to handle kernel NULL pointer dereference
                  at 0000000000000048
      [ 2.883813] IP: [<ffffffff815a65e0>] pfifo_fast_enqueue+0x90/0x90
      
      [ 2.883834] CPU: 1 PID: 3220 Comm: kworker/u8:90 Not tainted
                  3.11.1-monotone-l0 #6
      [ 2.883834] Hardware name: Microsoft Corporation Surface with
                  Windows 8 Pro/Surface with Windows 8 Pro,
                  BIOS 1.03.0450 03/29/2013
      
      On Surface Pro, suspend to ram gives a NULL pointer dereference in
      pfifo_fast_enqueue(). The stack trace reveals that the offending
      call is clearing carrier in mwifiex_usb suspend handler.
      
      Since commit 1499d9fa "mwifiex: don't drop carrier flag over suspend"
      has removed the carrier flag handling over suspend/resume in SDIO
      and PCIe drivers, I'm removing it in USB driver too. This also fixes
      the bug for Surface Pro.
      Tested-by: default avatarDmitry Khromov <icechrome@gmail.com>
      Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c7a448c3
    • Trond Myklebust's avatar
      NFSv4.1: nfs4_fl_prepare_ds - fix bugs when the connect attempt fails · 28f7ae25
      Trond Myklebust authored
      commit 52b26a3e upstream.
      
      - Fix an Oops when nfs4_ds_connect() returns an error.
      - Always check the device status after waiting for a connect to complete.
      Reported-by: default avatarAndy Adamson <andros@netapp.com>
      Reported-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      28f7ae25
    • Ian Abbott's avatar
      staging: comedi: ni_65xx: (bug fix) confine insn_bits to one subdevice · 96baebd4
      Ian Abbott authored
      commit 677a3156 upstream.
      
      The `insn_bits` handler `ni_65xx_dio_insn_bits()` has a `for` loop that
      currently writes (optionally) and reads back up to 5 "ports" consisting
      of 8 channels each.  It reads up to 32 1-bit channels but can only read
      and write a whole port at once - it needs to handle up to 5 ports as the
      first channel it reads might not be aligned on a port boundary.  It
      breaks out of the loop early if the next port it handles is beyond the
      final port on the card.  It also breaks out early on the 5th port in the
      loop if the first channel was aligned.  Unfortunately, it doesn't check
      that the current port it is dealing with belongs to the comedi subdevice
      the `insn_bits` handler is acting on.  That's a bug.
      
      Redo the `for` loop to terminate after the final port belonging to the
      subdevice, changing the loop variable in the process to simplify things
      a bit.  The `for` loop could now try and handle more than 5 ports if the
      subdevice has more than 40 channels, but the test `if (bitshift >= 32)`
      ensures it will break out early after 4 or 5 ports (depending on whether
      the first channel is aligned on a port boundary).  (`bitshift` will be
      between -7 and 7 inclusive on the first iteration, increasing by 8 for
      each subsequent operation.)
      Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      96baebd4
    • Darrick J. Wong's avatar
      mm/bounce.c: fix a regression where MS_SNAP_STABLE (stable pages snapshotting) was ignored · a1cccf25
      Darrick J. Wong authored
      commit 83b2944f upstream.
      
      The "force" parameter in __blk_queue_bounce was being ignored, which
      means that stable page snapshots are not always happening (on ext3).
      This of course leads to DIF disks reporting checksum errors, so fix this
      regression.
      
      The regression was introduced in commit 6bc454d1 ("bounce: Refactor
      __blk_queue_bounce to not use bi_io_vec")
      Reported-by: default avatarMel Gorman <mgorman@suse.de>
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Cc: Kent Overstreet <koverstreet@google.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a1cccf25
    • David Miller's avatar
      mm: Fix generic hugetlb pte check return type. · 4dc59be5
      David Miller authored
      [ Upstream commit 26794942 ]
      
      The include/asm-generic/hugetlb.h stubs that just vector huge_pte_*()
      calls to the pte_*() implementations won't work in certain situations.
      
      x86 and sparc, for example, return "unsigned long" from the bit
      checks, and just go "return pte_val(pte) & PTE_BIT_FOO;"
      
      But since huge_pte_*() returns 'int', if any high bits on 64-bit are
      relevant, they get chopped off.
      
      The net effect is that we can loop forever trying to COW a huge page,
      because the huge_pte_write() check signals false all the time.
      Reported-by: default avatarGurudas Pai <gurudas.pai@oracle.com>
      Tested-by: default avatarGurudas Pai <gurudas.pai@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Acked-by: default avatarDavid Rientjes <rientjes@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4dc59be5
    • Kirill Tkhai's avatar
      sparc32: Fix exit flag passed from traced sys_sigreturn · 04e7d3c0
      Kirill Tkhai authored
      [ Upstream commit 7a3b0f89 ]
      
      Pass 1 in %o1 to indicate that syscall_trace accounts exit.
      Signed-off-by: default avatarKirill Tkhai <tkhai@yandex.ru>
      CC: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      04e7d3c0
    • Kirill Tkhai's avatar
      sparc64: Fix not SRA'ed %o5 in 32-bit traced syscall · 4026b686
      Kirill Tkhai authored
      [ Upstream commit ab2abda6 ]
      
      (From v1 to v2: changed comment)
      
      On the way linux_sparc_syscall32->linux_syscall_trace32->goto 2f,
      register %o5 doesn't clear its second 32-bit.
      
      Fix that.
      Signed-off-by: default avatarKirill Tkhai <tkhai@yandex.ru>
      CC: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4026b686
    • David S. Miller's avatar
    • Kees Cook's avatar
      sparc: fix ldom_reboot buffer overflow harder · 5c19adb2
      Kees Cook authored
      [ Upstream commit 20928bd3 ]
      
      The length argument to strlcpy was still wrong. It could overflow the end of
      full_boot_str by 5 bytes. Instead of strcat and strlcpy, just use snprint.
      Reported-by: default avatarBrad Spengler <spender@grsecurity.net>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c19adb2
    • David S. Miller's avatar
      sparc64: Fix buggy strlcpy() conversion in ldom_reboot(). · 34b6bdb2
      David S. Miller authored
      [ Upstream commit 2bd161a6 ]
      
      Commit 117a0c5f ("sparc: kernel: using
      strlcpy() instead of strcpy()") added a bug to ldom_reboot in
      arch/sparc/kernel/ds.c
      
      -		strcpy(full_boot_str + strlen("boot "), boot_command);
      +				     strlcpy(full_boot_str + strlen("boot "), boot_command,
      +				     			     sizeof(full_boot_str + strlen("boot ")));
      
      That last sizeof() expression evaluates to sizeof(size_t) which is
      not what was intended.
      
      Also even the corrected:
      
           sizeof(full_boot_str) + strlen("boot ")
      
      is not right as the destination buffer length is just plain
      "sizeof(full_boot_str)" and that's what the final argument
      should be.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      34b6bdb2
    • Kirill Tkhai's avatar
      sparc64: Remove RWSEM export leftovers · 32f0ba8e
      Kirill Tkhai authored
      [ Upstream commit 61d9b935 ]
      
      The functions
      
      			__down_read
      			__down_read_trylock
      			__down_write
      			__down_write_trylock
      			__up_read
      			__up_write
      			__downgrade_write
      
      are implemented inline, so remove corresponding EXPORT_SYMBOLs
      (They lead to compile errors on RT kernel).
      Signed-off-by: default avatarKirill Tkhai <tkhai@yandex.ru>
      CC: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      32f0ba8e
    • Kirill Tkhai's avatar
      sparc64: Fix ITLB handler of null page · 84c041cc
      Kirill Tkhai authored
      [ Upstream commit 1c2696cd ]
      
      1)Use kvmap_itlb_longpath instead of kvmap_dtlb_longpath.
      
      2)Handle page #0 only, don't handle page #1: bleu -> blu
      
       (KERNBASE is 0x400000, so #1 does not exist too. But everything
        is possible in the future. Fix to not to have problems later.)
      
      3)Remove unused kvmap_itlb_nonlinear.
      Signed-off-by: default avatarKirill Tkhai <tkhai@yandex.ru>
      CC: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      84c041cc
    • David S. Miller's avatar
      esp_scsi: Fix tag state corruption when autosensing. · 74e8a9ef
      David S. Miller authored
      [ Upstream commit 21af8107 ]
      
      Meelis Roos reports a crash in esp_free_lun_tag() in the presense
      of a disk which has died.
      
      The issue is that when we issue an autosense command, we do so by
      hijacking the original command that caused the check-condition.
      
      When we do so we clear out the ent->tag[] array when we issue it via
      find_and_prep_issuable_command().  This is so that the autosense
      command is forced to be issued non-tagged.
      
      That is problematic, because it is the value of ent->tag[] which
      determines whether we issued the original scsi command as tagged
      vs. non-tagged (see esp_alloc_lun_tag()).
      
      And that, in turn, is what trips up the sanity checks in
      esp_free_lun_tag().  That function needs the original ->tag[] values
      in order to free up the tag slot properly.
      
      Fix this by remembering the original command's tag values, and
      having esp_alloc_lun_tag() and esp_free_lun_tag() use them.
      Reported-by: default avatarMeelis Roos <mroos@linux.ee>
      Tested-by: default avatarMeelis Roos <mroos@linux.ee>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      74e8a9ef
    • Vyacheslav Dubeyko's avatar
      nilfs2: fix issue with race condition of competition between segments for dirty blocks · d8974c7f
      Vyacheslav Dubeyko authored
      commit 7f42ec39 upstream.
      
      Many NILFS2 users were reported about strange file system corruption
      (for example):
      
         NILFS: bad btree node (blocknr=185027): level = 0, flags = 0x0, nchildren = 768
         NILFS error (device sda4): nilfs_bmap_last_key: broken bmap (inode number=11540)
      
      But such error messages are consequence of file system's issue that takes
      place more earlier.  Fortunately, Jerome Poulin <jeromepoulin@gmail.com>
      and Anton Eliasson <devel@antoneliasson.se> were reported about another
      issue not so recently.  These reports describe the issue with segctor
      thread's crash:
      
        BUG: unable to handle kernel paging request at 0000000000004c83
        IP: nilfs_end_page_io+0x12/0xd0 [nilfs2]
      
        Call Trace:
         nilfs_segctor_do_construct+0xf25/0x1b20 [nilfs2]
         nilfs_segctor_construct+0x17b/0x290 [nilfs2]
         nilfs_segctor_thread+0x122/0x3b0 [nilfs2]
         kthread+0xc0/0xd0
         ret_from_fork+0x7c/0xb0
      
      These two issues have one reason.  This reason can raise third issue
      too.  Third issue results in hanging of segctor thread with eating of
      100% CPU.
      
      REPRODUCING PATH:
      
      One of the possible way or the issue reproducing was described by
      Jermoe me Poulin <jeromepoulin@gmail.com>:
      
      1. init S to get to single user mode.
      2. sysrq+E to make sure only my shell is running
      3. start network-manager to get my wifi connection up
      4. login as root and launch "screen"
      5. cd /boot/log/nilfs which is a ext3 mount point and can log when NILFS dies.
      6. lscp | xz -9e > lscp.txt.xz
      7. mount my snapshot using mount -o cp=3360839,ro /dev/vgUbuntu/root /mnt/nilfs
      8. start a screen to dump /proc/kmsg to text file since rsyslog is killed
      9. start a screen and launch strace -f -o find-cat.log -t find
      /mnt/nilfs -type f -exec cat {} > /dev/null \;
      10. start a screen and launch strace -f -o apt-get.log -t apt-get update
      11. launch the last command again as it did not crash the first time
      12. apt-get crashes
      13. ps aux > ps-aux-crashed.log
      13. sysrq+W
      14. sysrq+E  wait for everything to terminate
      15. sysrq+SUSB
      
      Simplified way of the issue reproducing is starting kernel compilation
      task and "apt-get update" in parallel.
      
      REPRODUCIBILITY:
      
      The issue is reproduced not stable [60% - 80%].  It is very important to
      have proper environment for the issue reproducing.  The critical
      conditions for successful reproducing:
      
      (1) It should have big modified file by mmap() way.
      
      (2) This file should have the count of dirty blocks are greater that
          several segments in size (for example, two or three) from time to time
          during processing.
      
      (3) It should be intensive background activity of files modification
          in another thread.
      
      INVESTIGATION:
      
      First of all, it is possible to see that the reason of crash is not valid
      page address:
      
        NILFS [nilfs_segctor_complete_write]:2100 bh->b_count 0, bh->b_blocknr 13895680, bh->b_size 13897727, bh->b_page 0000000000001a82
        NILFS [nilfs_segctor_complete_write]:2101 segbuf->sb_segnum 6783
      
      Moreover, value of b_page (0x1a82) is 6786.  This value looks like segment
      number.  And b_blocknr with b_size values look like block numbers.  So,
      buffer_head's pointer points on not proper address value.
      
      Detailed investigation of the issue is discovered such picture:
      
        [-----------------------------SEGMENT 6783-------------------------------]
        NILFS [nilfs_segctor_do_construct]:2310 nilfs_segctor_begin_construction
        NILFS [nilfs_segctor_do_construct]:2321 nilfs_segctor_collect
        NILFS [nilfs_segctor_do_construct]:2336 nilfs_segctor_assign
        NILFS [nilfs_segctor_do_construct]:2367 nilfs_segctor_update_segusage
        NILFS [nilfs_segctor_do_construct]:2371 nilfs_segctor_prepare_write
        NILFS [nilfs_segctor_do_construct]:2376 nilfs_add_checksums_on_logs
        NILFS [nilfs_segctor_do_construct]:2381 nilfs_segctor_write
        NILFS [nilfs_segbuf_submit_bio]:464 bio->bi_sector 111149024, segbuf->sb_segnum 6783
      
        [-----------------------------SEGMENT 6784-------------------------------]
        NILFS [nilfs_segctor_do_construct]:2310 nilfs_segctor_begin_construction
        NILFS [nilfs_segctor_do_construct]:2321 nilfs_segctor_collect
        NILFS [nilfs_lookup_dirty_data_buffers]:782 bh->b_count 1, bh->b_page ffffea000709b000, page->index 0, i_ino 1033103, i_size 25165824
        NILFS [nilfs_lookup_dirty_data_buffers]:783 bh->b_assoc_buffers.next ffff8802174a6798, bh->b_assoc_buffers.prev ffff880221cffee8
        NILFS [nilfs_segctor_do_construct]:2336 nilfs_segctor_assign
        NILFS [nilfs_segctor_do_construct]:2367 nilfs_segctor_update_segusage
        NILFS [nilfs_segctor_do_construct]:2371 nilfs_segctor_prepare_write
        NILFS [nilfs_segctor_do_construct]:2376 nilfs_add_checksums_on_logs
        NILFS [nilfs_segctor_do_construct]:2381 nilfs_segctor_write
        NILFS [nilfs_segbuf_submit_bh]:575 bh->b_count 1, bh->b_page ffffea000709b000, page->index 0, i_ino 1033103, i_size 25165824
        NILFS [nilfs_segbuf_submit_bh]:576 segbuf->sb_segnum 6784
        NILFS [nilfs_segbuf_submit_bh]:577 bh->b_assoc_buffers.next ffff880218a0d5f8, bh->b_assoc_buffers.prev ffff880218bcdf50
        NILFS [nilfs_segbuf_submit_bio]:464 bio->bi_sector 111150080, segbuf->sb_segnum 6784, segbuf->sb_nbio 0
        [----------] ditto
        NILFS [nilfs_segbuf_submit_bio]:464 bio->bi_sector 111164416, segbuf->sb_segnum 6784, segbuf->sb_nbio 15
      
        [-----------------------------SEGMENT 6785-------------------------------]
        NILFS [nilfs_segctor_do_construct]:2310 nilfs_segctor_begin_construction
        NILFS [nilfs_segctor_do_construct]:2321 nilfs_segctor_collect
        NILFS [nilfs_lookup_dirty_data_buffers]:782 bh->b_count 2, bh->b_page ffffea000709b000, page->index 0, i_ino 1033103, i_size 25165824
        NILFS [nilfs_lookup_dirty_data_buffers]:783 bh->b_assoc_buffers.next ffff880219277e80, bh->b_assoc_buffers.prev ffff880221cffc88
        NILFS [nilfs_segctor_do_construct]:2367 nilfs_segctor_update_segusage
        NILFS [nilfs_segctor_do_construct]:2371 nilfs_segctor_prepare_write
        NILFS [nilfs_segctor_do_construct]:2376 nilfs_add_checksums_on_logs
        NILFS [nilfs_segctor_do_construct]:2381 nilfs_segctor_write
        NILFS [nilfs_segbuf_submit_bh]:575 bh->b_count 2, bh->b_page ffffea000709b000, page->index 0, i_ino 1033103, i_size 25165824
        NILFS [nilfs_segbuf_submit_bh]:576 segbuf->sb_segnum 6785
        NILFS [nilfs_segbuf_submit_bh]:577 bh->b_assoc_buffers.next ffff880218a0d5f8, bh->b_assoc_buffers.prev ffff880222cc7ee8
        NILFS [nilfs_segbuf_submit_bio]:464 bio->bi_sector 111165440, segbuf->sb_segnum 6785, segbuf->sb_nbio 0
        [----------] ditto
        NILFS [nilfs_segbuf_submit_bio]:464 bio->bi_sector 111177728, segbuf->sb_segnum 6785, segbuf->sb_nbio 12
      
        NILFS [nilfs_segctor_do_construct]:2399 nilfs_segctor_wait
        NILFS [nilfs_segbuf_wait]:676 segbuf->sb_segnum 6783
        NILFS [nilfs_segbuf_wait]:676 segbuf->sb_segnum 6784
        NILFS [nilfs_segbuf_wait]:676 segbuf->sb_segnum 6785
      
        NILFS [nilfs_segctor_complete_write]:2100 bh->b_count 0, bh->b_blocknr 13895680, bh->b_size 13897727, bh->b_page 0000000000001a82
      
        BUG: unable to handle kernel paging request at 0000000000001a82
        IP: [<ffffffffa024d0f2>] nilfs_end_page_io+0x12/0xd0 [nilfs2]
      
      Usually, for every segment we collect dirty files in list.  Then, dirty
      blocks are gathered for every dirty file, prepared for write and
      submitted by means of nilfs_segbuf_submit_bh() call.  Finally, it takes
      place complete write phase after calling nilfs_end_bio_write() on the
      block layer.  Buffers/pages are marked as not dirty on final phase and
      processed files removed from the list of dirty files.
      
      It is possible to see that we had three prepare_write and submit_bio
      phases before segbuf_wait and complete_write phase.  Moreover, segments
      compete between each other for dirty blocks because on every iteration
      of segments processing dirty buffer_heads are added in several lists of
      payload_buffers:
      
        [SEGMENT 6784]: bh->b_assoc_buffers.next ffff880218a0d5f8, bh->b_assoc_buffers.prev ffff880218bcdf50
        [SEGMENT 6785]: bh->b_assoc_buffers.next ffff880218a0d5f8, bh->b_assoc_buffers.prev ffff880222cc7ee8
      
      The next pointer is the same but prev pointer has changed.  It means
      that buffer_head has next pointer from one list but prev pointer from
      another.  Such modification can be made several times.  And, finally, it
      can be resulted in various issues: (1) segctor hanging, (2) segctor
      crashing, (3) file system metadata corruption.
      
      FIX:
      This patch adds:
      
      (1) setting of BH_Async_Write flag in nilfs_segctor_prepare_write()
          for every proccessed dirty block;
      
      (2) checking of BH_Async_Write flag in
          nilfs_lookup_dirty_data_buffers() and
          nilfs_lookup_dirty_node_buffers();
      
      (3) clearing of BH_Async_Write flag in nilfs_segctor_complete_write(),
          nilfs_abort_logs(), nilfs_forget_buffer(), nilfs_clear_dirty_page().
      Reported-by: default avatarJerome Poulin <jeromepoulin@gmail.com>
      Reported-by: default avatarAnton Eliasson <devel@antoneliasson.se>
      Cc: Paul Fertser <fercerpav@gmail.com>
      Cc: ARAI Shun-ichi <hermes@ceres.dti.ne.jp>
      Cc: Piotr Szymaniak <szarpaj@grubelek.pl>
      Cc: Juan Barry Manuel Canham <Linux@riotingpacifist.net>
      Cc: Zahid Chowdhury <zahid.chowdhury@starsolutions.com>
      Cc: Elmer Zhang <freeboy6716@gmail.com>
      Cc: Kenneth Langga <klangga@gmail.com>
      Signed-off-by: default avatarVyacheslav Dubeyko <slava@dubeyko.com>
      Acked-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d8974c7f
    • Johan Hedberg's avatar
      Bluetooth: Fix rfkill functionality during the HCI setup stage · 23035271
      Johan Hedberg authored
      commit bf543036 upstream.
      
      We need to let the setup stage complete cleanly even when the HCI device
      is rfkilled. Otherwise the HCI device will stay in an undefined state
      and never get notified to user space through mgmt (even when it gets
      unblocked through rfkill).
      
      This patch makes sure that hci_dev_open() can be called in the HCI_SETUP
      stage, that blocking the device doesn't abort the setup stage, and that
      the device gets proper powered down as soon as the setup stage completes
      in case it was blocked meanwhile.
      
      The bug that this patch fixed can be very easily reproduced using e.g.
      the rfkill command line too. By running "rfkill block all" before
      inserting a Bluetooth dongle the resulting HCI device goes into a state
      where it is never announced over mgmt, not even when "rfkill unblock all"
      is run.
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Acked-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGustavo Padovan <gustavo.padovan@collabora.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      23035271
    • Johan Hedberg's avatar
      Bluetooth: Introduce a new HCI_RFKILLED flag · ddc650c1
      Johan Hedberg authored
      commit 5e130367 upstream.
      
      This makes it more convenient to check for rfkill (no need to check for
      dev->rfkill before calling rfkill_blocked()) and also avoids potential
      races if the RFKILL state needs to be checked from within the rfkill
      callback.
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Acked-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGustavo Padovan <gustavo.padovan@collabora.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ddc650c1