1. 23 Mar, 2011 36 commits
    • Sarah Sharp's avatar
      xhci: Fix cycle bit calculation during stall handling. · 24dfb5f9
      Sarah Sharp authored
      commit 01a1fdb9 upstream.
      
      When an endpoint stalls, we need to update the xHCI host's internal
      dequeue pointer to move it past the stalled transfer.  This includes
      updating the cycle bit (TRB ownership bit) if we have moved the dequeue
      pointer past a link TRB with the toggle cycle bit set.
      
      When we're trying to find the new dequeue segment, find_trb_seg() is
      supposed to keep track of whether we've passed any link TRBs with the
      toggle cycle bit set.  However, this while loop's body
      
      	while (cur_seg->trbs > trb ||
      			&cur_seg->trbs[TRBS_PER_SEGMENT - 1] < trb) {
      
      Will never get executed if the ring only contains one segment.
      find_trb_seg() will return immediately, without updating the new cycle
      bit.  Since find_trb_seg() has no idea where in the segment the TD that
      stalled was, make the caller, xhci_find_new_dequeue_state(), check for
      this special case and update the cycle bit accordingly.
      
      This patch should be queued to kernels all the way back to 2.6.31.
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Tested-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      24dfb5f9
    • Sarah Sharp's avatar
      xhci: Update internal dequeue pointers after stalls. · 5fb7c166
      Sarah Sharp authored
      commit bf161e85 upstream.
      
      When an endpoint stalls, the xHCI driver must move the endpoint ring's
      dequeue pointer past the stalled transfer.  To do that, the driver issues
      a Set TR Dequeue Pointer command, which will complete some time later.
      
      Takashi was having issues with USB 1.1 audio devices that stalled, and his
      analysis of the code was that the old code would not update the xHCI
      driver's ring dequeue pointer after the command completes.  However, the
      dequeue pointer is set in xhci_find_new_dequeue_state(), just before the
      set command is issued to the hardware.
      
      Setting the dequeue pointer before the Set TR Dequeue Pointer command
      completes is a dangerous thing to do, since the xHCI hardware can fail the
      command.  Instead, store the new dequeue pointer in the xhci_virt_ep
      structure, and update the ring's dequeue pointer when the Set TR dequeue
      pointer command completes.
      
      While we're at it, make sure we can't queue another Set TR Dequeue Command
      while the first one is still being processed.  This just won't work with
      the internal xHCI state code.  I'm still not sure if this is the right
      thing to do, since we might have a case where a driver queues multiple
      URBs to a control ring, one of the URBs Stalls, and then the driver tries
      to cancel the second URB.  There may be a race condition there where the
      xHCI driver might try to issue multiple Set TR Dequeue Pointer commands,
      but I would have to think very hard about how the Stop Endpoint and
      cancellation code works.  Keep the fix simple until when/if we run into
      that case.
      
      This patch should be queued to kernels all the way back to 2.6.31.
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Tested-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      5fb7c166
    • Alan Stern's avatar
      USB: move usbcore away from hcd->state · ca81d776
      Alan Stern authored
      commit 9b37596a upstream.
      
      The hcd->state variable is a disaster.  It's not clearly owned by
      either usbcore or the host controller drivers, and they both change it
      from time to time, potentially stepping on each other's toes.  It's
      not protected by any locks.  And there's no mechanism to prevent it
      from going through an invalid transition.
      
      This patch (as1451) takes a first step toward fixing these problems.
      As it turns out, usbcore uses hcd->state for essentially only two
      things: checking whether the controller's root hub is running and
      checking whether the controller has died.  Therefore the patch adds
      two new atomic bitflags to the hcd structure, to store these pieces of
      information.  The new flags are used only by usbcore, and a private
      spinlock prevents invalid combinations (a dead controller's root hub
      cannot be running).
      
      The patch does not change the places where usbcore sets hcd->state,
      since HCDs may depend on them.  Furthermore, there is one place in
      usb_hcd_irq() where usbcore still must use hcd->state: An HCD's
      interrupt handler can implicitly indicate that the controller died by
      setting hcd->state to HC_STATE_HALT.  Nevertheless, the new code is a
      big improvement over the current code.
      
      The patch makes one other change.  The hcd_bus_suspend() and
      hcd_bus_resume() routines now check first whether the host controller
      has died; if it has then they return immediately without calling the
      HCD's bus_suspend or bus_resume methods.
      
      This fixes the major problem reported in Bugzilla #29902: The system
      fails to suspend after a host controller dies during system resume.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Tested-by: default avatarAlex Terekhov <a.terekhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      ca81d776
    • Matthew Garrett's avatar
      ehci: Check individual port status registers on resume · a6b2dd27
      Matthew Garrett authored
      commit 294d95f2 upstream.
      
      If a device plug/unplug is detected on an ATI SB700 USB controller in D3,
      it appears to set the port status register but not the controller status
      register. As a result we'll fail to detect the plug event. Check the port
      status register on resume as well in order to catch this case.
      Signed-off-by: default avatarMatthew Garrett <mjg@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      a6b2dd27
    • Sebastian Andrzej Siewior's avatar
      USB: isp1760: Implement solution for erratum 2 · 679a1ea6
      Sebastian Andrzej Siewior authored
      commit b14e840d upstream.
      
      The document says:
      |2.1 Problem description
      |    When at least two USB devices are simultaneously running, it is observed that
      |    sometimes the INT corresponding to one of the USB devices stops occurring. This may
      |    be observed sometimes with USB-to-serial or USB-to-network devices.
      |    The problem is not noticed when only USB mass storage devices are running.
      |2.2 Implication
      |    This issue is because of the clearing of the respective Done Map bit on reading the ATL
      |    PTD Done Map register when an INT is generated by another PTD completion, but is not
      |    found set on that read access. In this situation, the respective Done Map bit will remain
      |    reset and no further INT will be asserted so the data transfer corresponding to that USB
      |    device will stop.
      |2.3 Workaround
      |    An SOF INT can be used instead of an ATL INT with polling on Done bits. A time-out can
      |    be implemented and if a certain Done bit is never set, verification of the PTD completion
      |    can be done by reading PTD contents (valid bit).
      |    This is a proven workaround implemented in software.
      
      Russell King run into this with an USB-to-serial converter. This patch
      implements his suggestion to enable the high frequent SOF interrupt only
      at the time we have ATL packages queued. It goes even one step further
      and enables the SOF interrupt only if we have more than one ATL packet
      queued at the same time.
      Tested-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      679a1ea6
    • Larry Finger's avatar
      rtl8187: Change rate-control feedback · 9d072975
      Larry Finger authored
      commit 6410db59 upstream.
      
      The driver for the RTL8187L chips returns IEEE80211_TX_STAT_ACK for all
      packets, even if the maximum number of retries was exhausted. In addition
      it fails to setup max_rates in the ieee80211_hw struct, This behavior
      may be responsible for the problems noted in Bug 14168. As the bug is very
      old, testers have not been found, and I do not have the case where the
      indicated signal is less than -70 dBm.
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Acked-by: default avatarHin-Tak Leung <htl10@users.sourceforge.net>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      9d072975
    • Felipe Contreras's avatar
      staging: tidspbridge: protect dmm_map properly · 9d0a3d6a
      Felipe Contreras authored
      commit ab42abf3 upstream.
      
      We need to protect not only the dmm_map list, but the individual
      map_obj's, otherwise, we might be building the scatter-gather list with
      garbage. So, use the existing proc_lock for that.
      
      I observed race conditions which caused kernel panics while running
      stress tests, also, Tuomas Kulve found it happening quite often in
      Gumstix Over. This patch fixes those.
      
      Cc: Tuomas Kulve <tuomas@kulve.fi>
      Signed-off-by: default avatarFelipe Contreras <felipe.contreras@nokia.com>
      Signed-off-by: default avatarOmar Ramirez Luna <omar.ramirez@ti.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      9d0a3d6a
    • Jeff Mahoney's avatar
      staging: winbond: needs <linux/delay.h> for msleep and friends · 9396b825
      Jeff Mahoney authored
      commit cecf826d upstream.
      
      linux/delay.h is pulled in somehow on x86 but not on ia64 or powerpc.
      
      This fixes a build failure on those arches since they use [mu]delay.
      Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      9396b825
    • wangyanqing's avatar
      USB: serial: ch341: add new id · 1bc826c8
      wangyanqing authored
      commit d0781383 upstream.
      
      I picked up a new DAK-780EX(professional digitl reverb/mix system),
      which use CH341T chipset to communication with computer on 3/2011
      and the CH341T's vendor code is 1a86
      
      Looking up the CH341T's vendor and product id's I see:
      
      1a86  QinHeng Electronics
        5523  CH341 in serial mode, usb to serial port converter
      
      CH341T,CH341 are the products of the same company, maybe
      have some common hardware, and I test the ch341.c works
      well with CH341T
      
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      1bc826c8
    • Herton Ronaldo Krzesinski's avatar
      USB: serial: option: Apply OPTION_BLACKLIST_SENDSETUP also for ZTE MF626 · c576af54
      Herton Ronaldo Krzesinski authored
      commit 7a89e4cb upstream.
      
      On https://bugs.launchpad.net/ubuntu/+source/linux/+bug/636091, one of
      the cases reported is a big timeout on option_send_setup, which causes
      some side effects as tty_lock is held. Looks like some of ZTE MF626
      devices also don't like the RTS/DTR setting in option_send_setup, like
      with 4G XS Stick W14. The reporter confirms which this it solves the
      long freezes in his system.
      Signed-off-by: default avatarHerton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      c576af54
    • Jiri Slaby's avatar
      USB: serial/kobil_sct, fix potential tty NULL dereference · 0a04fbe5
      Jiri Slaby authored
      commit 6960f40a upstream.
      
      Make sure that we check the return value of tty_port_tty_get.
      Sometimes it may return NULL and we later dereference that.
      
      The only place here is in kobil_read_int_callback, so fix it.
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Cc: Alan Cox <alan@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      0a04fbe5
    • Alan Stern's avatar
      USB: serial drivers need to use larger bulk-in buffers · 366a91fb
      Alan Stern authored
      commit 969e3033 upstream.
      
      When a driver doesn't know how much data a device is going to send,
      the buffer size should be at least as big as the endpoint's maxpacket
      value.  The serial drivers don't follow this rule; many of them
      request only 256-byte bulk-in buffers.  As a result, they suffer
      overflow errors if a high-speed device wants to send a lot of data,
      because high-speed bulk endpoints are required to have a maxpacket
      size of 512.
      
      This patch (as1450) fixes the problem by using the driver's
      bulk_in_size value as a minimum, always allocating buffers no smaller
      than the endpoint's maxpacket size.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Tested-by: default avatarFlynn Marquardt <flynn@flynnux.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      366a91fb
    • Yin Kangkai's avatar
      serial: change the divisor latch only when prescalar actually changed · 2ac31a25
      Yin Kangkai authored
      commit 0d0389e5 upstream.
      
      In 8250.c original ns16550 autoconfig code, we change the divisor latch when
      we goto to high speed mode, we're assuming the previous speed is legacy. This
      some times is not true.
      
      For example in a system with both CONFIG_SERIAL_8250 and
      CONFIG_SERIAL_8250_PNP set, in this case, the code (autoconfig) will be called
      twice, one in serial8250_init/probe() and the other is from
      serial_pnp_probe. When serial_pnp_probe calls the autoconfig for NS16550A,
      it's already in high speed mode, change the divisor latch (quot << 3) in this
      case will make the UART console garbled.
      
      CC: Greg Kroah-Hartman <greg@kroah.com>
      CC: David Woodhouse <dwmw2@infradead.org>
      CC: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarYin Kangkai <kangkai.yin@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      2ac31a25
    • Yin Kangkai's avatar
      serial: also set the uartclk value in resume after goes to highspeed · 102965a0
      Yin Kangkai authored
      commit 95926d2d upstream.
      
      For any reason if the NS16550A was not work in high speed mode (e.g. we hold
      NS16550A from going to high speed mode in autoconfig_16550a()), now we are
      resume from suspend, we should also set the uartclk to the correct
      value. Otherwise it is still the old 1843200 and that will bring issues.
      
      CC: Greg Kroah-Hartman <greg@kroah.com>
      CC: David Woodhouse <dwmw2@infradead.org>
      CC: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarYin Kangkai <kangkai.yin@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      102965a0
    • Dan Carpenter's avatar
      serial: mrst_max3110: make buffer larger · ffe6f167
      Dan Carpenter authored
      commit d8653d30 upstream.
      
      This is used to store the spi_device ->modalias so they have to be the same
      size.  SPI_NAME_SIZE is 32.
      Signed-off-by: default avatarDan Carpenter <error27@gmail.com>
      Signed-off-by: default avatarAlan Cox <alan@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      ffe6f167
    • Felix Fietkau's avatar
      ath9k: remove support for the FIF_PROMISC_IN_BSS filter flag · fd190dfb
      Felix Fietkau authored
      commit 2e286947 upstream.
      
      The hardware rx filter flag triggered by FIF_PROMISC_IN_BSS is overly broad
      and covers even frames with PHY errors. When this flag is enabled, this message
      shows up frequently during scanning or hardware resets:
      
      ath: Could not stop RX, we could be confusing the DMA engine when we start RX up
      
      Since promiscuous mode is usually not particularly useful, yet enabled by
      default by bridging (either used normally in 4-addr mode, or with hacks
      for various virtualization software), we should sacrifice it for better
      reliability during normal operation.
      
      This patch leaves it enabled if there are active monitor mode interfaces, since
      it's very useful for debugging.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      fd190dfb
    • Senthil Balasubramanian's avatar
      ath9k_hw: Fix incorrect macversion and macrev checks · ef9d94d4
      Senthil Balasubramanian authored
      commit ac45c12d upstream.
      
      There are few places where we are checking for macversion and revsions
      before RTC is powered ON. However we are reading the macversion and
      revisions only after RTC is powered ON and so both macversion and
      revisions are actully zero and this leads to incorrect srev checks
      
      Incorrect srev checks can cause registers to be configured wrongly and can
      cause unexpected behavior. Fixing this seems to address the ASPM issue that
      we have observed. The laptop becomes very slow and hangs mostly with ASPM L1
      enabled without this fix.
      
      fix this by reading the macversion and revisisons even before we start
      using them. There is no reason why should we delay reading this info
      until RTC is powered on as this is just a register information.
      Signed-off-by: default avatarSenthil Balasubramanian <senthilkumar@atheros.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      ef9d94d4
    • Senthil Balasubramanian's avatar
      ath9k_hw: read and backup AR_WA register value even before chip reset on. · d1fd5e3a
      Senthil Balasubramanian authored
      commit 0a8d7cb0 upstream.
      
      We need to read and backup AR_WA register value permanently and reading
      this after the chip is awakened results in this register being zeroed out.
      
      This seems to fix the ASPM with L1 enabled issue that we have observed.
      The laptop becomes very slow and hangs mostly with ASPM L1 enabled without
      this fix.
      Signed-off-by: default avatarSenthil Balasubramanian <senthilkumar@atheros.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      d1fd5e3a
    • Chris Wilson's avatar
      drm: Hold the mode mutex whilst probing for sysfs status · d65298f4
      Chris Wilson authored
      commit 007c80a5 upstream.
      
      As detect will use hw registers and may modify structures, it needs to be
      serialised by use of the dev->mode_config.mutex. Make it so.
      
      Otherwise, we may cause random crashes as the sysfs file is queried
      whilst a concurrent hotplug poll is being run. For example:
      
      [ 1189.189626] BUG: unable to handle kernel NULL pointer dereference at 00000100
      [ 1189.189821] IP: [<e0c22019>] intel_tv_detect_type+0xa2/0x203 [i915]
      [ 1189.190020] *pde = 00000000
      [ 1189.190104] Oops: 0000 [#1] SMP
      [ 1189.190209] last sysfs file: /sys/devices/pci0000:00/0000:00:02.0/drm/card0/card0-SVIDEO-1/status
      [ 1189.190412] Modules linked in: mperf cpufreq_conservative cpufreq_userspace cpufreq_powersave cpufreq_stats decnet uinput fuse loop joydev snd_hd a_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm i915 snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq drm_kms_helper snd_timer uvcvideo d rm snd_seq_device eeepc_laptop tpm_tis usbhid videodev i2c_algo_bit v4l1_compat snd sparse_keymap i2c_core hid serio_raw tpm psmouse evdev tpm_bios rfkill shpchp ac processor rng_c ore battery video power_supply soundcore pci_hotplug button output snd_page_alloc usb_storage uas ext3 jbd mbcache sd_mod crc_t10dif ata_generic ahci libahci ata_piix libata uhci_h cd ehci_hcd scsi_mod usbcore thermal atl2 thermal_sys nls_base [last unloaded: scsi_wait_scan]
      [ 1189.192007]
      [ 1189.192007] Pid: 1464, comm: upowerd Not tainted 2.6.37-2-686 #1 ASUSTeK Computer INC. 701/701
      [ 1189.192007] EIP: 0060:[<e0c22019>] EFLAGS: 00010246 CPU: 0
      [ 1189.192007] EIP is at intel_tv_detect_type+0xa2/0x203 [i915]
      [ 1189.192007] EAX: 00000000 EBX: dca74000 ECX: e0f68004 EDX: 00068004
      [ 1189.192007] ESI: dd110c00 EDI: 400c0c37 EBP: dca7429c ESP: de365e2c
      [ 1189.192007]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      [ 1189.192007] Process upowerd (pid: 1464, ti=de364000 task=dcc8acb0 task.ti=de364000)
      [ 1189.192007] Stack: Mar 15 03:43:23 hostname kernel: [ 1189.192007]  e0c2cda4 70000000 400c0c30 00000000 dd111000 de365e54 de365f24 dd110c00
      [ 1189.192007]  e0c22203 01000000 00000003 00000000 00000000 00000000 00000000 4353544e
      [ 1189.192007]  30383420 00000069 00000000 00000000 00000000 00000000 00000000 00000000
      [ 1189.192007] Call Trace: Mar 15 03:43:23 hostname kernel: [ 1189.192007]  [<e0c22203>] ?  intel_tv_detect+0x89/0x12d [i915]
      [ 1189.192007]  [<e0a9dcef>] ?  status_show+0x0/0x2f [drm]
      [ 1189.192007]  [<e0a9dd03>] ?  status_show+0x14/0x2f [drm]
      
      [Digression: what is upowerd doing reading those power hungry files?]
      Reported-by: default avatarPaul Menzel <paulepanter@users.sourceforge.net>
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      d65298f4
    • Alex Deucher's avatar
      drm/radeon/kms: fix typo in atom overscan setup · 8901c285
      Alex Deucher authored
      commit 942b0e95 upstream.
      
      Typo in the aspect scale setup.
      Signed-off-by: default avatarAlex Deucher <alexdeucher@gmail.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      8901c285
    • Chris Wilson's avatar
      drm/i915: Replace vblank PM QoS with "Interrupt-Based AGPBUSY#" · 7d77d221
      Chris Wilson authored
      commit 8692d00e upstream.
      
      I stumbled over this magic bit in the gen3 INSTPM:
      
      Bit11 Interrupt-Based AGPBUSY# Enable:
      
      ‘0’ = Pending GMCH interrupts will not cause AGPBUSY# assertion.
      ‘1’ = Pending GMCH interrupts will cause AGPBUSY# assertion and hence
            can cause the CPU to exit C3.  There is no suppression of cacheable
            writes.
      
      Note that in either case in C3 the interrupts are not lost. They will be
      forwarded to the ICH when the GMCH is out of C3.
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Tested-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      7d77d221
    • Tetsuo Handa's avatar
      TOMOYO: Fix memory leak upon file open. · 7cd4ad7e
      Tetsuo Handa authored
      commit eae61f3c upstream.
      
      In tomoyo_check_open_permission() since 2.6.36, TOMOYO was by error
      recalculating already calculated pathname when checking allow_rewrite
      permission. As a result, memory will leak whenever a file is opened for writing
      without O_APPEND flag. Also, performance will degrade because TOMOYO is
      calculating pathname regardless of profile configuration.
      This patch fixes the leak and performance degrade.
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      7cd4ad7e
    • Mathieu Desnoyers's avatar
      x86: stop_machine_text_poke() should issue sync_core() · 41fa53b8
      Mathieu Desnoyers authored
      commit 0e00f7ae upstream.
      
      Intel Archiecture Software Developer's Manual section 7.1.3 specifies that a
      core serializing instruction such as "cpuid" should be executed on _each_ core
      before the new instruction is made visible.
      
      Failure to do so can lead to unspecified behavior (Intel XMC erratas include
      General Protection Fault in the list), so we should avoid this at all cost.
      
      This problem can affect modified code executed by interrupt handlers after
      interrupt are re-enabled at the end of stop_machine, because no core serializing
      instruction is executed between the code modification and the moment interrupts
      are reenabled.
      
      Because stop_machine_text_poke performs the text modification from the first CPU
      decrementing stop_machine_first, modified code executed in thread context is
      also affected by this problem. To explain why, we have to split the CPUs in two
      categories: the CPU that initiates the text modification (calls text_poke_smp)
      and all the others. The scheduler, executed on all other CPUs after
      stop_machine, issues an "iret" core serializing instruction, and therefore
      handles core serialization for all these CPUs. However, the text modification
      initiator can continue its execution on the same thread and access the modified
      text without any scheduler call. Given that the CPU that initiates the code
      modification is not guaranteed to be the one actually performing the code
      modification, it falls into the XMC errata.
      
      Q: Isn't this executed from an IPI handler, which will return with IRET (a
         serializing instruction) anyway?
      A: No, now stop_machine uses per-cpu workqueue, so that handler will be
         executed from worker threads. There is no iret anymore.
      Signed-off-by: default avatarMathieu Desnoyers <mathieu.desnoyers@efficios.com>
      LKML-Reference: <20110303160137.GB1590@Krystal>
      Reviewed-by: default avatarMasami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
      Cc: Arjan van de Ven <arjan@infradead.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andi Kleen <andi@firstfloor.org>
      Cc: Frederic Weisbecker <fweisbec@gmail.com>
      Signed-off-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      41fa53b8
    • Steven J. Magnani's avatar
      microblaze: Fix /dev/zero corruption from __clear_user() · 1bb392f3
      Steven J. Magnani authored
      commit 6f3946b4 upstream.
      
      A userland read of more than PAGE_SIZE bytes from /dev/zero results in
      (a) not all of the bytes returned being zero, and
      (b) memory corruption due to zeroing of bytes beyond the user buffer.
      
      This is caused by improper constraints on the assembly __clear_user function.
      The constrints don't indicate to the compiler that the pointer argument is
      modified. Since the function is inline, this results in double-incrementing
      of the pointer when __clear_user() is invoked through a multi-page read() of
      /dev/zero.
      Signed-off-by: default avatarSteven J. Magnani <steve@digidescorp.com>
      Acked-by: default avatarMichal Simek <monstr@monstr.eu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      1bb392f3
    • Andreas Herrmann's avatar
      x86, quirk: Fix SB600 revision check · b030eac9
      Andreas Herrmann authored
      commit 1d3e09a3 upstream.
      
      Commit 7f74f8f2
      (x86 quirk: Fix polarity for IRQ0 pin2 override on SB800
      systems) introduced a regression. It removed some SB600 specific
      code to determine the revision ID without adapting a
      corresponding revision ID check for SB600.
      
      See this mail thread:
      
        http://marc.info/?l=linux-kernel&m=129980296006380&w=2
      
      This patch adapts the corresponding check to cover all SB600
      revisions.
      Tested-by: default avatarWang Lei <f3d27b@gmail.com>
      Signed-off-by: default avatarAndreas Herrmann <andreas.herrmann3@amd.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      LKML-Reference: <20110315143137.GD29499@alberich.amd.com>
      Signed-off-by: default avatarIngo Molnar <mingo@elte.hu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      b030eac9
    • Sean Hefty's avatar
      IB/cm: Bump reference count on cm_id before invoking callback · 6fee8c66
      Sean Hefty authored
      commit 29963437 upstream.
      
      When processing a SIDR REQ, the ib_cm allocates a new cm_id.  The
      refcount of the cm_id is initialized to 1.  However, cm_process_work
      will decrement the refcount after invoking all callbacks.  The result
      is that the cm_id will end up with refcount set to 0 by the end of the
      sidr req handler.
      
      If a user tries to destroy the cm_id, the destruction will proceed,
      under the incorrect assumption that no other threads are referencing
      the cm_id.  This can lead to a crash when the cm callback thread tries
      to access the cm_id.
      
      This problem was noticed as part of a larger investigation with kernel
      crashes in the rdma_cm when running on a real time OS.
      Signed-off-by: default avatarSean Hefty <sean.hefty@intel.com>
      Acked-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      6fee8c66
    • Linus Torvalds's avatar
      Increase OSF partition limit from 8 to 18 · cd970182
      Linus Torvalds authored
      commit 34d211a2 upstream.
      
      It turns out that while a maximum of 8 partitions may be what people
      "should" have had, you can actually fit up to 18 entries(*) in a sector.
      
      And some people clearly were taking advantage of that, like Michael
      Cree, who had ten partitions on one of his OSF disks.
      
      (*) The OSF partition data starts at byte offset 64 in the first sector,
          and the array of 16-byte partition entries start at offset 148 in
          the on-disk partition structure.
      Reported-by: default avatarMichael Cree <mcree@orcon.net.nz>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      cd970182
    • Sean Hefty's avatar
      RDMA/cma: Fix crash in request handlers · 4d94af00
      Sean Hefty authored
      commit 25ae21a1 upstream.
      
      Doug Ledford and Red Hat reported a crash when running the rdma_cm on
      a real-time OS.  The crash has the following call trace:
      
          cm_process_work
             cma_req_handler
                cma_disable_callback
                rdma_create_id
                   kzalloc
                   init_completion
                cma_get_net_info
                cma_save_net_info
                cma_any_addr
                   cma_zero_addr
                rdma_translate_ip
                   rdma_copy_addr
                cma_acquire_dev
                   rdma_addr_get_sgid
                   ib_find_cached_gid
                   cma_attach_to_dev
                ucma_event_handler
                   kzalloc
                   ib_copy_ah_attr_to_user
                cma_comp
      
      [ preempted ]
      
          cma_write
              copy_from_user
              ucma_destroy_id
                 copy_from_user
                 _ucma_find_context
                 ucma_put_ctx
                 ucma_free_ctx
                    rdma_destroy_id
                       cma_exch
                       cma_cancel_operation
                       rdma_node_get_transport
      
              rt_mutex_slowunlock
              bad_area_nosemaphore
              oops_enter
      
      They were able to reproduce the crash multiple times with the
      following details:
      
          Crash seems to always happen on the:
                  mutex_unlock(&conn_id->handler_mutex);
          as conn_id looks to have been freed during this code path.
      
      An examination of the code shows that a race exists in the request
      handlers.  When a new connection request is received, the rdma_cm
      allocates a new connection identifier.  This identifier has a single
      reference count on it.  If a user calls rdma_destroy_id() from another
      thread after receiving a callback, rdma_destroy_id will proceed to
      destroy the id and free the associated memory.  However, the request
      handlers may still be in the process of running.  When control returns
      to the request handlers, they can attempt to access the newly created
      identifiers.
      
      Fix this by holding a reference on the newly created rdma_cm_id until
      the request handler is through accessing it.
      Signed-off-by: default avatarSean Hefty <sean.hefty@intel.com>
      Acked-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      4d94af00
    • Tejun Heo's avatar
      libata: fix hotplug for drivers which don't implement LPM · bcefd0d7
      Tejun Heo authored
      commit eb0e85e3 upstream.
      
      ata_eh_analyze_serror() suppresses hotplug notifications if LPM is
      being used because LPM generates spurious hotplug events.  It compared
      whether link->lpm_policy was different from ATA_LPM_MAX_POWER to
      determine whether LPM is enabled; however, this is incorrect as for
      drivers which don't implement LPM, lpm_policy is always
      ATA_LPM_UNKNOWN.  This disabled hotplug detection for all drivers
      which don't implement LPM.
      
      Fix it by comparing whether lpm_policy is greater than
      ATA_LPM_MAX_POWER.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarJeff Garzik <jgarzik@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      bcefd0d7
    • Per Jessen's avatar
      ahci: recognize Marvell 88se9125 PCIe SATA 6.0 Gb/s controller · bfa65173
      Per Jessen authored
      commit 467b41c6 upstream.
      
      Recognize Marvell 88SE9125 PCIe SATA 6.0 Gb/s controller.
      Signed-off-by: default avatarPer Jessen <per@computer.org>
      Signed-off-by: default avatarJeff Garzik <jgarzik@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      bfa65173
    • Seth Heasley's avatar
      ahci: AHCI mode SATA patch for Intel Patsburg SATA RAID controller · a3980437
      Seth Heasley authored
      commit 64a3903d upstream.
      
      This patch adds an updated SATA RAID DeviceID for the Intel Patsburg PCH.
      Signed-off-by: default avatarSeth Heasley <seth.heasley@intel.com>
      Signed-off-by: default avatarJeff Garzik <jgarzik@pobox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      a3980437
    • Kamal Mostafa's avatar
      x86: Emit "mem=nopentium ignored" warning when not supported · 82c6db7f
      Kamal Mostafa authored
      commit 9a6d44b9 upstream.
      
      Emit warning when "mem=nopentium" is specified on any arch other
      than x86_32 (the only that arch supports it).
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      BugLink: http://bugs.launchpad.net/bugs/553464
      Cc: Yinghai Lu <yinghai@kernel.org>
      Cc: Len Brown <len.brown@intel.com>
      Cc: Rafael J. Wysocki <rjw@sisk.pl>
      LKML-Reference: <1296783486-23033-2-git-send-email-kamal@canonical.com>
      Signed-off-by: default avatarIngo Molnar <mingo@elte.hu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      82c6db7f
    • Kamal Mostafa's avatar
      x86: Fix panic when handling "mem={invalid}" param · d59c7a36
      Kamal Mostafa authored
      commit 77eed821 upstream.
      
      Avoid removing all of memory and panicing when "mem={invalid}"
      is specified, e.g. mem=blahblah, mem=0, or mem=nopentium (on
      platforms other than x86_32).
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      BugLink: http://bugs.launchpad.net/bugs/553464
      Cc: Yinghai Lu <yinghai@kernel.org>
      Cc: Len Brown <len.brown@intel.com>
      Cc: Rafael J. Wysocki <rjw@sisk.pl>
      LKML-Reference: <1296783486-23033-1-git-send-email-kamal@canonical.com>
      Signed-off-by: default avatarIngo Molnar <mingo@elte.hu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      d59c7a36
    • Steven Rostedt's avatar
      ftrace: Fix memory leak with function graph and cpu hotplug · 1883e22e
      Steven Rostedt authored
      commit 868baf07 upstream.
      
      When the fuction graph tracer starts, it needs to make a special
      stack for each task to save the real return values of the tasks.
      All running tasks have this stack created, as well as any new
      tasks.
      
      On CPU hot plug, the new idle task will allocate a stack as well
      when init_idle() is called. The problem is that cpu hotplug does
      not create a new idle_task. Instead it uses the idle task that
      existed when the cpu went down.
      
      ftrace_graph_init_task() will add a new ret_stack to the task
      that is given to it. Because a clone will make the task
      have a stack of its parent it does not check if the task's
      ret_stack is already NULL or not. When the CPU hotplug code
      starts a CPU up again, it will allocate a new stack even
      though one already existed for it.
      
      The solution is to treat the idle_task specially. In fact, the
      function_graph code already does, just not at init_idle().
      Instead of using the ftrace_graph_init_task() for the idle task,
      which that function expects the task to be a clone, have a
      separate ftrace_graph_init_idle_task(). Also, we will create a
      per_cpu ret_stack that is used by the idle task. When we call
      ftrace_graph_init_idle_task() it will check if the idle task's
      ret_stack is NULL, if it is, then it will assign it the per_cpu
      ret_stack.
      Reported-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Suggested-by: default avatarPeter Zijlstra <a.p.zijlstra@chello.nl>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      1883e22e
    • Trond Myklebust's avatar
      VFS: Fix the nfs sillyrename regression in kernel 2.6.38 · 2c048b5d
      Trond Myklebust authored
      commit c83ce989 upstream.
      
      The new vfs locking scheme introduced in 2.6.38 breaks NFS sillyrename
      because the latter relies on being able to determine the parent
      directory of the dentry in the ->iput() callback in order to send the
      appropriate unlink rpc call.
      
      Looking at the code that cares about races with dput(), there doesn't
      seem to be anything that specifically uses d_parent as a test for
      whether or not there is a race:
        - __d_lookup_rcu(), __d_lookup() all test for d_hashed() after d_parent
        - shrink_dcache_for_umount() is safe since nothing else can rearrange
          the dentries in that super block.
        - have_submount(), select_parent() and d_genocide() can test for a
          deletion if we set the DCACHE_DISCONNECTED flag when the dentry
          is removed from the parent's d_subdirs list.
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      2c048b5d
    • Linus Torvalds's avatar
      dcache.c: create helper function for duplicated functionality · c4e8d54f
      Linus Torvalds authored
      commit c826cb7d upstream.
      
      This creates a helper function for he "try to ascend into the parent
      directory" case, which was written out in triplicate before.  With all
      the locking and subtle sequence number stuff, we really don't want to
      duplicate that kind of code.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      c4e8d54f
  2. 15 Mar, 2011 1 commit
  3. 14 Mar, 2011 3 commits