1. 04 Jul, 2012 27 commits
    • Jonghwan Choi's avatar
      ARM: SAMSUNG: Should check for IS_ERR(clk) instead of NULL · 52c8c02c
      Jonghwan Choi authored
      commit a5d8f476 upstream.
      
      On the error condition clk_get() returns ERR_PTR().
      Signed-off-by: default avatarJonghwan Choi <jhbird.choi@samsung.com>
      Signed-off-by: default avatarKukjin Kim <kgene.kim@samsung.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      52c8c02c
    • Antonio Quartulli's avatar
      batman-adv: fix skb->data assignment · 6f4d747d
      Antonio Quartulli authored
      commit 2c995ff8 upstream.
      
      skb_linearize(skb) possibly rearranges the skb internal data and then changes
      the skb->data pointer value. For this reason any other pointer in the code that
      was assigned skb->data before invoking skb_linearise(skb) must be re-assigned.
      
      In the current tt_query message handling code this is not done and therefore, in
      case of skb linearization, the pointer used to handle the packet header ends up
      in pointing to free'd memory.
      
      This bug was introduced by a73105b8
      (batman-adv: improved client announcement mechanism)
      Signed-off-by: default avatarAntonio Quartulli <ordex@autistici.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [This patch is a backport for kernel versions 3.1 and 3.2 - Antonio]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6f4d747d
    • Felix Fietkau's avatar
      ath9k: fix a tx rate duration calculation bug · 4c42ad8f
      Felix Fietkau authored
      commit 76591bea upstream.
      
      The rate pointer variable for a rate series is used in a loop before it is
      initialized. This went unnoticed because it was used earlier for the RTS/CTS
      rate. This bug can lead to the wrong PHY type being passed to the
      duration calculation function.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4c42ad8f
    • Dan Carpenter's avatar
      can: c_can: precedence error in c_can_chip_config() · 86f65876
      Dan Carpenter authored
      commit d9cb9bd6 upstream.
      
      (CAN_CTRLMODE_LISTENONLY & CAN_CTRLMODE_LOOPBACK) is (0x02 & 0x01) which
      is zero so the condition is never true.  The intent here was to test
      that both flags were set.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      86f65876
    • Mohammed Shafi Shajakhan's avatar
      ath9k: Fix softlockup in AR9485 · bc623ac3
      Mohammed Shafi Shajakhan authored
      commit bcb7ad7b upstream.
      
      steps to recreate:
      load latest ath9k driver with AR9485
      stop the network-manager and wpa_supplicant
      bring the interface up
      
      	Call Trace:
      	[<ffffffffa0517490>] ? ath_hw_check+0xe0/0xe0 [ath9k]
      	[<ffffffff812cd1e8>] __const_udelay+0x28/0x30
      	[<ffffffffa03bae7a>] ar9003_get_pll_sqsum_dvc+0x4a/0x80 [ath9k_hw]
      	[<ffffffffa05174eb>] ath_hw_pll_work+0x5b/0xe0 [ath9k]
      	[<ffffffff810744fe>] process_one_work+0x11e/0x470
      	[<ffffffff8107530f>] worker_thread+0x15f/0x360
      	[<ffffffff810751b0>] ? manage_workers+0x230/0x230
      	[<ffffffff81079af3>] kthread+0x93/0xa0
      	[<ffffffff815fd3a4>] kernel_thread_helper+0x4/0x10
      	[<ffffffff81079a60>] ? kthread_freezable_should_stop+0x70/0x70
      	[<ffffffff815fd3a0>] ? gs_change+0x13/0x13
      
      ensure that the PLL-WAR for AR9485/AR9340 is executed only if the STA is
      associated (or) IBSS/AP mode had started beaconing. Ideally this WAR
      is needed to recover from some rare beacon stuck during stress testing.
      Before the STA is associated/IBSS had started beaconing, PLL4(0x1618c)
      always seem to have zero even though we had configured PLL3(0x16188) to
      query about PLL's locking status. When we keep on polling infinitely PLL4's
      8th bit(ie check for PLL locking measurements is done), machine hangs
      due to softlockup.
      
      fixes https://bugzilla.redhat.com/show_bug.cgi?id=811142Reported-by: default avatarRolf Offermanns <rolf.offermanns@gmx.net>
      Tested-by: default avatarMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
      Signed-off-by: default avatarMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bc623ac3
    • Eliad Peller's avatar
      cfg80211: fix potential deadlock in regulatory · d1207689
      Eliad Peller authored
      commit fe20b39e upstream.
      
      reg_timeout_work() calls restore_regulatory_settings() which
      takes cfg80211_mutex.
      
      reg_set_request_processed() already holds cfg80211_mutex
      before calling cancel_delayed_work_sync(reg_timeout),
      so it might deadlock.
      
      Call the async cancel_delayed_work instead, in order
      to avoid the potential deadlock.
      
      This is the relevant lockdep warning:
      
      cfg80211: Calling CRDA for country: XX
      
      ======================================================
      [ INFO: possible circular locking dependency detected ]
      3.4.0-rc5-wl+ #26 Not tainted
      -------------------------------------------------------
      kworker/0:2/1391 is trying to acquire lock:
       (cfg80211_mutex){+.+.+.}, at: [<bf28ae00>] restore_regulatory_settings+0x34/0x418 [cfg80211]
      
      but task is already holding lock:
       ((reg_timeout).work){+.+...}, at: [<c0059e94>] process_one_work+0x1f0/0x480
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #2 ((reg_timeout).work){+.+...}:
             [<c008fd44>] validate_chain+0xb94/0x10f0
             [<c0090b68>] __lock_acquire+0x8c8/0x9b0
             [<c0090d40>] lock_acquire+0xf0/0x114
             [<c005b600>] wait_on_work+0x4c/0x154
             [<c005c000>] __cancel_work_timer+0xd4/0x11c
             [<c005c064>] cancel_delayed_work_sync+0x1c/0x20
             [<bf28b274>] reg_set_request_processed+0x50/0x78 [cfg80211]
             [<bf28bd84>] set_regdom+0x550/0x600 [cfg80211]
             [<bf294cd8>] nl80211_set_reg+0x218/0x258 [cfg80211]
             [<c03c7738>] genl_rcv_msg+0x1a8/0x1e8
             [<c03c6a00>] netlink_rcv_skb+0x5c/0xc0
             [<c03c7584>] genl_rcv+0x28/0x34
             [<c03c6720>] netlink_unicast+0x15c/0x228
             [<c03c6c7c>] netlink_sendmsg+0x218/0x298
             [<c03933c8>] sock_sendmsg+0xa4/0xc0
             [<c039406c>] __sys_sendmsg+0x1e4/0x268
             [<c0394228>] sys_sendmsg+0x4c/0x70
             [<c0013840>] ret_fast_syscall+0x0/0x3c
      
      -> #1 (reg_mutex){+.+.+.}:
             [<c008fd44>] validate_chain+0xb94/0x10f0
             [<c0090b68>] __lock_acquire+0x8c8/0x9b0
             [<c0090d40>] lock_acquire+0xf0/0x114
             [<c04734dc>] mutex_lock_nested+0x48/0x320
             [<bf28b2cc>] reg_todo+0x30/0x538 [cfg80211]
             [<c0059f44>] process_one_work+0x2a0/0x480
             [<c005a4b4>] worker_thread+0x1bc/0x2bc
             [<c0061148>] kthread+0x98/0xa4
             [<c0014af4>] kernel_thread_exit+0x0/0x8
      
      -> #0 (cfg80211_mutex){+.+.+.}:
             [<c008ed58>] print_circular_bug+0x68/0x2cc
             [<c008fb28>] validate_chain+0x978/0x10f0
             [<c0090b68>] __lock_acquire+0x8c8/0x9b0
             [<c0090d40>] lock_acquire+0xf0/0x114
             [<c04734dc>] mutex_lock_nested+0x48/0x320
             [<bf28ae00>] restore_regulatory_settings+0x34/0x418 [cfg80211]
             [<bf28b200>] reg_timeout_work+0x1c/0x20 [cfg80211]
             [<c0059f44>] process_one_work+0x2a0/0x480
             [<c005a4b4>] worker_thread+0x1bc/0x2bc
             [<c0061148>] kthread+0x98/0xa4
             [<c0014af4>] kernel_thread_exit+0x0/0x8
      
      other info that might help us debug this:
      
      Chain exists of:
        cfg80211_mutex --> reg_mutex --> (reg_timeout).work
      
       Possible unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock((reg_timeout).work);
                                     lock(reg_mutex);
                                     lock((reg_timeout).work);
        lock(cfg80211_mutex);
      
       *** DEADLOCK ***
      
      2 locks held by kworker/0:2/1391:
       #0:  (events){.+.+.+}, at: [<c0059e94>] process_one_work+0x1f0/0x480
       #1:  ((reg_timeout).work){+.+...}, at: [<c0059e94>] process_one_work+0x1f0/0x480
      
      stack backtrace:
      [<c001b928>] (unwind_backtrace+0x0/0x12c) from [<c0471d3c>] (dump_stack+0x20/0x24)
      [<c0471d3c>] (dump_stack+0x20/0x24) from [<c008ef70>] (print_circular_bug+0x280/0x2cc)
      [<c008ef70>] (print_circular_bug+0x280/0x2cc) from [<c008fb28>] (validate_chain+0x978/0x10f0)
      [<c008fb28>] (validate_chain+0x978/0x10f0) from [<c0090b68>] (__lock_acquire+0x8c8/0x9b0)
      [<c0090b68>] (__lock_acquire+0x8c8/0x9b0) from [<c0090d40>] (lock_acquire+0xf0/0x114)
      [<c0090d40>] (lock_acquire+0xf0/0x114) from [<c04734dc>] (mutex_lock_nested+0x48/0x320)
      [<c04734dc>] (mutex_lock_nested+0x48/0x320) from [<bf28ae00>] (restore_regulatory_settings+0x34/0x418 [cfg80211])
      [<bf28ae00>] (restore_regulatory_settings+0x34/0x418 [cfg80211]) from [<bf28b200>] (reg_timeout_work+0x1c/0x20 [cfg80211])
      [<bf28b200>] (reg_timeout_work+0x1c/0x20 [cfg80211]) from [<c0059f44>] (process_one_work+0x2a0/0x480)
      [<c0059f44>] (process_one_work+0x2a0/0x480) from [<c005a4b4>] (worker_thread+0x1bc/0x2bc)
      [<c005a4b4>] (worker_thread+0x1bc/0x2bc) from [<c0061148>] (kthread+0x98/0xa4)
      [<c0061148>] (kthread+0x98/0xa4) from [<c0014af4>] (kernel_thread_exit+0x0/0x8)
      cfg80211: Calling CRDA to update world regulatory domain
      cfg80211: World regulatory domain updated:
      cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
      cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
      cfg80211:   (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
      cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
      cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
      cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
      Signed-off-by: default avatarEliad Peller <eliad@wizery.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d1207689
    • Mohammed Shafi Shajakhan's avatar
      ath9k: Fix a WARNING on suspend/resume with IBSS · 14dd08df
      Mohammed Shafi Shajakhan authored
      commit 2031b4c2 upstream.
      
      this patch is dependent on the patch "cfg80211: fix interface
      combinations"
      
      In ath9k currently we have ADHOC interface as a single incompatible
      interface. when drv_add_interface is called during resume we got to
      consider number of vifs already present in addition to checking the
      drivers 'opmode' information about ADHOC.  we incorrectly assume
      an ADHOC interface is already present. Then we may miss some driver
      specific data for the ADHOC interface after resume.
      
      The above mentioned checks can be removed from the driver,
      as the patch 'cfg80211: fix interface combinations' ensures that
      if an interface type is not advertised by the driver in any of the
      interface combinations(via ieee80211_iface_combination) then it shall
      be treated as a single incompatible interface. Fixes the following
      warning on suspend/resume with ibss interface.
      
              ath: phy0: Cannot create ADHOC interface when other
              interfaces already exist.
              WARNING: at net/mac80211/driver-ops.h:12
              ieee80211_reconfig+0x1882/0x1ca0 [mac80211]()
              Hardware name: 2842RK1
              wlan2:  Failed check-sdata-in-driver check, flags: 0x0
      
              Call Trace:
              [<c01361b2>] warn_slowpath_common+0x72/0xa0
              [<f8aaa7c2>] ? ieee80211_reconfig+0x1882/0x1ca0
              [mac80211]
              [<f8aaa7c2>] ? ieee80211_reconfig+0x1882/0x1ca0
              [mac80211]
              [<c0136283>] warn_slowpath_fmt+0x33/0x40
              [<f8aaa7c2>] ieee80211_reconfig+0x1882/0x1ca0 [mac80211]
              [<c06c1d1a>] ? mutex_lock_nested+0x23a/0x2f0
              [<f8a95097>] ieee80211_resume+0x27/0x70 [mac80211]
              [<fd177edf>] wiphy_resume+0x8f/0xa0 [cfg80211]
      
      Cc: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
      Signed-off-by: default avatarMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      14dd08df
    • Mike Snitzer's avatar
      dm thin: reinstate missing mempool_free in cell_release_singleton · c2ddd0a4
      Mike Snitzer authored
      commit 03aaae7c upstream.
      
      Fix a significant memory leak inadvertently introduced during
      simplification of cell_release_singleton() in commit
      6f94a4c4 ("dm thin: fix stacked bi_next
      usage").
      
      A cell's hlist_del() must be accompanied by a mempool_free().
      Use __cell_release() to do this, like before.
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c2ddd0a4
    • Ben Skeggs's avatar
      drm/nouveau/fbcon: using nv_two_heads is not a good idea · 6fd8c58d
      Ben Skeggs authored
      commit 9bd0c15f upstream.
      
      nv_two_heads() was never meant to be used outside of pre-nv50 code.  The
      code checks for >= NV_10 for 2 CRTCs, then downgrades a few specific
      chipsets to 1 CRTC based on (pci_device & 0x0ff0).
      
      The breakage example seen is on GTX 560Ti, with a pciid of 0x1200, which
      gets detected as an NV20 (0x020x) with 1 CRTC by nv_two_heads(), causing
      memory corruption because there's actually 2 CRTCs..
      
      This switches fbcon to use the CRTC count directly from the mode_config
      structure, which will also fix the same issue on Kepler boards which have
      4 CRTCs.
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6fd8c58d
    • Daniel Vetter's avatar
      drm/edid: don't return stack garbage from supports_rb · 707799fd
      Daniel Vetter authored
      commit b196a498 upstream.
      
      We need to initialize this to false, because the is_rb callback only
      ever sets it to true.
      
      Noticed while reading through the code.
      Signed-Off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Reviewed-by: default avatarAdam Jackson <ajax@redhat.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      707799fd
    • Michael Krufky's avatar
      64ae8cf3
    • Hans de Goede's avatar
      gspca-core: Fix buffers staying in queued state after a stream_off · 2b1e0f0a
      Hans de Goede authored
      commit af05ef01 upstream.
      
      This fixes a regression introduced by commit f7059eaa and should be
      backported to all supported stable kernels which have this commit.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Tested-by: default avatarAntonio Ospite <ospite@studenti.unina.it>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@redhat.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2b1e0f0a
    • wwang's avatar
      staging:rts_pstor:Fix possible panic by NULL pointer dereference · c4a08668
      wwang authored
      commit 0d05568a upstream.
      
      rtsx_transport.c (rtsx_transfer_sglist_adma_partial):
      pointer struct scatterlist *sg, which is mapped in dma_map_sg,
      is used as an iterator in later transfer operation. It is corrupted and
      passed to dma_unmap_sg, thus causing fatal unmap of some erroneous address.
      Fix it by duplicating *sg_ptr for iterating.
      Signed-off-by: default avatarwwang <wei_wang@realsil.com.cn>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c4a08668
    • Eric Anholt's avatar
      drm/i915: Do the fallback non-IRQ wait in ring throttle, too. · 86d94bc5
      Eric Anholt authored
      commit 7ea29b13 upstream.
      
      As a workaround for IRQ synchronization issues in the gen7 BLT ring,
      we want to turn the two wait functions into polling loops.
      Signed-off-by: default avatarEric Anholt <eric@anholt.net>
      Tested-by: default avatarEugeni Dodonov <eugeni.dodonov@intel.com>
      Reviewed-by: default avatarEugeni Dodonov <eugeni.dodonov@intel.com>
      Acked-by: default avatarKenneth Graunke <kenneth@whitecape.org>
      Signed-off-by: default avatarKeith Packard <keithp@keithp.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      86d94bc5
    • Chris Boot's avatar
      e1000e: Remove special case for 82573/82574 ASPM L1 disablement · 4cf6a971
      Chris Boot authored
      commit 59aed952 upstream.
      
      For the 82573, ASPM L1 gets disabled wholesale so this special-case code
      is not required. For the 82574 the previous patch does the same as for
      the 82573, disabling L1 on the adapter. Thus, this code is no longer
      required and can be removed.
      Signed-off-by: default avatarChris Boot <bootc@bootc.net>
      Tested-by: default avatarJeff Pieper <jeffrey.e.pieper@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4cf6a971
    • Chris Boot's avatar
      e1000e: Disable ASPM L1 on 82574 · 7b4e7391
      Chris Boot authored
      commit id d4a4206e
      
      ASPM on the 82574 causes trouble. Currently the driver disables L0s for
      this NIC but only disables L1 if the MTU is >1500. This patch simply
      causes L1 to be disabled regardless of the MTU setting.
      Signed-off-by: default avatarChris Boot <bootc@bootc.net>
      Cc: "Wyborny, Carolyn" <carolyn.wyborny@intel.com>
      Cc: Nix <nix@esperi.org.uk>
      Link: https://lkml.org/lkml/2012/3/19/362Tested-by: default avatarJeff Pieper <jeffrey.e.pieper@intel.com>
      [Jeff Kirsher: Backport to 3.2-3.4 kernels]
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7b4e7391
    • Chris Wilson's avatar
      drm/i915: Remove use of the autoreported ringbuffer HEAD position · dbc50a3f
      Chris Wilson authored
      This is a revert of 6aa56062.
      
      This was originally introduced to workaround reads of the ringbuffer
      registers returning 0 on SandyBridge causing hangs due to ringbuffer
      overflow. The root cause here was reads through the GT powerwell require
      the forcewake dance, something we only learnt of later. Now it appears
      that reading the reported head position from the HWS is returning
      garbage, leading once again to hangs.
      
      For example, on q35 the autoreported head reports:
        [  217.975608] head now 00010000, actual 00010000
        [  436.725613] head now 00200000, actual 00200000
        [  462.956033] head now 00210000, actual 00210010
        [  485.501409] head now 00400000, actual 00400020
        [  508.064280] head now 00410000, actual 00410000
        [  530.576078] head now 00600000, actual 00600020
        [  553.273489] head now 00610000, actual 00610018
      which appears reasonably sane. In contrast, if we look at snb:
        [  141.970680] head now 00e10000, actual 00008238
        [  141.974062] head now 02734000, actual 000083c8
        [  141.974425] head now 00e10000, actual 00008488
        [  141.980374] head now 032b5000, actual 000088b8
        [  141.980885] head now 03271000, actual 00008950
        [  142.040628] head now 02101000, actual 00008b40
        [  142.180173] head now 02734000, actual 00009050
        [  142.181090] head now 00000000, actual 00000ae0
        [  142.183737] head now 02734000, actual 00009050
      
      In addition, the automatic reporting of the head position is scheduled
      to be defeatured in the future. It has no more utility, remove it.
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=45492Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Tested-by: default avatarEric Anholt <eric@anholt.net>
      Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: default avatarJesse Barnes <jbarnes@virtuousgeek.org>
      (cherry picked from commit 5d031e5b)
      Signed-off-by: default avatarTimo Aaltonen <timo.aaltonen@canonical.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dbc50a3f
    • Chris Wilson's avatar
      drm/i915: Finish any pending operations on the framebuffer before disabling · ac6dd8ca
      Chris Wilson authored
      Similar to the case where we are changing from one framebuffer to
      another, we need to be sure that there are no pending WAIT_FOR_EVENTs on
      the pipe for the current framebuffer before switching. If we disable the
      pipe, and then try to execute a WAIT_FOR_EVENT it will block
      indefinitely and cause a GPU hang.
      
      We attempted to fix this in commit 85345517
      (drm/i915: Retire any pending operations on the old scanout when switching)
      for the case of mode switching, but this leaves the condition where we
      are switching off the pipe vulnerable.
      
      There still remains the race condition were a display may be unplugged,
      switched off by the core, a uevent sent to notify the DDX and the DDX
      may issue a WAIT_FOR_EVENT before it processes the uevent. This window
      does not exist if the pipe is only switched off in response to the
      uevent. Time to make sure that is so...
      Reported-by: default avatarFrancis Leblanc <Francis.Leblanc-Lebeau@verint.com>
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=36515
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=45413Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Reviewed-by: default avatarEugeni Dodonov <eugeni.dodonov@intel.com>
      [danvet: fixup spelling in comment, noticed by Eugeni.]
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      (cherry picked from commit 14667a4b)
      Signed-off-by: default avatarTimo Aaltonen <timo.aaltonen@canonical.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ac6dd8ca
    • Ryusuke Konishi's avatar
      nilfs2: ensure proper cache clearing for gc-inodes · a49f6b0b
      Ryusuke Konishi authored
      commit fbb24a3a upstream.
      
      A gc-inode is a pseudo inode used to buffer the blocks to be moved by
      garbage collection.
      
      Block caches of gc-inodes must be cleared every time a garbage collection
      function (nilfs_clean_segments) completes.  Otherwise, stale blocks
      buffered in the caches may be wrongly reused in successive calls of the GC
      function.
      
      For user files, this is not a problem because their gc-inodes are
      distinguished by a checkpoint number as well as an inode number.  They
      never buffer different blocks if either an inode number, a checkpoint
      number, or a block offset differs.
      
      However, gc-inodes of sufile, cpfile and DAT file can store different data
      for the same block offset.  Thus, the nilfs_clean_segments function can
      move incorrect block for these meta-data files if an old block is cached.
      I found this is really causing meta-data corruption in nilfs.
      
      This fixes the issue by ensuring cache clear of gc-inodes and resolves
      reported GC problems including checkpoint file corruption, b-tree
      corruption, and the following warning during GC.
      
        nilfs_palloc_freev: entry number 307234 already freed.
        ...
      Signed-off-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Tested-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a49f6b0b
    • Andrea Arcangeli's avatar
      thp: avoid atomic64_read in pmd_read_atomic for 32bit PAE · dcad89e6
      Andrea Arcangeli authored
      commit e4eed03f upstream.
      
      In the x86 32bit PAE CONFIG_TRANSPARENT_HUGEPAGE=y case while holding the
      mmap_sem for reading, cmpxchg8b cannot be used to read pmd contents under
      Xen.
      
      So instead of dealing only with "consistent" pmdvals in
      pmd_none_or_trans_huge_or_clear_bad() (which would be conceptually
      simpler) we let pmd_none_or_trans_huge_or_clear_bad() deal with pmdvals
      where the low 32bit and high 32bit could be inconsistent (to avoid having
      to use cmpxchg8b).
      
      The only guarantee we get from pmd_read_atomic is that if the low part of
      the pmd was found null, the high part will be null too (so the pmd will be
      considered unstable).  And if the low part of the pmd is found "stable"
      later, then it means the whole pmd was read atomically (because after a
      pmd is stable, neither MADV_DONTNEED nor page faults can alter it anymore,
      and we read the high part after the low part).
      
      In the 32bit PAE x86 case, it is enough to read the low part of the pmdval
      atomically to declare the pmd as "stable" and that's true for THP and no
      THP, furthermore in the THP case we also have a barrier() that will
      prevent any inconsistent pmdvals to be cached by a later re-read of the
      *pmd.
      Signed-off-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Cc: Jonathan Nieder <jrnieder@gmail.com>
      Cc: Ulrich Obergfell <uobergfe@redhat.com>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Larry Woodman <lwoodman@redhat.com>
      Cc: Petr Matousek <pmatouse@redhat.com>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Jan Beulich <jbeulich@suse.com>
      Cc: KOSAKI Motohiro <kosaki.motohiro@gmail.com>
      Tested-by: default avatarAndrew Jones <drjones@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dcad89e6
    • Andrea Arcangeli's avatar
      mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition · 02d1854e
      Andrea Arcangeli authored
      commit 26c19178 upstream.
      
      When holding the mmap_sem for reading, pmd_offset_map_lock should only
      run on a pmd_t that has been read atomically from the pmdp pointer,
      otherwise we may read only half of it leading to this crash.
      
      PID: 11679  TASK: f06e8000  CPU: 3   COMMAND: "do_race_2_panic"
       #0 [f06a9dd8] crash_kexec at c049b5ec
       #1 [f06a9e2c] oops_end at c083d1c2
       #2 [f06a9e40] no_context at c0433ded
       #3 [f06a9e64] bad_area_nosemaphore at c043401a
       #4 [f06a9e6c] __do_page_fault at c0434493
       #5 [f06a9eec] do_page_fault at c083eb45
       #6 [f06a9f04] error_code (via page_fault) at c083c5d5
          EAX: 01fb470c EBX: fff35000 ECX: 00000003 EDX: 00000100 EBP:
          00000000
          DS:  007b     ESI: 9e201000 ES:  007b     EDI: 01fb4700 GS:  00e0
          CS:  0060     EIP: c083bc14 ERR: ffffffff EFLAGS: 00010246
       #7 [f06a9f38] _spin_lock at c083bc14
       #8 [f06a9f44] sys_mincore at c0507b7d
       #9 [f06a9fb0] system_call at c083becd
                               start           len
          EAX: ffffffda  EBX: 9e200000  ECX: 00001000  EDX: 6228537f
          DS:  007b      ESI: 00000000  ES:  007b      EDI: 003d0f00
          SS:  007b      ESP: 62285354  EBP: 62285388  GS:  0033
          CS:  0073      EIP: 00291416  ERR: 000000da  EFLAGS: 00000286
      
      This should be a longstanding bug affecting x86 32bit PAE without THP.
      Only archs with 64bit large pmd_t and 32bit unsigned long should be
      affected.
      
      With THP enabled the barrier() in pmd_none_or_trans_huge_or_clear_bad()
      would partly hide the bug when the pmd transition from none to stable,
      by forcing a re-read of the *pmd in pmd_offset_map_lock, but when THP is
      enabled a new set of problem arises by the fact could then transition
      freely in any of the none, pmd_trans_huge or pmd_trans_stable states.
      So making the barrier in pmd_none_or_trans_huge_or_clear_bad()
      unconditional isn't good idea and it would be a flakey solution.
      
      This should be fully fixed by introducing a pmd_read_atomic that reads
      the pmd in order with THP disabled, or by reading the pmd atomically
      with cmpxchg8b with THP enabled.
      
      Luckily this new race condition only triggers in the places that must
      already be covered by pmd_none_or_trans_huge_or_clear_bad() so the fix
      is localized there but this bug is not related to THP.
      
      NOTE: this can trigger on x86 32bit systems with PAE enabled with more
      than 4G of ram, otherwise the high part of the pmd will never risk to be
      truncated because it would be zero at all times, in turn so hiding the
      SMP race.
      
      This bug was discovered and fully debugged by Ulrich, quote:
      
      ----
      [..]
      pmd_none_or_trans_huge_or_clear_bad() loads the content of edx and
      eax.
      
          496 static inline int pmd_none_or_trans_huge_or_clear_bad(pmd_t
          *pmd)
          497 {
          498         /* depend on compiler for an atomic pmd read */
          499         pmd_t pmdval = *pmd;
      
                                      // edi = pmd pointer
      0xc0507a74 <sys_mincore+548>:   mov    0x8(%esp),%edi
      ...
                                      // edx = PTE page table high address
      0xc0507a84 <sys_mincore+564>:   mov    0x4(%edi),%edx
      ...
                                      // eax = PTE page table low address
      0xc0507a8e <sys_mincore+574>:   mov    (%edi),%eax
      
      [..]
      
      Please note that the PMD is not read atomically. These are two "mov"
      instructions where the high order bits of the PMD entry are fetched
      first. Hence, the above machine code is prone to the following race.
      
      -  The PMD entry {high|low} is 0x0000000000000000.
         The "mov" at 0xc0507a84 loads 0x00000000 into edx.
      
      -  A page fault (on another CPU) sneaks in between the two "mov"
         instructions and instantiates the PMD.
      
      -  The PMD entry {high|low} is now 0x00000003fda38067.
         The "mov" at 0xc0507a8e loads 0xfda38067 into eax.
      ----
      Reported-by: default avatarUlrich Obergfell <uobergfe@redhat.com>
      Signed-off-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Larry Woodman <lwoodman@redhat.com>
      Cc: Petr Matousek <pmatouse@redhat.com>
      Cc: Rik van Riel <riel@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      02d1854e
    • Henrik Rydberg's avatar
      hwmon: (applesmc) Limit key length in warning messages · 51b9f4cb
      Henrik Rydberg authored
      commit ac852edb upstream.
      
      Key lookups may call read_smc() with a fixed-length key string,
      and if the lookup fails, trailing stack content may appear in the
      kernel log. Fixed with this patch.
      Signed-off-by: default avatarHenrik Rydberg <rydberg@euromail.se>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      51b9f4cb
    • Lubomir Schmidt's avatar
      staging: r8712u: Add new USB IDs · d01f9593
      Lubomir Schmidt authored
      commit 3026b0e9 upstream.
      
      There are two new devices for this driver.
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d01f9593
    • Peter Korsgaard's avatar
      hwrng: atmel-rng - fix data valid check · 07cea158
      Peter Korsgaard authored
      commit c475c06f upstream.
      
      Brown paper bag: Data valid is LSB of the ISR (status register), and NOT
      of ODATA (current random data word)!
      
      With this, rngtest is a lot happier. Before:
      
      rngtest 3
      Copyright (c) 2004 by Henrique de Moraes Holschuh
      This is free software; see the source for copying conditions.  There is NO warr.
      
      rngtest: starting FIPS tests...
      rngtest: bits received from input: 20000032
      rngtest: FIPS 140-2 successes: 3
      rngtest: FIPS 140-2 failures: 997
      rngtest: FIPS 140-2(2001-10-10) Monobit: 604
      rngtest: FIPS 140-2(2001-10-10) Poker: 996
      rngtest: FIPS 140-2(2001-10-10) Runs: 36
      rngtest: FIPS 140-2(2001-10-10) Long run: 0
      rngtest: FIPS 140-2(2001-10-10) Continuous run: 117
      rngtest: input channel speed: (min=622.371; avg=23682.481; max=28224.350)Kibitss
      rngtest: FIPS tests speed: (min=12.361; avg=12.718; max=12.861)Mibits/s
      rngtest: Program run time: 2331696 microsecondsx
      
      After:
      rngtest 3
      Copyright (c) 2004 by Henrique de Moraes Holschuh
      This is free software; see the source for copying conditions.  There is NO warr.
      
      rngtest: starting FIPS tests...
      rngtest: bits received from input: 20000032
      rngtest: FIPS 140-2 successes: 999
      rngtest: FIPS 140-2 failures: 1
      rngtest: FIPS 140-2(2001-10-10) Monobit: 0
      rngtest: FIPS 140-2(2001-10-10) Poker: 0
      rngtest: FIPS 140-2(2001-10-10) Runs: 1
      rngtest: FIPS 140-2(2001-10-10) Long run: 0
      rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
      rngtest: input channel speed: (min=777.363; avg=43588.270; max=47870.711)Kibitss
      rngtest: FIPS tests speed: (min=11.943; avg=12.716; max=12.844)Mibits/s
      rngtest: Program run time: 1955282 microseconds
      Signed-off-by: default avatarPeter Korsgaard <jacmet@sunsite.dk>
      Reported-by: default avatarGeorge Pontis <GPontis@z9.com>
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      07cea158
    • Chen Gong's avatar
      edac: avoid mce decoding crash after edac driver unloaded · 4ce3278c
      Chen Gong authored
      commit e35fca47 upstream.
      
      Some edac drivers register themselves as mce decoders via
      notifier_chain. But in current notifier_chain implementation logic,
      it doesn't accept same notifier registered twice. If so, it will be
      wrong when adding/removing the element from the list. For example,
      on one SandyBridge platform, remove module sb_edac and then trigger
      one error, it will hit oops because it has no mce decoder registered
      but related notifier_chain still points to an invalid callback
      function. Here is an example:
      
      Call Trace:
       [<ffffffff8150ef6a>] atomic_notifier_call_chain+0x1a/0x20
       [<ffffffff8102b936>] mce_log+0x46/0x180
       [<ffffffff8102eaea>] apei_mce_report_mem_error+0x4a/0x60
       [<ffffffff812e19d2>] ghes_do_proc+0x192/0x210
       [<ffffffff812e2066>] ghes_proc+0x46/0x70
       [<ffffffff812e20d8>] ghes_notify_sci+0x48/0x80
       [<ffffffff8150ef05>] notifier_call_chain+0x55/0x80
       [<ffffffff81076f1a>] __blocking_notifier_call_chain+0x5a/0x80
       [<ffffffff812aea11>] ? acpi_os_wait_events_complete+0x23/0x23
       [<ffffffff81076f56>] blocking_notifier_call_chain+0x16/0x20
       [<ffffffff812ddc4d>] acpi_hed_notify+0x19/0x1b
       [<ffffffff812b16bd>] acpi_device_notify+0x19/0x1b
       [<ffffffff812beb38>] acpi_ev_notify_dispatch+0x67/0x7f
       [<ffffffff812aea3a>] acpi_os_execute_deferred+0x29/0x36
       [<ffffffff81069dc2>] process_one_work+0x132/0x450
       [<ffffffff8106bbcb>] worker_thread+0x17b/0x3c0
       [<ffffffff8106ba50>] ? manage_workers+0x120/0x120
       [<ffffffff81070aee>] kthread+0x9e/0xb0
       [<ffffffff81514724>] kernel_thread_helper+0x4/0x10
       [<ffffffff81070a50>] ? kthread_freezable_should_stop+0x70/0x70
       [<ffffffff81514720>] ? gs_change+0x13/0x13
      Code: f3 49 89 d4 45 85 ed 4d 89 c6 48 8b 0f 74 48 48 85 c9 75 17 eb 41
      0f 1f 80 00 00 00 00 41 83 ed 01 4c 89 f9 74 22 4d 85 ff 74 1d <4c> 8b
      79 08 4c 89 e2 48 89 de 48 89 cf ff 11 4d 85 f6 74 04 41
      RIP  [<ffffffff8150eef6>] notifier_call_chain+0x46/0x80
       RSP <ffff88042868fb20>
      CR2: ffffffffa01af838
      ---[ end trace 0100930068e73e6f ]---
      BUG: unable to handle kernel paging request at fffffffffffffff8
      IP: [<ffffffff810705b0>] kthread_data+0x10/0x20
      PGD 1a0d067 PUD 1a0e067 PMD 0
      Oops: 0000 [#2] SMP
      
      Only i7core_edac and sb_edac have such issues because they have more
      than one memory controller which means they have to register mce
      decoder many times.
      Signed-off-by: default avatarChen Gong <gong.chen@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@redhat.com>
      [bwh: Backported to 3.2: drivers call atomic_notifier_chain_{,un}register()
       directly]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4ce3278c
    • Olaf Hering's avatar
      Tools: hv: verify origin of netlink connector message · 10682d24
      Olaf Hering authored
      commit bcc2c9c3 upstream.
      
      The SuSE security team suggested to use recvfrom instead of recv to be
      certain that the connector message is originated from kernel.
      
      CVE-2012-2669
      Signed-off-by: default avatarOlaf Hering <olaf@aepfle.de>
      Signed-off-by: default avatarMarcus Meissner <meissner@suse.de>
      Signed-off-by: default avatarSebastian Krahmer <krahmer@suse.de>
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      10682d24
    • Lars-Peter Clausen's avatar
      staging:iio:ad7606: Re-add missing scale attribute · f3853ace
      Lars-Peter Clausen authored
      commit 279bf2e5 upstream.
      
      Commit 50ac23be ("staging:iio:adc:ad7606 add local define for chan_spec
      structures.") accidentally removed the scale info_mask flag. This patch
      adds it back again.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Acked-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2:
       - info_mask was completely gone rather than set to another flag
       - IIO_CHAN_INFO_SCALE_SHARED_BIT was not defined; write it out as a shift]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f3853ace
  2. 19 Jun, 2012 13 commits
    • Ben Hutchings's avatar
      Linux 3.2.21 · 8499e79e
      Ben Hutchings authored
      8499e79e
    • Alex Deucher's avatar
      drm/radeon: add some additional 6xx/7xx/EG register init · cae016e2
      Alex Deucher authored
      commit b866d133 upstream.
      
      - SMX_SAR_CTL0 needs to be programmed correctly to prevent
      problems with memory exports in certain cases.
      - VC_ENHANCE needs to be initialized on 6xx/7xx.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cae016e2
    • Hugh Dickins's avatar
      swap: fix shmem swapping when more than 8 areas · e0254df5
      Hugh Dickins authored
      commit 9b15b817 upstream.
      
      Minchan Kim reports that when a system has many swap areas, and tmpfs
      swaps out to the ninth or more, shmem_getpage_gfp()'s attempts to read
      back the page cannot locate it, and the read fails with -ENOMEM.
      
      Whoops.  Yes, I blindly followed read_swap_header()'s pte_to_swp_entry(
      swp_entry_to_pte()) technique for determining maximum usable swap
      offset, without stopping to realize that that actually depends upon the
      pte swap encoding shifting swap offset to the higher bits and truncating
      it there.  Whereas our radix_tree swap encoding leaves offset in the
      lower bits: it's swap "type" (that is, index of swap area) that was
      truncated.
      
      Fix it by reducing the SWP_TYPE_SHIFT() in swapops.h, and removing the
      broken radix_to_swp_entry(swp_to_radix_entry()) from read_swap_header().
      
      This does not reduce the usable size of a swap area any further, it
      leaves it as claimed when making the original commit: no change from 3.0
      on x86_64, nor on i386 without PAE; but 3.0's 512GB is reduced to 128GB
      per swapfile on i386 with PAE.  It's not a change I would have risked
      five years ago, but with x86_64 supported for ten years, I believe it's
      appropriate now.
      
      Hmm, and what if some architecture implements its swap pte with offset
      encoded below type? That would equally break the maximum usable swap
      offset check.  Happily, they all follow the same tradition of encoding
      offset above type, but I'll prepare a check on that for next.
      Reported-and-Reviewed-and-Tested-by: default avatarMinchan Kim <minchan@kernel.org>
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e0254df5
    • Daniel Mack's avatar
      USB: fix gathering of interface associations · 7e86185a
      Daniel Mack authored
      commit b3a3dd07 upstream.
      
      TEAC's UD-H01 (and probably other devices) have a gap in the interface
      number allocation of their descriptors:
      
        Configuration Descriptor:
          bLength                 9
          bDescriptorType         2
          wTotalLength          220
          bNumInterfaces          3
          [...]
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        0
            bAlternateSetting       0
            [...]
          Interface Association:
            bLength                 8
            bDescriptorType        11
            bFirstInterface         2
            bInterfaceCount         2
            bFunctionClass          1 Audio
            bFunctionSubClass       0
            bFunctionProtocol      32
            iFunction               4
          Interface Descriptor:
            bLength                 9
            bDescriptorType         4
            bInterfaceNumber        2
            bAlternateSetting       0
            [...]
      
      Once a configuration is selected, usb_set_configuration() walks the
      known interfaces of a given configuration and calls find_iad() on
      each of them to set the interface association pointer the interface
      is included in.
      
      The problem here is that the loop variable is taken for the interface
      number in the comparison logic that gathers the association. Which is
      fine as long as the descriptors are sane.
      
      In the case above, however, the logic gets out of sync and the
      interface association fields of all interfaces beyond the interface
      number gap are wrong.
      
      Fix this by passing the interface's bInterfaceNumber to find_iad()
      instead.
      Signed-off-by: default avatarDaniel Mack <zonque@gmail.com>
      Reported-by: default avatarbEN <ml_all@circa.be>
      Reported-by: default avatarIvan Perrone <ivanperrone@hotmail.com>
      Tested-by: default avatarivan perrone <ivanperrone@hotmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7e86185a
    • Otto Meta's avatar
      usb: cdc-acm: fix devices not unthrottled on open · d65602a8
      Otto Meta authored
      commit 6c4707f3 upstream.
      
      Currently CDC-ACM devices stay throttled when their TTY is closed while
      throttled, stalling further communication attempts after the next open.
      
      Unthrottling during open/activate got lost starting with kernel
      3.0.0 and this patch reintroduces it.
      Signed-off-by: default avatarOtto Meta <otto.patches@sister-shadow.de>
      Acked-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d65602a8
    • Ricardo Martins's avatar
      USB: fix PS3 EHCI systems · 4dd27dc9
      Ricardo Martins authored
      commit 4f7a67e2 upstream.
      
      After commit aaa0ef28 "PS3 EHCI QH
      read work-around", Terratec Grabby (em28xx) stopped working with AMD
      Geode LX 800 (USB controller AMD CS5536). Since this is a PS3 only
      fix, the following patch adds a conditional block around it.
      Signed-off-by: default avatarRicardo Martins <rasm@fe.up.pt>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4dd27dc9
    • Geoff Levand's avatar
      usb: PS3 EHCI QH read work-around · 5f081af6
      Geoff Levand authored
      commit aaa0ef28 upstream.
      
      PS3 EHCI HC errata fix 244.  The SCC EHCI HC will not correctly perform QH
      reads that occur near or span a micro-frame boundry.  This is due to a problem
      in the Nak Count Reload Control logic (EHCI Specification 1.0 Section 4.9.1).
      
      The work-around for this problem is for the HC driver to set I=1 (inactive) for
      QHs with H=1 (list head).
      Signed-off-by: default avatarGeoff Levand <geoff@infradead.org>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5f081af6
    • Andiry Xu's avatar
      xHCI: Increase the timeout for controller save/restore state operation · 29623c3e
      Andiry Xu authored
      commit 622eb783 upstream.
      
      When system software decides to power down the xHC with the intent of
      resuming operation at a later time, it will ask xHC to save the internal
      state and restore it when resume to correctly recover from a power event.
      Two bits are used to enable this operation: Save State and Restore State.
      
      xHCI spec 4.23.2 says software should "Set the Controller Save/Restore
      State flag in the USBCMD register and wait for the Save/Restore State
      Status flag in the USBSTS register to transition to '0'". However, it does
      not define how long software should wait for the SSS/RSS bit to transition
      to 0.
      
      Currently the timeout is set to 1ms. There is bug report
      (https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1002697)
      indicates that the timeout is too short for ASMedia ASM1042 host controller
      to save/restore the state successfully. Increase the timeout to 10ms helps to
      resolve the issue.
      
      This patch should be backported to stable kernels as old as 2.6.37, that
      contain the commit 5535b1d5 "USB: xHCI:
      PCI power management implementation"
      Signed-off-by: default avatarAndiry Xu <andiry.xu@gmail.com>
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Cc: Ming Lei <ming.lei@canonical.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      29623c3e
    • Takashi Iwai's avatar
      xhci: Don't free endpoints in xhci_mem_cleanup() · a48eb115
      Takashi Iwai authored
      commit 32f1d2c5 upstream.
      
      This patch fixes a few issues introduced in the recent fix
      [f8a9e72d: USB: fix resource leak in xhci power loss path]
      
      - The endpoints listed in bw table are just links and each entry is an
       array member of dev->eps[].  But the commit above adds a kfree() call
       to these instances, and thus it results in memory corruption.
      
      - It clears only the first entry of rh_bw[], but there can be multiple
        ports.
      
      - It'd be safer to clear the list_head of ep as well, not only
        removing from the list, as it's checked in
        xhci_discover_or_reset_device().
      
      This patch should be backported to kernels as old as 3.2, that contain
      the commit 839c817c "xhci: Store
      information about roothubs and TTs."
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Reviewed-by: default avatarOliver Neukum <oneukum@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a48eb115
    • Takashi Iwai's avatar
      xhci: Fix invalid loop check in xhci_free_tt_info() · 2fa00055
      Takashi Iwai authored
      commit 46ed8f00 upstream.
      
      xhci_free_tt_info() may access the invalid memory when it removes the
      last entry but the list is not empty.  Then tt_next reaches to the
      list head but it still tries to check the tt_info of that entry.
      
      This patch fixes the bug and cleans up the messy code by rewriting
      with a simple list_for_each_entry_safe().
      
      This patch should be backported to kernels as old as 3.2, that contain
      the commit 839c817c "xhci: Store
      information about roothubs and TTs."
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Reviewed-by: default avatarOliver Neukum <oneukum@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2fa00055
    • Bjørn Mork's avatar
      USB: serial: Enforce USB driver and USB serial driver match · f21c1931
      Bjørn Mork authored
      commit 954c3f8a upstream.
      
      We need to make sure that the USB serial driver we find
      matches the USB driver whose probe we are currently
      executing. Otherwise we will end up with USB serial
      devices bound to the correct serial driver but wrong
      USB driver.
      
      An example of such cross-probing, where the usbserial_generic
      USB driver has found the sierra serial driver:
      
      May 29 18:26:15 nemi kernel: [ 4442.559246] usbserial_generic 4-4:1.0: Sierra USB modem converter detected
      May 29 18:26:20 nemi kernel: [ 4447.556747] usbserial_generic 4-4:1.2: Sierra USB modem converter detected
      May 29 18:26:25 nemi kernel: [ 4452.557288] usbserial_generic 4-4:1.3: Sierra USB modem converter detected
      
      sysfs view of the same problem:
      
      bjorn@nemi:~$ ls -l /sys/bus/usb/drivers/sierra/
      total 0
      --w------- 1 root root 4096 May 29 18:23 bind
      lrwxrwxrwx 1 root root    0 May 29 18:23 module -> ../../../../module/usbserial
      --w------- 1 root root 4096 May 29 18:23 uevent
      --w------- 1 root root 4096 May 29 18:23 unbind
      bjorn@nemi:~$ ls -l /sys/bus/usb-serial/drivers/sierra/
      total 0
      --w------- 1 root root 4096 May 29 18:23 bind
      lrwxrwxrwx 1 root root    0 May 29 18:23 module -> ../../../../module/sierra
      -rw-r--r-- 1 root root 4096 May 29 18:23 new_id
      lrwxrwxrwx 1 root root    0 May 29 18:32 ttyUSB0 -> ../../../../devices/pci0000:00/0000:00:1d.7/usb4/4-4/4-4:1.0/ttyUSB0
      lrwxrwxrwx 1 root root    0 May 29 18:32 ttyUSB1 -> ../../../../devices/pci0000:00/0000:00:1d.7/usb4/4-4/4-4:1.2/ttyUSB1
      lrwxrwxrwx 1 root root    0 May 29 18:32 ttyUSB2 -> ../../../../devices/pci0000:00/0000:00:1d.7/usb4/4-4/4-4:1.3/ttyUSB2
      --w------- 1 root root 4096 May 29 18:23 uevent
      --w------- 1 root root 4096 May 29 18:23 unbind
      
      bjorn@nemi:~$ ls -l /sys/bus/usb/drivers/usbserial_generic/
      total 0
      lrwxrwxrwx 1 root root    0 May 29 18:33 4-4:1.0 -> ../../../../devices/pci0000:00/0000:00:1d.7/usb4/4-4/4-4:1.0
      lrwxrwxrwx 1 root root    0 May 29 18:33 4-4:1.2 -> ../../../../devices/pci0000:00/0000:00:1d.7/usb4/4-4/4-4:1.2
      lrwxrwxrwx 1 root root    0 May 29 18:33 4-4:1.3 -> ../../../../devices/pci0000:00/0000:00:1d.7/usb4/4-4/4-4:1.3
      --w------- 1 root root 4096 May 29 18:33 bind
      lrwxrwxrwx 1 root root    0 May 29 18:33 module -> ../../../../module/usbserial
      --w------- 1 root root 4096 May 29 18:22 uevent
      --w------- 1 root root 4096 May 29 18:33 unbind
      bjorn@nemi:~$ ls -l /sys/bus/usb-serial/drivers/generic/
      total 0
      --w------- 1 root root 4096 May 29 18:33 bind
      lrwxrwxrwx 1 root root    0 May 29 18:33 module -> ../../../../module/usbserial
      -rw-r--r-- 1 root root 4096 May 29 18:33 new_id
      --w------- 1 root root 4096 May 29 18:22 uevent
      --w------- 1 root root 4096 May 29 18:33 unbind
      
      So we end up with a mismatch between the USB driver and the
      USB serial driver.  The reason for the above is simple: The
      USB driver probe will succeed if *any* registered serial
      driver matches, and will use that serial driver for all
      serial driver functions.
      
      This makes ref counting go wrong. We count the USB driver
      as used, but not the USB serial driver.  This may result
      in Oops'es as demonstrated by Johan Hovold <jhovold@gmail.com>:
      
      [11811.646396] drivers/usb/serial/usb-serial.c: get_free_serial 1
      [11811.646443] drivers/usb/serial/usb-serial.c: get_free_serial - minor base = 0
      [11811.646460] drivers/usb/serial/usb-serial.c: usb_serial_probe - registering ttyUSB0
      [11811.646766] usb 6-1: pl2303 converter now attached to ttyUSB0
      [11812.264197] USB Serial deregistering driver FTDI USB Serial Device
      [11812.264865] usbcore: deregistering interface driver ftdi_sio
      [11812.282180] USB Serial deregistering driver pl2303
      [11812.283141] pl2303 ttyUSB0: pl2303 converter now disconnected from ttyUSB0
      [11812.283272] usbcore: deregistering interface driver pl2303
      [11812.301056] USB Serial deregistering driver generic
      [11812.301186] usbcore: deregistering interface driver usbserial_generic
      [11812.301259] drivers/usb/serial/usb-serial.c: usb_serial_disconnect
      [11812.301823] BUG: unable to handle kernel paging request at f8e7438c
      [11812.301845] IP: [<f8e38445>] usb_serial_disconnect+0xb5/0x100 [usbserial]
      [11812.301871] *pde = 357ef067 *pte = 00000000
      [11812.301957] Oops: 0000 [#1] PREEMPT SMP
      [11812.301983] Modules linked in: usbserial(-) [last unloaded: pl2303]
      [11812.302008]
      [11812.302019] Pid: 1323, comm: modprobe Tainted: G        W    3.4.0-rc7+ #101 Dell Inc. Vostro 1520/0T816J
      [11812.302115] EIP: 0060:[<f8e38445>] EFLAGS: 00010246 CPU: 1
      [11812.302130] EIP is at usb_serial_disconnect+0xb5/0x100 [usbserial]
      [11812.302141] EAX: f508a180 EBX: f508a180 ECX: 00000000 EDX: f8e74300
      [11812.302151] ESI: f5050800 EDI: 00000001 EBP: f5141e78 ESP: f5141e58
      [11812.302160]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
      [11812.302170] CR0: 8005003b CR2: f8e7438c CR3: 34848000 CR4: 000007d0
      [11812.302180] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      [11812.302189] DR6: ffff0ff0 DR7: 00000400
      [11812.302199] Process modprobe (pid: 1323, ti=f5140000 task=f61e2bc0 task.ti=f5140000)
      [11812.302209] Stack:
      [11812.302216]  f8e3be0f f8e3b29c f8e3ae00 00000000 f513641c f5136400 f513641c f507a540
      [11812.302325]  f5141e98 c133d2c1 00000000 00000000 f509c400 f513641c f507a590 f5136450
      [11812.302372]  f5141ea8 c12f0344 f513641c f507a590 f5141ebc c12f0c67 00000000 f507a590
      [11812.302419] Call Trace:
      [11812.302439]  [<c133d2c1>] usb_unbind_interface+0x51/0x190
      [11812.302456]  [<c12f0344>] __device_release_driver+0x64/0xb0
      [11812.302469]  [<c12f0c67>] driver_detach+0x97/0xa0
      [11812.302483]  [<c12f001c>] bus_remove_driver+0x6c/0xe0
      [11812.302500]  [<c145938d>] ? __mutex_unlock_slowpath+0xcd/0x140
      [11812.302514]  [<c12f0ff9>] driver_unregister+0x49/0x80
      [11812.302528]  [<c1457df6>] ? printk+0x1d/0x1f
      [11812.302540]  [<c133c50d>] usb_deregister+0x5d/0xb0
      [11812.302557]  [<f8e37c55>] ? usb_serial_deregister+0x45/0x50 [usbserial]
      [11812.302575]  [<f8e37c8d>] usb_serial_deregister_drivers+0x2d/0x40 [usbserial]
      [11812.302593]  [<f8e3a6e2>] usb_serial_generic_deregister+0x12/0x20 [usbserial]
      [11812.302611]  [<f8e3acf0>] usb_serial_exit+0x8/0x32 [usbserial]
      [11812.302716]  [<c1080b48>] sys_delete_module+0x158/0x260
      [11812.302730]  [<c110594e>] ? mntput+0x1e/0x30
      [11812.302746]  [<c145c3c3>] ? sysenter_exit+0xf/0x18
      [11812.302746]  [<c107777c>] ? trace_hardirqs_on_caller+0xec/0x170
      [11812.302746]  [<c145c390>] sysenter_do_call+0x12/0x36
      [11812.302746] Code: 24 02 00 00 e8 dd f3 20 c8 f6 86 74 02 00 00 02 74 b4 8d 86 4c 02 00 00 47 e8 78 55 4b c8 0f b6 43 0e 39 f8 7f a9 8b 53 04 89 d8 <ff> 92 8c 00 00 00 89 d8 e8 0e ff ff ff 8b 45 f0 c7 44 24 04 2f
      [11812.302746] EIP: [<f8e38445>] usb_serial_disconnect+0xb5/0x100 [usbserial] SS:ESP 0068:f5141e58
      [11812.302746] CR2: 00000000f8e7438c
      
      Fix by only evaluating serial drivers pointing back to the
      USB driver we are currently probing.  This still allows two
      or more drivers to match the same device, running their
      serial driver probes to sort out which one to use.
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Reviewed-by: default avatarFelipe Balbi <balbi@ti.com>
      Tested-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f21c1931
    • Alan Stern's avatar
      USB: add NO_D3_DURING_SLEEP flag and revert 151b6128 · 625adc70
      Alan Stern authored
      commit c2fb8a3f upstream.
      
      This patch (as1558) fixes a problem affecting several ASUS computers:
      The machine crashes or corrupts memory when going into suspend if the
      ehci-hcd driver is bound to any controllers.  Users have been forced
      to unbind or unload ehci-hcd before putting their systems to sleep.
      
      After extensive testing, it was determined that the machines don't
      like going into suspend when any EHCI controllers are in the PCI D3
      power state.  Presumably this is a firmware bug, but there's nothing
      we can do about it except to avoid putting the controllers in D3
      during system sleep.
      
      The patch adds a new flag to indicate whether the problem is present,
      and avoids changing the controller's power state if the flag is set.
      Runtime suspend is unaffected; this matters only for system suspend.
      However as a side effect, the controller will not respond to remote
      wakeup requests while the system is asleep.  Hence USB wakeup is not
      functional -- but of course, this is already true in the current state
      of affairs.
      
      A similar patch has already been applied as commit
      151b6128 (USB: EHCI: fix crash during
      suspend on ASUS computers).  The patch supersedes that one and reverts
      it.  There are two differences:
      
      	The old patch added the flag at the USB level; this patch
      	adds it at the PCI level.
      
      	The old patch applied to all chipsets with the same vendor,
      	subsystem vendor, and product IDs; this patch makes an
      	exception for a known-good system (based on DMI information).
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Tested-by: default avatarDâniel Fraga <fragabr@gmail.com>
      Tested-by: default avatarAndrey Rahmatullin <wrar@wrar.name>
      Tested-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Reviewed-by: default avatarRafael J. Wysocki <rjw@sisk.pl>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      625adc70
    • Roland Dreier's avatar
      target: Return error to initiator if SET TARGET PORT GROUPS emulation fails · 1686a65d
      Roland Dreier authored
      commit 59e4f541 upstream.
      
      The error paths in target_emulate_set_target_port_groups() are all
      essentially "rc = -EINVAL; goto out;" but the code at "out:" ignores
      rc and always returns success.  This means that even if eg explicit
      ALUA is turned off, the initiator will always see a good SCSI status
      for SET TARGET PORT GROUPS.
      
      Fix this by returning rc as is intended.  It appears this bug was
      added by the following patch:
      
      commit 05d1c7c0
      Author: Andy Grover <agrover@redhat.com>
      Date:   Wed Jul 20 19:13:28 2011 +0000
      
          target: Make all control CDBs scatter-gather
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Cc: Andy Grover <agrover@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [bwh: Backported to 3.2: we have transport_complete_task()
       and not target_complete_cmd()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1686a65d