1. 11 Jul, 2014 40 commits
    • J. Bruce Fields's avatar
      nfsd4: fix FREE_STATEID lockowner leak · 85845448
      J. Bruce Fields authored
      commit 48385408 upstream.
      
      27b11428 ("nfsd4: remove lockowner when removing lock stateid")
      introduced a memory leak.
      Reported-by: default avatarJeff Layton <jeff.layton@primarydata.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      85845448
    • Benjamin Tissoires's avatar
      Input: synaptics - fix resolution for manually provided min/max · 19475c82
      Benjamin Tissoires authored
      commit d49cb7ae upstream.
      
      commit 421e08c4 fixed the reported min/max for the X and Y axis,
      but unfortunately, it broke the resolution of those same axis.
      
      On the t540p, the resolution is the same regarding X and Y. It is not
      a problem for xf86-input-synaptics because this driver is only interested
      in the ratio between X and Y.
      Unfortunately, xf86-input-cmt uses directly the resolution, and having a
      null resolution leads to some divide by 0 errors, which are translated by
      -infinity in the resulting coordinates.
      Reported-by: default avatarPeter Hutterer <peter.hutterer@who-t.net>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      [bwh: Backported to 3.2: I didn't apply the PNP ID changes, so the
       code being moved looks different]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      19475c82
    • Hans de Goede's avatar
      Input: elantech - don't set bit 1 of reg_10 when the no_hw_res quirk is set · cb70ede3
      Hans de Goede authored
      commit fb4f8f56 upstream.
      
      The touchpad on the GIGABYTE U2442 not only stops communicating when we try
      to set bit 3 (enable real hardware resolution) of reg_10, but on some BIOS
      versions also when we set bit 1 (enable two finger mode auto correct).
      
      I've asked the original reporter of:
      https://bugzilla.kernel.org/show_bug.cgi?id=61151
      
      To check that not setting bit 1 does not lead to any adverse effects on his
      model / BIOS revision, and it does not, so this commit fixes the touchpad
      not working on these versions by simply never setting bit 1 for laptop
      models with the no_hw_res quirk.
      Reported-and-tested-by: default avatarJames Lademann <jwlademann@gmail.com>
      Tested-by: default avatarPhilipp Wolfer <ph.wolfer@gmail.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cb70ede3
    • Hans de Goede's avatar
      Input: elantech - deal with clickpads reporting right button events · 714e2d65
      Hans de Goede authored
      commit cd9e83e2 upstream.
      
      At least the Dell Vostro 5470 elantech *clickpad* reports right button
      clicks when clicked in the right bottom area:
      
      https://bugzilla.redhat.com/show_bug.cgi?id=1103528
      
      This is different from how (elantech) clickpads normally operate, normally
      no matter where the user clicks on the pad the pad always reports a left
      button event, since there is only 1 hardware button beneath the path.
      
      It looks like Dell has put 2 buttons under the pad, one under each bottom
      corner, causing this.
      
      Since this however still clearly is a real clickpad hardware-wise, we still
      want to report it as such to userspace, so that things like finger movement
      in the bottom area can be properly ignored as it should be on clickpads.
      
      So deal with this weirdness by simply mapping a right click to a left click
      on elantech clickpads. As an added advantage this is something which we can
      simply do on all elantech clickpads, so no need to add special quirks for
      this weird model.
      Reported-and-tested-by: default avatarElder Marco <eldermarco@gmail.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      714e2d65
    • Lai Jiangshan's avatar
      idr: fix overflow bug during maximum ID calculation at maximum height · 5ab98da0
      Lai Jiangshan authored
      commit 3afb69cb upstream.
      
      idr_replace() open-codes the logic to calculate the maximum valid ID
      given the height of the idr tree; unfortunately, the open-coded logic
      doesn't account for the fact that the top layer may have unused slots
      and over-shifts the limit to zero when the tree is at its maximum
      height.
      
      The following test code shows it fails to replace the value for
      id=((1<<27)+42):
      
        static void test5(void)
        {
              int id;
              DEFINE_IDR(test_idr);
        #define TEST5_START ((1<<27)+42) /* use the highest layer */
      
              printk(KERN_INFO "Start test5\n");
              id = idr_alloc(&test_idr, (void *)1, TEST5_START, 0, GFP_KERNEL);
              BUG_ON(id != TEST5_START);
              TEST_BUG_ON(idr_replace(&test_idr, (void *)2, TEST5_START) != (void *)1);
              idr_destroy(&test_idr);
              printk(KERN_INFO "End of test5\n");
        }
      
      Fix the bug by using idr_max() which correctly takes into account the
      maximum allowed shift.
      
      sub_alloc() shares the same problem and may incorrectly fail with
      -EAGAIN; however, this bug doesn't affect correct operation because
      idr_get_empty_slot(), which already uses idr_max(), retries with the
      increased @id in such cases.
      
      [tj@kernel.org: Updated patch description.]
      Signed-off-by: default avatarLai Jiangshan <laijs@cn.fujitsu.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5ab98da0
    • Matthew Dempsky's avatar
      ptrace: fix fork event messages across pid namespaces · 0b8ad905
      Matthew Dempsky authored
      commit 4e52365f upstream.
      
      When tracing a process in another pid namespace, it's important for fork
      event messages to contain the child's pid as seen from the tracer's pid
      namespace, not the parent's.  Otherwise, the tracer won't be able to
      correlate the fork event with later SIGTRAP signals it receives from the
      child.
      
      We still risk a race condition if a ptracer from a different pid
      namespace attaches after we compute the pid_t value.  However, sending a
      bogus fork event message in this unlikely scenario is still a vast
      improvement over the status quo where we always send bogus fork event
      messages to debuggers in a different pid namespace than the forking
      process.
      Signed-off-by: default avatarMatthew Dempsky <mdempsky@chromium.org>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Julien Tinnes <jln@chromium.org>
      Cc: Roland McGrath <mcgrathr@chromium.org>
      Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0b8ad905
    • Boris BREZILLON's avatar
      rtc: rtc-at91rm9200: fix infinite wait for ACKUPD irq · 6df2529a
      Boris BREZILLON authored
      commit 2fe121e1 upstream.
      
      The rtc user must wait at least 1 sec between each time/calandar update
      (see atmel's datasheet chapter "Updating Time/Calendar").
      
      Use the 1Hz interrupt to update the at91_rtc_upd_rdy flag and wait for
      the at91_rtc_wait_upd_rdy event if the rtc is not ready.
      
      This patch fixes a deadlock in an uninterruptible wait when the RTC is
      updated more than once every second.  AFAICT the bug is here from the
      beginning, but I think we should at least backport this fix to 3.10 and
      the following longterm and stable releases.
      Signed-off-by: default avatarBoris BREZILLON <boris.brezillon@free-electrons.com>
      Reported-by: default avatarBryan Evenson <bevenson@melinkcorp.com>
      Tested-by: default avatarBryan Evenson <bevenson@melinkcorp.com>
      Cc: Andrew Victor <linux@maxim.org.za>
      Cc: Nicolas Ferre <nicolas.ferre@atmel.com>
      Cc: Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>
      Cc: Alessandro Zummo <a.zummo@towertech.it>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2:
       - Adjust context
       - at91_rtc_write() is called at91_sys_write()
       - Use at91_sys_write() directly instead of the missing
         at91_rtc_write_ier() and at91_rtc_write_idr()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6df2529a
    • Johannes Weiner's avatar
      mm: vmscan: clear kswapd's special reclaim powers before exiting · e70d6e73
      Johannes Weiner authored
      commit 71abdc15 upstream.
      
      When kswapd exits, it can end up taking locks that were previously held
      by allocating tasks while they waited for reclaim.  Lockdep currently
      warns about this:
      
      On Wed, May 28, 2014 at 06:06:34PM +0800, Gu Zheng wrote:
      >  inconsistent {RECLAIM_FS-ON-W} -> {IN-RECLAIM_FS-R} usage.
      >  kswapd2/1151 [HC0[0]:SC0[0]:HE1:SE1] takes:
      >   (&sig->group_rwsem){+++++?}, at: exit_signals+0x24/0x130
      >  {RECLAIM_FS-ON-W} state was registered at:
      >     mark_held_locks+0xb9/0x140
      >     lockdep_trace_alloc+0x7a/0xe0
      >     kmem_cache_alloc_trace+0x37/0x240
      >     flex_array_alloc+0x99/0x1a0
      >     cgroup_attach_task+0x63/0x430
      >     attach_task_by_pid+0x210/0x280
      >     cgroup_procs_write+0x16/0x20
      >     cgroup_file_write+0x120/0x2c0
      >     vfs_write+0xc0/0x1f0
      >     SyS_write+0x4c/0xa0
      >     tracesys+0xdd/0xe2
      >  irq event stamp: 49
      >  hardirqs last  enabled at (49):  _raw_spin_unlock_irqrestore+0x36/0x70
      >  hardirqs last disabled at (48):  _raw_spin_lock_irqsave+0x2b/0xa0
      >  softirqs last  enabled at (0):  copy_process.part.24+0x627/0x15f0
      >  softirqs last disabled at (0):            (null)
      >
      >  other info that might help us debug this:
      >   Possible unsafe locking scenario:
      >
      >         CPU0
      >         ----
      >    lock(&sig->group_rwsem);
      >    <Interrupt>
      >      lock(&sig->group_rwsem);
      >
      >   *** DEADLOCK ***
      >
      >  no locks held by kswapd2/1151.
      >
      >  stack backtrace:
      >  CPU: 30 PID: 1151 Comm: kswapd2 Not tainted 3.10.39+ #4
      >  Call Trace:
      >    dump_stack+0x19/0x1b
      >    print_usage_bug+0x1f7/0x208
      >    mark_lock+0x21d/0x2a0
      >    __lock_acquire+0x52a/0xb60
      >    lock_acquire+0xa2/0x140
      >    down_read+0x51/0xa0
      >    exit_signals+0x24/0x130
      >    do_exit+0xb5/0xa50
      >    kthread+0xdb/0x100
      >    ret_from_fork+0x7c/0xb0
      
      This is because the kswapd thread is still marked as a reclaimer at the
      time of exit.  But because it is exiting, nobody is actually waiting on
      it to make reclaim progress anymore, and it's nothing but a regular
      thread at this point.  Be tidy and strip it of all its powers
      (PF_MEMALLOC, PF_SWAPWRITE, PF_KSWAPD, and the lockdep reclaim state)
      before returning from the thread function.
      Signed-off-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Reported-by: default avatarGu Zheng <guz.fnst@cn.fujitsu.com>
      Cc: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      Cc: Tang Chen <tangchen@cn.fujitsu.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e70d6e73
    • Nicholas Bellinger's avatar
      iscsi-target: Reject mutual authentication with reflected CHAP_C · 9ae0f3c0
      Nicholas Bellinger authored
      commit 1d2b60a5 upstream.
      
      This patch adds an explicit check in chap_server_compute_md5() to ensure
      the CHAP_C value received from the initiator during mutual authentication
      does not match the original CHAP_C provided by the target.
      
      This is in line with RFC-3720, section 8.2.1:
      
         Originators MUST NOT reuse the CHAP challenge sent by the Responder
         for the other direction of a bidirectional authentication.
         Responders MUST check for this condition and close the iSCSI TCP
         connection if it occurs.
      Reported-by: default avatarTejas Vaykole <tejas.vaykole@calsoftinc.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9ae0f3c0
    • Kailang Yang's avatar
      ALSA: hda/realtek - Add support of ALC891 codec · 4e53b9de
      Kailang Yang authored
      commit b6c5fbad upstream.
      
      New codec support for ALC891.
      Signed-off-by: default avatarKailang Yang <kailang@realtek.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4e53b9de
    • Benjamin Herrenschmidt's avatar
      powerpc/serial: Use saner flags when creating legacy ports · 19e84f23
      Benjamin Herrenschmidt authored
      commit c4cad90f upstream.
      
      We had a mix & match of flags used when creating legacy ports
      depending on where we found them in the device-tree. Among others
      we were missing UPF_SKIP_TEST for some kind of ISA ports which is
      a problem as quite a few UARTs out there don't support the loopback
      test (such as a lot of BMCs).
      
      Let's pick the set of flags used by the SoC code and generalize it
      which means autoconf, no loopback test, irq maybe shared and fixed
      port.
      
      Sending to stable as the lack of UPF_SKIP_TEST is breaking
      serial on some machines so I want this back into distros
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      19e84f23
    • Hugh Dickins's avatar
      mm: fix sleeping function warning from __put_anon_vma · e3ffaedc
      Hugh Dickins authored
      commit 7f39dda9 upstream.
      
      Trinity reports BUG:
      
        sleeping function called from invalid context at kernel/locking/rwsem.c:47
        in_atomic(): 0, irqs_disabled(): 0, pid: 5787, name: trinity-c27
      
      __might_sleep < down_write < __put_anon_vma < page_get_anon_vma <
      migrate_pages < compact_zone < compact_zone_order < try_to_compact_pages ..
      
      Right, since conversion to mutex then rwsem, we should not put_anon_vma()
      from inside an rcu_read_lock()ed section: fix the two places that did so.
      And add might_sleep() to anon_vma_free(), as suggested by Peter Zijlstra.
      
      Fixes: 88c22088 ("mm: optimize page_lock_anon_vma() fast-path")
      Reported-by: default avatarDave Jones <davej@redhat.com>
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e3ffaedc
    • Benny Halevy's avatar
      nfsd4: use recall_lock for delegation hashing · ba1ef838
      Benny Halevy authored
      commit 931ee56c upstream.
      
      This fixes a bug in the handling of the fi_delegations list.
      
      nfs4_setlease does not hold the recall_lock when adding to it. The
      client_mutex is held, which prevents against concurrent list changes,
      but nfsd_break_deleg_cb does not hold while walking it. New delegations
      could theoretically creep onto the list while we're walking it there.
      Signed-off-by: default avatarBenny Halevy <bhalevy@primarydata.com>
      Signed-off-by: default avatarJeff Layton <jlayton@primarydata.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      [bwh: Backported to 3.2:
       - Adjust context
       - Also remove a list_del_init() in nfs4_setlease() which would now be
         before the corresponding list_add()
       - Drop change to nfsd_find_all_delegations(), which doesn't exist]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ba1ef838
    • Jérôme Carretero's avatar
      ahci: Add Device ID for HighPoint RocketRaid 642L · 13ce2ab0
      Jérôme Carretero authored
      commit d2518365 upstream.
      
      This device normally comes with a proprietary driver, using a web GUI
      to configure RAID:
       http://www.highpoint-tech.com/USA_new/series_rr600-download.htm
      But thankfully it also works out of the box with the AHCI driver,
      being just a Marvell 88SE9235.
      
      Devices 640L, 644L, 644LS should also be supported but not tested here.
      Signed-off-by: default avatarJérôme Carretero <cJ-ko@zougloub.eu>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      13ce2ab0
    • Alex Deucher's avatar
      drm/radeon: only apply hdmi bpc pll flags when encoder mode is hdmi · 3c010c0b
      Alex Deucher authored
      commit 7d5ab300 upstream.
      
      May fix display issues with non-HDMI displays.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3c010c0b
    • Alex Deucher's avatar
      drm/radeon/atom: fix dithering on certain panels · 94264f44
      Alex Deucher authored
      commit 64252835 upstream.
      
      We need to specify the encoder mode as LVDS for eDP
      when using the Crtc_Source atom table in order to properly
      set up the FMT hardware.
      
      bug:
      https://bugs.freedesktop.org/show_bug.cgi?id=73911Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      94264f44
    • Alex Deucher's avatar
      drm/radeon: fix typo in radeon_connector_is_dp12_capable() · 08e6c752
      Alex Deucher authored
      commit af5d3653 upstream.
      
      We were checking the ext clock rather than the display clock.
      
      Noticed by ArtForz on IRC.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      08e6c752
    • hujianyang's avatar
      UBIFS: Remove incorrect assertion in shrink_tnc() · a1c97ac5
      hujianyang authored
      commit 72abc8f4 upstream.
      
      I hit the same assert failed as Dolev Raviv reported in Kernel v3.10
      shows like this:
      
      [ 9641.164028] UBIFS assert failed in shrink_tnc at 131 (pid 13297)
      [ 9641.234078] CPU: 1 PID: 13297 Comm: mmap.test Tainted: G           O 3.10.40 #1
      [ 9641.234116] [<c0011a6c>] (unwind_backtrace+0x0/0x12c) from [<c000d0b0>] (show_stack+0x20/0x24)
      [ 9641.234137] [<c000d0b0>] (show_stack+0x20/0x24) from [<c0311134>] (dump_stack+0x20/0x28)
      [ 9641.234188] [<c0311134>] (dump_stack+0x20/0x28) from [<bf22425c>] (shrink_tnc_trees+0x25c/0x350 [ubifs])
      [ 9641.234265] [<bf22425c>] (shrink_tnc_trees+0x25c/0x350 [ubifs]) from [<bf2245ac>] (ubifs_shrinker+0x25c/0x310 [ubifs])
      [ 9641.234307] [<bf2245ac>] (ubifs_shrinker+0x25c/0x310 [ubifs]) from [<c00cdad8>] (shrink_slab+0x1d4/0x2f8)
      [ 9641.234327] [<c00cdad8>] (shrink_slab+0x1d4/0x2f8) from [<c00d03d0>] (do_try_to_free_pages+0x300/0x544)
      [ 9641.234344] [<c00d03d0>] (do_try_to_free_pages+0x300/0x544) from [<c00d0a44>] (try_to_free_pages+0x2d0/0x398)
      [ 9641.234363] [<c00d0a44>] (try_to_free_pages+0x2d0/0x398) from [<c00c6a60>] (__alloc_pages_nodemask+0x494/0x7e8)
      [ 9641.234382] [<c00c6a60>] (__alloc_pages_nodemask+0x494/0x7e8) from [<c00f62d8>] (new_slab+0x78/0x238)
      [ 9641.234400] [<c00f62d8>] (new_slab+0x78/0x238) from [<c031081c>] (__slab_alloc.constprop.42+0x1a4/0x50c)
      [ 9641.234419] [<c031081c>] (__slab_alloc.constprop.42+0x1a4/0x50c) from [<c00f80e8>] (kmem_cache_alloc_trace+0x54/0x188)
      [ 9641.234459] [<c00f80e8>] (kmem_cache_alloc_trace+0x54/0x188) from [<bf227908>] (do_readpage+0x168/0x468 [ubifs])
      [ 9641.234553] [<bf227908>] (do_readpage+0x168/0x468 [ubifs]) from [<bf2296a0>] (ubifs_readpage+0x424/0x464 [ubifs])
      [ 9641.234606] [<bf2296a0>] (ubifs_readpage+0x424/0x464 [ubifs]) from [<c00c17c0>] (filemap_fault+0x304/0x418)
      [ 9641.234638] [<c00c17c0>] (filemap_fault+0x304/0x418) from [<c00de694>] (__do_fault+0xd4/0x530)
      [ 9641.234665] [<c00de694>] (__do_fault+0xd4/0x530) from [<c00e10c0>] (handle_pte_fault+0x480/0xf54)
      [ 9641.234690] [<c00e10c0>] (handle_pte_fault+0x480/0xf54) from [<c00e2bf8>] (handle_mm_fault+0x140/0x184)
      [ 9641.234716] [<c00e2bf8>] (handle_mm_fault+0x140/0x184) from [<c0316688>] (do_page_fault+0x150/0x3ac)
      [ 9641.234737] [<c0316688>] (do_page_fault+0x150/0x3ac) from [<c000842c>] (do_DataAbort+0x3c/0xa0)
      [ 9641.234759] [<c000842c>] (do_DataAbort+0x3c/0xa0) from [<c0314e38>] (__dabt_usr+0x38/0x40)
      
      After analyzing the code, I found a condition that may cause this failed
      in correct operations. Thus, I think this assertion is wrong and should be
      removed.
      
      Suppose there are two clean znodes and one dirty znode in TNC. So the
      per-filesystem atomic_t @clean_zn_cnt is (2). If commit start, dirty_znode
      is set to COW_ZNODE in get_znodes_to_commit() in case of potentially ops
      on this znode. We clear COW bit and DIRTY bit in write_index() without
      @tnc_mutex locked. We don't increase @clean_zn_cnt in this place. As the
      comments in write_index() shows, if another process hold @tnc_mutex and
      dirty this znode after we clean it, @clean_zn_cnt would be decreased to (1).
      We will increase @clean_zn_cnt to (2) with @tnc_mutex locked in
      free_obsolete_znodes() to keep it right.
      
      If shrink_tnc() performs between decrease and increase, it will release
      other 2 clean znodes it holds and found @clean_zn_cnt is less than zero
      (1 - 2 = -1), then hit the assertion. Because free_obsolete_znodes() will
      soon correct @clean_zn_cnt and no harm to fs in this case, I think this
      assertion could be removed.
      
      2 clean zondes and 1 dirty znode, @clean_zn_cnt == 2
      
      Thread A (commit)         Thread B (write or others)       Thread C (shrinker)
      ->write_index
         ->clear_bit(DIRTY_NODE)
         ->clear_bit(COW_ZNODE)
      
                  @clean_zn_cnt == 2
                                ->mutex_locked(&tnc_mutex)
                                ->dirty_cow_znode
                                    ->!ubifs_zn_cow(znode)
                                    ->!test_and_set_bit(DIRTY_NODE)
                                    ->atomic_dec(&clean_zn_cnt)
                                ->mutex_unlocked(&tnc_mutex)
      
                  @clean_zn_cnt == 1
                                                                 ->mutex_locked(&tnc_mutex)
                                                                 ->shrink_tnc
                                                                   ->destroy_tnc_subtree
                                                                   ->atomic_sub(&clean_zn_cnt, 2)
                                                                   ->ubifs_assert  <- hit
                                                                 ->mutex_unlocked(&tnc_mutex)
      
                  @clean_zn_cnt == -1
      ->mutex_lock(&tnc_mutex)
      ->free_obsolete_znodes
         ->atomic_inc(&clean_zn_cnt)
      ->mutux_unlock(&tnc_mutex)
      
                  @clean_zn_cnt == 0 (correct after shrink)
      Signed-off-by: default avatarhujianyang <hujianyang@huawei.com>
      Signed-off-by: default avatarArtem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a1c97ac5
    • Christoph Hellwig's avatar
      nfsd: getattr for FATTR4_WORD0_FILES_AVAIL needs the statfs buffer · ad6a6b22
      Christoph Hellwig authored
      commit 12337901 upstream.
      
      Note nobody's ever noticed because the typical client probably never
      requests FILES_AVAIL without also requesting something else on the list.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ad6a6b22
    • Yann Droneaud's avatar
      RDMA/cxgb4: Add missing padding at end of struct c4iw_create_cq_resp · e36a18a9
      Yann Droneaud authored
      commit b6f04d3d upstream.
      
      The i386 ABI disagrees with most other ABIs regarding alignment of
      data types larger than 4 bytes: on most ABIs a padding must be added
      at end of the structures, while it is not required on i386.
      
      So for most ABI struct c4iw_create_cq_resp gets implicitly padded
      to be aligned on a 8 bytes multiple, while for i386, such padding
      is not added.
      
      The tool pahole can be used to find such implicit padding:
      
        $ pahole --anon_include \
                 --nested_anon_include \
                 --recursive \
                 --class_name c4iw_create_cq_resp \
                 drivers/infiniband/hw/cxgb4/iw_cxgb4.o
      
      Then, structure layout can be compared between i386 and x86_64:
      
      # +++ obj-i386/drivers/infiniband/hw/cxgb4/iw_cxgb4.o.pahole.txt   2014-03-28 11:43:05.547432195 +0100
      # --- obj-x86_64/drivers/infiniband/hw/cxgb4/iw_cxgb4.o.pahole.txt 2014-03-28 10:55:10.990133017 +0100
        @@ -14,9 +13,8 @@ struct c4iw_create_cq_resp {
                __u32                      size;                 /*    28     4 */
                __u32                      qid_mask;             /*    32     4 */
      
        -       /* size: 36, cachelines: 1, members: 6 */
        -       /* last cacheline: 36 bytes */
        +       /* size: 40, cachelines: 1, members: 6 */
        +       /* padding: 4 */
        +       /* last cacheline: 40 bytes */
         };
      
      This ABI disagreement will make an x86_64 kernel try to write past the
      buffer provided by an i386 binary.
      
      When boundary check will be implemented, the x86_64 kernel will refuse
      to write past the i386 userspace provided buffer and the uverbs will
      fail.
      
      If the structure is on a page boundary and the next page is not
      mapped, ib_copy_to_udata() will fail and the uverb will fail.
      
      This patch adds an explicit padding at end of structure
      c4iw_create_cq_resp, and, like 92b0ca7c ("IB/mlx5: Fix stack info
      leak in mlx5_ib_alloc_ucontext()"), makes function c4iw_create_cq()
      not writting this padding field to userspace. This way, x86_64 kernel
      will be able to write struct c4iw_create_cq_resp as expected by
      unpatched and patched i386 libcxgb4.
      
      Link: http://marc.info/?i=cover.1399309513.git.ydroneaud@opteya.com
      Fixes: cfdda9d7 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC")
      Fixes: e24a72a3 ("RDMA/cxgb4: Fix four byte info leak in c4iw_create_cq()")
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarYann Droneaud <ydroneaud@opteya.com>
      Acked-by: default avatarSteve Wise <swise@opengridcomputing.com>
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e36a18a9
    • Dan Carpenter's avatar
      RDMA/cxgb4: Fix four byte info leak in c4iw_create_cq() · bec3dbf1
      Dan Carpenter authored
      commit e24a72a3 upstream.
      
      There is a four byte hole at the end of the "uresp" struct after the
      ->qid_mask member.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bec3dbf1
    • Bart Van Assche's avatar
      IB/umad: Fix error handling · f414d289
      Bart Van Assche authored
      commit 8ec0a0e6 upstream.
      
      Avoid leaking a kref count in ib_umad_open() if port->ib_dev == NULL
      or if nonseekable_open() fails.
      
      Avoid leaking a kref count, that sm_sem is kept down and also that the
      IB_PORT_SM capability mask is not cleared in ib_umad_sm_open() if
      nonseekable_open() fails.
      
      Since container_of() never returns NULL, remove the code that tests
      whether container_of() returns NULL.
      
      Moving the kref_get() call from the start of ib_umad_*open() to the
      end is safe since it is the responsibility of the caller of these
      functions to ensure that the cdev pointer remains valid until at least
      when these functions return.
      Signed-off-by: default avatarBart Van Assche <bvanassche@acm.org>
      
      [ydroneaud@opteya.com: rework a bit to reduce the amount of code changed]
      Signed-off-by: default avatarYann Droneaud <ydroneaud@opteya.com>
      
      [ nonseekable_open() can't actually fail, but....  - Roland ]
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f414d289
    • Mathias Nyman's avatar
      xhci: delete endpoints from bandwidth list before freeing whole device · 28170033
      Mathias Nyman authored
      commit 5dc2808c upstream.
      
      Lists of endpoints are stored for bandwidth calculation for roothub ports.
      Make sure we remove all endpoints from the list before the whole device,
      containing its endpoints list_head stuctures, is freed.
      
      This used to be done in the wrong order in xhci_mem_cleanup(),
      and triggered an oops in resume from S4 (hibernate).
      Tested-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      28170033
    • Thomas Gleixner's avatar
      rtmutex: Fix deadlock detector for real · d70ca108
      Thomas Gleixner authored
      commit 397335f0 upstream.
      
      The current deadlock detection logic does not work reliably due to the
      following early exit path:
      
      	/*
      	 * Drop out, when the task has no waiters. Note,
      	 * top_waiter can be NULL, when we are in the deboosting
      	 * mode!
      	 */
      	if (top_waiter && (!task_has_pi_waiters(task) ||
      			   top_waiter != task_top_pi_waiter(task)))
      		goto out_unlock_pi;
      
      So this not only exits when the task has no waiters, it also exits
      unconditionally when the current waiter is not the top priority waiter
      of the task.
      
      So in a nested locking scenario, it might abort the lock chain walk
      and therefor miss a potential deadlock.
      
      Simple fix: Continue the chain walk, when deadlock detection is
      enabled.
      
      We also avoid the whole enqueue, if we detect the deadlock right away
      (A-A). It's an optimization, but also prevents that another waiter who
      comes in after the detection and before the task has undone the damage
      observes the situation and detects the deadlock and returns
      -EDEADLOCK, which is wrong as the other task is not in a deadlock
      situation.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Reviewed-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
      Link: http://lkml.kernel.org/r/20140522031949.725272460@linutronix.deSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d70ca108
    • Arik Nemtsov's avatar
      mac80211: don't check netdev state for debugfs read/write · 37543a4e
      Arik Nemtsov authored
      commit 923eaf36 upstream.
      
      Doing so will lead to an oops for a p2p-dev interface, since it has
      no netdev.
      Signed-off-by: default avatarArik Nemtsov <arikx.nemtsov@intel.com>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      37543a4e
    • Christian Borntraeger's avatar
      s390/lowcore: reserve 96 bytes for IRB in lowcore · e4a0cc26
      Christian Borntraeger authored
      commit 993072ee upstream.
      
      The IRB might be 96 bytes if the extended-I/O-measurement facility is
      used. This feature is currently not used by Linux, but struct irb
      already has the emw defined. So let's make the irb in lowcore match the
      size of the internal data structure to be future proof.
      We also have to add a pad, to correctly align the paste.
      
      The bigger irb field also circumvents a bug in some QEMU versions that
      always write the emw field on test subchannel and therefore destroy the
      paste definitions of this CPU. Running under these QEMU version broke
      some timing functions in the VDSO and all users of these functions,
      e.g. some JREs.
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Sebastian Ott <sebott@linux.vnet.ibm.com>
      Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
      [bwh: Backported to 3.2: offsets of the affected fields in the 64-bit version
       of struct _lowcore are 128 bytes smaller]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e4a0cc26
    • NeilBrown's avatar
      md: always set MD_RECOVERY_INTR when aborting a reshape or other "resync". · 8197104d
      NeilBrown authored
      commit 3991b31e upstream.
      
      If mddev->ro is set, md_to_sync will (correctly) abort.
      However in that case MD_RECOVERY_INTR isn't set.
      
      If a RESHAPE had been requested, then ->finish_reshape() will be
      called and it will think the reshape was successful even though
      nothing happened.
      
      Normally a resync will not be requested if ->ro is set, but if an
      array is stopped while a reshape is on-going, then when the array is
      started, the reshape will be restarted.  If the array is also set
      read-only at this point, the reshape will instantly appear to success,
      resulting in data corruption.
      
      Consequently, this patch is suitable for any -stable kernel.
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8197104d
    • Guenter Roeck's avatar
      powerpc: Fix 64 bit builds with binutils 2.24 · 1e2f98c5
      Guenter Roeck authored
      commit 7998eb3d upstream.
      
      With binutils 2.24, various 64 bit builds fail with relocation errors
      such as
      
      arch/powerpc/kernel/built-in.o: In function `exc_debug_crit_book3e':
      	(.text+0x165ee): relocation truncated to fit: R_PPC64_ADDR16_HI
      	against symbol `interrupt_base_book3e' defined in .text section
      	in arch/powerpc/kernel/built-in.o
      arch/powerpc/kernel/built-in.o: In function `exc_debug_crit_book3e':
      	(.text+0x16602): relocation truncated to fit: R_PPC64_ADDR16_HI
      	against symbol `interrupt_end_book3e' defined in .text section
      	in arch/powerpc/kernel/built-in.o
      
      The assembler maintainer says:
      
       I changed the ABI, something that had to be done but unfortunately
       happens to break the booke kernel code.  When building up a 64-bit
       value with lis, ori, shl, oris, ori or similar sequences, you now
       should use @high and @higha in place of @h and @ha.  @h and @ha
       (and their associated relocs R_PPC64_ADDR16_HI and R_PPC64_ADDR16_HA)
       now report overflow if the value is out of 32-bit signed range.
       ie. @h and @ha assume you're building a 32-bit value. This is needed
       to report out-of-range -mcmodel=medium toc pointer offsets in @toc@h
       and @toc@ha expressions, and for consistency I did the same for all
       other @h and @ha relocs.
      
      Replacing @h with @high in one strategic location fixes the relocation
      errors. This has to be done conditionally since the assembler either
      supports @h or @high but not both.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1e2f98c5
    • Huang Rui's avatar
      usb: usbtest: fix unlink write error with pattern 1 · 895902a9
      Huang Rui authored
      commit e4d58f5d upstream.
      
      TEST 12 and TEST 24 unlinks the URB write request for N times. When
      host and gadget both initialize pattern 1 (mod 63) data series to
      transfer, the gadget side will complain the wrong data which is not
      expected.  Because in host side, usbtest doesn't fill the data buffer
      as mod 63 and this patch fixed it.
      
      [20285.488974] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready
      [20285.489181] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Not Active
      [20285.489423] dwc3 dwc3.0.auto: ep1out-bulk: req ffff8800aa6cb480 dma aeb50800 length 512 last
      [20285.489727] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Start Transfer' params 00000000 a9eaf000 00000000
      [20285.490055] dwc3 dwc3.0.auto: Command Complete --> 0
      [20285.490281] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready
      [20285.490492] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Active
      [20285.490713] dwc3 dwc3.0.auto: ep1out-bulk: endpoint busy
      [20285.490909] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Complete
      [20285.491117] dwc3 dwc3.0.auto: request ffff8800aa6cb480 from ep1out-bulk completed 512/512 ===> 0
      [20285.491431] zero gadget: bad OUT byte, buf[1] = 0
      [20285.491605] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Set Stall' params 00000000 00000000 00000000
      [20285.491915] dwc3 dwc3.0.auto: Command Complete --> 0
      [20285.492099] dwc3 dwc3.0.auto: queing request ffff8800aa6cb480 to ep1out-bulk length 512
      [20285.492387] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready
      [20285.492595] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Not Active
      [20285.492830] dwc3 dwc3.0.auto: ep1out-bulk: req ffff8800aa6cb480 dma aeb51000 length 512 last
      [20285.493135] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Start Transfer' params 00000000 a9eaf000 00000000
      [20285.493465] dwc3 dwc3.0.auto: Command Complete --> 0
      Signed-off-by: default avatarHuang Rui <ray.huang@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      895902a9
    • Alexej Starschenko's avatar
      USB: serial: option: add support for Novatel E371 PCIe card · 8a652e0c
      Alexej Starschenko authored
      commit 8a61ba3a upstream.
      
      Adds product ID for the Novatel E371 PCI Express Mini Card.
      
      $ lsusb
      Bus 001 Device 024: ID 1410:9011 Novatel Wireless
      
      $ usb-devices
      T:  Bus=01 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 24 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=1410 ProdID=9011 Rev=00.03
      S:  Manufacturer=Novatel Wireless, Inc.
      S:  Product=Novatel Wireless HSPA
      S:  SerialNumber=012773002115811
      C:  #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 6 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
      I:  If#= 7 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
      
      Tested with kernel 3.2.0.
      Signed-off-by: default avatarAlexej Starschenko <starschenko@gmail.com>
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8a652e0c
    • George McCollister's avatar
      USB: ftdi_sio: add NovaTech OrionLXm product ID · 53ff5212
      George McCollister authored
      commit d0839d75 upstream.
      
      The NovaTech OrionLXm uses an onboard FTDI serial converter for JTAG and
      console access.
      
      Here is the lsusb output:
      Bus 004 Device 123: ID 0403:7c90 Future Technology Devices
      International, Ltd
      Signed-off-by: default avatarGeorge McCollister <george.mccollister@gmail.com>
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      53ff5212
    • Johan Hovold's avatar
      USB: io_ti: fix firmware download on big-endian machines (part 2) · 4f2a2b64
      Johan Hovold authored
      commit c03890ff upstream.
      
      A recent patch that purported to fix firmware download on big-endian
      machines failed to add the corresponding sparse annotation to the
      i2c-header. This was reported by the kbuild test robot.
      
      Adding the appropriate annotation revealed another endianess bug related
      to the i2c-header Size-field in a code path that is exercised when the
      firmware is actually being downloaded (and not just verified and left
      untouched unless older than the firmware at hand).
      
      This patch adds the required sparse annotation to the i2c-header and
      makes sure that the Size-field is sent in little-endian byte order
      during firmware download also on big-endian machines.
      
      Note that this patch is only compile-tested, but that there is no
      functional change for little-endian systems.
      Reported-by: default avatarkbuild test robot <fengguang.wu@intel.com>
      Cc: Ludovic Drolez <ldrolez@debian.org>
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4f2a2b64
    • Johan Hovold's avatar
      USB: cdc-acm: fix potential urb leak and PM imbalance in write · 5ddef05c
      Johan Hovold authored
      commit 183a4508 upstream.
      
      Make sure to check return value of autopm get in write() in order to
      avoid urb leak and PM counter imbalance on errors.
      
      Fixes: 11ea859d ("USB: additional power savings for cdc-acm devices
      that support remote wakeup")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2:
       - Adjust context
       - Error/status variable is called rc, not stat]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5ddef05c
    • Johan Hovold's avatar
      USB: cdc-acm: fix runtime PM for control messages · 57eb9099
      Johan Hovold authored
      commit bae3f4c5 upstream.
      
      Fix runtime PM handling of control messages by adding the required PM
      counter operations.
      
      Fixes: 11ea859d ("USB: additional power savings for cdc-acm devices
      that support remote wakeup")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      57eb9099
    • Johan Hovold's avatar
      USB: cdc-acm: fix broken runtime suspend · ab05a2e4
      Johan Hovold authored
      commit 140cb81a upstream.
      
      The current ACM runtime-suspend implementation is broken in several
      ways:
      
      Firstly, it buffers only the first write request being made while
      suspended -- any further writes are silently dropped.
      
      Secondly, writes being dropped also leak write urbs, which are never
      reclaimed (until the device is unbound).
      
      Thirdly, even the single buffered write is not cleared at shutdown
      (which may happen before the device is resumed), something which can
      lead to another urb leak as well as a PM usage-counter leak.
      
      Fix this by implementing a delayed-write queue using urb anchors and
      making sure to discard the queue properly at shutdown.
      
      Fixes: 11ea859d ("USB: additional power savings for cdc-acm devices
      that support remote wakeup")
      Reported-by: default avatarXiao Jin <jin.xiao@intel.com>
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ab05a2e4
    • Johan Hovold's avatar
      USB: cdc-acm: fix write and resume race · 16142775
      Johan Hovold authored
      commit e144ed28 upstream.
      
      Fix race between write() and resume() due to improper locking that could
      lead to writes being reordered.
      
      Resume must be done atomically and susp_count be protected by the
      write_lock in order to prevent racing with write(). This could otherwise
      lead to writes being reordered if write() grabs the write_lock after
      susp_count is decremented, but before the delayed urb is submitted.
      
      Fixes: 11ea859d ("USB: additional power savings for cdc-acm devices
      that support remote wakeup")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2:
       - Adjust context
       - Move mutex_lock(acm->mutex) above acquisition of spinlocks]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      16142775
    • Johan Hovold's avatar
      USB: cdc-acm: fix write and suspend race · 3627c075
      Johan Hovold authored
      commit 5a345c20 upstream.
      
      Fix race between write() and suspend() which could lead to writes being
      dropped (or I/O while suspended) if the device is runtime suspended
      while a write request is being processed.
      
      Specifically, suspend() releases the write_lock after determining the
      device is idle but before incrementing the susp_count, thus leaving a
      window where a concurrent write() can submit an urb.
      
      Fixes: 11ea859d ("USB: additional power savings for cdc-acm devices
      that support remote wakeup")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3627c075
    • Johan Hovold's avatar
      USB: usb_wwan: fix potential blocked I/O after resume · 75a5d8fe
      Johan Hovold authored
      commit fb7ad4f9 upstream.
      
      Keep trying to submit urbs rather than bail out on first read-urb
      submission error, which would also prevent I/O for any further ports
      from being resumed.
      
      Instead keep an error count, for all types of failed submissions, and
      let USB core know that something went wrong.
      
      Also make sure to always clear the suspended flag. Currently a failed
      read-urb submission would prevent cached writes as well as any
      subsequent writes from being submitted until next suspend-resume cycle,
      something which may not even necessarily happen.
      
      Note that USB core currently only logs an error if an interface resume
      failed.
      
      Fixes: 383cedc3 ("USB: serial: full autosuspend support for the
      option driver")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      75a5d8fe
    • Johan Hovold's avatar
      USB: usb_wwan: fix urb leak at shutdown · 19306d4c
      Johan Hovold authored
      commit 79eed03e upstream.
      
      The delayed-write queue was never emptied at shutdown (close), something
      which could lead to leaked urbs if the port is closed before being
      runtime resumed due to a write.
      
      When this happens the output buffer would not drain on close
      (closing_wait timeout), and after consecutive opens, writes could be
      corrupted with previously buffered data, transfered with reduced
      throughput or completely blocked.
      
      Note that unbusy_queued_urb() was simply moved out of CONFIG_PM.
      
      Fixes: 383cedc3 ("USB: serial: full autosuspend support for the
      option driver")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      19306d4c
    • Johan Hovold's avatar
      USB: usb_wwan: fix write and suspend race · 85296fc4
      Johan Hovold authored
      commit 170fad9e upstream.
      
      Fix race between write() and suspend() which could lead to writes being
      dropped (or I/O while suspended) if the device is runtime suspended
      while a write request is being processed.
      
      Specifically, suspend() releases the susp_lock after determining the
      device is idle but before setting the suspended flag, thus leaving a
      window where a concurrent write() can submit an urb.
      
      Fixes: 383cedc3 ("USB: serial: full autosuspend support for the
      option driver")
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      85296fc4