1. 18 Jul, 2014 34 commits
    • Yasuaki Ishimatsu's avatar
      workqueue: zero cpumask of wq_numa_possible_cpumask on init · 9b8fa806
      Yasuaki Ishimatsu authored
      commit 5a6024f1 upstream.
      
      When hot-adding and onlining CPU, kernel panic occurs, showing following
      call trace.
      
        BUG: unable to handle kernel paging request at 0000000000001d08
        IP: [<ffffffff8114acfd>] __alloc_pages_nodemask+0x9d/0xb10
        PGD 0
        Oops: 0000 [#1] SMP
        ...
        Call Trace:
         [<ffffffff812b8745>] ? cpumask_next_and+0x35/0x50
         [<ffffffff810a3283>] ? find_busiest_group+0x113/0x8f0
         [<ffffffff81193bc9>] ? deactivate_slab+0x349/0x3c0
         [<ffffffff811926f1>] new_slab+0x91/0x300
         [<ffffffff815de95a>] __slab_alloc+0x2bb/0x482
         [<ffffffff8105bc1c>] ? copy_process.part.25+0xfc/0x14c0
         [<ffffffff810a3c78>] ? load_balance+0x218/0x890
         [<ffffffff8101a679>] ? sched_clock+0x9/0x10
         [<ffffffff81105ba9>] ? trace_clock_local+0x9/0x10
         [<ffffffff81193d1c>] kmem_cache_alloc_node+0x8c/0x200
         [<ffffffff8105bc1c>] copy_process.part.25+0xfc/0x14c0
         [<ffffffff81114d0d>] ? trace_buffer_unlock_commit+0x4d/0x60
         [<ffffffff81085a80>] ? kthread_create_on_node+0x140/0x140
         [<ffffffff8105d0ec>] do_fork+0xbc/0x360
         [<ffffffff8105d3b6>] kernel_thread+0x26/0x30
         [<ffffffff81086652>] kthreadd+0x2c2/0x300
         [<ffffffff81086390>] ? kthread_create_on_cpu+0x60/0x60
         [<ffffffff815f20ec>] ret_from_fork+0x7c/0xb0
         [<ffffffff81086390>] ? kthread_create_on_cpu+0x60/0x60
      
      In my investigation, I found the root cause is wq_numa_possible_cpumask.
      All entries of wq_numa_possible_cpumask is allocated by
      alloc_cpumask_var_node(). And these entries are used without initializing.
      So these entries have wrong value.
      
      When hot-adding and onlining CPU, wq_update_unbound_numa() is called.
      wq_update_unbound_numa() calls alloc_unbound_pwq(). And alloc_unbound_pwq()
      calls get_unbound_pool(). In get_unbound_pool(), worker_pool->node is set
      as follow:
      
      3592         /* if cpumask is contained inside a NUMA node, we belong to that node */
      3593         if (wq_numa_enabled) {
      3594                 for_each_node(node) {
      3595                         if (cpumask_subset(pool->attrs->cpumask,
      3596                                            wq_numa_possible_cpumask[node])) {
      3597                                 pool->node = node;
      3598                                 break;
      3599                         }
      3600                 }
      3601         }
      
      But wq_numa_possible_cpumask[node] does not have correct cpumask. So, wrong
      node is selected. As a result, kernel panic occurs.
      
      By this patch, all entries of wq_numa_possible_cpumask are allocated by
      zalloc_cpumask_var_node to initialize them. And the panic disappeared.
      Signed-off-by: default avatarYasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      Reviewed-by: default avatarLai Jiangshan <laijs@cn.fujitsu.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Fixes: bce90380 ("workqueue: add wq_numa_tbl_len and wq_numa_possible_cpumask[]")
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9b8fa806
    • Gu Zheng's avatar
      cpuset,mempolicy: fix sleeping function called from invalid context · d9e8b4f6
      Gu Zheng authored
      commit 391acf97 upstream.
      
      When runing with the kernel(3.15-rc7+), the follow bug occurs:
      [ 9969.258987] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:586
      [ 9969.359906] in_atomic(): 1, irqs_disabled(): 0, pid: 160655, name: python
      [ 9969.441175] INFO: lockdep is turned off.
      [ 9969.488184] CPU: 26 PID: 160655 Comm: python Tainted: G       A      3.15.0-rc7+ #85
      [ 9969.581032] Hardware name: FUJITSU-SV PRIMEQUEST 1800E/SB, BIOS PRIMEQUEST 1000 Series BIOS Version 1.39 11/16/2012
      [ 9969.706052]  ffffffff81a20e60 ffff8803e941fbd0 ffffffff8162f523 ffff8803e941fd18
      [ 9969.795323]  ffff8803e941fbe0 ffffffff8109995a ffff8803e941fc58 ffffffff81633e6c
      [ 9969.884710]  ffffffff811ba5dc ffff880405c6b480 ffff88041fdd90a0 0000000000002000
      [ 9969.974071] Call Trace:
      [ 9970.003403]  [<ffffffff8162f523>] dump_stack+0x4d/0x66
      [ 9970.065074]  [<ffffffff8109995a>] __might_sleep+0xfa/0x130
      [ 9970.130743]  [<ffffffff81633e6c>] mutex_lock_nested+0x3c/0x4f0
      [ 9970.200638]  [<ffffffff811ba5dc>] ? kmem_cache_alloc+0x1bc/0x210
      [ 9970.272610]  [<ffffffff81105807>] cpuset_mems_allowed+0x27/0x140
      [ 9970.344584]  [<ffffffff811b1303>] ? __mpol_dup+0x63/0x150
      [ 9970.409282]  [<ffffffff811b1385>] __mpol_dup+0xe5/0x150
      [ 9970.471897]  [<ffffffff811b1303>] ? __mpol_dup+0x63/0x150
      [ 9970.536585]  [<ffffffff81068c86>] ? copy_process.part.23+0x606/0x1d40
      [ 9970.613763]  [<ffffffff810bf28d>] ? trace_hardirqs_on+0xd/0x10
      [ 9970.683660]  [<ffffffff810ddddf>] ? monotonic_to_bootbased+0x2f/0x50
      [ 9970.759795]  [<ffffffff81068cf0>] copy_process.part.23+0x670/0x1d40
      [ 9970.834885]  [<ffffffff8106a598>] do_fork+0xd8/0x380
      [ 9970.894375]  [<ffffffff81110e4c>] ? __audit_syscall_entry+0x9c/0xf0
      [ 9970.969470]  [<ffffffff8106a8c6>] SyS_clone+0x16/0x20
      [ 9971.030011]  [<ffffffff81642009>] stub_clone+0x69/0x90
      [ 9971.091573]  [<ffffffff81641c29>] ? system_call_fastpath+0x16/0x1b
      
      The cause is that cpuset_mems_allowed() try to take
      mutex_lock(&callback_mutex) under the rcu_read_lock(which was hold in
      __mpol_dup()). And in cpuset_mems_allowed(), the access to cpuset is
      under rcu_read_lock, so in __mpol_dup, we can reduce the rcu_read_lock
      protection region to protect the access to cpuset only in
      current_cpuset_is_being_rebound(). So that we can avoid this bug.
      
      This patch is a temporary solution that just addresses the bug
      mentioned above, can not fix the long-standing issue about cpuset.mems
      rebinding on fork():
      
      "When the forker's task_struct is duplicated (which includes
       ->mems_allowed) and it races with an update to cpuset_being_rebound
       in update_tasks_nodemask() then the task's mems_allowed doesn't get
       updated. And the child task's mems_allowed can be wrong if the
       cpuset's nodemask changes before the child has been added to the
       cgroup's tasklist."
      Signed-off-by: default avatarGu Zheng <guz.fnst@cn.fujitsu.com>
      Acked-by: default avatarLi Zefan <lizefan@huawei.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d9e8b4f6
    • Maxime Bizon's avatar
      workqueue: fix dev_set_uevent_suppress() imbalance · 982170a3
      Maxime Bizon authored
      commit bddbceb6 upstream.
      
      Uevents are suppressed during attributes registration, but never
      restored, so kobject_uevent() does nothing.
      Signed-off-by: default avatarMaxime Bizon <mbizon@freebox.fr>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Fixes: 226223abSigned-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      982170a3
    • Jan Kardell's avatar
      iio: ti_am335x_adc: Fix: Use same step id at FIFOs both ends · 376a57d0
      Jan Kardell authored
      commit baa3c652 upstream.
      
      Since AI lines could be selected at will (linux-3.11) the sending
      and receiving ends of the FIFO does not agree about what step is used
      for a line. It only works if the last lines are used, like 5,6,7,
      and fails if ie 2,4,6 is selected in DT.
      Signed-off-by: default avatarJan Kardell <jan.kardell@telliq.com>
      Tested-by: default avatarZubair Lutfullah <zubair.lutfullah@gmail.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      376a57d0
    • Michal Sojka's avatar
    • Bert Vermeulen's avatar
      USB: ftdi_sio: Add extra PID. · 065cccd3
      Bert Vermeulen authored
      commit 5a7fbe7e upstream.
      
      This patch adds PID 0x0003 to the VID 0x128d (Testo). At least the
      Testo 435-4 uses this, likely other gear as well.
      Signed-off-by: default avatarBert Vermeulen <bert@biot.com>
      Cc: Johan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      065cccd3
    • Andras Kovacs's avatar
      USB: cp210x: add support for Corsair usb dongle · a74bd870
      Andras Kovacs authored
      commit b9326057 upstream.
      
      Corsair USB Dongles are shipped with Corsair AXi series PSUs.
      These are cp210x serial usb devices, so make driver detect these.
      I have a program, that can get information from these PSUs.
      
      Tested with 2 different dongles shipped with Corsair AX860i and
      AX1200i units.
      Signed-off-by: default avatarAndras Kovacs <andras@sth.sze.hu>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a74bd870
    • Bernd Wachter's avatar
      usb: option: Add ID for Telewell TW-LTE 4G v2 · 04e38195
      Bernd Wachter authored
      commit 3d28bd84 upstream.
      
      Add ID of the Telewell 4G v2 hardware to option driver to get legacy
      serial interface working
      Signed-off-by: default avatarBernd Wachter <bernd.wachter@jolla.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      04e38195
    • Hugh Dickins's avatar
      mm: fix crashes from mbind() merging vmas · 3eef6e60
      Hugh Dickins authored
      commit d05f0cdc upstream.
      
      In v2.6.34 commit 9d8cebd4 ("mm: fix mbind vma merge problem")
      introduced vma merging to mbind(), but it should have also changed the
      convention of passing start vma from queue_pages_range() (formerly
      check_range()) to new_vma_page(): vma merging may have already freed
      that structure, resulting in BUG at mm/mempolicy.c:1738 and probably
      worse crashes.
      
      Fixes: 9d8cebd4 ("mm: fix mbind vma merge problem")
      Reported-by: default avatarNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Tested-by: default avatarNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Acked-by: default avatarChristoph Lameter <cl@linux.com>
      Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
      Cc: Minchan Kim <minchan.kim@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      3eef6e60
    • Mikulas Patocka's avatar
      sym53c8xx_2: Set DID_REQUEUE return code when aborting squeue · ae267ec9
      Mikulas Patocka authored
      commit fd1232b2 upstream.
      
      This patch fixes I/O errors with the sym53c8xx_2 driver when the disk
      returns QUEUE FULL status.
      
      When the controller encounters an error (including QUEUE FULL or BUSY
      status), it aborts all not yet submitted requests in the function
      sym_dequeue_from_squeue.
      
      This function aborts them with DID_SOFT_ERROR.
      
      If the disk has full tag queue, the request that caused the overflow is
      aborted with QUEUE FULL status (and the scsi midlayer properly retries
      it until it is accepted by the disk), but the sym53c8xx_2 driver aborts
      the following requests with DID_SOFT_ERROR --- for them, the midlayer
      does just a few retries and then signals the error up to sd.
      
      The result is that disk returning QUEUE FULL causes request failures.
      
      The error was reproduced on 53c895 with COMPAQ BD03685A24 disk
      (rebranded ST336607LC) with command queue 48 or 64 tags.  The disk has
      64 tags, but under some access patterns it return QUEUE FULL when there
      are less than 64 pending tags.  The SCSI specification allows returning
      QUEUE FULL anytime and it is up to the host to retry.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Cc: Matthew Wilcox <matthew@wil.cx>
      Cc: James Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ae267ec9
    • Sander Eikelenboom's avatar
      ALSA: usb-audio: Prevent printk ratelimiting from spamming kernel log while DEBUG not defined · fbfba9cf
      Sander Eikelenboom authored
      commit b7a77235 upstream.
      
      This (widely used) construction:
      
      if(printk_ratelimit())
      	dev_dbg()
      
      Causes the ratelimiting to spam the kernel log with the "callbacks suppressed"
      message below, even while the dev_dbg it is supposed to rate limit wouldn't
      print anything because DEBUG is not defined for this device.
      
      [  533.803964] retire_playback_urb: 852 callbacks suppressed
      [  538.807930] retire_playback_urb: 852 callbacks suppressed
      [  543.811897] retire_playback_urb: 852 callbacks suppressed
      [  548.815745] retire_playback_urb: 852 callbacks suppressed
      [  553.819826] retire_playback_urb: 852 callbacks suppressed
      
      So use dev_dbg_ratelimited() instead of this construction.
      Signed-off-by: default avatarSander Eikelenboom <linux@eikelenboom.it>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      fbfba9cf
    • Tim Gardner's avatar
      ALSA: usb-audio: Suppress repetitive debug messages from retire_playback_urb() · eae433b4
      Tim Gardner authored
      commit a5065eb6 upstream.
      
      BugLink: http://bugs.launchpad.net/bugs/1305133
      
      Malfunctioning or slow devices can cause a flood of dmesg SPAM.
      
      I've ignored checkpatch.pl complaints about the use of printk_ratelimit() in favour
      of prior art in sound/usb/pcm.c.
      
      WARNING: Prefer printk_ratelimited or pr_<level>_ratelimited to printk_ratelimit
      +	if (printk_ratelimit() &&
      
      Cc: Jaroslav Kysela <perex@perex.cz>
      Cc: Takashi Iwai <tiwai@suse.de>
      Cc: Eldad Zack <eldad@fogrefinery.com>
      Cc: Daniel Mack <zonque@gmail.com>
      Cc: Clemens Ladisch <clemens@ladisch.de>
      Signed-off-by: default avatarTim Gardner <tim.gardner@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      eae433b4
    • Micky Ching's avatar
      mmc: rtsx: add R1-no-CRC mmc command type handle · c9fcc0e3
      Micky Ching authored
      commit 5027251e upstream.
      
      a27fbf2f ("mmc: add ignorance case for CMD13 CRC error") produced
      a cmd.flags unhandled in realtek pci host driver.  This will make MMC
      card fail to initialize, this patch is used to handle the new cmd.flags
      condition and MMC card can be used.
      Signed-off-by: default avatarMicky Ching <micky_ching@realsil.com.cn>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarChris Ball <chris@printf.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c9fcc0e3
    • Peter Hurley's avatar
      tty: Correct INPCK handling · ad4a4e1f
      Peter Hurley authored
      commit 66528f90 upstream.
      
      If INPCK is not set, input parity detection should be disabled. This means
      parity errors should not be received from the tty driver, and the data
      received should be treated normally.
      
      SUS v3, 11.2.2, General Terminal Interface - Input Modes, states:
        "If INPCK is set, input parity checking shall be enabled. If INPCK is
         not set, input parity checking shall be disabled, allowing output parity
         generation without input parity errors. Note that whether input parity
         checking is enabled or disabled is independent of whether parity detection
         is enabled or disabled (see Control Modes). If parity detection is enabled
         but input parity checking is disabled, the hardware to which the terminal
         is connected shall recognize the parity bit, but the terminal special file
         shall not check whether or not this bit is correctly set."
      
      Ignore parity errors reported by the tty driver when INPCK is not set, and
      handle the received data normally.
      
      Fixes: Bugzilla #71681, 'Improvement of n_tty_receive_parity_error from n_tty.c'
      Reported-by: default avatarIvan <athlon_@mail.ru>
      Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ad4a4e1f
    • Peter Hurley's avatar
      serial: Fix IGNBRK handling · 7d6467cf
      Peter Hurley authored
      commit ef8b9ddc upstream.
      
      If IGNBRK is set without either BRKINT or PARMRK set, some uart
      drivers send a 0x00 byte for BREAK without the TTYBREAK flag to the
      line discipline, when it should send either nothing or the TTYBREAK flag
      set. This happens because the read_status_mask masks out the BI
      condition, which uart_insert_char() then interprets as a normal 0x00 byte.
      
      SUS v3 is clear regarding the meaning of IGNBRK; Section 11.2.2, General
      Terminal Interface - Input Modes, states:
        "If IGNBRK is set, a break condition detected on input shall be ignored;
         that is, not put on the input queue and therefore not read by any
         process."
      
      Fix read_status_mask to include the BI bit if IGNBRK is set; the
      lsr status retains the BI bit if a BREAK is recv'd, which is
      subsequently ignored in uart_insert_char() when masked with the
      ignore_status_mask.
      
      Affected drivers:
      8250 - all
      serial_txx9
      mfd
      amba-pl010
      amba-pl011
      atmel_serial
      bfin_uart
      dz
      ip22zilog
      max310x
      mxs-auart
      netx-serial
      pnx8xxx_uart
      pxa
      sb1250-duart
      sccnxp
      serial_ks8695
      sirfsoc_uart
      st-asc
      vr41xx_siu
      zs
      sunzilog
      fsl_lpuart
      sunsab
      ucc_uart
      bcm63xx_uart
      sunsu
      efm32-uart
      pmac_zilog
      mpsc
      msm_serial
      m32r_sio
      
      Unaffected drivers:
      omap-serial
      rp2
      sa1100
      imx
      icom
      
      Annotated for fixes:
      altera_uart
      mcf
      
      Drivers without break detection:
      21285
      xilinx-uartps
      altera_jtaguart
      apbuart
      arc-uart
      clps711x
      max3100
      uartlite
      msm_serial_hs
      nwpserial
      lantiq
      vt8500_serial
      
      Unknown:
      samsung
      mpc52xx_uart
      bfin_sport_uart
      cpm_uart/core
      
      Fixes: Bugzilla #71651, '8250_core.c incorrectly handles IGNBRK flag'
      Reported-by: default avatarIvan <athlon_@mail.ru>
      Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7d6467cf
    • Michal Nazarewicz's avatar
      mm: page_alloc: fix CMA area initialisation when pageblock > MAX_ORDER · c225b325
      Michal Nazarewicz authored
      commit dc78327c upstream.
      
      With a kernel configured with ARM64_64K_PAGES && !TRANSPARENT_HUGEPAGE,
      the following is triggered at early boot:
      
        SMP: Total of 8 processors activated.
        devtmpfs: initialized
        Unable to handle kernel NULL pointer dereference at virtual address 00000008
        pgd = fffffe0000050000
        [00000008] *pgd=00000043fba00003, *pmd=00000043fba00003, *pte=00e0000078010407
        Internal error: Oops: 96000006 [#1] SMP
        Modules linked in:
        CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.15.0-rc864k+ #44
        task: fffffe03bc040000 ti: fffffe03bc080000 task.ti: fffffe03bc080000
        PC is at __list_add+0x10/0xd4
        LR is at free_one_page+0x270/0x638
        ...
        Call trace:
          __list_add+0x10/0xd4
          free_one_page+0x26c/0x638
          __free_pages_ok.part.52+0x84/0xbc
          __free_pages+0x74/0xbc
          init_cma_reserved_pageblock+0xe8/0x104
          cma_init_reserved_areas+0x190/0x1e4
          do_one_initcall+0xc4/0x154
          kernel_init_freeable+0x204/0x2a8
          kernel_init+0xc/0xd4
      
      This happens because init_cma_reserved_pageblock() calls
      __free_one_page() with pageblock_order as page order but it is bigger
      than MAX_ORDER.  This in turn causes accesses past zone->free_list[].
      
      Fix the problem by changing init_cma_reserved_pageblock() such that it
      splits pageblock into individual MAX_ORDER pages if pageblock is bigger
      than a MAX_ORDER page.
      
      In cases where !CONFIG_HUGETLB_PAGE_SIZE_VARIABLE, which is all
      architectures expect for ia64, powerpc and tile at the moment, the
      “pageblock_order > MAX_ORDER” condition will be optimised out since both
      sides of the operator are constants.  In cases where pageblock size is
      variable, the performance degradation should not be significant anyway
      since init_cma_reserved_pageblock() is called only at boot time at most
      MAX_CMA_AREAS times which by default is eight.
      Signed-off-by: default avatarMichal Nazarewicz <mina86@mina86.com>
      Reported-by: default avatarMark Salter <msalter@redhat.com>
      Tested-by: default avatarMark Salter <msalter@redhat.com>
      Tested-by: default avatarChristopher Covington <cov@codeaurora.org>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Marek Szyprowski <m.szyprowski@samsung.com>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c225b325
    • Thomas Gleixner's avatar
      irqchip: spear_shirq: Fix interrupt offset · d90ff081
      Thomas Gleixner authored
      commit 4f436603 upstream.
      
      The ras3 block on spear320 claims to have 3 interrupts. In fact it has
      one and 6 reserved interrupts. Account the 6 reserved to this block so
      it has 7 interrupts total. That matches the datasheet and the device
      tree entries.
      
      Broken since commit 80515a5a(ARM: SPEAr3xx: shirq: simplify and move
      the shared irq multiplexor to DT). Testing is overrated....
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20140619212712.872379208@linutronix.de
      Fixes: 80515a5a ('ARM: SPEAr3xx: shirq: simplify and move the shared irq multiplexor to DT')
      Acked-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: default avatarJason Cooper <jason@lakedaemon.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d90ff081
    • NeilBrown's avatar
      md: flush writes before starting a recovery. · f18a52f4
      NeilBrown authored
      commit 133d4527 upstream.
      
      When we write to a degraded array which has a bitmap, we
      make sure the relevant bit in the bitmap remains set when
      the write completes (so a 're-add' can quickly rebuilt a
      temporarily-missing device).
      
      If, immediately after such a write starts, we incorporate a spare,
      commence recovery, and skip over the region where the write is
      happening (because the 'needs recovery' flag isn't set yet),
      then that write will not get to the new device.
      
      Once the recovery finishes the new device will be trusted, but will
      have incorrect data, leading to possible corruption.
      
      We cannot set the 'needs recovery' flag when we start the write as we
      do not know easily if the write will be "degraded" or not.  That
      depends on details of the particular raid level and particular write
      request.
      
      This patch fixes a corruption issue of long standing and so it
      suitable for any -stable kernel.  It applied correctly to 3.0 at
      least and will minor editing to earlier kernels.
      Reported-by: default avatarBill <billstuff2001@sbcglobal.net>
      Tested-by: default avatarBill <billstuff2001@sbcglobal.net>
      Link: http://lkml.kernel.org/r/53A518BB.60709@sbcglobal.netSigned-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      f18a52f4
    • Steven Rostedt (Red Hat)'s avatar
      tracing: Remove ftrace_stop/start() from reading the trace file · 19a01928
      Steven Rostedt (Red Hat) authored
      commit 099ed151 upstream.
      
      Disabling reading and writing to the trace file should not be able to
      disable all function tracing callbacks. There's other users today
      (like kprobes and perf). Reading a trace file should not stop those
      from happening.
      Reviewed-by: default avatarMasami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      19a01928
    • Michal Nazarewicz's avatar
      tools: ffs-test: fix header values endianess · cb116d6b
      Michal Nazarewicz authored
      commit f35f7124 upstream.
      
      It appears that no one ever run ffs-test on a big-endian machine,
      since it used cpu-endianess for fs_count and hs_count fields which
      should be in little-endian format.  Fix by wrapping the numbers in
      cpu_to_le32.
      Signed-off-by: default avatarMichal Nazarewicz <mina86@mina86.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      cb116d6b
    • J. Bruce Fields's avatar
      nfsd: fix rare symlink decoding bug · 12ea9001
      J. Bruce Fields authored
      commit 76f47128 upstream.
      
      An NFS operation that creates a new symlink includes the symlink data,
      which is xdr-encoded as a length followed by the data plus 0 to 3 bytes
      of zero-padding as required to reach a 4-byte boundary.
      
      The vfs, on the other hand, wants null-terminated data.
      
      The simple way to handle this would be by copying the data into a newly
      allocated buffer with space for the final null.
      
      The current nfsd_symlink code tries to be more clever by skipping that
      step in the (likely) case where the byte following the string is already
      0.
      
      But that assumes that the byte following the string is ours to look at.
      In fact, it might be the first byte of a page that we can't read, or of
      some object that another task might modify.
      
      Worse, the NFSv4 code tries to fix the problem by actually writing to
      that byte.
      
      In the NFSv2/v3 cases this actually appears to be safe:
      
      	- nfs3svc_decode_symlinkargs explicitly null-terminates the data
      	  (after first checking its length and copying it to a new
      	  page).
      	- NFSv2 limits symlinks to 1k.  The buffer holding the rpc
      	  request is always at least a page, and the link data (and
      	  previous fields) have maximum lengths that prevent the request
      	  from reaching the end of a page.
      
      In the NFSv4 case the CREATE op is potentially just one part of a long
      compound so can end up on the end of a page if you're unlucky.
      
      The minimal fix here is to copy and null-terminate in the NFSv4 case.
      The nfsd_symlink() interface here seems too fragile, though.  It should
      really either do the copy itself every time or just require a
      null-terminated string.
      Reported-by: default avatarJeff Layton <jlayton@primarydata.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      12ea9001
    • Adam Thomson's avatar
      iio: of_iio_channel_get_by_name() returns non-null pointers for error legs · 8f2574b7
      Adam Thomson authored
      commit a2c12493 upstream.
      
      Currently in the inkern.c code for IIO framework, the function
      of_iio_channel_get_by_name() will return a non-NULL pointer when
      it cannot find a channel using of_iio_channel_get() and when it
      tries to search for 'io-channel-ranges' property and fails. This
      is incorrect behaviour as the function which calls this expects
      a NULL pointer for failure. This patch rectifies the issue.
      Signed-off-by: default avatarAdam Thomson <Adam.Thomson.Opensource@diasemi.com>
      Signed-off-by: default avatarJonathan Cameron <jic23@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8f2574b7
    • Paolo Bonzini's avatar
      KVM: x86: preserve the high 32-bits of the PAT register · d964adc8
      Paolo Bonzini authored
      commit 7cb060a9 upstream.
      
      KVM does not really do much with the PAT, so this went unnoticed for a
      long time.  It is exposed however if you try to do rdmsr on the PAT
      register.
      Reported-by: default avatarValentine Sinitsyn <valentine.sinitsyn@gmail.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d964adc8
    • Nadav Amit's avatar
      KVM: x86: Increase the number of fixed MTRR regs to 10 · 35d3871e
      Nadav Amit authored
      commit 682367c4 upstream.
      
      Recent Intel CPUs have 10 variable range MTRRs. Since operating systems
      sometime make assumptions on CPUs while they ignore capability MSRs, it is
      better for KVM to be consistent with recent CPUs. Reporting more MTRRs than
      actually supported has no functional implications.
      Signed-off-by: default avatarNadav Amit <namit@cs.technion.ac.il>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      35d3871e
    • Jan Kara's avatar
      ext4: Fix hole punching for files with indirect blocks · 9011a645
      Jan Kara authored
      commit a93cd4cf upstream.
      
      Hole punching code for files with indirect blocks wrongly computed
      number of blocks which need to be cleared when traversing the indirect
      block tree. That could result in punching more blocks than actually
      requested and thus effectively cause a data loss. For example:
      
      fallocate -n -p 10240000 4096
      
      will punch the range 10240000 - 12632064 instead of the range 1024000 -
      10244096. Fix the calculation.
      
      Fixes: 8bad6fc8Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9011a645
    • Jan Kara's avatar
      ext4: Fix buffer double free in ext4_alloc_branch() · 18e64a6a
      Jan Kara authored
      commit c5c7b8dd upstream.
      
      Error recovery in ext4_alloc_branch() calls ext4_forget() even for
      buffer corresponding to indirect block it did not allocate. This leads
      to brelse() being called twice for that buffer (once from ext4_forget()
      and once from cleanup in ext4_ind_map_blocks()) leading to buffer use
      count misaccounting. Eventually (but often much later because there
      are other users of the buffer) we will see messages like:
      VFS: brelse: Trying to free free buffer
      
      Another manifestation of this problem is an error:
      JBD2 unexpected failure: jbd2_journal_revoke: !buffer_revoked(bh);
      inconsistent data on disk
      
      The fix is easy - don't forget buffer we did not allocate. Also add an
      explanatory comment because the indexing at ext4_alloc_branch() is
      somewhat subtle.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      18e64a6a
    • Tejun Heo's avatar
      blkcg: fix use-after-free in __blkg_release_rcu() by making blkcg_gq refcnt an atomic_t · 04e1cd73
      Tejun Heo authored
      commit a5049a8a upstream.
      
      Hello,
      
      So, this patch should do.  Joe, Vivek, can one of you guys please
      verify that the oops goes away with this patch?
      
      Jens, the original thread can be read at
      
        http://thread.gmane.org/gmane.linux.kernel/1720729
      
      The fix converts blkg->refcnt from int to atomic_t.  It does some
      overhead but it should be minute compared to everything else which is
      going on and the involved cacheline bouncing, so I think it's highly
      unlikely to cause any noticeable difference.  Also, the refcnt in
      question should be converted to a perpcu_ref for blk-mq anyway, so the
      atomic_t is likely to go away pretty soon anyway.
      
      Thanks.
      
      ------- 8< -------
      __blkg_release_rcu() may be invoked after the associated request_queue
      is released with a RCU grace period inbetween.  As such, the function
      and callbacks invoked from it must not dereference the associated
      request_queue.  This is clearly indicated in the comment above the
      function.
      
      Unfortunately, while trying to fix a different issue, 2a4fd070
      ("blkcg: move bulk of blkcg_gq release operations to the RCU
      callback") ignored this and added [un]locking of @blkg->q->queue_lock
      to __blkg_release_rcu().  This of course can cause oops as the
      request_queue may be long gone by the time this code gets executed.
      
        general protection fault: 0000 [#1] SMP
        CPU: 21 PID: 30 Comm: rcuos/21 Not tainted 3.15.0 #1
        Hardware name: Stratus ftServer 6400/G7LAZ, BIOS BIOS Version 6.3:57 12/25/2013
        task: ffff880854021de0 ti: ffff88085403c000 task.ti: ffff88085403c000
        RIP: 0010:[<ffffffff8162e9e5>]  [<ffffffff8162e9e5>] _raw_spin_lock_irq+0x15/0x60
        RSP: 0018:ffff88085403fdf0  EFLAGS: 00010086
        RAX: 0000000000020000 RBX: 0000000000000010 RCX: 0000000000000000
        RDX: 000060ef80008248 RSI: 0000000000000286 RDI: 6b6b6b6b6b6b6b6b
        RBP: ffff88085403fdf0 R08: 0000000000000286 R09: 0000000000009f39
        R10: 0000000000020001 R11: 0000000000020001 R12: ffff88103c17a130
        R13: ffff88103c17a080 R14: 0000000000000000 R15: 0000000000000000
        FS:  0000000000000000(0000) GS:ffff88107fca0000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00000000006e5ab8 CR3: 000000000193d000 CR4: 00000000000407e0
        Stack:
         ffff88085403fe18 ffffffff812cbfc2 ffff88103c17a130 0000000000000000
         ffff88103c17a130 ffff88085403fec0 ffffffff810d1d28 ffff880854021de0
         ffff880854021de0 ffff88107fcaec58 ffff88085403fe80 ffff88107fcaec30
        Call Trace:
         [<ffffffff812cbfc2>] __blkg_release_rcu+0x72/0x150
         [<ffffffff810d1d28>] rcu_nocb_kthread+0x1e8/0x300
         [<ffffffff81091d81>] kthread+0xe1/0x100
         [<ffffffff8163813c>] ret_from_fork+0x7c/0xb0
        Code: ff 47 04 48 8b 7d 08 be 00 02 00 00 e8 55 48 a4 ff 5d c3 0f 1f 00 66 66 66 66 90 55 48 89 e5
        +fa 66 66 90 66 66 90 b8 00 00 02 00 <f0> 0f c1 07 89 c2 c1 ea 10 66 39 c2 75 02 5d c3 83 e2 fe 0f
        +b7
        RIP  [<ffffffff8162e9e5>] _raw_spin_lock_irq+0x15/0x60
         RSP <ffff88085403fdf0>
      
      The request_queue locking was added because blkcg_gq->refcnt is an int
      protected with the queue lock and __blkg_release_rcu() needs to put
      the parent.  Let's fix it by making blkcg_gq->refcnt an atomic_t and
      dropping queue locking in the function.
      
      Given the general heavy weight of the current request_queue and blkcg
      operations, this is unlikely to cause any noticeable overhead.
      Moreover, blkcg_gq->refcnt is likely to be converted to percpu_ref in
      the near future, so whatever (most likely negligible) overhead it may
      add is temporary.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarJoe Lawrence <joe.lawrence@stratus.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      Link: http://lkml.kernel.org/g/alpine.DEB.2.02.1406081816540.17948@jlaw-desktop.mno.stratus.comSigned-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      04e1cd73
    • Steve French's avatar
      CIFS: fix mount failure with broken pathnames when smb3 mount with mapchars option · 10bdb522
      Steve French authored
      commit ce36d9ab upstream.
      
      When we SMB3 mounted with mapchars (to allow reserved characters : \ / > < * ?
      via the Unicode Windows to POSIX remap range) empty paths
      (eg when we open "" to query the root of the SMB3 directory on mount) were not
      null terminated so we sent garbarge as a path name on empty paths which caused
      SMB2/SMB2.1/SMB3 mounts to fail when mapchars was specified.  mapchars is
      particularly important since Unix Extensions for SMB3 are not supported (yet)
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Reviewed-by: default avatarDavid Disseldorp <ddiss@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      10bdb522
    • Rafał Miłecki's avatar
      b43: fix frequency reported on G-PHY with /new/ firmware · bf792b9b
      Rafał Miłecki authored
      commit 2fc68eb1 upstream.
      
      Support for firmware rev 508+ was added years ago, but we never noticed
      it reports channel in a different way for G-PHY devices. Instead of
      offset from 2400 MHz it simply passes channel id (AKA hw_value).
      
      So far it was (most probably) affecting monitor mode users only, but
      the following recent commit made it noticeable for quite everybody:
      
      commit 3afc2167
      Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
      Date:   Tue Mar 4 16:50:13 2014 +0200
      
          cfg80211/mac80211: ignore signal if the frame was heard on wrong channel
      Reported-by: default avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: default avatarRafał Miłecki <zajec5@gmail.com>
      Tested-by: default avatarAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      bf792b9b
    • Maxime Ripard's avatar
      net: allwinner: emac: Add missing free_irq · 9b272249
      Maxime Ripard authored
      commit b9111328 upstream.
      
      If the mdio probe function fails in emac_open, the interrupt we just requested
      isn't freed. If emac_open is called again, for example because we try to set up
      the interface again, the kernel will oops because the interrupt wasn't properly
      released.
      Signed-off-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      9b272249
    • ChiaHao's avatar
      arm64: Bug fix in stack alignment exception · 0c935c95
      ChiaHao authored
      commit 3906c2b5 upstream.
      
      The value of ESR has been stored into x1, and should be directly pass to
      do_sp_pc_abort function, "MOV x1, x25" is an extra operation and do_sp_pc_abort
      will get the wrong value of ESR.
      Signed-off-by: default avatarChiaHao <andy.jhshiu@gmail.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      0c935c95
    • David R. Piegdon's avatar
      ARM: OMAP2+: Fix parser-bug in platform muxing code · 356d96c5
      David R. Piegdon authored
      commit c021f241 upstream.
      
      Fix a parser-bug in the omap2 muxing code where muxtable-entries will be
      wrongly selected if the requested muxname is a *prefix* of their
      m0-entry and they have a matching mN-entry. Fix by additionally checking
      that the length of the m0_entry is equal.
      
      For example muxing of "dss_data2.dss_data2" on omap32xx will fail
      because the prefix "dss_data2" will match the mux-entries "dss_data2" as
      well as "dss_data20", with the suffix "dss_data2" matching m0 (for
      dss_data2) and m4 (for dss_data20). Thus both are recognized as signal
      path candidates:
      
      Relevant muxentries from mux34xx.c:
              _OMAP3_MUXENTRY(DSS_DATA20, 90,
                      "dss_data20", NULL, "mcspi3_somi", "dss_data2",
                      "gpio_90", NULL, NULL, "safe_mode"),
              _OMAP3_MUXENTRY(DSS_DATA2, 72,
                      "dss_data2", NULL, NULL, NULL,
                      "gpio_72", NULL, NULL, "safe_mode"),
      
      This will result in a failure to mux the pin at all:
      
       _omap_mux_get_by_name: Multiple signal paths (2) for dss_data2.dss_data2
      
      Patch should apply to linus' latest master down to rather old linux-2.6
      trees.
      Signed-off-by: default avatarDavid R. Piegdon <lkml@p23q.org>
      Cc: stable@vger.kernel.org
      [tony@atomide.com: updated description to include full description]
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      356d96c5
    • Steve Capper's avatar
      arm64: mm: Make icache synchronisation logic huge page aware · 53d968ca
      Steve Capper authored
      commit 923b8f50 upstream.
      
      The __sync_icache_dcache routine will only flush the dcache for the
      first page of a compound page, potentially leading to stale icache
      data residing further on in a hugetlb page.
      
      This patch addresses this issue by taking into consideration the
      order of the page when flushing the dcache.
      Reported-by: default avatarMark Brown <broonie@linaro.org>
      Tested-by: default avatarMark Brown <broonie@linaro.org>
      Signed-off-by: default avatarSteve Capper <steve.capper@linaro.org>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      53d968ca
    • David Rientjes's avatar
      mm, pcp: allow restoring percpu_pagelist_fraction default · 6b500267
      David Rientjes authored
      commit 7cd2b0a3 upstream.
      
      Oleg reports a division by zero error on zero-length write() to the
      percpu_pagelist_fraction sysctl:
      
          divide error: 0000 [#1] SMP DEBUG_PAGEALLOC
          CPU: 1 PID: 9142 Comm: badarea_io Not tainted 3.15.0-rc2-vm-nfs+ #19
          Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
          task: ffff8800d5aeb6e0 ti: ffff8800d87a2000 task.ti: ffff8800d87a2000
          RIP: 0010: percpu_pagelist_fraction_sysctl_handler+0x84/0x120
          RSP: 0018:ffff8800d87a3e78  EFLAGS: 00010246
          RAX: 0000000000000f89 RBX: ffff88011f7fd000 RCX: 0000000000000000
          RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000010
          RBP: ffff8800d87a3e98 R08: ffffffff81d002c8 R09: ffff8800d87a3f50
          R10: 000000000000000b R11: 0000000000000246 R12: 0000000000000060
          R13: ffffffff81c3c3e0 R14: ffffffff81cfddf8 R15: ffff8801193b0800
          FS:  00007f614f1e9740(0000) GS:ffff88011f440000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
          CR2: 00007f614f1fa000 CR3: 00000000d9291000 CR4: 00000000000006e0
          Call Trace:
            proc_sys_call_handler+0xb3/0xc0
            proc_sys_write+0x14/0x20
            vfs_write+0xba/0x1e0
            SyS_write+0x46/0xb0
            tracesys+0xe1/0xe6
      
      However, if the percpu_pagelist_fraction sysctl is set by the user, it
      is also impossible to restore it to the kernel default since the user
      cannot write 0 to the sysctl.
      
      This patch allows the user to write 0 to restore the default behavior.
      It still requires a fraction equal to or larger than 8, however, as
      stated by the documentation for sanity.  If a value in the range [1, 7]
      is written, the sysctl will return EINVAL.
      
      This successfully solves the divide by zero issue at the same time.
      Signed-off-by: default avatarDavid Rientjes <rientjes@google.com>
      Reported-by: default avatarOleg Drokin <green@linuxhacker.ru>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6b500267
  2. 17 Jul, 2014 6 commits