1. 14 Mar, 2013 40 commits
    • Guenter Roeck's avatar
      hwmon: (pmbus/ltc2978) Use detected chip ID to select supported functionality · 1dde5a36
      Guenter Roeck authored
      commit f366fccd upstream.
      
      We read the chip ID from the chip, use it to determine if the chip ID provided
      to the driver is correct, and report it if wrong. We should also use the
      correct chip ID to select supported functionality.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Acked-by: default avatarJean Delvare <khali@linux-fr.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1dde5a36
    • Guenter Roeck's avatar
      hwmon: (pmbus/ltc2978) Fix peak attribute handling · 4404ee44
      Guenter Roeck authored
      commit dbd712c2 upstream.
      
      Peak attributes were not initialized and cleared correctly.
      Also, temp2_max is only supported on page 0 and thus does not need to be
      an array.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Acked-by: default avatarJean Delvare <khali@linux-fr.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4404ee44
    • Mark Brown's avatar
      hwmon: (sht15) Check return value of regulator_enable() · 6d29c5ec
      Mark Brown authored
      commit 3e78080f upstream.
      
      Not having power is a pretty serious error so check that we are able to
      enable the supply and error out if we can't.
      Signed-off-by: default avatarMark Brown <broonie@opensource.wolfsonmicro.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      6d29c5ec
    • NeilBrown's avatar
      md/raid1,raid10: fix deadlock with freeze_array() · 71192d46
      NeilBrown authored
      commit ee0b0244 upstream.
      
      When raid1/raid10 needs to fix a read error, it first drains
      all pending requests by calling freeze_array().
      This calls flush_pending_writes() if it needs to sleep,
      but some writes may be pending in a per-process plug rather
      than in the per-array request queue.
      
      When raid1{,0}_unplug() moves the request from the per-process
      plug to the per-array request queue (from which
      flush_pending_writes() can flush them), it needs to wake up
      freeze_array(), or freeze_array() will never flush them and so
      it will block forever.
      
      So add the requires wake_up() calls.
      
      This bug was introduced by commit
         f54a9d0e
      for raid1 and a similar commit for RAID10, and so has been present
      since linux-3.6.  As the bug causes a deadlock I believe this fix is
      suitable for -stable.
      Reported-by: default avatarTregaron Bayly <tbayly@bluehost.com>
      Tested-by: default avatarTregaron Bayly <tbayly@bluehost.com>
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      71192d46
    • NeilBrown's avatar
      md: raid0: fix error return from create_stripe_zones. · 5260b2b5
      NeilBrown authored
      commit 58ebb34c upstream.
      
      Create_stripe_zones returns an error slightly differently to
      raid0_run and to raid0_takeover_*.
      
      The error returned used by the second was wrong and an error would
      result in mddev->private being set to NULL and sooner or later a
      crash.
      
      So never return NULL, return ERR_PTR(err), not NULL from
      create_stripe_zones.
      
      This bug has been present since 2.6.35 so the fix is suitable
      for any kernel since then.
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5260b2b5
    • NeilBrown's avatar
      md: fix two bugs when attempting to resize RAID0 array. · cac9a265
      NeilBrown authored
      commit a6468539 upstream.
      
      You cannot resize a RAID0 array (in terms of making the devices
      bigger), but the code doesn't entirely stop you.
      So:
      
       disable setting of the available size on each device for
       RAID0 and Linear devices.  This must not change as doing so
       can change the effective layout of data.
      
       Make sure that the size that raid0_size() reports is accurate,
       but rounding devices sizes to chunk sizes.  As the device sizes
       cannot change now, this isn't so important, but it is best to be
       safe.
      
      Without this change:
        mdadm --grow /dev/md0 -z max
        mdadm --grow /dev/md0 -Z max
        then read to the end of the array
      
      can cause a BUG in a RAID0 array.
      
      These bugs have been present ever since it became possible
      to resize any device, which is a long time.  So the fix is
      suitable for any -stable kerenl.
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cac9a265
    • Sebastian Riemer's avatar
      md: protect against crash upon fsync on ro array · 22c776d6
      Sebastian Riemer authored
      commit bbfa57c0 upstream.
      
      If an fsync occurs on a read-only array, we need to send a
      completion for the IO and may not increment the active IO count.
      Otherwise, we hit a bug trace and can't stop the MD array anymore.
      
      By advice of Christoph Hellwig we return success upon a flush
      request but we return -EROFS for other writes.
      We detect flush requests by checking if the bio has zero sectors.
      
      This patch is suitable to any -stable kernel to which it applies.
      Signed-off-by: default avatarSebastian Riemer <sebastian.riemer@profitbricks.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: Ben Hutchings <ben@decadent.org.uk>
      Cc: NeilBrown <neilb@suse.de>
      Reported-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Acked-by: default avatarPaul Menzel <paulepanter@users.sourceforge.net>
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      22c776d6
    • Frederic Weisbecker's avatar
      nohz: Make tick_nohz_irq_exit() irq safe · 0cb205ec
      Frederic Weisbecker authored
      commit e5ab012c upstream.
      
      As it stands, irq_exit() may or may not be called with
      irqs disabled, depending on __ARCH_IRQ_EXIT_IRQS_DISABLED
      that the arch can define.
      
      It makes tick_nohz_irq_exit() unsafe. For example two
      interrupts can race in tick_nohz_stop_sched_tick(): the inner
      most one computes the expiring time on top of the timer list,
      then it's interrupted right before reprogramming the
      clock. The new interrupt enqueues a new timer list timer,
      it reprogram the clock to take it into account and it exits.
      The CPUs resumes the inner most interrupt and performs the clock
      reprogramming without considering the new timer list timer.
      
      This regression has been introduced by:
           280f0677
           ("nohz: Separate out irq exit and idle loop dyntick logic")
      
      Let's fix it right now with the appropriate protections.
      
      A saner long term solution will be to remove
      __ARCH_IRQ_EXIT_IRQS_DISABLED and mandate that irq_exit() is called
      with interrupts disabled.
      Signed-off-by: default avatarFrederic Weisbecker <fweisbec@gmail.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Linus Torvalds <torvalds@linuxfoundation.org>
      Link: http://lkml.kernel.org/r/1361373336-11337-1-git-send-email-fweisbec@gmail.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0cb205ec
    • Kees Cook's avatar
      proc connector: reject unprivileged listener bumps · 5836682c
      Kees Cook authored
      commit e70ab977 upstream.
      
      While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible
      for an unprivileged user to turn off notifications for all listeners by
      sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as
      required for a multicast bind.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: Evgeniy Polyakov <zbr@ioremap.net>
      Cc: Matt Helsley <matthltc@us.ibm.com>
      Acked-by: default avatarEvgeniy Polyakov <zbr@ioremap.net>
      Acked-by: default avatarMatt Helsley <matthltc@us.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5836682c
    • Felix Fietkau's avatar
      ath9k_hw: improve reset reliability after errors · a9382b77
      Felix Fietkau authored
      commit 3412f2f0 upstream.
      
      On many different chips, important aspects of the MAC state are not
      fully cleared by a warm reset. This can show up as tx/rx hangs, those
      annoying "DMA failed to stop in 10 ms..." messages or other quirks.
      
      On AR933x, the chip can occasionally get stuck in a way that only a
      driver unload/reload or a reboot would bring it back to life.
      
      With this patch, a full reset is issued when bringing the chip out of
      FULL-SLEEP state (after idle), or if either Rx or Tx was not shut down
      properly. This makes the DMA related error messages disappear completely
      in my tests on AR933x, and the chip does not get stuck anymore.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a9382b77
    • Felix Fietkau's avatar
      ath9k_htc: fix signal strength handling issues · 97fe3c32
      Felix Fietkau authored
      commit 838f4279 upstream.
      
      The ath9k commit 2ef16755
      (ath9k: fix signal strength reporting issues) fixed an issue where the
      reported per-frame signal strength reported to mac80211 was being
      overwritten with an internal average. The same issue is also present
      in ath9k_htc.
      In addition to preventing the driver from overwriting the value, this
      commit also ensures that the internal average (which is used for ANI)
      only tracks beacons of the AP that we're connected to.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      97fe3c32
    • Felix Fietkau's avatar
      ath9k: fix RSSI dummy marker value · 7e928048
      Felix Fietkau authored
      commit a3d63cad upstream.
      
      RSSI is being stored internally as s8 in several places. The indication
      of an unset RSSI value, ATH_RSSI_DUMMY_MARKER, was supposed to have been
      set to 127, but ended up being set to 0x127 because of a code cleanup
      mistake. This could lead to invalid signal strength values in a few
      places.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7e928048
    • Bing Zhao's avatar
      libertas: fix crash for SD8688 · 556b1db4
      Bing Zhao authored
      commit 46602698 upstream.
      
      For SD8688, FUNC_INIT command is queued before fw_ready flag is
      set. This causes the following crash as lbs_thread blocks any
      command if fw_ready is not set.
      
      [  209.338953] [<c0502248>] (__schedule+0x610/0x764) from [<bf20ae24>] (__lbs_cmd+0xb8/0x130 [libertas])
      [  209.348340] [<bf20ae24>] (__lbs_cmd+0xb8/0x130 [libertas]) from [<bf222474>] (if_sdio_finish_power_on+0xec/0x1b0 [libertas_sdio])
      [  209.360136] [<bf222474>] (if_sdio_finish_power_on+0xec/0x1b0 [libertas_sdio]) from [<bf2226c4>] (if_sdio_power_on+0x18c/0x20c [libertas_sdio])
      [  209.373052] [<bf2226c4>] (if_sdio_power_on+0x18c/0x20c [libertas_sdio]) from [<bf222944>] (if_sdio_probe+0x200/0x31c [libertas_sdio])
      [  209.385316] [<bf222944>] (if_sdio_probe+0x200/0x31c [libertas_sdio]) from [<bf01d820>] (sdio_bus_probe+0x94/0xfc [mmc_core])
      [  209.396748] [<bf01d820>] (sdio_bus_probe+0x94/0xfc [mmc_core]) from [<c02e729c>] (driver_probe_device+0x12c/0x348)
      [  209.407214] [<c02e729c>] (driver_probe_device+0x12c/0x348) from [<c02e7530>] (__driver_attach+0x78/0x9c)
      [  209.416798] [<c02e7530>] (__driver_attach+0x78/0x9c) from [<c02e5658>] (bus_for_each_dev+0x50/0x88)
      [  209.425946] [<c02e5658>] (bus_for_each_dev+0x50/0x88) from [<c02e6810>] (bus_add_driver+0x108/0x268)
      [  209.435180] [<c02e6810>] (bus_add_driver+0x108/0x268) from [<c02e782c>] (driver_register+0xa4/0x134)
      [  209.444426] [<c02e782c>] (driver_register+0xa4/0x134) from [<bf22601c>] (if_sdio_init_module+0x1c/0x3c [libertas_sdio])
      [  209.455339] [<bf22601c>] (if_sdio_init_module+0x1c/0x3c [libertas_sdio]) from [<c00085b8>] (do_one_initcall+0x98/0x174)
      [  209.466236] [<c00085b8>] (do_one_initcall+0x98/0x174) from [<c0076504>] (load_module+0x1c5c/0x1f80)
      [  209.475390] [<c0076504>] (load_module+0x1c5c/0x1f80) from [<c007692c>] (sys_init_module+0x104/0x128)
      [  209.484632] [<c007692c>] (sys_init_module+0x104/0x128) from [<c0008c40>] (ret_fast_syscall+0x0/0x38)
      
      Fix it by setting fw_ready flag prior to queuing FUNC_INIT command.
      Reported-by: default avatarLubomir Rintel <lkundrak@v3.sk>
      Tested-by: default avatarLubomir Rintel <lkundrak@v3.sk>
      Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      556b1db4
    • Avinash Patil's avatar
      mwifiex: correct sleep delay counter · 107725a5
      Avinash Patil authored
      commit 3e7a4ff7 upstream.
      
      Maximum delay for waking up card is 50 ms. Because of typo in
      counter, this delay goes to 500ms. This patch fixes the bug.
      Signed-off-by: default avatarAvinash Patil <patila@marvell.com>
      Signed-off-by: default avatarAmitkumar Karwar <akarwar@marvell.com>
      Signed-off-by: default avatarYogesh Ashok Powar <yogeshp@marvell.com>
      Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      107725a5
    • Johannes Berg's avatar
      iwlwifi: always copy first 16 bytes of commands · 0ad547e7
      Johannes Berg authored
      commit 8a964f44 upstream.
      
      The FH hardware will always write back to the scratch field
      in commands, even host commands not just TX commands, which
      can overwrite parts of the command. This is problematic if
      the command is re-used (with IWL_HCMD_DFL_NOCOPY) and can
      cause calibration issues.
      
      Address this problem by always putting at least the first
      16 bytes into the buffer we also use for the command header
      and therefore make the DMA engine write back into this.
      
      For commands that are smaller than 16 bytes also always map
      enough memory for the DMA engine to write back to.
      Reviewed-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0ad547e7
    • Rusty Russell's avatar
      hw_random: make buffer usable in scatterlist. · ea967e9c
      Rusty Russell authored
      commit f7f154f1 upstream.
      
      virtio_rng feeds the randomness buffer handed by the core directly
      into the scatterlist, since commit bb347d98.
      
      However, if CONFIG_HW_RANDOM=m, the static buffer isn't a linear address
      (at least on most archs).  We could fix this in virtio_rng, but it's actually
      far easier to just do it in the core as virtio_rng would have to allocate
      a buffer every time (it doesn't know how much the core will want to read).
      Reported-by: default avatarAurelien Jarno <aurelien@aurel32.net>
      Tested-by: default avatarAurelien Jarno <aurelien@aurel32.net>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ea967e9c
    • Weston Andros Adamson's avatar
      NFSv4.1: Hold reference to layout hdr in layoutget · 216e4186
      Weston Andros Adamson authored
      commit a47970ff upstream.
      
      This fixes an oops where a LAYOUTGET is in still in the rpciod queue,
      but the requesting processes has been killed.  Without this, killing
      the process does the final pnfs_put_layout_hdr() and sets NFS_I(inode)->layout
      to NULL while the LAYOUTGET rpc task still references it.
      
      Example oops:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
      IP: [<ffffffffa01bd586>] pnfs_choose_layoutget_stateid+0x37/0xef [nfsv4]
      PGD 7365b067 PUD 7365d067 PMD 0
      Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
      Modules linked in: nfs_layout_nfsv41_files nfsv4 auth_rpcgss nfs lockd sunrpc ipt_MASQUERADE ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat nf_nat_ipv4 nf_nat iptable_mangle ip6table_filter ip6_tables ppdev e1000 i2c_piix4 i2c_core shpchp parport_pc parport crc32c_intel aesni_intel xts aes_x86_64 lrw gf128mul ablk_helper cryptd mptspi scsi_transport_spi mptscsih mptbase floppy autofs4
      CPU 0
      Pid: 27, comm: kworker/0:1 Not tainted 3.8.0-dros_cthon2013+ #4 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
      RIP: 0010:[<ffffffffa01bd586>]  [<ffffffffa01bd586>] pnfs_choose_layoutget_stateid+0x37/0xef [nfsv4]
      RSP: 0018:ffff88007b0c1c88  EFLAGS: 00010246
      RAX: ffff88006ed36678 RBX: 0000000000000000 RCX: 0000000ea877e3bc
      RDX: ffff88007a729da8 RSI: 0000000000000000 RDI: ffff88007a72b958
      RBP: ffff88007b0c1ca8 R08: 0000000000000002 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff88007a72b958
      R13: ffff88007a729da8 R14: 0000000000000000 R15: ffffffffa011077e
      FS:  0000000000000000(0000) GS:ffff88007f600000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000080 CR3: 00000000735f8000 CR4: 00000000001407f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process kworker/0:1 (pid: 27, threadinfo ffff88007b0c0000, task ffff88007c2fa0c0)
      Stack:
       ffff88006fc05388 ffff88007a72b908 ffff88007b240900 ffff88006fc05388
       ffff88007b0c1cd8 ffffffffa01a2170 ffff88007b240900 ffff88007b240900
       ffff88007b240970 ffffffffa011077e ffff88007b0c1ce8 ffffffffa0110791
      Call Trace:
       [<ffffffffa01a2170>] nfs4_layoutget_prepare+0x7b/0x92 [nfsv4]
       [<ffffffffa011077e>] ? __rpc_atrun+0x15/0x15 [sunrpc]
       [<ffffffffa0110791>] rpc_prepare_task+0x13/0x15 [sunrpc]
      Reported-by: default avatarTigran Mkrtchyan <tigran.mkrtchyan@desy.de>
      Signed-off-by: default avatarWeston Andros Adamson <dros@netapp.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      216e4186
    • Benny Halevy's avatar
      pnfs: fix resend_to_mds for directio · a6b9a1d3
      Benny Halevy authored
      commit 78f33277 upstream.
      
      Pass the directio request on pageio_init to clean up the API.
      
      Percolate pg_dreq from original nfs_pageio_descriptor to the
      pnfs_{read,write}_done_resend_to_mds and use it on respective
      call to nfs_pageio_init_{read,write} on the newly created
      nfs_pageio_descriptor.
      
      Reproduced by command:
       mount -o vers=4.1 server:/ /mnt
       dd bs=128k count=8 if=/dev/zero of=/mnt/dd.out oflag=direct
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
      IP: [<ffffffffa021a3a8>] atomic_inc+0x4/0x9 [nfs]
      PGD 34786067 PUD 34794067 PMD 0
      Oops: 0002 [#1] SMP
      Modules linked in: nfs_layout_nfsv41_files nfsv4 nfs nfsd lockd nfs_acl auth_rpcgss exportfs sunrpc btrfs zlib_deflate libcrc32c ipv6 autofs4
      CPU 1
      Pid: 259, comm: kworker/1:2 Not tainted 3.8.0-rc6 #2 Bochs Bochs
      RIP: 0010:[<ffffffffa021a3a8>]  [<ffffffffa021a3a8>] atomic_inc+0x4/0x9 [nfs]
      RSP: 0018:ffff880038f8fa68  EFLAGS: 00010206
      RAX: ffffffffa021a6a9 RBX: ffff880038f8fb48 RCX: 00000000000a0000
      RDX: ffffffffa021e616 RSI: ffff8800385e9a40 RDI: 0000000000000028
      RBP: ffff880038f8fa68 R08: ffffffff81ad6720 R09: ffff8800385e9510
      R10: ffffffffa0228450 R11: ffff880038e87418 R12: ffff8800385e9a40
      R13: ffff8800385e9a70 R14: ffff880038f8fb38 R15: ffffffffa0148878
      FS:  0000000000000000(0000) GS:ffff88003e400000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 0000000000000028 CR3: 0000000034789000 CR4: 00000000000006e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process kworker/1:2 (pid: 259, threadinfo ffff880038f8e000, task ffff880038302480)
      Stack:
       ffff880038f8fa78 ffffffffa021a6bf ffff880038f8fa88 ffffffffa021bb82
       ffff880038f8fae8 ffffffffa021f454 ffff880038f8fae8 ffffffff8109689d
       ffff880038f8fab8 ffffffff00000006 0000000000000000 ffff880038f8fb48
      Call Trace:
       [<ffffffffa021a6bf>] nfs_direct_pgio_init+0x16/0x18 [nfs]
       [<ffffffffa021bb82>] nfs_pgheader_init+0x6a/0x6c [nfs]
       [<ffffffffa021f454>] nfs_generic_pg_writepages+0x51/0xf8 [nfs]
       [<ffffffff8109689d>] ? mark_held_locks+0x71/0x99
       [<ffffffffa0148878>] ? rpc_release_resources_task+0x37/0x37 [sunrpc]
       [<ffffffffa021bc25>] nfs_pageio_doio+0x1a/0x43 [nfs]
       [<ffffffffa021be7c>] nfs_pageio_complete+0x16/0x2c [nfs]
       [<ffffffffa02608be>] pnfs_write_done_resend_to_mds+0x95/0xc5 [nfsv4]
       [<ffffffffa0148878>] ? rpc_release_resources_task+0x37/0x37 [sunrpc]
       [<ffffffffa028e27f>] filelayout_reset_write+0x8c/0x99 [nfs_layout_nfsv41_files]
       [<ffffffffa028e5f9>] filelayout_write_done_cb+0x4d/0xc1 [nfs_layout_nfsv41_files]
       [<ffffffffa024587a>] nfs4_write_done+0x36/0x49 [nfsv4]
       [<ffffffffa021f996>] nfs_writeback_done+0x53/0x1cc [nfs]
       [<ffffffffa021fb1d>] nfs_writeback_done_common+0xe/0x10 [nfs]
       [<ffffffffa028e03d>] filelayout_write_call_done+0x28/0x2a [nfs_layout_nfsv41_files]
       [<ffffffffa01488a1>] rpc_exit_task+0x29/0x87 [sunrpc]
       [<ffffffffa014a0c9>] __rpc_execute+0x11d/0x3cc [sunrpc]
       [<ffffffff810969dc>] ? trace_hardirqs_on_caller+0x117/0x173
       [<ffffffffa014a39f>] rpc_async_schedule+0x27/0x32 [sunrpc]
       [<ffffffffa014a378>] ? __rpc_execute+0x3cc/0x3cc [sunrpc]
       [<ffffffff8105f8c1>] process_one_work+0x226/0x422
       [<ffffffff8105f7f4>] ? process_one_work+0x159/0x422
       [<ffffffff81094757>] ? lock_acquired+0x210/0x249
       [<ffffffffa014a378>] ? __rpc_execute+0x3cc/0x3cc [sunrpc]
       [<ffffffff810600d8>] worker_thread+0x126/0x1c4
       [<ffffffff8105ffb2>] ? manage_workers+0x240/0x240
       [<ffffffff81064ef8>] kthread+0xb1/0xb9
       [<ffffffff81064e47>] ? __kthread_parkme+0x65/0x65
       [<ffffffff815206ec>] ret_from_fork+0x7c/0xb0
       [<ffffffff81064e47>] ? __kthread_parkme+0x65/0x65
      Code: 00 83 38 02 74 12 48 81 4b 50 00 00 01 00 c7 83 60 07 00 00 01 00 00 00 48 89 df e8 55 fe ff ff 5b 41 5c 5d c3 66 90 55 48 89 e5 <f0> ff 07 5d c3 55 48 89 e5 f0 ff 0f 0f 94 c0 84 c0 0f 95 c0 0f
      RIP  [<ffffffffa021a3a8>] atomic_inc+0x4/0x9 [nfs]
       RSP <ffff880038f8fa68>
      CR2: 0000000000000028
      Signed-off-by: default avatarBenny Halevy <bhalevy@tonian.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a6b9a1d3
    • Trond Myklebust's avatar
      SUNRPC: Don't start the retransmission timer when out of socket space · f1c0d40a
      Trond Myklebust authored
      commit a9a6b52e upstream.
      
      If the socket is full, we're better off just waiting until it empties,
      or until the connection is broken. The reason why we generally don't
      want to time out is that the call to xprt->ops->release_xprt() will
      trigger a connection reset, which isn't helpful...
      
      Let's make an exception for soft RPC calls, since they have to provide
      timeout guarantees.
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f1c0d40a
    • Trond Myklebust's avatar
      NFS: Don't allow NFS silly-renamed files to be deleted, no signal · 8a14f843
      Trond Myklebust authored
      commit 5a7a613a upstream.
      
      Commit 73ca1001 broke the code that prevents the client from deleting
      a silly renamed dentry.  This affected "delete on last close"
      semantics as after that commit, nothing prevented removal of
      silly-renamed files.  As a result, a process holding a file open
      could easily get an ESTALE on the file in a directory where some
      other process issued 'rm -rf some_dir_containing_the_file' twice.
      Before the commit, any attempt at unlinking silly renamed files would
      fail inside may_delete() with -EBUSY because of the
      DCACHE_NFSFS_RENAMED flag.  The following testcase demonstrates
      the problem:
        tail -f /nfsmnt/dir/file &
        rm -rf /nfsmnt/dir
        rm -rf /nfsmnt/dir
        # second removal does not fail, 'tail' process receives ESTALE
      
      The problem with the above commit is that it unhashes the old and
      new dentries from the lookup path, even in the normal case when
      a signal is not encountered and it would have been safe to call
      d_move.  Unfortunately the old dentry has the special
      DCACHE_NFSFS_RENAMED flag set on it.  Unhashing has the
      side-effect that future lookups call d_alloc(), allocating a new
      dentry without the special flag for any silly-renamed files.  As a
      result, subsequent calls to unlink silly renamed files do not fail
      but allow the removal to go through.  This will result in ESTALE
      errors for any other process doing operations on the file.
      
      To fix this, go back to using d_move on success.
      For the signal case, it's unclear what we may safely do beyond d_drop.
      Reported-by: default avatarDave Wysochanski <dwysocha@redhat.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Acked-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8a14f843
    • Mikulas Patocka's avatar
      dm snapshot: add missing module aliases · 9de98532
      Mikulas Patocka authored
      commit 23cb2109 upstream.
      
      Add module aliases so that autoloading works correctly if the user
      tries to activate "snapshot-origin" or "snapshot-merge" targets.
      
      Reference: https://bugzilla.redhat.com/889973Reported-by: default avatarChao Yang <chyang@redhat.com>
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9de98532
    • Mike Christie's avatar
      dm: fix limits initialization when there are no data devices · 6d2c84a0
      Mike Christie authored
      commit 87eb5b21 upstream.
      
      dm_calculate_queue_limits will first reset the provided limits to
      defaults using blk_set_stacking_limits; whereby defeating the purpose of
      retaining the original live table's limits -- as was intended via commit
      3ae70656 ("dm: retain table limits when
      swapping to new table with no devices").
      
      Fix this improper limits initialization (in the no data devices case) by
      avoiding the call to dm_calculate_queue_limits.
      
      [patch header revised by Mike Snitzer]
      Signed-off-by: default avatarMike Christie <michaelc@cs.wisc.edu>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6d2c84a0
    • Jun'ichi Nomura's avatar
      dm: do not replace bioset for request based dm · f7ed89f0
      Jun'ichi Nomura authored
      commit 16245bdc upstream.
      
      This patch fixes a regression introduced in v3.8, which causes oops
      like this when dm-multipath is used:
      
      general protection fault: 0000 [#1] SMP
      RIP: 0010:[<ffffffff810fe754>]  [<ffffffff810fe754>] mempool_free+0x24/0xb0
      Call Trace:
        <IRQ>
        [<ffffffff81187417>] bio_put+0x97/0xc0
        [<ffffffffa02247a5>] end_clone_bio+0x35/0x90 [dm_mod]
        [<ffffffff81185efd>] bio_endio+0x1d/0x30
        [<ffffffff811f03a3>] req_bio_endio.isra.51+0xa3/0xe0
        [<ffffffff811f2f68>] blk_update_request+0x118/0x520
        [<ffffffff811f3397>] blk_update_bidi_request+0x27/0xa0
        [<ffffffff811f343c>] blk_end_bidi_request+0x2c/0x80
        [<ffffffff811f34d0>] blk_end_request+0x10/0x20
        [<ffffffffa000b32b>] scsi_io_completion+0xfb/0x6c0 [scsi_mod]
        [<ffffffffa000107d>] scsi_finish_command+0xbd/0x120 [scsi_mod]
        [<ffffffffa000b12f>] scsi_softirq_done+0x13f/0x160 [scsi_mod]
        [<ffffffff811f9fd0>] blk_done_softirq+0x80/0xa0
        [<ffffffff81044551>] __do_softirq+0xf1/0x250
        [<ffffffff8142ee8c>] call_softirq+0x1c/0x30
        [<ffffffff8100420d>] do_softirq+0x8d/0xc0
        [<ffffffff81044885>] irq_exit+0xd5/0xe0
        [<ffffffff8142f3e3>] do_IRQ+0x63/0xe0
        [<ffffffff814257af>] common_interrupt+0x6f/0x6f
        <EOI>
        [<ffffffffa021737c>] srp_queuecommand+0x8c/0xcb0 [ib_srp]
        [<ffffffffa0002f18>] scsi_dispatch_cmd+0x148/0x310 [scsi_mod]
        [<ffffffffa000a38e>] scsi_request_fn+0x31e/0x520 [scsi_mod]
        [<ffffffff811f1e57>] __blk_run_queue+0x37/0x50
        [<ffffffff811f1f69>] blk_delay_work+0x29/0x40
        [<ffffffff81059003>] process_one_work+0x1c3/0x5c0
        [<ffffffff8105b22e>] worker_thread+0x15e/0x440
        [<ffffffff8106164b>] kthread+0xdb/0xe0
        [<ffffffff8142db9c>] ret_from_fork+0x7c/0xb0
      
      The regression was introduced by the change
      c0820cf5 "dm: introduce per_bio_data", where dm started to replace
      bioset during table replacement.
      For bio-based dm, it is good because clone bios do not exist during the
      table replacement.
      For request-based dm, however, (not-yet-mapped) clone bios may stay in
      request queue and survive during the table replacement.
      So freeing the old bioset could cause the oops in bio_put().
      
      Since the size of front_pad may change only with bio-based dm,
      it is not necessary to replace bioset for request-based dm.
      Reported-by: default avatarBart Van Assche <bvanassche@acm.org>
      Tested-by: default avatarBart Van Assche <bvanassche@acm.org>
      Signed-off-by: default avatarJun'ichi Nomura <j-nomura@ce.jp.nec.com>
      Acked-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Acked-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f7ed89f0
    • Mikulas Patocka's avatar
      dm: fix truncated status strings · a9317072
      Mikulas Patocka authored
      commit fd7c092e upstream.
      
      Avoid returning a truncated table or status string instead of setting
      the DM_BUFFER_FULL_FLAG when the last target of a table fills the
      buffer.
      
      When processing a table or status request, the function retrieve_status
      calls ti->type->status. If ti->type->status returns non-zero,
      retrieve_status assumes that the buffer overflowed and sets
      DM_BUFFER_FULL_FLAG.
      
      However, targets don't return non-zero values from their status method
      on overflow. Most targets returns always zero.
      
      If a buffer overflow happens in a target that is not the last in the
      table, it gets noticed during the next iteration of the loop in
      retrieve_status; but if a buffer overflow happens in the last target, it
      goes unnoticed and erroneously truncated data is returned.
      
      In the current code, the targets behave in the following way:
      * dm-crypt returns -ENOMEM if there is not enough space to store the
        key, but it returns 0 on all other overflows.
      * dm-thin returns errors from the status method if a disk error happened.
        This is incorrect because retrieve_status doesn't check the error
        code, it assumes that all non-zero values mean buffer overflow.
      * all the other targets always return 0.
      
      This patch changes the ti->type->status function to return void (because
      most targets don't use the return code). Overflow is detected in
      retrieve_status: if the status method fills up the remaining space
      completely, it is assumed that buffer overflow happened.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a9317072
    • Jeff Layton's avatar
      cifs: ensure that cifs_get_root() only traverses directories · ceab37b0
      Jeff Layton authored
      commit ce2ac521 upstream.
      
      Kjell Braden reported this oops:
      
      [  833.211970] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [  833.212816] IP: [<          (null)>]           (null)
      [  833.213280] PGD 1b9b2067 PUD e9f7067 PMD 0
      [  833.213874] Oops: 0010 [#1] SMP
      [  833.214344] CPU 0
      [  833.214458] Modules linked in: des_generic md4 nls_utf8 cifs vboxvideo drm snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq bnep rfcomm snd_timer bluetooth snd_seq_device ppdev snd vboxguest parport_pc joydev mac_hid soundcore snd_page_alloc psmouse i2c_piix4 serio_raw lp parport usbhid hid e1000
      [  833.215629]
      [  833.215629] Pid: 1752, comm: mount.cifs Not tainted 3.0.0-rc7-bisectcifs-fec11dd9+ #18 innotek GmbH VirtualBox/VirtualBox
      [  833.215629] RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
      [  833.215629] RSP: 0018:ffff8800119c9c50  EFLAGS: 00010282
      [  833.215629] RAX: ffffffffa02186c0 RBX: ffff88000c427780 RCX: 0000000000000000
      [  833.215629] RDX: 0000000000000000 RSI: ffff88000c427780 RDI: ffff88000c4362e8
      [  833.215629] RBP: ffff8800119c9c88 R08: ffff88001fc15e30 R09: 00000000d69515c7
      [  833.215629] R10: ffffffffa0201972 R11: ffff88000e8f6a28 R12: ffff88000c4362e8
      [  833.215629] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88001181aaa6
      [  833.215629] FS:  00007f2986171700(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000
      [  833.215629] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  833.215629] CR2: 0000000000000000 CR3: 000000001b982000 CR4: 00000000000006f0
      [  833.215629] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  833.215629] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [  833.215629] Process mount.cifs (pid: 1752, threadinfo ffff8800119c8000, task ffff88001c1c16f0)
      [  833.215629] Stack:
      [  833.215629]  ffffffff8116a9b5 ffff8800119c9c88 ffffffff81178075 0000000000000286
      [  833.215629]  0000000000000000 ffff88000c4276c0 ffff8800119c9ce8 ffff8800119c9cc8
      [  833.215629]  ffffffff8116b06e ffff88001bc6fc00 ffff88000c4276c0 ffff88000c4276c0
      [  833.215629] Call Trace:
      [  833.215629]  [<ffffffff8116a9b5>] ? d_alloc_and_lookup+0x45/0x90
      [  833.215629]  [<ffffffff81178075>] ? d_lookup+0x35/0x60
      [  833.215629]  [<ffffffff8116b06e>] __lookup_hash.part.14+0x9e/0xc0
      [  833.215629]  [<ffffffff8116b1d6>] lookup_one_len+0x146/0x1e0
      [  833.215629]  [<ffffffff815e4f7e>] ? _raw_spin_lock+0xe/0x20
      [  833.215629]  [<ffffffffa01eef0d>] cifs_do_mount+0x26d/0x500 [cifs]
      [  833.215629]  [<ffffffff81163bd3>] mount_fs+0x43/0x1b0
      [  833.215629]  [<ffffffff8117d41a>] vfs_kern_mount+0x6a/0xd0
      [  833.215629]  [<ffffffff8117e584>] do_kern_mount+0x54/0x110
      [  833.215629]  [<ffffffff8117fdc2>] do_mount+0x262/0x840
      [  833.215629]  [<ffffffff81108a0e>] ? __get_free_pages+0xe/0x50
      [  833.215629]  [<ffffffff8117f9ca>] ? copy_mount_options+0x3a/0x180
      [  833.215629]  [<ffffffff8118075d>] sys_mount+0x8d/0xe0
      [  833.215629]  [<ffffffff815ece82>] system_call_fastpath+0x16/0x1b
      [  833.215629] Code:  Bad RIP value.
      [  833.215629] RIP  [<          (null)>]           (null)
      [  833.215629]  RSP <ffff8800119c9c50>
      [  833.215629] CR2: 0000000000000000
      [  833.238525] ---[ end trace ec00758b8d44f529 ]---
      
      When walking down the path on the server, it's possible to hit a
      symlink. The path walking code assumes that the caller will handle that
      situation properly, but cifs_get_root() isn't set up for it. This patch
      prevents the oops by simply returning an error.
      
      A better solution would be to try and chase the symlinks here, but that's
      fairly complicated to handle.
      
      Fixes:
      
          https://bugzilla.kernel.org/show_bug.cgi?id=53221Reported-and-tested-by: default avatarKjell Braden <afflux@pentabarf.de>
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ceab37b0
    • Josef Bacik's avatar
      Btrfs: delete inline extents when we find them during logging · 53fc95ea
      Josef Bacik authored
      commit 124fe663 upstream.
      
      Apparently when we do inline extents we allow the data to overlap the last chunk
      of the btrfs_file_extent_item, which means that we can possibly have a
      btrfs_file_extent_item that isn't actually as large as a btrfs_file_extent_item.
      This messes with us when we try to overwrite the extent when logging new extents
      since we expect for it to be the right size.  To fix this just delete the item
      and try to do the insert again which will give us the proper sized
      btrfs_file_extent_item.  This fixes a panic where map_private_extent_buffer
      would blow up because we're trying to write past the end of the leaf.  Thanks,
      Signed-off-by: default avatarJosef Bacik <jbacik@fusionio.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      53fc95ea
    • Josef Bacik's avatar
      Btrfs: copy everything if we've created an inline extent · 0a8c4b4e
      Josef Bacik authored
      commit bdc20e67 upstream.
      
      I noticed while looking into a tree logging bug that we aren't logging inline
      extents properly.  Since this requires copying and it shouldn't happen too often
      just force us to copy everything for the inode into the tree log when we have an
      inline extent.  With this patch we have valid data after a crash when we write
      an inline extent.  Thanks,
      Signed-off-by: default avatarJosef Bacik <jbacik@fusionio.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0a8c4b4e
    • Thomas Gleixner's avatar
      btrfs: Init io_lock after cloning btrfs device struct · 9cf12597
      Thomas Gleixner authored
      commit 1cba0cdf upstream.
      
      __btrfs_close_devices() clones btrfs device structs with
      memcpy(). Some of the fields in the clone are reinitialized, but it's
      missing to init io_lock. In mainline this goes unnoticed, but on RT it
      leaves the plist pointing to the original about to be freed lock
      struct.
      
      Initialize io_lock after cloning, so no references to the original
      struct are left.
      Reported-and-tested-by: default avatarMike Galbraith <efault@gmx.de>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarChris Mason <chris.mason@fusionio.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9cf12597
    • Lukas Czerner's avatar
      ext4: convert number of blocks to clusters properly · a4352d7e
      Lukas Czerner authored
      commit 810da240 upstream.
      
      We're using macro EXT4_B2C() to convert number of blocks to number of
      clusters for bigalloc file systems.  However, we should be using
      EXT4_NUM_B2C().
      Signed-off-by: default avatarLukas Czerner <lczerner@redhat.com>
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a4352d7e
    • Nicholas Bellinger's avatar
      iscsi-target: Fix immediate queue starvation regression with DATAIN · f8d5ba6c
      Nicholas Bellinger authored
      commit fd3a9025 upstream.
      
      This patch addresses a v3.5+ regression in iscsi-target where TX thread
      process context -> handle_response_queue() execution is allowed to run
      unbounded while servicing constant outgoing flow of ISTATE_SEND_DATAIN
      response state.
      
      This ends up preventing memory release of StatSN acknowledged commands
      in a timely manner when under heavy large block streaming DATAIN
      workloads.
      
      The regression bug was initially introduced with:
      
      commit 6f3c0e69
      Author: Andy Grover <agrover@redhat.com>
      Date:   Tue Apr 3 15:51:09 2012 -0700
      
          target/iscsi: Refactor target_tx_thread immediate+response queue loops
      
      Go ahead and follow original iscsi_target_tx_thread() logic and check
      to break for immediate queue processing after each DataIN Sequence and/or
      Response PDU has been sent.
      Reported-by: default avatarBenjamin ESTRABAUD <be@mpstor.com>
      Cc: Andy Grover <agrover@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8d5ba6c
    • Asias He's avatar
      target/pscsi: Fix page increment · 50909650
      Asias He authored
      commit 472b72f2 upstream.
      
      The page++ is wrong. It makes bio_add_pc_page() pointing to a wrong page
      address if the 'while (len > 0 && data_len > 0) { ... }' loop is
      executed more than one once.
      Signed-off-by: default avatarAsias He <asias@redhat.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      50909650
    • K. Y. Srinivasan's avatar
      SCSI: storvsc: Initialize the sglist · f8b16d21
      K. Y. Srinivasan authored
      commit 9d2696e6 upstream.
      
      Properly initialize scatterlist before using it.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8b16d21
    • Dan Carpenter's avatar
      SCSI: dc395x: uninitialized variable in device_alloc() · 3221f151
      Dan Carpenter authored
      commit 208afec4 upstream.
      
      This bug was introduced back in bitkeeper days in 2003.  We use
      "dcb->dev_mode" before it has been initialized.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarOliver Neukum <oliver@neukum.org>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3221f151
    • Mattia Dongili's avatar
      sony-laptop: fully enable SNY controlled modems · fddc34f9
      Mattia Dongili authored
      commit 3ec1c398 upstream.
      
      The call to handlers 0x124 and 0x135 (rfkill control) seems to take a
      bitmask to control various states of the device. For our rfkill we need
      a fully on/off. SVZ1311Z9R/X's LTE modem needs more bits up.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=47751Signed-off-by: default avatarMattia Dongili <malattia@linux.it>
      Signed-off-by: default avatarMatthew Garrett <matthew.garrett@nebula.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fddc34f9
    • Takahisa Tanaka's avatar
      watchdog: sp5100_tco: Write back the original value to reserved bits, instead of zero · 5f60f421
      Takahisa Tanaka authored
      commit 41adafbd upstream.
      
      In case of SP5100 or SB7x0 chipsets, the sp5100_tco module writes zero to
      reserved bits. The module, however, shouldn't depend on specific default
      value, and should perform a read-merge-write operation for the reserved
      bits.
      
      This patch makes the sp5100_tco module perform a read-merge-write operation
      on all the chipset (sp5100, sb7x0, sb8x0 or later).
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=43176Signed-off-by: default avatarTakahisa Tanaka <mc74hc00@gmail.com>
      Tested-by: default avatarPaul Menzel <paulepanter@users.sourceforge.net>
      Signed-off-by: default avatarWim Van Sebroeck <wim@iguana.be>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5f60f421
    • Takahisa Tanaka's avatar
      watchdog: sp5100_tco: Fix wrong indirect I/O access for getting value of reserved bits · cc3edac7
      Takahisa Tanaka authored
      commit 10ab329b upstream.
      
      In case of SB800 or later chipset and re-programming MMIO address(*),
      sp5100_tco module may read incorrect value of reserved bit, because the module
      reads a value from an incorrect I/O address. However, this bug doesn't cause
      a problem, because when re-programming MMIO address, by chance the module
      writes zero (this is BIOS's default value) to the low three bits of register.
      * In most cases, PC with SB8x0 or later chipset doesn't need to re-programming
        MMIO address, because such PC can enable AcpiMmio and can use 0xfed80b00 for
        watchdog register base address.
      
      This patch fixes this bug.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=43176Signed-off-by: default avatarTakahisa Tanaka <mc74hc00@gmail.com>
      Tested-by: default avatarPaul Menzel <paulepanter@users.sourceforge.net>
      Signed-off-by: default avatarWim Van Sebroeck <wim@iguana.be>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cc3edac7
    • Randy Dunlap's avatar
      watchdog: da9055_wdt needs to select WATCHDOG_CORE · f328def5
      Randy Dunlap authored
      commit 12a5c05c upstream.
      
      DA9055_WATCHDOG (introduced in v3.8) needs to select WATCHDOG_CORE so that it will
      build cleanly.  Fixes these build errors:
      
      da9055_wdt.c:(.text+0xe9bc7): undefined reference to `watchdog_unregister_device'
      da9055_wdt.c:(.text+0xe9f4b): undefined reference to `watchdog_register_device'
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: David Dajun Chen <dchen@diasemi.com>
      Signed-off-by: default avatarWim Van Sebroeck <wim@iguana.be>
      Cc: linux-watchdog@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f328def5
    • Konrad Rzeszutek Wilk's avatar
      xen/pci: We don't do multiple MSI's. · ee74fecf
      Konrad Rzeszutek Wilk authored
      commit 884ac297 upstream.
      
      There is no hypercall to setup multiple MSI per PCI device.
      As such with these two new commits:
      -  08261d87
         PCI/MSI: Enable multiple MSIs with pci_enable_msi_block_auto()
      - 5ca72c4f
         AHCI: Support multiple MSIs
      
      we would call the PHYSDEVOP_map_pirq 'nvec' times with the same
      contents of the PCI device. Sander discovered that we would get
      the same PIRQ value 'nvec' times and return said values to the
      caller. That of course meant that the device was configured only
      with one MSI and AHCI would fail with:
      
      ahci 0000:00:11.0: version 3.0
      xen: registering gsi 19 triggering 0 polarity 1
      xen: --> pirq=19 -> irq=19 (gsi=19)
      (XEN) [2013-02-27 19:43:07] IOAPIC[0]: Set PCI routing entry (6-19 -> 0x99 -> IRQ 19 Mode:1 Active:1)
      ahci 0000:00:11.0: AHCI 0001.0200 32 slots 4 ports 6 Gbps 0xf impl SATA mode
      ahci 0000:00:11.0: flags: 64bit ncq sntf ilck pm led clo pmp pio slum part
      ahci: probe of 0000:00:11.0 failed with error -22
      
      That is b/c in ahci_host_activate the second call to
      devm_request_threaded_irq  would return -EINVAL as we passed in
      (on the second run) an IRQ that was never initialized.
      Reported-and-Tested-by: default avatarSander Eikelenboom <linux@eikelenboom.it>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ee74fecf
    • Konrad Rzeszutek Wilk's avatar
      xen/pat: Disable PAT using pat_enabled value. · ca47ff97
      Konrad Rzeszutek Wilk authored
      commit c79c4982 upstream.
      
      The git commit 8eaffa67
      (xen/pat: Disable PAT support for now) explains in details why
      we want to disable PAT for right now. However that
      change was not enough and we should have also disabled
      the pat_enabled value. Otherwise we end up with:
      
      mmap-example:3481 map pfn expected mapping type write-back for
      [mem 0x00010000-0x00010fff], got uncached-minus
       ------------[ cut here ]------------
      WARNING: at /build/buildd/linux-3.8.0/arch/x86/mm/pat.c:774 untrack_pfn+0xb8/0xd0()
      mem 0x00010000-0x00010fff], got uncached-minus
      ------------[ cut here ]------------
      WARNING: at /build/buildd/linux-3.8.0/arch/x86/mm/pat.c:774
      untrack_pfn+0xb8/0xd0()
      ...
      Pid: 3481, comm: mmap-example Tainted: GF 3.8.0-6-generic #13-Ubuntu
      Call Trace:
       [<ffffffff8105879f>] warn_slowpath_common+0x7f/0xc0
       [<ffffffff810587fa>] warn_slowpath_null+0x1a/0x20
       [<ffffffff8104bcc8>] untrack_pfn+0xb8/0xd0
       [<ffffffff81156c1c>] unmap_single_vma+0xac/0x100
       [<ffffffff81157459>] unmap_vmas+0x49/0x90
       [<ffffffff8115f808>] exit_mmap+0x98/0x170
       [<ffffffff810559a4>] mmput+0x64/0x100
       [<ffffffff810560f5>] dup_mm+0x445/0x660
       [<ffffffff81056d9f>] copy_process.part.22+0xa5f/0x1510
       [<ffffffff81057931>] do_fork+0x91/0x350
       [<ffffffff81057c76>] sys_clone+0x16/0x20
       [<ffffffff816ccbf9>] stub_clone+0x69/0x90
       [<ffffffff816cc89d>] ? system_call_fastpath+0x1a/0x1f
      ---[ end trace 4918cdd0a4c9fea4 ]---
      
      (a similar message shows up if you end up launching 'mcelog')
      
      The call chain is (as analyzed by Liu, Jinsong):
      do_fork
        --> copy_process
          --> dup_mm
            --> dup_mmap
             	--> copy_page_range
                --> track_pfn_copy
                  --> reserve_pfn_range
                    --> line 624: flags != want_flags
      It comes from different memory types of page table (_PAGE_CACHE_WB) and MTRR
      (_PAGE_CACHE_UC_MINUS).
      
      Stefan Bader dug in this deep and found out that:
      "That makes it clearer as this will do
      
      reserve_memtype(...)
      --> pat_x_mtrr_type
        --> mtrr_type_lookup
          --> __mtrr_type_lookup
      
      And that can return -1/0xff in case of MTRR not being enabled/initialized. Which
      is not the case (given there are no messages for it in dmesg). This is not equal
      to MTRR_TYPE_WRBACK and thus becomes _PAGE_CACHE_UC_MINUS.
      
      It looks like the problem starts early in reserve_memtype:
      
             	if (!pat_enabled) {
                      /* This is identical to page table setting without PAT */
                      if (new_type) {
                              if (req_type == _PAGE_CACHE_WC)
                                      *new_type = _PAGE_CACHE_UC_MINUS;
                              else
                                     	*new_type = req_type & _PAGE_CACHE_MASK;
                     	}
                      return 0;
              }
      
      This would be what we want, that is clearing the PWT and PCD flags from the
      supported flags - if pat_enabled is disabled."
      
      This patch does that - disabling PAT.
      Reported-by: default avatarSander Eikelenboom <linux@eikelenboom.it>
      Reported-and-Tested-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Reported-and-Tested-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ca47ff97
    • Steven Noonan's avatar
      xenbus: fix compile failure on ARM with Xen enabled · a1c9ea40
      Steven Noonan authored
      commit 45e27161 upstream.
      
      Adding an include of linux/mm.h resolves this:
      	drivers/xen/xenbus/xenbus_client.c: In function ‘xenbus_map_ring_valloc_hvm’:
      	drivers/xen/xenbus/xenbus_client.c:532:66: error: implicit declaration of function ‘page_to_section’ [-Werror=implicit-function-declaration]
      Signed-off-by: default avatarSteven Noonan <steven@uplinklabs.net>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a1c9ea40