1. 04 Dec, 2013 19 commits
  2. 29 Nov, 2013 21 commits
    • Greg Kroah-Hartman's avatar
      Linux 3.4.71 · 71ea1738
      Greg Kroah-Hartman authored
      71ea1738
    • Mauro Carvalho Chehab's avatar
      cris: media platform drivers: fix build · 778409c6
      Mauro Carvalho Chehab authored
      commit 72a0c557 upstream.
      
      On cris arch, the functions below aren't defined:
      
        drivers/media/platform/sh_veu.c: In function 'sh_veu_reg_read':
      
        drivers/media/platform/sh_veu.c:228:2: error: implicit declaration of function 'ioread32' [-Werror=implicit-function-declaration]
        drivers/media/platform/sh_veu.c: In function 'sh_veu_reg_write':
      
        drivers/media/platform/sh_veu.c:234:2: error: implicit declaration of function 'iowrite32' [-Werror=implicit-function-declaration]
        drivers/media/platform/vsp1/vsp1.h: In function 'vsp1_read':
        drivers/media/platform/vsp1/vsp1.h:66:2: error: implicit declaration of function 'ioread32' [-Werror=implicit-function-declaration]
        drivers/media/platform/vsp1/vsp1.h: In function 'vsp1_write':
        drivers/media/platform/vsp1/vsp1.h:71:2: error: implicit declaration of function 'iowrite32' [-Werror=implicit-function-declaration]
        drivers/media/platform/vsp1/vsp1.h: In function 'vsp1_read':
        drivers/media/platform/vsp1/vsp1.h:66:2: error: implicit declaration of function 'ioread32' [-Werror=implicit-function-declaration]
        drivers/media/platform/vsp1/vsp1.h: In function 'vsp1_write':
        drivers/media/platform/vsp1/vsp1.h:71:2: error: implicit declaration of function 'iowrite32' [-Werror=implicit-function-declaration]
        drivers/media/platform/soc_camera/rcar_vin.c: In function 'rcar_vin_setup':
        drivers/media/platform/soc_camera/rcar_vin.c:284:3: error: implicit declaration of function 'iowrite32' [-Werror=implicit-function-declaration]
      
        drivers/media/platform/soc_camera/rcar_vin.c: In function 'rcar_vin_request_capture_stop':
        drivers/media/platform/soc_camera/rcar_vin.c:353:2: error: implicit declaration of function 'ioread32' [-Werror=implicit-function-declaration]
      
      Yet, they're available, as CONFIG_GENERIC_IOMAP is defined.  What happens
      is that asm/io.h was not including asm-generic/iomap.h.
      Suggested-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarMauro Carvalho Chehab <m.chehab@samsung.com>
      Cc: Mikael Starvik <starvik@axis.com>
      Cc: Jesper Nilsson <jesper.nilsson@axis.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      778409c6
    • Junxiao Bi's avatar
      configfs: fix race between dentry put and lookup · b4db55f3
      Junxiao Bi authored
      commit 76ae281f upstream.
      
      A race window in configfs, it starts from one dentry is UNHASHED and end
      before configfs_d_iput is called.  In this window, if a lookup happen,
      since the original dentry was UNHASHED, so a new dentry will be
      allocated, and then in configfs_attach_attr(), sd->s_dentry will be
      updated to the new dentry.  Then in configfs_d_iput(),
      BUG_ON(sd->s_dentry != dentry) will be triggered and system panic.
      
      sys_open:                     sys_close:
       ...                           fput
                                      dput
                                       dentry_kill
                                        __d_drop <--- dentry unhashed here,
                                                 but sd->dentry still point
                                                 to this dentry.
      
       lookup_real
        configfs_lookup
         configfs_attach_attr---> update sd->s_dentry
                                  to new allocated dentry here.
      
                                         d_kill
                                           configfs_d_iput <--- BUG_ON(sd->s_dentry != dentry)
                                                           triggered here.
      
      To fix it, change configfs_d_iput to not update sd->s_dentry if
      sd->s_count > 2, that means there are another dentry is using the sd
      beside the one that is going to be put.  Use configfs_dirent_lock in
      configfs_attach_attr to sync with configfs_d_iput.
      
      With the following steps, you can reproduce the bug.
      
      1. enable ocfs2, this will mount configfs at /sys/kernel/config and
         fill configure in it.
      
      2. run the following script.
      	while [ 1 ]; do cat /sys/kernel/config/cluster/$your_cluster_name/idle_timeout_ms > /dev/null; done &
      	while [ 1 ]; do cat /sys/kernel/config/cluster/$your_cluster_name/idle_timeout_ms > /dev/null; done &
      Signed-off-by: default avatarJunxiao Bi <junxiao.bi@oracle.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b4db55f3
    • Stanislaw Gruszka's avatar
      rt2800usb: slow down TX status polling · f087a3e5
      Stanislaw Gruszka authored
      commit 36165fd5 upstream.
      
      Polling TX statuses too frequently has two negative effects. First is
      randomly peek CPU usage, causing overall system functioning delays.
      Second bad effect is that device is not able to fill TX statuses in
      H/W register on some workloads and we get lot of timeouts like below:
      
      ieee80211 phy4: rt2800usb_entry_txstatus_timeout: Warning - TX status timeout for entry 7 in queue 2
      ieee80211 phy4: rt2800usb_entry_txstatus_timeout: Warning - TX status timeout for entry 7 in queue 2
      ieee80211 phy4: rt2800usb_txdone: Warning - Got TX status for an empty queue 2, dropping
      
      This not only cause flood of messages in dmesg, but also bad throughput,
      since rate scaling algorithm can not work optimally.
      
      In the future, we should probably make polling interval be adjusted
      automatically, but for now just increase values, this make mentioned
      problems gone.
      
      Resolve:
      https://bugzilla.kernel.org/show_bug.cgi?id=62781Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f087a3e5
    • Trond Myklebust's avatar
      SUNRPC: Fix a data corruption issue when retransmitting RPC calls · 53c620ea
      Trond Myklebust authored
      commit a6b31d18 upstream.
      
      The following scenario can cause silent data corruption when doing
      NFS writes. It has mainly been observed when doing database writes
      using O_DIRECT.
      
      1) The RPC client uses sendpage() to do zero-copy of the page data.
      2) Due to networking issues, the reply from the server is delayed,
         and so the RPC client times out.
      
      3) The client issues a second sendpage of the page data as part of
         an RPC call retransmission.
      
      4) The reply to the first transmission arrives from the server
         _before_ the client hardware has emptied the TCP socket send
         buffer.
      5) After processing the reply, the RPC state machine rules that
         the call to be done, and triggers the completion callbacks.
      6) The application notices the RPC call is done, and reuses the
         pages to store something else (e.g. a new write).
      
      7) The client NIC drains the TCP socket send buffer. Since the
         page data has now changed, it reads a corrupted version of the
         initial RPC call, and puts it on the wire.
      
      This patch fixes the problem in the following manner:
      
      The ordering guarantees of TCP ensure that when the server sends a
      reply, then we know that the _first_ transmission has completed. Using
      zero-copy in that situation is therefore safe.
      If a time out occurs, we then send the retransmission using sendmsg()
      (i.e. no zero-copy), We then know that the socket contains a full copy of
      the data, and so it will retransmit a faithful reproduction even if the
      RPC call completes, and the application reuses the O_DIRECT buffer in
      the meantime.
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      53c620ea
    • Michael Neuling's avatar
      powerpc/signals: Mark VSX not saved with small contexts · 6beceb76
      Michael Neuling authored
      commit c13f20ac upstream.
      
      The VSX MSR bit in the user context indicates if the context contains VSX
      state.  Currently we set this when the process has touched VSX at any stage.
      
      Unfortunately, if the user has not provided enough space to save the VSX state,
      we can't save it but we currently still set the MSR VSX bit.
      
      This patch changes this to clear the MSR VSX bit when the user doesn't provide
      enough space.  This indicates that there is no valid VSX state in the user
      context.
      
      This is needed to support get/set/make/swapcontext for applications that use
      VSX but only provide a small context.  For example, getcontext in glibc
      provides a smaller context since the VSX registers don't need to be saved over
      the glibc function call.  But since the program calling getcontext may have
      used VSX, the kernel currently says the VSX state is valid when it's not.  If
      the returned context is then used in setcontext (ie. a small context without
      VSX but with MSR VSX set), the kernel will refuse the context.  This situation
      has been reported by the glibc community.
      
      Based on patch from Carlos O'Donell.
      Tested-by: default avatarHaren Myneni <haren@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6beceb76
    • Gavin Shan's avatar
      powerpc/powernv: Add PE to its own PELTV · b745b007
      Gavin Shan authored
      commit 631ad691 upstream.
      
      We need add PE to its own PELTV. Otherwise, the errors originated
      from the PE might contribute to other PEs. In the result, we can't
      clear up the error successfully even we're checking and clearing
      errors during access to PCI config space.
      
      Reported-by: kalshett@in.ibm.com
      Signed-off-by: default avatarGavin Shan <shangw@linux.vnet.ibm.com>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b745b007
    • Prarit Bhargava's avatar
      powerpc/vio: use strcpy in modalias_show · 49aa69fe
      Prarit Bhargava authored
      commit 411cabf7 upstream.
      
      Commit e82b89a6 used strcat instead of
      strcpy which can result in an overflow of newlines on the buffer.
      
      Signed-off-by: Prarit Bhargava
      Cc: benh@kernel.crashing.org
      Cc: ben@decadent.org.uk
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      49aa69fe
    • Mike Snitzer's avatar
      block: properly stack underlying max_segment_size to DM device · 80132799
      Mike Snitzer authored
      commit d82ae52e upstream.
      
      Without this patch all DM devices will default to BLK_MAX_SEGMENT_SIZE
      (65536) even if the underlying device(s) have a larger value -- this is
      due to blk_stack_limits() using min_not_zero() when stacking the
      max_segment_size limit.
      
      1073741824
      
      before patch:
      65536
      
      after patch:
      1073741824
      Reported-by: default avatarLukasz Flis <l.flis@cyfronet.pl>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      80132799
    • Mikulas Patocka's avatar
      block: fix a probe argument to blk_register_region · 82b80fae
      Mikulas Patocka authored
      commit a207f593 upstream.
      
      The probe function is supposed to return NULL on failure (as we can see in
      kobj_lookup: kobj = probe(dev, index, data); ... if (kobj) return kobj;
      
      However, in loop and brd, it returns negative error from ERR_PTR.
      
      This causes a crash if we simulate disk allocation failure and run
      less -f /dev/loop0 because the negative number is interpreted as a pointer:
      
      BUG: unable to handle kernel NULL pointer dereference at 00000000000002b4
      IP: [<ffffffff8118b188>] __blkdev_get+0x28/0x450
      PGD 23c677067 PUD 23d6d1067 PMD 0
      Oops: 0000 [#1] PREEMPT SMP
      Modules linked in: loop hpfs nvidia(PO) ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev msr ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_stats cpufreq_ondemand cpufreq_userspace cpufreq_powersave cpufreq_conservative hid_generic spadfs usbhid hid fuse raid0 snd_usb_audio snd_pcm_oss snd_mixer_oss md_mod snd_pcm snd_timer snd_page_alloc snd_hwdep snd_usbmidi_lib dmi_sysfs snd_rawmidi nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack snd soundcore lm85 hwmon_vid ohci_hcd ehci_pci ehci_hcd serverworks sata_svw libata acpi_cpufreq freq_table mperf ide_core usbcore kvm_amd kvm tg3 i2c_piix4 libphy microcode e100 usb_common ptp skge i2c_core pcspkr k10temp evdev floppy hwmon pps_core mii rtc_cmos button processor unix [last unloaded: nvidia]
      CPU: 1 PID: 6831 Comm: less Tainted: P        W  O 3.10.15-devel #18
      Hardware name: empty empty/S3992-E, BIOS 'V1.06   ' 06/09/2009
      task: ffff880203cc6bc0 ti: ffff88023e47c000 task.ti: ffff88023e47c000
      RIP: 0010:[<ffffffff8118b188>]  [<ffffffff8118b188>] __blkdev_get+0x28/0x450
      RSP: 0018:ffff88023e47dbd8  EFLAGS: 00010286
      RAX: ffffffffffffff74 RBX: ffffffffffffff74 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
      RBP: ffff88023e47dc18 R08: 0000000000000002 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff88023f519658
      R13: ffffffff8118c300 R14: 0000000000000000 R15: ffff88023f519640
      FS:  00007f2070bf7700(0000) GS:ffff880247400000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000000002b4 CR3: 000000023da1d000 CR4: 00000000000007e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Stack:
       0000000000000002 0000001d00000000 000000003e47dc50 ffff88023f519640
       ffff88043d5bb668 ffffffff8118c300 ffff88023d683550 ffff88023e47de60
       ffff88023e47dc98 ffffffff8118c10d 0000001d81605698 0000000000000292
      Call Trace:
       [<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60
       [<ffffffff8118c10d>] blkdev_get+0x1dd/0x370
       [<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60
       [<ffffffff813cea6c>] ? _raw_spin_unlock+0x2c/0x50
       [<ffffffff8118c300>] ? blkdev_get_by_dev+0x60/0x60
       [<ffffffff8118c365>] blkdev_open+0x65/0x80
       [<ffffffff8114d12e>] do_dentry_open.isra.18+0x23e/0x2f0
       [<ffffffff8114d214>] finish_open+0x34/0x50
       [<ffffffff8115e122>] do_last.isra.62+0x2d2/0xc50
       [<ffffffff8115eb58>] path_openat.isra.63+0xb8/0x4d0
       [<ffffffff81115a8e>] ? might_fault+0x4e/0xa0
       [<ffffffff8115f4f0>] do_filp_open+0x40/0x90
       [<ffffffff813cea6c>] ? _raw_spin_unlock+0x2c/0x50
       [<ffffffff8116db85>] ? __alloc_fd+0xa5/0x1f0
       [<ffffffff8114e45f>] do_sys_open+0xef/0x1d0
       [<ffffffff8114e559>] SyS_open+0x19/0x20
       [<ffffffff813cff16>] system_call_fastpath+0x1a/0x1f
      Code: 44 00 00 55 48 89 e5 41 57 49 89 ff 41 56 41 89 d6 41 55 41 54 4c 8d 67 18 53 48 83 ec 18 89 75 cc e9 f2 00 00 00 0f 1f 44 00 00 <48> 8b 80 40 03 00 00 48 89 df 4c 8b 68 58 e8 d5
      a4 07 00 44 89
      RIP  [<ffffffff8118b188>] __blkdev_get+0x28/0x450
       RSP <ffff88023e47dbd8>
      CR2: 00000000000002b4
      ---[ end trace bb7f32dbf02398dc ]---
      
      The brd change should be backported to stable kernels starting with 2.6.25.
      The loop change should be backported to stable kernels starting with 2.6.22.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      82b80fae
    • Jeff Moyer's avatar
      block: fix race between request completion and timeout handling · 5413d6c0
      Jeff Moyer authored
      commit 4912aa6c upstream.
      
      crocode i2c_i801 i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma dca be2net sg ses enclosure ext4 mbcache jbd2 sd_mod crc_t10dif ahci megaraid_sas(U) dm_mirror dm_region_hash dm_log dm_mod [last unloaded: scsi_wait_scan]
      
      Pid: 491, comm: scsi_eh_0 Tainted: G        W  ----------------   2.6.32-220.13.1.el6.x86_64 #1 IBM  -[8722PAX]-/00D1461
      RIP: 0010:[<ffffffff8124e424>]  [<ffffffff8124e424>] blk_requeue_request+0x94/0xa0
      RSP: 0018:ffff881057eefd60  EFLAGS: 00010012
      RAX: ffff881d99e3e8a8 RBX: ffff881d99e3e780 RCX: ffff881d99e3e8a8
      RDX: ffff881d99e3e8a8 RSI: ffff881d99e3e780 RDI: ffff881d99e3e780
      RBP: ffff881057eefd80 R08: ffff881057eefe90 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff881057f92338
      R13: 0000000000000000 R14: ffff881057f92338 R15: ffff883058188000
      FS:  0000000000000000(0000) GS:ffff880040200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
      CR2: 00000000006d3ec0 CR3: 000000302cd7d000 CR4: 00000000000406b0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process scsi_eh_0 (pid: 491, threadinfo ffff881057eee000, task ffff881057e29540)
      Stack:
       0000000000001057 0000000000000286 ffff8810275efdc0 ffff881057f16000
      <0> ffff881057eefdd0 ffffffff81362323 ffff881057eefe20 ffffffff8135f393
      <0> ffff881057e29af8 ffff8810275efdc0 ffff881057eefe78 ffff881057eefe90
      Call Trace:
       [<ffffffff81362323>] __scsi_queue_insert+0xa3/0x150
       [<ffffffff8135f393>] ? scsi_eh_ready_devs+0x5e3/0x850
       [<ffffffff81362a23>] scsi_queue_insert+0x13/0x20
       [<ffffffff8135e4d4>] scsi_eh_flush_done_q+0x104/0x160
       [<ffffffff8135fb6b>] scsi_error_handler+0x35b/0x660
       [<ffffffff8135f810>] ? scsi_error_handler+0x0/0x660
       [<ffffffff810908c6>] kthread+0x96/0xa0
       [<ffffffff8100c14a>] child_rip+0xa/0x20
       [<ffffffff81090830>] ? kthread+0x0/0xa0
       [<ffffffff8100c140>] ? child_rip+0x0/0x20
      Code: 00 00 eb d1 4c 8b 2d 3c 8f 97 00 4d 85 ed 74 bf 49 8b 45 00 49 83 c5 08 48 89 de 4c 89 e7 ff d0 49 8b 45 00 48 85 c0 75 eb eb a4 <0f> 0b eb fe 0f 1f 84 00 00 00 00 00 55 48 89 e5 0f 1f 44 00 00
      RIP  [<ffffffff8124e424>] blk_requeue_request+0x94/0xa0
       RSP <ffff881057eefd60>
      
      The RIP is this line:
              BUG_ON(blk_queued_rq(rq));
      
      After digging through the code, I think there may be a race between the
      request completion and the timer handler running.
      
      A timer is started for each request put on the device's queue (see
      blk_start_request->blk_add_timer).  If the request does not complete
      before the timer expires, the timer handler (blk_rq_timed_out_timer)
      will mark the request complete atomically:
      
      static inline int blk_mark_rq_complete(struct request *rq)
      {
              return test_and_set_bit(REQ_ATOM_COMPLETE, &rq->atomic_flags);
      }
      
      and then call blk_rq_timed_out.  The latter function will call
      scsi_times_out, which will return one of BLK_EH_HANDLED,
      BLK_EH_RESET_TIMER or BLK_EH_NOT_HANDLED.  If BLK_EH_RESET_TIMER is
      returned, blk_clear_rq_complete is called, and blk_add_timer is again
      called to simply wait longer for the request to complete.
      
      Now, if the request happens to complete while this is going on, what
      happens?  Given that we know the completion handler will bail if it
      finds the REQ_ATOM_COMPLETE bit set, we need to focus on the completion
      handler running after that bit is cleared.  So, from the above
      paragraph, after the call to blk_clear_rq_complete.  If the completion
      sets REQ_ATOM_COMPLETE before the BUG_ON in blk_add_timer, we go boom
      there (I haven't seen this in the cores).  Next, if we get the
      completion before the call to list_add_tail, then the timer will
      eventually fire for an old req, which may either be freed or reallocated
      (there is evidence that this might be the case).  Finally, if the
      completion comes in *after* the addition to the timeout list, I think
      it's harmless.  The request will be removed from the timeout list,
      req_atom_complete will be set, and all will be well.
      
      This will only actually explain the coredumps *IF* the request
      structure was freed, reallocated *and* queued before the error handler
      thread had a chance to process it.  That is possible, but it may make
      sense to keep digging for another race.  I think that if this is what
      was happening, we would see other instances of this problem showing up
      as null pointer or garbage pointer dereferences, for example when the
      request structure was not re-used.  It looks like we actually do run
      into that situation in other reports.
      
      This patch moves the BUG_ON(test_bit(REQ_ATOM_COMPLETE,
      &req->atomic_flags)); from blk_add_timer to the only caller that could
      trip over it (blk_start_request).  It then inverts the calls to
      blk_clear_rq_complete and blk_add_timer in blk_rq_timed_out to address
      the race.  I've boot tested this patch, but nothing more.
      Signed-off-by: default avatarJeff Moyer <jmoyer@redhat.com>
      Acked-by: default avatarHannes Reinecke <hare@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5413d6c0
    • Guenter Roeck's avatar
      hwmon: (lm90) Fix max6696 alarm handling · cf359232
      Guenter Roeck authored
      commit e41fae2b upstream.
      
      Bit 2 of status register 2 on MAX6696 (external diode 2 open)
      sets ALERT; the bit thus has to be listed in alert_alarms.
      Also display a message in the alert handler if the condition
      is encountered.
      
      Even though not all overtemperature conditions cause ALERT
      to be set, we should not ignore them in the alert handler.
      Display messages for all out-of-range conditions.
      Reported-by: default avatarJean Delvare <khali@linux-fr.org>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarJean Delvare <khali@linux-fr.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf359232
    • Thomas Renninger's avatar
      x86/microcode/amd: Tone down printk(), don't treat a missing firmware file as an error · b227aa81
      Thomas Renninger authored
      commit 11f918d3 upstream.
      
      Do it the same way as done in microcode_intel.c: use pr_debug()
      for missing firmware files.
      
      There seem to be CPUs out there for which no microcode update
      has been submitted to kernel-firmware repo yet resulting in
      scary sounding error messages in dmesg:
      
        microcode: failed to load file amd-ucode/microcode_amd_fam16h.bin
      Signed-off-by: default avatarThomas Renninger <trenn@suse.de>
      Acked-by: default avatarBorislav Petkov <bp@suse.de>
      Link: http://lkml.kernel.org/r/1384274383-43510-1-git-send-email-trenn@suse.deSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b227aa81
    • Christoph Hellwig's avatar
      nfsd: make sure to balance get/put_write_access · 107bb3cc
      Christoph Hellwig authored
      commit 987da479 upstream.
      
      Use a straight goto error label style in nfsd_setattr to make sure
      we always do the put_write_access call after we got it earlier.
      
      Note that the we have been failing to do that in the case
      nfsd_break_lease() returns an error, a bug introduced into 2.6.38 with
      6a76bebe "nfsd4: break lease on nfsd
      setattr".
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      107bb3cc
    • Christoph Hellwig's avatar
      nfsd: split up nfsd_setattr · 6ee4fd26
      Christoph Hellwig authored
      commit 818e5a22 upstream.
      
      Split out two helpers to make the code more readable and easier to verify
      for correctness.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ee4fd26
    • Trond Myklebust's avatar
      NFSv4: Fix a use-after-free situation in _nfs4_proc_getlk() · 1ac50b94
      Trond Myklebust authored
      commit a6f951dd upstream.
      
      In nfs4_proc_getlk(), when some error causes a retry of the call to
      _nfs4_proc_getlk(), we can end up with Oopses of the form
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000134
       IP: [<ffffffff8165270e>] _raw_spin_lock+0xe/0x30
      <snip>
       Call Trace:
        [<ffffffff812f287d>] _atomic_dec_and_lock+0x4d/0x70
        [<ffffffffa053c4f2>] nfs4_put_lock_state+0x32/0xb0 [nfsv4]
        [<ffffffffa053c585>] nfs4_fl_release_lock+0x15/0x20 [nfsv4]
        [<ffffffffa0522c06>] _nfs4_proc_getlk.isra.40+0x146/0x170 [nfsv4]
        [<ffffffffa052ad99>] nfs4_proc_lock+0x399/0x5a0 [nfsv4]
      
      The problem is that we don't clear the request->fl_ops after the first
      try and so when we retry, nfs4_set_lock_state() exits early without
      setting the lock stateid.
      Regression introduced by commit 70cc6487
      (locks: make ->lock release private data before returning in GETLK case)
      Reported-by: default avatarWeston Andros Adamson <dros@netapp.com>
      Reported-by: default avatarJorge Mora <mora@netapp.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1ac50b94
    • Takashi Iwai's avatar
      ALSA: msnd: Avoid duplicated driver name · eaea722e
      Takashi Iwai authored
      commit 092f9cd1 upstream.
      
      msnd_pinnacle.c is used for both snd-msnd-pinnacle and
      snd-msnd-classic drivers, and both should have different driver
      names.  Using the same driver name results in the sysfs warning for
      duplicated entries like
       kobject: 'msnd-pinnacle.7' (cec33408): kobject_release, parent   (null) (delayed)
       kobject: 'msnd-pinnacle' (cecd4980): kobject_release, parent cf3ad9b0 (delayed)
       ------------[ cut here ]------------
       WARNING: CPU: 0 PID: 1 at fs/sysfs/dir.c:486 sysfs_warn_dup+0x7d/0xa0()
       sysfs: cannot create duplicate filename '/bus/isa/drivers/msnd-pinnacle'
       ......
      Reported-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eaea722e
    • Takashi Iwai's avatar
      ALSA: 6fire: Fix probe of multiple cards · 1b443352
      Takashi Iwai authored
      commit 9b389a8a upstream.
      
      The probe code of snd-usb-6fire driver overrides the devices[] pointer
      wrongly without checking whether it's already occupied or not.  This
      would screw up the device disconnection later.
      
      Spotted by coverity CID 141423.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b443352
    • Kees Cook's avatar
      exec/ptrace: fix get_dumpable() incorrect tests · c0d30628
      Kees Cook authored
      commit d049f74f upstream.
      
      The get_dumpable() return value is not boolean.  Most users of the
      function actually want to be testing for non-SUID_DUMP_USER(1) rather than
      SUID_DUMP_DISABLE(0).  The SUID_DUMP_ROOT(2) is also considered a
      protected state.  Almost all places did this correctly, excepting the two
      places fixed in this patch.
      
      Wrong logic:
          if (dumpable == SUID_DUMP_DISABLE) { /* be protective */ }
              or
          if (dumpable == 0) { /* be protective */ }
              or
          if (!dumpable) { /* be protective */ }
      
      Correct logic:
          if (dumpable != SUID_DUMP_USER) { /* be protective */ }
              or
          if (dumpable != 1) { /* be protective */ }
      
      Without this patch, if the system had set the sysctl fs/suid_dumpable=2, a
      user was able to ptrace attach to processes that had dropped privileges to
      that user.  (This may have been partially mitigated if Yama was enabled.)
      
      The macros have been moved into the file that declares get/set_dumpable(),
      which means things like the ia64 code can see them too.
      
      CVE-2013-2929
      Reported-by: default avatarVasily Kulikov <segoon@openwall.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Cc: "Luck, Tony" <tony.luck@intel.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c0d30628
    • Mimi Zohar's avatar
      Revert "ima: policy for RAMFS" · 7288f91d
      Mimi Zohar authored
      commit 08de59eb upstream.
      
      This reverts commit 4c2c3927.
      
      Everything in the initramfs should be measured and appraised,
      but until the initramfs has extended attribute support, at
      least measured.
      Signed-off-by: default avatarMimi Zohar <zohar@us.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7288f91d
    • Stanislaw Gruszka's avatar
      rt2x00: check if device is still available on rt2x00mac_flush() · 7eebf56b
      Stanislaw Gruszka authored
      commit 5671ab05 upstream.
      
      Fix random kernel panic with below messages when remove dongle.
      
      [ 2212.355447] BUG: unable to handle kernel NULL pointer dereference at 0000000000000250
      [ 2212.355527] IP: [<ffffffffa02667f2>] rt2x00usb_kick_tx_entry+0x12/0x160 [rt2x00usb]
      [ 2212.355599] PGD 0
      [ 2212.355626] Oops: 0000 [#1] SMP
      [ 2212.355664] Modules linked in: rt2800usb rt2x00usb rt2800lib crc_ccitt rt2x00lib mac80211 cfg80211 tun arc4 fuse rfcomm bnep snd_hda_codec_realtek snd_hda_intel snd_hda_codec btusb uvcvideo bluetooth snd_hwdep x86_pkg_temp_thermal snd_seq coretemp aesni_intel aes_x86_64 snd_seq_device glue_helper snd_pcm ablk_helper videobuf2_vmalloc sdhci_pci videobuf2_memops videobuf2_core sdhci videodev mmc_core serio_raw snd_page_alloc microcode i2c_i801 snd_timer hid_multitouch thinkpad_acpi lpc_ich mfd_core snd tpm_tis wmi tpm tpm_bios soundcore acpi_cpufreq i915 i2c_algo_bit drm_kms_helper drm i2c_core video [last unloaded: cfg80211]
      [ 2212.356224] CPU: 0 PID: 34 Comm: khubd Not tainted 3.12.0-rc3-wl+ #3
      [ 2212.356268] Hardware name: LENOVO 3444CUU/3444CUU, BIOS G6ET93WW (2.53 ) 02/04/2013
      [ 2212.356319] task: ffff880212f687c0 ti: ffff880212f66000 task.ti: ffff880212f66000
      [ 2212.356392] RIP: 0010:[<ffffffffa02667f2>]  [<ffffffffa02667f2>] rt2x00usb_kick_tx_entry+0x12/0x160 [rt2x00usb]
      [ 2212.356481] RSP: 0018:ffff880212f67750  EFLAGS: 00010202
      [ 2212.356519] RAX: 000000000000000c RBX: 000000000000000c RCX: 0000000000000293
      [ 2212.356568] RDX: ffff8801f4dc219a RSI: 0000000000000000 RDI: 0000000000000240
      [ 2212.356617] RBP: ffff880212f67778 R08: ffffffffa02667e0 R09: 0000000000000002
      [ 2212.356665] R10: 0001f95254ab4b40 R11: ffff880212f675be R12: ffff8801f4dc2150
      [ 2212.356712] R13: 0000000000000000 R14: ffffffffa02667e0 R15: 000000000000000d
      [ 2212.356761] FS:  0000000000000000(0000) GS:ffff88021e200000(0000) knlGS:0000000000000000
      [ 2212.356813] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2212.356852] CR2: 0000000000000250 CR3: 0000000001a0c000 CR4: 00000000001407f0
      [ 2212.356899] Stack:
      [ 2212.356917]  000000000000000c ffff8801f4dc2150 0000000000000000 ffffffffa02667e0
      [ 2212.356980]  000000000000000d ffff880212f677b8 ffffffffa03a31ad ffff8801f4dc219a
      [ 2212.357038]  ffff8801f4dc2150 0000000000000000 ffff8800b93217a0 ffff8801f49bc800
      [ 2212.357099] Call Trace:
      [ 2212.357122]  [<ffffffffa02667e0>] ? rt2x00usb_interrupt_txdone+0x90/0x90 [rt2x00usb]
      [ 2212.357174]  [<ffffffffa03a31ad>] rt2x00queue_for_each_entry+0xed/0x170 [rt2x00lib]
      [ 2212.357244]  [<ffffffffa026701c>] rt2x00usb_kick_queue+0x5c/0x60 [rt2x00usb]
      [ 2212.357314]  [<ffffffffa03a3682>] rt2x00queue_flush_queue+0x62/0xa0 [rt2x00lib]
      [ 2212.357386]  [<ffffffffa03a2930>] rt2x00mac_flush+0x30/0x70 [rt2x00lib]
      [ 2212.357470]  [<ffffffffa04edded>] ieee80211_flush_queues+0xbd/0x140 [mac80211]
      [ 2212.357555]  [<ffffffffa0502e52>] ieee80211_set_disassoc+0x2d2/0x3d0 [mac80211]
      [ 2212.357645]  [<ffffffffa0506da3>] ieee80211_mgd_deauth+0x1d3/0x240 [mac80211]
      [ 2212.357718]  [<ffffffff8108b17c>] ? try_to_wake_up+0xec/0x290
      [ 2212.357788]  [<ffffffffa04dbd18>] ieee80211_deauth+0x18/0x20 [mac80211]
      [ 2212.357872]  [<ffffffffa0418ddc>] cfg80211_mlme_deauth+0x9c/0x140 [cfg80211]
      [ 2212.357913]  [<ffffffffa041907c>] cfg80211_mlme_down+0x5c/0x60 [cfg80211]
      [ 2212.357962]  [<ffffffffa041cd18>] cfg80211_disconnect+0x188/0x1a0 [cfg80211]
      [ 2212.358014]  [<ffffffffa04013bc>] ? __cfg80211_stop_sched_scan+0x1c/0x130 [cfg80211]
      [ 2212.358067]  [<ffffffffa03f8954>] cfg80211_leave+0xc4/0xe0 [cfg80211]
      [ 2212.358124]  [<ffffffffa03f8d1b>] cfg80211_netdev_notifier_call+0x3ab/0x5e0 [cfg80211]
      [ 2212.358177]  [<ffffffff815140f8>] ? inetdev_event+0x38/0x510
      [ 2212.358217]  [<ffffffff81085a94>] ? __wake_up+0x44/0x50
      [ 2212.358254]  [<ffffffff8155995c>] notifier_call_chain+0x4c/0x70
      [ 2212.358293]  [<ffffffff81081156>] raw_notifier_call_chain+0x16/0x20
      [ 2212.358361]  [<ffffffff814b6dd5>] call_netdevice_notifiers_info+0x35/0x60
      [ 2212.358429]  [<ffffffff814b6ec9>] __dev_close_many+0x49/0xd0
      [ 2212.358487]  [<ffffffff814b7028>] dev_close_many+0x88/0x100
      [ 2212.358546]  [<ffffffff814b8150>] rollback_registered_many+0xb0/0x220
      [ 2212.358612]  [<ffffffff814b8319>] unregister_netdevice_many+0x19/0x60
      [ 2212.358694]  [<ffffffffa04d8eb2>] ieee80211_remove_interfaces+0x112/0x190 [mac80211]
      [ 2212.358791]  [<ffffffffa04c585f>] ieee80211_unregister_hw+0x4f/0x100 [mac80211]
      [ 2212.361994]  [<ffffffffa03a1221>] rt2x00lib_remove_dev+0x161/0x1a0 [rt2x00lib]
      [ 2212.365240]  [<ffffffffa0266e2e>] rt2x00usb_disconnect+0x2e/0x70 [rt2x00usb]
      [ 2212.368470]  [<ffffffff81419ce4>] usb_unbind_interface+0x64/0x1c0
      [ 2212.371734]  [<ffffffff813b446f>] __device_release_driver+0x7f/0xf0
      [ 2212.374999]  [<ffffffff813b4503>] device_release_driver+0x23/0x30
      [ 2212.378131]  [<ffffffff813b3c98>] bus_remove_device+0x108/0x180
      [ 2212.381358]  [<ffffffff813b0565>] device_del+0x135/0x1d0
      [ 2212.384454]  [<ffffffff81417760>] usb_disable_device+0xb0/0x270
      [ 2212.387451]  [<ffffffff8140d9cd>] usb_disconnect+0xad/0x1d0
      [ 2212.390294]  [<ffffffff8140f6cd>] hub_thread+0x63d/0x1660
      [ 2212.393034]  [<ffffffff8107c860>] ? wake_up_atomic_t+0x30/0x30
      [ 2212.395728]  [<ffffffff8140f090>] ? hub_port_debounce+0x130/0x130
      [ 2212.398412]  [<ffffffff8107baa0>] kthread+0xc0/0xd0
      [ 2212.401058]  [<ffffffff8107b9e0>] ? insert_kthread_work+0x40/0x40
      [ 2212.403639]  [<ffffffff8155de3c>] ret_from_fork+0x7c/0xb0
      [ 2212.406193]  [<ffffffff8107b9e0>] ? insert_kthread_work+0x40/0x40
      [ 2212.408732] Code: 24 58 08 00 00 bf 80 00 00 00 e8 3a c3 e0 e0 5b 41 5c 5d c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 <48> 8b 47 10 48 89 fb 4c 8b 6f 28 4c 8b 20 49 8b 04 24 4c 8b 30
      [ 2212.414671] RIP  [<ffffffffa02667f2>] rt2x00usb_kick_tx_entry+0x12/0x160 [rt2x00usb]
      [ 2212.417646]  RSP <ffff880212f67750>
      [ 2212.420547] CR2: 0000000000000250
      [ 2212.441024] ---[ end trace 5442918f33832bce ]---
      Signed-off-by: default avatarStanislaw Gruszka <stf_xl@wp.pl>
      Acked-by: default avatarHelmut Schaa <helmut.schaa@googlemail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7eebf56b