1. 06 Feb, 2013 13 commits
    • Mark Brown's avatar
      ASoC: wm5100: Remove DSP B and left justified formats · 336c24e2
      Mark Brown authored
      commit 5f960294 upstream.
      
      These are not supported
      Signed-off-by: default avatarMark Brown <broonie@opensource.wolfsonmicro.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      336c24e2
    • Sarah Sharp's avatar
      xhci: Avoid "dead ports", add roothub port polling. · da4fa01c
      Sarah Sharp authored
      commit c52804a4 upstream.
      
      The USB core hub thread (khubd) is designed with external USB hubs in
      mind.  It expects that if a port status change bit is set, the hub will
      continue to send a notification through the hub status data transfer.
      Basically, it expects hub notifications to be level-triggered.
      
      The xHCI host controller is designed to be edge-triggered on the logical
      'OR' of all the port status change bits.  When all port status change
      bits are clear, and a new change bit is set, the xHC will generate a
      Port Status Change Event.  If another change bit is set in the same port
      status register before the first bit is cleared, it will not send
      another event.
      
      This means that the hub code may lose port status changes because of
      race conditions between clearing change bits.  The user sees this as a
      "dead port" that doesn't react to device connects.
      
      The fix is to turn on port polling whenever a new change bit is set.
      Once the USB core issues a hub status request that shows that no change
      bits are set in any USB ports, turn off port polling.
      
      We can't allow the USB core to poll the roothub for port events during
      host suspend because if the PCI host is in D3cold, the port registers
      will be all f's.  Instead, stop the port polling timer, and
      unconditionally restart it when the host resumes.  If there are no port
      change bits set after the resume, the first call to hub_status_data will
      disable polling.
      
      This patch should be backported to stable kernels with the first xHCI
      support, 2.6.31 and newer, that include the commit
      0f2a7930 "USB: xhci: Root hub support."
      There will be merge conflicts because the check for HC_STATE_SUSPENDED
      was moved into xhci_suspend in 3.8.
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      da4fa01c
    • Sarah Sharp's avatar
      USB: Handle warm reset failure on empty port. · c135dc2e
      Sarah Sharp authored
      commit 65bdac5e upstream.
      
      An empty port can transition to either Inactive or Compliance Mode if a
      newly connected USB 3.0 device fails to link train.  In that case, we
      issue a warm reset.  Some devices, such as John's Roseweil eusb3
      enclosure, slip back into Compliance Mode after the warm reset.
      
      The current warm reset code does not check for device connect status on
      warm reset completion, and it incorrectly reports the warm reset
      succeeded.  This causes the USB core to attempt to send a Set Address
      control transfer to a port in Compliance Mode, which will always fail.
      
      Make hub_port_wait_reset check the current connect status and link state
      after the warm reset completes.  Return a failure status if the device
      is disconnected or the link state is Compliance Mode or SS.Inactive.
      
      Make hub_events disable the port if warm reset fails.  This will disable
      the port, and then bring it back into the RxDetect state.  Make the USB
      core ignore the connect change until the device reconnects.
      
      Note that this patch does NOT handle connected devices slipping into the
      Inactive state very well.  This is a concern, because devices can go
      into the Inactive state on U1/U2 exit failure.  However, the fix for
      that case is too large for stable, so it will be submitted in a separate
      patch.
      
      This patch should be backported to kernels as old as 3.2, contain the
      commit ID 75d7cf72 "usbcore: refine warm
      reset logic"
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarJohn Covici <covici@ccs.covici.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c135dc2e
    • Sarah Sharp's avatar
      USB: Ignore port state until reset completes. · 340eb6fe
      Sarah Sharp authored
      commit 4f43447e upstream.
      
      The port reset code bails out early if the current connect status is
      cleared (device disconnected).  If we're issuing a hot reset, it may
      also look at the link state before the reset is finished.
      
      Section 10.14.2.6 of the USB 3.0 spec says that when a port enters the
      Error state or Resetting state, the port connection bit retains the
      value from the previous state.  Therefore we can't trust it until the
      reset finishes.  Also, the xHCI spec section 4.19.1.2.5 says software
      shall ignore the link state while the port is resetting, as it can be in
      an unknown state.
      
      The port state during reset is also unknown for USB 2.0 hubs.  The hub
      sends a reset signal by driving the bus into an SE0 state.  This
      overwhelms the "connect" signal from the device, so the port can't tell
      whether anything is connected or not.
      
      Fix the port reset code to ignore the port link state and current
      connect bit until the reset finishes, and USB_PORT_STAT_RESET is
      cleared.
      
      Remove the check for USB_PORT_STAT_C_BH_RESET in the warm reset case,
      because it's redundant.  When the warm reset finishes, the port reset
      bit will be cleared at the same time USB_PORT_STAT_C_BH_RESET is set.
      Remove the now-redundant check for a cleared USB_PORT_STAT_RESET bit
      in the code to deal with the finished reset.
      
      This patch should be backported to all stable kernels.
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      340eb6fe
    • Sarah Sharp's avatar
      USB: Increase reset timeout. · fbac94c5
      Sarah Sharp authored
      commit 77c7f072 upstream.
      
      John's NEC 0.96 xHCI host controller needs a longer timeout for a warm
      reset to complete.  The logs show it takes 650ms to complete the warm
      reset, so extend the hub reset timeout to 800ms to be on the safe side.
      
      This commit should be backported to kernels as old as 3.2, that contain
      the commit 75d7cf72 "usbcore: refine
      warm reset logic".
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarJohn Covici <covici@ccs.covici.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      fbac94c5
    • Sarah Sharp's avatar
      USB: Allow USB 3.0 ports to be disabled. · 8f2c189d
      Sarah Sharp authored
      commit 41e7e056 upstream.
      
      If hot and warm reset fails, or a port remains in the Compliance Mode,
      the USB core needs to be able to disable a USB 3.0 port.  Unlike USB 2.0
      ports, once the port is placed into the Disabled link state, it will not
      report any new device connects.  To get device connect notifications, we
      need to put the link into the Disabled state, and then the RxDetect
      state.
      
      The xHCI driver needs to atomically clear all change bits on USB 3.0
      port disable, so that we get Port Status Change Events for future port
      changes.  We could technically do this in the USB core instead of in the
      xHCI roothub code, since the port state machine can't advance out of the
      disabled state until we set the link state to RxDetect.  However,
      external USB 3.0 hubs don't need this code.  They are level-triggered,
      not edge-triggered like xHCI, so they will continue to send interrupt
      events when any change bit is set.  Therefore it doesn't make sense to
      put this code in the USB core.
      
      This patch is part of a series to fix several reports of infinite loops
      on device enumeration failure.  This includes John, when he boots with
      a USB 3.0 device (Roseweil eusb3 enclosure) attached to his NEC 0.96
      host controller.  The fix requires warm reset support, so it does not
      make sense to backport this patch to stable kernels without warm reset
      support.
      
      This patch should be backported to kernels as old as 3.2, contain the
      commit ID 75d7cf72 "usbcore: refine warm
      reset logic"
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarJohn Covici <covici@ccs.covici.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8f2c189d
    • Sarah Sharp's avatar
      USB: Ignore xHCI Reset Device status. · 6cee667e
      Sarah Sharp authored
      commit 8b8132bc upstream.
      
      When the USB core finishes reseting a USB device, the xHCI driver sends
      a Reset Device command to the host.  The xHC then updates its internal
      representation of the USB device to the 'Default' device state.  If the
      device was already in the Default state, the xHC will complete the
      command with an error status.
      
      If a device needs to be reset several times during enumeration, the
      second reset will always fail because of the xHCI Reset Device command.
      This can cause issues during enumeration.
      
      For example, usb_reset_and_verify_device calls into hub_port_init in a
      loop.  Say that on the first call into hub_port_init, the device is
      successfully reset, but doesn't respond to several set address control
      transfers.  Then the port will be disabled, but the udev will remain in
      tact.  usb_reset_and_verify_device will call into hub_port_init again.
      
      On the second call into hub_port_init, the device will be reset, and the
      xHCI driver will issue a Reset Device command.  This command will fail
      (because the device is already in the Default state), and
      usb_reset_and_verify_device will fail.  The port will be disabled, and
      the device won't be able to enumerate.
      
      Fix this by ignoring the return value of the HCD reset_device callback.
      
      This commit should be backported to kernels as old as 3.2, that contain
      the commit 75d7cf72 "usbcore: refine
      warm reset logic".
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6cee667e
    • Sarah Sharp's avatar
      USB: Handle auto-transition from hot to warm reset. · 330a5270
      Sarah Sharp authored
      commit 1c7439c6 upstream.
      
      USB 3.0 hubs and roothubs will automatically transition a failed hot
      reset to a warm (BH) reset.  In that case, the warm reset change bit
      will be set, and the link state change bit may also be set.  Change
      hub_port_finish_reset to unconditionally clear those change bits for USB
      3.0 hubs.  If these bits are not cleared, we may lose port change events
      from the roothub.
      
      This commit should be backported to kernels as old as 3.2, that contain
      the commit 75d7cf72 "usbcore: refine
      warm reset logic".
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      330a5270
    • Sarah Sharp's avatar
      xhci: Handle HS bulk/ctrl endpoints that don't NAK. · 4a2b6c95
      Sarah Sharp authored
      commit 55c1945e upstream.
      
      A high speed control or bulk endpoint may have bInterval set to zero,
      which means it does not NAK.  If bInterval is non-zero, it means the
      endpoint NAKs at a rate of 2^(bInterval - 1).
      
      The xHCI code to compute the NAK interval does not handle the special
      case of zero properly.  The current code unconditionally subtracts one
      from bInterval and uses it as an exponent.  This causes a very large
      bInterval to be used, and warning messages like these will be printed:
      
      usb 1-1: ep 0x1 - rounding interval to 32768 microframes, ep desc says 0 microframes
      
      This may cause the xHCI host hardware to reject the Configure Endpoint
      command, which means the HS device will be unusable under xHCI ports.
      
      This patch should be backported to kernels as old as 2.6.31, that contain
      commit dfa49c4a "USB: xhci - fix math in
      xhci_get_endpoint_interval()".
      Reported-by: default avatarVincent Pelletier <plr.vincent@gmail.com>
      Suggested-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4a2b6c95
    • Johannes Berg's avatar
      mac80211: use del_timer_sync for final sta cleanup timer deletion · ac2c3982
      Johannes Berg authored
      commit a56f992c upstream.
      
      This is a very old bug, but there's nothing that prevents the
      timer from running while the module is being removed when we
      only do del_timer() instead of del_timer_sync().
      
      The timer should normally not be running at this point, but
      it's not clearly impossible (or we could just remove this.)
      Tested-by: default avatarBen Greear <greearb@candelatech.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ac2c3982
    • Alexander Graf's avatar
      virtio-blk: Don't free ida when disk is in use · 63dddb49
      Alexander Graf authored
      commit f4953fe6 upstream.
      
      When a file system is mounted on a virtio-blk disk, we then remove it
      and then reattach it, the reattached disk gets the same disk name and
      ids as the hot removed one.
      
      This leads to very nasty effects - mostly rendering the newly attached
      device completely unusable.
      
      Trying what happens when I do the same thing with a USB device, I saw
      that the sd node simply doesn't get free'd when a device gets forcefully
      removed.
      
      Imitate the same behavior for vd devices. This way broken vd devices
      simply are never free'd and newly attached ones keep working just fine.
      Signed-off-by: default avatarAlexander Graf <agraf@suse.de>
      Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      63dddb49
    • Sergei Shtylyov's avatar
      usb: musb: core: print new line in the driver banner again · 9d38cd59
      Sergei Shtylyov authored
      commit 2ac788f7 upstream.
      
      Commit 5c8a86e1 (usb: musb: drop unneeded
      musb_debug trickery) erroneously removed '\n' from the driver's banner.
      Concatenate all the banner substrings while adding it back...
      Signed-off-by: default avatarSergei Shtylyov <sshtylyov@ru.mvista.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9d38cd59
    • Sebastian Andrzej Siewior's avatar
      usb: gadget: dummy: fix enumeration with g_multi · 7cce8398
      Sebastian Andrzej Siewior authored
      commit 1d16638e upstream.
      
      If we do have endpoints named like "ep-a" then bEndpointAddress is
      counted internally by the gadget framework.
      
      If we do have endpoints named like "ep-1" then bEndpointAddress is
      assigned from the digit after "ep-".
      
      If we do have both, then it is likely that after we used up the
      "generic" endpoints we will use the digits and thus assign one
      bEndpointAddress to multiple endpoints.
      
      This theory can be proofed by using the completely enabled g_multi.
      Without this patch, the mass storage won't enumerate and times out
      because it shares endpoints with RNDIS.
      
      This patch also adds fills up the endpoints list so we have in total
      endpoints 1 to 15 in + out available while some of them are restricted
      to certain types like BULK or ISO. Without this change the nokia gadget
      won't load because the system does not provide enough (BULK) endpoints
      but it did before ep-a - ep-f were removed.
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7cce8398
  2. 16 Jan, 2013 27 commits
    • Ben Hutchings's avatar
      Linux 3.2.37 · 2d187726
      Ben Hutchings authored
      2d187726
    • Ed Cashin's avatar
      aoe: do not call bdi_init after blk_alloc_queue · d9bc6299
      Ed Cashin authored
      commit 0a41409c upstream.
      
      blk_alloc_queue has already done a bdi_init, so do not bdi_init
      again in aoeblk_gdalloc.  The extra call causes list corruption
      in the per-CPU backing dev info stats lists.
      
      Affected users see console WARNINGs about list_del corruption on
      percpu_counter_destroy when doing "rmmod aoe" or "aoeflush -a"
      when AoE targets have been detected and initialized by the
      system.
      
      The patch below applies to v3.6.11, with its v47 aoe driver.  It
      is expected to apply to all currently maintained stable kernels
      except 3.7.y.  A related but different fix has been posted for
      3.7.y.
      
      References:
      
        RedHat bugzilla ticket with original report
        https://bugzilla.redhat.com/show_bug.cgi?id=853064
      
        LKML discussion of bug and fix
        http://thread.gmane.org/gmane.linux.kernel/1416336/focus=1416497Reported-by: default avatarJosh Boyer <jwboyer@redhat.com>
      Signed-off-by: default avatarEd Cashin <ecashin@coraid.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d9bc6299
    • Zhang Rui's avatar
      ACPI : do not use Lid and Sleep button for S5 wakeup · 5afa0c0e
      Zhang Rui authored
      commit b7e38304 upstream.
      
      When system enters power off, the _PSW of Lid device is enabled.
      But this may cause the system to reboot instead of power off.
      
      A proper way to fix this is to always disable lid wakeup capability for S5.
      
      References: https://bugzilla.kernel.org/show_bug.cgi?id=35262Signed-off-by: default avatarZhang Rui <rui.zhang@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5afa0c0e
    • Tatyana Nikolova's avatar
      RDMA/nes: Fix for terminate timer crash · 49896bd5
      Tatyana Nikolova authored
      commit 7bfcfa51 upstream.
      
      The terminate timer needs to be initialized just once.
      Signed-off-by: default avatarTatyana Nikolova <Tatyana.E.Nikolova@intel.com>
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      49896bd5
    • Tatyana Nikolova's avatar
    • Jianpeng Ma's avatar
      mvsas: Fix oops when ata commond timeout. · 3b6ee0c4
      Jianpeng Ma authored
      commit 95ab0003 upstream.
      
      Kernel message follows:
      
      [  511.712011] sd 11:0:0:0: [sdf] command ffff8800a4e81400 timed out
      [  511.712022] sas: Enter sas_scsi_recover_host busy: 1 failed: 1
      [  511.712024] sas: trying to find task 0xffff8800a4d24c80
      [  511.712026] sas: sas_scsi_find_task: aborting task 0xffff8800a4d24c80
      [  511.712029] drivers/scsi/mvsas/mv_sas.c 1631:mvs_abort_task()
      mvi=ffff8800b5300000 task=ffff8800a4d24c80 slot=ffff8800b5325038
      slot_idx=x0
      [  511.712035] BUG: unable to handle kernel NULL pointer dereference at
      0000000000000058
      [  511.712040] IP: [<ffffffff815f8c0c>] _raw_spin_lock_irqsave+0xc/0x30
      [  511.712047] PGD 0
      [  511.712049] Oops: 0002 [#1] SMP
      [  511.712052] Modules linked in: mvsas libsas scsi_transport_sas
      raid456 async_pq async_xor xor async_memcpy async_raid6_recov raid6_pq
      async_tx [last unloaded: mvsas]
      [  511.712062] CPU 3
      [  511.712066] Pid: 7322, comm: scsi_eh_11 Not tainted 3.5.0+ #106 To Be
      Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M.
      [  511.712068] RIP: 0010:[<ffffffff815f8c0c>]  [<ffffffff815f8c0c>]
      _raw_spin_lock_irqsave+0xc/0x30
      [  511.712073] RSP: 0018:ffff880098d3bcb0  EFLAGS: 00010086
      [  511.712074] RAX: 0000000000000286 RBX: 0000000000000058 RCX:
      00000000000000c3
      [  511.712076] RDX: 0000000000000100 RSI: 0000000000000046 RDI:
      0000000000000058
      [  511.712078] RBP: ffff880098d3bcb0 R08: 000000000000000a R09:
      0000000000000000
      [  511.712080] R10: 00000000000004e8 R11: 00000000000004e7 R12:
      ffff8800a4d24c80
      [  511.712082] R13: 0000000000000050 R14: ffff8800b5325038 R15:
      ffff8800a4eafe00
      [  511.712084] FS:  0000000000000000(0000) GS:ffff8800bdb80000(0000)
      knlGS:0000000000000000
      [  511.712086] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  511.712088] CR2: 0000000000000058 CR3: 00000000a4ce6000 CR4:
      00000000000407e0
      [  511.712090] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
      0000000000000000
      [  511.712091] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
      0000000000000400
      [  511.712093] Process scsi_eh_11 (pid: 7322, threadinfo
      ffff880098d3a000, task ffff8800a61dde40)
      [  511.712095] Stack:
      [  511.712096]  ffff880098d3bce0 ffffffff81060683 ffff880000000000
      0000000000000000
      [  511.712099]  ffff8800a4d24c80 ffff8800b5300000 ffff880098d3bcf0
      ffffffffa0076a88
      [  511.712102]  ffff880098d3bd50 ffffffffa0079bb5 ffff880000000000
      ffff880000000018
      [  511.712106] Call Trace:
      [  511.712110]  [<ffffffff81060683>] complete+0x23/0x60
      [  511.712115]  [<ffffffffa0076a88>] mvs_tmf_timedout+0x18/0x20 [mvsas]
      [  511.712119]  [<ffffffffa0079bb5>] mvs_slot_complete+0x765/0x7d0
      [mvsas]
      [  511.712125]  [<ffffffffa005a17d>] sas_scsi_recover_host+0x55d/0xdb0
      [libsas]
      [  511.712128]  [<ffffffff8106d600>] ? idle_balance+0xe0/0x130
      [  511.712133]  [<ffffffff813b150c>] scsi_error_handler+0xcc/0x470
      [  511.712136]  [<ffffffff815f7ad0>] ? __schedule+0x370/0x730
      [  511.712139]  [<ffffffff8105f728>] ? __wake_up_common+0x58/0x90
      [  511.712142]  [<ffffffff813b1440>] ? scsi_eh_get_sense+0x110/0x110
      [  511.712146]  [<ffffffff810571be>] kthread+0x8e/0xa0
      [  511.712150]  [<ffffffff816015f4>] kernel_thread_helper+0x4/0x10
      [  511.712153]  [<ffffffff81057130>] ? flush_kthread_work+0x120/0x120
      [  511.712156]  [<ffffffff816015f0>] ? gs_change+0xb/0xb
      [  511.712157] Code: 8a 00 01 00 00 89 d0 f0 66 0f b1 0f 66 39 d0 0f 94
      c0 0f b6 c0 5d c3 0f 1f 84 00 00 00 00 00 55 48 89 e5 9c 58 fa ba 00 01
      00 00 <f0> 66 0f c1 17 0f b6 ce 38 d1 74 11 0f 1f 84 00 00 00 00 00 f3
      [  511.712191] RIP  [<ffffffff815f8c0c>] _raw_spin_lock_irqsave+0xc/0x30
      [  511.712194]  RSP <ffff880098d3bcb0>
      [  511.712196] CR2: 0000000000000058
      [  511.712198] ---[ end trace a781c7b1e65db92c ]---
      Signed-off-by: default avatarJianpeng Ma <majianpeng@gmail.com>
      Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3b6ee0c4
    • Eric Dumazet's avatar
      tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation · e252bbd8
      Eric Dumazet authored
      [ Upstream commit 354e4aa3 ]
      
      RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation]
      
        All TCP stacks MAY implement the following mitigation.  TCP stacks
        that implement this mitigation MUST add an additional input check to
        any incoming segment.  The ACK value is considered acceptable only if
        it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
        SND.NXT).  All incoming segments whose ACK value doesn't satisfy the
        above condition MUST be discarded and an ACK sent back.
      
      Move tcp_send_challenge_ack() before tcp_ack() to avoid a forward
      declaration.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Jerry Chu <hkchu@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e252bbd8
    • Eric Dumazet's avatar
      tcp: tcp_replace_ts_recent() should not be called from tcp_validate_incoming() · 9ae46af9
      Eric Dumazet authored
      [ Upstream commit bd090dfc ]
      
      We added support for RFC 5961 in latest kernels but TCP fails
      to perform exhaustive check of ACK sequence.
      
      We can update our view of peer tsval from a frame that is
      later discarded by tcp_ack()
      
      This makes timestamps enabled sessions vulnerable to injection of
      a high tsval : peers start an ACK storm, since the victim
      sends a dupack each time it receives an ACK from the other peer.
      
      As tcp_validate_incoming() is called before tcp_ack(), we should
      not peform tcp_replace_ts_recent() from it, and let callers do it
      at the right time.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Nandita Dukkipati <nanditad@google.com>
      Cc: H.K. Jerry Chu <hkchu@google.com>
      Cc: Romain Francoise <romain@orebokech.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9ae46af9
    • Eric Dumazet's avatar
      tcp: refine SYN handling in tcp_validate_incoming · d37f92d3
      Eric Dumazet authored
      [ Upstream commit e3715899 ]
      
      Followup of commit 0c24604b (tcp: implement RFC 5961 4.2)
      
      As reported by Vijay Subramanian, we should send a challenge ACK
      instead of a dup ack if a SYN flag is set on a packet received out of
      window.
      
      This permits the ratelimiting to work as intended, and to increase
      correct SNMP counters.
      Suggested-by: default avatarVijay Subramanian <subramanian.vijay@gmail.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarVijay Subramanian <subramanian.vijay@gmail.com>
      Cc: Kiran Kumar Kella <kkiran@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d37f92d3
    • Eric Dumazet's avatar
      tcp: implement RFC 5961 4.2 · 481079c4
      Eric Dumazet authored
      [ Upstream commit 0c24604b ]
      
      Implement the RFC 5691 mitigation against Blind
      Reset attack using SYN bit.
      
      Section 4.2 of RFC 5961 advises to send a Challenge ACK and drop
      incoming packet, instead of resetting the session.
      
      Add a new SNMP counter to count number of challenge acks sent
      in response to SYN packets.
      (netstat -s | grep TCPSYNChallenge)
      
      Remove obsolete TCPAbortOnSyn, since we no longer abort a TCP session
      because of a SYN flag.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Kiran Kumar Kella <kkiran@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      481079c4
    • Eric Dumazet's avatar
      tcp: implement RFC 5961 3.2 · 61f69dc4
      Eric Dumazet authored
      [ Upstream commit 282f23c6 ]
      
      Implement the RFC 5691 mitigation against Blind
      Reset attack using RST bit.
      
      Idea is to validate incoming RST sequence,
      to match RCV.NXT value, instead of previouly accepted
      window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)
      
      If sequence is in window but not an exact match, send
      a "challenge ACK", so that the other part can resend an
      RST with the appropriate sequence.
      
      Add a new sysctl, tcp_challenge_ack_limit, to limit
      number of challenge ACK sent per second.
      
      Add a new SNMP counter to count number of challenge acks sent.
      (netstat -s | grep TCPChallengeACK)
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Kiran Kumar Kella <kkiran@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      61f69dc4
    • Stefan Hasko's avatar
      net: sched: integer overflow fix · 254a9848
      Stefan Hasko authored
      [ Upstream commit d2fe85da ]
      
      Fixed integer overflow in function htb_dequeue
      Signed-off-by: default avatarStefan Hasko <hasko.stevo@gmail.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      254a9848
    • Christoph Paasch's avatar
      inet: Fix kmemleak in tcp_v4/6_syn_recv_sock and dccp_v4/6_request_recv_sock · 9c68c2b7
      Christoph Paasch authored
      [ Upstream commit e337e24d ]
      
      If in either of the above functions inet_csk_route_child_sock() or
      __inet_inherit_port() fails, the newsk will not be freed:
      
      unreferenced object 0xffff88022e8a92c0 (size 1592):
        comm "softirq", pid 0, jiffies 4294946244 (age 726.160s)
        hex dump (first 32 bytes):
          0a 01 01 01 0a 01 01 02 00 00 00 00 a7 cc 16 00  ................
          02 00 03 01 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          [<ffffffff8153d190>] kmemleak_alloc+0x21/0x3e
          [<ffffffff810ab3e7>] kmem_cache_alloc+0xb5/0xc5
          [<ffffffff8149b65b>] sk_prot_alloc.isra.53+0x2b/0xcd
          [<ffffffff8149b784>] sk_clone_lock+0x16/0x21e
          [<ffffffff814d711a>] inet_csk_clone_lock+0x10/0x7b
          [<ffffffff814ebbc3>] tcp_create_openreq_child+0x21/0x481
          [<ffffffff814e8fa5>] tcp_v4_syn_recv_sock+0x3a/0x23b
          [<ffffffff814ec5ba>] tcp_check_req+0x29f/0x416
          [<ffffffff814e8e10>] tcp_v4_do_rcv+0x161/0x2bc
          [<ffffffff814eb917>] tcp_v4_rcv+0x6c9/0x701
          [<ffffffff814cea9f>] ip_local_deliver_finish+0x70/0xc4
          [<ffffffff814cec20>] ip_local_deliver+0x4e/0x7f
          [<ffffffff814ce9f8>] ip_rcv_finish+0x1fc/0x233
          [<ffffffff814cee68>] ip_rcv+0x217/0x267
          [<ffffffff814a7bbe>] __netif_receive_skb+0x49e/0x553
          [<ffffffff814a7cc3>] netif_receive_skb+0x50/0x82
      
      This happens, because sk_clone_lock initializes sk_refcnt to 2, and thus
      a single sock_put() is not enough to free the memory. Additionally, things
      like xfrm, memcg, cookie_values,... may have been initialized.
      We have to free them properly.
      
      This is fixed by forcing a call to tcp_done(), ending up in
      inet_csk_destroy_sock, doing the final sock_put(). tcp_done() is necessary,
      because it ends up doing all the cleanup on xfrm, memcg, cookie_values,
      xfrm,...
      
      Before calling tcp_done, we have to set the socket to SOCK_DEAD, to
      force it entering inet_csk_destroy_sock. To avoid the warning in
      inet_csk_destroy_sock, inet_num has to be set to 0.
      As inet_csk_destroy_sock does a dec on orphan_count, we first have to
      increase it.
      
      Calling tcp_done() allows us to remove the calls to
      tcp_clear_xmit_timer() and tcp_cleanup_congestion_control().
      
      A similar approach is taken for dccp by calling dccp_done().
      
      This is in the kernel since 093d2823 (tproxy: fix hash locking issue
      when using port redirection in __inet_inherit_port()), thus since
      version >= 2.6.37.
      Signed-off-by: default avatarChristoph Paasch <christoph.paasch@uclouvain.be>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9c68c2b7
    • Dave Kleikamp's avatar
      sparc: huge_ptep_set_* functions need to call set_huge_pte_at() · 79f4631f
      Dave Kleikamp authored
      [ Upstream commit 6cb9c369 ]
      
      Modifying the huge pte's requires that all the underlying pte's be
      modified.
      
      Version 2: added missing flush_tlb_page()
      Signed-off-by: default avatarDave Kleikamp <dave.kleikamp@oracle.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: sparclinux@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      79f4631f
    • Steven Rostedt's avatar
      ftrace: Do not function trace inlined functions · f2ad8a6a
      Steven Rostedt authored
      commit 45959ee7 upstream.
      
      When gcc inlines a function, it does not mark it with the mcount
      prologue, which in turn means that inlined functions are not traced
      by the function tracer. But if CONFIG_OPTIMIZE_INLINING is set, then
      gcc is allowed not to inline a function that is marked inline.
      
      Depending on the options and the compiler, a function may or may
      not be traced by the function tracer, depending on whether gcc
      decides to inline a function or not. This has caused several
      problems in the pass becaues gcc is not always consistent with
      what it decides to inline between different gcc versions.
      
      Some places should not be traced (like paravirt native_* functions)
      and these are mostly marked as inline. When gcc decides not to
      inline the function, and if that function should not be traced, then
      the ftrace function tracer will suddenly break when it use to work
      fine. This becomes even harder to debug when different versions of
      gcc will not inline that function, making the same kernel and config
      work for some gcc versions and not work for others.
      
      By making all functions marked inline to not be traced will remove
      the ambiguity that gcc adds when it comes to tracing functions marked
      inline. All gcc versions will be consistent with what functions are
      traced and having volatile working code will be removed.
      
      Note, only the inline macro when CONFIG_OPTIMIZE_INLINING is set needs
      to have notrace added, as the attribute __always_inline will force
      the function to be inlined and then not traced.
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f2ad8a6a
    • Stanislaw Gruszka's avatar
      Revert: "rt2x00: Don't let mac80211 send a BAR when an AMPDU subframe fails" · c31f484c
      Stanislaw Gruszka authored
      commit ab9d6e4f upstream.
      
      This revert:
      
      commit be03d4a4
      Author: Andreas Hartmann <andihartmann@01019freenet.de>
      Date:   Tue Apr 17 00:25:28 2012 +0200
      
          rt2x00: Don't let mac80211 send a BAR when an AMPDU subframe fails
      
      To fix problem workaround by above commit use
      IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL flag (see change log for
      "mac80211: introduce IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL" patch).
      
      Resolve: https://bugzilla.kernel.org/show_bug.cgi?id=42828Bisected-by: default avatarFrancisco Pina Martins <f.pinamartins@gmail.com>
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c31f484c
    • Stanislaw Gruszka's avatar
      mac80211: introduce IEEE80211_HW_TEARDOWN_AGGR_ON_BAR_FAIL · 23bc781f
      Stanislaw Gruszka authored
      commit 5b632fe8 upstream.
      
      Commit f0425bed "mac80211: retry sending
      failed BAR frames later instead of tearing down aggr" caused regression
      on rt2x00 hardware (connection hangs). This regression was fixed by
      commit be03d4a4 "rt2x00: Don't let
      mac80211 send a BAR when an AMPDU subframe fails". But the latter
      commit caused yet another problem reported in
      https://bugzilla.kernel.org/show_bug.cgi?id=42828#c22
      
      After long discussion in this thread:
      http://mid.gmane.org/20121018075615.GA18212@redhat.com
      and testing various alternative solutions, which failed on one or other
      setup, we have no other good fix for the issues like just revert both
      mentioned earlier commits.
      
      To do not affect other hardware which benefit from commit
      f0425bed, instead of reverting it,
      introduce flag that when used will restore mac80211 behaviour before
      the commit.
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      [replaced link with mid.gmane.org that has message-id]
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      23bc781f
    • Andreas Hartmann's avatar
      rt2x00: Don't let mac80211 send a BAR when an AMPDU subframe fails · 226d4879
      Andreas Hartmann authored
      commit be03d4a4 upstream.
      
      There are connection stalls or very poor throughputs with rt2800
      hardware using 802.11n in AP mode since patch "mac80211: retry sending
      failed BAR frames later instead of tearing down aggr"[1][2].
      
      Since rt2800 hardware is not able to correctly report the tx status of
      BAR frames, this patch removes as workaround the existing error handling
      on AP side, which lets mac80211 send a BAR when an AMPDU subframe fails.
      
      As a result, most wifi clients (aside from Intel STAs on Windows)
      instead will timeout now the reorder buffer and request the lost frame
      again.
      
      The correct solution would be, to tear down BA session on AP side.
      
      This patch was born on the basis of "[RFT] rt2x00: Tear down BA
      session on QoS frame failure"[3].
      
      Thanks to Helmut Schaa for his support!
      
      [1] http://thread.gmane.org/gmane.linux.kernel.wireless.general/83297/focus=83304
      [2] http://git.kernel.org/?p=linux/kernel/git/linville/wireless-testing.git;a=commit;h=f0425beda4d404a6e751439b562100b902ba9c98
      [3] http://thread.gmane.org/gmane.linux.drivers.rt2x00.user/569Signed-off-by: default avatarAndreas Hartmann <andihartmann@01019freenet.de>
      Acked-by: default avatarHelmut Schaa <helmut.schaa@googlemail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      226d4879
    • Eric Wong's avatar
      epoll: prevent missed events on EPOLL_CTL_MOD · 416db02b
      Eric Wong authored
      commit 128dd175 upstream.
      
      EPOLL_CTL_MOD sets the interest mask before calling f_op->poll() to
      ensure events are not missed.  Since the modifications to the interest
      mask are not protected by the same lock as ep_poll_callback, we need to
      ensure the change is visible to other CPUs calling ep_poll_callback.
      
      We also need to ensure f_op->poll() has an up-to-date view of past
      events which occured before we modified the interest mask.  So this
      barrier also pairs with the barrier in wq_has_sleeper().
      
      This should guarantee either ep_poll_callback or f_op->poll() (or both)
      will notice the readiness of a recently-ready/modified item.
      
      This issue was encountered by Andreas Voellmy and Junchang(Jason) Wang in:
      http://thread.gmane.org/gmane.linux.kernel/1408782/Signed-off-by: default avatarEric Wong <normalperson@yhbt.net>
      Cc: Hans Verkuil <hans.verkuil@cisco.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Davide Libenzi <davidel@xmailserver.org>
      Cc: Hans de Goede <hdegoede@redhat.com>
      Cc: Mauro Carvalho Chehab <mchehab@infradead.org>
      Cc: David Miller <davem@davemloft.net>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andreas Voellmy <andreas.voellmy@yale.edu>
      Tested-by: default avatar"Junchang(Jason) Wang" <junchang.wang@yale.edu>
      Cc: netdev@vger.kernel.org
      Cc: linux-fsdevel@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      416db02b
    • Namjae Jeon's avatar
      udf: don't increment lenExtents while writing to a hole · 89c71239
      Namjae Jeon authored
      commit fb719c59 upstream.
      
      Incrementing lenExtents even while writing to a hole is bad
      for performance as calls to udf_discard_prealloc and
      udf_truncate_tail_extent would not return from start if
      isize != lenExtents
      Signed-off-by: default avatarNamjae Jeon <namjae.jeon@samsung.com>
      Signed-off-by: default avatarAshish Sangwan <a.sangwan@samsung.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      89c71239
    • Tony Prisk's avatar
      drivers/rtc/rtc-vt8500.c: fix handling of data passed in struct rtc_time · 75814f28
      Tony Prisk authored
      commit 2f90b683 upstream.
      
      tm_mon is 0..11, whereas vt8500 expects 1..12 for the month field,
      causing invalid date errors for January, and causing the day field to
      roll over incorrectly.
      
      The century flag is only handled in vt8500_rtc_read_time, but not set in
      vt8500_rtc_set_time.  This patch corrects the behaviour of the century
      flag.
      Signed-off-by: default avatarEdgar Toernig <froese@gmx.de>
      Signed-off-by: default avatarTony Prisk <linux@prisktech.co.nz>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      75814f28
    • Tony Prisk's avatar
      drivers/rtc/rtc-vt8500.c: correct handling of CR_24H bitfield · c71f617d
      Tony Prisk authored
      commit 532db570 upstream.
      
      Control register bitfield for 12H/24H mode is handled incorrectly.
      Setting CR_24H actually enables 12H mode.  This patch renames the define
      and changes the initialization code to correctly set 24H mode.
      Signed-off-by: default avatarTony Prisk <linux@prisktech.co.nz>
      Cc: Edgar Toernig <froese@gmx.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c71f617d
    • Michal Hocko's avatar
      mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT · 9a1eb12a
      Michal Hocko authored
      commit 53a59fc6 upstream.
      
      Since commit e303297e ("mm: extended batches for generic
      mmu_gather") we are batching pages to be freed until either
      tlb_next_batch cannot allocate a new batch or we are done.
      
      This works just fine most of the time but we can get in troubles with
      non-preemptible kernel (CONFIG_PREEMPT_NONE or CONFIG_PREEMPT_VOLUNTARY)
      on large machines where too aggressive batching might lead to soft
      lockups during process exit path (exit_mmap) because there are no
      scheduling points down the free_pages_and_swap_cache path and so the
      freeing can take long enough to trigger the soft lockup.
      
      The lockup is harmless except when the system is setup to panic on
      softlockup which is not that unusual.
      
      The simplest way to work around this issue is to limit the maximum
      number of batches in a single mmu_gather.  10k of collected pages should
      be safe to prevent from soft lockups (we would have 2ms for one) even if
      they are all freed without an explicit scheduling point.
      
      This patch doesn't add any new explicit scheduling points because it
      relies on zap_pmd_range during page tables zapping which calls
      cond_resched per PMD.
      
      The following lockup has been reported for 3.0 kernel with a huge
      process (in order of hundreds gigs but I do know any more details).
      
        BUG: soft lockup - CPU#56 stuck for 22s! [kernel:31053]
        Modules linked in: af_packet nfs lockd fscache auth_rpcgss nfs_acl sunrpc mptctl mptbase autofs4 binfmt_misc dm_round_robin dm_multipath bonding cpufreq_conservative cpufreq_userspace cpufreq_powersave pcc_cpufreq mperf microcode fuse loop osst sg sd_mod crc_t10dif st qla2xxx scsi_transport_fc scsi_tgt netxen_nic i7core_edac iTCO_wdt joydev e1000e serio_raw pcspkr edac_core iTCO_vendor_support acpi_power_meter rtc_cmos hpwdt hpilo button container usbhid hid dm_mirror dm_region_hash dm_log linear uhci_hcd ehci_hcd usbcore usb_common scsi_dh_emc scsi_dh_alua scsi_dh_hp_sw scsi_dh_rdac scsi_dh dm_snapshot pcnet32 mii edd dm_mod raid1 ext3 mbcache jbd fan thermal processor thermal_sys hwmon cciss scsi_mod
        Supported: Yes
        CPU 56
        Pid: 31053, comm: kernel Not tainted 3.0.31-0.9-default #1 HP ProLiant DL580 G7
        RIP: 0010:  _raw_spin_unlock_irqrestore+0x8/0x10
        RSP: 0018:ffff883ec1037af0  EFLAGS: 00000206
        RAX: 0000000000000e00 RBX: ffffea01a0817e28 RCX: ffff88803ffd9e80
        RDX: 0000000000000200 RSI: 0000000000000206 RDI: 0000000000000206
        RBP: 0000000000000002 R08: 0000000000000001 R09: ffff887ec724a400
        R10: 0000000000000000 R11: dead000000200200 R12: ffffffff8144c26e
        R13: 0000000000000030 R14: 0000000000000297 R15: 000000000000000e
        FS:  00007ed834282700(0000) GS:ffff88c03f200000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
        CR2: 000000000068b240 CR3: 0000003ec13c5000 CR4: 00000000000006e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
        Process kernel (pid: 31053, threadinfo ffff883ec1036000, task ffff883ebd5d4100)
        Call Trace:
          release_pages+0xc5/0x260
          free_pages_and_swap_cache+0x9d/0xc0
          tlb_flush_mmu+0x5c/0x80
          tlb_finish_mmu+0xe/0x50
          exit_mmap+0xbd/0x120
          mmput+0x49/0x120
          exit_mm+0x122/0x160
          do_exit+0x17a/0x430
          do_group_exit+0x3d/0xb0
          get_signal_to_deliver+0x247/0x480
          do_signal+0x71/0x1b0
          do_notify_resume+0x98/0xb0
          int_signal+0x12/0x17
        DWARF2 unwinder stuck at int_signal+0x12/0x17
      Signed-off-by: default avatarMichal Hocko <mhocko@suse.cz>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9a1eb12a
    • Rafael J. Wysocki's avatar
      ACPI / scan: Do not use dummy HID for system bus ACPI nodes · fadfad5b
      Rafael J. Wysocki authored
      commit 4f5f64cf upstream.
      
      At one point acpi_device_set_id() checks if acpi_device_hid(device)
      returns NULL, but that never happens, so system bus devices with an
      empty list of PNP IDs are given the dummy HID ("device") instead of
      the "system bus HID" ("LNXSYBUS").  Fix the code to use the right
      check.
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      fadfad5b
    • Trond Myklebust's avatar
      SUNRPC: Ensure that we free the rpc_task after cleanups are done · c45475d0
      Trond Myklebust authored
      commit c6567ed1 upstream.
      
      This patch ensures that we free the rpc_task after the cleanup callbacks
      are done in order to avoid a deadlock problem that can be triggered if
      the callback needs to wait for another workqueue item to complete.
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Cc: Weston Andros Adamson <dros@netapp.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Bruce Fields <bfields@fieldses.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c45475d0
    • Xi Wang's avatar
      nfs: fix null checking in nfs_get_option_str() · 66ebe467
      Xi Wang authored
      commit e25fbe38 upstream.
      
      The following null pointer check is broken.
      
      	*option = match_strdup(args);
      	return !option;
      
      The pointer `option' must be non-null, and thus `!option' is always false.
      Use `!*option' instead.
      
      The bug was introduced in commit c5cb09b6 ("Cleanup: Factor out some
      cut-and-paste code.").
      Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      66ebe467
    • Lothar Waßmann's avatar
      video: mxsfb: fix crash when unblanking the display · c69aab88
      Lothar Waßmann authored
      commit 6c1ecba8 upstream.
      
      The VDCTRL4 register does not provide the MXS SET/CLR/TOGGLE feature.
      The write in mxsfb_disable_controller() sets the data_cnt for the LCD
      DMA to 0 which obviously means the max. count for the LCD DMA and
      leads to overwriting arbitrary memory when the display is unblanked.
      Signed-off-by: default avatarLothar Waßmann <LW@KARO-electronics.de>
      Acked-by: default avatarJuergen Beisert <jbe@pengutronix.de>
      Tested-by: default avatarLauri Hintsala <lauri.hintsala@bluegiga.net>
      Signed-off-by: default avatarShawn Guo <shawn.guo@linaro.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c69aab88