1. 04 Dec, 2013 40 commits
    • Steven Rostedt (Red Hat)'s avatar
      ftrace: Fix function graph with loading of modules · 51d351d5
      Steven Rostedt (Red Hat) authored
      commit 8a56d776 upstream.
      
      Commit 8c4f3c3f "ftrace: Check module functions being traced on reload"
      fixed module loading and unloading with respect to function tracing, but
      it missed the function graph tracer. If you perform the following
      
       # cd /sys/kernel/debug/tracing
       # echo function_graph > current_tracer
       # modprobe nfsd
       # echo nop > current_tracer
      
      You'll get the following oops message:
      
       ------------[ cut here ]------------
       WARNING: CPU: 2 PID: 2910 at /linux.git/kernel/trace/ftrace.c:1640 __ftrace_hash_rec_update.part.35+0x168/0x1b9()
       Modules linked in: nfsd exportfs nfs_acl lockd ipt_MASQUERADE sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables uinput snd_hda_codec_idt
       CPU: 2 PID: 2910 Comm: bash Not tainted 3.13.0-rc1-test #7
       Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M., BIOS SDBLI944.86P 05/08/2007
        0000000000000668 ffff8800787efcf8 ffffffff814fe193 ffff88007d500000
        0000000000000000 ffff8800787efd38 ffffffff8103b80a 0000000000000668
        ffffffff810b2b9a ffffffff81a48370 0000000000000001 ffff880037aea000
       Call Trace:
        [<ffffffff814fe193>] dump_stack+0x4f/0x7c
        [<ffffffff8103b80a>] warn_slowpath_common+0x81/0x9b
        [<ffffffff810b2b9a>] ? __ftrace_hash_rec_update.part.35+0x168/0x1b9
        [<ffffffff8103b83e>] warn_slowpath_null+0x1a/0x1c
        [<ffffffff810b2b9a>] __ftrace_hash_rec_update.part.35+0x168/0x1b9
        [<ffffffff81502f89>] ? __mutex_lock_slowpath+0x364/0x364
        [<ffffffff810b2cc2>] ftrace_shutdown+0xd7/0x12b
        [<ffffffff810b47f0>] unregister_ftrace_graph+0x49/0x78
        [<ffffffff810c4b30>] graph_trace_reset+0xe/0x10
        [<ffffffff810bf393>] tracing_set_tracer+0xa7/0x26a
        [<ffffffff810bf5e1>] tracing_set_trace_write+0x8b/0xbd
        [<ffffffff810c501c>] ? ftrace_return_to_handler+0xb2/0xde
        [<ffffffff811240a8>] ? __sb_end_write+0x5e/0x5e
        [<ffffffff81122aed>] vfs_write+0xab/0xf6
        [<ffffffff8150a185>] ftrace_graph_caller+0x85/0x85
        [<ffffffff81122dbd>] SyS_write+0x59/0x82
        [<ffffffff8150a185>] ftrace_graph_caller+0x85/0x85
        [<ffffffff8150a2d2>] system_call_fastpath+0x16/0x1b
       ---[ end trace 940358030751eafb ]---
      
      The above mentioned commit didn't go far enough. Well, it covered the
      function tracer by adding checks in __register_ftrace_function(). The
      problem is that the function graph tracer circumvents that (for a slight
      efficiency gain when function graph trace is running with a function
      tracer. The gain was not worth this).
      
      The problem came with ftrace_startup() which should always be called after
      __register_ftrace_function(), if you want this bug to be completely fixed.
      
      Anyway, this solution moves __register_ftrace_function() inside of
      ftrace_startup() and removes the need to call them both.
      Reported-by: default avatarDave Wysochanski <dwysocha@redhat.com>
      Fixes: ed926f9b ("ftrace: Use counters to enable functions to trace")
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      51d351d5
    • Alex Williamson's avatar
      KVM: Fix iommu map/unmap to handle memory slot moves · 5833570f
      Alex Williamson authored
      commit e40f193f upstream.
      
      The iommu integration into memory slots expects memory slots to be
      added or removed and doesn't handle the move case.  We can unmap
      slots from the iommu after we mark them invalid and map them before
      installing the final memslot array.  Also re-order the kmemdup vs
      map so we don't leave iommu mappings if we get ENOMEM.
      Reviewed-by: default avatarGleb Natapov <gleb@redhat.com>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
      Cc: Luis Henriques <luis.henriques@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5833570f
    • Marcelo Tosatti's avatar
      KVM: perform an invalid memslot step for gpa base change · 9af88f0e
      Marcelo Tosatti authored
      commit 12d6e753 upstream.
      
      PPC must flush all translations before the new memory slot
      is visible.
      Signed-off-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
      Signed-off-by: default avatarAvi Kivity <avi@redhat.com>
      Cc: Luis Henriques <luis.henriques@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9af88f0e
    • Tom Gundersen's avatar
      Input: i8042 - add PNP modaliases · 1fefeae7
      Tom Gundersen authored
      commit 78551277 upstream.
      
      This allows the module to be autoloaded in the common case.
      
      In order to work on non-PnP systems the module should be compiled in or
      loaded unconditionally at boot (c.f. modules-load.d(5)), as before.
      Signed-off-by: default avatarTom Gundersen <teg@jklm.no>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1fefeae7
    • Steven Rostedt (Red Hat)'s avatar
      tracing: Allow events to have NULL strings · 4d815b62
      Steven Rostedt (Red Hat) authored
      commit 4e58e547 upstream.
      
      If an TRACE_EVENT() uses __assign_str() or __get_str on a NULL pointer
      then the following oops will happen:
      
      BUG: unable to handle kernel NULL pointer dereference at   (null)
      IP: [<c127a17b>] strlen+0x10/0x1a
      *pde = 00000000 ^M
      Oops: 0000 [#1] PREEMPT SMP
      Modules linked in:
      CPU: 1 PID: 0 Comm: swapper/1 Not tainted 3.13.0-rc1-test+ #2
      Hardware name:                  /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006^M
      task: f5cde9f0 ti: f5e5e000 task.ti: f5e5e000
      EIP: 0060:[<c127a17b>] EFLAGS: 00210046 CPU: 1
      EIP is at strlen+0x10/0x1a
      EAX: 00000000 EBX: c2472da8 ECX: ffffffff EDX: c2472da8
      ESI: c1c5e5fc EDI: 00000000 EBP: f5e5fe84 ESP: f5e5fe80
       DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      CR0: 8005003b CR2: 00000000 CR3: 01f32000 CR4: 000007d0
      Stack:
       f5f18b90 f5e5feb8 c10687a8 0759004f 00000005 00000005 00000005 00200046
       00000002 00000000 c1082a93 f56c7e28 c2472da8 c1082a93 f5e5fee4 c106bc61^M
       00000000 c1082a93 00000000 00000000 00000001 00200046 00200082 00000000
      Call Trace:
       [<c10687a8>] ftrace_raw_event_lock+0x39/0xc0
       [<c1082a93>] ? ktime_get+0x29/0x69
       [<c1082a93>] ? ktime_get+0x29/0x69
       [<c106bc61>] lock_release+0x57/0x1a5
       [<c1082a93>] ? ktime_get+0x29/0x69
       [<c10824dd>] read_seqcount_begin.constprop.7+0x4d/0x75
       [<c1082a93>] ? ktime_get+0x29/0x69^M
       [<c1082a93>] ktime_get+0x29/0x69
       [<c108a46a>] __tick_nohz_idle_enter+0x1e/0x426
       [<c10690e8>] ? lock_release_holdtime.part.19+0x48/0x4d
       [<c10bc184>] ? time_hardirqs_off+0xe/0x28
       [<c1068c82>] ? trace_hardirqs_off_caller+0x3f/0xaf
       [<c108a8cb>] tick_nohz_idle_enter+0x59/0x62
       [<c1079242>] cpu_startup_entry+0x64/0x192
       [<c102299c>] start_secondary+0x277/0x27c
      Code: 90 89 c6 89 d0 88 c4 ac 38 e0 74 09 84 c0 75 f7 be 01 00 00 00 89 f0 48 5e 5d c3 55 89 e5 57 66 66 66 66 90 83 c9 ff 89 c7 31 c0 <f2> ae f7 d1 8d 41 ff 5f 5d c3 55 89 e5 57 66 66 66 66 90 31 ff
      EIP: [<c127a17b>] strlen+0x10/0x1a SS:ESP 0068:f5e5fe80
      CR2: 0000000000000000
      ---[ end trace 01bc47bf519ec1b2 ]---
      
      New tracepoints have been added that have allowed for NULL pointers
      being assigned to strings. To fix this, change the TRACE_EVENT() code
      to check for NULL and if it is, it will assign "(null)" to it instead
      (similar to what glibc printf does).
      Reported-by: default avatarShuah Khan <shuah.kh@samsung.com>
      Reported-by: default avatarJovi Zhangwei <jovi.zhangwei@gmail.com>
      Link: http://lkml.kernel.org/r/CAGdX0WFeEuy+DtpsJzyzn0343qEEjLX97+o1VREFkUEhndC+5Q@mail.gmail.com
      Link: http://lkml.kernel.org/r/528D6972.9010702@samsung.com
      Fixes: 9cbf1176 ("tracing/events: provide string with undefined size support")
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4d815b62
    • Kailang Yang's avatar
      ALSA: hda/realtek - Set pcbeep amp for ALC668 · 1d78aecd
      Kailang Yang authored
      commit 9ad54547 upstream.
      
      Set the missing pcbeep default amp for ALC668.
      Signed-off-by: default avatarKailang Yang <kailang@realtek.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d78aecd
    • Peter Zijlstra's avatar
      cpuset: Fix memory allocator deadlock · fe094c41
      Peter Zijlstra authored
      commit 0fc0287c upstream.
      
      Juri hit the below lockdep report:
      
      [    4.303391] ======================================================
      [    4.303392] [ INFO: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected ]
      [    4.303394] 3.12.0-dl-peterz+ #144 Not tainted
      [    4.303395] ------------------------------------------------------
      [    4.303397] kworker/u4:3/689 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
      [    4.303399]  (&p->mems_allowed_seq){+.+...}, at: [<ffffffff8114e63c>] new_slab+0x6c/0x290
      [    4.303417]
      [    4.303417] and this task is already holding:
      [    4.303418]  (&(&q->__queue_lock)->rlock){..-...}, at: [<ffffffff812d2dfb>] blk_execute_rq_nowait+0x5b/0x100
      [    4.303431] which would create a new lock dependency:
      [    4.303432]  (&(&q->__queue_lock)->rlock){..-...} -> (&p->mems_allowed_seq){+.+...}
      [    4.303436]
      
      [    4.303898] the dependencies between the lock to be acquired and SOFTIRQ-irq-unsafe lock:
      [    4.303918] -> (&p->mems_allowed_seq){+.+...} ops: 2762 {
      [    4.303922]    HARDIRQ-ON-W at:
      [    4.303923]                     [<ffffffff8108ab9a>] __lock_acquire+0x65a/0x1ff0
      [    4.303926]                     [<ffffffff8108cbe3>] lock_acquire+0x93/0x140
      [    4.303929]                     [<ffffffff81063dd6>] kthreadd+0x86/0x180
      [    4.303931]                     [<ffffffff816ded6c>] ret_from_fork+0x7c/0xb0
      [    4.303933]    SOFTIRQ-ON-W at:
      [    4.303933]                     [<ffffffff8108abcc>] __lock_acquire+0x68c/0x1ff0
      [    4.303935]                     [<ffffffff8108cbe3>] lock_acquire+0x93/0x140
      [    4.303940]                     [<ffffffff81063dd6>] kthreadd+0x86/0x180
      [    4.303955]                     [<ffffffff816ded6c>] ret_from_fork+0x7c/0xb0
      [    4.303959]    INITIAL USE at:
      [    4.303960]                    [<ffffffff8108a884>] __lock_acquire+0x344/0x1ff0
      [    4.303963]                    [<ffffffff8108cbe3>] lock_acquire+0x93/0x140
      [    4.303966]                    [<ffffffff81063dd6>] kthreadd+0x86/0x180
      [    4.303969]                    [<ffffffff816ded6c>] ret_from_fork+0x7c/0xb0
      [    4.303972]  }
      
      Which reports that we take mems_allowed_seq with interrupts enabled. A
      little digging found that this can only be from
      cpuset_change_task_nodemask().
      
      This is an actual deadlock because an interrupt doing an allocation will
      hit get_mems_allowed()->...->__read_seqcount_begin(), which will spin
      forever waiting for the write side to complete.
      
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Mel Gorman <mgorman@suse.de>
      Reported-by: default avatarJuri Lelli <juri.lelli@gmail.com>
      Signed-off-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Tested-by: default avatarJuri Lelli <juri.lelli@gmail.com>
      Acked-by: default avatarLi Zefan <lizefan@huawei.com>
      Acked-by: default avatarMel Gorman <mgorman@suse.de>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fe094c41
    • Michael Neuling's avatar
      powerpc/signals: Improved mark VSX not saved with small contexts fix · df29bdd4
      Michael Neuling authored
      commit ec67ad82 upstream.
      
      In a recent patch:
        commit c13f20ac
        Author: Michael Neuling <mikey@neuling.org>
        powerpc/signals: Mark VSX not saved with small contexts
      
      We fixed an issue but an improved solution was later discussed after the patch
      was merged.
      
      Firstly, this patch doesn't handle the 64bit signals case, which could also hit
      this issue (but has never been reported).
      
      Secondly, the original patch isn't clear what MSR VSX should be set to.  The
      new approach below always clears the MSR VSX bit (to indicate no VSX is in the
      context) and sets it only in the specific case where VSX is available (ie. when
      VSX has been used and the signal context passed has space to provide the
      state).
      
      This reverts the original patch and replaces it with the improved solution.  It
      also adds a 64 bit version.
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      df29bdd4
    • NeilBrown's avatar
      md: fix calculation of stacking limits on level change. · f69a26d2
      NeilBrown authored
      commit 02e5f5c0 upstream.
      
      The various ->run routines of md personalities assume that the 'queue'
      has been initialised by the blk_set_stacking_limits() call in
      md_alloc().
      
      However when the level is changed (by level_store()) the ->run routine
      for the new level is called for an array which has already had the
      stacking limits modified.  This can result in incorrect final
      settings.
      
      So call blk_set_stacking_limits() before ->run in level_store().
      
      A specific consequence of this bug is that it causes
      discard_granularity to be set incorrectly when reshaping a RAID4 to a
      RAID0.
      
      This is suitable for any -stable kernel since 3.3 in which
      blk_set_stacking_limits() was introduced.
      Reported-and-tested-by: default avatar"Baldysiak, Pawel" <pawel.baldysiak@intel.com>
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f69a26d2
    • Jerome Glisse's avatar
      radeon: workaround pinning failure on low ram gpu · 3ae78536
      Jerome Glisse authored
      commit 97b6ff6b upstream.
      
      GPU with low amount of ram can fails at pinning new framebuffer before
      unpinning old one. On such failure, retry with unpinning old one before
      pinning new one allowing to work around the issue. This is somewhat
      ugly but only affect those old GPU we care about.
      Signed-off-by: default avatarJerome Glisse <jglisse@redhat.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3ae78536
    • Alex Deucher's avatar
      drm/radeon/si: fix define for MC_SEQ_TRAIN_WAKEUP_CNTL · e21e0c15
      Alex Deucher authored
      commit d5693761 upstream.
      
      Typo in the register offset.
      Noticed-by: default avatarSylvain BERTRAND <sylware@legeek.net>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e21e0c15
    • Ben Skeggs's avatar
    • Daniel Vetter's avatar
      drm/i915: flush cursors harder · 38b24f2c
      Daniel Vetter authored
      commit b2ea8ef5 upstream.
      
      Apparently they need the same treatment as primary planes. This fixes
      modesetting failures because of stuck cursors (!) on Thomas' i830M
      machine.
      
      I've figured while at it I'll also roll it out for the ivb 3 pipe
      version of this function. I didn't do this for i845/i865 since Bspec
      says the update mechanism works differently, and there's some
      additional rules about what can be updated in which order.
      Tested-by: default avatarThomas Richter <thor@math.tu-berlin.de>
      Cc:  Thomas Richter <thor@math.tu-berlin.de>
      Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      38b24f2c
    • Jakob Bornecrantz's avatar
      drm/ttm: Handle in-memory region copies · 6e911aa9
      Jakob Bornecrantz authored
      commit 9a0599dd upstream.
      
      Fix the case where the ttm pointer may be NULL causing
      a NULL pointer dereference.
      Signed-off-by: default avatarJakob Bornecrantz <jakob@vmware.com>
      Signed-off-by: default avatarThomas Hellström <thellstrom@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e911aa9
    • Dan Williams's avatar
      prism54: set netdev type to "wlan" · 230ab9de
      Dan Williams authored
      commit 8e3ffa47 upstream.
      
      Userspace uses the netdev devtype for stuff like device naming and type
      detection.  Be nice and set it.  Remove the pointless #if/#endif around
      SET_NETDEV_DEV too.
      Signed-off-by: default avatarDan Williams <dcbw@redhat.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      230ab9de
    • Andreas Bießmann's avatar
      avr32: fix out-of-range jump in large kernels · fb1601f0
      Andreas Bießmann authored
      commit d617b338 upstream.
      
      This patch fixes following error (for big kernels):
      
      ---8<---
      arch/avr32/boot/u-boot/head.o: In function `no_tag_table':
      (.init.text+0x44): relocation truncated to fit: R_AVR32_22H_PCREL against symbol `panic' defined in .text.unlikely section in kernel/built-in.o
      arch/avr32/kernel/built-in.o: In function `bad_return':
      (.ex.text+0x236): relocation truncated to fit: R_AVR32_22H_PCREL against symbol `panic' defined in .text.unlikely section in kernel/built-in.o
      --->8---
      
      It comes up when the kernel increases and 'panic()' is too far away to fit in
      the +/- 2MiB range. Which in turn issues from the 21-bit displacement in
      'br{cond4}' mnemonic which is one of the two ways to do jumps (rjmp has just
      10-bit displacement and therefore a way smaller range). This fact was stated
      before in 8d29b7b9.
      One solution to solve this is to add a local storage for the symbol address
      and just load the $pc with that value.
      Signed-off-by: default avatarAndreas Bießmann <andreas@biessmann.de>
      Acked-by: default avatarHans-Christian Egtvedt <egtvedt@samfundet.no>
      Cc: Haavard Skinnemoen <hskinnemoen@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fb1601f0
    • Andreas Bießmann's avatar
      avr32: setup crt for early panic() · 07cf6ad3
      Andreas Bießmann authored
      commit 7a2a74f4 upstream.
      
      Before the CRT was (fully) set up in kernel_entry (bss cleared before in
      _start, but also not before jump to panic() in no_tag_table case).
      
      This patch fixes this up to have a fully working CRT when branching to panic()
      in no_tag_table.
      Signed-off-by: default avatarAndreas Bießmann <andreas@biessmann.de>
      Acked-by: default avatarHans-Christian Egtvedt <egtvedt@samfundet.no>
      Cc: Haavard Skinnemoen <hskinnemoen@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      07cf6ad3
    • Paul Moore's avatar
      selinux: correct locking in selinux_netlbl_socket_connect) · 17af9d91
      Paul Moore authored
      commit 42d64e1a upstream.
      
      The SELinux/NetLabel glue code has a locking bug that affects systems
      with NetLabel enabled, see the kernel error message below.  This patch
      corrects this problem by converting the bottom half socket lock to a
      more conventional, and correct for this call-path, lock_sock() call.
      
       ===============================
       [ INFO: suspicious RCU usage. ]
       3.11.0-rc3+ #19 Not tainted
       -------------------------------
       net/ipv4/cipso_ipv4.c:1928 suspicious rcu_dereference_protected() usage!
      
       other info that might help us debug this:
      
       rcu_scheduler_active = 1, debug_locks = 0
       2 locks held by ping/731:
        #0:  (slock-AF_INET/1){+.-...}, at: [...] selinux_netlbl_socket_connect
        #1:  (rcu_read_lock){.+.+..}, at: [<...>] netlbl_conn_setattr
      
       stack backtrace:
       CPU: 1 PID: 731 Comm: ping Not tainted 3.11.0-rc3+ #19
       Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
        0000000000000001 ffff88006f659d28 ffffffff81726b6a ffff88003732c500
        ffff88006f659d58 ffffffff810e4457 ffff88006b845a00 0000000000000000
        000000000000000c ffff880075aa2f50 ffff88006f659d90 ffffffff8169bec7
       Call Trace:
        [<ffffffff81726b6a>] dump_stack+0x54/0x74
        [<ffffffff810e4457>] lockdep_rcu_suspicious+0xe7/0x120
        [<ffffffff8169bec7>] cipso_v4_sock_setattr+0x187/0x1a0
        [<ffffffff8170f317>] netlbl_conn_setattr+0x187/0x190
        [<ffffffff8170f195>] ? netlbl_conn_setattr+0x5/0x190
        [<ffffffff8131ac9e>] selinux_netlbl_socket_connect+0xae/0xc0
        [<ffffffff81303025>] selinux_socket_connect+0x135/0x170
        [<ffffffff8119d127>] ? might_fault+0x57/0xb0
        [<ffffffff812fb146>] security_socket_connect+0x16/0x20
        [<ffffffff815d3ad3>] SYSC_connect+0x73/0x130
        [<ffffffff81739a85>] ? sysret_check+0x22/0x5d
        [<ffffffff810e5e2d>] ? trace_hardirqs_on_caller+0xfd/0x1c0
        [<ffffffff81373d4e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
        [<ffffffff815d52be>] SyS_connect+0xe/0x10
        [<ffffffff81739a59>] system_call_fastpath+0x16/0x1b
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      17af9d91
    • Yinghai Lu's avatar
      PCI: Remove duplicate pci_disable_device() from pcie_portdrv_remove() · 5d6d6a7a
      Yinghai Lu authored
      commit e7cc5cf7 upstream.
      
      The pcie_portdrv .probe() method calls pci_enable_device() once, in
      pcie_port_device_register(), but the .remove() method calls
      pci_disable_device() twice, in pcie_port_device_remove() and in
      pcie_portdrv_remove().
      
      That causes a "disabling already-disabled device" warning when removing a
      PCIe port device.  This happens all the time when removing Thunderbolt
      devices, but is also easy to reproduce with, e.g.,
      "echo 0000:00:1c.3 > /sys/bus/pci/drivers/pcieport/unbind"
      
      This patch removes the disable from pcie_portdrv_remove().
      
      [bhelgaas: changelog, tag for stable]
      Reported-by: default avatarDavid Bulkow <David.Bulkow@stratus.com>
      Reported-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarYinghai Lu <yinghai@kernel.org>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5d6d6a7a
    • Mathias Krause's avatar
      audit: fix info leak in AUDIT_GET requests · 4e0c56ab
      Mathias Krause authored
      commit 64fbff9a upstream.
      
      We leak 4 bytes of kernel stack in response to an AUDIT_GET request as
      we miss to initialize the mask member of status_set. Fix that.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4e0c56ab
    • Mathias Krause's avatar
      audit: use nlmsg_len() to get message payload length · 42979968
      Mathias Krause authored
      commit 4d8fe737 upstream.
      
      Using the nlmsg_len member of the netlink header to test if the message
      is valid is wrong as it includes the size of the netlink header itself.
      Thereby allowing to send short netlink messages that pass those checks.
      
      Use nlmsg_len() instead to test for the right message length. The result
      of nlmsg_len() is guaranteed to be non-negative as the netlink message
      already passed the checks of nlmsg_ok().
      
      Also switch to min_t() to please checkpatch.pl.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      42979968
    • Tyler Hicks's avatar
      audit: printk USER_AVC messages when audit isn't enabled · e49ee6c6
      Tyler Hicks authored
      commit 0868a5e1 upstream.
      
      When the audit=1 kernel parameter is absent and auditd is not running,
      AUDIT_USER_AVC messages are being silently discarded.
      
      AUDIT_USER_AVC messages should be sent to userspace using printk(), as
      mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the
      audit-disabled case for discarding user messages").
      
      When audit_enabled is 0, audit_receive_msg() discards all user messages
      except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg()
      refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to
      special case AUDIT_USER_AVC messages in both functions.
      
      It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()")
      introduced this bug.
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Eric Paris <eparis@redhat.com>
      Cc: linux-audit@redhat.com
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e49ee6c6
    • Avinash Patil's avatar
      mwifiex: correct packet length for packets from SDIO interface · d4bb402d
      Avinash Patil authored
      commit d03b4aa7 upstream.
      
      While receiving a packet on SDIO interface, we allocate skb with
      size multiple of SDIO block size. We need to resize this skb
      after RX using packet length from RX header.
      Signed-off-by: default avatarAvinash Patil <patila@marvell.com>
      Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d4bb402d
    • Aaron Lu's avatar
      PM / hibernate: Avoid overflow in hibernate_preallocate_memory() · 7094547c
      Aaron Lu authored
      commit fd432b9f upstream.
      
      When system has a lot of highmem (e.g. 16GiB using a 32 bits kernel),
      the code to calculate how much memory we need to preallocate in
      normal zone may cause overflow. As Leon has analysed:
      
       It looks that during computing 'alloc' variable there is overflow:
       alloc = (3943404 - 1970542) - 1978280 = -5418 (signed)
       And this function goes to err_out.
      
      Fix this by avoiding that overflow.
      
      References: https://bugzilla.kernel.org/show_bug.cgi?id=60817Reported-and-tested-by: default avatarLeon Drugi <eyak@wp.pl>
      Signed-off-by: default avatarAaron Lu <aaron.lu@intel.com>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7094547c
    • Mikulas Patocka's avatar
      dm: allocate buffer for messages with small number of arguments using GFP_NOIO · 3ccb527f
      Mikulas Patocka authored
      commit f36afb39 upstream.
      
      dm-mpath and dm-thin must process messages even if some device is
      suspended, so we allocate argv buffer with GFP_NOIO. These messages have
      a small fixed number of arguments.
      
      On the other hand, dm-switch needs to process bulk data using messages
      so excessive use of GFP_NOIO could cause trouble.
      
      The patch also lowers the default number of arguments from 64 to 8, so
      that there is smaller load on GFP_NOIO allocations.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Acked-by: default avatarAlasdair G Kergon <agk@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3ccb527f
    • Stanislaw Gruszka's avatar
      rt2400pci: fix RSSI read · b725146e
      Stanislaw Gruszka authored
      commit 2bf127a5 upstream.
      
      RSSI value is provided on word3 not on word2.
      Signed-off-by: default avatarStanislaw Gruszka <stf_xl@wp.pl>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b725146e
    • Ursula Braun's avatar
      qeth: avoid buffer overflow in snmp ioctl · 401a0f38
      Ursula Braun authored
      commit 6fb392b1 upstream.
      
      Check user-defined length in snmp ioctl request and allow request
      only if it fits into a qeth command buffer.
      Signed-off-by: default avatarUrsula Braun <ursula.braun@de.ibm.com>
      Signed-off-by: default avatarFrank Blaschka <frank.blaschka@de.ibm.com>
      Reviewed-by: default avatarHeiko Carstens <heicars2@linux.vnet.ibm.com>
      Reported-by: default avatarNico Golde <nico@ngolde.de>
      Reported-by: default avatarFabian Yamaguchi <fabs@goesec.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      401a0f38
    • Larry Finger's avatar
      rtlwifi: rtl8192cu: Fix incorrect signal strength for unassociated AP · dca32a77
      Larry Finger authored
      commit 78dbfecb upstream.
      
      The routine that processes received frames was returning the RSSI value for the
      signal strength; however, that value is available only for associated APs. As
      a result, the strength was the absurd value of 10 dBm. As a result, scans
      return incorrect values for the strength, which causes unwanted attempts to roam.
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dca32a77
    • Larry Finger's avatar
      rtlwifi: rtl8192se: Fix incorrect signal strength for unassociated AP · f59cbdca
      Larry Finger authored
      commit b4ade797 upstream.
      
      The routine that processes received frames was returning the RSSI value for the
      signal strength; however, that value is available only for associated APs. As
      a result, the strength was the absurd value of 10 dBm. As a result, scans
      return incorrect values for the strength, which causes unwanted attempts to roam.
      
      This patch fixes https://bugzilla.kernel.org/show_bug.cgi?id=63881.
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Reported-by: default avatarMatthieu Baerts <matttbe@gmail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f59cbdca
    • Larry Finger's avatar
      rtlwifi: rtl8192de: Fix incorrect signal strength for unassociated AP · 80c82f6f
      Larry Finger authored
      commit 3545f3d5 upstream.
      
      The routine that processes received frames was returning the RSSI value for the
      signal strength; however, that value is available only for associated APs. As
      a result, the strength was the absurd value of 10 dBm. As a result, scans
      return incorrect values for the strength, which causes unwanted attempts to roam.
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      80c82f6f
    • Malcolm Priestley's avatar
      staging: vt6656: [BUG] Fix for TX USB resets from vendors driver. · 6aefef7e
      Malcolm Priestley authored
      commit 9df68292 upstream.
      
      This fixes resets on heavy TX data traffic.
      
      Vendor driver
      VT6656_Linux_src_v1.21.03_x86_11.04.zip
      http://www.viaembedded.com/servlet/downloadSvl?id=1890&download_file_id=14704
      This is GPL-licensed code.
      
      original code
      BBbVT3184Init
      ...
      //2007-0725, RobertChang add, Enable Squelch detect reset option(SQ_RST_Opt), USB (register4, bit1)
      CONTROLnsRequestIn(pDevice,
                                       MESSAGE_TYPE_READ,
                                       (WORD)0x600+4,     // USB's Reg4's bit1
                                       MESSAGE_REQUEST_MEM,
                                       1,
                                       (PBYTE) &byData);
      byData = byData|2 ;
      CONTROLnsRequestOut(pDevice,
                                    MESSAGE_TYPE_WRITE,
                                    (WORD)0x600+4,     // USB's Reg4's bit1
                                    MESSAGE_REQUEST_MEM,
                                    1,
                                    (PBYTE) &byData);
      
      return TRUE;//ntStatus;
      ....
      
      A back port patch is needed for kernels less than 3.10.
      Signed-off-by: default avatarMalcolm Priestley <tvboxspy@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6aefef7e
    • Vegard Nossum's avatar
      xen/blkback: fix reference counting · fbd60498
      Vegard Nossum authored
      commit ea5ec76d upstream.
      
      If the permission check fails, we drop a reference to the blkif without
      having taken it in the first place. The bug was introduced in commit
      604c499c (xen/blkback: Check device
      permissions before allowing OP_DISCARD).
      
      Cc: Jan Beulich <JBeulich@suse.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fbd60498
    • Theodore Ts'o's avatar
    • Huang Shijie's avatar
      mtd: gpmi: fix kernel BUG due to racing DMA operations · 1eb9c342
      Huang Shijie authored
      commit 7b3d2fb9 upstream.
      
      [1] The gpmi uses the nand_command_lp to issue the commands to NAND chips.
          The gpmi issues a DMA operation with gpmi_cmd_ctrl when it handles
          a NAND_CMD_NONE control command. So when we read a page(NAND_CMD_READ0)
          from the NAND, we may send two DMA operations back-to-back.
      
          If we do not serialize the two DMA operations, we will meet a bug when
      
          1.1) we enable CONFIG_DMA_API_DEBUG, CONFIG_DMADEVICES_DEBUG,
               and CONFIG_DEBUG_SG.
      
          1.2) Use the following commands in an UART console and a SSH console:
               cmd 1: while true;do dd if=/dev/mtd0 of=/dev/null;done
               cmd 1: while true;do dd if=/dev/mmcblk0 of=/dev/null;done
      
          The kernel log shows below:
          -----------------------------------------------------------------
          kernel BUG at lib/scatterlist.c:28!
          Unable to handle kernel NULL pointer dereference at virtual address 00000000
            .........................
          [<80044a0c>] (__bug+0x18/0x24) from [<80249b74>] (sg_next+0x48/0x4c)
          [<80249b74>] (sg_next+0x48/0x4c) from [<80255398>] (debug_dma_unmap_sg+0x170/0x1a4)
          [<80255398>] (debug_dma_unmap_sg+0x170/0x1a4) from [<8004af58>] (dma_unmap_sg+0x14/0x6c)
          [<8004af58>] (dma_unmap_sg+0x14/0x6c) from [<8027e594>] (mxs_dma_tasklet+0x18/0x1c)
          [<8027e594>] (mxs_dma_tasklet+0x18/0x1c) from [<8007d444>] (tasklet_action+0x114/0x164)
          -----------------------------------------------------------------
      
          1.3) Assume the two DMA operations is X (first) and Y (second).
      
               The root cause of the bug:
      	   Assume process P issues DMA X, and sleep on the completion
      	 @this->dma_done. X's tasklet callback is dma_irq_callback. It firstly
      	 wake up the process sleeping on the completion @this->dma_done,
      	 and then trid to unmap the scatterlist S. The waked process P will
      	 issue Y in another ARM core. Y initializes S->sg_magic to zero
      	 with sg_init_one(), while dma_irq_callback is unmapping S at the same
      	 time.
      
      	 See the diagram:
      
                         ARM core 0              |         ARM core 1
      	 -------------------------------------------------------------
               (P issues DMA X, then sleep)  --> |
                                                 |
               (X's tasklet wakes P)         --> |
                                                 |
                                                 | <-- (P begin to issue DMA Y)
                                                 |
               (X's tasklet unmap the            |
            scatterlist S with dma_unmap_sg) --> | <-- (Y calls sg_init_one() to init
                                                 |      scatterlist S)
                                                 |
      
      [2] This patch serialize both the X and Y in the following way:
           Unmap the DMA scatterlist S firstly, and wake up the process at the end
           of the DMA callback, in such a way, Y will be executed after X.
      
           After this patch:
      
                         ARM core 0              |         ARM core 1
      	 -------------------------------------------------------------
               (P issues DMA X, then sleep)  --> |
                                                 |
               (X's tasklet unmap the            |
            scatterlist S with dma_unmap_sg) --> |
                                                 |
               (X's tasklet wakes P)         --> |
                                                 |
                                                 | <-- (P begin to issue DMA Y)
                                                 |
                                                 | <-- (Y calls sg_init_one() to init
                                                 |     scatterlist S)
                                                 |
      Signed-off-by: default avatarHuang Shijie <b32955@freescale.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1eb9c342
    • Wang Haitao's avatar
      mtd: map: fixed bug in 64-bit systems · 09f66504
      Wang Haitao authored
      commit a4d62bab upstream.
      
      Hardware:
      	CPU: XLP832,the 64-bit OS
      	NOR Flash:S29GL128S 128M
      Software:
      	Kernel:2.6.32.41
      	Filesystem:JFFS2
      When writing files, errors appear:
      	Write len 182  but return retlen 180
      	Write of 182 bytes at 0x072c815c failed. returned -5, retlen 180
      	Write len 186  but return retlen 184
      	Write of 186 bytes at 0x072caff4 failed. returned -5, retlen 184
      These errors exist only in 64-bit systems,not in 32-bit systems. After analysis, we
      found that the left shift operation is wrong in map_word_load_partial. For instance:
      	unsigned char buf[3] ={0x9e,0x3a,0xea};
      	map_bankwidth(map) is 4;
      	for (i=0; i < 3; i++) {
      		int bitpos;
      		bitpos = (map_bankwidth(map)-1-i)*8;
      		orig.x[0] &= ~(0xff << bitpos);
      		orig.x[0] |= buf[i] << bitpos;
      	}
      
      The value of orig.x[0] is expected to be 0x9e3aeaff, but in this situation(64-bit
      System) we'll get the wrong value of 0xffffffff9e3aeaff due to the 64-bit sign
      extension:
      buf[i] is defined as "unsigned char" and the left-shift operation will convert it
      to the type of "signed int", so when left-shift buf[i] by 24 bits, the final result
      will get the wrong value: 0xffffffff9e3aeaff.
      
      If the left-shift bits are less than 24, then sign extension will not occur. Whereas
      the bankwidth of the nor flash we used is 4, therefore this BUG emerges.
      Signed-off-by: default avatarPang Xunlei <pang.xunlei@zte.com.cn>
      Signed-off-by: default avatarZhang Yi <zhang.yi20@zte.com.cn>
      Signed-off-by: default avatarLu Zhongjun <lu.zhongjun@zte.com.cn>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      09f66504
    • Brian Norris's avatar
      mtd: nand: hack ONFI for non-power-of-2 dimensions · b22831e6
      Brian Norris authored
      commit 4355b70c upstream.
      
      Some bright specification writers decided to write this in the ONFI spec
      (from ONFI 3.0, Section 3.1):
      
        "The number of blocks and number of pages per block is not required to
        be a power of two. In the case where one of these values is not a
        power of two, the corresponding address shall be rounded to an
        integral number of bits such that it addresses a range up to the
        subsequent power of two value. The host shall not access upper
        addresses in a range that is shown as not supported."
      
      This breaks every assumption MTD makes about NAND block/chip-size
      dimensions -- they *must* be a power of two!
      
      And of course, an enterprising manufacturer has made use of this lovely
      freedom. Exhibit A: Micron MT29F32G08CBADAWP
      
        "- Plane size: 2 planes x 1064 blocks per plane
         - Device size: 32Gb: 2128 blockss [sic]"
      
      This quickly hits a BUG() in nand_base.c, since the extra dimensions
      overflow so we think it's a second chip (on my single-chip setup):
      
          ONFI param page 0 valid
          ONFI flash detected
          NAND device: Manufacturer ID: 0x2c, Chip ID: 0x44 (Micron MT29F32G08CBADAWP), 4256MiB, page size: 8192, OOB size: 744
          ------------[ cut here ]------------
          kernel BUG at drivers/mtd/nand/nand_base.c:203!
          Internal error: Oops - BUG: 0 [#1] SMP ARM
          [... trim ...]
          [<c02cf3e4>] (nand_select_chip+0x18/0x2c) from [<c02d25c0>] (nand_do_read_ops+0x90/0x424)
          [<c02d25c0>] (nand_do_read_ops+0x90/0x424) from [<c02d2dd8>] (nand_read+0x54/0x78)
          [<c02d2dd8>] (nand_read+0x54/0x78) from [<c02ad2c8>] (mtd_read+0x84/0xbc)
          [<c02ad2c8>] (mtd_read+0x84/0xbc) from [<c02d4b28>] (scan_read.clone.4+0x4c/0x64)
          [<c02d4b28>] (scan_read.clone.4+0x4c/0x64) from [<c02d4c88>] (search_bbt+0x148/0x290)
          [<c02d4c88>] (search_bbt+0x148/0x290) from [<c02d4ea4>] (nand_scan_bbt+0xd4/0x5c0)
          [... trim ...]
          ---[ end trace 0c9363860d865ff2 ]---
      
      So to fix this, just truncate these dimensions down to the greatest
      power-of-2 dimension that is less than or equal to the specified
      dimension.
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b22831e6
    • Mikulas Patocka's avatar
      loop: fix crash if blk_alloc_queue fails · 0aa9fced
      Mikulas Patocka authored
      commit 3ec981e3 upstream.
      
      loop: fix crash if blk_alloc_queue fails
      
      If blk_alloc_queue fails, loop_add cleans up, but it doesn't clean up the
      identifier allocated with idr_alloc. That causes crash on module unload in
      idr_for_each(&loop_index_idr, &loop_exit_cb, NULL); where we attempt to
      remove non-existed device with that id.
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000380
      IP: [<ffffffff812057c9>] del_gendisk+0x19/0x2d0
      PGD 43d399067 PUD 43d0ad067 PMD 0
      Oops: 0000 [#1] PREEMPT SMP
      Modules linked in: loop(-) dm_snapshot dm_zero dm_mirror dm_region_hash dm_log dm_loop dm_mod ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev msr ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_userspace cpufreq_stats cpufreq_ondemand cpufreq_conservative cpufreq_powersave spadfs fuse hid_generic usbhid hid raid0 md_mod dmi_sysfs nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack snd_usb_audio snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc lm85 hwmon_vid snd_hwdep snd_usbmidi_lib snd_rawmidi snd soundcore acpi_cpufreq ohci_hcd freq_table tg3 ehci_pci mperf ehci_hcd kvm_amd kvm sata_svw serverworks libphy libata ide_core k10temp usbcore hwmon microcode ptp pcspkr pps_core e100 skge mii usb_common i2c_piix4 floppy evdev rtc_cmos i2c_core processor but!
       ton unix
      CPU: 7 PID: 2735 Comm: rmmod Tainted: G        W    3.10.15-devel #15
      Hardware name: empty empty/S3992-E, BIOS 'V1.06   ' 06/09/2009
      task: ffff88043d38e780 ti: ffff88043d21e000 task.ti: ffff88043d21e000
      RIP: 0010:[<ffffffff812057c9>]  [<ffffffff812057c9>] del_gendisk+0x19/0x2d0
      RSP: 0018:ffff88043d21fe10  EFLAGS: 00010282
      RAX: ffffffffa05102e0 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: ffff88043ea82800 RDI: 0000000000000000
      RBP: ffff88043d21fe48 R08: 0000000000000000 R09: 0000000000000001
      R10: 0000000000000001 R11: 0000000000000000 R12: 00000000000000ff
      R13: 0000000000000080 R14: 0000000000000000 R15: ffff88043ea82800
      FS:  00007ff646534700(0000) GS:ffff880447000000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 0000000000000380 CR3: 000000043e9bf000 CR4: 00000000000007e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Stack:
       ffffffff8100aba4 0000000000000092 ffff88043d21fe48 ffff88043ea82800
       00000000000000ff ffff88043d21fe98 0000000000000000 ffff88043d21fe60
       ffffffffa05102b4 0000000000000000 ffff88043d21fe70 ffffffffa05102ec
      Call Trace:
       [<ffffffff8100aba4>] ? native_sched_clock+0x24/0x80
       [<ffffffffa05102b4>] loop_remove+0x14/0x40 [loop]
       [<ffffffffa05102ec>] loop_exit_cb+0xc/0x10 [loop]
       [<ffffffff81217b74>] idr_for_each+0x104/0x190
       [<ffffffffa05102e0>] ? loop_remove+0x40/0x40 [loop]
       [<ffffffff8109adc5>] ? trace_hardirqs_on_caller+0x105/0x1d0
       [<ffffffffa05135dc>] loop_exit+0x34/0xa58 [loop]
       [<ffffffff810a98ea>] SyS_delete_module+0x13a/0x260
       [<ffffffff81221d5e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
       [<ffffffff813cff16>] system_call_fastpath+0x1a/0x1f
      Code: f0 4c 8b 6d f8 c9 c3 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 56 41 55 4c 8d af 80 00 00 00 41 54 53 48 89 fb 48 83 ec 18 <48> 83 bf 80 03 00
      00 00 74 4d e8 98 fe ff ff 31 f6 48 c7 c7 20
      RIP  [<ffffffff812057c9>] del_gendisk+0x19/0x2d0
       RSP <ffff88043d21fe10>
      CR2: 0000000000000380
      ---[ end trace 64ec069ec70f1309 ]---
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0aa9fced
    • Jan Kara's avatar
      IB/ipath: Convert ipath_user_sdma_pin_pages() to use get_user_pages_fast() · ac6638ed
      Jan Kara authored
      commit 4adcf7fb upstream.
      
      ipath_user_sdma_queue_pkts() gets called with mmap_sem held for
      writing.  Except for get_user_pages() deep down in
      ipath_user_sdma_pin_pages() we don't seem to need mmap_sem at all.
      
      Even more interestingly the function ipath_user_sdma_queue_pkts() (and
      also ipath_user_sdma_coalesce() called somewhat later) call
      copy_from_user() which can hit a page fault and we deadlock on trying
      to get mmap_sem when handling that fault.  So just make
      ipath_user_sdma_pin_pages() use get_user_pages_fast() and leave
      mmap_sem locking for mm.
      
      This deadlock has actually been observed in the wild when the node
      is under memory pressure.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarMike Marciniszyn <mike.marciniszyn@intel.com>
      [ Merged in fix for call to get_user_pages_fast from Tetsuo Handa
        <penguin-kernel@I-love.SAKURA.ne.jp>.  - Roland ]
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ac6638ed
    • Eric Seppanen's avatar
      iscsi-target: chap auth shouldn't match username with trailing garbage · 27c0008c
      Eric Seppanen authored
      commit 86784c6b upstream.
      
      In iSCSI negotiations with initiator CHAP enabled, usernames with
      trailing garbage are permitted, because the string comparison only
      checks the strlen of the configured username.
      
      e.g. "usernameXXXXX" will be permitted to match "username".
      
      Just check one more byte so the trailing null char is also matched.
      Signed-off-by: default avatarEric Seppanen <eric@purestorage.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      27c0008c
    • Eric Seppanen's avatar
      iscsi-target: fix extract_param to handle buffer length corner case · 7dac7f10
      Eric Seppanen authored
      commit 369653e4 upstream.
      
      extract_param() is called with max_length set to the total size of the
      output buffer.  It's not safe to allow a parameter length equal to the
      buffer size as the terminating null would be written one byte past the
      end of the output buffer.
      Signed-off-by: default avatarEric Seppanen <eric@purestorage.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7dac7f10