1. 06 Mar, 2013 40 commits
    • Jan Kara's avatar
      fs: Fix possible use-after-free with AIO · 53edcd23
      Jan Kara authored
      commit 54c807e7 upstream.
      
      Running AIO is pinning inode in memory using file reference. Once AIO
      is completed using aio_complete(), file reference is put and inode can
      be freed from memory. So we have to be sure that calling aio_complete()
      is the last thing we do with the inode.
      
      CC: Christoph Hellwig <hch@infradead.org>
      CC: Jens Axboe <axboe@kernel.dk>
      CC: Jeff Moyer <jmoyer@redhat.com>
      Acked-by: default avatarJeff Moyer <jmoyer@redhat.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      53edcd23
    • Lukas Czerner's avatar
      ext4: fix free clusters calculation in bigalloc filesystem · 668f6e6a
      Lukas Czerner authored
      commit 304e220f upstream.
      
      ext4_has_free_clusters() should tell us whether there is enough free
      clusters to allocate, however number of free clusters in the file system
      is converted to blocks using EXT4_C2B() which is not only wrong use of
      the macro (we should have used EXT4_NUM_B2C) but it's also completely
      wrong concept since everything else is in cluster units.
      
      Moreover when calculating number of root clusters we should be using
      macro EXT4_NUM_B2C() instead of EXT4_B2C() otherwise the result might be
      off by one. However r_blocks_count should always be a multiple of the
      cluster ratio so doing a plain bit shift should be enough here. We
      avoid using EXT4_B2C() because it's confusing.
      
      As a result of the first problem number of free clusters is much bigger
      than it should have been and ext4_has_free_clusters() would return 1 even
      if there is really not enough free clusters available.
      
      Fix this by removing the EXT4_C2B() conversion of free clusters and
      using bit shift when calculating number of root clusters. This bug
      affects number of xfstests tests covering file system ENOSPC situation
      handling. With this patch most of the ENOSPC problems with bigalloc file
      system disappear, especially the errors caused by delayed allocation not
      having enough space when the actual allocation is finally requested.
      Signed-off-by: default avatarLukas Czerner <lczerner@redhat.com>
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      668f6e6a
    • Lars-Peter Clausen's avatar
      drivers/video/backlight/adp88?0_bl.c: fix resume · 8ca4e7b9
      Lars-Peter Clausen authored
      commit 5eb02c01 upstream.
      
      Clearing the NSTBY bit in the control register also automatically clears
      the BLEN bit.  So we need to make sure to set it again during resume,
      otherwise the backlight will stay off.
      Signed-off-by: default avatarLars-Peter Clausen <lars@metafoo.de>
      Acked-by: default avatarMichael Hennerich <michael.hennerich@analog.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8ca4e7b9
    • Junxiao Bi's avatar
      ocfs2: unlock super lock if lockres refresh failed · 9ba3d1e2
      Junxiao Bi authored
      commit 3278bb74 upstream.
      
      If lockres refresh failed, the super lock will never be released which
      will cause some processes on other cluster nodes hung forever.
      Signed-off-by: default avatarJunxiao Bi <junxiao.bi@oracle.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Mark Fasheh <mfasheh@suse.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9ba3d1e2
    • MITSUNARI Shigeo's avatar
      fs/block_dev.c: page cache wrongly left invalidated after revalidate_disk() · 65a79a3b
      MITSUNARI Shigeo authored
      commit 7630b661 upstream.
      
      We found that bdev->bd_invalidated was left set once revalidate_disk()
      is called, which results in page cache flush every time that device is
      open.
      
      Specifically, we found this problem in MD block device.  Once we resize
      a MD device, mdadm --monitor periodically flush all page cache for that
      device every 60 or 1000 seconds when it opens the device.
      
      This bug lies since at least 3.2.0 till the latest kernel(3.6.2).  Patch
      is attached.
      
      The following steps will reproduce the problem.
      
      1. prepair a block device (eg /dev/sdb).
      
      2. create two partitions:
      
         sudo parted /dev/sdb
         mklabel gpt
         mkpart primary 0% 50%
         mkpart primary 50% 100%
      
      3. create a md device.
      
         sudo mdadm -C /dev/md/hoge -l 1 -n 2 -e 1.2 --assume-clean --auto=md --symlink=no /dev/sdb1 /dev/sdb2
      
      4. create file system and mount it
      
         sudo mkfs.ext3 /dev/md/hoge
         sudo mkdir /mnt/test
         sudo mount /dev/md/hoge /mnt/test
      
      5. try to resize the device
      
         sudo mdadm -G /dev/md/hoge --size=max
      
      6. create a file to fill file cache.
      
        sudo dd if=/dev/urandom of=/mnt/test/data bs=1M count=10
      
      and verify the current status of file by free command.
      
      7. mdadm monitor will open the md device every 1000 seconds and you
         will find all file cache on the device are cleared.
      
      The timing can be reduced by the following steps.
      
      a) kill mdadm and restart it with --delay option
      
         /sbin/mdadm --monitor --delay=30 --pid-file /var/run/mdadm/monitor.pid --daemonise --scan --syslog
      
      or open the md device directly.
      
         sudo dd if=/dev/md/hoge of=/dev/null bs=4096 count=1
      Signed-off-by: default avatarMITSUNARI Shigeo <herumi@nifty.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Jeff Moyer <jmoyer@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      65a79a3b
    • Jim Somerville's avatar
      inotify: remove broken mask checks causing unmount to be EINVAL · c8164cb5
      Jim Somerville authored
      commit 676a0675 upstream.
      
      Running the command:
      
      	inotifywait -e unmount /mnt/disk
      
      immediately aborts with a -EINVAL return code.  This is however a valid
      parameter.  This abort occurs only if unmount is the sole event
      parameter.  If other event parameters are supplied, then the unmount
      event wait will work.
      
      The problem was introduced by commit 44b350fc ("inotify: Fix mask
      checks").  In that commit, it states:
      
      	The mask checks in inotify_update_existing_watch() and
      	inotify_new_watch() are useless because inotify_arg_to_mask()
      	sets FS_IN_IGNORED and FS_EVENT_ON_CHILD bits anyway.
      
      But instead of removing the useless checks, it did this:
      
      	        mask = inotify_arg_to_mask(arg);
      	-       if (unlikely(!mask))
      	+       if (unlikely(!(mask & IN_ALL_EVENTS)))
      	                return -EINVAL;
      
      The problem is that IN_ALL_EVENTS doesn't include IN_UNMOUNT, and other
      parts of the code keep IN_UNMOUNT separate from IN_ALL_EVENTS.  So the
      check should be:
      
      	if (unlikely(!(mask & (IN_ALL_EVENTS | IN_UNMOUNT))))
      
      But inotify_arg_to_mask(arg) always sets the IN_UNMOUNT bit in the mask
      anyway, so the check is always going to pass and thus should simply be
      removed.  Also note that inotify_arg_to_mask completely controls what
      mask bits get set from arg, there's no way for invalid bits to get
      enabled there.
      
      Lets fix it by simply removing the useless broken checks.
      Signed-off-by: default avatarJim Somerville <Jim.Somerville@windriver.com>
      Signed-off-by: default avatarPaul Gortmaker <paul.gortmaker@windriver.com>
      Cc: Jerome Marchand <jmarchan@redhat.com>
      Cc: John McCutchan <john@johnmccutchan.com>
      Cc: Robert Love <rlove@rlove.org>
      Cc: Eric Paris <eparis@parisplace.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c8164cb5
    • Tejun Heo's avatar
      posix-timer: Don't call idr_find() with out-of-range ID · 4fa1b6ed
      Tejun Heo authored
      commit e182bb38 upstream.
      
      When idr_find() was fed a negative ID, it used to look up the ID
      ignoring the sign bit before recent ("idr: remove MAX_IDR_MASK and
      move left MAX_IDR_* into idr.c") patch. Now a negative ID triggers
      a WARN_ON_ONCE().
      
      __lock_timer() feeds timer_id from userland directly to idr_find()
      without sanitizing it which can trigger the above malfunctions.  Add a
      range check on @timer_id before invoking idr_find() in __lock_timer().
      
      While timer_t is defined as int by all archs at the moment, Andrew
      worries that it may be defined as a larger type later on.  Make the
      test cover larger integers too so that it at least is guaranteed to
      not return the wrong timer.
      
      Note that WARN_ON_ONCE() in idr_find() on id < 0 is transitional
      precaution while moving away from ignoring MSB.  Once it's gone we can
      remove the guard as long as timer_t isn't larger than int.
      
      Signed-off-by: Tejun Heo <tj@kernel.org>nnn
      Reported-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Link: http://lkml.kernel.org/r/20130220232412.GL3570@htj.dyndns.orgSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4fa1b6ed
    • Pawel Moll's avatar
      ALSA: usb: Fix Processing Unit Descriptor parsers · 7d3cbb43
      Pawel Moll authored
      commit b531f81b upstream.
      
      Commit 99fc8645 "ALSA: usb-mixer:
      parse descriptors with structs" introduced a set of useful parsers
      for descriptors. Unfortunately the parses for the Processing Unit
      Descriptor came with a very subtle bug...
      
      Functions uac_processing_unit_iProcessing() and
      uac_processing_unit_specific() were indexing the baSourceID array
      forgetting the fields before the iProcessing and process-specific
      descriptors.
      
      The problem was observed with Sound Blaster Extigy mixer,
      where nNrModes in Up/Down-mix Processing Unit Descriptor
      was accessed at offset 10 of the descriptor (value 0)
      instead of offset 15 (value 7). In result the resulting
      control had interesting limit values:
      
      Simple mixer control 'Channel Routing Mode Select',0
        Capabilities: volume volume-joined penum
        Playback channels: Mono
        Capture channels: Mono
        Limits: 0 - -1
        Mono: -1 [100%]
      
      Fixed by starting from the bmControls, which was calculated
      correctly, instead of baSourceID.
      
      Now the mentioned control is fine:
      
      Simple mixer control 'Channel Routing Mode Select',0
        Capabilities: volume volume-joined penum
        Playback channels: Mono
        Capture channels: Mono
        Limits: 0 - 6
        Mono: 0 [0%]
      Signed-off-by: default avatarPawel Moll <mail@pawelmoll.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7d3cbb43
    • Matt Fleming's avatar
      x86, efi: Make "noefi" really disable EFI runtime serivces · 1a116473
      Matt Fleming authored
      commit fb834c7a upstream.
      
      commit 1de63d60 ("efi: Clear EFI_RUNTIME_SERVICES rather than
      EFI_BOOT by "noefi" boot parameter") attempted to make "noefi" true to
      its documentation and disable EFI runtime services to prevent the
      bricking bug described in commit e0094244 ("samsung-laptop:
      Disable on EFI hardware"). However, it's not possible to clear
      EFI_RUNTIME_SERVICES from an early param function because
      EFI_RUNTIME_SERVICES is set in efi_init() *after* parse_early_param().
      
      This resulted in "noefi" effectively becoming a no-op and no longer
      providing users with a way to disable EFI, which is bad for those
      users that have buggy machines.
      Reported-by: default avatarWalt Nelson Jr <walt0924@gmail.com>
      Cc: Satoru Takeuchi <takeuchi_satoru@jp.fujitsu.com>
      Signed-off-by: default avatarMatt Fleming <matt.fleming@intel.com>
      Link: http://lkml.kernel.org/r/1361392572-25657-1-git-send-email-matt@console-pimps.orgSigned-off-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      [bwh: Backported to 3.2: efi_runtime_init() is not a separate function,
       so put a whole set of statements in an if (!disable_runtime) block]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1a116473
    • Stefan Bader's avatar
      xen: Send spinlock IPI to all waiters · 7afb6c33
      Stefan Bader authored
      commit 76eaca03 upstream.
      
      There is a loophole between Xen's current implementation of
      pv-spinlocks and the scheduler. This was triggerable through
      a testcase until v3.6 changed the TLB flushing code. The
      problem potentially is still there just not observable in the
      same way.
      
      What could happen was (is):
      
      1. CPU n tries to schedule task x away and goes into a slow
         wait for the runq lock of CPU n-# (must be one with a lower
         number).
      2. CPU n-#, while processing softirqs, tries to balance domains
         and goes into a slow wait for its own runq lock (for updating
         some records). Since this is a spin_lock_irqsave in softirq
         context, interrupts will be re-enabled for the duration of
         the poll_irq hypercall used by Xen.
      3. Before the runq lock of CPU n-# is unlocked, CPU n-1 receives
         an interrupt (e.g. endio) and when processing the interrupt,
         tries to wake up task x. But that is in schedule and still
         on_cpu, so try_to_wake_up goes into a tight loop.
      4. The runq lock of CPU n-# gets unlocked, but the message only
         gets sent to the first waiter, which is CPU n-# and that is
         busily stuck.
      5. CPU n-# never returns from the nested interruption to take and
         release the lock because the scheduler uses a busy wait.
         And CPU n never finishes the task migration because the unlock
         notification only went to CPU n-#.
      
      To avoid this and since the unlocking code has no real sense of
      which waiter is best suited to grab the lock, just send the IPI
      to all of them. This causes the waiters to return from the hyper-
      call (those not interrupted at least) and do active spinlocking.
      
      BugLink: http://bugs.launchpad.net/bugs/1011792Acked-by: default avatarJan Beulich <JBeulich@suse.com>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7afb6c33
    • Wei Liu's avatar
      xen: close evtchn port if binding to irq fails · c03cebd1
      Wei Liu authored
      commit e7e44e44 upstream.
      Signed-off-by: default avatarWei Liu <wei.liu2@citrix.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c03cebd1
    • Daniel Vetter's avatar
      intel/iommu: force writebuffer-flush quirk on Gen 4 Chipsets · cf65e1c8
      Daniel Vetter authored
      commit 210561ff upstream.
      
      We already have the quirk entry for the mobile platform, but also
      reports on some desktop versions. So be paranoid and set it
      everywhere.
      
      References: http://www.mail-archive.com/dri-devel@lists.freedesktop.org/msg33138.html
      Cc: David Woodhouse <dwmw2@infradead.org>
      Cc: "Sankaran, Rajesh" <rajesh.sankaran@intel.com>
      Reported-and-tested-by: default avatarMihai Moldovan <ionic@ionic.de>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cf65e1c8
    • Patrik Jakobsson's avatar
      drm/i915: Set i9xx sdvo clock limits according to specifications · 9ee8bc68
      Patrik Jakobsson authored
      commit 4f7dfb67 upstream.
      
      The Intel PRM says the M1 and M2 divisors must be in the range of 10-20 and 5-9.
      Since we do all calculations based on them being register values (which are
      subtracted by 2) we need to specify them accordingly.
      Signed-off-by: default avatarPatrik Jakobsson <patrik.r.jakobsson@gmail.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=56359Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9ee8bc68
    • Jani Nikula's avatar
      drm/i915: add missing \n to UTS_RELEASE in the error_state · 59bebf6c
      Jani Nikula authored
      commit fdfa175d upstream.
      
      Amending
      commit 4518f611
      Author: Daniel Vetter <daniel.vetter@ffwll.ch>
      Date:   Wed Jan 23 16:16:35 2013 +0100
      
          drm/i915: dump UTS_RELEASE into the error_state
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Reviewed-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      59bebf6c
    • Mika Kuoppala's avatar
      drm/i915: disable shared panel fitter for pipe · db0a8a87
      Mika Kuoppala authored
      commit 24a1f16d upstream.
      
      If encoder is switched off by BIOS, but the panel fitter is left on,
      we never try to turn off the panel fitter and leave it still attached
      to the pipe - which can cause blurry output elsewhere.
      
      Based on work by Chris Wilson <chris@chris-wilson.co.uk>
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=58867Signed-off-by: default avatarMika Kuoppala <mika.kuoppala@intel.com>
      Tested-by: default avatarAndreas Sturmlechner <andreas.sturmlechner@gmail.com>
      [danvet: Remove the redundant HAS_PCH_SPLIT check and add a tiny
      comment.]
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      db0a8a87
    • Paulo Zanoni's avatar
      drm: don't add inferred modes for monitors that don't support them · 7a8e149e
      Paulo Zanoni authored
      commit 196e077d upstream.
      
      If bit 0 of the features byte (0x18) is set to 0, then, according to
      the EDID spec, "the display is non-continuous frequency (multi-mode)
      and is only specified to accept the video timing formats that are
      listed in Base EDID and certain Extension Blocks".
      
      For more information, please see the EDID spec, check the notes of the
      table that explains the "Feature Support" byte (18h) and also the
      notes on the tables of the section that explains "Display Range Limits
      & Additional Timing Description Definition (tag #FDh)".
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=45729Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Reviewed-by: default avatarAdam Jackson <ajax@redhat.com>
      Signed-off-by: default avatarPaulo Zanoni <paulo.r.zanoni@intel.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7a8e149e
    • Jan Beulich's avatar
      xen-blkback: do not leak mode property · 0b9662bc
      Jan Beulich authored
      commit 9d092603 upstream.
      
      "be->mode" is obtained from xenbus_read(), which does a kmalloc() for
      the message body. The short string is never released, so do it along
      with freeing "be" itself, and make sure the string isn't kept when
      backend_changed() doesn't complete successfully (which made it
      desirable to slightly re-structure that function, so that the error
      cleanup can be done in one place).
      Reported-by: default avatarOlaf Hering <olaf@aepfle.de>
      Signed-off-by: default avatarJan Beulich <jbeulich@suse.com>
      Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0b9662bc
    • David Henningsson's avatar
      ALSA: hda - hdmi: ELD shouldn't be valid after unplug · dd250c18
      David Henningsson authored
      commit bbfd8a19 upstream.
      
      Currently, eld_valid is never set to false, except at kernel module
      load time. This patch makes sure that eld is no longer valid when
      the cable is (hot-)unplugged.
      Signed-off-by: default avatarDavid Henningsson <david.henningsson@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      dd250c18
    • Trond Myklebust's avatar
      NLM: Ensure that we resend all pending blocking locks after a reclaim · c0bb151f
      Trond Myklebust authored
      commit 666b3d80 upstream.
      
      Currently, nlmclnt_lock will break out of the for(;;) loop when
      the reclaimer wakes up the blocking lock thread by setting
      nlm_lck_denied_grace_period. This causes the lock request to fail
      with an ENOLCK error.
      The intention was always to ensure that we resend the lock request
      after the grace period has expired.
      Reported-by: default avatarWangyuan Zhang <Wangyuan.Zhang@netapp.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c0bb151f
    • Larry Finger's avatar
      b43: Increase number of RX DMA slots · c6f8eab7
      Larry Finger authored
      commit ccae0e50 upstream.
      
      Bastian Bittorf reported that some of the silent freezes on a Linksys WRT54G
      were due to overflow of the RX DMA ring buffer, which was created with 64
      slots. That finding reminded me that I was seeing similar crashed on a netbook,
      which also has a relatively slow processor. After increasing the number of
      slots to 128, runs on the netbook that previously failed now worked; however,
      I found that 109 slots had been used in one test. For that reason, the number
      of slots is being increased to 256.
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Cc: Bastian Bittorf <bittorf@bluebottle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c6f8eab7
    • Steven Rostedt (Red Hat)'s avatar
      ftrace: Call ftrace cleanup module notifier after all other notifiers · a638e6bb
      Steven Rostedt (Red Hat) authored
      commit 8c189ea6 upstream.
      
      Commit: c1bf08ac "ftrace: Be first to run code modification on modules"
      
      changed ftrace module notifier's priority to INT_MAX in order to
      process the ftrace nops before anything else could touch them
      (namely kprobes). This was the correct thing to do.
      
      Unfortunately, the ftrace module notifier also contains the ftrace
      clean up code. As opposed to the set up code, this code should be
      run *after* all the module notifiers have run in case a module is doing
      correct clean-up and unregisters its ftrace hooks. Basically, ftrace
      needs to do clean up on module removal, as it needs to know about code
      being removed so that it doesn't try to modify that code. But after it
      removes the module from its records, if a ftrace user tries to remove
      a probe, that removal will fail due as the record of that code segment
      no longer exists.
      
      Nothing really bad happens if the probe removal is called after ftrace
      did the clean up, but the ftrace removal function will return an error.
      Correct code (such as kprobes) will produce a WARN_ON() if it fails
      to remove the probe. As people get annoyed by frivolous warnings, it's
      best to do the ftrace clean up after everything else.
      
      By splitting the ftrace_module_notifier into two notifiers, one that
      does the module load setup that is run at high priority, and the other
      that is called for module clean up that is run at low priority, the
      problem is solved.
      Reported-by: default avatarFrank Ch. Eigler <fche@redhat.com>
      Acked-by: default avatarMasami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a638e6bb
    • Nicholas Bellinger's avatar
      target: Add missing mapped_lun bounds checking during make_mappedlun setup · 5f5db37d
      Nicholas Bellinger authored
      commit fbbf8555 upstream.
      
      This patch adds missing bounds checking for the configfs provided
      mapped_lun value during target_fabric_make_mappedlun() setup ahead
      of se_lun_acl initialization.
      
      This addresses a potential OOPs when using a mapped_lun value that
      exceeds the hardcoded TRANSPORT_MAX_LUNS_PER_TPG-1 value within
      se_node_acl->device_list[].
      Reported-by: default avatarJan Engelhardt <jengelh@inai.de>
      Cc: Jan Engelhardt <jengelh@inai.de>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5f5db37d
    • Nicholas Bellinger's avatar
      target: Fix lookup of dynamic NodeACLs during cached demo-mode operation · f310bed9
      Nicholas Bellinger authored
      commit fcf29481 upstream.
      
      This patch fixes a bug in core_tpg_check_initiator_node_acl() ->
      core_tpg_get_initiator_node_acl() where a dynamically created
      se_node_acl generated during session login would be skipped during
      subsequent lookup due to the '!acl->dynamic_node_acl' check, causing
      a new se_node_acl to be created with a duplicate ->initiatorname.
      
      This would occur when a fabric endpoint was configured with
      TFO->tpg_check_demo_mode()=1 + TPF->tpg_check_demo_mode_cache()=1
      preventing the release of an existing se_node_acl during se_session
      shutdown.
      
      Also, drop the unnecessary usage of core_tpg_get_initiator_node_acl()
      within core_dev_init_initiator_node_lun_acl() that originally
      required the extra '!acl->dynamic_node_acl' check, and just pass
      the configfs provided se_node_acl pointer instead.
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      [bwh: Backported to 3.2: adjust context, filename of header]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f310bed9
    • Jussi Kivilinna's avatar
      rtlwifi: usb: allocate URB control message setup_packet and data buffer separately · 9e2282d4
      Jussi Kivilinna authored
      commit bc6b8923 upstream.
      
      rtlwifi allocates both setup_packet and data buffer of control message urb,
      using shared kmalloc in _usbctrl_vendorreq_async_write. Structure used for
      allocating is:
      	struct {
      		u8 data[254];
      		struct usb_ctrlrequest dr;
      	};
      
      Because 'struct usb_ctrlrequest' is __packed, setup packet is unaligned and
      DMA mapping of both 'data' and 'dr' confuses ARM/sunxi, leading to memory
      corruptions and freezes.
      
      Patch changes setup packet to be allocated separately.
      
      [v2]:
       - Use WARN_ON_ONCE instead of WARN_ON
      Signed-off-by: default avatarJussi Kivilinna <jussi.kivilinna@mbnet.fi>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9e2282d4
    • Linus Torvalds's avatar
      mm: fix pageblock bitmap allocation · 0d15de8e
      Linus Torvalds authored
      commit 7c45512d upstream.
      
      Commit c060f943 ("mm: use aligned zone start for pfn_to_bitidx
      calculation") fixed out calculation of the index into the pageblock
      bitmap when a !SPARSEMEM zome was not aligned to pageblock_nr_pages.
      
      However, the _allocation_ of that bitmap had never taken this alignment
      requirement into accout, so depending on the exact size and alignment of
      the zone, the use of that index could then access past the allocation,
      resulting in some very subtle memory corruption.
      
      This was reported (and bisected) by Ingo Molnar: one of his random
      config builds would hang with certain very specific kernel command line
      options.
      
      In the meantime, commit c060f943 has been marked for stable, so this
      fix needs to be back-ported to the stable kernels that backported the
      commit to use the right alignment.
      Bisected-and-tested-by: default avatarIngo Molnar <mingo@kernel.org>
      Acked-by: default avatarMel Gorman <mgorman@suse.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0d15de8e
    • Lukas Czerner's avatar
      ext4: fix xattr block allocation/release with bigalloc · f861f64d
      Lukas Czerner authored
      commit 1231b3a1 upstream.
      
      Currently when new xattr block is created or released we we would call
      dquot_free_block() or dquot_alloc_block() respectively, among the else
      decrementing or incrementing the number of blocks assigned to the
      inode by one block.
      
      This however does not work for bigalloc file system because we always
      allocate/free the whole cluster so we have to count with that in
      dquot_free_block() and dquot_alloc_block() as well.
      
      Use the clusters-to-blocks conversion EXT4_C2B() when passing number of
      blocks to the dquot_alloc/free functions to fix the problem.
      
      The problem has been revealed by xfstests #117 (and possibly others).
      Signed-off-by: default avatarLukas Czerner <lczerner@redhat.com>
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Reviewed-by: default avatarEric Sandeen <sandeen@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f861f64d
    • Li Zefan's avatar
      cpuset: fix cpuset_print_task_mems_allowed() vs rename() race · 59222bdd
      Li Zefan authored
      commit 63f43f55 upstream.
      
      rename() will change dentry->d_name. The result of this race can
      be worse than seeing partially rewritten name, but we might access
      a stale pointer because rename() will re-allocate memory to hold
      a longer name.
      
      It's safe in the protection of dentry->d_lock.
      
      v2: check NULL dentry before acquiring dentry lock.
      Signed-off-by: default avatarLi Zefan <lizefan@huawei.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      59222bdd
    • Li Zefan's avatar
      cgroup: fix exit() vs rmdir() race · d6f179e6
      Li Zefan authored
      commit 71b5707e upstream.
      
      In cgroup_exit() put_css_set_taskexit() is called without any lock,
      which might lead to accessing a freed cgroup:
      
      thread1                           thread2
      ---------------------------------------------
      exit()
        cgroup_exit()
          put_css_set_taskexit()
            atomic_dec(cgrp->count);
                                         rmdir();
            /* not safe !! */
            check_for_release(cgrp);
      
      rcu_read_lock() can be used to make sure the cgroup is alive.
      Signed-off-by: default avatarLi Zefan <lizefan@huawei.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d6f179e6
    • fanchaoting's avatar
      umount oops when remove blocklayoutdriver first · a6a26fe0
      fanchaoting authored
      commit 5a12cca6 upstream.
      
      now pnfs client uses block layout, maybe we can remove
      blocklayoutdriver first. if we umount later,
      it can cause oops in unset_pnfs_layoutdriver.
      because nfss->pnfs_curr_ld->clear_layoutdriver is invalid.
      
      reproduce it:
       modprobe  blocklayoutdriver
       mount -t nfs4 -o minorversion=1 pnfsip:/ /mnt/
       rmmod blocklayoutdriver
       umount /mnt
      
      then you can see following
      
      CPU 0
      Pid: 17023, comm: umount.nfs4 Tainted: GF          O 3.7.0-rc6-pnfs #1 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
      RIP: 0010:[<ffffffffa04cfe6d>]  [<ffffffffa04cfe6d>] unset_pnfs_layoutdriver+0x1d/0x70 [nfsv4]
      RSP: 0018:ffff8800022d9e48  EFLAGS: 00010286
      RAX: ffffffffa04a1b00 RBX: ffff88000b013800 RCX: 0000000000000001
      RDX: ffffffff81ae8ee0 RSI: ffff880001ee94b8 RDI: ffff88000b013800
      RBP: ffff8800022d9e58 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffff880001ee9400
      R13: ffff8800105978c0 R14: 00007fff25846c08 R15: 0000000001bba550
      FS:  00007f45ae7f0700(0000) GS:ffff880012c00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: ffffffffa04a1b38 CR3: 0000000002c0c000 CR4: 00000000000006f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process umount.nfs4 (pid: 17023, threadinfo ffff8800022d8000, task ffff880006e48aa0)
      Stack:
      ffff8800105978c0 ffff88000b013800 ffff8800022d9e78 ffffffffa04cd0ce
      ffff8800022d9e78 ffff88000b013800 ffff8800022d9ea8 ffffffffa04755a7
      ffff8800022d9ea8 ffff880002f96400 ffff88000b013800 ffff880002f96400
      Call Trace:
      [<ffffffffa04cd0ce>] nfs4_destroy_server+0x1e/0x30 [nfsv4]
      [<ffffffffa04755a7>] nfs_free_server+0xb7/0x150 [nfs]
      [<ffffffffa047d4d5>] nfs_kill_super+0x35/0x40 [nfs]
      [<ffffffff81178d35>] deactivate_locked_super+0x45/0x70
      [<ffffffff8117986a>] deactivate_super+0x4a/0x70
      [<ffffffff81193ee2>] mntput_no_expire+0xd2/0x130
      [<ffffffff81194d62>] sys_umount+0x72/0xe0
      [<ffffffff8154af59>] system_call_fastpath+0x16/0x1b
      Code: 06 e1 b8 ea ff ff ff eb 9e 0f 1f 44 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 48 8b 87 80 03 00 00 48 89 fb 48 85 c0 74 29 <48> 8b 40 38 48 85 c0 74 02 ff d0 48 8b 03 3e ff 48 04 0f 94 c2
      RIP  [<ffffffffa04cfe6d>] unset_pnfs_layoutdriver+0x1d/0x70 [nfsv4]
      RSP <ffff8800022d9e48>
      CR2: ffffffffa04a1b38
      ---[ end trace 29f75aaedda058bf ]---
      
      Signed-off-by: fanchaoting<fanchaoting@cn.fujitsu.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a6a26fe0
    • Weston Andros Adamson's avatar
      NFSv4.1: Don't decode skipped layoutgets · 3c5add9c
      Weston Andros Adamson authored
      commit 085b7a45 upstream.
      
      layoutget's prepare hook can call rpc_exit with status = NFS4_OK (0).
      Because of this, nfs4_proc_layoutget can't depend on a 0 status to mean
      that the RPC was successfully sent, received and parsed.
      
      To fix this, use the result's len member to see if parsing took place.
      
      This fixes the following OOPS -- calling xdr_init_decode() with a buffer length
      0 doesn't set the stream's 'p' member and ends up using uninitialized memory
      in filelayout_decode_layout.
      
      BUG: unable to handle kernel paging request at 0000000000008050
      IP: [<ffffffff81282e78>] memcpy+0x18/0x120
      PGD 0
      Oops: 0000 [#1] SMP
      last sysfs file: /sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/irq
      CPU 1
      Modules linked in: nfs_layout_nfsv41_files nfs lockd fscache auth_rpcgss nfs_acl autofs4 sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 dm_mirror dm_region_hash dm_log dm_mod ppdev parport_pc parport snd_ens1371 snd_rawmidi snd_ac97_codec ac97_bus snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc e1000 microcode vmware_balloon i2c_piix4 i2c_core sg shpchp ext4 mbcache jbd2 sr_mod cdrom sd_mod crc_t10dif pata_acpi ata_generic ata_piix mptspi mptscsih mptbase scsi_transport_spi [last unloaded: speedstep_lib]
      
      Pid: 1665, comm: flush-0:22 Not tainted 2.6.32-356-test-2 #2 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
      RIP: 0010:[<ffffffff81282e78>]  [<ffffffff81282e78>] memcpy+0x18/0x120
      RSP: 0018:ffff88003dfab588  EFLAGS: 00010206
      RAX: ffff88003dc42000 RBX: ffff88003dfab610 RCX: 0000000000000009
      RDX: 000000003f807ff0 RSI: 0000000000008050 RDI: ffff88003dc42000
      RBP: ffff88003dfab5b0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000080 R12: 0000000000000024
      R13: ffff88003dc42000 R14: ffff88003f808030 R15: ffff88003dfab6a0
      FS:  0000000000000000(0000) GS:ffff880003420000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
      CR2: 0000000000008050 CR3: 000000003bc92000 CR4: 00000000001407e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process flush-0:22 (pid: 1665, threadinfo ffff88003dfaa000, task ffff880037f77540)
      Stack:
      ffffffffa0398ac1 ffff8800397c5940 ffff88003dfab610 ffff88003dfab6a0
      <d> ffff88003dfab5d0 ffff88003dfab680 ffffffffa01c150b ffffea0000d82e70
      <d> 000000508116713b 0000000000000000 0000000000000000 0000000000000000
      Call Trace:
      [<ffffffffa0398ac1>] ? xdr_inline_decode+0xb1/0x120 [sunrpc]
      [<ffffffffa01c150b>] filelayout_decode_layout+0xeb/0x350 [nfs_layout_nfsv41_files]
      [<ffffffffa01c17fc>] filelayout_alloc_lseg+0x8c/0x3c0 [nfs_layout_nfsv41_files]
      [<ffffffff8150e6ce>] ? __wait_on_bit+0x7e/0x90
      Signed-off-by: default avatarWeston Andros Adamson <dros@netapp.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3c5add9c
    • J. Bruce Fields's avatar
      svcrpc: make svc_age_temp_xprts enqueue under sv_lock · a60210ba
      J. Bruce Fields authored
      commit e75bafbf upstream.
      
      svc_age_temp_xprts expires xprts in a two-step process: first it takes
      the sv_lock and moves the xprts to expire off their server-wide list
      (sv_tempsocks or sv_permsocks) to a local list.  Then it drops the
      sv_lock and enqueues and puts each one.
      
      I see no reason for this: svc_xprt_enqueue() will take sp_lock, but the
      sv_lock and sp_lock are not otherwise nested anywhere (and documentation
      at the top of this file claims it's correct to nest these with sp_lock
      inside.)
      Tested-by: default avatarJason Tibbitts <tibbs@math.uh.edu>
      Tested-by: default avatarPaweł Sikora <pawel.sikora@agmk.net>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a60210ba
    • Stanislaw Gruszka's avatar
      posix-cpu-timers: Fix nanosleep task_struct leak · de80ffb4
      Stanislaw Gruszka authored
      commit e6c42c29 upstream.
      
      The trinity fuzzer triggered a task_struct reference leak via
      clock_nanosleep with CPU_TIMERs. do_cpu_nanosleep() calls
      posic_cpu_timer_create(), but misses a corresponding
      posix_cpu_timer_del() which leads to the task_struct reference leak.
      Reported-and-tested-by: default avatarTommi Rantala <tt.rantala@gmail.com>
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Cc: Dave Jones <davej@redhat.com>
      Cc: John Stultz <john.stultz@linaro.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Link: http://lkml.kernel.org/r/20130215100810.GF4392@redhat.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      de80ffb4
    • Josh Boyer's avatar
      USB: usb-storage: unusual_devs update for Super TOP SATA bridge · b6803d8d
      Josh Boyer authored
      commit 18e03310 upstream.
      
      The current entry in unusual_cypress.h for the Super TOP SATA bridge devices
      seems to be causing corruption on newer revisions of this device.  This has
      been reported in Arch Linux and Fedora.  The original patch was tested on
      devices with bcdDevice of 1.60, whereas the newer devices report bcdDevice
      as 2.20.  Limit the UNUSUAL_DEV entry to devices less than 2.20.
      
      This fixes https://bugzilla.redhat.com/show_bug.cgi?id=909591
      
      The Arch Forum post on this is here:
      	https://bbs.archlinux.org/viewtopic.php?id=152011Reported-by: default avatarCarsten S. <carsteniq@yahoo.com>
      Tested-by: default avatarCarsten S. <carsteniq@yahoo.com>
      Signed-off-by: default avatarJosh Boyer <jwboyer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b6803d8d
    • Roger Quadros's avatar
      USB: ehci-omap: Fix autoloading of module · 507c50ba
      Roger Quadros authored
      commit 04753523 upstream.
      
      The module alias should be "ehci-omap" and not
      "omap-ehci" to match the platform device name.
      The omap-ehci module should now autoload correctly.
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      507c50ba
    • Arnd Bergmann's avatar
      ARM: w90x900: fix legacy assembly syntax · ee0a25ab
      Arnd Bergmann authored
      commit fa5ce5f9 upstream.
      
      New ARM binutils don't allow extraneous whitespace inside
      of brackets, which causes this error on all mach-w90x900
      defconfigs:
      
      arch/arm/kernel/entry-armv.S: Assembler messages:
      arch/arm/kernel/entry-armv.S:214: Error: ARM register expected -- `ldr r0,[ r6,#(0x10C)]'
      arch/arm/kernel/entry-armv.S:214: Error: ARM register expected -- `ldr r0,[ r6,#(0x110)]'
      arch/arm/kernel/entry-armv.S:430: Error: ARM register expected -- `ldr r0,[ r6,#(0x10C)]'
      arch/arm/kernel/entry-armv.S:430: Error: ARM register expected -- `ldr r0,[ r6,#(0x110)]'
      
      This removes the whitespace in order to build the kernel
      again.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: Wan ZongShun <mcuos.com@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ee0a25ab
    • Arnd Bergmann's avatar
      ARM: samsung: fix assembly syntax for new gas · 70c46976
      Arnd Bergmann authored
      commit 2815774b upstream.
      
      Recent assembler versions complain about extraneous
      whitespace inside [] brackets. This fixes all of
      these instances for the samsung platforms. We should
      backport this to all kernels that might need to
      be built with new binutils.
      
      arch/arm/kernel/entry-armv.S: Assembler messages:
      arch/arm/kernel/entry-armv.S:214: Error: ARM register expected -- `ldr r2,[ r6,#(0x10)]'
      arch/arm/kernel/entry-armv.S:214: Error: ARM register expected -- `ldr r0,[ r6,#(0x14)]'
      arch/arm/kernel/entry-armv.S:430: Error: ARM register expected -- `ldr r2,[ r6,#(0x10)]'
      arch/arm/kernel/entry-armv.S:430: Error: ARM register expected -- `ldr r0,[ r6,#(0x14)]'
      arch/arm/mach-s3c24xx/sleep-s3c2410.S: Assembler messages:
      arch/arm/mach-s3c24xx/sleep-s3c2410.S:48: Error: ARM register expected -- `ldr r7,[ r4 ]'
      arch/arm/mach-s3c24xx/sleep-s3c2410.S:49: Error: ARM register expected -- `ldr r8,[ r5 ]'
      arch/arm/mach-s3c24xx/sleep-s3c2410.S:50: Error: ARM register expected -- `ldr r9,[ r6 ]'
      arch/arm/mach-s3c24xx/sleep-s3c2410.S:64: Error: ARM register expected -- `streq r7,[ r4 ]'
      arch/arm/mach-s3c24xx/sleep-s3c2410.S:65: Error: ARM register expected -- `streq r8,[ r5 ]'
      arch/arm/mach-s3c24xx/sleep-s3c2410.S:66: Error: ARM register expected -- `streq r9,[ r6 ]'
      arch/arm/kernel/debug.S: Assembler messages:
      arch/arm/kernel/debug.S:83: Error: ARM register expected -- `ldr r2,[ r2,#((0x0B0)+(((0x56000000)-(0x50000000))+(0xF6000000+(0x01000000))))-((0)+(((0x56000000)-(0x50000000))+(0xF6000000+(0x01000000))))]'
      arch/arm/kernel/debug.S:83: Error: ARM register expected -- `ldr r2,[ r3,#(0x18)]'
      arch/arm/kernel/debug.S:85: Error: ARM register expected -- `ldr r2,[ r2,#((0x0B0)+(((0x56000000)-(0x50000000))+(0xF6000000+(0x01000000))))-((0)+(((0x56000000)-(0x50000000))+(0xF6000000+(0x01000000))))]'
      arch/arm/kernel/debug.S:85: Error: ARM register expected -- `ldr r2,[ r3,#(0x18)]'
      arch/arm/mach-s3c24xx/pm-h1940.S: Assembler messages:
      arch/arm/mach-s3c24xx/pm-h1940.S:33: Error: ARM register expected -- `ldr pc,[ r0,#((0x0B8)+(((0x56000000)-(0x50000000))+(0xF6000000+(0x01000000))))-(((0x56000000)-(0x50000000))+(0xF6000000+(0x01000000)))]'
      arch/arm/mach-s3c24xx/sleep-s3c2412.S: Assembler messages:
      arch/arm/mach-s3c24xx/sleep-s3c2412.S:60: Error: ARM register expected -- `ldrne r9,[ r1 ]'
      arch/arm/mach-s3c24xx/sleep-s3c2412.S:61: Error: ARM register expected -- `strne r9,[ r1 ]'
      arch/arm/mach-s3c24xx/sleep-s3c2412.S:62: Error: ARM register expected -- `ldrne r9,[ r2 ]'
      arch/arm/mach-s3c24xx/sleep-s3c2412.S:63: Error: ARM register expected -- `strne r9,[ r2 ]'
      arch/arm/mach-s3c24xx/sleep-s3c2412.S:64: Error: ARM register expected -- `ldrne r9,[ r3 ]'
      arch/arm/mach-s3c24xx/sleep-s3c2412.S:65: Error: ARM register expected -- `strne r9,[ r3 ]'
      arch/arm/kernel/debug.S:83: Error: ARM register expected -- `ldr r2,[ r3,#(0x08)]'
      arch/arm/kernel/debug.S:83: Error: ARM register expected -- `ldr r2,[ r3,#(0x18)]'
      arch/arm/kernel/debug.S:83: Error: ARM register expected -- `ldr r2,[ r3,#(0x10)]'
      arch/arm/kernel/debug.S:85: Error: ARM register expected -- `ldr r2,[ r3,#(0x08)]'
      arch/arm/kernel/debug.S:85: Error: ARM register expected -- `ldr r2,[ r3,#(0x18)]'
      arch/arm/kernel/debug.S:85: Error: ARM register expected -- `ldr r2,[ r3,#(0x10)]'
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarKukjin Kim <kgene.kim@samsung.com>
      Cc: Ben Dooks <ben-linux@fluff.org>
      [bwh: Backported to 3.2: adjust filenames]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      70c46976
    • Satoru Takeuchi's avatar
      efi: Clear EFI_RUNTIME_SERVICES rather than EFI_BOOT by "noefi" boot parameter · ce75086e
      Satoru Takeuchi authored
      commit 1de63d60 upstream.
      
      There was a serious problem in samsung-laptop that its platform driver is
      designed to run under BIOS and running under EFI can cause the machine to
      become bricked or can cause Machine Check Exceptions.
      
          Discussion about this problem:
          https://bugs.launchpad.net/ubuntu-cdimage/+bug/1040557
          https://bugzilla.kernel.org/show_bug.cgi?id=47121
      
          The patches to fix this problem:
          efi: Make 'efi_enabled' a function to query EFI facilities
          83e68189
      
          samsung-laptop: Disable on EFI hardware
          e0094244
      
      Unfortunately this problem comes back again if users specify "noefi" option.
      This parameter clears EFI_BOOT and that driver continues to run even if running
      under EFI. Refer to the document, this parameter should clear
      EFI_RUNTIME_SERVICES instead.
      
      Documentation/kernel-parameters.txt:
      ===============================================================================
      ...
      	noefi		[X86] Disable EFI runtime services support.
      ...
      ===============================================================================
      
      Documentation/x86/x86_64/uefi.txt:
      ===============================================================================
      ...
      - If some or all EFI runtime services don't work, you can try following
        kernel command line parameters to turn off some or all EFI runtime
        services.
      	noefi		turn off all EFI runtime services
      ...
      ===============================================================================
      Signed-off-by: default avatarSatoru Takeuchi <takeuchi_satoru@jp.fujitsu.com>
      Link: http://lkml.kernel.org/r/511C2C04.2070108@jp.fujitsu.com
      Cc: Matt Fleming <matt.fleming@intel.com>
      Signed-off-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ce75086e
    • Bjørn Mork's avatar
      USB: option: add Huawei "ACM" devices using protocol = vendor · e8c94532
      Bjørn Mork authored
      commit 1f3f6877 upstream.
      
      The USB device descriptor of one identity presented by a few
      Huawei morphing devices have serial functions with class codes
      02/02/ff, indicating CDC ACM with a vendor specific protocol. This
      combination is often used for MSFT RNDIS functions, and the CDC
      ACM class driver will therefore ignore such functions.
      
      The CDC ACM class driver cannot support functions with only 2
      endpoints.  The underlying serial functions of these modems are
      also believed to be the same as for alternate device identities
      already supported by the option driver. Letting the same driver
      handle these functions independently of the current identity
      ensures consistent handling and user experience.
      
      There is no need to blacklist these devices in the rndis_host
      driver. Huawei serial functions will either have only 2 endpoints
      or a CDC ACM functional descriptor with bmCapabilities != 0, making
      them correctly ignored as "non RNDIS" by that driver.
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e8c94532
    • Rafael J. Wysocki's avatar
      PCI/PM: Clean up PME state when removing a device · f93873c3
      Rafael J. Wysocki authored
      commit 249bfb83 upstream.
      
      Devices are added to pci_pme_list when drivers use pci_enable_wake()
      or pci_wake_from_d3(), but they aren't removed from the list unless
      the driver explicitly disables wakeup.  Many drivers never disable
      wakeup, so their devices remain on the list even after they are
      removed, e.g., via hotplug.  A subsequent PME poll will oops when
      it tries to touch the device.
      
      This patch disables PME# on a device before removing it, which removes
      the device from pci_pme_list.  This is safe even if the device never
      had PME# enabled.
      
      This oops can be triggered by unplugging a Thunderbolt ethernet adapter
      on a Macbook Pro, as reported by Daniel below.
      
      [bhelgaas: changelog]
      Reference: http://lkml.kernel.org/r/CAMVG2svG21yiM1wkH4_2pen2n+cr2-Zv7TbH3Gj+8MwevZjDbw@mail.gmail.comReported-and-tested-by: default avatarDaniel J Blueman <daniel@quora.org>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f93873c3
    • George Spelvin's avatar
      pps: Fix a use-after free bug when unregistering a source. · 77327a71
      George Spelvin authored
      commit d953e0e8 upstream.
      
      Remove the cdev from the system (with cdev_del) *before* deallocating it
      (in pps_device_destruct, called via kobject_put from device_destroy).
      
      Also prevent deallocating a device with open file handles.
      
      A better long-term fix is probably to remove the cdev from the pps_device
      entirely, and instead have all devices reference one global cdev.  Then
      the deallocation ordering becomes simpler.
      
      But that's more complex and invasive change, so we leave that
      for later.
      Signed-off-by: default avatarGeorge Spelvin <linux@horizon.com>
      Acked-by: default avatarRodolfo Giometti <giometti@enneenne.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      77327a71