commit 774e1e67ef51e643e0415baddcbd26f4d44e3270 Author: Greg Kroah-Hartman Date: Tue May 6 07:59:58 2014 -0700 Linux 3.14.3 commit cff520b03d074fc0a4a34de7a70a83af0e5e961e Author: Leigh Brown Date: Wed Apr 16 12:26:35 2014 +0100 ARM: dts: am335x: update USB DT references commit a2f8d6b303213a98436455aece7e14cdd1240629 upstream. In "ARM: dts: am33xx: correcting dt node unit address for usb", the usb_ctrl_mod and cppi41dma nodes were updated with the correct register addresses. However, the dts files that reference these nodes were not updated, and those devices are no longer being enabled. This patch corrects the references for the affected dts files. Signed-off-by: Leigh Brown Signed-off-by: Tony Lindgren Cc: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 4ea5e5e98e4e8ab48085002fef5e3bee01774ba2 Author: Aaron Sanders Date: Mon Mar 31 15:54:21 2014 +0200 USB: pl2303: add ids for Hewlett-Packard HP POS pole displays commit b16c02fbfb963fa2941b7517ebf1f8a21946775e upstream. Add device ids to pl2303 for the Hewlett-Packard HP POS pole displays: LD960: 03f0:0B39 LCM220: 03f0:3139 LCM960: 03f0:3239 [ Johan: fix indentation and sort PIDs numerically ] Signed-off-by: Aaron Sanders Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 7df528e7b9c438b592401473083126d6d79f78f9 Author: Stephen Warren Date: Mon Apr 14 15:21:23 2014 -0600 USB: EHCI: tegra: set txfill_tuning commit 4f2fe2d27472f4a5dbd875888af4fc5175f3fdc5 upstream. To avoid memory fetch underflows with larger USB transfers, Tegra SoCs need txfill_tuning's txfifothresh register field set to a non-default value. Add a custom reset override in order to set this up. These values are recommended practice for all Tegra chips. However, I've only noticed practical problems when not setting them this way on systems using Tegra124. Hence, CC: stable only for recent kernels which actually support Tegra124. Signed-off-by: Stephen Warren Acked-by: Alan Stern Tested-by: Alexandre Courbot Signed-off-by: Greg Kroah-Hartman commit 73be2e28cf568eb9662fb9e1fb680977e072f66a Author: Stephen Warren Date: Tue Apr 1 14:13:17 2014 -0600 dt: tegra: remove non-existent clock IDs commit 9ef1af9ea28c23d0eaed97f7f5142788b6cf570a upstream. The Tegra124 clock DT binding currently provides 3 clocks that don't actually exist; 2 for NAND and one for UART5/UARTE. Delete these. While this is technically an incompatible DT ABI change, nothing could have used these clock IDs for anything practical, since the HW doesn't exist. Signed-off-by: Stephen Warren Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit c3dc2128976353457155573fd30427e035327f76 Author: Stephen Warren Date: Tue Apr 1 14:13:16 2014 -0600 clk: tegra: remove non-existent clocks commit 9ba71705706aa83bcd7f9b74ae2d167da934c951 upstream. The Tegra124 clock driver currently provides 3 clocks that don't actually exist; 2 for NAND and one for UART5/UARTE. Delete these. Signed-off-by: Stephen Warren Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 185a3afb4e3dd9da07a2187bd2dfdecdf1d74cee Author: Stephen Warren Date: Tue Apr 1 14:13:15 2014 -0600 ARM: tegra: remove UART5/UARTE from tegra124.dtsi commit 862f0eea38409ff0d7f226c1245b787e3f0e2607 upstream. Tegra124 only has 4 UARTs. Parts of the documentation hint at a fifth UART, but this appears to be left-over from earlier SoC documentation. Remove the non-existent DT node for UART5. Signed-off-by: Stephen Warren Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 6292e9cbfdeddcc857abe004ddc1aa4b66df2593 Author: Julius Werner Date: Fri Apr 25 19:20:13 2014 +0300 usb: xhci: Prefer endpoint context dequeue pointer over stopped_trb commit 1f81b6d22a5980955b01e08cf27fb745dc9b686f upstream. We have observed a rare cycle state desync bug after Set TR Dequeue Pointer commands on Intel LynxPoint xHCs (resulting in an endpoint that doesn't fetch new TRBs and thus an unresponsive USB device). It always triggers when a previous Set TR Dequeue Pointer command has set the pointer to the final Link TRB of a segment, and then another URB gets enqueued and cancelled again before it can be completed. Further investigation showed that the xHC had returned the Link TRB in the TRB Pointer field of the Transfer Event (CC == Stopped -- Length Invalid), but when xhci_find_new_dequeue_state() later accesses the Endpoint Context's TR Dequeue Pointer field it is set to the first TRB of the next segment. The driver expects those two values to be the same in this situation, and uses the cycle state of the latter together with the address of the former. This should be fine according to the XHCI specification, since the endpoint ring should be stopped when returning the Transfer Event and thus should not advance over the Link TRB before it gets restarted. However, real-world XHCI implementations apparently don't really care that much about these details, so the driver should follow a more defensive approach to try to work around HC spec violations. This patch removes the stopped_trb variable that had been used to store the TRB Pointer from the last Transfer Event of a stopped TRB. Instead, xhci_find_new_dequeue_state() now relies only on the Endpoint Context, requiring a small amount of additional processing to find the virtual address corresponding to the TR Dequeue Pointer. Some other parts of the function were slightly rearranged to better fit into this model. This patch should be backported to kernels as old as 2.6.31 that contain the commit ae636747146ea97efa18e04576acd3416e2514f5 "USB: xhci: URB cancellation support." Signed-off-by: Julius Werner Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 1c4af2535cd0c5378e3d91b9edac7772a2c70d1e Author: Theodore Ts'o Date: Sat Apr 12 12:45:25 2014 -0400 ext4: use i_size_read in ext4_unaligned_aio() commit 6e6358fc3c3c862bfe9a5bc029d3f8ce43dc9765 upstream. We haven't taken i_mutex yet, so we need to use i_size_read(). Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit de65d2a2221ab864583fee719b8a3f9e045a385b Author: Theodore Ts'o Date: Fri Apr 11 10:35:17 2014 -0400 ext4: move ext4_update_i_disksize() into mpage_map_and_submit_extent() commit 622cad1325e404598fe3b148c3fa640dbaabc235 upstream. The function ext4_update_i_disksize() is used in only one place, in the function mpage_map_and_submit_extent(). Move its code to simplify the code paths, and also move the call to ext4_mark_inode_dirty() into the i_data_sem's critical region, to be consistent with all of the other places where we update i_disksize. That way, we also keep the raw_inode's i_disksize protected, to avoid the following race: CPU #1 CPU #2 down_write(&i_data_sem) Modify i_disk_size up_write(&i_data_sem) down_write(&i_data_sem) Modify i_disk_size Copy i_disk_size to on-disk inode up_write(&i_data_sem) Copy i_disk_size to on-disk inode Signed-off-by: "Theodore Ts'o" Reviewed-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 58b9dc7b5d9d84783ea2d317b5fe29efbe4c9c83 Author: Jan Kara Date: Mon Apr 7 10:54:21 2014 -0400 ext4: fix jbd2 warning under heavy xattr load commit ec4cb1aa2b7bae18dd8164f2e9c7c51abcf61280 upstream. When heavily exercising xattr code the assertion that jbd2_journal_dirty_metadata() shouldn't return error was triggered: WARNING: at /srv/autobuild-ceph/gitbuilder.git/build/fs/jbd2/transaction.c:1237 jbd2_journal_dirty_metadata+0x1ba/0x260() CPU: 0 PID: 8877 Comm: ceph-osd Tainted: G W 3.10.0-ceph-00049-g68d04c9 #1 Hardware name: Dell Inc. PowerEdge R410/01V648, BIOS 1.6.3 02/07/2011 ffffffff81a1d3c8 ffff880214469928 ffffffff816311b0 ffff880214469968 ffffffff8103fae0 ffff880214469958 ffff880170a9dc30 ffff8802240fbe80 0000000000000000 ffff88020b366000 ffff8802256e7510 ffff880214469978 Call Trace: [] dump_stack+0x19/0x1b [] warn_slowpath_common+0x70/0xa0 [] warn_slowpath_null+0x1a/0x20 [] jbd2_journal_dirty_metadata+0x1ba/0x260 [] __ext4_handle_dirty_metadata+0xa3/0x140 [] ext4_xattr_release_block+0x103/0x1f0 [] ext4_xattr_block_set+0x1e0/0x910 [] ext4_xattr_set_handle+0x38b/0x4a0 [] ? trace_hardirqs_on+0xd/0x10 [] ext4_xattr_set+0xc2/0x140 [] ext4_xattr_user_set+0x47/0x50 [] generic_setxattr+0x6e/0x90 [] __vfs_setxattr_noperm+0x7b/0x1c0 [] vfs_setxattr+0xc4/0xd0 [] setxattr+0x13e/0x1e0 [] ? __sb_start_write+0xe7/0x1b0 [] ? mnt_want_write_file+0x28/0x60 [] ? fget_light+0x3c/0x130 [] ? mnt_want_write_file+0x28/0x60 [] ? __mnt_want_write+0x58/0x70 [] SyS_fsetxattr+0xbe/0x100 [] system_call_fastpath+0x16/0x1b The reason for the warning is that buffer_head passed into jbd2_journal_dirty_metadata() didn't have journal_head attached. This is caused by the following race of two ext4_xattr_release_block() calls: CPU1 CPU2 ext4_xattr_release_block() ext4_xattr_release_block() lock_buffer(bh); /* False */ if (BHDR(bh)->h_refcount == cpu_to_le32(1)) } else { le32_add_cpu(&BHDR(bh)->h_refcount, -1); unlock_buffer(bh); lock_buffer(bh); /* True */ if (BHDR(bh)->h_refcount == cpu_to_le32(1)) get_bh(bh); ext4_free_blocks() ... jbd2_journal_forget() jbd2_journal_unfile_buffer() -> JH is gone error = ext4_handle_dirty_xattr_block(handle, inode, bh); -> triggers the warning We fix the problem by moving ext4_handle_dirty_xattr_block() under the buffer lock. Sadly this cannot be done in nojournal mode as that function can call sync_dirty_buffer() which would deadlock. Luckily in nojournal mode the race is harmless (we only dirty already freed buffer) and thus for nojournal mode we leave the dirtying outside of the buffer lock. Reported-by: Sage Weil Signed-off-by: Jan Kara Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 6309a184a691c9e520f2336a46481d5ea04480a2 Author: Matthew Wilcox Date: Mon Apr 7 10:54:20 2014 -0400 ext4: note the error in ext4_end_bio() commit 9503c67c93ed0b95ba62d12d1fd09da6245dbdd6 upstream. ext4_end_bio() currently throws away the error that it receives. Chances are this is part of a spate of errors, one of which will end up getting the error returned to userspace somehow, but we shouldn't take that risk. Also print out the errno to aid in debug. Signed-off-by: Matthew Wilcox Signed-off-by: "Theodore Ts'o" Reviewed-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 549b3cf1c4393f2020e375dcbf891c2c811036b8 Author: Kazuya Mio Date: Mon Apr 7 10:53:28 2014 -0400 ext4: FIBMAP ioctl causes BUG_ON due to handle EXT_MAX_BLOCKS commit 4adb6ab3e0fa71363a5ef229544b2d17de6600d7 upstream. When we try to get 2^32-1 block of the file which has the extent (ee_block=2^32-2, ee_len=1) with FIBMAP ioctl, it causes BUG_ON in ext4_ext_put_gap_in_cache(). To avoid the problem, ext4_map_blocks() needs to check the file logical block number. ext4_ext_put_gap_in_cache() called via ext4_map_blocks() cannot handle 2^32-1 because the maximum file logical block number is 2^32-2. Note that ext4_ind_map_blocks() returns -EIO when the block number is invalid. So ext4_map_blocks() should also return the same errno. Signed-off-by: Kazuya Mio Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit b4140e2b766bb20f0eb9d363be9072905977c5e0 Author: Martin K. Petersen Date: Tue Apr 8 22:43:43 2014 -0400 block: Fix for_each_bvec() commit b7aa84d9cb9f26da1a9312c3e39dbd1a3c25a426 upstream. Commit 4550dd6c6b062 introduced for_each_bvec() which iterates over each bvec attached to a bio or bip. However, the macro fails to check bi_size before dereferencing which can lead to crashes while counting/mapping integrity scatterlist segments. Signed-off-by: Martin K. Petersen Cc: Kent Overstreet Cc: Nicholas Bellinger Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit fc7b1646bf29f722277bdd19551e01420ce9da8f Author: Al Viro Date: Thu Feb 27 09:35:45 2014 -0500 smarter propagate_mnt() commit f2ebb3a921c1ca1e2ddd9242e95a1989a50c4c68 upstream. The current mainline has copies propagated to *all* nodes, then tears down the copies we made for nodes that do not contain counterparts of the desired mountpoint. That sets the right propagation graph for the copies (at teardown time we move the slaves of removed node to a surviving peer or directly to master), but we end up paying a fairly steep price in useless allocations. It's fairly easy to create a situation where N calls of mount(2) create exactly N bindings, with O(N^2) vfsmounts allocated and freed in process. Fortunately, it is possible to avoid those allocations/freeings. The trick is to create copies in the right order and find which one would've eventually become a master with the current algorithm. It turns out to be possible in O(nodes getting propagation) time and with no extra allocations at all. One part is that we need to make sure that eventual master will be created before its slaves, so we need to walk the propagation tree in a different order - by peer groups. And iterate through the peers before dealing with the next group. Another thing is finding the (earlier) copy that will be a master of one we are about to create; to do that we are (temporary) marking the masters of mountpoints we are attaching the copies to. Either we are in a peer of the last mountpoint we'd dealt with, or we have the following situation: we are attaching to mountpoint M, the last copy S_0 had been attached to M_0 and there are sequences S_0...S_n, M_0...M_n such that S_{i+1} is a master of S_{i}, S_{i} mounted on M{i} and we need to create a slave of the first S_{k} such that M is getting propagation from M_{k}. It means that the master of M_{k} will be among the sequence of masters of M. On the other hand, the nearest marked node in that sequence will either be the master of M_{k} or the master of M_{k-1} (the latter - in the case if M_{k-1} is a slave of something M gets propagation from, but in a wrong peer group). So we go through the sequence of masters of M until we find a marked one (P). Let N be the one before it. Then we go through the sequence of masters of S_0 until we find one (say, S) mounted on a node D that has P as master and check if D is a peer of N. If it is, S will be the master of new copy, if not - the master of S will be. That's it for the hard part; the rest is fairly simple. Iterator is in next_group(), handling of one prospective mountpoint is propagate_one(). It seems to survive all tests and gives a noticably better performance than the current mainline for setups that are seriously using shared subtrees. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 66e23040261cce32af8011582b4af652bb022bf0 Author: Krzysztof Kozlowski Date: Fri Mar 21 13:18:17 2014 +0100 clk: s2mps11: Fix possible NULL pointer dereference commit 238e14055da87d0d012257788e39fe0df3a82226 upstream. If parent device does not have of_node set the s2mps11_clk_parse_dt() returned NULL. This NULL was later passed to of_clk_add_provider() which dereferenced it in pr_debug() call. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Mike Turquette Signed-off-by: Greg Kroah-Hartman commit e6713b5e477f4b3efda4faf1f4793acbdf722b06 Author: Tetsuo Handa Date: Thu Apr 3 14:47:07 2014 -0700 ocfs2: fix panic on kfree(xattr->name) commit f81c20158f8d5f7938d5eb86ecc42ecc09273ce6 upstream. Commit 9548906b2bb7 ('xattr: Constify ->name member of "struct xattr"') missed that ocfs2 is calling kfree(xattr->name). As a result, kernel panic occurs upon calling kfree(xattr->name) because xattr->name refers static constant names. This patch removes kfree(xattr->name) from ocfs2_mknod() and ocfs2_symlink(). Signed-off-by: Tetsuo Handa Reported-by: Tariq Saeed Tested-by: Tariq Saeed Reviewed-by: Srinivas Eeda Cc: Joel Becker Cc: Mark Fasheh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 65155d0493fce311051ae7eba0abcb43239c012c Author: alex chen Date: Thu Apr 3 14:47:05 2014 -0700 ocfs2: do not put bh when buffer_uptodate failed commit f7cf4f5bfe073ad792ab49c04f247626b3e38db6 upstream. Do not put bh when buffer_uptodate failed in ocfs2_write_block and ocfs2_write_super_or_backup, because it will put bh in b_end_io. Otherwise it will hit a warning "VFS: brelse: Trying to free free buffer". Signed-off-by: Alex Chen Reviewed-by: Joseph Qi Reviewed-by: Srinivas Eeda Cc: Mark Fasheh Acked-by: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 798c267521e133a97e3f9e12c285e08517e619bf Author: Junxiao Bi Date: Thu Apr 3 14:46:51 2014 -0700 ocfs2: dlm: fix recovery hung commit ded2cf71419b9353060e633b59e446c42a6a2a09 upstream. There is a race window in dlm_do_recovery() between dlm_remaster_locks() and dlm_reset_recovery() when the recovery master nearly finish the recovery process for a dead node. After the master sends FINALIZE_RECO message in dlm_remaster_locks(), another node may become the recovery master for another dead node, and then send the BEGIN_RECO message to all the nodes included the old master, in the handler of this message dlm_begin_reco_handler() of old master, dlm->reco.dead_node and dlm->reco.new_master will be set to the second dead node and the new master, then in dlm_reset_recovery(), these two variables will be reset to default value. This will cause new recovery master can not finish the recovery process and hung, at last the whole cluster will hung for recovery. old recovery master: new recovery master: dlm_remaster_locks() become recovery master for another dead node. dlm_send_begin_reco_message() dlm_begin_reco_handler() { if (dlm->reco.state & DLM_RECO_STATE_FINALIZE) { return -EAGAIN; } dlm_set_reco_master(dlm, br->node_idx); dlm_set_reco_dead_node(dlm, br->dead_node); } dlm_reset_recovery() { dlm_set_reco_dead_node(dlm, O2NM_INVALID_NODE_NUM); dlm_set_reco_master(dlm, O2NM_INVALID_NODE_NUM); } will hang in dlm_remaster_locks() for request dlm locks info Before send FINALIZE_RECO message, recovery master should set DLM_RECO_STATE_FINALIZE for itself and clear it after the recovery done, this can break the race windows as the BEGIN_RECO messages will not be handled before DLM_RECO_STATE_FINALIZE flag is cleared. A similar race may happen between new recovery master and normal node which is in dlm_finalize_reco_handler(), also fix it. Signed-off-by: Junxiao Bi Reviewed-by: Srinivas Eeda Reviewed-by: Wengang Wang Cc: Joel Becker Cc: Mark Fasheh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit de3778076cf4aa73274866ced68947c093996e61 Author: Junxiao Bi Date: Thu Apr 3 14:46:49 2014 -0700 ocfs2: dlm: fix lock migration crash commit 34aa8dac482f1358d59110d5e3a12f4351f6acaa upstream. This issue was introduced by commit 800deef3f6f8 ("ocfs2: use list_for_each_entry where benefical") in 2007 where it replaced list_for_each with list_for_each_entry. The variable "lock" will point to invalid data if "tmpq" list is empty and a panic will be triggered due to this. Sunil advised reverting it back, but the old version was also not right. At the end of the outer for loop, that list_for_each_entry will also set "lock" to an invalid data, then in the next loop, if the "tmpq" list is empty, "lock" will be an stale invalid data and cause the panic. So reverting the list_for_each back and reset "lock" to NULL to fix this issue. Another concern is that this seemes can not happen because the "tmpq" list should not be empty. Let me describe how. old lock resource owner(node 1): migratation target(node 2): image there's lockres with a EX lock from node 2 in granted list, a NR lock from node x with convert_type EX in converting list. dlm_empty_lockres() { dlm_pick_migration_target() { pick node 2 as target as its lock is the first one in granted list. } dlm_migrate_lockres() { dlm_mark_lockres_migrating() { res->state |= DLM_LOCK_RES_BLOCK_DIRTY; wait_event(dlm->ast_wq, !dlm_lockres_is_dirty(dlm, res)); //after the above code, we can not dirty lockres any more, // so dlm_thread shuffle list will not run downconvert lock from EX to NR upconvert lock from NR to EX <<< migration may schedule out here, then <<< node 2 send down convert request to convert type from EX to <<< NR, then send up convert request to convert type from NR to <<< EX, at this time, lockres granted list is empty, and two locks <<< in the converting list, node x up convert lock followed by <<< node 2 up convert lock. // will set lockres RES_MIGRATING flag, the following // lock/unlock can not run dlm_lockres_release_ast(dlm, res); } dlm_send_one_lockres() dlm_process_recovery_data() for (i=0; inum_locks; i++) if (ml->node == dlm->node_num) for (j = DLM_GRANTED_LIST; j <= DLM_BLOCKED_LIST; j++) { list_for_each_entry(lock, tmpq, list) if (lock) break; <<< lock is invalid as grant list is empty. } if (lock->ml.node != ml->node) BUG() >>> crash here } I see the above locks status from a vmcore of our internal bug. Signed-off-by: Junxiao Bi Reviewed-by: Wengang Wang Cc: Sunil Mushran Reviewed-by: Srinivas Eeda Cc: Joel Becker Cc: Mark Fasheh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 536102644107af12510f4724360c5ebef3211353 Author: Serge Hallyn Date: Thu Apr 3 14:48:33 2014 -0700 xattr: guard against simultaneous glibc header inclusion commit ea1a8217b06b41b31a2b60b0b83f75c77ef9c873 upstream. If the glibc xattr.h header is included after the uapi header, compilation fails due to an enum re-using a #define from the uapi header. Protect against this by guarding the define and enum inclusions against each other. (See https://lists.debian.org/debian-glibc/2014/03/msg00029.html and https://sourceware.org/glibc/wiki/Synchronizing_Headers for more information.) Signed-off-by: Serge Hallyn Cc: Andrew Morton Cc: Allan McRae Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit dfe468daba552b4d474db75ff54562691150bb78 Author: Liu Hua Date: Mon Apr 7 15:38:57 2014 -0700 hung_task: check the value of "sysctl_hung_task_timeout_sec" commit 80df28476505ed4e6701c3448c63c9229a50c655 upstream. As sysctl_hung_task_timeout_sec is unsigned long, when this value is larger then LONG_MAX/HZ, the function schedule_timeout_interruptible in watchdog will return immediately without sleep and with print : schedule_timeout: wrong timeout value ffffffffffffff83 and then the funtion watchdog will call schedule_timeout_interruptible again and again. The screen will be filled with "schedule_timeout: wrong timeout value ffffffffffffff83" This patch does some check and correction in sysctl, to let the function schedule_timeout_interruptible allways get the valid parameter. Signed-off-by: Liu Hua Tested-by: Satoru Takeuchi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 05b36270c305cf8e4d0d2b29b89c42f7ecd77d1c Author: Mizuma, Masayoshi Date: Mon Apr 7 15:37:54 2014 -0700 mm: hugetlb: fix softlockup when a large number of hugepages are freed. commit 55f67141a8927b2be3e51840da37b8a2320143ed upstream. When I decrease the value of nr_hugepage in procfs a lot, softlockup happens. It is because there is no chance of context switch during this process. On the other hand, when I allocate a large number of hugepages, there is some chance of context switch. Hence softlockup doesn't happen during this process. So it's necessary to add the context switch in the freeing process as same as allocating process to avoid softlockup. When I freed 12 TB hugapages with kernel-2.6.32-358.el6, the freeing process occupied a CPU over 150 seconds and following softlockup message appeared twice or more. $ echo 6000000 > /proc/sys/vm/nr_hugepages $ cat /proc/sys/vm/nr_hugepages 6000000 $ grep ^Huge /proc/meminfo HugePages_Total: 6000000 HugePages_Free: 6000000 HugePages_Rsvd: 0 HugePages_Surp: 0 Hugepagesize: 2048 kB $ echo 0 > /proc/sys/vm/nr_hugepages BUG: soft lockup - CPU#16 stuck for 67s! [sh:12883] ... Pid: 12883, comm: sh Not tainted 2.6.32-358.el6.x86_64 #1 Call Trace: free_pool_huge_page+0xb8/0xd0 set_max_huge_pages+0x128/0x190 hugetlb_sysctl_handler_common+0x113/0x140 hugetlb_sysctl_handler+0x1e/0x20 proc_sys_call_handler+0x97/0xd0 proc_sys_write+0x14/0x20 vfs_write+0xb8/0x1a0 sys_write+0x51/0x90 __audit_syscall_exit+0x265/0x290 system_call_fastpath+0x16/0x1b I have not confirmed this problem with upstream kernels because I am not able to prepare the machine equipped with 12TB memory now. However I confirmed that the amount of decreasing hugepages was directly proportional to the amount of required time. I measured required times on a smaller machine. It showed 130-145 hugepages decreased in a millisecond. Amount of decreasing Required time Decreasing rate hugepages (msec) (pages/msec) ------------------------------------------------------------ 10,000 pages == 20GB 70 - 74 135-142 30,000 pages == 60GB 208 - 229 131-144 It means decrement of 6TB hugepages will trigger softlockup with the default threshold 20sec, in this decreasing rate. Signed-off-by: Masayoshi Mizuma Cc: Joonsoo Kim Cc: Michal Hocko Cc: Wanpeng Li Cc: Aneesh Kumar Cc: KOSAKI Motohiro Cc: Naoya Horiguchi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9eef7172d412d1886b51f8c75b7e9b71c50203e3 Author: Vlastimil Babka Date: Mon Apr 7 15:37:50 2014 -0700 mm: try_to_unmap_cluster() should lock_page() before mlocking commit 57e68e9cd65b4b8eb4045a1e0d0746458502554c upstream. A BUG_ON(!PageLocked) was triggered in mlock_vma_page() by Sasha Levin fuzzing with trinity. The call site try_to_unmap_cluster() does not lock the pages other than its check_page parameter (which is already locked). The BUG_ON in mlock_vma_page() is not documented and its purpose is somewhat unclear, but apparently it serializes against page migration, which could otherwise fail to transfer the PG_mlocked flag. This would not be fatal, as the page would be eventually encountered again, but NR_MLOCK accounting would become distorted nevertheless. This patch adds a comment to the BUG_ON in mlock_vma_page() and munlock_vma_page() to that effect. The call site try_to_unmap_cluster() is fixed so that for page != check_page, trylock_page() is attempted (to avoid possible deadlocks as we already have check_page locked) and mlock_vma_page() is performed only upon success. If the page lock cannot be obtained, the page is left without PG_mlocked, which is again not a problem in the whole unevictable memory design. Signed-off-by: Vlastimil Babka Signed-off-by: Bob Liu Reported-by: Sasha Levin Cc: Wanpeng Li Cc: Michel Lespinasse Cc: KOSAKI Motohiro Acked-by: Rik van Riel Cc: David Rientjes Cc: Mel Gorman Cc: Hugh Dickins Cc: Joonsoo Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1409f8372a391e331fb9f6b1bc4d4ad8df0d31d4 Author: Johannes Weiner Date: Mon Apr 7 15:37:48 2014 -0700 mm: page_alloc: spill to remote nodes before waking kswapd commit 3a025760fc158b3726eac89ee95d7f29599e9dfa upstream. On NUMA systems, a node may start thrashing cache or even swap anonymous pages while there are still free pages on remote nodes. This is a result of commits 81c0a2bb515f ("mm: page_alloc: fair zone allocator policy") and fff4068cba48 ("mm: page_alloc: revert NUMA aspect of fair allocation policy"). Before those changes, the allocator would first try all allowed zones, including those on remote nodes, before waking any kswapds. But now, the allocator fastpath doubles as the fairness pass, which in turn can only consider the local node to prevent remote spilling based on exhausted fairness batches alone. Remote nodes are only considered in the slowpath, after the kswapds are woken up. But if remote nodes still have free memory, kswapd should not be woken to rebalance the local node or it may thrash cash or swap prematurely. Fix this by adding one more unfair pass over the zonelist that is allowed to spill to remote nodes after the local fairness pass fails but before entering the slowpath and waking the kswapds. This also gets rid of the GFP_THISNODE exemption from the fairness protocol because the unfair pass is no longer tied to kswapd, which GFP_THISNODE is not allowed to wake up. However, because remote spills can be more frequent now - we prefer them over local kswapd reclaim - the allocation batches on remote nodes could underflow more heavily. When resetting the batches, use atomic_long_read() directly instead of zone_page_state() to calculate the delta as the latter filters negative counter values. Signed-off-by: Johannes Weiner Acked-by: Rik van Riel Acked-by: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3eb537be8f50abc292d868e46eef6d8f749ce4cf Author: Matt Fleming Date: Thu Apr 3 14:46:20 2014 -0700 sh: fix format string bug in stack tracer commit a0c32761e73c9999cbf592b702f284221fea8040 upstream. Kees reported the following error: arch/sh/kernel/dumpstack.c: In function 'print_trace_address': arch/sh/kernel/dumpstack.c:118:2: error: format not a string literal and no format arguments [-Werror=format-security] Use the "%s" format so that it's impossible to interpret 'data' as a format string. Signed-off-by: Matt Fleming Reported-by: Kees Cook Acked-by: Kees Cook Cc: Paul Mundt Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit af0f6576e84e4d5ae788ef295091eb1f8ff5e285 Author: Nicholas Bellinger Date: Fri May 2 21:26:30 2014 +0000 iser-target: Add missing se_cmd put for WRITE_PENDING in tx_comp_err commit 03e7848a64ed535a30f5d7fc6dede2d5a6a2534b upstream. This patch fixes a bug where outstanding RDMA_READs with WRITE_PENDING status require an extra target_put_sess_cmd() in isert_put_cmd() code when called from isert_cq_tx_comp_err() + isert_cq_drain_comp_llist() context during session shutdown. The extra kref PUT is required so that transport_generic_free_cmd() invokes the last target_put_sess_cmd() -> target_release_cmd_kref(), which will complete(&se_cmd->cmd_wait_comp) the outstanding se_cmd descriptor with WRITE_PENDING status, and awake the completion in target_wait_for_sess_cmds() to invoke TFO->release_cmd(). The bug was manifesting itself in target_wait_for_sess_cmds() where a se_cmd descriptor with WRITE_PENDING status would end up sleeping indefinately. Acked-by: Sagi Grimberg Cc: Or Gerlitz Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 1ffddb5071b692412fe5d41393763c7b516dfb9c Author: Nicholas Bellinger Date: Fri May 2 21:26:29 2014 +0000 iser-target: Match FRMR descriptors to available session tags commit f46d6a8a01d6bbd83a97140f30a72a89b038807b upstream. This patch changes isert_conn_create_fastreg_pool() to follow logic in iscsi_target_locate_portal() for determining how many FRMR descriptors to allocate based upon the number of possible per-session command slots that are available. This addresses an OOPs in isert_reg_rdma() where due to the use of ISCSI_DEF_XMIT_CMDS_MAX could end up returning a bogus fast_reg_descriptor when the number of active tags exceeded the original hardcoded max. Note this also includes moving isert_conn_create_fastreg_pool() from isert_connect_request() to isert_put_login_tx() before posting the final Login Response PDU in order to determine the se_nacl->queue_depth (eg: number of tags) per session the target will be enforcing. v2 changes: - Move isert_conn->conn_fr_pool list_head init into isert_conn_request() v3 changes: - Drop unnecessary list_empty() check in isert_reg_rdma() (Sagi) Cc: Sagi Grimberg Cc: Or Gerlitz Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit c260938a788fec7a9819fe4907351468347603bc Author: Sam Bradshaw Date: Thu Mar 13 14:33:30 2014 -0700 mtip32xx: mtip_async_complete() bug fixes commit 5eb9291c36c7d71d7c6c832d5a4f551eb8ac015d upstream. This patch fixes 2 issues in the fast completion path: 1) Possible double completions / double dma_unmap_sg() calls due to lack of atomicity in the check and subsequent dereference of the upper layer callback function. Fixed with cmpxchg before unmap and callback. 2) Regression in unaligned IO constraining workaround for p420m devices. Fixed by checking if IO is unaligned and using proper semaphore if so. Signed-off-by: Sam Bradshaw Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 039c42311d46cff77dac8eded00cedb1fdba1ea9 Author: Felipe Franciosi Date: Thu Mar 13 14:34:21 2014 +0000 mtip32xx: Unmap the DMA segments before completing the IO request commit 368c89d7ac70f937c93cd6f3b65bcfdfb3ba794f upstream. If the buffers are unmapped after completing a request, then stale data might be in the request. Signed-off-by: Felipe Franciosi Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit ccbbc3ab78800068d1ecc6984e74db64f2165702 Author: Felipe Franciosi Date: Thu Mar 13 14:34:20 2014 +0000 mtip32xx: Set queue bounce limit commit 1044b1bb9278f2e656a1a7b63dc24a59506540aa upstream. We need to set the queue bounce limit during the device initialization to prevent excessive bouncing on 32 bit architectures. Signed-off-by: Felipe Franciosi Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 1090e5f4a8650d823a35bd060dcac1c4361920bc Author: Alan Stern Date: Wed Mar 12 11:30:38 2014 -0400 USB: unbind all interfaces before rebinding any commit 6aec044cc2f5670cf3b143c151c8be846499bd15 upstream. When a driver doesn't have pre_reset, post_reset, or reset_resume methods, the USB core unbinds that driver when its device undergoes a reset or a reset-resume, and then rebinds it afterward. The existing straightforward implementation can lead to problems, because each interface gets unbound and rebound before the next interface is handled. If a driver claims additional interfaces, the claim may fail because the old binding instance may still own the additional interface when the new instance tries to claim it. This patch fixes the problem by first unbinding all the interfaces that are marked (i.e., their needs_binding flag is set) and then rebinding all of them. The patch also makes the helper functions in driver.c a little more uniform and adjusts some out-of-date comments. Signed-off-by: Alan Stern Reported-and-tested-by: "Poulain, Loic" Signed-off-by: Greg Kroah-Hartman commit 06f3ded634136e1db9614a2b0975b6b786c7d66c Author: Daniel Mack Date: Wed Apr 16 17:11:16 2014 +0200 usb: phy: am335x-control: wait 1ms after power-up transitions commit a31a942a148e0083ce560ffeb54fb60e06ab7201 upstream. Tests have shown that when a power-up transition is followed by other PHY operations too quickly, the USB port appears dead. Waiting 1ms fixes this problem. Signed-off-by: Daniel Mack Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 2460e335c076a4ec30043bca6615d9349a739c00 Author: Michal Simek Date: Tue Mar 11 13:23:14 2014 +0100 usb: phy: Add ulpi IDs for SMSC USB3320 and TI TUSB1210 commit ead5178bf442dbae4008ee54bf4f66a1f6a317c9 upstream. Add new ulpi IDs which are available on Xilinx Zynq boards. Signed-off-by: Michal Simek Signed-off-by: Greg Kroah-Hartman commit df55b19e5b501e69790ccb5cc5deb45b7245cc78 Author: Paul Gortmaker Date: Tue Jan 14 16:03:37 2014 -0500 hvc: ensure hvc_init is only ever called once in hvc_console.c commit f76a1cbed18c86e2d192455f0daebb48458965f3 upstream. Commit 3e6c6f630a5282df8f3393a59f10eb9c56536d23 ("Delay creation of khcvd thread") moved the call of hvc_init from being a device_initcall into hvc_alloc, and used a non-null hvc_driver as indication of whether hvc_init had already been called. The problem with this is that hvc_driver is only assigned a value at the bottom of hvc_init, and so there is a window where multiple hvc_alloc calls can be in progress at the same time and hence try and call hvc_init multiple times. Previously the use of device_init guaranteed that hvc_init was only called once. This manifests itself as sporadic instances of two hvc_init calls racing each other, and with the loser of the race getting -EBUSY from tty_register_driver() and hence that virtual console fails: Couldn't register hvc console driver virtio-ports vport0p1: error -16 allocating hvc for port Here we add an atomic_t to guarantee we'll never run hvc_init twice. Cc: Rusty Russell Cc: Greg Kroah-Hartman Fixes: 3e6c6f630a52 ("Delay creation of khcvd thread") Reported-by: Jim Somerville Tested-by: Jim Somerville Signed-off-by: Paul Gortmaker Signed-off-by: Greg Kroah-Hartman commit 355cd8c7cb2b67811648d6b9dd9bee99a7cf90c9 Author: Felipe Balbi Date: Fri Mar 28 14:31:47 2014 -0500 usb: musb: fix PHY power on/off commit 3063a12be2b07c64e9802708a19489342e64c1a3 upstream. commi 30a70b0 (usb: musb: fix obex in g_nokia.ko causing kernel panic) removed phy_power_on() and phy_power_off() calls from runtime PM callbacks but it failed to note that the driver depended on pm_runtime_get_sync() calls to power up the PHY, thus leaving some platforms without any means to have a working PHY. Fix that by enabling the phy during omap2430_musb_init() and killing it in omap2430_musb_exit(). Fixes: 30a70b0 (usb: musb: fix obex in g_nokia.ko causing kernel panic) Cc: Pali Rohár Cc: Ivaylo Dimitrov Reported-by: Michael Scott Tested-by: Michael Scott Tested-by: Stefan Roese Reported-by: Rabin Vincent Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit c72590ffdf9cf3467e8cd9040b44d773c1cccda2 Author: Felipe Balbi Date: Tue Feb 25 10:58:43 2014 -0600 usb: musb: avoid NULL pointer dereference commit eee3f15d5f1f4f0c283dd4db67dc1b874a2852d1 upstream. instead of relying on the otg pointer, which can be NULL in certain cases, we can use the gadget and host pointers we already hold inside struct musb. Tested-by: Tony Lindgren Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 31cbda45ef836067bae9ca4427926671371b98ff Author: Felipe Balbi Date: Tue Mar 4 09:23:50 2014 -0600 usb: dwc3: fix randconfig build errors commit 610183051d8f9421f138c4203ca894387f9f8839 upstream. commit 388e5c5 (usb: dwc3: remove dwc3 dependency on host AND gadget.) created the possibility for host-only and peripheral-only dwc3 builds but left a possible randconfig build error when host-only builds are selected. Reported-by: Jim Davis Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit a1ecfcff95284ef723e88a6f5b88b820819de4f1 Author: Huang Rui Date: Tue Jan 7 17:45:50 2014 +0800 usb: dwc3: fix wrong bit mask in dwc3_event_devt commit 06f9b6e59661cee510b04513b13ea7927727d758 upstream. Around DWC USB3 2.30a release another bit has been added to the Device-Specific Event (DEVT) Event Information (EvtInfo) bitfield. Because of that, what used to be 8 bits long, has become 9 bits long. Per dwc3 2.30a+ spec in the Device-Specific Event (DEVT), the field of Event Information Bits(EvtInfo) uses [24:16] bits, and it has 9 bits not 8 bits. And the following reserved field uses [31:25] bits not [31:24] bits, and it has 7 bits. So in dwc3_event_devt, the bit mask should be: event_info [24:16] 9 bits reserved31_25 [31:25] 7 bits This patch makes sure that newer core releases will work fine with Linux and that we will decode the event information properly on new core releases. [ balbi@ti.com : improve commit log a bit ] Signed-off-by: Huang Rui Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit ce5e66c83d3ca3699cd1942255b5850543d43913 Author: Wolfram Sang Date: Sat Feb 1 15:26:00 2014 -0300 media: media: gspca: sn9c20x: add ID for Genius Look 1320 V2 commit 61f0319193c44adbbada920162d880b1fdb3aeb3 upstream. Signed-off-by: Wolfram Sang Signed-off-by: Hans de Goede Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 248ae305f95bccbc25ae7bcb7550ec2abe09de0c Author: Florian Vaussard Date: Fri Jan 17 16:37:38 2014 -0300 media: omap3isp: preview: Fix the crop margins commit 8b57b9669aa884ac75b8d09c251d6b1755533c15 upstream. Commit 3fdfedaaa "[media] omap3isp: preview: Lower the crop margins" accidentally changed the previewer's cropping, causing the previewer to miss four pixels on each line, thus corrupting the final image. Restored the removed setting. Signed-off-by: Florian Vaussard Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit dadb8da6f06b6c38ad64a39432e470ca75028ef7 Author: Hans Verkuil Date: Fri Mar 7 07:28:39 2014 -0300 media: saa7134: fix WARN_ON during resume commit 30d652823de5fd7907d40e969a2d8e23938d8d03 upstream. Do not attempt to reload the tuner modules when resuming after a suspend. This triggers a WARN_ON in kernel/kmod.c:148 __request_module. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=69581. This has always been wrong, but it was never noticed until the WARN_ON was added in 3.9. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit aa706f0d499e32200fafea3f2def9dfe2bb1bca6 Author: Antti Palosaari Date: Tue Mar 11 06:53:16 2014 -0300 media: em28xx: fix PCTV 290e LNA oops commit 3ec40dcfb413214b2874aec858870502b61c2202 upstream. Pointer to device state has been moved to different location during some change. PCTV 290e LNA function still uses old pointer, carried over FE priv, and it crash. Reported-by: Janne Kujanpää Signed-off-by: Antti Palosaari Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit d292ef8faa5b3f85632325f5c683cd724b77d7c3 Author: Malcolm Priestley Date: Tue Feb 25 23:05:39 2014 -0300 media: m88rs2000: add caps FE_CAN_INVERSION_AUTO commit 3c8023a782964c72574ad8268ba0ea4e2d9772fc upstream. The m88rs2000 frontend is always auto inversion. Signed-off-by: Malcolm Priestley Signed-off-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit a5f0c485731823506fffd3cc881e3f8f212eea41 Author: Frank Schaefer Date: Fri Jan 17 14:18:42 2014 -0300 media: em28xx-audio: fix user counting in snd_em28xx_capture_open() commit 01ae3b51af7144ea29eb28ba718b65ad59ab9493 upstream. dev->adev.users always needs to be increased when snd_em28xx_capture_open() is called and succeeds. Signed-off-by: Frank Schäfer Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 3aa5fe9222c1524c635ed9e71d873ca2cf308a61 Author: Malcolm Priestley Date: Tue Feb 25 23:11:34 2014 -0300 media: m88rs2000: prevent frontend crash on continuous transponder scans commit 8272d0a0c0d374a01721e579df6e8add5577132b upstream. Add m88rs2000_get_tune_settings, min delay of 2000 ms on symbol rate more than 3000000 and delay of 3000ms less than this. Adding min delay prevents crashing the frontend on continuous transponder scans. Other dvb_frontend_tune_settings remain as default. This makes very little time difference to good channel scans, but slows down the set frontend where lock can never be achieved i.e. DVB-S2. Signed-off-by: Malcolm Priestley Signed-off-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit ab38314e7a3fa72d106a0c0480079cb311d63a89 Author: Hans Verkuil Date: Thu Mar 6 07:24:21 2014 -0300 media: v4l2-compat-ioctl32: fix wrong VIDIOC_SUBDEV_G/S_EDID32 support commit bc826d6e39fe5f09cbadf8723e9183e6331b586f upstream. The wrong ioctl numbers were used due to a copy-and-paste error. Signed-off-by: Hans Verkuil Acked-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit a8eedb3b38b3503c054d769139c5b21e6115d59b Author: Hans Verkuil Date: Tue Mar 4 04:51:50 2014 -0300 media: v4l2-dv-timings: add module name, description, license commit c4885ada88e4331f8ac56d14296d0058359db2d7 upstream. I completely forgot to add them when I made this module. Loading this module without it will taint the kernel, which is not intended. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit be0ed1dfdb7c750615a89cab5758ac19d2b8966a Author: Antoine Ténart Date: Fri Mar 7 17:20:54 2014 +0100 video: atmel_lcdfb: ensure the hardware is initialized with the correct mode commit 7d3477d801808a5037a511cf5a5aae5718e7ecce upstream. If no driver takeover the atmel_lcdfb, the lcd won't be in a working state since atmel_lcdfb_set_par() will never be called. Enabling a driver which does, like fbcon, will call the function and put atmel_lcdfb in a working state. Fixes: b985172b328a (video: atmel_lcdfb: add device tree suport) Signed-off-by: Antoine Ténart Reported-by: Alexandre Belloni Acked-by: Alexandre Belloni Acked-by: Nicolas Ferre Signed-off-by: Tomi Valkeinen Signed-off-by: Greg Kroah-Hartman commit 96f4b20a17943b622857110fbe2d01ba6fed377e Author: Hans Verkuil Date: Thu Feb 27 06:04:57 2014 -0300 media: videodev2.h: add parenthesis around macro arguments commit aee786acfc0a12bcd37a1c60f3198fb25cf7181a upstream. bt->width should be (bt)->width, and same for the other fields. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 113b0ef4087afb611ceab37311c53a1f250b57bb Author: Oleksij Rempel Date: Sun Feb 16 06:59:32 2014 -0300 media: uvcvideo: Do not use usb_set_interface on bulk EP commit b1e43f232698274871e1358c276d7b0242a7d607 upstream. The UVC specification uses alternate setting selection to notify devices of stream start/stop. This breaks when using bulk-based devices, as the video streaming interface has a single alternate setting in that case, making video stream start and video stream stop events to appear identical to the device. Bulk-based devices are thus not well supported by UVC. The webcam built in the Asus Zenbook UX302LA ignores the set interface request and will keep the video stream enabled when the driver tries to stop it. If USB autosuspend is enabled the device will then be suspended and will crash, requiring a cold reboot. USB trace capture showed that Windows sends a CLEAR_FEATURE(HALT) request to the bulk endpoint when stopping the stream instead of selecting alternate setting 0. The camera then behaves correctly, and thus seems to require that behaviour. Replace selection of alternate setting 0 with clearing of the endpoint halt feature at video stream stop for bulk-based devices. Let's refrain from blaming Microsoft this time, as it's not clear whether this Windows-specific but USB-compliant behaviour was specifically developed to handle bulkd-based UVC devices, or if the camera just took advantage of it. Signed-off-by: Oleksij Rempel Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit d3630d64f1ee975567681ab6c59f0ce34befdfe5 Author: David Cohen Date: Fri Apr 25 19:20:16 2014 +0300 usb/xhci: fix compilation warning when !CONFIG_PCI && !CONFIG_PM commit 01bb59ebffdec314da8da66266edf29529372f9b upstream. When CONFIG_PCI and CONFIG_PM are not selected, xhci.c gets this warning: drivers/usb/host/xhci.c:409:13: warning: ‘xhci_msix_sync_irqs’ defined but not used [-Wunused-function] Instead of creating nested #ifdefs, this patch fixes it by defining the xHCI PCI stubs as inline. This warning has been in since 3.2 kernel and was caused by commit 421aa841a134f6a743111cf44d0c6d3b45e3cf8c "usb/xhci: hide MSI code behind PCI bars", but wasn't noticed until 3.13 when a configuration with these options was tried Signed-off-by: David Cohen Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 93ba9a2e903812f1ef6c6a3581f0f51740793d0f Author: Igor Gnatenko Date: Fri Apr 25 19:20:15 2014 +0300 xhci: extend quirk for Renesas cards commit 6db249ebefc6bf5c39f35dfaacc046d8ad3ffd70 upstream. After suspend another Renesas PCI-X USB 3.0 card doesn't work. [root@fedora-20 ~]# lspci -vmnnd 1912: Device: 03:00.0 Class: USB controller [0c03] Vendor: Renesas Technology Corp. [1912] Device: uPD720202 USB 3.0 Host Controller [0015] SVendor: Renesas Technology Corp. [1912] SDevice: uPD720202 USB 3.0 Host Controller [0015] Rev: 02 ProgIf: 30 This patch should be applied to stable kernel 3.14 that contain the commit 1aa9578c1a9450fb21501c4f549f5b1edb557e6d "xhci: Fix resume issues on Renesas chips in Samsung laptops" Reported-and-tested-by: Anatoly Kharchenko Reference: http://redmine.russianfedora.pro/issues/1315 Signed-off-by: Igor Gnatenko Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 5092b2b3c54eeb1a41329661d14289f59f81bdcb Author: Denis Turischev Date: Fri Apr 25 19:20:14 2014 +0300 xhci: Switch Intel Lynx Point ports to EHCI on shutdown. commit c09ec25d3684cad74d851c0f028a495999591279 upstream. The same issue like with Panther Point chipsets. If the USB ports are switched to xHCI on shutdown, the xHCI host will send a spurious interrupt, which will wake the system. Some BIOS have work around for this, but not all. One example is Compulab's mini-desktop, the Intense-PC2. The bug can be avoided if the USB ports are switched back to EHCI on shutdown. This patch should be backported to stable kernels as old as 3.12, that contain the commit 638298dc66ea36623dbc2757a24fc2c4ab41b016 "xhci: Fix spurious wakeups after S5 on Haswell" Signed-off-by: Denis Turischev Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit e7573909b5b8df35591a66146d8629f7aa41675e Author: Mathias Nyman Date: Mon Mar 3 19:30:17 2014 +0200 xhci: Prevent runtime pm from autosuspending during initialization commit bcffae7708eb8352f44dc510b326541fe43a02a4 upstream. xHCI driver has its own pci probe function that will call usb_hcd_pci_probe to register its usb-2 bus, and then continue to manually register the usb-3 bus. usb_hcd_pci_probe does a pm_runtime_put_noidle at the end and might thus trigger a runtime suspend before the usb-3 bus is ready. Prevent the runtime suspend by increasing the usage count in the beginning of xhci_pci_probe, and decrease it once the usb-3 bus is ready. xhci-platform driver is not using usb_hcd_pci_probe to set up busses and should not need to have it's usage count increased during probe. Signed-off-by: Mathias Nyman Acked-by: Dan Williams Acked-by: Alan Stern Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit e880a6df5538989f764a851565802124b654860f Author: Roger Quadros Date: Wed Mar 26 18:46:38 2014 +0200 usb: gadget: zero: Fix SuperSpeed enumeration for alternate setting 1 commit 9c1b70361e0b38e4acb8e62b54da66538cb77ff2 upstream. It was impossible to enumerate on a SuperSpeed (XHCI) host with alternate setting = 1 due to the wrongly set 'bMaxBurst' field in the SuperSpeed Endpoint Companion descriptor. Testcase: modprobe -r usbtest; modprobe usbtest alt=1 modprobe g_zero plug device to SuperSpeed port on the host. Without this patch the host always complains like so "usb 12-2: Not enough bandwidth for new device state. usb 12-2: Not enough bandwidth for altsetting 1" Bug was introduced by commit cf9a08ae in v3.9 Fixes: cf9a08ae5aec (usb: gadget: convert source sink and loopback to new function interface) Reviewed-by: Felipe Balbi Acked-by: Sebastian Andrzej Siewior Signed-off-by: Roger Quadros Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit f2ae820563a9d76626c09a05e5887490a96cb3c2 Author: Gregory CLEMENT Date: Mon Mar 3 17:48:34 2014 +0100 usb: gadget: atmel_usba: fix crashed during stopping when DEBUG is enabled commit d8eb6c653ef6b323d630de3c5685478469e248bc upstream. commit 511f3c5 (usb: gadget: udc-core: fix a regression during gadget driver unbinding) introduced a crash when DEBUG is enabled. The debug trace in the atmel_usba_stop function made the assumption that the driver pointer passed in parameter was not NULL, but since the commit above, such assumption was no longer always true. This commit now uses the driver pointer stored in udc which fixes this issue. [ balbi@ti.com : improved commit log a bit ] Acked-by: Alexandre Belloni Signed-off-by: Gregory CLEMENT Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit c269953543992a67cc7dc47bbf892d77d49d6060 Author: Kees Cook Date: Tue Mar 11 13:26:16 2014 -0700 usb: gadget: tcm_usb_gadget: stop format strings commit aba37fd975f0dd58e025c99c2a79b61b20190831 upstream. This makes sure that the name coming out of configfs cannot be used accidentally as a format string. Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman commit 3defef4e960c9b3ab1026b9b5a1f0393be5b0536 Author: Jeff Mahoney Date: Wed Apr 2 14:40:26 2014 -0400 reiserfs: fix race in readdir commit 01d8885785a60ae8f4c37b0ed75bdc96d0fc6a44 upstream. jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) The -ENOENT is due to readdir calling dir_emit on the same entry twice. If the dir_emit callback sleeps and the tree is changed underneath us, we won't be able to trust deh_offset(deh) anymore. We need to save next_pos before we might sleep so we can find the next entry. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 5a8662c721425479147eb22de81d42e1f3bfc551 Author: Russell King Date: Mon Apr 7 12:00:17 2014 +0100 DRM: armada: fix corruption while loading cursors commit c39b06951f1dc2e384650288676c5b7dcc0ec92c upstream. Loading cursors to the LCD controller's SRAM can be corrupted when the configured pixel clock is relatively slow. This seems to be caused when we write back-to-back to the SRAM registers. There doesn't appear to be any status register we can read to check when an access has completed. Inserting a dummy read between the writes appears to fix the problem. Signed-off-by: Russell King Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 0fe2736f2ceed378f4b6d94eb337914fdec7611e Author: Miklos Szeredi Date: Fri Apr 11 11:25:40 2014 +0100 arm64: __NR_compat_syscalls fix commit 838977f0178334bf3d7f3e974ea3154b68979be0 upstream. This fixes commit 6290b53de025 (arm64: compat: Wire up new AArch32 syscalls) which did not update __NR_compat_syscalls accordingly. Signed-off-by: Miklos Szeredi Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit f697f4d7a739712bf1876a32281bf01bb401deac Author: Will Deacon Date: Wed Apr 23 17:52:52 2014 +0100 word-at-a-time: avoid undefined behaviour in zero_bytemask macro commit ec6931b281797b69e6cf109f9cc94d5a2bf994e0 upstream. The asm-generic, big-endian version of zero_bytemask creates a mask of bytes preceding the first zero-byte by left shifting ~0ul based on the position of the first zero byte. Unfortunately, if the first (top) byte is zero, the output of prep_zero_mask has only the top bit set, resulting in undefined C behaviour as we shift left by an amount equal to the width of the type. As it happens, GCC doesn't manage to spot this through the call to fls(), but the issue remains if architectures choose to implement their shift instructions differently. An example would be arch/arm/ (AArch32), where LSL Rd, Rn, #32 results in Rd == 0x0, whilst on arch/arm64 (AArch64) LSL Xd, Xn, #64 results in Xd == Xn. Rather than check explicitly for the problematic shift, this patch adds an extra shift by 1, replacing fls with __fls. Since zero_bytemask is never called with a zero argument (has_zero() is used to check the data first), we don't need to worry about calling __fls(0), which is undefined. Cc: Victor Kamensky Signed-off-by: Will Deacon Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e504a78c9336d920d48566dc8adcd25f0b5d99b8 Author: Matt Fleming Date: Thu Apr 10 14:11:45 2014 +0100 efi: Pass correct file handle to efi_file_{read,close} commit 47514c996fac5e6f13ef3a4c5e23f1c5cffabb7b upstream. We're currently passing the file handle for the root file system to efi_file_read() and efi_file_close(), instead of the file handle for the file we wish to read/close. While this has worked up until now, it seems that it has only been by pure luck. Olivier explains, "The issue is the UEFI Fat driver might return the same function for 'fh->read()' and 'h->read()'. While in our case it does not work with a different implementation of EFI_SIMPLE_FILE_SYSTEM_PROTOCOL. In our case, we return a different pointer when reading a directory and reading a file." Fixing this actually clears up the two functions because we can drop one of the arguments, and instead only pass a file 'handle' argument. Reported-by: Olivier Martin Reviewed-by: Olivier Martin Reviewed-by: Mark Rutland Cc: Leif Lindholm Signed-off-by: Matt Fleming Signed-off-by: Greg Kroah-Hartman commit 45ada9fae6d836aa8e3be5302d7aeb50c44e0629 Author: Matt Fleming Date: Tue Apr 8 13:14:00 2014 +0100 x86/efi: Correct EFI boot stub use of code32_start commit 7e8213c1f3acc064aef37813a39f13cbfe7c3ce7 upstream. code32_start should point at the start of the protected mode code, and *not* at the beginning of the bzImage. This is much easier to do in assembly so document that callers of make_boot_params() need to fill out code32_start. The fallout from this bug is that we would end up relocating the image but copying the image at some offset, resulting in what appeared to be memory corruption. Reported-by: Thomas Bächler Signed-off-by: Matt Fleming Signed-off-by: Greg Kroah-Hartman commit e1339dc85fd9a6b3670a0d9cca831826b4d7f3c0 Author: K. Y. Srinivasan Date: Thu Apr 3 18:02:45 2014 -0700 Drivers: hv: vmbus: Negotiate version 3.0 when running on ws2012r2 hosts commit 03367ef5ea811475187a0732aada068919e14d61 upstream. Only ws2012r2 hosts support the ability to reconnect to the host on VMBUS. This functionality is needed by kexec in Linux. To use this functionality we need to negotiate version 3.0 of the VMBUS protocol. Signed-off-by: K. Y. Srinivasan Signed-off-by: Greg Kroah-Hartman commit 8489218aef0f7e61d5cab1c713a77e59f61a2fd5 Author: Andy Grover Date: Fri Apr 4 16:44:37 2014 -0700 target/tcm_fc: Fix use-after-free of ft_tpg commit 2c42be2dd4f6586728dba5c4e197afd5cfaded78 upstream. ft_del_tpg checks tpg->tport is set before unlinking the tpg from the tport when the tpg is being removed. Set this pointer in ft_tport_create, or the unlinking won't happen in ft_del_tpg and tport->tpg will reference a deleted object. This patch sets tpg->tport in ft_tport_create, because that's what ft_del_tpg checks, and is the only way to get back to the tport to clear tport->tpg. The bug was occuring when: - lport created, tport (our per-lport, per-provider context) is allocated. tport->tpg = NULL - tpg created - a PRLI is received. ft_tport_create is called, tpg is found and tport->tpg is set - tpg removed. ft_tpg is freed in ft_del_tpg. Since tpg->tport was not set, tport->tpg is not cleared and points at freed memory - Future calls to ft_tport_create return tport via first conditional, instead of searching for new tpg by calling ft_lport_find_tpg. tport->tpg is still invalid, and will access freed memory. see https://bugzilla.redhat.com/show_bug.cgi?id=1071340 Signed-off-by: Andy Grover Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 2799366670b3cf84a6a5c2962d78c1fe6cce66a0 Author: Nicholas Bellinger Date: Thu Apr 3 03:35:02 2014 +0000 target/iblock: Fix double bioset_integrity_free bug commit d84287bcfe624697cd4f3c1df746beb53b86d9c4 upstream. This patch fixes a double free bug during IBLOCK backend shutdown where bioset_integrity_free() was incorrectly called ahead of bioset_free(), who is already making the same call directly. This bug was introduced with commit ecebbf6cc, and will end up triggering a general protection fault in iblock_free_device() Reviewed-by: Sagi Grimberg Cc: Martin K. Petersen Cc: Or Gerlitz Cc: Quinn Tran Cc: Giridhar Malavali Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 1a7bfeb1107d5fd3e537ab38227688be685e2ce8 Author: Martin Svec Date: Tue Apr 1 16:03:02 2014 +0200 Target/sbc: Initialize COMPARE_AND_WRITE write_sg scatterlist commit a1e1774c6dfa3a524dd8df51ca95185fe5ef3247 upstream. When compiled with CONFIG_DEBUG_SG set, uninitialized SGL leads to BUG() in compare_and_write_callback(). Signed-off-by: Martin Svec Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit d57b778d6769de07e6ba703ff3f2d0f07f01c94a Author: Quinn Tran Date: Fri Mar 28 19:05:27 2014 -0400 target/rd: T10-Dif: RAM disk is allocating more space than required. commit 9d2e59f2a778328a41771fe9a0098dadbc4314ba upstream. Ram disk is allocating 8x more space than required for diff data. For large RAM disk test, there is small potential for memory starvation. (Use block_size when calculating total_sg_needed - sagi + nab) Signed-off-by: Giridhar Malavali Signed-off-by: Quinn Tran Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit cc39e3c4930e678a5af686315db98f8e9165bd29 Author: Nicholas Bellinger Date: Wed Feb 19 23:32:14 2014 +0000 iscsi-target: Fix ERL=2 ASYNC_EVENT connection pointer bug commit d444edc679e7713412f243b792b1f964e5cff1e1 upstream. This patch fixes a long-standing bug in iscsit_build_conn_drop_async_message() where during ERL=2 connection recovery, a bogus conn_p pointer could end up being used to send the ISCSI_OP_ASYNC_EVENT + DROPPING_CONNECTION notifying the initiator that cmd->logout_cid has failed. The bug was manifesting itself as an OOPs in iscsit_allocate_cmd() with a bogus conn_p pointer in iscsit_build_conn_drop_async_message(). Reported-by: Arshad Hussain Reported-by: santosh kulkarni Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 60babe4b2093420c4a29162b1614671b65dc1949 Author: Dan Carpenter Date: Tue Feb 11 19:06:33 2014 +0300 SCSI: arcmsr: upper 32 of dma address lost commit e2c70425f05219b142b3a8a9489a622c736db39d upstream. The original code always set the upper 32 bits to zero because it was doing a shift of the wrong variable. Fixes: 1a4f550a09f8 ('[SCSI] arcmsr: 1.20.00.15: add SATA RAID plus other fixes') Signed-off-by: Dan Carpenter Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit b5c0bf598c7ce3f45fe670be00e873228746a727 Author: Dan Carpenter Date: Tue Jan 21 10:00:10 2014 +0300 SCSI: qla2xxx: fix error handling of qla2x00_mem_alloc() commit b2a72ec32d0f499aaadf41264232517a12326df0 upstream. qla2x00_mem_alloc() returns 1 on success and -ENOMEM on failure. On the one hand the caller assumes non-zero is success but on the other hand the caller also assumes that it returns an error code. I've fixed it to return zero on success and a negative error code on failure. This matches the documentation as well. [jejb: checkpatch fix] Fixes: e315cd28b9ef ('[SCSI] qla2xxx: Code changes for qla data structure refactoring') Signed-off-by: Dan Carpenter Acked-by: Saurav Kashyap Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit c2421ce1c1500245b6a916e7681fb310b8806f20 Author: Mike Marciniszyn Date: Mon Apr 7 13:58:35 2014 -0400 ib_srpt: Use correct ib_sg_dma primitives commit b076808051f2c80d38e03fb2f1294f525c7a446d upstream. The code was incorrectly using sg_dma_address() and sg_dma_len() instead of ib_sg_dma_address() and ib_sg_dma_len(). This prevents srpt from functioning with the Intel HCA and indeed will corrupt memory badly. Cc: Bart Van Assche Reviewed-by: Dennis Dalessandro Tested-by: Vinod Kumar Signed-off-by: Mike Marciniszyn Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 5daac1bcbb85cbf03e7e7d3cafeeb31977d82113 Author: Moni Shoua Date: Thu Mar 27 10:52:58 2014 +0200 IB/core: Don't resolve passive side RoCE L2 address in CMA REQ handler commit b2853fd6c2d0f383dbdf7427e263eb576a633867 upstream. The code that resolves the passive side source MAC within the rdma_cm connection request handler was both redundant and buggy, so remove it. It was redundant since later, when an RC QP is modified to RTR state, the resolution will take place in the ib_core module. It was buggy because this callback also deals with UD SIDR exchange, for which we incorrectly looked at the REQ member of the CM event and dereferenced a random value. Fixes: dd5f03beb4f7 ("IB/core: Ethernet L2 attributes in verbs/cm structures") Signed-off-by: Moni Shoua Signed-off-by: Or Gerlitz Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 9fedb513ae782fbe1e315afa269eb6a661e40942 Author: Yann Droneaud Date: Mon Mar 10 23:06:28 2014 +0100 IB/qib: add missing braces in do_qib_user_sdma_queue_create() commit 37a967651caf99dd267017023737bd442f5acb3d upstream. Commit c804f07248895ff9c moved qib_assign_ctxt() to do_qib_user_sdma_queue_create() but dropped the braces around the statements. This was spotted by coccicheck (coccinelle/spatch): $ make C=2 CHECK=scripts/coccicheck drivers/infiniband/hw/qib/ CHECK drivers/infiniband/hw/qib/qib_file_ops.c drivers/infiniband/hw/qib/qib_file_ops.c:1583:2-23: code aligned with following code on line 1587 This patch adds braces back. Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com Cc: Mike Marciniszyn Cc: infinipath@intel.com Cc: Julia Lawall Cc: cocci@systeme.lip6.fr Signed-off-by: Yann Droneaud Tested-by: Mike Marciniszyn Acked-by: Mike Marciniszyn Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 88e2517ceb1bdb4e19559109d247f068f6d6eea6 Author: Mike Marciniszyn Date: Fri Mar 7 08:32:31 2014 -0500 IB/qib: Fix debugfs ordering issue with multiple HCAs commit f8b6c47a44c063062317646683a73371c24c69ee upstream. The debugfs init code was incorrectly called before the idr mechanism is used to get the unit number, so the dd->unit hasn't been initialized. This caused the unit relative directory creation to fail after the first. This patch moves the init for the debugfs stuff until after all of the failures and after the unit number has been determined. A bug in unwind code in qib_alloc_devdata() is also fixed. Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit b1bb4fbfcb79809874aab591bc1bdff09ca69189 Author: Yann Droneaud Date: Mon Mar 10 23:06:25 2014 +0100 IB/ehca: Returns an error on ib_copy_to_udata() failure commit 5bdb0f02add5994b0bc17494f4726925ca5d6ba1 upstream. In case of error when writing to userspace, function ehca_create_cq() does not set an error code before following its error path. This patch sets the error code to -EFAULT when ib_copy_to_udata() fails. This was caught when using spatch (aka. coccinelle) to rewrite call to ib_copy_{from,to}_udata(). Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com Signed-off-by: Yann Droneaud Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 2f13b4c794dd8f2669f69445e20eb799336ad6f3 Author: Yann Droneaud Date: Mon Mar 10 23:06:26 2014 +0100 IB/mthca: Return an error on ib_copy_to_udata() failure commit 08e74c4b00c30c232d535ff368554959403d0432 upstream. In case of error when writing to userspace, the function mthca_create_cq() does not set an error code before following its error path. This patch sets the error code to -EFAULT when ib_copy_to_udata() fails. This was caught when using spatch (aka. coccinelle) to rewrite call to ib_copy_{from,to}_udata(). Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com Signed-off-by: Yann Droneaud Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit cf84cf57c4712984bbf4b8fe41666c3047d8842c Author: Yann Droneaud Date: Mon Mar 10 23:06:27 2014 +0100 IB/nes: Return an error on ib_copy_from_udata() failure instead of NULL commit 9d194d1025f463392feafa26ff8c2d8247f71be1 upstream. In case of error while accessing to userspace memory, function nes_create_qp() returns NULL instead of an error code wrapped through ERR_PTR(). But NULL is not expected by ib_uverbs_create_qp(), as it check for error with IS_ERR(). As page 0 is likely not mapped, it is going to trigger an Oops when the kernel will try to dereference NULL pointer to access to struct ib_qp's fields. In some rare cases, page 0 could be mapped by userspace, which could turn this bug to a vulnerability that could be exploited: the function pointers in struct ib_device will be under userspace total control. This was caught when using spatch (aka. coccinelle) to rewrite calls to ib_copy_{from,to}_udata(). Link: https://www.gitorious.org/opteya/ib-hw-nes-create-qp-null Link: https://www.gitorious.org/opteya/coccib/source/75ebf2c1033c64c1d81df13e4ae44ee99c989eba:ib_copy_udata.cocci Link: http://marc.info/?i=cover.1394485254.git.ydroneaud@opteya.com Signed-off-by: Yann Droneaud Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 8684c541069dbc344182ab856464c6d5c4e14139 Author: Dennis Dalessandro Date: Thu Feb 20 11:02:53 2014 -0500 IB/ipath: Fix potential buffer overrun in sending diag packet routine commit a2cb0eb8a64adb29a99fd864013de957028f36ae upstream. Guard against a potential buffer overrun. The size to read from the user is passed in, and due to the padding that needs to be taken into account, as well as the place holder for the ICRC it is possible to overflow the 32bit value which would cause more data to be copied from user space than is allocated in the buffer. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Reviewed-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 43222bc58fa3a2d917a99026fb1f55921e5bbd42 Author: Jeff Layton Date: Tue Apr 15 08:51:48 2014 -0400 nfsd: set timeparms.to_maxval in setup_callback_client commit 3758cf7e14b753838fe754ede3862af10b35fdac upstream. ...otherwise the logic in the timeout handling doesn't work correctly. Spotted-by: Trond Myklebust Signed-off-by: Jeff Layton Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit c54b5d2149ee37a96dbbc01dabdd9475c07c52e1 Author: Kinglong Mee Date: Wed Mar 26 22:09:30 2014 +0800 NFSD: Traverse unconfirmed client through hash-table commit 2b9056359889c78ea5decb5b654a512c2e8a945c upstream. When stopping nfsd, I got BUG messages, and soft lockup messages, The problem is cuased by double rb_erase() in nfs4_state_destroy_net() and destroy_client(). This patch just let nfsd traversing unconfirmed client through hash-table instead of rbtree. [ 2325.021995] BUG: unable to handle kernel NULL pointer dereference at (null) [ 2325.022809] IP: [] rb_erase+0x14c/0x390 [ 2325.022982] PGD 7a91b067 PUD 7a33d067 PMD 0 [ 2325.022982] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC [ 2325.022982] Modules linked in: nfsd(OF) cfg80211 rfkill bridge stp llc snd_intel8x0 snd_ac97_codec ac97_bus auth_rpcgss nfs_acl serio_raw e1000 i2c_piix4 ppdev snd_pcm snd_timer lockd pcspkr joydev parport_pc snd parport i2c_core soundcore microcode sunrpc ata_generic pata_acpi [last unloaded: nfsd] [ 2325.022982] CPU: 1 PID: 2123 Comm: nfsd Tainted: GF O 3.14.0-rc8+ #2 [ 2325.022982] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [ 2325.022982] task: ffff88007b384800 ti: ffff8800797f6000 task.ti: ffff8800797f6000 [ 2325.022982] RIP: 0010:[] [] rb_erase+0x14c/0x390 [ 2325.022982] RSP: 0018:ffff8800797f7d98 EFLAGS: 00010246 [ 2325.022982] RAX: ffff880079c1f010 RBX: ffff880079f4c828 RCX: 0000000000000000 [ 2325.022982] RDX: 0000000000000000 RSI: ffff880079bcb070 RDI: ffff880079f4c810 [ 2325.022982] RBP: ffff8800797f7d98 R08: 0000000000000000 R09: ffff88007964fc70 [ 2325.022982] R10: 0000000000000000 R11: 0000000000000400 R12: ffff880079f4c800 [ 2325.022982] R13: ffff880079bcb000 R14: ffff8800797f7da8 R15: ffff880079f4c860 [ 2325.022982] FS: 0000000000000000(0000) GS:ffff88007f900000(0000) knlGS:0000000000000000 [ 2325.022982] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 2325.022982] CR2: 0000000000000000 CR3: 000000007a3ef000 CR4: 00000000000006e0 [ 2325.022982] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 2325.022982] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 2325.022982] Stack: [ 2325.022982] ffff8800797f7de0 ffffffffa0191c6e ffff8800797f7da8 ffff8800797f7da8 [ 2325.022982] ffff880079f4c810 ffff880079bcb000 ffffffff81cc26c0 ffff880079c1f010 [ 2325.022982] ffff880079bcb070 ffff8800797f7e28 ffffffffa01977f2 ffff8800797f7df0 [ 2325.022982] Call Trace: [ 2325.022982] [] destroy_client+0x32e/0x3b0 [nfsd] [ 2325.022982] [] nfs4_state_shutdown_net+0x1a2/0x220 [nfsd] [ 2325.022982] [] nfsd_shutdown_net+0x38/0x70 [nfsd] [ 2325.022982] [] nfsd_last_thread+0x4e/0x80 [nfsd] [ 2325.022982] [] svc_shutdown_net+0x2b/0x30 [sunrpc] [ 2325.022982] [] nfsd_destroy+0x5b/0x80 [nfsd] [ 2325.022982] [] nfsd+0x103/0x130 [nfsd] [ 2325.022982] [] ? nfsd_destroy+0x80/0x80 [nfsd] [ 2325.022982] [] kthread+0xd2/0xf0 [ 2325.022982] [] ? insert_kthread_work+0x40/0x40 [ 2325.022982] [] ret_from_fork+0x7c/0xb0 [ 2325.022982] [] ? insert_kthread_work+0x40/0x40 [ 2325.022982] Code: 48 83 e1 fc 48 89 10 0f 84 02 01 00 00 48 3b 41 10 0f 84 08 01 00 00 48 89 51 08 48 89 fa e9 74 ff ff ff 0f 1f 40 00 48 8b 50 10 02 01 0f 84 93 00 00 00 48 8b 7a 10 48 85 ff 74 05 f6 07 01 [ 2325.022982] RIP [] rb_erase+0x14c/0x390 [ 2325.022982] RSP [ 2325.022982] CR2: 0000000000000000 [ 2325.022982] ---[ end trace 28c27ed011655e57 ]--- [ 228.064071] BUG: soft lockup - CPU#0 stuck for 22s! [nfsd:558] [ 228.064428] Modules linked in: ip6t_rpfilter ip6t_REJECT cfg80211 xt_conntrack rfkill ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw nfsd(OF) auth_rpcgss nfs_acl lockd snd_intel8x0 snd_ac97_codec ac97_bus joydev snd_pcm snd_timer e1000 sunrpc snd ppdev parport_pc serio_raw pcspkr i2c_piix4 microcode parport soundcore i2c_core ata_generic pata_acpi [ 228.064539] CPU: 0 PID: 558 Comm: nfsd Tainted: GF O 3.14.0-rc8+ #2 [ 228.064539] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [ 228.064539] task: ffff880076adec00 ti: ffff880074616000 task.ti: ffff880074616000 [ 228.064539] RIP: 0010:[] [] rb_next+0x27/0x50 [ 228.064539] RSP: 0018:ffff880074617de0 EFLAGS: 00000282 [ 228.064539] RAX: ffff880074478010 RBX: ffff88007446f860 RCX: 0000000000000014 [ 228.064539] RDX: ffff880074478010 RSI: 0000000000000000 RDI: ffff880074478010 [ 228.064539] RBP: ffff880074617de0 R08: 0000000000000000 R09: 0000000000000012 [ 228.064539] R10: 0000000000000001 R11: ffffffffffffffec R12: ffffea0001d11a00 [ 228.064539] R13: ffff88007f401400 R14: ffff88007446f800 R15: ffff880074617d50 [ 228.064539] FS: 0000000000000000(0000) GS:ffff88007f800000(0000) knlGS:0000000000000000 [ 228.064539] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 228.064539] CR2: 00007fe9ac6ec000 CR3: 000000007a5d6000 CR4: 00000000000006f0 [ 228.064539] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 228.064539] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 228.064539] Stack: [ 228.064539] ffff880074617e28 ffffffffa01ab7db ffff880074617df0 ffff880074617df0 [ 228.064539] ffff880079273000 ffffffff81cc26c0 ffffffff81cc26c0 0000000000000000 [ 228.064539] 0000000000000000 ffff880074617e48 ffffffffa01840b8 ffffffff81cc26c0 [ 228.064539] Call Trace: [ 228.064539] [] nfs4_state_shutdown_net+0x18b/0x220 [nfsd] [ 228.064539] [] nfsd_shutdown_net+0x38/0x70 [nfsd] [ 228.064539] [] nfsd_last_thread+0x4e/0x80 [nfsd] [ 228.064539] [] svc_shutdown_net+0x2b/0x30 [sunrpc] [ 228.064539] [] nfsd_destroy+0x5b/0x80 [nfsd] [ 228.064539] [] nfsd+0x103/0x130 [nfsd] [ 228.064539] [] ? nfsd_destroy+0x80/0x80 [nfsd] [ 228.064539] [] kthread+0xd2/0xf0 [ 228.064539] [] ? insert_kthread_work+0x40/0x40 [ 228.064539] [] ret_from_fork+0x7c/0xb0 [ 228.064539] [] ? insert_kthread_work+0x40/0x40 [ 228.064539] Code: 1f 44 00 00 55 48 8b 17 48 89 e5 48 39 d7 74 3b 48 8b 47 08 48 85 c0 75 0e eb 25 66 0f 1f 84 00 00 00 00 00 48 89 d0 48 8b 50 10 <48> 85 d2 75 f4 5d c3 66 90 48 3b 78 08 75 f6 48 8b 10 48 89 c7 Fixes: ac55fdc408039 (nfsd: move the confirmed and unconfirmed hlists...) Signed-off-by: Kinglong Mee Reviewed-by: Jeff Layton Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 0a5bb094810064fd31b9229c5e9d9d76bb56f5f3 Author: J. Bruce Fields Date: Mon Mar 10 14:17:55 2014 -0400 nfsd4: fix setclientid encode size commit 480efaee085235bb848f1063f959bf144103c342 upstream. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 647183f379be5a197f3df3a469321de4fe532e54 Author: Yan, Zheng Date: Mon Mar 10 12:52:07 2014 +0800 nfsd4: fix memory leak in nfsd4_encode_fattr() commit 18df11d0eacf67bbcd8dda755b568bbbd7264735 upstream. fh_put() does not free the temporary file handle. Signed-off-by: Yan, Zheng Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 34ef215eede8f77b8f27d35096aa9e4aa149d522 Author: Stanislav Kinsbursky Date: Wed Feb 26 16:50:01 2014 +0300 nfsd: check passed socket's net matches NFSd superblock's one commit 3064639423c48d6e0eb9ecc27c512a58e38c6c57 upstream. There could be a case, when NFSd file system is mounted in network, different to socket's one, like below: "ip netns exec" creates new network and mount namespace, which duplicates NFSd mount point, created in init_net context. And thus NFS server stop in nested network context leads to RPCBIND client destruction in init_net. Then, on NFSd start in nested network context, rpc.nfsd process creates socket in nested net and passes it into "write_ports", which leads to RPCBIND sockets creation in init_net context because of the same reason (NFSd monut point was created in init_net context). An attempt to register passed socket in nested net leads to panic, because no RPCBIND client present in nexted network namespace. This patch add check that passed socket's net matches NFSd superblock's one. And returns -EINVAL error to user psace otherwise. v2: Put socket on exit. Reported-by: Weng Meiling Signed-off-by: Stanislav Kinsbursky Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit f7cffcfc0ffd809f1f6e0c679888cb378984716a Author: J. Bruce Fields Date: Mon Feb 24 14:59:47 2014 -0500 nfsd: notify_change needs elevated write count commit 9f67f189939eccaa54f3d2c9cf10788abaf2d584 upstream. Looks like this bug has been here since these write counts were introduced, not sure why it was just noticed now. Thanks also to Jan Kara for pointing out the problem. Reported-by: Matthew Rahtz Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 725e71de82a2ab297c35819ded9c88eef012eaf8 Author: J. Bruce Fields Date: Mon Feb 3 16:38:47 2014 -0500 nfsd4: leave reply buffer space for failed setattr commit 04819bf6449094e62cebaf5199d85d68d711e667 upstream. This fixes an ommission from 18032ca062e621e15683cb61c066ef3dc5414a7b "NFSD: Server implementation of MAC Labeling", which increased the size of the setattr error reply without increasing COMPOUND_ERR_SLACK_SPACE. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit c48069a373b6472b2351dc43eb9afc895f430257 Author: J. Bruce Fields Date: Mon Feb 3 16:31:42 2014 -0500 nfsd4: fix test_stateid error reply encoding commit a11fcce1544df08c723d950ff0edef3adac40405 upstream. If the entire operation fails then there's nothing to encode. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit d37c37d2d4d8fb671d7775d9760afde90a435cbd Author: J. Bruce Fields Date: Tue Jan 28 16:05:15 2014 -0500 nfsd4: buffer-length check for SUPPATTR_EXCLCREAT commit de3997a7eeb9ea286b15879fdf8a95aae065b4f7 upstream. This was an omission from 8c18f2052e756e7d5dea712fc6e7ed70c00e8a39 "nfsd41: SUPPATTR_EXCLCREAT attribute". Cc: Benny Halevy Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 6cd9ecd59521d89c087c561680ae272dcc3a5059 Author: J. Bruce Fields Date: Tue Jan 28 16:01:04 2014 -0500 nfsd4: session needs room for following op to error out commit 4c69d5855a16f7378648c5733632628fa10431db upstream. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 83b19121522b00aa21b5342a0c2e1e019bd1d5f2 Author: J. Bruce Fields Date: Thu Apr 3 15:10:35 2014 -0400 nfsd: revert v2 half of "nfsd: don't return high mode bits" commit 082f31a2169bd639785e45bf252f3d5bce0303c6 upstream. This reverts the part of commit 6e14b46b91fee8a049b0940333ce13a820beaaa5 that changes NFSv2 behavior. Mark Lord found that it broke nfs-root for Linux clients, because it broke NFSv2. In fact, from RFC 1094: "Notice that the file type is specified both in the mode bits and in the file type. This is really a bug in the protocol and will be fixed in future versions." So NFSv2 clients really are expected to depend on the high bits of the mode. Reported-by: Mark Lord Reviewed-by: Jeff Layton Signed-off-by: J. Bruce Fields Cc: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit dbeeb36eb6046aa44004d4ee2077f3e84b1979d3 Author: Trond Myklebust Date: Wed Mar 26 13:24:37 2014 -0700 NFSv4: Fix a use-after-free problem in open() commit e911b8158ee1def8153849b1641b736026b036e0 upstream. If we interrupt the nfs4_wait_for_completion_rpc_task() call in nfs4_run_open_task(), then we don't prevent the RPC call from completing. So freeing up the opendata->f_attr.mdsthreshold in the error path in _nfs4_do_open() leads to a use-after-free when the XDR decoder tries to decode the mdsthreshold information from the server. Fixes: 82be417aa37c0 (NFSv4.1 cache mdsthreshold values on OPEN) Tested-by: Steve Dickson Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 9a64345f0369251f2841bccec8054f5bdb2b673b Author: Krzysztof Kozlowski Date: Tue Mar 18 08:13:00 2014 +0000 iio: cm36651: Fix i2c client leak and possible NULL pointer dereference commit d0a588a57c2b0748df8307a0865a1bbbf1624c53 upstream. During probe the driver allocates dummy I2C devices (i2c_new_dummy()) but they aren't unregistered during driver remove or probe failure. Additionally driver does not check the return value of i2c_new_dummy(). In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later dereferenced by i2c_smbus_{read,write}_data() functions. Fix issues by properly checking for i2c_new_dummy() return value and unregistering I2C devices on driver remove or probe failure. Signed-off-by: Krzysztof Kozlowski Acked-by: Beomho Seo Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 7b2e3d27a269cc43bbf7fa37d28b8e554ed6b66c Author: Beomho Seo Date: Wed Dec 3 00:57:00 2014 +0000 iio: cm32181: Fix read integration time function commit 41c897f8789d0d1039ed873ddcd0caabd5756e0f upstream. In read integration time function, assign 0 to val. Because, prevent return inaccurate value when call read integration time. Cc: Kevin Tsai Signed-off-by: Beomho Seo Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit ba546e37f5d0654709aeac991d78e820e0eff501 Author: Alexandre Belloni Date: Sat May 3 16:57:00 2014 +0100 iio: adc: at91_adc: Repair broken platform_data support commit 467a44b0372d8268ce5bd90e58bde7db51c1d476 upstream. Trying to use the at91_adc driver while not using device tree is ending up in a kernel crash: Unable to handle kernel NULL pointer dereference at virtual address 00000004 [...] [] (at91_adc_probe) from [] (platform_drv_probe+0x18/0x48) [] (platform_drv_probe) from [] (driver_probe_device+0x100/0x218) [] (driver_probe_device) from [] (__driver_attach+0x8c/0x90) [] (__driver_attach) from [] (bus_for_each_dev+0x58/0x88) [] (bus_for_each_dev) from [] (bus_add_driver+0xd4/0x1d4) [] (bus_add_driver) from [] (driver_register+0x78/0xf4) [] (driver_register) from [] (do_one_initcall+0xe8/0x14c) [] (do_one_initcall) from [] (kernel_init_freeable+0xec/0x1b4) [] (kernel_init_freeable) from [] (kernel_init+0x8/0xe4) [] (kernel_init) from [] (ret_from_fork+0x14/0x24) This is because the at91_adc_caps structure is mandatory but is not filled when using platform_data. Correct that by using an id_table. It ensues that the driver will not match "at91_adc" anymore but it was crashing anyway. Fixes: c46016665fff (iio: at91: ADC start-up time calculation changed since at91sam9x5) Signed-off-by: Alexandre Belloni Tested-by: Josh Wu Acked-by: Josh Wu Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 92c5fbd00304d038d57a282552986cd44912decf Author: Alec Berg Date: Wed Mar 19 18:50:00 2014 +0000 iio: querying buffer scan_mask should return 0/1 commit 2076a20fc1a06f7b0333c62a2bb4eeeac7ed1bcb upstream. Ensure that querying the IIO buffer scan_mask returns a value of 0 or 1. Currently querying the scan mask has the value returned by test_bit(), which returns either true or false. For some architectures test_bit() may return -1 for true, which will appear to return an error when returning from iio_scan_mask_query(). Additionally, it's important for the sysfs interface to consistently return the same thing when querying the scan_mask. Signed-off-by: Alec Berg Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 56c5ac2015532f262d8c609fce21eda5b91a5cb8 Author: Alan Stern Date: Mon Apr 14 13:48:47 2014 -0400 USB: fix crash during hotplug of PCI USB controller card commit a2ff864b53eac9a0e9b05bfe9d1781ccd6c2af71 upstream. The code in hcd-pci.c that matches up EHCI controllers with their companion UHCI or OHCI controllers assumes that the private drvdata fields don't get set too early. However, it turns out that this field gets set by usb_create_hcd(), before hcd-pci expects it, and this can result in a crash when two controllers are probed in parallel (as can happen when a new controller card is hotplugged). The companions_rwsem lock was supposed to prevent this sort of thing, but usb_create_hcd() is called outside the scope of the rwsem. A simple solution is to check that the root-hub pointer has been initialized as well as the drvdata field. This doesn't happen until usb_add_hcd() is called; that call and the check are both protected by the rwsem. This patch should be applied to stable kernels from 3.10 onward. Signed-off-by: Alan Stern Reported-by: Stefani Seibold Tested-by: Stefani Seibold Signed-off-by: Greg Kroah-Hartman commit 1fa3b8a3f8273ed7f6caa9d3621840e5630822a5 Author: Jean-Jacques Hiblot Date: Fri Feb 14 11:46:15 2014 -0700 PCI: mvebu: Fix potential issue in range parsing commit 4f4bde1df33bde076f53325bdf2c6430cf85e1bb upstream. The second parameter of of_read_number() is not the index, but a size. As it happens, in this case it may work just fine because of the conversion to u32 and the favorable endianness on this architecture. Fixes: 11be65472a427 ("PCI: mvebu: Adapt to the new device tree layout") Tested-by: Thomas Petazzoni Signed-off-by: Jean-Jacques Hiblot Signed-off-by: Bjorn Helgaas Acked-by: Thomas Petazzoni Acked-by: Jason Cooper Signed-off-by: Greg Kroah-Hartman commit 829293965dc0ffc44aae31eb6a535d6e6b10f875 Author: Marek Vasut Date: Wed Feb 19 13:22:18 2014 -0700 PCI: imx6: Wait for retraining commit f95d3ae771916c8c7024fecfb6c420e5dfeced05 upstream. This patch handles the case where the PCIe link is up and running, yet drops into the LTSSM training mode. The link spends short time in the LTSSM training mode, but the current code can misinterpret it as the link being stalled. Waiting for the LTSSM training to complete fixes the issue. Quoting Sascha: This is broken since commit 7f9f40c01cce ('PCI: imx6: Report "link up" only after link training completes'). The designware driver changes the PORT_LOGIC_SPEED_CHANGE bit in dw_pcie_host_init() which causes the link to be retrained. During the next call to dw_pcie_rd_conf() the link is then reported being down and the function returns PCIBIOS_DEVICE_NOT_FOUND resulting in nonfunctioning PCIe. Fixes: 7f9f40c01cce (PCI: imx6: Report "link up" only after link training completes) Tested-by: Troy Kisky Tested-by: Sascha Hauer Signed-off-by: Marek Vasut Signed-off-by: Troy Kisky Signed-off-by: Bjorn Helgaas Acked-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit eb849671adf8c9d27903138a43f94f8019c65624 Author: Charles Keepax Date: Tue Mar 18 10:49:17 2014 +0000 regulator: arizona-ldo1: Correct default regulator init_data commit a35ff2861690eaf9dbb38fa744a8a9e6f4ebfd61 upstream. Both 5102 and 8997 have the regulator capable of supplying 1.8V, and the voltage step from the 5110 regulator is different from what is specified in the default description. This patch updates the default regulator description to match 5110 and selects the 1.8V capable description for 8997. Signed-off-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit ac6b1125facad9f1dc7af1dd53648f161d6f2616 Author: H. Peter Anvin Date: Sun Mar 16 15:31:54 2014 -0700 x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels commit b3b42ac2cbae1f3cecbb6229964a4d48af31d382 upstream. The IRET instruction, when returning to a 16-bit segment, only restores the bottom 16 bits of the user space stack pointer. We have a software workaround for that ("espfix") for the 32-bit kernel, but it relies on a nonzero stack segment base which is not available in 32-bit mode. Since 16-bit support is somewhat crippled anyway on a 64-bit kernel (no V86 mode), and most (if not quite all) 64-bit processors support virtualization for the users who really need it, simply reject attempts at creating a 16-bit segment when running on top of a 64-bit kernel. Cc: Linus Torvalds Signed-off-by: H. Peter Anvin Link: http://lkml.kernel.org/n/tip-kicdm89kzw9lldryb1br9od0@git.kernel.org Signed-off-by: Greg Kroah-Hartman commit d5b18ed1dff8d3cf90e42981ffb54f5d4a4982f8 Author: Petr Mladek Date: Mon Feb 24 17:12:20 2014 +0100 ftrace/x86: One more missing sync after fixup of function modification failure commit 12729f14d8357fb845d75155228b21e76360272d upstream. If a failure occurs while modifying ftrace function, it bails out and will remove the tracepoints to be back to what the code originally was. There is missing the final sync run across the CPUs after the fix up is done and before the ftrace int3 handler flag is reset. Here's the description of the problem: CPU0 CPU1 ---- ---- remove_breakpoint(); modifying_ftrace_code = 0; [still sees breakpoint] [sees modifying_ftrace_code as zero] [no breakpoint handler] [goto failed case] [trap exception - kernel breakpoint, no handler] BUG() Link: http://lkml.kernel.org/r/1393258342-29978-2-git-send-email-pmladek@suse.cz Fixes: 8a4d0a687a5 "ftrace: Use breakpoint method to update ftrace caller" Acked-by: Frederic Weisbecker Acked-by: H. Peter Anvin Signed-off-by: Petr Mladek Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 5bc3ab30db9b6deee6a686596d13e0c20a52d13b Author: Fenghua Yu Date: Thu Feb 20 13:24:51 2014 -0800 x86, AVX-512: Enable AVX-512 States Context Switch commit c2bc11f10a39527cd1bb252097b5525664560956 upstream. This patch enables Opmask, ZMM_Hi256, and Hi16_ZMM AVX-512 states for xstate context switch. Signed-off-by: Fenghua Yu Link: http://lkml.kernel.org/r/1392931491-33237-2-git-send-email-fenghua.yu@intel.com Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 05f4be82046529c44f01b42d905e57d1b2df4920 Author: Fenghua Yu Date: Thu Feb 20 13:24:50 2014 -0800 x86, AVX-512: AVX-512 Feature Detection commit 8e5780fdeef7dc490b3f0b3a62704593721fa4f3 upstream. AVX-512 is an extention of AVX2. Its spec can be found at: http://download-software.intel.com/sites/default/files/managed/71/2e/319433-017.pdf This patch detects AVX-512 features by CPUID. Signed-off-by: Fenghua Yu Link: http://lkml.kernel.org/r/1392931491-33237-1-git-send-email-fenghua.yu@intel.com Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit f88b98a743b5a59ff49b2e289009d00eff7d7c26 Author: Jan Beulich Date: Thu Feb 27 08:47:02 2014 +0000 x86, hash: Fix build failure with older binutils commit 06325190bd577e11429444d54f454b9d13f560c9 upstream. Just like for other ISA extension instruction uses we should check whether the assembler actually supports them. The fallback here simply is to encode an instruction with fixed operands (%eax and %ecx). [ hpa: tagging for -stable as a build fix ] Signed-off-by: Jan Beulich Link: http://lkml.kernel.org/r/530F0996020000780011FBE7@nat28.tlf.novell.com Cc: Francesco Fusco Cc: Thomas Graf Cc: David S. Miller Acked-by: Daniel Borkmann Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 7f37f259e30d6230e06d43363b2cbbd9658f0f59 Author: Larry Finger Date: Wed Apr 9 11:12:58 2014 -0500 staging: r8188eu: Calling rtw_get_stainfo() with a NULL sta_addr will return NULL commit 9452bf560273e4de2395ffdd79024debfb0c1290 upstream. This makes the follow-on check for psta != NULL pointless and makes the whole exercise rather pointless. This is another case of why blindly zero-initializing variables when they are declared is bad. Reported-by: Jes Sorensen Signed-off-by: Larry Finger Signed-off-by: Greg Kroah-Hartman commit 6500aa1097fae4de3407ef0033d25d4f85233c25 Author: H Hartley Sweeten Date: Fri Mar 28 09:20:58 2014 -0700 staging: comedi: usbdux: bug fix for accessing 'ao_chanlist' in private data commit 2704f807f9498054b8153002bafa3e818079e9a5 upstream. In usbdux_ao_cmd(), the channels for the command are transfered from the cmd->chanlist and stored in the private data 'ao_chanlist'. The channel numbers are bit-shifted when stored so that they become the "command" that is transfered to the device. The channel to command conversion results in the 'ao_chanlist' having these values for the channels: channel 0 -> ao_chanlist = 0x00 channel 1 -> ao_chanlist = 0x40 channel 2 -> ao_chanlist = 0x80 channel 3 -> ao_chanlist = 0xc0 The problem is, the usbduxsub_ao_isoc_irq() function uses the 'chan' value from 'ao_chanlist' to access the 'ao_readback' array in the private data. So instead of accessing the array as 0, 1, 2, 3, it accesses it as 0x00, 0x40, 0x80, 0xc0. Fix this by storing the raw channel number in 'ao_chanlist' and doing the bit-shift when creating the command. Fixes: a998a3db530bff80 "staging: comedi: usbdux: cleanup the private data 'outBuffer'" Signed-off-by: H Hartley Sweeten Reviewed-by: Ian Abbott Acked-by: Bernd Porr Signed-off-by: Greg Kroah-Hartman commit 7acdbd97cf944c41e0fa5a1b891e7bf5358449b2 Author: Larry Finger Date: Wed Apr 16 14:49:33 2014 -0500 staging: r8712u: Fix case where ethtype was never obtained and always be checked against 0 commit f764cd68d9036498f08fe8834deb6a367b5c2542 upstream. Zero-initializing ether_type masked that the ether type would never be obtained for 8021x packets and the comparison against eapol_type would always fail. Reported-by: Jes Sorensen Signed-off-by: Larry Finger Signed-off-by: Greg Kroah-Hartman commit fac3a5f8441b219038adcd79e773e4412e9f36dc Author: Himangi Saraogi Date: Wed Mar 5 04:59:57 2014 +0530 staging:serqt_usb2: Fix sparse warning restricted __le16 degrades to integer commit abe5d64d1a74195a44cd14624f8178b9f48b7cc7 upstream. This patch fixes the following sparse warning : drivers/staging/serqt_usb2/serqt_usb2.c:727:40: warning: restricted __le16 degrades to integer Signed-off-by: Himangi Saraogi Signed-off-by: Greg Kroah-Hartman commit d98eafe3aef87dedc6fbbb2a4dbf37a797d02ff6 Author: David Fries Date: Wed Jan 15 22:29:12 2014 -0600 w1: fix w1_send_slave dropping a slave id commit 6b355b33a64fd6d8ead2b838ec16fb9b551f71e8 upstream. Previous logic, if (avail > 8) { store slave; return; } send data; clear; The logic error is, if there isn't space send the buffer and clear, but the slave wasn't added to the now empty buffer loosing that slave id. It also should have been "if (avail >= 8)" because when it is 8, there is space. Instead, if there isn't space send and clear the buffer, then there is always space for the slave id. Signed-off-by: David Fries Acked-by: Evgeniy Polyakov Signed-off-by: Greg Kroah-Hartman commit 53135e61923afaaa461bbca2b365767c39368ab2 Author: Tomas Novotny Date: Mon Mar 10 19:12:50 2014 +0100 mfd: twl-core: Fix accessibility of some twl4030 audio registers commit 56816b700c8c773270f3aaf4c92be53e359a03fd upstream. There are some unused registers in twl4030 at I2C address 0x49 and function twl4030_49_nop_reg() is used to check accessibility of that registers. These registers are written in decimal format but the values are correct in hexadecimal format. (It can be checked few lines above the patched code - these registers are marked as unused there.) As a consequence three registers of audio submodule are treated as inaccessible (preamplifier carkit right and both handsfree registers). Signed-off-by: Tomas Novotny Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit 00834e4d81ffd1e58206d24ed096f8210958096f Author: Guenter Roeck Date: Thu Mar 20 08:12:28 2014 -0700 mfd: kempld-core: Fix potential hang-up during boot commit 204747c970c0d568721c76ab8a57dde0e5dcf0d5 upstream. On PXT and COMe-cPC2 boards it is observed that the hardware mutex is acquired but not being released during initialization. This can result in a hang-up during boot if the driver is built into the kernel. Releasing the mutex twice if it was acquired fixes the problem. Subsequent request/release cycles work as expected, so the fix is only needed during initialization. Reviewed-by: Michael Brunner Tested-by: Michael Brunner Signed-off-by: Guenter Roeck Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit 9ae64846e73d519426778a0cad99b17d2a8a38c9 Author: Krzysztof Kozlowski Date: Wed Mar 12 16:50:44 2014 +0100 mfd: tps65910: Fix possible invalid pointer dereference on regmap_add_irq_chip fail commit 483e2dfdbc94751430e41db9973985f5b054d322 upstream. Fixes: 4aab3fadad32 ("mfd: tps65910: Move interrupt implementation code to mfd file") tps65910_irq_init() sets 'tps65910->chip_irq' before calling regmap_add_irq_chip(). If the regmap_add_irq_chip() call fails in memory allocation of regmap_irq_chip_data members then: 1. The 'tps65910->chip_irq' will still hold some value 2. 'tps65910->irq_data' will be pointing to already freed memory (because regmap_add_irq_chip() will free it on error) This results in invalid memory access during driver remove because the tps65910_irq_exit() tests whether 'tps65910->chip_irq' is not zero. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit 209c4f31f9f6b8521b81ea9bd4558835ac75a99c Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:34 2014 +0100 mfd: max8997: Fix possible NULL pointer dereference on i2c_new_dummy error commit 97dc4ed3fa377ec91bb60ba98b70d645c2099384 upstream. During probe the driver allocates dummy I2C devices for RTC, haptic and MUIC with i2c_new_dummy() but it does not check the return value of this calls. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by i2c_unregister_device(). If i2c_new_dummy() fails for RTC, haptic or MUIC devices, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit fd91cbef7c21208696715986d201ca1238ea9737 Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:35 2014 +0100 mfd: max8998: Fix possible NULL pointer dereference on i2c_new_dummy error commit ed26f87b9f71693a1d1ee85f5e6209601505080f upstream. During probe the driver allocates dummy I2C device for RTC with i2c_new_dummy() but it does not check the return value of this call. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by i2c_unregister_device(). If i2c_new_dummy() fails for RTC device, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit 50cc472171dbd8b6fc943423a5bd962f4cee67f8 Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:33 2014 +0100 mfd: max8925: Fix possible NULL pointer dereference on i2c_new_dummy error commit 96cf3dedc491d2f1f66cc26217f2b06b0c7b6797 upstream. During probe the driver allocates dummy I2C devices for RTC and ADC with i2c_new_dummy() but it does not check the return value of this calls. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by i2c_unregister_device(). If i2c_new_dummy() fails for RTC or ADC devices, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit 28fcbf3dd39f6160556879ecb9123ade24c7defd Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:32 2014 +0100 mfd: max77693: Fix possible NULL pointer dereference on i2c_new_dummy error commit ad09dd6a1f5d6244bd89314015af506ba7f9810a upstream. During probe the driver allocates dummy I2C devices for MUIC and haptic with i2c_new_dummy() but it does not check the return value of this calls. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by devm_regmap_init_i2c() and i2c_unregister_device(). If i2c_new_dummy() fails for MUIC or haptic devices, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit 1139c7aea9f960412f0609d057fe7c6461641a11 Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:31 2014 +0100 mfd: max77686: Fix possible NULL pointer dereference on i2c_new_dummy error commit b9e183a1d495cd65412abe0f9df19b151716bfe7 upstream. During probe the driver allocates dummy I2C device for RTC with i2c_new_dummy() but it does not check the return value of this call. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by i2c_unregister_device(). If i2c_new_dummy() fails for RTC device, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit b89fa5eb9efe824d6e08a01867773991d6419d25 Author: Krzysztof Kozlowski Date: Wed Feb 12 11:10:56 2014 +0100 mfd: 88pm800: Fix I2C device resource leak if probe fails commit 141050cf3d84fc303df58796d68dc1376b0e8f67 upstream. During probe the driver allocates two dummy I2C devices for subchips in function pm800_pages_init(). Additionally this function allocates regmaps for these subchips. If any of these steps fail then these dummy I2C devices are not freed and resources leak. On pm800_pages_init() fail the driver must call pm800_pages_exit() to unregister dummy I2C devices. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit fb8be80b493d7c68ebbd528872fa799484b9adbc Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:30 2014 +0100 mfd: 88pm860x: Fix I2C device resource leak on regmap init fail commit a7ab1c8b261305af583ce26bb4a14f555fdaa73e upstream. During probe the driver allocates dummy I2C device for companion chip and then allocates a regmap for it. If regmap_init_i2c() fails then the I2C driver (allocated with i2c_new_dummy()) is not freed and this resource leaks. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit b9ca3dd22e63b9ab1f069a2b25234d55986d1054 Author: Krzysztof Kozlowski Date: Tue Feb 11 11:03:29 2014 +0100 mfd: 88pm860x: Fix possible NULL pointer dereference on i2c_new_dummy error commit 159ce52a6b777fc82fa0b51c7440e25f9e4c6feb upstream. During probe the driver allocates dummy I2C device for companion chip with i2c_new_dummy() but it does not check the return value of this call. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by regmap_init_i2c(). If i2c_new_dummy() fails for companion device, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit 045d75e6434efe98576b2f80a4e93fa029a4f183 Author: Krzysztof Kozlowski Date: Tue Feb 11 10:12:25 2014 +0100 mfd: sec-core: Fix possible NULL pointer dereference when i2c_new_dummy error commit 65aba1e04916d72b30c028730a1e31860c225412 upstream. During probe the sec-core driver allocates dummy I2C device for RTC with i2c_new_dummy() but return value is not checked. In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later used by devm_regmap_init_i2c() or i2c_unregister_device(). If i2c_new_dummy() fails for RTC device, fail also the probe for main MFD driver. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit 360fec6392d511b059562ac629b600fadc3cd77b Author: Alexander Usyskin Date: Tue Apr 1 23:50:41 2014 +0300 mei: ignore client writing state during cb completion commit 34ec43661fe8f1977dd0f05353302ae2ed10aabb upstream. Ignore client writing state during cb completion to fix a memory leak. When moving cbs to the completion list we should not look at writing_state as this state can be already overwritten by next write, the fact that a cb is on the write waiting list means that it was already written to the HW and we can safely complete it. Same pays for wait in poll handler, we do not have to check the state wake is done after completion list processing. Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman commit 5716684805259aec90a6dc3d6b28340826d1e2ad Author: Tomas Winkler Date: Tue Mar 25 21:25:18 2014 +0200 mei: me: do not load the driver if the FW doesn't support MEI interface commit 5e6533a6f52f1a8283b2f818f5828be99a417dd6 upstream. NM and SPS FW types that may run on ME device on server platforms do not have valid MEI/HECI interface and driver should not be bound to it as this might lead to system hung. In practice not all BIOSes effectively hide such devices from the OS and in some cases it is not possible. We determine FW type by examining Host FW status registers in order to unbind the driver. In this patch we are adding check for ME on Cougar Point, Lynx Point Devices Signed-off-by: Tomas Winkler Tested-by: Nikola Ciprich Signed-off-by: Greg Kroah-Hartman commit 331e449e92ba18f9f9f39f6e8776d3cd4d999146 Author: Tomas Winkler Date: Mon Mar 10 15:10:40 2014 +0200 mei: fix memory leak of pending write cb objects commit cc99ecfdac01215594c73907726b12f251c21e20 upstream. Write callbacks are released on the write completed path but when file handler is closed before the writes are completed those are left dangling on write and write_waiting queues. We add mei_io_list_free function to perform this task Also move static functions to client.c form client.h Signed-off-by: Tomas Winkler Signed-off-by: Alexander Usyskin Signed-off-by: Greg Kroah-Hartman commit b76ef393e23a7eb8616dd439227f80b63d347a29 Author: Martin Schwidefsky Date: Tue Apr 1 13:45:33 2014 +0200 s390: fix control register update commit a8a934e44f2bd0ed613e1aa0471e3478c6a9228a upstream. The git commit c63badebfebacdba827ab1cc1d420fc81bd8d818 "s390: optimize control register update" broke the update for control register 0. After the update do the lctlg from the correct value. Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 90f13e94a66ccf503e1eb15a5c7577a95422f56d Author: Heiko Carstens Date: Thu Mar 20 08:55:00 2014 +0100 s390/bitops,atomic: add missing memory barriers commit 0ccc8b7ac86053388e793bad20bd26bd777752eb upstream. When reworking the bitops and atomic ops I missed that those instructions that got atomic behaviour only perform a "specific-operand-serialization" instead of a full "serialization". The compare-and-swap instruction used before performs a full serialization before and after the instruction is executed, which means it has full memory barrier semantics. In order to give the new bitops and atomic ops functions also full memory barrier semantics add a "bcr 14,0" before and after each of those new instructions which performs full serialization as well. This restores memory barrier semantics for bitops and atomic ops functions which return values, like e.g. atomic_add_return(), but not for functions which do not return a value, like e.g. atomic_add(). This is consistent to other architectures and what common code requires. Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 6d807fb1a3280648dffbdb78751d762d07048b5a Author: Christian Borntraeger Date: Thu Mar 6 16:01:38 2014 +0100 KVM: s390: Optimize ucontrol path commit 2955c83f72801245afd0fe5c560cc75b82bea9aa upstream. Since commit 7c470539c95630c1f2a10f109e96f249730b75eb (s390/kvm: avoid automatic sie reentry) we will run through the C code of KVM on host interrupts instead of just reentering the guest. This will result in additional ucontrol exits (at least HZ per second). Let handle a 0 intercept in the kernel and dont return to userspace, even if in ucontrol mode. Signed-off-by: Christian Borntraeger Reviewed-by: Cornelia Huck Signed-off-by: Greg Kroah-Hartman commit 0149df238fd66b16e3aab4d1750342a7750150a6 Author: Sebastian Ott Date: Mon Jan 27 13:26:10 2014 +0100 s390/cio: fix driver callback initialization for ccw consoles commit 2253e8d79237c69086ded391e6767afe16972527 upstream. ccw consoles are in use before they can be properly registered with the driver core. For devices which are in use by a device driver we rely on the ccw_device's pointer to the driver callbacks to be valid. For ccw consoles this pointer is NULL until they are registered later during boot and we dereferenced this pointer. This worked by chance on 64 bit builds (cdev->drv was NULL but the optional callback cdev->drv->path_event was also NULL by coincidence) and was unnoticed until we received reports about boot failures on 31 bit systems. Fix it by initializing the driver pointer for ccw consoles. Reported-by: Mike Frysinger Reported-by: Heiko Carstens Reviewed-by: Peter Oberparleiter Signed-off-by: Sebastian Ott Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit f2fa919e04df73c81f0943ed4e50ef4c77d495c6 Author: Axel Lin Date: Tue Mar 25 12:44:13 2014 +0800 spi: dw: Don't call kfree for memory allocated by devm_kzalloc commit c63f5da00845143de621e991ea186be0829647ee upstream. With devm_kzalloc, the memory is automatically freed when spi_device detach from the bus. Fixes: commit 43f627ac9de42 (spi: dw: fix memory leak on error path) Signed-off-by: Axel Lin Acked-by: Baruch Siach Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 1e3fe0a434d0a08c4170b02c22c5c2251a2d2318 Author: Uwe Kleine-König Date: Tue Mar 25 15:51:50 2014 +0100 spi: efm32: use $vendor,$device scheme for compatible string commit 12f6dd860cf8bf036c0bec38c00a53da71bcd43a upstream. Wolfram Sang pointed out that "efm32,$device" is non-standard. So use the common scheme and prefix device with "efm32-". The old compatible string is left in place until arch/arm/boot/dts/efm32* is fixed. Signed-off-by: Uwe Kleine-König Acked-by: Wolfram Sang Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit fcb993e3da4cc31af8d3bac3b478be5bd1e3ce80 Author: Lv Zheng Date: Wed Feb 26 10:29:40 2014 +0800 ACPICA: Restore code that repairs NULL package elements in return values. commit 61db45ca21630f5ab7f678d54c5d969c21647854 upstream. The original code was lost accidently, it was not generated along with the following commit of mechanism improvements and thus not get merged: Commit: d5a36100f62fa6db5541344e08b361b34e9114c5 Subject: ACPICA: Add mechanism for early object repairs on a per-name basis Adds the framework to allow object repairs very early in the return object analysis. Enables repairs like string->unicode, etc. This patch restores the implementation of the NULL element repair code for ACPI_RTYPE_NONE. In the original design, ACPI_RTYPE_NONE is defined to collect simple NULL object repairs. Lv Zheng. Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=67901 Signed-off-by: Lv Zheng Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 7fffc6c818b4e6fb2c3f013a4d41aae4a3405864 Author: Kailang Yang Date: Wed Apr 16 15:53:12 2014 +0800 ALSA: hda/realtek - Add headset Mic support for Dell machine commit 8dc9abb93dde94e7f2bc719032fe16f5713df05c upstream. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ff1a015ee353d4945122aa0448d9d16ede41d308 Author: Kailang Yang Date: Mon Apr 14 15:09:44 2014 +0800 ALSA: hda/realtek - Add support of ALC288 codec commit 7c66593286bcd153e4868383e675673a27071bd5 upstream. Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 395caeae8b0c34c266dcd6bc217958dc8024bf62 Author: Takashi Iwai Date: Thu Apr 3 11:51:21 2014 +0200 ALSA: hda - Fix silent speaker output due to mute LED fixup commit 415d555e6b398b00fc1733f0113065a54df9106a upstream. The recent fixups for HP laptops to support the mute LED made the speaker output silent on some machines. It turned out that they use the NID 0x18 for the speaker while it's also used for controlling the LED via VREF bits although the current driver code blindly assumes that such a node is a mic pin (where 0x18 is usually so). This patch fixes the problem by only changing the VREF bits and keeping the other pin ctl bits. Reported-and-tested-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 20bb89b0cc8cf20c0b24d6aae49638ee6f516e0b Author: Takashi Iwai Date: Tue Apr 8 16:58:34 2014 +0200 ALSA: ice1712: Fix boundary checks in PCM pointer ops commit 4f8e940095536bc002a81666a4107a581c84e9b9 upstream. PCM pointer callbacks in ice1712 driver check the buffer size boundary wrongly between bytes and frames. This leads to PCM core warnings like: snd_pcm_update_hw_ptr0: 105 callbacks suppressed ALSA pcm_lib.c:352 BUG: pcmC3D0c:0, pos = 5461, buffer size = 5461, period size = 2730 This patch fixes these checks to be placed after the proper unit conversions. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 41e05b9c541698e9169f144a0e4ec84a189257d2 Author: W. Trevor King Date: Sat Mar 29 17:47:24 2014 -0700 ALSA: hda - Enable beep for ASUS 1015E commit a4b7f21d7b42b33609df3f86992a8deff80abfaf upstream. The `lspci -nnvv` output contains (wrapped for line length): 00:1b.0 Audio device [0403]: Intel Corporation 7 Series/C210 Series Chipset Family High Definition Audio Controller [8086:1e20] (rev 04) Subsystem: ASUSTeK Computer Inc. Device [1043:115d] Signed-off-by: W. Trevor King Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit a2ce7e5ea029ffc411be9dee9e93b5636eeb27af Author: Hui Wang Date: Wed Mar 26 10:27:41 2014 +0800 ALSA: hda - add headset mic detect quirks for three Dell laptops commit a870593bab179ca402ead455f45af6e4404a2a7f upstream. When we plug a 3-ring headset on the Dell machines (VID: 0x10ec0255, SID: 0x10280632; VID: 0x10ec0293, SID: 0x1028062c; VID: 0x10ec0293, SID: 0x1028062e), the headset mic can't be detected, after apply this patch, the headset mic can work well. BugLink: https://bugs.launchpad.net/bugs/1297581 Cc: David Henningsson Signed-off-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 6eb2eda73a1c3a0a8306f740d59bcbe98ced6b11 Author: Kailang Yang Date: Mon Mar 17 13:51:27 2014 +0800 ALSA: hda/realtek - Restore default value for ALC283 commit 6bd55b04fe05cb26094b0fe494c7a207e6c0c36e upstream. Restore the registers to prevent the abnormal digital power supply rising ratio/sequence to the codec and causing the incorrect default codec register restoration during initialization. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=71861 Signed-off-by: Kailang Yang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b98c1e1c1f71ab32e755e2e417e9a682865578b8 Author: Andrea Adami Date: Tue Apr 8 14:53:44 2014 +0200 ARM: pxa: hx4700.h: include "irqs.h" for PXA_NR_BUILTIN_GPIO commit c02b50e90be9f41d6802049a1a08246e9eb1a22c upstream. hx4700 needs the same fix as in 9705e74671f0e4f994d86b00cecf441917c64a66 "ARM: pxa: fix various compilation problems" Fix build errors. Initial one is: /linux/arch/arm/mach-pxa/include/mach/hx4700.h:18:32: error: 'PXA_NR_BUILTIN_GPIO' undeclared here (not in a function) | #define HX4700_ASIC3_GPIO_BASE PXA_NR_BUILTIN_GPIO Signed-off-by: Andrea Adami Signed-off-by: Linus Walleij Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 8d0e11e0fb8cb9c61e56194a00abbd7a63dddd26 Author: Thomas Petazzoni Date: Wed Mar 26 00:33:58 2014 +0100 ARM: mvebu: ensure the mdio node has a clock reference on Armada 370/XP commit a6e03dd451c724f785277d8ecca5d1a0b886d892 upstream. The mvmdio driver accesses some register of the Ethernet unit. It therefore takes a reference and enables a clock. However, on Armada 370/XP, no clock specification was given in the Device Tree, which leads the mvmdio driver to fail when being used as a module and loaded before the mvneta driver: it tries to access a register from a hardware unit that isn't clocked. Signed-off-by: Thomas Petazzoni Link: https://lkml.kernel.org/r/1395790439-21332-2-git-send-email-thomas.petazzoni@free-electrons.com Acked-by: Andrew Lunn Acked-by: Gregory CLEMENT Signed-off-by: Jason Cooper Signed-off-by: Greg Kroah-Hartman commit 441f74e074bb5d924df970a00ba193b888c3fb17 Author: Liu Hua Date: Fri Apr 18 07:45:36 2014 +0100 ARM: 8030/1: ARM : kdump : add arch_crash_save_vmcoreinfo commit 56b700fd6f1e49149880fb1b6ffee0dca5be45fb upstream. For vmcore generated by LPAE enabled kernel, user space utility such as crash needs additional infomation to parse. So this patch add arch_crash_save_vmcoreinfo as what PAE enabled i386 linux does. Reviewed-by: Will Deacon Signed-off-by: Liu Hua Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 9f1d9d1c15654575878485fab093094ce66283aa Author: Xiangyu Lu Date: Tue Apr 15 09:38:17 2014 +0100 ARM: 8027/1: fix do_div() bug in big-endian systems commit 80bb3ef109ff40a7593d9481c17de9bbc4d7c0e2 upstream. In big-endian systems, "%1" get the most significant part of the value, cause the instruction to get the wrong result. When viewing ftrace record in big-endian ARM systems, we found that the timestamp errors: swapper-0 [001] 1325.970000: 0:120:R ==> [001] 16:120:R events/1 events/1-16 [001] 1325.970000: 16:120:S ==> [001] 0:120:R swapper swapper-0 [000] 1325.1000000: 0:120:R + [000] 15:120:R events/0 swapper-0 [000] 1325.1000000: 0:120:R ==> [000] 15:120:R events/0 swapper-0 [000] 1326.030000: 0:120:R + [000] 1150:120:R sshd swapper-0 [000] 1326.030000: 0:120:R ==> [000] 1150:120:R sshd When viewed ftrace records, it will call the do_div(n, base) function, which achieved arch/arm/include/asm/div64.h in. When n = 10000000, base = 1000000, in do_div(n, base) will execute "umull %Q0, %R0, %1, %Q2". Reviewed-by: Dave Martin Reviewed-by: Nicolas Pitre Signed-off-by: Alex Wu Signed-off-by: Xiangyu Lu Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 8d25ae876767e67d9edace3b075643263af00062 Author: Christopher Covington Date: Wed Mar 19 18:12:25 2014 +0100 ARM: 8007/1: Remove extraneous kcmp syscall ignore commit 95c52fe063351192e0f4ffb70ef9bac1aa26f5a4 upstream. The kcmp system call was ported to ARM in commit 3f7d1fe108dbaefd0c57a41753fc2c90b395f458 "ARM: 7665/1: Wire up kcmp syscall". Fixes: 3f7d1fe108db ("ARM: 7665/1: Wire up kcmp syscall") Signed-off-by: Christopher Covington Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit e02098d84d67b8ff15defddcc7841bd3452a5e11 Author: Andrew Lunn Date: Sat Feb 22 20:14:54 2014 +0100 ARM: Fix default CPU selection for ARCH_MULTI_V5 commit 12567bbdee7ea553237085a2bbc0ffa5240f5248 upstream. CPU_ARM926T should be selected if no other CPU is. Put the ! in the right place so this works. Signed-off-by: Andrew Lunn Acked-by: Arnd Bergmann Tested-by: Jason Gunthorpe Fixes: 24e860fbfdb1c ("ARM: multiplatform: always pick one CPU type") Signed-off-by: Jason Cooper Signed-off-by: Greg Kroah-Hartman commit 10e9152881485c4e4c21909dad5dfc25cfb30378 Author: Will Deacon Date: Fri Feb 7 19:12:27 2014 +0100 ARM: 7954/1: mm: remove remaining domain support from ARMv6 commit b6ccb9803e90c16b212cf4ed62913a7591e79a39 upstream. CPU_32v6 currently selects CPU_USE_DOMAINS if CPU_V6 and MMU. This is because ARM 1136 r0pX CPUs lack the v6k extensions, and therefore do not have hardware thread registers. The lack of these registers requires the kernel to update the vectors page at each context switch in order to write a new TLS pointer. This write must be done via the userspace mapping, since aliasing caches can lead to expensive flushing when using kmap. Finally, this requires the vectors page to be mapped r/w for kernel and r/o for user, which has implications for things like put_user which must trigger CoW appropriately when targetting user pages. The upshot of all this is that a v6/v7 kernel makes use of domains to segregate kernel and user memory accesses. This has the nasty side-effect of making device mappings executable, which has been observed to cause subtle bugs on recent cores (e.g. Cortex-A15 performing a speculative instruction fetch from the GIC and acking an interrupt in the process). This patch solves this problem by removing the remaining domain support from ARMv6. A new memory type is added specifically for the vectors page which allows that page (and only that page) to be mapped as user r/o, kernel r/w. All other user r/o pages are mapped also as kernel r/o. Patch co-developed with Russell King. Signed-off-by: Will Deacon Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 7dcbda0aef594f0e0bc0ae69c336ca8454a96cd3 Author: Tomasz Figa Date: Fri Feb 14 07:43:54 2014 +0900 ARM: dts: Keep G3D regulator always on for exynos5250-arndale commit bfeda827278f09f4db35877e5f1ca9c149ca2890 upstream. Apparently, if G3D regulator is powered off, the SoC cannot enter low power modes and just hangs. This patch fixes this by keeping the regulator always on when the system is running, as suggested by Exynos 4 User's Manual in case of Exynos4210/4x12 SoCs (Exynos5250 UM does not have such note, but observed behavior seems to confirm that it is true for this SoC as well). This fixes an issue preventing Arndale board from entering sleep mode observed since commit 346f372f7b72a0 clk: exynos5250: Add CLK_IGNORE_UNUSED flag for pmu clock that landed in kernel 3.10, which has fixed the clock driver to make the SoC actually try to enter the sleep mode. Signed-off-by: Tomasz Figa Acked-by: Kyungmin Park Tested-by: Tushar Behera Signed-off-by: Kukjin Kim Signed-off-by: Greg Kroah-Hartman commit a6fc0933d80f2230e7b402d63b1f578a0a1a9449 Author: Florian Vaussard Date: Wed Feb 26 11:38:09 2014 +0100 ARM: dts: omap4/5: Use l3_ick for the gpmc node commit 7b8b6af169a069454936053631d151a50af7b69a upstream. The GPMC clock is derived from l3_ick. The simplest solution is to reference directly l3_ick to provide the GPMC fck in order to get correct timings. The real management of the clock is left to hwmod. Signed-off-by: Florian Vaussard Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit eecb4d000aaa8617b25d203163ab66cd904f3ccc Author: Mugunthan V N Date: Thu Mar 6 18:01:34 2014 +0530 ARM: dts: am33xx: correcting dt node unit address for usb commit 8abcdd680d543fb582371e146e62ba9f2af8a816 upstream. DT node's unit address should be its own register offset address to make it a unique across the system. This patch corrects the incorrect USB entries with correct register offset for unit address. Acked-by: Sebastian Andrzej Siewior Acked-by: Felipe Balbi Signed-off-by: Mugunthan V N Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 9ffd98a63e6c5fc1d3dd022156dc1bfdb32ee3b9 Author: Roger Quadros Date: Thu Apr 10 10:18:17 2014 +0300 ARM: OMAP3: hwmod data: Correct clock domains for USB modules commit c6c56697ae4bf1226263c19e8353343d7083f40e upstream. OMAP3 doesn't contain "l3_init_clkdm" clock domain. Use the proper clock domains for USB Host and USB TLL modules. Gets rid of the following warnings during boot omap_hwmod: usb_host_hs: could not associate to clkdm l3_init_clkdm omap_hwmod: usb_tll_hs: could not associate to clkdm l3_init_clkdm Reported-by: Nishanth Menon Cc: Paul Walmsley Signed-off-by: Roger Quadros Fixes: de231388cb80a8ef3e779bbfa0564ba0157b7377 ("ARM: OMAP: USB: EHCI and OHCI hwmod structures for OMAP3") Cc: Keshava Munegowda Cc: Partha Basak Signed-off-by: Paul Walmsley Signed-off-by: Greg Kroah-Hartman commit 3b7b6496674b48b7fe5aa6961bed7788531897d0 Author: Nishanth Menon Date: Wed Mar 12 16:43:20 2014 -0500 ARM: OMAP4: Fix definition of IS_PM44XX_ERRATUM commit 07484ca33ef83900f5cfbde075c1a19e5a237aa1 upstream. Just like IS_PM34XX_ERRATUM, IS_PM44XX_ERRATUM is valid only if CONFIG_PM is enabled, else, disabling CONFIG_PM results in build failure complaining about the following: arch/arm/mach-omap2/built-in.o: In function `omap4_boot_secondary': :(.text+0x8a70): undefined reference to `pm44xx_errata' Fixes: c962184 (ARM: OMAP4: PM: add errata support) Reported-by: Tony Lindgren Signed-off-by: Nishanth Menon Acked-by: Santosh Shilimkar Acked-by: Kevin Hilman Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 1722226dab5a1874b368ecb12cdcdf429e85e08f Author: Florian Vaussard Date: Wed Feb 26 11:38:08 2014 +0100 CLK: TI: OMAP4/5/DRA7: Remove gpmc_fck from dummy clocks commit 8559087f0e9722a95df43fa5968bd1ee42bcf540 upstream. When arch/arm/mach-omap2/gpmc.c calls clk_get(..., "fck"), it will get a dummy clock and try to use it. As the rate is configured to zero, this will result in several divisions by zero, and misconfigured timings, with devices on the bus being lost in the La La Land. It is better to remove gpmc_fck from the dummy clocks, so that gpmc.c can fail gracefully. Signed-off-by: Florian Vaussard Acked-by: Tero Kristo Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 2aead66d9afe226f2af1a1db4c8152549a4f0411 Author: Suman Anna Date: Fri Mar 14 14:45:17 2014 +0530 ARM: OMAP2+: hwmod: fix missing braces in _init() commit 3d36ad7e7a9be0d130c862727a052ed279046437 upstream. Bug was introduced by commit 'f92d959: ARM: OMAP2+: hwmod: Extract no-idle and no-reset info from DT' There were 2 versions of the patch posted which resulted in the above commit. While v1 [1] had the bug, v2 [2] had it fixed. However v1 apparently seemed to have been pulled in by mistake introducing the bug. Given of_find_property() does return NULL when the node passed is NULL, it did not introduce any functional issues as such, just the fact that the second if check was executed unnecessarily. [1] https://www.mail-archive.com/linux-omap@vger.kernel.org/msg94220.html [2] http://www.spinics.net/lists/linux-omap/msg98490.html Cc: Nishanth Menon Signed-off-by: Rajendra Nayak Signed-off-by: Suman Anna Signed-off-by: Lokesh Vutla Fixes: f92d9597f781f6a5a39c73dc71604bd8a21c5299 ("ARM: OMAP2+: hwmod: Extract no-idle and no-reset info from DT") Signed-off-by: Paul Walmsley Signed-off-by: Greg Kroah-Hartman commit 37e85ea59cd87bcbe23d295c1c416a60e4f38de6 Author: Stefan Sørensen Date: Thu Mar 6 16:27:15 2014 +0100 ARM: OMAP2+: INTC: Acknowledge stuck active interrupts commit 698b48532539484b012fb7c4176b959d32a17d00 upstream. When an interrupt has become active on the INTC it will stay active until it is acked, even if masked or de-asserted. The INTC_PENDING_IRQn registers are however updated and since these are used by omap_intc_handle_irq to determine which interrupt to handle, it will never see the active interrupt. This will result in a storm of useless interrupts that is only stopped when another higher priority interrupt is asserted. Fix by sending the INTC an acknowledge if we find no interrupts to handle. Signed-off-by: Stefan Sørensen Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit efa1ca365156f7faebbbd7cda83195c51cd17b19 Author: Brian Austin Date: Tue Mar 18 13:56:21 2014 -0500 ASoC: cs42l73: Fix mask bits for SOC_VALUE_ENUM_SINGLE commit 1555b652970e541fa1cb80c61ffc696bbfb92bb7 upstream. The mask bits values were wrong for the SOC_VALUE_ENUM_SINGLE for the mono mix controls. Reported-by: Takashi Iwai Signed-off-by: Brian Austin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit d61d06aa9840ed4a0e7d2299e0095cdc0eac256e Author: Brian Austin Date: Tue Mar 18 14:01:47 2014 -0500 ASoC: cs42l52: Fix mask bits for SOC_VALUE_ENUM_SINGLE commit d31a33dd7792c7d6c11fda226a3b9e4fb7f86f95 upstream. The mask bits values were wrong for the SOC_VALUE_ENUM_SINGLE for the PCM/ADC Swap controls Reported-by: Takashi Iwai Signed-off-by: Brian Austin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit eb0d2c6bb2ac5e54de5d60ce4fee226d5f0d4ad3 Author: Brian Austin Date: Wed Mar 19 10:40:02 2014 -0500 ASoC: cs42l51: Fix SOC_DOUBLE_R_SX_TLV shift values for ADC, PCM, and Analog kcontrols commit 7272e051157ccd5871b5d939548d0ba5a94a2965 upstream. The shift values for the ADC,PCM, and Analog kcontrols were wrong causing wrong values for the SOC_DOUBLE_R_SX_TLV macros Fixed the TLV for aout_tlv to show -102dB correctly Fixes: 1d99f2436d (ASoC: core: Rework SOC_DOUBLE_R_SX_TLV add SOC_SINGLE_SX_TLV) Reported-by: Thomas Petazzoni Signed-off-by: Brian Austin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit d5421c54b0a6c751f3b8e3141381ffa7e4e6e0ff Author: Mark Brown Date: Sat Mar 22 18:29:15 2014 +0000 ASoC: pcm: Drop incorrect double/extra frees commit 017d9491ce203c620ad1377f46a3ce78d554b2de upstream. The changes in "ASoC: pcm: free path list before exiting from error conditions" actually introduced both double frees (in case where the path list was allocated but empty) and frees of unallocated memory (in cases where the error being handled was -ENOMEM. Drop the commit for now. Fixes: e4ad1accb (ASoC: pcm: free path list before exiting from error conditions) Reported-by: Ben Hutchings Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit af3d6c44de2b9b79682156194e48ad30e2830ccd Author: Catalin Marinas Date: Wed Mar 12 16:07:06 2014 +0000 arm64: Make DMA coherent and strongly ordered mappings not executable commit de2db7432917a82b62d55bb59635586eeca6d1bd upstream. pgprot_{dmacoherent,writecombine,noncached} don't need to generate executable mappings with side-effects like __sync_icache_dcache() being called when the mapping is in user space. Signed-off-by: Catalin Marinas Reported-by: Bharat Bhushan Tested-by: Laura Abbott Tested-by: Bharat Bhushan Signed-off-by: Greg Kroah-Hartman commit 05a759c87255a4eeabfd49aa98bb87ea7310fc64 Author: Catalin Marinas Date: Wed Mar 12 16:28:09 2014 +0000 arm64: Do not synchronise I and D caches for special ptes commit 71fdb6bf61bf0692f004f9daf5650392c0cfe300 upstream. Special pte mappings are not intended to be executable and do not even have an associated struct page. This patch ensures that we do not call __sync_icache_dcache() on such ptes. Signed-off-by: Catalin Marinas Reported-by: Steve Capper Tested-by: Laura Abbott Tested-by: Bharat Bhushan Signed-off-by: Greg Kroah-Hartman