Commit Graph

413161 Commits

Author SHA1 Message Date
Luciano Coelho cfa8889370 iwlwifi: mvm: set seqno also when no keys are set
In an open BSS, after suspend/resume, we don't set the last seqno
because the iwl_mvm_setup_connection_keep() returns too early.  This
happens because the check to see if we have any keys was returning
immediately, without setting seqno and seqno_valid.  Fix this.

Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2013-11-25 23:00:20 +02:00
Alexander Bondar 6860bd15c2 iwlwifi: pcie: stop sending commands to dead firmware
If we call ieee80211_hw_restart, it means that the
firmware is in bad condition and will be reset soon.
Since the firmware will be reset, there is no good
reason to keep sending host commands.

Signed-off-by: Alexander Bondar <alexander.bondar@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2013-11-25 23:00:20 +02:00
Emmanuel Grumbach 3fde33b762 iwlwifi: bump required firmware API version for 3160/7260
A new firmware is coming out soon with new APIs.
To make sure that this new firmware won't be loaded on old
driver that don't support it, it's API version has been
updated to 8. In order to be able to load it, bump the API
version to 8.
API version 7 is still supported and will be for another
year or so.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2013-11-25 23:00:20 +02:00
Emmanuel Grumbach 9fc3fe96c3 iwlwifi: mvm: don't WARN about unsuccessful time event
Time event notification can have a failure status even if
the time event was scheduled:
* in START notification, this can happen if the time event
  was scheduled later than the requested apply time.
* in STOP notification, this can happen if the time event
  is truncated.

Even if both happened, the offchannel packets sent during
the remain on channel are very likely to have been sent.
Hence, don't WARN when this happens, but rather print a
discrete line in the kernel log.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
2013-11-25 23:00:20 +02:00
Emmanuel Grumbach 56c07a9c95 iwlwifi: mvm: BT Coex fix another NULL pointer dereference
This patch is very similar to a previous fix: 22cba0c085

When we disassociate, mac80211 removes the station and
then, it sets the bss it unsets the assoc bool in bss_info.

Since the firwmware wants it the opposite (first set the
MAC context as unassoc, and only then, remove the STA of
the API), we have a small period of time in which the STA
in firmware doesn't have a valid ieee80211_sta pointer.
During that time, iwl_mvm_vif->ap_sta_id, is still set
to the STA in firmware that represent the AP.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2013-11-25 23:00:20 +02:00
Emmanuel Grumbach a338f1efa5 iwlwifi: mvm: BT Coex - don't enable MULTI_PRIO_LUT
This feature isn't supported by the firmware (yet).
Note that settingt he values to BT_CFG_CMD is harmless if
the validity bit is clear - so keep the configuration
values in BT_CFG_CMD, but clear the validity bit until thes
feature is enabled in the firmware.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2013-11-25 23:00:19 +02:00
Oren Givon 53e88cb116 iwlwifi: add new HW - 7265 series
Add new HW IDs and configurations for 7265 series.

Signed-off-by: Oren Givon <oren.givon@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2013-11-25 23:00:19 +02:00
Emmanuel Grumbach 6960a059b2 iwlwifi: pcie: fix interrupt coalescing for 7260 / 3160
We changed the timeout for the interrupt coealescing for
calibration, but that wasn't effective since we changed
that value back before loading the firmware. Since
calibrations are notification from firmware and not Rx
packets, this doesn't change anyway - the firmware will
fire an interrupt straight away regardless of the interrupt
coalescing value.
Also, a HW issue has been discovered in 7000 devices series.
The work around is to disable the new interrupt coalescing
timeout feature - do this by setting bit 31 in
CSR_INT_COALESCING.
This has been fixed in 7265 which means that we can't rely
on the device family and must have a hint in the iwl_cfg
structure.

Cc: stable@vger.kernel.org [3.10+]
Fixes: 99cd471423 ("iwlwifi: add 7000 series device configuration")
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2013-11-25 23:00:19 +02:00
Johannes Berg 60765a47a4 iwlwifi: mvm: check sta_id/drain values in debugfs
The station ID must be valid, if it's out of range then
the array access may crash. Validate the station ID to
the array length, and also validate the drain value even
if that doesn't matter all that much.

Cc: stable@vger.kernel.org
Fixes: 8ca151b568 ("iwlwifi: add the MVM driver")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2013-11-25 23:00:19 +02:00
Olav Haugan 67296874eb staging: zsmalloc: Ensure handle is never 0 on success
zsmalloc encodes a handle using the pfn and an object
index. On hardware platforms with physical memory starting
at 0x0 the pfn can be 0. This causes the encoded handle to be
0 and is incorrectly interpreted as an allocation failure.

This issue affects all current and future SoCs with physical
memory starting at 0x0. All MSM8974 SoCs which includes
Google Nexus 5 devices are affected.

To prevent this false error we ensure that the encoded handle
will not be 0 when allocation succeeds.

Signed-off-by: Olav Haugan <ohaugan@codeaurora.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 12:52:45 -08:00
Peng Tao b39f15c972 staging/lustre/ptlrpc: fix ptlrpc_stop_pinger logic
It was introduced due to a patch hunk when porting
commit 20802057 (staging/lustre/ptlrpc: race in pinger).

Cc: Andreas Dilger <andreas.dilger@intel.com>
Signed-off-by: Peng Tao <bergwolf@gmail.com>
Cc: stable <stable@vger.kernel.org> # 3.12
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 12:52:45 -08:00
Larry Finger 9ecfc0f450 staging: r8188eu: Fix AP mode
Two code lines were accidentally deleted.  Restore them.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 12:52:45 -08:00
Greg Kroah-Hartman 1676587bca First round of fixes for IIO in the 3.13 cycle.
The usual mixed bag of fixes.
 
 * 3 cases where kconfig dependencies were missing.  We need to keep a closer
   eye on this in new drivers.
 
 * hid_sensors was abusing the iio_dev->trigger pointer.  We had a round
   of clearing this out some time ago but this driver clearly slipped through.
 
 * A misuse of the IIO_ST macro, in mcp3422, which we should really make a
   concertive effort to finish removing.
 
 * Avoid a double free introduced by recent buffer reference counting in the
   one driver that (quite reasonably!) does things differently (am335x)
 
 * A missing mutex_unlock in kxsd9 that means that driver has been non
   functional for some time and no one noticed (including me who for once
   actually has one of the supported devices).
 
 * An incorrect assumption about the parameters of sign_extend32 in mcp3422.
 
 So nothing controversial.  The only substantial patch is the hid_sensors
 one and that is actually just adding a new pointer to the devices private
 state then moving the code over to it.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJSk7SvAAoJEFSFNJnE9BaIRNsQAJnM/WiH1ghfA5nuc0V7JrnB
 2Z6Qtm3Stoq4Ul5LYiEMxumo6ckL17YFddxejUF9X4Eq5N8YyAxdPd8JdDJgS2OL
 yCM2x6izd9drIGA3YUMMOvZ1BScSK1e5DmXJHp4nuF68uHtf2TM4TGF/2zuqt3TN
 2bL7blNF3/5O/TiBRB4XjkH4Sy5c4G2kke+0SckRnWohTn8oE7tWihr84nYPciqt
 mu11Nrv9S+sr/5GzRwN8d5SU33yU2/ML32QU/4oQzb/XxBW0W759NJflqY5sSZ89
 JQnHcCKKZD7IWBFT0VAMiuEjBpSRGc4vxBbYjsVHtEHzW7v3L0fvob5YqfSrzMlD
 rVUiTQJm7fC/4hn7iJUPrxkWsSGsjCvVrLZmZFOK3OYONUfd+Cqg0nliihRZo65s
 054/yi4v8xd6OUzqSxtWKIK/ZQjDxa5W2BlRoryShCrUAo/e3Djy+jH32v4Mmgfe
 D9aEwdUqa8kPlq6pyQC2QRgWWU1K5+RRrzW5nNNLlmjYtVlfF+8OgcQYGHW8iMur
 8AaDXNZwQLEYA4409T/Ar9lNg4gDqc0YZsvNibu0q4Kxfp13dJOwra+xmF+ktECr
 KcIFxu5v89SgpE1Rra74OXYFWQ1I4Qy+sJxhQKymthPzmw4nuUidK33mxjtcojwz
 TvQJu8f3us8Ea5vQLZo0
 =cIMc
 -----END PGP SIGNATURE-----

Merge tag 'fixes-for-3.13a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus

Jonathan writes:

First round of fixes for IIO in the 3.13 cycle.

The usual mixed bag of fixes.

* 3 cases where kconfig dependencies were missing.  We need to keep a closer
  eye on this in new drivers.

* hid_sensors was abusing the iio_dev->trigger pointer.  We had a round
  of clearing this out some time ago but this driver clearly slipped through.

* A misuse of the IIO_ST macro, in mcp3422, which we should really make a
  concertive effort to finish removing.

* Avoid a double free introduced by recent buffer reference counting in the
  one driver that (quite reasonably!) does things differently (am335x)

* A missing mutex_unlock in kxsd9 that means that driver has been non
  functional for some time and no one noticed (including me who for once
  actually has one of the supported devices).

* An incorrect assumption about the parameters of sign_extend32 in mcp3422.

So nothing controversial.  The only substantial patch is the hid_sensors
one and that is actually just adding a new pointer to the devices private
state then moving the code over to it.
2013-11-25 12:50:11 -08:00
Linus Torvalds 8e45099e02 regulator: Fixes for v3.13
A bunch of fixes, a few driver specific ones and a framework fix for
 voltage enumeration on fixed voltage regulators which had previously
 worked but had been misplaced during some refactoring causing problems
 for users that needed to know the voltage.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.15 (GNU/Linux)
 
 iQIcBAABAgAGBQJSkgsOAAoJELSic+t+oim9soIQAIQL1Im2MKVa0M2Kj9npsf2G
 QKgyobmpQRyjcVrEJp8waOG8WEdIY2s7iJOUNWWnBsyLJ88wMsRPYbloE87DO2nA
 dBjYUI25YcTHOlqVYqCrhH5rJfS3m1PsbMJBgrW7vB0IvseobY63sk64hdfyO8Z+
 zgroggEI6JXo6IYprtLYgIEOhDt3izZBvyFZyCdlpiGPPlMaD2UQFaJ/qwqQdwpY
 FR5o4DbXmggILIhjl5TjH1u6UKinJDdS1n027626zsGSoVz3DJbgcwiDIUkbawfo
 lucRQc4tESbr8D05TvTY1BuyKCU6Z1Ejf5DTPn7H5ESCfTer1TZ5BT5Vfgc5YDGq
 my7vEZfpw2OndgunqG8bCG5MuWrA4mQ05sg7FFSbdWIbM3FfKB2bfPg3MHE4F3q6
 pi7hFnnjdG0cVee+Dxn/vYn1KJ8JqaqutnFdVRmeB5PWqQUhafbIlNEpOoIaTtdq
 8cMG9px9yKCC7NmI6pOEbQx9tjkJzvuLNOfuzYsehMKorFa0mqdyzBVYzhKFboCp
 lSwA0B3slp1CcKda4WzCq3y7bSEf9+1xOW2kIfaGWfdJQTn4i7Pb0mp19f4++lDQ
 GVtpmCP9fanpi+Xq6J5CnLCIZLZOLFz1PFQvjbD10vUbhW/9aJ7t4+dKdd3KwZxL
 LvAzBohVYJc5VKoZYlRQ
 =2BEl
 -----END PGP SIGNATURE-----

Merge tag 'regulator-v3.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator

Pull regulator fixes from Mark Brown:
 "A bunch of fixes, a few driver specific ones and a framework fix for
  voltage enumeration on fixed voltage regulators which had previously
  worked but had been misplaced during some refactoring causing problems
  for users that needed to know the voltage"

* tag 'regulator-v3.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: arizona-micsupp: Correct wm5110 voltage selection
  regulator: pfuze100: allow misprogrammed ID
  regulator: fixed: fix regulator_list_voltage() for regression
  regulator: gpio-regulator: Don't oops on missing regulator-type property
2013-11-25 12:50:08 -08:00
Holger Bechtold 7ee330c7b3 can: c_can: fix calculation of transmitted bytes on tx complete
The number of bytes transmitted was not updated correctly, if several CAN
messages (with different length) were transmitted in one 'bunch'. Thus
programs like 'ifconfig' showed wrong transmit byte counts. Reason was, that
the message object whose DLC is to be read was not necessarily the active one
at the time when

    priv->read_reg(priv, C_CAN_IFACE(MSGCTRL_REG, 0)) & IF_MCONT_DLC_MASK;

was executed.

Signed-off-by: Holger Bechtold <Holger.Bechtold@gmx.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2013-11-25 21:48:54 +01:00
Marc Kleine-Budde e35d46adc4 can: c_can: don't call pm_runtime_get_sync() from interrupt context
The c_can driver contians a callpath (c_can_poll -> c_can_state_change ->
c_can_get_berr_counter) which may call pm_runtime_get_sync() from the IRQ
handler, which is not allowed and results in "BUG: scheduling while atomic".

This problem is fixed by introducing __c_can_get_berr_counter, which will not
call pm_runtime_get_sync().

Reported-by: Andrew Glen <AGlen@bepmarine.com>
Tested-by: Andrew Glen <AGlen@bepmarine.com>
Signed-off-by: Andrew Glen <AGlen@bepmarine.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2013-11-25 21:48:51 +01:00
John W. Linville d5aedd7e1b Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 2013-11-25 15:47:18 -05:00
Ujjal Roy 517543fd72 mwifiex: fix memory leak issue for ibss join
For IBSS join if the requested SSID matches current SSID,
it returns without freeing the allocated beacon IE buffer.

Cc: <stable@vger.kernel.org> # 3.10+
Signed-off-by: Ujjal Roy <royujjal@gmail.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-11-25 15:46:50 -05:00
Borislav Petkov 0b3f575397 brcmsmac: Fix build dep on LEDS_CLASS
When building randconfigs with CONFIG_BCMA_DRIVER_GPIO=y, I get

drivers/built-in.o: In function `brcms_led_unregister':
(.text+0x351aca): undefined reference to `led_classdev_unregister'
drivers/built-in.o: In function `brcms_led_register':
(.text+0x351c65): undefined reference to `led_classdev_register'

during final linking stage because brcmsmac/led.c needs LEDS_CLASS for
registering/deregistering the led device. Select the required symbols.

Cc: Arend van Spriel <arend@broadcom.com>
Cc: "Rafał Miłecki" <zajec5@gmail.com>
Cc: <linux-wireless@vger.kernel.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-11-25 15:46:50 -05:00
Oliver Hartkopp 2fea6cd303 can: sja1000: fix {pre,post}_irq() handling and IRQ handler return value
This patch fixes the issue that the sja1000_interrupt() function may have
returned IRQ_NONE without processing the optional pre_irq() and post_irq()
function before. Further the irq processing counter 'n' is moved to the end of
the while statement to return correct IRQ_[NONE|HANDLED] values at error
conditions.

Reported-by: Wolfgang Grandegger <wg@grandegger.com>
Acked-by: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2013-11-25 21:16:53 +01:00
Geert Uytterhoeven 5fa9576a1b Staging: btmtk_usb: Add hdev parameter to hdev->send driver callback
drivers/staging/btmtk_usb/btmtk_usb.c: In function ‘btmtk_usb_probe’:
drivers/staging/btmtk_usb/btmtk_usb.c:1610: warning: assignment from incompatible pointer type

Add the new hdev parameter, cfr. commit
7bd8f09f69 ("Bluetooth: Add hdev parameter to
hdev->send driver callback").

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 12:15:58 -08:00
Roberto Sassu dbc335d2dc ima: make a copy of template_fmt in template_desc_init_fields()
This patch makes a copy of the 'template_fmt' function argument so that
the latter will not be modified by strsep(), which does the splitting by
replacing the given separator with '\0'.

 IMA: No TPM chip found, activating TPM-bypass!
 Unable to handle kernel pointer dereference at virtual kernel address 0000000000842000
 Oops: 0004 [#1] SMP
 Modules linked in:
 CPU: 3 PID: 1 Comm: swapper/0 Not tainted 3.12.0-rc2-00098-g3ce1217d6cd5 #17
 task: 000000003ffa0000 ti: 000000003ff84000 task.ti: 000000003ff84000
 Krnl PSW : 0704e00180000000 000000000044bf88 (strsep+0x7c/0xa0)
            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 EA:3
 Krnl GPRS: 000000000000007c 000000000000007c 000000003ff87d90 0000000000821fd8
            0000000000000000 000000000000007c 0000000000aa37e0 0000000000aa9008
            0000000000000051 0000000000a114d8 0000000100000002 0000000000842bde
            0000000000842bdf 00000000006f97f0 000000000040062c 000000003ff87cf0
 Krnl Code: 000000000044bf7c: a7f4000a           brc     15,44bf90
            000000000044bf80: b90200cc           ltgr    %r12,%r12
           #000000000044bf84: a7840006           brc     8,44bf90
           >000000000044bf88: 9200c000           mvi     0(%r12),0
            000000000044bf8c: 41c0c001           la      %r12,1(%r12)
            000000000044bf90: e3c020000024       stg     %r12,0(%r2)
            000000000044bf96: b904002b           lgr     %r2,%r11
            000000000044bf9a: ebbcf0700004       lmg     %r11,%r12,112(%r15)
 Call Trace:
 ([<00000000004005fe>] ima_init_template+0xa2/0x1bc)
  [<0000000000a7c896>] ima_init+0x7a/0xa8
  [<0000000000a7c938>] init_ima+0x24/0x40
  [<00000000001000e8>] do_one_initcall+0x68/0x128
  [<0000000000a4eb56>] kernel_init_freeable+0x20a/0x2b4
  [<00000000006a1ff4>] kernel_init+0x30/0x178
  [<00000000006b69fe>] kernel_thread_starter+0x6/0xc
  [<00000000006b69f8>] kernel_thread_starter+0x0/0xc
 Last Breaking-Event-Address:
  [<000000000044bf42>] strsep+0x36/0xa0

Fixes commit: adf53a7 ima: new templates management mechanism

Changelog v1:
- make template_fmt 'const char *' (reported-by James Morris)
- fix kstrdup memory leak (reported-by James Morris)

Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
2013-11-25 15:05:33 -05:00
Greg Kroah-Hartman e6bbda9da9 Staging: go7007: fix up some remaining go->dev issues
This fixes up the remaining "dev is used before it is set" issues in the
go7007 driver that were originally caused by commit
b6ea5ef80a but not fixed up by reverting
it due to other patches later on adding these "fixes".

Cc: Hans Verkuil <hans.verkuil@cisco.com>
Cc: Mauro Carvalho Chehab <m.chehab@samsung.com>
Cc: Dulshani Gunawardhana <dulshani.gunawardhana89@gmail.com>
Cc: Josh Triplett <josh@joshtriplett.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 09:29:32 -08:00
Josh Boyer 9c74360f9a staging: imx-drm: Fix modular build of DRM_IMX_IPUV3
commit b8d181e408 (staging: drm/imx: add drm plane support) added a file
to the make target for DRM_IMX_IPUV3 but didn't adjust the objs required
to actually build that as a module.  Kbuild got confused and this lead to
link errors like:

ERROR: "ipu_plane_disable" [drivers/staging/imx-drm/ipuv3-crtc.ko] undefined!
ERROR: "ipu_plane_enable" [drivers/staging/imx-drm/ipuv3-crtc.ko] undefined!

Additionally, it added a call to imx_drm_crtc_id which also fails with a
link error as above.  To fix this, we adjust the make target with the proper
objs, which will change the name of the resulting .ko.  We also add an
EXPORT_SYMBOL_GPL for imx_drm_crtc_id.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Fixes: b8d181e408 '(staging: drm/imx: add drm plane support)'
Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 09:25:18 -08:00
Michal Nazarewicz 8aced95022 staging: ft1000: fix use of potentially uninitialized variable
If boot_case is false, status in never assigned a value.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 09:25:18 -08:00
Greg Kroah-Hartman 66a528c1c3 Revert "staging:media: Use dev_dbg() instead of pr_debug()"
This reverts commit b6ea5ef80a.

Turns out to have lots of run-time issues in that the structure is not
initialized before it is used in the debugging messages.

Reported-by: Mauro Carvalho Chehab <m.chehab@samsung.com>
Cc: Dulshani Gunawardhana <dulshani.gunawardhana89@gmail.com>
Cc: Josh Triplett <josh@joshtriplett.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 09:21:55 -08:00
Peter Hurley aebf045382 n_tty: Protect minimum_to_wake reset for concurrent readers
With multiple, concurrent readers (each waiting to acquire the
atomic_read_lock mutex), a departing reader may mistakenly reset
minimum_to_wake after a new reader has already set a new value.

Protect the minimum_to_wake reset with the atomic_read_lock critical
section.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 09:17:49 -08:00
Rashika Kheria 1b672224d1 Staging: zram: Fix memory leak by refcount mismatch
As suggested by Minchan Kim and Jerome Marchand "The code in reset_store
get the block device (bdget_disk()) but it does not put it (bdput()) when
it's done using it. The usage count is therefore incremented but never
decremented."

This patch also puts bdput() for all error cases.

Acked-by: Minchan Kim <minchan@kernel.org>
Acked-by: Jerome Marchand <jmarchan@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Rashika Kheria <rashika.kheria@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 09:14:29 -08:00
Malcolm Priestley 9df682927c staging: vt6656: [BUG] Fix for TX USB resets from vendors driver.
This fixes resets on heavy TX data traffic.

Vendor driver
VT6656_Linux_src_v1.21.03_x86_11.04.zip
http://www.viaembedded.com/servlet/downloadSvl?id=1890&download_file_id=14704
This is GPL-licensed code.

original code
BBbVT3184Init
...
//2007-0725, RobertChang add, Enable Squelch detect reset option(SQ_RST_Opt), USB (register4, bit1)
CONTROLnsRequestIn(pDevice,
                                 MESSAGE_TYPE_READ,
                                 (WORD)0x600+4,     // USB's Reg4's bit1
                                 MESSAGE_REQUEST_MEM,
                                 1,
                                 (PBYTE) &byData);
byData = byData|2 ;
CONTROLnsRequestOut(pDevice,
                              MESSAGE_TYPE_WRITE,
                              (WORD)0x600+4,     // USB's Reg4's bit1
                              MESSAGE_REQUEST_MEM,
                              1,
                              (PBYTE) &byData);

return TRUE;//ntStatus;
....

A back port patch is needed for kernels less than 3.10.

Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Cc: stable@vger.kernel.org # v3.10+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 09:14:29 -08:00
Dan Carpenter 6330f9cf34 staging: nvec: potential NULL dereference on error path
We assume nvec->rx can be NULL earlier so I have added a check here as
well.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 09:14:29 -08:00
Dan Carpenter cb4855b49d Staging: vt6655-6: potential NULL dereference in hostap_disable_hostapd()
We fixed this to use free_netdev() instead of kfree() but unfortunately
free_netdev() doesn't accept NULL pointers.  Smatch complains about
this, it's not something I discovered through testing.

Fixes: 3030d40b50 ('staging: vt6655: use free_netdev instead of kfree')
Fixes: 0a438d5b38 ('staging: vt6656: use free_netdev instead of kfree')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 09:14:29 -08:00
Ian Abbott 3de00ee4ce staging: comedi: s626: fix value written by s626_set_dac()
I broke `s626_set_dac()` by changing the type of the `dacdata` parameter
from `short` to `unsigned short`.  It's actually designed to take a
signed value in the range -0x1fff to +0x2000 although values above
0x1fff get clamped to 0x1fff.  (We could change the `maxdata` value to
0x1ffe to avoid the clamping, but `maxdata` values are usually a power
of 2 minus 1.)  The bug results in all negative values passed to the
function being changed to +0x1fff by the clamp.  Change the parameter
type to `int16_t` to fix the problem.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 09:09:07 -08:00
Dan Carpenter 9382c06e2d Staging: comedi: pcl730: fix some bitwise vs logical AND bugs
These conditions are never true because they use bitwise AND instead of
logical ands.

Fixes: b3ff824a81 ('staging: comedi: drivers: use comedi_dio_update_state() for complex cases')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 09:09:07 -08:00
Michal Nazarewicz c16975a06c staging: comedi: fix potentially uninitialised variable
If none of the if conditions take a true path, the ret variable will
never be assigned a value.

Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 09:09:07 -08:00
Peter Hurley d4855e1fc0 tty: Reset hupped state on open
A common security idiom is to hangup the current tty (via vhangup())
after forking but before execing a root shell. This hangs up any
existing opens which other processes may have and ensures subsequent
opens have the necessary permissions to open the root shell tty/pty.

Reset the TTY_HUPPED state after the driver has successfully
returned the opened tty (perform the reset while the tty is locked
to avoid racing with concurrent hangups).

Reported-by: Heorhi Valakhanovich <valahanovich@tut.by>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Cc: stable <stable@vger.kernel.org> # 3.12
Tested-by: Heorhi Valakhanovich <valahanovich@tut.by>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 08:56:49 -08:00
Geert Uytterhoeven 3dcf344bef TTY: amiserial, add missing platform check
When booting a multi-platform m68k kernel on a non-Amiga with
"console=ttyS0" on the kernel command line, it crashes with:

Unable to handle kernel access at virtual address 81dff01c
Oops: 00000000
PC: [<001e09a8>] serial_console_write+0xc/0x70

Add the missing platform check to amiserial_console_init() to fix this.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 08:54:25 -08:00
Geert Uytterhoeven dc1dc2f8a5 TTY: pmac_zilog, check existence of ports in pmz_console_init()
When booting a multi-platform m68k kernel on a non-Mac with "console=ttyS0"
on the kernel command line, it crashes with:

Unable to handle kernel NULL pointer dereference at virtual address   (null)
Oops: 00000000
PC: [<0013ad28>] __pmz_startup+0x32/0x2a0
...
Call Trace: [<002c5d3e>] pmz_console_setup+0x64/0xe4

The normal tty driver doesn't crash, because init_pmz() checks
pmz_ports_count again after calling pmz_probe().

In the serial console initialization path, pmz_console_init() doesn't do
this, causing the driver to crash later.

Add a check for pmz_ports_count to fix this.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Finn Thain <fthain@telegraphics.com.au>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 08:54:25 -08:00
Chao Bi c284ee2cf1 n_gsm: race between ld close and gsmtty open
ttyA has ld associated to n_gsm, when ttyA is closing, it triggers
to release gsmttyB's ld data dlci[B], then race would happen if gsmttyB
is opening in parallel.

Here are race cases we found recently in test:

CASE #1
====================================================================
releasing dlci[B] race with gsmtty_install(gsmttyB), then panic
in gsmtty_open(gsmttyB), as below:

 tty_release(ttyA)                  tty_open(gsmttyB)
     |                                   |
   -----                           gsmtty_install(gsmttyB)
     |                                   |
   -----                    gsm_dlci_alloc(gsmttyB) => alloc dlci[B]
 tty_ldisc_release(ttyA)               -----
     |                                   |
 gsm_dlci_release(dlci[B])             -----
     |                                   |
 gsm_dlci_free(dlci[B])                -----
     |                                   |
   -----                           gsmtty_open(gsmttyB)

 gsmtty_open()
 {
     struct gsm_dlci *dlci = tty->driver_data; => here it uses dlci[B]
     ...
 }

 In gsmtty_open(gsmttyA), it uses dlci[B] which was release, so hit a panic.
=====================================================================

CASE #2
=====================================================================
releasing dlci[0] race with gsmtty_install(gsmttyB), then panic
in gsmtty_open(), as below:

 tty_release(ttyA)                  tty_open(gsmttyB)
     |                                   |
   -----                           gsmtty_install(gsmttyB)
     |                                   |
   -----                    gsm_dlci_alloc(gsmttyB) => alloc dlci[B]
     |                                   |
   -----                         gsmtty_open(gsmttyB) fail
     |                                   |
   -----                           tty_release(gsmttyB)
     |                                   |
   -----                           gsmtty_close(gsmttyB)
     |                                   |
   -----                        gsmtty_detach_dlci(dlci[B])
     |                                   |
   -----                             dlci_put(dlci[B])
     |                                   |
 tty_ldisc_release(ttyA)               -----
     |                                   |
 gsm_dlci_release(dlci[0])             -----
     |                                   |
 gsm_dlci_free(dlci[0])                -----
     |                                   |
   -----                             dlci_put(dlci[0])

 In gsmtty_detach_dlci(dlci[B]), it tries to use dlci[0] which was released,
 then hit panic.
=====================================================================

IMHO, n_gsm tty operations would refer released ldisc,  as long as
gsm_dlci_release() has chance to release ldisc data when some gsmtty operations
are not completed..

This patch is try to avoid it by:

1) in n_gsm driver, use a global gsm spin lock to avoid gsm_dlci_release() run in
parallel with gsmtty_install();

2) Increase dlci's ref count in gsmtty_install() instead of in gsmtty_open(), the
purpose is to prevent gsm_dlci_release() releasing dlci after gsmtty_install()
allocats dlci but before gsmtty_open increases dlci's ref count;

3) Decrease dlci's ref count in gsmtty_remove(), which is a tty framework api, and
this is the opposite process of step 2).

Signed-off-by: Chao Bi <chao.bi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 08:52:53 -08:00
Randy Dunlap f3014127ad tty/serial/8250: fix typo in help text
Commit 9326b047e4 includes a typo
of "8350_core" instead of "8250_core", so correct it.

Fixes kernel bugzilla #60724:
  https://bugzilla.kernel.org/show_bug.cgi?id=60724

Reported-by: Christoph Biedl <bugzilla.kernel.bpeb@manchmal.in-ulm.de>
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 08:52:53 -08:00
Catalin Marinas b3bf6aa7e7 arm64: Unmask asynchronous aborts when in kernel mode
The asynchronous aborts are generally fatal for the kernel but they can
be masked via the pstate A bit. If a system error happens while in
kernel mode, it won't be visible until returning to user space. This
patch enables this kind of abort early to help identifying the cause.

Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2013-11-25 16:44:05 +00:00
Catalin Marinas df503ba7f6 arm64: dts: Reserve the memory used for secondary CPU release address
With the spin-table SMP booting method, secondary CPUs poll a location
passed in the DT. The foundation-v8.dts file doesn't have this memory
reserved and there is a risk of Linux using it before secondary CPUs are
started.

Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2013-11-25 16:44:04 +00:00
Marc Zyngier 6468178767 arm64: let the core code deal with preempt_count
Commit f27dde8dee (sched: Add NEED_RESCHED to the preempt_count)
introduced the use of bit 31 in preempt_count for obscure scheduling
purposes.

This causes interrupts taken from EL0 to hit the (open coded) BUG when
this flag is flipped while handling the interrupt (we compare the
values before and after, and kill the kernel if they are different).

The fix is to stop messing with the preempt count entirely, as this
is already being dealt with in the generic code (irq_enter/irq_exit).

Tested on a dual A53 FPGA running cyclictest.

Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2013-11-25 16:44:04 +00:00
Peter Hurley c77569d2f3 n_tty: Fix 4096-byte canonical reads
Although the maximum allowable canonical line is specified to
be 255 bytes (MAX_CANON), the practical limit has actually been
the size of the line discipline read buffer (N_TTY_BUF_SIZE == 4096).

Commit 32f13521ca,
n_tty: Line copy to user buffer in canonical mode, limited the
line copy to 4095 bytes. With a completely full line discipline
read buffer and a userspace buffer > 4095, _no_ data was copied,
and the read() syscall returned 0, indicating EOF.

Fix the interval arithmetic to compute the correct number of bytes
to copy to userspace in the range [1..4096].

Cc: <stable@vger.kernel.org> # 3.12.x
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 08:36:56 -08:00
Peter Hurley 6f2225363c n_tty: Fix echo overrun tail computation
Commit cbfd0340ae,
'n_tty: Process echoes in blocks', introduced an error when
consuming the echo buffer tail to prevent buffer overrun, where
the incorrect operation code byte is checked to determine how
far to advance the tail to the next echo byte.

Check the correct byte for the echo operation code byte.

Cc: <stable@vger.kernel.org> # 3.12.x : c476f65 tty: incorrect test of echo_buf() result for ECHO_OP_START
Cc: <stable@vger.kernel.org> # 3.12.x
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 08:35:00 -08:00
Peter Hurley 42458f41d0 n_tty: Ensure reader restarts worker for next reader
A departing reader must restart a flush_to_ldisc() worker _before_
the next reader enters the read loop; this is to avoid the new reader
concluding no more i/o is available and prematurely exiting, when the
old reader simply hasn't re-started the worker yet.

Cc: stable <stable@vger.kernel.org> # 3.12
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-25 08:35:00 -08:00
Karl Beldan 24d47300d1 mac80211: set hw initial idle state
ATM, the first call of ieee80211_do_open will configure the hw as
non-idle, even if the interface being brought up is not a monitor, and
this leads to inconsistent sequences like:

register_hw()
	do_open(sta)
		hw_config(non-idle)
(.. sta is non-idle ..)
scan(sta)
	hw_config(idle) (after scan finishes)
do_stop(sta)
do_open(sta)
(.. sta is idle ..)

Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-11-25 16:56:54 +01:00
Karl Beldan 5664da4429 mac80211: use capped prob when computing throughputs
Commit 3e8b1eb "mac80211/minstrel_ht: improve rate selection stability"
introduced a local capped prob in minstrel_ht_calc_tp but omitted to use
it to compute the per rate throughput.

Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
Cc: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-11-25 16:56:17 +01:00
Felix Fietkau 1b09cd82d8 cfg80211: ignore supported rates for nonexistant bands on scan
Fixes wpa_supplicant p2p_find on 5GHz-only devices

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-11-25 16:54:26 +01:00
Steve French f19e84df37 [CIFS] Do not use btrfs refcopy ioctl for SMB2 copy offload
Change cifs.ko to using CIFS_IOCTL_COPYCHUNK instead
of BTRFS_IOC_CLONE to avoid confusion about whether
copy-on-write is required or optional for this operation.

SMB2/SMB3 copyoffload had used the BTRFS_IOC_CLONE ioctl since
they both speed up copy by offloading the copy rather than
passing many read and write requests back and forth and both have
identical syntax (passing file handles), but for SMB2/SMB3
CopyChunk the server is not required to use copy-on-write
to make a copy of the file (although some do), and Christoph
has commented that since CopyChunk does not require
copy-on-write we should not reuse BTRFS_IOC_CLONE.

This patch renames the ioctl to use a cifs specific IOCTL
CIFS_IOCTL_COPYCHUNK.  This ioctl is particularly important
for SMB2/SMB3 since large file copy over the network otherwise
can be very slow, and with this is often more than 100 times
faster putting less load on server and client.

Note that if a copy syscall is ever introduced, depending on
its requirements/format it could end up using one of the other
three methods that CIFS/SMB2/SMB3 can do for copy offload,
but this method is particularly useful for file copy
and broadly supported (not just by Samba server).

Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-11-25 09:50:31 -06:00
Eliad Peller 12b5f34d2d mac80211: fix connection polling
Commit 392b9ff ("mac80211: change beacon/connection polling")
removed the IEEE80211_STA_BEACON_POLL flag.

However, it accidentally removed the setting of
IEEE80211_STA_CONNECTION_POLL, making the connection polling
completely useless (the flag is always clear, so the result
is never being checked). Fix it.

Signed-off-by: Eliad Peller <eliad@wizery.com>
Acked-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-11-25 16:50:14 +01:00