Each page mapped in a process's address space must be correctly
accounted for in _mapcount. Normally the rules for this are
straightforward but hugetlbfs page table sharing is different. The page
table pages at the PMD level are reference counted while the mapcount
remains the same.
If this accounting is wrong, it causes bugs like this one reported by
Larry Woodman:
kernel BUG at mm/filemap.c:135!
invalid opcode: 0000 [#1] SMP
CPU 22
Modules linked in: bridge stp llc sunrpc binfmt_misc dcdbas microcode pcspkr acpi_pad acpi]
Pid: 18001, comm: mpitest Tainted: G W 3.3.0+ #4 Dell Inc. PowerEdge R620/07NDJ2
RIP: 0010:[<ffffffff8112cfed>] [<ffffffff8112cfed>] __delete_from_page_cache+0x15d/0x170
Process mpitest (pid: 18001, threadinfo ffff880428972000, task ffff880428b5cc20)
Call Trace:
delete_from_page_cache+0x40/0x80
truncate_hugepages+0x115/0x1f0
hugetlbfs_evict_inode+0x18/0x30
evict+0x9f/0x1b0
iput_final+0xe3/0x1e0
iput+0x3e/0x50
d_kill+0xf8/0x110
dput+0xe2/0x1b0
__fput+0x162/0x240
During fork(), copy_hugetlb_page_range() detects if huge_pte_alloc()
shared page tables with the check dst_pte == src_pte. The logic is if
the PMD page is the same, they must be shared. This assumes that the
sharing is between the parent and child. However, if the sharing is
with a different process entirely then this check fails as in this
diagram:
parent
|
------------>pmd
src_pte----------> data page
^
other--------->pmd--------------------|
^
child-----------|
dst_pte
For this situation to occur, it must be possible for Parent and Other to
have faulted and failed to share page tables with each other. This is
possible due to the following style of race.
PROC A PROC B
copy_hugetlb_page_range copy_hugetlb_page_range
src_pte == huge_pte_offset src_pte == huge_pte_offset
!src_pte so no sharing !src_pte so no sharing
(time passes)
hugetlb_fault hugetlb_fault
huge_pte_alloc huge_pte_alloc
huge_pmd_share huge_pmd_share
LOCK(i_mmap_mutex)
find nothing, no sharing
UNLOCK(i_mmap_mutex)
LOCK(i_mmap_mutex)
find nothing, no sharing
UNLOCK(i_mmap_mutex)
pmd_alloc pmd_alloc
LOCK(instantiation_mutex)
fault
UNLOCK(instantiation_mutex)
LOCK(instantiation_mutex)
fault
UNLOCK(instantiation_mutex)
These two processes are not poing to the same data page but are not
sharing page tables because the opportunity was missed. When either
process later forks, the src_pte == dst pte is potentially insufficient.
As the check falls through, the wrong PTE information is copied in
(harmless but wrong) and the mapcount is bumped for a page mapped by a
shared page table leading to the BUG_ON.
This patch addresses the issue by moving pmd_alloc into huge_pmd_share
which guarantees that the shared pud is populated in the same critical
section as pmd. This also means that huge_pte_offset test in
huge_pmd_share is serialized correctly now which in turn means that the
success of the sharing will be higher as the racing tasks see the pud
and pmd populated together.
Race identified and changelog written mostly by Mel Gorman.
{akpm@linux-foundation.org: attempt to make the huge_pmd_share() comment comprehensible, clean up coding style]
Reported-by: Larry Woodman <lwoodman@redhat.com>
Tested-by: Larry Woodman <lwoodman@redhat.com>
Reviewed-by: Mel Gorman <mgorman@suse.de>
Signed-off-by: Michal Hocko <mhocko@suse.cz>
Reviewed-by: Rik van Riel <riel@redhat.com>
Cc: David Gibson <david@gibson.dropbear.id.au>
Cc: Ken Chen <kenchen@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Hillf Danton <dhillf@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Delete code which sets SCSI status incorrectly as it's already been set
correctly above this incorrect code. The bug was introduced in 2009 by
commit b0e15f6db1 ("cciss: fix typo that causes scsi status to be
lost.")
Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
Reported-by: Roel van Meer <roel.vanmeer@bokxing.nl>
Tested-by: Roel van Meer <roel.vanmeer@bokxing.nl>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Occasionally an isolated BUG_ON(mm->nr_ptes) gets reported, indicating
that not all the page tables allocated could be found and freed when
exit_mmap() tore down the user address space.
There's usually nothing we can say about it, beyond that it's probably a
sign of some bad memory or memory corruption; though it might still
indicate a bug in vma or page table management (and did recently reveal a
race in THP, fixed a few months ago).
But one overdue change we can make is from BUG_ON to WARN_ON.
It's fairly likely that the system will crash shortly afterwards in some
other way (for example, the BUG_ON(page_mapped(page)) in
__delete_from_page_cache(), once an inode mapped into the lost page tables
gets evicted); but might tell us more before that.
Change the BUG_ON(page_mapped) to WARN_ON too? Later perhaps: I'm less
eager, since that one has several times led to fixes.
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes the following sparse warning:
drivers/gpu/drm/drm_proc.c:92:5:
warning: symbol 'drm_proc_create_files' was not declared. Should it be static?
drivers/gpu/drm/drm_proc.c:175:5:
warning: symbol 'drm_proc_remove_files' was not declared. Should it be static?
Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
This turns off the crtc when its been disabled,
fixes it not turning off properly the whole time.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
If you do a page flip with no flags set then event is NULL. If event is
NULL then the vmw_gfx driver likes to go digging into NULL and extracts
NULL->base.file_priv.
On a modern kernel with NULL mapping protection it's just another oops,
without it there are some "intriguing" possibilities.
What it should do is an open question but that for the driver owners to
sort out.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Reviewed-by: Jakob Bornecrantz <jakob@vmware.com>
Cc: stable@vger.kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Daniel writes:
" Nothing too major:
- A few fixes around the edid handling from Jani, also fixing a regression
in 3.5 due to us using gmbus by default.
- Fixup hsw uncached pte flags.
- Fix suspend/resume crash when using hw contexts, from Ben.
- Try to tune gpu turbo a bit better, seems to help with some oddball
power regressions."
* 'drm-intel-fixes' of git://people.freedesktop.org/~danvet/drm-intel:
drm/i915: use hsw rps tuning values everywhere on gen6+
drm/i915: fall back to bit-banging if GMBUS fails in CRT EDID reads
drm/i915: extract connector update from intel_ddc_get_modes() for reuse
drm/i915: fix hsw uncached pte
drm/i915/contexts: fix list corruption
drm/i915: fix EDID memory leak in SDVO
Alex writes:
"This is the current set of radeon fixes for 3.6. Nothing too major.
Highlights:
- fix vbios fetch on pure uefi systems
- fix vbios fetch on thunderbolt systems
- MSAA fixes
- lockup timeout fix
- modesetting fix"
* 'drm-fixes-3.6' of git://people.freedesktop.org/~agd5f/linux:
drm/radeon/ss: use num_crtc rather than hardcoded 6
Revert "drm/radeon: fix bo creation retry path"
drm/radeon: split ATRM support out from the ATPX handler (v3)
drm/radeon: convert radeon vfct code to use acpi_get_table_with_size
ACPI: export symbol acpi_get_table_with_size
drm/radeon: implement ACPI VFCT vbios fetch (v3)
drm/radeon/kms: extend the Fujitsu D3003-S2 board connector quirk to cover later silicon stepping
drm/radeon: fix checking of MSAA renderbuffers on r600-r700
drm/radeon: allow CMASK and FMASK in the CS checker on r600-r700
drm/radeon: init lockup timeout on ring init
drm/radeon: avoid turning off spread spectrum for used pll
If "l->stripe_unit" is zero the the mod on the next line will cause a
divide by zero bug. This comes from the copy_from_user() in
ceph_ioctl_set_layout_policy(). Passing 0 is valid, though (it means
"do not change") so avoid the % check in that case.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Sage Weil <sage@inktank.com>
Reviewed-by: Alex Elder <elder@inktank.com>
Because the Ceph client messenger uses a non-blocking connect, it is
possible for the sending of the client banner to race with the
arrival of the banner sent by the peer.
When ceph_sock_state_change() notices the connect has completed, it
schedules work to process the socket via con_work(). During this
time the peer is writing its banner, and arrival of the peer banner
races with con_work().
If con_work() calls try_read() before the peer banner arrives, there
is nothing for it to do, after which con_work() calls try_write() to
send the client's banner. In this case Ceph's protocol negotiation
can complete succesfully.
The server-side messenger immediately sends its banner and addresses
after accepting a connect request, *before* actually attempting to
read or verify the banner from the client. As a result, it is
possible for the banner from the server to arrive before con_work()
calls try_read(). If that happens, try_read() will read the banner
and prepare protocol negotiation info via prepare_write_connect().
prepare_write_connect() calls con_out_kvec_reset(), which discards
the as-yet-unsent client banner. Next, con_work() calls
try_write(), which sends the protocol negotiation info rather than
the banner that the peer is expecting.
The result is that the peer sees an invalid banner, and the client
reports "negotiation failed".
Fix this by moving con_out_kvec_reset() out of
prepare_write_connect() to its callers at all locations except the
one where the banner might still need to be sent.
[elder@inktak.com: added note about server-side behavior]
Signed-off-by: Jim Schutt <jaschut@sandia.gov>
Reviewed-by: Alex Elder <elder@inktank.com>
If the MDS gives us a dentry and we weren't prepared to handle it,
WARN_ON_ONCE instead of crashing.
Reported-by: Yan, Zheng <zheng.z.yan@intel.com>
Signed-off-by: Sage Weil <sage@inktank.com>
Reviewed-by: Alex Elder <elder@inktank.com>
Pablo Neira Ayuso discovered that avahi and
potentially NetworkManager accept spoofed Netlink messages because of a
kernel bug. The kernel passes all-zero SCM_CREDENTIALS ancillary data
to the receiver if the sender did not provide such data, instead of not
including any such data at all or including the correct data from the
peer (as it is the case with AF_UNIX).
This bug was introduced in commit 16e5726269
(af_unix: dont send SCM_CREDENTIALS by default)
This patch forces passing credentials for netlink, as
before the regression.
Another fix would be to not add SCM_CREDENTIALS in
netlink messages if not provided by the sender, but it
might break some programs.
With help from Florian Weimer & Petr Matousek
This issue is designated as CVE-2012-3520
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Petr Matousek <pmatouse@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Christian Casteyde reported a kmemcheck 32-bit read from uninitialized
memory in __ip_select_ident().
It turns out that __ip_make_skb() called ip_select_ident() before
properly initializing iph->daddr.
This is a bug uncovered by commit 1d861aa4b3 (inet: Minimize use of
cached route inetpeer.)
Addresses https://bugzilla.kernel.org/show_bug.cgi?id=46131
Reported-by: Christian Casteyde <casteyde.christian@free.fr>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Since 0e73441992 ("ipv4: Use inet_csk_route_child_sock() in DCCP and
TCP."), inet_csk_route_child_sock() is called instead of
inet_csk_route_req().
However, after creating the child-sock in tcp/dccp_v4_syn_recv_sock(),
ireq->opt is set to NULL, before calling inet_csk_route_child_sock().
Thus, inside inet_csk_route_child_sock() opt is always NULL and the
SRR-options are not respected anymore.
Packets sent by the server won't have the correct destination-IP.
This patch fixes it by accessing newinet->inet_opt instead of ireq->opt
inside inet_csk_route_child_sock().
Reported-by: Luca Boccassi <luca.boccassi@gmail.com>
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
This was originally for helping fabrics to determine overflow/underflow
status, and has been superceeded by SCF_OVERFLOW_BIT + SCF_UNDERFLOW_BIT.
Signed-off-by: Roland Dreier <roland@purestorage.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Pull audit-tree fixes from Miklos Szeredi:
"The audit subsystem maintainers (Al and Eric) are not responding to
repeated resends. Eric did ack them a while ago, but no response
since then. So I'm sending these directly to you."
* 'audit-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
audit: clean up refcounting in audit-tree
audit: fix refcounting in audit-tree
audit: don't free_chunk() after fsnotify_add_mark()
Pull m68knommu arch fixes from Greg Ungerer:
"This contains 2 fixes. One fixes compilation of ColdFire clk code,
the other makes sure we use the generic atomic64 support on all m68k
targets."
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
m68k: select CONFIG_GENERIC_ATOMIC64 for all m68k CPU types
m68knommu: select CONFIG_HAVE_CLK for ColdFire CPU types
- Fixed Nomadik errorpath
- Fixed documentation spelling errors
- Forward-declare struct device in a header file
- Remove some extraneous code lines when getting pinctrl states
- Correct the i.MX51 configure register number
- Fix the Nomadik keypad function group list
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAABAgAGBQJQMmrMAAoJEEEQszewGV1zFpEP/0tTUOT60A12qbMMgW7smwRM
jt/AqLxULX9iLawJtBZ3IY5iIoo8ZYpHDAUEIISKZEUnpCKGx3VDKHrHjsPxxfFf
oBZ8PAQIVJYN0jiUkCeGAeKGzqzNGALt8NvBghlJJC6/CDk89Fe8fAjeRUXRCPjo
hVY9hZ73TcqFAtZ80ETk5vDMMa3/OQukdbuVVBQTi+Y0mJ15zeFqNogPQRgX6oC7
VJiIpPSUbcmgE+wWRUxIdf2y4isHZum62EWLjFPsgrK3ms1c2ap6RCr9P7ORXWc7
lBq9uGDWa0ptXlI8drXVit8Pd4b98keEczyuNJFe7sSLYO4/BB8dUvp1jXdyjUWz
kY6aIIvWrG0607rafPyg/5EbPQcX3NLmp3wevL0XEV/mwalu7ZcXaqnUWUVunRMM
l8Y95T2uyoM+J4yPw8mUyPrRbN/THDqk9s53P+hQZEZjlkvGeaT2kRqbANkq/uKz
XNaH2Zzdt1duvM0HO+S4gl+gz/iCpebjeb6gLf1bzd/NRqKlopmWw6L2cGbyTInq
TohQQhYhvm+dib3a3teF4DEeJBRPmheNzdIoAnHQ1tbe6LNQzVSZzE3qEKGk7sSG
Rk5SASW575LNBV+I/g8P4uuV4qMdr6jJikTLYGU4FsTBRNNhFvZtRTUWVTS6gdxt
9KrpXkhZdV1dVElupOX/
=E7f4
-----END PGP SIGNATURE-----
Merge tag 'pinctrl-fixes-v3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
Pull pin control fixes from Linus Walleij:
- Fixed Nomadik errorpath
- Fixed documentation spelling errors
- Forward-declare struct device in a header file
- Remove some extraneous code lines when getting pinctrl states
- Correct the i.MX51 configure register number
- Fix the Nomadik keypad function group list
* tag 'pinctrl-fixes-v3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
pinctrl/nomadik: add kp_b_2 keyboard function group list
pinctrl: imx51: fix .conf_reg of MX51_PAD_SD2_CMD__CSPI_MOSI
trivial: pinctrl core: remove extraneous code lines
pinctrl: header: trivial: declare struct device
Documentation/pinctrl.txt: Fix some misspelled macros
pinctrl/nomadik: fix null in irqdomain errorpath
This update became slightly bigger than usual for rc3, but most of the
commits are small and trivial. A large chunk is found for HD-audio
ca0132 codec, which is mostly a clean up of the specific code, to make
SPDIF working properly, and also in the new ASoC Arizona driver.
One important fix is for usb-audio Oops fix since 3.5. We still see
some EHCI related bandwidth problem, but usb-audio should be more
stabilized now.
Other than that, a Kconfig fix is spread over files, and various
HD-audio and ASoC fixes as usual, in addition to Julia's error path
fixes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQIcBAABAgAGBQJQM0KtAAoJEGwxgFQ9KSmkgvkP/ifTaAQAJcuR15G8wHf4awPn
cy/S7M5I02MRFe2c4IltJiK/y21jSsYLNvq3ISlcVxWrBod4r9ee2/23y/1veI2Z
MhNXjN5vU/gNN/Ll5GTg/8dKaVTOSp3GqKJrEUDWhld42IZFS2OZwF6Qdx/jqoSS
eCDEBQnkGj5mxLGC53ZwWURLCBrj8gIaaLXcm3121+/MAM3y8o7HaU45pJCPMVRR
QdvVCW7FoPQ+S/j4eozElcGuACJTNvJnUhfSk0oAUoiZHfb8UThpexdF4K8l1qNB
9PP3Pc1X2Fu7Ta1HDFenY3eOqNEOUY1Kj3isxEj0QOZugRpHYsp0k4GakAyDd8Ik
2xUQumwzuxLEkkoHOVLM3lwppnD15KKm67OXeykNiI1xqlXNiuyhCL/pZIkxluuQ
dPyG3EP+8yyFIuB709oaGlrMcscPZcxUw2RMeWBGTEUY0ECnrz8pCQRseazcmBP6
LcyVlT3IWsmsogFU1OLGhl7kpmV3KisAJcUPPNNaq7wYEFtRxfUo0w3oXrn8jGe3
sPiUhDm6WULJDsQYa9kss1GzXJVsdkCzoPw9vMTb9x9cXFO5XYigY0Qf6ujtjdQy
WAvOYnuTfa2DAS+YCCFG0rO1H8Fv7SamDKyP4jJpnV7WHbDNOveWjtAC6VMcb9EY
v+ko6dxRohfjUbvgdLiS
=d2Si
-----END PGP SIGNATURE-----
Merge tag 'sound-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"This update became slightly bigger than usual for rc3, but most of the
commits are small and trivial. A large chunk is found for HD-audio
ca0132 codec, which is mostly a clean up of the specific code, to make
SPDIF working properly, and also in the new ASoC Arizona driver.
One important fix is for usb-audio Oops fix since 3.5. We still see
some EHCI related bandwidth problem, but usb-audio should be more
stabilized now.
Other than that, a Kconfig fix is spread over files, and various
HD-audio and ASoC fixes as usual, in addition to Julia's error path
fixes."
* tag 'sound-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (42 commits)
ALSA: snd-als100: fix suspend/resume
ALSA: hda - Fix leftover codec->power_transition
ALSA: hda - don't create dysfunctional mixer controls for ca0132
ALSA: sound/ppc/snd_ps3.c: fix error return code
ALSA: sound/pci/rme9652/hdspm.c: fix error return code
ALSA: sound/pci/sis7019.c: fix error return code
ALSA: sound/pci/ctxfi/ctatc.c: fix error return code
ALSA: sound/atmel/ac97c.c: fix error return code
ALSA: sound/atmel/abdac.c: fix error return code
ALSA: fix pcm.h kernel-doc warning and notation
sound: oss/sb_audio: prevent divide by zero bug
ASoC: wm9712: Fix inverted capture volume
ASoC: wm9712: Fix microphone source selection
ASoC: wm5102: Remove DRC2
ALSA: hda - Don't send invalid volume knob command on IDT 92hd75bxx
ALSA: usb-audio: Fix scheduling-while-atomic bug in PCM capture stream
ALSA: lx6464es: Add a missing error check
ALSA: hda - Fix 'Beep Playback Switch' with no underlying mute switch
ASoC: jack: Always notify full jack status
ASoC: wm5110: Add missing input PGA routes
...
It seems commit 4a9d4b024a ("switch fput to task_work_add") re-
introduced the problem addressed in 944be0b224 ("close_files(): add
scheduling point")
If a server process with a lot of files (say 2 million tcp sockets) is
killed, we can spend a lot of time in task_work_run() and trigger a soft
lockup.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
So we've had a fair few reports of fbcon handover breakage between
efi/vesafb and i915 surface recently, so I dedicated a couple of
days to finding the problem.
Essentially the last thing we saw was the conflicting framebuffer
message and that was all.
So after much tracing with direct netconsole writes (printks
under console_lock not so useful), I think I found the race.
Thread A (driver load) Thread B (timer thread)
unbind_con_driver -> |
bind_con_driver -> |
vc->vc_sw->con_deinit -> |
fbcon_deinit -> |
console_lock() |
| |
| fbcon_flashcursor timer fires
| console_lock() <- blocked for A
|
|
fbcon_del_cursor_timer ->
del_timer_sync
(BOOM)
Of course because all of this is under the console lock,
we never see anything, also since we also just unbound the active
console guess what we never see anything.
Hopefully this fixes the problem for anyone seeing vesafb->kms
driver handoff.
Signed-off-by: David Airlie <airlied@redhat.com>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: stable@vger.kernel.org
Tested-by: Josh Boyer <jwboyer@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This reverts commit d1c7871ddb.
ttm_bo_init() destroys the BO on failure. So this patch makes
the retry path work with freed memory. This ends up causing
kernel panics when this path is hit.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
snd_card_als100_probe() does not set pcm field in struct snd_sb.
As a result, PCM is not suspended and applications don't know that they need
to resume the playback.
Tested with Labway A381-F20 card (ALS120).
Signed-off-by: Ondrej Zary <linux@rainbow-software.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Pull PCI fixes from Bjorn Helgaas:
"Here are two patches from Rafael Wysocki.
One fixes an EHCI-related hibernation crash on ASUS boxes. We fixed a
similar suspend issue in v3.6-rc1, and this applies the same fix to
the hibernate path.
The other fixes D3/D3cold/D4 messages related to the D3cold support we
merged in v3.6-rc1."
(Removed redundant top non-fast-forward merge commit from pulled branch)
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
PCI: EHCI: Fix crash during hibernation on ASUS computers
PCI / PM: Fix D3/D3cold/D4 messages printed by acpi_pci_set_power_state()
Use rcu_dereference_protected in order to prevent lockdep
complaint. Sequel of the patch 863555be
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Denis Efremov <yefremov.denis@gmail.com>
Acked-by: Mark D. Rustad <mark.d.rustad@intel.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Here TRANSPORT_IQN_LEN is 224, which is a multiple of 4.
Since vhost_tpgt is 2 bytes and abi_version is 4, the total size would
be 230. But gcc needs struct size be aligned to first field size, which
is 4 bytes, so it pads the structure by extra 2 bytes to the total of
232.
This padding is very undesirable in an ABI:
- it can not be initialized easily
- it can not be checked easily
- it can leak information between kernel and userspace
Simplest solution is probably just to make the padding
explicit.
(v2: Add check for zero'ed backend->reserved field for VHOST_SCSI_SET_ENDPOINT
and VHOST_SCSI_CLEAR_ENDPOINT ops as requested by MST)
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Here are 10 more USB patches for 3.6-rc3. They all fix reported
problems (build problems for one of them, and easily repeatable oopses
for the others.)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
iEYEABECAAYFAlAyjj4ACgkQMUfUDdst+yn8gQCgkNpc92Ux5hBYJIX/AQYoBrTB
ktAAoLiXxIhVP+D4C42R1VLw9vGeB1QH
=+8kb
-----END PGP SIGNATURE-----
Merge tag 'usb-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull more USB patches from Greg Kroah-Hartman:
"Here are 10 more USB patches for 3.6-rc3. They all fix reported
problems (build problems for one of them, and easily repeatable oopses
for the others.)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"
* tag 'usb-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
gpu/mfd/usb: Fix USB randconfig problems
USB: CDC ACM: Fix NULL pointer dereference
USB: emi62: remove __devinit* from the struct usb_device_id table
USB: winbond: remove __devinit* from the struct usb_device_id table
USB: vt6656: remove __devinit* from the struct usb_device_id table
USB: rtl8187: remove __devinit* from the struct usb_device_id table
USB: p54usb: remove __devinit* from the struct usb_device_id table
USB: spca506: remove __devinit* from the struct usb_device_id table
USB: jl2005bcd: remove __devinit* from the struct usb_device_id table
USB: smsusb: remove __devinit* from the struct usb_device_id table
Here is one fix for the dmesg line corruption problem that the previous
set of patches caused.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
iEYEABECAAYFAlAyh14ACgkQMUfUDdst+yn2RQCbBissjdBqDhaX9schGTKyrxPM
UOUAn3o3KZpUzFWSGYXQGaSI7HtcyElz
=GWkA
-----END PGP SIGNATURE-----
Merge tag 'driver-core-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
Pull one more driver core fix from Greg Kroah-Hartman:
"Here is one fix for the dmesg line corruption problem that the
previous set of patches caused.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"
* tag 'driver-core-3.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
dyndbg: fix for SOH in logging messages
Pull x86 platform driver update from Matthew Garrett:
"Some small updates for a few drivers, and some hardware enablement for
new Ideapads and the gmux hardware in the latest Macs.
This code won't run on older devices and has been well tested on new
ones, so low risk of regressions."
* 'for_linus' of git://cavan.codon.org.uk/platform-drivers-x86:
ideapad: add Lenovo IdeaPad Z570 support (part 3)
ideapad: add Lenovo IdeaPad Z570 support (part 2)
ideapad: add Lenovo IdeaPad Z570 support (part 1)
classmate-laptop: always call input_sync() after input_report_switch()
thinkpad-acpi: recognize latest V-Series using DMI_BIOS_VENDOR
dell-laptop: Fixed typo in touchpad LED quirk
vga_switcheroo: Don't require handler init callback
vga_switcheroo: Remove assumptions about registration/unregistration ordering
apple-gmux: Add display mux support
apple-gmux: Fix kconfig dependencies
asus-wmi: record wlan status while controlled by userapp
apple_gmux: Fix ACPI video unregister
apple_gmux: Add support for newer hardware
gmux: Add generic write32 function
Grant is still away so another pull request with some fairly minor
fixes, the most notable of which are several fixes for some common error
patterns with the reference counting spi_master_get/put do.
-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAABAgAGBQJQLrxzAAoJEFJkBDiqVpZ4xHIP+wQ8wi6X/HkB4I7EA9aET/hO
UzyUTZtK6UQGjpqOBK0S38BMweyC23rbeYCcyWgF7rKI7IEjlul1r4O3iChgmeWR
0ksrDfAIajb+9r1VoN7JQXnqk6miIIFdK2rotLNPnpbNlJTFCmmXD2FK5Zfc/pNA
e3OjFvtMcaOGjTo5xvN3RK3e2IcH3eKHLCeoj33bKqElT6loITHPnOaEWyIe6QCc
ExNCiv+D4apTRZ7nlvrttJrNtoMrL49rMy4rz0Z68nsClf1RZeZlTbVeT9+le3LQ
VhrHUeW8TqYYPBuyMgDyCCBmkVlTZCODBaW2ZtXaC32n72luJuDgq3cZBXhCYuKe
OPibJSY9j1P9CQBlro6Ccb/3pMjfegaLKCKsSHOdaMF730z9CImT78a2hVgMCNjQ
WsUDwsOp8l8iJpgTylD1ijQGhH5h7yfp1TXc8rdeEWsRlI2wovCJtU4G4okvFUID
UQFWShim73f6tDE5dzSYhzigg1ikbaOe5CpO3xk1foyNOx/o3/7U7Da0P5t6yVBa
zwW/zXdl3GWMLGkqL+oHHMDGLGPeALsgIzMwSMVQY6cK3qROL3fJI9ajk31a1zeP
sbWx53G2/AHDOqmvvXbuM/GJ8FOrQx7qJ/A2kLp+Fd+y8j/X15C28qVjQYNCJCXi
x/02RXln1MxLrFKVasvn
=8RgT
-----END PGP SIGNATURE-----
Merge tag 'spi-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc
Pull spi fixes from Mark Brown:
"Grant is still away so another pull request with some fairly minor
fixes, the most notable of which are several fixes for some common
error patterns with the reference counting spi_master_get/put do."
* tag 'spi-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc:
spi/coldfire-qspi: Drop extra calls to spi_master_get in suspend/resume functions
spi: spi-coldfire-qspi: Drop extra spi_master_put in device remove function
spi/pl022: fix spi-pl022 pm enable at probe
spi/bcm63xx: Ensure that memory is freed only after it is no longer used
spi: omap2-mcspi: Fix the error handling in probe
spi/s3c64xx: Add missing static storage class specifiers
commit 7c5763b845 (drivers:misc: Remove MISC_DEVICES config option) removed
CONFIG_MISC_DEVICES option, so remove the occurrences from the config files
as well.
Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
A bunch of fixes which are a combination of minor fixes that have been
shaken down due to greater testing exposure, the biggest block of which
are for the Palmas driver which hadn't had all the changes required for
mainline properly tested when it was merged.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAABAgAGBQJQLsN2AAoJEFJkBDiqVpZ4po4QAKdrLVeV3LgNQJEIbig+sDkx
7buj8nFez4RzjM0JOj7k1bJc4kDW8XaBSOsMEO2T4yFk7uEsAHfbusqeBwl3imQe
I6bdoo5AClDzvkWIoPQ0ssuRv9DWj2s0B9S5QtMFL7WdnlQyaOCweResOcRyV0OJ
8CwoX9/oQszAEkpgjEF+CW40DLeaevogz0SQg4vMzYT5yzMUtYIVO2K+NDNMoTMg
Kwc8mKj9feEP8ilkyM86iz2/YASMf3YP0Vj+VmZQ52BxFhDBytIZJk3xKqkuVNJg
qd8TLMsF4gz2Jc+KtEWKOA0DW7N0DrE4SaweDOgNrL8A0odegOL5Hk7SQRv1c8BX
qyJEBSS19L7OYW44gGrZG6pWdSI9PuThjaibzBd5J/PfbpTBMWCz8i7S9n2yMlil
KyNWxrWiHY7y6xBii6qWtnU5sdVVqLfeQxLv++vPexy+DMROrUdN43oJef5eomY5
0SYo1ElPmb8EsTEX1DQqHEKEH3yTbrGzjgpyCtvhn/3+cmJwlBUJzxSSjsg13y1Z
P72aQhuNBYjjeuTss0ZlX6luHUhlLB0x4DYnMs7E89CuqnJ2iBhVgnwRTpU6SS/E
2pZWYsfeHrraGYmiRdiOEUEvaVxtgXNrgobfSqyiz8jnzkM0GtwBPNXy0lLyMEzI
69vhwu3OjSKKSE0rYJ1B
=gocn
-----END PGP SIGNATURE-----
Merge tag 'regulator-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
Pull regulator fixes from Mark Brown:
"A bunch of fixes which are a combination of minor fixes that have been
shaken down due to greater testing exposure, the biggest block of
which are for the Palmas driver which hadn't had all the changes
required for mainline properly tested when it was merged."
* tag 'regulator-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: twl-regulator: fix up VINTANA1/VINTANA2
regulator: core: request only valid gpio pins for regulator enable
regulator: twl: Remove references to the twl4030 regulator
regulator: gpio-regulator: Split setting of voltages and currents
regulator: ab3100: add missing voltage table
regulator: anatop: Fix wrong mask used in anatop_get_voltage_sel
regulator: tps6586x: correct vin pin for sm0/sm1/sm2
regulator: palmas: Fix palmas_probe error handling
regulator: palmas: Call palmas_ldo_[read|write] in palmas_ldo_init
regulator: palmas: Fix regmap offsets for PALMAS_REG_SMPS10 vsel_reg
regulator: palmas: Fix calculating selector in palmas_map_voltage_ldo
Two fixes are necessary. One patch fixes a boot crash on MacBook Air
with interrupt remapping enabled and the other patch fixes a regression
(which causes a boot crash on AMD IOMMUv2 systems too) in the init code
of the AMD IOMMU driver.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAABAgAGBQJQMgntAAoJECvwRC2XARrjhTgP/jW6k9NYwJD4QOyrDkj7957V
KkOfTF+TsPVlhtxwyY+hauvtKywf4rNK5l5/pYTiZlV4m06qZIlwpl/fYxjLKESA
+xMgRc7GAGK0g3RKBgSqBXzmwCLPMuUab83GgmKHvjMvq7SbhMDgWklsGKRA9uni
38nOnLby1TZfTctJlZ/6SqBkYYMz13GGqdxcdlCls8OSQVa+MbgyE7eWBhhwgWVA
gvuCKL6vWkl6xMZYP8lR+rf6v0DRU01aHdCduIXdpqAUr5r4qXd7yxOQEYVXPE4s
xgnq4AA2un0O4c2OibrXUBCzZhKVo/yKYpTThMAmuC0RTqPhfrZ6VMyuRvbBWKgE
ozRKqsKq7TrwYebGvDWVFe9wHqX7BBha4p4C5wuhX411qFXLtynYs2dcHDhf7qBk
mSivpWj9K+Gmetl+HaeJ4kOpMCPLtxMu7EytsZAlfunb3VzARtv6JDLx6zceuk8g
rImHNdT6kh3Oat7K1a5/tBimRm/o+3MHVCE8EDg1/XPKRWa1a5VyWaeRx4CLVxZ3
Cjqo8yvwj7EgVbyHzCMMISUEm70+Yn+l2dVJYRXCnlPaH99YXn1WLSOvlqWGpmQI
rSUqH78mTPu2r5mfwqUT3cEzCgjQQfbVQ2wVBH2uY7/R5xAExukz/+6swVOdZiD/
Mo2fAVGUBz+YaaUJnqWi
=nnta
-----END PGP SIGNATURE-----
Merge tag 'iommu-fixes-v3.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
Pull IOMMU fixes from Joerg Roedel:
"Two fixes are necessary. One patch fixes a boot crash on MacBook Air
with interrupt remapping enabled and the other patch fixes a
regression (which causes a boot crash on AMD IOMMUv2 systems too) in
the init code of the AMD IOMMU driver."
* tag 'iommu-fixes-v3.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
iommu/amd: Fix wrong check for ARRAY_SIZE()
irq_remap: disable IRQ remapping if any IOAPIC lacks an IOMMU
When the codec turn-on operation is canceled by the immediate
power-on, the driver left the power_transition flag as is.
This caused the persistent avoidance of power-save behavior.
Cc: <stable@vger.kernel.org> [v3.5+]
Signed-off-by: Takashi Iwai <tiwai@suse.de>
A batch more bugfixes, all driver-specific and fairly small and
unremarkable in a global context. The biggest batch are for the newly
added Arizona drivers.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAABAgAGBQJQLsRjAAoJEFJkBDiqVpZ4HI0QALREeI4Hq7xGxOEPsY9QV+Eh
0zs+Q2KnlGKlm87cm3PfsIpI+atf8WGVAO5/nTk7TPewvPbkvJp8p6zgzaMwvq1r
5TqTdwTOwg0UuoiFakmET6x7mHmYvks0U1uAm5VwPzdNbahvHLArCsRgufXtNsEz
4M9FmLL/+e9r/n3EKXMoNYab4krvmyVft5QCUxFkHgfcbfv95KIn9So54T5H/jG9
fzhmKjMMGUja7Q7nLtpr6OHkJLZd1iPTu8xdjsQB7htNW7P8KPaseVt0oAUXNkXS
K0WhTjqtQbDtm9KfrifY0vpdWNLbTi1R+vnm6FwQiDN0fZ1Tm18992veNZfaOAUE
QWlGzt5Av2sCGwNXA55SF0cLo1lbxD1kwGN9o45zztGw0wW5qjkH9VF92XkpqISh
zdE+bQoQk7I9UBtwql/YtY17QLn3KUBoDlHDaOQqrmQYXW69J8RnnjUMskoO/2Tu
LTMPWLPnudVXIcfW+C/j1GSBN0l0q3FHGBYVfoCWwXShwjIr3Fzg8hhtHwL056/J
YhEykqucR4iDJaOpjSxKiiKWjFfMQBkzipuTL6p/vqQJ3fPTp9LjQTABUnzsGqYQ
mIx9W3BqZ1q/LiZYPYEExiIChdlE3g6+aFZfukk0sQQ0/dpipC/0qXRWMb8Kks6W
18HFsHL5jX5s5e8qG5ac
=X06H
-----END PGP SIGNATURE-----
Merge tag 'asoc-3.6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
ASoC: Additional updates for 3.6
A batch more bugfixes, all driver-specific and fairly small and
unremarkable in a global context. The biggest batch are for the newly
added Arizona drivers.
Fix config warning:
warning: ( ... && DRM_USB) selects USB which has unmet direct dependencies
(USB_SUPPORT && USB_ARCH_HAS_HCD)
and build error:
ERROR: "usb_speed_string" [drivers/usb/core/usbcore.ko] undefined!
by adding the missing dependency on USB_ARCH_HAS_HCD to DRM_UDL and DRM_USB.
This exposes:
drivers/video/Kconfig:36:error: recursive dependency detected!
drivers/video/Kconfig:36: symbol FB is selected by DRM_KMS_HELPER
drivers/gpu/drm/Kconfig:28: symbol DRM_KMS_HELPER is selected by DRM_UDL
drivers/gpu/drm/udl/Kconfig:1: symbol DRM_UDL depends on USB_ARCH_HAS_HCD
drivers/usb/Kconfig:78: symbol USB_ARCH_HAS_HCD depends on USB_ARCH_HAS_OHCI
drivers/usb/Kconfig:16: symbol USB_ARCH_HAS_OHCI depends on I2C
drivers/i2c/Kconfig:5: symbol I2C is selected by FB_DDC
drivers/video/Kconfig:86: symbol FB_DDC is selected by FB_CYBER2000_DDC
drivers/video/Kconfig:385: symbol FB_CYBER2000_DDC depends on FB_CYBER2000
drivers/video/Kconfig:373: symbol FB_CYBER2000 depends on FB
which is due to drivers/usb/Kconfig:
config USB_ARCH_HAS_OHCI
...
default y if ARCH_PNX4008 && I2C
Fix by dropping I2C from the above dependency; logic is that this is not a
platform dependency but a configuration dependency: the _architecture_ still
supports USB even is I2C is not selected.
This exposes:
drivers/video/Kconfig:36:error: recursive dependency detected!
drivers/video/Kconfig:36: symbol FB is selected by DRM_KMS_HELPER
drivers/gpu/drm/Kconfig:28: symbol DRM_KMS_HELPER is selected by DRM_UDL
drivers/gpu/drm/udl/Kconfig:1: symbol DRM_UDL depends on USB_ARCH_HAS_HCD
drivers/usb/Kconfig:78: symbol USB_ARCH_HAS_HCD depends on USB_ARCH_HAS_OHCI
drivers/usb/Kconfig:17: symbol USB_ARCH_HAS_OHCI depends on MFD_TC6393XB
drivers/mfd/Kconfig:396: symbol MFD_TC6393XB depends on GPIOLIB
drivers/gpio/Kconfig:35: symbol GPIOLIB is selected by FB_VIA
drivers/video/Kconfig:1560: symbol FB_VIA depends on FB
which can be fixed by having MFD_TC6393XB select GPIOLIB instead of depending on
it.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
James Bottomley reported [1] a massive power regression, due to the
enabling of semaphores by default in 3.5. A workaround for him is to
again disable semaphores. And indeed, his system has a very hard time
to enter rc6 with semaphores enabled.
Ben Widawsky run around with a kill-a-watt a lot and noticed:
- There are indeed a few rare systems that seem to have a hard time
entering rc6 when desktop-idle.
- One machine, The Indestructible Toshiba regressed in this behaviour
between 3.5 and 3.6 in a merge commit! So rc6 behaviour with the
current setting seems to be highly timing dependent and not robust
at all.
- The behaviour James reported wrt semaphores seems to be a freak
timing thing that only happens on his specific machine, confirming
that enabling semaphores shouldn't reduce rc6 residency.
Now furthermore the Google ChromeOS guys reported [2] a while ago that
at least on some machines a simply a blinking cursor can keep the gpu
turbo at the highest frequency. This is because the current rps limits
used on snb/ivb are highly asymmetric.
On the theory that gpu turbo and rc6 tuning values are related, we've
tried whether the much saner looking (since much less asymmetric) rps
tuning values used for hsw would also help entering rc6 more robustly.
And it seems to mostly work, and we don't really have the resources to
through-roughly tune things in any better way: The values from the
ChromeOS ppl seem to fare a bit worse for James' machine, so I guess
we better stick with something vpg (the gpu hw/windows group)
provided, hoping that they've done their jobs.
Reference[1]: http://lists.freedesktop.org/archives/dri-devel/2012-July/025675.html
Reference[2]: http://lists.freedesktop.org/archives/intel-gfx/2012-July/018692.html
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=53393
Tested-by: Ben Widawsky <ben@bwidawsk.net>
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Pull x86 fixes from Ingo Molnar.
A x32 socket ABI fix with a -stable backport tag among other fixes.
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x32: Use compat shims for {g,s}etsockopt
Revert "x86-64/efi: Use EFI to deal with platform wall clock"
x86, apic: fix broken legacy interrupts in the logical apic mode
x86, build: Globally set -fno-pic
x86, avx: don't use avx instructions with "noxsave" boot param
Pull scheduler fixes from Ingo Molnar.
* 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
sched: Fix migration thread runtime bogosity
sched,rt: fix isolated CPUs leaving root_task_group indefinitely throttled
sched,cgroup: Fix up task_groups list
sched: fix divide by zero at {thread_group,task}_times
sched, cgroup: Reduce rq->lock hold times for large cgroup hierarchies
Pull a mutex fix from Ingo Molnar.
Fix the fastpath_lock failure contention flag for xchg-based mutexes.
* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
mutex: Place lock in contended state after fastpath_lock failure
compat_sys_{read,write}v() need the same "pass a copy of file->f_pos" thing
as sys_{read,write}{,v}().
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The debugfs directory includes the cluster fsid and our unique global_id.
We need to delay the initialization of the debug entry until we have
learned both the fsid and our global_id from the monitor or else the
second client can't create its debugfs entry and will fail (and multiple
client instances aren't properly reflected in debugfs).
Reported by: Yan, Zheng <zheng.z.yan@intel.com>
Signed-off-by: Sage Weil <sage@inktank.com>
Reviewed-by: Yehuda Sadeh <yehuda@inktank.com>