commit fd82174a6967b34e1f478469269f161f7b1e688b Author: Greg Kroah-Hartman Date: Thu Feb 6 11:42:22 2014 -0800 Linux 3.13.2 commit 31752e89b1e728d672eaafaa7869e7c0673ae9f6 Author: Borislav Petkov Date: Wed Jan 15 00:07:11 2014 +0100 x86, cpu, amd: Add workaround for family 16h, erratum 793 commit 3b56496865f9f7d9bcb2f93b44c63f274f08e3b6 upstream. This adds the workaround for erratum 793 as a precaution in case not every BIOS implements it. This addresses CVE-2013-6885. Erratum text: [Revision Guide for AMD Family 16h Models 00h-0Fh Processors, document 51810 Rev. 3.04 November 2013] 793 Specific Combination of Writes to Write Combined Memory Types and Locked Instructions May Cause Core Hang Description Under a highly specific and detailed set of internal timing conditions, a locked instruction may trigger a timing sequence whereby the write to a write combined memory type is not flushed, causing the locked instruction to stall indefinitely. Potential Effect on System Processor core hang. Suggested Workaround BIOS should set MSR C001_1020[15] = 1b. Fix Planned No fix planned [ hpa: updated description, fixed typo in MSR name ] Signed-off-by: Borislav Petkov Link: http://lkml.kernel.org/r/20140114230711.GS29865@pd.tnic Tested-by: Aravind Gopalakrishnan Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 8698e6867596eaaa98535f0e4ee801a076633928 Author: Paul Mackerras Date: Sat Jan 18 21:14:47 2014 +1100 powerpc: Make sure "cache" directory is removed when offlining cpu commit 91b973f90c1220d71923e7efe1e61f5329806380 upstream. The code in remove_cache_dir() is supposed to remove the "cache" subdirectory from the sysfs directory for a CPU when that CPU is being offlined. It tries to do this by calling kobject_put() on the kobject for the subdirectory. However, the subdirectory only gets removed once the last reference goes away, and the reference being put here may well not be the last reference. That means that the "cache" subdirectory may still exist when the offlining operation has finished. If the same CPU subsequently gets onlined, the code tries to add a new "cache" subdirectory. If the old subdirectory has not yet been removed, we get a WARN_ON in the sysfs code, with stack trace, and an error message printed on the console. Further, we ultimately end up with an online cpu with no "cache" subdirectory. This fixes it by doing an explicit kobject_del() at the point where we want the subdirectory to go away. kobject_del() removes the sysfs directory even though the object still exists in memory. The object will get freed at some point in the future. A subsequent onlining operation can create a new sysfs directory, even if the old object still exists in memory, without causing any problems. Signed-off-by: Paul Mackerras Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 5326f5fc83fecf025bf211f429373d7bed0f7582 Author: Srivatsa S. Bhat Date: Mon Dec 30 17:05:34 2013 +0530 powerpc: Fix the setup of CPU-to-Node mappings during CPU online commit d4edc5b6c480a0917e61d93d55531d7efa6230be upstream. On POWER platforms, the hypervisor can notify the guest kernel about dynamic changes in the cpu-numa associativity (VPHN topology update). Hence the cpu-to-node mappings that we got from the firmware during boot, may no longer be valid after such updates. This is handled using the arch_update_cpu_topology() hook in the scheduler, and the sched-domains are rebuilt according to the new mappings. But unfortunately, at the moment, CPU hotplug ignores these updated mappings and instead queries the firmware for the cpu-to-numa relationships and uses them during CPU online. So the kernel can end up assigning wrong NUMA nodes to CPUs during subsequent CPU hotplug online operations (after booting). Further, a particularly problematic scenario can result from this bug: On POWER platforms, the SMT mode can be switched between 1, 2, 4 (and even 8) threads per core. The switch to Single-Threaded (ST) mode is performed by offlining all except the first CPU thread in each core. Switching back to SMT mode involves onlining those other threads back, in each core. Now consider this scenario: 1. During boot, the kernel gets the cpu-to-node mappings from the firmware and assigns the CPUs to NUMA nodes appropriately, during CPU online. 2. Later on, the hypervisor updates the cpu-to-node mappings dynamically and communicates this update to the kernel. The kernel in turn updates its cpu-to-node associations and rebuilds its sched domains. Everything is fine so far. 3. Now, the user switches the machine from SMT to ST mode (say, by running ppc64_cpu --smt=1). This involves offlining all except 1 thread in each core. 4. The user then tries to switch back from ST to SMT mode (say, by running ppc64_cpu --smt=4), and this involves onlining those threads back. Since CPU hotplug ignores the new mappings, it queries the firmware and tries to associate the newly onlined sibling threads to the old NUMA nodes. This results in sibling threads within the same core getting associated with different NUMA nodes, which is incorrect. The scheduler's build-sched-domains code gets thoroughly confused with this and enters an infinite loop and causes soft-lockups, as explained in detail in commit 3be7db6ab (powerpc: VPHN topology change updates all siblings). So to fix this, use the numa_cpu_lookup_table to remember the updated cpu-to-node mappings, and use them during CPU hotplug online operations. Further, we also need to ensure that all threads in a core are assigned to a common NUMA node, irrespective of whether all those threads were online during the topology update. To achieve this, we take care not to use cpu_sibling_mask() since it is not hotplug invariant. Instead, we use cpu_first_sibling_thread() and set up the mappings manually using the 'threads_per_core' value for that particular platform. This helps us ensure that we don't hit this bug with any combination of CPU hotplug and SMT mode switching. Signed-off-by: Srivatsa S. Bhat Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 000bed8a41424d1fca84c047dbf7fa260af87087 Author: David Sterba Date: Wed Jan 15 18:15:52 2014 +0100 btrfs: restrict snapshotting to own subvolumes commit d024206133ce21936b3d5780359afc00247655b7 upstream. Currently, any user can snapshot any subvolume if the path is accessible and thus indirectly create and keep files he does not own under his direcotries. This is not possible with traditional directories. In security context, a user can snapshot root filesystem and pin any potentially buggy binaries, even if the updates are applied. All the snapshots are visible to the administrator, so it's possible to verify if there are suspicious snapshots. Another more practical problem is that any user can pin the space used by eg. root and cause ENOSPC. Original report: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/484786 Signed-off-by: David Sterba Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit 5d4d57d2f5cd27b27505d24766fa0f0952e2a19b Author: Chris Mason Date: Thu Jan 9 17:28:00 2014 -0800 Btrfs: setup inode location during btrfs_init_inode_locked commit 90d3e592e99b8e374ead2b45148abf506493a959 upstream. We have a race during inode init because the BTRFS_I(inode)->location is setup after the inode hash table lock is dropped. btrfs_find_actor uses the location field, so our search might not find an existing inode in the hash table if we race with the inode init code. This commit changes things to setup the location field sooner. Also the find actor now uses only the location objectid to match inodes. For inode hashing, we just need a unique and stable test, it doesn't have to reflect the inode numbers we show to userland. Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit fb0f7df29d50332f5b79c84e954d30acf7961884 Author: Wang Shilong Date: Tue Jan 7 17:26:58 2014 +0800 Btrfs: handle EAGAIN case properly in btrfs_drop_snapshot() commit 90515e7f5d7d24cbb2a4038a3f1b5cfa2921aa17 upstream. We may return early in btrfs_drop_snapshot(), we shouldn't call btrfs_std_err() for this case, fix it. Signed-off-by: Wang Shilong Signed-off-by: Josef Bacik Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit 0bf44d6862c3d4551fa442b8913421d43933d067 Author: Andy Grover Date: Fri Jan 24 16:18:54 2014 -0800 target/iscsi: Fix network portal creation race commit ee291e63293146db64668e8d65eb35c97e8324f4 upstream. When creating network portals rapidly, such as when restoring a configuration, LIO's code to reuse existing portals can return a false negative if the thread hasn't run yet and set np_thread_state to ISCSI_NP_THREAD_ACTIVE. This causes an error in the network stack when attempting to bind to the same address/port. This patch sets NP_THREAD_ACTIVE before the np is placed on g_np_list, so even if the thread hasn't run yet, iscsit_get_np will return the existing np. Also, convert np_lock -> np_mutex + hold across adding new net portal to g_np_list to prevent a race where two threads may attempt to create the same network portal, resulting in one of them failing. (nab: Add missing mutex_unlocks in iscsit_add_np failure paths) (DanC: Fix incorrect spin_unlock -> spin_unlock_bh) Signed-off-by: Andy Grover Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit e00d98a6df6f455e790c3cef4e9e78926d6f6ba7 Author: Nicholas Bellinger Date: Fri Jan 10 02:06:59 2014 +0000 iscsi-target: Pre-allocate more tags to avoid ack starvation commit 4a4caa29f1abcb14377e05d57c0793d338fb945d upstream. This patch addresses an traditional iscsi-target fabric ack starvation issue where iscsit_allocate_cmd() -> percpu_ida_alloc_state() ends up hitting slow path percpu-ida code, because iscsit_ack_from_expstatsn() is expected to free ack'ed tags after tag allocation. This is done to take into account the tags waiting to be acknowledged and released in iscsit_ack_from_expstatsn(), but who's number are not directly limited by the CmdSN Window queue_depth being enforced by the target. So that said, this patch bumps up the pre-allocated number of per session tags to: (max(queue_depth, ISCSIT_MIN_TAGS) * 2) + ISCSIT_EXTRA_TAGS for good measure to avoid the percpu_ida_alloc_state() slow path. Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit f91c20513353a088257f2b1264d497b3dcfe81de Author: Asias He Date: Thu Jan 16 10:18:48 2014 +1030 virtio-scsi: Fix hotcpu_notifier use-after-free with virtscsi_freeze commit f466f75385369a181409e46da272db3de6f5c5cb upstream. vqs are freed in virtscsi_freeze but the hotcpu_notifier is not unregistered. We will have a use-after-free usage when the notifier callback is called after virtscsi_freeze. Fixes: 285e71ea6f3583a85e27cb2b9a7d8c35d4c0d558 ("virtio-scsi: reset virtqueue affinity when doing cpu hotplug") Signed-off-by: Asias He Reviewed-by: Paolo Bonzini Signed-off-by: Jason Wang Signed-off-by: Rusty Russell Signed-off-by: Greg Kroah-Hartman commit 8507df5828d2335c6a07c87804e18df0ff2a4af1 Author: Dan Carpenter Date: Wed Nov 13 10:48:11 2013 +0300 SCSI: qla4xxx: overflow in qla4xxx_set_chap_entry() commit 3c60cfd73966797746530768d66597d025a69804 upstream. We should cap the size of memcpy() because it comes from the network and can't be trusted. Fixes: 26ffd7b45fe9 ('[SCSI] qla4xxx: Add support to set CHAP entries') Signed-off-by: Dan Carpenter Acked-by: Vikas Chaudhary Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit e88f3608e8230b5d82353701656e0f60166114b6 Author: Vijaya Mohan Guvva Date: Wed Dec 4 05:43:58 2013 -0800 SCSI: bfa: Chinook quad port 16G FC HBA claim issue commit dcaf9aed995c2b2a49fb86bbbcfa2f92c797ab5d upstream. Bfa driver crash is observed while pushing the firmware on to chinook quad port card due to uninitialized bfi_image_ct2 access which gets initialized only for CT2 ASIC based cards after request_firmware(). For quard port chinook (CT2 ASIC based), bfi_image_ct2 is not getting initialized as there is no check for chinook PCI device ID before request_firmware and instead bfi_image_cb is initialized as it is the default case for card type check. This patch includes changes to read the right firmware for quad port chinook. Signed-off-by: Vijaya Mohan Guvva Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 6d9541431906f495c56ffaf0d5f9c62b919b8491 Author: Thomas Pugliese Date: Mon Dec 9 13:40:29 2013 -0600 usb: core: get config and string descriptors for unauthorized devices commit 83e83ecb79a8225e79bc8e54e9aff3e0e27658a2 upstream. There is no need to skip querying the config and string descriptors for unauthorized WUSB devices when usb_new_device is called. It is allowed by WUSB spec. The only action that needs to be delayed until authorization time is the set config. This change allows user mode tools to see the config and string descriptors earlier in enumeration which is needed for some WUSB devices to function properly on Android systems. It also reduces the amount of divergent code paths needed for WUSB devices. Signed-off-by: Thomas Pugliese Signed-off-by: Greg Kroah-Hartman commit 3e700ec6144244a484c787f403c8299125db86e3 Author: Mikulas Patocka Date: Wed Jan 29 00:10:44 2014 +0100 hpfs: remember free space commit 2cbe5c76fc5e38e9af4b709593146e4b8272b69e upstream. Previously, hpfs scanned all bitmaps each time the user asked for free space using statfs. This patch changes it so that hpfs scans the bitmaps only once, remembes the free space and on next invocation of statfs it returns the value instantly. New versions of wine are hammering on the statfs syscall very heavily, making some games unplayable when they're stored on hpfs, with load times in minutes. This should be backported to the stable kernels because it fixes user-visible problem (excessive level load times in wine). Signed-off-by: Mikulas Patocka Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8a8c97e6cc6a7b311617a32fe182ec6a69a9e9af Author: Takashi Iwai Date: Mon Jan 13 12:40:07 2014 +0100 ALSA: hda - Don't set indep_hp flag for old AD codecs commit cbd209f41ea5f39394de5c1fe2dd9aa54a9c5744 upstream. Some old AD codecs don't like the independent HP handling, either it contains a single DAC (AD1981) or it mandates the mixer routing (AD1986A). This patch removes the indep_hp flag for such codecs. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=68081 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 946c119beade4f44113c09974410af82e92fcc3c Author: Mihai Caraman Date: Thu Jan 9 17:01:05 2014 +0200 KVM: PPC: e500: Fix bad address type in deliver_tlb_misss() commit 70713fe315ed14cd1bb07d1a7f33e973d136ae3d upstream. Use gva_t instead of unsigned int for eaddr in deliver_tlb_miss(). Signed-off-by: Mihai Caraman Signed-off-by: Alexander Graf Signed-off-by: Greg Kroah-Hartman commit a03e895e05a2ee3939f559e2644f762d04b3972a Author: Andreas Schwab Date: Mon Dec 30 15:36:56 2013 +0100 KVM: PPC: Book3S HV: use xics_wake_cpu only when defined commit 48eaef0518a565d3852e301c860e1af6a6db5a84 upstream. Signed-off-by: Andreas Schwab Signed-off-by: Alexander Graf Signed-off-by: Greg Kroah-Hartman commit 625988d38c57d3ef867195a8941820677a939035 Author: Helge Deller Date: Fri Jan 31 21:33:17 2014 +0100 parisc: fix cache-flushing commit 57737c49dd72c96cfbcd4f66559f3ffc399aeb4f upstream. This commit: f8dae00684d678afa13041ef170cecfd1297ed40: parisc: Ensure full cache coherency for kmap/kunmap caused negative caching side-effects, e.g. hanging processes with expect and too many inequivalent alias messages from flush_dcache_page() on Debian 5 systems. This patch now partly reverts it and has been in production use on our debian buildd makeservers since a week without any major problems. Signed-off-by: Helge Deller Signed-off-by: John David Anglin Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 3b11ff52d571e4bac05c33c64653afdf36c5d63d Author: Helge Deller Date: Fri Jan 31 15:39:40 2014 +0100 parisc/sti_console: prefer Linux fonts over built-in ROM fonts commit 8a10bc9d27ceb084b0d8be621a033a475eb9fdfd upstream. The built-in ROM fonts lack many necessary ASCII characters, which is why it makes sens to prefer the Linux fonts instead if they are available. This makes consoles on STI graphics cards which are not supported by the stifb driver (e.g. Visualize FXe) looks much nicer. Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 2a98c6f081a98abdb3a287788f4cbca3ae0db1fe Author: Mikulas Patocka Date: Wed Jan 22 23:04:33 2014 -0500 alpha: fix broken network checksum commit 0ef38d70d4118b2ce1a538d14357be5ff9dc2bbd upstream. The patch 3ddc5b46a8e90f3c9251338b60191d0a804b0d92 breaks networking on alpha (there is a follow-up fix 5cfe8f1ba5eebe6f4b6e5858cdb1a5be4f3272a6, but networking is still broken even with the second patch). The patch 3ddc5b46a8e90f3c9251338b60191d0a804b0d92 makes csum_partial_copy_from_user check the pointer with access_ok. However, csum_partial_copy_from_user is called also from csum_partial_copy_nocheck and csum_partial_copy_nocheck is called on kernel pointers and it is supposed not to check pointer validity. This bug results in ssh session hangs if the system is loaded and bulk data are printed to ssh terminal. This patch fixes csum_partial_copy_nocheck to call set_fs(KERNEL_DS), so that access_ok in csum_partial_copy_from_user accepts kernel-space addresses. Signed-off-by: Mikulas Patocka Signed-off-by: Matt Turner Signed-off-by: Greg Kroah-Hartman commit 8fabad704e223548edb974819d2bd5d942d049b6 Author: Dong Aisheng Date: Thu Dec 26 15:23:53 2013 +0800 mmc: sdhci-esdhc-imx: fix access hardirq-unsafe lock in atomic context commit a974862faee199cba3ff36b5a148df5fd34bd1e7 upstream. Sometimes we may meet the following lockdep issue. The root cause is .set_clock callback is executed with spin_lock_irqsave in sdhci_do_set_ios. However, the IMX set_clock callback will try to access clk_get_rate which is using a mutex lock. The fix avoids access mutex in .set_clock callback by initializing the pltfm_host->clock at probe time and use it later instead of calling clk_get_rate again in atomic context. [ INFO: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected ] 3.13.0-rc1+ #285 Not tainted ------------------------------------------------------ kworker/u8:1/29 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: (prepare_lock){+.+...}, at: [<80480b08>] clk_prepare_lock+0x44/0xe4 and this task is already holding: (&(&host->lock)->rlock#2){-.-...}, at: [<804611f4>] sdhci_do_set_ios+0x20/0x720 which would create a new lock dependency: (&(&host->lock)->rlock#2){-.-...} -> (prepare_lock){+.+...} but this new dependency connects a HARDIRQ-irq-safe lock: (&(&host->lock)->rlock#2){-.-...} ... which became HARDIRQ-irq-safe at: [<8005f030>] mark_lock+0x140/0x6ac [<80060760>] __lock_acquire+0xb30/0x1cbc [<800620d0>] lock_acquire+0x70/0x84 [<8061d2f0>] _raw_spin_lock+0x30/0x40 [<80460668>] sdhci_irq+0x24/0xa68 [<8006b1d4>] handle_irq_event_percpu+0x54/0x18c [<8006b350>] handle_irq_event+0x44/0x64 [<8006e50c>] handle_fasteoi_irq+0xa0/0x170 [<8006a8f0>] generic_handle_irq+0x30/0x44 [<8000f238>] handle_IRQ+0x54/0xbc [<8000864c>] gic_handle_irq+0x30/0x64 [<80013024>] __irq_svc+0x44/0x5c [<80614c58>] printk+0x38/0x40 [<804622a8>] sdhci_add_host+0x844/0xbcc [<80464948>] sdhci_esdhc_imx_probe+0x378/0x67c [<8032ee88>] platform_drv_probe+0x20/0x50 [<8032d48c>] driver_probe_device+0x118/0x234 [<8032d690>] __driver_attach+0x9c/0xa0 [<8032b89c>] bus_for_each_dev+0x68/0x9c [<8032cf44>] driver_attach+0x20/0x28 [<8032cbc8>] bus_add_driver+0x148/0x1f4 [<8032dce0>] driver_register+0x80/0x100 [<8032ee54>] __platform_driver_register+0x50/0x64 [<8084b094>] sdhci_esdhc_imx_driver_init+0x18/0x20 [<80008980>] do_one_initcall+0x108/0x16c [<8081cca4>] kernel_init_freeable+0x10c/0x1d0 [<80611c50>] kernel_init+0x10/0x120 [<8000e9c8>] ret_from_fork+0x14/0x2c to a HARDIRQ-irq-unsafe lock: (prepare_lock){+.+...} ... which became HARDIRQ-irq-unsafe at: ... [<8005f030>] mark_lock+0x140/0x6ac [<8005f604>] mark_held_locks+0x68/0x12c [<8005f780>] trace_hardirqs_on_caller+0xb8/0x1d8 [<8005f8b4>] trace_hardirqs_on+0x14/0x18 [<8061a130>] mutex_trylock+0x180/0x20c [<80480ad8>] clk_prepare_lock+0x14/0xe4 [<804816a4>] clk_notifier_register+0x28/0xf0 [<80015120>] twd_clk_init+0x50/0x68 [<80008980>] do_one_initcall+0x108/0x16c [<8081cca4>] kernel_init_freeable+0x10c/0x1d0 [<80611c50>] kernel_init+0x10/0x120 [<8000e9c8>] ret_from_fork+0x14/0x2c other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(prepare_lock); local_irq_disable(); lock(&(&host->lock)->rlock#2); lock(prepare_lock); lock(&(&host->lock)->rlock#2); *** DEADLOCK *** 3 locks held by kworker/u8:1/29: #0: (kmmcd){.+.+.+}, at: [<8003db18>] process_one_work+0x128/0x468 #1: ((&(&host->detect)->work)){+.+.+.}, at: [<8003db18>] process_one_work+0x128/0x468 #2: (&(&host->lock)->rlock#2){-.-...}, at: [<804611f4>] sdhci_do_set_ios+0x20/0x720 the dependencies between HARDIRQ-irq-safe lock and the holding lock: -> (&(&host->lock)->rlock#2){-.-...} ops: 330 { IN-HARDIRQ-W at: [<8005f030>] mark_lock+0x140/0x6ac [<80060760>] __lock_acquire+0xb30/0x1cbc [<800620d0>] lock_acquire+0x70/0x84 [<8061d2f0>] _raw_spin_lock+0x30/0x40 [<80460668>] sdhci_irq+0x24/0xa68 [<8006b1d4>] handle_irq_event_percpu+0x54/0x18c [<8006b350>] handle_irq_event+0x44/0x64 [<8006e50c>] handle_fasteoi_irq+0xa0/0x170 [<8006a8f0>] generic_handle_irq+0x30/0x44 [<8000f238>] handle_IRQ+0x54/0xbc [<8000864c>] gic_handle_irq+0x30/0x64 [<80013024>] __irq_svc+0x44/0x5c [<80614c58>] printk+0x38/0x40 [<804622a8>] sdhci_add_host+0x844/0xbcc [<80464948>] sdhci_esdhc_imx_probe+0x378/0x67c [<8032ee88>] platform_drv_probe+0x20/0x50 [<8032d48c>] driver_probe_device+0x118/0x234 [<8032d690>] __driver_attach+0x9c/0xa0 [<8032b89c>] bus_for_each_dev+0x68/0x9c [<8032cf44>] driver_attach+0x20/0x28 [<8032cbc8>] bus_add_driver+0x148/0x1f4 [<8032dce0>] driver_register+0x80/0x100 [<8032ee54>] __platform_driver_register+0x50/0x64 [<8084b094>] sdhci_esdhc_imx_driver_init+0x18/0x20 [<80008980>] do_one_initcall+0x108/0x16c [<8081cca4>] kernel_init_freeable+0x10c/0x1d0 [<80611c50>] kernel_init+0x10/0x120 [<8000e9c8>] ret_from_fork+0x14/0x2c IN-SOFTIRQ-W at: [<8005f030>] mark_lock+0x140/0x6ac [<80060204>] __lock_acquire+0x5d4/0x1cbc [<800620d0>] lock_acquire+0x70/0x84 [<8061d40c>] _raw_spin_lock_irqsave+0x40/0x54 [<8045e4a4>] sdhci_tasklet_finish+0x1c/0x120 [<8002b538>] tasklet_action+0xa0/0x15c [<8002b778>] __do_softirq+0x118/0x290 [<8002bcf4>] irq_exit+0xb4/0x10c [<8000f240>] handle_IRQ+0x5c/0xbc [<8000864c>] gic_handle_irq+0x30/0x64 [<80013024>] __irq_svc+0x44/0x5c [<80614c58>] printk+0x38/0x40 [<804622a8>] sdhci_add_host+0x844/0xbcc [<80464948>] sdhci_esdhc_imx_probe+0x378/0x67c [<8032ee88>] platform_drv_probe+0x20/0x50 [<8032d48c>] driver_probe_device+0x118/0x234 [<8032d690>] __driver_attach+0x9c/0xa0 [<8032b89c>] bus_for_each_dev+0x68/0x9c [<8032cf44>] driver_attach+0x20/0x28 [<8032cbc8>] bus_add_driver+0x148/0x1f4 [<8032dce0>] driver_register+0x80/0x100 [<8032ee54>] __platform_driver_register+0x50/0x64 [<8084b094>] sdhci_esdhc_imx_driver_init+0x18/0x20 [<80008980>] do_one_initcall+0x108/0x16c [<8081cca4>] kernel_init_freeable+0x10c/0x1d0 [<80611c50>] kernel_init+0x10/0x120 [<8000e9c8>] ret_from_fork+0x14/0x2c INITIAL USE at: [<8005f030>] mark_lock+0x140/0x6ac [<8005ff0c>] __lock_acquire+0x2dc/0x1cbc [<800620d0>] lock_acquire+0x70/0x84 [<8061d40c>] _raw_spin_lock_irqsave+0x40/0x54 [<804611f4>] sdhci_do_set_ios+0x20/0x720 [<80461924>] sdhci_set_ios+0x30/0x3c [<8044cea0>] mmc_power_up+0x6c/0xd0 [<8044dac4>] mmc_start_host+0x60/0x70 [<8044eb3c>] mmc_add_host+0x60/0x88 [<8046225c>] sdhci_add_host+0x7f8/0xbcc [<80464948>] sdhci_esdhc_imx_probe+0x378/0x67c [<8032ee88>] platform_drv_probe+0x20/0x50 [<8032d48c>] driver_probe_device+0x118/0x234 [<8032d690>] __driver_attach+0x9c/0xa0 [<8032b89c>] bus_for_each_dev+0x68/0x9c [<8032cf44>] driver_attach+0x20/0x28 [<8032cbc8>] bus_add_driver+0x148/0x1f4 [<8032dce0>] driver_register+0x80/0x100 [<8032ee54>] __platform_driver_register+0x50/0x64 [<8084b094>] sdhci_esdhc_imx_driver_init+0x18/0x20 [<80008980>] do_one_initcall+0x108/0x16c [<8081cca4>] kernel_init_freeable+0x10c/0x1d0 [<80611c50>] kernel_init+0x10/0x120 [<8000e9c8>] ret_from_fork+0x14/0x2c } ... key at: [<80e040e8>] __key.26952+0x0/0x8 ... acquired at: [<8005eb60>] check_usage+0x3d0/0x5c0 [<8005edac>] check_irq_usage+0x5c/0xb8 [<80060d38>] __lock_acquire+0x1108/0x1cbc [<800620d0>] lock_acquire+0x70/0x84 [<8061a210>] mutex_lock_nested+0x54/0x3c0 [<80480b08>] clk_prepare_lock+0x44/0xe4 [<8048188c>] clk_get_rate+0x14/0x64 [<8046374c>] esdhc_pltfm_set_clock+0x20/0x2a4 [<8045d70c>] sdhci_set_clock+0x4c/0x498 [<80461518>] sdhci_do_set_ios+0x344/0x720 [<80461924>] sdhci_set_ios+0x30/0x3c [<8044c390>] __mmc_set_clock+0x44/0x60 [<8044cd4c>] mmc_set_clock+0x10/0x14 [<8044f8f4>] mmc_init_card+0x1b4/0x1520 [<80450f00>] mmc_attach_mmc+0xb4/0x194 [<8044da08>] mmc_rescan+0x294/0x2f0 [<8003db94>] process_one_work+0x1a4/0x468 [<8003e850>] worker_thread+0x118/0x3e0 [<80044de0>] kthread+0xd4/0xf0 [<8000e9c8>] ret_from_fork+0x14/0x2c the dependencies between the lock to be acquired and HARDIRQ-irq-unsafe lock: -> (prepare_lock){+.+...} ops: 395 { HARDIRQ-ON-W at: [<8005f030>] mark_lock+0x140/0x6ac [<8005f604>] mark_held_locks+0x68/0x12c [<8005f780>] trace_hardirqs_on_caller+0xb8/0x1d8 [<8005f8b4>] trace_hardirqs_on+0x14/0x18 [<8061a130>] mutex_trylock+0x180/0x20c [<80480ad8>] clk_prepare_lock+0x14/0xe4 [<804816a4>] clk_notifier_register+0x28/0xf0 [<80015120>] twd_clk_init+0x50/0x68 [<80008980>] do_one_initcall+0x108/0x16c [<8081cca4>] kernel_init_freeable+0x10c/0x1d0 [<80611c50>] kernel_init+0x10/0x120 [<8000e9c8>] ret_from_fork+0x14/0x2c SOFTIRQ-ON-W at: [<8005f030>] mark_lock+0x140/0x6ac [<8005f604>] mark_held_locks+0x68/0x12c [<8005f7c8>] trace_hardirqs_on_caller+0x100/0x1d8 [<8005f8b4>] trace_hardirqs_on+0x14/0x18 [<8061a130>] mutex_trylock+0x180/0x20c [<80480ad8>] clk_prepare_lock+0x14/0xe4 [<804816a4>] clk_notifier_register+0x28/0xf0 [<80015120>] twd_clk_init+0x50/0x68 [<80008980>] do_one_initcall+0x108/0x16c [<8081cca4>] kernel_init_freeable+0x10c/0x1d0 [<80611c50>] kernel_init+0x10/0x120 [<8000e9c8>] ret_from_fork+0x14/0x2c INITIAL USE at: [<8005f030>] mark_lock+0x140/0x6ac [<8005ff0c>] __lock_acquire+0x2dc/0x1cbc [<800620d0>] lock_acquire+0x70/0x84 [<8061a0c8>] mutex_trylock+0x118/0x20c [<80480ad8>] clk_prepare_lock+0x14/0xe4 [<80482af8>] __clk_init+0x1c/0x45c [<8048306c>] _clk_register+0xd0/0x170 [<80483148>] clk_register+0x3c/0x7c [<80483b4c>] clk_register_fixed_rate+0x88/0xd8 [<80483c04>] of_fixed_clk_setup+0x68/0x94 [<8084c6fc>] of_clk_init+0x44/0x68 [<808202b0>] time_init+0x2c/0x38 [<8081ca14>] start_kernel+0x1e4/0x368 [<10008074>] 0x10008074 } ... key at: [<808afebc>] prepare_lock+0x38/0x48 ... acquired at: [<8005eb94>] check_usage+0x404/0x5c0 [<8005edac>] check_irq_usage+0x5c/0xb8 [<80060d38>] __lock_acquire+0x1108/0x1cbc [<800620d0>] lock_acquire+0x70/0x84 [<8061a210>] mutex_lock_nested+0x54/0x3c0 [<80480b08>] clk_prepare_lock+0x44/0xe4 [<8048188c>] clk_get_rate+0x14/0x64 [<8046374c>] esdhc_pltfm_set_clock+0x20/0x2a4 [<8045d70c>] sdhci_set_clock+0x4c/0x498 [<80461518>] sdhci_do_set_ios+0x344/0x720 [<80461924>] sdhci_set_ios+0x30/0x3c [<8044c390>] __mmc_set_clock+0x44/0x60 [<8044cd4c>] mmc_set_clock+0x10/0x14 [<8044f8f4>] mmc_init_card+0x1b4/0x1520 [<80450f00>] mmc_attach_mmc+0xb4/0x194 [<8044da08>] mmc_rescan+0x294/0x2f0 [<8003db94>] process_one_work+0x1a4/0x468 [<8003e850>] worker_thread+0x118/0x3e0 [<80044de0>] kthread+0xd4/0xf0 [<8000e9c8>] ret_from_fork+0x14/0x2c stack backtrace: CPU: 2 PID: 29 Comm: kworker/u8:1 Not tainted 3.13.0-rc1+ #285 Workqueue: kmmcd mmc_rescan Backtrace: [<80012160>] (dump_backtrace+0x0/0x10c) from [<80012438>] (show_stack+0x18/0x1c) r6:00000000 r5:00000000 r4:8088ecc8 r3:bfa11200 [<80012420>] (show_stack+0x0/0x1c) from [<80616b14>] (dump_stack+0x84/0x9c) [<80616a90>] (dump_stack+0x0/0x9c) from [<8005ebb4>] (check_usage+0x424/0x5c0) r5:80979940 r4:bfa29b44 [<8005e790>] (check_usage+0x0/0x5c0) from [<8005edac>] (check_irq_usage+0x5c/0xb8) [<8005ed50>] (check_irq_usage+0x0/0xb8) from [<80060d38>] (__lock_acquire+0x1108/0x1cbc) r8:bfa115e8 r7:80df9884 r6:80dafa9c r5:00000003 r4:bfa115d0 [<8005fc30>] (__lock_acquire+0x0/0x1cbc) from [<800620d0>] (lock_acquire+0x70/0x84) [<80062060>] (lock_acquire+0x0/0x84) from [<8061a210>] (mutex_lock_nested+0x54/0x3c0) r7:bfa11200 r6:80dafa9c r5:00000000 r4:80480b08 [<8061a1bc>] (mutex_lock_nested+0x0/0x3c0) from [<80480b08>] (clk_prepare_lock+0x44/0xe4) [<80480ac4>] (clk_prepare_lock+0x0/0xe4) from [<8048188c>] (clk_get_rate+0x14/0x64) r6:03197500 r5:bf0e9aa8 r4:bf827400 r3:808ae128 [<80481878>] (clk_get_rate+0x0/0x64) from [<8046374c>] (esdhc_pltfm_set_clock+0x20/0x2a4) r5:bf0e9aa8 r4:bf0e9c40 [<8046372c>] (esdhc_pltfm_set_clock+0x0/0x2a4) from [<8045d70c>] (sdhci_set_clock+0x4c/0x498) [<8045d6c0>] (sdhci_set_clock+0x0/0x498) from [<80461518>] (sdhci_do_set_ios+0x344/0x720) r8:0000003b r7:20000113 r6:bf0e9d68 r5:bf0e9aa8 r4:bf0e9c40 r3:00000000 [<804611d4>] (sdhci_do_set_ios+0x0/0x720) from [<80461924>] (sdhci_set_ios+0x30/0x3c) r9:00000004 r8:bf131000 r7:bf131048 r6:00000000 r5:bf0e9aa8 r4:bf0e9800 [<804618f4>] (sdhci_set_ios+0x0/0x3c) from [<8044c390>] (__mmc_set_clock+0x44/0x60) r5:03197500 r4:bf0e9800 [<8044c34c>] (__mmc_set_clock+0x0/0x60) from [<8044cd4c>] (mmc_set_clock+0x10/0x14) r5:00000000 r4:bf0e9800 [<8044cd3c>] (mmc_set_clock+0x0/0x14) from [<8044f8f4>] (mmc_init_card+0x1b4/0x1520) [<8044f740>] (mmc_init_card+0x0/0x1520) from [<80450f00>] (mmc_attach_mmc+0xb4/0x194) [<80450e4c>] (mmc_attach_mmc+0x0/0x194) from [<8044da08>] (mmc_rescan+0x294/0x2f0) r5:8065f358 r4:bf0e9af8 [<8044d774>] (mmc_rescan+0x0/0x2f0) from [<8003db94>] (process_one_work+0x1a4/0x468) r8:00000000 r7:bfa29eb0 r6:bf80dc00 r5:bf0e9af8 r4:bf9e3f00 r3:8044d774 [<8003d9f0>] (process_one_work+0x0/0x468) from [<8003e850>] (worker_thread+0x118/0x3e0) [<8003e738>] (worker_thread+0x0/0x3e0) from [<80044de0>] (kthread+0xd4/0xf0) [<80044d0c>] (kthread+0x0/0xf0) from [<8000e9c8>] (ret_from_fork+0x14/0x2c) r7:00000000 r6:00000000 r5:80044d0c r4:bf9e7f00 Fixes: 0ddf03c mmc: esdhc-imx: parse max-frequency from devicetree Signed-off-by: Dong Aisheng Acked-by: Shawn Guo Tested-by: Philippe De Muyter Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit ee02211febfb1dc0ee77e2b641d48910422ed872 Author: Aisheng Dong Date: Mon Dec 23 19:13:04 2013 +0800 mmc: sdhci: fix lockdep error in tuning routine commit 2b35bd83467df6f8284b9148d6f768148c3a5e5f upstream. The sdhci_execute_tuning routine gets lock separately by disable_irq(host->irq); spin_lock(&host->lock); It will cause the following lockdep error message since the &host->lock could also be got in irq context. Use spin_lock_irqsave/spin_unlock_restore instead to get rid of this error message. [ INFO: inconsistent lock state ] 3.13.0-rc1+ #287 Not tainted --------------------------------- inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. kworker/u2:1/33 [HC0[0]:SC0[0]:HE1:SE1] takes: (&(&host->lock)->rlock){?.-...}, at: [<8045f7f4>] sdhci_execute_tuning+0x4c/0x710 {IN-HARDIRQ-W} state was registered at: [<8005f030>] mark_lock+0x140/0x6ac [<80060760>] __lock_acquire+0xb30/0x1cbc [<800620d0>] lock_acquire+0x70/0x84 [<8061d1c8>] _raw_spin_lock+0x30/0x40 [<804605cc>] sdhci_irq+0x24/0xa68 [<8006b1d4>] handle_irq_event_percpu+0x54/0x18c [<8006b350>] handle_irq_event+0x44/0x64 [<8006e50c>] handle_fasteoi_irq+0xa0/0x170 [<8006a8f0>] generic_handle_irq+0x30/0x44 [<8000f238>] handle_IRQ+0x54/0xbc [<8000864c>] gic_handle_irq+0x30/0x64 [<80013024>] __irq_svc+0x44/0x5c [<80329bf4>] dev_vprintk_emit+0x50/0x58 [<80329c24>] dev_printk_emit+0x28/0x30 [<80329fec>] __dev_printk+0x4c/0x90 [<8032a180>] dev_err+0x3c/0x48 [<802dd4f0>] _regulator_get+0x158/0x1cc [<802dd5b4>] regulator_get_optional+0x18/0x1c [<80461df4>] sdhci_add_host+0x42c/0xbd8 [<80464820>] sdhci_esdhc_imx_probe+0x378/0x67c [<8032ee88>] platform_drv_probe+0x20/0x50 [<8032d48c>] driver_probe_device+0x118/0x234 [<8032d690>] __driver_attach+0x9c/0xa0 [<8032b89c>] bus_for_each_dev+0x68/0x9c [<8032cf44>] driver_attach+0x20/0x28 [<8032cbc8>] bus_add_driver+0x148/0x1f4 [<8032dce0>] driver_register+0x80/0x100 [<8032ee54>] __platform_driver_register+0x50/0x64 [<8084b094>] sdhci_esdhc_imx_driver_init+0x18/0x20 [<80008980>] do_one_initcall+0x108/0x16c [<8081cca4>] kernel_init_freeable+0x10c/0x1d0 [<80611b28>] kernel_init+0x10/0x120 [<8000e9c8>] ret_from_fork+0x14/0x2c irq event stamp: 805 hardirqs last enabled at (805): [<8061d43c>] _raw_spin_unlock_irqrestore+0x38/0x4c hardirqs last disabled at (804): [<8061d2c8>] _raw_spin_lock_irqsave+0x24/0x54 softirqs last enabled at (570): [<8002b824>] __do_softirq+0x1c4/0x290 softirqs last disabled at (561): [<8002bcf4>] irq_exit+0xb4/0x10c other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&(&host->lock)->rlock); lock(&(&host->lock)->rlock); *** DEADLOCK *** 2 locks held by kworker/u2:1/33: #0: (kmmcd){.+.+..}, at: [<8003db18>] process_one_work+0x128/0x468 #1: ((&(&host->detect)->work)){+.+...}, at: [<8003db18>] process_one_work+0x128/0x468 stack backtrace: CPU: 0 PID: 33 Comm: kworker/u2:1 Not tainted 3.13.0-rc1+ #287 Workqueue: kmmcd mmc_rescan Backtrace: [<80012160>] (dump_backtrace+0x0/0x10c) from [<80012438>] (show_stack+0x18/0x1c) r6:bfad0900 r5:00000000 r4:8088ecc8 r3:bfad0900 [<80012420>] (show_stack+0x0/0x1c) from [<806169ec>] (dump_stack+0x84/0x9c) [<80616968>] (dump_stack+0x0/0x9c) from [<806147b4>] (print_usage_bug+0x260/0x2d0) r5:8076ba88 r4:80977410 [<80614554>] (print_usage_bug+0x0/0x2d0) from [<8005f0d0>] (mark_lock+0x1e0/0x6ac) r9:8005e678 r8:00000000 r7:bfad0900 r6:00001015 r5:bfad0cd0 r4:00000002 [<8005eef0>] (mark_lock+0x0/0x6ac) from [<80060234>] (__lock_acquire+0x604/0x1cbc) [<8005fc30>] (__lock_acquire+0x0/0x1cbc) from [<800620d0>] (lock_acquire+0x70/0x84) [<80062060>] (lock_acquire+0x0/0x84) from [<8061d1c8>] (_raw_spin_lock+0x30/0x40) r7:00000000 r6:bfb63000 r5:00000000 r4:bfb60568 [<8061d198>] (_raw_spin_lock+0x0/0x40) from [<8045f7f4>] (sdhci_execute_tuning+0x4c/0x710) r4:bfb60000 [<8045f7a8>] (sdhci_execute_tuning+0x0/0x710) from [<80453454>] (mmc_sd_init_card+0x5f8/0x660) [<80452e5c>] (mmc_sd_init_card+0x0/0x660) from [<80453748>] (mmc_attach_sd+0xb4/0x180) r9:bf92d400 r8:8065f364 r7:00061a80 r6:bfb60000 r5:8065f358 r4:bfb60000 [<80453694>] (mmc_attach_sd+0x0/0x180) from [<8044d9f8>] (mmc_rescan+0x284/0x2f0) r5:8065f358 r4:bfb602f8 [<8044d774>] (mmc_rescan+0x0/0x2f0) from [<8003db94>] (process_one_work+0x1a4/0x468) r8:00000000 r7:bfb55eb0 r6:bf80dc00 r5:bfb602f8 r4:bfb35980 r3:8044d774 [<8003d9f0>] (process_one_work+0x0/0x468) from [<8003e850>] (worker_thread+0x118/0x3e0) [<8003e738>] (worker_thread+0x0/0x3e0) from [<80044de0>] (kthread+0xd4/0xf0) [<80044d0c>] (kthread+0x0/0xf0) from [<8000e9c8>] (ret_from_fork+0x14/0x2c) r7:00000000 r6:00000000 r5:80044d0c r4:bfb37b40 Signed-off-by: Dong Aisheng Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit 8a6551ad7cd0751319efbc75e0b5ad884cb06fdb Author: David Cohen Date: Tue Oct 29 10:58:27 2013 -0700 mmc: sdhci-pci: add broken HS200 quirk for Intel Merrifield commit 390145f9adcf2730fcee81c8a51fd7c6c08f705f upstream. Due to unknown hw issue so far, Merrifield is unable to enable HS200 support. This patch adds quirk to avoid SDHCI to initialize with error below: [ 53.850132] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.12.0-rc6-00037-g3d7c8d9-dirty #36 [ 53.850150] Hardware name: Intel Corporation Merrifield/SALT BAY, BIOS 397 2013.09.12:11.51.40 [ 53.850167] 00000000 00000000 ee409e48 c18816d2 00000000 ee409e78 c123e254 c1acc9b0 [ 53.850227] 00000000 00000000 c1b14148 000003de c16c03bf c16c03bf ee75b480 ed97c54c [ 53.850282] ee75b480 ee409e88 c123e292 00000009 00000000 ee409ef8 c16c03bf c1207fac [ 53.850339] Call Trace: [ 53.850376] [] dump_stack+0x4b/0x79 [ 53.850408] [] warn_slowpath_common+0x84/0xa0 [ 53.850436] [] ? sdhci_send_command+0xb4f/0xc50 [ 53.850462] [] ? sdhci_send_command+0xb4f/0xc50 [ 53.850490] [] warn_slowpath_null+0x22/0x30 [ 53.850516] [] sdhci_send_command+0xb4f/0xc50 [ 53.850545] [] ? native_sched_clock+0x2c/0xb0 [ 53.850575] [] ? delay_tsc+0x73/0xb0 [ 53.850601] [] ? __const_udelay+0x1e/0x20 [ 53.850626] [] ? sdhci_reset+0x93/0x190 [ 53.850654] [] sdhci_finish_data+0xf0/0x2e0 [ 53.850683] [] sdhci_irq+0x31f/0x930 [ 53.850713] [] ? __buffer_unlock_commit+0x10/0x20 [ 53.850740] [] ? trace_buffer_unlock_commit+0x37/0x50 [ 53.850773] [] handle_irq_event_percpu+0x5c/0x220 [ 53.850800] [] ? handle_fasteoi_irq+0x16/0xd0 [ 53.850827] [] handle_irq_event+0x3a/0x60 [ 53.850852] [] ? unmask_irq+0x30/0x30 [ 53.850878] [] handle_fasteoi_irq+0x4e/0xd0 [ 53.850895] [] ? do_IRQ+0x42/0xb0 [ 53.850943] [] ? common_interrupt+0x31/0x38 [ 53.850973] [] ? cgroup_mkdir+0x4e8/0x580 [ 53.851001] [] ? default_idle+0x22/0xf0 [ 53.851029] [] ? arch_cpu_idle+0x26/0x30 [ 53.851054] [] ? cpu_startup_entry+0x65/0x240 [ 53.851082] [] ? rest_init+0xb5/0xc0 [ 53.851108] [] ? __read_lock_failed+0x18/0x18 [ 53.851138] [] ? start_kernel+0x31b/0x321 [ 53.851164] [] ? repair_env_string+0x51/0x51 [ 53.851190] [] ? i386_start_kernel+0x139/0x13c [ 53.851209] ---[ end trace 92777f5fe48d33f2 ]--- [ 53.853449] mmcblk0: error -84 transferring data, sector 11142162, nr 304, cmd response 0x0, card status 0x0 [ 53.853476] mmcblk0: retrying using single block read [ 55.937863] sdhci: Timeout waiting for Buffer Read Ready interrupt during tuning procedure, falling back to fixed sampling clock [ 56.207951] sdhci: Timeout waiting for Buffer Read Ready interrupt during tuning procedure, falling back to fixed sampling clock [ 66.228785] mmc0: Timeout waiting for hardware interrupt. [ 66.230855] ------------[ cut here ]------------ Signed-off-by: David Cohen Reviewed-by: Chuanxiao Dong Acked-by: Dong Aisheng Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit a5891096c1e99013f0fab10eb353d855988392d1 Author: David Cohen Date: Tue Oct 29 10:58:26 2013 -0700 mmc: sdhci: add quirk for broken HS200 support commit 13868bf20f2f2c305f96e23620b024e167d6f9cb upstream. This patch defines a quirk for platforms unable to enable HS200 support. Signed-off-by: David Cohen Reviewed-by: Chuanxiao Dong Acked-by: Dong Aisheng Signed-off-by: Chris Ball Signed-off-by: Greg Kroah-Hartman commit c8579f3216b25a0c5adf473b2e1cbbb3f908fa4c Author: Duan Jiong Date: Tue Jan 28 11:49:43 2014 +0800 net: gre: use icmp_hdr() to get inner ip header [ Upstream commit c0c0c50ff7c3e331c90bab316d21f724fb9e1994 ] When dealing with icmp messages, the skb->data points the ip header that triggered the sending of the icmp message. In gre_cisco_err(), the parse_gre_header() is called, and the iptunnel_pull_header() is called to pull the skb at the end of the parse_gre_header(), so the skb->data doesn't point the inner ip header. Unfortunately, the ipgre_err still needs those ip addresses in inner ip header to look up tunnel by ip_tunnel_lookup(). So just use icmp_hdr() to get inner ip header instead of skb->data. Signed-off-by: Duan Jiong Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b84c36cb8ca10bdfc0ee8f3e1e74eaeb4010756c Author: Annie Li Date: Tue Jan 28 11:35:42 2014 +0800 xen-netfront: fix resource leak in netfront [ Upstream commit cefe0078eea52af17411eb1248946a94afb84ca5 ] This patch removes grant transfer releasing code from netfront, and uses gnttab_end_foreign_access to end grant access since gnttab_end_foreign_access_ref may fail when the grant entry is currently used for reading or writing. * clean up grant transfer code kept from old netfront(2.6.18) which grants pages for access/map and transfer. But grant transfer is deprecated in current netfront, so remove corresponding release code for transfer. * fix resource leak, release grant access (through gnttab_end_foreign_access) and skb for tx/rx path, use get_page to ensure page is released when grant access is completed successfully. Xen-blkfront/xen-tpmfront/xen-pcifront also have similar issue, but patches for them will be created separately. V6: Correct subject line and commit message. V5: Remove unecessary change in xennet_end_access. V4: Revert put_page in gnttab_end_foreign_access, and keep netfront change in single patch. V3: Changes as suggestion from David Vrabel, ensure pages are not freed untill grant acess is ended. V2: Improve patch comments. Signed-off-by: Annie Li Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0fdedfaac984ec03e8012362fdbd2f2aab77a4ac Author: Holger Eitzenberger Date: Mon Jan 27 10:33:18 2014 +0100 net: Fix memory leak if TPROXY used with TCP early demux [ Upstream commit a452ce345d63ddf92cd101e4196569f8718ad319 ] I see a memory leak when using a transparent HTTP proxy using TPROXY together with TCP early demux and Kernel v3.8.13.15 (Ubuntu stable): unreferenced object 0xffff88008cba4a40 (size 1696): comm "softirq", pid 0, jiffies 4294944115 (age 8907.520s) hex dump (first 32 bytes): 0a e0 20 6a 40 04 1b 37 92 be 32 e2 e8 b4 00 00 .. j@..7..2..... 02 00 07 01 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] kmem_cache_alloc+0xad/0xb9 [] sk_prot_alloc+0x29/0xc5 [] sk_clone_lock+0x14/0x283 [] inet_csk_clone_lock+0xf/0x7b [] netlink_broadcast+0x14/0x16 [] tcp_create_openreq_child+0x1b/0x4c3 [] tcp_v4_syn_recv_sock+0x38/0x25d [] tcp_check_req+0x25c/0x3d0 [] tcp_v4_do_rcv+0x287/0x40e [] ip_route_input_noref+0x843/0xa55 [] tcp_v4_rcv+0x4c9/0x725 [] ip_local_deliver_finish+0xe9/0x154 [] __netif_receive_skb+0x4b2/0x514 [] process_backlog+0xee/0x1c5 [] net_rx_action+0xa7/0x200 [] add_interrupt_randomness+0x39/0x157 But there are many more, resulting in the machine going OOM after some days. From looking at the TPROXY code, and with help from Florian, I see that the memory leak is introduced in tcp_v4_early_demux(): void tcp_v4_early_demux(struct sk_buff *skb) { /* ... */ iph = ip_hdr(skb); th = tcp_hdr(skb); if (th->doff < sizeof(struct tcphdr) / 4) return; sk = __inet_lookup_established(dev_net(skb->dev), &tcp_hashinfo, iph->saddr, th->source, iph->daddr, ntohs(th->dest), skb->skb_iif); if (sk) { skb->sk = sk; where the socket is assigned unconditionally to skb->sk, also bumping the refcnt on it. This is problematic, because in our case the skb has already a socket assigned in the TPROXY target. This then results in the leak I see. The very same issue seems to be with IPv6, but haven't tested. Reviewed-by: Florian Westphal Signed-off-by: Holger Eitzenberger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5c9dfac1cf67e2d4a9e6e72379ff205ae5f7ebe8 Author: Oliver Hartkopp Date: Thu Jan 23 10:19:34 2014 +0100 fib_frontend: fix possible NULL pointer dereference [ Upstream commit a0065f266a9b5d51575535a25c15ccbeed9a9966 ] The two commits 0115e8e30d (net: remove delay at device dismantle) and 748e2d9396a (net: reinstate rtnl in call_netdevice_notifiers()) silently removed a NULL pointer check for in_dev since Linux 3.7. This patch re-introduces this check as it causes crashing the kernel when setting small mtu values on non-ip capable netdevices. Signed-off-by: Oliver Hartkopp Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 93199ca47ddf8047144d5569f19564fdbaf7ec40 Author: Or Gerlitz Date: Thu Jan 23 11:28:13 2014 +0200 net/vxlan: Share RX skb de-marking and checksum checks with ovs [ Upstream commit d0bc65557ad09a57b4db176e9e3ccddb26971453 ] Make sure the practice set by commit 0afb166 "vxlan: Add capability of Rx checksum offload for inner packet" is applied when the skb goes through the portion of the RX code which is shared between vxlan netdevices and ovs vxlan port instances. Cc: Joseph Gasparakis Cc: Pravin B Shelar Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f2e02efa3b861bbd2a50931b29c799fe4a377ab2 Author: Duan Jiong Date: Thu Jan 23 14:00:25 2014 +0800 ip_tunnel: clear IPCB in ip_tunnel_xmit() in case dst_link_failure() is called [ Upstream commit 11c21a307d79ea5f6b6fc0d3dfdeda271e5e65f6 ] commit a622260254ee48("ip_tunnel: fix kernel panic with icmp_dest_unreach") clear IPCB in ip_tunnel_xmit() , or else skb->cb[] may contain garbage from GSO segmentation layer. But commit 0e6fbc5b6c621("ip_tunnels: extend iptunnel_xmit()") refactor codes, and it clear IPCB behind the dst_link_failure(). So clear IPCB in ip_tunnel_xmit() just like commti a622260254ee48("ip_tunnel: fix kernel panic with icmp_dest_unreach"). Signed-off-by: Duan Jiong Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 78405c1b5ec581abff61d72a0e56590737824207 Author: Anton Blanchard Date: Mon Dec 9 16:03:10 2013 +1100 drivers/tty: ehv_bytechan fails to build as a module commit a183d3ae63c08186477d2b0ef2798d47d10add4b upstream. ehv_bytechan is marked tristate but fails to build as a module: drivers/tty/ehv_bytechan.c:363:1: error: type defaults to ‘int’ in declaration of ‘console_initcall’ [-Werror=implicit-int] It doesn't make much sense for a console driver to be built as a module, so change it to a bool. Signed-off-by: Anton Blanchard Acked-by: Greg Kroah-Hartman Signed-off-by: Scott Wood Cc: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit f52c045e05025727da918570fb9ac29f3239caaf Author: Shane Huang Date: Wed Jan 22 14:05:46 2014 -0800 i2c: piix4: Add support for AMD ML and CZ SMBus changes commit 032f708bc4f6da868ec49dac48ddf3670d8035d3 upstream. The locations of SMBus register base address and enablement bit are changed from AMD ML, which need this patch to be supported. Signed-off-by: Shane Huang Reviewed-by: Jean Delvare Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit c1d9c71fc913e93307ddae3ff140684e3dae9deb Author: Gregory CLEMENT Date: Tue Dec 31 17:07:35 2013 +0100 i2c: mv64xxx: Document the newly introduced Armada XP A0 compatible commit f8b94beb7e6a374cb0de531b72377c49857b35ca upstream. The first variants of Armada XP SoCs (A0 stepping) have issues related to the i2c controller which prevent to use the offload mechanism and lead to a kernel hang during boot. The commit introduces a new the compatible string marvell,mv78230-a0-i2c for the i2c controller. Signed-off-by: Gregory CLEMENT Acked-by: Arnd Bergmann cc: devicetree@vger.kernel.org Fixes: 930ab3d403ae (i2c: mv64xxx: Add I2C Transaction Generator support) Signed-off-by: Jason Cooper Signed-off-by: Greg Kroah-Hartman commit e70322ad000f6b1c9cc81c345542241d34e283c8 Author: Gregory CLEMENT Date: Tue Dec 31 16:59:33 2013 +0100 i2c: mv64xxx: Fix bus hang on A0 version of the Armada XP SoCs commit 6cf70ae928bae17077efc0d528dec49bc380438b upstream. The first variants of Armada XP SoCs (A0 stepping) have issues related to the i2c controller which prevent to use the offload mechanism and lead to a kernel hang during boot. The commit introduces a new the compatible string marvell,mv78230-a0-i2c for the i2c controller. When this compatible string is used the driver disables the offload mechanism and the kernel no more hangs on these SoCs. Signed-off-by: Gregory CLEMENT Reported-by: Andrew Lunn Acked-by: Wolfram Sang Acked-by: Arnd Bergmann Fixes: 930ab3d403ae (i2c: mv64xxx: Add I2C Transaction Generator support) Signed-off-by: Jason Cooper Signed-off-by: Greg Kroah-Hartman commit 5f800a1159c1fc8d3f7c4b4891117e7fe738a8d2 Author: Gregory CLEMENT Date: Tue Jan 7 16:26:01 2014 +0100 ARM: mvebu: Add quirk for i2c for the OpenBlocks AX3-4 board commit 85e618a1be2b2092318178d1d66bdad49cbbeeeb upstream. The first variants of Armada XP SoCs (A0 stepping) have issues related to the i2c controller which prevent to use the offload mechanism and lead to a kernel hang during boot. This commit add quirk in the mvebu platform code to check the SoC version and then update the compatible string for the i2c controller according to the revision of the SoC. Currently only some OpenBlocks AX3-4 boards are known to use an A0 revision so the check is done only for these boards. Signed-off-by: Gregory CLEMENT Fixes: 930ab3d403ae (i2c: mv64xxx: Add I2C Transaction Generator support) Acked-by: Arnd Bergmann Signed-off-by: Jason Cooper Signed-off-by: Greg Kroah-Hartman commit 1aed03315395bc36aaafbc50e36841520c41abee Author: Gregory CLEMENT Date: Thu Jan 2 15:08:59 2014 +0100 ARM: mvebu: Add support to get the ID and the revision of a SoC commit af8d1c63afcbf36eea06789c92e22d4af118d2fb upstream. All the mvebu SoCs have information related to their variant and revision that can be read from the PCI control register. This patch adds support for Armada XP and Armada 370. This reading of the revision and the ID are done before the PCI initialization to avoid any conflicts. Once these data are retrieved, the resources are freed to let the PCI subsystem use it. Fixes: 930ab3d403ae (i2c: mv64xxx: Add I2C Transaction Generator support) Signed-off-by: Gregory CLEMENT Acked-by: Arnd Bergmann Signed-off-by: Jason Cooper Signed-off-by: Greg Kroah-Hartman commit 33e02be955a04b0b1f137db77a94761986892825 Author: Takashi Iwai Date: Mon Jan 13 12:32:44 2014 +0100 hp_accel: Add a new PnP ID HPQ6007 for new HP laptops commit b0ad4ff35d479a46a3b995a299db9aeb097acfce upstream. The DriveGuard chips on the new HP laptops are with a new PnP ID "HPQ6007". It should be compatible with older chips. Acked-by: Éric Piel Signed-off-by: Takashi Iwai Signed-off-by: Matthew Garrett Signed-off-by: Greg Kroah-Hartman commit a76055cd067d7d6aee361b60b3fa5338c0a6f017 Author: Minchan Kim Date: Thu Jan 30 15:45:58 2014 -0800 zram: fix race between reset and flushing pending work commit da4a04126baa3be03bc566d4a2ee0944c5e783d0 upstream. Dan and Sergey reported that there is a racy between reset and flushing of pending work so that it could make oops by freeing zram->meta in reset while zram_slot_free can access zram->meta if new request is adding during the race window. This patch moves flush after taking init_lock so it prevents new request so that it closes the race. Signed-off-by: Minchan Kim Reported-by: Dan Carpenter Cc: Nitin Gupta Cc: Jerome Marchand Tested-by: Sergey Senozhatsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9047ec62665cb8931840214b038cc1d22c4ed2e4 Author: Kent Overstreet Date: Tue Dec 17 17:51:02 2013 -0800 bcache: Data corruption fix commit ef71ec00002d92a08eb27e9d036e3d48835b6597 upstream. The code that handles overlapping extents that we've just read back in from disk was depending on the behaviour of the code that handles overlapping extents as we're inserting into a btree node in the case of an insert that forced an existing extent to be split: on insert, if we had to split we'd also insert a new extent to represent the top part of the old extent - and then that new extent would get written out. The code that read the extents back in thus not bother with splitting extents - if it saw an extent that ovelapped in the middle of an older extent, it would trim the old extent to only represent the bottom part, assuming that the original insert would've inserted a new extent to represent the top part. I still haven't figured out _how_ it can happen, but I'm now pretty convinced (and testing has confirmed) that there's some kind of an obscure corner case (probably involving extent merging, and multiple overwrites in different sets) that breaks this. The fix is to change the mergesort fixup code to split extents itself when required. Signed-off-by: Kent Overstreet Signed-off-by: Greg Kroah-Hartman commit 860abe4c33f491aa5c79acc916d01af978e64aec Author: Eric W. Biederman Date: Mon Jan 20 15:26:15 2014 -0800 vfs: Is mounted should be testing mnt_ns for NULL or error. commit 260a459d2e39761fbd39803497205ce1690bc7b1 upstream. A bug was introduced with the is_mounted helper function in commit f7a99c5b7c8bd3d3f533c8b38274e33f3da9096e Author: Al Viro Date: Sat Jun 9 00:59:08 2012 -0400 get rid of ->mnt_longterm it's enough to set ->mnt_ns of internal vfsmounts to something distinct from all struct mnt_namespace out there; then we can just use the check for ->mnt_ns != NULL in the fast path of mntput_no_expire() Signed-off-by: Al Viro The intent was to test if the real_mount(vfsmount)->mnt_ns was NULL_OR_ERR but the code is actually testing real_mount(vfsmount) and always returning true. The result is d_absolute_path returning paths it should be hiding. Signed-off-by: "Eric W. Biederman" Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 9650c1d10aff25a58575a9304d27a6908ad88b1f Author: Eric W. Biederman Date: Mon Jan 20 15:43:25 2014 -0800 vfs: Remove second variable named error in __dentry_path commit a8323da0366d3398eda62741d2ac1130c8a172ed upstream. In commit 232d2d60aa5469bb097f55728f65146bd49c1d25 Author: Waiman Long Date: Mon Sep 9 12:18:13 2013 -0400 dcache: Translating dentry into pathname without taking rename_lock The __dentry_path locking was changed and the variable error was intended to be moved outside of the loop. Unfortunately the inner declaration of error was not removed. Resulting in a version of __dentry_path that will never return an error. Remove the problematic inner declaration of error and allow __dentry_path to return errors once again. Cc: Waiman Long Signed-off-by: "Eric W. Biederman" Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 4cd96b4772c6c98b4bc0043fb7f2d284220223fa Author: Theodore Ts'o Date: Tue Jan 7 12:58:19 2014 -0500 ext4: avoid clearing beyond i_blocks when truncating an inline data file commit 09c455aaa8f47a94d5bafaa23d58365768210507 upstream. A missing cast means that when we are truncating a file which is less than 60 bytes, we don't clear the correct area of memory, and in fact we can end up truncating the next inode in the inode table, or worse yet, some other kernel data structure. Addresses-Coverity-Id: #751987 Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 6b78ac03be5b667fb0c59360d317fcda40379d6e Author: Tejun Heo Date: Thu Jan 16 09:47:17 2014 -0500 libata: disable LPM for some WD SATA-I devices commit ecd75ad514d73efc1bbcc5f10a13566c3ace5f53 upstream. For some reason, some early WD drives spin up and down drives erratically when the link is put into slumber mode which can reduce the life expectancy of the device significantly. Unfortunately, we don't have full list of devices and given the nature of the issue it'd be better to err on the side of false positives than the other way around. Let's disable LPM on all WD devices which match one of the known problematic model prefixes and are SATA-I. As horkage list doesn't support matching SATA capabilities, this is implemented as two horkages - WD_BROKEN_LPM and NOLPM. The former is set for the known prefixes and sets the latter if the matched device is SATA-I. Note that this isn't optimal as this disables all LPM operations and partial link power state reportedly works fine on these; however, the way LPM is implemented in libata makes it difficult to precisely map libata LPM setting to specific link power state. Well, these devices are already fairly outdated. Let's just disable whole LPM for now. Signed-off-by: Tejun Heo Reported-and-tested-by: Nikos Barkas Reported-and-tested-by: Ioannis Barkas References: https://bugzilla.kernel.org/show_bug.cgi?id=57211 Signed-off-by: Greg Kroah-Hartman commit 1b45143a96ffc481ea8b9bf56d2a6f8b56667cac Author: Simon Guinot Date: Tue Jan 14 20:10:27 2014 +0100 ARM: mvebu: update the SATA compatible string for Armada 370/XP commit a96cc303e42ad7830dde929aad0046e448a05505 upstream. This patch updates the Armada 370/XP SATA node with the new compatible string "marvell,armada-370-sata". Signed-off-by: Simon Guinot Cc: Thomas Petazzoni Cc: Jason Cooper Cc: Andrew Lunn Cc: Gregory Clement Cc: Sebastian Hesselbarth Cc: Lior Amsalem Acked-by: Jason Cooper Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit c4f351e601ead476efbc959084bd879418847bf9 Author: Lior Amsalem Date: Tue Jan 14 20:09:57 2014 +0100 ata: sata_mv: fix disk hotplug for Armada 370/XP SoCs commit 9013d64e661fc2a37a1742670202171c27fef4b5 upstream. On Armada 370/XP SoCs, once a disk is removed from a SATA port, then the re-plug events are not detected by the sata_mv driver. This patch fixes the issue by updating the PHY speed in the LP_PHY_CTL register (0x58) according to the SControl speed. Note that this fix is only applied if the compatible string "marvell,armada-370-sata" is found in the SATA DT node. Fixes: 9ae6f740b49f ("arm: mach-mvebu: add support for Armada 370 and Armada XP with DT") Signed-off-by: Lior Amsalem Signed-off-by: Nadav Haklai Signed-off-by: Simon Guinot Cc: Thomas Petazzoni Cc: Jason Cooper Cc: Andrew Lunn Cc: Gregory Clement Cc: Sebastian Hesselbarth Acked-by: Jason Cooper Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 191f444122ec2afe41ae78119805dd1af915e4ce Author: Simon Guinot Date: Tue Jan 14 20:04:39 2014 +0100 ata: sata_mv: introduce compatible string "marvell, armada-370-sata" commit b1f5c73bd5a4752efb7d7af019034044b08aafe9 upstream. The sata_mv driver supports the SATA IP found in several Marvell SoCs. As some new SATA registers have been introduced with the Armada 370/XP SoCs, a way to identify them is needed. This patch introduces a new compatible string for the SATA IP found in Armada 370/XP SoCs. Signed-off-by: Simon Guinot Cc: Thomas Petazzoni Cc: Jason Cooper Cc: Andrew Lunn Cc: Gregory Clement Cc: Sebastian Hesselbarth Cc: Lior Amsalem Acked-by: Jason Cooper Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit f5ceff3d8c64d07e716e3f97734037e448327a72 Author: Roberto Sassu Date: Fri Nov 8 19:21:35 2013 +0100 ima: change the default hash algorithm to SHA1 in ima_eventdigest_ng_init() commit c502c78ba7fb5b9cef71e2bd70f12c38ef26e5ab upstream. Replace HASH_ALGO__LAST with HASH_ALGO_SHA1 as the initial value of the hash algorithm so that the prefix 'sha1:' is added to violation digests. Fix commit: 4d7aeee ima: define new template ima-ng and template fields d-ng and n-ng Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman commit b6bb44f306acf3555fc1f89ec8f708e7109c6d17 Author: Peter Huewe Date: Wed Oct 30 20:46:55 2013 +0100 tpm/tpm_ppi: Do not compare strcmp(a,b) == -1 commit 747d35bd9bb4ae6bd74b19baa5bbe32f3e0cee11 upstream. Depending on the implementation strcmp might return the difference between two strings not only -1,0,1 consequently if (strcmp (a,b) == -1) might lead to taking the wrong branch -> compare with < 0 instead, which in any case is more canonical. Signed-off-by: Peter Huewe Signed-off-by: Greg Kroah-Hartman commit 5ef2e9bc3c840ab1b3c7ac404e6c5e1795f6cb2d Author: Peter Huewe Date: Wed Oct 30 00:54:20 2013 +0100 tpm/tpm_i2c_stm_st33: Check return code of get_burstcount commit 85c5e0d451125c6ddb78663972e40af810b83644 upstream. The 'get_burstcount' function can in some circumstances 'return -EBUSY' which in tpm_stm_i2c_send is stored in an 'u32 burstcnt' thus converting the signed value into an unsigned value, resulting in 'burstcnt' being huge. Changing the type to u32 only does not solve the problem as the signed value is converted to an unsigned in I2C_WRITE_DATA, resulting in the same effect. Thus -> Change type of burstcnt to u32 (the return type of get_burstcount) -> Add a check for the return value of 'get_burstcount' and propagate a potential error. This makes also sense in the 'I2C_READ_DATA' case, where the there is no signed/unsigned conversion. found by coverity Signed-off-by: Peter Huewe Signed-off-by: Greg Kroah-Hartman commit a0372de295fb1d46179694b85da1192071470820 Author: Stephen Warren Date: Thu Jan 30 11:52:16 2014 -0700 ALSA: hda/hdmi - allow PIN_OUT to be dynamically enabled commit 75fae117a5dbde5ab984fa5c60705758cfbc6433 upstream. Commit 384a48d71520 "ALSA: hda: HDMI: Support codecs with fewer cvts than pins" dynamically enabled each pin widget's PIN_OUT only when the pin was actively in use. This was required on certain NVIDIA CODECs for correct operation. Specifically, if multiple pin widgets each had their mux input select the same audio converter widget and each pin widget had PIN_OUT enabled, then only one of the pin widgets would actually receive the audio, and often not the one the user wanted! However, this apparently broke some Intel systems, and commit 6169b673618b "ALSA: hda - Always turn on pins for HDMI/DP" reverted the dynamic setting of PIN_OUT. This in turn broke the afore-mentioned NVIDIA CODECs. This change supports either dynamic or static handling of PIN_OUT, selected by a flag set up during CODEC initialization. This flag is enabled for all recent NVIDIA GPUs. Reported-by: Uosis Signed-off-by: Stephen Warren Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 30cb840c2939f29eb3149c7934903ecf9f191401 Author: Hui Wang Date: Thu Jan 30 10:55:51 2014 +0800 ALSA: hda - add headset mic detect quirks for another Dell laptop commit 5e87d5807110afd6bd659e1b98929fab43f3732f upstream. When we plug a 3-ring headset on the Dell machine (Vendor ID: 0x10ec0255, Subsystem ID: 0x1028064d), the headset mic can't be detected, after apply this patch, the headset mic can work well. BugLink: https://bugs.launchpad.net/bugs/1260303 Cc: David Henningsson Tested-by: Doro Wu Signed-off-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit fbd50fc43507d112a07b9a93297ce2a7d5a6fa2b Author: Adrien Vergé Date: Fri Jan 24 14:56:14 2014 -0500 ALSA: hda - Fix silent output on MacBook Air 1,1 commit e7729a415315fcd9516912050d85d5aaebcededc upstream. Similarly to other Apple products, MBA 1,1 needs a specific quirk. Pin 0x18 must be set to VREF_50 to have sound output. This was no longer done since commit 1a97b7f, resulting in a mute built-in speaker. This patch corrects the regression by creating a fixup for the MBA 1,1. Fixes: 1a97b7f22774 ("ALSA: hda/realtek - Remove the last static quirks for ALC882") Tested-by: Adrien Vergé Signed-off-by: Adrien Vergé Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ae4aaae623c4b4991aaeee803439da2710a602ed Author: Dan Carpenter Date: Thu Jan 23 11:21:28 2014 +0300 ALSA: bits vs bytes bug in snd_card_create() commit 4c3773eda49c872a3034382f8ec3080002e715bf upstream. The test here is intended intended to prevent shift wrapping bugs when we do "1U << idx2". We should consider the number of bits in a u32 instead of the number of bytes. [fix another chunk similarly by tiwai] Fixes: 7bb2491b35a2 ('ALSA: Add kconfig to specify the max card numbers') Signed-off-by: Dan Carpenter Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit d4c3c4f241f54209124f28b88d0bad8e76b165f6 Author: Hui Wang Date: Thu Jan 16 15:51:10 2014 +0800 ALSA: hda - add headset mic detect quirks for some Dell machines commit c48ae0ab3790efba2dfb1a4709c0ef8da024de1a upstream. When we plug a 3-ring headset on some Dell machines, the headset mic can't be detected, after apply this patch, the headset mic can work well on all those machines. On the machine with the Subsytem ID 0x10280610, if we use ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, the headset mic can be detected and work well, but the sound can't be outputed via headphone anymore, use ALC269_FIXUP_DELL3_MIC_NO_PRESENCE can fix this problem. BugLink: https://bugs.launchpad.net/bugs/1260303 Cc: David Henningsson Tested-by: David Chen Tested-by: Cyrus Lien Tested-by: Shawn Wang Tested-by: Chih-Hsyuan Ho Signed-off-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 7d947f8cfb5c4e18c6772721b324cc97d4affa46 Author: Hui Wang Date: Tue Jan 14 14:07:36 2014 +0800 ALSA: hda - automute via amp instead of pinctl on some AIO models commit 493a52a9b6645f61954580c7d4bd52fa62110934 upstream. On some AIO (All In One) models with the codec alc668 (Vendor ID: 0x10ec0668) on it, when we plug a headphone into the jack, the system will switch the output to headphone and set the speaker to automute as well as change the speaker Pin-ctls from 0x40 to 0x00, this will bring loud noise to the headphone. I tried to disable the corresponding EAPD, but it did not help to eliminate the noise. According to Takashi's suggestion, we use amp operation to replace the pinctl modification for the automute, this really eliminate the noise. BugLink: https://bugs.launchpad.net/bugs/1268468 Cc: David Henningsson Signed-off-by: Hui Wang Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 25cb36334e92312684f5cc18bfcf1eb96eb00485 Author: Takashi Iwai Date: Fri Jan 10 14:20:42 2014 +0100 ALSA: Enable CONFIG_ZONE_DMA for smaller PCI DMA masks commit 80ab8eae70e51d578ebbeb228e0f7a562471b8b7 upstream. The PCI devices with DMA masks smaller than 32bit should enable CONFIG_ZONE_DMA. Since the recent change of page allocator, page allocations via dma_alloc_coherent() with the limited DMA mask bits may fail more frequently, ended up with no available buffers, when CONFIG_ZONE_DMA isn't enabled. With CONFIG_ZONE_DMA, the system has much more chance to obtain such pages. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=68221 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 91fda6476631db837d40655e0aa3cc80de3180a5 Author: Takashi Iwai Date: Tue Jan 7 18:11:44 2014 +0100 ALSA: hda - Don't create duplicated ctls for loopback paths commit 43a8e50a46a4e1dd1451e4a4ffa1f7695fb7d287 upstream. AD1986A mic pins (0x1d and 0x1f) share the same widget for controlling the loopback volume/mute, but the generic parser didn't check it. This ended up with the duplicated controls for the same effect. This patch adds the check of the duplication for avoiding it. After this fix, there will be only one control although it affects both paths; this remaining issue should be fixed later in a different patch. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=66621 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 200a5a04b92a0e226ee2731c834883a0388f3689 Author: Takashi Iwai Date: Tue Jan 7 17:48:11 2014 +0100 ALSA: hda - Correct AD1986A 3stack pin configs commit ed0e0d0617a8dc3d8b82c6e54827f269f2247b07 upstream. The 3stack pin configs for AD1986A codec had incorrect values that resulted in broken mic and line-in. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=66621 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 22352b204088c6de570bedf318adafb164d9ea59 Author: Takashi Iwai Date: Fri Dec 27 00:13:08 2013 +0200 ALSA: rme9652: fix a missing comma in channel_map_9636_ds[] commit 770bd4bf2e664939a9dacd3d26ec9ff7a3933210 upstream. The lack of comma leads to the wrong channel for an SPDIF channel. Unfortunately this wasn't caught by compiler because it's still a valid expression. Reported-by: Alexander Aristov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1b81516f6a730272ac117077a9b4072b9f6a9258 Author: Charles Keepax Date: Tue Jan 21 16:27:51 2014 +0000 ASoC: wm5110: Extend SYSCLK patch file for rev D commit 34354792432b6e0a3b156819a1a19716c50d3473 upstream. Latest evaluation of the the device has given some patch file additions for improved performance. Signed-off-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit f76d48bbe631eb18132bf0c50a79a5dce64c2b3b Author: Markus Pargmann Date: Wed Jan 15 18:12:40 2014 +0100 ASoC: tlv320aic32x4: Fix regmap range_min commit e8e08c521dc101cf7e7e1caf4f487f9fe11a9a7a upstream. range_min is the lowest address in the virtual register range. This is the first register with address 0, not the first register of page 1. Currently all writes to page 1 are mapped to page 0, so the codec fails to operate. Fixes: 4d208ca429ad (ASoC: tlv320aic32x4: Convert to direct regmap API usage) Signed-off-by: Markus Pargmann Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 5609fd11c56addf3b3ce48b4e0f599282cdf0b62 Author: Markus Pargmann Date: Sat Jan 11 14:48:30 2014 +0100 ASoC: codec: tlv320aic32x4: Fix regmap range config commit 6d0d5103bdc45242b8d02e4130fbe5a3ea9f668a upstream. This codec driver fails to probe because it has a higher regmap range_max value than max_register. This patch sets the range_max to the max_register value as described in the for struct regmap_range_cfg: "@range_max: Address of the highest register in virtual range." Fixes: 4d208ca429ad (ASoC: tlv320aic32x4: Convert to direct regmap API usage) Signed-off-by: Markus Pargmann Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 81c828ddd476183a7c6fa23f0a52b31eb099e538 Author: Lars-Peter Clausen Date: Wed Jan 8 11:22:25 2014 +0100 ASoC: adau1701: Fix ADAU1701_SEROCTL_WORD_LEN_16 constant commit e20970ada3f699c113fe64b04492af083d11a7d8 upstream. The driver defines ADAU1701_SEROCTL_WORD_LEN_16 as 0x10 while it should be b10, so 0x2. This patch fixes it. Reported-by: Magnus Reftel Signed-off-by: Lars-Peter Clausen Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit eef2dc201d71a3dd199b6d00f00965803a4c730c Author: Krzysztof Kozlowski Date: Fri Dec 20 10:35:07 2013 +0100 mfd: max77686: Fix regmap resource leak on driver remove commit 74142ffc0b52cfe6f9d2f6f34a5f3eedbfe3ce51 upstream. The regmap used by max77686 MFD driver was not freed with regmap_exit() on driver exit. This lead to leak of resources. Replace regmap_init_i2c() call in driver probe with initialization of managed register map so the regmap will be properly freed by the device management code. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman commit c73c940dd8716c88e72248f0b286f1ea1a59a81a Author: Dongsheng Yang Date: Fri Dec 20 13:41:47 2013 -0500 perf kvm: Fix kvm report without guestmount. commit ad85ace07a05062ef6b59c35a5e80b6eaee1eee6 upstream. Currently, if we use perf kvm --guestkallsyms --guestmodules report, we can not get the perf information from perf data file. All sample are shown as unknown. Reproducing steps: # perf kvm --guestkallsyms /tmp/kallsyms --guestmodules /tmp/modules record -a sleep 1 [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.624 MB perf.data.guest (~27260 samples) ] # perf kvm --guestkallsyms /tmp/kallsyms --guestmodules /tmp/modules report |grep % 100.00% [guest/6471] [unknown] [g] 0xffffffff8164f330 This bug was introduced by 207b57926 (perf kvm: Fix regression with guest machine creation). In original code, it uses perf_session__find_machine(), it means we deliver symbol to machine which has the same pid, if no machine found, deliver it to *default* guest. But if we use perf_session__findnew_machine() here, if no machine was found, new machine with pid will be built and added. Then the default guest which with pid == 0 will never get a symbol. And because the new machine initialized here has no kernel map created, the symbol delivered to it will be marked as "unknown". This patch here is to revert commit 207b57926 and fix the SEGFAULT bug in another way. Verification steps: # ./perf kvm --guestkallsyms /home/kallsyms --guestmodules /home/modules record -a sleep 1 [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.651 MB perf.data.guest (~28437 samples) ] # ./perf kvm --guestkallsyms /home/kallsyms --guestmodules /home/modules report |grep % 22.64% :6471 [guest.kernel.kallsyms] [g] update_rq_clock.part.70 19.99% :6471 [guest.kernel.kallsyms] [g] d_free 18.46% :6471 [guest.kernel.kallsyms] [g] bio_phys_segments 16.25% :6471 [guest.kernel.kallsyms] [g] dequeue_task 12.78% :6471 [guest.kernel.kallsyms] [g] __switch_to 7.91% :6471 [guest.kernel.kallsyms] [g] scheduler_tick 1.75% :6471 [guest.kernel.kallsyms] [g] native_apic_mem_write 0.21% :6471 [guest.kernel.kallsyms] [g] apic_timer_interrupt Signed-off-by: Dongsheng Yang Acked-by: David Ahern Cc: David Ahern Link: http://lkml.kernel.org/r/1387564907-3045-1-git-send-email-yangds.fnst@cn.fujitsu.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 248f75a42a6ad1f3c29b05d1ce2487b3eba4fd9c Author: Chen-Yu Tsai Date: Thu Jan 16 14:34:23 2014 +0800 pinctrl: sunxi: Honor GPIO output initial vaules commit fa8cf57c923e86a693a85aff1df579245a27cbb3 upstream. Some GPIO users, such as fixed-regulator, request GPIO output with initial value of 1. This was ignored by sunxi driver. Signed-off-by: Chen-Yu Tsai Acked-by: Maxime Ripard Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 2c457ffeb38442be473836d64d414cba2143a694 Author: Dasaratharaman Chandramouli Date: Tue Dec 10 09:51:12 2013 -0800 misc: mic: bug fix for interrupt acknowledgement in MSI/INTx case. commit df5e4e8b576108f88f79e5b4c984d51d460d2360 upstream. The interrupt handler (mic_interrupt), called in the MSI/INTx mode, writes to the interrupt sources register to acknowledge the interrupt and then calls the corresponding callback handlers to handle the same. These callback handlers acknowledge the interrupts again leading to missed interrupts. This patch fixes the issue by removing the interrupt acknowlegment code from the callback handlers. Reviewed-by: Sudeep Dutt Reviewed-by: Nikhil Rao Reviewed-by: Siva Krishna Kumar Reddy Yerramreddy Signed-off-by: Dasaratharaman Chandramouli Signed-off-by: Greg Kroah-Hartman commit 96ce677076dbac9b1a7f44a91e204762e1355b57 Author: Stephen Warren Date: Thu Jan 23 15:55:19 2014 -0800 rtc: max8907: weekday encoding fixes commit 75ea799df4cb07e505c91b4abaa87bc28aad3e66 upstream. The current MAX8907 driver has two issues related to weekday value handling: 1) The HW WEEKDAY register has range 0..6 rather than 1..7 as documented. Note that I validated the actual HW range by observing the HW register roll from 6->0 rather than 6->7->1 as would otherwise be expected. This matches Linux's tm_wday range of 0..6. When the CMOS RAM content is lost, the date returned from the device is 2007-01-01 00:00:00, which is a Monday. The WEEKDAY register reads 1 in this case. This matches the numbering in Linux's tm_wday field. Hence we should write Linux's tm_wday value to the register without modifying it. Hence, remove the +1/-1 calculations for WEEKDAY/tm_wday. 2) There's no need to make alarms match on the WEEKDAY register, since the other fields together uniquely define the alarm date/time. Ignoring the WEEKDAY value in the match isolates the driver from any incorrect value in the current time copy of the WEEKDAY register. Each change individually, or both together, solves an issue that I observed; "hwclock -r" would time out waiting for its alarm to fire if the CMOS RAM content had been lost, and hence the WEEKDAY register value mismatched what the driver expected it to be. "hwclock -w" would solve this by over-writing the HW default WEEKDAY register value with what the driver expected. Signed-off-by: Stephen Warren Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8174cd42809e060cc379eddff255c1ea53078073 Author: Sebastian Andrzej Siewior Date: Wed Nov 27 17:43:43 2013 +0100 parport: parport_pc: remove double PCI ID for NetMos commit d6a484520c5572a4170fa915109ccfc0c38f5008 upstream. In commit 85747f ("PATCH] parport: add NetMOS 9805 support") Max added the PCI ID for NetMOS 9805 based on a Debian bug report from 2k4 which was at the v2.4.26 time frame. The patch made into 2.6.14. Shortly before that patch akpm merged commit 296d3c783b ("[PATCH] Support NetMOS based PCI cards providing serial and parallel ports") which made into v2.6.9-rc1. Now we have two different entries for the same PCI id. I have here the NetMos 9805 which claims to support SPP/EPP/ECP mode. This patch takes Max's entry for titan_1284p1 (base != -1 specifies the ioport for ECP mode) and replaces akpm's entry for netmos_9805 which specified -1 (=none). Both share the same PCI-ID (my card has subsystem 0x1000 / 0x0020 so it should match PCI_ANY). While here I also drop the entry for titan_1284p2 which is the same as netmos_9815. Cc: Maximilian Attems Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 1e7586f6dd7b7c9b8dba467bef9ef344fa54f2c7 Author: Heiko Carstens Date: Tue Jan 21 17:31:10 2014 +0100 s390/uapi: fix struct statfs64 definition commit 4e078146dff728f4865270a47710d57797e81eb6 upstream. With b8668fd0a7e1b59f "s390/uapi: change struct statfs[64] member types to unsigned values" the size of a couple of struct statfs64 member got incorrectly changed from 64 to 32 bit for 32 bit builds. Fix this by changing the type of couple of struct statfs64 members from unsigned long to unsigned long long. The definition of struct compat_statfs64 was correct however. Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit a94656765648f13577cb520761c957998506e409 Author: Dominik Dingel Date: Mon Dec 9 18:30:01 2013 +0100 KVM: s390: ioeventfd: ignore leftmost bits commit ff1f3cb4b3ac5d039f02679f34cb1498d110d241 upstream. The diagnose 500 subcode 3 contains the 32 bit subchannel id in bits 32-63 (counting from the left). As for other I/O instructions, bits 0-31 should be ignored and thus not be passed to kvm_io_bus_write_cookie(). This fixes a bug where the guest passed non-zero bits 0-31 which the host tried to interpret, leading to ioeventfd notification failures. Signed-off-by: Dominik Dingel Reviewed-by: Cornelia Huck Signed-off-by: Cornelia Huck Signed-off-by: Greg Kroah-Hartman commit aeb4c5fcb16509724e8975b7c902d2fc946d62cb Author: Heiko Carstens Date: Mon Nov 11 13:56:47 2013 +0100 KVM: s390: fix diagnose code extraction commit 743db27c526e0f31cc507959d662e97e2048a86f upstream. The diagnose code to be used is the contents of the base register (if not zero), plus the displacement. The current code ignores the base register contents. So let's fix that... Reviewed-by: Cornelia Huck Cc: stable@vger.kernel.org Signed-off-by: Heiko Carstens Signed-off-by: Cornelia Huck Signed-off-by: Greg Kroah-Hartman commit ed039ce3768ecaeac51bb24e297c8ef6e642693e Author: Thomas Huth Date: Wed Nov 6 15:46:33 2013 +0100 KVM: s390: Always store status during SIGP STOP_AND_STORE_STATUS commit e879892c725217a4af1012f31ae56be762473216 upstream. The SIGP order STOP_AND_STORE_STATUS is defined to stop a CPU and store its status. However, we only stored the status if the CPU was still running, so make sure that the status is now also stored if the CPU was already stopped. This fixes the problem that the CPU information was not stored correctly in kdump files, rendering them unreadable. Signed-off-by: Thomas Huth Acked-by: Christian Borntraeger Signed-off-by: Cornelia Huck Signed-off-by: Greg Kroah-Hartman commit 4d93ec131e692450bf4507ee09dd65007ffaaa46 Author: Heiko Carstens Date: Mon Jan 13 13:35:16 2014 +0100 s390/compat: fix PSW32_USER_BITS definition commit 075dfd82102d2048e43e1cbf48d558d915c50072 upstream. PSW32_USER_BITS should define the primary address space for user space instead of the home address space. Symptom of this bug is that gdb doesn't work in compat mode. The bug was introduced with e258d719ff28 "s390/uaccess: always run the kernel in home space" and f26946d7ecad "s390/compat: make psw32_user_bits a constant value again". Reported-by: Andreas Arnez Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 84d14624a9c952791af50adc8824c3698c568351 Author: Stephen Warren Date: Tue Jan 7 15:00:12 2014 -0700 serial: 8250: enable UART_BUG_NOMSR for Tegra commit 3685f19e07802ec4207b52465c408f185b66490e upstream. Tegra chips have 4 or 5 identical UART modules embedded. UARTs C..E have their MODEM-control signals tied off to a static state. However UARTs A and B can optionally route those signals to/from package pins, depending on the exact pinmux configuration. When these signals are not routed to package pins, false interrupts may trigger either temporarily, or permanently, all while not showing up in the IIR; it will read as NO_INT. This will eventually lead to the UART IRQ being disabled due to unhandled interrupts. When this happens, the kernel may print e.g.: irq 68: nobody cared (try booting with the "irqpoll" option) In order to prevent this, enable UART_BUG_NOMSR. This prevents UART_IER_MSI from being enabled, which prevents the false interrupts from triggering. In practice, this is not needed under any of the following conditions: * On Tegra chips after Tegra30, since the HW bug has apparently been fixed. * On UARTs C..E since their MODEM control signals are tied to the correct static state which doesn't trigger the issue. * On UARTs A..B if the MODEM control signals are routed out to package pins, since they will then carry valid signals. However, we ignore these exceptions for now, since they are only relevant if a board actually hooks up more than a 4-wire UART, and no currently supported board does this. If we ever support a board that does, we can refine the algorithm that enables UART_BUG_NOMSR to take those exceptions into account, and/or read a flag from DT/... that indicates that the board has hooked up and pinmux'd more than a 4-wire UART. Reported-by: Olof Johansson # autotester Signed-off-by: Stephen Warren Signed-off-by: Greg Kroah-Hartman commit 6c640da03afedf50faab443f0768002a7e191ca3 Author: Jonathan Woithe Date: Mon Dec 9 16:33:08 2013 +1030 serial: 8250: Fix initialisation of Quatech cards with the AMCC PCI chip commit 9c5320f8d7d9a2cf623e65d50e1113f34d9b9eb1 upstream. Fix the initialisation of older Quatech serial cards which are fitted with the AMCC PCI Matchmaker interface chip. Signed-off-by: Jonathan Woithe (jwoithe@just42.net) Signed-off-by: Greg Kroah-Hartman commit df2f06c9c5f9b1a9da3618444cf5f9bf0ea87cb9 Author: Yegor Yefremov Date: Mon Dec 9 12:11:15 2013 +0100 serial: add support for 200 v3 series Titan card commit 48c0247d7b7bf58abb85a39021099529df365c4d upstream. Signed-off-by: Yegor Yefremov Signed-off-by: Greg Kroah-Hartman commit a51cc29a07dc2589fc4758492a19232c82913bc4 Author: Aaro Koskinen Date: Fri Dec 20 16:19:47 2013 +0200 uio: fix devm_request_irq usage commit 632fefaf1fff7c344191c363e08a43cf006fe60e upstream. Commit e6789cd3dfb553077606ccafeb05e0043f072481 (uio: Simplify uio error path by using devres functions) converted uio to use devm_request_irq(). This introduced a change in behaviour since the IRQ is associated with the parent device instead of the created UIO device. The IRQ will remain active after uio_unregister_device() is called, and some drivers will crash because of this. The patch fixes this. Signed-off-by: Aaro Koskinen Signed-off-by: Greg Kroah-Hartman commit 6c84d406c04505f220158ef50479d392a562d96c Author: Sarah Sharp Date: Mon Jan 6 13:07:03 2014 -0800 xhci: Set scatter-gather limit to avoid failed block writes. commit f2d9b991c549f159dc9ae81f77d8206c790cbfee upstream. Commit 35773dac5f862cb1c82ea151eba3e2f6de51ec3e "usb: xhci: Link TRB must not occur within a USB payload burst" attempted to fix an issue found with USB ethernet adapters, and inadvertently broke USB storage devices. The patch attempts to ensure that transfers never span a segment, and rejects transfers that have more than 63 entries (or possibly less, if some entries cross 64KB boundaries). usb-storage limits the maximum transfer size to 120K, and we had assumed the block layer would pass a scatter-gather list of 4K entries, resulting in no more than 31 sglist entries: http://marc.info/?l=linux-usb&m=138498190419312&w=2 That assumption was wrong, since we've seen the driver reject a write that was 218 sectors long (of probably 512 bytes each): Jan 1 07:04:49 jidanni5 kernel: [ 559.624704] xhci_hcd 0000:00:14.0: Too many fragments 79, max 63 ... Jan 1 07:04:58 jidanni5 kernel: [ 568.622583] Write(10): 2a 00 00 06 85 0e 00 00 da 00 Limit the number of scatter-gather entries to half a ring segment. That should be margin enough in case some entries cross 64KB boundaries. Increase the number of TRBs per segment from 64 to 256, which should result in ring segments fitting on a 4K page. Signed-off-by: Sarah Sharp Reported-by: jidanni@jidanni.org References: http://bugs.debian.org/733907 Fixes: 35773dac5f86 ('usb: xhci: Link TRB must not occur within a USB payload burst') Signed-off-by: Greg Kroah-Hartman commit e8ca4934157c039fd1da479c5a7ad2684b1f1ab6 Author: Ben Hutchings Date: Mon Jan 6 03:16:32 2014 +0000 xhci: Avoid infinite loop when sg urb requires too many trbs commit d6c9ea9069af684358efedcaf2f2f687f51c58ee upstream. Currently prepare_ring() returns -ENOMEM if the urb won't fit into a single ring segment. usb_sg_wait() treats this error as a temporary condition and will keep retrying until something else goes wrong. The number of retries should be limited in usb_sg_wait(), but also prepare_ring() should not return an error code that suggests it might be worth retrying. Change it to -EINVAL. Reported-by: jidanni@jidanni.org References: http://bugs.debian.org/733907 Fixes: 35773dac5f86 ('usb: xhci: Link TRB must not occur within a USB payload burst') Signed-off-by: Ben Hutchings Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 0ff5f6294b1e1640251dccc8dd494fa3cd84522f Author: Phil Pokorny Date: Tue Jan 14 10:46:46 2014 -0800 hwmon: (k10temp) Add support for Kaveri CPUs commit d303b1b5fbb688282bbf72a534b9dfed7af9fe4f upstream. Add new PCI ID to support new model "Kaveri" family. Signed-off-by: Philip Pokorny Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit e1d0d8b70c05aa5ed96f860f0da69c02e3e31674 Author: Jean-Jacques Hiblot Date: Thu Jan 9 16:01:54 2014 +0100 ARM: at91: smc: bug fix in sam9_smc_cs_read() commit 1588c51cf6d782e63a8719681d905ef0ac22ee62 upstream. There was a copy/paste error when reading the nwe_pulse value. Signed-off-by: Jean-Jacques Hiblot Acked-by: Boris BREZILLON Signed-off-by: Nicolas Ferre Signed-off-by: Kevin Hilman Signed-off-by: Greg Kroah-Hartman commit 6ac2e205d68a7b1e56c738f1910c5a40abc1e2f8 Author: Ludovic Desroches Date: Fri Nov 22 14:49:52 2013 +0100 ARM: at91: at91sam9g45: set default mmc pinctrl-names commit 0645b93f6c223b594c0dca348e2ae0a23bccf6e3 upstream. pinctrl-names property was missing from mmc nodes. Signed-off-by: Ludovic Desroches Acked-by: Jean-Christophe PLAGNIOL-VILLARD Signed-off-by: Nicolas Ferre Signed-off-by: Greg Kroah-Hartman commit 8150a7afa6200473c0f88cb0fae9ba22888f297d Author: Marek Roszko Date: Fri Jan 10 10:33:11 2014 +0100 tty/serial: at91: disable uart timer at start of shutdown commit 8bc661bfc0c2d221e209f4205bdaaf574d50100c upstream. The uart timer will schedule a tasklet when it fires. It is possible that it can fire inside _shutdown before it is killed in the dma and pdc cleanup routines. This causes a tasklet that exists after the port is shutdown, so when the kernel finally executes it, it panics as the tty port is NULL. This is a somewhat rare condition but its possible if a program keeps on opening/closing the port. It has been observed in particular with systemd boot messages that were causing a kernel panic because of this behavior. Moving the timer deletion to the beginning of the function stops a tasklet from being scheduled unexpectedly. Signed-off-by: Marek Roszko [nicolas.ferre@atmel.com: modify commit message, call setup_timer() in any case] Signed-off-by: Nicolas Ferre Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit d7f2686ed1afc2aa3a5a37c493aa8be977554d0b Author: Mark Deneen Date: Tue Jan 7 11:45:09 2014 +0100 tty/serial: at91: reset rx_ring when port is shutdown commit bb7e73c598fb226c75f7625088a8f6a45a0fc892 upstream. When using RX DMA, the driver won't pass any data to the uart layer until the buffer is flipped. When the port is shutdown, the dma buffers are unmapped, but the head and tail of the ring buffer are not reseted. Since the serial console will keep the port open, this will only present itself when the uart is not shared. To reproduce the issue, with an unpatched driver, run a getty on /dev/ttyS0 with no serial console and exit. Getty will exit, and when the new one returns you will be unable to log in. If you hold down a key long enough to fill the DMA buffer and flip it, you can then log in. Signed-off-by: Mark Deneen Acked-by: Leilei Zhao [nicolas.ferre@atmel.com: adapt to mainline kernel, handle !DMA case] Signed-off-by: Nicolas Ferre Signed-off-by: Greg Kroah-Hartman commit be08a62a7708f420431a85e57e8044efdf081552 Author: Marek Roszko Date: Tue Jan 7 11:45:07 2014 +0100 tty/serial: at91: fix race condition in atmel_serial_remove commit f50c995f9ebf064cea1368bf361c4e29679415b4 upstream. The _remove callback could be called when a tasklet is scheduled. tasklet_kill was called inside the function in order to free up any scheduled tasklets. However it was called after uart_remove_one_port which destroys tty references needed in the port for atmel_tasklet_func. Simply putting the tasklet_kill at the start of the function will prevent this conflict. Signed-off-by: Marek Roszko Acked-by: Leilei Zhao Signed-off-by: Nicolas Ferre Signed-off-by: Greg Kroah-Hartman commit e1f473a09b52b87f7d1797c6ee2d05e84aac9df5 Author: Marek Roszko Date: Tue Jan 7 11:45:06 2014 +0100 tty/serial: at91: Handle shutdown more safely commit 0cc7c6c7916b1b6f34350ff1473b80b9f7e459c0 upstream. Interrupts were being cleaned up late in the shutdown handler, it is possible that an interrupt can occur and schedule a tasklet that runs after the port is cleaned up. There is a null dereference due to this race condition with the following stacktrace: [] (atmel_tasklet_func+0x514/0x814) from [] (tasklet_action+0x70/0xa8) [] (tasklet_action+0x70/0xa8) from [] (__do_softirq+0x90/0x144) [] (__do_softirq+0x90/0x144) from [] (irq_exit+0x40/0x4c) [] (irq_exit+0x40/0x4c) from [] (handle_IRQ+0x64/0x84) [] (handle_IRQ+0x64/0x84) from [] (__irq_svc+0x40/0x50) [] (__irq_svc+0x40/0x50) from [] (atmel_rx_dma_release+0x88/0xb8) [] (atmel_rx_dma_release+0x88/0xb8) from [] (atmel_shutdown+0x104/0x160) [] (atmel_shutdown+0x104/0x160) from [] (uart_port_shutdown+0x2c/0x38) Signed-off-by: Marek Roszko Acked-by: Leilei Zhao Signed-off-by: Nicolas Ferre Signed-off-by: Greg Kroah-Hartman commit b6ece84bf2f402cd07ab076fb6faef6ed0a2c1c5 Author: Tomas Winkler Date: Wed Jan 8 20:19:22 2014 +0200 mei: use hbm idle state to prevent spurious resets commit 66ae460b13c31a176b41550259683c841a62af3e upstream. When reset is caused by hbm protocol mismatch or timeout we might end up in an endless reset loop and hbm protocol will never sync Signed-off-by: Tomas Winkler Signed-off-by: Alexander Usyskin Signed-off-by: Greg Kroah-Hartman commit cab808a881049229532d18bc4a2ebee936716a23 Author: Malcolm Priestley Date: Wed Jan 1 19:19:28 2014 +0000 staging: vt6656: CARDqGetNextTBTT correct uLowNextTBTT commit 9acec059c0cef0bf086c738f4c0b1f4447782a48 upstream. value uLowNextTBTT yields wrong value. ULL is needed with qwTSF Signed-off-by: Malcolm Priestley Signed-off-by: Greg Kroah-Hartman commit 85d937c854d1665c0439ef3eae6d2c3ba10c3b50 Author: Malcolm Priestley Date: Sun Dec 8 09:11:30 2013 +0000 staging: vt6656: [BUG] BBvUpdatePreEDThreshold Always set sensitivity on bScanning commit 8f248dae133668bfb8e9379b4b3f0571c858b24a upstream. byBBPreEDIndex value is initially 0, this means that from cold BBvUpdatePreEDThreshold is never set. This means that sensitivity may be in an ambiguous state, failing to scan any wireless points or at least distant ones. Signed-off-by: Malcolm Priestley Signed-off-by: Greg Kroah-Hartman commit ba27ce242a7028f5dba549ef95a9efa3d86361e0 Author: Larry Finger Date: Tue Dec 24 11:22:54 2013 -0600 staging: r8712u: Set device type to wlan commit 3a21f00a5002b14e4aab52aef59d33ed28468a13 upstream. The latest version of NetworkManager does not recognize the device as wireless without this change. Signed-off-by: Larry Finger Signed-off-by: Greg Kroah-Hartman commit 45c5560ef7eb98edb53a71f5b8ce5c0dddb2ea38 Author: Amir Shehata Date: Tue Dec 3 21:58:47 2013 +0800 staging/lustre/ptlrpc: Fix a crash when dereferencing NULL pointer commit 3c92a0bf4d72737035a16c4fe357ccd439c9b7d2 upstream. When a system runs out of memory and the function ptlrpc_register_bulk() is called from ptl_send_rpc() the call to LNetMEAttach() fails due to failure to allocate memory. This forces the code into an error path, which most probably previously went untested. The error path: if (rc != 0) { CERROR("%s: LNetMEAttach failed x"LPU64"/%d: rc = %dn", desc->bd_export->exp_obd->obd_name, xid, posted_md, rc); break; } This print assumes that desc->bd_export is not NULL. However, it is. In fact it is expected to be NULL. desc->bd_import is the correct structure to access in this case. Lustre-change: http://review.whamcloud.com/7121 Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-3585 Signed-off-by: Amir Shehata Reviewed-by: Liang Zhen Reviewed-by: Doug Oucharek Reviewed-by: Oleg Drokin Signed-off-by: Peng Tao Signed-off-by: Andreas Dilger Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit f4c8e868983e927b1bf93508c805f1f08a2afcc4 Author: Sujith Manoharan Date: Thu Jan 9 08:51:15 2014 +0530 ath9k: Disable cross-band FCC commit 1e2f9295f4c657500111514f92a3d3894d0e05b4 upstream. Fast Channel Change across bands was enabled for AR9462 recently, but this is causing baseband issues. Disable it until this feature is tested well. Also, remove the feature bit for AR9565 since it is a single-band card and doesn't support this feature. Reported-by: Oleksij Rempel Signed-off-by: Sujith Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 84666036f8a6b46492db7dd04b733732a4f3a542 Author: Sujith Manoharan Date: Thu Jan 9 08:51:14 2014 +0530 ath9k: Use correct channel for RX packets commit ff9a93f2ebb88ac7aab9568de80b64b92078e96d upstream. Accessing the current channel definition in mac80211 when processing RX packets is problematic because it could have been updated when a scan is issued. Since a channel change involves flushing the existing packets in the RX queue before a chip-reset is done, they would be processed using the wrong band/channel information. To avoid this, use the current channel information maintained in the driver. Reported-by: Oleksij Rempel Signed-off-by: Sujith Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ed8034b113a9d491499ab650be0487431b6e32cf Author: ZHAO Gang Date: Sat Jan 18 00:17:38 2014 +0800 b43: fix the wrong assignment of status.freq in b43_rx() commit 64e5acb09ca6b50c97299cff9ef51299470b29f2 upstream. Use the right function to update frequency value. If rx skb is probe response or beacon, the wrong frequency value can cause problem that bss info can't be updated when it should be. Fixes: 8318d78a44d4 ("cfg80211 API for channels/bitrates, mac80211 and driver conversion") Signed-off-by: ZHAO Gang Acked-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 94080dee38400618751ed156107ffac856ac22b9 Author: Larry Finger Date: Sun Jan 12 15:11:39 2014 -0600 b43legacy: Fix unload oops if firmware is not available commit 452028665312672c6ba9e16a19248ee00ead9400 upstream. The asyncronous firmware load uses a completion struct to hold firmware processing until the user-space routines are up and running. There is. however, a problem in that the waiter is nevered canceled during teardown. As a result, unloading the driver when firmware is not available causes an oops. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 8365103d678e6be9952722b22dbe7c2b8331757c Author: Larry Finger Date: Sun Jan 12 15:11:38 2014 -0600 b43: Fix unload oops if firmware is not available commit 0673effd41dba323d6a280ef37b5ef29f3f5a653 upstream. The asyncronous firmware load uses a completion struct to hold firmware processing until the user-space routines are up and running. There is. however, a problem in that the waiter is nevered canceled during teardown. As a result, unloading the driver when firmware is not available causes an oops. To be able to access the completion structure at teardown, it had to be moved into the b43_wldev structure. This patch also fixes a typo in a comment. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit dd6ccf171f67ef638f000f6e70bb83c62e6c62c7 Author: Larry Finger Date: Sun Jan 12 15:11:37 2014 -0600 b43: Fix lockdep splat commit 09164043f63c947a49797750a09ca1cd7c31108e upstream. In https://bugzilla.kernel.org/show_bug.cgi?id=67561, a locking dependency is reported when b43 is used with hostapd, and rfkill is used to kill the radio output. The lockdep splat (in part) is as follows: ====================================================== [ INFO: possible circular locking dependency detected ] 3.12.0 #1 Not tainted ------------------------------------------------------- rfkill/10040 is trying to acquire lock: (rtnl_mutex){+.+.+.}, at: [] rtnl_lock+0x12/0x20 but task is already holding lock: (rfkill_global_mutex){+.+.+.}, at: [] rfkill_fop_write+0x6a/0x170 [rfkill] --snip-- Chain exists of: rtnl_mutex --> misc_mtx --> rfkill_global_mutex The fix is to move the initialization of the hardware random number generator outside the code range covered by the rtnl_mutex. Reported-by: yury Tested-by: yury Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 4aca366c885d29df6ca9803c13fd92e2b4f42854 Author: Eliad Peller Date: Sun Jan 5 12:41:12 2014 +0200 iwlwifi: mvm: fix missing cleanup in .start() error path commit 91b0d1198417cf4fd9a7bd4138b6909f0b359099 upstream. Cleanup of iwl_mvm_leds was missing in case of error, resulting in the following warning: WARNING: at lib/kobject.c:196 kobject_add_internal+0x1f4/0x210() kobject_add_internal failed for phy0-led with -EEXIST, don't try to register things with the same name in the same directory. which prevents further reloads of the driver. Signed-off-by: Eliad Peller Signed-off-by: Emmanuel Grumbach Signed-off-by: Greg Kroah-Hartman commit 79a7d9a826165fcdde29bac4bec2f3da41f0a18a Author: Emmanuel Grumbach Date: Tue Dec 24 14:15:41 2013 +0200 iwlwifi: pcie: enable oscillator for L1 exit commit 2d93aee152b1758a94a18fe15d72153ba73b5679 upstream. Enabling the oscillator consumes slightly more power (100uA) but allows to make sure that we exit from L1 on time. Not doing so might lead to a PCIe specification violation since we might wake up from L1 at the wrong time. This issue has been identified on 3160 and 7260 only. On older NICs L1 off is not enabled, on newer NICs (7265), the issue is fixed. When the bug occurs the user sees that the NIC has disappeared from the PCI bridge, any access to the device returns 0xff. This fixes: https://bugzilla.kernel.org/show_bug.cgi?id=64541 and has been extensively discussed here: http://markmail.org/thread/mfmpzqt3r333n4bo Fixes: 99cd47142399 ("iwlwifi: add 7000 series device configuration") Reported-and-tested-by: wzyboy Reviewed-by: Johannes Berg Signed-off-by: Emmanuel Grumbach Signed-off-by: Greg Kroah-Hartman commit a50a46af7d18043166d194dda782cf7c4e8d455d Author: Bing Zhao Date: Tue Jan 14 19:16:34 2014 -0800 mwifiex: fix wrong 11ac bits setting in fw_cap_info commit 1e202242ee1432d68a8bea4919b2ae0ef19d9e06 upstream. bit 14 is actually reserved and bit 12 & 13 should be used for 11ac capability in fw_cap_info. Signed-off-by: Bing Zhao Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 9f0359a610c252bb9e8764e73e160020f8dfd308 Author: Amitkumar Karwar Date: Fri Jan 10 14:30:41 2014 -0800 mwifiex: add missing endian conversion for fw_tsf commit 9795229752c31da0c5f8a7dc4c827665327b52f9 upstream. It is u64 data received from firmware. Little endian to cpu conversion is required here. Signed-off-by: Amitkumar Karwar Signed-off-by: Bing Zhao Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit e820ca9d93d6593771771bfc9cc9788d515a5c16 Author: Larry Finger Date: Mon Nov 25 10:45:28 2013 -0600 rtlwifi: rtl8188ee: Fix typo in code commit f699273d6a624266ebc9198774f06ee64a3847a1 upstream. The static analyser "cppcheck" shows the following typo: drivers/net/wireless/rtlwifi/rtl8188ee/dm.c:1081]: (style) Same expression on both sides of '!='. Signed-off-by: Larry Finger Reported-by: David Binderman Cc: David Binderman Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 9bc0e062fe03fda337d347f32d9a28504c945d7e Author: Larry Finger Date: Mon Nov 18 11:11:36 2013 -0600 rtlwifi: rtl8192c: Update dynamic gain calculations commit 796e453436b183057e2d7d9b2bcff88d0bf53ba7 upstream. The vendor driver contained a number of improvements in the gain settings for the rtl8192c{e,u} devices. This patch implements them in the kernel driver. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit c92e19d0c2dc7ef40de83ad20c6de7703bfd3202 Author: Larry Finger Date: Mon Nov 18 11:11:35 2013 -0600 rtlwifi: Add missing code to PWDB statics routine commit d82403a9f407217b6aed5260aa92a120e8e98310 upstream. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 15ca6fca90008c4cf504cf946fb711c7498fcd55 Author: Larry Finger Date: Mon Nov 18 11:11:34 2013 -0600 rtlwifi: rtl8192cu: Fix some code in RF handling commit e9b0784bb9de3152e787ee779868c626b137fb3b upstream. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit e0b7169e124dcbfb65c9b3a491a725f307275026 Author: Larry Finger Date: Mon Nov 18 11:11:33 2013 -0600 rtlwifi: rtl8192cu: Update the power index registers commit 9806eacf5de27ab01d680c5d75c92a3a89734e4f upstream. This patch uses the newly introduced power index register routines. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit f50e4e983a0b5354a79b37c1d8ff4ce036e19d3d Author: Larry Finger Date: Mon Nov 18 11:11:32 2013 -0600 rtlwifi: rtl8192c: Add routines to save/restore power index registers commit 97204e93f01868eeba6ae5c4f3270f32905bb418 upstream. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit b54c97ea32054562110847191fea54588c19b39f Author: Larry Finger Date: Mon Nov 18 11:11:30 2013 -0600 rtlwifi: Increase the RX queue length for USB drivers commit dc6405712268fe514d3dd89aa936c4397b0871b9 upstream. The current number of RX buffers queued is 32, which is too small under heavy load. That number is doubled. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ceb6fd9f03db2c86f6f2914bcfc066c707545e98 Author: Larry Finger Date: Mon Nov 18 11:11:29 2013 -0600 rtlwifi: rtl8192c: Add new definitions in the dm_common header commit c908c74e005de780fddbe8cb6fcd44803f5d4b74 upstream. Changes in the gain-control mechanism will require some changes in the header. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 4e4aeb96f7f390c7b4ce2ae4bbd5a95a5bb67ec9 Author: Larry Finger Date: Mon Nov 18 11:11:28 2013 -0600 rtlwifi: Set the link state commit 619ce76f8bb850b57032501a39f26aa6c6731c70 upstream. The present code fails to set the linked state when an interface is added. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 03b3daeede578a31865e70158853424a6d5bcaae Author: Larry Finger Date: Mon Nov 18 11:11:27 2013 -0600 rtlwifi: Redo register save locations commit b9a758a8c905fc59e783ae91ad645452d877ea88 upstream. The initial USB driver did not use some register save locations in the private data storage. To save some memory, a union was used to overlay these variables with USB I/O components. In an update of the gain-control code, these register save locations are now needed for USB drivers. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit fc3fd60626d3ba4327b3f20d96fde5c5b2aa14e3 Author: Larry Finger Date: Mon Nov 18 11:11:26 2013 -0600 rtlwifi: rtl8192cu: Add new firmware commit 62009b7f12793c932aaba0df946b04cb4a77d022 upstream. Vendor driver rtl8188C_8192C_8192D_usb_linux_v3.4.2_3727.20120404 introduced new firmware for these chips. The code try for the new file, and fall back to the original firmware if the new file is not available. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 6c4d4787020c56cb8bb186194ce2abc3210f2d60 Author: Larry Finger Date: Mon Nov 18 11:11:25 2013 -0600 rtlwifi: rtl8192c: Prevent reconnect attempts if not connected commit 8fd77aec1a9d6f4328fc0244f21932114e066df3 upstream. This driver has a watchdog timer that attempts to reconnect when beacon frames are not seen for 6 seconds. This patch disables that reconnect whenever the device has never been connected. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 65027c0384b355195a928e6ab720f52384c68a62 Author: Larry Finger Date: Mon Nov 18 11:11:31 2013 -0600 rtlwifi: Update beacon statistics for USB driver commit 65b9cc97c6852fae19dc5c7745e9abc8dd380aad upstream. The USB drivers were not updating the beacon statistics, which led to false beacon loss indications. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 982380a2c1d60eadf1cd3c7d1a05119421e5d172 Author: Larry Finger Date: Thu Jan 9 10:27:27 2014 -0600 rtlwifi: rtl8192cu: Add new device ID commit f87f960b2fb802f26ee3b00c19320e57a9c583ff upstream. Reported-by: Jan Prinsloo Tested-by: Jan Prinsloo Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit fe7ce71955f9e3462de8b345d352a7acfcc09e81 Author: Peter Chen Date: Fri Jan 10 13:51:26 2014 +0800 usb: ehci: add freescale imx28 special write register method commit feffe09f510c475df082546815f9e4a573f6a233 upstream. According to Freescale imx28 Errata, "ENGR119653 USB: ARM to USB register error issue", All USB register write operations must use the ARM SWP instruction. So, we implement a special ehci_write for imx28. Discussion for it at below: http://marc.info/?l=linux-usb&m=137996395529294&w=2 Without this patcheset, imx28 works unstable at high AHB bus loading. If the bus loading is not high, the imx28 usb can work well at the most of time. There is a IC errata for this problem, usually, we consider IC errata is a problem not a new feature, and this workaround is needed for that, so we need to add them to stable tree 3.11+. Cc: robert.hodaszi@digi.com Signed-off-by: Peter Chen Acked-by: Alan Stern Signed-off-by: Marc Kleine-Budde Tested-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit dce790e4a650df7a40ca030f8ac754f6a029de07 Author: Alan Stern Date: Tue Jan 7 10:43:02 2014 -0500 USB: fix race between hub_disconnect and recursively_mark_NOTATTACHED commit 543d7784b07ffd16cc82a9cb4e1e0323fd0040f1 upstream. There is a race in the hub driver between hub_disconnect() and recursively_mark_NOTATTACHED(). This race can be triggered if the driver is unbound from a device at the same time as the bus's root hub is removed. When the race occurs, it can cause an oops: BUG: unable to handle kernel NULL pointer dereference at 0000015c IP: [] recursively_mark_NOTATTACHED+0x20/0x60 Call Trace: [] recursively_mark_NOTATTACHED+0x34/0x60 [] recursively_mark_NOTATTACHED+0x34/0x60 [] recursively_mark_NOTATTACHED+0x34/0x60 [] recursively_mark_NOTATTACHED+0x34/0x60 [] usb_set_device_state+0x92/0x120 [] usb_disconnect+0x2b/0x1a0 [] usb_remove_hcd+0xb0/0x160 [] ? _raw_spin_unlock_irqrestore+0x26/0x50 [] ehci_mid_remove+0x1c/0x30 [] ehci_mid_stop_host+0x16/0x30 [] penwell_otg_work+0xd28/0x3520 [] ? __schedule+0x39b/0x7f0 [] ? sub_preempt_count+0x3d/0x50 [] process_one_work+0x11d/0x3d0 [] ? mutex_unlock+0xd/0x10 [] ? manage_workers.isra.24+0x1b5/0x270 [] worker_thread+0xf9/0x320 [] ? _raw_spin_unlock_irqrestore+0x26/0x50 [] ? rescuer_thread+0x2b0/0x2b0 [] kthread+0x94/0xa0 [] ret_from_kernel_thread+0x1b/0x28 [] ? kthread_create_on_node+0xc0/0xc0 One problem is that recursively_mark_NOTATTACHED() uses the intfdata value and hub->hdev->maxchild while hub_disconnect() is clearing them. Another problem is that it uses hub->ports[i] while the port device is being released. To fix this race, we need to hold the device_state_lock while hub_disconnect() changes the values. (Note that usb_disconnect() and hub_port_connect_change() already acquire this lock at similar critical times during a USB device's life cycle.) We also need to remove the port devices after maxchild has been set to 0, instead of before. Signed-off-by: Alan Stern Reported-by: "Du, Changbin" Tested-by: "Du, Changbin" Signed-off-by: Greg Kroah-Hartman commit 241e39dcafe2ff5ef2914c8f05ce0a983c2a63ed Author: Jack Pham Date: Fri Nov 15 14:53:14 2013 -0800 usb: xhci: Check for XHCI_PLAT in xhci_cleanup_msix() commit 9005355af23856c55a5538c9024355785424821b upstream. If CONFIG_PCI is enabled, make sure xhci_cleanup_msix() doesn't try to free a bogus PCI IRQ or dereference an invalid pci_dev when the xHCI device is actually a platform_device. This patch should be backported to kernels as old as 3.9, that contain the commit 52fb61250a7a132b0cfb9f4a1060a1f3c49e5a25 "xhci-plat: Don't enable legacy PCI interrupts." Signed-off-by: Jack Pham Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 6a345958ecfd9211633ffec338426b3a9c1f3493 Author: Mikhail Zolotaryov Date: Sat Dec 28 01:56:35 2013 +0200 USB: Nokia 502 is an unusual device commit 0e16114f2db4838251fb64f3b550996ad3585890 upstream. The USB storage operation of Nokia Asha 502 Dual SIM smartphone running Asha Platform 1.1.1 is unreliable in respect of data consistency (i.e. transfered files are corrupted). A similar issue is described here: http://discussions.nokia.com/t5/Asha-and-other-Nokia-Series-30/Nokia-301-USB-transfers-and-corrupted-files/td-p/1974170 The workaround is (MAX_SECTORS_64): rmmod usb_storage && modprobe usb_storage quirks=0421:06aa:m The patch adds the tested device to the unusual list permanently. Signed-off-by: Mikhail Zolotaryov Signed-off-by: Greg Kroah-Hartman commit 9d4f3c7eb2692b07fda28465486fb155c8c46a04 Author: Colin Leitner Date: Mon Jan 6 21:33:54 2014 +0100 USB: ftdi_sio: added CS5 quirk for broken smartcard readers commit c1f15196ac3b541d084dc80a8fbd8a74c6a0bd44 upstream. Genuine FTDI chips support only CS7/8. A previous fix in commit 8704211f65a2 ("USB: ftdi_sio: fixed handling of unsupported CSIZE setting") enforced this limitation and reported it back to userspace. However, certain types of smartcard readers depend on specific driver behaviour that requests 0 data bits (not 5) to change into a different operating mode if CS5 has been set. This patch reenables this behaviour for all FTDI devices. Tagged to be added to stable, because it affects a lot of users of embedded systems which rely on these readers to work properly. Reported-by: Heinrich Siebmanns Tested-by: Heinrich Siebmanns Signed-off-by: Colin Leitner Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 60b5c6f40e357b87e465ff8a94befb019f1bcc9e Author: Johan Hovold Date: Thu Jan 2 22:49:24 2014 +0100 USB: cypress_m8: fix ring-indicator detection and reporting commit 440ebadeae9298d7de3d4d105342691841ec88d0 upstream. Fix ring-indicator (RI) status-bit definition, which was defined as CTS, effectively preventing RI-changes from being detected while reporting false RI status. This bug predates git. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit efd921a4d74c1bf2d580593ee63dfe60fbe3ca79 Author: Rahul Bedarkar Date: Thu Jan 2 20:57:56 2014 +0530 USB: serial: add support for iBall 3.5G connect usb modem commit 7d5c1b9c7cb5ec8e52b1adc65c484a923a8ea6c3 upstream. Add support for iBall 3.5G connect usb modem. $lsusb Bus 002 Device 006: ID 1c9e:9605 OMEGA TECHNOLOGY $usb-devices T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 6 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1c9e ProdID=9605 Rev=00.00 S: Manufacturer=USB Modem S: Product=USB Modem S: SerialNumber=1234567890ABCDEF C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage Signed-off-by: Rahul Bedarkar Suggested-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman commit c2e054829425ea747cf150354413763b1fcb9db4 Author: 张君 Date: Wed Dec 18 15:37:17 2013 +0800 usb: option: add new zte 3g modem pids to option driver commit 4d90b819ae4c7ea8fd5e2bb7edc68c0f334be2e4 upstream. Signed-off-by: Jun zhang Signed-off-by: Greg Kroah-Hartman commit 90cf43ef61389b287bd0f0c4af65b1ba4dc7862f Author: Johan Hovold Date: Sun Dec 29 19:22:53 2013 +0100 USB: pl2303: fix data corruption on termios updates commit 623c8263376c0b8a4b0c220232e7313d762cd0cc upstream. Some PL2303 devices are known to lose bytes if you change serial settings even to the same values as before. Avoid this by comparing the encoded settings with the previsouly used ones before configuring the device. The common case was fixed by commit bf5e5834bffc6 ("pl2303: Fix mode switching regression"), but this problem was still possible to trigger, for instance, by using the TCSETS2-interface to repeatedly request 115201 baud, which gets mapped to 115200 and thus always triggers a settings update. Cc: Frank Schäfer Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 3b1fa541dc6cb41cd208af9ea5221b30e12713ee Author: Heikki Krogerus Date: Wed Dec 18 16:41:25 2013 +0200 usb: dwc3: fix the glue drivers using the nop phy commit 13518673f1419f2667985a6fca4543e44143408b upstream. The reset_gpio member of the usb_phy_gen_xceiv_platform_data structure needs the have negative value or phy-generic's probe will fail unless DT is used. 0 is a valid gpio number. This fixes an issue where phy-generic fails to probe with message: "usb_phy_gen_xceiv.0: Error requesting RESET GPIO 0". Signed-off-by: Heikki Krogerus Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit d1f9d7eca2bcad07afc898243171c4dc031e8ae4 Author: Bjørn Mork Date: Sun Jan 12 21:48:53 2014 +0100 usb: cdc-wdm: resp_count can be 0 even if WDM_READ is set commit f563926fed982f26b391ca42493f55f2447f1b0a upstream. Do not decrement resp_count if it's already 0. We set resp_count to 0 when the device is closed. The next open and read will try to clear the WDM_READ flag if there was leftover data in the read buffer. This fix is necessary to prevent resubmitting the read URB in a tight loop because resp_count becomes negative. The bug can easily be triggered from userspace by not reading all data in the read buffer, and then closing and reopening the chardev. Fixes: 8dd5cd5395b9 ("usb: cdc-wdm: avoid hanging on zero length reads") Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit c91a8012d127d5e95376e11079f725a80f98b08b Author: Bjørn Mork Date: Fri Dec 20 14:07:24 2013 +0100 usb: cdc-wdm: avoid hanging on zero length reads commit 8dd5cd5395b90070d98149d0a94e5981a74cd2ec upstream. commit 73e06865ead1 ("USB: cdc-wdm: support back-to-back USB_CDC_NOTIFY_RESPONSE_AVAILABLE notifications") implemented queued response handling. This added a new requirement: The read urb must be resubmitted every time we clear the WDM_READ flag if the response counter indicates that the device is waiting for a read. Fix by factoring out the code handling the WMD_READ clearing and possible urb submission, calling it everywhere we clear the flag. Without this fix, the driver ends up in a state where the read urb is inactive, but the response counter is positive after a zero length read. This prevents the read urb from ever being submitted again and the driver appears to be hanging. Fixes: 73e06865ead1 ("USB: cdc-wdm: support back-to-back USB_CDC_NOTIFY_RESPONSE_AVAILABLE notifications") Cc: Greg Suarez Signed-off-by: Bjørn Mork Signed-off-by: Greg Kroah-Hartman commit a348d7614c3b52c0b6d28f1a9fdd08a122d8def3 Author: Peter Chen Date: Fri Jan 10 13:51:32 2014 +0800 usb: chipidea: udc: using MultO at TD as real mult value for ISO-TX commit 2fc5a7dace3c43e62402ab4e8800a8f1834ffe2a upstream. We have met a bug that the high bandwidth ISO-TX transfer has failed at the last packet if it is less than 1024, the TD status shows it is "Transaction Error". The root cause of this problem is: the mult value at qh is not correct for current TD's transfer length. We use TD list to queue un-transfer TDs, and change mult for new adding TDs. If new adding TDs transfer length less than 1024, but the queued un-transfer TDs transfer length is larger than 1024, the transfer error will occur, and vice versa. Usually, this problem occurs at the last packet, and the first packet for new frame. We fixed this problem by setting Mult at QH as the largest value (3), and set MultO (Multiplier Override) at TD according to every transfer length. It can cover both hardware version less than 2.3 (the real mult is MultO if it is not 0) and 2.3+ (the real mult is min(qh.mult, td.multo)). Since the MultO bits are only existed at TX TD, we keep the ISO-RX behavior unchanged. For stable tree: 3.11+. Cc: Michael Grzeschik Reported-by: Matthieu Vanin Tested-by: Matthieu Vanin Signed-off-by: Peter Chen Signed-off-by: Greg Kroah-Hartman commit 1dd4f26f0b4292ecc591ac61987f4996356feba4 Author: Peter Chen Date: Fri Jan 10 13:51:31 2014 +0800 usb: chipidea: need to mask INT_STATUS when write otgsc commit 5332ff1fb63c46588656e4208201bc131627c878 upstream. For otgsc, both enable bits and status bits are in it. So we need to make sure the status bits are not be cleared when write enable bits. It can fix one bug that we plug in/out Micro AB cable fast, and sometimes, the IDIS will be cleared wrongly when handle last ID interrupt (ID 0->1), so the current interrupt will not occur. For stable tree: 3.12+ Signed-off-by: Peter Chen Signed-off-by: Greg Kroah-Hartman commit c864872d32fa288aef50508908a4d0f1bc290b69 Author: Peter Chen Date: Fri Jan 10 13:51:28 2014 +0800 usb: chipidea: imx: set CI_HDRC_IMX28_WRITE_FIX for imx28 commit 1071055e2a118a81c0b300d7f4af7eba3f7a7c82 upstream. Due to imx28 needs ARM swp instruction for writing, we set CI_HDRC_IMX28_WRITE_FIX for imx28. This patch is needed for stable tree 3.11+ Cc: robert.hodaszi@digi.com Signed-off-by: Peter Chen Signed-off-by: Marc Kleine-Budde Tested-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 1d503f1a90538a068b0efd62757af9c11e119b36 Author: Peter Chen Date: Fri Jan 10 13:51:27 2014 +0800 usb: chipidea: add freescale imx28 special write register method commit ed8f8318d2ef3e5f9e4ddf79349508c116b68d7f upstream. According to Freescale imx28 Errata, "ENGR119653 USB: ARM to USB register error issue", All USB register write operations must use the ARM SWP instruction. So, we implement special hw_write and hw_test_and_clear for imx28. Discussion for it at below: http://marc.info/?l=linux-usb&m=137996395529294&w=2 This patch is needed for stable tree 3.11+. Cc: robert.hodaszi@digi.com Signed-off-by: Peter Chen Signed-off-by: Marc Kleine-Budde Tested-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 4ba10fc2d81a087e69fb782e4c8a0fc54f5084df Author: Paolo Bonzini Date: Mon Jan 27 14:51:44 2014 +0100 x86, kvm: correctly access the KVM_CPUID_FEATURES leaf at 0x40000101 commit 77f01bdfa5e55dc19d3eb747181d2730a9bb3ca8 upstream. When Hyper-V hypervisor leaves are present, KVM must relocate its own leaves at 0x40000100, because Windows does not look for Hyper-V leaves at indices other than 0x40000000. In this case, the KVM features are at 0x40000101, but the old code would always look at 0x40000001. Fix by using kvm_cpuid_base(). This also requires making the function non-inline, since kvm_cpuid_base() is static. Fixes: 1085ba7f552d84aa8ac0ae903fa8d0cc2ff9f79d Cc: mtosatti@redhat.com Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit b94c2ba692234e31150b025ad270e8220d4b03a4 Author: Paolo Bonzini Date: Mon Jan 27 14:49:40 2014 +0100 x86, kvm: cache the base of the KVM cpuid leaves commit 1c300a40772dae829b91dad634999a6a522c0829 upstream. It is unnecessary to go through hypervisor_cpuid_base every time a leaf is found (which will be every time a feature is requested after the next patch). Fixes: 1085ba7f552d84aa8ac0ae903fa8d0cc2ff9f79d Cc: mtosatti@redhat.com Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 7581173b4e52437936ed39d20b48418b1cdecd31 Author: Marcelo Tosatti Date: Mon Jan 6 12:00:02 2014 -0200 KVM: x86: limit PIT timer frequency commit 9ed96e87c5748de4c2807ef17e81287c7304186c upstream. Limit PIT timer frequency similarly to the limit applied by LAPIC timer. Reviewed-by: Jan Kiszka Signed-off-by: Marcelo Tosatti Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 965918eb863be707d548683b5165cfb30deb8d1c Author: Dave Young Date: Fri Dec 20 18:02:15 2013 +0800 x86/efi: Fix off-by-one bug in EFI Boot Services reservation commit a7f84f03f660d93574ac88835d056c0d6468aebe upstream. Current code check boot service region with kernel text region by: start+size >= __pa_symbol(_text) The end of the above region should be start + size - 1 instead. I see this problem in ovmf + Fedora 19 grub boot: text start: 1000000 md start: 800000 md size: 800000 Signed-off-by: Dave Young Acked-by: Borislav Petkov Acked-by: Toshi Kani Tested-by: Toshi Kani Signed-off-by: Matt Fleming Signed-off-by: Greg Kroah-Hartman commit 0c51097273237d079ef67aa819e904e484e382ca Author: Ben Hutchings Date: Tue Dec 31 20:46:27 2013 +0100 xen/pci: Fix build on non-x86 commit b7ef4a6dd35d1b47db72fbd1a31c8fd0da7a74f3 upstream. We can't include if this isn't x86, and we only need it if CONFIG_PCI_MMCONFIG is enabled. Fixes: 8deb3eb1461e ('xen/mcfg: Call PHYSDEVOP_pci_mmcfg_reserved for MCFG areas.') Signed-off-by: Ben Hutchings Signed-off-by: Konrad Rzeszutek Wilk Reviewed-by: David Vrabel Acked-by: Ian Campbell Signed-off-by: Greg Kroah-Hartman commit 921ce180818a8a3b52fbe02e747695d51a46f5e1 Author: PaX Team Date: Thu Jan 30 16:59:25 2014 -0800 x86, x32: Correct invalid use of user timespec in the kernel commit 2def2ef2ae5f3990aabdbe8a755911902707d268 upstream. The x32 case for the recvmsg() timout handling is broken: asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, unsigned int vlen, unsigned int flags, struct compat_timespec __user *timeout) { int datagrams; struct timespec ktspec; if (flags & MSG_CMSG_COMPAT) return -EINVAL; if (COMPAT_USE_64BIT_TIME) return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, flags | MSG_CMSG_COMPAT, (struct timespec *) timeout); ... The timeout pointer parameter is provided by userland (hence the __user annotation) but for x32 syscalls it's simply cast to a kernel pointer and is passed to __sys_recvmmsg which will eventually directly dereference it for both reading and writing. Other callers to __sys_recvmmsg properly copy from userland to the kernel first. The bug was introduced by commit ee4fa23c4bfc ("compat: Use COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels since 3.4 (and perhaps vendor kernels if they backported x32 support along with this code). Note that CONFIG_X86_X32_ABI gets enabled at build time and only if CONFIG_X86_X32 is enabled and ld can build x32 executables. Other uses of COMPAT_USE_64BIT_TIME seem fine. This addresses CVE-2014-0038. Signed-off-by: PaX Team Signed-off-by: H. Peter Anvin Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 41d3f491c9cf265f757bcbab663ec34ff84748fa Author: David Rientjes Date: Thu Jan 30 15:46:08 2014 -0800 mm/mempolicy.c: fix mempolicy printing in numa_maps commit 8790c71a18e5d2d93532ae250bcf5eddbba729cd upstream. As a result of commit 5606e3877ad8 ("mm: numa: Migrate on reference policy"), /proc//numa_maps prints the mempolicy for any as "prefer:N" for the local node, N, of the process reading the file. This should only be printed when the mempolicy of is MPOL_PREFERRED for node N. If the process is actually only using the default mempolicy for local node allocation, make sure "default" is printed as expected. Signed-off-by: David Rientjes Reported-by: Robert Lippert Cc: Peter Zijlstra Acked-by: Mel Gorman Cc: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4a466742d28b10d696e79b1c77996e2f72536ba7 Author: Aristeu Rozanski Date: Thu Dec 5 10:37:56 2013 -0500 e752x_edac: Fix pci_dev usage count commit 90ed4988b8c030d65b41b7d13140e9376dc6ec5a upstream. In case the device 0, function 1 is not found using pci_get_device(), pci_scan_single_device() will be used but, differently than pci_get_device(), it allocates a pci_dev but doesn't does bump the usage count on the pci_dev and after few module removals and loads the pci_dev will be freed. Signed-off-by: Aristeu Rozanski Reviewed-by: mark gross Link: http://lkml.kernel.org/r/20131205153755.GL4545@redhat.com Signed-off-by: Borislav Petkov Cc: Jean Delvare Signed-off-by: Greg Kroah-Hartman