1. 09 Feb, 2015 14 commits
  2. 08 Feb, 2015 26 commits
    • Tejun Heo's avatar
      workqueue: fix subtle pool management issue which can stall whole worker_pool · c6662b96
      Tejun Heo authored
      commit 29187a9e upstream.
      
      A worker_pool's forward progress is guaranteed by the fact that the
      last idle worker assumes the manager role to create more workers and
      summon the rescuers if creating workers doesn't succeed in timely
      manner before proceeding to execute work items.
      
      This manager role is implemented in manage_workers(), which indicates
      whether the worker may proceed to work item execution with its return
      value.  This is necessary because multiple workers may contend for the
      manager role, and, if there already is a manager, others should
      proceed to work item execution.
      
      Unfortunately, the function also indicates that the worker may proceed
      to work item execution if need_to_create_worker() is false at the head
      of the function.  need_to_create_worker() tests the following
      conditions.
      
      	pending work items && !nr_running && !nr_idle
      
      The first and third conditions are protected by pool->lock and thus
      won't change while holding pool->lock; however, nr_running can change
      asynchronously as other workers block and resume and while it's likely
      to be zero, as someone woke this worker up in the first place, some
      other workers could have become runnable inbetween making it non-zero.
      
      If this happens, manage_worker() could return false even with zero
      nr_idle making the worker, the last idle one, proceed to execute work
      items.  If then all workers of the pool end up blocking on a resource
      which can only be released by a work item which is pending on that
      pool, the whole pool can deadlock as there's no one to create more
      workers or summon the rescuers.
      
      This patch fixes the problem by removing the early exit condition from
      maybe_create_worker() and making manage_workers() return false iff
      there's already another manager, which ensures that the last worker
      doesn't start executing work items.
      
      We can leave the early exit condition alone and just ignore the return
      value but the only reason it was put there is because the
      manage_workers() used to perform both creations and destructions of
      workers and thus the function may be invoked while the pool is trying
      to reduce the number of workers.  Now that manage_workers() is called
      only when more workers are needed, the only case this early exit
      condition is triggered is rare race conditions rendering it pointless.
      
      Tested with simulated workload and modified workqueue code which
      trigger the pool deadlock reliably without this patch.
      
      tj: Updated to v3.14 where manage_workers() is responsible not only
          for creating more workers but also destroying surplus ones.
          maybe_create_worker() needs to keep its early exit condition to
          avoid creating a new worker when manage_workers() is called to
          destroy surplus ones.  Other than that, the adaptabion is
          straight-forward.  Both maybe_{create|destroy}_worker() functions
          are converted to return void and manage_workers() returns %false
          iff it lost manager arbitration.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarEric Sandeen <sandeen@sandeen.net>
      Link: http://lkml.kernel.org/g/54B019F4.8030009@sandeen.net
      Cc: Dave Chinner <david@fromorbit.com>
      Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      c6662b96
    • Ilya Dryomov's avatar
      rbd: fix rbd_dev_parent_get() when parent_overlap == 0 · 926e01a5
      Ilya Dryomov authored
      commit ae43e9d0 upstream.
      
      The comment for rbd_dev_parent_get() said
      
          * We must get the reference before checking for the overlap to
          * coordinate properly with zeroing the parent overlap in
          * rbd_dev_v2_parent_info() when an image gets flattened.  We
          * drop it again if there is no overlap.
      
      but the "drop it again if there is no overlap" part was missing from
      the implementation.  This lead to absurd parent_ref values for images
      with parent_overlap == 0, as parent_ref was incremented for each
      img_request and virtually never decremented.
      
      Fix this by leveraging the fact that refresh path calls
      rbd_dev_v2_parent_info() under header_rwsem and use it for read in
      rbd_dev_parent_get(), instead of messing around with atomics.  Get rid
      of barriers in rbd_dev_v2_parent_info() while at it - I don't see what
      they'd pair with now and I suspect we are in a pretty miserable
      situation as far as proper locking goes regardless.
      Signed-off-by: default avatarIlya Dryomov <idryomov@redhat.com>
      Reviewed-by: default avatarJosh Durgin <jdurgin@redhat.com>
      Reviewed-by: default avatarAlex Elder <elder@linaro.org>
      [idryomov@redhat.com: backport to 3.14: context]
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      926e01a5
    • Liu ShuoX's avatar
      pstore: Fix NULL pointer fault if get NULL prz in ramoops_get_next_prz · ed64a543
      Liu ShuoX authored
      commit b0aa931f upstream.
      
      ramoops_get_next_prz get the prz according the paramters. If it get a
      uninitialized prz, access its members by following persistent_ram_old_size(prz)
      will cause a NULL pointer crash.
      Ex: if ftrace_size is 0, fprz will be NULL.
      
      Fix it by return NULL in advance.
      Signed-off-by: default avatarLiu ShuoX <shuox.liu@intel.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Cc: HuKeping <hukeping@huawei.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ed64a543
    • Liu ShuoX's avatar
      pstore: skip zero size persistent ram buffer in traverse · 013d52e2
      Liu ShuoX authored
      commit aa9a4a1e upstream.
      
      In ramoops_pstore_read, a valid prz pointer with zero size buffer will
      break traverse of all persistent ram buffers.  The latter buffer might be
      lost.
      Signed-off-by: default avatarLiu ShuoX <shuox.liu@intel.com>
      Cc: "Zhang, Yanmin" <yanmin_zhang@linux.intel.com>
      Cc: Colin Cross <ccross@android.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Cc: HuKeping <hukeping@huawei.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      013d52e2
    • Liu ShuoX's avatar
      pstore: clarify clearing of _read_cnt in ramoops_context · 42ecc20b
      Liu ShuoX authored
      commit 57fd8353 upstream.
      
      *_read_cnt in ramoops_context need to be cleared during pstore ->open to
      support mutli times getting the records.  The patch added missed
      ftrace_read_cnt clearing and removed duplicate clearing in ramoops_probe.
      Signed-off-by: default avatarLiu ShuoX <shuox.liu@intel.com>
      Cc: "Zhang, Yanmin" <yanmin_zhang@linux.intel.com>
      Cc: Colin Cross <ccross@android.com>
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Cc: HuKeping <hukeping@huawei.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      42ecc20b
    • Russell King's avatar
      ARM: DMA: ensure that old section mappings are flushed from the TLB · 51173bf8
      Russell King authored
      commit 6b076991 upstream.
      
      When setting up the CMA region, we must ensure that the old section
      mappings are flushed from the TLB before replacing them with page
      tables, otherwise we can suffer from mismatched aliases if the CPU
      speculatively prefetches from these mappings at an inopportune time.
      
      A mismatched alias can occur when the TLB contains a section mapping,
      but a subsequent prefetch causes it to load a page table mapping,
      resulting in the possibility of the TLB containing two matching
      mappings for the same virtual address region.
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Cc: Hou Pengyang <houpengyang@huawei.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      51173bf8
    • Bob Paauwe's avatar
      drm/i915: Only fence tiled region of object. · d5ce8947
      Bob Paauwe authored
      commit af1a7301 upstream.
      
      When creating a fence for a tiled object, only fence the area that
      makes up the actual tiles.  The object may be larger than the tiled
      area and if we allow those extra addresses to be fenced, they'll
      get converted to addresses beyond where the object is mapped. This
      opens up the possiblity of writes beyond the end of object.
      
      To prevent this, we adjust the size of the fence to only encompass
      the area that makes up the actual tiles.  The extra space is considered
      un-tiled and now behaves as if it was a linear object.
      
      Testcase: igt/gem_tiled_fence_overflow
      Reported-by: default avatarDan Hettena <danh@ghs.com>
      Signed-off-by: default avatarBob Paauwe <bob.j.paauwe@intel.com>
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarJani Nikula <jani.nikula@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      d5ce8947
    • Mugunthan V N's avatar
      drivers: net: cpsw: discard dual emac default vlan configuration · 92e66e18
      Mugunthan V N authored
      commit 02a54164 upstream.
      
      In Dual EMAC, the default VLANs are used to segregate Rx packets between
      the ports, so adding the same default VLAN to the switch will affect the
      normal packet transfers. So returning error on addition of dual EMAC
      default VLANs.
      
      Even if EMAC 0 default port VLAN is added to EMAC 1, it will lead to
      break dual EMAC port separations.
      
      Fixes: d9ba8f9e (driver: net: ethernet: cpsw: dual emac interface implementation)
      Reported-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarMugunthan V N <mugunthanvnm@ti.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      92e66e18
    • Ashay Jaiswal's avatar
      regulator: core: fix race condition in regulator_put() · 28140574
      Ashay Jaiswal authored
      commit 83b0302d upstream.
      
      The regulator framework maintains a list of consumer regulators
      for a regulator device and protects it from concurrent access using
      the regulator device's mutex lock.
      
      In the case of regulator_put() the consumer is removed and regulator
      device's parameters are updated without holding the regulator device's
      mutex. This would lead to a race condition between the regulator_put()
      and any function which traverses the consumer list or modifies regulator
      device's parameters.
      Fix this race condition by holding the regulator device's mutex in case
      of regulator_put.
      Signed-off-by: default avatarAshay Jaiswal <ashayj@codeaurora.org>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      28140574
    • Mika Westerberg's avatar
      spi/pxa2xx: Clear cur_chip pointer before starting next message · 7d2e2460
      Mika Westerberg authored
      commit c957e8f0 upstream.
      
      Once the current message is finished, the driver notifies SPI core about
      this by calling spi_finalize_current_message(). This function queues next
      message to be transferred. If there are more messages in the queue, it is
      possible that the driver is asked to transfer the next message at this
      point.
      
      When spi_finalize_current_message() returns the driver clears the
      drv_data->cur_chip pointer to NULL. The problem is that if the driver
      already started the next message clearing drv_data->cur_chip will cause
      NULL pointer dereference which crashes the kernel like:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
       IP: [<ffffffffa0022bc8>] cs_deassert+0x18/0x70 [spi_pxa2xx_platform]
       PGD 78bb8067 PUD 37712067 PMD 0
       Oops: 0000 [#1] SMP
       Modules linked in:
       CPU: 1 PID: 11 Comm: ksoftirqd/1 Tainted: G           O   3.18.0-rc4-mjo #5
       Hardware name: Intel Corp. VALLEYVIEW B3 PLATFORM/NOTEBOOK, BIOS MNW2CRB1.X64.0071.R30.1408131301 08/13/2014
       task: ffff880077f9f290 ti: ffff88007a820000 task.ti: ffff88007a820000
       RIP: 0010:[<ffffffffa0022bc8>]  [<ffffffffa0022bc8>] cs_deassert+0x18/0x70 [spi_pxa2xx_platform]
       RSP: 0018:ffff88007a823d08  EFLAGS: 00010202
       RAX: 0000000000000008 RBX: ffff8800379a4430 RCX: 0000000000000026
       RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff8800379a4430
       RBP: ffff88007a823d18 R08: 00000000ffffffff R09: 000000007a9bc65a
       R10: 000000000000028f R11: 0000000000000005 R12: ffff880070123e98
       R13: ffff880070123de8 R14: 0000000000000100 R15: ffffc90004888000
       FS:  0000000000000000(0000) GS:ffff880079a80000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
       CR2: 0000000000000048 CR3: 000000007029b000 CR4: 00000000001007e0
       Stack:
        ffff88007a823d58 ffff8800379a4430 ffff88007a823d48 ffffffffa0022c89
        0000000000000000 ffff8800379a4430 0000000000000000 0000000000000006
        ffff88007a823da8 ffffffffa0023be0 ffff88007a823dd8 ffffffff81076204
       Call Trace:
        [<ffffffffa0022c89>] giveback+0x69/0xa0 [spi_pxa2xx_platform]
        [<ffffffffa0023be0>] pump_transfers+0x710/0x740 [spi_pxa2xx_platform]
        [<ffffffff81076204>] ? pick_next_task_fair+0x744/0x830
        [<ffffffff81049679>] tasklet_action+0xa9/0xe0
        [<ffffffff81049a0e>] __do_softirq+0xee/0x280
        [<ffffffff81049bc0>] run_ksoftirqd+0x20/0x40
        [<ffffffff810646df>] smpboot_thread_fn+0xff/0x1b0
        [<ffffffff810645e0>] ? SyS_setgroups+0x150/0x150
        [<ffffffff81060f9d>] kthread+0xcd/0xf0
        [<ffffffff81060ed0>] ? kthread_create_on_node+0x180/0x180
        [<ffffffff8187a82c>] ret_from_fork+0x7c/0xb0
      
      Fix this by clearing drv_data->cur_chip before we call spi_finalize_current_message().
      Reported-by: default avatarMartin Oldfield <m@mjoldfield.com>
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Acked-by: default avatarRobert Jarzmik <robert.jarzmik@free.fr>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      7d2e2460
    • Joe Thornber's avatar
      dm cache: fix missing ERR_PTR returns and handling · 4aaf18db
      Joe Thornber authored
      commit 766a7888 upstream.
      
      Commit 9b1cc9f2 ("dm cache: share cache-metadata object across
      inactive and active DM tables") mistakenly ignored the use of ERR_PTR
      returns.  Restore missing IS_ERR checks and ERR_PTR returns where
      appropriate.
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      4aaf18db
    • Joe Thornber's avatar
      dm thin: don't allow messages to be sent to a pool target in READ_ONLY or FAIL mode · 5702185d
      Joe Thornber authored
      commit 2a7eaea0 upstream.
      
      You can't modify the metadata in these modes.  It's better to fail these
      messages immediately than let the block-manager deny write locks on
      metadata blocks.  Otherwise these failed metadata changes will trigger
      'needs_check' to get set in the metadata superblock -- requiring repair
      using the thin_check utility.
      Signed-off-by: default avatarJoe Thornber <ejt@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      5702185d
    • Johannes Berg's avatar
      nl80211: fix per-station group key get/del and memory leak · 708dddc0
      Johannes Berg authored
      commit 0fa7b391 upstream.
      
      In case userspace attempts to obtain key information for or delete a
      unicast key, this is currently erroneously rejected unless the driver
      sets the WIPHY_FLAG_IBSS_RSN flag. Apparently enough drivers do so it
      was never noticed.
      
      Fix that, and while at it fix a potential memory leak: the error path
      in the get_key() function was placed after allocating a message but
      didn't free it - move it to a better place. Luckily admin permissions
      are needed to call this operation.
      
      Fixes: e31b8213 ("cfg80211/mac80211: allow per-station GTKs")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      708dddc0
    • Mathy Vanhoef's avatar
      mac80211: properly set CCK flag in radiotap · 2c6dcd87
      Mathy Vanhoef authored
      commit 3a5c5e81 upstream.
      
      Fix a regression introduced by commit a5e70697 ("mac80211: add radiotap flag
      and handling for 5/10 MHz") where the IEEE80211_CHAN_CCK channel type flag was
      incorrectly replaced by the IEEE80211_CHAN_OFDM flag. This commit fixes that by
      using the CCK flag again.
      
      Fixes: a5e70697 ("mac80211: add radiotap flag and handling for 5/10 MHz")
      Signed-off-by: default avatarMathy Vanhoef <vanhoefm@gmail.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      2c6dcd87
    • Trond Myklebust's avatar
      NFSv4.1: Fix an Oops in nfs41_walk_client_list · ca2c498b
      Trond Myklebust authored
      commit 3175e1dc upstream.
      
      If we start state recovery on a client that failed to initialise correctly,
      then we are very likely to Oops.
      Reported-by: default avatar"Mkrtchyan, Tigran" <tigran.mkrtchyan@desy.de>
      Link: http://lkml.kernel.org/r/130621862.279655.1421851650684.JavaMail.zimbra@desy.deSigned-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      ca2c498b
    • Peng Tao's avatar
      nfs: fix dio deadlock when O_DIRECT flag is flipped · 88bc0227
      Peng Tao authored
      commit ee8a1a8b upstream.
      
      We only support swap file calling nfs_direct_IO. However, application
      might be able to get to nfs_direct_IO if it toggles O_DIRECT flag
      during IO and it can deadlock because we grab inode->i_mutex in
      nfs_file_direct_write(). So return 0 for such case. Then the generic
      layer will fall back to buffer IO.
      Signed-off-by: default avatarPeng Tao <tao.peng@primarydata.com>
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      88bc0227
    • Jochen Hein's avatar
      Input: i8042 - add noloop quirk for Medion Akoya E7225 (MD98857) · 6633edfe
      Jochen Hein authored
      commit 1d90d6d5 upstream.
      
      Without this the aux port does not get detected, and consequently the touchpad
      will not work.
      
      With this patch the touchpad is detected:
      
      $ dmesg | grep -E "(SYN|i8042|serio)"
      pnp 00:03: Plug and Play ACPI device, IDs SYN1d22 PNP0f13 (active)
      i8042: PNP: PS/2 Controller [PNP0303:PS2K,PNP0f13:PS2M] at 0x60,0x64 irq 1,12
      serio: i8042 KBD port at 0x60,0x64 irq 1
      serio: i8042 AUX port at 0x60,0x64 irq 12
      input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input4
      psmouse serio1: synaptics: Touchpad model: 1, fw: 8.1, id: 0x1e2b1, caps: 0xd00123/0x840300/0x126800, board id: 2863, fw id: 1473085
      input: SynPS/2 Synaptics TouchPad as /devices/platform/i8042/serio1/input/input6
      
      dmidecode excerpt for this laptop is:
      
      Handle 0x0001, DMI type 1, 27 bytes
      System Information
              Manufacturer: Medion
              Product Name: Akoya E7225
              Version: 1.0
      Signed-off-by: default avatarJochen Hein <jochen@jochen.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      6633edfe
    • Peter Hutterer's avatar
      Input: synaptics - adjust min/max for Lenovo ThinkPad X1 Carbon 2nd · cc356228
      Peter Hutterer authored
      commit 8543cf1c upstream.
      
      LEN0037 found in the Lenovo ThinkPad X1 Carbon 2nd (2014 model)
      Reported-and-tested-by: default avatarBjoern Olausson <bjoern@olausson.de>
      Signed-off-by: default avatarPeter Hutterer <peter.hutterer@who-t.net>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      cc356228
    • Paul Osmialowski's avatar
      i2c: s3c2410: fix ABBA deadlock by keeping clock prepared · db51cc37
      Paul Osmialowski authored
      commit 34e81ad5 upstream.
      
      This patch solves deadlock between clock prepare mutex and regmap mutex reported
      by Tomasz Figa in [1] by implementing solution from [2]: "always leave the clock
      of the i2c controller in a prepared state".
      
      [1] https://lkml.org/lkml/2014/7/2/171
      [2] https://lkml.org/lkml/2014/7/2/207
      
      On each i2c transfer handled by s3c24xx_i2c_xfer(), clk_prepare_enable() was
      called, which calls clk_prepare() then clk_enable(). clk_prepare() takes
      prepare_lock mutex before proceeding. Note that i2c transfer functions are
      invoked from many places in kernel, typically with some other additional lock
      held.
      
      It may happen that function on CPU1 (e.g. regmap_update_bits()) has taken a
      mutex (i.e. regmap lock mutex) then it attempts i2c communication in order to
      proceed (so it needs to obtain clock related prepare_lock mutex during transfer
      preparation stage due to clk_prepare() call). At the same time other task on
      CPU0 wants to operate on clock (e.g. to (un)prepare clock for some other reason)
      so it has taken prepare_lock mutex.
      
      CPU0:                        CPU1:
      clk_disable_unused()         regulator_disable()
        clk_prepare_lock()           map->lock(map->lock_arg)
        regmap_read()                s3c24xx_i2c_xfer()
          map->lock(map->lock_arg)     clk_prepare_lock()
      
      Implemented solution from [2] leaves i2c clock prepared. Preparation is done in
      s3c24xx_i2c_probe() function. Without this patch, it is immediately unprepared
      by clk_disable_unprepare() call. I've replaced this call with clk_disable() and
      I've added clk_unprepare() call in s3c24xx_i2c_remove().
      
      The s3c24xx_i2c_xfer() function now uses clk_enable() instead of
      clk_prepare_enable() (and clk_disable() instead of clk_unprepare_disable()).
      Signed-off-by: default avatarPaul Osmialowski <p.osmialowsk@samsung.com>
      Reviewed-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      db51cc37
    • Ilya Dryomov's avatar
      rbd: drop parent_ref in rbd_dev_unprobe() unconditionally · 848ca9fd
      Ilya Dryomov authored
      commit e69b8d41 upstream.
      
      This effectively reverts the last hunk of 392a9dad ("rbd: detect
      when clone image is flattened").
      
      The problem with parent_overlap != 0 condition is that it's possible
      and completely valid to have an image with parent_overlap == 0 whose
      parent state needs to be cleaned up on unmap.  The next commit, which
      drops the "clone image now standalone" logic, opens up another window
      of opportunity to hit this, but even without it
      
          # cat parent-ref.sh
          #!/bin/bash
          rbd create --image-format 2 --size 1 foo
          rbd snap create foo@snap
          rbd snap protect foo@snap
          rbd clone foo@snap bar
          rbd resize --allow-shrink --size 0 bar
          rbd resize --size 1 bar
          DEV=$(rbd map bar)
          rbd unmap $DEV
      
      leaves rbd_device/rbd_spec/etc and rbd_client along with ceph_client
      hanging around.
      
      My thinking behind calling rbd_dev_parent_put() unconditionally is that
      there shouldn't be any requests in flight at that point in time as we
      are deep into unmap sequence.  Hence, even if rbd_dev_unparent() caused
      by flatten is delayed by in-flight requests, it will have finished by
      the time we reach rbd_dev_unprobe() caused by unmap, thus turning
      unconditional rbd_dev_parent_put() into a no-op.
      
      Fixes: http://tracker.ceph.com/issues/10352Signed-off-by: default avatarIlya Dryomov <idryomov@redhat.com>
      Reviewed-by: default avatarJosh Durgin <jdurgin@redhat.com>
      Reviewed-by: default avatarAlex Elder <elder@linaro.org>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      848ca9fd
    • Clemens Ladisch's avatar
      ALSA: seq-dummy: remove deadlock-causing events on close · 8b61ee53
      Clemens Ladisch authored
      commit 0767e95b upstream.
      
      When the last subscriber to a "Through" port has been removed, the
      subscribed destination ports might still be active, so it would be
      wrong to send "all sounds off" and "reset controller" events to them.
      The proper place for such a shutdown would be the closing of the actual
      MIDI port (and close_substream() in rawmidi.c already can do this).
      
      This also fixes a deadlock when dummy_unuse() tries to send events to
      its own port that is already locked because it is being freed.
      Reported-by: default avatarPeter Billam <peter@www.pjb.com.au>
      Signed-off-by: default avatarClemens Ladisch <clemens@ladisch.de>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      8b61ee53
    • Laurent Dufour's avatar
      powerpc/xmon: Fix another endiannes issue in RTAS call from xmon · b294d7b1
      Laurent Dufour authored
      commit e6eb2eba upstream.
      
      The commit 3b8a3c01 ("powerpc/pseries: Fix endiannes issue in RTAS
      call from xmon") was fixing an endianness issue in the call made from
      xmon to RTAS.
      
      However, as Michael Ellerman noticed, this fix was not complete, the
      token value was not byte swapped. This lead to call an unexpected and
      most of the time unexisting RTAS function, which is silently ignored by
      RTAS.
      
      This fix addresses this hole.
      Reported-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarLaurent Dufour <ldufour@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      b294d7b1
    • Ahmed S. Darwish's avatar
      can: kvaser_usb: Fix state handling upon BUS_ERROR events · a38a9696
      Ahmed S. Darwish authored
      commit e638642b upstream.
      
      While being in an ERROR_WARNING state, and receiving further
      bus error events with error counters still in the ERROR_WARNING
      range of 97-127 inclusive, the state handling code erroneously
      reverts back to ERROR_ACTIVE.
      
      Per the CAN standard, only revert to ERROR_ACTIVE when the
      error counters are less than 96.
      
      Moreover, in certain Kvaser models, the BUS_ERROR flag is
      always set along with undefined bits in the M16C status
      register. Thus use bitwise operators instead of full equality
      for checking that register against bus errors.
      Signed-off-by: default avatarAhmed S. Darwish <ahmed.darwish@valeo.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      a38a9696
    • Ahmed S. Darwish's avatar
      can: kvaser_usb: Retry the first bulk transfer on -ETIMEDOUT · 3d636550
      Ahmed S. Darwish authored
      commit 14c10c2a upstream.
      
      On some x86 laptops, plugging a Kvaser device again after an
      unplug makes the firmware always ignore the very first command.
      For such a case, provide some room for retries instead of
      completely exiting the driver init code.
      Signed-off-by: default avatarAhmed S. Darwish <ahmed.darwish@valeo.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      3d636550
    • Ahmed S. Darwish's avatar
      can: kvaser_usb: Send correct context to URB completion · 5738a842
      Ahmed S. Darwish authored
      commit 3803fa69 upstream.
      
      Send expected argument to the URB completion hander: a CAN
      netdevice instead of the network interface private context
      `kvaser_usb_net_priv'.
      
      This was discovered by having some garbage in the kernel
      log in place of the netdevice names: can0 and can1.
      Signed-off-by: default avatarAhmed S. Darwish <ahmed.darwish@valeo.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      5738a842
    • Ahmed S. Darwish's avatar
      can: kvaser_usb: Do not sleep in atomic context · 59383099
      Ahmed S. Darwish authored
      commit ded50066 upstream.
      
      Upon receiving a hardware event with the BUS_RESET flag set,
      the driver kills all of its anchored URBs and resets all of
      its transmit URB contexts.
      
      Unfortunately it does so under the context of URB completion
      handler `kvaser_usb_read_bulk_callback()', which is often
      called in an atomic context.
      
      While the device is flooded with many received error packets,
      usb_kill_urb() typically sleeps/reschedules till the transfer
      request of each killed URB in question completes, leading to
      the sleep in atomic bug. [3]
      
      In v2 submission of the original driver patch [1], it was
      stated that the URBs kill and tx contexts reset was needed
      since we don't receive any tx acknowledgments later and thus
      such resources will be locked down forever. Fortunately this
      is no longer needed since an earlier bugfix in this patch
      series is now applied: all tx URB contexts are reset upon CAN
      channel close. [2]
      
      Moreover, a BUS_RESET is now treated _exactly_ like a BUS_OFF
      event, which is the recommended handling method advised by
      the device manufacturer.
      
      [1] http://article.gmane.org/gmane.linux.network/239442
          http://www.webcitation.org/6Vr2yagAQ
      
      [2] can: kvaser_usb: Reset all URB tx contexts upon channel close
          889b77f7
      
      [3] Stacktrace:
      
       <IRQ>  [<ffffffff8158de87>] dump_stack+0x45/0x57
       [<ffffffff8158b60c>] __schedule_bug+0x41/0x4f
       [<ffffffff815904b1>] __schedule+0x5f1/0x700
       [<ffffffff8159360a>] ? _raw_spin_unlock_irqrestore+0xa/0x10
       [<ffffffff81590684>] schedule+0x24/0x70
       [<ffffffff8147d0a5>] usb_kill_urb+0x65/0xa0
       [<ffffffff81077970>] ? prepare_to_wait_event+0x110/0x110
       [<ffffffff8147d7d8>] usb_kill_anchored_urbs+0x48/0x80
       [<ffffffffa01f4028>] kvaser_usb_unlink_tx_urbs+0x18/0x50 [kvaser_usb]
       [<ffffffffa01f45d0>] kvaser_usb_rx_error+0xc0/0x400 [kvaser_usb]
       [<ffffffff8108b14a>] ? vprintk_default+0x1a/0x20
       [<ffffffffa01f5241>] kvaser_usb_read_bulk_callback+0x4c1/0x5f0 [kvaser_usb]
       [<ffffffff8147a73e>] __usb_hcd_giveback_urb+0x5e/0xc0
       [<ffffffff8147a8a1>] usb_hcd_giveback_urb+0x41/0x110
       [<ffffffffa0008748>] finish_urb+0x98/0x180 [ohci_hcd]
       [<ffffffff810cd1a7>] ? acct_account_cputime+0x17/0x20
       [<ffffffff81069f65>] ? local_clock+0x15/0x30
       [<ffffffffa000a36b>] ohci_work+0x1fb/0x5a0 [ohci_hcd]
       [<ffffffff814fbb31>] ? process_backlog+0xb1/0x130
       [<ffffffffa000cd5b>] ohci_irq+0xeb/0x270 [ohci_hcd]
       [<ffffffff81479fc1>] usb_hcd_irq+0x21/0x30
       [<ffffffff8108bfd3>] handle_irq_event_percpu+0x43/0x120
       [<ffffffff8108c0ed>] handle_irq_event+0x3d/0x60
       [<ffffffff8108ec84>] handle_fasteoi_irq+0x74/0x110
       [<ffffffff81004dfd>] handle_irq+0x1d/0x30
       [<ffffffff81004727>] do_IRQ+0x57/0x100
       [<ffffffff8159482a>] common_interrupt+0x6a/0x6a
      Signed-off-by: default avatarAhmed S. Darwish <ahmed.darwish@valeo.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      59383099