1. 13 Sep, 2014 40 commits
    • Patrick Riphagen's avatar
      USB: serial: ftdi_sio: Add support for new Xsens devices · 5547c8a6
      Patrick Riphagen authored
      commit 4bdcde35 upstream.
      
      This adds support for new Xsens devices, using Xsens' own Vendor ID.
      Signed-off-by: default avatarPatrick Riphagen <patrick.riphagen@xsens.com>
      Signed-off-by: default avatarFrans Klaver <frans.klaver@xsens.com>
      Cc: Johan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5547c8a6
    • Patrick Riphagen's avatar
      USB: serial: ftdi_sio: Annotate the current Xsens PID assignments · f1a1b8a2
      Patrick Riphagen authored
      commit 9273b8a2 upstream.
      
      The converters are used in specific products. It can be useful to know
      which they are exactly.
      Signed-off-by: default avatarPatrick Riphagen <patrick.riphagen@xsens.com>
      Signed-off-by: default avatarFrans Klaver <frans.klaver@xsens.com>
      Cc: Johan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f1a1b8a2
    • Paul Moore's avatar
      netlabel: fix a problem when setting bits below the previously lowest bit · 33401ce9
      Paul Moore authored
      commit 41c3bd20 upstream.
      
      The NetLabel category (catmap) functions have a problem in that they
      assume categories will be set in an increasing manner, e.g. the next
      category set will always be larger than the last.  Unfortunately, this
      is not a valid assumption and could result in problems when attempting
      to set categories less than the startbit in the lowest catmap node.
      In some cases kernel panics and other nasties can result.
      
      This patch corrects the problem by checking for this and allocating a
      new catmap node instance and placing it at the front of the list.
      Reported-by: default avatarChristian Evans <frodox@zoho.com>
      Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
      Tested-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      [bwh: Backported to 3.2: adjust filename for SMACK]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      33401ce9
    • Dan Carpenter's avatar
      netlabel: use GFP flags from caller instead of GFP_ATOMIC · 908964e5
      Dan Carpenter authored
      commit 64b5fad5 upstream.
      
      This function takes a GFP flags as a parameter, but they are never used.
      We don't take a lock in this function so there is no reason to prefer
      GFP_ATOMIC over the caller's GFP flags.
      
      There is only one caller, cipso_v4_map_cat_rng_ntoh(), and it passes
      GFP_ATOMIC as the GFP flags so this doesn't change how the code works.
      It's just a cleanup.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      908964e5
    • Jeremy Vial's avatar
      ARM: OMAP3: Fix choice of omap3_restore_es function in OMAP34XX rev3.1.2 case. · 8977e721
      Jeremy Vial authored
      commit 9b5f7428 upstream.
      
      According to the comment “restore_es3: applies to 34xx >= ES3.0" in
      "arch/arm/mach-omap2/sleep34xx.S”, omap3_restore_es3 should be used
      if the revision of an OMAP34xx is ES3.1.2.
      Signed-off-by: default avatarJeremy Vial <jvial@adeneo-embedded.com>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8977e721
    • Eric W. Biederman's avatar
      mnt: Change the default remount atime from relatime to the existing value · 24a26ff9
      Eric W. Biederman authored
      commit ffbc6f0e upstream.
      
      Since March 2009 the kernel has treated the state that if no
      MS_..ATIME flags are passed then the kernel defaults to relatime.
      
      Defaulting to relatime instead of the existing atime state during a
      remount is silly, and causes problems in practice for people who don't
      specify any MS_...ATIME flags and to get the default filesystem atime
      setting.  Those users may encounter a permission error because the
      default atime setting does not work.
      
      A default that does not work and causes permission problems is
      ridiculous, so preserve the existing value to have a default
      atime setting that is always guaranteed to work.
      
      Using the default atime setting in this way is particularly
      interesting for applications built to run in restricted userspace
      environments without /proc mounted, as the existing atime mount
      options of a filesystem can not be read from /proc/mounts.
      
      In practice this fixes user space that uses the default atime
      setting on remount that are broken by the permission checks
      keeping less privileged users from changing more privileged users
      atime settings.
      Acked-by: default avatarSerge E. Hallyn <serge.hallyn@ubuntu.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      [bwh: Backported to 3.2: add definition of MNT_ATIME_MASK, as we don't
       need the fix that introduced that definition upstream]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      24a26ff9
    • Milan Broz's avatar
      crypto: af_alg - properly label AF_ALG socket · b446ad53
      Milan Broz authored
      commit 4c63f83c upstream.
      
      Th AF_ALG socket was missing a security label (e.g. SELinux)
      which means that socket was in "unlabeled" state.
      
      This was recently demonstrated in the cryptsetup package
      (cryptsetup v1.6.5 and later.)
      See https://bugzilla.redhat.com/show_bug.cgi?id=1115120
      
      This patch clones the sock's label from the parent sock
      and resolves the issue (similar to AF_BLUETOOTH protocol family).
      Signed-off-by: default avatarMilan Broz <gmazyland@gmail.com>
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b446ad53
    • Jeffrey Deans's avatar
      MIPS: GIC: Prevent array overrun · 43b781e0
      Jeffrey Deans authored
      commit ffc8415a upstream.
      
      A GIC interrupt which is declared as having a GIC_MAP_TO_NMI_MSK
      mapping causes the cpu parameter to gic_setup_intr() to be increased
      to 32, causing memory corruption when pcpu_masks[] is written to again
      later in the function.
      Signed-off-by: default avatarJeffrey Deans <jeffrey.deans@imgtec.com>
      Signed-off-by: default avatarMarkos Chandras <markos.chandras@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/7375/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      43b781e0
    • Axel Lin's avatar
      hwmon: (amc6821) Fix possible race condition bug · 3e6d3af6
      Axel Lin authored
      commit cf44819c upstream.
      
      Ensure mutex lock protects the read-modify-write period to prevent possible
      race condition bug.
      In additional, update data->valid should also be protected by the mutex lock.
      Signed-off-by: default avatarAxel Lin <axel.lin@ingics.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3e6d3af6
    • Sachin Kamat's avatar
      hwmon: (amc6821) Fix return value · 0719a7b8
      Sachin Kamat authored
      commit 3499e5b2 upstream.
      
      Propagate return value obtained from i2c_smbus_read_byte_data()
      instead of hardcoding.
      Signed-off-by: default avatarSachin Kamat <sachin.kamat@linaro.org>
      Cc: T. Mertelj <tomaz.mertelj@guest.arnes.si>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0719a7b8
    • Guenter Roeck's avatar
      hwmon: (lm78) Fix overflow problems seen when writing large temperature limits · 48371f90
      Guenter Roeck authored
      commit 1074d683 upstream.
      
      On platforms with sizeof(int) < sizeof(long), writing a temperature
      limit larger than MAXINT will result in unpredictable limit values
      written to the chip. Avoid auto-conversion from long to int to fix
      the problem.
      
      Cc: Axel Lin <axel.lin@ingics.com>
      Reviewed-by: default avatarAxel Lin <axel.lin@ingics.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      48371f90
    • Guenter Roeck's avatar
      hwmon: (lm85) Fix various errors on attribute writes · d02ae215
      Guenter Roeck authored
      commit 3248c3b7 upstream.
      
      Temperature limit register writes did not account for negative numbers.
      As a result, writing -127000 resulted in -126000 written into the
      temperature limit register. This problem affected temp[1-3]_min,
      temp[1-3]_max, temp[1-3]_auto_temp_crit, and temp[1-3]_auto_temp_min.
      
      When writing pwm[1-3]_freq, a long variable was auto-converted into an int
      without range check. Wiring values larger than MAXINT resulted in unexpected
      register values.
      
      When writing temp[1-3]_auto_temp_max, an unsigned long variable was
      auto-converted into an int without range check. Writing values larger than
      MAXINT resulted in unexpected register values.
      
      vrm is an u8, so the written value needs to be limited to [0, 255].
      
      Cc: Axel Lin <axel.lin@ingics.com>
      Reviewed-by: default avatarAxel Lin <axel.lin@ingics.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      [bwh: Backported to 3.2:
       - Driver is not using clamp_val(); keep using SENSORS_LIMIT() for consistency
       - Driver is not using kstrtoul(); make the minimum change to store_vrm_reg()
         so we can validate the value before assigning]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d02ae215
    • Theodore Ts'o's avatar
      ext4: fix ext4_discard_allocated_blocks() if we can't allocate the pa struct · 5024a6ef
      Theodore Ts'o authored
      commit 86f0afd4 upstream.
      
      If there is a failure while allocating the preallocation structure, a
      number of blocks can end up getting marked in the in-memory buddy
      bitmap, and then not getting released.  This can result in the
      following corruption getting reported by the kernel:
      
      EXT4-fs error (device sda3): ext4_mb_generate_buddy:758: group 1126,
      12793 clusters in bitmap, 12729 in gd
      
      In that case, we need to release the blocks using mb_free_blocks().
      
      Tested: fs smoke test; also demonstrated that with injected errors,
      	the file system is no longer getting corrupted
      
      Google-Bug-Id: 16657874
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5024a6ef
    • Zheng Liu's avatar
      ext4: cleanup in ext4_discard_allocated_blocks() · 6f98bebd
      Zheng Liu authored
      commit 400db9d3 upstream.
      
      remove 'len' variable in ext4_discard_allocated_blocks() because it is
      useless.
      Signed-off-by: default avatarZheng Liu <wenqing.lz@taobao.com>
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6f98bebd
    • NeilBrown's avatar
      md/raid1,raid10: always abort recover on write error. · 9a28f9e6
      NeilBrown authored
      commit 2446dba0 upstream.
      
      Currently we don't abort recovery on a write error if the write error
      to the recovering device was triggerd by normal IO (as opposed to
      recovery IO).
      
      This means that for one bitmap region, the recovery might write to the
      recovering device for a few sectors, then not bother for subsequent
      sectors (as it never writes to failed devices).  In this case
      the bitmap bit will be cleared, but it really shouldn't.
      
      The result is that if the recovering device fails and is then re-added
      (after fixing whatever hardware problem triggerred the failure),
      the second recovery won't redo the region it was in the middle of,
      so some of the device will not be recovered properly.
      
      If we abort the recovery, the region being processes will be cancelled
      (bit not cleared) and the whole region will be retried.
      
      As the bug can result in data corruption the patch is suitable for
      -stable.  For kernels prior to 3.11 there is a conflict in raid10.c
      which will require care.
      
      Original-from: jiao hui <jiaohui@bwstor.com.cn>
      Reported-and-tested-by: default avatarjiao hui <jiaohui@bwstor.com.cn>
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9a28f9e6
    • David Rientjes's avatar
      mm, thp: do not allow thp faults to avoid cpuset restrictions · 74eb879f
      David Rientjes authored
      commit b104a35d upstream.
      
      The page allocator relies on __GFP_WAIT to determine if ALLOC_CPUSET
      should be set in allocflags.  ALLOC_CPUSET controls if a page allocation
      should be restricted only to the set of allowed cpuset mems.
      
      Transparent hugepages clears __GFP_WAIT when defrag is disabled to prevent
      the fault path from using memory compaction or direct reclaim.  Thus, it
      is unfairly able to allocate outside of its cpuset mems restriction as a
      side-effect.
      
      This patch ensures that ALLOC_CPUSET is only cleared when the gfp mask is
      truly GFP_ATOMIC by verifying it is also not a thp allocation.
      Signed-off-by: default avatarDavid Rientjes <rientjes@google.com>
      Reported-by: default avatarAlex Thorlton <athorlton@sgi.com>
      Tested-by: default avatarAlex Thorlton <athorlton@sgi.com>
      Cc: Bob Liu <lliubbo@gmail.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Hedi Berriche <hedi@sgi.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Rik van Riel <riel@redhat.com>
      Cc: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      74eb879f
    • Paul Burton's avatar
      MIPS: Prevent user from setting FCSR cause bits · 5aa0e65c
      Paul Burton authored
      commit b1442d39 upstream.
      
      If one or more matching FCSR cause & enable bits are set in saved thread
      context then when that context is restored the kernel will take an FP
      exception. This is of course undesirable and considered an oops, leading
      to the kernel writing a backtrace to the console and potentially
      rebooting depending upon the configuration. Thus the kernel avoids this
      situation by clearing the cause bits of the FCSR register when handling
      FP exceptions and after emulating FP instructions.
      
      However the kernel does not prevent userland from setting arbitrary FCSR
      cause & enable bits via ptrace, using either the PTRACE_POKEUSR or
      PTRACE_SETFPREGS requests. This means userland can trivially cause the
      kernel to oops on any system with an FPU. Prevent this from happening
      by clearing the cause bits when writing to the saved FCSR context via
      ptrace.
      
      This problem appears to exist at least back to the beginning of the git
      era in the PTRACE_POKEUSR case.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: Paul Burton <paul.burton@imgtec.com>
      Patchwork: https://patchwork.linux-mips.org/patch/7438/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5aa0e65c
    • Huacai Chen's avatar
      MIPS: tlbex: Fix a missing statement for HUGETLB · 159abeca
      Huacai Chen authored
      commit 8393c524 upstream.
      
      In commit 2c8c53e2 (MIPS: Optimize TLB handlers for Octeon CPUs)
      build_r4000_tlb_refill_handler() is modified. But it doesn't compatible
      with the original code in HUGETLB case. Because there is a copy & paste
      error and one line of code is missing. It is very easy to produce a bug
      with LTP's hugemmap05 test.
      Signed-off-by: default avatarHuacai Chen <chenhc@lemote.com>
      Signed-off-by: default avatarBinbin Zhou <zhoubb@lemote.com>
      Cc: John Crispin <john@phrozen.org>
      Cc: Steven J. Hill <Steven.Hill@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: Fuxin Zhang <zhangfx@lemote.com>
      Cc: Zhangjin Wu <wuzhangjin@gmail.com>
      Patchwork: https://patchwork.linux-mips.org/patch/7496/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      159abeca
    • Axel Lin's avatar
      hwmon: (ads1015) Fix off-by-one for valid channel index checking · 395166a4
      Axel Lin authored
      commit 56de1377 upstream.
      
      Current code uses channel as array index, so the valid channel value is
      0 .. ADS1015_CHANNELS - 1.
      Signed-off-by: default avatarAxel Lin <axel.lin@ingics.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      395166a4
    • Jason Gunthorpe's avatar
      tpm: Provide a generic means to override the chip returned timeouts · 0f7e814c
      Jason Gunthorpe authored
      commit 8e54caf4 upstream.
      
      Some Atmel TPMs provide completely wrong timeouts from their
      TPM_CAP_PROP_TIS_TIMEOUT query. This patch detects that and returns
      new correct values via a DID/VID table in the TIS driver.
      
      Tested on ARM using an AT97SC3204T FW version 37.16
      
      [PHuewe: without this fix these 'broken' Atmel TPMs won't function on
      older kernels]
      Signed-off-by: default avatar"Berg, Christopher" <Christopher.Berg@atmel.com>
      Signed-off-by: default avatarJason Gunthorpe <jgunthorpe@obsidianresearch.com>
      Signed-off-by: default avatarPeter Huewe <peterhuewe@gmx.de>
      [bwh: Backported to 3.2:
       - Adjust filename, context
       - s/chip->ops->/chip->vendor./]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0f7e814c
    • Andrey Ryabinin's avatar
      net: sendmsg: fix NULL pointer dereference · 3f3067bb
      Andrey Ryabinin authored
      commit 40eea803 upstream.
      
      Sasha's report:
      	> While fuzzing with trinity inside a KVM tools guest running the latest -next
      	> kernel with the KASAN patchset, I've stumbled on the following spew:
      	>
      	> [ 4448.949424] ==================================================================
      	> [ 4448.951737] AddressSanitizer: user-memory-access on address 0
      	> [ 4448.952988] Read of size 2 by thread T19638:
      	> [ 4448.954510] CPU: 28 PID: 19638 Comm: trinity-c76 Not tainted 3.16.0-rc4-next-20140711-sasha-00046-g07d3099-dirty #813
      	> [ 4448.956823]  ffff88046d86ca40 0000000000000000 ffff880082f37e78 ffff880082f37a40
      	> [ 4448.958233]  ffffffffb6e47068 ffff880082f37a68 ffff880082f37a58 ffffffffb242708d
      	> [ 4448.959552]  0000000000000000 ffff880082f37a88 ffffffffb24255b1 0000000000000000
      	> [ 4448.961266] Call Trace:
      	> [ 4448.963158] dump_stack (lib/dump_stack.c:52)
      	> [ 4448.964244] kasan_report_user_access (mm/kasan/report.c:184)
      	> [ 4448.965507] __asan_load2 (mm/kasan/kasan.c:352)
      	> [ 4448.966482] ? netlink_sendmsg (net/netlink/af_netlink.c:2339)
      	> [ 4448.967541] netlink_sendmsg (net/netlink/af_netlink.c:2339)
      	> [ 4448.968537] ? get_parent_ip (kernel/sched/core.c:2555)
      	> [ 4448.970103] sock_sendmsg (net/socket.c:654)
      	> [ 4448.971584] ? might_fault (mm/memory.c:3741)
      	> [ 4448.972526] ? might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3740)
      	> [ 4448.973596] ? verify_iovec (net/core/iovec.c:64)
      	> [ 4448.974522] ___sys_sendmsg (net/socket.c:2096)
      	> [ 4448.975797] ? put_lock_stats.isra.13 (./arch/x86/include/asm/preempt.h:98 kernel/locking/lockdep.c:254)
      	> [ 4448.977030] ? lock_release_holdtime (kernel/locking/lockdep.c:273)
      	> [ 4448.978197] ? lock_release_non_nested (kernel/locking/lockdep.c:3434 (discriminator 1))
      	> [ 4448.979346] ? check_chain_key (kernel/locking/lockdep.c:2188)
      	> [ 4448.980535] __sys_sendmmsg (net/socket.c:2181)
      	> [ 4448.981592] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
      	> [ 4448.982773] ? trace_hardirqs_on (kernel/locking/lockdep.c:2607)
      	> [ 4448.984458] ? syscall_trace_enter (arch/x86/kernel/ptrace.c:1500 (discriminator 2))
      	> [ 4448.985621] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2600)
      	> [ 4448.986754] SyS_sendmmsg (net/socket.c:2201)
      	> [ 4448.987708] tracesys (arch/x86/kernel/entry_64.S:542)
      	> [ 4448.988929] ==================================================================
      
      This reports means that we've come to netlink_sendmsg() with msg->msg_name == NULL and msg->msg_namelen > 0.
      
      After this report there was no usual "Unable to handle kernel NULL pointer dereference"
      and this gave me a clue that address 0 is mapped and contains valid socket address structure in it.
      
      This bug was introduced in f3d33426
      (net: rework recvmsg handler msg_name and msg_namelen logic).
      Commit message states that:
      	"Set msg->msg_name = NULL if user specified a NULL in msg_name but had a
      	 non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't
      	 affect sendto as it would bail out earlier while trying to copy-in the
      	 address."
      But in fact this affects sendto when address 0 is mapped and contains
      socket address structure in it. In such case copy-in address will succeed,
      verify_iovec() function will successfully exit with msg->msg_namelen > 0
      and msg->msg_name == NULL.
      
      This patch fixes it by setting msg_namelen to 0 if msg_name == NULL.
      
      Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Cc: Eric Dumazet <edumazet@google.com>
      Reported-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Signed-off-by: default avatarAndrey Ryabinin <a.ryabinin@samsung.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3f3067bb
    • Alex Williamson's avatar
      iommu/vt-d: Exclude devices using RMRRs from IOMMU API domains · cb3a0657
      Alex Williamson authored
      commit c875d2c1 upstream.
      
      The user of the IOMMU API domain expects to have full control of
      the IOVA space for the domain.  RMRRs are fundamentally incompatible
      with that idea.  We can neither map the RMRR into the IOMMU API
      domain, nor can we guarantee that the device won't continue DMA with
      the area described by the RMRR as part of the new domain.  Therefore
      we must prevent such devices from being used by the IOMMU API.
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Cc: David Woodhouse <dwmw2@infradead.org>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      [bwh: Backported to 3.2: driver only operates on PCI devices]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cb3a0657
    • Linus Torvalds's avatar
      Fix gcc-4.9.0 miscompilation of load_balance() in scheduler · 03ee4d69
      Linus Torvalds authored
      commit 2062afb4 upstream.
      
      Michel Dänzer and a couple of other people reported inexplicable random
      oopses in the scheduler, and the cause turns out to be gcc mis-compiling
      the load_balance() function when debugging is enabled.  The gcc bug
      apparently goes back to gcc-4.5, but slight optimization changes means
      that it now showed up as a problem in 4.9.0 and 4.9.1.
      
      The instruction scheduling problem causes gcc to schedule a spill
      operation to before the stack frame has been created, which in turn can
      corrupt the spilled value if an interrupt comes in.  There may be other
      effects of this bug too, but that's the code generation problem seen in
      Michel's case.
      
      This is fixed in current gcc HEAD, but the workaround as suggested by
      Markus Trippelsdorf is pretty simple: use -fno-var-tracking-assignments
      when compiling the kernel, which disables the gcc code that causes the
      problem.  This can result in slightly worse debug information for
      variable accesses, but that is infinitely preferable to actual code
      generation problems.
      
      Doing this unconditionally (not just for CONFIG_DEBUG_INFO) also allows
      non-debug builds to verify that the debug build would be identical: we
      can do
      
          export GCC_COMPARE_DEBUG=1
      
      to make gcc internally verify that the result of the build is
      independent of the "-g" flag (it will make the compiler build everything
      twice, toggling the debug flag, and compare the results).
      
      Without the "-fno-var-tracking-assignments" option, the build would fail
      (even with 4.8.3 that didn't show the actual stack frame bug) with a gcc
      compare failure.
      
      See also gcc bugzilla:
      
        https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61801Reported-by: default avatarMichel Dänzer <michel@daenzer.net>
      Suggested-by: default avatarMarkus Trippelsdorf <markus@trippelsdorf.de>
      Cc: Jakub Jelinek <jakub@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      03ee4d69
    • K. Y. Srinivasan's avatar
      Drivers: scsi: storvsc: Implement a eh_timed_out handler · 5519f195
      K. Y. Srinivasan authored
      commit 56b26e69 upstream.
      
      On Azure, we have seen instances of unbounded I/O latencies. To deal with
      this issue, implement handler that can reset the timeout. Note that the
      host gaurantees that it will respond to each command that has been issued.
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.de>
      [hch: added a better comment explaining the issue]
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      [bwh: Backported to 3.2: adjust filename, context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5519f195
    • Stephen M. Cameron's avatar
      hpsa: fix bad -ENOMEM return value in hpsa_big_passthru_ioctl · b1b82e6b
      Stephen M. Cameron authored
      commit 0758f4f7 upstream.
      
      When copy_from_user fails, return -EFAULT, not -ENOMEM
      Signed-off-by: default avatarStephen M. Cameron <scameron@beardog.cce.hp.com>
      Reported-by: default avatarRobert Elliott <elliott@hp.com>
      Reviewed-by: default avatarJoe Handzik <joseph.t.handzik@hp.com>
      Reviewed-by: default avatarScott Teel <scott.teel@hp.com>
      Reviewed by: Mike MIller <michael.miller@canonical.com>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b1b82e6b
    • Ben Hutchings's avatar
      bfa: Fix undefined bit shift on big-endian architectures with 32-bit DMA address · 5d0c0f58
      Ben Hutchings authored
      commit 03a6c3ff upstream.
      
      bfa_swap_words() shifts its argument (assumed to be 64-bit) by 32 bits
      each way.  In two places the argument type is dma_addr_t, which may be
      32-bit, in which case the effect of the bit shift is undefined:
      
      drivers/scsi/bfa/bfa_fcpim.c: In function 'bfa_ioim_send_ioreq':
      drivers/scsi/bfa/bfa_fcpim.c:2497:4: warning: left shift count >= width of type [enabled by default]
          addr = bfa_sgaddr_le(sg_dma_address(sg));
          ^
      drivers/scsi/bfa/bfa_fcpim.c:2497:4: warning: right shift count >= width of type [enabled by default]
      drivers/scsi/bfa/bfa_fcpim.c:2509:4: warning: left shift count >= width of type [enabled by default]
          addr = bfa_sgaddr_le(sg_dma_address(sg));
          ^
      drivers/scsi/bfa/bfa_fcpim.c:2509:4: warning: right shift count >= width of type [enabled by default]
      
      Avoid this by adding casts to u64 in bfa_swap_words().
      
      Compile-tested only.
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Acked-by: default avatarAnil Gurumurthy <anil.gurumurthy@qlogic.com>
      Fixes: f16a1750 ('[SCSI] bfa: remove all OS wrappers')
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      5d0c0f58
    • Malcolm Priestley's avatar
      staging: vt6655: Fix disassociated messages every 10 seconds · 2127d02b
      Malcolm Priestley authored
      commit 4aa0abed upstream.
      
      byReAssocCount is incremented every second resulting in
      disassociated message being send every 10 seconds whether
      connection or not.
      
      byReAssocCount should only advance while eCommandState
      is in WLAN_ASSOCIATE_WAIT
      
      Change existing scope to if condition.
      Signed-off-by: default avatarMalcolm Priestley <tvboxspy@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust context, indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2127d02b
    • Malcolm Priestley's avatar
      staging: vt6655: Fix Warning on boot handle_irq_event_percpu. · 7d526a2b
      Malcolm Priestley authored
      commit 6cff1f6a upstream.
      
      WARNING: CPU: 0 PID: 929 at /home/apw/COD/linux/kernel/irq/handle.c:147 handle_irq_event_percpu+0x1d1/0x1e0()
      irq 17 handler device_intr+0x0/0xa80 [vt6655_stage] enabled interrupts
      
      Using spin_lock_irqsave appears to fix this.
      Signed-off-by: default avatarMalcolm Priestley <tvboxspy@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: adjust context, indentation]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7d526a2b
    • Guenter Roeck's avatar
      hwmon: (smsc47m192) Fix temperature limit and vrm write operations · 00cab884
      Guenter Roeck authored
      commit 043572d5 upstream.
      
      Temperature limit clamps are applied after converting the temperature
      from milli-degrees C to degrees C, so either the clamp limit needs
      to be specified in degrees C, not milli-degrees C, or clamping must
      happen before converting to degrees C. Use the latter method to avoid
      overflows.
      
      vrm is an u8, so the written value needs to be limited to [0, 255].
      
      Cc: Axel Lin <axel.lin@ingics.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Reviewed-by: default avatarJean Delvare <jdelvare@suse.de>
      [bwh: Backported to 3.2:
       - Driver is not using clamp_val(); keep using SENSORS_LIMIT() for consistency
       - Driver is not using kstrtoul(); make the minimum change to set_vrm() so
         we can validate the value before assigning]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      00cab884
    • Christian König's avatar
      drm/radeon: fix irq ring buffer overflow handling · c1dd1fd9
      Christian König authored
      commit e8c214d2 upstream.
      
      We must mask out the overflow bit as well, otherwise
      the wptr will never match the rptr again and the interrupt
      handler will loop forever.
      Signed-off-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Reviewed-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      [bwh: Backported to 3.2: drop changes for unsupported GPUs]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      c1dd1fd9
    • Pratyush Anand's avatar
      USB: Fix persist resume of some SS USB devices · 7a0d07fb
      Pratyush Anand authored
      commit a40178b2 upstream.
      
      Problem Summary: Problem has been observed generally with PM states
      where VBUS goes off during suspend. There are some SS USB devices which
      take longer time for link training compared to many others.  Such
      devices fail to reconnect with same old address which was associated
      with it before suspend.
      
      When system resumes, at some point of time (dpm_run_callback->
      usb_dev_resume->usb_resume->usb_resume_both->usb_resume_device->
      usb_port_resume) SW reads hub status. If device is present,
      then it finishes port resume and re-enumerates device with same
      address. If device is not present then, SW thinks that device was
      removed during suspend and therefore does logical disconnection
      and removes all the resource allocated for this device.
      
      Now, if I put sufficient delay just before root hub status read in
      usb_resume_device then, SW sees always that device is present. In normal
      course(without any delay) SW sees that no device is present and then SW
      removes all resource associated with the device at this port.  In the
      latter case, after sometime, device says that hey I am here, now host
      enumerates it, but with new address.
      
      Problem had been reproduced when I connect verbatim USB3.0 hard disc
      with my STiH407 XHCI host running with 3.10 kernel.
      
      I see that similar problem has been reported here.
      https://bugzilla.kernel.org/show_bug.cgi?id=53211
      Reading above it seems that bug was not in 3.6.6 and was present in 3.8
      and again it was not present for some in 3.12.6, while it was present
      for few others. I tested with 3.13-FC19 running at i686 desktop, problem
      was still there. However, I was failed to reproduce it with 3.16-RC4
      running at same i686 machine. I would say it is just a random
      observation. Problem for few devices is always there, as I am unable to
      find a proper fix for the issue.
      
      So, now question is what should be the amount of delay so that host is
      always able to recognize suspended device after resume.
      
      XHCI specs 4.19.4 says that when Link training is successful, port sets
      CSC bit to 1. So if SW reads port status before successful link
      training, then it will not find device to be present.  USB Analyzer log
      with such buggy devices show that in some cases device switch on the
      RX termination after long delay of host enabling the VBUS. In few other
      cases it has been seen that device fails to negotiate link training in
      first attempt. It has been reported till now that few devices take as
      long as 2000 ms to train the link after host enabling its VBUS and
      RX termination. This patch implements a 2000 ms timeout for CSC bit to set
      ie for link training. If in a case link trains before timeout, loop will
      exit earlier.
      
      This patch implements above delay, but only for SS device and when
      persist is enabled.
      
      So, for the good device overhead is almost none. While for the bad
      devices penalty could be the time which it take for link training.
      But, If a device was connected before suspend, and was removed
      while system was asleep, then the penalty would be the timeout ie
      2000 ms.
      
      Results:
      
      Verbatim USB SS hard disk connected with STiH407 USB host running 3.10
      Kernel resumes in 461 msecs without this patch, but hard disk is
      assigned a new device address. Same system resumes in 790 msecs with
      this patch, but with old device address.
      Signed-off-by: default avatarPratyush Anand <pratyush.anand@st.com>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      7a0d07fb
    • Oliver Neukum's avatar
      usbcore: don't log on consecutive debounce failures of the same port · 9b627762
      Oliver Neukum authored
      commit 5ee0f803 upstream.
      
      Some laptops have an internal port for a BT device which picks
      up noise when the kill switch is used, but not enough to trigger
      printk_rlimit(). So we shouldn't log consecutive faults of this kind.
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2:
       - Adjust context
       - Error message already includes the port number]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9b627762
    • Romain Degez's avatar
      ahci: add support for the Promise FastTrak TX8660 SATA HBA (ahci mode) · 784e6a38
      Romain Degez authored
      commit b32bfc06 upstream.
      
      Add support of the Promise FastTrak TX8660 SATA HBA in ahci mode by
      registering the board in the ahci_pci_tbl[].
      
      Note: this HBA also provide a hardware RAID mode when activated in
      BIOS but specific drivers from the manufacturer are required in this
      case.
      Signed-off-by: default avatarRomain Degez <romain.degez@gmail.com>
      Tested-by: default avatarRomain Degez <romain.degez@gmail.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      784e6a38
    • Alan Stern's avatar
      USB: OHCI: don't lose track of EDs when a controller dies · bb013738
      Alan Stern authored
      commit 977dcfdc upstream.
      
      This patch fixes a bug in ohci-hcd.  When an URB is unlinked, the
      corresponding Endpoint Descriptor is added to the ed_rm_list and taken
      off the hardware schedule.  Once the ED is no longer visible to the
      hardware, finish_unlinks() handles the URBs that were unlinked or have
      completed.  If any URBs remain attached to the ED, the ED is added
      back to the hardware schedule -- but only if the controller is
      running.
      
      This fails when a controller dies.  A non-empty ED does not get added
      back to the hardware schedule and does not remain on the ed_rm_list;
      ohci-hcd loses track of it.  The remaining URBs cannot be unlinked,
      which causes the USB stack to hang.
      
      The patch changes finish_unlinks() so that non-empty EDs remain on
      the ed_rm_list if the controller isn't running.  This requires moving
      some of the existing code around, to avoid modifying the ED's hardware
      fields more than once.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [bwh: Backported to 3.2: keep using HC_IS_RUNNING()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bb013738
    • James Bottomley's avatar
      scsi: handle flush errors properly · 85cf4736
      James Bottomley authored
      commit 89fb4cd1 upstream.
      
      Flush commands don't transfer data and thus need to be special cased
      in the I/O completion handler so that we can propagate errors to
      the block layer and filesystem.
      Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Reported-by: default avatarSteven Haber <steven@qumulo.com>
      Tested-by: default avatarSteven Haber <steven@qumulo.com>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      85cf4736
    • Vladimir Davydov's avatar
      Bluetooth: never linger on process exit · 07dd3b62
      Vladimir Davydov authored
      commit 093facf3 upstream.
      
      If the current process is exiting, lingering on socket close will make
      it unkillable, so we should avoid it.
      
      Reproducer:
      
        #include <sys/types.h>
        #include <sys/socket.h>
      
        #define BTPROTO_L2CAP   0
        #define BTPROTO_SCO     2
        #define BTPROTO_RFCOMM  3
      
        int main()
        {
                int fd;
                struct linger ling;
      
                fd = socket(PF_BLUETOOTH, SOCK_STREAM, BTPROTO_RFCOMM);
                //or: fd = socket(PF_BLUETOOTH, SOCK_DGRAM, BTPROTO_L2CAP);
                //or: fd = socket(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_SCO);
      
                ling.l_onoff = 1;
                ling.l_linger = 1000000000;
                setsockopt(fd, SOL_SOCKET, SO_LINGER, &ling, sizeof(ling));
      
                return 0;
        }
      Signed-off-by: default avatarVladimir Davydov <vdavydov@parallels.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      07dd3b62
    • Christoph Schulz's avatar
      x86: don't exclude low BIOS area when allocating address space for non-PCI cards · 209dc6f6
      Christoph Schulz authored
      commit cbace46a upstream.
      
      Commit 30919b0b ("x86: avoid low BIOS area when allocating address
      space") moved the test for resource allocations that fall within the first
      1MB of address space from the PCI-specific path to a generic path, such
      that all resource allocations will avoid this area.  However, this breaks
      ISA cards which need to allocate a memory region within the first 1MB.  An
      example is the i82365 PCMCIA controller and derivatives like the Ricoh
      RF5C296/396 which map part of the PCMCIA socket memory address space into
      the first 1MB of system memory address space.  They do not work anymore as
      no usable memory region exists due to this change:
      
        Intel ISA PCIC probe: Ricoh RF5C296/396 ISA-to-PCMCIA at port 0x3e0 ofs 0x00, 2 sockets
        host opts [0]: none
        host opts [1]: none
        ISA irqs (scanned) = 3,4,5,9,10 status change on irq 10
        pcmcia_socket pcmcia_socket1: pccard: PCMCIA card inserted into slot 1
        pcmcia_socket pcmcia_socket0: cs: IO port probe 0xc00-0xcff: excluding 0xcf8-0xcff
        pcmcia_socket pcmcia_socket0: cs: IO port probe 0xa00-0xaff: clean.
        pcmcia_socket pcmcia_socket0: cs: IO port probe 0x100-0x3ff: excluding 0x170-0x177 0x1f0-0x1f7 0x2f8-0x2ff 0x370-0x37f 0x3c0-0x3e7 0x3f0-0x3ff
        pcmcia_socket pcmcia_socket0: cs: memory probe 0x0a0000-0x0affff: excluding 0xa0000-0xaffff
        pcmcia_socket pcmcia_socket0: cs: memory probe 0x0b0000-0x0bffff: excluding 0xb0000-0xbffff
        pcmcia_socket pcmcia_socket0: cs: memory probe 0x0c0000-0x0cffff: excluding 0xc0000-0xcbfff
        pcmcia_socket pcmcia_socket0: cs: memory probe 0x0d0000-0x0dffff: clean.
        pcmcia_socket pcmcia_socket0: cs: memory probe 0x0e0000-0x0effff: clean.
        pcmcia_socket pcmcia_socket0: cs: memory probe 0x60000000-0x60ffffff: clean.
        pcmcia_socket pcmcia_socket0: cs: memory probe 0xa0000000-0xa0ffffff: clean.
        pcmcia_socket pcmcia_socket1: cs: IO port probe 0xc00-0xcff: excluding 0xcf8-0xcff
        pcmcia_socket pcmcia_socket1: cs: IO port probe 0xa00-0xaff: clean.
        pcmcia_socket pcmcia_socket1: cs: IO port probe 0x100-0x3ff: excluding 0x170-0x177 0x1f0-0x1f7 0x2f8-0x2ff 0x370-0x37f 0x3c0-0x3e7 0x3f0-0x3ff
        pcmcia_socket pcmcia_socket1: cs: memory probe 0x0a0000-0x0affff: excluding 0xa0000-0xaffff
        pcmcia_socket pcmcia_socket1: cs: memory probe 0x0b0000-0x0bffff: excluding 0xb0000-0xbffff
        pcmcia_socket pcmcia_socket1: cs: memory probe 0x0c0000-0x0cffff: excluding 0xc0000-0xcbfff
        pcmcia_socket pcmcia_socket1: cs: memory probe 0x0d0000-0x0dffff: clean.
        pcmcia_socket pcmcia_socket1: cs: memory probe 0x0e0000-0x0effff: clean.
        pcmcia_socket pcmcia_socket1: cs: memory probe 0x60000000-0x60ffffff: clean.
        pcmcia_socket pcmcia_socket1: cs: memory probe 0xa0000000-0xa0ffffff: clean.
        pcmcia_socket pcmcia_socket1: cs: memory probe 0x0cc000-0x0effff: excluding 0xe0000-0xeffff
        pcmcia_socket pcmcia_socket1: cs: unable to map card memory!
      
      If filtering out the first 1MB is reverted, everything works as expected.
      Tested-by: default avatarRobert Resch <fli4l@robert.reschpara.de>
      Signed-off-by: default avatarChristoph Schulz <develop@kristov.de>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      209dc6f6
    • Kevin Hao's avatar
      mtd/ftl: fix the double free of the buffers allocated in build_maps() · 6b59836f
      Kevin Hao authored
      commit a152056c upstream.
      
      I got the following panic on my fsl p5020ds board.
      
        Unable to handle kernel paging request for data at address 0x7375627379737465
        Faulting instruction address: 0xc000000000100778
        Oops: Kernel access of bad area, sig: 11 [#1]
        SMP NR_CPUS=24 CoreNet Generic
        Modules linked in:
        CPU: 0 PID: 1 Comm: swapper/0 Not tainted 3.15.0-next-20140613 #145
        task: c0000000fe080000 ti: c0000000fe088000 task.ti: c0000000fe088000
        NIP: c000000000100778 LR: c00000000010073c CTR: 0000000000000000
        REGS: c0000000fe08aa00 TRAP: 0300   Not tainted  (3.15.0-next-20140613)
        MSR: 0000000080029000 <CE,EE,ME>  CR: 24ad2e24  XER: 00000000
        DEAR: 7375627379737465 ESR: 0000000000000000 SOFTE: 1
        GPR00: c0000000000c99b0 c0000000fe08ac80 c0000000009598e0 c0000000fe001d80
        GPR04: 00000000000000d0 0000000000000913 c000000007902b20 0000000000000000
        GPR08: c0000000feaae888 0000000000000000 0000000007091000 0000000000200200
        GPR12: 0000000028ad2e28 c00000000fff4000 c0000000007abe08 0000000000000000
        GPR16: c0000000007ab160 c0000000007aaf98 c00000000060ba68 c0000000007abda8
        GPR20: c0000000007abde8 c0000000feaea6f8 c0000000feaea708 c0000000007abd10
        GPR24: c000000000989370 c0000000008c6228 00000000000041ed c0000000fe00a400
        GPR28: c00000000017c1cc 00000000000000d0 7375627379737465 c0000000fe001d80
        NIP [c000000000100778] .__kmalloc_track_caller+0x70/0x168
        LR [c00000000010073c] .__kmalloc_track_caller+0x34/0x168
        Call Trace:
        [c0000000fe08ac80] [c00000000087e6b8] uevent_sock_list+0x0/0x10 (unreliable)
        [c0000000fe08ad20] [c0000000000c99b0] .kstrdup+0x44/0x90
        [c0000000fe08adc0] [c00000000017c1cc] .__kernfs_new_node+0x4c/0x130
        [c0000000fe08ae70] [c00000000017d7e4] .kernfs_new_node+0x2c/0x64
        [c0000000fe08aef0] [c00000000017db00] .kernfs_create_dir_ns+0x34/0xc8
        [c0000000fe08af80] [c00000000018067c] .sysfs_create_dir_ns+0x58/0xcc
        [c0000000fe08b010] [c0000000002c711c] .kobject_add_internal+0xc8/0x384
        [c0000000fe08b0b0] [c0000000002c7644] .kobject_add+0x64/0xc8
        [c0000000fe08b140] [c000000000355ebc] .device_add+0x11c/0x654
        [c0000000fe08b200] [c0000000002b5988] .add_disk+0x20c/0x4b4
        [c0000000fe08b2c0] [c0000000003a21d4] .add_mtd_blktrans_dev+0x340/0x514
        [c0000000fe08b350] [c0000000003a3410] .mtdblock_add_mtd+0x74/0xb4
        [c0000000fe08b3e0] [c0000000003a32cc] .blktrans_notify_add+0x64/0x94
        [c0000000fe08b470] [c00000000039b5b4] .add_mtd_device+0x1d4/0x368
        [c0000000fe08b520] [c00000000039b830] .mtd_device_parse_register+0xe8/0x104
        [c0000000fe08b5c0] [c0000000003b8408] .of_flash_probe+0x72c/0x734
        [c0000000fe08b750] [c00000000035ba40] .platform_drv_probe+0x38/0x84
        [c0000000fe08b7d0] [c0000000003599a4] .really_probe+0xa4/0x29c
        [c0000000fe08b870] [c000000000359d3c] .__driver_attach+0x100/0x104
        [c0000000fe08b900] [c00000000035746c] .bus_for_each_dev+0x84/0xe4
        [c0000000fe08b9a0] [c0000000003593c0] .driver_attach+0x24/0x38
        [c0000000fe08ba10] [c000000000358f24] .bus_add_driver+0x1c8/0x2ac
        [c0000000fe08bab0] [c00000000035a3a4] .driver_register+0x8c/0x158
        [c0000000fe08bb30] [c00000000035b9f4] .__platform_driver_register+0x6c/0x80
        [c0000000fe08bba0] [c00000000084e080] .of_flash_driver_init+0x1c/0x30
        [c0000000fe08bc10] [c000000000001864] .do_one_initcall+0xbc/0x238
        [c0000000fe08bd00] [c00000000082cdc0] .kernel_init_freeable+0x188/0x268
        [c0000000fe08bdb0] [c0000000000020a0] .kernel_init+0x1c/0xf7c
        [c0000000fe08be30] [c000000000000884] .ret_from_kernel_thread+0x58/0xd4
        Instruction dump:
        41bd0010 480000c8 4bf04eb5 60000000 e94d0028 e93f0000 7cc95214 e8a60008
        7fc9502a 2fbe0000 419e00c8 e93f0022 <7f7e482a> 39200000 88ed06b2 992d06b2
        ---[ end trace b4c9a94804a42d40 ]---
      
      It seems that the corrupted partition header on my mtd device triggers
      a bug in the ftl. In function build_maps() it will allocate the buffers
      needed by the mtd partition, but if something goes wrong such as kmalloc
      failure, mtd read error or invalid partition header parameter, it will
      free all allocated buffers and then return non-zero. In my case, it
      seems that partition header parameter 'NumTransferUnits' is invalid.
      
      And the ftl_freepart() is a function which free all the partition
      buffers allocated by build_maps(). Given the build_maps() is a self
      cleaning function, so there is no need to invoke this function even
      if build_maps() return with error. Otherwise it will causes the
      buffers to be freed twice and then weird things would happen.
      Signed-off-by: default avatarKevin Hao <haokexin@gmail.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6b59836f
    • Hans de Goede's avatar
      gspca_pac7302: Add new usb-id for Genius i-Look 317 · 2121cbd8
      Hans de Goede authored
      commit 242841d3 upstream.
      Tested-and-reported-by: default avataryullaw <yullaw@mageia.cz>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <m.chehab@samsung.com>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2121cbd8
    • Antti Palosaari's avatar
      tda10071: force modulation to QPSK on DVB-S · 5248ee65
      Antti Palosaari authored
      commit db4175ae upstream.
      
      Only supported modulation for DVB-S is QPSK. Modulation parameter
      contains invalid value for DVB-S on some cases, which leads driver
      refusing tuning attempt. Due to that, hard code modulation to QPSK
      in case of DVB-S.
      Signed-off-by: default avatarAntti Palosaari <crope@iki.fi>
      Signed-off-by: default avatarMauro Carvalho Chehab <m.chehab@samsung.com>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5248ee65