1. 11 Jul, 2014 40 commits
    • Thomas Gleixner's avatar
      rtmutex: Plug slow unlock race · b5177f73
      Thomas Gleixner authored
      commit 27e35715 upstream.
      
      When the rtmutex fast path is enabled the slow unlock function can
      create the following situation:
      
      spin_lock(foo->m->wait_lock);
      foo->m->owner = NULL;
      	    			rt_mutex_lock(foo->m); <-- fast path
      				free = atomic_dec_and_test(foo->refcnt);
      				rt_mutex_unlock(foo->m); <-- fast path
      				if (free)
      				   kfree(foo);
      
      spin_unlock(foo->m->wait_lock); <--- Use after free.
      
      Plug the race by changing the slow unlock to the following scheme:
      
           while (!rt_mutex_has_waiters(m)) {
           	    /* Clear the waiters bit in m->owner */
      	    clear_rt_mutex_waiters(m);
            	    owner = rt_mutex_owner(m);
            	    spin_unlock(m->wait_lock);
            	    if (cmpxchg(m->owner, owner, 0) == owner)
            	       return;
            	    spin_lock(m->wait_lock);
           }
      
      So in case of a new waiter incoming while the owner tries the slow
      path unlock we have two situations:
      
       unlock(wait_lock);
      					lock(wait_lock);
       cmpxchg(p, owner, 0) == owner
       	    	   			mark_rt_mutex_waiters(lock);
      	 				acquire(lock);
      
      Or:
      
       unlock(wait_lock);
      					lock(wait_lock);
      	 				mark_rt_mutex_waiters(lock);
       cmpxchg(p, owner, 0) != owner
      					enqueue_waiter();
      					unlock(wait_lock);
       lock(wait_lock);
       wakeup_next waiter();
       unlock(wait_lock);
      					lock(wait_lock);
      					acquire(lock);
      
      If the fast path is disabled, then the simple
      
         m->owner = NULL;
         unlock(m->wait_lock);
      
      is sufficient as all access to m->owner is serialized via
      m->wait_lock;
      
      Also document and clarify the wakeup_next_waiter function as suggested
      by Oleg Nesterov.
      Reported-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Link: http://lkml.kernel.org/r/20140611183852.937945560@linutronix.deSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      b5177f73
    • Thomas Gleixner's avatar
      rtmutex: Detect changes in the pi lock chain · faeac1e1
      Thomas Gleixner authored
      commit 82084984 upstream.
      
      When we walk the lock chain, we drop all locks after each step. So the
      lock chain can change under us before we reacquire the locks. That's
      harmless in principle as we just follow the wrong lock path. But it
      can lead to a false positive in the dead lock detection logic:
      
      T0 holds L0
      T0 blocks on L1 held by T1
      T1 blocks on L2 held by T2
      T2 blocks on L3 held by T3
      T4 blocks on L4 held by T4
      
      Now we walk the chain
      
      lock T1 -> lock L2 -> adjust L2 -> unlock T1 ->
           lock T2 ->  adjust T2 ->  drop locks
      
      T2 times out and blocks on L0
      
      Now we continue:
      
      lock T2 -> lock L0 -> deadlock detected, but it's not a deadlock at all.
      
      Brad tried to work around that in the deadlock detection logic itself,
      but the more I looked at it the less I liked it, because it's crystal
      ball magic after the fact.
      
      We actually can detect a chain change very simple:
      
      lock T1 -> lock L2 -> adjust L2 -> unlock T1 -> lock T2 -> adjust T2 ->
      
           next_lock = T2->pi_blocked_on->lock;
      
      drop locks
      
      T2 times out and blocks on L0
      
      Now we continue:
      
      lock T2 ->
      
           if (next_lock != T2->pi_blocked_on->lock)
           	   return;
      
      So if we detect that T2 is now blocked on a different lock we stop the
      chain walk. That's also correct in the following scenario:
      
      lock T1 -> lock L2 -> adjust L2 -> unlock T1 -> lock T2 -> adjust T2 ->
      
           next_lock = T2->pi_blocked_on->lock;
      
      drop locks
      
      T3 times out and drops L3
      T2 acquires L3 and blocks on L4 now
      
      Now we continue:
      
      lock T2 ->
      
           if (next_lock != T2->pi_blocked_on->lock)
           	   return;
      
      We don't have to follow up the chain at that point, because T2
      propagated our priority up to T4 already.
      
      [ Folded a cleanup patch from peterz ]
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reported-by: default avatarBrad Mouring <bmouring@ni.com>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Link: http://lkml.kernel.org/r/20140605152801.930031935@linutronix.de
      [bwh: Backported to 3.2: adjust filename, context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      faeac1e1
    • Thomas Gleixner's avatar
      rtmutex: Handle deadlock detection smarter · 95f9aded
      Thomas Gleixner authored
      commit 3d5c9340 upstream.
      
      Even in the case when deadlock detection is not requested by the
      caller, we can detect deadlocks. Right now the code stops the lock
      chain walk and keeps the waiter enqueued, even on itself. Silly not to
      yell when such a scenario is detected and to keep the waiter enqueued.
      
      Return -EDEADLK unconditionally and handle it at the call sites.
      
      The futex calls return -EDEADLK. The non futex ones dequeue the
      waiter, throw a warning and put the task into a schedule loop.
      
      Tagged for stable as it makes the code more robust.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Brad Mouring <bmouring@ni.com>
      Link: http://lkml.kernel.org/r/20140605152801.836501969@linutronix.deSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      [bwh: Backported to 3.2: adjust filenames]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      95f9aded
    • Andrey Ryabinin's avatar
      mm: rmap: fix use-after-free in __put_anon_vma · d857054b
      Andrey Ryabinin authored
      commit 624483f3 upstream.
      
      While working address sanitizer for kernel I've discovered
      use-after-free bug in __put_anon_vma.
      
      For the last anon_vma, anon_vma->root freed before child anon_vma.
      Later in anon_vma_free(anon_vma) we are referencing to already freed
      anon_vma->root to check rwsem.
      
      This fixes it by freeing the child anon_vma before freeing
      anon_vma->root.
      Signed-off-by: default avatarAndrey Ryabinin <a.ryabinin@samsung.com>
      Acked-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d857054b
    • David Henningsson's avatar
      ALSA: hda - Add quirk for external mic on Lifebook U904 · 2aef2e3b
      David Henningsson authored
      commit 2041d564 upstream.
      
      According to the bug reporter (Данило Шеган), the external mic
      starts to work and has proper jack detection if only pin 0x19
      is marked properly as an external headset mic.
      
      AlsaInfo at https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1328587/+attachment/4128991/+files/AlsaInfo.txt
      
      BugLink: https://bugs.launchpad.net/bugs/1328587Signed-off-by: default avatarDavid Henningsson <david.henningsson@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      [bwh: Backported to 3.2:
       - s/struct hda_pintbl/struct alc_pincfg/
       - s/HDA_FIXUP_PINS/ALC_FIXUP_PINS/
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      2aef2e3b
    • Mimi Zohar's avatar
      evm: prohibit userspace writing 'security.evm' HMAC value · 0d2b9938
      Mimi Zohar authored
      commit 2fb1c9a4 upstream.
      
      Calculating the 'security.evm' HMAC value requires access to the
      EVM encrypted key.  Only the kernel should have access to it.  This
      patch prevents userspace tools(eg. setfattr, cp --preserve=xattr)
      from setting/modifying the 'security.evm' HMAC value directly.
      Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0d2b9938
    • Michael Neuling's avatar
      powerpc: Don't setup CPUs with bad status · 335a4d5b
      Michael Neuling authored
      commit 59a53afe upstream.
      
      OPAL will mark a CPU that is guarded as "bad" in the status property of the CPU
      node.
      
      Unfortunatley Linux doesn't check this property and will put the bad CPU in the
      present map.  This has caused hangs on booting when we try to unsplit the core.
      
      This patch checks the CPU is avaliable via this status property before putting
      it in the present map.
      Signed-off-by: default avatarMichael Neuling <mikey@neuling.org>
      Tested-by: default avatarAnton Blanchard <anton@samba.org>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      335a4d5b
    • Gabor Juhos's avatar
      watchdog: ath79_wdt: avoid spurious restarts on AR934x · bb262325
      Gabor Juhos authored
      commit 23afeb61 upstream.
      
      On some AR934x based systems, where the frequency of
      the AHB bus is relatively high, the built-in watchdog
      causes a spurious restart when it gets enabled.
      
      The possible cause of these restarts is that the timeout
      value written into the TIMER register does not reaches
      the hardware in time.
      
      Add an explicit delay into the ath79_wdt_enable function
      to avoid the spurious restarts.
      Signed-off-by: default avatarGabor Juhos <juhosg@openwrt.org>
      Reviewed-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarWim Van Sebroeck <wim@iguana.be>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bb262325
    • Andy Lutomirski's avatar
      auditsc: audit_krule mask accesses need bounds checking · 38831a0a
      Andy Lutomirski authored
      commit a3c54931 upstream.
      
      Fixes an easy DoS and possible information disclosure.
      
      This does nothing about the broken state of x32 auditing.
      
      eparis: If the admin has enabled auditd and has specifically loaded
      audit rules.  This bug has been around since before git.  Wow...
      Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: audit_filter_inode_name() is not a separate
       function but part of audit_filter_inodes()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      38831a0a
    • Christian König's avatar
      drm/radeon: stop poisoning the GART TLB · 191fe265
      Christian König authored
      commit 0986c1a5 upstream.
      
      When we set the valid bit on invalid GART entries they are
      loaded into the TLB when an adjacent entry is loaded. This
      poisons the TLB with invalid entries which are sometimes
      not correctly removed on TLB flush.
      
      For stable inclusion the patch probably needs to be modified a bit.
      Signed-off-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      [bwh: Backported to 3.2: R600_PTE_GART is not defined and we list all the
       flags indvidually]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      191fe265
    • Chris Mason's avatar
      Btrfs: fix double free in find_lock_delalloc_range · 232270aa
      Chris Mason authored
      commit 7d788742 upstream.
      
      We need to NULL the cached_state after freeing it, otherwise
      we might free it again if find_delalloc_range doesn't find anything.
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      232270aa
    • J. Bruce Fields's avatar
      nfsd4: fix FREE_STATEID lockowner leak · 85845448
      J. Bruce Fields authored
      commit 48385408 upstream.
      
      27b11428 ("nfsd4: remove lockowner when removing lock stateid")
      introduced a memory leak.
      Reported-by: default avatarJeff Layton <jeff.layton@primarydata.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      85845448
    • Benjamin Tissoires's avatar
      Input: synaptics - fix resolution for manually provided min/max · 19475c82
      Benjamin Tissoires authored
      commit d49cb7ae upstream.
      
      commit 421e08c4 fixed the reported min/max for the X and Y axis,
      but unfortunately, it broke the resolution of those same axis.
      
      On the t540p, the resolution is the same regarding X and Y. It is not
      a problem for xf86-input-synaptics because this driver is only interested
      in the ratio between X and Y.
      Unfortunately, xf86-input-cmt uses directly the resolution, and having a
      null resolution leads to some divide by 0 errors, which are translated by
      -infinity in the resulting coordinates.
      Reported-by: default avatarPeter Hutterer <peter.hutterer@who-t.net>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      [bwh: Backported to 3.2: I didn't apply the PNP ID changes, so the
       code being moved looks different]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      19475c82
    • Hans de Goede's avatar
      Input: elantech - don't set bit 1 of reg_10 when the no_hw_res quirk is set · cb70ede3
      Hans de Goede authored
      commit fb4f8f56 upstream.
      
      The touchpad on the GIGABYTE U2442 not only stops communicating when we try
      to set bit 3 (enable real hardware resolution) of reg_10, but on some BIOS
      versions also when we set bit 1 (enable two finger mode auto correct).
      
      I've asked the original reporter of:
      https://bugzilla.kernel.org/show_bug.cgi?id=61151
      
      To check that not setting bit 1 does not lead to any adverse effects on his
      model / BIOS revision, and it does not, so this commit fixes the touchpad
      not working on these versions by simply never setting bit 1 for laptop
      models with the no_hw_res quirk.
      Reported-and-tested-by: default avatarJames Lademann <jwlademann@gmail.com>
      Tested-by: default avatarPhilipp Wolfer <ph.wolfer@gmail.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      cb70ede3
    • Hans de Goede's avatar
      Input: elantech - deal with clickpads reporting right button events · 714e2d65
      Hans de Goede authored
      commit cd9e83e2 upstream.
      
      At least the Dell Vostro 5470 elantech *clickpad* reports right button
      clicks when clicked in the right bottom area:
      
      https://bugzilla.redhat.com/show_bug.cgi?id=1103528
      
      This is different from how (elantech) clickpads normally operate, normally
      no matter where the user clicks on the pad the pad always reports a left
      button event, since there is only 1 hardware button beneath the path.
      
      It looks like Dell has put 2 buttons under the pad, one under each bottom
      corner, causing this.
      
      Since this however still clearly is a real clickpad hardware-wise, we still
      want to report it as such to userspace, so that things like finger movement
      in the bottom area can be properly ignored as it should be on clickpads.
      
      So deal with this weirdness by simply mapping a right click to a left click
      on elantech clickpads. As an added advantage this is something which we can
      simply do on all elantech clickpads, so no need to add special quirks for
      this weird model.
      Reported-and-tested-by: default avatarElder Marco <eldermarco@gmail.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      714e2d65
    • Lai Jiangshan's avatar
      idr: fix overflow bug during maximum ID calculation at maximum height · 5ab98da0
      Lai Jiangshan authored
      commit 3afb69cb upstream.
      
      idr_replace() open-codes the logic to calculate the maximum valid ID
      given the height of the idr tree; unfortunately, the open-coded logic
      doesn't account for the fact that the top layer may have unused slots
      and over-shifts the limit to zero when the tree is at its maximum
      height.
      
      The following test code shows it fails to replace the value for
      id=((1<<27)+42):
      
        static void test5(void)
        {
              int id;
              DEFINE_IDR(test_idr);
        #define TEST5_START ((1<<27)+42) /* use the highest layer */
      
              printk(KERN_INFO "Start test5\n");
              id = idr_alloc(&test_idr, (void *)1, TEST5_START, 0, GFP_KERNEL);
              BUG_ON(id != TEST5_START);
              TEST_BUG_ON(idr_replace(&test_idr, (void *)2, TEST5_START) != (void *)1);
              idr_destroy(&test_idr);
              printk(KERN_INFO "End of test5\n");
        }
      
      Fix the bug by using idr_max() which correctly takes into account the
      maximum allowed shift.
      
      sub_alloc() shares the same problem and may incorrectly fail with
      -EAGAIN; however, this bug doesn't affect correct operation because
      idr_get_empty_slot(), which already uses idr_max(), retries with the
      increased @id in such cases.
      
      [tj@kernel.org: Updated patch description.]
      Signed-off-by: default avatarLai Jiangshan <laijs@cn.fujitsu.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      5ab98da0
    • Matthew Dempsky's avatar
      ptrace: fix fork event messages across pid namespaces · 0b8ad905
      Matthew Dempsky authored
      commit 4e52365f upstream.
      
      When tracing a process in another pid namespace, it's important for fork
      event messages to contain the child's pid as seen from the tracer's pid
      namespace, not the parent's.  Otherwise, the tracer won't be able to
      correlate the fork event with later SIGTRAP signals it receives from the
      child.
      
      We still risk a race condition if a ptracer from a different pid
      namespace attaches after we compute the pid_t value.  However, sending a
      bogus fork event message in this unlikely scenario is still a vast
      improvement over the status quo where we always send bogus fork event
      messages to debuggers in a different pid namespace than the forking
      process.
      Signed-off-by: default avatarMatthew Dempsky <mdempsky@chromium.org>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Julien Tinnes <jln@chromium.org>
      Cc: Roland McGrath <mcgrathr@chromium.org>
      Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      0b8ad905
    • Boris BREZILLON's avatar
      rtc: rtc-at91rm9200: fix infinite wait for ACKUPD irq · 6df2529a
      Boris BREZILLON authored
      commit 2fe121e1 upstream.
      
      The rtc user must wait at least 1 sec between each time/calandar update
      (see atmel's datasheet chapter "Updating Time/Calendar").
      
      Use the 1Hz interrupt to update the at91_rtc_upd_rdy flag and wait for
      the at91_rtc_wait_upd_rdy event if the rtc is not ready.
      
      This patch fixes a deadlock in an uninterruptible wait when the RTC is
      updated more than once every second.  AFAICT the bug is here from the
      beginning, but I think we should at least backport this fix to 3.10 and
      the following longterm and stable releases.
      Signed-off-by: default avatarBoris BREZILLON <boris.brezillon@free-electrons.com>
      Reported-by: default avatarBryan Evenson <bevenson@melinkcorp.com>
      Tested-by: default avatarBryan Evenson <bevenson@melinkcorp.com>
      Cc: Andrew Victor <linux@maxim.org.za>
      Cc: Nicolas Ferre <nicolas.ferre@atmel.com>
      Cc: Jean-Christophe Plagniol-Villard <plagnioj@jcrosoft.com>
      Cc: Alessandro Zummo <a.zummo@towertech.it>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2:
       - Adjust context
       - at91_rtc_write() is called at91_sys_write()
       - Use at91_sys_write() directly instead of the missing
         at91_rtc_write_ier() and at91_rtc_write_idr()]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      6df2529a
    • Johannes Weiner's avatar
      mm: vmscan: clear kswapd's special reclaim powers before exiting · e70d6e73
      Johannes Weiner authored
      commit 71abdc15 upstream.
      
      When kswapd exits, it can end up taking locks that were previously held
      by allocating tasks while they waited for reclaim.  Lockdep currently
      warns about this:
      
      On Wed, May 28, 2014 at 06:06:34PM +0800, Gu Zheng wrote:
      >  inconsistent {RECLAIM_FS-ON-W} -> {IN-RECLAIM_FS-R} usage.
      >  kswapd2/1151 [HC0[0]:SC0[0]:HE1:SE1] takes:
      >   (&sig->group_rwsem){+++++?}, at: exit_signals+0x24/0x130
      >  {RECLAIM_FS-ON-W} state was registered at:
      >     mark_held_locks+0xb9/0x140
      >     lockdep_trace_alloc+0x7a/0xe0
      >     kmem_cache_alloc_trace+0x37/0x240
      >     flex_array_alloc+0x99/0x1a0
      >     cgroup_attach_task+0x63/0x430
      >     attach_task_by_pid+0x210/0x280
      >     cgroup_procs_write+0x16/0x20
      >     cgroup_file_write+0x120/0x2c0
      >     vfs_write+0xc0/0x1f0
      >     SyS_write+0x4c/0xa0
      >     tracesys+0xdd/0xe2
      >  irq event stamp: 49
      >  hardirqs last  enabled at (49):  _raw_spin_unlock_irqrestore+0x36/0x70
      >  hardirqs last disabled at (48):  _raw_spin_lock_irqsave+0x2b/0xa0
      >  softirqs last  enabled at (0):  copy_process.part.24+0x627/0x15f0
      >  softirqs last disabled at (0):            (null)
      >
      >  other info that might help us debug this:
      >   Possible unsafe locking scenario:
      >
      >         CPU0
      >         ----
      >    lock(&sig->group_rwsem);
      >    <Interrupt>
      >      lock(&sig->group_rwsem);
      >
      >   *** DEADLOCK ***
      >
      >  no locks held by kswapd2/1151.
      >
      >  stack backtrace:
      >  CPU: 30 PID: 1151 Comm: kswapd2 Not tainted 3.10.39+ #4
      >  Call Trace:
      >    dump_stack+0x19/0x1b
      >    print_usage_bug+0x1f7/0x208
      >    mark_lock+0x21d/0x2a0
      >    __lock_acquire+0x52a/0xb60
      >    lock_acquire+0xa2/0x140
      >    down_read+0x51/0xa0
      >    exit_signals+0x24/0x130
      >    do_exit+0xb5/0xa50
      >    kthread+0xdb/0x100
      >    ret_from_fork+0x7c/0xb0
      
      This is because the kswapd thread is still marked as a reclaimer at the
      time of exit.  But because it is exiting, nobody is actually waiting on
      it to make reclaim progress anymore, and it's nothing but a regular
      thread at this point.  Be tidy and strip it of all its powers
      (PF_MEMALLOC, PF_SWAPWRITE, PF_KSWAPD, and the lockdep reclaim state)
      before returning from the thread function.
      Signed-off-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Reported-by: default avatarGu Zheng <guz.fnst@cn.fujitsu.com>
      Cc: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
      Cc: Tang Chen <tangchen@cn.fujitsu.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e70d6e73
    • Nicholas Bellinger's avatar
      iscsi-target: Reject mutual authentication with reflected CHAP_C · 9ae0f3c0
      Nicholas Bellinger authored
      commit 1d2b60a5 upstream.
      
      This patch adds an explicit check in chap_server_compute_md5() to ensure
      the CHAP_C value received from the initiator during mutual authentication
      does not match the original CHAP_C provided by the target.
      
      This is in line with RFC-3720, section 8.2.1:
      
         Originators MUST NOT reuse the CHAP challenge sent by the Responder
         for the other direction of a bidirectional authentication.
         Responders MUST check for this condition and close the iSCSI TCP
         connection if it occurs.
      Reported-by: default avatarTejas Vaykole <tejas.vaykole@calsoftinc.com>
      Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      9ae0f3c0
    • Kailang Yang's avatar
      ALSA: hda/realtek - Add support of ALC891 codec · 4e53b9de
      Kailang Yang authored
      commit b6c5fbad upstream.
      
      New codec support for ALC891.
      Signed-off-by: default avatarKailang Yang <kailang@realtek.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      4e53b9de
    • Benjamin Herrenschmidt's avatar
      powerpc/serial: Use saner flags when creating legacy ports · 19e84f23
      Benjamin Herrenschmidt authored
      commit c4cad90f upstream.
      
      We had a mix & match of flags used when creating legacy ports
      depending on where we found them in the device-tree. Among others
      we were missing UPF_SKIP_TEST for some kind of ISA ports which is
      a problem as quite a few UARTs out there don't support the loopback
      test (such as a lot of BMCs).
      
      Let's pick the set of flags used by the SoC code and generalize it
      which means autoconf, no loopback test, irq maybe shared and fixed
      port.
      
      Sending to stable as the lack of UPF_SKIP_TEST is breaking
      serial on some machines so I want this back into distros
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      19e84f23
    • Hugh Dickins's avatar
      mm: fix sleeping function warning from __put_anon_vma · e3ffaedc
      Hugh Dickins authored
      commit 7f39dda9 upstream.
      
      Trinity reports BUG:
      
        sleeping function called from invalid context at kernel/locking/rwsem.c:47
        in_atomic(): 0, irqs_disabled(): 0, pid: 5787, name: trinity-c27
      
      __might_sleep < down_write < __put_anon_vma < page_get_anon_vma <
      migrate_pages < compact_zone < compact_zone_order < try_to_compact_pages ..
      
      Right, since conversion to mutex then rwsem, we should not put_anon_vma()
      from inside an rcu_read_lock()ed section: fix the two places that did so.
      And add might_sleep() to anon_vma_free(), as suggested by Peter Zijlstra.
      
      Fixes: 88c22088 ("mm: optimize page_lock_anon_vma() fast-path")
      Reported-by: default avatarDave Jones <davej@redhat.com>
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e3ffaedc
    • Benny Halevy's avatar
      nfsd4: use recall_lock for delegation hashing · ba1ef838
      Benny Halevy authored
      commit 931ee56c upstream.
      
      This fixes a bug in the handling of the fi_delegations list.
      
      nfs4_setlease does not hold the recall_lock when adding to it. The
      client_mutex is held, which prevents against concurrent list changes,
      but nfsd_break_deleg_cb does not hold while walking it. New delegations
      could theoretically creep onto the list while we're walking it there.
      Signed-off-by: default avatarBenny Halevy <bhalevy@primarydata.com>
      Signed-off-by: default avatarJeff Layton <jlayton@primarydata.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      [bwh: Backported to 3.2:
       - Adjust context
       - Also remove a list_del_init() in nfs4_setlease() which would now be
         before the corresponding list_add()
       - Drop change to nfsd_find_all_delegations(), which doesn't exist]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ba1ef838
    • Jérôme Carretero's avatar
      ahci: Add Device ID for HighPoint RocketRaid 642L · 13ce2ab0
      Jérôme Carretero authored
      commit d2518365 upstream.
      
      This device normally comes with a proprietary driver, using a web GUI
      to configure RAID:
       http://www.highpoint-tech.com/USA_new/series_rr600-download.htm
      But thankfully it also works out of the box with the AHCI driver,
      being just a Marvell 88SE9235.
      
      Devices 640L, 644L, 644LS should also be supported but not tested here.
      Signed-off-by: default avatarJérôme Carretero <cJ-ko@zougloub.eu>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      13ce2ab0
    • Alex Deucher's avatar
      drm/radeon: only apply hdmi bpc pll flags when encoder mode is hdmi · 3c010c0b
      Alex Deucher authored
      commit 7d5ab300 upstream.
      
      May fix display issues with non-HDMI displays.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      3c010c0b
    • Alex Deucher's avatar
      drm/radeon/atom: fix dithering on certain panels · 94264f44
      Alex Deucher authored
      commit 64252835 upstream.
      
      We need to specify the encoder mode as LVDS for eDP
      when using the Crtc_Source atom table in order to properly
      set up the FMT hardware.
      
      bug:
      https://bugs.freedesktop.org/show_bug.cgi?id=73911Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      94264f44
    • Alex Deucher's avatar
      drm/radeon: fix typo in radeon_connector_is_dp12_capable() · 08e6c752
      Alex Deucher authored
      commit af5d3653 upstream.
      
      We were checking the ext clock rather than the display clock.
      
      Noticed by ArtForz on IRC.
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      08e6c752
    • hujianyang's avatar
      UBIFS: Remove incorrect assertion in shrink_tnc() · a1c97ac5
      hujianyang authored
      commit 72abc8f4 upstream.
      
      I hit the same assert failed as Dolev Raviv reported in Kernel v3.10
      shows like this:
      
      [ 9641.164028] UBIFS assert failed in shrink_tnc at 131 (pid 13297)
      [ 9641.234078] CPU: 1 PID: 13297 Comm: mmap.test Tainted: G           O 3.10.40 #1
      [ 9641.234116] [<c0011a6c>] (unwind_backtrace+0x0/0x12c) from [<c000d0b0>] (show_stack+0x20/0x24)
      [ 9641.234137] [<c000d0b0>] (show_stack+0x20/0x24) from [<c0311134>] (dump_stack+0x20/0x28)
      [ 9641.234188] [<c0311134>] (dump_stack+0x20/0x28) from [<bf22425c>] (shrink_tnc_trees+0x25c/0x350 [ubifs])
      [ 9641.234265] [<bf22425c>] (shrink_tnc_trees+0x25c/0x350 [ubifs]) from [<bf2245ac>] (ubifs_shrinker+0x25c/0x310 [ubifs])
      [ 9641.234307] [<bf2245ac>] (ubifs_shrinker+0x25c/0x310 [ubifs]) from [<c00cdad8>] (shrink_slab+0x1d4/0x2f8)
      [ 9641.234327] [<c00cdad8>] (shrink_slab+0x1d4/0x2f8) from [<c00d03d0>] (do_try_to_free_pages+0x300/0x544)
      [ 9641.234344] [<c00d03d0>] (do_try_to_free_pages+0x300/0x544) from [<c00d0a44>] (try_to_free_pages+0x2d0/0x398)
      [ 9641.234363] [<c00d0a44>] (try_to_free_pages+0x2d0/0x398) from [<c00c6a60>] (__alloc_pages_nodemask+0x494/0x7e8)
      [ 9641.234382] [<c00c6a60>] (__alloc_pages_nodemask+0x494/0x7e8) from [<c00f62d8>] (new_slab+0x78/0x238)
      [ 9641.234400] [<c00f62d8>] (new_slab+0x78/0x238) from [<c031081c>] (__slab_alloc.constprop.42+0x1a4/0x50c)
      [ 9641.234419] [<c031081c>] (__slab_alloc.constprop.42+0x1a4/0x50c) from [<c00f80e8>] (kmem_cache_alloc_trace+0x54/0x188)
      [ 9641.234459] [<c00f80e8>] (kmem_cache_alloc_trace+0x54/0x188) from [<bf227908>] (do_readpage+0x168/0x468 [ubifs])
      [ 9641.234553] [<bf227908>] (do_readpage+0x168/0x468 [ubifs]) from [<bf2296a0>] (ubifs_readpage+0x424/0x464 [ubifs])
      [ 9641.234606] [<bf2296a0>] (ubifs_readpage+0x424/0x464 [ubifs]) from [<c00c17c0>] (filemap_fault+0x304/0x418)
      [ 9641.234638] [<c00c17c0>] (filemap_fault+0x304/0x418) from [<c00de694>] (__do_fault+0xd4/0x530)
      [ 9641.234665] [<c00de694>] (__do_fault+0xd4/0x530) from [<c00e10c0>] (handle_pte_fault+0x480/0xf54)
      [ 9641.234690] [<c00e10c0>] (handle_pte_fault+0x480/0xf54) from [<c00e2bf8>] (handle_mm_fault+0x140/0x184)
      [ 9641.234716] [<c00e2bf8>] (handle_mm_fault+0x140/0x184) from [<c0316688>] (do_page_fault+0x150/0x3ac)
      [ 9641.234737] [<c0316688>] (do_page_fault+0x150/0x3ac) from [<c000842c>] (do_DataAbort+0x3c/0xa0)
      [ 9641.234759] [<c000842c>] (do_DataAbort+0x3c/0xa0) from [<c0314e38>] (__dabt_usr+0x38/0x40)
      
      After analyzing the code, I found a condition that may cause this failed
      in correct operations. Thus, I think this assertion is wrong and should be
      removed.
      
      Suppose there are two clean znodes and one dirty znode in TNC. So the
      per-filesystem atomic_t @clean_zn_cnt is (2). If commit start, dirty_znode
      is set to COW_ZNODE in get_znodes_to_commit() in case of potentially ops
      on this znode. We clear COW bit and DIRTY bit in write_index() without
      @tnc_mutex locked. We don't increase @clean_zn_cnt in this place. As the
      comments in write_index() shows, if another process hold @tnc_mutex and
      dirty this znode after we clean it, @clean_zn_cnt would be decreased to (1).
      We will increase @clean_zn_cnt to (2) with @tnc_mutex locked in
      free_obsolete_znodes() to keep it right.
      
      If shrink_tnc() performs between decrease and increase, it will release
      other 2 clean znodes it holds and found @clean_zn_cnt is less than zero
      (1 - 2 = -1), then hit the assertion. Because free_obsolete_znodes() will
      soon correct @clean_zn_cnt and no harm to fs in this case, I think this
      assertion could be removed.
      
      2 clean zondes and 1 dirty znode, @clean_zn_cnt == 2
      
      Thread A (commit)         Thread B (write or others)       Thread C (shrinker)
      ->write_index
         ->clear_bit(DIRTY_NODE)
         ->clear_bit(COW_ZNODE)
      
                  @clean_zn_cnt == 2
                                ->mutex_locked(&tnc_mutex)
                                ->dirty_cow_znode
                                    ->!ubifs_zn_cow(znode)
                                    ->!test_and_set_bit(DIRTY_NODE)
                                    ->atomic_dec(&clean_zn_cnt)
                                ->mutex_unlocked(&tnc_mutex)
      
                  @clean_zn_cnt == 1
                                                                 ->mutex_locked(&tnc_mutex)
                                                                 ->shrink_tnc
                                                                   ->destroy_tnc_subtree
                                                                   ->atomic_sub(&clean_zn_cnt, 2)
                                                                   ->ubifs_assert  <- hit
                                                                 ->mutex_unlocked(&tnc_mutex)
      
                  @clean_zn_cnt == -1
      ->mutex_lock(&tnc_mutex)
      ->free_obsolete_znodes
         ->atomic_inc(&clean_zn_cnt)
      ->mutux_unlock(&tnc_mutex)
      
                  @clean_zn_cnt == 0 (correct after shrink)
      Signed-off-by: default avatarhujianyang <hujianyang@huawei.com>
      Signed-off-by: default avatarArtem Bityutskiy <artem.bityutskiy@linux.intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      a1c97ac5
    • Christoph Hellwig's avatar
      nfsd: getattr for FATTR4_WORD0_FILES_AVAIL needs the statfs buffer · ad6a6b22
      Christoph Hellwig authored
      commit 12337901 upstream.
      
      Note nobody's ever noticed because the typical client probably never
      requests FILES_AVAIL without also requesting something else on the list.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      ad6a6b22
    • Yann Droneaud's avatar
      RDMA/cxgb4: Add missing padding at end of struct c4iw_create_cq_resp · e36a18a9
      Yann Droneaud authored
      commit b6f04d3d upstream.
      
      The i386 ABI disagrees with most other ABIs regarding alignment of
      data types larger than 4 bytes: on most ABIs a padding must be added
      at end of the structures, while it is not required on i386.
      
      So for most ABI struct c4iw_create_cq_resp gets implicitly padded
      to be aligned on a 8 bytes multiple, while for i386, such padding
      is not added.
      
      The tool pahole can be used to find such implicit padding:
      
        $ pahole --anon_include \
                 --nested_anon_include \
                 --recursive \
                 --class_name c4iw_create_cq_resp \
                 drivers/infiniband/hw/cxgb4/iw_cxgb4.o
      
      Then, structure layout can be compared between i386 and x86_64:
      
      # +++ obj-i386/drivers/infiniband/hw/cxgb4/iw_cxgb4.o.pahole.txt   2014-03-28 11:43:05.547432195 +0100
      # --- obj-x86_64/drivers/infiniband/hw/cxgb4/iw_cxgb4.o.pahole.txt 2014-03-28 10:55:10.990133017 +0100
        @@ -14,9 +13,8 @@ struct c4iw_create_cq_resp {
                __u32                      size;                 /*    28     4 */
                __u32                      qid_mask;             /*    32     4 */
      
        -       /* size: 36, cachelines: 1, members: 6 */
        -       /* last cacheline: 36 bytes */
        +       /* size: 40, cachelines: 1, members: 6 */
        +       /* padding: 4 */
        +       /* last cacheline: 40 bytes */
         };
      
      This ABI disagreement will make an x86_64 kernel try to write past the
      buffer provided by an i386 binary.
      
      When boundary check will be implemented, the x86_64 kernel will refuse
      to write past the i386 userspace provided buffer and the uverbs will
      fail.
      
      If the structure is on a page boundary and the next page is not
      mapped, ib_copy_to_udata() will fail and the uverb will fail.
      
      This patch adds an explicit padding at end of structure
      c4iw_create_cq_resp, and, like 92b0ca7c ("IB/mlx5: Fix stack info
      leak in mlx5_ib_alloc_ucontext()"), makes function c4iw_create_cq()
      not writting this padding field to userspace. This way, x86_64 kernel
      will be able to write struct c4iw_create_cq_resp as expected by
      unpatched and patched i386 libcxgb4.
      
      Link: http://marc.info/?i=cover.1399309513.git.ydroneaud@opteya.com
      Fixes: cfdda9d7 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC")
      Fixes: e24a72a3 ("RDMA/cxgb4: Fix four byte info leak in c4iw_create_cq()")
      Cc: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarYann Droneaud <ydroneaud@opteya.com>
      Acked-by: default avatarSteve Wise <swise@opengridcomputing.com>
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e36a18a9
    • Dan Carpenter's avatar
      RDMA/cxgb4: Fix four byte info leak in c4iw_create_cq() · bec3dbf1
      Dan Carpenter authored
      commit e24a72a3 upstream.
      
      There is a four byte hole at the end of the "uresp" struct after the
      ->qid_mask member.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      bec3dbf1
    • Bart Van Assche's avatar
      IB/umad: Fix error handling · f414d289
      Bart Van Assche authored
      commit 8ec0a0e6 upstream.
      
      Avoid leaking a kref count in ib_umad_open() if port->ib_dev == NULL
      or if nonseekable_open() fails.
      
      Avoid leaking a kref count, that sm_sem is kept down and also that the
      IB_PORT_SM capability mask is not cleared in ib_umad_sm_open() if
      nonseekable_open() fails.
      
      Since container_of() never returns NULL, remove the code that tests
      whether container_of() returns NULL.
      
      Moving the kref_get() call from the start of ib_umad_*open() to the
      end is safe since it is the responsibility of the caller of these
      functions to ensure that the cdev pointer remains valid until at least
      when these functions return.
      Signed-off-by: default avatarBart Van Assche <bvanassche@acm.org>
      
      [ydroneaud@opteya.com: rework a bit to reduce the amount of code changed]
      Signed-off-by: default avatarYann Droneaud <ydroneaud@opteya.com>
      
      [ nonseekable_open() can't actually fail, but....  - Roland ]
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      f414d289
    • Mathias Nyman's avatar
      xhci: delete endpoints from bandwidth list before freeing whole device · 28170033
      Mathias Nyman authored
      commit 5dc2808c upstream.
      
      Lists of endpoints are stored for bandwidth calculation for roothub ports.
      Make sure we remove all endpoints from the list before the whole device,
      containing its endpoints list_head stuctures, is freed.
      
      This used to be done in the wrong order in xhci_mem_cleanup(),
      and triggered an oops in resume from S4 (hibernate).
      Tested-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      28170033
    • Thomas Gleixner's avatar
      rtmutex: Fix deadlock detector for real · d70ca108
      Thomas Gleixner authored
      commit 397335f0 upstream.
      
      The current deadlock detection logic does not work reliably due to the
      following early exit path:
      
      	/*
      	 * Drop out, when the task has no waiters. Note,
      	 * top_waiter can be NULL, when we are in the deboosting
      	 * mode!
      	 */
      	if (top_waiter && (!task_has_pi_waiters(task) ||
      			   top_waiter != task_top_pi_waiter(task)))
      		goto out_unlock_pi;
      
      So this not only exits when the task has no waiters, it also exits
      unconditionally when the current waiter is not the top priority waiter
      of the task.
      
      So in a nested locking scenario, it might abort the lock chain walk
      and therefor miss a potential deadlock.
      
      Simple fix: Continue the chain walk, when deadlock detection is
      enabled.
      
      We also avoid the whole enqueue, if we detect the deadlock right away
      (A-A). It's an optimization, but also prevents that another waiter who
      comes in after the detection and before the task has undone the damage
      observes the situation and detects the deadlock and returns
      -EDEADLOCK, which is wrong as the other task is not in a deadlock
      situation.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Reviewed-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
      Link: http://lkml.kernel.org/r/20140522031949.725272460@linutronix.deSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      [bwh: Backported to 3.2: adjust filename]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      d70ca108
    • Arik Nemtsov's avatar
      mac80211: don't check netdev state for debugfs read/write · 37543a4e
      Arik Nemtsov authored
      commit 923eaf36 upstream.
      
      Doing so will lead to an oops for a p2p-dev interface, since it has
      no netdev.
      Signed-off-by: default avatarArik Nemtsov <arikx.nemtsov@intel.com>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      37543a4e
    • Christian Borntraeger's avatar
      s390/lowcore: reserve 96 bytes for IRB in lowcore · e4a0cc26
      Christian Borntraeger authored
      commit 993072ee upstream.
      
      The IRB might be 96 bytes if the extended-I/O-measurement facility is
      used. This feature is currently not used by Linux, but struct irb
      already has the emw defined. So let's make the irb in lowcore match the
      size of the internal data structure to be future proof.
      We also have to add a pad, to correctly align the paste.
      
      The bigger irb field also circumvents a bug in some QEMU versions that
      always write the emw field on test subchannel and therefore destroy the
      paste definitions of this CPU. Running under these QEMU version broke
      some timing functions in the VDSO and all users of these functions,
      e.g. some JREs.
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Sebastian Ott <sebott@linux.vnet.ibm.com>
      Cc: Cornelia Huck <cornelia.huck@de.ibm.com>
      [bwh: Backported to 3.2: offsets of the affected fields in the 64-bit version
       of struct _lowcore are 128 bytes smaller]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      e4a0cc26
    • NeilBrown's avatar
      md: always set MD_RECOVERY_INTR when aborting a reshape or other "resync". · 8197104d
      NeilBrown authored
      commit 3991b31e upstream.
      
      If mddev->ro is set, md_to_sync will (correctly) abort.
      However in that case MD_RECOVERY_INTR isn't set.
      
      If a RESHAPE had been requested, then ->finish_reshape() will be
      called and it will think the reshape was successful even though
      nothing happened.
      
      Normally a resync will not be requested if ->ro is set, but if an
      array is stopped while a reshape is on-going, then when the array is
      started, the reshape will be restarted.  If the array is also set
      read-only at this point, the reshape will instantly appear to success,
      resulting in data corruption.
      
      Consequently, this patch is suitable for any -stable kernel.
      Signed-off-by: default avatarNeilBrown <neilb@suse.de>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      8197104d
    • Guenter Roeck's avatar
      powerpc: Fix 64 bit builds with binutils 2.24 · 1e2f98c5
      Guenter Roeck authored
      commit 7998eb3d upstream.
      
      With binutils 2.24, various 64 bit builds fail with relocation errors
      such as
      
      arch/powerpc/kernel/built-in.o: In function `exc_debug_crit_book3e':
      	(.text+0x165ee): relocation truncated to fit: R_PPC64_ADDR16_HI
      	against symbol `interrupt_base_book3e' defined in .text section
      	in arch/powerpc/kernel/built-in.o
      arch/powerpc/kernel/built-in.o: In function `exc_debug_crit_book3e':
      	(.text+0x16602): relocation truncated to fit: R_PPC64_ADDR16_HI
      	against symbol `interrupt_end_book3e' defined in .text section
      	in arch/powerpc/kernel/built-in.o
      
      The assembler maintainer says:
      
       I changed the ABI, something that had to be done but unfortunately
       happens to break the booke kernel code.  When building up a 64-bit
       value with lis, ori, shl, oris, ori or similar sequences, you now
       should use @high and @higha in place of @h and @ha.  @h and @ha
       (and their associated relocs R_PPC64_ADDR16_HI and R_PPC64_ADDR16_HA)
       now report overflow if the value is out of 32-bit signed range.
       ie. @h and @ha assume you're building a 32-bit value. This is needed
       to report out-of-range -mcmodel=medium toc pointer offsets in @toc@h
       and @toc@ha expressions, and for consistency I did the same for all
       other @h and @ha relocs.
      
      Replacing @h with @high in one strategic location fixes the relocation
      errors. This has to be done conditionally since the assembler either
      supports @h or @high but not both.
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      [bwh: Backported to 3.2: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      1e2f98c5
    • Huang Rui's avatar
      usb: usbtest: fix unlink write error with pattern 1 · 895902a9
      Huang Rui authored
      commit e4d58f5d upstream.
      
      TEST 12 and TEST 24 unlinks the URB write request for N times. When
      host and gadget both initialize pattern 1 (mod 63) data series to
      transfer, the gadget side will complain the wrong data which is not
      expected.  Because in host side, usbtest doesn't fill the data buffer
      as mod 63 and this patch fixed it.
      
      [20285.488974] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready
      [20285.489181] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Not Active
      [20285.489423] dwc3 dwc3.0.auto: ep1out-bulk: req ffff8800aa6cb480 dma aeb50800 length 512 last
      [20285.489727] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Start Transfer' params 00000000 a9eaf000 00000000
      [20285.490055] dwc3 dwc3.0.auto: Command Complete --> 0
      [20285.490281] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready
      [20285.490492] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Active
      [20285.490713] dwc3 dwc3.0.auto: ep1out-bulk: endpoint busy
      [20285.490909] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Complete
      [20285.491117] dwc3 dwc3.0.auto: request ffff8800aa6cb480 from ep1out-bulk completed 512/512 ===> 0
      [20285.491431] zero gadget: bad OUT byte, buf[1] = 0
      [20285.491605] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Set Stall' params 00000000 00000000 00000000
      [20285.491915] dwc3 dwc3.0.auto: Command Complete --> 0
      [20285.492099] dwc3 dwc3.0.auto: queing request ffff8800aa6cb480 to ep1out-bulk length 512
      [20285.492387] dwc3 dwc3.0.auto: ep1out-bulk: Transfer Not Ready
      [20285.492595] dwc3 dwc3.0.auto: ep1out-bulk: reason Transfer Not Active
      [20285.492830] dwc3 dwc3.0.auto: ep1out-bulk: req ffff8800aa6cb480 dma aeb51000 length 512 last
      [20285.493135] dwc3 dwc3.0.auto: ep1out-bulk: cmd 'Start Transfer' params 00000000 a9eaf000 00000000
      [20285.493465] dwc3 dwc3.0.auto: Command Complete --> 0
      Signed-off-by: default avatarHuang Rui <ray.huang@amd.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      895902a9