1. 07 Oct, 2012 40 commits
    • Steffen Rumler's avatar
      powerpc: Fix kernel panic during kernel module load · dcd92275
      Steffen Rumler authored
      commit 3c752965 upstream.
      
      This fixes a problem which can causes kernel oopses while loading
      a kernel module.
      
      According to the PowerPC EABI specification, GPR r11 is assigned
      the dedicated function to point to the previous stack frame.
      In the powerpc-specific kernel module loader, do_plt_call()
      (in arch/powerpc/kernel/module_32.c), GPR r11 is also used
      to generate trampoline code.
      
      This combination crashes the kernel, in the case where the compiler
      chooses to use a helper function for saving GPRs on entry, and the
      module loader has placed the .init.text section far away from the
      .text section, meaning that it has to generate a trampoline for
      functions in the .init.text section to call the GPR save helper.
      Because the trampoline trashes r11, references to the stack frame
      using r11 can cause an oops.
      
      The fix just uses GPR r12 instead of GPR r11 for generating the
      trampoline code.  According to the statements from Freescale, this is
      safe from an EABI perspective.
      
      I've tested the fix for kernel 2.6.33 on MPC8541.
      Signed-off-by: default avatarSteffen Rumler <steffen.rumler.ext@nsn.com>
      [paulus@samba.org: reworded the description]
      Signed-off-by: default avatarPaul Mackerras <paulus@samba.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      dcd92275
    • James Bottomley's avatar
      SCSI: fix scsi_wait_scan · 24f65f8b
      James Bottomley authored
      commit 1ff2f403 upstream.
      
      Commit  c7510859
      Author: Rafael J. Wysocki <rjw@sisk.pl>
      Date:   Sun Apr 12 20:06:56 2009 +0200
      
          PM/Hibernate: Wait for SCSI devices scan to complete during resume
      
      Broke the scsi_wait_scan module in 2.6.30.  Apparently debian still uses it so
      fix it and backport to stable before removing it in 3.6.
      
      The breakage is caused because the function template in
      include/scsi/scsi_scan.h is defined to be a nop unless SCSI is built in.
      That means that in the modular case (which is every distro), the
      scsi_wait_scan module does a simple async_synchronize_full() instead of
      waiting for scans.
      Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      24f65f8b
    • Sarah Sharp's avatar
      xhci: Reset reserved command ring TRBs on cleanup. · 6dd99cb6
      Sarah Sharp authored
      commit 33b2831a upstream.
      
      When the xHCI driver needs to clean up memory (perhaps due to a failed
      register restore on resume from S3 or resume from S4), it needs to reset
      the number of reserved TRBs on the command ring to zero.  Otherwise,
      several resume cycles (about 30) with a UAS device attached will
      continually increment the number of reserved TRBs, until all command
      submissions fail because there isn't enough room on the command ring.
      
      This patch should be backported to kernels as old as 2.6.32,
      that contain the commit 913a8a34
      "USB: xhci: Change how xHCI commands are handled."
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      6dd99cb6
    • Jan Kara's avatar
      ext4: fix error handling on inode bitmap corruption · 1f2e3234
      Jan Kara authored
      commit acd6ad83 upstream.
      
      When insert_inode_locked() fails in ext4_new_inode() it most likely means inode
      bitmap got corrupted and we allocated again inode which is already in use. Also
      doing unlock_new_inode() during error recovery is wrong since the inode does
      not have I_NEW set. Fix the problem by jumping to fail: (instead of fail_drop:)
      which declares filesystem error and does not call unlock_new_inode().
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      1f2e3234
    • Jan Kara's avatar
      ext3: Fix error handling on inode bitmap corruption · ba57e38b
      Jan Kara authored
      commit 1415dd87 upstream.
      
      When insert_inode_locked() fails in ext3_new_inode() it most likely
      means inode bitmap got corrupted and we allocated again inode which
      is already in use. Also doing unlock_new_inode() during error recovery
      is wrong since inode does not have I_NEW set. Fix the problem by jumping
      to fail: (instead of fail_drop:) which declares filesystem error and
      does not call unlock_new_inode().
      Reviewed-by: default avatarEric Sandeen <sandeen@redhat.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      ba57e38b
    • Jonathan Nieder's avatar
      NFSv4: Revalidate uid/gid after open · 5816579f
      Jonathan Nieder authored
      This is a shorter (and more appropriate for stable kernels) analog to
      the following upstream commit:
      
      commit 6926afd1
      Author: Trond Myklebust <Trond.Myklebust@netapp.com>
      Date:   Sat Jan 7 13:22:46 2012 -0500
      
          NFSv4: Save the owner/group name string when doing open
      
          ...so that we can do the uid/gid mapping outside the asynchronous RPC
          context.
          This fixes a bug in the current NFSv4 atomic open code where the client
          isn't able to determine what the true uid/gid fields of the file are,
          (because the asynchronous nature of the OPEN call denies it the ability
          to do an upcall) and so fills them with default values, marking the
          inode as needing revalidation.
          Unfortunately, in some cases, the VFS will do some additional sanity
          checks on the file, and may override the server's decision to allow
          the open because it sees the wrong owner/group fields.
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      
      Without this patch, logging into two different machines with home
      directories mounted over NFS4 and then running "vim" and typing ":q"
      in each reliably produces the following error on the second machine:
      
      	E137: Viminfo file is not writable: /users/system/rtheys/.viminfo
      
      This regression was introduced by 80e52ace ("NFSv4: Don't do
      idmapper upcalls for asynchronous RPC calls", merged during the 2.6.32
      cycle) --- after the OPEN call, .viminfo has the default values for
      st_uid and st_gid (0xfffffffe) cached because we do not want to let
      rpciod wait for an idmapper upcall to fill them in.
      
      The fix used in mainline is to save the owner and group as strings and
      perform the upcall in _nfs4_proc_open outside the rpciod context,
      which takes about 600 lines.  For stable, we can do something similar
      with a one-liner: make open check for the stale fields and make a
      (synchronous) GETATTR call to fill them when needed.
      
      Trond dictated the patch, I typed it in, and Rik tested it.
      
      Addresses http://bugs.debian.org/659111 and
                https://bugzilla.redhat.com/789298Reported-by: default avatarRik Theys <Rik.Theys@esat.kuleuven.be>
      Explained-by: default avatarDavid Flyn <davidf@rd.bbc.co.uk>
      Signed-off-by: default avatarJonathan Nieder <jrnieder@gmail.com>
      Tested-by: default avatarRik Theys <Rik.Theys@esat.kuleuven.be>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      5816579f
    • Mark Hills's avatar
      ALSA: echoaudio: Remove incorrect part of assertion · 826b464b
      Mark Hills authored
      commit c914f55f upstream.
      
      This assertion seems to imply that chip->dsp_code_to_load is a pointer.
      It's actually an integer handle on the actual firmware, and 0 has no
      special meaning.
      
      The assertion prevents initialisation of a Darla20 card, but would also
      affect other models. It seems it was introduced in commit dd7b254d.
      
      ALSA sound/pci/echoaudio/echoaudio.c:2061 Echoaudio driver starting...
      ALSA sound/pci/echoaudio/echoaudio.c:1969 chip=ebe4e000
      ALSA sound/pci/echoaudio/echoaudio.c:2007 pci=ed568000 irq=19 subdev=0010 Init hardware...
      ALSA sound/pci/echoaudio/darla20_dsp.c:36 init_hw() - Darla20
      ------------[ cut here ]------------
      WARNING: at sound/pci/echoaudio/echoaudio_dsp.c:478 init_hw+0x1d1/0x86c [snd_darla20]()
      Hardware name: Dell DM051
      BUG? (!chip->dsp_code_to_load || !chip->comm_page)
      Signed-off-by: default avatarMark Hills <mark@pogo.org.uk>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      826b464b
    • Eric Dumazet's avatar
      netem: fix possible skb leak · 88a3ee1a
      Eric Dumazet authored
      [ Upstream commit 116a0fc3 ]
      
      skb_checksum_help(skb) can return an error, we must free skb in this
      case. qdisc_drop(skb, sch) can also be feeded with a NULL skb (if
      skb_unshare() failed), so lets use this generic helper.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Stephen Hemminger <shemminger@osdl.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      88a3ee1a
    • Tim Bird's avatar
      ARM: 7410/1: Add extra clobber registers for assembly in kernel_execve · 25849872
      Tim Bird authored
      commit e787ec13 upstream.
      
      The inline assembly in kernel_execve() uses r8 and r9.  Since this
      code sequence does not return, it usually doesn't matter if the
      register clobber list is accurate.  However, I saw a case where a
      particular version of gcc used r8 as an intermediate for the value
      eventually passed to r9.  Because r8 is used in the inline
      assembly, and not mentioned in the clobber list, r9 was set
      to an incorrect value.
      
      This resulted in a kernel panic on execution of the first user-space
      program in the system.  r9 is used in ret_to_user as the thread_info
      pointer, and if it's wrong, bad things happen.
      Signed-off-by: default avatarTim Bird <tim.bird@am.sony.com>
      Signed-off-by: default avatarRussell King <rmk+kernel@arm.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      25849872
    • David Ward's avatar
      net_sched: gred: Fix oops in gred_dump() in WRED mode · 31ff79fb
      David Ward authored
      [ Upstream commit 244b65db ]
      
      A parameter set exists for WRED mode, called wred_set, to hold the same
      values for qavg and qidlestart across all VQs. The WRED mode values had
      been previously held in the VQ for the default DP. After these values
      were moved to wred_set, the VQ for the default DP was no longer created
      automatically (so that it could be omitted on purpose, to have packets
      in the default DP enqueued directly to the device without using RED).
      
      However, gred_dump() was overlooked during that change; in WRED mode it
      still reads qavg/qidlestart from the VQ for the default DP, which might
      not even exist. As a result, this command sequence will cause an oops:
      
      tc qdisc add dev $DEV handle $HANDLE parent $PARENT gred setup \
          DPs 3 default 2 grio
      tc qdisc change dev $DEV handle $HANDLE gred DP 0 prio 8 $RED_OPTIONS
      tc qdisc change dev $DEV handle $HANDLE gred DP 1 prio 8 $RED_OPTIONS
      
      This fixes gred_dump() in WRED mode to use the values held in wred_set.
      Signed-off-by: default avatarDavid Ward <david.ward@ll.mit.edu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      31ff79fb
    • Davide Ciminaghi's avatar
      net/ethernet: ks8851_mll fix rx frame buffer overflow · 28188e3a
      Davide Ciminaghi authored
      [ Upstream commit 8a9a0ea6 ]
      
      At the beginning of ks_rcv(), a for loop retrieves the
      header information relevant to all the frames stored
      in the mac's internal buffers. The number of pending
      frames is stored as an 8 bits field in KS_RXFCTR.
      If interrupts are disabled long enough to allow for more than
      32 frames to accumulate in the MAC's internal buffers, a buffer
      overflow occurs.
      This patch fixes the problem by making the
      driver's frame_head_info buffer big enough.
      Well actually, since the chip appears to have 12K of
      internal rx buffers and the shortest ethernet frame should
      be 64 bytes long, maybe the limit could be set to
      12*1024/64 = 192 frames, but 255 should be safer.
      Signed-off-by: default avatarDavide Ciminaghi <ciminaghi@gnudd.com>
      Signed-off-by: default avatarRaffaele Recalcati <raffaele.recalcati@bticino.it>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      28188e3a
    • Tony Zelenoff's avatar
      atl1: fix kernel panic in case of DMA errors · cf4f7218
      Tony Zelenoff authored
      [ Upstream commit 03662e41 ]
      
      Problem:
      There was two separate work_struct structures which share one
      handler. Unfortunately getting atl1_adapter structure from
      work_struct in case of DMA error was done from incorrect
      offset which cause kernel panics.
      
      Solution:
      The useless work_struct for DMA error removed and
      handler name changed to more generic one.
      Signed-off-by: default avatarTony Zelenoff <antonz@parallels.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      cf4f7218
    • Eric Dumazet's avatar
      net: fix a race in sock_queue_err_skb() · 237b6148
      Eric Dumazet authored
      [ Upstream commit 110c4330 ]
      
      As soon as an skb is queued into socket error queue, another thread
      can consume it, so we are not allowed to reference skb anymore, or risk
      use after free.
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      237b6148
    • Eric Dumazet's avatar
      netlink: fix races after skb queueing · e0547758
      Eric Dumazet authored
      [ Upstream commit 4a7e7c2a ]
      
      As soon as an skb is queued into socket receive_queue, another thread
      can consume it, so we are not allowed to reference skb anymore, or risk
      use after free.
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      e0547758
    • Sasha Levin's avatar
      phonet: Check input from user before allocating · e61eb0d0
      Sasha Levin authored
      [ Upstream commit bcf1b70a ]
      
      A phonet packet is limited to USHRT_MAX bytes, this is never checked during
      tx which means that the user can specify any size he wishes, and the kernel
      will attempt to allocate that size.
      
      In the good case, it'll lead to the following warning, but it may also cause
      the kernel to kick in the OOM and kill a random task on the server.
      
      [ 8921.744094] WARNING: at mm/page_alloc.c:2255 __alloc_pages_slowpath+0x65/0x730()
      [ 8921.749770] Pid: 5081, comm: trinity Tainted: G        W    3.4.0-rc1-next-20120402-sasha #46
      [ 8921.756672] Call Trace:
      [ 8921.758185]  [<ffffffff810b2ba7>] warn_slowpath_common+0x87/0xb0
      [ 8921.762868]  [<ffffffff810b2be5>] warn_slowpath_null+0x15/0x20
      [ 8921.765399]  [<ffffffff8117eae5>] __alloc_pages_slowpath+0x65/0x730
      [ 8921.769226]  [<ffffffff81179c8a>] ? zone_watermark_ok+0x1a/0x20
      [ 8921.771686]  [<ffffffff8117d045>] ? get_page_from_freelist+0x625/0x660
      [ 8921.773919]  [<ffffffff8117f3a8>] __alloc_pages_nodemask+0x1f8/0x240
      [ 8921.776248]  [<ffffffff811c03e0>] kmalloc_large_node+0x70/0xc0
      [ 8921.778294]  [<ffffffff811c4bd4>] __kmalloc_node_track_caller+0x34/0x1c0
      [ 8921.780847]  [<ffffffff821b0e3c>] ? sock_alloc_send_pskb+0xbc/0x260
      [ 8921.783179]  [<ffffffff821b3c65>] __alloc_skb+0x75/0x170
      [ 8921.784971]  [<ffffffff821b0e3c>] sock_alloc_send_pskb+0xbc/0x260
      [ 8921.787111]  [<ffffffff821b002e>] ? release_sock+0x7e/0x90
      [ 8921.788973]  [<ffffffff821b0ff0>] sock_alloc_send_skb+0x10/0x20
      [ 8921.791052]  [<ffffffff824cfc20>] pep_sendmsg+0x60/0x380
      [ 8921.792931]  [<ffffffff824cb4a6>] ? pn_socket_bind+0x156/0x180
      [ 8921.794917]  [<ffffffff824cb50f>] ? pn_socket_autobind+0x3f/0x90
      [ 8921.797053]  [<ffffffff824cb63f>] pn_socket_sendmsg+0x4f/0x70
      [ 8921.798992]  [<ffffffff821ab8e7>] sock_aio_write+0x187/0x1b0
      [ 8921.801395]  [<ffffffff810e325e>] ? sub_preempt_count+0xae/0xf0
      [ 8921.803501]  [<ffffffff8111842c>] ? __lock_acquire+0x42c/0x4b0
      [ 8921.805505]  [<ffffffff821ab760>] ? __sock_recv_ts_and_drops+0x140/0x140
      [ 8921.807860]  [<ffffffff811e07cc>] do_sync_readv_writev+0xbc/0x110
      [ 8921.809986]  [<ffffffff811958e7>] ? might_fault+0x97/0xa0
      [ 8921.811998]  [<ffffffff817bd99e>] ? security_file_permission+0x1e/0x90
      [ 8921.814595]  [<ffffffff811e17e2>] do_readv_writev+0xe2/0x1e0
      [ 8921.816702]  [<ffffffff810b8dac>] ? do_setitimer+0x1ac/0x200
      [ 8921.818819]  [<ffffffff810e2ec1>] ? get_parent_ip+0x11/0x50
      [ 8921.820863]  [<ffffffff810e325e>] ? sub_preempt_count+0xae/0xf0
      [ 8921.823318]  [<ffffffff811e1926>] vfs_writev+0x46/0x60
      [ 8921.825219]  [<ffffffff811e1a3f>] sys_writev+0x4f/0xb0
      [ 8921.827127]  [<ffffffff82658039>] system_call_fastpath+0x16/0x1b
      [ 8921.829384] ---[ end trace dffe390f30db9eb7 ]---
      Signed-off-by: default avatarSasha Levin <levinsasha928@gmail.com>
      Acked-by: default avatarRmi Denis-Courmont <remi.denis-courmont@nokia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      e61eb0d0
    • Thomas Jarosch's avatar
      PCI: Add quirk for still enabled interrupts on Intel Sandy Bridge GPUs · cdb1f35d
      Thomas Jarosch authored
      commit f67fd55f upstream.
      
      Some BIOS implementations leave the Intel GPU interrupts enabled,
      even though no one is handling them (f.e. i915 driver is never loaded).
      Additionally the interrupt destination is not set up properly
      and the interrupt ends up -somewhere-.
      
      These spurious interrupts are "sticky" and the kernel disables
      the (shared) interrupt line after 100.000+ generated interrupts.
      
      Fix it by disabling the still enabled interrupts.
      This resolves crashes often seen on monitor unplug.
      
      Tested on the following boards:
      - Intel DH61CR: Affected
      - Intel DH67BL: Affected
      - Intel S1200KP server board: Affected
      - Asus P8H61-M LE: Affected, but system does not crash.
        Probably the IRQ ends up somewhere unnoticed.
      
      According to reports on the net, the Intel DH61WW board is also affected.
      
      Many thanks to Jesse Barnes from Intel for helping
      with the register configuration and to Intel in general
      for providing public hardware documentation.
      Signed-off-by: default avatarThomas Jarosch <thomas.jarosch@intra2net.com>
      Tested-by: default avatarCharlie Suffin <charlie.suffin@stratus.com>
      Signed-off-by: default avatarJesse Barnes <jbarnes@virtuousgeek.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      cdb1f35d
    • Kent Yoder's avatar
      crypto: sha512 - Fix byte counter overflow in SHA-512 · 21f5d063
      Kent Yoder authored
      commit 25c3d30c upstream.
      
      The current code only increments the upper 64 bits of the SHA-512 byte
      counter when the number of bytes hashed happens to hit 2^64 exactly.
      
      This patch increments the upper 64 bits whenever the lower 64 bits
      overflows.
      Signed-off-by: default avatarKent Yoder <key@linux.vnet.ibm.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      21f5d063
    • Alex He's avatar
      xHCI: Correct the #define XHCI_LEGACY_DISABLE_SMI · 79c23081
      Alex He authored
      commit 95018a53 upstream.
      
      Re-define XHCI_LEGACY_DISABLE_SMI and used it in right way. All SMI enable
      bits will be cleared to zero and flag bits 29:31 are also cleared to zero.
      Other bits should be presvered as Table 146.
      
      This patch should be backported to kernels as old as 2.6.31.
      Signed-off-by: default avatarAlex He <alex.he@amd.com>
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      79c23081
    • Sarah Sharp's avatar
      xhci: Don't write zeroed pointers to xHC registers. · 737b15bb
      Sarah Sharp authored
      commit 159e1fcc upstream.
      
      When xhci_mem_cleanup() is called, we can't be sure if the xHC is
      actually halted.  We can ask the xHC to halt by writing to the RUN bit
      in the command register, but that might timeout due to a HW hang.
      
      If the host controller is still running, we should not write zeroed
      values to the event ring dequeue pointers or base tables, the DCBAA
      pointers, or the command ring pointers.  Eric Fu reports his VIA VL800
      host accesses the event ring pointers after a failed register restore on
      resume from suspend.  The hypothesis is that the host never actually
      halted before the register write to change the event ring pointer to
      zero.
      
      Remove all writes of zeroed values to pointer registers in
      xhci_mem_cleanup().  Instead, make all callers of the function reset the
      host controller first, which will reset those registers to zero.
      xhci_mem_init() is the only caller that doesn't first halt and reset the
      host controller before calling xhci_mem_cleanup().
      
      This should be backported to kernels as old as 2.6.32.
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Tested-by: default avatarElric Fu <elricfu1@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      737b15bb
    • Johan Hovold's avatar
      USB: serial: fix race between probe and open · 0fdec066
      Johan Hovold authored
      commit a65a6f14 upstream.
      
      Fix race between probe and open by making sure that the disconnected
      flag is not cleared until all ports have been registered.
      
      A call to tty_open while probe is running may get a reference to the
      serial structure in serial_install before its ports have been
      registered. This may lead to usb_serial_core calling driver open before
      port is fully initialised.
      
      With ftdi_sio this result in the following NULL-pointer dereference as
      the private data has not been initialised at open:
      
      [  199.698286] IP: [<f811a089>] ftdi_open+0x59/0xe0 [ftdi_sio]
      [  199.698297] *pde = 00000000
      [  199.698303] Oops: 0000 [#1] PREEMPT SMP
      [  199.698313] Modules linked in: ftdi_sio usbserial
      [  199.698323]
      [  199.698327] Pid: 1146, comm: ftdi_open Not tainted 3.2.11 #70 Dell Inc. Vostro 1520/0T816J
      [  199.698339] EIP: 0060:[<f811a089>] EFLAGS: 00010286 CPU: 0
      [  199.698344] EIP is at ftdi_open+0x59/0xe0 [ftdi_sio]
      [  199.698348] EAX: 0000003e EBX: f5067000 ECX: 00000000 EDX: 80000600
      [  199.698352] ESI: f48d8800 EDI: 00000001 EBP: f515dd54 ESP: f515dcfc
      [  199.698356]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
      [  199.698361] Process ftdi_open (pid: 1146, ti=f515c000 task=f481e040 task.ti=f515c000)
      [  199.698364] Stack:
      [  199.698368]  f811a9fe f811a9e0 f811b3ef 00000000 00000000 00001388 00000000 f4a86800
      [  199.698387]  00000002 00000000 f806e68e 00000000 f532765c f481e040 00000246 22222222
      [  199.698479]  22222222 22222222 22222222 f5067004 f5327600 f5327638 f515dd74 f806e6ab
      [  199.698496] Call Trace:
      [  199.698504]  [<f806e68e>] ? serial_activate+0x2e/0x70 [usbserial]
      [  199.698511]  [<f806e6ab>] serial_activate+0x4b/0x70 [usbserial]
      [  199.698521]  [<c126380c>] tty_port_open+0x7c/0xd0
      [  199.698527]  [<f806e660>] ? serial_set_termios+0xa0/0xa0 [usbserial]
      [  199.698534]  [<f806e76f>] serial_open+0x2f/0x70 [usbserial]
      [  199.698540]  [<c125d07c>] tty_open+0x20c/0x510
      [  199.698546]  [<c10e9eb7>] chrdev_open+0xe7/0x230
      [  199.698553]  [<c10e48f2>] __dentry_open+0x1f2/0x390
      [  199.698559]  [<c144bfec>] ? _raw_spin_unlock+0x2c/0x50
      [  199.698565]  [<c10e4b76>] nameidata_to_filp+0x66/0x80
      [  199.698570]  [<c10e9dd0>] ? cdev_put+0x20/0x20
      [  199.698576]  [<c10f3e08>] do_last+0x198/0x730
      [  199.698581]  [<c10f4440>] path_openat+0xa0/0x350
      [  199.698587]  [<c10f47d5>] do_filp_open+0x35/0x80
      [  199.698593]  [<c144bfec>] ? _raw_spin_unlock+0x2c/0x50
      [  199.698599]  [<c10ff110>] ? alloc_fd+0xc0/0x100
      [  199.698605]  [<c10f0b72>] ? getname_flags+0x72/0x120
      [  199.698611]  [<c10e4450>] do_sys_open+0xf0/0x1c0
      [  199.698617]  [<c11fcc08>] ? trace_hardirqs_on_thunk+0xc/0x10
      [  199.698623]  [<c10e458e>] sys_open+0x2e/0x40
      [  199.698628]  [<c144c990>] sysenter_do_call+0x12/0x36
      [  199.698632] Code: 85 89 00 00 00 8b 16 8b 4d c0 c1 e2 08 c7 44 24 14 88 13 00 00 81 ca 00 00 00 80 c7 44 24 10 00 00 00 00 c7 44 24 0c 00 00 00 00 <0f> b7 41 78 31 c9 89 44 24 08 c7 44 24 04 00 00 00 00 c7 04 24
      [  199.698884] EIP: [<f811a089>] ftdi_open+0x59/0xe0 [ftdi_sio] SS:ESP 0068:f515dcfc
      [  199.698893] CR2: 0000000000000078
      [  199.698925] ---[ end trace 77c43ec023940cff ]---
      Reported-and-tested-by: default avatarKen Huang <csuhgw@gmail.com>
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      0fdec066
    • Wang YanQing's avatar
      video:uvesafb: Fix oops that uvesafb try to execute NX-protected page · a6f5fd97
      Wang YanQing authored
      commit b78f29ca upstream.
      
      This patch fix the oops below that catched in my machine
      
      [   81.560602] uvesafb: NVIDIA Corporation, GT216 Board - 0696a290, Chip Rev   , OEM: NVIDIA, VBE v3.0
      [   81.609384] uvesafb: protected mode interface info at c000:d350
      [   81.609388] uvesafb: pmi: set display start = c00cd3b3, set palette = c00cd40e
      [   81.609390] uvesafb: pmi: ports = 3b4 3b5 3ba 3c0 3c1 3c4 3c5 3c6 3c7 3c8 3c9 3cc 3ce 3cf 3d0 3d1 3d2 3d3 3d4 3d5 3da
      [   81.614558] uvesafb: VBIOS/hardware doesn't support DDC transfers
      [   81.614562] uvesafb: no monitor limits have been set, default refresh rate will be used
      [   81.614994] uvesafb: scrolling: ypan using protected mode interface, yres_virtual=4915
      [   81.744147] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
      [   81.744153] BUG: unable to handle kernel paging request at c00cd3b3
      [   81.744159] IP: [<c00cd3b3>] 0xc00cd3b2
      [   81.744167] *pdpt = 00000000016d6001 *pde = 0000000001c7b067 *pte = 80000000000cd163
      [   81.744171] Oops: 0011 [#1] SMP
      [   81.744174] Modules linked in: uvesafb(+) cfbcopyarea cfbimgblt cfbfillrect
      [   81.744178]
      [   81.744181] Pid: 3497, comm: modprobe Not tainted 3.3.0-rc4NX+ #71 Acer            Aspire 4741                    /Aspire 4741
      [   81.744185] EIP: 0060:[<c00cd3b3>] EFLAGS: 00010246 CPU: 0
      [   81.744187] EIP is at 0xc00cd3b3
      [   81.744189] EAX: 00004f07 EBX: 00000000 ECX: 00000000 EDX: 00000000
      [   81.744191] ESI: f763f000 EDI: f763f6e8 EBP: f57f3a0c ESP: f57f3a00
      [   81.744192]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
      [   81.744195] Process modprobe (pid: 3497, ti=f57f2000 task=f748c600 task.ti=f57f2000)
      [   81.744196] Stack:
      [   81.744197]  f82512c5 f759341c 00000000 f57f3a30 c124a9bc 00000001 00000001 000001e0
      [   81.744202]  f8251280 f763f000 f7593400 00000000 f57f3a40 c12598dd f5c0c000 00000000
      [   81.744206]  f57f3b10 c1255efe c125a21a 00000006 f763f09c 00000000 c1c6cb60 f7593400
      [   81.744210] Call Trace:
      [   81.744215]  [<f82512c5>] ? uvesafb_pan_display+0x45/0x60 [uvesafb]
      [   81.744222]  [<c124a9bc>] fb_pan_display+0x10c/0x160
      [   81.744226]  [<f8251280>] ? uvesafb_vbe_find_mode+0x180/0x180 [uvesafb]
      [   81.744230]  [<c12598dd>] bit_update_start+0x1d/0x50
      [   81.744232]  [<c1255efe>] fbcon_switch+0x39e/0x550
      [   81.744235]  [<c125a21a>] ? bit_cursor+0x4ea/0x560
      [   81.744240]  [<c129b6cb>] redraw_screen+0x12b/0x220
      [   81.744245]  [<c128843b>] ? tty_do_resize+0x3b/0xc0
      [   81.744247]  [<c129ef42>] vc_do_resize+0x3d2/0x3e0
      [   81.744250]  [<c129efb4>] vc_resize+0x14/0x20
      [   81.744253]  [<c12586bd>] fbcon_init+0x29d/0x500
      [   81.744255]  [<c12984c4>] ? set_inverse_trans_unicode+0xe4/0x110
      [   81.744258]  [<c129b378>] visual_init+0xb8/0x150
      [   81.744261]  [<c129c16c>] bind_con_driver+0x16c/0x360
      [   81.744264]  [<c129b47e>] ? register_con_driver+0x6e/0x190
      [   81.744267]  [<c129c3a1>] take_over_console+0x41/0x50
      [   81.744269]  [<c1257b7a>] fbcon_takeover+0x6a/0xd0
      [   81.744272]  [<c12594b8>] fbcon_event_notify+0x758/0x790
      [   81.744277]  [<c10929e2>] notifier_call_chain+0x42/0xb0
      [   81.744280]  [<c1092d30>] __blocking_notifier_call_chain+0x60/0x90
      [   81.744283]  [<c1092d7a>] blocking_notifier_call_chain+0x1a/0x20
      [   81.744285]  [<c124a5a1>] fb_notifier_call_chain+0x11/0x20
      [   81.744288]  [<c124b759>] register_framebuffer+0x1d9/0x2b0
      [   81.744293]  [<c1061c73>] ? ioremap_wc+0x33/0x40
      [   81.744298]  [<f82537c6>] uvesafb_probe+0xaba/0xc40 [uvesafb]
      [   81.744302]  [<c12bb81f>] platform_drv_probe+0xf/0x20
      [   81.744306]  [<c12ba558>] driver_probe_device+0x68/0x170
      [   81.744309]  [<c12ba731>] __device_attach+0x41/0x50
      [   81.744313]  [<c12b9088>] bus_for_each_drv+0x48/0x70
      [   81.744316]  [<c12ba7f3>] device_attach+0x83/0xa0
      [   81.744319]  [<c12ba6f0>] ? __driver_attach+0x90/0x90
      [   81.744321]  [<c12b991f>] bus_probe_device+0x6f/0x90
      [   81.744324]  [<c12b8a45>] device_add+0x5e5/0x680
      [   81.744329]  [<c122a1a3>] ? kvasprintf+0x43/0x60
      [   81.744332]  [<c121e6e4>] ? kobject_set_name_vargs+0x64/0x70
      [   81.744335]  [<c121e6e4>] ? kobject_set_name_vargs+0x64/0x70
      [   81.744339]  [<c12bbe9f>] platform_device_add+0xff/0x1b0
      [   81.744343]  [<f8252906>] uvesafb_init+0x50/0x9b [uvesafb]
      [   81.744346]  [<c100111f>] do_one_initcall+0x2f/0x170
      [   81.744350]  [<f82528b6>] ? uvesafb_is_valid_mode+0x66/0x66 [uvesafb]
      [   81.744355]  [<c10c6994>] sys_init_module+0xf4/0x1410
      [   81.744359]  [<c1157fc0>] ? vfsmount_lock_local_unlock_cpu+0x30/0x30
      [   81.744363]  [<c144cb10>] sysenter_do_call+0x12/0x36
      [   81.744365] Code: f5 00 00 00 32 f6 66 8b da 66 d1 e3 66 ba d4 03 8a e3 b0 1c 66 ef b0 1e 66 ef 8a e7 b0 1d 66 ef b0 1f 66 ef e8 fa 00 00 00 61 c3 <60> e8 c8 00 00 00 66 8b f3 66 8b da 66 ba d4 03 b0 0c 8a e5 66
      [   81.744388] EIP: [<c00cd3b3>] 0xc00cd3b3 SS:ESP 0068:f57f3a00
      [   81.744391] CR2: 00000000c00cd3b3
      [   81.744393] ---[ end trace 18b2c87c925b54d6 ]---
      Signed-off-by: default avatarWang YanQing <udknight@gmail.com>
      Cc: Michal Januszewski <spock@gentoo.org>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Signed-off-by: default avatarFlorian Tobias Schandinat <FlorianSchandinat@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      a6f5fd97
    • David S. Miller's avatar
      sparc64: Fix bootup crash on sun4v. · 4c5a5473
      David S. Miller authored
      commit 9e0daff3 upstream.
      
      The DS driver registers as a subsys_initcall() but this can be too
      early, in particular this risks registering before we've had a chance
      to allocate and setup module_kset in kernel/params.c which is
      performed also as a subsyts_initcall().
      
      Register DS using device_initcall() insteal.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      4c5a5473
    • Johan Hovold's avatar
      Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close · 9a603990
      Johan Hovold authored
      commit 33b69bf8 upstream.
      
      Do not close protocol driver until device has been unregistered.
      
      This fixes a race between tty_close and hci_dev_open which can result in
      a NULL-pointer dereference.
      
      The line discipline closes the protocol driver while we may still have
      hci_dev_open sleeping on the req_lock mutex resulting in a NULL-pointer
      dereference when lock is acquired and hci_init_req called.
      
      Bug is 100% reproducible using hciattach and a disconnected serial port:
      
      0. # hciattach -n ttyO1 any noflow
      
      1. hci_dev_open called from hci_power_on grabs req lock
      2. hci_init_req executes but device fails to initialise (times out
         eventually)
      3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
      4. hci_uart_tty_close detaches protocol driver and cancels init req
      5. hci_dev_open (1) releases req lock
      6. hci_dev_open (3) grabs req lock, calls hci_init_req, which triggers oops
         when request is prepared in hci_uart_send_frame
      
      [  137.201263] Unable to handle kernel NULL pointer dereference at virtual address 00000028
      [  137.209838] pgd = c0004000
      [  137.212677] [00000028] *pgd=00000000
      [  137.216430] Internal error: Oops: 17 [#1]
      [  137.220642] Modules linked in:
      [  137.223846] CPU: 0    Tainted: G        W     (3.3.0-rc6-dirty #406)
      [  137.230529] PC is at __lock_acquire+0x5c/0x1ab0
      [  137.235290] LR is at lock_acquire+0x9c/0x128
      [  137.239776] pc : [<c0071490>]    lr : [<c00733f8>]    psr: 20000093
      [  137.239776] sp : cf869dd8  ip : c0529554  fp : c051c730
      [  137.251800] r10: 00000000  r9 : cf8673c0  r8 : 00000080
      [  137.257293] r7 : 00000028  r6 : 00000002  r5 : 00000000  r4 : c053fd70
      [  137.264129] r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : 00000001
      [  137.270965] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
      [  137.278717] Control: 10c5387d  Table: 8f0f4019  DAC: 00000015
      [  137.284729] Process kworker/u:1 (pid: 7, stack limit = 0xcf8682e8)
      [  137.291229] Stack: (0xcf869dd8 to 0xcf86a000)
      [  137.295776] 9dc0:                                                       c0529554 00000000
      [  137.304351] 9de0: cf8673c0 cf868000 d03ea1ef cf868000 000001ef 00000470 00000000 00000002
      [  137.312927] 9e00: cf8673c0 00000001 c051c730 c00716ec 0000000c 00000440 c0529554 00000001
      [  137.321533] 9e20: c051c730 cf868000 d03ea1f3 00000000 c053b978 00000000 00000028 cf868000
      [  137.330078] 9e40: 00000000 00000000 00000002 00000000 00000000 c00733f8 00000002 00000080
      [  137.338684] 9e60: 00000000 c02a1d50 00000000 00000001 60000013 c0969a1c 60000093 c053b96c
      [  137.347259] 9e80: 00000002 00000018 20000013 c02a1d50 cf0ac000 00000000 00000002 cf868000
      [  137.355834] 9ea0: 00000089 c0374130 00000002 00000000 c02a1d50 cf0ac000 0000000c cf0fc540
      [  137.364410] 9ec0: 00000018 c02a1d50 cf0fc540 00000000 cf0fc540 c0282238 c028220c cf178d80
      [  137.372985] 9ee0: 127525d8 c02821cc 9a1fa451 c032727c 9a1fa451 127525d8 cf0fc540 cf0ac4ec
      [  137.381561] 9f00: cf0ac000 cf0fc540 cf0ac584 c03285f4 c0328580 cf0ac4ec cf85c740 c05510cc
      [  137.390136] 9f20: ce825400 c004c914 00000002 00000000 c004c884 ce8254f5 cf869f48 00000000
      [  137.398712] 9f40: c0328580 ce825415 c0a7f914 c061af64 00000000 c048cf3c cf8673c0 cf85c740
      [  137.407287] 9f60: c05510cc c051a66c c05510ec c05510c4 cf85c750 cf868000 00000089 c004d6ac
      [  137.415863] 9f80: 00000000 c0073d14 00000001 cf853ed8 cf85c740 c004d558 00000013 00000000
      [  137.424438] 9fa0: 00000000 00000000 00000000 c00516b0 00000000 00000000 cf85c740 00000000
      [  137.433013] 9fc0: 00000001 dead4ead ffffffff ffffffff c0551674 00000000 00000000 c0450aa4
      [  137.441589] 9fe0: cf869fe0 cf869fe0 cf853ed8 c005162c c0013b30 c0013b30 00ffff00 00ffff00
      [  137.450164] [<c0071490>] (__lock_acquire+0x5c/0x1ab0) from [<c00733f8>] (lock_acquire+0x9c/0x128)
      [  137.459503] [<c00733f8>] (lock_acquire+0x9c/0x128) from [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58)
      [  137.469360] [<c0374130>] (_raw_spin_lock_irqsave+0x44/0x58) from [<c02a1d50>] (skb_queue_tail+0x18/0x48)
      [  137.479339] [<c02a1d50>] (skb_queue_tail+0x18/0x48) from [<c0282238>] (h4_enqueue+0x2c/0x34)
      [  137.488189] [<c0282238>] (h4_enqueue+0x2c/0x34) from [<c02821cc>] (hci_uart_send_frame+0x34/0x68)
      [  137.497497] [<c02821cc>] (hci_uart_send_frame+0x34/0x68) from [<c032727c>] (hci_send_frame+0x50/0x88)
      [  137.507171] [<c032727c>] (hci_send_frame+0x50/0x88) from [<c03285f4>] (hci_cmd_work+0x74/0xd4)
      [  137.516204] [<c03285f4>] (hci_cmd_work+0x74/0xd4) from [<c004c914>] (process_one_work+0x1a0/0x4ec)
      [  137.525604] [<c004c914>] (process_one_work+0x1a0/0x4ec) from [<c004d6ac>] (worker_thread+0x154/0x344)
      [  137.535278] [<c004d6ac>] (worker_thread+0x154/0x344) from [<c00516b0>] (kthread+0x84/0x90)
      [  137.543975] [<c00516b0>] (kthread+0x84/0x90) from [<c0013b30>] (kernel_thread_exit+0x0/0x8)
      [  137.552734] Code: e59f4e5c e5941000 e3510000 0a000031 (e5971000)
      [  137.559234] ---[ end trace 1b75b31a2719ed1e ]---
      Signed-off-by: default avatarJohan Hovold <jhovold@gmail.com>
      Acked-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      9a603990
    • Jun Nie's avatar
      Bluetooth: add NULL pointer check in HCI · c74bc8b7
      Jun Nie authored
      commit d9319560 upstream.
      
      If we fail to find a hci device pointer in hci_uart, don't try
      to deref the NULL one we do have.
      Signed-off-by: default avatarJun Nie <njun@marvell.com>
      Signed-off-by: default avatarGustavo F. Padovan <padovan@profusion.mobi>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      c74bc8b7
    • Salman Qazi's avatar
      sched/x86: Fix overflow in cyc2ns_offset · ab81b6ab
      Salman Qazi authored
      commit 9993bc63 upstream.
      
      When a machine boots up, the TSC generally gets reset.  However,
      when kexec is used to boot into a kernel, the TSC value would be
      carried over from the previous kernel.  The computation of
      cycns_offset in set_cyc2ns_scale is prone to an overflow, if the
      machine has been up more than 208 days prior to the kexec.  The
      overflow happens when we multiply *scale, even though there is
      enough room to store the final answer.
      
      We fix this issue by decomposing tsc_now into the quotient and
      remainder of division by CYC2NS_SCALE_FACTOR and then performing
      the multiplication separately on the two components.
      
      Refactor code to share the calculation with the previous
      fix in __cycles_2_ns().
      Signed-off-by: default avatarSalman Qazi <sqazi@google.com>
      Acked-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Acked-by: default avatarPeter Zijlstra <a.p.zijlstra@chello.nl>
      Cc: Paul Turner <pjt@google.com>
      Cc: john stultz <johnstul@us.ibm.com>
      Link: http://lkml.kernel.org/r/20120310004027.19291.88460.stgit@dungbeetle.mtv.corp.google.comSigned-off-by: default avatarIngo Molnar <mingo@elte.hu>
      Cc: Mike Galbraith <efault@gmx.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      ab81b6ab
    • Dan Carpenter's avatar
      nfsd: don't allow zero length strings in cache_parse() · 0d1e8b82
      Dan Carpenter authored
      commit 6d8d1749 upstream.
      
      There is no point in passing a zero length string here and quite a
      few of that cache_parse() implementations will Oops if count is
      zero.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      0d1e8b82
    • Jan Kara's avatar
      xfs: Fix oops on IO error during xlog_recover_process_iunlinks() · df2c6845
      Jan Kara authored
      commit d97d32ed upstream.
      
      When an IO error happens during inode deletion run from
      xlog_recover_process_iunlinks() filesystem gets shutdown. Thus any subsequent
      attempt to read buffers fails. Code in xlog_recover_process_iunlinks() does not
      count with the fact that read of a buffer which was read a while ago can
      really fail which results in the oops on
        agi = XFS_BUF_TO_AGI(agibp);
      
      Fix the problem by cleaning up the buffer handling in
      xlog_recover_process_iunlinks() as suggested by Dave Chinner. We release buffer
      lock but keep buffer reference to AG buffer. That is enough for buffer to stay
      pinned in memory and we don't have to call xfs_read_agi() all the time.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Reviewed-by: default avatarDave Chinner <dchinner@redhat.com>
      Signed-off-by: default avatarBen Myers <bpm@sgi.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      df2c6845
    • Theodore Ts'o's avatar
      ext4: check for zero length extent · 2e3380e6
      Theodore Ts'o authored
      commit 31d4f3a2 upstream.
      
      Explicitly test for an extent whose length is zero, and flag that as a
      corrupted extent.
      
      This avoids a kernel BUG_ON assertion failure.
      
      Tested: Without this patch, the file system image found in
      tests/f_ext_zero_len/image.gz in the latest e2fsprogs sources causes a
      kernel panic.  With this patch, an ext4 file system error is noted
      instead, and the file system is marked as being corrupted.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=42859Signed-off-by: default avatar"Theodore Ts'o" <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      2e3380e6
    • Trond Myklebust's avatar
      SUNRPC: We must not use list_for_each_entry_safe() in rpc_wake_up() · df79b5ef
      Trond Myklebust authored
      commit 540a0f75 upstream.
      
      The problem is that for the case of priority queues, we
      have to assume that __rpc_remove_wait_queue_priority will move new
      elements from the tk_wait.links lists into the queue->tasks[] list.
      We therefore cannot use list_for_each_entry_safe() on queue->tasks[],
      since that will skip these new tasks that __rpc_remove_wait_queue_priority
      is adding.
      
      Without this fix, rpc_wake_up and rpc_wake_up_status will both fail
      to wake up all functions on priority wait queues, which can result
      in some nasty hangs.
      Reported-by: default avatarAndy Adamson <andros@netapp.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      df79b5ef
    • Sasha Levin's avatar
      ntp: Fix integer overflow when setting time · 58c37cca
      Sasha Levin authored
      commit a078c6d0 upstream.
      
      'long secs' is passed as divisor to div_s64, which accepts a 32bit
      divisor. On 64bit machines that value is trimmed back from 8 bytes
      back to 4, causing a divide by zero when the number is bigger than
      (1 << 32) - 1 and all 32 lower bits are 0.
      
      Use div64_long() instead.
      Signed-off-by: default avatarSasha Levin <levinsasha928@gmail.com>
      Cc: johnstul@us.ibm.com
      Link: http://lkml.kernel.org/r/1331829374-31543-2-git-send-email-levinsasha928@gmail.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      [WT: div64_long() does not exist on 2.6.32 and needs a deeper backport than
       desired. Instead, address the issue by controlling that the divisor is
       correct for use as an s32 divisor]
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      58c37cca
    • Greg Kroah-Hartman's avatar
      USB: ftdi_sio: fix problem when the manufacture is a NULL string · f12847e2
      Greg Kroah-Hartman authored
      commit 656d2b39 upstream.
      
      On some misconfigured ftdi_sio devices, if the manufacturer string is
      NULL, the kernel will oops when the device is plugged in.  This patch
      fixes the problem.
      Reported-by: default avatarWojciech M Zabolotny <W.Zabolotny@elka.pw.edu.pl>
      Tested-by: default avatarWojciech M Zabolotny <W.Zabolotny@elka.pw.edu.pl>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      f12847e2
    • Ryusuke Konishi's avatar
      nilfs2: fix NULL pointer dereference in nilfs_load_super_block() · 9d899d1f
      Ryusuke Konishi authored
      commit d7178c79 upstream.
      
      According to the report from Slicky Devil, nilfs caused kernel oops at
      nilfs_load_super_block function during mount after he shrank the
      partition without resizing the filesystem:
      
       BUG: unable to handle kernel NULL pointer dereference at 00000048
       IP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2]
       *pde = 00000000
       Oops: 0000 [#1] PREEMPT SMP
       ...
       Call Trace:
        [<d0d7a87b>] init_nilfs+0x4b/0x2e0 [nilfs2]
        [<d0d6f707>] nilfs_mount+0x447/0x5b0 [nilfs2]
        [<c0226636>] mount_fs+0x36/0x180
        [<c023d961>] vfs_kern_mount+0x51/0xa0
        [<c023ddae>] do_kern_mount+0x3e/0xe0
        [<c023f189>] do_mount+0x169/0x700
        [<c023fa9b>] sys_mount+0x6b/0xa0
        [<c04abd1f>] sysenter_do_call+0x12/0x28
       Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43
       20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72
       48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00
       EIP: [<d0d7a08e>] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc
       CR2: 0000000000000048
      
      This turned out due to a defect in an error path which runs if the
      calculated location of the secondary super block was invalid.
      
      This patch fixes it and eliminates the reported oops.
      Reported-by: default avatarSlicky Devil <slicky.dvl@gmail.com>
      Signed-off-by: default avatarRyusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Tested-by: default avatarSlicky Devil <slicky.dvl@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      9d899d1f
    • Dan Carpenter's avatar
      block, sx8: fix pointer math issue getting fw version · 3aeff240
      Dan Carpenter authored
      commit ea5f4db8 upstream.
      
      "mem" is type u8.  We need parenthesis here or it screws up the pointer
      math probably leading to an oops.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarJeff Garzik <jgarzik@redhat.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      3aeff240
    • Eric Dumazet's avatar
      ipsec: be careful of non existing mac headers · d67f05eb
      Eric Dumazet authored
      [ Upstream commit 03606895 ]
      
      Niccolo Belli reported ipsec crashes in case we handle a frame without
      mac header (atm in his case)
      
      Before copying mac header, better make sure it is present.
      
      Bugzilla reference:  https://bugzilla.kernel.org/show_bug.cgi?id=42809Reported-by: default avatarNiccol Belli <darkbasic@linuxsystems.it>
      Tested-by: default avatarNiccol Belli <darkbasic@linuxsystems.it>
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      d67f05eb
    • Thomas Gleixner's avatar
      x86: Derandom delay_tsc for 64 bit · 3a40b4fe
      Thomas Gleixner authored
      commit a7f4255f upstream.
      
      Commit f0fbf0ab ("x86: integrate delay functions") converted
      delay_tsc() into a random delay generator for 64 bit.  The reason is
      that it merged the mostly identical versions of delay_32.c and
      delay_64.c.  Though the subtle difference of the result was:
      
       static void delay_tsc(unsigned long loops)
       {
      -	unsigned bclock, now;
      +	unsigned long bclock, now;
      
      Now the function uses rdtscl() which returns the lower 32bit of the
      TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64
      bit this fails when the lower 32bit are close to wrap around when
      bclock is read, because the following check
      
             if ((now - bclock) >= loops)
             	  	break;
      
      evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0
      because the unsigned long (now - bclock) of these values results in
      0xffffffff00000001 which is definitely larger than the loops
      value. That explains Tvortkos observation:
      
      "Because I am seeing udelay(500) (_occasionally_) being short, and
       that by delaying for some duration between 0us (yep) and 491us."
      
      Make those variables explicitely u32 again, so this works for both 32
      and 64 bit.
      Reported-by: default avatarTvrtko Ursulin <tvrtko.ursulin@onelan.co.uk>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      3a40b4fe
    • David S. Miller's avatar
      tcp: Don't change unlocked socket state in tcp_v4_err(). · 386ca3f0
      David S. Miller authored
      commit 8f49c270 upstream.
      
      Alexey Kuznetsov noticed a regression introduced by
      commit f1ecd5d9
      ("Revert Backoff [v3]: Revert RTO on ICMP destination unreachable")
      
      The RTO and timer modification code added to tcp_v4_err()
      doesn't check sock_owned_by_user(), which if true means we
      don't have exclusive access to the socket and therefore cannot
      modify it's critical state.
      
      Just skip this new code block if sock_owned_by_user() is true
      and eliminate the now superfluous sock_owned_by_user() code
      block contained within.
      Reported-by: default avatarAlexey Kuznetsov <kuznet@ms2.inr.ac.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      CC: Damian Lukowski <damian@tvk.rwth-aachen.de>
      Acked-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Cc: Ben Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      386ca3f0
    • Oleg Nesterov's avatar
      cred: copy_process() should clear child->replacement_session_keyring · 66174b0e
      Oleg Nesterov authored
      commit 79549c6d upstream
      
      keyctl_session_to_parent(task) sets ->replacement_session_keyring,
      it should be processed and cleared by key_replace_session_keyring().
      
      However, this task can fork before it notices TIF_NOTIFY_RESUME and
      the new child gets the bogus ->replacement_session_keyring copied by
      dup_task_struct(). This is obviously wrong and, if nothing else, this
      leads to put_cred(already_freed_cred).
      
      change copy_creds() to clear this member. If copy_process() fails
      before this point the wrong ->replacement_session_keyring doesn't
      matter, exit_creds() won't be called.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Acked-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      66174b0e
    • Greg Kroah-Hartman's avatar
      hfsplus: Fix potential buffer overflows · 092c87ce
      Greg Kroah-Hartman authored
      commit 6f24f892 upstream
      
      Commit ec81aecb ("hfs: fix a potential buffer overflow") fixed a few
      potential buffer overflows in the hfs filesystem.  But as Timo Warns
      pointed out, these changes also need to be made on the hfsplus
      filesystem as well.
      Reported-by: default avatarTimo Warns <warns@pre-sense.de>
      Acked-by: default avatarWANG Cong <amwang@redhat.com>
      Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
      Cc: Miklos Szeredi <mszeredi@suse.cz>
      Cc: Sage Weil <sage@newdream.net>
      Cc: Eugene Teo <eteo@redhat.com>
      Cc: Roman Zippel <zippel@linux-m68k.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Dave Anderson <anderson@redhat.com>
      Cc: stable <stable@vger.kernel.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [dannf: backported to Debian's 2.6.32]
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      092c87ce
    • Jeff Mahoney's avatar
      dl2k: Clean up rio_ioctl · 4b3eb7bc
      Jeff Mahoney authored
      commit 1bb57e94 upstream
      
      The dl2k driver's rio_ioctl call has a few issues:
      - No permissions checking
      - Implements SIOCGMIIREG and SIOCGMIIREG using the SIOCDEVPRIVATE numbers
      - Has a few ioctls that may have been used for debugging at one point
        but have no place in the kernel proper.
      
      This patch removes all but the MII ioctls, renumbers them to use the
      standard ones, and adds the proper permission check for SIOCSMIIREG.
      
      We can also get rid of the dl2k-specific struct mii_data in favor of
      the generic struct mii_ioctl_data.
      
      Since we have the phyid on hand, we can add the SIOCGMIIPHY ioctl too.
      
      Most of the MII code for the driver could probably be converted to use
      the generic MII library but I don't have a device to test the results.
      Reported-by: default avatarStephan Mueller <stephan.mueller@atsec.com>
      Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [dannf: backported to Debian's 2.6.32]
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      4b3eb7bc
    • Francois Romieu's avatar
      dl2k: use standard #defines from mii.h. · aecd9f48
      Francois Romieu authored
      commit 78f6a6bd upstream
      Signed-off-by: default avatarFrancois Romieu <romieu@fr.zoreil.com>
      [dannf: backported to Debian's 2.6.32]
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      aecd9f48