Commit Graph

388790 Commits

Author SHA1 Message Date
Sarah Sharp 203a86613f xhci: Avoid NULL pointer deref when host dies.
When the host controller fails to respond to an Enable Slot command, and
the host fails to respond to the register write to abort the command
ring, the xHCI driver will assume the host is dead, and call
usb_hc_died().

The USB device's slot_id is still set to zero, and the pointer stored at
xhci->devs[0] will always be NULL.  The call to xhci_check_args in
xhci_free_dev should have caught the NULL virt_dev pointer.

However, xhci_free_dev is designed to free the xhci_virt_device
structures, even if the host is dead, so that we don't leak kernel
memory.  xhci_free_dev checks the return value from the generic
xhci_check_args function.  If the return value is -ENODEV, it carries on
trying to free the virtual device.

The issue is that xhci_check_args looks at the host controller state
before it looks at the xhci_virt_device pointer.  It will return -ENIVAL
because the host is dead, and xhci_free_dev will ignore the return
value, and happily dereference the NULL xhci_virt_device pointer.

The fix is to make sure that xhci_check_args checks the xhci_virt_device
pointer before it checks the host state.

See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1203453 for
further details.  This patch doesn't solve the underlying issue, but
will ensure we don't see any more NULL pointer dereferences because of
the issue.

This patch should be backported to kernels as old as 3.1, that
contain the commit 7bd89b4017 "xhci: Don't
submit commands or URBs to halted hosts."

Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Reported-by: Vincent Thiele <vincentthiele@gmail.com>
Cc: stable@vger.kernel.org
2013-07-25 08:09:23 -07:00
Jani Nikula 14c5cec5d0 drm/i915: initialize gt_lock early with other spin locks
commit 181d1b9e31
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Sun Jul 21 13:16:24 2013 +0200

    drm/i915: fix up gt init sequence fallout

moved dev_priv->gt_lock initialization after use. Do the initialization
much earlier with other spin lock initializations.

Reported-by: Sedat Dilek <sedat.dilek@gmail.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
Cc: stable@vger.kernel.org (since the regressing patch is also cc: stable)
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2013-07-25 15:39:15 +02:00
Arik Nemtsov 23df0b7319 regulatory: use correct regulatory initiator on wiphy register
The current regdomain was not always set by the core. This causes
cards with a custom regulatory domain to ignore user initiated changes
if done before the card was registered.

Signed-off-by: Arik Nemtsov <arik@wizery.com>
Acked-by: Luis R. Rodriguez <mcgrof@do-not-panic.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-07-25 09:52:46 +02:00
David S. Miller 1df86b4cee Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
John W. Linville says:

====================
This is another batch of fixes intended for the 3.11 stream.  FWIW,
this is the first request with fixes from the mac80211 and iwlwifi
trees as well.

Regarding the mac80211 bits, Johannes says:

"Here I have a fix for RSSI thresholds in mesh, two minstrel fixes from
Felix, an nl80211 fix from Michal and four various fixes I did myself."

As for the iwlwifi bits, Johannes says:

"Here I have a fix for debugfs directory creation (causing a spurious
error message), two scanning fixes from David Spinadel, an LED fix and
two patches related to a BA session problem that eventually caused
firmware crashes from Emmanuel and a small BT fix for older devices as
well as a workaround for a firmware problem with APs with very small
beacon intervals from myself."

Along with those:

Arend van Spriel addresses a lock-up and a NULL pointer dereference
in brcmfmac.

Daniel Drake fixes an unhandled interrupt during device tear down
in mwifiex.

Larry Finger corrects a wil6210 build error.

Oleksij Rempel fixes two ath9k_htc problems related to keeping the
driver and firmware in sync.

Solomon Peachy gives us a cw1200 fix to avoid an oops in monitor mode.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2013-07-25 00:06:59 -07:00
NeilBrown f94c0b6658 md/raid5: fix interaction of 'replace' and 'recovery'.
If a device in a RAID4/5/6 is being replaced while another is being
recovered, then the writes to the replacement device currently don't
happen, resulting in corruption when the replacement completes and the
new drive takes over.

This is because the replacement writes are only triggered when
's.replacing' is set and not when the similar 's.sync' is set (which
is the case during resync and recovery - it means all devices need to
be read).

So schedule those writes when s.replacing is set as well.

In this case we cannot use "STRIPE_INSYNC" to record that the
replacement has happened as that is needed for recording that any
parity calculation is complete.  So introduce STRIPE_REPLACED to
record if the replacement has happened.

For safety we should also check that STRIPE_COMPUTE_RUN is not set.
This has a similar effect to the "s.locked == 0" test.  The latter
ensure that now IO has been flagged but not started.  The former
checks if any parity calculation has been flagged by not started.
We must wait for both of these to complete before triggering the
'replace'.

Add a similar test to the subsequent check for "are we finished yet".
This possibly isn't needed (is subsumed in the STRIPE_INSYNC test),
but it makes it more obvious that the REPLACE will happen before we
think we are finished.

Finally if a NeedReplace device is not UPTODATE then that is an
error.  We really must trigger a warning.

This bug was introduced in commit 9a3e1101b8
(md/raid5:  detect and handle replacements during recovery.)
which introduced replacement for raid5.
That was in 3.3-rc3, so any stable kernel since then would benefit
from this fix.

Cc: stable@vger.kernel.org (3.3+)
Reported-by: qindehua <13691222965@163.com>
Tested-by: qindehua <qindehua@163.com>
Signed-off-by: NeilBrown <neilb@suse.de>
2013-07-25 16:46:57 +10:00
NeilBrown 0eb25bb027 md/raid10: remove use-after-free bug.
We always need to be careful when calling generic_make_request, as it
can start a chain of events which might free something that we are
using.

Here is one place I wasn't careful enough.  If the wbio2 is not in
use, then it might get freed at the first generic_make_request call.
So perform all necessary tests first.

This bug was introduced in 3.3-rc3 (24afd80d99) and can cause an
oops, so fix is suitable for any -stable since then.

Cc: stable@vger.kernel.org (3.3+)
Signed-off-by: NeilBrown <neilb@suse.de>
2013-07-25 16:46:53 +10:00
Kuninori Morimoto 16b551dd22 ARM: shmobile: armadillo800eva: Don't request GPIO 166 in board code
89ae7b5bbd
(ARM: shmobile: armadillo800eva: Register pinctrl mapping for INTC)
mistakenly requests GPIO 166 in board code,
most probably due to a wrong merge conflict resolution.
As the GPIO is passed to the st1232 driver through platform
data and requested by the driver,
there's no need to request it in board code. Fix it.

Tested by: Cao Minh Hiep <cm-hiep@jinso.co.jp>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
2013-07-25 14:40:31 +09:00
Tsugikazu Shibata 9b0ee8cf70 HOWTO ja_JP sync
Attached is Documentation/ja_JP/HOWTO sync patch for 3.10.
This patch was reviewed by Japanese translation community called JF.

Signed-off-by: Tsugikazu Shibata <tshibata@ab.jp.nec.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24 22:06:34 -07:00
Enrico Mioso 63b5df963f usb: serial: option: Add ONYX 3G device support
This patch adds support for the ONYX 3G device (version 1) from ALFA
NETWORK.

Signed-off-by: Enrico Mioso <mrkiko.rs@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24 21:53:47 -07:00
Florian Fainelli deceb4c062 net: fix comment above build_skb()
build_skb() specifies that the data parameter must come from a kmalloc'd
area, this is only true if frag_size equals 0, because then build_skb()
will use kzsize(data) to figure out the actual data size. Update the
comment to reflect that special condition.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-07-24 17:59:07 -07:00
Olof Johansson 51378066fc Samsung fixes for v3.11
- fix kernel booting on exynos5440
   skip pm which is not supported
   update regarding LPAE features
 - fix s3c2440 uart with adding clkdev entries
 - fix compilatioin for Samsung SoCs with selecting pm
 - update ARCH_NR_GPIO to support exynos4412 has more gpios
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJR8AZBAAoJEA0Cl+kVi2xqSNIP/iBgogT3O18Aj2dclg9QDh7L
 YTnT60p7VsoevAb+mVS0rcxpgFGIvuM6TII65VGMNQNeHgwOJzrFT2rWe0NQ0kCw
 DUE3717+sHcqiGDxnsyffeJL+7THSZiZUzkgxmKSb22yTzb1uO1gDrF2uT/njAgh
 6lsthqKZjKhi8KL9qXGEeh1HgxNaQWGUrTcpEWFGYxpF+wyrQuFjOJoRQJc7dKsp
 JdlSiR+R5mTWvo5HAiT0QH97JzT5xuk5p8lMrxbmkwfEmewKeM89uIv1bjrOl3qa
 O4OY5fZ5oamQBjETTfeQtgJxciKrogg3uyCjsVsX2PX0s1u/vcukJnn52wY9gb64
 y6Ge6qlwnzWkhvPEJeH9GEGDQcUPr9OgZABSBxNTja6rJdTjHJKgImU38BvLOopp
 nedsmDn63kTi7Vr4NDP8iRcMenEZMeaGuscVvU4TfdBOX95RJOu4SI3fT/VCSuvm
 hHvjfGfLUF15P0qdAthvmj8W4ZbNr0KViP12kaEF4MeU+MqOiZb8JlHP9ebPp7ao
 FtO47Mic1FIdA4mL6GEbJxK43N1klNQ6q/xobOattPA2TPZ4sk4nCB3lqtXS2ZFJ
 51yToCMv23oY5AynP95qAMnYYJCP1UyPHlsV7n8jMgm3ZzePC2pv1WAZr4ZsPWu3
 zBJom5YPKZUaoDN7xl7z
 =ygWA
 -----END PGP SIGNATURE-----

Merge tag 'samsung-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung into fixes

From Kukjin Kim:
Samsung fixes for v3.11
- fix kernel booting on exynos5440
  skip pm which is not supported
  update regarding LPAE features
- fix s3c2440 uart with adding clkdev entries
- fix compilatioin for Samsung SoCs with selecting pm
- update ARCH_NR_GPIO to support exynos4412 has more gpios

* tag 'samsung-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung:
  ARM: EXYNOS: Update CONFIG_ARCH_NR_GPIO for Exynos
  ARM: EXYNOS: Fix low level debug support
  ARM: SAMSUNG: Save/restore only selected uart's registers
  ARM: SAMSUNG: Add SAMSUNG_PM config option to select pm
  ARM: S3C24XX: Add missing clkdev entries for s3c2440 UART
  ARM: EXYNOS: Enable 64-bit DMA for EXYNOS5440 if LPAE is enabled
  ARM: EXYNOS: change the PHYSMEM_BITS and SECTION_SIZE
  ARM: EXYNOS: skip pm support on exynos5440

Signed-off-by: Olof Johansson <olof@lixom.net>
2013-07-24 17:06:58 -07:00
Olof Johansson f82a3133c0 ARM: omap5: Only select errata 798181 if SMP
Avoids the following warning when SMP is off:

warning: (ARCH_KEYSTONE && SOC_OMAP5) selects ARM_ERRATA_798181 which
has unmet direct dependencies (CPU_V7 && SMP)

Reported-by: Emilio López <emilio@elopez.com.ar>
Cc: Tony Lindgren <tony@atomide.com>
Cc: Santosh Shilimkar <santosh.shilimkar@ti.com>
Signed-off-by: Olof Johansson <olof@lixom.net>
2013-07-24 17:06:23 -07:00
Emilio López 2bf420a768 net: sun4i: fix timeout check
The current timeout check is comparing two constant values, so it won't
ever detect a timeout. This patch reworks the affected code a bit so it
has a chance at detecting timeouts correctly.

Signed-off-by: Emilio López <emilio@elopez.com.ar>
Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-07-24 17:04:20 -07:00
Hannes Frederic Sowa 905a6f96a1 ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup
Otherwise we end up dereferencing the already freed net->ipv6.mrt pointer
which leads to a panic (from Srivatsa S. Bhat):

BUG: unable to handle kernel paging request at ffff882018552020
IP: [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
PGD 290a067 PUD 207ffe0067 PMD 207ff1d067 PTE 8000002018552060
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
Modules linked in: ebtable_nat ebtables nfs fscache nf_conntrack_ipv4 nf_defrag_ipv4 ipt_REJECT xt_CHECKSUM iptable_mangle iptable_filter ip_tables nfsd lockd nfs_acl exportfs auth_rpcgss autofs4 sunrpc 8021q garp bridge stp llc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter
+ip6_tables ipv6 vfat fat vhost_net macvtap macvlan vhost tun kvm_intel kvm uinput iTCO_wdt iTCO_vendor_support cdc_ether usbnet mii microcode i2c_i801 i2c_core lpc_ich mfd_core shpchp ioatdma dca mlx4_core be2net wmi acpi_cpufreq mperf ext4 jbd2 mbcache dm_mirror dm_region_hash dm_log dm_mod
CPU: 0 PID: 7 Comm: kworker/u33:0 Not tainted 3.11.0-rc1-ea45e-a #4
Hardware name: IBM  -[8737R2A]-/00Y2738, BIOS -[B2E120RUS-1.20]- 11/30/2012
Workqueue: netns cleanup_net
task: ffff8810393641c0 ti: ffff881039366000 task.ti: ffff881039366000
RIP: 0010:[<ffffffffa0366b02>]  [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
RSP: 0018:ffff881039367bd8  EFLAGS: 00010286
RAX: ffff881039367fd8 RBX: ffff882018552000 RCX: dead000000200200
RDX: 0000000000000000 RSI: ffff881039367b68 RDI: ffff881039367b68
RBP: ffff881039367bf8 R08: ffff881039367b68 R09: 2222222222222222
R10: 2222222222222222 R11: 2222222222222222 R12: ffff882015a7a040
R13: ffff882014eb89c0 R14: ffff8820289e2800 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88103fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff882018552020 CR3: 0000000001c0b000 CR4: 00000000000407f0
Stack:
 ffff881039367c18 ffff882014eb89c0 ffff882015e28c00 0000000000000000
 ffff881039367c18 ffffffffa034d9d1 ffff8820289e2800 ffff882014eb89c0
 ffff881039367c58 ffffffff815bdecb ffffffff815bddf2 ffff882014eb89c0
Call Trace:
 [<ffffffffa034d9d1>] rawv6_close+0x21/0x40 [ipv6]
 [<ffffffff815bdecb>] inet_release+0xfb/0x220
 [<ffffffff815bddf2>] ? inet_release+0x22/0x220
 [<ffffffffa032686f>] inet6_release+0x3f/0x50 [ipv6]
 [<ffffffff8151c1d9>] sock_release+0x29/0xa0
 [<ffffffff81525520>] sk_release_kernel+0x30/0x70
 [<ffffffffa034f14b>] icmpv6_sk_exit+0x3b/0x80 [ipv6]
 [<ffffffff8152fff9>] ops_exit_list+0x39/0x60
 [<ffffffff815306fb>] cleanup_net+0xfb/0x1a0
 [<ffffffff81075e3a>] process_one_work+0x1da/0x610
 [<ffffffff81075dc9>] ? process_one_work+0x169/0x610
 [<ffffffff81076390>] worker_thread+0x120/0x3a0
 [<ffffffff81076270>] ? process_one_work+0x610/0x610
 [<ffffffff8107da2e>] kthread+0xee/0x100
 [<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
 [<ffffffff8162a99c>] ret_from_fork+0x7c/0xb0
 [<ffffffff8107d940>] ? __init_kthread_worker+0x70/0x70
Code: 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 66 66 66 66 90 4c 8b 67 30 49 89 fd e8 db 3c 1e e1 49 8b 9c 24 90 08 00 00 48 85 db 74 06 <4c> 39 6b 20 74 20 bb f3 ff ff ff e8 8e 3c 1e e1 89 d8 4c 8b 65
RIP  [<ffffffffa0366b02>] ip6mr_sk_done+0x32/0xb0 [ipv6]
 RSP <ffff881039367bd8>
CR2: ffff882018552020

Reported-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Tested-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-07-24 17:02:13 -07:00
Jerry Snitselaar f585a991e1 fib_trie: potential out of bounds access in trie_show_stats()
With the <= max condition in the for loop, it will be always go 1
element further than needed. If the condition for the while loop is
never met, then max is MAX_STAT_DEPTH, and for loop will walk off the
end of nodesizes[].

Signed-off-by: Jerry Snitselaar <jerry.snitselaar@oracle.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-07-24 16:05:14 -07:00
Johan Hovold 1fad56424f USB: ti_usb_3410_5052: fix dynamic-id matching
The driver failed to take the dynamic ids into account when determining
the device type and therefore all devices were detected as 2-port
devices when using the dynamic-id interface.

Match on the usb-serial-driver field instead of doing redundant id-table
searches.

Reported-by: Anders Hammarquist <iko@iko.pp.se>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24 15:55:38 -07:00
Dan Carpenter 64d2c22a4c mlx5: use after free in mlx5_cmd_comp_handler()
We can't dereference "ent" after passing it to free_cmd().

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-07-24 15:44:51 -07:00
Lekensteyn 4ea72445bd r8169: fix lockdep warning when removing interface
The work queue is initialised in rtl_open (when the interface goes up),
but canceled in rtl_remove_one (when the PCI device gets removed). If
the network interface is not brought up, then the work queue struct is
not initialised. When the device is removed, the attempt to cancel the
uninitialised work queue causes a lockdep warning.

This patch fixes the issue by moving cancel_work_sync to rtl_close (to
match rtl_open). (Note that rtl_close is also called via
unregister_netdev in rtl_remove_one.)

Signed-off-by: Peter Wu <lekensteyn@gmail.com>
Acked-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-07-24 15:42:59 -07:00
Alex Williamson d24cdbfd28 vfio-pci: Avoid deadlock on remove
If an attempt is made to unbind a device from vfio-pci while that
device is in use, the request is blocked until the device becomes
unused.  Unfortunately, that unbind path still grabs the device_lock,
which certain things like __pci_reset_function() also want to take.
This means we need to try to acquire the locks ourselves and use the
pre-locked version, __pci_reset_function_locked().

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2013-07-24 16:36:41 -06:00
Alex Williamson c64019302b vfio: Ignore sprurious notifies
Remove debugging WARN_ON if we get a spurious notify for a group that
no longer exists.  No reports of anyone hitting this, but it would
likely be a race and not a bug if they did.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2013-07-24 16:36:40 -06:00
Alex Williamson de9c7602ca vfio: Don't overreact to DEL_DEVICE
BUS_NOTIFY_DEL_DEVICE triggers IOMMU drivers to remove devices from
their iommu group, but there's really nothing we can do about it at
this point.  If the device is in use, then the vfio sub-driver will
block the device_del from completing until it's released.  If the
device is not in use or not owned by a vfio sub-driver, then we
really don't care that it's being removed.

The current code can be triggered just by unloading an sr-iov driver
(ex. igb) while the VFs are attached to vfio-pci because it makes an
incorrect assumption about the ordering of driver remove callbacks
vs the DEL_DEVICE notification.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2013-07-24 16:36:00 -06:00
Richard Zhao 3bf5d35058 serial: tegra: correct help message in Kconfig from 'ttyHS' to 'ttyTHS'
ttyTHS is consistent with the name used in driver.

Signed-off-by: Richard Zhao <rizhao@nvidia.com>
Acked-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24 15:23:38 -07:00
Henrik Nordström 258a9fd17b tty/8250_early: Don't truncate last character of options
The earlier change to use strlcpy uncovered a bug in the options
argument length calculation causing last character to be truncated.
This makes the actual console to be configured with incorrect
baudrate when specifying the console using console=uart,... syntax.

Bug symptom seen in kernel log output:

Kernel command line: console=uart,mmio,0x90000000,115200
Early serial console at MMIO 0x90000000 (options '11520')

which then results in a invalid baud rate 11520 instead of the
expected 115200 when the console is switched to ttyS0 later
in the boot process.

Signed-off-by: Henrik Nordstrom <henrik@henriknordstrom.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24 15:23:38 -07:00
Dan Carpenter 2652c2163d TTY: snyclinkmp: calculating wrong addresses
This is a static checker fix and I don't have a way to test it.  But
from the context it looks like this is a typo where SCABUFSIZE was
intended instead of sizeof(SCABUFSIZE).  SCABUFSIZE is 1024 and
sizeof(int) is 4.  I would suspect this is a bad bug.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24 15:23:38 -07:00
James Bottomley e1be09808e [SCSI] isci: fix breakage caused by >16byte CDB patch
Oops, apparently no-one I cc'd at intel actually bothered to check this
patch for the isci driver:

commit e73823f7a2
Author: James Bottomley <JBottomley@Parallels.com>
Date:   Tue May 7 15:38:18 2013 -0700

    [SCSI] libsas: implement > 16 byte CDB support

sci_swab32_cpy needs multiples of four, so for commands that aren't that, it's
rounding the wrong way.  fix by doing (len+3)/4 instead of len/4.

Reported-by: Tony Luck <tony.luck@intel.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
2013-07-24 14:18:12 -07:00
Linus Torvalds 07bc9dc1b0 Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc
Pull powerpc fixes from Ben Herrenschmidt:
 "Here is a series of powerpc fixes.  It's a bit big, mostly because of
  the series of 11 "EEH" patches from Gavin.  The EEH (Our IBM specific
  PCI/PCIe Enhanced Error Handling) code had been rotting for a while
  and this merge window saw a significant rework & fixing of it by Gavin
  Shan.

  However, that wasn't complete and left some open issues.  There were
  still a few corner cases that didn't work properly, for example in
  relation to hotplug and devices without explicit error handlers.  We
  had some patches but they weren't quite good enough yet so I left them
  off the 3.11 merge window.

  Gavin since then fixed it all up, we ran quite a few rounds of testing
  and it seems fairly solid (at least probably more than it has ever
  been).  This should probably have made -rc1 but both Gavin and I took
  some vacation so it had to wait for -rc2.

  The rest is more bug fixes, mostly to new features recently added, for
  example, we missed the cpu table entry for one of the two models of P8
  (we didn't realize they had different PVR [Processor Version Register]
  values), some module CRC issues, etc..."

* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc: (23 commits)
  powerpc/perf: BHRB filter configuration should follow the task
  powerpc/perf: Ignore separate BHRB privilege state filter request
  powerpc/powernv: Mark pnv_pci_init_ioda2_phb() as __init
  powerpc/mm: Use the correct SLB(LLP) encoding in tlbie instruction
  powerpc/mm: Fix fallthrough bug in hpte_decode
  powerpc/pseries: Fix a typo in pSeries_lpar_hpte_insert()
  powerpc/eeh: Introdce flag to protect sysfs
  powerpc/eeh: Fix unbalanced enable for IRQ
  powerpc/eeh: Don't use pci_dev during BAR restore
  powerpc/eeh: Use partial hotplug for EEH unaware drivers
  powerpc/pci: Partial tree hotplug support
  powerpc/eeh: Use safe list traversal when walking EEH devices
  powerpc/eeh: Keep PE during hotplug
  powerpc/pci/hotplug: Don't need to remove from EEH cache twice
  powerpc/pci: Override pcibios_release_device()
  powerpc/eeh: Export functions for hotplug
  powerpc/eeh: Remove reference to PCI device
  powerpc: Fix the corrupt r3 error during MCE handling.
  powerpc/perf: Set PPC_FEATURE2_EBB when we register the power8 PMU
  powerpc/pseries: Drop "select HOTPLUG"
  ...
2013-07-24 11:07:18 -07:00
Linus Torvalds b48a97be8e Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto fixes from Herbert Xu:
 "This push fixes a memory corruption issue in caam, as well as
  reverting the new optimised crct10dif implementation as it breaks boot
  on initrd systems.

  Hopefully crct10dif will be reinstated once the supporting code is
  added so that it doesn't break boot"

* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  Revert "crypto: crct10dif - Wrap crc_t10dif function all to use crypto transform framework"
  crypto: caam - Fixed the memory out of bound overwrite issue
2013-07-24 11:05:18 -07:00
Lidza Louina 81b884c9df MAINTAINERS: Update the list of maintainers for staging/comedi driver.
This patch updates the list of maintainers for the staging/comedi
driver.

Signed-off-by: Lidza Louina <lidza.louina@gmail.com>
Acked-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Acked-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24 09:51:18 -07:00
Jingoo Han 932ef3685f staging: tidspbridge: replace strict_strtol() with kstrtos32()
The usage of strict_strtol() is not preferred, because
strict_strtol() is obsolete. Thus, kstrtos32() should be
used in order to convert a string to s32. Also, error handling
is added to get rid of a __must_check warning.

This fixes a memory corruption bug as well.

Signed-off-by: Jingoo Han <jg1.han@samsung.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-24 09:51:18 -07:00
Richard Zhu 9e54eae23b ahci_imx: add ahci sata support on imx platforms
imx6q contains one Synopsys AHCI SATA controller, But it can't share
ahci_platform driver with other controllers because there are some
misalignments of the generic AHCI controller - the bits definitions of
the HBA registers, the Vendor Specific registers, the AHCI PHY clock
and the AHCI signals adjustment window(GPR13 register).

 - CAP_SSS(bit20) of the HOST_CAP is writable, default value is '0',
   should be configured to be '1'

 - bit0 (only one AHCI SATA port on imx6q) of the HOST_PORTS_IMPL
   should be set to be '1'.(default 0)

 - One Vendor Specific register HOST_TIMER1MS(offset:0xe0) should be
   configured regarding to the frequency of AHB bus clock.

 - Configurations of the AHCI PHY clock, and the signal parameters of
   the GPR13

Setup its own ahci sata driver, contained the imx6q specific
initialized codes, re-use the generic ahci_platform driver, and keep
the generic ahci_platform driver clean as much as possible.

tj: patch description reformatted

Signed-off-by: Richard Zhu <r65037@freescale.com>
Reviewed-by: Shawn Guo <shawn.guo@linaro.org>
Signed-off-by: Tejun Heo <tj@kernel.org>
2013-07-24 12:29:08 -04:00
Richard Zhu 6a6c21ef48 ARM: imx6q: update the sata bits definitions of gpr13
Replace the SATA_PHY_# by the more readable definitons.

tj: Being routed through libata branch to enable implementation of
    ahci_imx.

Signed-off-by: Richard Zhu <r65037@freescale.com>
Acked-by: Shawn Guo <shawn.guo@linaro.org>
Signed-off-by: Tejun Heo <tj@kernel.org>
2013-07-24 12:28:15 -04:00
Lai Jiangshan c2fda50966 workqueue: allow work_on_cpu() to be called recursively
If the @fn call work_on_cpu() again, the lockdep will complain:

> [ INFO: possible recursive locking detected ]
> 3.11.0-rc1-lockdep-fix-a #6 Not tainted
> ---------------------------------------------
> kworker/0:1/142 is trying to acquire lock:
>  ((&wfc.work)){+.+.+.}, at: [<ffffffff81077100>] flush_work+0x0/0xb0
>
> but task is already holding lock:
>  ((&wfc.work)){+.+.+.}, at: [<ffffffff81075dd9>] process_one_work+0x169/0x610
>
> other info that might help us debug this:
>  Possible unsafe locking scenario:
>
>        CPU0
>        ----
>   lock((&wfc.work));
>   lock((&wfc.work));
>
>  *** DEADLOCK ***

It is false-positive lockdep report. In this sutiation,
the two "wfc"s of the two work_on_cpu() are different,
they are both on stack. flush_work() can't be deadlock.

To fix this, we need to avoid the lockdep checking in this case,
thus we instroduce a internal __flush_work() which skip the lockdep.

tj: Minor comment adjustment.

Signed-off-by: Lai Jiangshan <laijs@cn.fujitsu.com>
Reported-by: "Srivatsa S. Bhat" <srivatsa.bhat@linux.vnet.ibm.com>
Reported-by: Alexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2013-07-24 12:24:25 -04:00
John W. Linville 18e1ccb6ca Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem 2013-07-24 11:50:38 -04:00
Steven Rostedt (Red Hat) 195a8afc7a ftrace: Add check for NULL regs if ops has SAVE_REGS set
If a ftrace ops is registered with the SAVE_REGS flag set, and there's
already a ops registered to one of its functions but without the
SAVE_REGS flag, there's a small race window where the SAVE_REGS ops gets
added to the list of callbacks to call for that function before the
callback trampoline gets set to save the regs.

The problem is, the function is not currently saving regs, which opens
a small race window where the ops that is expecting regs to be passed
to it, wont. This can cause a crash if the callback were to reference
the regs, as the SAVE_REGS guarantees that regs will be set.

To fix this, we add a check in the loop case where it checks if the ops
has the SAVE_REGS flag set, and if so, it will ignore it if regs is
not set.

Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2013-07-24 11:22:54 -04:00
Oleg Nesterov 9c01fe4593 tracing: Kill trace_cpu struct/members
After the previous changes trace_array_cpu->trace_cpu and
trace_array->trace_cpu becomes write-only. Remove these members
and kill "struct trace_cpu" as well.

As a side effect this also removes memset(per_cpu_memory, 0).
It was not needed, alloc_percpu() returns zero-filled memory.

Link: http://lkml.kernel.org/r/20130723152613.GA23741@redhat.com

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2013-07-24 11:22:53 -04:00
Oleg Nesterov 6484c71cbc tracing: Change tracing_fops/snapshot_fops to rely on tracing_get_cpu()
tracing_open() and tracing_snapshot_open() are racy, the memory
inode->i_private points to can be already freed.

Convert these last users of "inode->i_private == trace_cpu" to
use "i_private = trace_array" and rely on tracing_get_cpu().

v2: incorporate the fix from Steven, tracing_release() must not
    blindly dereference file->private_data unless we know that
    the file was opened for reading.

Link: http://lkml.kernel.org/r/20130723152610.GA23737@redhat.com

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2013-07-24 11:22:53 -04:00
Oleg Nesterov 0bc392ee46 tracing: Change tracing_entries_fops to rely on tracing_get_cpu()
tracing_open_generic_tc() is racy, the memory inode->i_private
points to can be already freed.

1. Change its last user, tracing_entries_fops, to use
   tracing_*_generic_tr() instead.

2. Change debugfs_create_file("buffer_size_kb", data) callers
   to pass "data = tr".

3. Change tracing_entries_read() and tracing_entries_write() to
   use tracing_get_cpu().

4. Kill the no longer used tracing_open_generic_tc() and
   tracing_release_generic_tc().

Link: http://lkml.kernel.org/r/20130723152606.GA23730@redhat.com

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2013-07-24 11:22:52 -04:00
Oleg Nesterov 4d3435b8a4 tracing: Change tracing_stats_fops to rely on tracing_get_cpu()
tracing_open_generic_tc() is racy, the memory inode->i_private
points to can be already freed.

1. Change one of its users, tracing_stats_fops, to use
   tracing_*_generic_tr() instead.

2. Change trace_create_cpu_file("stats", data) to pass "data = tr".

3. Change tracing_stats_read() to use tracing_get_cpu().

Link: http://lkml.kernel.org/r/20130723152603.GA23727@redhat.com

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2013-07-24 11:22:52 -04:00
Oleg Nesterov 46ef2be0d1 tracing: Change tracing_buffers_fops to rely on tracing_get_cpu()
tracing_buffers_open() is racy, the memory inode->i_private points
to can be already freed.

Change debugfs_create_file("trace_pipe_raw", data) caller to pass
"data = tr", tracing_buffers_open() can use tracing_get_cpu().

Change debugfs_create_file("snapshot_raw_fops", data) caller too,
this file uses tracing_buffers_open/release.

Link: http://lkml.kernel.org/r/20130723152600.GA23720@redhat.com

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2013-07-24 11:22:51 -04:00
Oleg Nesterov 15544209cb tracing: Change tracing_pipe_fops() to rely on tracing_get_cpu()
tracing_open_pipe() is racy, the memory inode->i_private points to
can be already freed.

Change debugfs_create_file("trace_pipe", data) callers to to pass
"data = tr", tracing_open_pipe() can use tracing_get_cpu().

Link: http://lkml.kernel.org/r/20130723152557.GA23717@redhat.com

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2013-07-24 11:22:51 -04:00
Oleg Nesterov 649e9c70da tracing: Introduce trace_create_cpu_file() and tracing_get_cpu()
Every "file_operations" used by tracing_init_debugfs_percpu is buggy.
f_op->open/etc does:

	1. struct trace_cpu *tc = inode->i_private;
	   struct trace_array *tr = tc->tr;

	2. trace_array_get(tr) or fail;

	3. do_something(tc);

But tc (and tr) can be already freed before trace_array_get() is called.
And it doesn't matter whether this file is per-cpu or it was created by
init_tracer_debugfs(), free_percpu() or kfree() are equally bad.

Note that even 1. is not safe, the freed memory can be unmapped. But even
if it was safe trace_array_get() can wrongly succeed if we also race with
the next new_instance_create() which can re-allocate the same tr, or tc
was overwritten and ->tr points to the valid tr. In this case 3. uses the
freed/reused memory.

Add the new trivial helper, trace_create_cpu_file() which simply calls
trace_create_file() and encodes "cpu" in "struct inode". Another helper,
tracing_get_cpu() will be used to read cpu_nr-or-RING_BUFFER_ALL_CPUS.

The patch abuses ->i_cdev to encode the number, it is never used unless
the file is S_ISCHR(). But we could use something else, say, i_bytes or
even ->d_fsdata. In any case this hack is hidden inside these 2 helpers,
it would be trivial to change them if needed.

This patch only changes tracing_init_debugfs_percpu() to use the new
trace_create_cpu_file(), the next patches will change file_operations.

Note: tracing_get_cpu(inode) is always safe but you can't trust the
result unless trace_array_get() was called, without trace_types_lock
which acts as a barrier it can wrongly return RING_BUFFER_ALL_CPUS.

Link: http://lkml.kernel.org/r/20130723152554.GA23710@redhat.com

Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2013-07-24 11:22:13 -04:00
Benjamin Tissoires 6f49801827 HID: sony: fix HID mapping for PS3 sixaxis controller
Commit f04d51404f (HID: driver for PS2/3 Buzz controllers) introduced
an input_mapping() callback, but set the return value to -1 to all devices
except the Buzz controllers. The result of this is that the Sixaxis input
device is not populated, making it useless.

Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2013-07-24 16:57:09 +02:00
Lars-Peter Clausen 56a6783442 ASoC: dapm: Fix return value of snd_soc_dapm_put_{volsw,enum_virt}()
The ALSA core expect the put callback of a control to return 1 if the value of
the control changed and 0 if it did not. Both snd_soc_dapm_put_volsw() and
snd_soc_dapm_put_enum_virt() currently always returns 0. For both functions we
already have a 'change' variable which either contains 1 or 0 depending on
whether the value has changed or not, so just return that.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Mark Brown <broonie@linaro.org>
2013-07-24 14:55:04 +01:00
Sachin Kamat 53302bf60d ARM: EXYNOS: Update CONFIG_ARCH_NR_GPIO for Exynos
With the recent cleanup in Exynos platform code notably commits
17859bec ("ARM: EXYNOS: Do not select legacy Kconfig symbols any
more") and b9222210 ("ARM: EXYNOS: Remove mach/gpio.h"), the definition
of ARCH_NR_GPIOS got removed. This started causing problems on SoCs like
Exynos4412 which have more than the default number of GPIOs. Thus define
this number in KConfig file which takes care of current SoC requirements
and provides scope for GPIO expanders. Without this patch we get the
following errors during boot:

gpiochip_add: gpios 251..258 (gpv0) failed to register
samsung-pinctrl 106e0000.pinctrl: failed to register gpio_chip gpv0, error code: -22
samsung-pinctrl: probe of 106e0000.pinctrl failed with error -22

Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
Cc: Tomasz Figa <t.figa@samsung.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
2013-07-24 18:55:27 +09:00
Takashi Iwai 43cbd286fb ASoC: Updates for v3.11
A few small updates again, the sgtl5000 one fixes some newly triggered
 issues due to some probe ordering changes which were introduced in the
 last merge window.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABAgAGBQJR75+6AAoJELSic+t+oim9VnEP/10lLM7UeYCx60q4M7A3yHGP
 pLm3j+0eHOn97rOY+A2ZEBx7lesL4gXou60WxcEykv5naSAxX24z7t0m49dGmL+t
 jO+cSUb66qEjxH5SYx1A6c72dgd2EPTGi1J1ydi+O8u+29ijhu/HSrsCkYhOMo3L
 i7NPQd2J+0752hJyQmq+sBCiWzvNtXI8zncU0B8yQho+L5Qp6CcbMX7Rl9qHupz/
 UKqH0m0OBSuQN+5A2273JBM9H2549MMtg9p0HItINwAGjjaDqbmVn8IVapmzUQky
 /tG9y/PKVFjhnqn19jt0kBAAy1ieT2aCurfwK5UssAOe9vfJGoQTmJRH8c5TdVeq
 dJtzU5Kcg+dsyUHQOL2UUH69gK3o1Q1px8E/XqGYKF2GGNU5w6gJhv6KsSYwFCmO
 LkqP07tLa+yXKTc0v4Q9k1IY9xpZal7/3dG3FQVSH7P6oTKIy1fYvBO8XAqdJNfG
 tcw/N5mMbgL6GOB5zIRlCwt+Dj8lqR2B94w2rUqNxUF2jRGNNmbsgm+Pg5uQANrG
 lE3lNpgaNAY3gqbSlj2NUrqLA8YIEL+1SjxzfrxZ9a5qVN9M01NOi3z5aETPsQSV
 1PSHnJVYpzZQsZN3zbNF2FBw125wDmzrEkv5DKnFQ0R9mw0Dc8NoxpFoCuRHNGpn
 APGIbVqu5anjWAPifAsP
 =9lns
 -----END PGP SIGNATURE-----

Merge tag 'asoc-v3.11-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Updates for v3.11

A few small updates again, the sgtl5000 one fixes some newly triggered
issues due to some probe ordering changes which were introduced in the
last merge window.
2013-07-24 11:42:34 +02:00
Eldad Zack fee4b700a4 ALSA: hiface: return correct XRUN indication
Return SNDRV_PCM_POS_XRUN (snd_pcm_uframes_t) instead of
SNDRV_PCM_STATE_XRUN (snd_pcm_state_t) from the pointer
function of hiface, as expected by snd_pcm_update_hw_ptr0().

Caught by sparse.

Cc: Antonio Ospite <ospite@studenti.unina.it>
Signed-off-by: Eldad Zack <eldad@fogrefinery.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2013-07-24 10:51:37 +02:00
Yadwinder Singh Brar 7ed76e089a ARM: EXYNOS: Fix low level debug support
Presently, using exynos_defconfig with CONFIG_DEBUG_LL and CONFIG_EARLY_PRIN
on, kernel is not booting, we are getting following:

[    0.000000] ------------[ cut here ]------------
[    0.000000] kernel BUG at mm/vmalloc.c:1134!
[    0.000000] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
[    0.000000] Modules linked in:
[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 3.11.0-rc1 #633
[    0.000000] task: c052ec48 ti: c0524000 task.ti: c0524000
[    0.000000] PC is at vm_area_add_early+0x54/0x94
[    0.000000] LR is at add_static_vm_early+0xc/0x60

Its because exynos[4/5]_map_io() function ioremaps a single 512KB memory
size for all the four uart ports which envelopes the mapping created by
debug_ll_io_init(), called earlier in exynos_init_io().

This patch removes iodesc entries for UART controller for all Samsung SoC's,
since now the Samsung uart driver does a ioremap during probe and any needed
iomapping for earlyprintk will be handled by debug_ll_io_init().

Tested on smdk4412 and smdk5250.

Signed-off-by: Yadwinder Singh Brar <yadi.brar@samsung.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
2013-07-24 17:05:32 +09:00
Yadwinder Singh Brar 7bdc84fb82 ARM: SAMSUNG: Save/restore only selected uart's registers
Basically this code gets executed only during debugging i.e when
DEBUG_LL & SAMSUNG_PM_DEBUG is on, so required only for UART used
for debugging. Since we are removing static iodesc entries for UARTs,
so now only the selected (CONFIG_DEBUG_S3C_UART) UART will be
ioremapped by the debug_ll_io_init() for DEBUG_LL, so save/restore
uart registers only for selected uart.

Signed-off-by: Yadwinder Singh Brar <yadi.brar@samsung.com>
Signed-off-by: Kukjin Kim <kgene.kim@samsung.com>
2013-07-24 17:05:07 +09:00
David Spinadel bb963c4a43 iwlwifi: mvm: set SSID bits for passive channels
Set SSID bitmap for direct scan even on passive channels,
for the passive-to-active feature. Without this patch only
the SSID from probe request template is sent on passive
channels, after passive-to-active switching, causing us to
not find all desired networks.

Remove the unused passive scan mask constant.

Cc: stable@vger.kernel.org
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-07-24 09:29:08 +02:00
Johannes Berg 5312e54d7e iwlwifi: mvm: use only a single GTK in D3
Unfortunately, the firmware only supports replay counters for
a single GTK in D3, so that we should only upload the last
key and use its replay counters. Since mac80211 key iteration
will walk through the keys in order of their addition, simply
use the same HW key index (1) for all GTKs, thus overwriting
previous ones with newer ones. The replay counters for it are
already used.

Reviewed-by: Yaron Vaknin <Yaron.Vaknin@intel.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-07-24 09:28:23 +02:00