| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
clockevents_config_and_register is more clever and correct than doing it
by hand; so use it.
[vgupta: fixed build failure due to missing ; in patch]
Signed-off-by: Uwe Kleine-König <[email protected]>
Signed-off-by: Vineet Gupta <[email protected]>
|
|
Some ARC SMP systems lack native atomic R-M-W (LLOCK/SCOND) insns and
can only use atomic EX insn (reg with mem) to build higher level R-M-W
primitives. This includes a SystemC based SMP simulation model.
So rwlocks need to use a protecting spinlock for atomic cmp-n-exchange
operation to update reader(s)/writer count.
The spinlock operation itself looks as follows:
mov reg, 1 ; 1=locked, 0=unlocked
retry:
EX reg, [lock] ; load existing, store 1, atomically
BREQ reg, 1, rety ; if already locked, retry
In single-threaded simulation, SystemC alternates between the 2 cores
with "N" insn each based scheduling. Additionally for insn with global
side effect, such as EX writing to shared mem, a core switch is
enforced too.
Given that, 2 cores doing a repeated EX on same location, Linux often
got into a livelock e.g. when both cores were fiddling with tasklist
lock (gdbserver / hackbench) for read/write respectively as the
sequence diagram below shows:
core1 core2
-------- --------
1. spin lock [EX r=0, w=1] - LOCKED
2. rwlock(Read) - LOCKED
3. spin unlock [ST 0] - UNLOCKED
spin lock [EX r=0,w=1] - LOCKED
-- resched core 1----
5. spin lock [EX r=1] - ALREADY-LOCKED
-- resched core 2----
6. rwlock(Write) - READER-LOCKED
7. spin unlock [ST 0]
8. rwlock failed, retry again
9. spin lock [EX r=0, w=1]
-- resched core 1----
10 spinlock locked in #9, retry #5
11. spin lock [EX gets 1]
-- resched core 2----
...
...
The fix was to unlock using the EX insn too (step 7), to trigger another
SystemC scheduling pass which would let core1 proceed, eliding the
livelock.
Signed-off-by: Vineet Gupta <[email protected]>
|
|
Anton reported
| LTP tests syscalls/process_vm_readv01 and process_vm_writev01 fail
| similarly in one testcase test_iov_invalid -> lvec->iov_base.
| Testcase expects errno EFAULT and return code -1,
| but it gets return code 1 and ERRNO is 0 what means success.
Essentially test case was passing a pointer of -1 which access_ok()
was not catching. It was doing [@addr + @sz <= TASK_SIZE] which would
pass for @addr == -1
Fixed that by rewriting as [@addr <= TASK_SIZE - @sz]
Reported-by: Anton Kolesov <[email protected]>
Signed-off-by: Vineet Gupta <[email protected]>
|
|
If a load or store is the last instruction in a zero-overhead-loop, and
it's misaligned, the loop would execute only once.
This fixes that problem.
Signed-off-by: Mischa Jonker <[email protected]>
Signed-off-by: Vineet Gupta <[email protected]>
|
|
Signed-off-by: Takashi Iwai <[email protected]>
|
|
This patch adds the default pin configuration and some init verbs for
setting COEFs, in addition to the correction of input pin AMP caps
for MacBook Air 6,1 and 6,2. With these changes, the headphone jack
detection starts working properly.
[trivial space fixes by tiwai]
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=60811
Signed-off-by: Ben Whitten <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
|
|
On AMD family 14h, applying microcode patch on the a core (core0)
would also affect the other core (core1) in the same compute
unit. The driver would skip applying the patch on core1, but it
still need to update kernel structures to reflect the proper
patch level.
The current logic is not updating the struct
ucode_cpu_info.cpu_sig.rev of the skipped core. This causes the
/sys/devices/system/cpu/cpu1/microcode/version to report
incorrect patch level as shown below:
$ grep . cpu?/microcode/version
cpu0/microcode/version:0x600063d
cpu1/microcode/version:0x6000626
cpu2/microcode/version:0x600063d
cpu3/microcode/version:0x6000626
cpu4/microcode/version:0x600063d
Signed-off-by: Suravee Suthikulpanit <[email protected]>
Acked-by: Borislav Petkov <[email protected]>
Cc: <[email protected]>
Cc: <[email protected]>
Cc: <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
|
|
|
|
* pm-cpufreq-fixes:
cpufreq: exynos5440: Fix potential NULL pointer dereference
cpufreq: check cpufreq driver is valid and cpufreq isn't disabled in cpufreq_get()
acpi-cpufreq: skip loading acpi_cpufreq after intel_pstate
|
|
* acpi-fixes:
ACPI / scan: fix typo in comments of acpi_bus_unregister_driver()
ACPI / IPMI: Fix atomic context requirement of ipmi_msg_handler()
|
|
Dmitry Vyukov managed to trigger a case where aio_migratepage can cause a
use-after-free during teardown of the aio ring buffer's mapping. This turns
out to be caused by access to the ioctx's ring_pages via the migratepage
operation which was not being protected by any locks during ioctx freeing.
Use the address_space's private_lock to protect use and updates of the mapping's
private_data, and make ioctx teardown unlink the ioctx from the address space.
Reported-by: Dmitry Vyukov <[email protected]>
Tested-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Benjamin LaHaise <[email protected]>
|
|
The DLink DWA-125 Rev D1 also uses this driver.
Signed-off-by: Larry Finger <[email protected]>
Reported-by: Sergey Kostanbaev <[email protected]>
Tested-by: Sergey Kostanbaev <[email protected]>
Cc: Sergey Kostanbaev <[email protected]>
Cc: stable <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
Add PCI id for Intel Merrifield
Signed-off-by: David Cohen <[email protected]>
Cc: stable <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
In case of usb phy reinitialization:
e.g. insmod usb-module(usb works well) -> rmmod usb-module -> insmod usb-module
It found the PHY_CLK_VALID bit didn't work if it's not with the power-on reset.
So we just check PHY_CLK_VALID bit during the stage with POR, this can be met
by the tricky of checking FSL_SOC_USB_PRICTRL register.
Signed-off-by: Shengzhou Liu <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
There's a bunch of failure exits in ffs_fs_mount() with
seriously broken recovery logics. Most of that appears to stem
from misunderstanding of the ->kill_sb() semantics; unlike
->put_super() it is called for *all* superblocks of given type,
no matter how (in)complete the setup had been. ->put_super()
is called only if ->s_root is not NULL; any failure prior to
setting ->s_root will have the call of ->put_super() skipped.
->kill_sb(), OTOH, awaits every superblock that has come from
sget().
Current behaviour of ffs_fs_mount():
We have struct ffs_sb_fill_data data on stack there. We do
ffs_dev = functionfs_acquire_dev_callback(dev_name);
and store that in data.private_data. Then we call mount_nodev(),
passing it ffs_sb_fill() as a callback. That will either fail
outright, or manage to call ffs_sb_fill(). There we allocate an
instance of struct ffs_data, slap the value of ffs_dev (picked
from data.private_data) into ffs->private_data and overwrite
data.private_data by storing ffs into an overlapping member
(data.ffs_data). Then we store ffs into sb->s_fs_info and attempt
to set the rest of the things up (root inode, root dentry, then
create /ep0 there). Any of those might fail. Should that
happen, we get ffs_fs_kill_sb() called before mount_nodev()
returns. If mount_nodev() fails for any reason whatsoever,
we proceed to
functionfs_release_dev_callback(data.ffs_data);
That's broken in a lot of ways. Suppose the thing has failed in
allocation of e.g. root inode or dentry. We have
functionfs_release_dev_callback(ffs);
ffs_data_put(ffs);
done by ffs_fs_kill_sb() (ffs accessed via sb->s_fs_info), followed by
functionfs_release_dev_callback(ffs);
from ffs_fs_mount() (via data.ffs_data). Note that the second
functionfs_release_dev_callback() has every chance to be done to freed memory.
Suppose we fail *before* root inode allocation. What happens then?
ffs_fs_kill_sb() doesn't do anything to ffs (it's either not called at all,
or it doesn't have a pointer to ffs stored in sb->s_fs_info). And
functionfs_release_dev_callback(data.ffs_data);
is called by ffs_fs_mount(), but here we are in nasal daemon country - we
are reading from a member of union we'd never stored into. In practice,
we'll get what we used to store into the overlapping field, i.e. ffs_dev.
And then we get screwed, since we treat it (struct gfs_ffs_obj * in
disguise, returned by functionfs_acquire_dev_callback()) as struct
ffs_data *, pick what would've been ffs_data ->private_data from it
(*well* past the actual end of the struct gfs_ffs_obj - struct ffs_data
is much bigger) and poke in whatever it points to.
FWIW, there's a minor leak on top of all that in case if ffs_sb_fill()
fails on kstrdup() - ffs is obviously forgotten.
The thing is, there is no point in playing all those games with union.
Just allocate and initialize ffs_data *before* calling mount_nodev() and
pass a pointer to it via data.ffs_data. And once it's stored in
sb->s_fs_info, clear data.ffs_data, so that ffs_fs_mount() knows that
it doesn't need to kill the sucker manually - from that point on
we'll have it done by ->kill_sb().
Signed-off-by: Al Viro <[email protected]>
Acked-by: Michal Nazarewicz <[email protected]>
Cc: stable <[email protected]> # 3.3+
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
The put_device(dev) at the bottom of the loop of device_shutdown
may result in the dev being cleaned up. In device_create_release,
the dev is kfreed.
However, device_shutdown attempts to use the dev pointer again after
put_device by referring to dev->parent.
Copy the parent pointer instead to avoid this condition.
This bug was found on Chromium OS's chromeos-3.8, which is based on v3.8.11.
See bug report : https://code.google.com/p/chromium/issues/detail?id=297842
This can easily be reproduced when shutting down with
hidraw devices that report battery condition.
Two examples are the HP Bluetooth Mouse X4000b and the Apple Magic Mouse.
For example, with the magic mouse :
The dev in question is "hidraw0"
dev->parent is "magicmouse"
In the course of the shutdown for this device, the input event cleanup calls
a put on hidraw0, decrementing its reference count.
When we finally get to put_device(dev) in device_shutdown, kobject_cleanup
is called and device_create_release does kfree(dev).
dev->parent is no longer valid, and we may crash in
put_device(dev->parent).
This change should be applied on any kernel with this change :
d1c6c030fcec6f860d9bb6c632a3ebe62e28440b
Cc: [email protected]
Signed-off-by: Benson Leung <[email protected]>
Reviewed-by: Ming Lei <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
In kobj_ns_current_may_mount the default should be to allow the
mount. The test is only for a single kobj_ns_type at a time, and unless
there is a reason to prevent it the mounting sysfs should be allowed.
Subsystems that are not registered can't have are not involved so can't
have a reason to prevent mounting sysfs.
This is a bug-fix to:
commit 7dc5dbc879bd0779924b5132a48b731a0bc04a1e
Author: Eric W. Biederman <[email protected]>
Date: Mon Mar 25 20:07:01 2013 -0700
sysfs: Restrict mounting sysfs
Don't allow mounting sysfs unless the caller has CAP_SYS_ADMIN rights
over the net namespace. The principle here is if you create or have
capabilities over it you can mount it, otherwise you get to live with
what other people have mounted.
Instead of testing this with a straight forward ns_capable call,
perform this check the long and torturous way with kobject helpers,
this keeps direct knowledge of namespaces out of sysfs, and preserves
the existing sysfs abstractions.
Acked-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: "Eric W. Biederman" <[email protected]>
That came in via the userns tree during the 3.12 merge window.
Reported-by: James Hogan <[email protected]>
Signed-off-by: "Eric W. Biederman" <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
commit 666b9adc801ef012612c4e43e0f44b2cdc1979cf terminated vmbus
version negotiation incorrectly. We need to terminate the version
negotiation only if the current negotiation were to timeout.
Signed-off-by: K. Y. Srinivasan <[email protected]>
Cc: Olaf Hering <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
The current code does not correctly negotiate the version numbers for the util
driver when hosted on earlier hosts. The version numbers presented by this
driver were not compatible with the version numbers supported by Windows Server
2008. Fix this problem.
I would like to thank Olaf Hering ([email protected]) for identifying the problem.
Reported-by: Olaf Hering <[email protected]>
Signed-off-by: K. Y. Srinivasan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
Unset init_clients_timer and amthif_stall_timers
in mei_reset in order to cancel timer ticking and hence
avoid recursive reset calls.
Cc: <[email protected]> # 3.9+
Signed-off-by: Alexander Usyskin <[email protected]>
Signed-off-by: Tomas Winkler <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
Bus layer omitted check for client state transition while waiting
for read completion
The client state transition may occur for example as result
of firmware initiated reset
Add mei_cl_is_transitioning wrapper to reduce the code
repetition.:
Cc: <[email protected]> # 3.9+
Signed-off-by: Tomas Winkler <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
1. u8 counters are prone to hard to detect overflow:
make them unsigned long to match bit_ functions argument type
2. don't check me_clients_num for negativity, it is unsigned.
3. init all the me client counters from one place
Cc: <[email protected]> # 3.9+
Signed-off-by: Tomas Winkler <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
Outgoing packets sent by via-rhine have their VLAN PCP field off by one
(when hardware acceleration is enabled). The TX descriptor expects only VID
and PCP (without a CFI/DEI bit).
Peter Boström noticed and reported the bug.
Signed-off-by: Roger Luethi <[email protected]>
Cc: Peter Boström <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
|
|
Commit 'tty: ar933x_uart: add device tree support
and binding documentation' introduced a new doc in
bindins/tty/serial.
According to a recent thread [1] on the linux-serial
list, the binding documentation of serial drivers
should be added into bindings/serial.
Move the documentation of qca,ar9330-uart to the
correct place.
1. http://marc.info/?l=linux-serial&m=137771295411517
Cc: [email protected]
Signed-off-by: Gabor Juhos <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
For controller versions greater than 1.6, setting ULPI_PHY_CLK_SEL
bit when USB_EN bit is already set causes instability issues with
PHY_CLK_VLD bit. So USB_EN is set only for IP controller version
below 1.6 before setting ULPI_PHY_CLK_SEL bit
Signed-off-by: Ramneek Mehresh <[email protected]>
Cc: stable <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
|
|
This patch adds explicit call to bcma_core_pci_power_save() from
a non-atomic context resolving 'scheduling while atomic' issue.
[ 13.224317] BUG: scheduling while atomic: dhcpcd/1800/0x00000202
[ 13.224322] Modules linked in: brcmsmac nouveau coretemp kvm_intel kvm cordic brcmutil bcma dell_wmi atl1c ttm mxm_wmi wmi
[ 13.224354] CPU: 0 PID: 1800 Comm: dhcpcd Tainted: G W 3.11.0-wl #1
[ 13.224359] Hardware name: Alienware M11x R2/M11x R2, BIOS A04 11/23/2010
[ 13.224363] ffff880177c12c40 ffff880170fd1968 ffffffff8169af5b 0000000000000007
[ 13.224374] ffff880170fd1ad0 ffff880170fd1978 ffffffff81697ee2 ffff880170fd19f8
[ 13.224383] ffffffff816a19f5 00000000000f4240 000000000000d080 ffff880170fd1fd8
[ 13.224391] Call Trace:
[ 13.224399] [<ffffffff8169af5b>] dump_stack+0x4f/0x84
[ 13.224403] [<ffffffff81697ee2>] __schedule_bug+0x43/0x51
[ 13.224409] [<ffffffff816a19f5>] __schedule+0x6e5/0x810
[ 13.224412] [<ffffffff816a1c34>] schedule+0x24/0x70
[ 13.224416] [<ffffffff816a04fc>] schedule_hrtimeout_range_clock+0x10c/0x150
[ 13.224420] [<ffffffff810684e0>] ? update_rmtp+0x60/0x60
[ 13.224424] [<ffffffff8106915f>] ? hrtimer_start_range_ns+0xf/0x20
[ 13.224429] [<ffffffff816a054e>] schedule_hrtimeout_range+0xe/0x10
[ 13.224432] [<ffffffff8104f6fb>] usleep_range+0x3b/0x40
[ 13.224437] [<ffffffffa003733a>] bcma_pcie_mdio_read.isra.5+0x8a/0x100 [bcma]
[ 13.224442] [<ffffffffa00374a5>] bcma_pcie_mdio_writeread.isra.6.constprop.13+0x25/0x30 [bcma]
[ 13.224448] [<ffffffffa00374f9>] bcma_core_pci_power_save+0x49/0x80 [bcma]
[ 13.224452] [<ffffffffa003765d>] bcma_core_pci_up+0x2d/0x60 [bcma]
[ 13.224460] [<ffffffffa03dc17c>] brcms_c_up+0xfc/0x430 [brcmsmac]
[ 13.224467] [<ffffffffa03d1a7d>] brcms_up+0x1d/0x20 [brcmsmac]
[ 13.224473] [<ffffffffa03d2498>] brcms_ops_start+0x298/0x340 [brcmsmac]
[ 13.224478] [<ffffffff81600a12>] ? cfg80211_netdev_notifier_call+0xd2/0x5f0
[ 13.224483] [<ffffffff815fa53d>] ? packet_notifier+0xad/0x1d0
[ 13.224487] [<ffffffff81656e75>] ieee80211_do_open+0x325/0xf80
[ 13.224491] [<ffffffff8106ac09>] ? __raw_notifier_call_chain+0x9/0x10
[ 13.224495] [<ffffffff81657b41>] ieee80211_open+0x71/0x80
[ 13.224498] [<ffffffff81526267>] __dev_open+0x87/0xe0
[ 13.224502] [<ffffffff8152650c>] __dev_change_flags+0x9c/0x180
[ 13.224505] [<ffffffff815266a3>] dev_change_flags+0x23/0x70
[ 13.224509] [<ffffffff8158cd68>] devinet_ioctl+0x5b8/0x6a0
[ 13.224512] [<ffffffff8158d5c5>] inet_ioctl+0x75/0x90
[ 13.224516] [<ffffffff8150b38b>] sock_do_ioctl+0x2b/0x70
[ 13.224519] [<ffffffff8150b681>] sock_ioctl+0x71/0x2a0
[ 13.224523] [<ffffffff8114ed47>] do_vfs_ioctl+0x87/0x520
[ 13.224528] [<ffffffff8113f159>] ? ____fput+0x9/0x10
[ 13.224533] [<ffffffff8106228c>] ? task_work_run+0x9c/0xd0
[ 13.224537] [<ffffffff8114f271>] SyS_ioctl+0x91/0xb0
[ 13.224541] [<ffffffff816aa252>] system_call_fastpath+0x16/0x1b
Cc: <[email protected]> # 3.11.x
Cc: Tod Jackson <[email protected]>
Cc: Joe Perches <[email protected]>
Cc: Rafal Milecki <[email protected]>
Cc: Hauke Mehrtens <[email protected]>
Reviewed-by: Hante Meuleman <[email protected]>
Signed-off-by: Arend van Spriel <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
This patch removes the bcma_core_pci_power_save() call from
the bcma_core_pci_{up,down}() functions as it tries to schedule
thus requiring to call them from non-atomic context. The function
bcma_core_pci_power_save() is now exported so the calling module
can explicitly use it in non-atomic context. This fixes the
'scheduling while atomic' issue reported by Tod Jackson and
Joe Perches.
[ 13.210710] BUG: scheduling while atomic: dhcpcd/1800/0x00000202
[ 13.210718] Modules linked in: brcmsmac nouveau coretemp kvm_intel kvm cordic brcmutil bcma dell_wmi atl1c ttm mxm_wmi wmi
[ 13.210756] CPU: 2 PID: 1800 Comm: dhcpcd Not tainted 3.11.0-wl #1
[ 13.210762] Hardware name: Alienware M11x R2/M11x R2, BIOS A04 11/23/2010
[ 13.210767] ffff880177c92c40 ffff880170fd1948 ffffffff8169af5b 0000000000000007
[ 13.210777] ffff880170fd1ab0 ffff880170fd1958 ffffffff81697ee2 ffff880170fd19d8
[ 13.210785] ffffffff816a19f5 00000000000f4240 000000000000d080 ffff880170fd1fd8
[ 13.210794] Call Trace:
[ 13.210813] [<ffffffff8169af5b>] dump_stack+0x4f/0x84
[ 13.210826] [<ffffffff81697ee2>] __schedule_bug+0x43/0x51
[ 13.210837] [<ffffffff816a19f5>] __schedule+0x6e5/0x810
[ 13.210845] [<ffffffff816a1c34>] schedule+0x24/0x70
[ 13.210855] [<ffffffff816a04fc>] schedule_hrtimeout_range_clock+0x10c/0x150
[ 13.210867] [<ffffffff810684e0>] ? update_rmtp+0x60/0x60
[ 13.210877] [<ffffffff8106915f>] ? hrtimer_start_range_ns+0xf/0x20
[ 13.210887] [<ffffffff816a054e>] schedule_hrtimeout_range+0xe/0x10
[ 13.210897] [<ffffffff8104f6fb>] usleep_range+0x3b/0x40
[ 13.210910] [<ffffffffa00371af>] bcma_pcie_mdio_set_phy.isra.3+0x4f/0x80 [bcma]
[ 13.210921] [<ffffffffa003729f>] bcma_pcie_mdio_write.isra.4+0xbf/0xd0 [bcma]
[ 13.210932] [<ffffffffa0037498>] bcma_pcie_mdio_writeread.isra.6.constprop.13+0x18/0x30 [bcma]
[ 13.210942] [<ffffffffa00374ee>] bcma_core_pci_power_save+0x3e/0x80 [bcma]
[ 13.210953] [<ffffffffa003765d>] bcma_core_pci_up+0x2d/0x60 [bcma]
[ 13.210975] [<ffffffffa03dc17c>] brcms_c_up+0xfc/0x430 [brcmsmac]
[ 13.210989] [<ffffffffa03d1a7d>] brcms_up+0x1d/0x20 [brcmsmac]
[ 13.211003] [<ffffffffa03d2498>] brcms_ops_start+0x298/0x340 [brcmsmac]
[ 13.211020] [<ffffffff81600a12>] ? cfg80211_netdev_notifier_call+0xd2/0x5f0
[ 13.211030] [<ffffffff815fa53d>] ? packet_notifier+0xad/0x1d0
[ 13.211064] [<ffffffff81656e75>] ieee80211_do_open+0x325/0xf80
[ 13.211076] [<ffffffff8106ac09>] ? __raw_notifier_call_chain+0x9/0x10
[ 13.211086] [<ffffffff81657b41>] ieee80211_open+0x71/0x80
[ 13.211101] [<ffffffff81526267>] __dev_open+0x87/0xe0
[ 13.211109] [<ffffffff8152650c>] __dev_change_flags+0x9c/0x180
[ 13.211117] [<ffffffff815266a3>] dev_change_flags+0x23/0x70
[ 13.211127] [<ffffffff8158cd68>] devinet_ioctl+0x5b8/0x6a0
[ 13.211136] [<ffffffff8158d5c5>] inet_ioctl+0x75/0x90
[ 13.211147] [<ffffffff8150b38b>] sock_do_ioctl+0x2b/0x70
[ 13.211155] [<ffffffff8150b681>] sock_ioctl+0x71/0x2a0
[ 13.211169] [<ffffffff8114ed47>] do_vfs_ioctl+0x87/0x520
[ 13.211180] [<ffffffff8113f159>] ? ____fput+0x9/0x10
[ 13.211198] [<ffffffff8106228c>] ? task_work_run+0x9c/0xd0
[ 13.211202] [<ffffffff8114f271>] SyS_ioctl+0x91/0xb0
[ 13.211208] [<ffffffff816aa252>] system_call_fastpath+0x16/0x1b
[ 13.211217] NOHZ: local_softirq_pending 202
The issue was introduced in v3.11 kernel by following commit:
commit aa51e598d04c6acf5477934cd6383f5a17ce9029
Author: Hauke Mehrtens <[email protected]>
Date: Sat Aug 24 00:32:31 2013 +0200
brcmsmac: use bcma PCIe up and down functions
replace the calls to bcma_core_pci_extend_L1timer() by calls to the
newly introduced bcma_core_pci_ip() and bcma_core_pci_down()
Signed-off-by: Hauke Mehrtens <[email protected]>
Cc: Arend van Spriel <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
This fix has been discussed with Hauke Mehrtens [1] selection
option 3) and is intended for v3.12.
Ref:
[1] http://mid.gmane.org/[email protected]
Cc: <[email protected]> # 3.11.x
Cc: Tod Jackson <[email protected]>
Cc: Joe Perches <[email protected]>
Cc: Rafal Milecki <[email protected]>
Cc: Hauke Mehrtens <[email protected]>
Reviewed-by: Hante Meuleman <[email protected]>
Signed-off-by: Arend van Spriel <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
The driver uses platform_driver_probe() to obtain platform data
if any. However, that function is placed in the .init section so
it must be called upon driver module initialization.
The problem was reported by Fenguang Wu resulting in a kernel
oops because the .init section was already freed.
[ 48.966342] Switched to clocksource tsc
[ 48.970002] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[ 48.970851] BUG: unable to handle kernel paging request at ffffffff82196446
[ 48.970957] IP: [<ffffffff82196446>] classes_init+0x26/0x26
[ 48.970957] PGD 1e76067 PUD 1e77063 PMD f388063 PTE 8000000002196163
[ 48.970957] Oops: 0011 [#1]
[ 48.970957] CPU: 0 PID: 17 Comm: kworker/0:1 Not tainted 3.11.0-rc7-00444-gc52dd7f #23
[ 48.970957] Workqueue: events brcmf_driver_init
[ 48.970957] task: ffff8800001d2000 ti: ffff8800001d4000 task.ti: ffff8800001d4000
[ 48.970957] RIP: 0010:[<ffffffff82196446>] [<ffffffff82196446>] classes_init+0x26/0x26
[ 48.970957] RSP: 0000:ffff8800001d5d40 EFLAGS: 00000286
[ 48.970957] RAX: 0000000000000001 RBX: ffffffff820c5620 RCX: 0000000000000000
[ 48.970957] RDX: 0000000000000001 RSI: ffffffff816f7380 RDI: ffffffff820c56c0
[ 48.970957] RBP: ffff8800001d5d50 R08: ffff8800001d2508 R09: 0000000000000002
[ 48.970957] R10: 0000000000000000 R11: 0001f7ce298c5620 R12: ffff8800001c76b0
[ 48.970957] R13: ffffffff81e91d40 R14: 0000000000000000 R15: ffff88000e0ce300
[ 48.970957] FS: 0000000000000000(0000) GS:ffffffff81e84000(0000) knlGS:0000000000000000
[ 48.970957] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 48.970957] CR2: ffffffff82196446 CR3: 0000000001e75000 CR4: 00000000000006b0
[ 48.970957] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 48.970957] DR3: 0000000000000000 DR6: 0000000000000000 DR7: 0000000000000000
[ 48.970957] Stack:
[ 48.970957] ffffffff816f7df8 ffffffff820c5620 ffff8800001d5d60 ffffffff816eeec9
[ 48.970957] ffff8800001d5de0 ffffffff81073dc5 ffffffff81073d68 ffff8800001d5db8
[ 48.970957] 0000000000000086 ffffffff820c5620 ffffffff824f7fd0 0000000000000000
[ 48.970957] Call Trace:
[ 48.970957] [<ffffffff816f7df8>] ? brcmf_sdio_init+0x18/0x70
[ 48.970957] [<ffffffff816eeec9>] brcmf_driver_init+0x9/0x10
[ 48.970957] [<ffffffff81073dc5>] process_one_work+0x1d5/0x480
[ 48.970957] [<ffffffff81073d68>] ? process_one_work+0x178/0x480
[ 48.970957] [<ffffffff81074188>] worker_thread+0x118/0x3a0
[ 48.970957] [<ffffffff81074070>] ? process_one_work+0x480/0x480
[ 48.970957] [<ffffffff8107aa17>] kthread+0xe7/0xf0
[ 48.970957] [<ffffffff810829f7>] ? finish_task_switch.constprop.57+0x37/0xd0
[ 48.970957] [<ffffffff8107a930>] ? __kthread_parkme+0x80/0x80
[ 48.970957] [<ffffffff81a6923a>] ret_from_fork+0x7a/0xb0
[ 48.970957] [<ffffffff8107a930>] ? __kthread_parkme+0x80/0x80
[ 48.970957] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc cc cc <cc> cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
[ 48.970957] RIP [<ffffffff82196446>] classes_init+0x26/0x26
[ 48.970957] RSP <ffff8800001d5d40>
[ 48.970957] CR2: ffffffff82196446
[ 48.970957] ---[ end trace 62980817cd525f14 ]---
Cc: <[email protected]> # 3.10.x, 3.11.x
Reported-by: Fengguang Wu <[email protected]>
Reviewed-by: Hante Meuleman <[email protected]>
Reviewed-by: Pieter-Paul Giesberts <[email protected]>
Tested-by: Fengguang Wu <[email protected]>
Signed-off-by: Arend van Spriel <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
Bug 60815 - Interface hangs in mwifiex_usb
https://bugzilla.kernel.org/show_bug.cgi?id=60815
[ 2.883807] BUG: unable to handle kernel NULL pointer dereference
at 0000000000000048
[ 2.883813] IP: [<ffffffff815a65e0>] pfifo_fast_enqueue+0x90/0x90
[ 2.883834] CPU: 1 PID: 3220 Comm: kworker/u8:90 Not tainted
3.11.1-monotone-l0 #6
[ 2.883834] Hardware name: Microsoft Corporation Surface with
Windows 8 Pro/Surface with Windows 8 Pro,
BIOS 1.03.0450 03/29/2013
On Surface Pro, suspend to ram gives a NULL pointer dereference in
pfifo_fast_enqueue(). The stack trace reveals that the offending
call is clearing carrier in mwifiex_usb suspend handler.
Since commit 1499d9f "mwifiex: don't drop carrier flag over suspend"
has removed the carrier flag handling over suspend/resume in SDIO
and PCIe drivers, I'm removing it in USB driver too. This also fixes
the bug for Surface Pro.
Cc: <[email protected]> # 3.5+
Tested-by: Dmitry Khromov <[email protected]>
Signed-off-by: Bing Zhao <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
Bug 60815 - Interface hangs in mwifiex_usb
https://bugzilla.kernel.org/show_bug.cgi?id=60815
We have 4 bytes of interface header for packets delivered to SDIO
and PCIe, but not for USB interface.
In Tx AMSDU case, currently 4 bytes of garbage data is unnecessarily
appended for USB packets. This sometimes leads to a firmware hang,
because it may not interpret the data packet correctly.
Problem is fixed by removing this redundant headroom for USB.
Cc: <[email protected]> # 3.5+
Tested-by: Dmitry Khromov <[email protected]>
Signed-off-by: Amitkumar Karwar <[email protected]>
Signed-off-by: Bing Zhao <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
Added USB ID for Corega WLUSB2GTST USB adapter.
Cc: <[email protected]>
Reported-by: Joerg Kalisch <[email protected]>
Signed-off-by: Christian Lamparter <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
This supercedes the older patch ("cw1200: Don't perform SPI transfers in
interrupt context") that badly attempted to fix this problem.
This is a far simpler solution, which has the added benefit of
actually working.
Signed-off-by: Solomon Peachy <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
This reverts commit aec8e88c947b7017e2b4bbcb68a4bfc4a1f8ad35.
This solution turned out to cause interrupt delivery problems, and
rather than trying to fix this approach, it has been scrapped in favor
of an alternative (and far simpler) implementation.
Signed-off-by: Solomon Peachy <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
For pcie8897, the hs_cfg cancel command (0xe5) times out when host
comes out of suspend. This is caused by an incompleted host sleep
handshake between driver and firmware.
Like SDIO interface, PCIe also needs to go through firmware power
save events to complete the handshake for host sleep configuration.
Only USB interface doesn't require power save events for hs_cfg.
Cc: <[email protected]> # 3.10+
Signed-off-by: Bing Zhao <[email protected]>
Signed-off-by: Amitkumar Karwar <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
The private array at the end of the rtl_priv struct is not aligned.
On ARM architecture, this causes an alignment trap and is fixed by aligning
that array with __align(sizeof(void *)). That should properly align that
space according to the requirements of all architectures.
Reported-by: Jason Andrews <[email protected]>
Tested-by: Jason Andrews <[email protected]>
Signed-off-by: Larry Finger <[email protected]>
Cc: Stable <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
Prevents race conditions when un-aggregated frames are pending in the
driver.
Signed-off-by: Felix Fietkau <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
If request_firmware_nowait() fails in p54u_load_firmware(),
p54u_load_firmware_cb is not called and no one decrements usb_dev refcnt.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
When .release_buffered_frames was implemented, only A-MPDU packets were
buffered internally. Now that this has changed, the BUF_AMPDU flag needs
to be checked before calling ath_tx_addto_baw
Signed-off-by: Felix Fietkau <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
The commit "ath9k: Optimize LNA check" tried
to use the "rs_firstaggr" flag to optimize the LNA
combining algorithm when processing subframes in
an A-MPDU. This doesn't appear to work well in practice,
so revert it and use the old method of relying on
"rs_moreaggr".
Cc: [email protected] # 3.11
Signed-off-by: Sujith Manoharan <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
This might trip up tx completion processing, although the condition that
triggers this should not (yet) occur in practice.
Signed-off-by: Felix Fietkau <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
Fixes a regression from commit
"ath9k: shrink a few data structures by reordering fields"
When cloning a buffer, the stale flag (part of bf_state now) needs to be
reset after copying the state to prevent tx processing hangs.
Signed-off-by: Felix Fietkau <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth
|
|
Commit f5ea1100 cleans up the disk to host conversions for
node directory entries, but because a variable is reused in
xfs_node_toosmall() the next node is not correctly found.
If the original node is small enough (<= 3/8 of the node size),
this change may incorrectly cause a node collapse when it should
not. That will cause an assert in xfstest generic/319:
Assertion failed: first <= last && last < BBTOB(bp->b_length),
file: /root/newest/xfs/fs/xfs/xfs_trans_buf.c, line: 569
Keep the original node header to get the correct forward node.
(When a node is considered for a merge with a sibling, it overwrites the
sibling pointers of the original incore nodehdr with the sibling's
pointers. This leads to loop considering the original node as a merge
candidate with itself in the second pass, and so it incorrectly
determines a merge should occur.)
Signed-off-by: Mark Tinguely <[email protected]>
Reviewed-by: Ben Myers <[email protected]>
Signed-off-by: Ben Myers <[email protected]>
[v3: added Dave Chinner's (slightly modified) suggestion to the commit header,
cleaned up whitespace. -bpm]
|
|
Determine if we've created a new file by examining the directory change
attribute and/or the O_EXCL flag.
This fixes a regression when doing a non-exclusive create of a new file.
If the FILE_CREATED flag is not set, the atomic_open() command will
perform full file access permissions checks instead of just checking
for MAY_OPEN.
Signed-off-by: Trond Myklebust <[email protected]>
|
|
Add missing break into the restore function.
Signed-off-by: Marek Vasut <[email protected]>
Cc: Fabio Estevam <[email protected]>
Cc: Shawn Guo <[email protected]>
Cc: Tomi Valkeinen <[email protected]>
Signed-off-by: Tomi Valkeinen <[email protected]>
|
|
This patch avoids to dereference the uninitialized data pointer if the
error path is entered before devm_kzalloc is called (or if the allocation
fails). It fixes the following warning:
sound/soc/fsl/imx-sgtl5000.c: In function 'imx_sgtl5000_probe':
sound/soc/fsl/imx-sgtl5000.c:175:18: warning: 'data' may be used uninitialized in this function [-Wmaybe-uninitialized]
Signed-off-by: Philipp Zabel <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
|
|
Calling devm_clk_get with any device pointer other than our own confuses
devres. Use clk_get instead. This avoids hitting the following warning in
the imx-sgtl5000 error path:
imx-sgtl5000 sound.12: snd_soc_register_card failed (-517)
platform sound.12: Driver imx-sgtl5000 requests probe deferral
------------[ cut here ]------------
WARNING: CPU: 0 PID: 75 at drivers/base/dd.c:272 driver_probe_device+0x194/0x218()
Modules linked in: snd_soc_sgtl5000(+) snd_soc_imx_sgtl5000 coda snd_soc_imx_audmux imx_sdma snd_soc_fsl_spdif snd_soc_fsl_ssi
CPU: 0 PID: 75 Comm: udevd Not tainted 3.11.0-rc6+ #4682
Backtrace:
[<80010bc4>] (dump_backtrace+0x0/0x10c) from [<80010d60>] (show_stack+0x18/0x1c)
r6:00000110 r5:00000009 r4:00000000 r3:00000000
[<80010d48>] (show_stack+0x0/0x1c) from [<804f0764>] (dump_stack+0x20/0x28)
[<804f0744>] (dump_stack+0x0/0x28) from [<8001a4a4>] (warn_slowpath_common+0x6c/0x8c)
[<8001a438>] (warn_slowpath_common+0x0/0x8c) from [<8001a4e8>] (warn_slowpath_null+0x24/0x2c)
r8:7f032000 r7:7f02f93c r6:cf8eaa54 r5:cf8eaa20 r4:80728a0c
[<8001a4c4>] (warn_slowpath_null+0x0/0x2c) from [<80286bdc>] (driver_probe_device+0x194/0x218)
[<80286a48>] (driver_probe_device+0x0/0x218) from [<80286cf4>] (__driver_attach+0x94/0x98)
r7:00000000 r6:cf8eaa54 r5:7f02f93c r4:cf8eaa20
[<80286c60>] (__driver_attach+0x0/0x98) from [<802851c8>] (bus_for_each_dev+0x5c/0x90)
r6:80286c60 r5:7f02f93c r4:00000000 r3:cf8ef03c
[<8028516c>] (bus_for_each_dev+0x0/0x90) from [<80286654>] (driver_attach+0x24/0x28)
r6:806d0424 r5:cf16a580 r4:7f02f93c
[<80286630>] (driver_attach+0x0/0x28) from [<802861e4>] (bus_add_driver+0xdc/0x234)
[<80286108>] (bus_add_driver+0x0/0x234) from [<802871d4>] (driver_register+0x80/0x154)
r8:7f032000 r7:00000001 r6:7f02fa68 r5:7f02fa74 r4:7f02f93c
[<80287154>] (driver_register+0x0/0x154) from [<8033c278>] (i2c_register_driver+0x34/0xbc)
[<8033c244>] (i2c_register_driver+0x0/0xbc) from [<7f032018>] (sgtl5000_i2c_driver_init+0x18/0x24 [snd_soc_sgtl5000])
r5:7f02fa74 r4:cfb7ff48
[<7f032000>] (sgtl5000_i2c_driver_init+0x0/0x24 [snd_soc_sgtl5000]) from [<80008738>] (do_one_initcall+0xf4/0x150)
[<80008644>] (do_one_initcall+0x0/0x150) from [<80053f64>] (load_module+0x174c/0x1db4)
[<80052818>] (load_module+0x0/0x1db4) from [<800546ac>] (SyS_init_module+0xe0/0xf4)
[<800545cc>] (SyS_init_module+0x0/0xf4) from [<8000e540>] (ret_fast_syscall+0x0/0x30)
r6:00005b22 r5:00afed68 r4:00000000
---[ end trace b24c5c3bb145dbdd ]---
Signed-off-by: Philipp Zabel <[email protected]>
Acked-by: Shawn Guo <[email protected]>
Reviewed-by: Fabio Estevam <[email protected]>
Signed-off-by: Mark Brown <[email protected]>
|
|
After reports from Chris and Josh Boyer of a rare crash in applesmc,
Guenter pointed at the initialization problem fixed below. The patch
has not been verified to fix the crash, but should be applied
regardless.
Reported-by: <[email protected]>
Suggested-by: Guenter Roeck <[email protected]>
Signed-off-by: Henrik Rydberg <[email protected]>
Cc: [email protected]
Signed-off-by: Guenter Roeck <[email protected]>
|
|
of_get_display_timing(s) use of_find_node_by_name
to get child node, this is incorrect, of_get_child_by_name
should be used instead. The patch fixes it.
Small typo is also corrected.
Signed-off-by: Andrzej Hajda <[email protected]>
Signed-off-by: Kyungmin Park <[email protected]>
Signed-off-by: Tomi Valkeinen <[email protected]>
|
|
Fix to return a negative error code from the error handling
case instead of 0, as done elsewhere in this function.
Signed-off-by: Wei Yongjun <[email protected]>
Signed-off-by: Tomi Valkeinen <[email protected]>
|