Commits on Jan 11, 2013
  1. @gregkh

    Linux 3.0.58

    gregkh committed
  2. @gregkh

    can: Do not call dev_put if restart timer is running upon close

    Alexander Stein committed with gregkh
    commit ab48b03 upstream.
    If the restart timer is running due to BUS-OFF and the device is
    disconnected a dev_put will decrease the usage counter to -1 thus
    blocking the interface removal, resulting in the following dmesg
    lines repeating every 10s:
    can: notifier: receive list not found for dev can0
    can: notifier: receive list not found for dev can0
    can: notifier: receive list not found for dev can0
    unregister_netdevice: waiting for can0 to become free. Usage count = -1
    Signed-off-by: Alexander Stein <>
    Signed-off-by: Marc Kleine-Budde <>
    Signed-off-by: Greg Kroah-Hartman <>
  3. @gregkh

    mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT

    Michal Hocko committed with gregkh
    commit 53a59fc upstream.
    Since commit e303297 ("mm: extended batches for generic
    mmu_gather") we are batching pages to be freed until either
    tlb_next_batch cannot allocate a new batch or we are done.
    This works just fine most of the time but we can get into trouble
    on large machines where too aggressive batching might lead to soft
    lockups during process exit path (exit_mmap) because there are no
    scheduling points down the free_pages_and_swap_cache path and so the
    freeing can take long enough to trigger the soft lockup.
    The lockup is harmless except when the system is set up to panic on
    softlockup which is not that unusual.
    The simplest way to work around this issue is to limit the maximum
    number of batches in a single mmu_gather.  10k of collected pages should
    be safe to prevent from soft lockups (we would have 2ms for one) even if
    they are all freed without an explicit scheduling point.
    This patch doesn't add any new explicit scheduling points because it
    relies on zap_pmd_range during page tables zapping which calls
    cond_resched per PMD.
    The following lockup has been reported for 3.0 kernel with a huge
    process (in order of hundreds gigs but I do know any more details).
      BUG: soft lockup - CPU#56 stuck for 22s! [kernel:31053]
      Modules linked in: af_packet nfs lockd fscache auth_rpcgss nfs_acl sunrpc mptctl mptbase autofs4 binfmt_misc dm_round_robin dm_multipath bonding cpufreq_conservative cpufreq_userspace cpufreq_powersave pcc_cpufreq mperf microcode fuse loop osst sg sd_mod crc_t10dif st qla2xxx scsi_transport_fc scsi_tgt netxen_nic i7core_edac iTCO_wdt joydev e1000e serio_raw pcspkr edac_core iTCO_vendor_support acpi_power_meter rtc_cmos hpwdt hpilo button container usbhid hid dm_mirror dm_region_hash dm_log linear uhci_hcd ehci_hcd usbcore usb_common scsi_dh_emc scsi_dh_alua scsi_dh_hp_sw scsi_dh_rdac scsi_dh dm_snapshot pcnet32 mii edd dm_mod raid1 ext3 mbcache jbd fan thermal processor thermal_sys hwmon cciss scsi_mod
      Supported: Yes
      CPU 56
      Pid: 31053, comm: kernel Not tainted 3.0.31-0.9-default #1 HP ProLiant DL580 G7
      RIP: 0010:  _raw_spin_unlock_irqrestore+0x8/0x10
      RSP: 0018:ffff883ec1037af0  EFLAGS: 00000206
      RAX: 0000000000000e00 RBX: ffffea01a0817e28 RCX: ffff88803ffd9e80
      RDX: 0000000000000200 RSI: 0000000000000206 RDI: 0000000000000206
      RBP: 0000000000000002 R08: 0000000000000001 R09: ffff887ec724a400
      R10: 0000000000000000 R11: dead000000200200 R12: ffffffff8144c26e
      R13: 0000000000000030 R14: 0000000000000297 R15: 000000000000000e
      FS:  00007ed834282700(0000) GS:ffff88c03f200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 000000000068b240 CR3: 0000003ec13c5000 CR4: 00000000000006e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process kernel (pid: 31053, threadinfo ffff883ec1036000, task ffff883ebd5d4100)
      Call Trace:
      DWARF2 unwinder stuck at int_signal+0x12/0x17
    Signed-off-by: Michal Hocko <>
    Cc: Mel Gorman <>
    Cc: Rik van Riel <>
    Cc: Peter Zijlstra <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  4. @tonyprisk @gregkh

    drivers/rtc/rtc-vt8500.c: fix handling of data passed in struct rtc_time

    tonyprisk committed with gregkh
    commit 2f90b68 upstream.
    tm_mon is 0..11, whereas vt8500 expects 1..12 for the month field,
    causing invalid date errors for January, and causing the day field to
    roll over incorrectly.
    The century flag is only handled in vt8500_rtc_read_time, but not set in
    vt8500_rtc_set_time.  This patch corrects the behaviour of the century
    Signed-off-by: Edgar Toernig <>
    Signed-off-by: Tony Prisk <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  5. @tonyprisk @gregkh

    drivers/rtc/rtc-vt8500.c: correct handling of CR_24H bitfield

    tonyprisk committed with gregkh
    commit 532db57 upstream.
    Control register bitfield for 12H/24H mode is handled incorrectly.
    Setting CR_24H actually enables 12H mode.  This patch renames the define
    and changes the initialization code to correctly set 24H mode.
    Signed-off-by: Tony Prisk <>
    Cc: Edgar Toernig <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  6. @gregkh

    CRIS: fix I/O macros

    Corey Minyard committed with gregkh
    commit c24bf9b upstream.
    The inb/outb macros for CRIS are broken from a number of points of view,
    missing () around parameters and they have an unprotected if statement
    in them.  This was breaking the compile of IPMI on CRIS and thus I was
    being annoyed by build regressions, so I fixed them.
    Plus I don't think they would have worked at all, since the data values
    were missing "&" and the outsl had a "3" instead of a "4" for the size.
    From what I can tell, this stuff is not used at all, so this can't be
    any more broken than it was before, anyway.
    Signed-off-by: Corey Minyard <>
    Cc: Jesper Nilsson <>
    Cc: Mikael Starvik <>
    Acked-by: Geert Uytterhoeven <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. @gregkh

    Bluetooth: cancel power_on work when unregistering the device

    Gustavo Padovan committed with gregkh
    commit b9b5ef1 upstream.
    We need to cancel the hci_power_on work in order to avoid it running when we
    try to free the hdev.
    [ 1434.201149] ------------[ cut here ]------------
    [ 1434.204998] WARNING: at lib/debugobjects.c:261 debug_print_object+0x8e/0xb0()
    [ 1434.208324] ODEBUG: free active (active state 0) object type: work_struct hint: hci
    [ 1434.210386] Pid: 8564, comm: trinity-child25 Tainted: G        W    3.7.0-rc5-next-
    20121112-sasha-00018-g2f4ce0e #127
    [ 1434.210760] Call Trace:
    [ 1434.210760]  [<ffffffff819f3d6e>] ? debug_print_object+0x8e/0xb0
    [ 1434.210760]  [<ffffffff8110b887>] warn_slowpath_common+0x87/0xb0
    [ 1434.210760]  [<ffffffff8110b911>] warn_slowpath_fmt+0x41/0x50
    [ 1434.210760]  [<ffffffff819f3d6e>] debug_print_object+0x8e/0xb0
    [ 1434.210760]  [<ffffffff8376b750>] ? hci_dev_open+0x310/0x310
    [ 1434.210760]  [<ffffffff83bf94e5>] ? _raw_spin_unlock_irqrestore+0x55/0xa0
    [ 1434.210760]  [<ffffffff819f3ee5>] __debug_check_no_obj_freed+0xa5/0x230
    [ 1434.210760]  [<ffffffff83785db0>] ? bt_host_release+0x10/0x20
    [ 1434.210760]  [<ffffffff819f4d15>] debug_check_no_obj_freed+0x15/0x20
    [ 1434.210760]  [<ffffffff8125eee7>] kfree+0x227/0x330
    [ 1434.210760]  [<ffffffff83785db0>] bt_host_release+0x10/0x20
    [ 1434.210760]  [<ffffffff81e539e5>] device_release+0x65/0xc0
    [ 1434.210760]  [<ffffffff819d3975>] kobject_cleanup+0x145/0x190
    [ 1434.210760]  [<ffffffff819d39cd>] kobject_release+0xd/0x10
    [ 1434.210760]  [<ffffffff819d33cc>] kobject_put+0x4c/0x60
    [ 1434.210760]  [<ffffffff81e548b2>] put_device+0x12/0x20
    [ 1434.210760]  [<ffffffff8376a334>] hci_free_dev+0x24/0x30
    [ 1434.210760]  [<ffffffff82fd8fe1>] vhci_release+0x31/0x60
    [ 1434.210760]  [<ffffffff8127be12>] __fput+0x122/0x250
    [ 1434.210760]  [<ffffffff811cab0d>] ? rcu_user_exit+0x9d/0xd0
    [ 1434.210760]  [<ffffffff8127bf49>] ____fput+0x9/0x10
    [ 1434.210760]  [<ffffffff81133402>] task_work_run+0xb2/0xf0
    [ 1434.210760]  [<ffffffff8106cfa7>] do_notify_resume+0x77/0xa0
    [ 1434.210760]  [<ffffffff83bfb0ea>] int_signal+0x12/0x17
    [ 1434.210760] ---[ end trace a6d57fefbc8a8cc7 ]---
    Reported-by: Sasha Levin <>
    Signed-off-by: Gustavo Padovan <>
    Signed-off-by: Greg Kroah-Hartman <>
  8. @mrkindustries @gregkh

    Bluetooth: ath3k: Add support for VAIO VPCEH [0489:e027]

    mrkindustries committed with gregkh
    commit acd9454 upstream.
    Added Atheros AR3011 internal bluetooth device found in Sony VAIO VPCEH to the
    devices list.
    Before this, the bluetooth module was identified as a Foxconn / Hai bluetooth
    device [0489:e027], now it claims to be an Atheros AR3011 Bluetooth
    T:  Bus=01 Lev=02 Prnt=02 Port=04 Cnt=02 Dev#=  4 Spd=12   MxCh= 0
    D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=0489 ProdID=e027 Rev= 0.01
    C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
    I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
    E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
    I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
    E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
    I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
    I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
    I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
    I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
    E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
    E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
    Signed-off-by: Marcos Chaparro <>
    Signed-off-by: Gustavo Padovan <>
    Cc: Ben Hutchings <>
    Signed-off-by: Greg Kroah-Hartman <>
  9. @amluto @gregkh

    PCI: Reduce Ricoh 0xe822 SD card reader base clock frequency to 50MHz

    amluto committed with gregkh
    commit 812089e upstream.
    Otherwise it fails like this on cards like the Transcend 16GB SDHC card:
        mmc0: new SDHC card at address b368
        mmcblk0: mmc0:b368 SDC   15.0 GiB
        mmcblk0: error -110 sending status command, retrying
        mmcblk0: error -84 transferring data, sector 0, nr 8, cmd response 0x900, card status 0xb0
    Tested on my Lenovo x200 laptop.
    [bhelgaas: changelog]
    Signed-off-by: Andy Lutomirski <>
    Signed-off-by: Bjorn Helgaas <>
    Acked-by: Chris Ball <>
    CC: Manoj Iyer <>
    Signed-off-by: Greg Kroah-Hartman <>
  10. @dwmw2 @gregkh

    solos-pci: fix double-free of TX skb in DMA mode

    dwmw2 committed with gregkh
    commit cae49ed upstream.
    We weren't clearing card->tx_skb[port] when processing the TX done interrupt.
    If there wasn't another skb ready to transmit immediately, this led to a
    double-free because we'd free it *again* next time we did have a packet to
    Signed-off-by: David Woodhouse <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  11. @gregkh

    ARM: missing ->mmap_sem around find_vma() in swp_emulate.c

    Al Viro committed with gregkh
    commit 7bf9b7b upstream.
    find_vma() is *not* safe when somebody else is removing vmas.  Not just
    the return value might get bogus just as you are getting it (this instance
    doesn't try to dereference the resulting vma), the search itself can get
    buggered in rather spectacular ways.  IOW, ->mmap_sem really, really is
    not optional here.
    Signed-off-by: Al Viro <>
    Signed-off-by: Russell King <>
    Signed-off-by: Greg Kroah-Hartman <>
  12. @wildea01 @gregkh

    ARM: mm: use pteval_t to represent page protection values

    wildea01 committed with gregkh
    commit 864aa04 upstream.
    When updating the page protection map after calculating the user_pgprot
    value, the base protection map is temporarily stored in an unsigned long
    type, causing truncation of the protection bits when LPAE is enabled.
    This effectively means that calls to mprotect() will corrupt the upper
    page attributes, clearing the XN bit unconditionally.
    This patch uses pteval_t to store the intermediate protection values,
    preserving the upper bits for 64-bit descriptors.
    Acked-by: Nicolas Pitre <>
    Acked-by: Catalin Marinas <>
    Signed-off-by: Will Deacon <>
    Signed-off-by: Greg Kroah-Hartman <>
  13. @gregkh

    tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation

    Eric Dumazet committed with gregkh
    [ Upstream commit 354e4aa ]
    RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation]
      All TCP stacks MAY implement the following mitigation.  TCP stacks
      that implement this mitigation MUST add an additional input check to
      any incoming segment.  The ACK value is considered acceptable only if
      it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
      SND.NXT).  All incoming segments whose ACK value doesn't satisfy the
      above condition MUST be discarded and an ACK sent back.
    Move tcp_send_challenge_ack() before tcp_ack() to avoid a forward
    Signed-off-by: Eric Dumazet <>
    Cc: Neal Cardwell <>
    Cc: Yuchung Cheng <>
    Cc: Jerry Chu <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  14. @gregkh

    tcp: tcp_replace_ts_recent() should not be called from tcp_validate_i…

    Eric Dumazet committed with gregkh
    [ Upstream commit bd090df ]
    We added support for RFC 5961 in latest kernels but TCP fails
    to perform exhaustive check of ACK sequence.
    We can update our view of peer tsval from a frame that is
    later discarded by tcp_ack().
    This makes timestamps enabled sessions vulnerable to injection of
    a high tsval : peers start an ACK storm, since the victim
    sends a dupack each time it receives an ACK from the other peer.
    As tcp_validate_incoming() is called before tcp_ack(), we should
    not perform tcp_replace_ts_recent() from it, and let callers do it
    at the right time.
    Signed-off-by: Eric Dumazet <>
    Cc: Neal Cardwell <>
    Cc: Yuchung Cheng <>
    Cc: Nandita Dukkipati <>
    Cc: H.K. Jerry Chu <>
    Cc: Romain Francoise <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  15. @gregkh

    tcp: refine SYN handling in tcp_validate_incoming

    Eric Dumazet committed with gregkh
    [ Upstream commit e371589 ]
    Followup of commit 0c24604 (tcp: implement RFC 5961 4.2)
    As reported by Vijay Subramanian, we should send a challenge ACK
    instead of a dup ack if a SYN flag is set on a packet received out of
    This permits the ratelimiting to work as intended, and to increase
    correct SNMP counters.
    Suggested-by: Vijay Subramanian <>
    Signed-off-by: Eric Dumazet <>
    Acked-by: Vijay Subramanian <>
    Cc: Kiran Kumar Kella <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  16. @gregkh

    tcp: implement RFC 5961 4.2

    Eric Dumazet committed with gregkh
    [ Upstream commit 0c24604 ]
    Implement the RFC 5691 mitigation against Blind
    Reset attack using SYN bit.
    Section 4.2 of RFC 5961 advises to send a Challenge ACK and drop
    incoming packet, instead of resetting the session.
    Add a new SNMP counter to count number of challenge acks sent
    in response to SYN packets.
    (netstat -s | grep TCPSYNChallenge)
    Remove obsolete TCPAbortOnSyn, since we no longer abort a TCP session
    because of a SYN flag.
    Signed-off-by: Eric Dumazet <>
    Cc: Kiran Kumar Kella <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  17. @gregkh

    tcp: implement RFC 5961 3.2

    Eric Dumazet committed with gregkh
    [ Upstream commit 282f23c ]
    Implement the RFC 5691 mitigation against Blind
    Reset attack using RST bit.
    Idea is to validate incoming RST sequence,
    to match RCV.NXT value, instead of previously accepted
    window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)
    If sequence is in window but not an exact match, send
    a "challenge ACK", so that the other part can resend an
    RST with the appropriate sequence.
    Add a new sysctl, tcp_challenge_ack_limit, to limit
    number of challenge ACK sent per second.
    Add a new SNMP counter to count number of challenge acks sent.
    (netstat -s | grep TCPChallengeACK)
    Signed-off-by: Eric Dumazet <>
    Cc: Kiran Kumar Kella <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  18. @matiniero @gregkh

    net: sched: integer overflow fix

    matiniero committed with gregkh
    [ Upstream commit d2fe85d ]
    Fixed integer overflow in function htb_dequeue
    Signed-off-by: Stefan Hasko <>
    Acked-by: Eric Dumazet <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  19. @kleikamp @gregkh

    sparc: huge_ptep_set_* functions need to call set_huge_pte_at()

    kleikamp committed with gregkh
    [ Upstream commit 6cb9c36 ]
    Modifying the huge pte's requires that all the underlying pte's be
    Version 2: added missing flush_tlb_page()
    Signed-off-by: Dave Kleikamp <>
    Cc: "David S. Miller" <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  20. @gregkh

    ftrace: Do not function trace inlined functions

    Steven Rostedt committed with gregkh
    commit 45959ee upstream.
    When gcc inlines a function, it does not mark it with the mcount
    prologue, which in turn means that inlined functions are not traced
    by the function tracer. But if CONFIG_OPTIMIZE_INLINING is set, then
    gcc is allowed not to inline a function that is marked inline.
    Depending on the options and the compiler, a function may or may
    not be traced by the function tracer, depending on whether gcc
    decides to inline a function or not. This has caused several
    problems in the past because gcc is not always consistent with
    what it decides to inline between different gcc versions.
    Some places should not be traced (like paravirt native_* functions)
    and these are mostly marked as inline. When gcc decides not to
    inline the function, and if that function should not be traced, then
    the ftrace function tracer will suddenly break when it used to work
    fine. This becomes even harder to debug when different versions of
    gcc will not inline that function, making the same kernel and config
    work for some gcc versions and not work for others.
    By making all functions marked inline to not be traced will remove
    the ambiguity that gcc adds when it comes to tracing functions marked
    inline. All gcc versions will be consistent with what functions are
    traced and having volatile working code will be removed.
    Note, only the inline macro when CONFIG_OPTIMIZE_INLINING is set needs
    to have notrace added, as the attribute __always_inline will force
    the function to be inlined and then not traced.
    Signed-off-by: Steven Rostedt <>
    Signed-off-by: Greg Kroah-Hartman <>
  21. @aprzywar @gregkh

    x86, amd: Disable way access filter on Piledriver CPUs

    aprzywar committed with gregkh
    commit 2bbf0a1 upstream.
    The Way Access Filter in recent AMD CPUs may hurt the performance of
    some workloads, caused by aliasing issues in the L1 cache.
    This patch disables it on the affected CPUs.
    The issue is similar to that one of last year:
    This new patch does not replace the old one, we just need another
    quirk for newer CPUs.
    The performance penalty without the patch depends on the
    circumstances, but is a bit less than the last year's 3%.
    The workloads affected would be those that access code from the same
    physical page under different virtual addresses, so different
    processes using the same libraries with ASLR or multiple instances of
    PIE-binaries. The code needs to be accessed simultaneously from both
    cores of the same compute unit.
    More details can be found here:
    CPUs affected are anything with the core known as Piledriver.
    That includes the new parts of the AMD A-Series (aka Trinity) and the
    just released new CPUs of the FX-Series (aka Vishera).
    The model numbering is a bit odd here: FX CPUs have model 2,
    A-Series has model 10h, with possible extensions to 1Fh. Hence the
    range of model ids.
    Signed-off-by: Andre Przywara <>
    Signed-off-by: H. Peter Anvin <>
    Signed-off-by: CAI Qian <>
    Signed-off-by: Greg Kroah-Hartman <>
  22. @gregkh

    cgroup: remove incorrect dget/dput() pair in cgroup_create_dir()

    Tejun Heo committed with gregkh
    commit 1754316 upstream.
    cgroup_create_dir() does weird dancing with dentry refcnt.  On
    success, it gets and then puts it achieving nothing.  On failure, it
    puts but there is no matching get anywhere leading to the following
    oops if cgroup_create_file() fails for whatever reason.
      ------------[ cut here ]------------
      kernel BUG at /work/os/work/fs/dcache.c:552!
      invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
      Modules linked in:
      CPU 2
      Pid: 697, comm: mkdir Not tainted 3.7.0-rc4-work+ #3 Bochs Bochs
      RIP: 0010:[<ffffffff811d9c0c>]  [<ffffffff811d9c0c>] dput+0x1dc/0x1e0
      RSP: 0018:ffff88001a3ebef8  EFLAGS: 00010246
      RAX: 0000000000000000 RBX: ffff88000e5b1ef8 RCX: 0000000000000403
      RDX: 0000000000000303 RSI: 2000000000000000 RDI: ffff88000e5b1f58
      RBP: ffff88001a3ebf18 R08: ffffffff82c76960 R09: 0000000000000001
      R10: ffff880015022080 R11: ffd9bed70f48a041 R12: 00000000ffffffea
      R13: 0000000000000001 R14: ffff88000e5b1f58 R15: 00007fff57656d60
      FS:  00007ff05fcb3800(0000) GS:ffff88001fd00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000004046f0 CR3: 000000001315f000 CR4: 00000000000006e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process mkdir (pid: 697, threadinfo ffff88001a3ea000, task ffff880015022080)
       ffff88001a3ebf48 00000000ffffffea 0000000000000001 0000000000000000
       ffff88001a3ebf38 ffffffff811cc889 0000000000000001 ffff88000e5b1ef8
       ffff88001a3ebf68 ffffffff811d1fc9 ffff8800198d7f18 ffff880019106ef8
      Call Trace:
       [<ffffffff811cc889>] done_path_create+0x19/0x50
       [<ffffffff811d1fc9>] sys_mkdirat+0x59/0x80
       [<ffffffff811d2009>] sys_mkdir+0x19/0x20
       [<ffffffff81be1e02>] system_call_fastpath+0x16/0x1b
      Code: 00 48 8d 90 18 01 00 00 48 89 93 c0 00 00 00 4c 89 a0 18 01 00 00 48 8b 83 a0 00 00 00 83 80 28 01 00 00 01 e8 e6 6f a0 00 eb 92 <0f> 0b 66 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 49 89 fe 41
      RIP  [<ffffffff811d9c0c>] dput+0x1dc/0x1e0
       RSP <ffff88001a3ebef8>
      ---[ end trace 1277bcfd9561ddb0 ]---
    Fix it by dropping the unnecessary dget/dput() pair.
    Signed-off-by: Tejun Heo <>
    Acked-by: Li Zefan <>
    Signed-off-by: Greg Kroah-Hartman <>
  23. @gregkh

    xhci: Add Lynx Point LP to list of Intel switchable hosts

    Russell Webb committed with gregkh
    commit bb1e5dd upstream.
    Like Lynx Point, Lynx Point LP is also switchable.  See
    1c12443 for more details.
    This patch should be backported to stable kernels as old as 3.0,
    that contain commit 69e848c
    "Intel xhci: Support EHCI/xHCI port switching."
    Signed-off-by: Russell Webb <>
    Signed-off-by: Sarah Sharp <>
    Signed-off-by: Greg Kroah-Hartman <>
  24. @gregkh

    genirq: Always force thread affinity

    Thomas Gleixner committed with gregkh
    commit 04aa530 upstream.
    Sankara reported that the genirq core code fails to adjust the
    affinity of an interrupt thread in several cases:
     1) On request/setup_irq() the call to setup_affinity() happens before
        the new action is registered, so the new thread is not notified.
     2) For secondary shared interrupts nothing notifies the new thread to
        change its affinity.
     3) Interrupts which have the IRQ_NO_BALANCE flag set are not moving
        the thread either.
    Fix this by setting the thread affinity flag right on thread creation
    time. This ensures that under all circumstances the thread moves to
    the right place. Requires a check in irq_thread_check_affinity for an
    existing affinity mask (CONFIG_CPU_MASK_OFFSTACK=y)
    Reported-and-tested-by: Sankara Muthukrishnan <>
    Signed-off-by: Thomas Gleixner <>
    Signed-off-by: Greg Kroah-Hartman <>
  25. @gregkh

    Input: walkera0701 - fix crash on startup

    Peter Popovec committed with gregkh
    commit a455e29 upstream.
    The driver's timer must be set up before enabling IRQ handler, otherwise
    bad things may happen.
    Reported-and-tested-by: Fengguang Wu <>
    Signed-off-by: Peter Popovec <>
    Signed-off-by: Dmitry Torokhov <>
    Signed-off-by: Greg Kroah-Hartman <>
  26. @xiw @gregkh

    nfs: fix null checking in nfs_get_option_str()

    xiw committed with gregkh
    commit e25fbe3 upstream.
    The following null pointer check is broken.
    	*option = match_strdup(args);
    	return !option;
    The pointer `option' must be non-null, and thus `!option' is always false.
    Use `!*option' instead.
    The bug was introduced in commit c5cb09b ("Cleanup: Factor out some
    cut-and-paste code.").
    Signed-off-by: Xi Wang <>
    Signed-off-by: Trond Myklebust <>
    Signed-off-by: Greg Kroah-Hartman <>
  27. @gregkh

    nfsd4: fix oops on unusual readlike compound

    J. Bruce Fields committed with gregkh
    commit d5f50b0 upstream.
    If the argument and reply together exceed the maximum payload size, then
    a reply with a read-like operation can overflow the rq_pages array.
    Signed-off-by: J. Bruce Fields <>
    Signed-off-by: Greg Kroah-Hartman <>
  28. @gregkh

    NFS: Fix calls to drop_nlink()

    Trond Myklebust committed with gregkh
    commit 1f01845 upstream.
    It is almost always wrong for NFS to call drop_nlink() after removing a
    file. What we really want is to mark the inode's attributes for
    revalidation, and we want to ensure that the VFS drops it if we're
    reasonably sure that this is the final unlink().
    Do the former using the usual cache validity flags, and the latter
    by testing if inode->i_nlink == 1, and clearing it in that case.
    This also fixes the following warning reported by Neil Brown and
    Jeff Layton (among others).
    [634155.004438] WARNING:
    at /home/abuild/rpmbuild/BUILD/kernel-desktop-3.5.0/lin [634155.004442]
    Hardware name: Latitude E6510 [634155.004577]  crc_itu_t crc32c_intel
    snd_hwdep snd_pcm snd_timer snd soundcor [634155.004609] Pid: 13402, comm:
    bash Tainted: G        W    3.5.0-36-desktop # [634155.004611] Call Trace:
    [634155.004630]  [<ffffffff8100444a>] dump_trace+0xaa/0x2b0
    [634155.004641]  [<ffffffff815a23dc>] dump_stack+0x69/0x6f
    [634155.004653]  [<ffffffff81041a0b>] warn_slowpath_common+0x7b/0xc0
    [634155.004662]  [<ffffffff811832e4>] drop_nlink+0x34/0x40
    [634155.004687]  [<ffffffffa05bb6c3>] nfs_dentry_iput+0x33/0x70 [nfs]
    [634155.004714]  [<ffffffff8118049e>] dput+0x12e/0x230
    [634155.004726]  [<ffffffff8116b230>] __fput+0x170/0x230
    [634155.004735]  [<ffffffff81167c0f>] filp_close+0x5f/0x90
    [634155.004743]  [<ffffffff81167cd7>] sys_close+0x97/0x100
    [634155.004754]  [<ffffffff815c3b39>] system_call_fastpath+0x16/0x1b
    [634155.004767]  [<00007f2a73a0d110>] 0x7f2a73a0d10f
    Signed-off-by: Trond Myklebust <>
    Signed-off-by: Greg Kroah-Hartman <>
  29. @neilbrown @gregkh

    NFS: avoid NULL dereference in nfs_destroy_server

    neilbrown committed with gregkh
    commit f259613 upstream.
    In rare circumstances, nfs_clone_server() of a v2 or v3 server can get
    an error between setting server->destroy (to nfs_destroy_server), and
    calling nfs_start_lockd (which will set server->nlm_host).
    If this happens, nfs_clone_server will call nfs_free_server which
    will call nfs_destroy_server and thence nlmclnt_done(NULL).  This
    causes the NULL to be dereferenced.
    So add a guard to only call nlmclnt_done() if ->nlm_host is not NULL.
    The other guards there are irrelevant as nlm_host can only be non-NULL
    if one of these flags is set - so remove those tests.  (Thanks to Trond
    for this suggestion).
    This is suitable for any stable kernel since 2.6.25.
    Signed-off-by: NeilBrown <>
    Signed-off-by: Trond Myklebust <>
    Signed-off-by: Greg Kroah-Hartman <>
  30. @gregkh

    ACPI / scan: Do not use dummy HID for system bus ACPI nodes

    Rafael J. Wysocki committed with gregkh
    commit 4f5f64c upstream.
    At one point acpi_device_set_id() checks if acpi_device_hid(device)
    returns NULL, but that never happens, so system bus devices with an
    empty list of PNP IDs are given the dummy HID ("device") instead of
    the "system bus HID" ("LNXSYBUS").  Fix the code to use the right
    Signed-off-by: Rafael J. Wysocki <>
    Signed-off-by: Greg Kroah-Hartman <>
  31. @gregkh

    usb: gadget: phonet: free requests in pn_bind()'s error path

    Sebastian Andrzej Siewior committed with gregkh
    commit d0eca71 upstream.
    Signed-off-by: Sebastian Andrzej Siewior <>
    Signed-off-by: Felipe Balbi <>
    Signed-off-by: Greg Kroah-Hartman <>
  32. @chunkeey @gregkh

    p54usb: add USBIDs for two more p54usb devices

    chunkeey committed with gregkh
    commit 4010fe2 upstream.
    This patch adds USBIDs for:
    	- DrayTek Vigor 530
    	- Zoom 4410a
    It also adds a note about Gemtek WUBI-100GW
    and SparkLAN WL-682 USBID conflict [WUBI-100GW
    is an ISL3886+NET2280 (LM86 firmware) solution,
    whereas WL-682 is an ISL3887 (LM87 firmware)]
    Source: <>
    Signed-off-by: Christian Lamparter <>
    Signed-off-by: John W. Linville <>
    Signed-off-by: Greg Kroah-Hartman <>
  33. @gregkh

    p54usb: add USB ID for T-Com Sinus 154 data II

    Tomasz Guszkowski committed with gregkh
    commit 3194b7f upstream.
    Added USB ID for T-Com Sinus 154 data II.
    Signed-off-by: Tomasz Guszkowski <>
    Acked-by: Christian Lamparter <>
    Signed-off-by: John W. Linville <>
    Signed-off-by: Greg Kroah-Hartman <>
  34. @tiwai @gregkh

    ALSA: usb-audio: Fix missing autopm for MIDI input

    tiwai committed with gregkh
    commit f5f1654 upstream.
    The commit [88a8516: ALSA: usbaudio: implement USB autosuspend] added
    the support of autopm for USB MIDI output, but it didn't take the MIDI
    input into account.
    This patch adds the following for fixing the autopm:
    - Manage the URB start at the first MIDI input stream open, instead of
      the time of instance creation
    - Move autopm code to the common substream_open()
    - Make snd_usbmidi_input_start/_stop() more robust and add the running
      state check
    Reviewed-by: Clemens Ladisch <>
    Tested-by: Clemens Ladisch <>
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Greg Kroah-Hartman <>
  35. @tiwai @gregkh

    ALSA: usb-audio: Avoid autopm calls after disconnection

    tiwai committed with gregkh
    commit 59866da upstream.
    Add a similar protection against the disconnection race and the
    invalid use of usb instance after disconnection, as well as we've done
    for the USB audio PCM.
    Reviewed-by: Clemens Ladisch <>
    Tested-by: Clemens Ladisch <>
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Greg Kroah-Hartman <>
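
The RFC 5961 input checks described in the tcp commits above (sections 3.2, 4.2 and 5.2, plus the per-second challenge ACK limit), as an added example that is not kernel code and not part of the original commits: a user-space C model using 32-bit wraparound sequence arithmetic. All type and function names, the limit of 2 per second and the sample connection values are assumptions made for illustration.

```c
/* Added illustration: user-space model of the RFC 5961 input checks.
 * Every name below is hypothetical; this is not the kernel's code. */
#include <stdint.h>
#include <stdio.h>

enum verdict { SEG_ACCEPT, SEG_RESET, SEG_CHALLENGE_ACK, SEG_DROP };

struct conn {
    uint32_t rcv_nxt, rcv_wnd;               /* RCV.NXT, RCV.WND */
    uint32_t snd_una, snd_nxt, max_snd_wnd;  /* SND.UNA, SND.NXT, MAX.SND.WND */
};

struct segment {
    uint32_t seq, ack;      /* SEG.SEQ, SEG.ACK */
    int rst, syn, has_ack;  /* TCP flag bits */
};

/* Per-second budget, the idea behind the tcp_challenge_ack_limit sysctl. */
struct ack_limiter { unsigned limit, used; uint64_t second; };

static int challenge_ack_allowed(struct ack_limiter *l, uint64_t now_sec)
{
    if (l->second != now_sec) {   /* new second: refill the budget */
        l->second = now_sec;
        l->used = 0;
    }
    if (l->used >= l->limit)
        return 0;
    l->used++;
    return 1;
}

/* Send a challenge ACK if the budget allows, otherwise drop silently. */
static enum verdict challenge(struct ack_limiter *l, uint64_t now_sec)
{
    return challenge_ack_allowed(l, now_sec) ? SEG_CHALLENGE_ACK : SEG_DROP;
}

enum verdict validate_segment(const struct conn *c, const struct segment *s,
                              struct ack_limiter *l, uint64_t now_sec)
{
    if (s->rst) {
        /* 3.2: only an exact match on RCV.NXT resets the connection. */
        if (s->seq == c->rcv_nxt)
            return SEG_RESET;
        /* In window but not exact; unsigned subtraction handles wraparound. */
        if ((uint32_t)(s->seq - c->rcv_nxt) < c->rcv_wnd)
            return challenge(l, now_sec);
        return SEG_DROP;                    /* out of window */
    }
    if (s->syn)
        /* 4.2: a SYN on a synchronized connection never resets it. */
        return challenge(l, now_sec);
    if (s->has_ack) {
        /* 5.2: accept only SND.UNA - MAX.SND.WND <= SEG.ACK <= SND.NXT. */
        uint32_t lo = c->snd_una - c->max_snd_wnd;
        if ((uint32_t)(s->ack - lo) > (uint32_t)(c->snd_nxt - lo))
            return challenge(l, now_sec);   /* discard, ACK sent back */
    }
    return SEG_ACCEPT;
}

int main(void)
{
    static const char *names[] = { "accept", "reset", "challenge-ack", "drop" };
    /* Constructed connection state with RCV.NXT close to the 2^32 wrap. */
    struct conn c = { 0xFFFFFF00u, 0x1000u, 5000u, 6000u, 65535u };
    struct ack_limiter l = { 2, 0, 0 };     /* constructed limit: 2 per second */
    /* Constructed segments: {seq, ack, rst, syn, has_ack} */
    struct segment segs[] = {
        { 0xFFFFFF00u, 0, 1, 0, 0 },   /* RST, exact RCV.NXT */
        { 0x00000010u, 0, 1, 0, 0 },   /* RST, in window after the wrap */
        { 0xFFFFFE00u, 0, 1, 0, 0 },   /* RST, before the window */
        { 0x00000010u, 0, 0, 1, 0 },   /* SYN on established connection */
        { 0xFFFFFF00u, 7000u, 0, 0, 1 },   /* ACK beyond SND.NXT */
        { 0xFFFFFF00u, 5500u, 0, 0, 1 },   /* ACK inside the range */
    };
    for (size_t i = 0; i < sizeof segs / sizeof segs[0]; i++)
        printf("segment %zu: %s\n", i,
               names[validate_segment(&c, &segs[i], &l, 1)]);
    return 0;
}
```

All segments in `main` arrive within the same second, so the ACK beyond SND.NXT is dropped without a reply because the two earlier challenge ACKs already used the budget.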