Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Commits on Feb 28, 2013
  1. @gregkh

    Linux 3.0.67

    gregkh authored
  2. @gregkh

    USB: usb-storage: unusual_devs update for Super TOP SATA bridge

    Josh Boyer authored gregkh committed
    commit 18e0331 upstream.
    The current entry in unusual_cypress.h for the Super TOP SATA bridge devices
    seems to be causing corruption on newer revisions of this device.  This has
    been reported in Arch Linux and Fedora.  The original patch was tested on
    devices with bcdDevice of 1.60, whereas the newer devices report bcdDevice
    as 2.20.  Limit the UNUSUAL_DEV entry to devices less than 2.20.
    This fixes
    The Arch Forum post on this is here:
    Reported-by: Carsten S. <>
    Tested-by: Carsten S. <>
    Signed-off-by: Josh Boyer <>
    Signed-off-by: Greg Kroah-Hartman <>
  3. @gregkh

    USB: storage: properly handle the endian issues of idProduct

    fangxiaozhi authored gregkh committed
    commit cd06095 upstream.
    1. The idProduct is little endian, so make sure its value to be
    compatible with the current CPU. Make no break on big endian processors.
    Signed-off-by: fangxiaozhi <>
    Signed-off-by: Greg Kroah-Hartman <>
  4. @rogerq @gregkh

    USB: ehci-omap: Fix autoloading of module

    rogerq authored gregkh committed
    commit 0475352 upstream.
    The module alias should be "ehci-omap" and not
    "omap-ehci" to match the platform device name.
    The omap-ehci module should now autoload correctly.
    Signed-off-by: Roger Quadros <>
    Acked-by: Alan Stern <>
    Signed-off-by: Greg Kroah-Hartman <>
  5. @bmork @gregkh

    USB: option: add Huawei "ACM" devices using protocol = vendor

    bmork authored gregkh committed
    commit 1f3f687 upstream.
    The USB device descriptor of one identity presented by a few
    Huawei morphing devices have serial functions with class codes
    02/02/ff, indicating CDC ACM with a vendor specific protocol. This
    combination is often used for MSFT RNDIS functions, and the CDC
    ACM class driver will therefore ignore such functions.
    The CDC ACM class driver cannot support functions with only 2
    endpoints.  The underlying serial functions of these modems are
    also believed to be the same as for alternate device identities
    already supported by the option driver. Letting the same driver
    handle these functions independently of the current identity
    ensures consistent handling and user experience.
    There is no need to blacklist these devices in the rndis_host
    driver. Huawei serial functions will either have only 2 endpoints
    or a CDC ACM functional descriptor with bmCapabilities != 0, making
    them correctly ignored as "non RNDIS" by that driver.
    Signed-off-by: Bjørn Mork <>
    Signed-off-by: Greg Kroah-Hartman <>
  6. @bmork @gregkh

    USB: option: add Yota / Megafon M100-1 4g modem

    bmork authored gregkh committed
    commit cd56527 upstream.
    Interface layout:
     00 CD-ROM
     01 debug COM port
     02 AP control port
     03 modem
     04 usb-ethernet
    Bus=01 Lev=02 Prnt=02 Port=01 Cnt=02 Dev#=  4 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=0408 ProdID=ea42 Rev= 0.00
    S:  Manufacturer=Qualcomm, Incorporated
    S:  Product=Qualcomm CDMA Technologies MSM
    S:  SerialNumber=353568051xxxxxx
    C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
    I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
    I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
    I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
    E:  Ad=84(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
    E:  Ad=86(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
    E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
    Signed-off-by: Bjørn Mork <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. @bmork @gregkh

    USB: option: add and update Alcatel modems

    bmork authored gregkh committed
    commit f8f0302 upstream.
    Adding three currently unsupported modems based on information
    from .inf driver files:
      Diag  VID_1BBB&PID_0052&MI_00
      AGPS  VID_1BBB&PID_0052&MI_01
      VOICE VID_1BBB&PID_0052&MI_02
      AT    VID_1BBB&PID_0052&MI_03
      Modem VID_1BBB&PID_0052&MI_05
      wwan  VID_1BBB&PID_0052&MI_06
      Diag  VID_1BBB&PID_00B6&MI_00
      AT    VID_1BBB&PID_00B6&MI_01
      Modem VID_1BBB&PID_00B6&MI_02
      wwan  VID_1BBB&PID_00B6&MI_03
      Diag  VID_1BBB&PID_00B7&MI_00
      AGPS  VID_1BBB&PID_00B7&MI_01
      VOICE VID_1BBB&PID_00B7&MI_02
      AT    VID_1BBB&PID_00B7&MI_03
      Modem VID_1BBB&PID_00B7&MI_04
      wwan  VID_1BBB&PID_00B7&MI_05
    Updating the blacklist info for the X060S_X200 and X220_X500D,
    reserving interfaces for a wwan driver, based on
      wwan VID_1BBB&PID_0000&MI_04
      wwan VID_1BBB&PID_0017&MI_06
    Signed-off-by: Bjørn Mork <>
    Signed-off-by: Greg Kroah-Hartman <>
  8. @gregkh

    dca: check against empty dca_domains list before unregister provider

    Maciej Sosnowski authored gregkh committed
    commit c419fcf upstream.
    When providers get blocked unregister_dca_providers() is called ending up
    with dca_providers and dca_domain lists emptied. Dca should be prevented from
    trying to unregister any provider if dca_domain list is found empty.
    Reported-by: Jiang Liu <>
    Tested-by: Gaohuai Han <>
    Signed-off-by: Maciej Sosnowski <>
    Signed-off-by: Dan Williams <>
    Signed-off-by: Greg Kroah-Hartman <>
  9. @gregkh

    ipv6: use a stronger hash for tcp

    Eric Dumazet authored gregkh committed
    [ Upstream commit 08dcdbf ]
    It looks like its possible to open thousands of TCP IPv6
    sessions on a server, all landing in a single slot of TCP hash
    table. Incoming packets have to lookup sockets in a very
    long list.
    We should hash all bits from foreign IPv6 addresses, using
    a salt and hash mix, not a simple XOR.
    inet6_ehashfn() can also separately use the ports, instead
    of xoring them.
    Reported-by: Neal Cardwell <>
    Signed-off-by: Eric Dumazet <>
    Cc: Yuchung Cheng <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  10. @gregkh

    ipv4: fix a bug in ping_err().

    Li Wei authored gregkh committed
    [ Upstream commit b531ed6 ]
    We should get 'type' and 'code' from the outer ICMP header.
    Signed-off-by: Li Wei <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  11. @dvrabel @gregkh

    xen-netback: cancel the credit timer when taking the vif down

    dvrabel authored gregkh committed
    [ Upstream commit 3e55f8b ]
    If the credit timer is left armed after calling
    xen_netbk_remove_xenvif(), then it may fire and attempt to schedule
    the vif which will then oops as vif->netbk == NULL.
    This may happen both in the fatal error path and during normal
    disconnection from the front end.
    The sequencing during shutdown is critical to ensure that: a)
    vif->netbk doesn't become unexpectedly NULL; and b) the net device/vif
    is not freed.
    1. Mark as unschedulable (netif_carrier_off()).
    2. Synchronously cancel the timer.
    3. Remove the vif from the schedule list.
    4. Remove it from it netback thread group.
    5. Wait for vif->refcnt to become 0.
    Signed-off-by: David Vrabel <>
    Acked-by: Ian Campbell <>
    Reported-by: Christopher S. Aker <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  12. @dvrabel @gregkh

    xen-netback: correctly return errors from netbk_count_requests()

    dvrabel authored gregkh committed
    [ Upstream commit 35876b5 ]
    netbk_count_requests() could detect an error, call
    netbk_fatal_tx_error() but return 0.  The vif may then be used
    afterwards (e.g., in a call to netbk_tx_error().
    Since netbk_fatal_tx_error() could set vif->refcnt to 1, the vif may
    be freed immediately after the call to netbk_fatal_tx_error() (e.g.,
    if the vif is also removed).
    Netback thread              Xenwatch thread
    netbk_fatal_tx_err()        netback_remove()
    netbk_tx_err() Oops!
    Signed-off-by: Wei Liu <>
    Signed-off-by: Jan Beulich <>
    Signed-off-by: David Vrabel <>
    Reported-by: Christopher S. Aker <>
    Acked-by: Ian Campbell <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  13. @shemminger @gregkh

    bridge: set priority of STP packets

    shemminger authored gregkh committed
    [ Upstream commit 547b4e7 ]
    Spanning Tree Protocol packets should have always been marked as
    control packets, this causes them to get queued in the high prirority
    FIFO. As Radia Perlman mentioned in her LCA talk, STP dies if bridge
    gets overloaded and can't communicate. This is a long-standing bug back
    to the first versions of Linux bridge.
    Signed-off-by: Stephen Hemminger <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  14. @tiwai @gregkh

    fb: Yet another band-aid for fixing lockdep mess

    tiwai authored gregkh committed
    commit e93a9a8 upstream.
    I've still got lockdep warnings even after Alan's patch, and it seems that
    yet more band aids are required to paper over similar paths for
    unbind_con_driver() and unregister_con_driver().  After this hack, lockdep
    warnings are finally gone.
    Signed-off-by: Takashi Iwai <>
    Cc: Alan Cox <>
    Cc: Florian Tobias Schandinat <>
    Cc: Jiri Kosina <>
    Tested-by: Sedat Dilek <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Dave Airlie <>
    Signed-off-by: Greg Kroah-Hartman <>
  15. @gregkh

    fb: rework locking to fix lock ordering on takeover

    Alan Cox authored gregkh committed
    commit 50e244c upstream.
    Adjust the console layer to allow a take over call where the caller
    already holds the locks.  Make the fb layer lock in order.
    This is partly a band aid, the fb layer is terminally confused about the
    locking rules it uses for its notifiers it seems.
    [ remove stray non-ascii char, tidy comment]
    [ export do_take_over_console()]
    [airlied: cleanup another non-ascii char]
    Signed-off-by: Alan Cox <>
    Cc: Florian Tobias Schandinat <>
    Cc: Stephen Rothwell <>
    Cc: Jiri Kosina <>
    Tested-by: Sedat Dilek <>
    Reviewed-by: Daniel Vetter <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Dave Airlie <>
    Signed-off-by: Greg Kroah-Hartman <>
  16. @gregkh

    fbcon: don't lose the console font across generic->chip driver switch

    Dave Airlie authored gregkh committed
    commit ae12878 upstream.
    If grub2 loads efifb/vesafb, then when systemd starts it can set the console
    font on that framebuffer device, however when we then load the native KMS
    driver, the first thing it does is tear down the generic framebuffer driver.
    The thing is the generic code is doing the right thing, it frees the font
    because otherwise it would leak memory. However we can assume that if you
    are removing the generic firmware driver (vesa/efi/offb), that a new driver
    *should* be loading soon after, so we effectively leak the font.
    However the old code left a dangling pointer in vc-> and we
    can now reuse that dangling pointer to load the font into the new
    driver, now that we aren't freeing it.
    Signed-off-by: Dave Airlie <>
    Cc: Kay Sievers <>
    Signed-off-by: Greg Kroah-Hartman <>
  17. @gregkh

    pcmcia/vrc4171: Add missing spinlock init

    Jean Delvare authored gregkh committed
    commit 811af97 upstream.
    It doesn't seem this spinlock was properly initialized. This bug was
    introduced by commit 7a410e8.
    Signed-off-by: Jean Delvare <>
    Signed-off-by: Greg Kroah-Hartman <>
  18. @gregkh

    Purge existing TLB entries in set_pte_at and ptep_set_wrprotect

    John David Anglin authored gregkh committed
    commit 7139bc1 upstream.
    This patch goes a long way toward fixing the minifail bug, and
    it  significantly improves the stability of SMP machines such as
    the rp3440.  When write  protecting a page for COW, we need to
    purge the existing translation.  Otherwise, the COW break
    doesn't occur as expected because the TLB may still have a stale entry
    which allows writes.
    [jejb: fix up checkpatch errors]
    Signed-off-by: John David Anglin <>
    Signed-off-by: James Bottomley <>
    Signed-off-by: Greg Kroah-Hartman <>
  19. @gregkh

    powerpc/kexec: Disable hard IRQ before kexec

    Phileas Fogg authored gregkh committed
    commit 8520e44 upstream.
    Disable hard IRQ before kexec a new kernel image.
    Not doing it can result in corrupted data in the memory segments
    reserved for the new kernel.
    Signed-off-by: Phileas Fogg <>
    Signed-off-by: Benjamin Herrenschmidt <>
    Signed-off-by: Greg Kroah-Hartman <>
  20. @igor-grinberg @gregkh

    ARM: PXA3xx: program the CSMSADRCFG register

    igor-grinberg authored gregkh committed
    commit d107a20 upstream.
    The Chip Select Configuration Register must be programmed to 0x2 in
    order to achieve the correct behavior of the Static Memory Controller.
    Without this patch devices wired to DFI and accessed through SMC cannot
    be accessed after resume from S2.
    Do not rely on the boot loader to program the CSMSADRCFG register by
    programming it in the kernel smemc module.
    Signed-off-by: Igor Grinberg <>
    Acked-by: Eric Miao <>
    Signed-off-by: Haojian Zhuang <>
    Signed-off-by: Greg Kroah-Hartman <>
  21. @gregkh

    staging: vt6656: Fix URB submitted while active warning.

    Malcolm Priestley authored gregkh committed
    commit ae5943d upstream.
    This error happens because PIPEnsControlOut and PIPEnsControlIn unlock the
    spin lock for delay, letting in another thread.
    The patch moves the current MP_SET_FLAG to before filling
    of sUsbCtlRequest for pControlURB and clears it in event of failing.
    Any thread calling either function while fMP_CONTROL_READS or fMP_CONTROL_WRITES
    flags set will return STATUS_FAILURE.
    Signed-off-by: Malcolm Priestley <>
    Signed-off-by: Greg Kroah-Hartman <>
  22. @ian-abbott @gregkh

    staging: comedi: disallow COMEDI_DEVCONFIG on non-board minors

    ian-abbott authored gregkh committed
    commit 754ab5c upstream.
    Comedi has two sorts of minor devices:
    (a) normal board minor devices in the range 0 to
    COMEDI_NUM_BOARD_MINORS-1 inclusive; and
    (b) special subdevice minor devices in the range COMEDI_NUM_BOARD_MINORS
    upwards that are used to open the same underlying comedi device as the
    normal board minor devices, but with non-default read and write
    subdevices for asynchronous commands.
    The special subdevice minor devices get created when a board supporting
    asynchronous commands is attached to a normal board minor device, and
    destroyed when the board is detached from the normal board minor device.
    One way to attach or detach a board is by using the COMEDI_DEVCONFIG
    ioctl.  This should only be used on normal board minors as the special
    subdevice minors are too ephemeral.  In particular, the change
    introduced in commit 7d3135a ("staging:
    comedi: prevent auto-unconfig of manually configured devices") breaks
    horribly for special subdevice minor devices.
    Since there's no legitimate use for the COMEDI_DEVCONFIG ioctl on a
    special subdevice minor device node, disallow it and return -ENOTTY.
    Signed-off-by: Ian Abbott <>
    Signed-off-by: Greg Kroah-Hartman <>
  23. @gregkh

    drm/i915: disable shared panel fitter for pipe

    Mika Kuoppala authored gregkh committed
    commit 24a1f16 upstream.
    If encoder is switched off by BIOS, but the panel fitter is left on,
    we never try to turn off the panel fitter and leave it still attached
    to the pipe - which can cause blurry output elsewhere.
    Based on work by Chris Wilson <>
    Signed-off-by: Mika Kuoppala <>
    Tested-by: Andreas Sturmlechner <>
    [danvet: Remove the redundant HAS_PCH_SPLIT check and add a tiny
    Signed-off-by: Daniel Vetter <>
    Signed-off-by: Greg Kroah-Hartman <>
  24. @gregkh

    NLS: improve UTF8 -> UTF16 string conversion routine

    Alan Stern authored gregkh committed
    commit 0720a06 upstream.
    The utf8s_to_utf16s conversion routine needs to be improved.  Unlike
    its utf16s_to_utf8s sibling, it doesn't accept arguments specifying
    the maximum length of the output buffer or the endianness of its
    16-bit output.
    This patch (as1501) adds the two missing arguments, and adjusts the
    only two places in the kernel where the function is called.  A
    follow-on patch will add a third caller that does utilize the new
    The two conversion routines are still annoyingly inconsistent in the
    way they handle invalid byte combinations.  But that's a subject for a
    different patch.
    Signed-off-by: Alan Stern <>
    CC: Clemens Ladisch <>
    Signed-off-by: Greg Kroah-Hartman <>
  25. @gregkh

    drm/usb: bind driver to correct device

    Dave Airlie authored gregkh committed
    commit 9f23de5 upstream.
    While looking at plymouth on udl I noticed that plymouth was trying
    to use its fb plugin not its drm one, it was trying to drmOpen a driver called
    usb not udl, noticed that we actually had out driver pointing at the wrong
    Signed-off-by: Dave Airlie <>
    Signed-off-by: Greg Kroah-Hartman <>
  26. @davem330 @gregkh

    sunvdc: Fix off-by-one in generic_request().

    davem330 authored gregkh committed
    [ Upstream commit f4d9605 ]
    The 'operations' bitmap corresponds one-for-one with the operation
    codes, no adjustment is necessary.
    Reported-by: Mark Kettenis <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  27. @error27 @gregkh

    ext4: add missing kfree() on error return path in add_new_gdb()

    error27 authored gregkh committed
    commit c49bafa upstream.
    We added some more error handling in b409714 "ext4: add error
    checking to calls to ext4_handle_dirty_metadata()".  But we need to
    call kfree() as well to avoid a memory leak.
    Signed-off-by: Dan Carpenter <>
    Signed-off-by: "Theodore Ts'o" <>
    Signed-off-by: Jeff Mahoney <>
    Signed-off-by: Greg Kroah-Hartman <>
  28. @taoma-tm @gregkh

    ext4: Free resources in some error path in ext4_fill_super

    taoma-tm authored gregkh committed
    commit dcf2d80 upstream.
    Some of the error path in ext4_fill_super don't release the
    resouces properly. So this patch just try to release them
    in the right way.
    Signed-off-by: Tao Ma <>
    Signed-off-by: "Theodore Ts'o" <>
    Signed-off-by: Jeff Mahoney <>
    Signed-off-by: Greg Kroah-Hartman <>
  29. @gregkh

    ALSA: usb: Fix Processing Unit Descriptor parsers

    Pawel Moll authored gregkh committed
    commit b531f81 upstream.
    Commit 99fc864 "ALSA: usb-mixer:
    parse descriptors with structs" introduced a set of useful parsers
    for descriptors. Unfortunately the parses for the Processing Unit
    Descriptor came with a very subtle bug...
    Functions uac_processing_unit_iProcessing() and
    uac_processing_unit_specific() were indexing the baSourceID array
    forgetting the fields before the iProcessing and process-specific
    The problem was observed with Sound Blaster Extigy mixer,
    where nNrModes in Up/Down-mix Processing Unit Descriptor
    was accessed at offset 10 of the descriptor (value 0)
    instead of offset 15 (value 7). In result the resulting
    control had interesting limit values:
    Simple mixer control 'Channel Routing Mode Select',0
      Capabilities: volume volume-joined penum
      Playback channels: Mono
      Capture channels: Mono
      Limits: 0 - -1
      Mono: -1 [100%]
    Fixed by starting from the bmControls, which was calculated
    correctly, instead of baSourceID.
    Now the mentioned control is fine:
    Simple mixer control 'Channel Routing Mode Select',0
      Capabilities: volume volume-joined penum
      Playback channels: Mono
      Capture channels: Mono
      Limits: 0 - 6
      Mono: 0 [0%]
    Signed-off-by: Pawel Moll <>
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Greg Kroah-Hartman <>
  30. @cladisch @gregkh

    ALSA: usb-audio: fix Roland A-PRO support

    cladisch authored gregkh committed
    commit 7da5804 upstream.
    The quirk for the Roland/Cakewalk A-PRO keyboards accidentally used the
    wrong interface number, which prevented the driver from attaching to the
    Signed-off-by: Clemens Ladisch <>
    Signed-off-by: Greg Kroah-Hartman <>
  31. @gregkh

    p54usb: corrected USB ID for T-Com Sinus 154 data II

    Tomasz Guszkowski authored gregkh committed
    commit 008e33f upstream.
    Corrected USB ID for T-Com Sinus 154 data II. ISL3887-based. The
    device was tested in managed mode with no security, WEP 128
    bit and WPA-PSK (TKIP) with firmware (md5sum:
    7d676323ac60d6e1a3b6d61e8c528248). It works.
    Signed-off-by: Tomasz Guszkowski <>
    Acked-By: Christian Lamparter <>
    Signed-off-by: John W. Linville <>
    Signed-off-by: Greg Kroah-Hartman <>
  32. @gregkh

    NLM: Ensure that we resend all pending blocking locks after a reclaim

    Trond Myklebust authored gregkh committed
    commit 666b3d8 upstream.
    Currently, nlmclnt_lock will break out of the for(;;) loop when
    the reclaimer wakes up the blocking lock thread by setting
    nlm_lck_denied_grace_period. This causes the lock request to fail
    with an ENOLCK error.
    The intention was always to ensure that we resend the lock request
    after the grace period has expired.
    Reported-by: Wangyuan Zhang <>
    Signed-off-by: Trond Myklebust <>
    Signed-off-by: Greg Kroah-Hartman <>
  33. @gregkh

    mm/fadvise.c: drain all pagevecs if POSIX_FADV_DONTNEED fails to disc…

    Mel Gorman authored gregkh committed
    …ard all pages
    commit 67d46b2 upstream.
    Rob van der Heij reported the following (paraphrased) on private mail.
    	The scenario is that I want to avoid backups to fill up the page
    	cache and purge stuff that is more likely to be used again (this is
    	with s390x Linux on z/VM, so I don't give it as much memory that
    	we don't care anymore). So I have something with LD_PRELOAD that
    	intercepts the close() call (from tar, in this case) and issues
    	a posix_fadvise() just before closing the file.
    	This mostly works, except for small files (less than 14 pages)
    	that remains in page cache after the face.
    Unfortunately Rob has not had a chance to test this exact patch but the
    test program below should be reproducing the problem he described.
    The issue is the per-cpu pagevecs for LRU additions.  If the pages are
    added by one CPU but fadvise() is called on another then the pages
    remain resident as the invalidate_mapping_pages() only drains the local
    pagevecs via its call to pagevec_release().  The user-visible effect is
    that a program that uses fadvise() properly is not obeyed.
    A possible fix for this is to put the necessary smarts into
    invalidate_mapping_pages() to globally drain the LRU pagevecs if a
    pagevec page could not be discarded.  The downside with this is that an
    inode cache shrink would send a global IPI and memory pressure
    potentially causing global IPI storms is very undesirable.
    Instead, this patch adds a check during fadvise(POSIX_FADV_DONTNEED) to
    check if invalidate_mapping_pages() discarded all the requested pages.
    If a subset of pages are discarded it drains the LRU pagevecs and tries
    again.  If the second attempt fails, it assumes it is due to the pages
    being mapped, locked or dirty and does not care.  With this patch, an
    application using fadvise() correctly will be obeyed but there is a
    downside that a malicious application can force the kernel to send
    global IPIs and increase overhead.
    If accepted, I would like this to be considered as a -stable candidate.
    It's not an urgent issue but it's a system call that is not working as
    advertised which is weak.
    The following test program demonstrates the problem.  It should never
    report that pages are still resident but will without this patch.  It
    assumes that CPU 0 and 1 exist.
    int main() {
    	int fd;
    	int pagesize = getpagesize();
    	ssize_t written = 0, expected;
    	char *buf;
    	unsigned char *vec;
    	int resident, i;
    	cpu_set_t set;
    	/* Prepare a buffer for writing */
    	expected = FILESIZE_PAGES * pagesize;
    	buf = malloc(expected + 1);
    	if (buf == NULL) {
    	buf[expected] = 0;
    	memset(buf, 'a', expected);
    	/* Prepare the mincore vec */
    	vec = malloc(FILESIZE_PAGES);
    	if (vec == NULL) {
    	/* Bind ourselves to CPU 0 */
    	CPU_SET(0, &set);
    	if (sched_setaffinity(getpid(), sizeof(set), &set) == -1) {
    	/* open file, unlink and write buffer */
    	fd = open("fadvise-test-file", O_CREAT|O_EXCL|O_RDWR);
    	if (fd == -1) {
    	while (written < expected) {
    		ssize_t this_write;
    		this_write = write(fd, buf + written, expected - written);
    		if (this_write == -1) {
    		written += this_write;
    	 * Force ourselves to another CPU. If fadvise only flushes the local
    	 * CPUs pagevecs then the fadvise will fail to discard all file pages
    	CPU_SET(1, &set);
    	if (sched_setaffinity(getpid(), sizeof(set), &set) == -1) {
    	/* sync and fadvise to discard the page cache */
    	if (posix_fadvise(fd, 0, expected, POSIX_FADV_DONTNEED) == -1) {
    	/* map the file and use mincore to see which parts of it are resident */
    	buf = mmap(NULL, expected, PROT_READ, MAP_SHARED, fd, 0);
    	if (buf == NULL) {
    	if (mincore(buf, expected, vec) == -1) {
    	/* Check residency */
    	for (i = 0, resident = 0; i < FILESIZE_PAGES; i++) {
    		if (vec[i])
    	if (resident != 0) {
    		printf("Nr unexpected pages resident: %d\n", resident);
    	munmap(buf, expected);
    Signed-off-by: Mel Gorman <>
    Reported-by: Rob van der Heij <>
    Tested-by: Rob van der Heij <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  34. @gregkh

    tmpfs: fix use-after-free of mempolicy object

    Greg Thelen authored gregkh committed
    commit 5f00110 upstream.
    The tmpfs remount logic preserves filesystem mempolicy if the mpol=M
    option is not specified in the remount request.  A new policy can be
    specified if mpol=M is given.
    Before this patch remounting an mpol bound tmpfs without specifying
    mpol= mount option in the remount request would set the filesystem's
    mempolicy object to a freed mempolicy object.
    To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run:
        # mkdir /tmp/x
        # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x
        # grep /tmp/x /proc/mounts
        nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0
        # mount -o remount,size=200M nodev /tmp/x
        # grep /tmp/x /proc/mounts
        nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0
            # note ? garbage in mpol=... output above
        # dd if=/dev/zero of=/tmp/x/f count=1
            # panic here
        BUG: unable to handle kernel NULL pointer dereference at           (null)
        IP: [<          (null)>]           (null)
        Oops: 0010 [#1] SMP DEBUG_PAGEALLOC
        Call Trace:
    Non-debug kernels will not crash immediately because referencing the
    dangling mpol will not cause a fault.  Instead the filesystem will
    reference a freed mempolicy object, which will cause unpredictable
    The problem boils down to a dropped mpol reference below if
    shmem_parse_options() does not allocate a new mpol:
        config = *sbinfo
        shmem_parse_options(data, &config, true)
        sbinfo->mpol = config.mpol  /* BUG: saves unreferenced mpol */
    This patch avoids the crash by not releasing the mempolicy if
    shmem_parse_options() doesn't create a new mpol.
    How far back does this issue go? I see it in both 2.6.36 and 3.3.  I did
    not look back further.
    Signed-off-by: Greg Thelen <>
    Acked-by: Hugh Dickins <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  35. @larsclausen @gregkh

    drivers/video/backlight/adp88?0_bl.c: fix resume

    larsclausen authored gregkh committed
    commit 5eb02c0 upstream.
    Clearing the NSTBY bit in the control register also automatically clears
    the BLEN bit.  So we need to make sure to set it again during resume,
    otherwise the backlight will stay off.
    Signed-off-by: Lars-Peter Clausen <>
    Acked-by: Michael Hennerich <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
Something went wrong with that request. Please try again.