Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Commits on Jan 3, 2012
  1. @gregkh

    Linux 3.1.7

    gregkh committed
  2. @torvalds @gregkh

    Revert "clockevents: Set noop handler in clockevents_exchange_device()"

    torvalds committed with gregkh
    commit 3b87487 upstream.
    This reverts commit de28f25.
    It results in resume problems for various people. See for example
    and the fedora and ubuntu bug reports
    which got bisected down to the stable version of this commit.
    Reported-by: Jonathan Nieder <>
    Reported-by: Phil Miller <>
    Reported-by: Philip Langdale <>
    Reported-by: Tim Gardner <>
    Cc: Thomas Gleixner <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
Commits on Dec 21, 2011
  1. @gregkh

    Linux 3.1.6

    gregkh committed
  2. @bmork @gregkh

    USB: option: Removing one bogus and adding some new Huawei combinations

    bmork committed with gregkh
    commit 02a551c upstream.
    Huawei use the product code HUAWEI_PRODUCT_E353 (0x1506) for a
    number of different devices, which each can appear with a number
    of different descriptor sets.  Different types of interfaces
    can be identified by looking at the subclass and protocol fields
    Subclass 1 protocol 8 is actually the data interface of a CDC
    ECM set, with subclass 1 protocol 9 as the control interface.
    Neither support serial data communcation, and cannot therefore
    be supported by this driver.
    At the same time, add a few other sets which appear if the
    device is configured in "Windows mode" using this modeswitch
    Signed-off-by: Bjørn Mork <>
    Cc: stable <>
    Signed-off-by: Greg Kroah-Hartman <>
  3. @gregkh

    usb: option: Add Huawei E398 controlling interfaces

    Alex Hermann committed with gregkh
    commit 414b591 upstream.
    This patch adds the controlling interfaces for the Huawei E398.
    Thanks to Bjørn Mork <> for extracting the interface
    numbers from the windows driver.
    Signed-off-by: Alex Hermann <>
    Signed-off-by: Greg Kroah-Hartman <>
  4. @gregkh

    USB: cdc-acm: add IDs for Motorola H24 HSPA USB module.

    Krzysztof Hałasa committed with gregkh
    commit 6abff5d upstream.
    Add USB IDs for Motorola H24 HSPA USB module.
    Signed-off-by: Krzysztof Hałasa <>
    Acked-by: Oliver Neukum <>
    Signed-off-by: Greg Kroah-Hartman <>
  5. @gregkh

    ibft: Fix finding IBFT ACPI table on UEFI

    Yinghai Lu committed with gregkh
    commit 935a9fe upstream.
    Found one system with UEFI/iBFT, kernel does not detect the iBFT during
    iscsi_ibft module loading.
    Root cause: on x86 (UEFI), we are calling of find_ibft_region() much earlier
    - specifically in setup_arch() before ACPI is enabled.
    Try to split acpi checking code out and call that later
    At that time ACPI iBFT already get permanent mapped with ioremap.
    So isa_virt_to_bus() will get wrong phys from right virt address.
    We could just skip that phys address printing.
    For legacy one, print the found address early.
    -v2: update comments and description according to Konrad.
    -v3: fix problem about module use case that is found by Konrad.
    -v4: use acpi_get_table() instead of acpi_table_parse() to handle module use case that is found by Konrad again..
    Signed-off-by: Yinghai Lu <>
    Signed-off-by: Konrad Rzeszutek Wilk <>
    Signed-off-by: Greg Kroah-Hartman <>
  6. @gregkh

    drm/radeon/kms: add some new pci ids

    Alex Deucher committed with gregkh
    commit cd5cfce upstream.
    Signed-off-by: Alex Deucher <>
    Signed-off-by: Dave Airlie <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. @lwfinger @gregkh

    staging: r8712u: Add new USB ID

    lwfinger committed with gregkh
    commit c7caf4d upstream.
    Add USB ID for Sitecom WLA-2000 v1.001 WLAN.
    Reported-and-tested-by: Roland Gruber <>
    Signed-off-by: Larry Finger <>
    Signed-off-by: Greg Kroah-Hartman <>
  8. @RoelKluin @gregkh

    fuse: fix llseek bug

    RoelKluin committed with gregkh
    commit b48c6af upstream.
    The test in fuse_file_llseek() "not SEEK_CUR or not SEEK_SET" always evaluates
    to true.
    This was introduced in 3.1 by commit 06222e4 (fs: handle SEEK_HOLE/SEEK_DATA
    properly in all fs's that define their own llseek) and changed the behavior of
    SEEK_CUR and SEEK_SET to always retrieve the file attributes.  This is a
    performance regression.
    Fix the test so that it makes sense.
    Signed-off-by: Miklos Szeredi <>
    CC: Josef Bacik <>
    CC: Al Viro <>
    Signed-off-by: Greg Kroah-Hartman <>
  9. @gregkh

    fuse: fix fuse_retrieve

    Miklos Szeredi committed with gregkh
    commit 48706d0 upstream.
    Fix two bugs in fuse_retrieve():
     - retrieving more than one page would yield repeated instances of the
       first page
     - if more than FUSE_MAX_PAGES_PER_REQ pages were requested than the
       request page array would overflow
    fuse_retrieve() was added in 2.6.36 and these bugs had been there since the
    Signed-off-by: Miklos Szeredi <>
    Signed-off-by: Greg Kroah-Hartman <>
  10. @YANGYongqiang @gregkh

    ext4: handle EOF correctly in ext4_bio_write_page()

    YANGYongqiang committed with gregkh
    commit 5a0dc73 upstream.
    We need to zero out part of a page which beyond EOF before setting uptodate,
    otherwise, mapread or write will see non-zero data beyond EOF.
    Signed-off-by: Yongqiang Yang <>
    Signed-off-by: "Theodore Ts'o" <>
    Signed-off-by: Greg Kroah-Hartman <>
  11. @YANGYongqiang @gregkh

    ext4: avoid potential hang in mpage_submit_io() when blocksize < page…

    YANGYongqiang committed with gregkh
    commit 13a79a4 upstream.
    If there is an unwritten but clean buffer in a page and there is a
    dirty buffer after the buffer, then mpage_submit_io does not write the
    dirty buffer out.  As a result, da_writepages loops forever.
    This patch fixes the problem by checking dirty flag.
    Signed-off-by: Yongqiang Yang <>
    Signed-off-by: "Theodore Ts'o" <>
    Signed-off-by: Greg Kroah-Hartman <>
  12. @gregkh

    ext4: avoid hangs in ext4_da_should_update_i_disksize()

    Andrea Arcangeli committed with gregkh
    commit ea51d13 upstream.
    If the pte mapping in generic_perform_write() is unmapped between
    iov_iter_fault_in_readable() and iov_iter_copy_from_user_atomic(), the
    "copied" parameter to ->end_write can be zero. ext4 couldn't cope with
    it with delayed allocations enabled. This skips the i_disksize
    enlargement logic if copied is zero and no new data was appeneded to
    the inode.
     gdb> bt
     #0  0xffffffff811afe80 in ext4_da_should_update_i_disksize (file=0xffff88003f606a80, mapping=0xffff88001d3824e0, pos=0x1\
     08000, len=0x1000, copied=0x0, page=0xffffea0000d792e8, fsdata=0x0) at fs/ext4/inode.c:2467
     #1  ext4_da_write_end (file=0xffff88003f606a80, mapping=0xffff88001d3824e0, pos=0x108000, len=0x1000, copied=0x0, page=0\
     xffffea0000d792e8, fsdata=0x0) at fs/ext4/inode.c:2512
     #2  0xffffffff810d97f1 in generic_perform_write (iocb=<value optimized out>, iov=<value optimized out>, nr_segs=<value o\
     ptimized out>, pos=0x108000, ppos=0xffff88001e26be40, count=<value optimized out>, written=0x0) at mm/filemap.c:2440
     #3  generic_file_buffered_write (iocb=<value optimized out>, iov=<value optimized out>, nr_segs=<value optimized out>, p\
     os=0x108000, ppos=0xffff88001e26be40, count=<value optimized out>, written=0x0) at mm/filemap.c:2482
     #4  0xffffffff810db5d1 in __generic_file_aio_write (iocb=0xffff88001e26bde8, iov=0xffff88001e26bec8, nr_segs=0x1, ppos=0\
     xffff88001e26be40) at mm/filemap.c:2600
     #5  0xffffffff810db853 in generic_file_aio_write (iocb=0xffff88001e26bde8, iov=0xffff88001e26bec8, nr_segs=<value optimi\
     zed out>, pos=<value optimized out>) at mm/filemap.c:2632
     #6  0xffffffff811a71aa in ext4_file_write (iocb=0xffff88001e26bde8, iov=0xffff88001e26bec8, nr_segs=0x1, pos=0x108000) a\
     t fs/ext4/file.c:136
     #7  0xffffffff811375aa in do_sync_write (filp=0xffff88003f606a80, buf=<value optimized out>, len=<value optimized out>, \
     ppos=0xffff88001e26bf48) at fs/read_write.c:406
     #8  0xffffffff81137e56 in vfs_write (file=0xffff88003f606a80, buf=0x1ec2960 <Address 0x1ec2960 out of bounds>, count=0x4\
     000, pos=0xffff88001e26bf48) at fs/read_write.c:435
     #9  0xffffffff8113816c in sys_write (fd=<value optimized out>, buf=0x1ec2960 <Address 0x1ec2960 out of bounds>, count=0x\
     4000) at fs/read_write.c:487
     #10 <signal handler called>
     #11 0x00007f120077a390 in __brk_reservation_fn_dmi_alloc__ ()
     #12 0x0000000000000000 in ?? ()
     gdb> print offset
     $22 = 0xffffffffffffffff
     gdb> print idx
     $23 = 0xffffffff
     gdb> print inode->i_blkbits
     $24 = 0xc
     gdb> up
     #1  ext4_da_write_end (file=0xffff88003f606a80, mapping=0xffff88001d3824e0, pos=0x108000, len=0x1000, copied=0x0, page=0\
     xffffea0000d792e8, fsdata=0x0) at fs/ext4/inode.c:2512
     2512                    if (ext4_da_should_update_i_disksize(page, end)) {
     gdb> print start
     $25 = 0x0
     gdb> print end
     $26 = 0xffffffffffffffff
     gdb> print pos
     $27 = 0x108000
     gdb> print new_i_size
     $28 = 0x108000
     gdb> print ((struct ext4_inode_info *)((char *)inode-((int)(&((struct ext4_inode_info *)0)->vfs_inode))))->i_disksize
     $29 = 0xd9000
     gdb> down
     2467            for (i = 0; i < idx; i++)
     gdb> print i
     $30 = 0xd44acbee
    This is 100% reproducible with some autonuma development code tuned in
    a very aggressive manner (not normal way even for knumad) which does
    "exotic" changes to the ptes. It wouldn't normally trigger but I don't
    see why it can't happen normally if the page is added to swap cache in
    between the two faults leading to "copied" being zero (which then
    hangs in ext4). So it should be fixed. Especially possible with lumpy
    reclaim (albeit disabled if compaction is enabled) as that would
    ignore the young bits in the ptes.
    Signed-off-by: Andrea Arcangeli <>
    Signed-off-by: "Theodore Ts'o" <>
    Signed-off-by: Greg Kroah-Hartman <>
  13. @tytso @gregkh

    ext4: display the correct mount option in /proc/mounts for [no]init_i…

    tytso committed with gregkh
    commit fc6cb1c upstream.
    /proc/mounts was showing the mount option [no]init_inode_table when
    the correct mount option that will be accepted by parse_options() is
    Signed-off-by: "Theodore Ts'o" <>
    Signed-off-by: Greg Kroah-Hartman <>
  14. @tytso @gregkh

    ext4: fix ext4_end_io_dio() racing against fsync()

    tytso committed with gregkh
    commit b5a7e97 upstream.
    We need to make sure iocb->private is cleared *before* we put the
    io_end structure on i_completed_io_list.  Otherwise fsync() could
    potentially run on another CPU and free the iocb structure out from
    under us.
    Reported-by: Kent Overstreet <>
    Signed-off-by: "Theodore Ts'o" <>
    Signed-off-by: Greg Kroah-Hartman <>
  15. @gregkh

    xen: only limit memory map to maximum reservation for domain 0.

    Ian Campbell committed with gregkh
    commit d3db728 upstream.
    d312ae8 "xen: use maximum reservation to limit amount of usable RAM"
    clamped the total amount of RAM to the current maximum reservation. This is
    correct for dom0 but is not correct for guest domains. In order to boot a guest
    "pre-ballooned" (e.g. with memory=1G but maxmem=2G) in order to allow for
    future memory expansion the guest must derive max_pfn from the e820 provided by
    the toolstack and not the current maximum reservation (which can reflect only
    the current maximum, not the guest lifetime max). The existing algorithm
    already behaves this correctly if we do not artificially limit the maximum
    number of pages for the guest case.
    For a guest booted with maxmem=512, memory=128 this results in:
     [    0.000000] BIOS-provided physical RAM map:
     [    0.000000]  Xen: 0000000000000000 - 00000000000a0000 (usable)
     [    0.000000]  Xen: 00000000000a0000 - 0000000000100000 (reserved)
    -[    0.000000]  Xen: 0000000000100000 - 0000000008100000 (usable)
    -[    0.000000]  Xen: 0000000008100000 - 0000000020800000 (unusable)
    +[    0.000000]  Xen: 0000000000100000 - 0000000020800000 (usable)
     [    0.000000] NX (Execute Disable) protection: active
     [    0.000000] DMI not present or invalid.
     [    0.000000] e820 update range: 0000000000000000 - 0000000000010000 (usable) ==> (reserved)
     [    0.000000] e820 remove range: 00000000000a0000 - 0000000000100000 (usable)
    -[    0.000000] last_pfn = 0x8100 max_arch_pfn = 0x1000000
    +[    0.000000] last_pfn = 0x20800 max_arch_pfn = 0x1000000
     [    0.000000] initial memory mapped : 0 - 027ff000
     [    0.000000] Base memory trampoline at [c009f000] 9f000 size 4096
    -[    0.000000] init_memory_mapping: 0000000000000000-0000000008100000
    -[    0.000000]  0000000000 - 0008100000 page 4k
    -[    0.000000] kernel direct mapping tables up to 8100000 @ 27bb000-27ff000
    +[    0.000000] init_memory_mapping: 0000000000000000-0000000020800000
    +[    0.000000]  0000000000 - 0020800000 page 4k
    +[    0.000000] kernel direct mapping tables up to 20800000 @ 26f8000-27ff000
     [    0.000000] xen: setting RW the range 27e8000 - 27ff000
     [    0.000000] 0MB HIGHMEM available.
    -[    0.000000] 129MB LOWMEM available.
    -[    0.000000]   mapped low ram: 0 - 08100000
    -[    0.000000]   low ram: 0 - 08100000
    +[    0.000000] 520MB LOWMEM available.
    +[    0.000000]   mapped low ram: 0 - 20800000
    +[    0.000000]   low ram: 0 - 20800000
    With this change "xl mem-set <domain> 512M" will successfully increase the
    guest RAM (by reducing the balloon).
    There is no change for dom0.
    Reported-and-Tested-by:  George Shuklin <>
    Signed-off-by: Ian Campbell <>
    Reviewed-by: David Vrabel <>
    Signed-off-by: Konrad Rzeszutek Wilk <>
    Signed-off-by: Greg Kroah-Hartman <>
  16. @gregkh

    drm/radeon/kms: fix DP setup on TRAVIS bridges

    Alex Deucher committed with gregkh
    commit cf2aff6 upstream.
    Supposedly both NUTMEG and TRAVIS should use the same
    panel mode, but switching the panel mode for TRAVIS
    gets things working.
    Signed-off-by: Alex Deucher <>
    Signed-off-by: Dave Airlie <>
    Signed-off-by: Greg Kroah-Hartman <>
  17. @gregkh

    drm/radeon/kms: rework DP bridge checks

    Alex Deucher committed with gregkh
    commit 1d33e1f upstream.
    Return the encoder id rather than a boolean.  This is needed
    for differentiate between multiple DP bridge chips.
    Signed-off-by: Alex Deucher <>
    Signed-off-by: Dave Airlie <>
    Signed-off-by: Greg Kroah-Hartman <>
  18. @gregkh

    drm/radeon/kms: cleanup atombios_adjust_pll()

    Alex Deucher committed with gregkh
    commit b4f15f8 upstream.
    The logic was messy and hard to follow.
    Signed-off-by: Alex Deucher <>
    Signed-off-by: Dave Airlie <>
    Signed-off-by: Greg Kroah-Hartman <>
  19. @gregkh

    hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops

    Phillip Lougher committed with gregkh
    commit 434a964 upstream.
    Clement Lecigne reports a filesystem which causes a kernel oops in
    hfs_find_init() trying to dereference sb->ext_tree which is NULL.
    This proves to be because the filesystem has a corrupted MDB extent
    record, where the extents file does not fit into the first three extents
    in the file record (the first blocks).
    In hfs_get_block() when looking up the blocks for the extent file
    (HFS_EXT_CNID), it fails the first blocks special case, and falls
    through to the extent code (which ultimately calls hfs_find_init())
    which is in the process of being initialised.
    Hfs avoids this scenario by always having the extents b-tree fitting
    into the first blocks (the extents B-tree can't have overflow extents).
    The fix is to check at mount time that the B-tree fits into first
    blocks, i.e.  fail if HFS_I(inode)->alloc_blocks >=
    Note, the existing commit 47f365e ("hfs: fix oops on mount with
    corrupted btree extent records") becomes subsumed into this as a special
    case, but only for the extents B-tree (HFS_EXT_CNID), it is perfectly
    acceptable for the catalog B-Tree file to grow beyond three extents,
    with the remaining extent descriptors in the extents overfow.
    This fixes CVE-2011-2203
    Reported-by: Clement LECIGNE <>
    Signed-off-by: Phillip Lougher <>
    Cc: Jeff Mahoney <>
    Cc: Christoph Hellwig <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Cc: Moritz Mühlenhoff <>
    Signed-off-by: Greg Kroah-Hartman <>
  20. @guaneryu @gregkh

    jbd/jbd2: validate sb->s_first in journal_get_superblock()

    guaneryu committed with gregkh
    commit 8762202 upstream.
    I hit a J_ASSERT(blocknr != 0) failure in cleanup_journal_tail() when
    mounting a fsfuzzed ext3 image. It turns out that the corrupted ext3
    image has s_first = 0 in journal superblock, and the 0 is passed to
    journal->j_head in journal_reset(), then to blocknr in
    cleanup_journal_tail(), in the end the J_ASSERT failed.
    So validate s_first after reading journal superblock from disk in
    journal_get_superblock() to ensure s_first is valid.
    The following script could reproduce it:
    magic="c0 3b 39 98"
    dd if=/dev/zero of=$img bs=1M count=8
    mkfs -t $fstype -b $blocksize -F $img
    filesize=`stat -c %s $img`
    while [ $offset -lt $filesize ]
            if od -j $offset -N 4 -t x1 $img | grep -i "$magic";then
                    echo "Found journal: $offset"
            offset=`echo "$offset+$blocksize" | bc`
    if [ $found -ne 1 ];then
            echo "Magic \"$magic\" not found"
            exit 1
    dd if=/dev/zero of=$img seek=$(($offset+23)) conv=notrunc bs=1 count=1
    mkdir -p ./mnt
    mount -o loop $img ./mnt
    Cc: Jan Kara <>
    Signed-off-by: Eryu Guan <>
    Signed-off-by: "Theodore Ts'o" <>
    Cc: Moritz Mühlenhoff <>
    Signed-off-by: Greg Kroah-Hartman <>
  21. @gregkh

    x86, hpet: Immediately disable HPET timer 1 if rtc irq is masked

    Mark Langsdorf committed with gregkh
    commit 2ded6e6 upstream.
    When HPET is operating in RTC mode, the TN_ENABLE bit on timer1
    controls whether the HPET or the RTC delivers interrupts to irq8. When
    the system goes into suspend, the RTC driver sends a signal to the
    HPET driver so that the HPET releases control of irq8, allowing the
    RTC to wake the system from suspend. The switchover is accomplished by
    a write to the HPET configuration registers which currently only
    occurs while servicing the HPET interrupt.
    On some systems, I have seen the system suspend before an HPET
    interrupt occurs, preventing the write to the HPET configuration
    register and leaving the HPET in control of the irq8. As the HPET is
    not active during suspend, it does not generate a wake signal and RTC
    alarms do not work.
    This patch forces the HPET driver to immediately transfer control of
    the irq8 channel to the RTC instead of waiting until the next
    interrupt event.
    Signed-off-by: Mark Langsdorf <>
    Tested-by: Andreas Herrmann <>
    Signed-off-by: Andreas Herrmann <>
    Signed-off-by: Thomas Gleixner <>
    Signed-off-by: Greg Kroah-Hartman <>
  22. @gregkh

    xen/pm_idle: Make pm_idle be default_idle under Xen.

    Konrad Rzeszutek Wilk committed with gregkh
    commit e5fd47b upstream.
    The idea behind commit d91ee58 ("cpuidle: replace xen access to x86
    pm_idle and default_idle") was to have one call - disable_cpuidle()
    which would make pm_idle not be molested by other code.  It disallows
    cpuidle_idle_call to be set to pm_idle (which is excellent).
    But in the select_idle_routine() and idle_setup(), the pm_idle can still
    be set to either: amd_e400_idle, mwait_idle or default_idle.  This
    depends on some CPU flags (MWAIT) and in AMD case on the type of CPU.
    In case of mwait_idle we can hit some instances where the hypervisor
    (Amazon EC2 specifically) sets the MWAIT and we get:
      Brought up 2 CPUs
      invalid opcode: 0000 [#1] SMP
      Pid: 0, comm: swapper Not tainted 3.1.0-0.rc6.git0.3.fc16.x86_64 #1
      RIP: e030:[<ffffffff81015d1d>]  [<ffffffff81015d1d>] mwait_idle+0x6f/0xb4
      Call Trace:
       [<ffffffff8100e2ed>] cpu_idle+0xae/0xe8
       [<ffffffff8149ee78>] cpu_bringup_and_idle+0xe/0x10
      RIP  [<ffffffff81015d1d>] mwait_idle+0x6f/0xb4
       RSP <ffff8801d28ddf10>
    In the case of amd_e400_idle we don't get so spectacular crashes, but we
    do end up making an MSR which is trapped in the hypervisor, and then
    follow it up with a yield hypercall.  Meaning we end up going to
    hypervisor twice instead of just once.
    The previous behavior before v3.0 was that pm_idle was set to
    default_idle regardless of select_idle_routine/idle_setup.
    We want to do that, but only for one specific case: Xen.  This patch
    does that.
    Fixes RH BZ #739499 and Ubuntu #881076
    Reported-by: Stefan Bader <>
    Signed-off-by: Konrad Rzeszutek Wilk <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  23. @gregkh

    mmc: mxcmmc: fix falling back to PIO

    Sascha Hauer committed with gregkh
    commit e58f516 upstream.
    When we can't configure the dma channel we want to fall
    back to PIO. We do this by setting host->do_dma to zero.
    This does not work as do_dma is used to see whether dma
    can be used for the current transfer. Instead, we have
    to set host->dma to NULL.
    Signed-off-by: Sascha Hauer <>
    Signed-off-by: Chris Ball <>
    Signed-off-by: Greg Kroah-Hartman <>
  24. @thertp @gregkh

    ARM: 7204/1: arch/arm/kernel/setup.c: initialize arm_dma_zone_size ea…

    thertp committed with gregkh
    commit 9811ccd upstream.
    arm_dma_zone_size is used by arm_bootmem_free() which is called by
    paging_init(). Thus it needs to be set before calling it.
    Signed-off-by: Arnaud Patard <>
    Acked-by: Nicolas Pitre <>
    Signed-off-by: Russell King <>
    Signed-off-by: Greg Kroah-Hartman <>
  25. @AxelLin @gregkh

    hwmon: (jz4740) fix signedness bug

    AxelLin committed with gregkh
    commit 0b57d76 upstream.
    wait_for_completion_interruptible_timeout() may return negative value.
    In this case, checking if (t > 0)  will return true if t is unsigned.
    Signed-off-by: Axel Lin <>
    Acked-by: Lars-Peter Clausen <>
    Signed-off-by: Guenter Roeck <>
    Signed-off-by: Greg Kroah-Hartman <>
  26. @torvalds @gregkh

    linux/log2.h: Fix rounddown_pow_of_two(1)

    torvalds committed with gregkh
    commit 13c07b0 upstream.
    Exactly like roundup_pow_of_two(1), the rounddown version was buggy for
    the case of a compile-time constant '1' argument.  Probably because it
    originated from the same code, sharing history with the roundup version
    from before the bugfix (for that one, see commit 1a06a52: "Fix
    However, unlike the roundup version, the fix for rounddown is to just
    remove the broken special case entirely.  It's simply not needed - the
    generic code
        1UL << ilog2(n)
    does the right thing for the constant '1' argment too.  The only reason
    roundup needed that special case was because rounding up does so by
    subtracting one from the argument (and then adding one to the result)
    causing the obvious problems with "ilog2(0)".
    But rounddown doesn't do any of that, since ilog2() naturally truncates
    (ie "rounds down") to the right rounded down value.  And without the
    ilog2(0) case, there's no reason for the special case that had the wrong
    tl;dr: rounddown_pow_of_two(1) should be 1, not 0.
    Acked-by: Dmitry Torokhov <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  27. @gregkh

    cifs: check for NULL last_entry before calling cifs_save_resume_key

    Jeff Layton committed with gregkh
    commit 7023676 upstream.
    Prior to commit eaf35b1, cifs_save_resume_key had some NULL pointer
    checks at the top. It turns out that at least one of those NULL
    pointer checks is needed after all.
    When the LastNameOffset in a FIND reply appears to be beyond the end of
    the buffer, CIFSFindFirst and CIFSFindNext will set srch_inf.last_entry
    to NULL. Since eaf35b1, the code will now oops in this situation.
    Fix this by having the callers check for a NULL last entry pointer
    before calling cifs_save_resume_key. No change is needed for the
    call site in cifs_readdir as it's not reachable with a NULL
    current_entry pointer.
    This should fix:
    Cc: Christoph Hellwig <>
    Reported-by: Adam G. Metzler <>
    Signed-off-by: Jeff Layton <>
    Signed-off-by: Steve French <>
    Signed-off-by: Greg Kroah-Hartman <>
  28. @gregkh

    percpu: fix chunk range calculation

    Tejun Heo committed with gregkh
    commit a855b84 upstream.
    Percpu allocator recorded the cpus which map to the first and last
    units in pcpu_first/last_unit_cpu respectively and used them to
    determine the address range of a chunk - e.g. it assumed that the
    first unit has the lowest address in a chunk while the last unit has
    the highest address.
    This simply isn't true.  Groups in a chunk can have arbitrary positive
    or negative offsets from the previous one and there is no guarantee
    that the first unit occupies the lowest offset while the last one the
    Fix it by actually comparing unit offsets to determine cpus occupying
    the lowest and highest offsets.  Also, rename pcu_first/last_unit_cpu
    to pcpu_low/high_unit_cpu to avoid confusion.
    The chunk address range is used to flush cache on vmalloc area
    map/unmap and decide whether a given address is in the first chunk by
    per_cpu_ptr_to_phys() and the bug was discovered by invalid
    per_cpu_ptr_to_phys() translation for crash_note.
    Kudos to Dave Young for tracking down the problem.
    Signed-off-by: Tejun Heo <>
    Reported-by: WANG Cong <>
    Reported-by: Dave Young <>
    Tested-by: Dave Young <>
    LKML-Reference: <>
    Signed-off-by: Thomas Renninger <>
    Signed-off-by: Greg Kroah-Hartman <>
  29. @gregkh

    target/file: walk properly over sg list

    Sebastian Andrzej Siewior committed with gregkh
    commit 9649fa1 upstream.
    This patch changes fileio to use for_each_sg() when walking se_task->task_sg
    memory passed into from loopback LLD struct scsi_cmnd scatterlist memory.
    This addresses an issue where FILEIO backends with loopback where hitting the
    following OOPs with mkfs.ext2:
    |kernel BUG at include/linux/scatterlist.h:97!
    |invalid opcode: 0000 [#1] PREEMPT SMP
    |Modules linked in: sd_mod tcm_loop target_core_stgt scsi_tgt target_core_pscsi target_core_file target_core_iblock target_core_mod configfs scsi_mod
    |Pid: 671, comm: LIO_fileio Not tainted 3.1.0-rc10+ #139 Bochs Bochs
    |EIP: 0060:[<e0afd746>] EFLAGS: 00010202 CPU: 0
    |EIP is at fd_do_task+0x396/0x420 [target_core_file]
    | [<e0aa7884>] __transport_execute_tasks+0xd4/0x190 [target_core_mod]
    | [<e0aa797c>] transport_execute_tasks+0x3c/0xf0 [target_core_mod]
    |EIP: [<e0afd746>] fd_do_task+0x396/0x420 [target_core_file] SS:ESP 0068:dea47e90
    Signed-off-by: Sebastian Andrzej Siewior <>
    Cc: Christoph Hellwig <>
    Signed-off-by: Nicholas Bellinger <>
    Signed-off-by: Greg Kroah-Hartman <>
  30. @nablio3000 @gregkh

    iscsi-target: Add missing F_BIT for iscsi_tm_rsp

    nablio3000 committed with gregkh
    commit 7ae0b10 upstream.
    This patch sets the missing ISCSI_FLAG_CMD_FINAL bit in
    iscsit_send_task_mgt_rsp() for a struct iscsi_tm_rsp PDU.
    This usage is hardcoded for all TM response PDUs in RFC-3720
    section 10.6.
    Reported-by: whucecil <>
    Signed-off-by: Nicholas Bellinger <>
    Signed-off-by: Greg Kroah-Hartman <>
  31. @rolandd @gregkh

    target: Fix page length in emulated INQUIRY VPD page 86h

    rolandd committed with gregkh
    commit 1289a05 upstream.
    The LSB of the page length is at offset 3, not 2.
    Signed-off-by: Roland Dreier <>
    Signed-off-by: Nicholas Bellinger <>
    Signed-off-by: Greg Kroah-Hartman <>
  32. @rolandd @gregkh

    target: Handle 0 correctly in transport_get_sectors_6()

    rolandd committed with gregkh
    commit 9b5cd7f upstream.
    SBC-3 says:
        A TRANSFER LENGTH field set to zero specifies that 256 logical
        blocks shall be written.  Any other value specifies the number
        of logical blocks that shall be written.
    The old code was always just returning the value in the TRANSFER LENGTH
    byte.  Fix this to return 256 if the byte is 0.
    Signed-off-by: Roland Dreier <>
    Signed-off-by: Nicholas Bellinger <>
    Signed-off-by: Greg Kroah-Hartman <>
  33. @nablio3000 @gregkh

    iscsi-target: Fix residual count hanlding + remove iscsi_cmd->residua…

    nablio3000 committed with gregkh
    commit 7e46cf0 upstream.
    This patch fixes iscsi-target handling of underflow where residual data is
    causing an OOPs by using the incorrect iscsi_cmd_t->data_length initially
    assigned in iscsit_allocate_se_cmd().  It resets iscsi_cmd_t->data_length
    from se_cmd_t->data_length after transport_generic_allocate_tasks()
    has been invoked in iscsit_handle_scsi_cmd() RX context, and converts
    iscsi_cmd->residual_count usage to access iscsi_cmd->se_cmd.residual_count
    to get the proper residual count set by target-core.
    Reported-by: <>
    Cc: Christoph Hellwig <>
    Cc: Andy Grover <>
    Signed-off-by: Nicholas Bellinger <>
    Signed-off-by: Greg Kroah-Hartman <>
Something went wrong with that request. Please try again.