Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Commits on Dec 6, 2012
  1. @gregkh

    Linux 3.4.22

    gregkh authored
  2. @gregkh

    x86-32: Export kernel_stack_pointer() for modules

    H. Peter Anvin authored gregkh committed
    commit cb57a2b upstream.
    Modules, in particular oprofile (and possibly other similar tools)
    need kernel_stack_pointer(), so export it using EXPORT_SYMBOL_GPL().
    Cc: Yang Wei <>
    Cc: Robert Richter <>
    Cc: Jun Zhang <>
    Signed-off-by: H. Peter Anvin <>
    Cc: Robert Richter <>
    Cc: Herton Ronaldo Krzesinski <>
    Cc: Philip Müller <>
    Signed-off-by: Greg Kroah-Hartman <>
Commits on Dec 3, 2012
  1. @gregkh

    Linux 3.4.21

    gregkh authored
  2. @jmberg @gregkh

    iwlwifi: fix 6000 series channel switch command

    jmberg authored gregkh committed
    commit 8f7b8db upstream.
    The channel switch command for 6000 series devices
    is larger than the maximum inline command size of
    320 bytes. The command is therefore refused with a
    warning. Fix this by allocating the command and
    using the NOCOPY mechanism.
    Reviewed-by: Emmanuel Grumbach <>
    Signed-off-by: Johannes Berg <>
    Cc: Ben Hutchings <>
    Signed-off-by: Greg Kroah-Hartman <>
  3. @stanislav-yakovlev @gregkh

    net/wireless: ipw2200: Fix panic occurring in ipw_handle_promiscuous_…

    stanislav-yakovlev authored gregkh committed
    commit bf11315 upstream.
    The driver does not count space of radiotap fields when allocating skb for
    radiotap packet. This leads to kernel panic with the following call trace:
    [67607.676067] [<c152f90f>] error_code+0x67/0x6c
    [67607.676067] [<c142f831>] ? skb_put+0x91/0xa0
    [67607.676067] [<f8cf5e5b>] ? ipw_handle_promiscuous_tx+0x16b/0x2d0 [ipw2200]
    [67607.676067] [<f8cf5e5b>] ipw_handle_promiscuous_tx+0x16b/0x2d0 [ipw2200]
    [67607.676067] [<f8cf899b>] ipw_net_hard_start_xmit+0x8b/0x90 [ipw2200]
    [67607.676067] [<f8741c5a>] libipw_xmit+0x55a/0x980 [libipw]
    [67607.676067] [<c143d3e8>] dev_hard_start_xmit+0x218/0x4d0
    This bug was found by VittGam.
    Signed-off-by: Stanislav Yakovlev <>
    Signed-off-by: John W. Linville <>
    Cc: Ben Hutchings <>
    Signed-off-by: Greg Kroah-Hartman <>
  4. @gregkh

    timekeeping: Cast raw_interval to u64 to avoid shift overflow

    Dan Carpenter authored gregkh committed
    commit 5b3900c upstream.
    We fixed a bunch of integer overflows in timekeeping code during the 3.6
    cycle.  I did an audit based on that and found this potential overflow.
    Signed-off-by: Dan Carpenter <>
    Acked-by: John Stultz <>
    Signed-off-by: Thomas Gleixner <>
    Cc: Ben Hutchings <>
    [ herton: adapt for 3.5, timekeeper instead of tk pointer ]
    Signed-off-by: Herton Ronaldo Krzesinski <>
    Signed-off-by: Greg Kroah-Hartman <>
  5. @colincross @gregkh

    ARM: OMAP: counter: add locking to read_persistent_clock

    colincross authored gregkh committed
    commit 9d7d6e3 upstream.
    read_persistent_clock uses a global variable, use a spinlock to
    ensure non-atomic updates to the variable don't overlap and cause
    time to move backwards.
    Signed-off-by: Colin Cross <>
    Signed-off-by: R Sricharan <>
    Signed-off-by: Tony Lindgren <>
    [bwh: Backported to 3.2: adjust context]
    Signed-off-by: Ben Hutchings <>
    Signed-off-by: Greg Kroah-Hartman <>
  6. @gregkh

    mmc: sdhci-s3c: fix the wrong number of max bus clocks

    Jaehoon Chung authored gregkh committed
    commit 5feb54a upstream.
    We can use up to four bus-clocks; but on module remove, we didn't
    disable the fourth bus clock.
    Signed-off-by: Jaehoon Chung <>
    Signed-off-by: Kyungmin Park <>
    Signed-off-by: Chris Ball <>
    Cc: Ben Hutchings <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. @shangw @gregkh

    powerpc/eeh: Lock module while handling EEH event

    shangw authored gregkh committed
    commit feadf7c upstream.
    The EEH core is talking with the PCI device driver to determine the
    action (purely reset, or PCI device removal). During the period, the
    driver might be unloaded and in turn causes kernel crash as follows:
    EEH: Detected PCI bus error on PHB#4-PE#10000
    EEH: This PCI device has failed 3 times in the last hour
    lpfc 0004:01:00.0: 0:2710 PCI channel disable preparing for reset
    Unable to handle kernel paging request for data at address 0x00000490
    Faulting instruction address: 0xd00000000e682c90
    cpu 0x1: Vector: 300 (Data Access) at [c000000fc75ffa20]
        pc: d00000000e682c90: .lpfc_io_error_detected+0x30/0x240 [lpfc]
        lr: d00000000e682c8c: .lpfc_io_error_detected+0x2c/0x240 [lpfc]
        sp: c000000fc75ffca0
       msr: 8000000000009032
       dar: 490
     dsisr: 40000000
      current = 0xc000000fc79b88b0
      paca    = 0xc00000000edb0380	 softe: 0	 irq_happened: 0x00
        pid   = 3386, comm = eehd
    enter ? for help
    [c000000fc75ffca0] c000000fc75ffd30 (unreliable)
    [c000000fc75ffd30] c00000000004fd3c .eeh_report_error+0x7c/0xf0
    [c000000fc75ffdc0] c00000000004ee00 .eeh_pe_dev_traverse+0xa0/0x180
    [c000000fc75ffe70] c00000000004ffd8 .eeh_handle_event+0x68/0x300
    [c000000fc75fff00] c0000000000503a0 .eeh_event_handler+0x130/0x1a0
    [c000000fc75fff90] c000000000020138 .kernel_thread+0x54/0x70
    The patch increases the reference of the corresponding driver modules
    while EEH core does the negotiation with PCI device driver so that the
    corresponding driver modules can't be unloaded during the period and
    we're safe to refer the callbacks.
    Reported-by: Alexey Kardashevskiy <>
    Signed-off-by: Gavin Shan <>
    Signed-off-by: Benjamin Herrenschmidt <>
    [ herton: backported for 3.5, adjusted driver assignments, return 0
      instead of NULL, assume dev is not NULL ]
    Signed-off-by: Herton Ronaldo Krzesinski <>
    Cc: Ben Hutchings <>
    Signed-off-by: Greg Kroah-Hartman <>
  8. @mlauss @gregkh

    MPI: Fix compilation on MIPS with GCC 4.4 and newer

    mlauss authored gregkh committed
    commit a3cea98 upstream.
    Since 4.4 GCC on MIPS no longer recognizes the "h" constraint,
    leading to this build failure:
      CC      lib/mpi/generic_mpih-mul1.o
    lib/mpi/generic_mpih-mul1.c: In function 'mpihelp_mul_1':
    lib/mpi/generic_mpih-mul1.c:50:3: error: impossible constraint in 'asm'
    This patch updates MPI with the latest umul_ppm implementations for MIPS.
    Signed-off-by: Manuel Lauss <>
    Cc: Linux-MIPS <>
    Cc: Dmitry Kasatkin <>
    Cc: James Morris <>
    Signed-off-by: Ralf Baechle <>
    Cc: Shuah Khan <>
    Signed-off-by: Greg Kroah-Hartman <>
  9. @gregkh

    watchdog: using u64 in get_sample_period()

    Chuansheng Liu authored gregkh committed
    commit 8ffeb9b upstream.
    In get_sample_period(), unsigned long is not enough:
      watchdog_thresh * 2 * (NSEC_PER_SEC / 5)
      watchdog_thresh is 10 by default, the sample value will be: 0xEE6B2800
     set watchdog_thresh is 20, the sample value will be: 0x1 DCD6 5000
    In case2, we need use u64 to express the sample period.  Otherwise,
    changing the threshold thru proc often can not be successful.
    Signed-off-by: liu chuansheng <>
    Acked-by: Don Zickus <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Shuah Khan <>
    Signed-off-by: Greg Kroah-Hartman <>
  10. @jhovold @gregkh

    USB: mct_u232: fix broken close

    jhovold authored gregkh committed
    commit 5260e45 upstream.
    Make sure generic close is called at close.
    The driver relies on the generic write implementation but did not call
    generic close.
    Note that the call to kill the read urb is not redundant, as mct_u232
    uses an interrupt urb from the second port as the read urb and that
    generic close therefore fails to kill it.
    Compile-only tested.
    Signed-off-by: Johan Hovold <>
    Signed-off-by: Greg Kroah-Hartman <>
    [bwh: Backported to 3.2: adjust context]
    Signed-off-by: Ben Hutchings <>
  11. @gregkh

    NFC: Fix nfc_llcp_local chained list insertion

    Thierry Escande authored gregkh committed
    commit 16a78e9 upstream.
    list_add was called with swapped parameters
    Signed-off-by: Thierry Escande <>
    Signed-off-by: Samuel Ortiz <>
    Signed-off-by: Peter Huewe <>
    Signed-off-by: Greg Kroah-Hartman <>
  12. @gregkh

    NFC: pn533: Fix mem leak in pn533_in_dep_link_up

    Waldemar Rymarkiewicz authored gregkh committed
    commit 70418e6 upstream.
    cmd is allocated in pn533_dep_link_up and passed as an arg to
    pn533_send_cmd_frame_async together with a complete cb.
    arg is passed to the cb and must be kfreed there.
    Signed-off-by: Waldemar Rymarkiewicz <>
    Signed-off-by: Samuel Ortiz <>
    Signed-off-by: Peter Huewe <>
    Signed-off-by: Greg Kroah-Hartman <>
  13. @sjanc @gregkh

    NFC: pn533: Fix use after free

    sjanc authored gregkh committed
    commit 770f750 upstream.
    cmd was freed in pn533_dep_link_up regardless of
    pn533_send_cmd_frame_async return code. Cmd is passed as argument to
    pn533_in_dep_link_up_complete callback and should be freed there.
    Signed-off-by: Szymon Janc <>
    Signed-off-by: Samuel Ortiz <>
    Signed-off-by: Peter Huewe <>
    Signed-off-by: Greg Kroah-Hartman <>
  14. @gregkh

    get_dvb_firmware: fix download site for tda10046 firmware

    Mauro Carvalho Chehab authored gregkh committed
    commit 25ec43d upstream.
    The previous website doesn't exist anymore. Update it to one site that
    actually exists.
    Signed-off-by: Mauro Carvalho Chehab <>
    Signed-off-by: Peter Huewe <>
    Signed-off-by: Greg Kroah-Hartman <>
  15. @davidmilburn @gregkh

    sata_svw: check DMA start bit before reset

    davidmilburn authored gregkh committed
    commit b03e66a upstream.
    If kdump is triggered with pending IO, controller may not respond causing
    kdump to fail.
    During error recovery ata_do_dev_read_id never completes due hang
    in mmio_insw.
    if DMA start bit is cleared before reset, PIO command is successful
    and kdump succeeds.
    Signed-off-by: David Milburn <>
    Signed-off-by: Jeff Garzik <>
    Cc: CAI Qian <>
    Signed-off-by: Greg Kroah-Hartman <>
  16. @gregkh

    ixgbe: add support for X540-AT1 authored gregkh committed
    commit df376f0 upstream.
    This patch adds device support for Ethernet Controller X540-AT1.
    Signed-off-by: Josh Hay <>
    Tested-by: Phil Schmitt <>
    Signed-off-by: Jeff Kirsher <>
    Signed-off-by: Abdallah Chatila <>
    Signed-off-by: Greg Kroah-Hartman <>
  17. @gregkh

    KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit set (CVE-…

    Petr Matousek authored gregkh committed
    commit 6d1068b upstream.
    On hosts without the XSAVE support unprivileged local user can trigger
    oops similar to the one below by setting X86_CR4_OSXSAVE bit in guest
    cr4 register using KVM_SET_SREGS ioctl and later issuing KVM_RUN
    invalid opcode: 0000 [#2] SMP
    Modules linked in: tun ip6table_filter ip6_tables ebtable_nat ebtables
    Pid: 24935, comm: zoog_kvm_monito Tainted: G      D      3.2.0-3-686-pae
    EIP: 0060:[<f8b9550c>] EFLAGS: 00210246 CPU: 0
    EIP is at kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm]
    EAX: 00000001 EBX: 000f387e ECX: 00000000 EDX: 00000000
    ESI: 00000000 EDI: 00000000 EBP: ef5a0060 ESP: d7c63e70
     DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
    Process zoog_kvm_monito (pid: 24935, ti=d7c62000 task=ed84a0c0
     00000001 f70a1200 f8b940a9 ef5a0060 00000000 00200202 f8769009 00000000
     ef5a0060 000f387e eda5c020 8722f9c8 00015bae 00000000 ed84a0c0 ed84a0c0
     c12bf02d 0000ae80 ef7f8740 fffffffb f359b740 ef5a0060 f8b85dc1 0000ae80
    Call Trace:
     [<f8b940a9>] ? kvm_arch_vcpu_ioctl_set_sregs+0x2fe/0x308 [kvm]
     [<c12bfb44>] ? syscall_call+0x7/0xb
    Code: 89 e8 e8 14 ee ff ff ba 00 00 04 00 89 e8 e8 98 48 ff ff 85 c0 74
    1e 83 7d 48 00 75 18 8b 85 08 07 00 00 31 c9 8b 95 0c 07 00 00 <0f> 01
    d1 c7 45 48 01 00 00 00 c7 45 1c 01 00 00 00 0f ae f0 89
    EIP: [<f8b9550c>] kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm] SS:ESP
    QEMU first retrieves the supported features via KVM_GET_SUPPORTED_CPUID
    and then sets them later. So guest's X86_FEATURE_XSAVE should be masked
    out on hosts without X86_FEATURE_XSAVE, making kvm_set_cr4 with
    X86_CR4_OSXSAVE fail. Userspaces that allow specifying guest cpuid with
    X86_FEATURE_XSAVE even on hosts that do not support it, might be
    susceptible to this attack from inside the guest as well.
    Allow setting X86_CR4_OSXSAVE bit only if host has XSAVE support.
    Signed-off-by: Petr Matousek <>
    Signed-off-by: Marcelo Tosatti <>
    Signed-off-by: Greg Kroah-Hartman <>
  18. @jankara @gregkh

    scsi: Silence unnecessary warnings about ioctl to partition

    jankara authored gregkh committed
    commit 6d93592 upstream.
    Sometimes, warnings about ioctls to partition happen often enough that they
    form majority of the warnings in the kernel log and users complain. In some
    cases warnings are about ioctls such as SG_IO so it's not good to get rid of
    the warnings completely as they can ease debugging of userspace problems
    when ioctl is refused.
    Since I have seen warnings from lots of commands, including some proprietary
    userspace applications, I don't think disallowing the ioctls for processes
    with CAP_SYS_RAWIO will happen in the near future if ever. So lets just
    stop warning for processes with CAP_SYS_RAWIO for which ioctl is allowed.
    Acked-by: Paolo Bonzini <>
    CC: Paolo Bonzini <>
    CC: James Bottomley <>
    Signed-off-by: Jan Kara <>
    Signed-off-by: Jens Axboe <>
    Cc: satoru takeuchi <>
    Signed-off-by: Greg Kroah-Hartman <>
  19. @gregkh

    bas_gigaset: fix pre_reset handling

    Tilman Schmidt authored gregkh committed
    commit c6fdd8e upstream.
    The delayed work function int_in_work() may call usb_reset_device()
    and thus, indirectly, the driver's pre_reset method. Trying to
    cancel the work synchronously in that situation would deadlock.
    Fix by avoiding cancel_work_sync() in the pre_reset method.
    If the reset was NOT initiated by int_in_work() this might cause
    int_in_work() to run after the post_reset method, with urb_int_in
    already resubmitted, so handle that case gracefully.
    Signed-off-by: Tilman Schmidt <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  20. @diwic @gregkh

    ALSA: hda - Add support for Realtek ALC292

    diwic authored gregkh committed
    commit af02dde upstream.
    We found a new codec ID 292, and that just a simple quirk would enable
    sound output/input on this ALC292 chip.
    Tested-by: Acelan Kao <>
    Signed-off-by: David Henningsson <>
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Greg Kroah-Hartman <>
  21. @duncan-roe @gregkh

    ALSA: hda - Fix missing beep on ASUS X43U notebook

    duncan-roe authored gregkh committed
    commit 7110005 upstream.
    Signed-off-by: Duncan Roe <>
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Greg Kroah-Hartman <>
  22. @gregkh

    ALSA: hda - Add new codec ALC283 ALC290 support

    Kailang Yang authored gregkh committed
    commit 7ff34ad upstream.
    These are compatible with standard ALC269 parser.
    Signed-off-by: Kailang Yang <>
    Signed-off-by: Takashi Iwai <>
    Signed-off-by: Greg Kroah-Hartman <>
  23. @lyakh @gregkh

    PM / QoS: fix wrong error-checking condition

    lyakh authored gregkh committed
    commit a7227a0 upstream.
    dev_pm_qos_add_request() can return 0, 1, or a negative error code,
    therefore the correct error test is "if (error < 0)." Checking just for
    non-zero return code leads to erroneous setting of the req->dev pointer
    to NULL, which then leads to a repeated call to
    dev_pm_qos_add_ancestor_request() in st1232_ts_irq_handler(). This in turn
    leads to an Oops, when the I2C host adapter is unloaded and reloaded again
    because of the inconsistent state of its QoS request list.
    Signed-off-by: Guennadi Liakhovetski <>
    Signed-off-by: Rafael J. Wysocki <>
    Signed-off-by: Greg Kroah-Hartman <>
  24. @gregkh

    sparc64: not any error from do_sigaltstack() should fail rt_sigreturn()

    Al Viro authored gregkh committed
    commit fae2ae2 upstream.
    If a signal handler is executed on altstack and another signal comes,
    we will end up with rt_sigreturn() on return from the second handler
    getting -EPERM from do_sigaltstack().  It's perfectly OK, since we
    are not asking to change the settings; in fact, they couldn't have been
    changed during the second handler execution exactly because we'd been
    on altstack all along.  64bit sigreturn on sparc treats any error from
    do_sigaltstack() as "SIGSEGV now"; we need to switch to the same semantics
    we are using on other architectures.
    Signed-off-by: Al Viro <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
  25. @jankara @gregkh

    jbd: Fix lock ordering bug in journal_unmap_buffer()

    jankara authored gregkh committed
    commit 25389bb upstream.
    Commit 09e05d4 introduced a wait for transaction commit into
    journal_unmap_buffer() in the case we are truncating a buffer undergoing commit
    in the page stradding i_size on a filesystem with blocksize < pagesize. Sadly
    we forgot to drop buffer lock before waiting for transaction commit and thus
    deadlock is possible when kjournald wants to lock the buffer.
    Fix the problem by dropping the buffer lock before waiting for transaction
    commit. Since we are still holding page lock (and that is OK), buffer cannot
    disappear under us.
    Signed-off-by: Jan Kara <>
    Signed-off-by: Greg Kroah-Hartman <>
  26. @hartkopp @gregkh

    can: bcm: initialize ifindex for timeouts without previous frame rece…

    hartkopp authored gregkh committed
    commit 81b4011 upstream.
    Set in the rx_ifindex to pass the correct interface index in the case of a
    message timeout detection. Usually the rx_ifindex value is set at receive
    time. But when no CAN frame has been received the RX_TIMEOUT notification
    did not contain a valid value.
    Reported-by: Andre Naujoks <>
    Signed-off-by: Oliver Hartkopp <>
    Signed-off-by: Marc Kleine-Budde <>
    Signed-off-by: Greg Kroah-Hartman <>
  27. @hartkopp @gregkh

    can: peak_usb: fix hwtstamp assignment

    hartkopp authored gregkh committed
    commit c9faaa0 upstream.
    The skb->tstamp is set to the hardware timestamp when available in the USB
    urb message. This leads to user visible timestamps which contain the 'uptime'
    of the USB adapter - and not the usual system generated timestamp.
    Fix this wrong assignment by applying the available hardware timestamp to the
    skb_shared_hwtstamps data structure - which is intended for this purpose.
    Signed-off-by: Oliver Hartkopp <>
    Signed-off-by: Marc Kleine-Budde <>
    Signed-off-by: Greg Kroah-Hartman <>
  28. @pebolle @gregkh

    radeon: add AGPMode 1 quirk for RV250

    pebolle authored gregkh committed
    commit 4517100 upstream.
    The Intel 82855PM host bridge / Mobility FireGL 9000 RV250 combination
    in an (outdated) ThinkPad T41 needs AGPMode 1 for suspend/resume (under
    KMS, that is). So add a quirk for it.
    (Change R250 to RV250 in comment for preceding quirk too.)
    Signed-off-by: Paul Bolle <>
    Signed-off-by: Alex Deucher <>
    Signed-off-by: Greg Kroah-Hartman <>
  29. @gregkh

    mac80211: deinitialize ibss-internals after emptiness check

    Simon Wunderlich authored gregkh committed
    commit b78a493 upstream.
    The check whether the IBSS is active and can be removed should be
    performed before deinitializing the fields used for the check/search.
    Otherwise, the configured BSS will not be found and removed properly.
    To make it more clear for the future, rename sdata->u.ibss to the
    local pointer ifibss which is used within the checks.
    This behaviour was introduced by
    ("mac80211: fix IBSS teardown race")
    Signed-off-by: Simon Wunderlich <>
    Cc: Ignacy Gawedzki <>
    Signed-off-by: Johannes Berg <>
    Signed-off-by: Greg Kroah-Hartman <>
  30. @dvhart @gregkh

    futex: avoid wake_futex() for a PI futex_q

    dvhart authored gregkh committed
    commit aa10990 upstream.
    Dave Jones reported a bug with futex_lock_pi() that his trinity test
    exposed.  Sometime between queue_me() and taking the q.lock_ptr, the
    lock_ptr became NULL, resulting in a crash.
    While futex_wake() is careful to not call wake_futex() on futex_q's with
    a pi_state or an rt_waiter (which are either waiting for a
    futex_unlock_pi() or a PI futex_requeue()), futex_wake_op() and
    futex_requeue() do not perform the same test.
    Update futex_wake_op() and futex_requeue() to test for q.pi_state and
    q.rt_waiter and abort with -EINVAL if detected.  To ensure any future
    breakage is caught, add a WARN() to wake_futex() if the same condition
    is true.
    This fix has seen 3 hours of testing with "trinity -c futex" on an
    x86_64 VM with 4 CPUS.
    [ tidy up the WARN()]
    Signed-off-by: Darren Hart <>
    Reported-by: Dave Jones <>
    Cc: Thomas Gleixner <>
    Cc: Peter Zijlstra <>
    Cc: Ingo Molnar <>
    Cc: John Kacur <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
  31. @axboe @gregkh

    dm: fix deadlock with request based dm and queue request_fn recursion

    axboe authored gregkh committed
    commit a8c32a5 upstream.
    Request based dm attempts to re-run the request queue off the
    request completion path. If used with a driver that potentially does
    end_io from its request_fn, we could deadlock trying to recurse
    back into request dispatch. Fix this by punting the request queue
    run to kblockd.
    Tested to fix a quickly reproducible deadlock in such a scenario.
    Acked-by: Alasdair G Kergon <>
    Signed-off-by: Jens Axboe <>
    Signed-off-by: Greg Kroah-Hartman <>
  32. @neilbrown @gregkh

    md/raid10: decrement correct pending counter when writing to replacem…

    neilbrown authored gregkh committed
    commit 884162d upstream.
    When a write to a replacement device completes, we carefully
    and correctly found the rdev that the write actually went to
    and the blithely called rdev_dec_pending on the primary rdev,
    even if this write was to the replacement.
    This means that any writes to an array while a replacement
    was ongoing would cause the nr_pending count for the primary
    device to go negative, so it could never be removed.
    This bug has been present since replacement was introduced in
    3.3, so it is suitable for any -stable kernel since then.
    Reported-by: "George Spelvin" <>
    Signed-off-by: NeilBrown <>
    Signed-off-by: Greg Kroah-Hartman <>
  33. @majianpeng @gregkh

    md: Avoid write invalid address if read_seqretry returned true.

    majianpeng authored gregkh committed
    commit 35f9ac2 upstream.
    If read_seqretry returned true and bbp was changed, it will write
    invalid address which can cause some serious problem.
    This bug was introduced by commit v3.0-rc7-130-g2699b67.
    So fix is suitable for 3.0.y thru 3.6.y.
    Signed-off-by: Jianpeng Ma <>
    Signed-off-by: NeilBrown <>
    Signed-off-by: Greg Kroah-Hartman <>
Something went wrong with that request. Please try again.