Skip to content
Commits on Oct 7, 2012
  1. @gregkh

    Linux 3.6.1

    gregkh committed Oct 7, 2012
  2. @bvanassche @gregkh

    SCSI: scsi_dh_alua: Enable STPG for unavailable ports

    bvanassche committed with gregkh Aug 24, 2012
    commit e47f897 upstream.
    
    A quote from SPC-4: "While in the unavailable primary target port
    asymmetric access state, the device server shall support those of
    the following commands that it supports while in the active/optimized
    state: [ ... ] d) SET TARGET PORT GROUPS; [ ... ]". Hence enable
    sending STPG to a target port group that is in the unavailable state.
    
    Signed-off-by: Bart Van Assche <bvanassche@acm.org>
    Reviewed-by: Mike Christie <michaelc@cs.wisc.edu>
    Acked-by: Hannes Reinecke <hare@suse.de>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  3. @gregkh

    SCSI: scsi_remove_target: fix softlockup regression on hot remove

    Dan Williams committed with gregkh Aug 28, 2012
    commit bc3f02a upstream.
    
    John reports:
     BUG: soft lockup - CPU#2 stuck for 23s! [kworker/u:8:2202]
     [..]
     Call Trace:
      [<ffffffff8141782a>] scsi_remove_target+0xda/0x1f0
      [<ffffffff81421de5>] sas_rphy_remove+0x55/0x60
      [<ffffffff81421e01>] sas_rphy_delete+0x11/0x20
      [<ffffffff81421e35>] sas_port_delete+0x25/0x160
      [<ffffffff814549a3>] mptsas_del_end_device+0x183/0x270
    
    ...introduced by commit 3b661a9 "[SCSI] fix hot unplug vs async scan race".
    
    Don't restart lookup of more stargets in the multi-target case, just
    arrange to traverse the list once, on the assumption that new targets
    are always added at the end.  There is no guarantee that the target will
    change state in scsi_target_reap() so we can end up spinning if we
    restart.
    
    Acked-by: Jack Wang <jack_wang@usish.com>
    LKML-Reference: <CAEhu1-6wq1YsNiscGMwP4ud0Q+MrViRzv=kcWCQSBNc8c68N5Q@mail.gmail.com>
    Reported-by: John Drescher <drescherjm@gmail.com>
    Tested-by: John Drescher <drescherjm@gmail.com>
    Signed-off-by: Dan Williams <djbw@fb.com>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  4. @djbw @gregkh

    isci: fix isci_pci_probe() generates warning on efi failure path

    djbw committed with gregkh Jun 22, 2012
    commit 6d70a74 upstream.
    
    The oem parameter image embedded in the efi variable is at an offset
    from the start of the variable.  However, in the failure path we try to
    free the 'orom' pointer which is only valid when the paramaters are
    being read from the legacy option-rom space.
    
    Since failure to load the oem parameters is unlikely and we keep the
    memory around in the success case just defer all de-allocation to devm.
    
    Reported-by: Don Morris <don.morris@hp.com>
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  5. @mmarcini @gregkh

    IB/qib: Fix local access validation for user MRs

    mmarcini committed with gregkh Sep 28, 2012
    commit c00aaa1 upstream.
    
    Commit 8aac4cc ("IB/qib: RCU locking for MR validation") introduced
    a bug that broke user post sends.  The proper validation of the MR
    was lost in the patch.
    
    This patch corrects that validation.
    
    Reviewed-by: Dean Luick <dean.luick@intel.com>
    Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
    Signed-off-by: Roland Dreier <roland@purestorage.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  6. @bvanassche @gregkh

    IB/srp: Avoid having aborted requests hang

    bvanassche committed with gregkh Aug 24, 2012
    commit d853667 upstream.
    
    We need to call scsi_done() for commands after we abort them.
    
    Signed-off-by: Bart Van Assche <bvanassche@acm.org>
    Acked-by: David Dillow <dillowda@ornl.gov>
    Signed-off-by: Roland Dreier <roland@purestorage.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  7. @bvanassche @gregkh

    IB/srp: Fix use-after-free in srp_reset_req()

    bvanassche committed with gregkh Aug 24, 2012
    commit 9b796d0 upstream.
    
    srp_free_req() uses the scsi_cmnd structure contents to unmap
    buffers, so we must invoke srp_free_req() before we release
    ownership of that structure.
    
    Signed-off-by: Bart Van Assche <bvanassche@acm.org>
    Acked-by: David Dillow <dillowda@ornl.gov>
    Signed-off-by: Roland Dreier <roland@purestorage.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  8. @kaber @gregkh

    IPoIB: Fix use-after-free of multicast object

    kaber committed with gregkh Aug 30, 2012
    commit bea1e22 upstream.
    
    Fix a crash in ipoib_mcast_join_task().  (with help from Or Gerlitz)
    
    Commit c8c2afe ("IPoIB: Use rtnl lock/unlock when changing device
    flags") added a call to rtnl_lock() in ipoib_mcast_join_task(), which
    is run from the ipoib_workqueue, and hence the workqueue can't be
    flushed from the context of ipoib_stop().
    
    In the current code, ipoib_stop() (which doesn't flush the workqueue)
    calls ipoib_mcast_dev_flush(), which goes and deletes all the
    multicast entries.  This takes place without any synchronization with
    a possible running instance of ipoib_mcast_join_task() for the same
    ipoib device, leading to a crash due to NULL pointer dereference.
    
    Fix this by making sure that the workqueue is flushed before
    ipoib_mcast_dev_flush() is called.  To make that possible, we move the
    RTNL-lock wrapped code to ipoib_mcast_join_finish().
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Roland Dreier <roland@purestorage.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  9. @gregkh

    remoteproc: fix a potential NULL-dereference on cleanup

    Dan Carpenter committed with gregkh Sep 25, 2012
    commit 7168d91 upstream.
    
    We only need to allocate mapping if there is an IOMMU domain.
    
    Otherwise, when the mappings are released, the assumption that
    an IOMMU domain is there will crash and burn.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    [ohad: revise commit log]
    Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  10. @ohadbc @gregkh

    remoteproc: select VIRTIO to avoid build breakage

    ohadbc committed with gregkh Sep 30, 2012
    commit 2ed6d29 upstream.
    
    drivers/built-in.o: In function `rproc_virtio_finalize_features':
    remoteproc_virtio.c:(.text+0x2f9a02): undefined reference to `vring_transport_features'
    drivers/built-in.o: In function `rproc_virtio_del_vqs':
    remoteproc_virtio.c:(.text+0x2f9a74): undefined reference to `vring_del_virtqueue'
    drivers/built-in.o: In function `rproc_virtio_find_vqs':
    remoteproc_virtio.c:(.text+0x2f9c44): undefined reference to `vring_new_virtqueue'
    drivers/built-in.o: In function `rproc_add_virtio_dev':
    (.text+0x2f9e2c): undefined reference to `register_virtio_device'
    drivers/built-in.o: In function `rproc_vq_interrupt':
    (.text+0x2f9db7): undefined reference to `vring_interrupt'
    drivers/built-in.o: In function `rproc_remove_virtio_dev':
    (.text+0x2f9e9f): undefined reference to `unregister_virtio_device'
    
    Reported-by: Randy Dunlap <rdunlap@xenotime.net>
    Signed-off-by: Ohad Ben-Cohen <ohad@wizery.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  11. @gregkh

    Input: synaptics - adjust threshold for treating position values as n…

    Seth Forshee committed with gregkh Sep 28, 2012
    …egative
    
    commit 824efd3 upstream.
    
    Commit c039450 (Input: synaptics - handle out of bounds values from the
    hardware) caused any hardware reported values over 7167 to be treated as
    a wrapped-around negative value. It turns out that some firmware uses
    the value 8176 to indicate a finger near the edge of the touchpad whose
    actual position cannot be determined. This value now gets treated as
    negative, which can cause pointer jumps and broken edge scrolling on
    these machines.
    
    I only know of one touchpad which reports negative values, and this
    hardware never reports any value lower than -8 (i.e. 8184). Moving the
    threshold for treating a value as negative up to 8176 should work fine
    then for any hardware we currently know about, and since we're dealing
    with unspecified behavior it's probably the best we can do. The special
    8176 value is also likely to result in sudden jumps in position, so
    let's also clamp this to the maximum specified value for the axis.
    
    BugLink: http://bugs.launchpad.net/bugs/1046512
    https://bugzilla.kernel.org/show_bug.cgi?id=46371
    
    Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
    Reviewed-by: Daniel Kurtz <djkurtz@chromium.org>
    Tested-by: Alan Swanson <swanson@ukfsn.org>
    Tested-by: Arteom <arutemus@gmail.com>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  12. @gregkh

    can: mscan-mpc5xxx: fix return value check in mpc512x_can_get_clock()

    Wei Yongjun committed with gregkh Sep 21, 2012
    commit f61bd05 upstream.
    
    In case of error, the function clk_get() returns ERR_PTR()
    and never returns NULL pointer. The NULL test in the error
    handling should be replaced with IS_ERR().
    
    dpatch engine is used to auto generated this patch.
    (https://github.com/weiyj/dpatch)
    
    Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
    Acked-by: Wolfgang Grandegger <wg@grandegger.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  13. @smcameron @gregkh

    SCSI: hpsa: Use LUN reset instead of target reset

    smcameron committed with gregkh Jul 26, 2012
    commit 21e89af upstream.
    
    It turns out Smart Array logical drives do not support target
    reset and when the target reset fails, the logical drive will
    be taken off line.  Symptoms look like this:
    
    hpsa 0000:03:00.0: Abort request on C1:B0:T0:L0
    hpsa 0000:03:00.0: resetting device 1:0:0:0
    hpsa 0000:03:00.0: cp ffff880037c56000 is reported invalid (probably means target device no longer present)
    hpsa 0000:03:00.0: resetting device failed.
    sd 1:0:0:0: Device offlined - not ready after error recovery
    sd 1:0:0:0: rejecting I/O to offline device
    EXT3-fs error (device sdb1): read_block_bitmap:
    
    LUN reset is supported though, and is what we should be using.
    Target reset is also disruptive in shared SAS situations,
    for example, an external MSA1210m which does support target
    reset attached to Smart Arrays in multiple hosts -- a target
    reset from one host is disruptive to other hosts as all LUNs
    on the target will be reset and will abort all outstanding i/os
    back to all the attached hosts.  So we should use LUN reset,
    not target reset.
    
    Tested this with Smart Array logical drives and with tape drives.
    Not sure how this bug survived since 2009, except it must be very
    rare for a Smart Array to require more than 30s to complete a request.
    
    Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  14. @ozbenh @gregkh

    SCSI: ibmvscsi: Fix host config length field overflow

    ozbenh committed with gregkh Jul 30, 2012
    commit 225c569 upstream.
    
    The length field in the host config packet is only 16-bit long, so
    passing it 0x10000 (64K which is our standard PAGE_SIZE) doesn't
    work and result in an empty config from the server.
    
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Acked-by: Robert Jennings <rcj@linux.vnet.ibm.com>
    Signed-off-by: James Bottomley <JBottomley@Parallels.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  15. @kees @gregkh

    Yama: handle 32-bit userspace prctl

    kees committed with gregkh Aug 27, 2012
    commit 2e4930e upstream.
    
    When running a 64-bit kernel and receiving prctls from a 32-bit
    userspace, the "-1" used as an unsigned long will end up being
    misdetected. The kernel is looking for 0xffffffffffffffff instead of
    0xffffffff. Since prctl lacks a distinct compat interface, Yama needs
    to handle this translation itself. As such, support either value as
    meaning PR_SET_PTRACER_ANY, to avoid breaking the ABI for 64-bit.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: John Johansen <john.johansen@canonical.com>
    Signed-off-by: James Morris <james.l.morris@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  16. @gregkh

    UBI: erase free PEB with bitflip in EC header

    Matthieu CASTET committed with gregkh Aug 22, 2012
    commit 193819c upstream.
    
    Without this patch, these PEB are not scrubbed until we put data in them.
    Bitflip can accumulate latter and we can loose the EC header (but VID header
    should be intact and allow to recover data).
    
    Signed-off-by: Matthieu Castet <matthieu.castet@parrot.com>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  17. @gregkh

    UBI: fix autoresize handling in R/O mode

    Artem Bityutskiy committed with gregkh Aug 18, 2012
    commit abb3e01 upstream.
    
    Currently UBI fails in autoresize when it is in R/O mode (e.g., because the
    underlying MTD device is R/O). This patch fixes the issue - we just skip
    autoresize and print a warning.
    
    Reported-by: Pali Rohár <pali.rohar@gmail.com>
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  18. @gregkh

    n_gsm: memory leak in uplink error path

    Russ Gorby committed with gregkh Aug 13, 2012
    commit 88ed2a6 upstream.
    
    Uplink (TX) network data will go through gsm_dlci_data_output_framed
    there is a bug where if memory allocation fails, the skb which
    has already been pulled off the list will be lost.
    
    In addition TX skbs were being processed in LIFO order
    
    Fixed the memory leak, and changed to FIFO order processing
    
    Signed-off-by: Russ Gorby <russ.gorby@intel.com>
    Tested-by: Kappel, LaurentX <laurentx.kappel@intel.com>
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  19. @gregkh

    n_gsm: added interlocking for gsm_data_lock for certain code paths

    Russ Gorby committed with gregkh Aug 13, 2012
    commit 5e44708 upstream.
    
    There were some locking holes in the management of the MUX's
    message queue for 2 code paths:
    1) gsmld_write_wakeup
    2) receipt of CMD_FCON flow-control message
    In both cases gsm_data_kick is called w/o locking so it can collide
    with other other instances of gsm_data_kick (pulling messages tx_tail)
    or potentially other instances of __gsm_data_queu (adding messages to tx_head)
    
    Changed to take the tx_lock in these 2 cases
    
    Signed-off-by: Russ Gorby <russ.gorby@intel.com>
    Tested-by: Yin, Fengwei <fengwei.yin@intel.com>
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  20. @gregkh

    n_gsm: uplink SKBs accumulate on list

    Russ Gorby committed with gregkh Aug 13, 2012
    commit 192b604 upstream.
    
    gsm_dlci_data_kick will not call any output function if tx_bytes > THRESH_LO
    furthermore it will call the output function only once if tx_bytes == 0
    If the size of the IP writes are on the order of THRESH_LO
    we can get into a situation where skbs accumulate on the outbound list
    being starved for events to call the output function.
    
    gsm_dlci_data_kick now calls the sweep function when tx_bytes==0
    
    Signed-off-by: Russ Gorby <russ.gorby@intel.com>
    Tested-by: Kappel, LaurentX <laurentx.kappel@intel.com>
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  21. @gregkh

    n_gsm.c: Implement 3GPP27.010 DLC start-up procedure in MUX

    xiaojin committed with gregkh Aug 13, 2012
    commit 7e8ac7b upstream.
    
    In 3GPP27.010 5.8.1, it defined:
    The TE multiplexer initiates the establishment of the multiplexer control channel by sending a SABM frame on DLCI 0 using the procedures of clause 5.4.1.
    Once the multiplexer channel is established other DLCs may be established using the procedures of clause 5.4.1.
    This patch implement 5.8.1 in MUX level, it make sure DLC0 is the first channel to be setup.
    
    [or for those not familiar with the specification: it was possible to try
     and open a data connection while the control channel was not yet fully
     open, which is a spec violation and confuses some modems]
    
    Signed-off-by: xiaojin <jin.xiao@intel.com>
    Tested-by: Yin, Fengwei <fengwei.yin@intel.com>
    [tweaked the order we check things and error code]
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  22. @gregkh

    coredump: prevent double-free on an error path in core dumper

    Denys Vlasenko committed with gregkh Sep 26, 2012
    commit f34f9d1 upstream.
    
    In !CORE_DUMP_USE_REGSET case, if elf_note_info_init fails to allocate
    memory for info->fields, it frees already allocated stuff and returns
    error to its caller, fill_note_info.  Which in turn returns error to its
    caller, elf_core_dump.  Which jumps to cleanup label and calls
    free_note_info, which will happily try to free all info->fields again.
    BOOM.
    
    This is the fix.
    
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
    Cc: Venu Byravarasu <vbyravarasu@nvidia.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  23. @gregkh

    xen/pciback: Restore the PCI config space after an FLR.

    Konrad Rzeszutek Wilk committed with gregkh Sep 25, 2012
    commit c341ca4 upstream.
    
    When we do an FLR, or D0->D3_hot we may lose the BARs as the
    device has turned itself off (and on). This means the device cannot
    function unless the pci_restore_state is called - which it is
    when the PCI device is unbound from the Xen PCI backend driver.
    For PV guests it ends up calling pci_enable_device / pci_enable_msi[x]
    which does the proper steps
    
    That however is not happening if a HVM guest is run as QEMU
    deals with PCI configuration space. QEMU also requires that the
    device be "parked"  under the ownership of a pci-stub driver to
    guarantee that the PCI device is not being used. Hence we
    follow the same incantation as pci_reset_function does - by
    doing an FLR, then restoring the PCI configuration space.
    
    The result of this patch is that when you run lspci, you get
    now this:
    
    -       Region 0: [virtual] Memory at fe8c0000 (32-bit, non-prefetchable) [size=128K]
    -       Region 1: [virtual] Memory at fe800000 (32-bit, non-prefetchable) [size=512K]
    +       Region 0: Memory at fe8c0000 (32-bit, non-prefetchable) [size=128K]
    +       Region 1: Memory at fe800000 (32-bit, non-prefetchable) [size=512K]
            Region 2: I/O ports at c000 [size=32]
    -       Region 3: [virtual] Memory at fe8e0000 (32-bit, non-prefetchable) [size=16K]
    +       Region 3: Memory at fe8e0000 (32-bit, non-prefetchable) [size=16K]
    
    The [virtual] means that lspci read those entries from SysFS but when
    it read them from the device it got a different value (0xfffffff).
    
    Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  24. @gregkh

    ath9k: Disable ASPM only for AR9285

    Sujith Manoharan committed with gregkh Sep 22, 2012
    commit 046b680 upstream.
    
    Currently, ASPM is disabled for all WLAN+BT combo chipsets
    when BTCOEX is enabled. This is incorrect since the workaround
    is required only for WB195, which is a AR9285+AR3011 combo
    solution. Fix this by checking for the HW version when enabling
    the workaround.
    
    Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
    Tested-by: Paul Stewart <pstew@chromium.org>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  25. @kdau @gregkh

    HID: keep dev_rdesc unmodified and use it for comparisons

    kdau committed with gregkh Sep 20, 2012
    commit 86e6b77 upstream.
    
    The dev_rdesc member of the hid_device structure is meant to store the original
    report descriptor received from the device, but it is currently passed to any
    report_fixup method before it is copied to the rdesc member. This patch uses a
    temporary buffer to shield dev_rdesc from the side effects of many HID drivers'
    report_fixup implementations.
    
    usbhid's hid_post_reset checks the report descriptor currently returned by the
    device against a descriptor that may have been modified by a driver's
    report_fixup method. That leaves some devices nonfunctional after a resume, with
    a "reset_resume error 1" reported. This patch checks the new descriptor against
    the unmodified dev_rdesc instead and uses the original, instead of modified,
    report size.
    
    BugLink: http://bugs.launchpad.net/bugs/1049623
    Signed-off-by: Kevin Daughtridge <kevin@kdau.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  26. @spang-chromium @gregkh

    Increase XHCI suspend timeout to 16ms

    spang-chromium committed with gregkh Sep 14, 2012
    commit a6e097d upstream.
    
    The Intel XHCI specification says that after clearing the run/stop bit
    the controller may take up to 16ms to halt. We've seen a device take
    14ms, which with the current timeout of 10ms causes the kernel to
    abort the suspend. Increasing the timeout to the recommended value
    fixes the problem.
    
    This patch should be backported to kernels as old as 2.6.37, that
    contain the commit 5535b1d "USB: xHCI:
    PCI power management implementation".
    
    Signed-off-by: Michael Spang <spang@chromium.org>
    Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  27. @gregkh

    xHCI: handle command after aborting the command ring

    Elric Fu committed with gregkh Jun 27, 2012
    commit b63f405 upstream.
    
    According to xHCI spec section 4.6.1.1 and section 4.6.1.2,
    after aborting a command on the command ring, xHC will
    generate a command completion event with its completion
    code set to Command Ring Stopped at least. If a command is
    currently executing at the time of aborting a command, xHC
    also generate a command completion event with its completion
    code set to Command Abort. When the command ring is stopped,
    software may remove, add, or rearrage Command Descriptors.
    
    To cancel a command, software will initialize a command
    descriptor for the cancel command, and add it into a
    cancel_cmd_list of xhci. When the command ring is stopped,
    software will find the command trbs described by command
    descriptors in cancel_cmd_list and modify it to No Op
    command. If software can't find the matched trbs, we can
    think it had been finished.
    
    This patch should be backported to kernels as old as 3.0, that contain
    the commit 7ed603e "xhci: Add an
    assertion to check for virt_dev=0 bug." That commit papers over a NULL
    pointer dereference, and this patch fixes the underlying issue that
    caused the NULL pointer dereference.
    
    Signed-off-by: Elric Fu <elricfu1@gmail.com>
    Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
    Tested-by: Miroslav Sabljic <miroslav.sabljic@avl.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  28. @gregkh

    xHCI: cancel command after command timeout

    Elric Fu committed with gregkh Jun 27, 2012
    commit 6e4468b upstream.
    
    The patch is used to cancel command when the command isn't
    acknowledged and a timeout occurs.
    
    This patch should be backported to kernels as old as 3.0, that contain
    the commit 7ed603e "xhci: Add an
    assertion to check for virt_dev=0 bug." That commit papers over a NULL
    pointer dereference, and this patch fixes the underlying issue that
    caused the NULL pointer dereference.
    
    Signed-off-by: Elric Fu <elricfu1@gmail.com>
    Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
    Tested-by: Miroslav Sabljic <miroslav.sabljic@avl.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  29. @gregkh

    xHCI: add aborting command ring function

    Elric Fu committed with gregkh Jun 27, 2012
    commit b92cc66 upstream.
    
    Software have to abort command ring and cancel command
    when a command is failed or hang. Otherwise, the command
    ring will hang up and can't handle the others. An example
    of a command that may hang is the Address Device Command,
    because waiting for a SET_ADDRESS request to be acknowledged
    by a USB device is outside of the xHC's ability to control.
    
    To cancel a command, software will initialize a command
    descriptor for the cancel command, and add it into a
    cancel_cmd_list of xhci.
    
    Sarah: Fixed missing newline on "Have the command ring been stopped?"
    debugging statement.
    
    This patch should be backported to kernels as old as 3.0, that contain
    the commit 7ed603e "xhci: Add an
    assertion to check for virt_dev=0 bug." That commit papers over a NULL
    pointer dereference, and this patch fixes the underlying issue that
    caused the NULL pointer dereference.
    
    Signed-off-by: Elric Fu <elricfu1@gmail.com>
    Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
    Tested-by: Miroslav Sabljic <miroslav.sabljic@avl.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  30. @gregkh

    xHCI: add cmd_ring_state

    Elric Fu committed with gregkh Jun 27, 2012
    commit c181bc5 upstream.
    
    Adding cmd_ring_state for command ring. It helps to verify
    the current command ring state for controlling the command
    ring operations.
    
    This patch should be backported to kernels as old as 3.0.  The commit
    7ed603e "xhci: Add an assertion to
    check for virt_dev=0 bug." papers over the NULL pointer dereference that
    I now believe is related to a timed out Set Address command.  This (and
    the four patches that follow it) contain the real fix that also allows
    VIA USB 3.0 hubs to consistently re-enumerate during the plug/unplug
    stress tests.
    
    Signed-off-by: Elric Fu <elricfu1@gmail.com>
    Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
    Tested-by: Miroslav Sabljic <miroslav.sabljic@avl.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  31. @gregkh

    xhci: Intel Panther Point BEI quirk.

    Sarah Sharp committed with gregkh Sep 19, 2012
    commit 80fab3b upstream.
    
    When a device with an isochronous endpoint is behind a hub plugged into
    the Intel Panther Point xHCI host controller, and the driver submits
    multiple frames per URB, the xHCI driver will set the Block Event
    Interrupt (BEI) flag on all but the last TD for the URB.  This causes
    the host controller to place an event on the event ring, but not send an
    interrupt.  When the last TD for the URB completes, BEI is cleared, and
    we get an interrupt for the whole URB.
    
    However, under a Panther Point xHCI host controller, if the parent hub
    is unplugged when one or more events from transfers with BEI set are on
    the event ring, a port status change event is placed on the event ring,
    but no interrupt is generated.  This means URBs stop completing, and the
    USB device disconnect is not noticed.  Something like a USB headset will
    cause mplayer to hang when the device is disconnected.
    
    If another transfer is sent (such as running `sudo lsusb -v`), the next
    transfer event seems to "unstick" the event ring, the xHCI driver gets
    an interrupt, and the disconnect is reported to the USB core.
    
    The fix is not to use the BEI flag under the Panther Point xHCI host.
    This will impact power consumption and system responsiveness, because
    the xHCI driver will receive an interrupt for every frame in all
    isochronous URBs instead of once per URB.
    
    Intel chipset developers confirm that this bug will be hit if the BEI
    flag is used on any endpoint, not just ones that are behind a hub.
    
    This patch should be backported to kernels as old as 3.0, that contain
    the commit 69e848c "Intel xhci: Support
    EHCI/xHCI port switching."
    
    Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  32. @gregkh

    firmware: Add missing attributes to EFI variable attribute print out …

    Khalid Aziz committed with gregkh Sep 10, 2012
    …from sysfs
    
    commit 7083909 upstream.
    
    Some of the EFI variable attributes are missing from print out from
    /sys/firmware/efi/vars/*/attributes. This patch adds those in. It also
    updates code to use pre-defined constants for masking current value
    of attributes.
    
    Signed-off-by: Khalid Aziz <khalid.aziz@hp.com>
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Acked-by: Matthew Garrett <mjg@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  33. @lwfinger @gregkh

    b43legacy: Fix crash on unload when firmware not available

    lwfinger committed with gregkh Sep 26, 2012
    commit 2d838bb upstream.
    
    When b43legacy is loaded without the firmware being available, a following
    unload generates a kernel NULL pointer dereference BUG as follows:
    
    [  214.330789] BUG: unable to handle kernel NULL pointer dereference at 0000004c
    [  214.330997] IP: [<c104c395>] drain_workqueue+0x15/0x170
    [  214.331179] *pde = 00000000
    [  214.331311] Oops: 0000 [#1] SMP
    [  214.331471] Modules linked in: b43legacy(-) ssb pcmcia mac80211 cfg80211 af_packet mperf arc4 ppdev sr_mod cdrom sg shpchp yenta_socket pcmcia_rsrc pci_hotplug pcmcia_core battery parport_pc parport floppy container ac button edd autofs4 ohci_hcd ehci_hcd usbcore usb_common thermal processor scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_dh fan thermal_sys hwmon ata_generic pata_ali libata [last unloaded: cfg80211]
    [  214.333421] Pid: 3639, comm: modprobe Not tainted 3.6.0-rc6-wl+ #163 Source Technology VIC 9921/ALI Based Notebook
    [  214.333580] EIP: 0060:[<c104c395>] EFLAGS: 00010246 CPU: 0
    [  214.333687] EIP is at drain_workqueue+0x15/0x170
    [  214.333788] EAX: c162ac40 EBX: cdfb8360 ECX: 0000002a EDX: 00002a2a
    [  214.333890] ESI: 00000000 EDI: 00000000 EBP: cd767e7c ESP: cd767e5c
    [  214.333957]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
    [  214.333957] CR0: 8005003b CR2: 0000004c CR3: 0c96a000 CR4: 00000090
    [  214.333957] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
    [  214.333957] DR6: ffff0ff0 DR7: 00000400
    [  214.333957] Process modprobe (pid: 3639, ti=cd766000 task=cf802e90 task.ti=cd766000)
    [  214.333957] Stack:
    [  214.333957]  00000292 cd767e74 c12c5e09 00000296 00000296 cdfb8360 cdfb9220 00000000
    [  214.333957]  cd767e90 c104c4fd cdfb8360 cdfb9220 cd682800 cd767ea4 d0c10184 cd682800
    [  214.333957]  cd767ea4 cba31064 cd767eb8 d0867908 cba31064 d087e09c cd96f034 cd767ec4
    [  214.333957] Call Trace:
    [  214.333957]  [<c12c5e09>] ? skb_dequeue+0x49/0x60
    [  214.333957]  [<c104c4fd>] destroy_workqueue+0xd/0x150
    [  214.333957]  [<d0c10184>] ieee80211_unregister_hw+0xc4/0x100 [mac80211]
    [  214.333957]  [<d0867908>] b43legacy_remove+0x78/0x80 [b43legacy]
    [  214.333957]  [<d083654d>] ssb_device_remove+0x1d/0x30 [ssb]
    [  214.333957]  [<c126f15a>] __device_release_driver+0x5a/0xb0
    [  214.333957]  [<c126fb07>] driver_detach+0x87/0x90
    [  214.333957]  [<c126ef4c>] bus_remove_driver+0x6c/0xe0
    [  214.333957]  [<c1270120>] driver_unregister+0x40/0x70
    [  214.333957]  [<d083686b>] ssb_driver_unregister+0xb/0x10 [ssb]
    [  214.333957]  [<d087c488>] b43legacy_exit+0xd/0xf [b43legacy]
    [  214.333957]  [<c1089dde>] sys_delete_module+0x14e/0x2b0
    [  214.333957]  [<c110a4a7>] ? vfs_write+0xf7/0x150
    [  214.333957]  [<c1240050>] ? tty_write_lock+0x50/0x50
    [  214.333957]  [<c110a6f8>] ? sys_write+0x38/0x70
    [  214.333957]  [<c1397c55>] syscall_call+0x7/0xb
    [  214.333957] Code: bc 27 00 00 00 00 a1 74 61 56 c1 55 89 e5 e8 a3 fc ff ff 5d c3 90 55 89 e5 57 56 89 c6 53 b8 40 ac 62 c1 83 ec 14 e8 bb b7 34 00 <8b> 46 4c 8d 50 01 85 c0 89 56 4c 75 03 83 0e 40 80 05 40 ac 62
    [  214.333957] EIP: [<c104c395>] drain_workqueue+0x15/0x170 SS:ESP 0068:cd767e5c
    [  214.333957] CR2: 000000000000004c
    [  214.341110] ---[ end trace c7e90ec026d875a6 ]---Index: wireless-testing/drivers/net/wireless/b43legacy/main.c
    
    The problem is fixed by making certain that the ucode pointer is not NULL
    before deregistering the driver in mac80211.
    
    Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  34. @bwhacks @gregkh

    tools/hv: Check for read/write errors

    bwhacks committed with gregkh Sep 5, 2012
    commit 436473b upstream.
    
    hv_kvp_daemon currently does not check whether fread() or fwrite()
    succeed.  Add the necessary checks.  Also, remove the incorrect use of
    feof() before fread().
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  35. @bwhacks @gregkh

    tools/hv: Fix exit() error code

    bwhacks committed with gregkh Sep 5, 2012
    commit 6bb22fe upstream.
    
    Linux native exit codes are 8-bit unsigned values.  exit(-1) results
    in an exit code of 255, which is usually reserved for shells reporting
    'command not found'.  Use the portable value EXIT_FAILURE.  (Not that
    this matters much for a daemon.)
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Something went wrong with that request. Please try again.