Permalink
Commits on Dec 19, 2012
  1. Merge branch 'configs-3.6' into pf-3.6

    Oleksandr Natalenko
    Oleksandr Natalenko committed Dec 19, 2012
  2. Merge branch 'kbuild-3.6' into pf-3.6

    Oleksandr Natalenko
    Oleksandr Natalenko committed Dec 19, 2012
  3. kbuild-3.6: select MDIO for Atheros ethernet devices

    Oleksandr Natalenko
    Oleksandr Natalenko committed Dec 19, 2012
    This could be useful for not-yet-mainlined alx driver.
  4. configs-3.6: update dell-vostro-3360.config

    Oleksandr Natalenko
    Oleksandr Natalenko committed Dec 19, 2012
Commits on Dec 17, 2012
  1. Merge branch 'version-3.6' into pf-3.6

    Oleksandr Natalenko
    Oleksandr Natalenko committed Dec 17, 2012
  2. Merge branch 'distro-3.6' into pf-3.6

    Oleksandr Natalenko
    Oleksandr Natalenko committed Dec 17, 2012
  3. distro-3.6: bump to v3.6.12-pf

    Oleksandr Natalenko
    Oleksandr Natalenko committed Dec 17, 2012
  4. version-3.6: bump to v3.6.12-pf

    Oleksandr Natalenko
    Oleksandr Natalenko committed Dec 17, 2012
  5. fix merge conflict

    Oleksandr Natalenko
    Oleksandr Natalenko committed Dec 17, 2012
  6. Linux 3.6.11

    gregkh committed Dec 17, 2012
  7. sctp: fix -ENOMEM result with invalid user space pointer in sendto() …

    rantala authored and gregkh committed Nov 22, 2012
    …syscall
    
    [ Upstream commit 6e51fe7 ]
    
    Consider the following program, that sets the second argument to the
    sendto() syscall incorrectly:
    
     #include <string.h>
     #include <arpa/inet.h>
     #include <sys/socket.h>
    
     int main(void)
     {
             int fd;
             struct sockaddr_in sa;
    
             fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
             if (fd < 0)
                     return 1;
    
             memset(&sa, 0, sizeof(sa));
             sa.sin_family = AF_INET;
             sa.sin_addr.s_addr = inet_addr("127.0.0.1");
             sa.sin_port = htons(11111);
    
             sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));
    
             return 0;
     }
    
    We get -ENOMEM:
    
     $ strace -e sendto ./demo
     sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ENOMEM (Cannot allocate memory)
    
    Propagate the error code from sctp_user_addto_chunk(), so that we will
    tell user space what actually went wrong:
    
     $ strace -e sendto ./demo
     sendto(3, NULL, 1, 0, {sa_family=AF_INET, sin_port=htons(11111), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EFAULT (Bad address)
    
    Noticed while running Trinity (the syscall fuzzer).
    
    Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  8. sctp: fix memory leak in sctp_datamsg_from_user() when copy from user…

    rantala authored and gregkh committed Nov 27, 2012
    … space fails
    
    [ Upstream commit be364c8 ]
    
    Trinity (the syscall fuzzer) discovered a memory leak in SCTP,
    reproducible e.g. with the sendto() syscall by passing invalid
    user space pointer in the second argument:
    
     #include <string.h>
     #include <arpa/inet.h>
     #include <sys/socket.h>
    
     int main(void)
     {
             int fd;
             struct sockaddr_in sa;
    
             fd = socket(AF_INET, SOCK_STREAM, 132 /*IPPROTO_SCTP*/);
             if (fd < 0)
                     return 1;
    
             memset(&sa, 0, sizeof(sa));
             sa.sin_family = AF_INET;
             sa.sin_addr.s_addr = inet_addr("127.0.0.1");
             sa.sin_port = htons(11111);
    
             sendto(fd, NULL, 1, 0, (struct sockaddr *)&sa, sizeof(sa));
    
             return 0;
     }
    
    As far as I can tell, the leak has been around since ~2003.
    
    Signed-off-by: Tommi Rantala <tt.rantala@gmail.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  9. bonding: fix race condition in bonding_store_slaves_active

    newbg authored and gregkh committed Nov 29, 2012
    [ Upstream commit e196c0e ]
    
    Race between bonding_store_slaves_active() and slave manipulation
     functions. The bond_for_each_slave use in bonding_store_slaves_active()
     is not protected by any synchronization mechanism.
     NULL pointer dereference is easy to reach.
     Fixed by acquiring the bond->lock for the slave walk.
    
     v2: Make description text < 75 columns
    
    Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
    Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  10. bonding: Bonding driver does not consider the gso_max_size/gso_max_se…

    Sarveshwar Bandi authored and gregkh committed Nov 21, 2012
    …gs setting of slave devices.
    
    [ Upstream commit 0e376bd ]
    
    Patch sets the lowest gso_max_size and gso_max_segs values of the slave devices during enslave and detach.
    
    Signed-off-by: Sarveshwar Bandi <sarveshwar.bandi@emulex.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  11. net: cdc_ncm: add Huawei devices

    bmork authored and gregkh committed Nov 13, 2012
    [ Upstream commit bbc8d92 ]
    
    A number of Huawei 3G and LTE modems implement a CDC NCM function,
    including the necessary functional descriptors, but using a non
    standard interface layout and class/subclass/protocol codes.
    
    These devices can be handled by this driver with only a minor
    change to the probing logic, allowing a single combined control
    and data interface.  This works because the devices
    - include a CDC Union descriptor labelling the combined
      interface as both master and slave, and
    - have an alternate setting #1 for the bulk endpoints on the
      combined interface.
    
    The 3G/LTE network connection is managed by vendor specific AT
    commands on a serial function in the same composite device.
    Handling the managment function is out of the scope of this
    driver.  It will be handled by an appropriate USB serial
    driver.
    
    Reported-and-Tested-by: Olof Ermis <olof.ermis@gmail.com>
    Reported-and-Tested-by: Tommy Cheng <tommy7765@yahoo.com>
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  12. usb/ipheth: Add iPhone 5 support

    Jay Purohit authored and gregkh committed Oct 14, 2012
    [ Upstream commit af1b85e ]
    
    I noticed that the iPhone ethernet driver did not support
    iPhone 5. I quickly added support to it in my kernel, here's
    a patch.
    
    Signed-off-by: Jay Purohit <jspurohit@velocitylimitless.com>
    Acked-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
    Signed-off-by: Jan Ceuleers <jan.ceuleers@computer.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  13. inet_diag: validate port comparison byte code to prevent unsafe reads

    Neal Cardwell authored and gregkh committed Dec 9, 2012
    [ Upstream commit 5e1f542 ]
    
    Add logic to verify that a port comparison byte code operation
    actually has the second inet_diag_bc_op from which we read the port
    for such operations.
    
    Previously the code blindly referenced op[1] without first checking
    whether a second inet_diag_bc_op struct could fit there. So a
    malicious user could make the kernel read 4 bytes beyond the end of
    the bytecode array by claiming to have a whole port comparison byte
    code (2 inet_diag_bc_op structs) when in fact the bytecode was not
    long enough to hold both.
    
    Signed-off-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  14. inet_diag: avoid unsafe and nonsensical prefix matches in inet_diag_b…

    Neal Cardwell authored and gregkh committed Dec 8, 2012
    …c_run()
    
    [ Upstream commit f67caec ]
    
    Add logic to check the address family of the user-supplied conditional
    and the address family of the connection entry. We now do not do
    prefix matching of addresses from different address families (AF_INET
    vs AF_INET6), except for the previously existing support for having an
    IPv4 prefix match an IPv4-mapped IPv6 address (which this commit
    maintains as-is).
    
    This change is needed for two reasons:
    
    (1) The addresses are different lengths, so comparing a 128-bit IPv6
    prefix match condition to a 32-bit IPv4 connection address can cause
    us to unwittingly walk off the end of the IPv4 address and read
    garbage or oops.
    
    (2) The IPv4 and IPv6 address spaces are semantically distinct, so a
    simple bit-wise comparison of the prefixes is not meaningful, and
    would lead to bogus results (except for the IPv4-mapped IPv6 case,
    which this commit maintains).
    
    Signed-off-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  15. inet_diag: validate byte code to prevent oops in inet_diag_bc_run()

    Neal Cardwell authored and gregkh committed Dec 8, 2012
    [ Upstream commit 405c005 ]
    
    Add logic to validate INET_DIAG_BC_S_COND and INET_DIAG_BC_D_COND
    operations.
    
    Previously we did not validate the inet_diag_hostcond, address family,
    address length, and prefix length. So a malicious user could make the
    kernel read beyond the end of the bytecode array by claiming to have a
    whole inet_diag_hostcond when the bytecode was not long enough to
    contain a whole inet_diag_hostcond of the given address family. Or
    they could make the kernel read up to about 27 bytes beyond the end of
    a connection address by passing a prefix length that exceeded the
    length of addresses of the given family.
    
    Signed-off-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  16. inet_diag: fix oops for IPv4 AF_INET6 TCP SYN-RECV state

    Neal Cardwell authored and gregkh committed Dec 8, 2012
    [ Upstream commit 1c95df8 ]
    
    Fix inet_diag to be aware of the fact that AF_INET6 TCP connections
    instantiated for IPv4 traffic and in the SYN-RECV state were actually
    created with inet_reqsk_alloc(), instead of inet6_reqsk_alloc(). This
    means that for such connections inet6_rsk(req) returns a pointer to a
    random spot in memory up to roughly 64KB beyond the end of the
    request_sock.
    
    With this bug, for a server using AF_INET6 TCP sockets and serving
    IPv4 traffic, an inet_diag user like `ss state SYN-RECV` would lead to
    inet_diag_fill_req() causing an oops or the export to user space of 16
    bytes of kernel memory as a garbage IPv6 address, depending on where
    the garbage inet6_rsk(req) pointed.
    
    Signed-off-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  17. ipv4: ip_check_defrag must not modify skb before unsharing

    jmberg authored and gregkh committed Dec 9, 2012
    [ Upstream commit 1bf3751 ]
    
    ip_check_defrag() might be called from af_packet within the
    RX path where shared SKBs are used, so it must not modify
    the input SKB before it has unshared it for defragmentation.
    Use skb_copy_bits() to get the IP header and only pull in
    everything later.
    
    The same is true for the other caller in macvlan as it is
    called from dev->rx_handler which can also get a shared SKB.
    
    Reported-by: Eric Leblond <eric@regit.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  18. ipv4: avoid passing NULL to inet_putpeer() in icmpv4_xrlim_allow()

    Neal Cardwell authored and gregkh committed Nov 24, 2012
    [ Upstream commit e1a6764 ]
    
    inet_getpeer_v4() can return NULL under OOM conditions, and while
    inet_peer_xrlim_allow() is OK with a NULL peer, inet_putpeer() will
    crash.
    
    This code path now uses the same idiom as the others from:
    1d861aa ("inet: Minimize use of
    cached route inetpeer.").
    
    Signed-off-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  19. ipv4: do not cache looped multicasts

    Julian Anastasov authored and gregkh committed Nov 22, 2012
    [ Upstream commit 6361742 ]
    
    	Starting from 3.6 we cache output routes for
    multicasts only when using route to 224/4. For local receivers
    we can set RTCF_LOCAL flag depending on the membership but
    in such case we use maddr and saddr which are not caching
    keys as before. Additionally, we can not use same place to
    cache routes that differ in RTCF_LOCAL flag value.
    
    	Fix it by caching only RTCF_MULTICAST entries
    without RTCF_LOCAL (send-only, no loopback). As a side effect,
    we avoid unneeded lookup for fnhe when not caching because
    multicasts are not redirected and they do not learn PMTU.
    
    	Thanks to Maxime Bizon for showing the caching
    problems in __mkroute_output for 3.6 kernels: different
    RTCF_LOCAL flag in cache can lead to wrong ip_mc_output or
    ip_output call and the visible problem is that traffic can
    not reach local receivers via loopback.
    
    Reported-by: Maxime Bizon <mbizon@freebox.fr>
    Tested-by: Maxime Bizon <mbizon@freebox.fr>
    Signed-off-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  20. irda: sir_dev: Fix copy/paste typo

    shcgit authored and gregkh committed Nov 20, 2012
    [ Upstream commit 2355a62 ]
    
    Signed-off-by: Alexander Shiyan <shc_work@mail.ru>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  21. ipv6: fix inet6_csk_update_pmtu() return value

    Eric Dumazet authored and gregkh committed Nov 20, 2012
    [ Upstream commit b4dd006 ]
    
    In case of error, inet6_csk_update_pmtu() should consistently
    return NULL.
    
    Bug added in commit 35ad9b9
    (ipv6: Add helper inet6_csk_update_pmtu().)
    
    Reported-by: Lluís Batlle i Rossell <viric@viric.name>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  22. ne2000: add the right platform device

    Alan Cox authored and gregkh committed Nov 20, 2012
    [ Upstream commit da9da01 ]
    
    Without this udev doesn't have a way to key the ne device to the platform
    device.
    
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  23. sis900: fix sis900_set_mode call parameters.

    Francois Romieu authored and gregkh committed Nov 18, 2012
    [ Upstream commit 8495c0d ]
    
    Leftover of 57d6d45 ("sis900: stop
    using net_device.{base_addr, irq} and convert to __iomem.").
    
    It is needed for suspend / resume to work.
    
    Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
    Tested-by: Jan Janssen <medhefgo@web.de>
    Cc: Daniele Venzano <venza@brownhat.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  24. PCI/PM: Fix deadlock when unbinding device if parent in D3cold

    Huang Ying authored and gregkh committed Oct 24, 2012
    commit 90b5c1d upstream.
    
    If a PCI device and its parents are put into D3cold, unbinding the
    device will trigger deadlock as follow:
    
    - driver_unbind
      - device_release_driver
        - device_lock(dev)				<--- previous lock here
        - __device_release_driver
          - pm_runtime_get_sync
            ...
              - rpm_resume(dev)
                - rpm_resume(dev->parent)
                  ...
                    - pci_pm_runtime_resume
                      ...
                      - pci_set_power_state
                        - __pci_start_power_transition
                          - pci_wakeup_bus(dev->parent->subordinate)
                            - pci_walk_bus
                              - device_lock(dev)	<--- deadlock here
    
    
    If we do not do device_lock in pci_walk_bus, we can avoid deadlock.
    Device_lock in pci_walk_bus is introduced in commit:
    d71374d, corresponding email thread
    is: https://lkml.org/lkml/2006/5/26/38.  The patch author Zhang Yanmin
    said device_lock is added to pci_walk_bus because:
    
      Some error handling functions call pci_walk_bus. For example, PCIe
      aer. Here we lock the device, so the driver wouldn't detach from the
      device, as the cb might call driver's callback function.
    
    So I fixed the deadlock as follows:
    
    - remove device_lock from pci_walk_bus
    - add device_lock into callback if callback will call driver's callback
    
    I checked pci_walk_bus users one by one, and found only PCIe aer needs
    device lock.
    
    Signed-off-by: Huang Ying <ying.huang@intel.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    CC: stable@vger.kernel.org		# v3.6+
    CC: Zhang Yanmin <yanmin.zhang@intel.com>
  25. rcu: Fix batch-limit size problem

    Eric Dumazet authored and gregkh committed Oct 18, 2012
    commit 878d743 upstream.
    
    Commit 29c00b4 (rcu: Add event-tracing for RCU callback
    invocation) added a regression in rcu_do_batch()
    
    Under stress, RCU is supposed to allow to process all items in queue,
    instead of a batch of 10 items (blimit), but an integer overflow makes
    the effective limit being 1.  So, unless there is frequent idle periods
    (during which RCU ignores batch limits), RCU can be forced into a
    state where it cannot keep up with the callback-generation rate,
    eventually resulting in OOM.
    
    This commit therefore converts a few variables in rcu_do_batch() from
    int to long to fix this problem, along with the module parameters
    controlling the batch limits.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  26. USB: EHCI: bugfix: urb->hcpriv should not be NULL

    AlanStern authored and gregkh committed Nov 8, 2012
    commit 2656a9a upstream.
    
    This patch (as1632b) fixes a bug in ehci-hcd.  The USB core uses
    urb->hcpriv to determine whether or not an URB is active; host
    controller drivers are supposed to set this pointer to a non-NULL
    value when an URB is queued.  However ehci-hcd sets it to NULL for
    isochronous URBs, which defeats the check in usbcore.
    
    In itself this isn't a big deal.  But people have recently found that
    certain sequences of actions will cause the snd-usb-audio driver to
    reuse URBs without waiting for them to complete.  In the absence of
    proper checking by usbcore, the URBs get added to their endpoint list
    twice.  This leads to list corruption and a system freeze.
    
    The patch makes ehci-hcd assign a meaningful value to urb->hcpriv for
    isochronous URBs.  Improving robustness always helps.
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Reported-by: Artem S. Tashkinov <t.artem@lycos.com>
    Reported-by: Christof Meerwald <cmeerw@cmeerw.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  27. perf test: fix a build error on builtin-test

    gnehzuil authored and gregkh committed Nov 9, 2012
    commit 12f8f74 upstream.
    
    Recently I build perf and get a build error on builtin-test.c. The error is as
    following:
    
    $ make
        CC perf.o
        CC builtin-test.o
    cc1: warnings being treated as errors
    builtin-test.c: In function ‘sched__get_first_possible_cpu’:
    builtin-test.c:977: warning: implicit declaration of function ‘CPU_ALLOC’
    builtin-test.c:977: warning: nested extern declaration of ‘CPU_ALLOC’
    builtin-test.c:977: warning: assignment makes pointer from integer without a cast
    builtin-test.c:978: warning: implicit declaration of function ‘CPU_ALLOC_SIZE’
    builtin-test.c:978: warning: nested extern declaration of ‘CPU_ALLOC_SIZE’
    builtin-test.c:979: warning: implicit declaration of function ‘CPU_ZERO_S’
    builtin-test.c:979: warning: nested extern declaration of ‘CPU_ZERO_S’
    builtin-test.c:982: warning: implicit declaration of function ‘CPU_FREE’
    builtin-test.c:982: warning: nested extern declaration of ‘CPU_FREE’
    builtin-test.c:992: warning: implicit declaration of function ‘CPU_ISSET_S’
    builtin-test.c:992: warning: nested extern declaration of ‘CPU_ISSET_S’
    builtin-test.c:998: warning: implicit declaration of function ‘CPU_CLR_S’
    builtin-test.c:998: warning: nested extern declaration of ‘CPU_CLR_S’
    make: *** [builtin-test.o] Error 1
    
    This problem is introduced in 3e7c439. CPU_ALLOC and related macros are
    missing in sched__get_first_possible_cpu function. In 54489c1, commiter
    mentioned that CPU_ALLOC has been removed. So CPU_ALLOC calls in this
    function are removed to let perf to be built.
    
    Signed-off-by: Vinson Lee <vlee@twitter.com>
    Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
    Cc: David Ahern <dsahern@gmail.com>
    Cc: Frederic Weisbecker <fweisbec@gmail.com>
    Cc: Mike Galbraith <efault@gmx.de>
    Cc: Paul Mackerras <paulus@samba.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stephane Eranian <eranian@google.com>
    Cc: Vinson Lee <vlee@twitter.com>
    Cc: Zheng Liu <wenqing.lz@taobao.com>
    Link: http://lkml.kernel.org/r/1352422726-31114-1-git-send-email-vlee@twitter.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  28. cdc-acm: implement TIOCSSERIAL to avoid blocking close(2)

    dcbw authored and gregkh committed Nov 8, 2012
    commit ba2d8ce upstream.
    
    Some devices (ex Nokia C7) simply don't respond at all when data is sent
    to some of their USB interfaces.  The data gets stuck in the TTYs queue
    and sits there until close(2), which them blocks because closing_wait
    defaults to 30 seconds (even though the fd is O_NONBLOCK).  This is
    rarely desired.  Implement the standard mechanism to adjust closing_wait
    and let applications handle it how they want to.
    
    See also 02303f7 for usb_wwan.c.
    
    Signed-off-by: Dan Williams <dcbw@redhat.com>
    Acked-by: Oliver Neukum <oneukum@suse.de>
    Tested-by: Aleksander Morgado <aleksander@gnu.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  29. ring-buffer: Fix race between integrity check and readers

    Steven Rostedt authored and gregkh committed Nov 30, 2012
    commit 9366c1b upstream.
    
    The function rb_check_pages() was added to make sure the ring buffer's
    pages were sane. This check is done when the ring buffer size is modified
    as well as when the iterator is released (closing the "trace" file),
    as that was considered a non fast path and a good place to do a sanity
    check.
    
    The problem is that the check does not have any locks around it.
    If one process were to read the trace file, and another were to read
    the raw binary file, the check could happen while the reader is reading
    the file.
    
    The issues with this is that the check requires to clear the HEAD page
    before doing the full check and it restores it afterward. But readers
    require the HEAD page to exist before it can read the buffer, otherwise
    it gives a nasty warning and disables the buffer.
    
    By adding the reader lock around the check, this keeps the race from
    happening.
    
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  30. ring-buffer: Fix NULL pointer if rb_set_head_page() fails

    Steven Rostedt authored and gregkh committed Nov 30, 2012
    commit 54f7be5 upstream.
    
    The function rb_set_head_page() searches the list of ring buffer
    pages for a the page that has the HEAD page flag set. If it does
    not find it, it will do a WARN_ON(), disable the ring buffer and
    return NULL, as this should never happen.
    
    But if this bug happens to happen, not all callers of this function
    can handle a NULL pointer being returned from it. That needs to be
    fixed.
    
    Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>