Commits on Nov 17, 2012
  1. @gregkh

    Linux 3.6.7

    gregkh committed Nov 17, 2012
  2. @tiwai @gregkh

    ALSA: usb-audio: Fix mutex deadlock at disconnection

    commit 10e4423 upstream.
    
    The recent change for USB-audio disconnection race fixes introduced a
    mutex deadlock again.  There is a circular dependency between
    chip->shutdown_rwsem and pcm->open_mutex, depicted like below, when a
    device is opened during the disconnection operation:
    
    A. snd_usb_audio_disconnect() ->
         card.c::register_mutex ->
           chip->shutdown_rwsem (write) ->
             snd_card_disconnect() ->
               pcm.c::register_mutex ->
                 pcm->open_mutex
    
    B. snd_pcm_open() ->
         pcm->open_mutex ->
           snd_usb_pcm_open() ->
             chip->shutdown_rwsem (read)
    
    Since the chip->shutdown_rwsem protection in the case A is required
    only for turning on the chip->shutdown flag and it doesn't have to be
    taken for the whole operation, we can reduce its window in
    snd_usb_audio_disconnect().
    
    Reported-by: Jiri Slaby <jslaby@suse.cz>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    tiwai committed with gregkh Nov 13, 2012
  3. @tiwai @gregkh

    ALSA: Fix card refcount unbalance

    commit 8bb4d9c upstream.
    
    There are uncovered cases where the card refcount introduced by the
    commit a0830db isn't properly increased or decreased:
    - OSS PCM and mixer success paths
    - When lookup function gets NULL
    
    This patch fixes these places.
    
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=50251
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    tiwai committed with gregkh Nov 8, 2012
  4. @dchinner @gregkh

    xfs: fix buffer shudown reference count mismatch

    commit 03b1293 upstream.
    
    When we shut down the filesystem, we have to unpin and free all the
    buffers currently active in the CIL. To do this we unpin and remove
    them in one operation as a result of a failed iclogbuf write. For
    buffers, we do this removal via a simulated IO completion after
    marking the buffer stale.
    
    At the time we do this, we have two references to the buffer - the
    active LRU reference and the buf log item.  The LRU reference is
    removed by marking the buffer stale, and the active CIL reference is
    by the xfs_buf_iodone() callback that is run by
    xfs_buf_do_callbacks() during ioend processing (via the bp->b_iodone
    callback).
    
    However, ioend processing requires one more reference - that of the
    IO that it is completing. We don't have this reference, so we free
    the buffer prematurely and use it after it is freed. For buffers
    marked with XBF_ASYNC, this leads to assert failures in
    xfs_buf_rele() on debug kernels because the b_hold count is zero.
    
    Fix this by making sure we take the necessary IO reference before
    starting IO completion processing on the stale buffer, and set the
    XBF_ASYNC flag to ensure that IO completion processing removes all
    the active references from the buffer to ensure it is fully torn
    down.
    
    Signed-off-by: Dave Chinner <dchinner@redhat.com>
    Reviewed-by: Mark Tinguely <tinguely@sgi.com>
    Signed-off-by: Ben Myers <bpm@sgi.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    dchinner committed with gregkh Nov 2, 2012
  5. @gregkh

    xfs: fix reading of wrapped log data

    commit 6ce377a upstream.
    
    Commit 4439647 ("xfs: reset buffer pointers before freeing them") in
    3.0-rc1 introduced a regression when recovering log buffers that
    wrapped around the end of log. The second part of the log buffer at
    the start of the physical log was being read into the header buffer
    rather than the data buffer, and hence recovery was seeing garbage
    in the data buffer when it got to the region of the log buffer that
    was incorrectly read.
    
    Reported-by: Torsten Kaiser <just.for.lkml@googlemail.com>
    Signed-off-by: Dave Chinner <dchinner@redhat.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: Mark Tinguely <tinguely@sgi.com>
    Signed-off-by: Ben Myers <bpm@sgi.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Dave Chinner committed with gregkh Nov 2, 2012
  6. @gregkh

    GFS2: Test bufdata with buffer locked and gfs2_log_lock held

    commit 96e5d1d upstream.
    
    In gfs2_trans_add_bh(), gfs2 was testing if there was a bd attached to the
    buffer without having the gfs2_log_lock held. It was then assuming it would
    stay attached for the rest of the function. However, without either the log
    lock being held or the buffer locked, __gfs2_ail_flush() could detach bd at any
    time.  This patch moves the locking before the test.  If there isn't a bd
    already attached, gfs2 can safely allocate one and attach it before locking.
    There is no way that the newly allocated bd could be on the ail list,
    and thus no way for __gfs2_ail_flush() to detach it.
    
    Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
    Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Benjamin Marzinski committed with gregkh Nov 7, 2012
  7. @gregkh

    drm/radeon/si: add some missing regs to the VM reg checker

    commit f418b88 upstream.
    
    This register is needed for streamout to work properly.
    
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Alex Deucher committed with gregkh Nov 8, 2012
  8. @gregkh

    drm/radeon/cayman: add some missing regs to the VM reg checker

    commit 860fe2f upstream.
    
    These regs were being wrongly rejected leading to rendering
    issues.
    
    fixes:
    https://bugs.freedesktop.org/show_bug.cgi?id=56876
    
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Alex Deucher committed with gregkh Nov 8, 2012
  9. @thomashvmw @gregkh

    drm/vmwgfx: Fix a case where the code would BUG when trying to pin GMR memory
    
    commit afcc87a upstream.
    
    Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
    Reviewed-by: Brian Paul <brianp@vmware.com>
    Reviewed-by: Dmitry Torokhov <dtor@vmware.com>
    Cc: linux-graphics-maintainer@vmware.com
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    thomashvmw committed with gregkh Nov 9, 2012
  10. @thomashvmw @gregkh

    drm/vmwgfx: Fix hibernation device reset

    commit 95e8f6a upstream.
    
    The device would not reset properly when resuming from hibernation.
    
    Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
    Reviewed-by: Brian Paul <brianp@vmware.com>
    Reviewed-by: Dmitry Torokhov <dtor@vmware.com>
    Cc: linux-graphics-maintainer@vmware.com
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    thomashvmw committed with gregkh Nov 9, 2012
  11. @cjb @gregkh

    mmc: sdhci: fix NULL dereference in sdhci_request() tuning

    commit 14efd95 upstream.
    
    Commit 473b095 ("mmc: sdhci: fix incorrect command used in tuning")
    introduced a NULL dereference at resume-time if an SD 3.0 host controller
    raises the SDHCI_NEEDS_TUNING flag while no card is inserted.  Seen on an
    OLPC XO-4 with sdhci-pxav3, but presumably affects other controllers too.
    
    Signed-off-by: Chris Ball <cjb@laptop.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    cjb committed with gregkh Nov 5, 2012
  12. @lyakh @gregkh

    mmc: sh_mmcif: fix use after free

    commit a0d28ba upstream.
    
    A recent commit "mmc: sh_mmcif: fix clock management" has introduced a
    use after free bug in sh_mmcif.c: in sh_mmcif_remove() the call to
    mmc_free_host() frees private driver data, therefore using it afterwards
    is a bug. Revert that hunk.
    
    Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
    Signed-off-by: Chris Ball <cjb@laptop.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    lyakh committed with gregkh Oct 23, 2012
  13. @gregkh

    futex: Handle futex_pi OWNER_DIED take over correctly

    commit 59fa624 upstream.
    
    Siddhesh analyzed a failure in the take over of pi futexes in case the
    owner died and provided a workaround.
    See: http://sourceware.org/bugzilla/show_bug.cgi?id=14076
    
    The detailed problem analysis shows:
    
    Futex F is initialized with PTHREAD_PRIO_INHERIT and
    PTHREAD_MUTEX_ROBUST_NP attributes.
    
    T1 lock_futex_pi(F);
    
    T2 lock_futex_pi(F);
       --> T2 blocks on the futex and creates pi_state which is associated
           to T1.
    
    T1 exits
       --> exit_robust_list() runs
           --> Futex F userspace value TID field is set to 0 and
               FUTEX_OWNER_DIED bit is set.
    
    T3 lock_futex_pi(F);
       --> Succeeds due to the check for F's userspace TID field == 0
       --> Claims ownership of the futex and sets its own TID into the
           userspace TID field of futex F
       --> returns to user space
    
    T1 --> exit_pi_state_list()
           --> Transfers pi_state to waiter T2 and wakes T2 via
               rt_mutex_unlock(&pi_state->mutex)
    
    T2 --> acquires pi_state->mutex and gains real ownership of the
           pi_state
       --> Claims ownership of the futex and sets its own TID into the
           userspace TID field of futex F
       --> returns to user space
    
    T3 --> observes inconsistent state
    
    This problem is independent of UP/SMP, preemptible/non preemptible
    kernels, or process shared vs. private. The only difference is that
    certain configurations are more likely to expose it.
    
    So as Siddhesh correctly analyzed the following check in
    futex_lock_pi_atomic() is the culprit:
    
    	if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) {
    
    We check the userspace value for a TID value of 0 and take over the
    futex unconditionally if that's true.
    
    AFAICT this check is there as it is correct for a different corner
    case of futexes: the WAITERS bit became stale.
    
    Now the proposed change
    
    -	if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) {
    +       if (unlikely(ownerdied ||
    +                       !(curval & (FUTEX_TID_MASK | FUTEX_WAITERS)))) {
    
    solves the problem, but it's not obvious why and it wreckages the
    "stale WAITERS bit" case.
    
    What happens is, that due to the WAITERS bit being set (T2 is blocked
    on that futex) it enforces T3 to go through lookup_pi_state(), which
    in the above case returns an existing pi_state and therefore forces T3
    to legitimately fight with T2 over the ownership of the pi_state (via
    pi_state->mutex). Problem solved!
    
    Though that does not work for the "WAITERS bit is stale" problem
    because if lookup_pi_state() does not find existing pi_state it
    returns -ESRCH (due to TID == 0) which causes futex_lock_pi() to
    return -ESRCH to user space because the OWNER_DIED bit is not set.
    
    Now there is a different solution to that problem. Do not look at the
    user space value at all and enforce a lookup of possibly available
    pi_state. If pi_state can be found, then the new incoming locker T3
    blocks on that pi_state and legitimately races with T2 to acquire the
    rt_mutex and the pi_state and therefore the proper ownership of the
    user space futex.
    
    lookup_pi_state() has the correct order of checks. It first tries to
    find a pi_state associated with the user space futex and only if that
    fails it checks for futex TID value = 0. If no pi_state is available
    nothing can create new state at that point because this happens with
    the hash bucket lock held.
    
    So the above scenario changes to:
    
    T1 lock_futex_pi(F);
    
    T2 lock_futex_pi(F);
       --> T2 blocks on the futex and creates pi_state which is associated
           to T1.
    
    T1 exits
       --> exit_robust_list() runs
           --> Futex F userspace value TID field is set to 0 and
               FUTEX_OWNER_DIED bit is set.
    
    T3 lock_futex_pi(F);
       --> Finds pi_state and blocks on pi_state->rt_mutex
    
    T1 --> exit_pi_state_list()
           --> Transfers pi_state to waiter T2 and wakes it via
               rt_mutex_unlock(&pi_state->mutex)
    
    T2 --> acquires pi_state->mutex and gains ownership of the pi_state
       --> Claims ownership of the futex and sets its own TID into the
           userspace TID field of futex F
       --> returns to user space
    
    This covers all gazillion points on which T3 might come in between
    T1's exit_robust_list() clearing the TID field and T2 fixing it up. It
    also solves the "WAITERS bit stale" problem by forcing the take over.
    
    Another benefit of changing the code this way is that it makes it less
    dependent on untrusted user space values and therefore minimizes the
    possible wreckage which might be inflicted.
    
    As usual after staring for too long at the futex code my brain hurts
    so much that I really want to ditch that whole optimization of
    avoiding the syscall for the non contended case for PI futexes and rip
    out the maze of corner case handling code. Unfortunately we can't as
    user space relies on that existing behaviour, but at least thinking
    about it helps me to preserve my mental sanity. Maybe we should
    nevertheless :)
    
    Reported-and-tested-by: Siddhesh Poyarekar <siddhesh.poyarekar@gmail.com>
    Link: http://lkml.kernel.org/r/alpine.LFD.2.02.1210232138540.2756@ionos
    Acked-by: Darren Hart <dvhart@linux.intel.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Thomas Gleixner committed with gregkh Oct 23, 2012
  14. @hannes @gregkh

    ipv6: send unsolicited neighbour advertisements to all-nodes

    [ Upstream commit 60713a0 ]
    
    As documented in RFC4861 (Neighbor Discovery for IP version 6) 7.2.6.,
    unsolicited neighbour advertisements should be sent to the all-nodes
    multicast address.
    
    Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    hannes committed with gregkh Nov 6, 2012
  15. @regit @gregkh

    af-packet: fix oops when socket is not present

    [ Upstream commit a3d744e ]
    
    Due to a NULL dereference, the following patch is causing oops
    in normal traffic condition:
    
    commit c0de08d
    Author: Eric Leblond <eric@regit.org>
    Date:   Thu Aug 16 22:02:58 2012 +0000
    
        af_packet: don't emit packet on orig fanout group
    
    This buggy patch was a feature fix and has reached most stable
    branches.
    
    When skb->sk is NULL and when packet fanout is used, there is a
    crash in match_fanout_group where skb->sk is accessed.
    This patch fixes the issue by returning false as soon as the
    socket is NULL: this corresponds to the wanted behavior because
    the kernel has to resend the skb to all the listening sockets in
    this case.
    
    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    regit committed with gregkh Nov 6, 2012
  16. @cyrillos @gregkh

    net: inet_diag -- Return error code if protocol handler is missed

    [ Upstream commit cacb6ba ]
    
    We've observed that in case if UDP diag module is not
    supported in kernel the netlink returns NLMSG_DONE without
    notifying a caller that handler is missed.
    
    This patch makes __inet_diag_dump to return error code instead.
    
    So as example it becomes possible to detect such situation
    and handle it gracefully on userspace level.
    
    Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
    CC: David Miller <davem@davemloft.net>
    CC: Eric Dumazet <eric.dumazet@gmail.com>
    CC: Pavel Emelyanov <xemul@parallels.com>
    Acked-by: Pavel Emelyanov <xemul@parallels.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    cyrillos committed with gregkh Nov 3, 2012
  17. @xemul @gregkh

    tcp-repair: Handle zero-length data put in rcv queue

    [ Upstream commit c454e61 ]
    
    When sending data into a tcp socket in repair state we should check
    for the amount of data being 0 explicitly. Otherwise we'll have an skb
    with seq == end_seq in rcv queue, but tcp doesn't expect this to happen
    (in particular a warn_on in tcp_recvmsg shoots).
    
    Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
    Reported-by: Giorgos Mavrikas <gmavrikas@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    xemul committed with gregkh Oct 29, 2012
  18. @gregkh

    l2tp: fix oops in l2tp_eth_create() error path

    [ Upstream commit 7893363 ]
    
    When creating an L2TPv3 Ethernet session, if register_netdev() should fail for
    any reason (for example, automatic naming for "l2tpeth%d" interfaces hits the
    32k-interface limit), the netdev is freed in the error path.  However, the
    l2tp_eth_sess structure's dev pointer is left uncleared, and this results in
    l2tp_eth_delete() then attempting to unregister the same netdev later in the
    session teardown.  This results in an oops.
    
    To avoid this, clear the session dev pointer in the error path.
    
    Signed-off-by: Tom Parkin <tparkin@katalix.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Tom Parkin committed with gregkh Oct 29, 2012
  19. @petersenna @gregkh

    drivers/net/ethernet/nxp/lpc_eth.c: Call mdiobus_unregister before mdiobus_free
    
    [ Upstream commit 57c10b6 ]
    
    Based on commit b27393a
    
    Calling mdiobus_free without calling mdiobus_unregister causes
    BUG_ON(). This patch fixes the issue.
    
    The semantic patch that found this issue (http://coccinelle.lip6.fr/):
    // <smpl>
    @@
    expression E;
    @@
      ... when != mdiobus_unregister(E);
    
    + mdiobus_unregister(E);
      mdiobus_free(E);
    // </smpl>
    
    Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com>
    Tested-by: Roland Stigge <stigge@antcom.de>
    Tested-by: Alexandre Pereira da Silva <aletes.xgr@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    petersenna committed with gregkh Oct 28, 2012
  20. @netoptimizer @gregkh

    net: fix divide by zero in tcp algorithm illinois

    [ Upstream commit 8f363b7 ]
    
    Reading TCP stats when using TCP Illinois congestion control algorithm
    can cause a divide by zero kernel oops.
    
    The division by zero occurs in tcp_illinois_info() at:
     do_div(t, ca->cnt_rtt);
    where ca->cnt_rtt can become zero (when rtt_reset is called)
    
    Steps to Reproduce:
     1. Register tcp_illinois:
         # sysctl -w net.ipv4.tcp_congestion_control=illinois
     2. Monitor internal TCP information via command "ss -i"
         # watch -d ss -i
     3. Establish new TCP conn to machine
    
    Either it fails at the initial conn, or else it needs to wait
    for a loss or a reset.
    
    This is only related to reading stats.  The function avg_delay() also
    performs the same divide, but is guarded with a (ca->cnt_rtt > 0) at its
    calling point in update_params().  Thus, simply fix tcp_illinois_info().
    
    Function tcp_illinois_info() / get_info() is called without
    socket lock.  Thus, eliminate any race condition on ca->cnt_rtt
    by using a local stack variable.  Simply reuse info.tcpv_rttcnt,
    as it's already set to ca->cnt_rtt.
    Function avg_delay() is not affected by this race condition, as
    it's called with the socket lock.
    
    Cc: Petr Matousek <pmatouse@redhat.com>
    Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Stephen Hemminger <shemminger@vyatta.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    netoptimizer committed with gregkh Oct 31, 2012
  21. @gregkh

    net: usb: Fix memory leak on Tx data path

    [ Upstream commit 39707c2 ]
    
    Driver anchors the tx urbs and defers the urb submission if
    a transmit request comes when the interface is suspended.
    Anchoring urb increments the urb reference count. These
    deferred urbs are later accessed by calling usb_get_from_anchor()
    for submission during interface resume. usb_get_from_anchor()
    unanchors the urb but urb reference count remains same.
    This causes the urb reference count to remain non-zero
    after usb_free_urb() gets called and urb never gets freed.
    Hence call usb_put_urb() after anchoring the urb to properly
    balance the reference count for these deferred urbs. Also,
    unanchor these deferred urbs during disconnect, to free them
    up.
    
    Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
    Acked-by: Oliver Neukum <oneukum@suse.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Hemant Kumar committed with gregkh Oct 25, 2012
  22. @gregkh

    ipv6: Set default hoplimit as zero.

    [ Upstream commit 14edd87 ]
    
    Commit a02e4b7 (Demark default hoplimit as zero) only changes the
    hoplimit checking condition and default value in ip6_dst_hoplimit, not
    zeros all hoplimit default value.
    
    Keep the zeroing ip6_template_metrics[RTAX_HOPLIMIT - 1] to force it as
    const, cause as a37e6e3 (net: force dst_default_metrics to const
    section)
    
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Li RongQing committed with gregkh Oct 24, 2012
  23. @gregkh

    net: fix secpath kmemleak

    [ Upstream commit 3d861f6 ]
    
    Mike Kazantsev found 3.5 kernels and beyond were leaking memory,
    and tracked the faulty commit to a1c7fff ("net:
    netdev_alloc_skb() use build_skb()")
    
    While this commit seems fine, it uncovered a bug introduced
    in commit bad43ca ("net: introduce skb_try_coalesce()"), in function
    kfree_skb_partial():
    
    If head is stolen, we free the sk_buff,
    without removing references on secpath (skb->sp).
    
    So IPsec + IP defrag/reassembly (using skb coalescing), or
    TCP coalescing could leak secpath objects.
    
    Fix this bug by calling skb_release_head_state(skb) to properly
    release all possible references to linked objects.
    
    Reported-by: Mike Kazantsev <mk.fraggod@gmail.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Bisected-by: Mike Kazantsev <mk.fraggod@gmail.com>
    Tested-by: Mike Kazantsev <mk.fraggod@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Eric Dumazet committed with gregkh Oct 22, 2012
  24. @gregkh

    tcp: fix FIONREAD/SIOCINQ

    [ Upstream commit a3374c4 ]
    
    tcp_ioctl() tries to take into account if tcp socket received a FIN
    to report correct number of bytes in receive queue.
    
    But it's flaky because if the application ate the last skb,
    we return 1 instead of 0.
    
    Correct way to detect that FIN was received is to test SOCK_DONE.
    
    Reported-by: Elliot Hughes <enh@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Neal Cardwell <ncardwell@google.com>
    Cc: Tom Herbert <therbert@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Eric Dumazet committed with gregkh Oct 18, 2012
  25. @gregkh

    netlink: use kfree_rcu() in netlink_release()

    [ Upstream commit 6d772ac ]
    
    On some suspend/resume operations involving wimax device, we have
    noticed some intermittent memory corruptions in netlink code.
    
    Stéphane Marchesin tracked this corruption in netlink_update_listeners()
    and suggested a patch.
    
    It appears netlink_release() should use kfree_rcu() instead of kfree()
    for the listeners structure as it may be used by other cpus using RCU
    protection.
    
    netlink_release() must set to NULL the listeners pointer when
    it is about to be freed.
    
    Also have to protect netlink_update_listeners() and
    netlink_has_listeners() if listeners is NULL.
    
    Add a nl_deref_protected() lockdep helper to properly document which
    locks protect us.
    
    Reported-by: Jonathan Kliegman <kliegs@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Stéphane Marchesin <marcheu@google.com>
    Cc: Sam Leffler <sleffler@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Eric Dumazet committed with gregkh Oct 18, 2012
  26. @gregkh

    ipv4: Fix flushing of cached routing informations

    [ Upstream commit 13d82bf ]
    
    Currently we can not flush cached pmtu/redirect information via
    the ipv4_sysctl_rtcache_flush sysctl. We need to check the rt_genid
    of the old route and reset the nh exception if the old route is
    expired when we bind a new route to a nh exception.
    
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Steffen Klassert committed with gregkh Oct 17, 2012
  27. @gregkh

    sctp: fix call to SCTP_CMD_PROCESS_SACK in sctp_cmd_interpreter()

    [ Upstream commit f6e80ab ]
    
    Bug introduced by commit edfee03
    (sctp: check src addr when processing SACK to update transport state)
    
    Signed-off-by: Zijie Pan <zijie.pan@6wind.com>
    Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Acked-by: Vlad Yasevich <vyasevich@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Zijie Pan committed with gregkh Oct 15, 2012
  28. @tiwai @gregkh

    ALSA: Avoid endless sleep after disconnect

    commit 0914f79 upstream.
    
    When disconnect callback is called, each component should wake up
    sleepers and check card->shutdown flag for avoiding the endless sleep
    blocking the proper resource release.
    
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    tiwai committed with gregkh Nov 7, 2012
  29. @tiwai @gregkh

    ALSA: Add a reference counter to card instance

    commit a0830db upstream.
    
    For more strict protection for wild disconnections, a refcount is
    introduced to the card instance, and let it up/down when an object is
    referred via snd_lookup_*() in the open ops.
    
    The free-after-last-close check is also changed to check this refcount
    instead of the empty list, too.
    
    Reported-by: Matthieu CASTET <matthieu.castet@parrot.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    tiwai committed with gregkh Nov 7, 2012
  30. @tiwai @gregkh

    ALSA: usb-audio: Fix races at disconnection in mixer_quirks.c

    commit 888ea7d upstream.
    
    Similar like the previous commit, cover with chip->shutdown_rwsem
    and chip->shutdown checks.
    
    Reported-by: Matthieu CASTET <matthieu.castet@parrot.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    tiwai committed with gregkh Nov 7, 2012
  31. @tiwai @gregkh

    ALSA: usb-audio: Use rwsem for disconnect protection

    commit 34f3c89 upstream.
    
    Replace mutex with rwsem for codec->shutdown protection so that
    concurrent accesses are allowed.
    
    Also add the protection to snd_usb_autosuspend() and
    snd_usb_autoresume(), too.
    
    Reported-by: Matthieu CASTET <matthieu.castet@parrot.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    tiwai committed with gregkh Nov 7, 2012
  32. @tiwai @gregkh

    ALSA: usb-audio: Fix races at disconnection

    commit 978520b upstream.
    
    Close some races at disconnection of a USB audio device by adding the
    chip->shutdown_mutex and chip->shutdown check at appropriate places.
    
    The spots to put bandaids are:
    - PCM prepare, hw_params and hw_free
    - where the usb device is accessed for communication or get speed, in
     mixer.c and others; the device speed is now cached in subs->speed
     instead of accessing to chip->dev
    
    The accesses in PCM open and close don't need the mutex protection
    because these are already handled in the core PCM disconnection code.
    
    The autosuspend/autoresume codes are still uncovered by this patch
    because of possible mutex deadlocks.  They'll be covered by the
    upcoming change to rwsem.
    
    Also the mixer codes are untouched, too.  These will be fixed in
    another patch, too.
    
    Reported-by: Matthieu CASTET <matthieu.castet@parrot.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    tiwai committed with gregkh Nov 7, 2012
  33. @tiwai @gregkh

    ALSA: PCM: Fix some races at disconnection

    commit 9b0573c upstream.
    
    Fix races at PCM disconnection:
    - while a PCM device is being opened or closed
    - while the PCM state is being changed without lock in prepare,
      hw_params, hw_free ops
    
    Reported-by: Matthieu CASTET <matthieu.castet@parrot.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    tiwai committed with gregkh Nov 7, 2012
  34. @gregkh

    hwmon: (w83627ehf) Force initial bank selection

    commit 3300fb4 upstream.
    
    Don't assume bank 0 is selected at device probe time. This may not be
    the case. Force bank selection at first register access to guarantee
    that we read the right registers upon driver loading.
    
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Reviewed-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Jean Delvare committed with gregkh Nov 5, 2012
  35. @ihadzic @gregkh

    drm: set dev_mapping before calling drm_open_helper

    commit fdb40a0 upstream.
    
    Some drivers (specifically vmwgfx) look at dev_mapping
    in their open hook, so we have to set dev->dev_mapping
    earlier in the process.
    
    Reference:
    http://lists.freedesktop.org/archives/dri-devel/2012-October/029420.html
    
    Signed-off-by: Ilija Hadzic <ihadzic@research.bell-labs.com>
    Reported-by: Thomas Hellstrom <thellstrom@vmware.com>
    Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    ihadzic committed with gregkh Oct 29, 2012