Commit Graph

362014 Commits

Author SHA1 Message Date
Johan Hovold
7b24596905 USB: io_ti: fix use-after-free in TIOCMIWAIT
Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-03-21 15:59:04 -07:00
Johan Hovold
333576255d USB: io_edgeport: fix use-after-free in TIOCMIWAIT
Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-03-21 15:59:03 -07:00
Johan Hovold
71ccb9b019 USB: ftdi_sio: fix use-after-free in TIOCMIWAIT
Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

When switching to tty ports, some lifetime assumptions were changed.
Specifically, close can now be called before the final tty reference is
dropped as part of hangup at device disconnect. Even with the ftdi
private-data refcounting this means that the port private data can be
freed while a process is sleeping on modem-status changes and thus
cannot be relied on to detect disconnects when woken up.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-03-21 15:59:03 -07:00
Johan Hovold
508f940f14 USB: f81232: fix use-after-free in TIOCMIWAIT
Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-03-21 15:59:03 -07:00
Johan Hovold
356050d8b1 USB: cypress_m8: fix use-after-free in TIOCMIWAIT
Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

Also remove bogus test for private data pointer being NULL as it is
never assigned in the loop.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-03-21 15:59:03 -07:00
Johan Hovold
fa1e11d523 USB: ch341: fix use-after-free in TIOCMIWAIT
Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-03-21 15:59:03 -07:00
Johan Hovold
5018860321 USB: ark3116: fix use-after-free in TIOCMIWAIT
Use the port wait queue and make sure to check the serial disconnected
flag before accessing private port data after waking up.

This is is needed as the private port data (including the wait queue
itself) can be gone when waking up after a disconnect.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-03-21 15:59:02 -07:00
Johan Hovold
e5b33dc9d1 USB: serial: add modem-status-change wait queue
Add modem-status-change wait queue to struct usb_serial_port that
subdrivers can use to implement TIOCMIWAIT.

Currently subdrivers use a private wait queue which may have been
released when waking up after device disconnected.

Note that we're adding a new wait queue rather than reusing the tty-port
one as we do not want to get woken up at hangup (yet).

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-03-21 15:59:02 -07:00
Johan Hovold
d7971051e4 USB: serial: fix interface refcounting
Make sure the interface is not released before our serial device.

Note that drivers are still not allowed to access the interface in
any way that may interfere with another driver that may have gotten
bound to the same interface after disconnect returns.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-03-21 15:59:02 -07:00
Johan Hovold
5492bf3d56 USB: io_ti: fix get_icount for two port adapters
Add missing get_icount field to two-port driver.

The two-port driver was not updated when switching to the new icount
interface in commit 0bca1b913a ("tty: Convert the USB drivers to the
new icount interface").

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-03-21 15:59:02 -07:00
Johan Hovold
618aa1068d USB: garmin_gps: fix memory leak on disconnect
Remove bogus disconnect test introduced by 95bef012e ("USB: more serial
drivers writing after disconnect") which prevented queued data from
being freed on disconnect.

The possible IO it was supposed to prevent is long gone.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-03-21 15:59:02 -07:00
Johan Hovold
cb25505fc6 USB: cdc-acm: fix device unregistration
Unregister tty device in disconnect as is required by the USB stack.

By deferring unregistration to when the last tty reference is dropped,
the parent interface device can get unregistered before the child
resulting in broken hotplug events being generated when the tty is
finally closed:

KERNEL[2290.798128] remove   /devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1:3.1 (usb)
KERNEL[2290.804589] remove   /devices/pci0000:00/0000:00:1d.7/usb2/2-1 (usb)
KERNEL[2294.554799] remove   /2-1:3.1/tty/ttyACM0 (tty)

The driver must deal with tty callbacks after disconnect by checking the
disconnected flag. Specifically, further opens must be prevented and
this is already implemented.

Cc: stable <stable@vger.kernel.org>
Cc: Oliver Neukum <oneukum@suse.de>
Acked-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-03-21 15:59:01 -07:00
Alexey Khoroshilov
c93d819550 usb: cdc-acm: fix error handling in acm_probe()
acm_probe() ignores errors in tty_port_register_device()
and leaves intfdata pointing to freed memory on alloc_fail7
error path. The patch fixes the both issues.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Acked-by: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-03-21 15:59:01 -07:00
Andrzej Hajda
6ba4d05e84 [media] m5mols: Fix bug in stream on handler
Due to improper condition check streaming start for some pixel
formats was prevent and the s_stream just reatuned -EINVAL.
This fixes regression introduced in commit 5565a2ad47
[media] m5mols: Protect driver data with a mutex.

Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2013-03-21 18:25:09 -03:00
Sylwester Nawrocki
8c6ecdd7ce [media] s5p-fimc: Do not attempt to disable not enabled media pipeline
This fixes following warnings when all links are being disconnected:
[   20.080000] WARNING: at drivers/media/platform/s5p-fimc/fimc-mdevice.c:1269 __fimc_md_set_camclk+0x208/0x20c()
[   20.090000] Modules linked in:
[   20.095000] [<c001603c>] (unwind_backtrace+0x0/0x13c) from [<c00246dc>] (warn_slowpath_common+0x54/0x64)
[   20.105000] [<c00246dc>] (warn_slowpath_common+0x54/0x64) from [<c0024708>] (warn_slowpath_null+0x1c/0x24)
[   20.115000] [<c0024708>] (warn_slowpath_null+0x1c/0x24) from [<c0323fe8>] (__fimc_md_set_camclk+0x208/0x20c)
[   20.125000] [<c0323fe8>] (__fimc_md_set_camclk+0x208/0x20c) from [<c0324368>] (__fimc_pipeline_close+0x38/0x48)
[   20.135000] [<c0324368>] (__fimc_pipeline_close+0x38/0x48) from [<c0325848>] (fimc_md_link_notify+0x10c/0x198)
[   20.145000] [<c0325848>] (fimc_md_link_notify+0x10c/0x198) from [<c02f9dd4>] (__media_entity_setup_link+0x1c0/0x1e8)
[   20.155000] [<c02f9dd4>] (__media_entity_setup_link+0x1c0/0x1e8) from [<c02f9710>] (media_device_ioctl+0x2c0/0x41c)
[   20.165000] [<c02f9710>] (media_device_ioctl+0x2c0/0x41c) from [<c02f9938>] (media_ioctl+0x30/0x34)
[   20.175000] [<c02f9938>] (media_ioctl+0x30/0x34) from [<c00cf0bc>] (do_vfs_ioctl+0x84/0x5e8)
[   20.185000] [<c00cf0bc>] (do_vfs_ioctl+0x84/0x5e8) from [<c00cf65c>] (sys_ioctl+0x3c/0x60)
[   20.190000] [<c00cf65c>] (sys_ioctl+0x3c/0x60) from [<c000f040>] (ret_fast_syscall+0x0/0x30)

Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2013-03-21 18:24:57 -03:00
Arun Kumar K
053e09f319 [media] s5p-mfc: Fix encoder control 15 issue
mfc-encoder is not working in the latest kernel giving the
erorr "Adding control (15) failed". Adding the missing step
parameter in this control to fix the issue.

Signed-off-by: Arun Kumar K <arun.kk@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2013-03-21 18:24:38 -03:00
Arun Kumar K
90c0ae5009 [media] s5p-mfc: Fix frame skip bug
The issue was seen in VP8 decoding where the last frame was
skipped by the driver. This patch gets the correct frame_type value
to fix this bug.

Signed-off-by: Arun Kumar K <arun.kk@samsung.com>
Signed-off-by: Arun Mankuzhi <arun.m@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2013-03-21 18:24:07 -03:00
Shaik Ameer Basha
e34a89b397 [media] s5p-fimc: send valid m2m ctx to fimc_m2m_job_finish
fimc_m2m_job_finish() has to be called with the m2m context for the necessary
cleanup while resume. But currently fimc_m2m_job_finish() always passes m2m
context as NULL.
This patch preserves the context before making it null, for necessary cleanup.

Signed-off-by: Shaik Ameer Basha <shaik.ameer@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2013-03-21 18:23:21 -03:00
Shaik Ameer Basha
5d83790be7 [media] exynos-gsc: send valid m2m ctx to gsc_m2m_job_finish
gsc_m2m_job_finish() has to be called with the m2m context for the necessary
cleanup while resume. But currently gsc_m2m_job_finish() always passes m2m
context as NULL.
This patch preserves the context before making it null, for necessary cleanup.
Use gsc_m2m_opened() instead gsc_m2m_active() in gsc_resume().

Signed-off-by: Shaik Ameer Basha <shaik.ameer@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2013-03-21 18:23:06 -03:00
Shaik Ameer Basha
6a5360966a [media] fimc-lite: Fix the variable type to avoid possible crash
Changing the variable type to 'int' from 'unsigned int'. Driver
logic expects the variable type to be 'int'.

Signed-off-by: Shaik Ameer Basha <shaik.ameer@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2013-03-21 18:22:43 -03:00
Shaik Ameer Basha
4cec1893d8 [media] fimc-lite: Initialize 'step' field in fimc_lite_ctrl structure
v4l2_ctrl_new() uses check_range() for control range checking.
This function expects 'step' value for V4L2_CTRL_TYPE_BOOLEAN type control.
If 'step' value doesn't match to '1', it returns -ERANGE error.
This patch adds the default .step value to 1.

Signed-off-by: Shaik Ameer Basha <shaik.ameer@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2013-03-21 18:22:08 -03:00
Richard Genoud
740924a267 pinmux: forbid mux_usecount to be set at UINT_MAX
If pin_free is called on a pin already freed, mux_usecount is set to
UINT_MAX which is really a bad idea.

This will issue a warning, so that we can correct the code responsible
for the double free.

Signed-off-by: Richard Genoud <richard.genoud@gmail.com>
Reviewed-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2013-03-21 19:26:18 +01:00
Simon Guinot
48a23fac5e pinctrl: mvebu: fix checking for SoC specific controls
This patch fixes a minor bug (probably due to a typo) while checking
the SoC specific controls in mvebu_pinctrl_probe().

Acked-by: Sebastian Hesselbarth <sebastian.hesselbarth@gmail.com>
Signed-off-by: Simon Guinot <simon.guinot@sequanux.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2013-03-21 18:50:54 +01:00
Jeff Layton
f853c61688 cifs: ignore everything in SPNEGO blob after mechTypes
We've had several reports of people attempting to mount Windows 8 shares
and getting failures with a return code of -EINVAL. The default sec=
mode changed recently to sec=ntlmssp. With that, we expect and parse a
SPNEGO blob from the server in the NEGOTIATE reply.

The current decode_negTokenInit function first parses all of the
mechTypes and then tries to parse the rest of the negTokenInit reply.
The parser however currently expects a mechListMIC or nothing to follow the
mechTypes, but Windows 8 puts a mechToken field there instead to carry
some info for the new NegoEx stuff.

In practice, we don't do anything with the fields after the mechTypes
anyway so I don't see any real benefit in continuing to parse them.
This patch just has the kernel ignore the fields after the mechTypes.
We'll probably need to reinstate some of this if we ever want to support
NegoEx.

Reported-by: Jason Burgess <jason@jacknife2.dns2go.com>
Reported-by: Yan Li <elliot.li.tech@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Steve French <sfrench@us.ibm.com>
2013-03-21 12:40:19 -05:00
Al Viro
06ae43f34b Don't bother with redoing rw_verify_area() from default_file_splice_from()
default_file_splice_from() ends up calling vfs_write() (via very convoluted
callchain).  It's an overkill, since we already have done rw_verify_area()
in the caller by the time we call vfs_write() we are under set_fs(KERNEL_DS),
so access_ok() is also pointless.  Add a new helper (__kernel_write()),
use it instead of kernel_write() in there.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-03-21 13:11:11 -04:00
Arnd Bergmann
a8d03eb42b The imx fixes for 3.9, take 3:
- Add the lost dependency check for DEBUG_IMX_UART_PORT back
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQEcBAABAgAGBQJRR/5HAAoJEFBXWFqHsHzOQxsH/2vXHYV3ds9HeBzb9UPIQEo5
 dXKdUiSz/Sh/5gdm43swUOHr8nl3Wm0hqErGM1acyEBUcG9zDIJUMF5UX59tXCKs
 uEFp/TufyDK1VCMwdkUrPZG9WNXnYZuAkAWv6plGZk+ZhHFYAUQccOH9TN8JE11E
 IgmO2NTt9gG83dMF/jxsLQBGE0YcPWzdR34Uyfl4TUwq8w+MTUalWKpajn5pKkQ2
 4rvqNRaXevlVRzKxYH5/Xpd0VeFZH1eK/wbWEQfc1jBXlGv52Fz3OTJWSOCi2z+y
 FQ9DwShaHfHbhwJmM8pgWyHzUsd4iPuPxpsbtAIuM9yhOQkxxDLAshjCSjpJByI=
 =lu20
 -----END PGP SIGNATURE-----

Merge tag 'imx-fixes-3.9-3' of git://git.linaro.org/people/shawnguo/linux-2.6 into fixes

From Shawn Guo <shawn.guo@linaro.org>:

The imx fixes for 3.9, take 3:
 - Add the lost dependency check for DEBUG_IMX_UART_PORT back

* tag 'imx-fixes-3.9-3' of git://git.linaro.org/people/shawnguo/linux-2.6:
  ARM: imx: add dependency check for DEBUG_IMX_UART_PORT

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2013-03-21 17:40:07 +01:00
Arnd Bergmann
a4ba740d41 The mxs fixes for 3.9, take 3:
- Fix the shifted framebuffer with X11 system
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQEcBAABAgAGBQJRR/2TAAoJEFBXWFqHsHzOxSYH/1ZOu9LcOclGxw79GE+GxZqK
 ZiZXyPSlgb+0+oXGezYq04ciGfKMgNmORuJfuxseH1cHPY0JqccmWac3mXKC7fYE
 qlNdp/xjLihHJnYH3XJCbUJJ0axtt518FJB2WAT5oi3+MP7+XhqSaYvwpwq3d+Hy
 pVC/VuSdfqKJg6JhxoQ+F8G/y7OXMF92C9WjQCeQZlfYDsr40e6Wg7UsXnerqqhi
 HmY/hLF0vZatgsO4LNxRFJpzYl5Ahr+/svv6gH1MbcaL4iMo5U6RhgAtAiDSAY6E
 jgpfNUHmCjAWHCjr30uxiD0fyXZk9Aq1jiQ3iUBZ9GbghHkxKWgeNtuKdn8JkMo=
 =kmVW
 -----END PGP SIGNATURE-----

Merge tag 'mxs-fixes-3.9-3' of git://git.linaro.org/people/shawnguo/linux-2.6 into fixes

From Shawn Guo <shawn.guo@linaro.org>:

The mxs fixes for 3.9, take 3:
 - Fix the shifted framebuffer with X11 system

* tag 'mxs-fixes-3.9-3' of git://git.linaro.org/people/shawnguo/linux-2.6:
  ARM: video: mxs: Fix mxsfb misconfiguring VDCTRL0

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2013-03-21 17:38:49 +01:00
Andrey Vagin
ae5fc98728 net: fix *_DIAG_MAX constants
Follow the common pattern and define *_DIAG_MAX like:

        [...]
        __XXX_DIAG_MAX,
};

Because everyone is used to do:

        struct nlattr *attrs[XXX_DIAG_MAX+1];

        nla_parse([...], XXX_DIAG_MAX, [...]

Reported-by: Thomas Graf <tgraf@suug.ch>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Pavel Emelyanov <xemul@parallels.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-21 12:36:33 -04:00
Takashi Iwai
55a63d4da3 ALSA: hda - Fix DAC assignment for independent HP
The generic parser should evaluate the availability of the independent
HP when specified.  Otherwise a DAC without the direct connection to
the corresponding pin may be assigned for the HP, but the driver
doesn't check it at all.  The problem was actually seen on some
machines with VT1708s or equivalent codec, where DAC0 is assigned to
HP although it can be connected only via aamix.

This patch adds the badness evaluation for the independent HP to make
it working properly.

Reported-by: Lydia Wang <LydiaWang@viatech.com.cn>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2013-03-21 17:20:12 +01:00
David S. Miller
b37391e68c Merge branch 'mlx4'
Or Gerlitz says:

====================
Here's a batch of mlx4 driver fixes for 3.9, mostly SRIOV/Flow-steering
related. Series done against the net tree as of commit 5a3da1f
"inet: limit length of fragment queue hash table bucket lists
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-21 12:05:32 -04:00
Hadar Hen Zion
2c473ae7e5 net/mlx4_core: Disallow releasing VF QPs which have steering rules
VF QPs must not be released when they have steering rules attached to them.

For that end, introduce a reference count field to the QP object in the
SRIOV resource tracker which is incremented/decremented when steering rules
are attached/detached to it. QPs can be released by VF only when their
ref count is zero.

Signed-off-by: Hadar Hen Zion <hadarh@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-21 12:05:08 -04:00
Hadar Hen Zion
1e3f7b324e net/mlx4_core: Always use 64 bit resource ID when doing lookup
One of the resource tracker code paths was wrongly using int and not u64
for resource tracking IDs, fix it.

Signed-off-by: Hadar Hen Zion <hadarh@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-21 12:05:08 -04:00
Hadar Hen Zion
6efb5fac4d net/mlx4_en: Remove ethtool flow steering rules before releasing QPs
Fix the ethtool flow steering rules cleanup to be carried out before
releasing the RX QPs.

Signed-off-by: Hadar Hen Zion <hadarh@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-21 12:05:08 -04:00
Hadar Hen Zion
80cb002116 net/mlx4_core: Fix wrong order of flow steering resources removal
On the resource tracker cleanup flow, the DMFS rules must be deleted before we
destroy the QPs, else the HW may attempt doing packet steering to non existent QPs.

Signed-off-by: Hadar Hen Zion <hadarh@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-21 12:05:07 -04:00
Moshe Lazer
c101c81b52 net/mlx4_core: Fix wrong mask applied on EQ numbers in the wrapper
Currently the  mask is wrongly set in the MAP_EQ wrapper, fix that.
Without the fix any EQ number above 511 is mapped to one below 511.

Signed-off-by: Moshe Lazer <moshel@mellanox.com>
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-21 12:05:07 -04:00
Lothar Waßmann
ce16294fda net: ethernet: cpsw: fix erroneous condition in error check
The error check in cpsw_probe_dt() has an '&&' where an '||' is
meant to be. This causes a NULL pointer dereference when incomplet DT
data is passed to the driver ('phy_id' property for cpsw_emac1
missing).

Signed-off-by: Lothar Waßmann <LW@KARO-electronics.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-21 11:57:42 -04:00
Wei Yongjun
cb0e51d806 lantiq_etop: use free_netdev(netdev) instead of kfree()
Freeing netdev without free_netdev() leads to net, tx leaks.
And it may lead to dereferencing freed pointer.

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-03-21 11:50:10 -04:00
Greg Kroah-Hartman
d93acbcacd usb: fixes for v3.9-rc4
udc-core learned that it shouldn't use invalid pointers
 when unloading a gadget driver.
 
 net2272 and net2280 got a fix for a regression caused by
 the udc_start/udc_stop conversion.
 
 We're defining a static inline no-op for otg_ulpi_create()
 to prevent build errors when that driver isn't enabled.
 
 FunctionFS got a fix for an off-by-one error when binding
 and unbinding instances of FunctionFS.
 
 MUSB learned that it shouldn't try to unmap buffers which
 weren't previously mapped.
 
 f_rndis got a fix for a possible NULL pointer dereference
 in a debugging message code.
 
 MUSB's DA8xx glue layer got a build fix due to a typo.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.12 (GNU/Linux)
 
 iQIcBAABAgAGBQJRSu6dAAoJEIaOsuA1yqREdA8P/R4iKKZ3H23xfSJirQaEYADY
 ejeCefHeev+QFXcRVtkhTMGV1Kt6ZLAJ19wrTT3xdENjUbBZdx+9GzN/bUsr5yAO
 SjBFSzVkbbELn4es+hbUPIJgGDa+/DOs9nLgDLlzdaaWbbyvpsl5cbokGAYFgstn
 xy/36e5wctm066cZzG78+cewtuvKxXHANhZt7tTNLWfu/ARaBfiDoYH+fhobJwzq
 poZ47hZPxPE5nn9ppB16jtvpAFAXT8AQZg4SGA2yIRKXkExNNCOUh2xxIHnmWdI2
 k3Qp0YUlCUsoCifFu6k0vhJBxctbi9AVTnnBJXWokw4tX4bVt9uglDkXXZdOfQ/y
 vA3j+lY9rSjuBixmNjVlvwP77qyR85ILFF9WDhwsGrSNJyeUyV/Fmy2s7sRZFLjL
 X6ziN2Tj/3gC6uaO5Rbgmw7aURy8UyML/byBVq/uRMTu0NJPGxnC5xM2WPmGl9nz
 dWP2mcd193rxys8GYH7G6zz4MJ3WFyPgJ0VszsT/kGI/rL0ij1xTuKnw7zsP38Mk
 RINfeBcY2Msi0Mt4KnXJ8vgSIyI3XOwVCebKCAIdc4rktVAryKCJTjtXMlHD4niI
 rTztkXPkM4bcEiqa29FIhGkiYsQfQ66N8a9RbH6nWZSvhbgs1p8Y721FYfTKt+54
 oTvm35fUgthYTtpig5bN
 =wGIr
 -----END PGP SIGNATURE-----

Merge tag 'fixes-for-v3.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus

Felipe writes:

	usb: fixes for v3.9-rc4

	udc-core learned that it shouldn't use invalid pointers
	when unloading a gadget driver.

	net2272 and net2280 got a fix for a regression caused by
	the udc_start/udc_stop conversion.

	We're defining a static inline no-op for otg_ulpi_create()
	to prevent build errors when that driver isn't enabled.

	FunctionFS got a fix for an off-by-one error when binding
	and unbinding instances of FunctionFS.

	MUSB learned that it shouldn't try to unmap buffers which
	weren't previously mapped.

	f_rndis got a fix for a possible NULL pointer dereference
	in a debugging message code.

	MUSB's DA8xx glue layer got a build fix due to a typo.
2013-03-21 08:40:22 -07:00
Linus Torvalds
0a7e453103 Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux
Pull thermal management fixes from Zhang Rui.

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
  thermal: exynos_thermal: return a proper error code while thermal_zone_device_register fail.
  thermal: rcar_thermal: propagate return value of thermal_zone_device_register
  Thermal: kirkwood: Convert to devm_ioremap_resource()
  Thermal: rcar: Convert to devm_ioremap_resource()
  Thermal: dove: Convert to devm_ioremap_resource()
  thermal: rcar: fix missing unlock on error in rcar_thermal_update_temp()
2013-03-21 08:37:10 -07:00
Linus Torvalds
cd82346934 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf fixes from Ingo Molnar:
 "A fair chunk of the linecount comes from a fix for a tracing bug that
  corrupts latency tracing buffers when the overwrite mode is changed on
  the fly - the rest is mostly assorted fewliner fixlets."

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/x86: Add SNB/SNB-EP scheduling constraints for cycle_activity event
  kprobes/x86: Check Interrupt Flag modifier when registering probe
  kprobes: Make hash_64() as always inlined
  perf: Generate EXIT event only once per task context
  perf: Reset hwc->last_period on sw clock events
  tracing: Prevent buffer overwrite disabled for latency tracers
  tracing: Keep overwrite in sync between regular and snapshot buffers
  tracing: Protect tracer flags with trace_types_lock
  perf tools: Fix LIBNUMA build with glibc 2.12 and older.
  tracing: Fix free of probe entry by calling call_rcu_sched()
  perf/POWER7: Create a sysfs format entry for Power7 events
  perf probe: Fix segfault
  libtraceevent: Remove hard coded include to /usr/local/include in Makefile
  perf record: Fix -C option
  perf tools: check if -DFORTIFY_SOURCE=2 is allowed
  perf report: Fix build with NO_NEWT=1
  perf annotate: Fix build with NO_NEWT=1
  tracing: Fix race in snapshot swapping
2013-03-21 08:29:11 -07:00
Linus Torvalds
172a271b5e Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
 "Radeon, intel and nouveau, along with one mgag200 fix

   - intel fix for an ioctl overflow, along with a regression fix for
     some phantom irqs on Ironlake.
   - nouveau has a lockdep warning and a bunch of thermal fixes
   - radeon has new pci ids and some minor fixes."

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (26 commits)
  drm/mgag200: Bug fix: Modified pll algorithm for EH project
  drm/i915: stop using GMBUS IRQs on Gen4 chips
  drm/nv50/kms: prevent lockdep false-positive in page flipping path
  drm/nouveau/core: fix return value of nouveau_object_del()
  MAINTAINERS: intel-gfx is no longer subscribers-only
  drm/i915: Use the fixed pixel clock for eDP in intel_dp_set_m_n()
  drm/nouveau/hwmon: do not expose a buggy temperature if it is unavailable
  drm/nouveau/therm: display the availability of the internal sensor
  drm/nouveau/therm: disable temperature management if the sensor isn't readable
  drm/nouveau/therm: disable auto fan management if temperature is not available
  drm/nv40/therm: reserve negative temperatures for errors
  drm/nv40/therm: disable temperature reading if the bios misses some parameters
  drm/nouveau/therm-ic: the temperature is off by sensor_constant, warn the user
  drm/nouveau/therm: remove some confusion introduced by therm_mode
  drm/nouveau/therm: do not make assumptions on temperature
  drm/nv40/therm: increase the sensor's settling delay to 20ms
  drm/nv40/therm: improve selection between the old and the new style
  Revert "drm/i915: try to train DP even harder"
  drm/radeon: add Richland pci ids
  drm/radeon: add support for Richland APUs
  ...
2013-03-21 08:27:58 -07:00
Linus Torvalds
85ab3c4617 A set of device-mapper fixes for 3.9.
Fix reported data loss with discards and thin snapshots; avoid a
 deadlock observed in dm verity; fix a race in the new dm cache code
 along with some other minor bugs; store the cache policy version on disk
 to make the stored hints format future-proof.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJRSfH2AAoJEK2W1qbAHj1nENIP+wQCLqY5Sl1uBbtJ1s1T102U
 RDDqSNQKRvsRlR+lfL4QR+kAeUyOyU8C4K/RPh3G4BUXjT+3UxMtQ1ZeliUQX8qa
 Vt2gywtAS+eyydOHgUmywnDc/u9OT5JRcbww/uEoeUj9GnhBZJQ205t4eqPxcP6q
 cx0S3pBAQqwMu2BTmBQY1CrDP/7LQ545TU/PPbu/Y7VStgd+XyNkPA5VcuyBuwl1
 MlK1666x2QMQ5whJBSs8diGZYXZo4rRLUWQuaytJdyvANdip7Kv1jZyx/M1nMBk2
 /dtBY79RoOQEeUrptwF/BltuFrXY1YGnX5f/lhCaVtpaKusKcLX19foIM+0jnlVg
 qigMn0RVtXKckWfSVa0rA5I+XFpRwjgPtqAIbeFWYrOG6qcjamvlIB4fz2ARMYDD
 clymfIzPk/HRrbgmrFvZSa/LCwLWrU6ZXchVuPKzqjtj1doBBdKT4tgrLeIlsNJE
 Cx1q5bLKJAUXGpoW9yfNGWrAujF6rmMU0xhOk+SjmUQU5JZguCpX+5TsCqB43tup
 wW8/BamGWijlsIJzFi0VyvtqspXL/nwfXO+hx8KitXaszduj5EulDJ9dopqJOV1p
 N9VfCQ6xbWW+iTBsnkCf5bgNPSZpPa2V/CQrXM6eSmYQhnK1YMTKXmYRfCnBJtjC
 rmvMV/VpWddO82NA4bq0
 =7+/X
 -----END PGP SIGNATURE-----

Merge tag 'dm-3.9-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-dm

Pull device-mapper fixes from Alasdair G Kergon:
 "Fix reported data loss with discards and thin snapshots; avoid a
  deadlock observed in dm verity; fix a race in the new dm cache code
  along with some other minor bugs; store the cache policy version on
  disk to make the stored hints format future-proof."

* tag 'dm-3.9-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-dm:
  dm cache: policy ignore hints if generated by different version
  dm cache: policy change version from string to integer set
  dm cache: fix race in writethrough implementation
  dm cache: metadata clear dirty bits on clean shutdown
  dm cache: avoid calling policy destructor twice on error
  dm cache: detect cache_create failure
  dm cache: avoid 64 bit division on 32 bit
  dm verity: avoid deadlock
  dm thin: fix non power of two discard granularity calc
  dm thin: fix discard corruption
2013-03-21 08:27:03 -07:00
Trond Myklebust
240286725d NFSv4.1: Add a helper pnfs_commit_and_return_layout
In order to be able to safely return the layout in nfs4_proc_setattr,
we need to block new uses of the layout, wait for all outstanding
users of the layout to complete, commit the layout and then return it.

This patch adds a helper in order to do all this safely.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: Boaz Harrosh <bharrosh@panasas.com>
2013-03-21 10:31:21 -04:00
Trond Myklebust
2495680434 NFSv4.1: Always clear the NFS_INO_LAYOUTCOMMIT in layoutreturn
Note that clearing NFS_INO_LAYOUTCOMMIT is tricky, since it requires
you to also clear the NFS_LSEG_LAYOUTCOMMIT bits from the layout
segments.
The only two sites that need to do this are the ones that call
pnfs_return_layout() without first doing a layout commit.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Acked-by: Benny Halevy <bhalevy@tonian.com>
Cc: stable@vger.kernel.org
2013-03-21 10:31:21 -04:00
Trond Myklebust
a073dbff35 NFSv4.1: Fix a race in pNFS layoutcommit
We need to clear the NFS_LSEG_LAYOUTCOMMIT bits atomically with the
NFS_INO_LAYOUTCOMMIT bit, otherwise we may end up with situations
where the two are out of sync.
The first half of the problem is to ensure that pnfs_layoutcommit_inode
clears the NFS_LSEG_LAYOUTCOMMIT bit through pnfs_list_write_lseg.
We still need to keep the reference to those segments until the RPC call
is finished, so in order to make it clear _where_ those references come
from, we add a helper pnfs_list_write_lseg_done() that cleans up after
pnfs_list_write_lseg.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Acked-by: Benny Halevy <bhalevy@tonian.com>
Cc: stable@vger.kernel.org
2013-03-21 10:31:19 -04:00
fanchaoting
4376c94618 pnfs-block: removing DM device maybe cause oops when call dev_remove
when pnfs block using device mapper,if umounting later,it maybe
cause oops. we apply "1 + sizeof(bl_umount_request)" memory for
msg->data, the memory maybe overflow when we do "memcpy(&dataptr
[sizeof(bl_msg)], &bl_umount_request, sizeof(bl_umount_request))",
because the size of bl_msg is more than 1 byte.

Signed-off-by: fanchaoting<fanchaoting@cn.fujitsu.com>
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
2013-03-21 10:11:06 -04:00
Matt Fleming
e971318bbe efivars: Handle duplicate names from get_next_variable()
Some firmware exhibits a bug where the same VariableName and
VendorGuid values are returned on multiple invocations of
GetNextVariableName(). See,

    https://bugzilla.kernel.org/show_bug.cgi?id=47631

As a consequence of such a bug, Andre reports hitting the following
WARN_ON() in the sysfs code after updating the BIOS on his, "Gigabyte
Technology Co., Ltd. To be filled by O.E.M./Z77X-UD3H, BIOS F19e
11/21/2012)" machine,

[    0.581554] EFI Variables Facility v0.08 2004-May-17
[    0.584914] ------------[ cut here ]------------
[    0.585639] WARNING: at /home/andre/linux/fs/sysfs/dir.c:536 sysfs_add_one+0xd4/0x100()
[    0.586381] Hardware name: To be filled by O.E.M.
[    0.587123] sysfs: cannot create duplicate filename '/firmware/efi/vars/SbAslBufferPtrVar-01f33c25-764d-43ea-aeea-6b5a41f3f3e8'
[    0.588694] Modules linked in:
[    0.589484] Pid: 1, comm: swapper/0 Not tainted 3.8.0+ #7
[    0.590280] Call Trace:
[    0.591066]  [<ffffffff81208954>] ? sysfs_add_one+0xd4/0x100
[    0.591861]  [<ffffffff810587bf>] warn_slowpath_common+0x7f/0xc0
[    0.592650]  [<ffffffff810588bc>] warn_slowpath_fmt+0x4c/0x50
[    0.593429]  [<ffffffff8134dd85>] ? strlcat+0x65/0x80
[    0.594203]  [<ffffffff81208954>] sysfs_add_one+0xd4/0x100
[    0.594979]  [<ffffffff81208b78>] create_dir+0x78/0xd0
[    0.595753]  [<ffffffff81208ec6>] sysfs_create_dir+0x86/0xe0
[    0.596532]  [<ffffffff81347e4c>] kobject_add_internal+0x9c/0x220
[    0.597310]  [<ffffffff81348307>] kobject_init_and_add+0x67/0x90
[    0.598083]  [<ffffffff81584a71>] ? efivar_create_sysfs_entry+0x61/0x1c0
[    0.598859]  [<ffffffff81584b2b>] efivar_create_sysfs_entry+0x11b/0x1c0
[    0.599631]  [<ffffffff8158517e>] register_efivars+0xde/0x420
[    0.600395]  [<ffffffff81d430a7>] ? edd_init+0x2f5/0x2f5
[    0.601150]  [<ffffffff81d4315f>] efivars_init+0xb8/0x104
[    0.601903]  [<ffffffff8100215a>] do_one_initcall+0x12a/0x180
[    0.602659]  [<ffffffff81d05d80>] kernel_init_freeable+0x13e/0x1c6
[    0.603418]  [<ffffffff81d05586>] ? loglevel+0x31/0x31
[    0.604183]  [<ffffffff816a6530>] ? rest_init+0x80/0x80
[    0.604936]  [<ffffffff816a653e>] kernel_init+0xe/0xf0
[    0.605681]  [<ffffffff816ce7ec>] ret_from_fork+0x7c/0xb0
[    0.606414]  [<ffffffff816a6530>] ? rest_init+0x80/0x80
[    0.607143] ---[ end trace 1609741ab737eb29 ]---

There's not much we can do to work around and keep traversing the
variable list once we hit this firmware bug. Our only solution is to
terminate the loop because, as Lingzhu reports, some machines get
stuck when they encounter duplicate names,

  > I had an IBM System x3100 M4 and x3850 X5 on which kernel would
  > get stuck in infinite loop creating duplicate sysfs files because,
  > for some reason, there are several duplicate boot entries in nvram
  > getting GetNextVariableName into a circle of iteration (with
  > period > 2).

Also disable the workqueue, as efivar_update_sysfs_entries() uses
GetNextVariableName() to figure out which variables have been created
since the last iteration. That algorithm isn't going to work if
GetNextVariableName() returns duplicates. Note that we don't disable
EFI variable creation completely on the affected machines, it's just
that any pstore dump-* files won't appear in sysfs until the next
boot.

Reported-by: Andre Heider <a.heider@gmail.com>
Reported-by: Lingzhu Xiang <lxiang@redhat.com>
Tested-by: Lingzhu Xiang <lxiang@redhat.com>
Cc: Seiji Aguchi <seiji.aguchi@hds.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
2013-03-21 12:43:46 +00:00
Matt Fleming
ec50bd32f1 efivars: explicitly calculate length of VariableName
It's not wise to assume VariableNameSize represents the length of
VariableName, as not all firmware updates VariableNameSize in the same
way (some don't update it at all if EFI_SUCCESS is returned). There
are even implementations out there that update VariableNameSize with
values that are both larger than the string returned in VariableName
and smaller than the buffer passed to GetNextVariableName(), which
resulted in the following bug report from Michael Schroeder,

  > On HP z220 system (firmware version 1.54), some EFI variables are
  > incorrectly named :
  >
  > ls -d /sys/firmware/efi/vars/*8be4d* | grep -v -- -8be returns
  > /sys/firmware/efi/vars/dbxDefault-pport8be4df61-93ca-11d2-aa0d-00e098032b8c
  > /sys/firmware/efi/vars/KEKDefault-pport8be4df61-93ca-11d2-aa0d-00e098032b8c
  > /sys/firmware/efi/vars/SecureBoot-pport8be4df61-93ca-11d2-aa0d-00e098032b8c
  > /sys/firmware/efi/vars/SetupMode-Information8be4df61-93ca-11d2-aa0d-00e098032b8c

The issue here is that because we blindly use VariableNameSize without
verifying its value, we can potentially read garbage values from the
buffer containing VariableName if VariableNameSize is larger than the
length of VariableName.

Since VariableName is a string, we can calculate its size by searching
for the terminating NULL character.

Reported-by: Frederic Crozat <fcrozat@suse.com>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Josh Boyer <jwboyer@redhat.com>
Cc: Michael Schroeder <mls@suse.com>
Cc: Lee, Chun-Yi <jlee@suse.com>
Cc: Lingzhu Xiang <lxiang@redhat.com>
Cc: Seiji Aguchi <seiji.aguchi@hds.com>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
2013-03-21 12:43:46 +00:00
Seth Forshee
ec0971ba53 efivars: Add module parameter to disable use as a pstore backend
We know that with some firmware implementations writing too much data to
UEFI variables can lead to bricking machines. Recent changes attempt to
address this issue, but for some it may still be prudent to avoid
writing large amounts of data until the solution has been proven on a
wide variety of hardware.

Crash dumps or other data from pstore can potentially be a large data
source. Add a pstore_module parameter to efivars to allow disabling its
use as a backend for pstore. Also add a config option,
CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE, to allow setting the default
value of this paramter to true (i.e. disabled by default).

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Cc: Josh Boyer <jwboyer@redhat.com>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Seiji Aguchi <seiji.aguchi@hds.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
2013-03-21 12:43:46 +00:00
Seth Forshee
ed9dc8ce7a efivars: Allow disabling use as a pstore backend
Add a new option, CONFIG_EFI_VARS_PSTORE, which can be set to N to
avoid using efivars as a backend to pstore, as some users may want to
compile out the code completely.

Set the default to Y to maintain backwards compatability, since this
feature has always been enabled until now.

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Cc: Josh Boyer <jwboyer@redhat.com>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: Seiji Aguchi <seiji.aguchi@hds.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
2013-03-21 12:43:46 +00:00